MikroTik

You are brave man ... huge jump ... from 5.x up to 6.47.
Did you upgrade to the latest 5.x version?
Did you read about changes of bridges circa 6.41 version?
Why Webfig? Try Winbox to access your device with MAC.

I recall this ... not perfect but it could help
viewtopic.php?f=23&t=148187&p=729368#p729368

You should prepare your list before import.
Read this topic: viewtopic.php?p=606832#p606832

You are asking right ... What is the problem to press "Post reply" instead of "Quote"? It is just a different button.

If I see a quote I wonder if poster has joined some replies or just quoted whole previous post so I have to check it.
Don't you think it is unneeded waste of time?

@mafiosa

Is it a problem to press "Post reply" button to comment preceeding post instead of quoting it as a whole just to write few words?
Do you think that people are unable to follow the thread?

Part of my Access List for CAPSMan.

caps1.PNG

Drop connections with signal up to -74 dB and let connect with better signals.

So the logic is reject all you conections want to disable according to interface name, signal strenth, MAC address and allow then all.

I know, I know ... very old topic but : RouterBOOT booter 6.46.5 CCR1036-12G-4S CPU frequency: 1200 MHz Memory size: 4096 MiB NAND size: 1024 MiB Press any key within 2 seconds to enter setup.. loading kernel..... OK setting up elf image... OK jumping to kernel code (0,0) hv_panic: corrupt hvfs: com...

A. You do DSTNAT to 192.168.10.8 not to 192.168.10.4.

B. To access server from LAN using WAN address you need to configure https://wiki.mikrotik.com/wiki/Hairpin_NAT

Watch the difference: Microsoft Windows [Version 10.0.18363.1082] (c) 2019 Microsoft Corporation. Wszelkie prawa zastrzeżone. d:\>nslookup Default Server: router.mypreciousdomain.pl Address: 10.254.254.254 > google.com <- no dot there Server: router.mypreciousdomain.pl Address: 10.254.254.254 Non-au...

Just multiply shown rule replacing change dst=????? parameter to the particular interface you want to limit ... that's all.

@alibalalo:

If you go to a doctor do you say only "I'm ill" and expect proper treatment?

Really?
I reported problem with ROS 6.44 + Winbox 3.25 therefore:

Winbox <3.25 is buggy and do not report errors but 3.25 does
or
3.25 has bugs and messes with configuration behind the scene
or
3.25 correctly reports ROS hidden problems

Topic for WinBox 3.25 ... do not multiply topics.

viewtopic.php?f=21&t=165525&p=814432#p814432

IMHO You shold fix WinBox not ROS ASAP as upgrade to ROS > 6.47 is not always possible

Observation.

WinBox 3.25 removed all CAPSMAN ACL rules following the one which held Polish diacritic letter in a comment.
This particular rule persists but is cleared.
Router was not rebooted.

I've noticed some CAPSMAN ACL rules removed when I used 3.25. Not all.
There is also autospout.rif file generated.

ROS 6.44.5 ... CAPSMA & WiFi killed with 3.25

In-interface in your rule means traffic from "outside" to "inside" but he wants to block/limit traffic in the opposite direction.

Make Philips'' addresses static, syslog their traffic and find common targets of it. They all should try to connect to same servers.

"Use your force ... and forum API keyword search for ... and you receive the result" :)
viewtopic.php?f=9&t=29073&hilit=API

Yes. I would say "convincing" a TV to believe that it connects to a server it wants to connect to.

Sa it's time to track what servers Philps's TV connects to to check if they have Internet connection and redirect all that traffic to you local resources. It's easy to make a rule which redirects NTP traffic headed to eg. ntp1.philips.com to you local resource. TV will even not know that is redirect...

Are you sure that TVs connect to proper NTP servers? Maybe they are set by default to access nonworking servers. How users decide if TV connected to NTP or not? Are they allowed to reconfigure TVs'? Maybe you should install your own local NTP server https://wiki.mikrotik.com/wiki/Setup_local_NTP_ser...

Any possible kind of DoS attack that use this port...

Do you want to limit flooding with NTP port but you do not care about flooding for DNS or SNMP or any other "well known" service?
What is the reason? Flooding is flooding no matter what target and how you flood.

@romas:

Do you REALLY need to quote such a long post? What for?

Please edit it.

What kind attack you are writing about? What do you want to limit?

As printer and computers communicate directly so they bypass router therefore you have no control over it but I do it this way.... change IP of a printer to the new one. The old one assign to the router and make DST NAT the old to the new IP. All printers will pass the traffic to the router which wi...

Please, rewrite your question to let us know what are you asking for.

... both put out current on the frame ground screw. It's the same voltage that's going in via the DC ports....

Kind question: what is the voltage of the mentioned current"?

Any Mikrotik device which manages WiFi traffic.
ROS offers API to control almost all aspects of it so it's up to you to "script it".

RB1100AHx4 serving circa 100 person at company branch = Internet + VPNs to main site for NAS access = 110 days uptime RB4011 circa 50 persons + VPN for homeoffice + VPN to branch + normal routing, firewoling etc = 36 days uptime as we have had to power down our company due to power maintenance. Prev...

Axe or chainsaw are wrong to cut a tree?

Most of users who need torrent client will not pass further than logging to a router. The next requests will be - do nicer GUI for torrent client as we are not able to use WinBox and WWW GUI is awkward to us as we like .... cklient. - what about browsing files on the router and downloading them to m...

Have you read this topic? What is torrent client needed in router for?

do not respam spam

RB1100AHx4 does not upgrade.

RB1100AHx4b7.1.PNG

What could I say ...CISCO has 100Gb cards for their Nexus line ... price @ 55k$ ...
Who expects that MKT will do it for 55$ or 550$ or even 5500$ to make users happy?

If you have 2 servers which both serve web services on the same port then there is no way for router to decide what server send incoming connection traffic to. Harpin just lets to access local resource via external IP from LAN but the problem is the same: which server should receive packets send to ...

...
I changed the Ports with a few clicks and presto no more attacks on the Mikrotik Router.
..

Do not forget that your router is still under attack but packets are dropped or not accepted.
Your line is still full of unwanted traffic scanning for open ports or services.

What is the problem with Ctrl+C and Ctrl+V in CLI?
It is not just a checkbox ... you can tailor linked solution according your configuration, ports, filters etc.
Simple checkbox with noncustimizable rules is not a good solution.

Could rules' icons be grayed out when rules are disabled to be consistent with grayed out text?
When you look at them you are fooled that they are active even rules are not,

https://wiki.mikrotik.com/wiki/Manual:C ... Management

@mozerd ... what is the need to quote "previous post" just write "nice post"?
Do you know the funcionality of "post reply" button?

I do services for car service company. They have two walls full of fancy "must have" series professional tools bought from the Corpo. Some of them look like torture machines from the Middle Ages. No discussion about buying as the Corpo knows better. Always. Servicemen use circa 10% of them. Most rep...

Could you please use "Post reply" button instead of quoting whole posts?
Is it so hard?
Do you think that such "quote escalation" helps to understand flow of discussion when you can just scroll one sentence back?

The proper word coming to my mind is: IMPRESSIVE

list of changes.

Could you please use "Post replay" instead of quoting hole previous posts.

We are able to follow the thread ... no need to quote it all the time.

Export configuration to a file and then import to the new device.
You have to tailor configuration according to interface names, MAC's etc.
Search the forum for "restore configuration"

Anav:

Rules should be obeyed.

Do you volunteer to translate posts instead of all lazy OP?

IMHO you should set "distance" for ISP interfaces in your local routing tables to number higher than expected "distance" of default router received from OSPF.
With no OSPF information the only one route will be ISP interface and when OSPF is connected the default route will be switched to the new one.

Upgrade, reset to the default configuration and then compare.
Or reset to "no-default-configuration" and start configuring from scratch.

I think more people would want a couple 40G ports at home than 12x 10G.

vortex ... please do not treat us as fools and please do not lie ... once more i see such a comment and you will be banned

vortex.

Last call ... PLEASE DO STOP throwing everywhere comments that 10+ Gb ports are a common need at homes ....

Please DO STOP.

CRS305 IS an ALMOST perfect fit for OP needs ... so once more PLEASE DO STOP throwing your comments about "a must have device" for all.

@vortex

PLEASE STOP sharing your thoughts what people need or what you think people dream of.

The OP asked a question about simple device with small amount of fast ports to use them as converters. Nothing more.

CCR2004-1G-12S+2XS is our router with the most powerful single-core performance so far. It provides incredible results in single tunnel (up to 3.4 Gbps) and BGP feed processing.

Maybe it is the answer.

And what is the implication of that? What does it mean for Mac's networking?

40G is the new 10G. When I was asking for home routers capable of 10G switching some years ago, it was professional level. Now not only is 10G cheap, some people even have 10G WAN at home. Why would you buy a couple of 25G cards when they are not much cheaper than 40G? Workstations and NAS that can...

A. Use "Post reply" instead of quoting whole previous post. No need to cite it. B. If an interface is part of any bridge then it "losts" it's MAC. It becomes "dumb" connector of a bridge and a bridge takes over its MAC and presents itself with the lowest MAC of all interfaces it consists of. If inte...

Printed MAC is the MAC of interface usually described as Internet and the second MAC is the lowest MAC of interfaces designated to be LAN interfaces. If you configure bridge for a group of interfaces then it receives administrative MAC as the lowest MAC of all included interfaces until you set it ma...

@Mikhalich

Could you use "Post reply" button instead of quotting previous posts all the time? Most readers are able to read them if they need it and there is no need to quote.

You start traffic via WAN2, receive answer and then rest of connection goes via WAN1.
Result: Netflix see traffic from different addresses and "complains".

Quoting news: "Juniper Networks warned customers Thursday of a high-risk vulnerability in the GD graphics library that could allow a remote attacker to take control of systems running certain versions of the Junos OS." "The denial of service vulnerability, CVE-2020-3120, affects separate implementat...

Inside? Just kidding ...

What address are you asking about? Are you connected to your router via WWW or Winbox?

"9pfs is a network filesystem protocol developed for Plan 9"

Is HA coming with shared resources?

I'm not Mikrotik's empleyee so do not ask me questions what is "ordinary and affordable" and if Mikrotik is "hopeless". Mikrotik does not manufacture "DUMB" switches. DUMB and CHEAP. Maybe their not so cheap devices have their flaws but it's a different story. If you want really "cheap and affordabl...

Once more. What is the sense of doing less usable device_ You have to prepare casting molds for cases. design PCB or redesign current one to be able not to mount some parts. YOU HAVE TO CERTIFY such device for CE/FCC etc. It's not free. You have to have a stock of it, you have to service it. Do you ...

And what's the point of buying a switch with an SFP port that will never be used What is the sense of removing connectors which make cost of a device a little higher and let serve more users? Are you still joking? You consider providing cable to each desk if only a ceiling would be placed lower. Wh...

Are you joking? Designing new device just beacuse your client cannot afford 10$ difference on a switch with additional USB and SD ports? If look and feel is the most important factor then price shouldn't be a problem. BTW: hide device of any size behind the first desk and there should be no visual/e...

@allencesar and @bda

Is it a problem for you to press "Post replay" instead of quoting quotes of quotes ? Do you think it makes reading your discussion more readable?

I use hAP ac2 to do PPPoE connection to ISP on 600/60 line and this router serves/shares pool of public IPs to "second level" routers at my place.
No problem with CPU and traffic. I installed it in the place of my 1100AHx2 which had decided to end it's life

More details please. What is your big problem?

Your report is like: I'm ill. What can I do to cure myself.

https://wiki.mikrotik.com/wiki/Hairpin_NAT

Make a drawing and post it. One picture tells sometime more than thousends of words.

Buy two hAP ac2 listed @ 65$

Such device behaves quite well for me serving 600/60 line so think that it will be enough for you and you will have two routers.

Make src masquarade changing src ip to router's ip for all connected via VPN.

@vortex

Once again:
Could you be so kind and stop filling forum with such consecutive selfanswering "comments".
You just make huge amount of "posts" with no clearly visible sense.

You THE MAN!
or even
You THE MEN!

vortex:

Please DO STOP answering yourself and sending post under post ... this is my last "suggestion"

vortex:

Please DO STOP. It is not funny.

B. Moderator's duties. It's not your duty to police a thread that needs none, he isn't posting spam or any such thing. You simply don't like it and that's not enough. *edit* It's not my job to defend so I will just stay out of it. I'm a moderator of a large forum and an admin for another and we fol...

Why do you care? He started this thread.

A. I just care. Why not?
B. Moderator's duties.

vortex,

IIMHO i's time to stop increasing your post counter. You ask questions, answer them and comment own answers at once. Maybe you should set up your own blog?

Too many quotes and post to justify that 10Gb router + 40Gb switching is a "must have" for home users.

I did not ask for 10Gbps routing. Some people will eventually need 10Gbps routing. Really? English is not my native language but I try to understand what I read and answer to I am not saying 10G routing is budget. 10G switching is. But when you see the 4011 would be capable of asymmetric 6Gbps it i...

You freely mix differents things. You ask for 10Gb switching, for 40Gb switching to connect "proper" 40Gb NAS, for 6 or 10GB router based on 4011,.... Adding 10Gb switch just for pure switching with no rules/filtering at bridge level is not even close to providing enough resources to do 10Gb routing.

Did I ?

Just saying that there is no sense to push the limits just for show off.
It is like buying the Bugatti Veyron just for it's 1300 Hp and then cruising your urban area @ 30Mph.

The assumption of your disccusion is that faster is better than stable.

10G would be a budget router. A proper home NAS should be 40G now. It depends who you are. Most people could live with 100mb just for Netlix, YouTube or Spotify. If you are a gamer ar IT nerd then yes ... more than 1Gb could fit your needs but is not a "must have". Your theory is that each should b...

A. Edit the first post end delete this 2 meters long quote

B. You need a better router. My 2011 also gives no more than your one with 600 Mb FTTH

@vortex:

Never ending story .... why do you quote the WHOLE previous post? What for? Deas it emphasise your answer more?
Do you know what "post reply" button is for?
Seems that most of us could follow the discussion flow without such quotes. We are able to read provious posts.

@rooted:

Never ending story .... why do you quote the WHOLE previous post? What for? Deas it emphasise your answer more?
Do you know what "post reply" button is for?

@PTPStudio:
Why do you quote whole previous post? Does it makes your answer more valuable? Do you see "Post replay" button?

.... Not when you are downloading 50GB games. A. Are you sure that source is able to deliver data with 10Gbs? B. ISPs always oversell bandwith so I'm not shure if they are able to deliver constant multi 10GB traffic to users. Edge routers will limit their throughput. C. 5 sec vs 50 sec for 50GB dow...

@Sib:

"It allows ..." does not mean that it should be full ASCII editor.
Is it possible now to make such a piece of art? Yes or no?
As I wrote ... use any editor to prepare your logo and just paste it into a note.

3,4) RouterOS is known to not support everything. If you want to be sure, download CD image and try to install it. It will run without any limits for 24 hours. Or there's free L1 license, it works forever, but has some stuff limited.

Just test CHR https://wiki.mikrotik.com/wiki/Manual:CHR

What about designing your logo in notepad or any other text editor and copy+paste into Note?
No one except admin is able to contemplate this logo as a Note

@Bartoz - Why would you infer that the issue only refers to 6.43 unless you can prove that the issue raised in the CVE was covered in the firmware upgrade notes of subsequent Versions. In other words, you know it has been and thus a link or quote or post referring to that would be helpful. Or, you ...

What are the current versions of ROS?
This CPE is about versions 6.42 which are obsolete since 2018 ...

Read this: https://wiki.mikrotik.com/wiki/Hairpin_NAT

....
And of course you must be able to reach internet from the device. So in Tools->Ping try to ping 8.8.8.8. That must work. When not, fix it first.
(check IP->Routes etc)

It is much better to check ping mikrotik.com as it checks not only Internet access but also a DNS resolver.

Vectra is the Polish CableTV operator. From log we can see that something behind this static address tries to connect to address 155.x.y.x port 52676 For me it is not Qnap the source as it is just accessible with the redirection at the same address from the "attack" comes from. I suspect that there ...

https://wiki.mikrotik.com/wiki/Manual:Scripting

look for global variables

Use Scheduler to schedule when your script runs.

https://lmgtfy.com/?q=mikrotik+script+schedule

@irqhost: why do you quoute whole post? Isn't it enough just to ask a question in this thread?

If you disabled port then nothing could help.
If other ports are not disabled then use WinBox in MAC mode and try to access your router.

viewtopic.php?t=147994

A. "RAW" part of firewal inspects packets which enter firewall or leave it but are originated by router: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Raw B. NAT is done before routing and firewal so you have inspect proper addresses in firewall rules e.g if you DST-NATted packet to internal dev...

I doubt that it is a bug. I use GRE-IPSec and IPIP-IPSec ..

Have you specified local and remote addresses of GRE on both routers?
Do you allow proper protocols to pass firewall?

I doubt.

Look for 3011 or 4011 instead.

Simply ... you ask a question: Will my planned restaurant 100 sqm size be big enough to serve all clients? No info of of place where this restaurant is planned? What food do you want to sell? When it will be open? How many tables do you plan? How many chairs or benches do you plan? Will you offer ta...

The answer is easy ... as many as you wish if only they do not use functions which are limited by license:
Read this: https://wiki.mikrotik.com/wiki/Manual:License

The question is ... does this router is powerfull enough to serve all connected clients?

Possibly ISP side was not configured properly on time and that's why it works now.

Last week 2011L tested as PPoE client to ISP. 600/60 bandwith.

Maximum throughput received with fasttrack on and one NAT for PPoE was circa 200Mb / 60Mb

VLANS?

Make firewall rule which accepts access to webfig only for particular address.

MAC list ...

Is it a problem for you to download it to your computer or any RPi device ... the cheapest one you can find? Should it be done by a router? Printer Services, SMB, Torrent ... lets add full SMTP server, Backup server, WordPress, Spotify ,Netflix Player ... Do we really need a monster like this? https...

English please. Use any translator you want. It is English based forum.

https://blog.mikrotik.com/

The question is if you are able to make PPPoE connection from "internal" router to receive public address if there is no Mikrotik "in the middle"?
What do Mikrotik should do in your opinion?

https://wiki.mikrotik.com/wiki/Hairpin_NAT

@upower3

Is it a problem to pin https://mikrotik.com/download url to the tab in your favourite browser and open it with one click?

Checito

You should assume that most readers are skilled enough to stick with the flow of consecuitive posts.
If you want to comment something what was mentioned a few posts earlier then quote only the crucial part of that post.

Why not to use Winbox with MAC address?

Chechito,
Could you please do not quote full previous posts in your answers if there is no need for that.
Just use big button "Post replay"

Zacharias,

Could you please do not quote full previous posts in your answers if there is no need for that.
Just use big button "Post replay"

It may help you:

search.php?keywords=stp++iphone

MikroTik
Certified
Network
Anesthesiologist

will bring your router back to life

Run such script when rebooted # :local loctoemail "destination@address.com" # :local locident [/system identity get name] :local locmachine [/system resource get architecture-name] :local locversion [/system resource get version] :local loctime [/system clock get time] :local locdate [/system clock ...

It's more like coma after surgery as router is still alive

Version 6.46beta38 has been released.
......
*) console - fixed IP conversation to "num" data type;
....

Shouldn't it be "conversion"?

Show configuration of your router.
I suspect that you have assigned 8.8.8.8 address to interface in your router.

How to educate other users if you do not set a good example? Laziness is not a good excuse.

!ste:

Is it necessary to quote FULL previous post?

Yes,

"Bigger" devices usually have "higher" licenses what is described there: https://wiki.mikrotik.com/wiki/Manual:L ... nse_Levels

Why do you think that Mikrtik's forum is proper place to ask about problems with Tenda router?

Was it "Upgrading on the edge" by Aerosmith?

Jump from 6.40 directly to 6.45 .... you are brave man. Have you read changelogs in the 6.41?

anav: maybe my toilet paper has just more layers than your? BTW.... If you want to protect computers on one bridge at L3 from another L3 layer then you need to block bridge A pool (name it poolA) from poolB, poolC, poolD ... poolC protect form poolD but not from poolE .... poolF from poolA, poolB bu...

@anav:

Nets at L2 may be separated but routing at L3 works and OP asks how to prevent IP access.

@OP:
what about using filters at bridge level? Antything what is forwarded to other interface than WAN should be dropped.

How you add Port1 to four different bridges?

Do you connect any interfaces to this bridge?

My simple solution: /ip service set winbox port=18291 /interface list add name=WAN_LIST /interface list member add interface=ETH1-WAN list=WAN_LIST /ip firewall raw # # accept packets to nonstandard WinBox port ... could be tailored for access from particular subnets etc. # add action=accept chain=p...

My old 0.02$ to this topic: viewtopic.php?f=1&t=93307&p=490460#p490402

http://bfy.tw/NuAw

viewtopic.php?f=21&t=146087&p=727601#p727601

Directly from power socket if you use 24V PSU?

Thank you for the report.
It is example of situation when one subnet is fully included in another. I do not look for such optimization ... yet

IMHO it is not "a bug" .. output is fully valid however not optimized to "deep roots".

I was thinking how to optimize big IP lists before importing them to Mikrotik. It ended as this program. Feel free to use it. Comments welcome. Written with GNU Linux and gcc. Standard usage ... takes data from stdin and outputs to stdout Program tries to merge consecutive IP addresses or IP ranges....

@tayroborges:

English please !

No device calling itself a router should have this as it's fully patched, default configuration out of the box be this: ...... If you want to make excuses for having crappy default configurations that's fine. Mikrotik is the one that is making the reputation for making devices that are part of botn...

After upgrade of CRS125 it stopped to be visible in a neigherhood and for WinBox.

Tony:

Once more ... please do not start so many threads. Make one and please stick with it.

Isn't it better to make one topic instead of starting several ones?

After upgrade to 6.44.1 on RB962 GRE+IPSec stopped working when connected to 6.44 on the other side. After downgrade to 6.44 back on-line.

What about logging with WinBox via MACaddress?

Resseting configuration should not be allowed without setting password as integral part of this process.

You are using the wrong symbol to explain to IT people, should use "!=" instead, then they will better understand

For some "<>" should be used

It is always safer to netinstall as it formats device.

*) e-mail - fixed missing "from" address for sent e-mails (introduced in v6.44);

Emils

I'm interested how did it happen? What someone had been messing for with e-mail part of ROS?

"Expected more" means 23+ Gb sustained transmission with 190$ device?

No. It's not old thinking.

My net is my castle. Period.

Xymox,

Be responsible ISP/IT company and inform your customers that someone tries to take over their security.

Inform them about pros and cons and explain why you prefer not to jump into that train.

Easy.

Hmmm.... I watched this video and what comes to my eyes is "security manager will configure customers' micornets to be safe/secure etc...." or sth like that ...
Who the ..... is Alice ... opssss ... security manager?

Keeping up with the Simpsons ... let me decide

Frankly speaking: Bartosz ... "sz" pronounced as "sh" in "wash"

How your PC reaches camera?

WAN -> LAN? Is it OK?
LAN -> LAN? OK or not? Look for Harpin NAT.
LAN -> WAN? OK?

CRS are switches not routers. Thay can do routing but they are not designed for routing/natting/mangling heavy traffic. You should look for CCR devices if you want to mostly route or start with AH1100x4 ones. I have installation with AH1100x4 for 50+ users, VPN+IPSec used to access main office share...

Strange ... IPSec works for me

after upgrade 6.43.12 -> 6.44

IPSeced IPIP and GRE tunnels work smooth after upgrade, self-reconnected without problems. Comments still in place.

viewtopic.php?f=21&t=140165
viewtopic.php?f=21&t=137572

Do you really use these public IPs in your configuration?

Be patient. Most of moderators are volunteers so it takes some time to be moderated.

Suspecting that DHCP server mostly warns

A. when device try to renew address when lease is still valid and full DHCP REQUEST-ACK-CONFIRM process is not done
or
B. ROS sees that device is "vanishing" ... I see it in logs when CAPSMAN moves device from one AP or interface to another.

Does not help ... no change .. still receiving warnings

Most users who start threads "Mikrotik hacked...", "My router is unsecured", "Big hole in security of ..." seems to not check forum for security topics Did you try easiest method to look for security problems: https://forum.mikrotik.com/search.php?keywords=vulnerability https://forum.mikrotik.com/se...

If I recall correctly it means that there is NNNN exactly the same consequent messages in the log.

It is my way of "drop it ASAP" 0. if attacker scans us again (is already on the list) then drop it right now. A. check if unwanted port is checked. B. if yes, add attacker to the ban list C. drop all packets coming from attacker list /ip firewall raw add action=accept chain=prerouting dst-port=porto...

It would be convinient to CAPSAM and DHCP to log to log not only MAC address but also HOSTNAME if it is known.
Process of transforming MAC 2 HOST is tedious and if log changes quickly you have no chance to check who is associating/dhcping

Uncheck ...
"Always send replies as broadcasts even if destination IP is known. Will add additional load on L2 network."
DHCP broadcast an offer even if device is just deassigned.

For me the problem is with static addresses and seems to be connected with this option which sends offer even if there is no demand for it. Converting dynamic address to static makes this option somehow "checked" even DHCP server has it "unchecked" so if you forgot to uncheck then static reservation...

Before import rename all interfaces in 1009 to names used in 3011. It will make import much easier.

/ip firewall filter
add action=drop chain=input comment=WAN->DNS dst-port=53 in-interface=YOURWAN protocol=udp

Please edit your post and use English

Anav ... should mrz explain again and again and step by step what to do when you are hacked or could expect that autor is aware of https://blog.mikrotik.com/

What about https://mikrotik.com/products ?

Users of what service?

IMHO it could be problem of STP/RSTP protocol. Switch it off and see what will happen.

I use N++ with it's regular expression search+replace/replace all option.

@anav: Barracuda ESG does good job .. it filters most of spam from China ... most means 99% ... but I was tired skipping whole pages of "dropped/blocked" entries and decided to not allow such e-mails to reach ESG @Xtreamer: Please check attachment. It is part of a bigger set of rules so you must to ...

How did you remove ethernet interface from router? Physically? Then I doubt if you can connect to your router

Do you have more eth interfaces? What router it is? Configuration?

Almost 24 hours later

Edit ... blocked at RAW firewall level

Chiny4.PNG

Hi, I use Barracuda Spam Filter (Barracude ESG) as my spam-firewall for one of my customers. It does good job but one of their e-mail's was used for communication with China based client. Since then we receive hundreds spam e-mails per day only for this used e-mail. We do not receive e-mails to admi...

https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT

Do you use same "paranoic"

rules for LAN as for WAN side?

@n21roadie ... could you please stop full quoting all posts you are commenting. Use "Post replay" instead of "quoting" post.

Yes.
You don't need

...dst-port=!8291,22 ...

You accept it earlier so packets to 8291 and 22 do not even reach this drop rule.
I suggest to change 8291 port to other port in you configuration for winbox access.

Yes.

If you want to protect your castle then you build THE WALL which stops all at the gate and then allow to go inside only allowed persons/goods/packets. It is far far easier then allow all to enter and spy them for "bad guys".

Search found 1800 matches