Community discussions

Search found 179 matches

by tippenring
Wed Jun 05, 2019 5:29 pm
Forum: General
Topic: Basic traffic prioritization
Replies: 8
Views: 505

Re: Basic traffic prioritization

I figured I'd post my standard HTB config that I start with. Fasttrack effectively breaks queuing, so I exclude marked packets (this also applies to my mangle rules for IPSec, but that's a different example). In this case, I use mangle to mark typical DSCP VOIP traffic, but it can be anything. eth6 is...
by tippenring
Fri Mar 22, 2019 4:15 pm
Forum: Beginner Basics
Topic: Connecting SSTP Client and SSTP Server on MT
Replies: 6
Views: 454

Re: Connecting SSTP Client and SSTP Server on MT

Your post leaves many unanswered questions, so I'm making a lot of assumptions. I'll start with the basics, and that this is mostly a guess. To summarize: Your SSTP clients in 172.17.0.0/16 connect to MT-CHR (internal IP: 172.17.1.1/16). Then MT-CHR (external SSTP IP: 172.16.16.236) connects as an S...
by tippenring
Wed Mar 06, 2019 6:28 pm
Forum: General
Topic: Port knocking alternative
Replies: 4
Views: 528

Re: Port knocking alternative

Besides being less practical than nping, I suspected the executable might be malicious. VT Detection ratio: 11 / 70

Check VirusTotal: https://www.virustotal.com/en/file/d81c ... /analysis/
by tippenring
Thu Feb 07, 2019 1:18 am
Forum: Beginner Basics
Topic: New connection added!!solution for load failover [SOLVED]
Replies: 10
Views: 622

Re: New connection added!!solution for load failover [SOLVED]

I have something very similar to this (https://wiki.mikrotik.com/wiki/Advanced ... _Scripting) working. It seems to work quite well.
by tippenring
Tue Feb 05, 2019 6:43 pm
Forum: General
Topic: MikroTik Bridget network got DDOS
Replies: 4
Views: 495

Re: MikroTik Bridget network got DDOS

I would run at least a RB4011 these days. However, you'll also need to use the raw table to drop as fast as you can. Ultimately, however, you may need upstream (your ISP) support as they will most likely always be able to do it better than your equipment. Agreed. The 2011 is quite old and weak by t...
by tippenring
Tue Feb 05, 2019 6:18 pm
Forum: General
Topic: Windows short name resolution with bridge and firewall [SOLVED]
Replies: 8
Views: 874

Re: Windows short name resolution with bridge and firewall [SOLVED]

Is there some reason you want to force bridge traffic to be processed by the firewall rules? Based on your description of the network, I doubt you want to do that. I expect you probably just want to apply the firewall rules to traffic that will be crossing trust levels, such as private to public int...
by tippenring
Mon Jan 28, 2019 7:39 pm
Forum: General
Topic: DHCP philosophy - where/what is it best served by?
Replies: 9
Views: 615

Re: DHCP philosophy - where/what is it best served by?

I manage all aspects of a network. Routers, switches, servers, video, VoIP, and pretty much anything else that gets an IP address. If there is a real server (or servers) on the network, one or more will be handling DNS, DHCP, and pretty much any other client/server type of service. Routers are quite...
by tippenring
Sat Jan 12, 2019 12:36 am
Forum: General
Topic: Filtering Malicious Traffic
Replies: 6
Views: 547

Re: Filtering Malicious Traffic

It really depends on the nature of the malicious traffic that is landing you on blacklists. My guess is it is mail since that's most prevalent. If it is, you could drop all outbound port 25, 465, and 587 from your clients and make them relay mail through your internal mail server. Once you have the ...
by tippenring
Wed Jan 09, 2019 10:29 pm
Forum: Beginner Basics
Topic: gateway confusion
Replies: 2
Views: 316

Re: gateway confusion

Sounds to me like "routers" 2-6 are functioning as bridges rather than routers. They probably have an IP address for management. Are the router IPs all on the same subnet?
by tippenring
Wed Jan 09, 2019 10:14 pm
Forum: General
Topic: Spam filtering - how to improve my antispam system
Replies: 9
Views: 1058

Re: Spam filtering - how to improve my antispam system

Can you please add a post with your blocking rules and ip address list for this solution. Thank you for your time. Here's my process to create a US-based network address list for geofencing. You may wish to name your address list differently of course. 1. Copy the US-based address list here to N++....
by tippenring
Tue Jan 08, 2019 7:57 pm
Forum: Beginner Basics
Topic: Noob firewall question - being brute forced
Replies: 7
Views: 493

Re: Noob firewall question - being brute forced

The above is good advice, but there is something more fundamentally wrong with your situation. That is a lack of information security awareness. It's good that you managed to notice the brute force attempts to your RDP server. The bigger problem is that you, or whoever is responsible for the network...
by tippenring
Mon Dec 10, 2018 5:17 pm
Forum: General
Topic: Cannot upgrade v6.42.3 to v6.45.3
Replies: 3
Views: 395

Re: Cannot upgrade v6.42.3 to v6.45.3

There is no version 6.45.3.
by tippenring
Thu Nov 15, 2018 12:53 am
Forum: General
Topic: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED) [SOLVED]
Replies: 16
Views: 1590

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED) [SOLVED]

I just checked Shodan. Shodan only lists 7 devices on the internet listening on port 64312. 6 of them are Torrent DHT nodes.
by tippenring
Thu Nov 15, 2018 12:43 am
Forum: General
Topic: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED) [SOLVED]
Replies: 16
Views: 1590

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED) [SOLVED]

If you're correct, this would be new exploit code that I haven't yet seen. It isn't a surprise to me that firmware and RouterOS updates don't remove it. I personally find it a little hard to believe that you have what you think you have because you haven't provided anything concrete except a belief ...
by tippenring
Tue Nov 13, 2018 8:45 pm
Forum: General
Topic: High Traffic
Replies: 4
Views: 415

Re: High Traffic

Netinstall is the only foolproof way to resolve a hacked router. You could go through the configuration and remove what appears suspicious (proxies and such), but it is nearly impossible to say with 100% certainty that the router is no longer compromised. Perhaps there is a hidden script that runs e...
by tippenring
Tue Nov 13, 2018 5:50 pm
Forum: General
Topic: Rogue IPV6 DNS advertisement Problem, FISHY situation !
Replies: 7
Views: 467

Re: Rogue IPV6 DNS advertisement Problem, FISHY situation !

If you really have the IPv6 package disabled, I'm not sure why the MT is using IPv6 at all. However, it isn't important. The packet you captured is a simple ICMPv6. The fe80 address is a link local address (like 169.254.x.x in IPv4).
by tippenring
Tue Nov 13, 2018 5:15 pm
Forum: General
Topic: Rogue IPV6 DNS advertisement Problem, FISHY situation !
Replies: 7
Views: 467

Re: Rogue IPV6 DNS advertisement Problem, FISHY situation !

See these pcap screenshots. These are DNS queries sent by a Windows 7 machine. Note that it is asking the DNS server for both the A records and AAAA records for google.com. The DNS server dutifully responds to both requests. IPv4 and IPv6 are communication protocols. DNS is a name resolution protocol. ...
by tippenring
Tue Nov 13, 2018 4:41 pm
Forum: General
Topic: Rogue IPV6 DNS advertisement Problem, FISHY situation !
Replies: 7
Views: 467

Re: Rogue IPV6 DNS advertisement Problem, FISHY situation !

IPv6 and DNS are generally unrelated. A query for a FQDN will return whatever records are assigned to that FQDN. AAAA records are valid DNS records.
by tippenring
Fri Nov 09, 2018 10:47 pm
Forum: Beginner Basics
Topic: The winbox is hard to use
Replies: 12
Views: 1174

Re: The winbox is hard to use

How did you go about setting that up? The basics are here: https://wiki.mikrotik.com/wiki/Manual:Winbox They don't really explain sessions though. Connect to your most convenient router with Winbox. Select the windows you'd like to be open each time you connect to any router. I have the log and fir...
by tippenring
Fri Nov 09, 2018 6:58 pm
Forum: Beginner Basics
Topic: The winbox is hard to use
Replies: 12
Views: 1174

Re: The winbox is hard to use

I have my Winbox windows pre-defined in my session preferences, so every new session opens with my preferred windows open in exactly the same place and dimensions each time. If a window ends up behind another, I don't go looking for it in the right-hand pane. I navigate to it through the menu again....
by tippenring
Mon Nov 05, 2018 6:01 pm
Forum: Beginner Basics
Topic: Can't copy big files through VPN
Replies: 3
Views: 492

Re: Can't copy big files through VPN

I'd suggest checking MTU. Try lowering it some on each side. PMTUD should take care of this, but it may either not be enabled, or ICMP packet too big messages may not be able to reach the source host. I'll admit it doesn't seem too likely since you get to 80% and compressed large files still make it...
by tippenring
Mon Nov 05, 2018 5:53 pm
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 191
Views: 24434

Re: Blacklist Filter (Development Topic)

OK, now I'll be clear here ;-) Thanks. Will test how much RAM a RB2011 needed. Only with priority 2 or priority 1 + drop.malicious.rsc I'm using the priority 2 list on an RB2011. Memory is fine. I currently have free 74MB of 128MB with ~30k blacklist entries. The RB2011 is more CPU starved when it'...
by tippenring
Fri Nov 02, 2018 4:23 pm
Forum: Wireless Networking
Topic: Mikrotik wi-fi and Iphone = problem
Replies: 66
Views: 43329

Re: Mikrotik wi-fi and Iphone = problem

We stopped using Mikrotik for client wifi several years ago due to connection instability and weak signals vs other brands. We fought with it for a long time. Apple devices are especially troublesome. We still use Mikrotik routers almost exclusively and Mikrotik radios for point to point wifi links ...
by tippenring
Fri Nov 02, 2018 4:13 pm
Forum: General
Topic: SSTP VPN between two MT routers
Replies: 3
Views: 439

Re: SSTP VPN between two MT routers

It seems to me there are details missing in your explanation. SSTP will transit NAT with no problem. You admit this when you say the PCs can ping Mikrotik 2. Based on the information provided, I think there's something else going on unrelated to a NAT device in the middle. /export hide-sensitive is ...
by tippenring
Mon Oct 29, 2018 10:51 pm
Forum: General
Topic: Mikrotik does not support IPSec, L2TP or OpenVPN connections to any VPN provider
Replies: 9
Views: 3771

Re: Mikrotik does not support IPSec, L2TP or OpenVPN connections to any VPN provider

I've had a Torguard tunnel up via L2TP/IPSec for a couple of years. No problems. Torguard has a guide.

It may not be the best, but it serves my purpose.
by tippenring
Tue Oct 23, 2018 9:10 pm
Forum: General
Topic: 31 subnet - Not finding an answer to default gateway.
Replies: 16
Views: 1919

Re: 31 subnet - Not finding an answer to default gateway.

I spent a few minutes testing. Unfortunately my tests did not result in connectivity either. First I tried my Windows PC. It didn't like a /31 at all and wouldn't let me use it. Then I used a Cisco router and Mikrotik on the same LAN network. I added 10.99.99.0/31 on the Cisco, and 10.99.99.1/31 on ...
by tippenring
Tue Oct 23, 2018 4:51 pm
Forum: General
Topic: 31 subnet - Not finding an answer to default gateway.
Replies: 16
Views: 1919

Re: 31 subnet - Not finding an answer to default gateway.

Is the MAC address for x.x.x.30 in your ARP table?
by tippenring
Tue Oct 23, 2018 4:37 pm
Forum: General
Topic: Advanced IP scanners locks up winbox access?
Replies: 7
Views: 636

Re: Advanced IP scanners locks up winbox access?

Strange. I manage quite a few routers and have yet to see this behavior. The only other thing I can think of is Winbox 3.18 was released at least in part to resolve an issue with failed logins. I'm betting you're already on 3.18 though.
by tippenring
Tue Oct 23, 2018 3:59 pm
Forum: General
Topic: Advanced IP scanners locks up winbox access?
Replies: 7
Views: 636

Re: Advanced IP scanners locks up winbox access?

Are you using RADIUS perhaps?
by tippenring
Thu Oct 18, 2018 5:41 pm
Forum: General
Topic: Unable to login
Replies: 5
Views: 482

Re: Unable to login

I'd suggest posting your firewall config. If you have some kind of blacklisting set of rules, you could very well be hitting them and blocking your own access after a few packets. That's just a thought off the top of my head.
by tippenring
Thu Oct 18, 2018 5:09 pm
Forum: General
Topic: libssh exploit, is Mikrotik affected?
Replies: 5
Views: 948

Re: libssh exploit, is Mikrotik affected?

Is Mikrotik affected by the libssh bug described here? https://arstechnica.com/information-technology/2018/10/bug-in-libssh-makes-it-amazingly-easy-for-hackers-to-gain-root-access/ I am not sure if libssh is used under the hood, it would be great to know one way or the other. Thanks Thanks for aski...
by tippenring
Wed Oct 17, 2018 5:36 pm
Forum: General
Topic: Unable to login
Replies: 5
Views: 482

Re: Unable to login

Good morning, some devices with the 6.43.2 software do not allow me to login. The credentials are correct, in case of error I receive the error "Authentication failed", instead with the right user/pass the process goes into timeout. The problem occurs both with the Winbox, with the telnet and with ...
by tippenring
Thu Oct 11, 2018 4:39 pm
Forum: General
Topic: Can my ISP access my Mikrotik Router and make changes?
Replies: 7
Views: 716

Re: Can my ISP access my Mikrotik Router and make changes?

So you mean they have some exploit in the device that they could gain access anytime?
Depending on your software version, yes, that is correct. See https://blog.mikrotik.com/security/winb ... ility.html

Also, it's a good idea to monitor https://blog.mikrotik.com/security/
by tippenring
Wed Oct 03, 2018 4:07 pm
Forum: General
Topic: Router won't install update
Replies: 7
Views: 1485

Re: Router won't install update

As Nescafe mentioned, the log will *probably* tell you why it didn't upgrade. I suspect that's why he asked what other files are on the file system. If you have other packages of a different version, the upgrade may fail.
by tippenring
Mon Oct 01, 2018 9:00 pm
Forum: General
Topic: Winbox Protocol Dissector
Replies: 2
Views: 438

Re: Winbox Protocol Dissector

I loaded up the dissector and captured a small bit of traffic. My understanding from the Cisco article is that it will only work on unencrypted sessions. I believe all newer versions of Winbox use encryption, and my small capture didn't seem to have any readable data. I spent less than 5 minutes try...
by tippenring
Fri Sep 28, 2018 10:38 pm
Forum: Wireless Networking
Topic: Spambots
Replies: 12
Views: 4040

Re: Spambots

by tippenring
Thu Sep 27, 2018 12:45 am
Forum: Beginner Basics
Topic: Router Sending Spam
Replies: 7
Views: 1752

Re: Router Sending Spam

In addition to disabling the proxy and socks services, you need to change all passwords (and ideally usernames) for the router as well. Otherwise the attackers will probably log back in and turn on the socks and proxy services again. add action=add-src-to-address-list address-list="port scanners" \ ...
by tippenring
Tue Sep 25, 2018 5:28 pm
Forum: Beginner Basics
Topic: Site to Site IPSec between two Mikrotik Routers
Replies: 7
Views: 759

Re: Site to Site IPSec between two Mikrotik Routers

Glancing over your screenshots, it looks about right for the IPSec. I'd tell you to make sure you exclude the subnets from masquerade or dst-nat, but you aren't getting that far yet.

Can your routers reach each other at all? It looks like they can't.
by tippenring
Tue Sep 25, 2018 5:01 pm
Forum: Beginner Basics
Topic: How to Monitor specific Ip
Replies: 5
Views: 624

Re: How to Monitor specific Ip

Well if this is a site that contains only one host IP it's easy, but if it is something like facebook, with multiple hosts, just mark the connection and then create a log rule on firewall over this connection mark, like so: /ip firewall mangle add chain=forward action=mark-connection new-connection...
by tippenring
Fri Sep 14, 2018 9:47 pm
Forum: Beginner Basics
Topic: How do I connect to IP 0.0.0.0?
Replies: 13
Views: 5313

Re: How do I connect to IP 0.0.0.0?

There it is again. Mention of IPv6. Often times, when I hear about IPv6, someone is saying something about network problems disappearing. I work for a small company with a network of less than 255 devices. I'm having that 0.0.0.0 problem, myself. Would it be worth it to migrate to IPv6? What are th...
by tippenring
Fri Sep 14, 2018 9:38 pm
Forum: General
Topic: DNS Server TTL problem
Replies: 14
Views: 1247

Re: DNS Server TTL problem

@tippenring: I'm not admin of RB trying to outsmart DNS domain admin, @alli is.
Dang it. Sorry about that. I don't know why I didn't notice you were not the OP. I read your reply from the context of the OP. No wonder it didn't make sense to me. :-)
by tippenring
Fri Sep 14, 2018 9:35 pm
Forum: General
Topic: Power outage causes specific sites to be blocked
Replies: 11
Views: 696

Re: Power outage causes specific sites to be blocked

I don't think that is the issue. But it is a great idea. Our 2 CCR in the area are not parallel. They are actually 150 miles apart. We have a layer 3 switch on the mountaintop separating them with OSPF. We don't use ICMP redirects at all. It looks like this Frontier fiber-----Blanding CCR ------ Ab...
by tippenring
Fri Sep 14, 2018 8:12 pm
Forum: General
Topic: Can't Log in After Upgrade
Replies: 21
Views: 4028

Re: Can't Log in After Upgrade

I'm not a mikrotik master, but I have enough brains to change my credentials after hacking.
Have you tried Winbox 3.18? There's a potential fix there. I just realized you aren't the OP. The OP tried 3.18, but you haven't said you tried it.
by tippenring
Fri Sep 14, 2018 5:52 pm
Forum: General
Topic: Can't Log in After Upgrade
Replies: 21
Views: 4028

Re: Can't Log in After Upgrade

RB3011 running 6.40.9, 2 days ago received "wrong username or password" in winbox. User is not "admin", password is strong enough. LCD touch was disabled. A crack - I think, then netinstall, 6.43, total reconfig (had no backups)... and today I received the same message "wrong username or password". ...
by tippenring
Fri Sep 14, 2018 5:49 pm
Forum: Beginner Basics
Topic: Can't access webfig on WAN
Replies: 10
Views: 2208

Re: Can't access webfig on WAN

When a router is defaulted, it normally has a set default config which includes firewall rules. When you first connect, you have the option to retain the config or start clean. I'd have to think you chose to start clean. If you are running pre-6.40.8 or pre-6.42.1, someone may have already hijacked ...
by tippenring
Fri Sep 14, 2018 5:07 pm
Forum: General
Topic: block multicast traffic
Replies: 2
Views: 2395

Re: block multicast traffic

/ip firewall filter
  add action=drop chain=input dst-address-type=multicast
by tippenring
Thu Sep 13, 2018 6:52 pm
Forum: General
Topic: DNS Server TTL problem
Replies: 14
Views: 1247

Re: DNS Server TTL problem

It is up to domain administrator to decide how long TTL is the best one for her domain. If she has really good reason for setting short TTL then it's probably counter-productive if caching DNS server administrator (e.g. @alli) tries to out-smart her. Because it's quite probable that caching DNS adm...
by tippenring
Thu Sep 13, 2018 6:27 pm
Forum: General
Topic: Power outage causes specific sites to be blocked
Replies: 11
Views: 696

Re: Power outage causes specific sites to be blocked

Here's a different possible cause to look at. I believe you've described your network as having two parallel border CCR routers. Is that correct? If so, when the power returns, could one router be the default gateway for your network, but actually be routing the traffic to the other border router (a...
by tippenring
Wed Sep 12, 2018 4:46 am
Forum: General
Topic: Power outage causes specific sites to be blocked
Replies: 11
Views: 696

Re: Power outage causes specific sites to be blocked

I'll take a look and post them without sensitive configs. Too bad I can't use the Mikrotik auto remove sensitive on saved backups.
You don't necessarily need to post them. Just load the before and after in notepad++ and do a compare.
by tippenring
Wed Sep 12, 2018 4:25 am
Forum: General
Topic: Power outage causes specific sites to be blocked
Replies: 11
Views: 696

Re: Power outage causes specific sites to be blocked

Right now we are using the CCR that was causing the issue to pass traffic. The only thing that changed to get it to start working was to restore a config file from before the power outage.
What was different between the two configs? That's an easy thing to look at.
by tippenring
Wed Sep 12, 2018 3:57 am
Forum: General
Topic: RouterOS ISP identifier
Replies: 10
Views: 685

Re: RouterOS ISP identifier

I'm pretty rusty on internet records, but I'm thinking what you're looking for might be PTR DNS records, which your ISP has to set up. Either that, or the IP block you have needs to be updated with your RIR. I believe your upstream should be able to do that also. I'm sure someone will come along shortly t...
by tippenring
Tue Sep 11, 2018 1:12 am
Forum: General
Topic: DMZ like firewalls on Mikrotik [SOLVED]
Replies: 11
Views: 1532

Re: DMZ like firewalls on Mikrotik [SOLVED]

Similarly, our standard starting config contains an address list named whitelist.mgmt where we designate any management subnets. The first rule of the firewall permits the management traffic. The second removes all the default firewall rules, then the rest of our standard ruleset is pasted in. /ip f...
by tippenring
Mon Sep 10, 2018 6:36 am
Forum: Beginner Basics
Topic: UDP Broadcast from my Windows Server [SOLVED]
Replies: 6
Views: 605

Re: UDP Broadcast from my Windows Server [SOLVED]

If you use Winbox to connect to the router via MAC address rather than IP, Winbox sends the packets to the IP broadcast address of the subnet on that UDP port.

https://wiki.mikrotik.com/wiki/Manual:I ... _and_ports
by tippenring
Fri Sep 07, 2018 1:14 am
Forum: General
Topic: Windows 2016 DC requesting lots of IPs from DHCP?
Replies: 6
Views: 501

Re: Windows 2016 DC requesting lots of IPs from DHCP?

If an IP in the DHCP range is in-use but the DHCP server has no lease for it, Mikrotik will mark it as in-use and try the next IP. Microsoft will give out the in-use IP. Example: Client buys a payment terminal, printer or whatever. The vendor plugs it in, the device gets a dynamic IP. Vendor goes a...
by tippenring
Thu Sep 06, 2018 10:12 pm
Forum: General
Topic: Windows 2016 DC requesting lots of IPs from DHCP?
Replies: 6
Views: 501

Re: Windows 2016 DC requesting lots of IPs from DHCP?

Why wouldn't you let your DCs be the DHCP server rather than the router? You have redundancy with 2 DCs.
by tippenring
Thu Sep 06, 2018 10:11 pm
Forum: General
Topic: Windows 2016 DC requesting lots of IPs from DHCP?
Replies: 6
Views: 501

Re: Windows 2016 DC requesting lots of IPs from DHCP?

... and for proxy-arps which pass packets from one subnet to another and "eat" DHCP IPs. proxy-arp is my thought as well. Probably at the vmware level. Your Windows server NIC is a virtual NIC. It isn't physically connected to the LAN. However, your physical host is. Its virtual switch is connec...
by tippenring
Thu Sep 06, 2018 4:13 pm
Forum: General
Topic: Mikrotik output traffic to the 25 port
Replies: 6
Views: 373

Re: Mikrotik output traffic to the 25 port

so just disable it and that's all, or smth more needed?) thanks Maybe. If you haven't changed the credentials (all of them) for the router, then an attacker still has your user list. If you disable your firewall rules preventing access from the internet, they'll log in again and set it up again. It...
by tippenring
Thu Aug 30, 2018 4:20 pm
Forum: Beginner Basics
Topic: RB3011UiAS Password was changed?
Replies: 10
Views: 793

Re: RB3011UiAS Password was changed?

Yes :(
No. Or "not necessarily" anyway.
And how do you log in with a lost password??

Sent from Tapatalk
I'll bet he/she was alluding that the OP may have a version susceptible to the credential theft bug, so the OP could simply download their creds from the router in clear text and log in.
by tippenring
Thu Aug 30, 2018 4:11 pm
Forum: Beginner Basics
Topic: RB3011UiAS Password was changed?
Replies: 10
Views: 793

Re: RB3011UiAS Password was changed?

I never understand the big deal of these "lost access" posts. Why not wipe, reinstall, and restore your backup? It takes just a few minutes.
by tippenring
Tue Aug 28, 2018 6:37 am
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 191
Views: 24434

Re: Blacklist Filter (Development Topic)

Dave, Still very interested in learning how to setup a honeypot to collect addresses. Even if you are not to the point to accept other people's honeypot lists, could you do a brief write up to teach us the best way to setup a honeypot? Thanks! Here are a couple of Honeypot projects from my notes. I...
by tippenring
Tue Aug 28, 2018 6:34 am
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 191
Views: 24434

Re: Blacklist Filter (Development Topic)

Unfortunately, I don't have IPv6 yet. The system is designed for it, but I have no routers in IPv6 networks that I can test with. My home internet supports it, but it's so unstable, I don't bother with it. Have you seen HE's free IPv6 tunnel https://tunnelbroker.net/? I've had one up for nearly a y...
by tippenring
Sun Aug 26, 2018 6:13 am
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 191
Views: 24434

Re: Blacklist Filter (Development Topic)

Please keep up the great work. I've been running the BL on my home router as an experiment for a few weeks now. No trouble so far here. I would be interested in assisting with dev if I can. I'm not sure what I could do to help though. I'm not a good coder (unless my years-ago basic and quickbasic co...
by tippenring
Thu Aug 23, 2018 10:53 pm
Forum: General
Topic: Sofware VLAN/Bridge on RuterOS explained.
Replies: 59
Views: 15429

Re: Sofware VLAN/Bridge on RuterOS explained.

I just want to comment to thank you both. I'm thoroughly enjoying this discussion.

I too have been plagued by the variables of interface, bridge, vlan, and switch configurations when implementing VLANs. This discussion is definitely helping me understand it better.
by tippenring
Thu Aug 23, 2018 5:03 pm
Forum: General
Topic: LHG 60 project in Hawaii
Replies: 98
Views: 20049

Re: LHG 60 project in Hawaii

Waiting for the rain to test the MikroTik LHG 60G over a 1473.16m link... Hurricane LANE will be here in a day or two.
I'll be waiting to see your findings. Be safe!
by tippenring
Thu Aug 23, 2018 4:44 pm
Forum: Beginner Basics
Topic: Error:could not connect to 192.168.15.1
Replies: 4
Views: 9572

Re: Error:could not connect to 192.168.15.1

I noticed that the winbox port has changed ...
what can be the reason?
Presumably you or someone else has control of your router and changed the winbox port. Consider changing the credentials. It wouldn't hurt to netinstall and reconfigure, just in case.
by tippenring
Tue Aug 14, 2018 1:26 am
Forum: General
Topic: Forced routing with UTM connected both ends to Mikrotik
Replies: 7
Views: 672

Re: Forced routing with UTM connected both ends to Mikrotik

Thanks, the traffic inside the wire that would be connected to the UTM is tagged VLANs and from what I know it doesn't support VLANs (Sophos). And in real config there will be two UTMs daisy chained (client request), and I don't even know what the second one is. So I assume it will not work. Or am ...
by tippenring
Mon Aug 13, 2018 4:52 pm
Forum: Beginner Basics
Topic: google captcha after installing mikrotik
Replies: 4
Views: 968

Re: google captcha after installing mikrotik

Hi all, I just finished installing a rb750GR-3, running a CAPsMAN with 2 AP's. Default firewall rules. I now get a captcha popup whenever I search on google. It reads: Our systems have detected unusual traffic from your computer network. I've attached a screenshot of the popup. Any help would be gre...
by tippenring
Mon Aug 13, 2018 8:14 am
Forum: General
Topic: Forced routing with UTM connected both ends to Mikrotik
Replies: 7
Views: 672

Re: Forced routing with UTM connected both ends to Mikrotik

If the UTM is in bridge mode, why not simply connect it in-line with one of the ethernet ports?
by tippenring
Fri Aug 10, 2018 5:02 pm
Forum: Beginner Basics
Topic: Open Ports
Replies: 7
Views: 826

Re: Open Ports

I used to scan the network from LAN and in results had open just 2 ports (DNS for example and mikrotik winbox); now when I scan the network from inside (I'm scanning the WAN interface btw, not LAN) I have tons of open ports.... don't have Avast installed anywhere though Yes, you have Avast installed somewhere. ...
by tippenring
Wed Aug 08, 2018 9:35 pm
Forum: General
Topic: Do not open port tcp/23 to your device from internet you will be hacked
Replies: 6
Views: 989

Re: Do not open port tcp/23 to your device from internet you will be hacked

This isn't really a surprise for most people.
I am not surprised by the number of the attack, but that its >95% on tcp/23.
I expect the rest of the ports getting pinged are dropped further up in the firewall chain, so not being reported.
by tippenring
Wed Aug 08, 2018 9:28 pm
Forum: General
Topic: Line by line config restore from 6.34 to 6.42 firmware
Replies: 16
Views: 1077

Re: Line by line config restore from 6.34 to 6.42 firmware

there are not any MAC Addresses in my export rsc file so not really sure what you're talking about... sorry If there are no MAC addresses, then restore the whole config to your backup router and test. I personally prefer to either SSH or open a terminal in Winbox and paste a config by hand. That wa...
by tippenring
Wed Aug 08, 2018 9:24 pm
Forum: Beginner Basics
Topic: Please help me get my network in order
Replies: 7
Views: 757

Re: Please help me get my network in order

I can only give you advice on the MikroTik-part of your network. What you should do: Reset the MikroTik-devices, with no default configuration Access the MikroTik using Winbox and Mac-address Create a new bridge, containing all interfaces (ethernet and wireless) Depending on your need, either confi...
by tippenring
Wed Aug 08, 2018 7:12 pm
Forum: General
Topic: Line by line config restore from 6.34 to 6.42 firmware
Replies: 16
Views: 1077

Re: Line by line config restore from 6.34 to 6.42 firmware

I think you're working way too hard at this. /interface ethernet set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=4074 loop-protect=o...
by tippenring
Wed Aug 08, 2018 1:19 am
Forum: General
Topic: Backround upload traffic from google ips 172.217.x.x is saturating my upload speed
Replies: 7
Views: 551

Re: Backround upload traffic from google ips 172.217.x.x is saturating my upload speed

Maybe I have read too many "help! my users are actually making traffic! I want to block block block!" topics...
I definitely share your frustration with the "Help! Someone please do all my network engineering for free! URGENT!!!" :-)
by tippenring
Tue Aug 07, 2018 9:10 pm
Forum: General
Topic: Backround upload traffic from google ips 172.217.x.x is saturating my upload speed
Replies: 7
Views: 551

Re: Backround upload traffic from google ips 172.217.x.x is saturating my upload speed

Also consider dropping from the business and finding another way to earn money.
That seems a bit harsh. This could be an opportunity for the OP to learn about traffic management.
by tippenring
Tue Aug 07, 2018 5:04 pm
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 191
Views: 24434

Re: Blacklist Filter (Development Topic)

If anyone wants to help out more, I need more routers to report some stats to the server. This is part of the health monitoring and alerting system. If you paste the code into a terminal window, it will setup the script and start reporting. Running on my home router. Do you really want it reporting...
by tippenring
Tue Aug 07, 2018 7:12 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 87716

Re: Winbox vulnerability: please upgrade

Tippenring.

I was agreeing with you. The logs were proof that 2 different attackers had the password from before the upgrade
I misunderstood your post. My apologies.
by tippenring
Tue Aug 07, 2018 1:12 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 87716

Re: Winbox vulnerability: please upgrade

When they updated they didn't change the password. No, the attacker didn't change the password. If he did, that would give away that the router had been compromised. The attacker didn't want you to know he had the admin password for the router. So, you upgraded software, but did not change the pass...
by tippenring
Mon Aug 06, 2018 10:48 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 87716

Re: Winbox vulnerability: please upgrade

Is there any more detailed information than the old blog post? I've seen numerous routers running 6.40.8 bugfix get compromised in the last few days. Winbox was externally accessible. On Friday I updated a couple older routers that had not yet been compromised that weren't on 6.40.8 to 6.40.8, only ...
by tippenring
Thu Aug 02, 2018 6:40 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 87716

Re: Winbox vulnerability: please upgrade

On forum posts if the subject line doesn't interest me, I would never read it. It is like: I do not like this song as I have never listened to it earlier and the title is boring me. :D lol. Nice try, but the analogy is weak. A song can be in the background and doesn't consume any time. This forum i...
by tippenring
Thu Aug 02, 2018 4:42 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 329
Views: 87716

Re: Winbox vulnerability: please upgrade

@normis, hey can you get this on the blog? I'd like the see any complainers cut off at the pass that this announcement didn't end up in the right spots. I'm with @Samot. If it's worth a forum post, it's worth posting a similar update to the blog. As soon as the blog was announced I added it to my i...
by tippenring
Wed Aug 01, 2018 7:34 am
Forum: Beginner Basics
Topic: Not able to log in [SOLVED]
Replies: 5
Views: 695

Re: Not able to log in [SOLVED]

RouterBoard OS 6.35.2

I wonder if your device did not maybe get hacked!
why do you say that...? and how can i check?
A search of this forum before yet another post about how "I've been pwned" would do you wonders.
by tippenring
Mon Jul 30, 2018 6:05 pm
Forum: General
Topic: IPsec setting help pls!!
Replies: 10
Views: 610

Re: IPsec setting help pls!!

Router AB /ip firewall filter add chain=forward action=accept place-before=1 src-address=10.1.101.0/24 dst-address=10.1.202.0/24 connection-state=established,related add chain=forward action=accept place-before=1 src-address=10.1.202.0/24 dst-address=10.1.101.0/24 connection-state=established,relat...
by tippenring
Fri Jul 27, 2018 7:57 pm
Forum: General
Topic: 185.153.198.228 Has been BUSY
Replies: 9
Views: 1061

Re: 185.153.198.228 Has been BUSY

Anyone ever write a good tool for 3 failed winbox log in attempts from one address, and we can add them to an address list??? Here's my typical blacklist firewall config. Generally we don't permit any admin connections from the internet other than known management networks. This is used in any case...
by tippenring
Mon Jul 23, 2018 7:24 pm
Forum: General
Topic: IKEv2 VPN + Radius + EAP-TLS - why does the radius certificate have to be installed on the router?
Replies: 5
Views: 1273

Re: IKEv2 VPN + Radius + EAP-TLS - why does the radius certificate have to be installed on the router?

Hi all, I have successfully configured routeros to allow VPN clients to connect via IKEv2, backed with radius, and authenticating using EAP-TLS (no passwords). The config is below. What I discovered is that this configuration would only work if I took the private key and certificate of our radius s...
by tippenring
Fri Jul 20, 2018 1:24 am
Forum: General
Topic: .npk files auto deleted
Replies: 18
Views: 2219

Re: .npk files auto deleted

Have you tried netinstall? Or is the affected box also too high and/or far to do that?
I understand netinstall doesn't work if the device is >50 ft off the ground. Does anyone have the support ticket # for that issue? :-)
by tippenring
Tue Jul 17, 2018 5:15 pm
Forum: General
Topic: ssl cert error
Replies: 4
Views: 631

Re: ssl cert error

CRL is the cert revocation list. I'm guessing the CRL is perhaps signed by a cert which the router doesn't trust. You may need to import a different cert chain for it.
by tippenring
Wed Jul 11, 2018 4:26 pm
Forum: General
Topic: Connecting multiple networks. [SOLVED]
Replies: 29
Views: 3435

Re: Connecting class c networks. [SOLVED]

#1 computer (172.19.2.10) is on ether 2, it can ping to 172.19.2.1 (which is the ether 2 IP address). #2 computer (172.19.3.10) is on ether 3, it can ping to 172.19.3.1 (which is the ether 3 IP address). The two computers can not ping to each other. Unfortunately there are many unknowns in this cas...
by tippenring
Wed Jul 11, 2018 4:01 pm
Forum: General
Topic: Connecting multiple networks. [SOLVED]
Replies: 29
Views: 3435

Re: Connecting class c networks. [SOLVED]

What's next thing to do for routing?
It's a router. It always routes by default.
by tippenring
Wed Jun 27, 2018 4:52 pm
Forum: Beginner Basics
Topic: IPSEC Issues
Replies: 11
Views: 812

Re: IPSEC Issues

/ip firewall nat add action=accept chain=srcnat protocol=udp src-port=500,4500 place-before=0 add action=masquerade chain=srcnat out-interface=pppoe-out1 It sure looks like you're NATing the traffic that would be destined for the remote network. You need an accept rule to prevent NAT from happening...
by tippenring
Fri Jun 22, 2018 10:53 pm
Forum: General
Topic: Bridge VLAN Filtering
Replies: 22
Views: 6736

Re: Bridge VLAN Filtering

Also note that RB3011 is capable of VLAN switching on a hardware level, you can find an example how to set it up here: https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching#Other_devices_with_built-in_switch_chip Hello Artz. Could you possibly elaborate on the wiki URL you posted? /interface e...
by tippenring
Wed Jun 20, 2018 5:54 pm
Forum: General
Topic: ipsec tunnel working in 6.37.5, not working in 6.40.8
Replies: 12
Views: 2616

Re: ipsec tunnel working in 6.37.5, not working in 6.40.8

Hello, I have RB1200 in a company connecting to another location via ipsec tunnel, working well. After the vpnfilter etc bugs, I decided to upgrade to last bugfix release 6.40.8, and it completely broke the tunnel - although I am pretty sure I saw something like "established" in ipsec - remote peer...
by tippenring
Wed Jun 20, 2018 4:59 pm
Forum: General
Topic: bug persists after updating to 6.42.3
Replies: 14
Views: 6156

Re: bug persists after updating to 6.42.3

By Firewall Filter I did log for the attacker src address, so when he attacks my host, Mikrotik Server logs his Src address and (a) src Mac-Address. The src mac address logged in my Server log does not belong to me, That's all buddy. MAC addresses work only at the broadcast domain level (layer 2). No...
by tippenring
Wed Jun 20, 2018 4:39 pm
Forum: Announcements
Topic: Winbox v3.15 released!
Replies: 21
Views: 7088

Re: Winbox v3.15 released!

There are 2 annoying bugs since a long time ago: - In some computers, if you try to connect via MAC, it starts to load, then it disconnects, but it connects after you press "Reconnect" button. In my experience historically, this is caused by what appears to be a frame size limitation. If I connect b...
by tippenring
Wed Jun 20, 2018 4:35 pm
Forum: General
Topic: Ping >1500 timing out
Replies: 7
Views: 805

Re: Ping >1500 timing out

When you have don't fragment set to true, if you aren't getting ICMP fragmentation needed, then you most likely have a layer 2 problem. Layer 2 devices don't respond with ICMP messages. I didn't see what kind of radios you have, but I'm guessing they are bridging. I'm betting the wireless link itsel...
by tippenring
Sun May 20, 2018 5:49 pm
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5533

Re: I cant quite wrap my head around this one...

If ping delay really bothers you, then you might want to set up a queue (simple queue might do) on your RB to rate limit your VM backups to, say, 80% or 90% of your subscribed UL speed. This way most of time ISP's traffic shaper wouldn't touch your data packets including ICMP echo requests. This wo...
by tippenring
Fri May 18, 2018 11:44 pm
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5533

Re: I cant quite wrap my head around this one...

Thanks for your reply. Can anyone tell me how I do that? It's odd though - as I mentioned in my first post...this router came from my old house and nothing on the config changed when it was moved to the new house with a new line. I never had this issue before I moved house! I actually have a RB750G I...
by tippenring
Fri May 18, 2018 6:52 pm
Forum: General
Topic: some of ipsec tunels stopped working
Replies: 6
Views: 504

Re: some of ipsec tunels stopped working

I've noticed a recent change around 6.42. Previously, if one side was set to tunnel 10.10.0.0/24, and the other side was set for 10.0.0.0/16, the side with the /16 defined would accept the /24 proposal. Around 6.42, it seems that flexibility disappeared. Now both routers have to have matching subnet...
by tippenring
Wed May 16, 2018 4:23 pm
Forum: Announcements
Topic: Winbox 3.13 released!
Replies: 61
Views: 21400

Re: Winbox 3.13 released!

Still no signature checking or HTTPS... man in the middle can easily compromise administrator's PC.

https://i.imgur.com/TX7G9pq.gifv
Wow. Although relatively low risk, I can't think of a reason for not verifying the cert but laziness. Good thing I don't upgrade from Winbox I guess.
by tippenring
Wed May 16, 2018 4:17 pm
Forum: Announcements
Topic: Winbox 3.13 released!
Replies: 61
Views: 21400

Re: Winbox 3.13 released!

Great work ^^ It would be interesting if some day winbox would allow to save "a default view" with the customized configuration of columns, fields, views, etc ... and each time you enter a new routerOS imports automatically your personal "saved" configuration. You could add export / import between ...
by tippenring
Tue May 15, 2018 5:45 pm
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5533

Re: I cant quite wrap my head around this one...

High latency on a fiber connection is 150ms not 400ms that's just way too much and it doesn't happen when download/upload with original isp router. High latency is whatever increased delay happens as you approach 100% of the bandwidth limit. It might be 150ms worth of buffers, or it might be 500ms w...
by tippenring
Tue May 15, 2018 7:31 am
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5533

Re: I cant quite wrap my head around this one...

I don't see a problem. Uploading at the max bandwidth of 10Mbps will result in high latency. There are ways to adjust for it with custom queuing to reduce the high latency for desired traffic, such as ping for example. It will result in a slight, not very noticeable reduced upload speed for the big ...
by tippenring
Fri May 11, 2018 9:17 pm
Forum: General
Topic: Site to Site IPsec Tunnel
Replies: 28
Views: 7427

Re: Site to Site IPsec Tunnel

If you aren't getting phase 2 established, something doesn't match between the two peers. I always have this logging rule on standby to enable whenever I want to see what's going on: add disabled=yes prefix="IPSEC: " topics=ipsec,!packet If it helps, here's my starting template when setting up a sit...
by tippenring
Fri May 11, 2018 5:00 pm
Forum: General
Topic: Can route to internet but not between local Subnets
Replies: 10
Views: 713

Re: Can route to internet but not between local Subnets

You cannot route between subnets by default. That's the point of having different subnets, so the hosts can communicate with those on their subnet but not others. Those dynamic routes that are being made are for Internet access so those subnets can route out to the Internet. If you want 10.0.16.0/2...
by tippenring
Fri May 04, 2018 4:21 pm
Forum: General
Topic: Configuring RB2011 as VPN Remote Access Server
Replies: 3
Views: 550

Re: Configuring RB2011 as VPN Remote Access Server

Look into SSTP VPN, works great for me, very secure and uses certificates
I second this recommendation. I have several in production now. It's a very simple VPN to set up compared to IPSec client-type connections.
by tippenring
Thu Apr 26, 2018 11:12 pm
Forum: General
Topic: Solutions for cable 1.2km
Replies: 14
Views: 1196

Re: Solutions for cable 1.2km

True fiber is much safer in the case of lightning and other voltage surges, but the originally claimed problem of ground voltage differential due to loading is not a problem for ethernet. It should be able to withstand 1500V RMS or 2250 V DC. (not with the el-cheapo-PoE solution found in older Mikr...
by tippenring
Tue Apr 24, 2018 9:12 pm
Forum: General
Topic: Solutions for cable 1.2km
Replies: 14
Views: 1196

Re: Solutions for cable 1.2km

Besides the lightning, I'll add that copper between buildings can fall victim to ground potential differentials where the copper becomes a current-carrying electrical path for unequal ground voltage. That cannot happen with ethernet, it is isolated from the equipment using a transformer. The except...
by tippenring
Tue Apr 24, 2018 9:01 pm
Forum: General
Topic: 6.42 attacked??
Replies: 3
Views: 664

Re: 6.42 attacked??

You might want to follow this thread: viewtopic.php?p=655739#p655739
by tippenring
Wed Apr 18, 2018 9:05 pm
Forum: General
Topic: Fasttrack and route marked packets
Replies: 17
Views: 2394

Re: Fasttrack and route marked packets

@Sob and @sindy, with all due respect, I love watching you guys argue / "interfere" ;-) I learn so much from you guys, please continue
Fully agree with what @CZFan said.
by tippenring
Wed Apr 18, 2018 9:00 pm
Forum: General
Topic: Solutions for cable 1.2km
Replies: 14
Views: 1196

Re: Solutions for cable 1.2km

Besides the lightning, I'll add that copper between buildings can fall victim to ground potential differentials where the copper becomes a current-carrying electrical path for unequal ground voltage. It's not a good idea without real electrical engineering involved. Fiber is definitely the way to go.
by tippenring
Tue Apr 17, 2018 11:17 pm
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 57
Views: 152458

Re: Block Torrents & p2p Traffic 100% working on all versions

I am not an ISP. I manage a company network with BYOD policy.
Well that totally changes my opinion. :-) I thought you were an ISP.

In that case, you get to do whatever you want with the bandwidth that you provide to your employees.
by tippenring
Tue Apr 17, 2018 11:06 pm
Forum: General
Topic: Need HELP on L2TP/IPSEC on VPN
Replies: 14
Views: 1064

Re: Need HELP on L2TP/IPSEC on VPN

According to the log (which for some reason was sorted descending by time), phase 1 has succeeded. That's why I've suggested to remove the lifetime from the ph2 proposal.
I only glanced at the log. I hadn't noticed that. Good catch.
by tippenring
Tue Apr 17, 2018 10:57 pm
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 57
Views: 152458

Re: Block Torrents & p2p Traffic 100% working on all versions

I have 100mbps symmetrical. One or two clients doing BitTorrent with a few files to be shared are enough to eat 50+% of the available bandwidth. This is why I mind about p2p! I've managed networks for a few small ISPs over the years. I admit I don't know your environment at all, so I'm just making ...
by tippenring
Tue Apr 17, 2018 9:38 pm
Forum: General
Topic: Need HELP on L2TP/IPSEC on VPN
Replies: 14
Views: 1064

Re: Need HELP on L2TP/IPSEC on VPN

That's phase 2. What about the phase 1 proposals under IPSec > Peers? They all need to agree.

Also, on the IPSec Peer Advanced tab, set Proposal Check to Obey.

I assume you're testing, but don't leave the obsolete algorithms enabled when you're done. Especially null.
by tippenring
Tue Apr 17, 2018 9:26 pm
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 57
Views: 152458

Re: Block Torrents & p2p Traffic 100% working on all versions

Blocking can also be shaping (or queueing in mikrotik lingo). P2P traffic creates sustained loads in both directions and can be overkilling for most WANs. I cannot and don't want to tell legitimate from illegitimate content access: no sane net admin would. Being able to tell P2P traffic from other ...
by tippenring
Tue Apr 17, 2018 6:45 pm
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 57
Views: 152458

Re: Block Torrents & p2p Traffic 100% working on all versions

Hello from the US. Why would you want to block torrents? It is often legitimate traffic. Perhaps torrents are sometimes used to copy copyrighted content without appropriate license, but that is on the person making the illegal copy. The ISP cannot know if a torrent is legal or illegal without confro...
by tippenring
Tue Apr 17, 2018 6:32 pm
Forum: General
Topic: MikroTik 6.41.4 - FTP daemon Denial of Service PoC
Replies: 25
Views: 1740

Re: MikroTik 6.41.4 - FTP daemon Denial of Service PoC

I wish I had time to write a longer reply, but no one would read it anyway. Just like the world population, there is no black and white when it comes to vuln discovery and reporting. Each of us has our personal opinions on the matter, and they won't agree with others. Industry has generally come up ...
by tippenring
Tue Apr 17, 2018 6:06 pm
Forum: General
Topic: Need HELP on L2TP/IPSEC on VPN
Replies: 14
Views: 1064

Re: Need HELP on L2TP/IPSEC on VPN

If I'm reading your debug correctly, you're offering 3DES and 3DES/SHA1. You should be using the AES family anyway. DES, 3DES, and MD5 are deprecated.
by tippenring
Tue Apr 17, 2018 6:05 pm
Forum: General
Topic: Need HELP on L2TP/IPSEC on VPN
Replies: 14
Views: 1064

Re: Need HELP on L2TP/IPSEC on VPN

Yes. Your router and the far end device have to agree on encryption algorithms. Whatever your router is offering is not being accepted by the peer. Enable more algorithms until a proposal is chosen.
by tippenring
Mon Apr 16, 2018 10:30 pm
Forum: General
Topic: Blocking an IP range from accessing IPsec
Replies: 4
Views: 939

Re: Blocking an IP range from accessing IPsec

To expand on HzMeister's firewall example, here is part of my standard firewall rules addressing unsolicited incoming traffic. What I like about this set of rules is I can apply it to any protocols and port(s) that I wish. I found the basic example for blacklisting some time ago I believe on the MT ...
by tippenring
Mon Apr 16, 2018 10:13 pm
Forum: General
Topic: IPsec VPN issue Cisco ASA and Mikrotik Router
Replies: 2
Views: 409

Re: IPsec VPN issue Cisco ASA and Mikrotik Router

I have quite a few MT to ASA tunnels in production, including one from my office (CCR1009 on 6.38.3) to an ASA 5515. Once the configs match up, I don't have any stability problems with any tunnels. On the Cisco, your debug commands are "debug crypto ipsec sa" and "debug crypto isa". You also will wa...
by tippenring
Tue Apr 10, 2018 6:02 pm
Forum: General
Topic: IPsec tunnel doesn't reestablish [SOLVED]
Replies: 4
Views: 447

Re: IPsec tunnel doesn't reestablish [SOLVED]

/system logging
add disabled=no prefix="IPSEC: " topics=ipsec,!packet
by tippenring
Mon Apr 09, 2018 6:44 pm
Forum: General
Topic: Sniffer capture split into multiple files
Replies: 7
Views: 560

Re: Sniffer capture split into multiple files

I think the point the previous posters are trying to make is you can stream it to Wireshark (or tcpdump) and have Wireshark save the files and split the captures for you while it is capturing. That's how I would do it. AFAIK RouterOS does not do what you're wanting.
by tippenring
Thu Apr 05, 2018 6:30 pm
Forum: General
Topic: DHCP Client
Replies: 8
Views: 1725

Re: DHCP Client

Thanks again! I found something interesting, maybe this could be the culprit... I imported the same config on another mikrotik I have here and I put the WAN port on a simple SOHO Asus router, where I set 120sec lease time (that's the minimum for him) and I saw that the router renews the IP at 1 minu...
by tippenring
Thu Apr 05, 2018 5:59 pm
Forum: General
Topic: CCR1009-8G-1S-1S+ keeps crashing
Replies: 6
Views: 498

Re: CCR1009-8G-1S-1S+ keeps crashing

Firewall rule 1 permits ICMP from address list GostLAN to AdminLAN. Firewall rule 2 permits all ICMP. Therefore, rule 1 is not necessary unless you want a separate counter for that traffic. In the end, there are a few input rules limiting some traffic to the router (address list GostLAN drops connec...
by tippenring
Thu Apr 05, 2018 5:49 pm
Forum: General
Topic: DHCP Client
Replies: 8
Views: 1725

Re: DHCP Client

Basically if it would be (please correct me if I'm incorrect) a firewall rule problem, this would occur on every dhcp release/renew right? But this happens randomly (like in the 2 last days they had 3 times this problem, before no one said anything but maybe they just didn't "see" the problem). "Mak...
by tippenring
Thu Apr 05, 2018 4:33 pm
Forum: General
Topic: DHCP Client
Replies: 8
Views: 1725

Re: DHCP Client

Dear MikroTik Community, I'd like to ask if someone else encounters this problem with the newest RouterOS version: dhcp client ("WAN" port) "loses" IP. My router: MikroTik hEX 6.41.3 The log says: dhcp,critical,error dhcp-client on WAN-ETH1 lost IP address X.X.X.X received NAK from dhcp server 0.0...
by tippenring
Wed Apr 04, 2018 4:54 pm
Forum: General
Topic: Most abusing IPs ... thread more for ISPs than average Users
Replies: 4
Views: 541

Re: Most abusing IPs ... thread more for ISPs than average Users

I have a similar problem, user from France keep trying to get into my IP PBX system. I reported the IP on abuse sites, also contacted the owners of the IP block a couple of times, and their response is services disabled only to find the user is coming again but from a different IP in the same IP bl...
by tippenring
Wed Apr 04, 2018 1:21 am
Forum: General
Topic: MNDP "Hack" - Is This A Bug Or Not?
Replies: 10
Views: 1149

Re: MNDP "Hack" - Is This A Bug Or Not?

While I am happy to accept those suggestions relating to firewall rules there does seem to be a hint of ignoring the root problem. After all neighbour discovery is exactly that - not for discovering devices halfway around the world!! I simply do not see this as a problem. A standard firewall config...
by tippenring
Tue Apr 03, 2018 9:52 pm
Forum: General
Topic: MNDP "Hack" - Is This A Bug Or Not?
Replies: 10
Views: 1149

Re: MNDP "Hack" - Is This A Bug Or Not?

I don't see a particular threat here. As was already pointed out, consumer-class gear is already firewalled, and commercial-class gear should have qualified people that understand networking configuring them. Sure, Mikrotik could require MNDP to accept only broadcast. There are some benefits to allo...
by tippenring
Tue Apr 03, 2018 9:29 pm
Forum: General
Topic: MNDP "Hack" - Is This A Bug Or Not?
Replies: 10
Views: 1149

Re: MNDP "Hack" - Is This A Bug Or Not?

What would you have Mikrotik change about MNDP's behavior? Requiring authentication of some kind is counter to the purpose of MNDP. Every practical administrator will apply a set of firewall rules to protect appropriate interfaces and set discovery to disabled because it's best practice. I have a st...
by tippenring
Tue Apr 03, 2018 6:29 pm
Forum: General
Topic: RB2011UiAS-2HnD-IN and unmanaged switch
Replies: 6
Views: 721

Re: RB2011UiAS-2HnD-IN and unmanaged switch

Even if the switch was so very old that it would not automatically choose between MDI and MDI-X...
MDI/MDIX is no doubt the problem. Make a crossover patch cable and you'll be good.
by tippenring
Sun Apr 01, 2018 9:13 am
Forum: Announcements
Topic: Urgent security advisory
Replies: 110
Views: 88880

Re: Urgent security advisory

You are mixing up two different topics! Botnet is discussed here. It's more than related: since "the botnet issue" has started we detected malicious activity on our Mikrotiks. I tend to think that you have detected malicious activity unrelated to the botnet issue discussed in this post. An SMB vuln...
by tippenring
Sun Apr 01, 2018 4:18 am
Forum: General
Topic: hAP ac² noisy when using WiFi [SOLVED]
Replies: 21
Views: 2876

Re: hAP ac² noisy when using WiFi [SOLVED]

If you can hear it, it's in a relatively low frequency as far as electronics go, and probably coming from the dc/dc circuitry. Put your ear next to all the electronics you have(and/or their power supplies) and you will most likely hear something in all of them. It doesn't make a difference in perfo...
by tippenring
Tue Mar 27, 2018 9:52 pm
Forum: General
Topic: Firewall doesn't block IP ?
Replies: 12
Views: 1085

Re: Firewall doesn't block IP ?

Someone correct me if I'm wrong, but I see no evidence so far that the 5Mbps of inbound traffic is not destined for an internal host. Check IP > Firewall > Connections for a traffic flow being initiated by an internal host to that IP. If not, then you may be receiving DoS traffic. The 459kbps outbou...
by tippenring
Fri Mar 23, 2018 11:34 pm
Forum: General
Topic: Thank you for the great Cable Test feature!
Replies: 5
Views: 844

Re: Thank you for the great Cable Test feature!

I find the packet sniffer streaming works great. Not quite port mirroring, but close enough for what I need.
by tippenring
Fri Mar 23, 2018 5:37 pm
Forum: General
Topic: Lost connection to multiple LHG units [SOLVED]
Replies: 25
Views: 2485

Re: Lost connection to multiple LHG units [SOLVED]

It sounds like your customers devices were completely exposed to the internet then. Someone probably just brute-forced their way in would be my guess.

I'd suggest you consider retaining connection logs at your border device. It gives you something to review during root cause analysis.
by tippenring
Fri Mar 23, 2018 5:15 pm
Forum: General
Topic: Lost connection to multiple LHG units [SOLVED]
Replies: 25
Views: 2485

Re: Lost connection to multiple LHG units [SOLVED]

I would be curious to see your previous firewall rules to see if there is any obvious weakness.
by tippenring
Thu Mar 22, 2018 3:21 pm
Forum: General
Topic: Queue tree problm
Replies: 14
Views: 937

Re: Queue tree problm

I want that gradeE go at full speed 2.4M when there is no traffic from high priority queues, but go at 1M (and not less than it) when high priority queues have traffic. For example I like to see 1M for gradeE and 19M to gradeD! If you had a single traffic flow, I would expect to see closer to 100%....
by tippenring
Thu Mar 22, 2018 12:29 am
Forum: General
Topic: Queue tree problm
Replies: 14
Views: 937

Re: Queue tree problm

Hi, thanks for your reply. I use httpBig to mark http packets that are not http surfing, so httpBig is http download (so are http connections (port 80,443) with Connection Bytes: 4M-0 and Connection Rate: 200k-100M). allRest is all the rest of traffic not marked with mangle and gemlan is a hotspot n...
by tippenring
Thu Mar 22, 2018 12:22 am
Forum: General
Topic: Lost connection to multiple LHG units [SOLVED]
Replies: 25
Views: 2485

Re: Lost connection to multiple LHG units [SOLVED]

I don't know how to erase firmware, so I can't begin to guess what happened. Perhaps one of your management hosts is/was compromised. Another possibility would be an as-yet-undiscovered vulnerability since it only occurred on routers with public IPs. I have perhaps 100 MT routers with public IPs and...
by tippenring
Wed Mar 21, 2018 4:53 pm
Forum: General
Topic: Lost connection to multiple LHG units [SOLVED]
Replies: 25
Views: 2485

Re: Lost connection to multiple LHG units [SOLVED]

Most people that think they have a "secure" network do not. I see this all the time. As far as the question of how did this happen, it will be easier to determine once you have done some investigation. Right now, how it happened has many answers. Do you have remote management of the devices at the c...
by tippenring
Wed Mar 21, 2018 4:16 pm
Forum: General
Topic: Queue tree problm
Replies: 14
Views: 937

Re: Queue tree problm

I also tend to agree that your throughput looks to be about what I would expect, but for a different reason. The grade D says big HTTP. I'm not sure what type of traffic you classify as grade D, but if the packets all tend to be 1500 bytes (or near MTU in size), your 98.5% circuit congestion (19.7M/...
by tippenring
Wed Mar 21, 2018 4:01 pm
Forum: General
Topic: Problems with Safe Mode [SOLVED]
Replies: 3
Views: 592

Re: Problems with Safe Mode [SOLVED]

In the top right of the firewall filter rules window, click the dropdown and select "all." As far as safe mode, my experience is safe mode in the GUI vs the terminal do not work together. Clicking on safe mode in the GUI, then editing the config in a terminal window will result in the terminal windo...
by tippenring
Tue Mar 20, 2018 5:11 pm
Forum: General
Topic: CCR1009-7G-1C No buffer space available
Replies: 23
Views: 2403

Re: CCR1009-7G-1C No buffer space available

That is not the case. PPPoE does not use ARP, route cache can be leaked from something else. Generate supout file and send to support.
Good point. ARP only occurs on broadcast interfaces. PPPoE would not be a broadcast. Thanks for the correction.
by tippenring
Tue Mar 20, 2018 5:09 pm
Forum: General
Topic: Lost connection to multiple LHG units [SOLVED]
Replies: 25
Views: 2485

Re: Lost connection to multiple SXT units [SOLVED]

there is no wifi signal either, most of them LHG and all of them same problem... bios seems lost. we copy one of LHG bios and transfer it to broken one and it worked. but now the licence has problem, device worked and telling there is no licence. and another problem all mac same with copied one. J...
by tippenring
Tue Mar 20, 2018 4:17 pm
Forum: General
Topic: CCR1009-7G-1C No buffer space available
Replies: 23
Views: 2403

Re: CCR1009-7G-1C No buffer space available

/ip route add distance=10 gateway=ZF_Server routing-mark=ZF add check-gateway=ping distance=2 gateway=pppoe-MTS routing-mark=ISP-MTS-route add check-gateway=ping distance=2 gateway=xxx.xxx.xxx.xxx routing-mark=ISP-Spark-route add check-gateway=ping distance=2 gateway=xxx.xxx.xxx.xxx add check-gatew...
by tippenring
Tue Mar 20, 2018 12:29 am
Forum: General
Topic: CCR1009-7G-1C No buffer space available
Replies: 23
Views: 2403

Re: CCR1009-7G-1C No buffer space available

That makes sense I suppose. I'm not sure why your route cache is filling up.

Can you post an "ip route export"?
by tippenring
Mon Mar 19, 2018 4:39 pm
Forum: General
Topic: ipsec phase 2 problem (fatal NO-PROPOSAL-CHOSEN ...
Replies: 2
Views: 5782

Re: ipsec phase 2 problem (fatal NO-PROPOSAL-CHOSEN ...

This is a very common problem with IPSec. No proposal chosen is caused because the 2 routers do not agree on the configured options for IPSec. Try disabling DPD. Also verify with the ASA administrator that the outside_40_arcom_cryptomap access list on the ASA is configured to tunnel source 192.168.001...
by tippenring
Thu Mar 15, 2018 5:55 pm
Forum: General
Topic: Stopping Unsolicited packets
Replies: 5
Views: 659

Re: Stopping Unsolicited packets

Long-term blocking of malware based on port number is futile. What will you do when the next malware that uses dynamic ports 1025-65535 hits the 'net? Block 1025-65535? It's hard to read with your rules so randomly organized. I'm guessing you're probably already adversely affecting some small number...
by tippenring
Wed Mar 14, 2018 4:49 pm
Forum: General
Topic: CCR1009-7G-1C No buffer space available
Replies: 23
Views: 2403

Re: CCR1009-7G-1C No buffer space available

Did I seriously get that right based on the vague description in the OP? Wow. lol.
by tippenring
Wed Mar 14, 2018 12:27 am
Forum: General
Topic: Slingshot APT [SOLVED]
Replies: 44
Views: 24356

Re: Slingshot APT, RouterOS spying software [SOLVED]

One thing that bothers me: I have only been using your products for around a month, and I downloaded Winbox 3.11 and was using it. Why was the known-to-be-insecure Winbox still there a month ago, if you knew about it a year ago? And even though I have installed 3.12, it still throws up a message ab...
by tippenring
Tue Mar 13, 2018 4:36 pm
Forum: General
Topic: CCR1009-7G-1C No buffer space available
Replies: 23
Views: 2403

Re: CCR1009-7G-1C No buffer space available

This is a real shot in the dark, but do you happen to have a default route pointing at a broadcast interface? Something like
add distance=1 gateway=ether1
could conceivably fill up the ARP table.
by tippenring
Fri Mar 09, 2018 11:46 pm
Forum: General
Topic: Slingshot APT [SOLVED]
Replies: 44
Views: 24356

Re: Slingshot APT, RouterOS spying software [SOLVED]

Here's a bleepingcomputer.com article on it: https://www.bleepingcomputer.com/news/s ... k-routers/
by tippenring
Thu Mar 08, 2018 4:04 pm
Forum: General
Topic: Recursive route with %interface
Replies: 4
Views: 843

Re: Recursive route with %interface

VRF is probably what you're looking for.

https://wiki.mikrotik.com/wiki/Manual:V ... Forwarding
by tippenring
Tue Mar 06, 2018 6:56 pm
Forum: General
Topic: RouterOS <- IPIP Tunnel -> Cisco IOS
Replies: 7
Views: 1255

Re: RouterOS <- IPIP Tunnel -> Cisco IOS

No protocol chosen means that the responder rejected all offered IPSec proposals. You have PFS configured on the Cisco (group 2), but I don't see it on the MT. Try adding pfs-group=modp1024 to the dup-001-router-1 policy. Correction. Not PFS. It's the phase 1 DH group that mismatches I believe.
by tippenring
Tue Mar 06, 2018 6:54 pm
Forum: General
Topic: RouterOS <- IPIP Tunnel -> Cisco IOS
Replies: 7
Views: 1255

Re: RouterOS <- IPIP Tunnel -> Cisco IOS

No protocol chosen means that the responder rejected all offered IPSec proposals.

You have PFS configured on the Cisco (group 2), but I don't see it on the MT. Try adding
pfs-group=modp1024
to the dup-001-router-1 policy.
by tippenring
Fri Mar 02, 2018 9:48 pm
Forum: General
Topic: 2011UiAS-2HnD Wifi and stability issues
Replies: 8
Views: 917

Re: 2011UiAS-2HnD Wifi and stability issues

I have had the same router for about 3 months, and occasionally have similar issues. One time the SSIDs stopped broadcasting. Another the clients couldn't connect. One time I rebooted out of convenience. A couple of times I disabled and re-enabled the wifi interface. I switched to 20MHz only about 3...
by tippenring
Fri Mar 02, 2018 9:30 pm
Forum: General
Topic: How Autoblock IP address
Replies: 7
Views: 1831

Re: How Autoblock IP address

As Companion posts, that is how I used to accomplish the same thing. It began to become unwieldy when I wanted other rules to apply the same blacklist rules, so I reorganized it as a sort of subroutine.
add action=jump chain=input comment="Blacklist IP trying to hit 22" connection-state=new dst-port...
by tippenring
Wed Feb 28, 2018 7:12 pm
Forum: General
Topic: How to configure route between gateway / lan bridge?
Replies: 2
Views: 508

Re: How to configure route between gateway / lan bridge?

Based on your description, it doesn't sound like you need the MT at all. Just connect the Fritzbox and PC (on ether2) to the same switch. If the MT is your only switch, the easiest thing might be to move the Fritzbox from ether1 to whatever is open on ether2 to ether5 and disable the DHCP server on ...
by tippenring
Thu Feb 22, 2018 11:20 pm
Forum: General
Topic: How to configure MikroTik to be primary router?
Replies: 24
Views: 1791

Re: How to configure MikroTik to be primary router?

I accept the first part of your post about being random but not everything is as you say. First: Yes, lzo was the reason why MT was not good enough. Second: ExpressVPN do not support MT and have no plans to. So, about their recommendation to keep your existing set up with preexisting router and add...
by tippenring
Thu Feb 22, 2018 5:42 pm
Forum: General
Topic: How to configure MikroTik to be primary router?
Replies: 24
Views: 1791

Re: How to configure MikroTik to be primary router?

I feel we lost the focus of the topic and the help I wanted to ask from you. I was with the intention to use only the ASUS. But then came the recommendation clearly stated on ExpressVPN website "We recommend that you preserve your existing network setup and just connect the ASUS as a second router"...
by tippenring
Thu Feb 22, 2018 5:09 pm
Forum: General
Topic: After upgrade firmware 6.40.5, Can't change admin's group to full
Replies: 43
Views: 4503

Re: After upgrade firmware 6.40.5, Can't change admin's group to full

Guys ... how many times must we write this?
1. Change "admin" to some other username
2. SET A PASSWORD
3. USE FIREWALL
There will be no end to people that can perform a basic setup with no concept of security. Perhaps a feature request to consider: blank or default passwords cause the unit to beep ...
by tippenring
Wed Feb 21, 2018 12:56 am
Forum: General
Topic: How to configure MikroTik to be primary router?
Replies: 24
Views: 1791

Re: How to configure MikroTik to be primary router?

It is clear that ExpressVPN assert, by competent knowledge or by experience, that it is best to keep your old router and add the new router behind it. As router behind router even sounds crazy, I am left, by deduction, with the only conclusion that the old router is in router mode and the new ASUS is in Bridge...
by tippenring
Tue Feb 20, 2018 10:11 pm
Forum: General
Topic: How to configure MikroTik to be primary router?
Replies: 24
Views: 1791

Re: How to configure MikroTik to be primary router?

The MT should be a router. It should get the public IP. From there onwards the ASUS will be one of the clients of the MT and will be in Bridge mode (as advised by ExpressVPN), then even more the devices will all be connected to the ASUS. What would the port forwarding look like? If the ASUS will be...
by tippenring
Tue Feb 20, 2018 9:57 pm
Forum: General
Topic: How to configure MikroTik to be primary router?
Replies: 24
Views: 1791

Re: How to configure MikroTik to be primary router?

It is the advice of the ExpressVPN providers and I don't want to question that advice. If you need the MT to be a VPN tunnel endpoint, then I expect you can't use it in a bridge configuration. You'll need the MT to be a router. If the MT only has one public IP address, unfortunately that will compl...
by tippenring
Fri Feb 16, 2018 10:55 pm
Forum: General
Topic: RouterOS must split! Rant.
Replies: 13
Views: 1859

Re: RouterOS must split! Rant.

PSA: I just learned if you click on a username, you can add them as a foe, which is basically an ignore button. Pretty nice feature for Kackele.
by tippenring
Wed Feb 14, 2018 6:07 pm
Forum: General
Topic: VPN - domain computers?
Replies: 2
Views: 285

Re: VPN - domain computers?

The first question that comes to mind is why there would be both domain-joined hosts and non-domain-joined hosts on the same subnet. I try to avoid putting hosts at differing trust levels on a common subnet.
by tippenring
Tue Jan 30, 2018 11:05 pm
Forum: General
Topic: Primary / Secondary interfaces
Replies: 2
Views: 277

Re: Primary / Secondary interfaces

Your question is very vague and hard to understand. Without knowing the topography or what you're trying to achieve it's hard to help you, but typically assigning static routes with set costs for each interface under ip > routes would probably be your best way to go. Yep. A pretty vague request. I re...
by tippenring
Tue Jan 30, 2018 4:59 pm
Forum: General
Topic: One lan port with two subnets
Replies: 7
Views: 413

Re: One lan port with two subnets

The way you describe what you've done, it sounds right. What is your new IP address and subnet on the local bridge? What IP did you assign to the PC?
by tippenring
Fri Jan 26, 2018 5:36 pm
Forum: General
Topic: Client IP instead of Gateway IP [SOLVED]
Replies: 7
Views: 1066

Re: Client IP instead of Gateway IP [SOLVED]

If your wifi interface is bridged to the ethernet interface, try disabling NAT. You shouldn't need it.
by tippenring
Fri Jan 26, 2018 5:29 pm
Forum: General
Topic: Blocking UDP attack in Mikrotik not working
Replies: 14
Views: 1826

Re: Blocking UDP attack in Mikrotik not working

You could be the target of a DDoS, but more likely you're contributing to a DDoS targeting someone else. You should configure your router to drop the UDP traffic in question, rather than reject or forward.
by tippenring
Fri Jan 26, 2018 5:25 pm
Forum: General
Topic: Limit bandwith (Where?)
Replies: 8
Views: 794

Re: Limit bandwith (Where?)

Check port speed and duplex (especially duplex). Check for late collisions and packet errors. A packet capture also might provide a clue.
by tippenring
Thu Jan 25, 2018 12:44 am
Forum: General
Topic: S2S IPSEC VPN Established, not passing traffic
Replies: 4
Views: 1250

Re: S2S IPSEC VPN Established, not passing traffic

/ip route add distance=1 dst-address=192.168.89.0/24 gateway=192.168.89.1
That (and its counterpart on the other router) doesn't look right to me. Your router already knows how to get to 192.168.89.0/24. It is directly connected already. I'd be surprised if that route is active. If you have a defau...
by tippenring
Sat Jan 20, 2018 1:05 am
Forum: General
Topic: mikrotik scp/sftp client to transfer file between MT
Replies: 13
Views: 9159

Re: mikrotik scp/sftp client to transfer file between MT

But ftp is the fastest and most secure protocol you can use without waiting for any implementation. Simply firewall rules and/or changing the default port 21 to any other make it impossible to hack in an easy way or brute force the ftp... The ...
by tippenring
Tue Mar 03, 2015 11:00 pm
Forum: Beginner Basics
Topic: CRS and VLAN help
Replies: 1
Views: 648

Re: CRS and VLAN help

I just got this working a few minutes ago based on the same wiki article you referenced. I'll share the pertinent config. I was also confused about the bridge virtual interface. You do not need it in this case. I'm still trying to figure out the distinction. It seems that the bridge and switch are s...
by tippenring
Tue Jan 20, 2015 7:52 pm
Forum: General
Topic: Two LAN routers, MT is default gateway. MT dropping packets
Replies: 0
Views: 255

Two LAN routers, MT is default gateway. MT dropping packets

I have two routers on a LAN. The Mikrotik RB2011 is the default gateway for the LAN. There is a second Cisco router on the LAN for which the MT has a static route defined for a specific network. The issue is that the Mikrotik router does not always relay packets that should be routed to the Cisco ro...
by tippenring
Thu Oct 02, 2014 9:52 pm
Forum: General
Topic: DHCP Options
Replies: 12
Views: 9223

Re: DHCP Options

Here is my code for IP phones that use option 66.

# DHCP server option 66 (TFTP server) handed to the phones; the value is 192.168.4.10 written as hex
/ip dhcp-server option
add code=66 name="tftp server" value=0xc0a8040a
I use http://paulschou.com/tools/xlate/ to convert between hex, text, base64 and other formats.