Community discussions

Search found 129 matches

by Joni
Mon Oct 11, 2021 10:41 am
Forum: Announcements
Topic: v6.48.5 [long-term] is released!
Replies: 71
Views: 11825

Re: v6.48.5 [long-term] is released!

Especially since even the changelog references a non-existing long-term release in relation to changes from v6.48.4 and not the actual predecessor v6.47.10. https://mikrotik.com/download/changelogs/long-term-release-tree So let's see how the actual release notes for long-term v6.48.5 upgrade from v...
by Joni
Fri Oct 08, 2021 9:57 pm
Forum: Announcements
Topic: v6.48.5 [long-term] is released!
Replies: 71
Views: 11825

Re: v6.48.5 [long-term] is released!

I still think it is a bad policy to release a new version in the stable channel and declare it the long-term version at the same time. You should move versions to the long-term channel only after they have proven to be free of obvious issues in the stable channel for some time. (I know that long-te...
by Joni
Thu Sep 16, 2021 6:31 pm
Forum: General
Topic: Why firewall rules are so important...
Replies: 12
Views: 1493

Re: Why firewall rules are so important...

You do realize this is not an opinion debate.

Obviously it is.

Sure it is https://cwe.mitre.org/data/definitions/200.html
The simplified main point being that there are zero actual benefits about showing it.
by Joni
Thu Sep 16, 2021 6:27 pm
Forum: General
Topic: Why firewall rules are so important...
Replies: 12
Views: 1493

Re: Why firewall rules are so important...

Google will take care of them looking for you... Easy life for hacker... You apparently haven't tried Shodan. About display version or not: WHAT IS THE PROBLEM? Simply try all the hack, who stops you? Trying all hacks triggers alerts and countermeasures on many different levels. Different methods h...
by Joni
Thu Sep 16, 2021 6:08 pm
Forum: General
Topic: Why firewall rules are so important...
Replies: 12
Views: 1493

Re: Why firewall rules are so important...

You do realize this is not an opinion debate. The point is that router's management access (any kind) should not be wildly open. Period. The point is that no information whatsoever should be shared unless authenticated (by default). Period. I like to see version on login page so that I don't have to ...
by Joni
Thu Sep 16, 2021 5:08 pm
Forum: General
Topic: Why firewall rules are so important...
Replies: 12
Views: 1493

Re: Why firewall rules are so important...

Maybe they are honeypots? I hope... :p
You're missing the point, the version number is still displayed on the login page, once your router has a vulnerability then anyone with access to the user interface knows which one to exploit..
by Joni
Thu Sep 16, 2021 4:35 pm
Forum: General
Topic: Why firewall rules are so important...
Replies: 12
Views: 1493

Re: Why firewall rules are so important...

Years pass by and nothing changes...
by Joni
Thu Sep 16, 2021 2:24 pm
Forum: Beginner Basics
Topic: Will separate hardware firewall make the router safer? [SOLVED]
Replies: 8
Views: 2897

Re: Will separate hardware firewall make the router safer? [SOLVED]

Make sure you run a recent/latest-stable RouterOS release

What jvanhambelgium obviously meant was latest "Long-term" (not "Stable") :lol:

Also specifically make a mental distinction between exposing RouterOS vs hosts / services behind it, that is a huge difference.
by Joni
Sun Sep 12, 2021 12:03 am
Forum: General
Topic: Backup
Replies: 2
Views: 367

Re: Backup

They think wrong because the tickbox is not ticked (by default) and the tickbox says it is encrypted if not ticked... nowhere in the interface is it mentioned it would not be encrypted if the tickbox is not ticked. Especially as it before 6.43 defaulted to encrypting the backup with the user passwor...
by Joni
Sat Sep 11, 2021 11:17 pm
Forum: General
Topic: Backup
Replies: 2
Views: 367

Backup

The manual says https://wiki.mikrotik.com/wiki/Manual:System/Backup dont-encrypt (yes | no; Default: no) Disable backup file encryption. Note that since RouterOS v6.43 without a provided password the backup file is unencrypted. however the Winbox user interface doesn't default to ticking the box "...
by Joni
Wed Sep 08, 2021 8:59 am
Forum: RouterBOARD hardware
Topic: RB1100Ahx4 Dude Edition - Slow SATA speeds
Replies: 2
Views: 2468

Re: RB1100Ahx4 Dude Edition - Slow SATA speeds

Wonder when they are going to catch up on their own deception... https://mikrotik.com/product/RB1100Dx4 (still same speed sentence)
This is intentionally misleading and has been reported to https://www.eccnet.eu/ Ombudsman
by Joni
Wed Sep 01, 2021 5:48 pm
Forum: RouterOS v7 BETA
Topic: ZeroTier added to RouterOS v7.1rc2
Replies: 175
Views: 34799

Re: ZeroTier added to RouterOS v7rc2

Of all the requests to implement in RouterOS, why specifically ZeroTier? When you look at it from a business standpoint, it makes complete sense. 1) MikroTik needed an SDWAN solution to sell more boxes 2) ZeroTier needed a hardware solution to sell more licenses It's a phenomenal protocol and far be...
by Joni
Wed Sep 01, 2021 3:13 pm
Forum: RouterOS v7 BETA
Topic: ZeroTier added to RouterOS v7.1rc2
Replies: 175
Views: 34799

Re: ZeroTier added to RouterOS v7rc2

Of all the requests to implement in RouterOS, why specifically ZeroTier?
by Joni
Fri Jul 23, 2021 10:27 am
Forum: Wireless Networking
Topic: Mikrotik - Early Access beta hardware?
Replies: 13
Views: 1361

Re: Mikrotik - Early Access beta hardware?

Yup ... buy new model devices from your local MT distributor and you're hooked up for beta testing. Or so it seems ...
Straight up...
by Joni
Thu Jul 01, 2021 10:40 pm
Forum: RouterOS v7 BETA
Topic: v7 launch date
Replies: 156
Views: 25442

Re: v7 launch date

Now if only all communication from Mikrotik was this logical and reasonable. <3
You should be promoted, I haven't seen this sensible output here in years.
Let's clarify rumors.
...
by Joni
Mon Apr 26, 2021 8:38 pm
Forum: RouterBOARD hardware
Topic: RB750Gr3 - Report and questions
Replies: 113
Views: 44894

Re: RB750Gr3 - Report and questions

RB750Gr3 switch chip does not have full VLAN tagging/untagging support yet, it is planned to implement it in future. Currently, you should use RB750Gr3 switch chip only for basic switching.
Maybe some horizon update of the nearest decade when this might be implemented?
by Joni
Tue Apr 20, 2021 1:02 pm
Forum: General
Topic: Neighbor Discovery Over L2TP
Replies: 1
Views: 344

Re: Neighbor Discovery Over L2TP

Reading the manual about dynamic L2TP interfaces and neighbourhood discovery discover-interface-list (string; Default: !dynamic) Interface list on which members the discovery protocol will run on https://wiki.mikrotik.com/wiki/Manual:IP/Neighbor_discovery In the future, post your config /export hide...
by Joni
Tue Apr 20, 2021 10:26 am
Forum: Scripting
Topic: Yet another DHCP to DNS script
Replies: 28
Views: 21240

Re: Yet another DHCP to DNS script

While the script itself is marvelous, one of the best dhcp2dns scripts...
Interestingly this prompts yet another RouterOS "feature", logs filled with "statis dns entry added/removed" an event with system,info topics but without a DNS topic to filter them away...
by Joni
Sat Apr 10, 2021 2:05 pm
Forum: General
Topic: Tools/email and ports
Replies: 3
Views: 573

Re: Tools/email and ports

All I know is it works fine with my ISP provider?? Yes, they are receiving email, they have to because of ignorant customers, accepting legacy setups. The difference is Mikrotik is sending and has no reason to default to a legacy port which the user can override if needed. My ISP provider requires 46...
by Joni
Sat Apr 10, 2021 12:43 pm
Forum: General
Topic: Tools/email and ports
Replies: 3
Views: 573

Tools/email and ports

In https://wiki.mikrotik.com/wiki/Manual:Tools/email there is a note If start-tls='''tls-only''', port 465 will be used either the note is left over from a previous circumstance or it is not RFC compliant http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt https...
by Joni
Wed Apr 07, 2021 6:16 pm
Forum: General
Topic: "antenna gain" missing in 6.46.8?
Replies: 77
Views: 10857

Re: "antenna gain" missing in 6.46.8?

52 messages and 20 participants later. Do you feel like "you already wrote this", nobody said you didn't write but everybody said they did didn't understand the reasoning or logic behind your writing. "nothing has changed basically" then why was it implemented in the first place ...
by Joni
Tue Feb 02, 2021 9:08 am
Forum: General
Topic: Allow Ethernet interface with specific MAC address only
Replies: 34
Views: 14395

Re: Allow Ethernet interface with specific MAC address only

Against stupid attackers, a bridge firewall filter linking MAC address to a port is sufficient. A clever attacker will copy the camera's MAC address to his device, so only 802.1X is a safe method, unless the attacker can extract the password for 802.1X from the camera. The question is whether your ...
by Joni
Tue Dec 22, 2020 9:38 am
Forum: General
Topic: IP Firewall Address list FQDN resolution expiration
Replies: 6
Views: 907

Re: IP Firewall Address list FQDN resolution expiration

/ip firewall address-list add list=somename address=hostname.example.net Adds hostname.example.net to list and automatically resolves it based on dns record's ttl. When this ttl expires, it's resolved again. When address changes, old one is replaced by new one. Also works when hostname resolves to ...
by Joni
Mon Dec 21, 2020 10:42 pm
Forum: General
Topic: IP Firewall Address list FQDN resolution expiration
Replies: 6
Views: 907

Re: IP Firewall Address list FQDN resolution expiration

It should be all automatic, resolved addresses simply inherit ttl from dns record, disappear when it expires, and system then resolves hostname again. As literally emphasised above it should absolutely not happen as you describe, as you lose even more control to yet another party in the process yo...
by Joni
Mon Dec 21, 2020 8:26 pm
Forum: General
Topic: IP Firewall Address list FQDN resolution expiration
Replies: 6
Views: 907

IP Firewall Address list FQDN resolution expiration

So afaik as an undocumented function you can do /ip firewall address-list add address=officeX.example.com list=whitelist And RouterOS will resolve the FQDN name (every X minutes) to a IP address and add it to the address list as a "dynamic" item (actually static, ie not lost on reboot). If...
by Joni
Tue Dec 01, 2020 4:29 pm
Forum: General
Topic: Public-Mikrotik-Bandwidth-Test-Server(s)
Replies: 765
Views: 717519

Re: Public-Mikrotik-Bandwidth-Test-Server(s)

And while we are testing bandwidth... we might want a refresher on the effects of latency and loss... Namely where your public test server is located, globally... https://accedian.com/blog/measuring-network-performance-latency-throughput-packet-loss/ http://bradhedlund.com/2008/12/19/how-to-calculat...
by Joni
Wed Nov 18, 2020 3:27 pm
Forum: Announcements
Topic: v6.46.8 [long-term] is released!
Replies: 38
Views: 17436

Re: v6.46.8 [long-term] is released!

. hEX PoE powering 48V three wAP ac (RBwAPG-5HacT2HnD) for a few years, iterating through long-term versions, however when upgrading from v6.46.7 to v6.46.8 suddenly port ether4 requires poe-out=forced-on or wAP ac on the port starts POE cycling endlessly. (any cable, firmware upgraded, rebooted thr...
by Joni
Tue Nov 17, 2020 11:57 am
Forum: RouterBOARD hardware
Topic: ChaCha20 hardware offloading?
Replies: 2
Views: 716

Re: ChaCha20 hardware offloading?

As something running on an EOL 2012 Linux kernel you can imagine that since wireguard was merged Linux 2020 we'll be seeing _full_ _stable_ Wireguard support around 2024 (presuming the adoption lifecycle has halved in 8 years). https://forum.mikrotik.com/viewtopic.php?f=2&t=144639 https://forum.mi...
by Joni
Sun Oct 25, 2020 9:13 pm
Forum: Scripting
Topic: mkdir function for easy folder creation
Replies: 18
Views: 5639

Re: mkdir function for easy folder creation

What do you need folders for?

For RouterOS not trying to upgrade itself on every boot when .npk for Capsman Cap's (APs) exists in filesystem... for one...

"What does Capsman need a package path setting for?"
by Joni
Wed Oct 14, 2020 10:56 pm
Forum: General
Topic: NAT by incoming interface
Replies: 3
Views: 725

Re: NAT by incoming interface

Please note that internal src-nat is a typical need also when accessing (managing) non-routed networks / subnets over VPN etc, while wanting to retain traceable logs of entering and exiting traffic. Traffic enters via management node vpn interface from a remote subnet which is not available via th...
by Joni
Wed Oct 14, 2020 3:31 pm
Forum: General
Topic: NAT by incoming interface
Replies: 3
Views: 725

Re: NAT by incoming interface

(clear, old, question)

No, you understood it right.
These are the kind of things that hinder adoption of Mikrotik by intermediate level users.
The solution would be to mark traffic on the incoming interface(s) and src-nat by marked traffic.
by Joni
Sat Sep 19, 2020 10:35 am
Forum: General
Topic: Capsman disconnecting all CAPs
Replies: 3
Views: 539

Re: Capsman disconnecting all CAPs

Upgrading Capsman to v6.46.7 (Long-term) on CCR disabled Capsman, configuration intact.
by Joni
Tue Jul 14, 2020 9:47 am
Forum: General
Topic: Mikrotik CRS125-24G Speed Problem
Replies: 13
Views: 2880

Re: Mikrotik CRS125-24G Speed Problem

Probably a bad idea. CRS125 is a switch, and in no way it can route a gigabit.
"no way"
"route"
Please be much much more specific, you present the subject like routing would be some magical high overhead process.
by Joni
Tue Jul 14, 2020 9:44 am
Forum: General
Topic: Mikrotik CRS125-24G Speed Problem
Replies: 13
Views: 2880

Re: Mikrotik CRS125-24G Speed Problem

https://mikrotik.com/product/CRS125-24G ... estresults

To confirm any speed issues you need to reset everything and start adding settings from scratch, one by one, until you find the issue. Technically there is no reason you couldn't get reasonable performance out of a CRS125.
by Joni
Wed Jun 17, 2020 8:20 pm
Forum: Wireless Networking
Topic: Wireless product max distance
Replies: 62
Views: 52182

Re: Wireless product max distance

The tables have been moved to product documentation download tabs: https://mikrotik.com/product/lhg_2#fndtn-downloads Selection guide for PtP links https://i.mt.lv/cdn/rb_files/antenas-160404123306.pdf Selection guide for PtMP links https://i.mt.lv/cdn/rb_files/antenas-mantbox-160404123306.pdf And a...
by Joni
Tue Jun 09, 2020 8:20 pm
Forum: Wireless Networking
Topic: how to adjust tx power for caps in capsman
Replies: 9
Views: 3565

Re: how to adjust tx power for caps in capsman

However according to Mikrotik you are not supposed to adjust tx power, only antenna gain.

viewtopic.php?t=121782#p599546
viewtopic.php?t=129865
by Joni
Tue Jun 09, 2020 8:05 pm
Forum: General
Topic: capsman keep WiFi up when capsman unavailable?
Replies: 15
Views: 3878

Re: capsman keep WiFi up when capsman unavailable?

What you want is not possible. In CAPsMAN it is manager that always handles client authentication, no matter what forwarding mode is in use. That's by design. Reference manual link or source for this fact... https://wiki.mikrotik.com/wiki/Manual:CAPsMAN#Radio_Provisioning Interfaces on CAPsMAN can ...
by Joni
Tue Jun 09, 2020 7:55 pm
Forum: General
Topic: drop second WAN IP remote access
Replies: 2
Views: 733

Re: drop second WAN IP remote access

Firewall?
Block input to second address and port?
https://wiki.mikrotik.com/wiki/Manual:IP/Services
by Joni
Mon Apr 13, 2020 6:04 pm
Forum: General
Topic: dhcp client $(hostname) contains whitespaces
Replies: 0
Views: 1471

dhcp client $(hostname) contains whitespaces

RouterOS DHCP Client $(hostname) variable contains white space characters from RouterOS Identity making it incompatible with any DHCP servers and their "dynamic DNS update" (not to be confused with DDNS ) which don't clean names. rfc2181 rfc2132 rfc4702 And no, Mikrotik, nobody here is in...
by Joni
Tue Mar 24, 2020 10:23 am
Forum: Beginner Basics
Topic: VLAN setup help
Replies: 30
Views: 7419

Re: VLAN setup help

by Joni
Tue Mar 24, 2020 9:05 am
Forum: SwOS
Topic: Configuring VLAN on RB260GS
Replies: 10
Views: 4264

Re: Configuring VLAN on RB260GS

by Joni
Sat Feb 22, 2020 12:18 pm
Forum: Beginner Basics
Topic: Native VLAN + 1 tagged VLAN
Replies: 3
Views: 1850

Re: Native VLAN + 1 tagged VLAN

Except if your hardware is CRS https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples . And the shame goes once again to Mikrotik for not having notice headers in their wiki articles... https://wiki.mikrotik.com/wiki/Manual:CRS_Router And the much too little emphasized note of: "...
by Joni
Sat Feb 22, 2020 11:07 am
Forum: General
Topic: CRS default config: Bridge and Interface MAC in IP Neighbors
Replies: 3
Views: 2380

Re: CRS default config: Bridge and Interface MAC in IP Neighbors

Same issue, suggested solution doesn't help. Hardware CRS109, CRS125, RB960PGS. The lists duplicate items always contain the bridge mac address without proper details and the discovery interface mac address with proper details. (just like in the original op post) All running long-term current [admin...
by Joni
Sat Jan 25, 2020 6:30 pm
Forum: Scripting
Topic: DHCP automatic dynamic to static
Replies: 14
Views: 7935

Re: DHCP automatic dynamic to static

How about just extending the DHCP lease time to one month, so unless your device is offline for a month it will retain its IP address (and if you have lots of guests then setup a bigger subnet).
by Joni
Thu Dec 12, 2019 2:54 pm
Forum: General
Topic: QoS / Traffic Shaping - limit per IP with double PCQ
Replies: 16
Views: 4869

Re: QoS / Traffic Shaping - limit per IP with double PCQ

Bump =) So what Cha0s wants is in the general lines of a parent with: /queue type add kind=pcq name=pcq-parent-upload pcq-classifier=src-address pcq-dst-address-mask=32 pcq-src-address-mask=32 add kind=pcq name=pcq-parent-download pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-src-address-ma...
by Joni
Thu Oct 31, 2019 6:14 pm
Forum: General
Topic: Bare metal CHR on Hetzner Dedicated [SOLVED]
Replies: 9
Views: 4318

Re: Bare metal CHR on Hetzner Dedicated [SOLVED]

Duh... Forgot to mention that Hetzner Cloud works for CHR...
by Joni
Sat Oct 26, 2019 6:40 pm
Forum: General
Topic: Bare metal CHR on Hetzner Dedicated [SOLVED]
Replies: 9
Views: 4318

Re: Bare metal CHR on Hetzner Dedicated [SOLVED]

Did you anyhow solve the problem?
Unfortunately no.
by Joni
Sat Sep 07, 2019 5:26 pm
Forum: General
Topic: v7 Linux Kernel version ?
Replies: 6
Views: 5103

Re: v7 Linux Kernel version ?

AFAIK. Because Tile(ra) architecture (CCR) support is dropped after kernel v4.14.x
by Joni
Sat Aug 17, 2019 4:06 pm
Forum: General
Topic: I'm sure Mikrotik has a legit response to this...
Replies: 14
Views: 3566

Re: I'm sure Mikrotik has a legit response to this...

The response that Normis gave is equivalent to saying, "I don't have AIDS" when he should be able to be saying, "I don't have AIDS and I always wear a condom too." We don't just want Mikrotik to be looking for and fixing vulnerabilities, we also want modern development and desig...
by Joni
Sat Aug 17, 2019 8:58 am
Forum: General
Topic: I'm sure Mikrotik has a legit response to this...
Replies: 14
Views: 3566

Re: I'm sure Mikrotik has a legit response to this...

How many of these vulnerabilities though are still present when a competent person configures the router? Most persons configuring things in this world are not competent, including you and me, that is why we ask these questions. If your WAN is entirely firewalled against incoming connections (inclu...
by Joni
Thu Aug 15, 2019 6:59 am
Forum: General
Topic: I'm sure Mikrotik has a legit response to this...
Replies: 14
Views: 3566

I'm sure Mikrotik has a legit response to this...

These are the seatbelts and airbags of the software world. These numbers are unheard of in operating systems or (Web) browsers. It's just a sign that they’re not trying, https://www.reddit.com/r/mikrotik/comments/cqksvr/these_are_the_seatbelts_and_airbags_of_the/ How it is all a misunderstanding, ...
by Joni
Mon Jul 22, 2019 8:18 pm
Forum: Forwarding Protocols
Topic: Problem with L2TP / IPSEC AND WINDOWS CLIENT
Replies: 2
Views: 6659

Re: Problem with L2TP / IPSEC AND WINDOWS CLIENT

It turns out that windows 10 was broken. I had to delete ALL WAN MINI PORTs in device manager and let windows reinstall them and now my vpn works fine. This <3 What made it confusing was that the same bug (windows updates) was affecting multiple (all) computers. (Remove in Windows / Device Manager ...
by Joni
Fri May 24, 2019 5:51 am
Forum: General
Topic: DNS Flag Day
Replies: 3
Views: 1252

Re: DNS Flag Day

Just some follow up on the subject in general https://www.zdnet.com/article/dns-flag-day-2020-dns-servers-must-support-both-udp-and-tcp-queries/ accompanied by a quote from Mikrotik Wiki : A MikroTik router with DNS feature enabled can be set as a DNS server for any DNS-compliant client. Moreover, M...
by Joni
Tue Apr 16, 2019 11:11 pm
Forum: General
Topic: DHCP Option 51 (Apple, IP address lease time)
Replies: 1
Views: 1292

DHCP Option 51 (Apple, IP address lease time)

This was an interesting read, any field experiences?

https://jimswirelessworld.wordpress.com ... option-51/

TLDR:
"Apple devices didn’t like having short lease times for its DHCP, Apple products will always request for 90 days."
by Joni
Wed Apr 10, 2019 1:00 pm
Forum: General
Topic: Mikrotik "Internet detect" problem
Replies: 18
Views: 17293

Re: Mikrotik "Internet detect" problem

Still not working on v6.43.13, WAN is never upgraded to Internet. [admin@GW]> /interface detect-internet state print terse 0 name=ether1-gateway state=no-link state-change-time=apr/10/2019 12:12:22 1 name=ether2-master-local state=lan state-change-time=apr/10/2019 12:12:22 2 name=ether3-slave-local ...
by Joni
Sat Apr 06, 2019 7:01 pm
Forum: General
Topic: Holy grail for Failover 2 Wans NO SCRIPTING
Replies: 14
Views: 4461

Re: Holy grail for Failover 2 Wans NO SCRIPTING

I really don't care about re-establishing the same connection on failover. That seems pie in the sky thinking. The old connection is gone kaput, dead, I would expect to have to restart all my activity. The idea of failover is minimal disruption to service plus as the admin I don't have to intervene....
by Joni
Sat Apr 06, 2019 6:09 pm
Forum: General
Topic: Holy grail for Failover 2 Wans NO SCRIPTING
Replies: 14
Views: 4461

Re: Holy grail for Failover 2 Wans NO SCRIPTING

Overly complex Failover. Simple recursive routes (choose 1 or 2 public DNS) is just as effective, no mangling required. Nope. Established sessions (like VPN) never return to the primary connection. This is a recurring problem for Mikrotik that there doesn't exist vetted solutions which either funct...
by Joni
Fri Apr 05, 2019 7:14 pm
Forum: General
Topic: Holy grail for Failover 2 Wans NO SCRIPTING
Replies: 14
Views: 4461

Re: Holy grail for Failover 2 Wans NO SCRIPTING

Your definition holy grail would imply dhcp support for wan, this is nothing new.
by Joni
Mon Mar 25, 2019 9:43 pm
Forum: General
Topic: Remotely access Mikrotik router
Replies: 11
Views: 2256

Re: Remotely access Mikrotik router

There is a much simpler way... dynamic whitelisting 1) Get a DynDNS client (or URL) on your client device (hint: could also be another Mikrotik device on the same client network https://wiki.mikrotik.com/wiki/Manual:IP/Cloud ) 2) Add that DynDNS name (not IP address) to Firewall address list in the ...
by Joni
Mon Mar 25, 2019 9:23 pm
Forum: General
Topic: Mikrotik and FreeRadius (DaloRADIUS)
Replies: 4
Views: 5363

Re: Mikrotik and FreeRadius (DaloRADIUS)

Just my five cents worth... a non-vetted review without running the product. I would instead highly recommend something in the lines of pfSense or OPNsense which are secure, modern, tested, vetted for "generations": https://turbofuture.com/internet/How-to-Set-Up-a-Radius-Server-on-pfSense-...
by Joni
Mon Dec 31, 2018 3:11 pm
Forum: General
Topic: PWR-Line AP - problem with cominicate
Replies: 9
Views: 3602

Re: PWR-Line AP - problem with cominicate

I test a pair of these APs, but can't find a description. What is the maximum distance to work etc. https://mikrotik.com/product/pwr_line_ap says the PLC chipset is https://www.qualcomm.com/products/ar7420 which says Ethernet Standards: Home Plug 1.0, Home Plug AV, IEEE 802.3, IEEE 1900 Ethernet Ne...
by Joni
Sat Dec 29, 2018 11:30 am
Forum: General
Topic: PWR-Line AP - problem with cominicate
Replies: 9
Views: 3602

Re: PWR-Line AP - problem with cominicate

Typical Mikrotik, making a device with six leds and two buttons but not documenting more than one led in one state... reminds me of cAP Lite (RBcAPL-2nD-307)...
by Joni
Sat Dec 29, 2018 10:53 am
Forum: General
Topic: PWR-Line AP - problem with cominicate
Replies: 9
Views: 3602

Re: PWR-Line AP - problem with cominicate

Begin by trying to pair them on the same extension cord, side by side.
by Joni
Sat Dec 29, 2018 10:43 am
Forum: Wireless Networking
Topic: wAP LTE Kit International APN problem [SOLVED]
Replies: 24
Views: 10295

Re: wAP LTE Kit International APN problem [SOLVED]

YMMV! Check currently running R11e-LTE version ("MikroTik_CP_2.160.000_v006"): /interface lte info lte1 once Issue R11e-LTE "firmware update mode": /interface lte at-chat lte1 input="at+mififlag=1" Trigger update download, ~5MB (R11e-LTE has to be online, download is fe...
by Joni
Thu Dec 27, 2018 10:32 pm
Forum: Wireless Networking
Topic: wAP LTE Kit International APN problem [SOLVED]
Replies: 24
Views: 10295

Re: wAP LTE Kit International APN problem [SOLVED]

Bug is solved in newer wAPs because they come out with LTE firmware v8, you have v1. Ask support@mikrotik.com the guide to upgrade wAP's LTE firmware, and always upgrade wAPs to last stable version. You're referring to this? https://wiki.mikrotik.com/wiki/Manual:Interface/LTE#Modem_firmware_upgrade...
by Joni
Thu Dec 27, 2018 10:19 pm
Forum: Wireless Networking
Topic: wpa3
Replies: 5
Views: 3063

Re: wpa3

Just FYI... "Synology is the first manufacturer to produce WPA3 certified router, MR2200ac, WPA3-Personal, WPA3-Enterprise and Opportunistic Wireless Encryption (OWE), officially announced in October of 2018." https://www.modders-inc.com/synology-mr2200ac-mesh-router-review-first-wpa3-cert...
by Joni
Tue Dec 18, 2018 9:06 pm
Forum: General
Topic: Enable TCP ECN for bandwidth efficiency
Replies: 11
Views: 6081

Re: Enable TCP ECN for bandwidth efficiency

It would be more interesting to know (as these are routers) which queue types, if any, support ECN
in MikroTik products.
https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter
by Joni
Fri Nov 30, 2018 4:28 pm
Forum: Wireless Networking
Topic: Removing Mikrotik elements from beacons
Replies: 15
Views: 4875

Re: Removing Mikrotik elements from beacons

This is a vulnerability +1
by Joni
Mon Nov 12, 2018 2:06 pm
Forum: Wireless Networking
Topic: cAP ac /wAP ac: recommended TX power?
Replies: 3
Views: 4928

Re: cAP ac /wAP ac: recommended TX power?

It is much safer to use the method I described than modifying the tx power directly. You risk damaging the wireless adapter if you accidentally adjust the tx power beyond the capacity of the card. Whereas, modifying the antenna gain allow the ROS to automatically adjust the tx power to ensure ...
by Joni
Wed Oct 31, 2018 9:20 am
Forum: General
Topic: Default config exports
Replies: 1
Views: 3810

Re: Default config exports

So executing "/system default-configuration print" on a "RB962UiGS-5HacT2HnT" (ie international hAP ac) running v6.42.7 (factory default) which is lost when upgrading to v6.42.9 (long-term, bugfix): script: :global ssid; #| RouterMode: #| * WAN port is protected by firewall and e...
by Joni
Thu Oct 25, 2018 12:54 pm
Forum: General
Topic: Feature request - DNSCrypt support...
Replies: 172
Views: 70356

Re: Feature request - DNSCrypt support...

DoH is incompatible with the basic architecture of the DNS because it moves control plane (signalling) messages to the data plane (message forwarding), and that's a no-no.
https://www.theregister.co.uk/2018/10/2 ... _standard/
by Joni
Thu Oct 18, 2018 2:59 pm
Forum: The Dude
Topic: The Dude scan kills network connectivity
Replies: 4
Views: 3319

Re: The Dude scan kills network connectivity

Mikrotik is notoriously famous for under performing MicroSD (compatibility?), and Dude uses a lot of I/O (in comparison to logging). Switch to USB and compare.
by Joni
Sat Oct 13, 2018 1:13 am
Forum: General
Topic: Forum (phpBB) functions missing / broken [SOLVED]
Replies: 1
Views: 858

Forum (phpBB) functions missing / broken [SOLVED]

How did you mark my post solved? I can't find any such feature? In the upper right corner of the post you will find 4 icons - one of them toggles solved/unsolved. Well, only yesterday I discovered the feature :-) 1) So I (apparently my account) have none of these, any OS any Browser, I only have "...
by Joni
Fri Oct 12, 2018 11:52 pm
Forum: RouterBOARD hardware
Topic: SXT/LHG LTE KIT [SOLVED]
Replies: 4
Views: 2108

Re: SXT/LHG LTE KIT [SOLVED]

How did you mark my post solved? I can't find any such feature?
by Joni
Fri Oct 05, 2018 11:29 am
Forum: General
Topic: Default config exports
Replies: 1
Views: 3810

Default config exports

In the spirit of this, having to downgrade, export, upgrade, etc... I've found a different factory reset behavior after upgrading to v6.42.9. In v6.40.9 the interfaces, DHCP server, and firewall policies were included by default. Now in v6.42.9, only a static IP address of 192.168.88.1 is configured...
by Joni
Wed Oct 03, 2018 1:12 pm
Forum: Wireless Networking
Topic: Capsman client to client forwarding in local forwarding mode [SOLVED]
Replies: 7
Views: 11094

Re: Capsman client to client forwarding in local forwarding mode [SOLVED]

It's *really* unclear in the manual but set Multicast Helper to Full when using multiple VLANs or VLAN override from one SSID.

https://wiki.mikrotik.com/wiki/Manual:I ... g_override
Thank you, works <3
by Joni
Mon Sep 24, 2018 3:54 pm
Forum: Wireless Networking
Topic: Capsman client to client forwarding in local forwarding mode [SOLVED]
Replies: 7
Views: 11094

Re: Capsman client to client forwarding in local forwarding mode [SOLVED]

There is no (inside AP) client-to-client communication happening, neither on same SSID or other, whatsoever (any device, os, etc), unless AP configured manually (Cap disabled) with default-forward and everything works. Client-to-client communication only works between different APs clients if port...
by Joni
Mon Sep 24, 2018 1:57 pm
Forum: Beginner Basics
Topic: Mikrotik SXT LTE powering issue
Replies: 1
Views: 648

Re: Mikrotik SXT LTE powering issue

With the included Mikrotik POE injector, with the included Mikrotik power adapter, via an ethernet cable of supported length?
by Joni
Mon Sep 24, 2018 12:29 pm
Forum: Wireless Networking
Topic: Capsman client to client forwarding in local forwarding mode [SOLVED]
Replies: 7
Views: 11094

Capsman client to client forwarding in local forwarding mode [SOLVED]

I wonder why it is that when with Capsman using datapath.local-forwarding=yes (ie local forwarding mode, also known as wireless default-forwarding) then datapath.client-to-client-forwarding is ignored / not supported, resulting in that you can basically only enable client-to-client-forwarding with &...
by Joni
Sun Sep 16, 2018 8:12 pm
Forum: General
Topic: DNSSEC
Replies: 36
Views: 17826

Re: DNSSEC

by Joni
Sat Sep 15, 2018 9:14 pm
Forum: Forwarding Protocols
Topic: Public IP over a tunnel ( SOLVED )
Replies: 34
Views: 16423

Re: Public IP over a tunnel ( SOLVED )

I am using a Hetzner Cloud VPS and I've found using a single vCPU, you can get around 400MBits, which ain't bad at all. Adding an additional CPU produces around 800MBits. It seems to be CPU limited due to encryption so I'm looking at tweaking it a bit and see if can get a bit more out of it. Does Hetzne...
by Joni
Thu Sep 06, 2018 9:24 am
Forum: Announcements
Topic: Future of LTE products, user feedback requested
Replies: 187
Views: 65275

Re: Future of LTE products, user feedback requested

How about first fixing the issues with current hardware search.php?keywords=R11e-LTE
by Joni
Sat Sep 01, 2018 10:51 am
Forum: General
Topic: Bare metal CHR on Hetzner Dedicated [SOLVED]
Replies: 9
Views: 4318

Re: Bare metal CHR on Hetzner Dedicated [SOLVED]

Exact same issue viewtopic.php?t=114844
and almost same, except I can't ping out... viewtopic.php?t=83196
by Joni
Sat Sep 01, 2018 8:37 am
Forum: General
Topic: Bare metal CHR on Hetzner Dedicated [SOLVED]
Replies: 9
Views: 4318

Re: Bare metal CHR on Hetzner Dedicated [SOLVED]

To be specific, even assigning one additional IP to the ether1-WAN interface doesn't respond to ping, with Linux it works without anything more than
ip address add a.b.c.d/32 dev eth0
by Joni
Fri Aug 31, 2018 11:07 pm
Forum: Beginner Basics
Topic: 5GHz Channel
Replies: 4
Views: 3811

Re: 5GHz Channel

My guess is that this would give a hint about D and DP: Made some reconfigurations. Looks like it's because of Skip DFS setting. When Skip DFS Channels is not checked this message appears in logs and wi-fi interface setup is delayed for one minute: capfive-MikroTik ST-hAP-AC-Lite3-1: do radar detec...
by Joni
Fri Aug 31, 2018 8:29 pm
Forum: Scripting
Topic: Blacklisting seems popular, honeypot made simple
Replies: 12
Views: 5958

Re: Blacklisting seems popular, honeypot made simple

Remember that most internet users will be able to feed your blacklist by sending spoofed TCP SYN packets (with source address that they want you to block). IP source address filtering (to allow only source addresses that you "own") is not widely deployed. This makes it easy to DDoS and it...
by Joni
Fri Aug 31, 2018 8:23 pm
Forum: Virtualization
Topic: CHR on OVH VPS SSD
Replies: 23
Views: 19587

Re: CHR on OVH VPS SSD

by Joni
Fri Aug 31, 2018 8:20 pm
Forum: General
Topic: Bare metal CHR on Hetzner Dedicated [SOLVED]
Replies: 9
Views: 4318

Bare metal CHR on Hetzner Dedicated [SOLVED]

cd /root && curl -O https://download2.mikrotik.com/routeros/6.42.3/chr-6.42.3.img.zip && gunzip -S .zip chr-6.42.3.img.zip
dd if=/root/chr-6.42.3.img of=/dev/sda
Tried this on Hetzner dedicated (bare metal, EX series, I know bm isn't officially supported but I don't want the virtual...
by Joni
Fri Aug 31, 2018 4:21 pm
Forum: Virtualization
Topic: CHR on OVH VPS SSD
Replies: 23
Views: 19587

Re: CHR on OVH VPS SSD

cd /root && curl -O https://download2.mikrotik.com/routeros/6.42.3/chr-6.42.3.img.zip && gunzip -S .zip chr-6.42.3.img.zip
dd if=/root/chr-6.42.3.img of=/dev/sda
Tried this on Hetzner dedicated (bare metal, EX series, I know bm isn't officially supported) however everything except r...
by Joni
Sun Aug 26, 2018 3:50 pm
Forum: General
Topic: Simple queues didn't work
Replies: 5
Views: 1219

Re: Simple queues didn't work

Disable https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack

Torching disables Fasttrack temporarily
by Joni
Mon Aug 20, 2018 8:41 pm
Forum: Scripting
Topic: Blacklisting seems popular, honeypot made simple
Replies: 12
Views: 5958

Re: Blacklisting seems popular, honeypot made simple

So please add the port 23 to the "popular" list. At least in my case there is nothing there, but people keep trying it. I must admit the port list is straight from Artillery and for some reason they left port 23 (Telnet) out... however I can't figure out a specific reason for leaving it ...
by Joni
Mon Aug 20, 2018 6:15 pm
Forum: Scripting
Topic: Blacklisting seems popular, honeypot made simple
Replies: 12
Views: 5958

Re: Blacklisting seems popular, honeypot made simple

I'll grab hold of this later and push it to a test router I have to see what it does or doesn't break. Basically the only thing it can break at its current state is blocking non-whitelisted ip-addresses if you for some reason would have incoming WAN traffic from trusted IPs trying to access non-exi...
by Joni
Mon Aug 20, 2018 1:55 pm
Forum: Scripting
Topic: Blacklisting seems popular, honeypot made simple
Replies: 12
Views: 5958

Re: Blacklisting seems popular, honeypot made simple

There are many things you can do to improve this. 1. Use a find command to find outside interface so that you do not need to change it when pasting commands. There are many things you can do too, post an updated version improving it accordingly ;) 2. Use the "place-before" commands, so that...
by Joni
Mon Aug 20, 2018 1:26 pm
Forum: Scripting
Topic: Blacklisting seems popular, honeypot made simple
Replies: 12
Views: 5958

Blacklisting seems popular, honeypot made simple

Inspired by the now defunct Linux Portsentry (by Psionic, acquired by Cisco in 2002) revived by https://github.com/BinaryDefense/artillery (which unfortunately is still a bit rough around the edges) This is just a quick "oneliner" draft I'm running, YMMV, do not just blindly copy paste! You...
by Joni
Tue Jun 26, 2018 12:14 pm
Forum: Wireless Networking
Topic: WPA3
Replies: 2
Views: 2248

Re: WPA3

by Joni
Thu May 03, 2018 4:08 pm
Forum: Announcements
Topic: v6.42.1 [current]
Replies: 272
Views: 72399

SNMP

SNMP: Looks like running Dude (on CCR1009-7G-1C-1S+, v6.42.1) and enabling IPv6 (in addition to IPv4) on it makes Dude unable to SNMP poll IPv4 agents (any make and model), however snmpwalk (from Dude) on same agent works (presumably uses / defaults to IPv4, which is obviously also wrong). Once you ...
by Joni
Wed Apr 18, 2018 3:36 pm
Forum: General
Topic: How to allow incomming ports from both isps
Replies: 2
Views: 800

Re: How to allow incomming ports from both isps

It's not about the incoming traffic, rather the returning traffic which takes the default route unless you use connection marking on the incoming traffic.

search.php?keywords=dual+wan

viewtopic.php?t=124993
by Joni
Tue Mar 20, 2018 8:58 am
Forum: General
Topic: Router OS default values - where to set them
Replies: 7
Views: 1940

Re: Router OS default values - where to set them

Some values, when declared "default", inherit their values from the interface used. So, the "default" value isn't an arbitrary default. The real meaning is "use the already set value, to this interface, as the default for this connection". Guess what, we know what defaul...
by Joni
Mon Mar 19, 2018 7:26 pm
Forum: General
Topic: Router OS default values - where to set them
Replies: 7
Views: 1940

Re: Router OS default values - where to set them

This, unfortunate ignorance of Mikrotik. I love the fact that someone has actually taken the time to write default = default in all value definitions in the wiki... However, many value defaults are listed in the wiki: change-tcp-mss (yes | no | default; Default: default) Modifies connection MSS sett...
by Joni
Tue Mar 13, 2018 9:48 am
Forum: Scripting
Topic: Built in function library
Replies: 96
Views: 42246

Re: Built in function library

You could also take into consideration the future possibility of executing scheduled remote scripts from The Dude on remote Device.
(ex collect backups from monitored devices)
by Joni
Fri Mar 09, 2018 9:02 am
Forum: Scripting
Topic: external editor syntax highlighting
Replies: 44
Views: 59493

Re: external editor syntax highlighting

How about contributing the package too... https://notepad-plus-plus.org/contribute/
by Joni
Fri Mar 09, 2018 8:52 am
Forum: Scripting
Topic: Built in function library
Replies: 96
Views: 42246

Re: Built in function library

If you want to really jumpstart the Mikrotik scripting community then you should probably review PHP's most commonly sought-after functions. Also review scripts made for Mikrotik and the most commonly created functions there. Personally any and all validation functions (ip, dns, email, url, time, da...
by Joni
Mon Jan 08, 2018 1:05 pm
Forum: General
Topic: Feature request - DNSCrypt support...
Replies: 172
Views: 70356

Re: Feature request - DNSCrypt support...

Well that problem got resolved... funny how things turn out in completely unexpected ways... wait, no... https://www.reddit.com/r/linux/comments ... abandoned/
by Joni
Fri Dec 29, 2017 2:18 pm
Forum: General
Topic: Feature Request: SAFE MODE time based
Replies: 23
Views: 5463

Re: Feature Request: SAFE MODE time based

Obvious requirement for a multitude of remote changes +1
by Joni
Tue Oct 24, 2017 7:45 pm
Forum: General
Topic: Feature request - DNSCrypt support...
Replies: 172
Views: 70356

Re: Feature request - DNSCrypt support...

Just emphasizing as many presume one with the other.
Could you reference the intention? It's not an authentication protocol but an encryption protocol... hence the name... not that it could fix SNI but since you specified intentions...
by Joni
Tue Oct 24, 2017 12:19 pm
Forum: General
Topic: Feature request - DNSCrypt support...
Replies: 172
Views: 70356

Re: Feature request - DNSCrypt support...

Well this isn't about websites, considering the current "HTTPS everywhere" movement this sounds a bit more than "only" , as SNI is a TLS extension, not HTTP. (just to elaborate how the implementation of DNSCrypt or DNS over TLS (DNSS) itself isn't much of an advancement, especial...
by Joni
Tue Oct 24, 2017 10:58 am
Forum: General
Topic: Feature request - DNSCrypt support...
Replies: 172
Views: 70356

Re: Feature request - DNSCrypt support...

Excellent point, DNSCrypt vs DNS over TLS However doesn't it have the same "issue"? (being a different protocol, HTTP(S) vs DNS) AFAIK, overly simplified the only difference being "Instead of relying on trusted certificate authorities commonly found in web browsers, the client has to ...
by Joni
Tue Oct 24, 2017 8:55 am
Forum: General
Topic: Feature request - DNSCrypt support...
Replies: 172
Views: 70356

Re: Feature request - DNSCrypt support...

Since it is not mentioned yet... "However, just enabling "DNS over TLS" feature would not prevent your ISP to know what websites you visit. Server Name Indication (SNI) — an extension of the TLS protocol — also indicates ISPs that which hostname is being contacted by the browser at th...
by Joni
Mon Oct 16, 2017 3:10 pm
Forum: General
Topic: Why firewall rules are so important...
Replies: 12
Views: 1493

Why firewall rules are so important...

A Google search for "misconfigured" Mikrotik products...

https://www.google.com/search?q=intitle ... on+page%22

Mikrotik should probably at least remove the version number from the login page....
by Joni
Sat Sep 02, 2017 5:01 pm
Forum: General
Topic: Eth1 poe port won't do gigabit
Replies: 11
Views: 2895

Re: Eth1 poe port won't do gigabit

Same issue. Sent mine for inspection (RMA).
by Joni
Tue Mar 21, 2017 9:43 am
Forum: Wireless Networking
Topic: WLAN crashes on RouterBOARD 962UiGS-5HacT2HnT
Replies: 3
Views: 1213

Re: WLAN crashes on RouterBOARD 962UiGS-5HacT2HnT

I have the same issue with 962UiGS-5HacT2HnT (hAP ac) running v6.38.5. (no netinstall yet)
by Joni
Fri Feb 24, 2017 3:15 pm
Forum: Announcements
Topic: v6.38.3 [current]
Replies: 63
Views: 21766

Re: v6.38.3 [current]

Upgrading from 6.38.1 to 6.38.3 somehow broke a CRS109-8G-1S-2HnD-IN (lost all connectivity)
by Joni
Fri Jan 06, 2017 1:41 pm
Forum: General
Topic: btest.exe v0.1 auth fails (at least with v6.38)
Replies: 0
Views: 1857

btest.exe v0.1 auth fails (at least with v6.38)

Running btest server on ROS v6.38 (current, stable) and btest.exe v0.1 on Win10 (64-bit), wirelessly between Win client and ROS AP, causes ROS log entry "login failure for user admin via bandwidth-test". The admin account exists and works for everything else (winbox/http/etc). On the btest...
by Joni
Fri Dec 04, 2015 9:04 am
Forum: General
Topic: WAN NAT + WAN bridge + Forwarding
Replies: 0
Views: 864

WAN NAT + WAN bridge + Forwarding

So I'm trying to tie this up at home out of curiosity, how does one do properly the following configuration (on RB750GL / RB951G-2HnD): To get the main question out of the way: Why? Because it's really convenient, what one could consider out of the box features for any IoT home, and technically not ...