Community discussions

Search found 110 matches

by Uqbar
Fri Jan 11, 2019 4:18 pm
Forum: Beginner Basics
Topic: Mikrotik 6.34.1 Check updates fail
Replies: 44
Views: 40554

Re: Mikrotik 6.34.1 Check updates fail

Hi I have the same problem. The problem was that blocking rules in firewall were at the very top. I moved it lower without disabling, and everything started to work :) I think there actually are two different types of problem here. One is user-created, the other one is (could be?) a bug. If the use...
by Uqbar
Sun Dec 02, 2018 2:12 pm
Forum: Beginner Basics
Topic: Mikrotik 6.34.1 Check updates fail
Replies: 44
Views: 40554

Re: Mikrotik 6.34.1 Check updates fail

Hi I had the following rule in /ip firewall filter ;;; defconf; drop all not coming from LAN chain=input action=drop in-interface-list=!LAN Where LAN was defined as my LAN addresses. Temporarily disabling this rule fixed it, and allowed me to update. I just enabled it again after. Note that the abo...
by Uqbar
Sat Nov 10, 2018 3:27 pm
Forum: Beginner Basics
Topic: Mikrotik 6.34.1 Check updates fail
Replies: 44
Views: 40554

Re: Mikrotik 6.34.1 Check updates fail

I would not advise setting a static address, especially one not traceable to MikroTik.
As I see that advice mainly/only from 1-time posters, let's assume they have bad intentions and ignore them.
I fully agree.
I'd like mikrotik to investigate and fix.
by Uqbar
Wed Oct 31, 2018 1:36 pm
Forum: General
Topic: Old kernel. Why?
Replies: 5
Views: 750

Re: Old kernel. Why?

One of the issues is that Mikrotik wrote a lot of their own proprietary kernel modules; they likely aren't compatible with newer kernels. It's a shame as a lot of the included drivers with newer kernels are much higher quality than Mikrotik's implementations (e.g. the QCA driver supports Wave 2 802.1...
by Uqbar
Wed Oct 31, 2018 9:56 am
Forum: General
Topic: Old kernel. Why?
Replies: 5
Views: 750

Re: Old kernel. Why?

Plenty. Do you have any link, or is it "word of mouth"? ROSv7's main hold-up is developing to new kernel. Major kernels have major changes, especially from what ROS is currently based on to new, the whole networking stack has been re-worked (I believe), so requires a lot of re-development, re-test...
by Uqbar
Wed Oct 31, 2018 8:57 am
Forum: General
Topic: Old kernel. Why?
Replies: 5
Views: 750

Old kernel. Why?

I see the current ROS is based upon a rather old Linux v3 kernel. More or less the same as Android. I see a number of reasons for keeping an old kernel instead of jumping on a v4 one (v5 is next to be launched), and also a number of reasons for doing an upgrade. For sure it gets more and more diffic...
by Uqbar
Thu Oct 04, 2018 9:20 pm
Forum: Wireless Networking
Topic: wireless PtP advice [SOLVED]
Replies: 8
Views: 871

Re: wireless PtP advice [SOLVED]

Sure a SXTsq Lite 5AC can do the job, just reduce the TX power on both sides to have around -50 dBm on both sides and you should be able to pass over around 100 Mbps with that equipment. Regards. Would you please elaborate a little bit more on your suggestion? I am not really an expert on WiFi and ...
by Uqbar
Thu Oct 04, 2018 6:34 pm
Forum: Wireless Networking
Topic: wireless PtP advice [SOLVED]
Replies: 8
Views: 871

Re: wireless PtP advice [SOLVED]

60 GHz (wireless wire) will give plenty of bandwidth, and at 100m shouldn't have any issues with bad weather.
The V-band is not freely available in Italy. Unluckily.
by Uqbar
Thu Oct 04, 2018 6:31 pm
Forum: Wireless Networking
Topic: wireless PtP advice [SOLVED]
Replies: 8
Views: 871

Re: wireless PtP advice [SOLVED]

I need no less than 50 Mbps. Stability is better than bandwidth, in my scenario.
by Uqbar
Wed Oct 03, 2018 12:25 pm
Forum: Wireless Networking
Topic: wireless PtP advice [SOLVED]
Replies: 8
Views: 871

wireless PtP advice [SOLVED]

Hi all.
I need to implement a 100m PtP link. The two antennas have unimpeded air view.
I think a couple of SXTsq Lite5 should do great.
Is there any experience in similar setups?
Any advice?

Thanks in advance.
by Uqbar
Fri Sep 21, 2018 9:50 pm
Forum: General
Topic: Weird outbound UDP traffic
Replies: 19
Views: 2323

Re: Weird outbound UDP traffic

Reset means blank, completely blank in my experience.
by Uqbar
Fri Sep 21, 2018 4:47 pm
Forum: General
Topic: Weird outbound UDP traffic
Replies: 19
Views: 2323

Re: Weird outbound UDP traffic

Maybe I am wrong, but a router that's been reset should simply not be sending anything out. Period.
If I enable a "cloud" feature, I can expect some traffic getting out.
If I enable NTP, I also expect some traffic getting out.
An "empty" router should not be sending any traffic anywhere.
by Uqbar
Fri Sep 21, 2018 12:41 pm
Forum: General
Topic: Weird outbound UDP traffic
Replies: 19
Views: 2323

Re: Weird outbound UDP traffic

Also, the problem about disabling IP Cloud DDNS sending packets after disabled - it sent "remove my IP from DDNS" packets to IP Cloud servers. Also, if you print in that menu, it could trigger check - if DDNS is disabled check and if disabled - "delete my IP address" packet was sent once again - wi...
by Uqbar
Thu Sep 20, 2018 3:32 pm
Forum: General
Topic: Weird outbound UDP traffic
Replies: 19
Views: 2323

Re: Weird outbound UDP traffic

UDP#15252 is everything related to cloud - Time-zone detection, time (if not set in SNTP/NTP), DDNS, backup management frames. TCP#15252 is IP Cloud backup
Did some magic with PTR
It's OK: there's reverse DNS now. That's not really a trick, though: PTR records have been "invented" just for that: re...
by Uqbar
Thu Sep 20, 2018 9:12 am
Forum: General
Topic: Weird outbound UDP traffic
Replies: 19
Views: 2323

Re: Weird outbound UDP traffic

Soon after the upgrade to v6.43.1 I
DROP-OUTPUT output: in:(unknown 0) out:ether24, proto UDP, 192.168.255.252:38962->159.148.147.201:15252, len 66
DROP-OUTPUT output: in:(unknown 0) out:ether24, proto UDP, 192.168.255.252:49614->159.148.172.251:15252, len 66
$ host cloud2.mikrotik.com cloud2.m...
by Uqbar
Wed Sep 19, 2018 4:56 pm
Forum: General
Topic: Weird outbound UDP traffic
Replies: 19
Views: 2323

Re: Weird outbound UDP traffic

Those settings all get actualized ONLY after a reboot. Only after the reboot all that UDP traffic stopped. Which is really weird: a router should never be rebooted, unless a firmware update has been done or a huge bug is freezing it. I would treat this as a bug and file a ticket for it if there was ...
by Uqbar
Wed Sep 19, 2018 2:00 pm
Forum: General
Topic: Output chain questions
Replies: 7
Views: 1485

Re: Output chain questions

This is happening on v6.43.1 but not in v.6.42.x.
I have disabled both the "Time Zone Autodetect" and all the "IP Cloud" stuff.
I still see those UDP packets trying to go out every two minutes.
I'd say, if that's legitimate, then please document it.
by Uqbar
Wed Sep 19, 2018 1:57 pm
Forum: General
Topic: Weird outbound UDP traffic
Replies: 19
Views: 2323

Re: Weird outbound UDP traffic

Read here: https://forum.mikrotik.com/viewtopic.php?t=137708
I really don't expect a default "blank" router configuration to enable outbound connections over unknown protocols. So I've also disabled that "Time Zone Autodetect" setting. I still see those outbound UDP:15252 connections. Anyway, if tha...
by Uqbar
Wed Sep 19, 2018 1:09 pm
Forum: General
Topic: Weird outbound UDP traffic
Replies: 19
Views: 2323

Weird outbound UDP traffic

Hi all. I've setup a new Mikrotik box. My policy is to only allow traffic that's meant to be allowed and dropping anything else. Soon after the upgrade to v6.43.1 I am finding a number of events in the logs like this one: DROP-OUTPUT output: in:(unknown 0) out:ether24, proto UDP, 192.168.255.252:389...
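The DROP-OUTPUT lines quoted in this thread have a fixed shape, so they can be parsed rather than read one by one. What follows is an added Python example, not code from the thread, from MikroTik or from Uqbar: it parses RouterOS firewall log lines for TCP/UDP, flags the ones the router generated itself (output chain with no input interface) and tallies them by destination and port. The sample log is constructed for the example; only the two cloud2.mikrotik.com addresses and port 15252 come from the thread, the other hosts are documentation addresses. The port-to-service labels are an assumption taken from the thread's own explanation of port 15252, not an official MikroTik table.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample log in the same shape as the DROP-OUTPUT lines in the thread.
# 159.148.147.201 / 159.148.172.251 and port 15252 are from the thread; the
# 198.51.100.x / 203.0.113.x / 192.0.2.x hosts are documentation addresses.
SAMPLE_LOG = """\
DROP-OUTPUT output: in:(unknown 0) out:ether24, proto UDP, 192.168.255.252:38962->159.148.147.201:15252, len 66
DROP-OUTPUT output: in:(unknown 0) out:ether24, proto UDP, 192.168.255.252:49614->159.148.172.251:15252, len 66
DROP-OUTPUT output: in:(unknown 0) out:ether24, proto UDP, 192.168.255.252:40001->198.51.100.7:123, len 76
DROP-INPUT input: in:ether24 out:(unknown 0), proto TCP (SYN), 203.0.113.9:51234->192.0.2.1:22, len 60
"""

# Assumed labels: port 15252 as explained in the thread, plus two well-known ports.
KNOWN_PORTS = {
    ("UDP", 15252): "MikroTik IP Cloud (DDNS/time, per the thread)",
    ("TCP", 15252): "MikroTik IP Cloud backup (per the thread)",
    ("UDP", 123): "NTP",
    ("UDP", 53): "DNS",
    ("TCP", 53): "DNS",
}

# RouterOS firewall log line for TCP/UDP:
#   <prefix> <chain>: in:<if> out:<if>, [src-mac ..,] proto <P> [(flags)], <src>:<sport>-><dst>:<dport>, len <n>
# A missing interface prints as "(unknown 0)" (older builds) or "(none)"; on the
# output chain that means the router itself generated the packet. The "\s*"
# around ':' and '->' tolerate the stray spaces forum rendering adds.
LOG_RE = re.compile(
    r"^(?P<prefix>\S+)\s+(?P<chain>input|output|forward):\s+"
    r"in:(?P<in_if>\([^)]*\)|\S+?)\s+out:(?P<out_if>\([^)]*\)|\S+?),\s+"
    r"(?:src-mac\s+[0-9a-fA-F:]+,\s+)?"
    r"proto\s+(?P<proto>[A-Za-z]+)(?:\s+\((?P<flags>[^)]*)\))?,\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s*:\s*(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s*:\s*(?P<dport>\d+),\s+len\s+(?P<length>\d+)\s*$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one TCP/UDP firewall log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["proto"] = e["proto"].upper()
    for key in ("sport", "dport", "length"):
        e[key] = int(e[key])
    return e


def router_originated(e: dict) -> bool:
    """Output-chain packets with no input interface were generated by the router."""
    return e["chain"] == "output" and e["in_if"].startswith("(")


def classify(e: dict) -> str:
    origin = "router-originated" if router_originated(e) else "transit/inbound"
    service = KNOWN_PORTS.get((e["proto"], e["dport"]), "unknown service")
    return f"{origin} {e['proto']}/{e['dport']} ({service})"


def summarize(log_text: str) -> Counter:
    """Count router-originated drops per (dst, proto, dport); unparsable lines are skipped."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and router_originated(e):
            counts[(e["dst"], e["proto"], e["dport"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_line(line)
        print(classify(e) if e else f"unparsed: {line}")
    for (dst, proto, dport), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {proto}/{dport:<5} -> {dst}")
```

Feed it the output of /log print where topics=firewall, or a syslog export; anything the router sends out on its own shows up as "router-originated", which is exactly the class of traffic a "drop everything not explicitly allowed" policy wants to enumerate before deciding what to permit.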
by Uqbar
Mon Aug 27, 2018 11:48 am
Forum: Beginner Basics
Topic: winbox + SOCKSv5 proxy?
Replies: 22
Views: 7667

Re: winbox + SOCKSv5 proxy?

btw Safari still has Gopher support :)
There's still people using Internet Explorer, Windows and even DOS. And even PDP-11s.
by Uqbar
Mon Aug 27, 2018 11:46 am
Forum: Beginner Basics
Topic: winbox + SOCKSv5 proxy?
Replies: 22
Views: 7667

Re: winbox + SOCKSv5 proxy?

For anyone who stumbles upon this as I do for the third time: it is possible to use WinBox via SSH tunnel. If you use PuTTY, go to Connection, SSH, Tunnels and add a tunnel:
Source port: your-local-port (say, 8090)
Destination: mikrotik.local:8291 (i.e., 10.0.0.1:8291)
Local
Auto
OpenSSH is more str...
by Uqbar
Sat Aug 18, 2018 3:09 pm
Forum: Beginner Basics
Topic: Mikrotik 6.34.1 Check updates fail
Replies: 44
Views: 40554

Re: Mikrotik 6.34.1 Check updates fail

I've found the cause in the wrong DNS settings. Using Google's DNS server solved it for me. Enter the next in your terminal: /ip dns set allow-remote-requests=yes cache-max-ttl=1d cache-size=2048KiB max-udp-packet-size=4096 servers=8.8.8.8,8.8.4.4
Do you think Google DNSes have better answers? I do...
by Uqbar
Thu Aug 02, 2018 12:08 pm
Forum: General
Topic: How to Self-Sign SSL Certificate and Activate HTTPS
Replies: 4
Views: 10650

[SOLVED] Re: How to Self-Sign SSL Certificate and Activate HTTPS

The directions by quicky2g didn't work on v6.42.6. First, the certificate to be used by www-ssl service isn't named "cert_2" but rather "mikrotik_ssl_.crt_0". I presume this is just a copy+paste error. Second, whatever certificate file I select for www-ssl I get this error on Firefox 61.0.1 (64-bit)...
by Uqbar
Wed Apr 18, 2018 1:13 pm
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 57
Views: 154052

Re: Block Torrents & p2p Traffic 100% working on all versions

This is why I aim at identifying the P2P traffic (BitTorrent, DHT-based protocols and the likes). If I succeed I can do something: blocking, limiting ... If I cannot, then I have little to discuss. Again, downloading a torrent file is NOTHING. Have you tried to use a recent BitTorrent client with "...
by Uqbar
Wed Apr 18, 2018 10:18 am
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 57
Views: 154052

Re: Block Torrents & p2p Traffic 100% working on all versions

It seems to me if an ISP offers a customer bandwidth, say 1M up and 10M down for example, then the ISP is obligated to deliver 1M up and 10M down 99% of the time. After all, that's what the customer was sold. If an ISP can't deliver promised bandwidth in aggregate due to oversubscription, overutili...
by Uqbar
Tue Apr 17, 2018 10:59 pm
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 57
Views: 154052

Re: Block Torrents & p2p Traffic 100% working on all versions

I am not an ISP. I manage a company network with BYOD policy.
by Uqbar
Tue Apr 17, 2018 10:35 pm
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 57
Views: 154052

Re: Block Torrents & p2p Traffic 100% working on all versions

I have 100mbps symmetrical.
One or two clients doing BitTorrent with a few files to be shared are enough to eat 50+% of the available bandwidth.
This is why I mind about p2p!
by Uqbar
Tue Apr 17, 2018 8:33 pm
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 57
Views: 154052

Re: Block Torrents & p2p Traffic 100% working on all versions

Hello from the US. Why would you want to block torrents? It is often legitimate traffic. Perhaps torrents are sometimes used to copy copyrighted content without appropriate license, but that is on the person making the illegal copy. The ISP cannot know if a torrent is legal or illegal without confr...
by Uqbar
Tue Apr 17, 2018 1:29 pm
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 57
Views: 154052

Re: Block Torrents & p2p Traffic 100% working on all versions

This will only block the download of a torrent file, not the torrent traffic itself. Try to first download the torrent file, then enable the rules and finally ask your torrent client to load the torrent file to start the p2p exchange. You will see the p2p traffic bidirectionally flowing unimpeded! ...
by Uqbar
Tue Apr 17, 2018 11:07 am
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 57
Views: 154052

Re: Block Torrents & p2p Traffic 100% working on all versions

Hi! I followed your tutorial and it works perfectly on my router! Thank you a lot! (I work for a small French ISP and we receive letters from Hadopi, so we are searching for a solution to limit illegal downloads ^^) I have a question, maybe it will sound stupid for you, but this code: /ip firew...
by Uqbar
Wed Apr 11, 2018 11:27 am
Forum: Beginner Basics
Topic: Mikrotik 6.34.1 Check updates fail
Replies: 44
Views: 40554

Re: Mikrotik 6.34.1 Check updates fail

Hello, I have the same problem. I have configured my routerboard from default mode and on my PC I have network access with DHCP. I have updated DNS to Google's default, and I have tried to add a static redirect to the MikroTik IP DNS, but the routerboard still doesn't have internet. Can you help? https://...
by Uqbar
Tue Mar 13, 2018 10:11 pm
Forum: Beginner Basics
Topic: Is routerOS supporting modern SSH?
Replies: 4
Views: 820

Re: Is routerOS supporting modern SSH?

You would have put all these in the original post and perhaps in the general forum instead of beginner basics.
I did put them in the original post.
They are mentioned between the words "support" and "keys".
I don't need any help any more on this topic, though.
Also this is in the original post.
by Uqbar
Tue Mar 13, 2018 8:14 pm
Forum: Beginner Basics
Topic: Is routerOS supporting modern SSH?
Replies: 4
Views: 820

Re: Is routerOS supporting modern SSH?

Not sure your particular target but in general yes, you can use /system ssh xx.xx.xx.xx from Mikrotik router terminal to establish an SSH session to the IP address that the router can reach. My particular target is ... elliptic curve keys. I already know SSH is working fairly well. I already know ...
by Uqbar
Tue Mar 13, 2018 4:52 pm
Forum: Beginner Basics
Topic: Is routerOS supporting modern SSH?
Replies: 4
Views: 820

Is routerOS supporting modern SSH?

I am wondering whether the SSH server bundled with the rest of the RouterOS software is modern enough to support elliptic curve keys.

Any idea?

UPDATE
Neither Ed25519 nor ECDSA are supported. I tried to import both, but failed.
What a pity!
by Uqbar
Wed Feb 14, 2018 1:08 pm
Forum: Beginner Basics
Topic: Mikrotik 6.34.1 Check updates fail
Replies: 44
Views: 40554

Re: Mikrotik 6.34.1 Check updates fail

Maybe I am wrong, but this issue is going too far. Adding an entry into the /etc/hosts file to fix a DNS issue sounds childish to me. I understand this is among the rarest issues with this otherwise marvelous product, but there needs to be a reason and, of course, a solution. Is there any loggi...
by Uqbar
Sun Nov 12, 2017 10:14 am
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 57
Views: 154052

Re: Block Torrents & p2p Traffic 100% working on all versions

The torrent file download is not the torrent traffic. I don't really mind about downloading torrent files: they can be a few megs, even a dozen, and then it's done. Torrent traffic is about large movies (from a few gigas to a hundred), mostly all pirated contents. And you can bring torrent files int...
by Uqbar
Wed Mar 15, 2017 10:26 am
Forum: General
Topic: Please, fix that damned "Quickset" page!
Replies: 3
Views: 514

Please, fix that damned "Quickset" page!

The Quickset page is meant to be a useful tool, a "first glance" view of the box. As of now it's a real nightmare. Have you ever tried the "design skin" with that page? You will get the details (internet, local network, bridge, system) repeated several times. The page itself is displaying (in my cas...
by Uqbar
Tue Feb 07, 2017 3:01 pm
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 57
Views: 154052

Re: Block Torrents & p2p Traffic 100% working on all versions

I started by dropping all incoming TCP and UDP traffic (all of it) but those services that go to DMZ. So there's no traffic going to LAN, which means "low ID" in the P2P lingo. Then I started throttling (I'd like to drop, actually) all outgoing traffic from LAN with UDP ports other than 53 (DNS) and...
by Uqbar
Fri Jul 01, 2016 11:31 am
Forum: Beginner Basics
Topic: Mikrotik 6.34.1 Check updates fail
Replies: 44
Views: 40554

Re: Mikrotik 6.34.1 Check updates fail

Added static entry in IP/DNS for upgrade.mikrotik.com 52.85.184.245 and now works perfectly. Sometimes things just happen with no explanation :) That indeed works! But I cannot accept that "it just happened"! Something in the resolver path was wrong, and was wrong only there. I have 7 of these route...
by Uqbar
Thu May 26, 2016 4:35 pm
Forum: Beginner Basics
Topic: No space left on device. Now what?
Replies: 20
Views: 2639

Re: No space left on device. Now what?

We already have a (powerful) serial console. We already have XModem via console in the "BIOS", even if uploading 16+ MB via 115.2K console takes some time. If that is not possible there could be a way to restart the unit in "single user mode", setup an ethernet port, download an image via TFTP etc. ...
by Uqbar
Thu May 26, 2016 3:03 pm
Forum: Beginner Basics
Topic: No space left on device. Now what?
Replies: 20
Views: 2639

Re: No space left on device. Now what?

If you are Linux-savvy, you could do this: http://www.cyberciti.biz/tips/running-x-window-graphical-application-over-ssh-session.html and then run Netinstall in Wine
In remote sites, besides all application servers and storage we only have a single tiny Linux machine for support we access with SSH ...
by Uqbar
Thu May 26, 2016 12:50 pm
Forum: Beginner Basics
Topic: No space left on device. Now what?
Replies: 20
Views: 2639

Re: No space left on device. Now what?

Yes
Just to understand: what'd the XModem upgrade procedure be for?
by Uqbar
Thu May 26, 2016 12:42 pm
Forum: Beginner Basics
Topic: No space left on device. Now what?
Replies: 20
Views: 2639

Re: No space left on device. Now what?

Xmodem has no relation to my suggestion. I suggested to use Netinstall. You must start the device in Etherboot mode, not in Xmodem mode. Follow instructions here: http://wiki.mikrotik.com/wiki/Manual:Netinstall
As I have no IP connection any more to the CCR, I need to use the Xmodem. Isn't it worki...
by Uqbar
Thu May 26, 2016 12:35 pm
Forum: Beginner Basics
Topic: No space left on device. Now what?
Replies: 20
Views: 2639

Re: No space left on device. Now what?

OK. I'll follow your suggestion and will post the news here. I am going to use XModem as there's no IP connectivity any more. Is the "main package" just enough to bring it back to normal operations (provided that there's no other major reason for failure)? Paldies! Xmodem has no relation to my sugg...
by Uqbar
Thu May 26, 2016 12:34 pm
Forum: Beginner Basics
Topic: No space left on device. Now what?
Replies: 20
Views: 2639

Re: No space left on device. Now what?

Upgrade packages come with the .npk extension. Check this
I have got this after the lengthy XModem transfer:
press any key to continue... |
file transfer ok
invalid upgrade file id
I was using the file "routeros-tile-6.35.2.bin" I downloaded from Mikrotik website. Now what? If I go here, I read "npk" i...
by Uqbar
Thu May 26, 2016 12:06 pm
Forum: Beginner Basics
Topic: No space left on device. Now what?
Replies: 20
Views: 2639

Re: No space left on device. Now what?

I have got this after the lengthy XModem transfer:
press any key to continue... |
file transfer ok
invalid upgrade file id
I was using the file "routeros-tile-6.35.2.bin" I downloaded from Mikrotik website. Now what?
by Uqbar
Thu May 26, 2016 11:16 am
Forum: Beginner Basics
Topic: No space left on device. Now what?
Replies: 20
Views: 2639

Re: No space left on device. Now what?

OK. I'll follow your suggestion and will post the news here.
I am going to use XModem as there's no IP connectivity any more.
Is the "main package" just enough to bring it back to normal operations (provided that there's no other major reason for failure)?
Paldies!
by Uqbar
Thu May 26, 2016 11:15 am
Forum: Beginner Basics
Topic: No space left on device. Now what?
Replies: 20
Views: 2639

Re: No space left on device. Now what?

I didn't do that, as it sounded "scary" :lol:
What about the configuration file? Will be it kept?
TIA.
by Uqbar
Thu May 26, 2016 10:04 am
Forum: Beginner Basics
Topic: No space left on device. Now what?
Replies: 20
Views: 2639

No space left on device. Now what?

Hi all. My box is a:
Board type: CCR1009-8G-1S
Firmware version: 3.27
For a few days I have had to keep it offline as it was not working anymore. Once I connected the serial console, the boot showed the following messages:
RouterBOOT booter 3.27
CCR1009-8G-1S
CPU frequency: 1200 MHz
Memory size: 1024 MiB...
by Uqbar
Sun Mar 27, 2016 1:00 pm
Forum: Scripting
Topic: Webfig with HTTPS support?
Replies: 22
Views: 16252

Re: Webfig with HTTPS support?

Which RouterOS version?
by Uqbar
Sat Mar 26, 2016 8:45 pm
Forum: Beginner Basics
Topic: Mikrotik 6.34.1 Check updates fail
Replies: 44
Views: 40554

Re: Mikrotik 6.34.1 Check updates fail

From "PC":
support@server:/home/support > ping -c 5 upgrade.mikrotik.com
PING d355q2xs8kb5oj.cloudfront.net (54.192.131.180) 56(84) bytes of data.
64 bytes from server-54-192-131-180.ams50.r.cloudfront.net (54.192.131.180): icmp_req=1 ttl=53 time=44.1 ms
64 bytes from server-54-192-131-180.ams50.r.c...
by Uqbar
Fri Mar 25, 2016 8:17 am
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 57
Views: 154052

Re: Block Torrents & p2p Traffic 100% working on all versions

In my case I have identified torrent traffic by discard
Do you mean "everything else" (everything but HTTP, HTTPS, SSH, SMTPS, IMAP4S POP3S..) is considered torrent? If so, which protocols are you considering? If not, please elaborate. As I cannot really block P2P in general, I am trying to throttl...
by Uqbar
Thu Mar 24, 2016 8:09 pm
Forum: Beginner Basics
Topic: Mikrotik 6.34.1 Check updates fail
Replies: 44
Views: 40554

Re: Mikrotik 6.34.1 Check updates fail

How can I test from within the Mikrotik whether I can resolve upgrade.mikrotik.com?
It's clearly not working!
So the real question is how can I troubleshoot it?
I can resolve from LAN, but not from the router itself.
by Uqbar
Thu Mar 24, 2016 7:54 pm
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 57
Views: 154052

Re: Block Torrents & p2p Traffic 100% working on all versions

In my case I have identified torrent traffic by discard
Do you mean "everything else" (everything but HTTP, HTTPS, SSH, SMTPS, IMAP4S POP3S..) is considered torrent? If so, which protocols are you considering? If not, please elaborate. As I cannot really block P2P in general, I am trying to throttl...
by Uqbar
Thu Mar 24, 2016 11:32 am
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 57
Views: 154052

Re: Block Torrents & p2p Traffic 100% working on all versions

I agree with chechito. The only "small problem"™ is correctly identifying the torrent traffic.
Blocking the download of the torrent file itself is useless as torrents can be added manually from other sources.
I think that only Deep Packet Inspection can help.
Any ideas?
by Uqbar
Mon Feb 01, 2016 1:37 pm
Forum: Scripting
Topic: Help needed to understand wiki example
Replies: 3
Views: 697

Re: Help needed to understand wiki example

In your example, if ip firewall address-list is empty, then [/ip firewall address-list find ] will return nothing - "", so conditions for: :if ( [/ip firewall address-list find ] = "") will be TRUE.
Maybe I have been unclear. If you read the wiki script I linked, the address list is named "restrict...
by Uqbar
Mon Feb 01, 2016 1:15 pm
Forum: Scripting
Topic: Help needed to understand wiki example
Replies: 3
Views: 697

Help needed to understand wiki example

Hi all. I am new to the syntax/semantics of the Mikrotik scripting language. I stumbled upon the Block access to specific websites script in the wiki. I am willing to understand and not to blindly use it and the documentation seems not to be clear to me. Very likely it's my fault. 1. At line no.12 I...
by Uqbar
Sat Jan 09, 2016 1:02 pm
Forum: Scripting
Topic: Webfig with HTTPS support?
Replies: 22
Views: 16252

Re: Webfig with HTTPS support?

Is there anyone out there that knows anything about this?
The RouterOS HTTPS stuff needs an update!!!
by Uqbar
Fri Nov 27, 2015 12:26 pm
Forum: Beginner Basics
Topic: How to access DMZ from LAN with its public IP?
Replies: 9
Views: 2135

Re: How to access DMZ from LAN with its public IP?

I made it (almost) working with these two rules in NAT:
0 chain=dstnat action=dst-nat to-addresses=10.74.1.222 to-ports=80 protocol=tcp dst-address-type=local in-interface=ether2-LAN dst-port=80
1 chain=srcnat action=masquerade protocol=tcp src-address=10.74.1.0/24 dst-address=10.74.1.222 out-interf...
by Uqbar
Fri Nov 27, 2015 11:05 am
Forum: Beginner Basics
Topic: Access to WAN IP from LAN
Replies: 20
Views: 17918

Re: Access to WAN IP from LAN

I am having the same problem.
I would have expected a dst-nat, not src-nat, though. Something to change my destination public address to my private LAN server address when accessing the LAN server through its public IP!
by Uqbar
Mon Nov 23, 2015 3:25 pm
Forum: Beginner Basics
Topic: How to access DMZ from LAN with its public IP?
Replies: 9
Views: 2135

Re: How to access DMZ from LAN with its public IP?

We are back to the original point.
1. I have a dst-nat rule with a few TCP ports available from internet
2. I have a dst-nat rule with all TCP ports available from LAN

But it doesn't work.
by Uqbar
Mon Nov 23, 2015 1:09 pm
Forum: Beginner Basics
Topic: How to access DMZ from LAN with its public IP?
Replies: 9
Views: 2135

Re: How to access DMZ from LAN with its public IP?

I did not understand well what you said, but you can only forward the ports you need to the DMZ, like: ip firewall nat add chain=dstnat protocol=tcp dst-port=80,443,3128 dst-address=public-ip action=dst-nat to-addresses=local-ip
If you want you can define "to-ports=80,443,3128" so that it will only for...
by Uqbar
Mon Nov 23, 2015 12:39 pm
Forum: Beginner Basics
Topic: How to access DMZ from LAN with its public IP?
Replies: 9
Views: 2135

Re: How to access DMZ from LAN with its public IP?

That works. But it's interfering with the filtering dst-nat rule that comes before. I have a first dst-nat rule to allow the access from internet to the DMZ server only with a few protocols. While the second one that you suggested (and works) allows all protocols, as it should be. What happens is th...
by Uqbar
Mon Nov 23, 2015 12:13 pm
Forum: Beginner Basics
Topic: How to access DMZ from LAN with its public IP?
Replies: 9
Views: 2135

Re: How to access DMZ from LAN with its public IP?

That's not working yet.
I want to be able to access the local DMZ server by means of its public IP...
by Uqbar
Thu Nov 19, 2015 4:53 pm
Forum: Beginner Basics
Topic: How to access DMZ from LAN with its public IP?
Replies: 9
Views: 2135

How to access DMZ from LAN with its public IP?

I have a server on my LAN that I have exposed in DMZ with a couple of src-nat/dst-nat. Its public IP address is different from the mikrotik WAN IP. I added a NAT rule like this (sorry, I use winbox): Chain: dst-nat Dst-address: DMZ public IP In.Interface: LAN Action: dst-nat to address: LAN private ...
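The pair of rules that eventually made this "(almost)" work, a dst-nat for LAN traffic to the server's public address plus a masquerade for LAN-to-server traffic, is the usual hairpin-NAT combination, and the reason the masquerade is needed is easier to see on a model than on the router. The following added Python example, not code from the thread, from Uqbar or from RouterOS, simulates one LAN client opening a connection to the DMZ server through its public address, once without and once with the masquerade rule. 10.74.1.0/24 and 10.74.1.222 are the addresses posted in the thread; the public address 198.51.100.22, the router's LAN address 10.74.1.1 and the client 10.74.1.50 are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("10.74.1.0/24")   # from the thread
SERVER = "10.74.1.222"                 # DMZ server's private address, from the thread
PUBLIC_IP = "198.51.100.22"            # assumed: the server's public IP, held by the router
ROUTER_LAN = "10.74.1.1"               # assumed: router address on ether2-LAN (masquerade source)
CLIENT = "10.74.1.50"                  # assumed: a host on the LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def as_tuple(self):
        return (self.src, self.sport, self.dst, self.dport)


class Router:
    """Minimal model of the dstnat and srcnat chains plus connection tracking."""

    def __init__(self, hairpin_masquerade: bool):
        self.hairpin_masquerade = hairpin_masquerade
        self.conntrack = {}  # expected reply tuple -> original client tuple

    def forward_from_lan(self, pkt: Packet) -> Packet:
        src, sport, dst, dport = pkt.as_tuple()
        # chain=dstnat in-interface=ether2-LAN dst-address-type=local dst-port=80
        #   action=dst-nat to-addresses=10.74.1.222 to-ports=80
        if dst == PUBLIC_IP and dport == 80:
            dst, dport = SERVER, 80
        # chain=srcnat src-address=10.74.1.0/24 dst-address=10.74.1.222 action=masquerade
        # (masquerade rewrites the source to the address of the outgoing interface)
        if self.hairpin_masquerade and ip_address(src) in LAN_NET and dst == SERVER:
            src = ROUTER_LAN
        self.conntrack[(dst, dport, src, sport)] = pkt.as_tuple()
        return Packet(src, sport, dst, dport)

    def translate_reply(self, pkt: Packet):
        """Undo both translations for a reply that reached the router."""
        orig = self.conntrack.get(pkt.as_tuple())
        if orig is None:
            return None
        osrc, osport, odst, odport = orig
        return Packet(odst, odport, osrc, osport)


def server_reply(pkt: Packet) -> Packet:
    """The server answers whatever source address it saw."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def hairpin_session(hairpin_masquerade: bool):
    """One SYN / SYN-ACK round trip; returns (client_accepts, packet_at_server, reply_at_client)."""
    router = Router(hairpin_masquerade)
    syn = Packet(CLIENT, 51000, PUBLIC_IP, 80)
    at_server = router.forward_from_lan(syn)
    reply = server_reply(at_server)
    # Client and server share 10.74.1.0/24, so the server delivers its reply
    # directly on the LAN; only a reply addressed to the router itself is de-NATed.
    if reply.dst == ROUTER_LAN:
        reply = router.translate_reply(reply)
    expected = (PUBLIC_IP, 80, CLIENT, 51000)   # what the client's socket is waiting for
    accepted = reply is not None and reply.as_tuple() == expected
    return accepted, at_server, reply


if __name__ == "__main__":
    for flag in (False, True):
        ok, at_server, reply = hairpin_session(flag)
        print(f"masquerade={flag}: server saw {at_server.src}, "
              f"client got reply from {reply.src if reply else None}, accepted={ok}")
```

Without the masquerade the server answers the client directly with its private address as source, the client's socket is waiting for a reply from the public address, and the handshake dies; with it, the reply is forced back through the router, which undoes both translations. The price is that the server's logs show the router's LAN address instead of the real client, which is why the other common fix is split DNS that resolves the name to 10.74.1.222 inside the LAN.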
by Uqbar
Fri Nov 06, 2015 10:36 am
Forum: Beginner Basics
Topic: winbox + SOCKSv5 proxy?
Replies: 22
Views: 7667

Re: winbox + SOCKSv5 proxy?

Why else would e.g. all current web browsers still support it?.
Modern browsers still have a field to enter "Gopher proxy" address, but that was not so much popular after 1993 :)
Which browser are you using? :lol:
by Uqbar
Fri Nov 06, 2015 10:31 am
Forum: Beginner Basics
Topic: winbox + SOCKSv5 proxy?
Replies: 22
Views: 7667

Re: winbox + SOCKSv5 proxy?

SOCKS5 is too new for MikroTik, look at SOCKS server in RouterOS, still limited to SOCKS4 only. ;) It would be nice to see it upgraded one day too. But that's OT here. The SSH server running in RouterOS v6.32 already supports it. Connect to it with a "dynamic forwarder" (a nickname for SOCKS prox...
by Uqbar
Fri Nov 06, 2015 10:21 am
Forum: Beginner Basics
Topic: winbox + SOCKSv5 proxy?
Replies: 22
Views: 7667

Re: winbox + SOCKSv5 proxy?

You see, I open an SSH connection through which I access the HTTP webfig and ftp.
Are you saying you have already got this working, or you wish to do it?
Yes: my browser and my ftp client support SOCKSv5 proxy.
by Uqbar
Thu Nov 05, 2015 1:16 pm
Forum: Beginner Basics
Topic: winbox + SOCKSv5 proxy?
Replies: 22
Views: 7667

Re: winbox + SOCKSv5 proxy?

Yes. Same applies to Dude. To be honest, this is the first time I have heard a similar request.
The use of SSH TCP Port forwarding and SOCKSv5 proxy is very popular among system and network administrators, AFAIK. Especially when "standard" SSH implementations are available. It's not a high performa...
by Uqbar
Thu Nov 05, 2015 1:07 pm
Forum: Beginner Basics
Topic: winbox + SOCKSv5 proxy?
Replies: 22
Views: 7667

Re: winbox + SOCKSv5 proxy?

Winbox uses TLS, it is in the manual.
OK. I saw it, though it's optional.
It's TLS 1.2, right?
by Uqbar
Thu Nov 05, 2015 12:14 pm
Forum: Beginner Basics
Topic: winbox + SOCKSv5 proxy?
Replies: 22
Views: 7667

Re: winbox + SOCKSv5 proxy?

What is the purpose of your request? Is the router in some private LAN, accessible only over SOCKS proxy? Otherwise, use direct connection. I am sorry for not having been clear enough. My purpose is to always connect to the MikroTik with known security levels. This is mandatory in my environment so...
by Uqbar
Thu Nov 05, 2015 9:50 am
Forum: Beginner Basics
Topic: winbox + SOCKSv5 proxy?
Replies: 22
Views: 7667

Re: winbox + SOCKSv5 proxy?

1) SOCKSv5 is ancient history - RFC is from 1996. I do not see any need for it in modern networking. Really? A lot of people like me find that feature really useful so OpenSSH is STILL supporting and maintaining it since looong time now. Latest proposals for FTP (supported by RouterOS) are from 19...
by Uqbar
Wed Nov 04, 2015 5:11 pm
Forum: General
Topic: Feature request: add support to ed25519 signature
Replies: 1
Views: 787

Feature request: add support to ed25519 signature

https://en.wikipedia.org/wiki/EdDSA
http://ed25519.cr.yp.to/

as it's part of OpenSSH since v6.5 (http://www.openssh.com/txt/release-6.5)
Anyone can see the pros of such a choice and there seem to be no cons so far.
by Uqbar
Wed Nov 04, 2015 4:17 pm
Forum: General
Topic: Feature request: SOCKSv5 proxy for Winbox
Replies: 0
Views: 489

Feature request: SOCKSv5 proxy for Winbox

A SOCKSv5 proxy can be used, when created with a capable SSH client like OpenSSH and PuTTY, to securely access the GUI of the router.
Currently it can be used for webfig as all major HTML browsers support it.
by Uqbar
Wed Nov 04, 2015 4:06 pm
Forum: Beginner Basics
Topic: winbox + SOCKSv5 proxy?
Replies: 22
Views: 7667

Re: winbox + SOCKSv5 proxy?

I need to be able to use winbox with a SOCKSv5 proxy I create with an SSH session.. What does winbox have to do with a SOCKSv5 proxy?? Winbox is only for connection to RouterOS devices. You don't know what a SOCKSv5 proxy is for, do you? Have you ever used a "-D" option in OpenSSH? For example I open an S...
by Uqbar
Wed Nov 04, 2015 1:01 pm
Forum: General
Topic: How many SSH keys for each user?
Replies: 3
Views: 460

Re: How many SSH keys for each user?

where is the problem adding another key in the way you added the first one?
/user ssh-keys print
Flags: R - RSA, D - DSA
 #   USER   BITS  KEY-OWNER
 0 D admin  1024
 1 D admin  2048
 2 R admin  2048
No problem at all. Simply it seems to me it's not stated that I can set up more ssh keys. So I was scared to "o...
by Uqbar
Wed Nov 04, 2015 12:46 pm
Forum: General
Topic: SSH bruteforce mitigation
Replies: 5
Views: 479

Re: SSH bruteforce mitigation

Anyway, with those rules in place I don't see any address list being created.
Should I create them manually?
by Uqbar
Wed Nov 04, 2015 12:45 pm
Forum: Beginner Basics
Topic: winbox + SOCKSv5 proxy?
Replies: 22
Views: 7667

winbox + SOCKSv5 proxy?

I need to be able to use winbox with a SOCKSv5 proxy I create with an SSH session.
As far as I've seen neither v2 nor the v3beta allow it.
Is this a missing feature or am I missing something?
TIA.
by Uqbar
Wed Nov 04, 2015 12:21 pm
Forum: General
Topic: SSH bruteforce mitigation
Replies: 5
Views: 479

Re: SSH bruteforce mitigation

These rules give any user 3 minutes to properly authenticate. After that, the IP address that is used will not be able to get a connection to the SSH service for 10 days. While any computer can still try to connect to port 22 on your Mikrotik, the fact that you drop packets will take away the incen...
by Uqbar
Wed Nov 04, 2015 12:09 pm
Forum: General
Topic: SSH bruteforce mitigation
Replies: 5
Views: 479

SSH bruteforce mitigation

I am experiencing a rather annoying brute force attack on my WAN over the SSH TCP port. To try to mitigate such a problem I've read this wiki page, second chapter about SSH. It's not clear to me how those rules can discern the various SSH handshake stages, especially with the order that's bein...
by Uqbar
Wed Nov 04, 2015 10:43 am
Forum: Beginner Basics
Topic: Safe mode in webfig
Replies: 5
Views: 1447

Re: Safe mode in webfig

Safe Mode only protects you from yourself. Other sessions are not checked. So no, SSH will not be monitored. It only checks what you personally do in Webfig when the Safe Mode is activated (also by you) I am the one who's typing commands via SSH! I cannot see (my fault) the difference (apart of the...
by Uqbar
Wed Nov 04, 2015 9:45 am
Forum: General
Topic: How many SSH keys for each user?
Replies: 3
Views: 460

How many SSH keys for each user?

I need to load more than one SSH key for a single user.
Is this possible just like plain OpenSSH? How to?
by Uqbar
Tue Nov 03, 2015 7:48 pm
Forum: Scripting
Topic: Webfig with HTTPS support?
Replies: 22
Views: 16252

Re: Webfig with HTTPS support?

It looks like this is a top secret.
:?
by Uqbar
Tue Nov 03, 2015 5:54 pm
Forum: Scripting
Topic: Webfig with HTTPS support?
Replies: 22
Views: 16252

Re: Webfig with HTTPS support?

I fear the problem is in the choice of available SSL cyphers. aNULL contains non-authenticated Diffie-Hellman key exchanges, that are subject to Man-In-The-Middle (MITM) attacks eNULL contains null-encryption ciphers (cleartext) EXPORT are legacy weak ciphers that were marked as exportable by US law...
by Uqbar
Tue Nov 03, 2015 4:58 pm
Forum: Beginner Basics
Topic: Safe mode in webfig
Replies: 5
Views: 1447

Re: Safe mode in webfig

Yes, it does work. It checks if anything you do in the config will not block you. If it does, it makes "Undo". For example, click on "Safe mode" then go to IP Firewall filter and add a new rule, chain "input" action "drop". You will be blocked from Webfig, but after a minute, it will reconnect and ...
by Uqbar
Tue Nov 03, 2015 10:31 am
Forum: Beginner Basics
Topic: Why is my Mikrotik generating outgoing traffic?
Replies: 13
Views: 2090

Re: Why is my Mikrotik generating outgoing traffic?

There are hardly any connection-state=new connections that you need to accept from public port. basically only management tools like winbox and ssh rest should be dropped, either by default configuration or custom - something like this: /ip firewall filter add chain=input connection-state=established...
by Uqbar
Thu Oct 29, 2015 9:40 am
Forum: Beginner Basics
Topic: Why is my Mikrotik generating outgoing traffic?
Replies: 13
Views: 2090

Re: Why is my Mikrotik generating outgoing traffic?

Sorry, but networking is not a guessing game...
Use /tool torch or sniffer to see what traffic is that.
I do know which traffic it was: DNS and NTP.
My question is about the difference in behaviours between two products.
by Uqbar
Thu Oct 29, 2015 9:31 am
Forum: Beginner Basics
Topic: Why is my Mikrotik generating outgoing traffic?
Replies: 13
Views: 2090

Re: Why is my Mikrotik generating outgoing traffic?

One big question. As my previous firewall solution was not allowing such a behaviour, isn't it possible there's something missing in the RouterOS? Or is it the "old" one to be much smarter than Mikrotik? As I said, if I replaced the Mikrotik with the old one, everything went back to normal within se...
by Uqbar
Thu Oct 29, 2015 9:28 am
Forum: Beginner Basics
Topic: Safe mode in webfig
Replies: 5
Views: 1447

Safe mode in webfig

Hi all.
I do understand these can be seen as silly questions.
Does the "safe mode" work in webfig?
Is the 9 minutes timeout in force?
Can it be configured?
Is it working with HTTPS as well?

Thanks in advance.
by Uqbar
Thu Oct 29, 2015 8:38 am
Forum: Beginner Basics
Topic: Why is my Mikrotik generating outgoing traffic?
Replies: 13
Views: 2090

Re: Why is my Mikrotik generating outgoing traffic?

I once had a similar issue in the long past but mine was such a high traffic from the hotspot interface, meanwhile no one was online at the time. Solution was to navigate to ip - hotspot - host and I located and blocked the mac address that is doing the transmission. Instantly, the traffic went down....
by Uqbar
Thu Oct 29, 2015 12:07 am
Forum: Beginner Basics
Topic: Why is my Mikrotik generating outgoing traffic?
Replies: 13
Views: 2090

Re:

Unless DNS cache is turned on by default, I don't have it.
Thanks for the hint.
by Uqbar
Wed Oct 28, 2015 10:47 pm
Forum: Beginner Basics
Topic: Why is my Mikrotik generating outgoing traffic?
Replies: 13
Views: 2090

Re: Why is my Mikrotik generating outgoing traffic?

possible amplification attack check incoming dns,ntp,telnet and ssh connections (to the router) Any hint on how to "check for incoming dns, ntp ..."? I mean, I do know about UDP:53, TCP:53, UDP:123, TCP:23 and the likes. But I am new to Mikrotik and have no idea on how to "check" them on RouterOS....
by Uqbar
Wed Oct 28, 2015 10:45 pm
Forum: Beginner Basics
Topic: Why is my Mikrotik generating outgoing traffic?
Replies: 13
Views: 2090

Re: Why is my Mikrotik generating outgoing traffic?

Do you have SSH on port 22 accessible from WAN? Show us a firewall rules & services running. Also it can be wireless interface traffic. My device has no wireless interface, as you can see from screenshot. My network is not a trivial one. LAN (10.16.16.x) connects to 10.72.5.0/24 and a gateway (10.7...
by Uqbar
Wed Oct 28, 2015 8:42 pm
Forum: Beginner Basics
Topic: Why is my Mikrotik generating outgoing traffic?
Replies: 13
Views: 2090

Why is my Mikrotik generating outgoing traffic?

All of a sudden I am experiencing the strange behaviour I can show with one screenshot. The eth1 (wan1) is sending about 2 Mbps of traffic, while the overall traffic from the other interfaces is actually negligible. The only services available are webfig, api and www only available from inside. I ha...
by Uqbar
Tue Oct 20, 2015 11:11 am
Forum: Beginner Basics
Topic: Multiple IPs on WAN to LAN servers. How to?
Replies: 2
Views: 705

Re: Multiple IPs on WAN to LAN servers. How to?

I also need to translate the outgoing traffic of the "servers" each with its own public IP.
Thanks for the clarification.
by Uqbar
Thu Oct 15, 2015 3:57 pm
Forum: Beginner Basics
Topic: Multiple IPs on WAN to LAN servers. How to?
Replies: 2
Views: 705

Multiple IPs on WAN to LAN servers. How to?

I have multiple public IPs on WAN available and I need to "hairpin" a couple of them to two servers on LAN.
One of those will be used for the router alone, the other ones for servers.
I have tried the Hairpin wiki page with no luck.
Any hint?

Thanks in advance.
by Uqbar
Thu Aug 06, 2015 1:25 pm
Forum: General
Topic: Webfig woes
Replies: 1
Views: 250

Webfig woes

Hi all. I am having problems with Webfig main screen (aka "QuickSet") "Local network" section. To which interface are those data related? At the moment I see the data for eth4 but, if I simply hit "apply configuration" button that configuration is applied to eth2. If this is not a bug I am missin...
by Uqbar
Thu Aug 06, 2015 11:23 am
Forum: General
Topic: Block Torrents & p2p Traffic 100% working on all versions
Replies: 57
Views: 154052

Re: Block Torrents & p2p Traffic 100% working on all versions

Maybe I am wrong, but the proposed solution blocks the downloads of the .torrent files (GET) from known torrent repositories. This is of course important but not effective. But it won't block the torrent protocol (file sharing) itself. Which is what I'd like to block, as torrent files can be exchang...
by Uqbar
Thu May 28, 2015 3:55 pm
Forum: Beginner Basics
Topic: NTH load balancing and failing links
Replies: 7
Views: 823

Re: NTH load balancing and failing links

You should add exception rules not to mark local traffic. Please be more specific: I am new to the mikrotik world. I followed the Manual:PCC page and there I already set dst-address-type=!local . Is this the exception you are talking about? [UPDATE]: I did it. I added an "accept" for the traffic no...
by Uqbar
Thu May 28, 2015 3:41 pm
Forum: Beginner Basics
Topic: NTH load balancing and failing links
Replies: 7
Views: 823

Re: NTH load balancing and failing links

It works ... almost.
I have a second LAN interface (that doesn't need to go to the Internet) that routes to another network.
As soon as I enable the rule for mark-routing=to_ISP2 I lose the connectivity on this second LAN.
Where should I start checking?
by Uqbar
Mon May 25, 2015 4:44 pm
Forum: Beginner Basics
Topic: NTH load balancing and failing links
Replies: 7
Views: 823

Re: NTH load balancing and failing links

Using PCC is part of the equation (to force spread outgoing connections amongst available Internet uplinks). As multiple default gateways will be used, duplicating routes with connection marks while increasing its distance to the opposite gateway will take care of failover w/o the need of scripts. ...
by Uqbar
Mon May 25, 2015 4:30 pm
Forum: Announcements
Topic: Manual Improvements
Replies: 94
Views: 19237

Re: Manual Improvements

WebFig operations along with command line instructions?
by Uqbar
Mon May 25, 2015 4:27 pm
Forum: Beginner Basics
Topic: NTH load balancing and failing links
Replies: 7
Views: 823

Re: NTH load balancing and failing links

Nice. Thanks.
But I don't see where the fail is detected...
Should I need a script for that?
by Uqbar
Wed May 20, 2015 1:41 pm
Forum: Beginner Basics
Topic: Routing between LAN and another interface (OK, it's silly to you all!)
Replies: 3
Views: 664

Re: Routing between LAN and another interface (OK, it's silly to you all!)

There were spurious firewall rules interfering with the setup.
Once I cleaned them up, everything worked fine.
Thanks to you all.
by Uqbar
Wed May 20, 2015 1:39 pm
Forum: Beginner Basics
Topic: NTH load balancing and failing links
Replies: 7
Views: 823

NTH load balancing and failing links

Hi all. As far as I've understood, the NTH load balancing technique (http://wiki.mikrotik.com/wiki/NTH_load_balancing_with_masquerade) cannot cope with a failing link. This should mean that 50% of the requests will fail. Is there any way to work this limitation around? (Yes, I am new to the MikroTik...
by Uqbar
Fri May 15, 2015 6:16 pm
Forum: Beginner Basics
Topic: Routing between LAN and another interface (OK, it's silly to you all!)
Replies: 3
Views: 664

Routing between LAN and another interface (OK, it's silly to you all!)

I need to connect my LAN (eth2) to another LAN via an external router (not mine) on a different interface (eth3). It is already working with a different router we need to phase out in favour of the Mikrotik. See schema for a better idea (I hope). It all looked simple: two interfaces and a static rou...
by Uqbar
Tue May 05, 2015 5:15 pm
Forum: Beginner Basics
Topic: Block downloading of exe files over http & https
Replies: 3
Views: 2109

Re: Block downloading of exe files over http & https

An HTTP proxy can do it, but I haven't set it up yet.
Try giving it a read at http://wiki.mikrotik.com/wiki/Manual:IP/Proxy
by Uqbar
Tue May 05, 2015 1:51 pm
Forum: Beginner Basics
Topic: tunnel problem
Replies: 3
Views: 513

Re: tunnel problem

What's the packet loss rate for the used connectivity?
What's the packet loss rate in the main tunnel?
Which type of "tunnel" are you using?
Is there any log detail you can provide?
by Uqbar
Tue May 05, 2015 12:41 pm
Forum: Beginner Basics
Topic: SOLVED - PPPoE on port other than eth1
Replies: 12
Views: 4534

Re: PPPoE on port other than eth1

I also noticed that WAN (static IP address) needs to be on ETH1.
I fear there is some nailed in configuration... I hope I am wrong.
by Uqbar
Tue May 05, 2015 12:39 pm
Forum: Beginner Basics
Topic: IPSec VPN interoperability
Replies: 6
Views: 2806

IPSec VPN interoperability

I am trying to create a site-to-site IPSec VPN between a Mikrotik v6.28 and a Gateprotect v9.4. I managed to make a site-to-site IPSec VPN between two Mikrotiks. On the Mikrotik side I have: PROPOSAL : Auth. Algo : SHA1; Encr. Algo : 3DES; Lifetime : default (00:30:00); PFS : Modp1024 PEER : Destina...