Community discussions

by pe1chl
Fri May 24, 2019 9:37 pm
Forum: General
Topic: Mikrotik as source of DNS Amplification attacks
Replies: 31
Views: 11088

Re: Mikrotik as source of DNS Amplification attacks

This is an old topic. After the above, the default firewall has changed and the risk of open DNS resolver in the hands of newcomers is a lot less.
When you still have the old firewall, consider resetting to defaults and re-building your config, even when it costs some effort.
by pe1chl
Thu May 23, 2019 7:00 pm
Forum: General
Topic: How to routing between two nat subnet?
Replies: 11
Views: 335

Re: How to routing between two nat subnet?

I assumed that you would have "switch" functionality between the two ports of the ISP router. So no routes would be required. When it actually is some software bridge with filters, indeed it will not work without tricks like VPN. But in that case you may consider adding a switch in front of the ISP ...
by pe1chl
Wed May 22, 2019 9:02 pm
Forum: General
Topic: routing - 3x GW, failover
Replies: 14
Views: 516

Re: routing - 3x GW, failover

I had that problem too, solved it in a similar way, but at that time I asked MikroTik and it was sort of promised (as always) that version 7 would have multiple marks support :D It should be "easy to do" based on the underlying kernel support, it is more or less of an oversight that this is not poss...
by pe1chl
Wed May 22, 2019 3:38 pm
Forum: General
Topic: How to routing between two nat subnet?
Replies: 11
Views: 335

Re: How to routing between two nat subnet?

You will have to change the masquerade rules and add: dst.address = !10.0.0.0/8 to them (note the ! which means NOT)
by pe1chl
Wed May 22, 2019 10:51 am
Forum: RouterBOARD hardware
Topic: Mikrotik VDSL / DSL Modem?
Replies: 312
Views: 76338

Re: Mikrotik VDSL / DSL Modem?

I just used VLAN10 as the ISP has recommended me and it works like a charm. So it likely is VDSL, not ADSL, so you do not have ATM and no VPI/VCI settings. In that case this limitation does not occur. Do you get the expected speed (same as an ISP supplied modem)? It still is unfortunate that MikroTik ...
by pe1chl
Tue May 21, 2019 11:19 pm
Forum: Wireless Networking
Topic: Co-locate LHG 60ad on same mount
Replies: 10
Views: 434

Re: Co-locate LHG 60ad on same mount

If it is fresnel, would this explain what I'm seeing? -> High signal, good rssi, MCS8, but a very high error rate? I would really like to know if this can explain my readings, so I can make the right choice to relocate the lower antenna. Thanks again! No not really, that is why I did not mention th...
by pe1chl
Tue May 21, 2019 10:35 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 221
Views: 44924

Re: v6.45beta [testing] is released!

*) dhcpv6-client - added option to disable rapid-commit (CLI only); When you are working on dhcpv6-client: I would like to see an option in the client so that it does NOT save the obtained information in nonvolatile storage, and/or to delete it when the interface goes down. Reason: ISP uses the req...
by pe1chl
Tue May 21, 2019 9:23 pm
Forum: Wireless Networking
Topic: Co-locate LHG 60ad on same mount
Replies: 10
Views: 434

Re: Co-locate LHG 60ad on same mount

Which one works perfect the higher mounted one? Yes, the higher mounted one works fine. It is possible that the lower one is too close to the roof, especially when it is not on the edge (can't see that on the photo). You need to keep a clear zone (fresnel zone), larger than the diameter of the dish...
by pe1chl
Tue May 21, 2019 5:01 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 49
Views: 9028

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

Cisco have their own protocol for that (DMVPN).
by pe1chl
Tue May 21, 2019 2:28 pm
Forum: Wireless Networking
Topic: Co-locate LHG 60ad on same mount
Replies: 10
Views: 434

Re: Co-locate LHG 60ad on same mount

Turn off the other one and see if that changes anything.
by pe1chl
Tue May 21, 2019 11:55 am
Forum: Beginner Basics
Topic: FQDN for Mikrotik update server for hotspot walled garden bypass
Replies: 1
Views: 100

Re: FQDN for Mikrotik update server for hotspot walled garden bypass

You don't need any of those, the upgrade is done using upgrade.mikrotik.com
by pe1chl
Tue May 21, 2019 11:53 am
Forum: Beginner Basics
Topic: Can mikrotik get all the bandwidth of 100Mbps internet from ISP?
Replies: 13
Views: 629

Re: Can mikrotik get all the bandwidth of 100Mbps internet from ISP?

Also you should note that when the ISP gives you a 100 Mbps connection, what they mean is there will be 100 Mbps at the lowest network layer. (sometimes not even that, in the past here when getting an ADSL line the specified speed would be the ATM line rate which is even a lower layer) All layers ab...
by pe1chl
Mon May 20, 2019 5:23 pm
Forum: RouterOS v7
Topic: RouterOS v7.0 beta1 - when?
Replies: 510
Views: 117557

Re: RouterOS v7.0 beta1 - when?

The problem is that this only mentions beta versions. I do require more IPv6 functionality (like policy routing, hopefully also NAT66) somewhat urgently for a production environment, not really the place to run early beta versions. Best would be when that appeared in v6 but as I understood, no more...
by pe1chl
Mon May 20, 2019 4:58 pm
Forum: RouterOS v7
Topic: RouterOS v7.0 beta1 - when?
Replies: 510
Views: 117557

Re: RouterOS v7.0 beta1 - when?

I was at a MUM recently and they said we could expect "stable" RouterOS 7 release before the end of the year. However, I should add that it was not mentioned WHICH year that was! Already answered here ! The problem is that this only mentions beta versions. I do require more IPv6 functionality (like...
by pe1chl
Mon May 20, 2019 3:04 pm
Forum: RouterOS v7
Topic: RouterOS v7.0 beta1 - when?
Replies: 510
Views: 117557

Re: RouterOS v7.0 beta1 - when?

p.s. Now, before everyone gets super hyped and expects a release next month... Personally, and by experience in the software engineering industry, I don't expect any betas before EOCY 2019 or Q1 2020. I was at a MUM recently and they said we could expect "stable" RouterOS 7 release before the end o...
by pe1chl
Sun May 19, 2019 1:15 pm
Forum: RouterOS v7
Topic: RouterOS v7.0 beta1 - when?
Replies: 510
Views: 117557

Re: RouterOS v7.0 beta1 - when?

Windows Phone was not vaporware, it was real ... shit. And that's why it disappeared real soon ... Well, it really showed that Microsoft thrives only on existing installed base. In a "new market", it really stands no chance against the competition. However, what I meant is that the platform has alm...
by pe1chl
Sun May 19, 2019 11:17 am
Forum: RouterOS v7
Topic: RouterOS v7.0 beta1 - when?
Replies: 510
Views: 117557

Re: RouterOS v7.0 beta1 - when?

"Trust in Mikrotik! What you're waiting for is getting closer every day!" TM

Microsoft tried patenting that for Windows Phone/Mobile, but Mikrotik got there first ;)
Don't use that example, we all hope that it will not be vaporware like Windows Phone...
by pe1chl
Sat May 18, 2019 1:37 pm
Forum: General
Topic: differentiating IPSEC EAP roadwarrior clients
Replies: 2
Views: 139

Re: differentiating IPSEC EAP roadwarrior clients

Should be possible!
I use this in a PPPoE scenario, it should also work in other places:
username          Cleartext-Password := "abcdefgh"
                  Framed-IP-Address = 1.2.3.4
by pe1chl
Thu May 16, 2019 3:54 pm
Forum: General
Topic: 70m cable with MikroTik
Replies: 8
Views: 524

Re: 70m cable with MikroTik

But I'd lie if I say, I'm 100% sure if it is cat5 or cat5e. As there is no text on it I can't verify. Is there any other way how to determine if cable is cat5 or cat5e? When it does not mention Cat5E on the cable you can be sure it is either Cat5 or it is crap that does not satisfy any specificatio...
by pe1chl
Tue May 14, 2019 8:29 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: OpenVPN [ovpn] udp tunnels
Replies: 250
Views: 82166

Re: Feature Request: OpenVPN [ovpn] udp tunnels

I think you should look into the router brand that is for home networking Well, I not really am into home networking... When I use VPN, I use it in the traditional way. To connect two networks over a tunnel across internet. IPsec is normally fine for that. And again, undoubtedly many open source pr...
by pe1chl
Tue May 14, 2019 8:19 pm
Forum: General
Topic: routing - 3x GW, failover
Replies: 14
Views: 516

Re: routing - 3x GW, failover

Forgot to point out two things. First was already covered by pe1chl. If you only ping the gateway and there's a problem further down the line in the ISP, those routes will stay up but you'll drop all the traffic. I.e. the failover won't happen. More complex checking schemes will require scripts. Th...
by pe1chl
Tue May 14, 2019 2:52 pm
Forum: RouterBOARD hardware
Topic: What is two gigabit lines for ports in Mikrotik hex gr3?
Replies: 2
Views: 301

Re: What is two gigabit lines for ports in Mikrotik hex gr3?

When you want an official MikroTik answer, why not get the info from the MikroTik website instead of from other sites? https://mikrotik.com/product/RB750Gr3#fndtn-downloads (I think) all MikroTik equipment uses hidden VLANs to make the individual ports accessible on an architecture like that. This i...
by pe1chl
Tue May 14, 2019 2:43 pm
Forum: General
Topic: How use routing mark with 2 wan [SOLVED]
Replies: 9
Views: 331

Re: How use routing mark with 2 wan [SOLVED]

Search a bit more thoroughly, there are many fine examples to do what you want.
(there are different ways to approach it, also depending on whether you have incoming portforwarded connections as well)
by pe1chl
Tue May 14, 2019 2:40 pm
Forum: Beginner Basics
Topic: Telnet Response after admin login
Replies: 2
Views: 128

Re: Telnet Response after admin login

Those are ANSI standard escape sequences that are used to do cursor movement, set colors, etc.
You can do a telnet login with options to disable that.
See the wiki: https://wiki.mikrotik.com/wiki/Manual:C ... in_process
by pe1chl
Tue May 14, 2019 2:38 pm
Forum: General
Topic: same MAC address in two mikrotik
Replies: 6
Views: 256

Re: same MAC address in two mikrotik

You can remove the MAC address but of course it causes a temporary problem on the network until everyone has noticed the new MAC address.
So do it outside office hours.
by pe1chl
Tue May 14, 2019 11:00 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 1087
Views: 185333

Re: Feature requests

The problem with bulk management is configuring an algorithm which does two things - 1; load share connected clients on APs and 2; define a set of client preferred APs to use when available. These issues are completely independent. You need a bulk management method to distribute any configuration ch...
by pe1chl
Tue May 14, 2019 10:53 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: OpenVPN [ovpn] udp tunnels
Replies: 250
Views: 82166

Re: Feature Request: OpenVPN [ovpn] udp tunnels

I think you'll have to agree that the majority of routers do not support OpenVPN, you may be able to find the odd product that does, but not like client and server across the entire product line of the manufacturer, which MikroTik does offer. The problem with OpenVPN on RouterOS is that it is a re-cr...
by pe1chl
Mon May 13, 2019 7:31 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 1087
Views: 185333

Re: Feature requests

Thus, if you have 300 clients connecting to a tower with more than one AP , then you can end up with 300 clients that need to be reconfigured/re-programmed. I've been down this road many times in the past and it ain't pretty. When you have to manage 300 devices you should have some mechanism in pla...
by pe1chl
Mon May 13, 2019 5:39 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: OpenVPN [ovpn] udp tunnels
Replies: 250
Views: 82166

Re: Feature Request: OpenVPN [ovpn] udp tunnels

To be honest, IKEv2 is not as popular as OpenVPN. It's a bit too late. RouterOS in general is late. Please give a list of commercial router manufacturers that do support OpenVPN in their products and which have a level of support that is adequate. (not opensource projects like OpenWRT or Pihole, ac...
by pe1chl
Sun May 12, 2019 6:58 pm
Forum: Scripting
Topic: how to prevent specific users from being connected as pppoe
Replies: 3
Views: 177

Re: how to prevent specific users from being connected as pppoe

But can't you give them some IP that does not provide them with service?
Like 127.0.0.2 or some IP internal to your network range that you block in the firewall.
Then they can still connect with PPPoE of course but nothing can be done with that connection.
by pe1chl
Sun May 12, 2019 12:30 pm
Forum: RouterBOARD hardware
Topic: Need more than one SFP interface at the level of $100 and $200
Replies: 8
Views: 478

Re: Need more than one SFP interface at the level of $100 and $200

Well at the moment it appears your only options are that, or a CCR. I would not count on MikroTik developing a new product especially for your use case (two ISP via SFP but no money to spend on a CCR). Usually that kind of configuration would be found in business use, and $500 for a router is not too...
by pe1chl
Sat May 11, 2019 7:02 pm
Forum: General
Topic: L2TP over IPSEC disconnecting repeatedly
Replies: 18
Views: 520

Re: L2TP over IPSEC disconnecting repeatedly

Are both the regional and the branch office routers directly on an external globally routed IP address? Or is there some NAT in between at your local setup or at the ISP? (visible by having an external address like 100.64.x.x on your internet line) Is it possible that your L2TP link fails at the mome...
by pe1chl
Sat May 11, 2019 5:54 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 1087
Views: 185333

Re: Feature requests

And it is already available... you can make a connect list with different MAC addresses for the same SSID.
by pe1chl
Sat May 11, 2019 12:03 pm
Forum: General
Topic: Queue tree upload max-limit stops working when parent=ether1
Replies: 7
Views: 312

Re: Queue tree upload max-limit stops working when parent=ether1

I don't think it's a problem with how the queue tree/mangle is configured. Do you have any more insight as to what else could be the problem? No. You come here with a configuration that does not work, I give you a configuration of which I am sure it works, but I don't have experience with configs t...
by pe1chl
Sat May 11, 2019 11:56 am
Forum: General
Topic: L2TP over IPSEC disconnecting repeatedly
Replies: 18
Views: 520

Re: L2TP over IPSEC disconnecting repeatedly

Ok. I think I find the solution here. Actually, the problem is every time the VPN connection is lost, I have to reroute manually again. I just have to add dynamic routes to VPN profile and every time it disconnects, the routes are automatically recreated. For that I always just use BGP. Setup BGP at each ...
by pe1chl
Fri May 10, 2019 8:45 pm
Forum: General
Topic: Queue tree upload max-limit stops working when parent=ether1
Replies: 7
Views: 312

Re: Queue tree upload max-limit stops working when parent=ether1

Additionally, setting a limit-at for the heavy-upload child queue would only be useful if I wanted to guarantee 900k to it, essentially cutting the available bandwidth for other queues in half - I want queues with a higher priority to get 100% of the available bandwidth of the parent max-limit if n...
by pe1chl
Fri May 10, 2019 5:17 pm
Forum: Beginner Basics
Topic: If I use "src-nat" i can not ping external(internet) resources
Replies: 6
Views: 294

Re: If I use "src-nat" i can not ping external(internet) resources

ping uses the icmp protocol so when you do not allow icmp you will not be able to ping.
by pe1chl
Fri May 10, 2019 3:28 pm
Forum: General
Topic: L2TP over IPSEC disconnecting repeatedly
Replies: 18
Views: 520

Re: L2TP over IPSEC disconnecting repeatedly

There is a problem when you run 2 L2TP/IPsec connections over the same NAT. Not sure if this is happening here. When your central office is on a static IP with the MikroTik directly on that external IP (which is not in one of the private ranges) and not another router between the MikroTik and intern...
by pe1chl
Fri May 10, 2019 3:06 pm
Forum: General
Topic: Queue tree upload max-limit stops working when parent=ether1
Replies: 7
Views: 312

Re: Queue tree upload max-limit stops working when parent=ether1

You should put the limits on the child queues, that is where they are evaluated.
In this case I would put a limit-at of 900k at the heavy-up queue and set max-limit to like 2 M everywhere.
by pe1chl
Fri May 10, 2019 2:59 pm
Forum: RouterBOARD hardware
Topic: hAP powered from 802.3af port - possible?
Replies: 3
Views: 234

Re: hAP powered from 802.3af port - possible?

You should check the datasheet so it mentions 802.3af/at.
When it only says PoE it is not compatible with 802.3af/at (in case of MikroTik and other lowcost devices).
802.3af/at capability is only available on newer devices like cAP AC.
by pe1chl
Fri May 10, 2019 2:52 pm
Forum: General
Topic: L2TP over IPSEC disconnecting repeatedly
Replies: 18
Views: 520

Re: L2TP over IPSEC disconnecting repeatedly

No it is not a recommended solution. It is recommended to find the root cause of the problem. I use L2TP/IPsec with keepalive and for extended periods of time without any problem. So there has to be some issue. Are there more L2TP connections than this one? E.g. from users at the branch office? Or o...
by pe1chl
Fri May 10, 2019 2:23 pm
Forum: General
Topic: routing - 3x GW, failover
Replies: 14
Views: 516

Re: routing - 3x GW, failover

It is the basic way of configuring it, yes. Use policy routing to route depending on your local subnet, use multiple default gw at different distance to achieve your failover. You need to decide what criteria you want to use for "not working ISP". You can use ping or arp check of their end of the co...
by pe1chl
Fri May 10, 2019 1:48 pm
Forum: Scripting
Topic: Routing exeptions for connections from the routers itself
Replies: 7
Views: 294

Re: Routing exeptions for connections from the routers itself

When you apparently don't mind sending your alert messages through your VPN (which will fail whenever the internet connection is down or the VPN is down) why not send the telegram message from your central system as an action on the syslog server there?
by pe1chl
Fri May 10, 2019 1:45 pm
Forum: General
Topic: L2TP over IPSEC disconnecting repeatedly
Replies: 18
Views: 520

Re: L2TP over IPSEC disconnecting repeatedly

Maybe you have setup a default route via the L2TP link that becomes active when your link has been established?
In that case you should also set a specific route for the L2TP server itself in the client router (pointing to the ISP)
by pe1chl
Fri May 10, 2019 1:37 pm
Forum: General
Topic: hAP ac2 as repeater
Replies: 1
Views: 121

Re: hAP ac2 as repeater

Click on the Setup Repeater button
by pe1chl
Fri May 10, 2019 11:01 am
Forum: Beginner Basics
Topic: Sort the order of bridge ports
Replies: 4
Views: 256

Re: Sort the order of bridge ports

I tried it in winbox and at first it appears to support moving but when you actually do it, it moves and then jumps back to where it was.
So that is the same thing as what you are seeing.
by pe1chl
Thu May 09, 2019 8:37 pm
Forum: Announcements
Topic: v6.44.3 [stable] is released!
Replies: 92
Views: 18465

Re: v6.44.3 [stable] is released!

Did you restore a backup made on a lower version? Should not do that, because sometimes configuration structure is changed and the conversion is only made during the upgrade.
So the new version will not be able to handle the old configuration.
This is even mentioned in some of the release notes...
by pe1chl
Thu May 09, 2019 4:52 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: 802.1X over ethernet
Replies: 38
Views: 6055

Re: Feature Request: 802.1X over ethernet

Well, we do MAC based authentication here but I have looked only 5 seconds at UM before noticing that it is not really suitable for this. Very limited possibility to add attributes, no support for replicated servers, etc. So now I am happily using freeradius. But of course it requires machines to ru...