Search found 7268 matches

by pe1chl
Wed Mar 03, 2021 5:46 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta4 [development] is released!
Replies: 183
Views: 23317

Re: v7.1beta4 [development] is released!

I often do stuff that requires a gigabit internet connection, and getting even close to that with wireless would be great.
When you want that kind of throughput, MikroTik wireless is not the best choice for you (except maybe the 60 GHz products).
Other manufacturers are far ahead in this regard.
by pe1chl
Tue Mar 02, 2021 8:18 pm
Forum: General
Topic: OpenVPN SHA256 + UDP
Replies: 64
Views: 37590

Re: OpenVPN SHA256 + UDP

I think the issue is that RouterOS does not use the available open source OpenVPN implementation, probably for reasons of licensing. They implemented the protocol themselves and now it is a lot of work to keep up to date with what the open source version develops. And don't forget that while one crowd i...
by pe1chl
Sun Feb 28, 2021 7:55 pm
Forum: General
Topic: Feature requests
Replies: 1302
Views: 311359

Re: Feature requests

And rules for a number of different addresses can be combined using address lists.
Rules that are some exception e.g. only for certain interfaces can be grouped into a single chain that is jumped from the top-level chains.
So there really is not a problem.
by pe1chl
Sat Feb 27, 2021 10:41 pm
Forum: Announcements
Topic: WinBox v3.27 released!
Replies: 96
Views: 17850

Re: WinBox v3.27 released!

Well yes it is a bit strange that it is in the detail window, because when you click COPY it will open a new window with the copy but the original is still there. You have to be careful to close that without also saving it. I think instead it should have been "save as new" where you can op...
by pe1chl
Sat Feb 27, 2021 5:26 pm
Forum: Announcements
Topic: v6.47.9 [long-term] is released!
Replies: 65
Views: 12391

Re: v6.47.9 [long-term] is released!

- download all_packages.zip file for the version you want to install
- unpack the file and select only the packages you need
- put these files on a location accessible to the routers
- write a small script that fetches the files (/tool fetch) and reboots the router
- upload that script to every rout...
by pe1chl
Sat Feb 27, 2021 5:24 pm
Forum: Announcements
Topic: WinBox v3.27 released!
Replies: 96
Views: 17850

Re: WinBox v3.27 released!

I'd love to see "duplicate" command for firewall rules, to create similar rule. Especially useful if want to try something by copying old rule and then temporary disable old one. And when create several similar rules.
That is the COPY button that is already there.
by pe1chl
Sat Feb 27, 2021 5:22 pm
Forum: General
Topic: Feature requests
Replies: 1302
Views: 311359

Re: Feature requests

more important for me will be a selective protocol not only TCP or UDP and creating double rules but have a protocol list 6 TCP + 17 UDP in one FW RULE - this can group my firewall rules drastically.
That makes no sense! TCP and UDP are different protocols, they cannot be grouped. Access List of oth...
by pe1chl
Sat Feb 27, 2021 12:19 pm
Forum: Announcements
Topic: v6.47.9 [long-term] is released!
Replies: 65
Views: 12391

Re: v6.47.9 [long-term] is released!

Hi, is there a confirmation from MikroTik of this issue and if so, is there any plan for fixing long-term stream? I have planned remote upgrade of hap lite devices and want to make sure that it is safe. Thank You
I would recommend to do a manual upgrade in any case. You can control what version get...
by pe1chl
Fri Feb 26, 2021 7:11 pm
Forum: General
Topic: Feature requests
Replies: 1302
Views: 311359

Re: Feature requests

As for features I believe I read this somewhere recently where someone was suggesting firewall lists within firewall lists. That way we can select a number of firewall lists into a group of their own and so on.
That feature has been present for years. But people don't bother to really study the mat...
by pe1chl
Fri Feb 26, 2021 11:45 am
Forum: General
Topic: Feature requests
Replies: 1302
Views: 311359

Re: Feature requests

Oh... well I prefer stacked windows rather than tiled ones, and I would like to see a "taskbar" or similar feature where you can click windows that have gone buried under others, to raise them again. Or some "lower" function that you can click in a large window to move it back to...
by pe1chl
Fri Feb 26, 2021 10:55 am
Forum: Announcements
Topic: v6.47.9 [long-term] is released!
Replies: 65
Views: 12391

Re: v6.47.9 [long-term] is released!

The problem must be in your network, maybe one or more of your configured DNS resolvers does not respond.
by pe1chl
Fri Feb 26, 2021 10:52 am
Forum: General
Topic: Feature requests
Replies: 1302
Views: 311359

Re: Feature requests

Maybe you should explain what "snapping capabilities" are?
by pe1chl
Thu Feb 25, 2021 9:24 pm
Forum: General
Topic: Slow VPN tunnels (SSL, PPTP, L2TP)
Replies: 49
Views: 54012

Re: Slow VPN tunnels (SSL, PPTP, L2TP)

Are you sure that adding a /queue tree item prevents the packets handled by the queue from getting fasttracked? Yes, sniffing does disable fasttracking, maybe torching does as well, but adding a queue?
You are right, adding a queue tree to an interface (vs a global queue tree) should not disable fa...
by pe1chl
Thu Feb 25, 2021 7:07 pm
Forum: General
Topic: Slow VPN tunnels (SSL, PPTP, L2TP)
Replies: 49
Views: 54012

Re: Slow VPN tunnels (SSL, PPTP, L2TP)

For some reason, my SSTP connection was slow unless I either TORCHED the connection or enabled a QUEUE TREE on the interface (even though nothing goes through the queue tree, apparently).
That means you are using "fasttrack" in a situation where it cannot be used. (fasttrack is enabled by...
by pe1chl
Wed Feb 24, 2021 7:32 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta4 [development] is released!
Replies: 183
Views: 23317

Re: v7.1beta4 [development] is released!

There is no such thing as a "default certificate" that will be usable with modern browsers.
You need to provide a certificate or it will be marked as unsafe. Nothing you can do about that.
by pe1chl
Wed Feb 24, 2021 5:54 pm
Forum: Announcements
Topic: v6.48.1 [stable] is released!
Replies: 99
Views: 18812

Re: v6.48.1 [stable] is released!

as reported on 6.48, queue tree packets counter seems to be a 32 unsigned integer and is overflowing at 2 million and something packets.
That is not the only "32-bit counter" issue in RouterOS v6. I have previously reported such issues and it seems the fix for that is planned only in v7.
by pe1chl
Wed Feb 24, 2021 11:20 am
Forum: RouterOS v7 BETA
Topic: v7.1beta4 [development] is released!
Replies: 183
Views: 23317

Re: v7.1beta4 [development] is released!

It can also help to connect the serial port (if there is any) to another system and run a terminal program there to capture what is sent to serial.
by pe1chl
Wed Feb 24, 2021 11:18 am
Forum: General
Topic: block internet access but allow some sites - NOT WORKING
Replies: 7
Views: 394

Re: block internet access but allow some sites - NOT WORKING

How you will find what IP has outlook.com if you drop traffic to DNS server?
Well, there are two things: the client can get a DNS server (actually resolver) where it can lookup outlook.com, this can be the MikroTik router itself when it is configured to forward those DNS requests to next level reso...
by pe1chl
Tue Feb 23, 2021 8:42 pm
Forum: General
Topic: block internet access but allow some sites - NOT WORKING
Replies: 7
Views: 394

Re: block internet access but allow some sites - NOT WORKING

Also those networks published by Microsoft are not complete and up to date all the time. I tried to fill an address list with "Microsoft addresses" to use in an outbound firewall but it is a continuous task where the drop rule is logging and you need to examine the dropped traffic weekly, do...
by pe1chl
Tue Feb 23, 2021 5:02 pm
Forum: General
Topic: LLDP only works partially
Replies: 8
Views: 1228

Re: LLDP only works partially

LLDP works only between a switch and its connected equipment.
MNDP works across a broadcast-capable network. So it can work on a local network (including across switches) and also over some but not all VPN networks.
(e.g. GRE, L2TP)
by pe1chl
Tue Feb 23, 2021 12:05 pm
Forum: RouterOS v7 BETA
Topic: Request: Better visibility regarding SLAAC in V7
Replies: 8
Views: 2009

Re: Request: Better visibility regarding SLAAC in V7

I fully agree that this is not right! It was probably the result of some dirty hack to add a client for SLAAC to RouterOS, as in normal Linux it works as expected (you can see the address and route using "ip -6 addr" and "ip -6 route"). It should show the address and route as a D...
by pe1chl
Tue Feb 23, 2021 11:12 am
Forum: General
Topic: LLDP only works partially
Replies: 8
Views: 1228

Re: LLDP only works partially

LLDP is not forwarded by (correctly working) switches. So what you observe would be normal: you do not see the LLDP info at a router connected to APs via a switch.
MikroTik has another protocol that provides this information (MNDP) which works at UDP level and it is forwarded by switches.
by pe1chl
Sun Feb 21, 2021 2:52 pm
Forum: General
Topic: 6.45.6 ipsec site to site tutorial request
Replies: 13
Views: 1526

Re: 6.45.6 ipsec site to site tutorial request

Ok... I don't understand why the external addresses of the GRE tunnels were set to a NAT'ed address, I always set those to the external address of the router.
Of course this method may be more convenient when the external address is not fixed.
by pe1chl
Sun Feb 21, 2021 11:53 am
Forum: General
Topic: l2TP ,IP SEC,IKEv1 and IkeV2 in more Details and information
Replies: 15
Views: 3803

Re: l2TP ,IP SEC,IKEv1 and IkeV2 in more Details and information

What I wrote was true at that time, but since then changes have been made to RouterOS so it is now possible to have multiple identities for the same peer.
by pe1chl
Sun Feb 21, 2021 11:48 am
Forum: General
Topic: 6.45.6 ipsec site to site tutorial request
Replies: 13
Views: 1526

Re: 6.45.6 ipsec site to site tutorial request

The NAT rule should have been no problem, unless the GRE or IPIP tunnel interface is in the interface list WAN. It should NOT be in that list!
by pe1chl
Fri Feb 19, 2021 3:14 pm
Forum: Announcements
Topic: v6.48.1 [stable] is released!
Replies: 99
Views: 18812

Re: v6.48.1 [stable] is released!

So if you have no control of the client, webproxy is useless.
That is correct. You can do "auto proxy config" e.g. on Windows machines but it requires a webserver to store a file with the proxy config (the URL of that file is sent as a DHCP option). In such cases it is a bit inconvenient ...
by pe1chl
Fri Feb 19, 2021 10:59 am
Forum: Announcements
Topic: v6.48.1 [stable] is released!
Replies: 99
Views: 18812

Re: v6.48.1 [stable] is released!

It can be used with https, but only when configured in the client as a proxy server. Not when configured in the router as a transparent proxy.
by pe1chl
Thu Feb 18, 2021 7:04 pm
Forum: General
Topic: IPv6 and NAT - how I changed my mind
Replies: 31
Views: 13757

Re: IPv6 and NAT - how I changed my mind

No, MikroTik routers do not come with preconfigured network prefix translation, as they do not support it at all. (at least in v6)
The main supported configuration for MikroTik routers with IPv6 is:
- use DHCPv6 client to request IPv6 prefix pool from ISP and store it in a local pool
- configure loc...
by pe1chl
Thu Feb 18, 2021 2:35 pm
Forum: Announcements
Topic: v6.48.1 [stable] is released!
Replies: 99
Views: 18812

Re: v6.48.1 [stable] is released!

Come on! Web proxy on a hAP lite??? Maybe it is better when MikroTik release a "RouterOS lite" version for use on smips which does not include such applications... That would also ease the upgrading for those users, as they now often run out of memory during the upgrade and end up with a d...
by pe1chl
Thu Feb 18, 2021 12:12 pm
Forum: General
Topic: IPv6 and NAT - how I changed my mind
Replies: 31
Views: 13757

Re: IPv6 and NAT - how I changed my mind

With IPv6, there is no need for NAT. Normally an upstream provider will hand off something like a /64 or a /60 or possibly a whopping large /56
There is no need for many-to-one translation as is usual with IPv4 and having only a single external address for your entire network, but even with IPv6 ...
by pe1chl
Wed Feb 17, 2021 12:58 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta4 [development] is released!
Replies: 183
Views: 23317

Re: v7.1beta4 [development] is released!

I'd speculate they shared the "beta" out of desperation — to demonstrate progress and to get some testing out in the wild for free.
Well, we have been promised the version 7 that would solve all our problems for many years. Many feature additions and bugfixes were made to version 6 in the...
by pe1chl
Mon Feb 15, 2021 10:44 pm
Forum: Announcements
Topic: WinBox v3.27 released!
Replies: 96
Views: 17850

Re: WinBox v3.27 released!

recently found that on one CCR (latest long-term ROS) with lots of interfaces (meaning thousands) when we try to resize column sizes or re-sort bridge-filters winbox is acting out:
That is the problem discussed in posting #22 and #24-#26 of this topic, and other release topics since WinBox 3.22 (whe...
by pe1chl
Mon Feb 15, 2021 10:40 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta4 [development] is released!
Replies: 183
Views: 23317

Re: v7.1beta4 [development] is released!

I think "stable" should not be used in any release name, because of the confusion between "stability of the system" and "stability of the version". Stable version can mean "it does not change often" or "it does not crash a lot". (just like "free...
by pe1chl
Mon Feb 15, 2021 11:38 am
Forum: RouterOS v7 BETA
Topic: v7.1beta4 [development] is released!
Replies: 183
Views: 23317

Re: v7.1beta4 [development] is released!

In previous betas it was actually completing but after very long time, like 20m.
Actually without 'verbose' it takes exactly 20min. Very interesting.
This was already explained. It hangs twice, and apparently there is some form of software watchdog that fires after 10 minutes, generates a crashdump...
by pe1chl
Mon Feb 15, 2021 11:36 am
Forum: RouterOS v7 BETA
Topic: v7.1beta4 [development] is released!
Replies: 183
Views: 23317

Re: v7.1beta4 [development] is released!

gre tunnel are broken ...down grade to 6.xx works immediately
This is known. Disable keepalive at both ends.
by pe1chl
Sun Feb 14, 2021 9:15 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta4 [development] is released!
Replies: 183
Views: 23317

Re: v7.1beta4 [development] is released!

No, I did not and I agree it's worth mentioning. However, issue with running export (without any options) had been reported many times so far it's really stale by now and because it did not get fixed it's still reported over and over again.
Yes it is a blocking issue for many. However I agree that ...
by pe1chl
Sun Feb 14, 2021 2:40 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta4 [development] is released!
Replies: 183
Views: 23317

Re: v7.1beta4 [development] is released!

I wish MT acknowledged the problem so that not everybody (and their dog) reports it as some great discovery.
Did you know that /export verbose works when /export doesn't? For me that was a great discovery!
by pe1chl
Sun Feb 14, 2021 12:48 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta4 [development] is released!
Replies: 183
Views: 23317

Re: v7.1beta4 [development] is released!

Follow up:
I noticed that verbose exports are considerably faster. Can someone else confirm that?
You are right! /export verbose works correctly, only when verbose is omitted it is slow and generates crashdumps.
by pe1chl
Sat Feb 13, 2021 6:05 pm
Forum: Virtualization
Topic: CHR is useless for disaster recovery scenarios
Replies: 6
Views: 803

Re: CHR is useless for disaster recovery scenarios

I think you should make your template without a license installed, and then clone it and you can get a trial license or assign a paid license to each cloned copy.
But I never tried that, I have always just installed the .ova instead of doing any cloning.
by pe1chl
Sat Feb 13, 2021 2:46 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta4 [development] is released!
Replies: 183
Views: 23317

Re: v7.1beta4 [development] is released!

No, indeed it terminated after some time and completed the export, and also generated an autosupout.old.rif and autosupout.rif (spaced 10 minutes in time) I guess indeed it first did some part of the export, then hung for ~10 minutes, dumped an autosupout.rif and continued, hung again for ~10 minute...
by pe1chl
Sat Feb 13, 2021 1:55 pm
Forum: General
Topic: Speedtest.net - How to bypass
Replies: 10
Views: 10555

Re: Speedtest.net - How to bypass

I misunderstood. I did not say you would block other speedtest sites, I said that with the block method that @erkexzcx is using, you will block other sites that you cannot know beforehand.
Anyway, he explained how to do it.
by pe1chl
Sat Feb 13, 2021 12:50 pm
Forum: Announcements
Topic: v6.47.9 [long-term] is released!
Replies: 65
Views: 12391

Re: v6.47.9 [long-term] is released!

No, the DNS server change to enable DoH caused problems from the beginning. In my case the solution is simple: do not use DoH.
by pe1chl
Sat Feb 13, 2021 12:45 pm
Forum: General
Topic: Speedtest.net - How to bypass
Replies: 10
Views: 10555

Re: Speedtest.net - How to bypass

Of course there is no guarantee that this will block ONLY speedtest.net. It might be that "Ookla" provides other services as well. You will block them too. Also, the result of this will depend on where you are. When I try it here, I get a completely different network, "Fastly". S...
by pe1chl
Sat Feb 13, 2021 12:41 pm
Forum: General
Topic: Is there any way to add src-adress to a list which ttl is greater than 2 or as i wish
Replies: 4
Views: 292

Re: Is there any way to add src-adress to a list which ttl is greater than 2 or as i wish

Let me rephrase, There is option in filter rules that you can check the TTL under advanced tab and then add src address to address list, but what I meant with the "No" is that they will most probably not have a TTL of 1 or 2, but higher value, i.e. 64 / 128 depending if they cross any hop...
by pe1chl
Sat Feb 13, 2021 12:37 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta4 [development] is released!
Replies: 183
Views: 23317

Re: v7.1beta4 [development] is released!

How do you want to run a test scenario, document the configuration used during testing, and report problems to MikroTik when you cannot do a /export ???
I have started a /export command now to see if it will ever complete.
by pe1chl
Fri Feb 12, 2021 11:04 am
Forum: Announcements
Topic: WinBox v3.27 released!
Replies: 96
Views: 17850

Re: WinBox v3.27 released!

Was Winbox designed to dock the child window to the main window (when maximized)? Or has this behavior changed in recent version? Perhaps this is not a bug but rather a suggestion or feature request.. better contact support.
This bug has appeared since approximately version 3.25
That is possible, I...
by pe1chl
Thu Feb 11, 2021 2:44 pm
Forum: Announcements
Topic: v6.47.9 [long-term] is released!
Replies: 65
Views: 12391

Re: v6.47.9 [long-term] is released!

hAP mini (is about the same thing as hAP lite I think) did upgrade from 6.47.8 to 6.47.9 here OK but I had already reduced my install to 6 packages instead of combined package. (system/advanced-tools/dhcp/ppp/security/wireless) This gives it some more breathing space when updating, very important fo...
by pe1chl
Wed Feb 10, 2021 5:41 pm
Forum: Announcements
Topic: v6.47.9 [long-term] is released!
Replies: 65
Views: 12391

Re: v6.47.9 [long-term] is released!

After upgrading RouterOS and RouterBOARD, then doing a reset, then adding back your config via console, do you still have the same issues?
No idea, and I don't think it should be required to do that on upgrade.
The firmware is on 6.47.7 both before and after test.
by pe1chl
Wed Feb 10, 2021 5:20 pm
Forum: Announcements
Topic: v6.47.9 [long-term] is released!
Replies: 65
Views: 12391

Re: v6.47.9 [long-term] is released!

I upgraded a hAP mini from 6.47.8 and got the same WiFi problem as with 6.48, fixed by downgrading. The issue is that on a WiFi connection with 90% CCQ there are interruptions in the traffic every couple of seconds. As if the retransmit timer is too long (like 200-500ms). I wonder why this happens o...
by pe1chl
Tue Feb 09, 2021 11:22 am
Forum: RouterOS v7 BETA
Topic: v7.1beta4 [development] is released!
Replies: 183
Views: 23317

Re: v7.1beta4 [development] is released!

L2TP/IPsec often has a timing problem because when the IPsec association has not yet been established, an unencrypted L2TP packet may leak out and establish the connection, which is then rejected. You can avoid such problems using a firewall rule, e.g. on the server: /ip firewall filter add action=a...
by pe1chl
Mon Feb 08, 2021 9:18 pm
Forum: Announcements
Topic: v6.48.1 [stable] is released!
Replies: 99
Views: 18812

Re: v6.48.1 [stable] is released!

Well, here we go again ... it is my ? fault to not partition RB in advance ?
Completely irrelevant! It is your own responsibility to ensure that you can operate your equipment at sufficient availability for your network. That includes being responsible for backups, rollback possibilities, spare har...
by pe1chl
Mon Feb 08, 2021 12:24 pm
Forum: Announcements
Topic: v6.48.1 [stable] is released!
Replies: 99
Views: 18812

Re: v6.48.1 [stable] is released!

no, i don't dare to make reboots. It is in production, and that was my mistake to rush on 6.48 i wanted PPP->Remote IPv6 prefix/IPv6 Routes features to finally replace old scripts and without thinking pushed Upgrade button what an idiot From this point, my rock solid 3011 started to flap ports, and ...
by pe1chl
Fri Feb 05, 2021 5:45 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta4 [development] is released!
Replies: 183
Views: 23317

Re: v7.1beta4 [development] is released!

Chateau LTE12, /export works just fine. Please report to support everyone who has issues, that means the bug depends on your specific configuration, so Mikrotik should detect which config lines/firmware problems causes export failing.
That is why I mentioned: I loaded it on a CHR, starting with def...
by pe1chl
Thu Feb 04, 2021 1:06 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta4 [development] is released!
Replies: 183
Views: 23317

Re: v7.1beta4 [development] is released!

Updated a RB2011 and a Chateau LTE12 from Beta3 to Beta4. A small Bug is introduced in Beta4: If anything in "ip/routes" is changed ( modify, add, ... ), only a "by admin" appears in the Log - Window in the Message - Tab. Missing what has been done !
That is not introduced in b...
by pe1chl
Thu Feb 04, 2021 1:05 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta4 [development] is released!
Replies: 183
Views: 23317

Re: v7.1beta4 [development] is released!

Looks like export still hangs...
Indeed. Downloaded the .ova for CHR, installed on VMware ESXi 6.7u3, start the VM, type /export, instantaneous hangup.
by pe1chl
Wed Feb 03, 2021 4:42 pm
Forum: Announcements
Topic: v6.48 [stable] is released!
Replies: 324
Views: 62020

Re: v6.48 [stable] is released!

Remember that "stable" in actual use (i.e. it does not crash, it performs the required functions, no critical bugs) has nothing to do with the name "stable" in a software release branch, which means "we are not tinkering with it all the time". It is similarly confusing ...
by pe1chl
Wed Feb 03, 2021 4:39 pm
Forum: General
Topic: need a cellular backup for CCR1009-7G-1C-1S+PC router
Replies: 7
Views: 441

Re: need a cellular backup for CCR1009-7G-1C-1S+PC router

No, I think you interpret it wrong. "It can be used with any of our products that have miniPCIe slot". But CCR1009 does not have it. Products RB800 and RB4011 do have miniPCIe slot, but still it cannot be used in those. The CCR1009 has USB. You can use a 4G USB stick (not every model, but ...
by pe1chl
Wed Feb 03, 2021 3:29 pm
Forum: General
Topic: need a cellular backup for CCR1009-7G-1C-1S+PC router
Replies: 7
Views: 441

Re: need a cellular backup for CCR1009-7G-1C-1S+PC router

Yes it has a SIM card slot, but I am not aware that it has a PCIe slot where you could install the R11e-LTE6. Where did you find that information? The SIM card slot on the CCR routers is afaik only used to store certificates for encryption protocols, and even that seems seldomly used and difficult t...
by pe1chl
Tue Feb 02, 2021 7:50 pm
Forum: Announcements
Topic: v6.48 [stable] is released!
Replies: 324
Views: 62020

Re: v6.48 [stable] is released!

Hmm, is something wrong with the forum as well? (or just in this thread)

Both Cray, morphema and stevenb are all listed with Posts: 0
I think it is an off-by-one bug, it appears that new posters get posts: 0 after their first post.
by pe1chl
Tue Feb 02, 2021 5:44 pm
Forum: General
Topic: Ipsec required resource
Replies: 7
Views: 597

Re: Ipsec required resource

The RB750Gr3 is a beast in IPsec performance, certainly considering its price.
Many other routers (also MikroTik and also more expensive) are slower in IPsec than this one.
by pe1chl
Tue Feb 02, 2021 12:39 pm
Forum: General
Topic: How to keep people from connecting PC instead of Access points or Cameras ?
Replies: 6
Views: 1025

Re: How to keep people from connecting PC instead of Access points or Cameras ?

As a start, why don't you configure a separate VLAN for the cameras that is untagged on the switchports where they are connected (and those ports have no other VLANs) so anything happening with the cameras or the ports where they are connected does not in any way affect your LAN. In this same VLAN y...
by pe1chl
Tue Feb 02, 2021 12:33 pm
Forum: Scripting
Topic: problem with /ip firewall mangle get number in scripting
Replies: 2
Views: 170

Re: problem with /ip firewall mangle get number in scripting

You are using numbers in scripts. That cannot be done, numbers are only valid in interactive sessions (after print command).
You must use [find ...] in scripts.
by pe1chl
Mon Feb 01, 2021 5:10 pm
Forum: Scripting
Topic: Finding and disabling previous static DNS script [SOLVED]
Replies: 5
Views: 417

Re: Finding and disabling previous static DNS script [SOLVED]

Or you can look in System Scheduler, because you can add script directly there.
But it is not the only place where it could be! In this case it could also be a DHCP lease script.
/export tells you what it is.
by pe1chl
Mon Feb 01, 2021 4:41 pm
Forum: Scripting
Topic: Send email if router rejects someone to my wifi
Replies: 4
Views: 436

Re: Send email if router rejects someone to my wifi

Problem with that solution often is that logging selection criteria are not good enough. I.e. there is no way to select logging actions on a regexp match with the actual message contents, and while you can select on the logging topics there are not enough unique topics defined to select a single messa...
by pe1chl
Mon Feb 01, 2021 4:35 pm
Forum: Scripting
Topic: Finding and disabling previous static DNS script [SOLVED]
Replies: 5
Views: 417

Re: Finding and disabling previous static DNS script [SOLVED]

Just do a /export and look in the export where your script is configured, then go to that menu and remove it.
by pe1chl
Mon Feb 01, 2021 11:37 am
Forum: Announcements
Topic: v6.48 [stable] is released!
Replies: 324
Views: 62020

Re: v6.48 [stable] is released!

So far so good ... long uptimes ... the one with 12d has shorter timeup due to power outage in an external building.
In our HAMNET I see several 6.48 routers with uptimes up to 39d. It looks like as long as you are not hit with one of the obvious problems, the release in itself is stable. I tried ...
by pe1chl
Sun Jan 31, 2021 5:22 pm
Forum: Announcements
Topic: v6.48 [stable] is released!
Replies: 324
Views: 62020

Re: v6.48 [stable] is released!

Ok so now there is no difference... which can be expected.
by pe1chl
Sun Jan 31, 2021 4:33 pm
Forum: Announcements
Topic: v6.48 [stable] is released!
Replies: 324
Views: 62020

Re: v6.48 [stable] is released!

Remove the DoH server and try again....
by pe1chl
Sun Jan 31, 2021 2:54 pm
Forum: General
Topic: PPTP server behind 1:1 nat
Replies: 4
Views: 400

Re: PPTP server behind 1:1 nat

There is no such problem on the MikroTik router but I know of plenty of problems with NAT and "DMZ" settings in consumer-grade routers. PPTP on such a NAT router will normally only work on the client side, not when the router is on the server side. When you are faced with such a router it ...
by pe1chl
Sun Jan 31, 2021 12:18 pm
Forum: General
Topic: What is IP SOCKS ? I got hacked and they open this
Replies: 10
Views: 1469

Re: What is IP SOCKS ? I got hacked and they open this

the RouterOS is 6.40.1, is it a problem? I have many routers with this version (~ 50)
YES it is a BIG problem! With that version, people can walk in regardless of the complexity of your password. You should update ASAP, and keep a bit more up to date in the future. However, I would not recommend to ...
by pe1chl
Fri Jan 29, 2021 7:20 pm
Forum: Announcements
Topic: v6.48 [stable] is released!
Replies: 324
Views: 62020

Re: v6.48 [stable] is released!

Is there a bug on 6.48 for these devices?
Likely, yes. Read the above messages. So downgrade to long-term version.
by pe1chl
Fri Jan 29, 2021 12:30 pm
Forum: Announcements
Topic: v6.48 [stable] is released!
Replies: 324
Views: 62020

Re: v6.48 [stable] is released!

@peichl Thanks for the explanation. I assumed everything you enter there is treated as a string, because Data doesn't necessarily need to be an IP Address, it could also be a domain name, in case it's a CNAME or PTR record.
Yes, probably in that case it would work. The thing you need to understand ...
by pe1chl
Thu Jan 28, 2021 9:19 pm
Forum: Announcements
Topic: v6.48 [stable] is released!
Replies: 324
Views: 62020

Re: v6.48 [stable] is released!

You cannot use the "contains" filter on IP addresses! You can use the "in" filter (which requires a subnet as value but it can be a single IP address). The filtering is working on the raw IP address value, not the text you see in the output. Of course it would be better when opti...
by pe1chl
Thu Jan 28, 2021 9:15 pm
Forum: General
Topic: What is IP SOCKS ? I got hacked and they open this
Replies: 10
Views: 1469

Re: What is IP SOCKS ? I got hacked and they open this

Even if there would be no firewall at all, router can't get hacked so easily. It would have to be another user error (missing or weak password), or something really wrong with RouterOS. That's nothing against firewall, it's of course good idea to have it.
He was likely running an old version of Rou...
by pe1chl
Thu Jan 28, 2021 6:25 pm
Forum: General
Topic: What is IP SOCKS ? I got hacked and they open this
Replies: 10
Views: 1469

Re: What is IP SOCKS ? I got hacked and they open this

Note that the hack is likely an indication of a bad firewall on your router.
After you have re-installed it make sure you configure the firewall properly.
by pe1chl
Thu Jan 28, 2021 6:22 pm
Forum: General
Topic: Mikrotik PCI DSS External Vulnerability Scan
Replies: 5
Views: 435

Re: Mikrotik PCI DSS External Vulnerability Scan

You should check if your firewall is configured properly, because normally a router should have little reason to reply to UDP packets sent to it from internet.
by pe1chl
Thu Jan 28, 2021 12:14 pm
Forum: Announcements
Topic: v6.48 [stable] is released!
Replies: 324
Views: 62020

Re: v6.48 [stable] is released!

I think the AUTOUPGRADE feature (Auto Upgrade under the System menu) has been orphaned long ago. There is barely any documentation for it. Instead, the /system package update (with check-for-updates, download and install subcommands) is suggested. Of course the disadvantage is that it will download ...
by pe1chl
Mon Jan 25, 2021 11:55 am
Forum: RouterBOARD hardware
Topic: hEX RB750GR3 Poor Performance
Replies: 5
Views: 543

Re: hEX RB750GR3 Poor Performance

When you really want to get 1Gbps performance even the hAP AC2 may be too small (depending on configuration) and a device like the RB4011 would have more capacity to spare.
by pe1chl
Sun Jan 24, 2021 1:04 pm
Forum: General
Topic: how to conquer random mac address?
Replies: 8
Views: 618

Re: how to conquer random mac address?

This is a 'similar' problem with changing MAC addresses. Maybe the MAC/"mask" principle can be used somewhere for DHCP as well for this Lenovo case. https://forum.mikrotik.com/viewtopic.php?f=2&t=168682 No, because in that case there is no fixed part of the changing MAC address (excep...
by pe1chl
Fri Jan 22, 2021 12:21 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 113
Views: 8576

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

The problem is with this 'Mikrotik world'. Normal people live in the normal world and not some parallel universe in which the word stable had a different explanation. When Mikrotik announces a new Stable version people just want it to be at least a little bit stable. This misunderstanding is quite c...
by pe1chl
Fri Jan 22, 2021 11:57 am
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 113
Views: 8576

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

As I already wrote above: in general it is best to not update to a 6.xx version released to stable. In the MikroTik world, "stable" does not mean stability in performance, but stability in updating. "testing" is the version where new things are tried out and regular new versions ...
by pe1chl
Fri Jan 22, 2021 11:27 am
Forum: General
Topic: Feature requests
Replies: 1302
Views: 311359

Re: Feature requests

Change /tool netwatch so that it can also use ARP instead of PING (similar to route gateway checking) When a local address of the router is entered, it is still to send ARP to the interface of that subnet and react on ARP replies. UP/DOWN status is maintained depending on the arrival of ARP replies....
by pe1chl
Fri Jan 22, 2021 11:16 am
Forum: General
Topic: tool kid-control
Replies: 64
Views: 24956

Re: tool kid-control

What I mean is: use a queue tree to determine the priorities of the different classes of traffic depending on packet marks that you set (based on connection marks, probably, that are in turn based on the device class making the connection). That way you set the priority of your guests lower than you...
by pe1chl
Fri Jan 22, 2021 11:12 am
Forum: Beginner Basics
Topic: udp 500 and 4500 forwarding from Mikrotik to fortigate
Replies: 7
Views: 632

Re: udp 500 and 4500 forwarding from Mikrotik to fortigate

That (ipsec-esp) is not required when you do IPsec over a NAT path. It will use only UDP port 500 (as usual for isakmp) and 4500 (instead of ESP protocol 50).
by pe1chl
Thu Jan 21, 2021 11:34 am
Forum: General
Topic: tool kid-control
Replies: 64
Views: 24956

Re: tool kid-control

You are trying to use "simple queue" in a "complicated" configuration.
Look at queue tree for the global priority and bandwidth management (main vs guests vs kids) and then use simple queue only to divide the bandwidth amongst different users of the same class.
by pe1chl
Wed Jan 20, 2021 5:56 pm
Forum: General
Topic: Another thread asking for help with port forwarding (RB750Gr3)
Replies: 7
Views: 640

Re: Another thread asking for help with port forwarding (RB750Gr3)

In general it can be said that the current default configuration of the RouterOS firewall is good. Previous ones were not. "instructional videos" on Youtube are often even worse: clueless operators who have just unpacked their box provide methods that are completely wrong. It is always bes...
by pe1chl
Mon Jan 18, 2021 4:13 pm
Forum: Beginner Basics
Topic: udp 500 and 4500 forwarding from Mikrotik to fortigate
Replies: 7
Views: 632

Re: udp 500 and 4500 forwarding from Mikrotik to fortigate

The problem in this case is usually in some (other) NAT device. IPsec requires that the port numbers remain the same during the session. When you have some router that does NAT on the traffic and it thinks it needs to setup a new session (e.g. because the previous one failed) and starts using a diff...
by pe1chl
Mon Jan 18, 2021 2:13 pm
Forum: General
Topic: PPPoE hangs sometimes
Replies: 7
Views: 573

Re: PPPoE hangs sometimes

My script is like this: # check if PPPoE interface still has an IPv4 address # if not, disable/enable interface so it will re-establish PPPoE :if ([:len [/ip address find where interface="pppoe-out1"]] = 0) do={ /interface pppoe-client disable pppoe-out1 /delay 10 /interface pppoe-client e...
by pe1chl
Mon Jan 18, 2021 12:40 pm
Forum: General
Topic: PPPoE hangs sometimes
Replies: 7
Views: 573

Re: PPPoE hangs sometimes

The fact that it happens during the night can hint in the direction that it is related to some service window. E.g. there is maintenance in the transport network that leads to brief interruptions of the link or some loss of state in the transport network (comparable to NAT at the network level) from...
by pe1chl
Mon Jan 18, 2021 11:29 am
Forum: General
Topic: PPPoE hangs sometimes
Replies: 7
Views: 573

Re: PPPoE hangs sometimes

Did you check if the problem occurs only on IPv4 or if it also affects IPv6? I have an issue like that where the IPv4 IP on the PPPoE is sometimes lost, but the IPv6 address remains. I added a small script to recover from that condition (it regularly checks if an IPv4 address is still present on the...
by pe1chl
Mon Jan 18, 2021 11:01 am
Forum: Beginner Basics
Topic: Firewall: Invalid forward packets, unknown input [SOLVED]
Replies: 4
Views: 495

Re: Firewall: Invalid forward packets, unknown input [SOLVED]

What do you mean with "ignore (not drop)"?
As I said, the easiest is to remove the log flag on that rule.
In a NAT router, you can also consider removing the entire rule. It does not really accomplish much: invalid traffic from WAN would be blocked because of the NAT anyway.
by pe1chl
Sun Jan 17, 2021 9:39 pm
Forum: Beginner Basics
Topic: Firewall: Invalid forward packets, unknown input [SOLVED]
Replies: 4
Views: 495

Re: Firewall: Invalid forward packets, unknown input [SOLVED]

I came across the following in Mikrotik log: invalid forward: in:bridge out:ether1, src-mac xx..., proto TCP (RST), 10.0.0.204:57914->23.3.109.12:443, len 40 (iphone to an Akamai) invalid forward: in:bridge out:ether1, src-mac ...., proto TCP (ACK,FIN), 10.0.0.152:60806->54.173.8.102:80, len 52 (am...
by pe1chl
Sun Jan 17, 2021 9:31 pm
Forum: RouterBOARD hardware
Topic: SXTsq G-5acD sorely needing more FLASH
Replies: 2
Views: 278

Re: SXTsq G-5acD sorely needing more FLASH

And you should not keep backups on the flash. It is useless (by the time you need your backup you will not be able to access it) and it is a potential security risk (someone breaking into your router can download the backup and maybe extract sensitive information from it). So after you make a backup...
by pe1chl
Sun Jan 17, 2021 9:26 pm
Forum: General
Topic: Full disk on empty router hAP ac^2
Replies: 4
Views: 451

Re: Full disk on empty router hAP ac^2

Also, you should never run user-manager or dude on such a device with the db stored on the internal flash.
In this case it is not the cause of the problem, but it very well can turn out to be a problem later.
I would recommend to do a netinstall with format of the flash.
by pe1chl
Sun Jan 17, 2021 12:30 pm
Forum: Announcements
Topic: v6.48 [stable] is released!
Replies: 324
Views: 62020

Re: v6.48 [stable] is released!

Is downgrade to long term still the only way to fix the fails with all my rb2011? Why the firmware is still available? It's broken and has to stop the rollout. I don't remember that mt handle his problems like that in all the years... It often goes like this when a new test version is promoted to s...
by pe1chl
Sat Jan 16, 2021 11:31 pm
Forum: General
Topic: L7 Filter rule exception.
Replies: 22
Views: 1553

Re: L7 Filter rule exception.

Unfortunately, it still doesn't solve the main problem. If you don't want to work, you'll always find a way. Browse internet on your phone, play tic tac toe with yourself, stare at ceiling, ... That is so true... when the boss wants to keep the employees at work by blocking facebook and youtube, t...
by pe1chl
Sat Jan 16, 2021 5:08 pm
Forum: General
Topic: L7 Filter rule exception.
Replies: 22
Views: 1553

Re: L7 Filter rule exception.

There IS no permanent, always-working, way to block websites. It will always fail after some time. And the measures you have implemented may have or develop side-effects that you notice only after some time. QUIC is one thing, but encryption of the plaintext hostname in TLS setup is already running ...
by pe1chl
Thu Jan 14, 2021 8:30 pm
Forum: General
Topic: L7 Filter rule exception.
Replies: 22
Views: 1553

Re: L7 Filter rule exception.

There IS no permanent, always-working, way to block websites. It will always fail after some time. And the measures you have implemented may have or develop side-effects that you notice only after some time. QUIC is one thing, but encryption of the plaintext hostname in TLS setup is already running ...
by pe1chl
Thu Jan 14, 2021 5:13 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 113
Views: 8576

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

Bugs occur with any manufacturer. I have been fighting with CISCO bugs as well as with MikroTik, and the problem with CISCO is that they only help you when you have an expensive support contract (instead of taking reports of bugs from everyone who has bought their products for big money and deserves...
by pe1chl
Thu Jan 14, 2021 12:07 pm
Forum: Announcements
Topic: v6.48 [stable] is released!
Replies: 324
Views: 62020

Re: v6.48 [stable] is released!

With this release on a hAP mini and using a HP Chromebook as a client on the WiFi, I experience regular "stuttering" of the traffic. I have downgraded to 6.47.8 and the issue is resolved. Some more detail: when this problem occurs, the connection appears "dead" for 1-2 seconds e...
by pe1chl
Wed Jan 13, 2021 7:06 pm
Forum: General
Topic: L7 Filter rule exception.
Replies: 22
Views: 1553

Re: L7 Filter rule exception.

TLS host blocking won't work if the connection to the site is already established. And I can't find other way. Of course you use TLS blocking to prevent the connection from getting established enough to get any data. It will get established in TCP but not in TLS. I think that is best accomplished by...
by pe1chl
Wed Jan 13, 2021 12:03 pm
Forum: Announcements
Topic: v6.48 [stable] is released!
Replies: 324
Views: 62020

Re: v6.48 [stable] is released!

With this release on a hAP mini and using a HP Chromebook as a client on the WiFi, I experience regular "stuttering" of the traffic. It is not apparent when using TCP connections and services that use a lot of buffering (e.g. Youtube), but when using a UDP stream or a TCP connection with l...
by pe1chl
Wed Jan 13, 2021 11:56 am
Forum: General
Topic: Logging prefix is a mess
Replies: 7
Views: 2580

Re: Logging prefix is a mess

I have filed a feature request some time ago to allow more control over the logging. Of course the best would be when there is much more detail about the log message in the prefix, probably even up to a unique identifier of each message. (so you don't have to rely on pattern matching of the message ...
by pe1chl
Sun Jan 10, 2021 9:46 pm
Forum: General
Topic: RB750Gr3 difference between workstation speedtest vs bandwitch test
Replies: 13
Views: 749

Re: RB750Gr3 difference between workstation speedtest vs bandwitch test

Check the two block diagrams found on the product page: https://mikrotik.com/product/RB750Gr3#fndtn-downloads It has always been unclear to me what the method is to choose between the two modes. "with disabled switching" and "with enabled switching", what does it mean? However, i...
by pe1chl
Sun Jan 10, 2021 9:38 pm
Forum: General
Topic: L7 Filter rule exception.
Replies: 22
Views: 1553

Re: L7 Filter rule exception.

It would be better when you tried to find some way to live without the "block this or that site"... It will be a short pleasure anyway. Soon, all this "matching using L7 header" (which is not clever anyway since we already have the option to match on TLS host!) will be completely...
by pe1chl
Fri Jan 08, 2021 7:16 pm
Forum: Announcements
Topic: MikroTik newsletter November 2020 (#98)
Replies: 64
Views: 13738

Re: MikroTik newsletter November 2020 (#98)

Re: It helps when they are mounted in a fan-cooled device -- What about the thousands/millions of existing GPON customers with outdoor Nema enclosures which don't have fans ? I don't know if these use SFP. I was talking about SFP. IMO - any device that puts out excessive heat is an electrically ine...
by pe1chl
Fri Jan 08, 2021 7:11 pm
Forum: General
Topic: NTFS support
Replies: 38
Views: 9993

Re: NTFS support

As discussed before, it would be better to move SMB into an optional package. Then it can be expanded without impact to the flash size for everyone. In v7 more optional packages were moved back into the main package, however. When that is because of the tricky dependencies and linking between all th...
by pe1chl
Fri Jan 08, 2021 7:07 pm
Forum: Virtualization
Topic: CHR feature requests
Replies: 67
Views: 16398

Re: CHR feature requests

Of course this is a feature request topic, but when your request is "please implement this for some bucks" it is more like a sales case. When talking to developers here, it is quite apparent that requests that come via sales have quite some more priority than "nice to have" reque...
by pe1chl
Fri Jan 08, 2021 4:11 pm
Forum: Announcements
Topic: MikroTik newsletter November 2020 (#98)
Replies: 64
Views: 13738

Re: MikroTik newsletter November 2020 (#98)

All but trivial SFP modules often get uncomfortably hot. The package is too small to dissipate 5-10W of power. It helps when they are mounted in a fan-cooled device.
by pe1chl
Fri Jan 08, 2021 4:09 pm
Forum: Virtualization
Topic: CHR is useless for disaster recovery scenarios
Replies: 6
Views: 803

Re: CHR is useless for disaster recovery scenarios

Of course. When you thought this was a way to copy a CHR to a different one and then operate both of them using the same license, of course it is not.
For recovery of a CHR after configuration or upgrade mistake, or loss of the ESXi host, it works OK.
by pe1chl
Thu Jan 07, 2021 3:33 pm
Forum: Beginner Basics
Topic: Split Tunnel routing interent via IPsec Tunnel
Replies: 4
Views: 507

Re: Split Tunnel routing interent via IPsec Tunnel

That depends on what you have in the Fortigate. But in normal cases it should be enough to have a single policy with dst-address 0.0.0.0/0 (and have the same thing in the Fortigate but with src-address 0.0.0.0/0 there, in the naming convention they have there). However, when it is possible it would b...
by pe1chl
Thu Jan 07, 2021 2:03 pm
Forum: General
Topic: Some websites unavailable on IPv6 [SOLVED]
Replies: 12
Views: 1088

Re: Some websites unavailable on IPv6 [SOLVED]

The main problem is that Path MTU Discovery sucks. Both because the ICMP messages are often deleted by bad firewall admins, and also because such a mechanism always has some lifetime and after this lifetime it again tries with 1500 byte packets and has to scale back again. Often this lifetime is ver...
by pe1chl
Thu Jan 07, 2021 1:58 pm
Forum: Beginner Basics
Topic: Split Tunnel routing interent via IPsec Tunnel
Replies: 4
Views: 507

Re: Split Tunnel routing interent via IPsec Tunnel

You need to change the IPsec policy to have 0.0.0.0/0 at the Fortigate end (both in your MikroTik config and in your Fortigate).
by pe1chl
Thu Jan 07, 2021 12:02 am
Forum: Virtualization
Topic: CHR is useless for disaster recovery scenarios
Replies: 6
Views: 803

Re: CHR is useless for disaster recovery scenarios

The OP probably did not make a good backup of the original machine, but rather made a "clone" and used that. This clone has a different MAC address and won't accept the same license. Instead he should have shutdown the machine, copied its files, then power back on and keep the copied files...
by pe1chl
Wed Jan 06, 2021 10:34 pm
Forum: Virtualization
Topic: CHR feature requests
Replies: 67
Views: 16398

Re: CHR feature requests

Well, maybe the developers will see my post and agree to write such a page ( Dashboard ) for some amount of bucks? I have never seen developers on this forum engage in such activity... does not mean it never happens, of course. But I think it would be better to contact the sales department about it...
by pe1chl
Wed Jan 06, 2021 4:51 pm
Forum: General
Topic: Output chain question
Replies: 9
Views: 570

Re: Output chain question

One useful output rule that I like to use is to block all traffic to tcp/25. Nobody uses simple SMTP to reach remote SMTP servers nowadays. Except worms and trojan programs that send out spam through misconfigured SMTP servers. When you think that is useful in the output chain, you probably don't und...
by pe1chl
Wed Jan 06, 2021 1:22 pm
Forum: Beginner Basics
Topic: IPv6 Firewall
Replies: 22
Views: 1173

Re: IPv6 Firewall

It isn't. This is just Linux iptables.
(there are other firewall systems in Linux)
by pe1chl
Wed Jan 06, 2021 1:12 pm
Forum: General
Topic: Output chain question
Replies: 9
Views: 570

Re: Output chain question

Your output chain accepts everything, so it does not do any filtering. However, rules like that can be interesting to see counters (so you know how much output traffic there actually is). In general it can be said that firewall rules are to be decided and maintained according to your own needs. It i...
by pe1chl
Wed Jan 06, 2021 12:33 pm
Forum: Beginner Basics
Topic: IPv6 Firewall
Replies: 22
Views: 1173

Re: IPv6 Firewall

Actually, connection tracking entries are not created by those filter chains, that happens elsewhere. When you need to avoid a tracking entry, you have to do that in the raw chains (prerouting and output), that is the only one that is "early enough" to drop packets or to pass them but not ...
by pe1chl
Wed Jan 06, 2021 12:25 pm
Forum: Virtualization
Topic: CHR feature requests
Replies: 67
Views: 16398

Re: CHR feature requests

You can do it with Winbox... i.e. you can start Winbox, open the things you want to see in separate subwindows, arrange them how you like, and save that session. The next time you start Winbox and connect that router, it will come back with that view immediately. There are some possible tricks to sh...
by pe1chl
Wed Jan 06, 2021 12:13 pm
Forum: General
Topic: Feature Request: IPSEC Improvements
Replies: 91
Views: 24924

Re: Feature Request: IPSEC Improvements

I guess most people requesting new features are not running beta versions...
(the v7beta is not really usable in production, like the v6 betas often would be)
by pe1chl
Wed Jan 06, 2021 12:11 pm
Forum: RouterBOARD hardware
Topic: Wireless wire 60Ghz default password
Replies: 30
Views: 14782

Re: Wireless wire 60Ghz default password

I have no experience with this particular device, but I guess that when you do a full reset of the device it will come up with the default settings or else you can click the button for reset to defaults once you have logged in. I do not know how they manage those passwords printed on the stickers an...
by pe1chl
Wed Jan 06, 2021 12:05 pm
Forum: Beginner Basics
Topic: IPv6 Firewall
Replies: 22
Views: 1173

Re: IPv6 Firewall

I always make the ruleset so that it ends in a "drop" rule OK, let's consider this simplified but working example: /ipv6 firewall filter add action=accept chain=input comment="Allow established and related" connection-state=established,related add action=drop chain=input comment...
by pe1chl
Tue Jan 05, 2021 10:35 pm
Forum: RouterBOARD hardware
Topic: netPower 16P power design flaw
Replies: 14
Views: 1384

Re: netPower 16P power design flaw

There used to be a product like that for 12V but it was discontinued. Apparently this kind of thing does not sell.
by pe1chl
Tue Jan 05, 2021 7:54 pm
Forum: RouterBOARD hardware
Topic: netPower 16P power design flaw
Replies: 14
Views: 1384

Re: netPower 16P power design flaw

Re 48 Volts, on some of the Mikrotik product documents (printed and on-line), Mikrotik references "-48V DC telecom".
Yes but that is a different class of device, that should have isolation on that input (DC-DC converter).
by pe1chl
Tue Jan 05, 2021 7:51 pm
Forum: Beginner Basics
Topic: IPv6 Firewall
Replies: 22
Views: 1173

Re: IPv6 Firewall

In the ruleset above, where is the rule which actually creates connection states from egress traffic? Is connection state tracking enabled implicitly? How does this work? This ruleset relies on the fact that in RouterOS there is a "default allow" at the end of each chain. So when the pack...
by pe1chl
Tue Jan 05, 2021 4:51 pm
Forum: RouterBOARD hardware
Topic: netPower 16P power design flaw
Replies: 14
Views: 1384

Re: netPower 16P power design flaw

These devices are designed to be powered by wallwarts, and to provide 24 or 48 V power via PoE to devices like access points. They are not designed to be powered from a grounded system like telecom power (-48V referenced to ground). But I would not power them from a +48V system that is referenced to...
by pe1chl
Tue Jan 05, 2021 4:37 pm
Forum: Beginner Basics
Topic: IPv6 Firewall
Replies: 22
Views: 1173

Re: IPv6 Firewall

It is a bug/shortcoming in RouterOS. When you add a new package, the default configuration for that package is not applied. Workaround: always enable IPv6 as first thing when you receive a new router, then update to the newest RouterOS version, and then reset to factory defaults. When you do the res...
by pe1chl
Tue Jan 05, 2021 11:13 am
Forum: RouterBOARD hardware
Topic: Wireless wire 60Ghz default password
Replies: 30
Views: 14782

Re: Wireless wire 60Ghz default password

Did you try admin and empty password?
by pe1chl
Mon Jan 04, 2021 10:29 am
Forum: Beginner Basics
Topic: Connection between SFP / SFP+
Replies: 10
Views: 1937

Re: Connection between SFP / SFP+

Yes, you need to use SFP materials. Not SFP+ in SFP mode, I think not even that would work.
And also not a SFP module at one end connected via fiber to an SFP+ module at the other end, that likely also won't work.
by pe1chl
Sat Jan 02, 2021 8:01 pm
Forum: RouterOS v7 BETA
Topic: REST
Replies: 11
Views: 1536

Re: REST

Even now, the documentation page is not formally correct. It says "Starting from RouterOS v7.1beta4, it is implemented as a JSON wrapper interface of the console API." (with bold added after comments here) But that tells nothing about what versions it is available in. It could be read as "...
by pe1chl
Sat Jan 02, 2021 12:12 pm
Forum: General
Topic: Gre over ipsec
Replies: 10
Views: 921

Re: Gre over ipsec

I am using GRE over IPSec, so that I can use ospf between branches. It should work well. Another potential problem is to enable keepalive. Don't do that at first. It can be incompatible. With a routing protocol on top you probably don't require the keepalive at all. When you want fast switchover us...
by pe1chl
Fri Jan 01, 2021 10:15 pm
Forum: General
Topic: Gre over ipsec
Replies: 10
Views: 921

Re: Gre over ipsec

That is quite common with incomplete or older IPsec implementations.
It is also the reason why this is still the default configuration. When you change it, you run the risk of problems.
by pe1chl
Fri Jan 01, 2021 12:59 pm
Forum: RouterBOARD hardware
Topic: 48-Volt POE-Out switches
Replies: 15
Views: 1275

Re: 48-Volt POE-Out switches

Which means you'd have to replace it with ... hmm ... DC-DC bridge. The problem is that Telco-grade DC power is -48V, but Mikrotik takes +48V. If you directly applied Telco power, you'd likely experience some shortcuts because Telco gear uses chassis as positive pole while Mikrotik uses chassis as ne...
by pe1chl
Fri Jan 01, 2021 12:15 pm
Forum: General
Topic: Gre over ipsec
Replies: 10
Views: 921

Re: Gre over ipsec

In case of gre over ipsec what ipsec policy should I create? Does it need to be a 255(all) or 4(ip-encap) or 47 gre? I am configuring it between huawei and mikrotik. Huawei guide suggests to set up for ipsec acl for gre over ipsec. Of course you can do whatever you need to keep the other end happy....
by pe1chl
Wed Dec 30, 2020 11:13 am
Forum: Scripting
Topic: How to delete the specified ip connection with a script? [SOLVED]
Replies: 11
Views: 667

Re: How to delete the specified ip connection with a script? [SOLVED]

I have multiple pppoe clients, and I use "src-nat" because I heard that it is more efficient than "masquerade".
That is true, but by adding that script you are throwing that advantage away. The script will now consume the CPU that is implicitly consumed when using masquerade.
by pe1chl
Tue Dec 29, 2020 2:15 pm
Forum: Beginner Basics
Topic: About log records " pptp, info - TCP connection established from xxxx "
Replies: 4
Views: 347

Re: About log records " pptp, info - TCP connection established from xxxx "

I have a /16 network on internet and it gets a constant flow of 1-2 Mbit/s of this crap. I run some automatic blacklisting on that network (which is not as straightforward as you would think), and it lists 70000-80000 systems doing such scans all the time. That would be too complex for most retail ...
by pe1chl
Tue Dec 29, 2020 2:08 pm
Forum: Scripting
Topic: How to delete the specified ip connection with a script? [SOLVED]
Replies: 11
Views: 667

Re: How to delete the specified ip connection with a script? [SOLVED]

When you have only a single connection it is easy to remove all tracking entries using: /ip firewall connection remove [find] You can place that in the "On Down" script in the PPP profile used with the PPPoE connection (copy profile "default", make that change, and set the PPP p...
by pe1chl
Tue Dec 29, 2020 12:25 pm
Forum: Scripting
Topic: How to delete the specified ip connection with a script? [SOLVED]
Replies: 11
Views: 667

Re: How to delete the specified ip connection with a script? [SOLVED]

When you have only a single connection it is easy to remove all tracking entries using: /ip firewall connection remove [find] You can place that in the "On Down" script in the PPP profile used with the PPPoE connection (copy profile "default", make that change, and set the PPP pr...
by pe1chl
Tue Dec 29, 2020 11:25 am
Forum: Scripting
Topic: How to delete the specified ip connection with a script? [SOLVED]
Replies: 11
Views: 667

Re: How to delete the specified ip connection with a script? [SOLVED]

Probably all your connections have that. It is your own external IP used to translate the internal address (the 1st column) to the internet address you have.
(100.127.248.189 is another "internal IP", which will again be translated further down the path by your ISP)
by pe1chl
Tue Dec 29, 2020 11:17 am
Forum: Beginner Basics
Topic: About log records " pptp, info - TCP connection established from xxxx "
Replies: 4
Views: 347

Re: About log records " pptp, info - TCP connection established from xxxx "

The mentioned addresses are from "stretchoid", another one of those pests. Those are services that just try all addresses on internet for commonly known services, and maintain a database of what they find where. When some vulnerability is found, their paying customers can use queries on th...
by pe1chl
Mon Dec 28, 2020 3:20 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta3 [development] is released!
Replies: 262
Views: 42937

Re: v7.1beta3 [development] is released!

Yes, EoIP is layered on top of GRE, and GRE keepalives is a MikroTik patch in the Linux kernel (Linux does not support it by itself) which probably has to be re-done for RouterOS v7.
by pe1chl
Mon Dec 28, 2020 2:20 pm
Forum: General
Topic: Feature Request: IPv6 NAT66 Support
Replies: 42
Views: 12334

Re: Feature Request: IPv6 NAT66 Support

Yeah I would not want it either, and fortunately it is normal practice to give every home user a static /48 here (which also can be considered a bad idea and wasteful). My use-case for NPT would be as one of the building blocks to enable balancing and fail-over on two different ISP connections to th...
by pe1chl
Mon Dec 28, 2020 12:21 pm
Forum: General
Topic: Feature Request: IPv6 NAT66 Support
Replies: 42
Views: 12334

Re: Feature Request: IPv6 NAT66 Support

That said, of course RouterOS should support NPTv6 and NAT66 too, because those are tools that in some cases can be useful. Downside is that if it can also cover someone else's mistakes, there will be less pressure to fix them. Sometimes the ISP does not consider it a mistake. E.g. there are places...
by pe1chl
Fri Dec 25, 2020 7:31 pm
Forum: RouterOS v7 BETA
Topic: Chateau Config Backup & Restore
Replies: 14
Views: 1302

Re: Chateau Config Backup & Restore

One reason is that v7 is beta software and has bugs. The export function does not work well. Sure it is frustrating that you can only run beta software on a Chateau but that is the fact of life right now. Importing exports made on another device has always been a pain on RouterOS. The fact that you ...
by pe1chl
Thu Dec 24, 2020 12:31 pm
Forum: General
Topic: Switch-chip config RB951Ui-2HnD [SOLVED]
Replies: 7
Views: 519

Re: Switch-chip config RB951Ui-2HnD [SOLVED]

I mean the other switchports. Those configs are likely not what you want. Port 1 is configured for untagged VLAN 100.
by pe1chl
Thu Dec 24, 2020 11:52 am
Forum: General
Topic: Switch-chip config RB951Ui-2HnD [SOLVED]
Replies: 7
Views: 519

Re: Switch-chip config RB951Ui-2HnD [SOLVED]

The VLAN definition and port 1 configuration is OK.
The other ports, not so much.
by pe1chl
Thu Dec 24, 2020 11:46 am
Forum: RouterOS v7 BETA
Topic: Chateau Config Backup & Restore
Replies: 14
Views: 1302

Re: Chateau Config Backup & Restore

This (transferring a config to another similar device) has traditionally been a problem on MikroTik routers. They really should do something about that! Anyway, when you export config to import it on another router, make sure you remove all MAC addresses from the export (e.g. admin-mac=48:8F:5A:B4:4...
by pe1chl
Thu Dec 24, 2020 11:43 am
Forum: General
Topic: error network changed in browser
Replies: 3
Views: 252

Re: error network changed in browser

Are those people on Windows PCs connected to network ports which have several tagged VLANs on them?
Cannot do that! Windows PCs fail when connected to such ports unless a special network driver is installed that understands VLANs.
by pe1chl
Thu Dec 24, 2020 11:07 am
Forum: General
Topic: Feature Request: IPv6 NAT66 Support
Replies: 42
Views: 12334

Re: Feature Request: IPv6 NAT66 Support

The fact that it is designed to make your life easier does not mean that essential features have to be omitted for everyone! When you can live without something like NPT and/or think that is easier for you, fine. But do not impose that limitation on others please. There are several cases where such ...
by pe1chl
Tue Dec 22, 2020 6:34 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta3 [development] is released!
Replies: 262
Views: 42937

Re: v7.1beta3 [development] is released!

You should have partitioned the router (2 partitions) before diving into beta version installation.
Then you can always go back to the working partition, or the router will even do that by itself when the newly updated partition fails to boot.
by pe1chl
Mon Dec 21, 2020 7:13 pm
Forum: General
Topic: Another thread asking for help with port forwarding (RB750Gr3)
Replies: 7
Views: 640

Re: Another thread asking for help with port forwarding (RB750Gr3)

To get information about how the firewall works, what the chains are, what the different types are (filter, nat, raw, mangle) etc you can consult a manual/introduction of the Linux iptables firewall. The RouterOS firewall is the same thing, just with an extra configuration layer on top of it. Howeve...
by pe1chl
Mon Dec 21, 2020 4:52 pm
Forum: Beginner Basics
Topic: Server name resolution over L2TP
Replies: 3
Views: 350

Re: Server name resolution over L2TP

It is not possible to send a domain search list in PPP profiles (as it is with DHCP) so you will either need to manually configure the DNS search list in the client, or use the full domain name.
by pe1chl
Mon Dec 21, 2020 4:47 pm
Forum: Wireless Networking
Topic: Camping wireless Improvement
Replies: 1
Views: 231

Re: Camping wireless Improvement

I would stay with Ubiquiti....
by pe1chl
Mon Dec 21, 2020 12:08 pm
Forum: RouterBOARD hardware
Topic: New High Performance Routers ! ?
Replies: 82
Views: 15480

Re: New High Performance Routers ! ?

It should not make that much of a difference when you have a dedicated border router that is not doing anything else than BGP to some peers and forwarding the traffic, and it does not have all kinds of extra functions like a complicated forward firewall. Remember such a router has two different task...
by pe1chl
Sat Dec 19, 2020 1:15 pm
Forum: Virtualization
Topic: Metarouter for rb110ahx4
Replies: 1
Views: 241

Re: Metarouter for rb110ahx4

Metarouter was only available on some old PPC and MIPSBE boards.
Current models of MikroTik routers no longer support Metarouter.
by pe1chl
Sat Dec 19, 2020 1:12 pm
Forum: General
Topic: TCP retransmissions & low performance while bridging
Replies: 5
Views: 626

Re: TCP retransmissions & low performance while bridging

When you have so few retransmissions (430 retransmissions ~ 645K while transmitting 1 GB is only very tiny) it does not indicate a setup problem like MTU, it just means you have some slight bottleneck and the transmitting side is overfeeding the link. The retransmissions in TCP are actually used to ...
by pe1chl
Fri Dec 18, 2020 11:26 am
Forum: Beginner Basics
Topic: QoS example/template
Replies: 15
Views: 1545

Re: QoS example/template

MikroTik follows no particular convention at all, I think. Everything RouterOS does is just copying certain fields into others, it is up to the user to assign meaning to that. The "priority" field is just a field assigned to each packet, it does not change the handling of the packet by its...
by pe1chl
Thu Dec 17, 2020 7:28 pm
Forum: Beginner Basics
Topic: QoS example/template
Replies: 15
Views: 1545

Re: QoS example/template

DSCP=0 is the lowest possible priority. Originally that was the case, but as 0 is also the default DSCP value that made it impossible to have below-normal priority e.g. for large transfers. Therefore in most systems the DSCP values 8 and 16 are used to indicate lowest and one-but-lowest priority, b...
by pe1chl
Thu Dec 17, 2020 6:30 pm
Forum: Scripting
Topic: Reading command outout from ssh linux client [SOLVED]
Replies: 5
Views: 520

Re: Reading command outout from ssh linux client [SOLVED]

OK I am not familiar with the PHP API library but I advise you to experiment with some simple commands and at first do not include extra selection conditions, add them later.
by pe1chl
Thu Dec 17, 2020 12:30 pm
Forum: Announcements
Topic: v6.48rc [testing] is released!
Replies: 18
Views: 5093

Re: v6.48rc [testing] is released!

We currently have all our LCDs turned off since we find it not too useful and mainly a security concern. You can already disable the touchscreen so it won't act as a control device. However it would be great to be able to display a static logotype and an asset name/tag. Maybe it could display the /sy...
by pe1chl
Thu Dec 17, 2020 11:46 am
Forum: RouterOS v7 BETA
Topic: REST
Replies: 11
Views: 1536

Re: REST

When that new documentation system was introduced I already questioned if it would not have been better to have a documentation system where you can anchor pages to a certain version, so you can input a version number somewhere and you get the documentation as it is relevant to that version. Or at l...
by pe1chl
Wed Dec 16, 2020 8:40 pm
Forum: General
Topic: Question about VPN, pools and subnets [SOLVED]
Replies: 11
Views: 718

Re: Question about VPN, pools and subnets [SOLVED]

Yes in the default setup you would usually want to add the VPN interface to the LAN interface list.
by pe1chl
Wed Dec 16, 2020 4:35 pm
Forum: General
Topic: Question about VPN, pools and subnets [SOLVED]
Replies: 11
Views: 718

Re: Question about VPN, pools and subnets [SOLVED]

It depends on what is in LAN and WAN interface lists...
You also made some changes (like changing !LAN into WAN) that could have effect.
You also need to check if the routing table is OK on your client devices (is there a route that sends 192.168.88.0/24 traffic to the VPN).
by pe1chl
Wed Dec 16, 2020 4:10 pm
Forum: Beginner Basics
Topic: Max concurrnt clients RB750GR3
Replies: 2
Views: 307

Re: Max concurrnt clients RB750GR3

It depends on how you define "45 concurrent users" and what the router is doing for them. When it is just a plain NAT router for the typical users on a LAN (RFC1918 address via DHCP, all translated via NAT to a single external address) it will be fine at 100 Mbps. It could do like 300 Mbps...
by pe1chl
Wed Dec 16, 2020 2:17 pm
Forum: General
Topic: Question about VPN, pools and subnets [SOLVED]
Replies: 11
Views: 718

Re: Question about VPN, pools and subnets [SOLVED]

Check your firewall settings. Probably the packets are getting dropped somewhere.
by pe1chl
Wed Dec 16, 2020 2:13 pm
Forum: General
Topic: Feature Request? Dropwatch
Replies: 1
Views: 198

Re: Feature Request? Dropwatch

I would rather like to see the "rpfilter" matcher in the firewall so that packets not matching rpfilter can be dropped or marked as usual in firewall rules, including the usual way of counting and logging them. Linux iptables has this "rpfilter" matcher as documented in the man p...
by pe1chl
Wed Dec 16, 2020 2:05 pm
Forum: Scripting
Topic: ppp secret profile comment problem
Replies: 2
Views: 260

Re: ppp secret profile comment problem

Set a comment on the profile(s) and it is visible in the selection box for profile in a ppp secret.
by pe1chl
Wed Dec 16, 2020 1:59 pm
Forum: RouterOS v7 BETA
Topic: REST
Replies: 11
Views: 1536

Re: REST

That would be difficult in a single-shot API like REST... but it is possible in the original API that is based on a session.
by pe1chl
Wed Dec 16, 2020 1:53 pm
Forum: General
Topic: DNS cache records
Replies: 5
Views: 2212

Re: DNS cache records

When the DNS service is reachable from internet there is a serious foul-up in the firewall rules on the device.
It may be better to reset it to defaults and configure again!
(depending on the complexity of the configuration that is in the device now)
by pe1chl
Tue Dec 15, 2020 5:58 pm
Forum: General
Topic: [FORUM] Cannot reply to announcement threads
Replies: 3
Views: 387

Re: [FORUM] Cannot reply to announcement threads

Where is the discussion thread for the 6.48rc1 announcement?
I don't see a link in the announcement and neither do I see such a thread.
by pe1chl
Tue Dec 15, 2020 5:01 pm
Forum: General
Topic: Ethernet Port Flapping on MikroTik Routers
Replies: 10
Views: 589

Re: Ethernet Port Flapping on MikroTik Routers

For me it usually works fine, except on a single site where there is a RB750Gr3 connected to an outdoor UBNT dish and it has ever changing speed. That site is a radio/TV broadcast tower where multiple kilowatts of FM, DAB+ and DVB-T2 are transmitted. I think the problem is related to that (RF interf...
by pe1chl
Tue Dec 15, 2020 4:53 pm
Forum: Beginner Basics
Topic: Mikrotik DHCP server is assigning multiply IP addresses for the same MAC address. Why it happens?
Replies: 5
Views: 541

Re: Mikrotik DHCP server is assigning multiply IP addresses for the same MAC address. Why it happens?

The client IDs start with RAS so I think it is done by the RAS subsystem. (remote access)
When you do not know what that is and why you use it, it is probably best to disable it.
by pe1chl
Tue Dec 15, 2020 4:03 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta3 [development] is released!
Replies: 262
Views: 42937

Re: v7.1beta3 [development] is released!

Please read earlier items in the topic before you ask...
by pe1chl
Tue Dec 15, 2020 10:56 am
Forum: General
Topic: Ethernet Port Flapping on MikroTik Routers
Replies: 10
Views: 589

Re: Ethernet Port Flapping on MikroTik Routers

See if you can reproduce the issue with a short pre-made cable.
How are you powering the APs? Is there some additional power inserter in between?
by pe1chl
Tue Dec 15, 2020 10:54 am
Forum: Beginner Basics
Topic: QoS example/template
Replies: 15
Views: 1545

Re: QoS example/template

Make sure your upload program in the PC uses a lower priority (DSCP 8 or 16) than the default traffic (normally DSCP 0).
Then use one of the QoS methods that use DSCP (high 3 bits) to determine priority.
by pe1chl
Mon Dec 14, 2020 8:39 pm
Forum: General
Topic: Ethernet Port Flapping on MikroTik Routers
Replies: 10
Views: 589

Re: Ethernet Port Flapping on MikroTik Routers

I would suggest to leave everything at defaults and see if it switches back to 100 or 10 Mbps or still goes down completely.
by pe1chl
Mon Dec 14, 2020 8:16 pm
Forum: General
Topic: Ethernet Port Flapping on MikroTik Routers
Replies: 10
Views: 589

Re: Ethernet Port Flapping on MikroTik Routers

Yes you can do that. It will bring almost nothing when compared to an auto setting with all speeds advertised, the only difference is that the link will fail completely instead of negotiate to 100 Mbps e.g. in case of a partial cable failure or out-of-spec cable, but when that is what you want it is...
by pe1chl
Mon Dec 14, 2020 7:29 pm
Forum: General
Topic: Ethernet Port Flapping on MikroTik Routers
Replies: 10
Views: 589

Re: Ethernet Port Flapping on MikroTik Routers

Mimosa radios are locked to 1 Gbps on the ethernet ports
Undo that! All ports should be set to "auto", for the link negotiation to work correctly.
When you want 1 Gbps or nothing, set only the "advertise" checkmarks for 1 Gbps, do not lock speeds.
by pe1chl
Mon Dec 14, 2020 5:18 pm
Forum: RouterBOARD hardware
Topic: New High Performance Routers ! ?
Replies: 82
Views: 15480

Re: New High Performance Routers ! ?

I did not mention using a refurbished juniper/cisco for bgp, but it could be a better idea yes. What I meant was using a refurbished rackserver instead of a workstation. Of course a more or less recent server with decent CPU, NOT a Dell R320 or other minimal server. And it is only a general advice. ...
by pe1chl
Sun Dec 13, 2020 10:21 pm
Forum: Scripting
Topic: Reading command outout from ssh linux client [SOLVED]
Replies: 5
Views: 520

Re: Reading command outout from ssh linux client [SOLVED]

When using API you are effectively doing the same but you define and run the functions on the Linux system, using a programming language that you prefer and that potentially is more powerful than the RouterOS scripting language. I use Perl, others use Python or PHP. With API you can retrieve the val...
by pe1chl
Sat Dec 12, 2020 1:58 pm
Forum: RouterBOARD hardware
Topic: New High Performance Routers ! ?
Replies: 82
Views: 15480

Re: New High Performance Routers ! ?

Well I agree that in such a situation it is probably better to go for a "professional rack server" system from companies like HPE, Dell, IBM etc.
When you have no money it could be an idea to buy from a refurbishing company.
by pe1chl
Sat Dec 12, 2020 12:16 pm
Forum: RouterBOARD hardware
Topic: New High Performance Routers ! ?
Replies: 82
Views: 15480

Re: New High Performance Routers ! ?

Well. I have replaced a single 1036 for core, into two routers: 1x CCR2004 in fastpath to take care of the BGP only. the 1036 to do all the firewall and eventual NAT needed. Now it all runs flawlessly. Yes, when you are doing BGP with multiple peers on internet and you want to do NAT and stateful fir...
by pe1chl
Fri Dec 11, 2020 10:23 pm
Forum: RouterBOARD hardware
Topic: New High Performance Routers ! ?
Replies: 82
Views: 15480

Re: New High Performance Routers ! ?

The problem of course is that it requires a very specific workload to keep 72 cores busy and it does not help that there are tasks that are not multithreaded. Those people that run BGP on internet (not me, fortunately) have performance issues that can only be solved with faster cores, not with more ...
by pe1chl
Fri Dec 11, 2020 6:08 pm
Forum: Scripting
Topic: Reading command outout from ssh linux client [SOLVED]
Replies: 5
Views: 520

Re: Reading command outout from ssh linux client [SOLVED]

It is better to do this kind of thing via API.
You will have to familiarize yourself at first, and maybe download and install a helper library, but then it becomes very easy to retrieve information and process it.
by pe1chl
Fri Dec 11, 2020 6:05 pm
Forum: General
Topic: Switch stack
Replies: 1
Views: 267

Re: Switch stack

What do you want to do? Apply a configuration change to all switches in your network, that all have the same user/password? And then have some method of doing that automatically on all devices? Of course how to do this depends on what you have already configured before and what tools you have availa...
by pe1chl
Fri Dec 11, 2020 11:26 am
Forum: RouterOS v7 BETA
Topic: v7.1beta3 [development] is released!
Replies: 262
Views: 42937

Re: v7.1beta3 [development] is released!

Have you read all previous replies, in particular #53 ??
by pe1chl
Fri Dec 11, 2020 11:23 am
Forum: RouterOS v7 BETA
Topic: HAP mini unable to update
Replies: 25
Views: 2293

Re: HAP mini unable to update

You have to understand that the situation is not (only) related to the 16MB flash but also to the amount of RAM.
The hAP mini and hAP lite have only 32MB of RAM and that is what causes the problems here.
For the hAP ac2 that is different.
by pe1chl
Thu Dec 10, 2020 6:04 pm
Forum: General
Topic: Mikrotik randomly lost internet connection
Replies: 5
Views: 450

Re: Mikrotik randomly lost internet connection

Right-click on that interface, select Torch, then sort the output on traffic amount (click on column header until amount is sorted down). Identify which IP address is causing the traffic. Close Torch window and go to DHCP server leases list to find the hostname for the system and the MAC address. Use...
by pe1chl
Thu Dec 10, 2020 2:40 pm
Forum: General
Topic: [Feature Request] IPv6 Fasttrack
Replies: 39
Views: 10923

Re: [Feature Request] IPv6 Fasttrack

Unfortunately in environments where you use QoS, traffic shaping, policy routing, automatic routing in a partial mesh, etc these tricks cause bad or confusing behavior.
So then it is better to spend a little more on the CPU power so you won't have to chase those rabbitholes.
by pe1chl
Wed Dec 09, 2020 1:27 pm
Forum: General
Topic: Question about TCP Established and Call of Duty disconnects [SOLVED]
Replies: 26
Views: 1512

Re: Question about TCP Established and Call of Duty disconnects [SOLVED]

What I mean is: of course it is a good idea to assume something is wrong when you get a lot of complaints, but it is never safe to assume that everything is OK when you receive no complaints or fewer complaints than before.
by pe1chl
Wed Dec 09, 2020 12:43 pm
Forum: Announcements
Topic: v6.47.8 [stable] is released!
Replies: 56
Views: 13185

Re: v6.47.8 [stable] is released!

I have an RB1100AHx4 running on 6.47 for about 185 days now, which is when that version was released. I'm currently not experiencing any issues, bugs or any other problems yet. I checked change logs and there doesn't seem to be any security fixes since then. Should I leave it as is or upgrade? Rout...
by pe1chl
Wed Dec 09, 2020 12:35 pm
Forum: General
Topic: SSH server interface list
Replies: 9
Views: 653

Re: SSH server interface list

That is right, that is the ancient firewall that dropped packets explicitly from ether1 and which was so prone to mistakes when the actual internet connection was not on ether1 but instead was a PPPoE interface. The new firewall is much safer. Indeed it is an issue that RouterOS never touches the fi...
by pe1chl
Tue Dec 08, 2020 7:27 pm
Forum: Beginner Basics
Topic: QoS example/template
Replies: 15
Views: 1545

Re: QoS example/template

While that is true, the issue of "not being able to view streams while something is being uploaded" is actually not really an inbound QoS problem, it is more of an outbound problem. Not really QoS usually, it is caused by buffer bloat (the outbound router doing way too much buffering, that...
by pe1chl
Tue Dec 08, 2020 6:53 pm
Forum: General
Topic: Connections shouldnt be there
Replies: 12
Views: 716

Re: Connections shouldnt be there

Ok but when you have a larger number of addresses, you would normally not be using NAT mode (at least not on the border router). In the general case of a router that does not do NAT, a reboot of the router would not interrupt a TCP connection with loose tracking, but it would do so with strict track...
by pe1chl
Tue Dec 08, 2020 6:27 pm
Forum: General
Topic: Connections shouldnt be there
Replies: 12
Views: 716

Re: Connections shouldnt be there

I'm curious if that will change anything. I expect that it won't. (AFAIK "loose" TCP tracking only means that connections are set up for every packet, not only for SYN packets. so in "loose" mode it will pick up an existing established connection when the router is rebooted, and in...
by pe1chl
Tue Dec 08, 2020 4:45 pm
Forum: General
Topic: Mikrotik DNS missing features
Replies: 11
Views: 982

Re: Mikrotik DNS missing features

Well, as it was already written above there recently were some long-requested additions to the DNS resolver and also addition of DoH support. However, as observed by the behavior of the resolver when new features and DoH are enabled at the same time, and also when testing boundary cases like large ...
by pe1chl
Tue Dec 08, 2020 4:38 pm
Forum: General
Topic: [Feature Request] IPv6 Fasttrack
Replies: 39
Views: 10923

Re: [Feature Request] IPv6 Fasttrack

I consider fasttrack only a quick bandaid to improve the performance of underpowered routers. It is always the first thing that I disable as it often is incompatible with what I want to do. IMHO the only future-proof way of handling traffic is to buy a device that can route it without fasttrack or s...
by pe1chl
Tue Dec 08, 2020 4:31 pm
Forum: General
Topic: Connections shouldnt be there
Replies: 12
Views: 716

Re: Connections shouldnt be there

This is the internet as it is today. You will have to live with it! All over the place there are "scanners" which try all possible IP addresses to see what is there. Both small scans that try to find something that is vulnerable at that time, but also broad scans that simply scan everythin...
by pe1chl
Tue Dec 08, 2020 4:21 pm
Forum: General
Topic: Simple Qos to set prio of dscp values
Replies: 1
Views: 241

Re: Simple Qos to set prio of dscp values

Use "queue tree" instead of simple queue. simple queue is best for distributing bandwidth equally among users, queue tree is for prioritizing. You can also check this topic: https://forum.mikrotik.com/viewtopic.php?f=9&t=113308 (the reason it does not work at all is likely that you hav...
by pe1chl
Tue Dec 08, 2020 4:17 pm
Forum: Beginner Basics
Topic: QoS example/template
Replies: 15
Views: 1545

Re: QoS example/template

The simple solution is to prioritize by DSCP (TOS) value. There is a script on this forum that does it automatically. See this topic: https://forum.mikrotik.com/viewtopic.php?f=9&t=113308 This works OK for applications like VoIP because the writers of those applications usually set the right DSC...
by pe1chl
Tue Dec 08, 2020 4:10 pm
Forum: General
Topic: SSH server interface list
Replies: 9
Views: 653

Re: SSH server interface list

The old firewall was structured like "accept everything except from ether1" and the new one is more like "accept only from LAN". So when you add new interfaces you need to specify that they are trusted (LAN) or untrusted (WAN) by putting them in the correct interface list. This i...
by pe1chl
Sun Dec 06, 2020 4:38 pm
Forum: RouterOS v7 BETA
Topic: New User Manager in RouterOS v7
Replies: 67
Views: 50345

Re: New User Manager in RouterOS v7

There could be a fixed limit determined by licensing, and of course there is a "load limit" but that depends more on the number of logon/logoff actions than on the actual number of users. So it would be more difficult to predict, because it depends on the behavior of your users. And on the...
by pe1chl
Sat Dec 05, 2020 9:36 pm
Forum: Announcements
Topic: v6.47.8 [stable] is released!
Replies: 56
Views: 13185

Re: v6.47.8 [stable] is released!

Oh, it was my impression that this figure is the max EIRP per chain on that specific frequency.
So subtract the antenna gain and you get the max output power per chain.
by pe1chl
Sat Dec 05, 2020 1:01 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta3 [development] is released!
Replies: 262
Views: 42937

Re: v7.1beta3 [development] is released!

!) added new experimental wireless package "wifiwave2" for ARM devices with more than 256 MB of RAM (CLI only); Does it mean that 802.11ax devices are coming soon? Can we expect this new wi-fi driver to replace the old one in 7.x for hAP ac2 (mine has 16M of flash and 256 of RAM)? Did you...
by pe1chl
Fri Dec 04, 2020 2:43 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta3 [development] is released!
Replies: 262
Views: 42937

Re: v7.1beta3 [development] is released!

AGAIN: you cannot update it that way. Download the package from the website, upload it to your router, and reboot. And at least make sure you have a backup of your system that you can restore outside of RouterOS (like a disk image), as it is probably going to fail. Certainly when you try to update f...
by pe1chl
Fri Dec 04, 2020 1:12 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta3 [development] is released!
Replies: 262
Views: 42937

Re: v7.1beta3 [development] is released!

LHGGR
You cannot update that way. You have to download it yourself, upload to the router, and reboot.
by pe1chl
Fri Dec 04, 2020 12:41 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta3 [development] is released!
Replies: 262
Views: 42937

Re: v7.1beta3 [development] is released!

Which features are missing in your opinion? To be clear: I mean the list of new/updated features in the "What's new in 7.1beta3". I hoped for BGP GUI. What I got was BGP that no longer works (even in commandline, see report above). I am hoping for new features in IPv6, including NPT. (I t...
by pe1chl
Fri Dec 04, 2020 12:07 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta3 [development] is released!
Replies: 262
Views: 42937

Re: v7.1beta3 [development] is released!

Finally! That was one long wait...
Frankly, the feature list is a bit disappointing after such a long wait and after seeing some of the feature matrices on the help site.
by pe1chl
Thu Dec 03, 2020 10:42 pm
Forum: Announcements
Topic: v6.48beta [testing] is released!
Replies: 185
Views: 65295

Re: v6.48beta [testing] is released!

*) dns - improved stability with large table of static records; It now resolves them correctly into the DNS cache but it still does not load them correctly into address lists... (see SUP-28445) I have to recall that, it does not fix the issue, the router still exhausts the memory and crashes when l...
by pe1chl
Thu Dec 03, 2020 10:06 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta3 [development] is released!
Replies: 262
Views: 42937

Re: v7.1beta3 [development] is released!

Talking about workarounds, I would not hold my breath too much. All the workarounds proposed have a significant development effort associated with them, while the chances to return the investments are pretty unclear. I have been using wave2 AP's from the competitor for quite some time. Currently it...
by pe1chl
Thu Dec 03, 2020 9:38 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta3 [development] is released!
Replies: 262
Views: 42937

Re: v7.1beta3 [development] is released!

I upgraded a CHR that I use for some testing from v7.1beta2 to v7.1beta3. After upgrade, the BGP link that was configured does not come up. No log messages in either this router or the one it connects to (other than the close of the previous connection at reboot). The config was very simple: /routin...
by pe1chl
Thu Dec 03, 2020 1:31 am
Forum: Beginner Basics
Topic: Static Routing Assistance - Learning - Point me the right direction
Replies: 5
Views: 586

Re: Static Routing Assistance - Learning - Point me the right direction

Autorouting on Mikrotik routers is a piece of cake. Once you got used to that you will never want static routes anymore! In case of BGP and without any complicated routing preferences, it just requires 3 things to be setup: the AS number in the default BGP instance, the peers on each router, and the...
by pe1chl
Wed Dec 02, 2020 7:52 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 387
Views: 97137

Re: v7.1beta2 [development] is released!

Ok one warning though: there is someone who claims that setting up partitioning (i.e. the creation of 2 partitions on a device that has only one) is broken in all 6.47 versions. I cannot verify that right now as all my routers with that capability have been partitioned on older versions. For sure th...
by pe1chl
Wed Dec 02, 2020 3:22 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 387
Views: 97137

Re: v7.1beta2 [development] is released!

But it never hurts to read about partitioning, how to set it up, and how it works e.g. when the system cannot boot. I always use it on every upgrade on devices that I manage and that support it (i.e. everything besides the 16MB flash devices) and it has sometimes saved me. Before I do an upgrade, I ...
by pe1chl
Wed Dec 02, 2020 1:49 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 387
Views: 97137

Re: v7.1beta2 [development] is released!

Tried that version on my RB4011. Always crashes after some seconds after boot. Wonderful .. x_X. At least I was able to downgrade within these seconds. Of course wise people (with devices with 128MB or more of flash) use partitioning so they can try a new version and go back to the old one without ...
by pe1chl
Mon Nov 30, 2020 6:06 pm
Forum: General
Topic: Port scanner filling up connection tracking
Replies: 21
Views: 1195

Re: Port scanner filling up connection tracking

You need to look in the "raw" instead of "filter" firewall.
by pe1chl
Mon Nov 30, 2020 5:29 pm
Forum: General
Topic: Port scanner filling up connection tracking
Replies: 21
Views: 1195

Re: Port scanner filling up connection tracking

You can move the filter from the forward/input filter to the prerouting filter in raw. That will solve your connection tracking issue, but BE CAREFUL: when somehow a legitimate server address ends up on the blacklist, you/your clients will no longer be able to communicate with that server. Hackers a...
by pe1chl
Sat Nov 28, 2020 3:47 pm
Forum: Scripting
Topic: Updating CA root certs regularly [SOLVED]
Replies: 9
Views: 720

Re: Updating CA root certs regularly [SOLVED]

It would be very bad practice for a certificate issuer to update their root certs only the day before they expire! Remember all certs issued to clients depend on the root cert to be valid at least as long as the issued certificate. As these are valid often for a year, the new root cert should be iss...
by pe1chl
Sat Nov 28, 2020 2:10 pm
Forum: General
Topic: Winbox display scaling on Linux/Wine for HiDPI screens
Replies: 7
Views: 2477

Re: Winbox display scaling on Linux/Wine for HiDPI screens

Yes it was fixed in a later release. But note that the ability to open multiple windows in winbox and not in webfig is just a limitation of the current webfig, this can be solved by MikroTik. There are other devices that have web configuration and that do allow a structure similar to winbox (differe...
by pe1chl
Fri Nov 27, 2020 2:27 pm
Forum: General
Topic: IPV6 DHCP Option 23 Recursive DNS
Replies: 5
Views: 555

Re: IPV6 DHCP Option 23 Recursive DNS

Can it actually parse IPv6 addresses? I use value=0x20010db8000000000000000000000001 for 2001:db8::1 which works for me, but I am not sure this is required.
by pe1chl
Fri Nov 27, 2020 2:23 pm
Forum: Scripting
Topic: Updating CA root certs regularly [SOLVED]
Replies: 9
Views: 720

Re: Updating CA root certs regularly [SOLVED]

Completely unnecessary to update them that often! Once every 3 months should be more than enough, maybe even once per year.
by pe1chl
Thu Nov 26, 2020 4:38 pm
Forum: Announcements
Topic: v6.47.8 [stable] is released!
Replies: 56
Views: 13185

Re: v6.47.8 [stable] is released!

Upgrade went smooth...really interested in the "arm - improved system stability"! I'm also curious Look in 6.48beta topic... there is some discussion about that. Normally the text "improved system stability" means: fixed something that caused a hard crash/hang/reboot. Similarly ...
by pe1chl
Thu Nov 26, 2020 12:24 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 387
Views: 97137

Re: v7.1beta2 [development] is released!

Well, your viewpoint is understandable from a user of a device that supports only v7, but for other users it is confusing that fixes introduced in the 6.48beta58 version get backported into 6.47.8 (stable) and released before even getting feedback on the resolution of the problems reported in the co...
by pe1chl
Wed Nov 25, 2020 11:31 pm
Forum: Announcements
Topic: v6.48beta [testing] is released!
Replies: 185
Views: 65295

Re: v6.48beta [testing] is released!

*) dns - improved stability with large table of static records; It now resolves them correctly into the DNS cache but it still does not load them correctly into address lists... (see SUP-28445) When doing a remote request via the DNS resolver of 6.48beta58 the dig tool sometimes returns: ;; Truncat...
by pe1chl
Wed Nov 25, 2020 3:30 pm
Forum: General
Topic: Finding IP from Mac Address
Replies: 4
Views: 509

Re: Finding IP from Mac Address

On a switch the IP->MAC entry (created by ARP) is normally not present when the switch is not routing. You need to find a device on the network that does IP routing for that device (router, server) and look in the ARP table there. Or, when the IP is assigned using DHCP, look in the DHCP leases table...
by pe1chl
Wed Nov 25, 2020 3:22 pm
Forum: Beginner Basics
Topic: Static Routing Assistance - Learning - Point me the right direction
Replies: 5
Views: 586

Re: Static Routing Assistance - Learning - Point me the right direction

I think the numbering plan is not very good. You best assign /29 networks to each link where the routers and APs on that link each have an address, e.g. like 10.0.0.1/29 router1 10.0.0.2/29 ap1 10.0.0.5/29 ap2 10.0.0.6/29 router2 Then additionally you have some larger network assigned to each router...
by pe1chl
Tue Nov 24, 2020 4:49 pm
Forum: RouterBOARD hardware
Topic: Suggest me which hardware should i go for my small business
Replies: 5
Views: 465

Re: Suggest me which hardware should i go for my small business

No, not for that budget. L3 switches I normally buy will be more like $900.
However you should not worry too much, as I wrote in normal use cases (and with your internet speed) something like a 4011 or a recent CRS model will be fast enough.
by pe1chl
Tue Nov 24, 2020 11:51 am
Forum: Beginner Basics
Topic: Not DST-NAT traffic hits your INPUT
Replies: 11
Views: 615

Re: Not DST-NAT traffic hits your INPUT

It should normally not be a problem because every sensible setup has a DROP for every input coming from untrusted sources. The default setup accepts established/related traffic (basically: replies on outgoing sessions setup by the router) and traffic from the local network. It drops all input traffi...
by pe1chl
Tue Nov 24, 2020 11:40 am
Forum: RouterBOARD hardware
Topic: Suggest me which hardware should i go for my small business
Replies: 5
Views: 465

Re: Suggest me which hardware should i go for my small business

Of course you need to know what inter-VLAN routing speed you require, and what filtering you require on those paths. When this system is the typical "those VLANs route only to internet and only very occasionally between them", the MikroTik devices will have no problems with that. E.g. the ...
by pe1chl
Mon Nov 23, 2020 5:56 pm
Forum: General
Topic: Question about TCP Established and Call of Duty disconnects [SOLVED]
Replies: 26
Views: 1512

Re: Question about TCP Established and Call of Duty disconnects [SOLVED]

Ok, in my network I usually don't manage settings based only on the "how many customers are complaining" feedback, but of course to each his own.
by pe1chl
Mon Nov 23, 2020 12:11 pm
Forum: General
Topic: lost admin password
Replies: 5
Views: 558

Re: lost admin password

In any case, make that /export of the current config and then netinstall the router to the current version (6.47.7) (including format of the flash) and start again from default config. DO NOT just import the exported config but just keep it as a note to know what you have to configure again in the n...
by pe1chl
Mon Nov 23, 2020 11:59 am
Forum: Scripting
Topic: delete address-list the best way
Replies: 5
Views: 17649

Re: delete address-list the best way

Of course the total amount of CPU time spent will be more in that case, it will be spread over a longer time so it may look less severe in graphs. It depends on what is your problem. When you have a very old model with 1 CPU (like in 2010 when this question was first asked) maybe there is some impac...
by pe1chl
Mon Nov 23, 2020 11:35 am
Forum: General
Topic: Question about TCP Established and Call of Duty disconnects [SOLVED]
Replies: 26
Views: 1512

Re: Question about TCP Established and Call of Duty disconnects [SOLVED]

When you run into problems with a 24h established timeout, and you solve it by lowering it, it is an indication of bad connections in the network at some place. Of course in an ISP setting it could be that clients use WiFi at home and walk into/outside range and this can cause TCP connections to get...
by pe1chl
Sun Nov 22, 2020 3:42 pm
Forum: General
Topic: decrease TX-Power
Replies: 13
Views: 7567

Re: decrease TX-Power

As you can see my prediction from Jan 25, 2018 became reality! Now it is no longer possible to set the gain to a fake value. However, the implementation has bugs. When you had an older version than 6.47 and set a fake gain there (like 0) and now you have upgraded to 6.47 and above, you can no longer...
by pe1chl
Sun Nov 22, 2020 3:36 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 387
Views: 97137

Re: v7.1beta2 [development] is released!

You forget that there still is a use-case for the classical meaning of a VPN, a virtual private network. It is e.g. a network between a company and its branches or employees working from home. Both the server and the clients are under a single management which can decide what to buy to make them com...
by pe1chl
Sat Nov 21, 2020 8:40 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 387
Views: 97137

Re: v7.1beta2 [development] is released!

I agree with Sob, my internet is 100 Mbps down 30 Mbps up so for a VPN my speed is not going to be above 30 Mbps. And that is even quite high, on other connections it may be 5 or 7 Mbps in this country. Also, I prefer RouterOS over OpenWRT any time. But I think those that don't are welcome to use Op...
by pe1chl
Sat Nov 21, 2020 2:41 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 387
Views: 97137

Re: v7.1beta2 [development] is released!

This is not an issue with MikroTik as the RB750 or RB2011 you bought nearly 10 years ago still gets a new firmware version every month or so, and adds more and more new features, fixes bugs, etc. Ok, then tell me the new firmware, what is the use of rb750/2011 with OpenVPN? or with wireguard? doe...
by pe1chl
Sat Nov 21, 2020 12:52 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 387
Views: 97137

Re: v7.1beta2 [development] is released!

Well that is your opinion, mine is different. MikroTik IS doing it the right way! Other manufacturers (I have experience with e.g. Draytek and AVM) usually release new devices and have a firmware available only on that specific device. Each new device introduces some new function which is available ...
by pe1chl
Fri Nov 20, 2020 2:15 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 387
Views: 97137

Re: v7.1beta2 [development] is released!

I don't think it is time to retire the TILE hardware yet, but I think it is better to release further betas for other architectures while issues with TILE are resolved. That way, work on debugging v7 can continue while engineers work on TILE support. Anyway, it is Friday today so always a chance we ...
by pe1chl
Thu Nov 19, 2020 4:53 pm
Forum: Scripting
Topic: Need help to modify a script
Replies: 3
Views: 286

Re: Need help to modify a script

Insert it in the if body (below the nat setting command):
/tool e-mail send to="yourname@yourdomain" subject="your subject" body="yourmessage"
by pe1chl
Thu Nov 19, 2020 11:55 am
Forum: General
Topic: Mikrotik SYN Cookie Protection
Replies: 2
Views: 361

Re: Mikrotik SYN Cookie Protection

I think SYN cookie in RouterOS is only active for TCP connections to the router itself, not when handling forwarded traffic.
by pe1chl
Tue Nov 17, 2020 11:30 am
Forum: General
Topic: DHCP deassigned, assigned every few minutes?!
Replies: 16
Views: 10118

Re: DHCP deassigned, assigned every few minutes?!

The root cause is that your device regularly loses connection to the network (e.g. due to bad WiFi) and then when it re-connects it also releases and re-requests the lease. Not all devices do that, it depends on the firmware in the device and how it exactly reacts to connectivity interruptions and h...
by pe1chl
Mon Nov 16, 2020 4:40 pm
Forum: Announcements
Topic: MikroTik newsletter November 2020 (#98)
Replies: 64
Views: 13738

Re: MikroTik newsletter November 2020 (#98)

5ghz backup is useless because: When the first 60G devices were introduced there were a lot of folks asking for a combined device with 5G backup. Now that the first such device is introduced there are other guys saying the opposite... I think it is worthwhile to have a 60 GHz device with 5 GHz back...
by pe1chl
Mon Nov 16, 2020 12:24 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 387
Views: 97137

Re: v7.1beta2 [development] is released!

Is this just wrong information or can there be a difference between routeros version and routerboard version? Please study the difference between RouterOS version and firmware version. Firmware is the bootloader. It was made confusing by having the same version on the bootloader as on a RouterOS (e...
by pe1chl
Mon Nov 16, 2020 11:09 am
Forum: Announcements
Topic: v6.47.7 [stable] is released!
Replies: 45
Views: 11861

Re: v6.47.7 [stable] is released!

Better find out what is going wrong with the printer. Maybe some WiFi option that has been set that it does not support. It may help to update the printer. Anyway, you can download 6.47.4 for your router (MIPSBE version), upload the file to the router, and then select "downgrade" under sys...
by pe1chl
Sun Nov 15, 2020 11:35 am
Forum: General
Topic: WAP AC - new version - without triple chain
Replies: 32
Views: 1865

Re: WAP AC - new version - without triple chain

That is the main issue with MikroTik WiFi: these self-made drivers which maybe were a good idea when they were created are now blocking all progress. All those manufacturers of low-cost WiFi APs are passing MikroTik left and right with new WiFi features and MikroTik remains what it always was, so now...
by pe1chl
Sat Nov 14, 2020 12:25 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 387
Views: 97137

Re: v7.1beta2 [development] is released!

Run a /export and save it.
Use netinstall to install the router with 6.47.7 and restore the backup you made before you went to v7 beta.
Then use the /export to review any changes you made after going to the beta and that you now want to apply to your 6.47.7 install.
by pe1chl
Sat Nov 14, 2020 12:23 pm
Forum: Forwarding Protocols
Topic: SAME ASN 2 BGP SESSIONS (LOCAL & INTERNATIONAL TRAFFIC)
Replies: 8
Views: 652

Re: SAME ASN 2 BGP SESSIONS (LOCAL & INTERNATIONAL TRAFFIC)

Ok in general it can be said that you cannot control how the other side routes the traffic. You can only control how you route traffic TO other destinations, not how others route traffic TO you. However, with the "BGP prepend" you can sometimes tweak it a little. For a proper solution, con...
by pe1chl
Sat Nov 14, 2020 11:13 am
Forum: Forwarding Protocols
Topic: SAME ASN 2 BGP SESSIONS (LOCAL & INTERNATIONAL TRAFFIC)
Replies: 8
Views: 652

Re: SAME ASN 2 BGP SESSIONS (LOCAL & INTERNATIONAL TRAFFIC)

What direction do you want to affect? To select a different path for outgoing traffic, you set a local pref. To get a different path for your incoming traffic, you can try to use "set BGP prepend" and experiment with a (small) value like 2..4 to force the other end to use a different path....