Community discussions

Search found 5048 matches

by pe1chl
Sun Mar 24, 2019 1:16 am
Forum: Scripting
Topic: Basic scripts not working on 6.44.1 (work in 6.43.13)
Replies: 5
Views: 211

Re: Basic scripts not working on 6.44.1 (work in 6.43.13)

Original post did mention "If I copy/paste into terminal window the commands work just fine on 6.44.1" ... So it still works just not in the script.
Using numbered items is valid in the terminal window but not in scripts.
by pe1chl
Sat Mar 23, 2019 5:29 pm
Forum: General
Topic: LHG5 AC in N mode at 10 MHz
Replies: 5
Views: 180

Re: LHG5 AC in N mode at 10 MHz

It does not work :-( The 5 and 10 MHz channel width is shown but when it is programmed just like the other side (band=5ghz-a/n channel-width=10mhz) it says that the scan list is empty. When a scan list is created with the correct channel in it, it says it is unsupported... Is this something that is ...
by pe1chl
Sat Mar 23, 2019 3:42 pm
Forum: Scripting
Topic: Basic scripts not working on 6.44.1 (work in 6.43.13)
Replies: 5
Views: 211

Re: Basic scripts not working on 6.44.1 (work in 6.43.13)

Using numbered items instead of [find ...] was never correct.
Maybe it finally stopped working completely, so that the situation is clear.
Use a proper [find] command, add something unique to each item (e.g. a comment) if required.
by pe1chl
Sat Mar 23, 2019 3:31 pm
Forum: Beginner Basics
Topic: What is the best outdoor wireless access point
Replies: 3
Views: 153

Re: What is the best outdoor wireless access point

I want something that can distribute the signal through these container walls.
Forget about that!
As andriys says, install something like cAP AC inside each container.
by pe1chl
Sat Mar 23, 2019 1:34 pm
Forum: General
Topic: LHG5 AC in N mode at 10 MHz
Replies: 5
Views: 180

Re: LHG5 AC in N mode at 10 MHz

First generation AC didn't work in 5/10mhz.
Yes I seem to remember such a thing. Don't know if it was fixed in software or another way.
Anyway, I have ordered a LHG5 AC and it should arrive today so I can test it.
by pe1chl
Fri Mar 22, 2019 6:38 pm
Forum: General
Topic: LHG5 AC in N mode at 10 MHz
Replies: 5
Views: 180

Re: LHG5 AC in N mode at 10 MHz

I checked on a hAP AC and it can be set to 10 MHz channel width.
I seem to remember that there was an issue with some AC chips and 10 MHz but it could have been UBNT and not MikroTik...
by pe1chl
Fri Mar 22, 2019 4:24 pm
Forum: General
Topic: LHG5 AC in N mode at 10 MHz
Replies: 5
Views: 180

LHG5 AC in N mode at 10 MHz

Can the LHG5 AC connect to an 802.11N access point (RB912UAG-5HPnD) with 10 MHz bandwidth?
Or do I have to use the older LHG5 for that?
by pe1chl
Fri Mar 22, 2019 11:54 am
Forum: General
Topic: DHCP Offering Lease Without Success
Replies: 25
Views: 4395

Re: DHCP Offering Lease Without Success

Having this "issue" is normal in a wireless network, probably it stands out on MikroTik only because it is logged by default.
What is important is: are your systems, when they have a stable wireless connection, getting their IP address allocated.
by pe1chl
Fri Mar 22, 2019 10:49 am
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 64
Views: 9303

Re: v6.44.1 [stable] is released!

Downgrading to 6.44 solves the Problem !!!
Did you also try a reboot before downgrade?
by pe1chl
Wed Mar 20, 2019 11:05 am
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 64
Views: 9303

Re: v6.44.1 [stable] is released!

probably windows is not properly detecting nat, there is registry to force windows to assume both client and server is behind NAT.. reg add HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f 0 - no nat 1 - server behind nat 2 - both ...
by pe1chl
Mon Mar 18, 2019 11:21 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 324
Views: 63155

Re: Winbox vulnerability: please upgrade

Better idea, prevent changing/removal of the default firewall. That is what all other "home router" brands seem to do. Simply prevent idiots from doing stupid things. There could be a default firewall where user can add things, and an "expert" mode where they can redesign the whole firewall when de...
by pe1chl
Mon Mar 18, 2019 11:19 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 324
Views: 63155

Re: Winbox vulnerability: please upgrade

It should only be updated when security vulnerabilities have been found and fixed, ... What if they don't find any for a while? Imagine that there's no vulnerability for few years and then something happens. They would have to make an update that would apply to several RouterOS versions released ov...
by pe1chl
Sun Mar 17, 2019 10:33 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 324
Views: 63155

Re: Winbox vulnerability: please upgrade

I think the point was that unlike with HA solutions, where you can take out some part and everything else will still work, unexpected reboots of lone routers would be annoying to users. Plus MikroTik would need extremely good quality control, because small mistake could result in thousands of inope...
by pe1chl
Sun Mar 17, 2019 6:17 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 324
Views: 63155

Re: Winbox vulnerability: please upgrade

Automatic upgrade should be the default and is quickly becoming best practice.
Automatic upgrade with reboot will never become best practice in non-HA clusters.
You are not going to tell us that those 200.000 - 400.000 compromised MikroTik routers form a HA cluster, do you?
by pe1chl
Sat Mar 16, 2019 9:46 pm
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 64
Views: 9303

Re: v6.44.1 [stable] is released!

Try to upgrade immediately after a reboot (before running lots of traffic through it).
When that does not work, export and backup the config and netinstall.
by pe1chl
Sat Mar 16, 2019 11:45 am
Forum: General
Topic: How to solve multiple same IP addresses?
Replies: 6
Views: 239

Re: How to solve multiple same IP addresses?

Is there a way to make mikrotik report to me when I have another smartass DHCP on the LAN??
Yes, see the documentation (and the rightmost tab on the DHCP server panel)
by pe1chl
Fri Mar 15, 2019 3:47 pm
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 64
Views: 9303

Re: v6.44.1 [stable] is released!

I can confirm the "Loose TCP Tracking" is completely broken in this release (and perhaps 6.44, didn't test it extensively). Previously established connections are treated as INVALID regardless of the setting. That already happened in 6.44 as I noticed when I upgraded my home router. There I always ...
by pe1chl
Fri Mar 15, 2019 2:01 pm
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 64
Views: 9303

Re: v6.44.1 [stable] is released!

Updated hAP AC2 and CCR1009 from 6.44 to 6.44.1 I am seeing a lot of dropped Forwarded packets as INVALID. These are packets that should have hit the New connection from a local device in the address list. But are getting dropped. This looks like a case of the problem already mentioned in post #2 i...
by pe1chl
Thu Mar 14, 2019 3:35 pm
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 64
Views: 9303

Re: v6.44.1 [stable] is released!

Has anything been done about the problem in connection tracking? (it is not listed in the changes, but neither was the change that introduced the problem) loose-tcp-tracking is no longer working! after upgrade and reboot all existing TCP connections across the router are stuck, and firewall logs "tcp (AC...
by pe1chl
Thu Mar 07, 2019 11:03 pm
Forum: General
Topic: IPsec speed test encryption algorithms
Replies: 1
Views: 107

Re: IPsec speed test encryption algorithms

Those routers do not have hardware accelerated IPsec.
Use RB750Gr3 instead and it will fly!

To measure speed, do not use a tool on the router itself. Transfer data from a separate system located at each end.
by pe1chl
Wed Mar 06, 2019 4:11 pm
Forum: Beginner Basics
Topic: Mikrotik 6.34.1 Check updates fail
Replies: 39
Views: 30323

Re: Mikrotik 6.34.1 Check updates fail

Adding
chain=input action=accept connection-state=established,related
solved this for me.
Ok that was the case of the user-created problem then.
(this rule is in the default firewall, you removed it)
by pe1chl
Wed Mar 06, 2019 4:05 pm
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 26329

Re: v6.44 [stable] is released!

Maybe it could be related to the bug that I reported above? (loose TCP connection tracking no longer works) It could be that there were changes in the connection tracking firewall that have side effects like this. Looks like we're all hit by the same problem, manifested over different application p...
by pe1chl
Tue Mar 05, 2019 6:59 pm
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 26329

Re: v6.44 [stable] is released!

*) bgp - properly update keepalive time after peer restart; what exactly this fix for? I have seen issues with BGP when the keepalive time is not set equal at both peers. According to the protocol spec the lower of the two keepalive times should be used by both peers. But in practice it sometimes h...
by pe1chl
Tue Mar 05, 2019 1:57 pm
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 26329

Re: v6.44 [stable] is released!

Hi Since the last update we have had multiple clients complaining about existing sites where VoIP experiences issues, from de-registration, no audio, one way audio. Currently we are downgrading the clients back to 6.43.8 which works. I've sent multiple supouts and support tickets to Support with no fee...
by pe1chl
Mon Mar 04, 2019 2:27 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 324
Views: 63155

Re: Winbox vulnerability: please upgrade

Essentially the most general most important dilemma about most commonly (well, over the ultra-modern two years or anything to that effect) vulnerabilities in ROS is that main default settings did not sincerely shut all WAN access to RB. That is not correct! On every router except the CCR the defaul...
by pe1chl
Sun Mar 03, 2019 12:02 pm
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 26329

Re: v6.44 [stable] is released!

Very stupid dependence! I don't need DHCP at many situations, but need SSH. So i have had installed: advanced-tools, security, system packages only. But now i have to use DHCP?! Nonsense!!! Ideally, the new function of IKEv2 that requires DHCP would just be disabled until DHCP is installed (prefera...
by pe1chl
Fri Mar 01, 2019 8:09 pm
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 26329

Re: v6.44 [stable] is released!

loose-tcp-tracking is no longer working! after upgrade and reboot all existing TCP connections across the router are stuck, and firewall logs "tcp (ACK, PSH)" packets being dropped. normally, after a router reboot an outgoing TCP packet on an existing connection (no NAT in use!) will re-establish th...
by pe1chl
Thu Feb 28, 2019 11:52 pm
Forum: RouterOS v7
Topic: RouterOS v7.0 beta1 - when?
Replies: 445
Views: 103180

Re: RouterOS v7.0 beta1 - when?

... when you now release a v7 that is just a 6.44 with new kernel there will be a large uproar. As many other people, I also expect that when v7 comes out, my router will be able to do anything I've ever dreamed of and more, and make me a coffee on top of that (without any additional hardware requi...
by pe1chl
Thu Feb 28, 2019 11:02 am
Forum: RouterOS v7
Topic: RouterOS v7.0 beta1 - when?
Replies: 445
Views: 103180

Re: RouterOS v7.0 beta1 - when?

The problem is that the delay has been so long and the expectations have gone up so high that it has become almost impossible to release something that will not cause a lot of criticism. You should just have made a v7 with new kernel at some time (already enough work to forward-port all customizatio...
by pe1chl
Sat Feb 23, 2019 5:33 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: CCR & MetaRouter
Replies: 49
Views: 18929

Re: CCR & MetaRouter

It will probably never happen... I have proposed that instead of MetaRouter a new, lighter feature to run user code on MikroTik routers should be added. Something that does not require virtualization but just is a user process that is connected to the network only via predefined sockets and only has ...
by pe1chl
Sat Feb 23, 2019 5:29 pm
Forum: General
Topic: Firmware upgrade needed?
Replies: 4
Views: 381

Re: Firmware upgrade needed?

I guess the issue was that when people were asked "what version are you running" they looked in that firmware version field and came back with "3.41" which of course was useless when looking at RouterOS issues. So they changed it to be the same as the RouterOS version. However, to me that isn't an i...
by pe1chl
Fri Feb 22, 2019 10:49 am
Forum: General
Topic: Unauthorized access to MikroTiK
Replies: 20
Views: 1606

Re: Unauthorized access to MikroTiK

We also went away from the main question, how did we get into the router, which did not have vulnerabilities, to pick up a password is not an easy task. And why nobody talks about API ports? These ports also allow you to log in, right? You did not answer the question if your router was open to API,...
by pe1chl
Thu Feb 21, 2019 5:56 pm
Forum: General
Topic: Unauthorized access to MikroTiK
Replies: 20
Views: 1606

Re: Unauthorized access to MikroTiK

The firewall was set up.
What do you mean? Is there remote access to ports 80 and/or 8291 to your router?
(the default firewall does not allow that, but maybe after your setup it does)
by pe1chl
Thu Feb 21, 2019 5:52 pm
Forum: General
Topic: Firmware upgrade needed?
Replies: 4
Views: 381

Re: Firmware upgrade needed?

It was (unfortunately) changed at some time between those versions. Before, firmware versions were independent from RouterOS versions and the suggestion to update appeared only when the running RouterOS contained a newer firmware image than the router. Now, the firmware version is always the same as...
by pe1chl
Thu Feb 21, 2019 5:45 pm
Forum: Beginner Basics
Topic: Backup for the mikrotik [SOLVED]
Replies: 5
Views: 356

Re: Backup for the mikrotik [SOLVED]

Transfer of configuration from one router to another (both to continue service after hardware failure and to serve as template for a new router) is a function that certainly needs improvement in RouterOS. There should be functions like "restore but ignore MAC addresses" and "continue after minor err...
by pe1chl
Thu Feb 21, 2019 2:43 pm
Forum: Scripting
Topic: Global variable dissapears?
Replies: 9
Views: 497

Re: Global variable dissapears?

The environment variables also have a field "user" but it appears not in use. It would be nice when every script context at least had access to some global variables limited by the "user" field. E.g. "netwatch". (and of course a user with higher privileges preferably would have some means to read an...
by pe1chl
Thu Feb 21, 2019 11:06 am
Forum: Wireless Networking
Topic: Illegal country-info for New Zealand?
Replies: 14
Views: 689

Re: Illegal country-info for New Zealand?

You can always reduce the frequencies that RouterOS uses by setting up your own "/interface wireless channels" table and
assigning it to the interface. This can be used as a workaround for problems like this, and to avoid channels that you know
to have RADAR so they do not have to be tried.
by pe1chl
Thu Feb 21, 2019 11:03 am
Forum: General
Topic: IPSEC dynamic peer ip
Replies: 10
Views: 518

Re: IPSEC dynamic peer ip

For an easy out-of-the-box solution for dynamic IP I always use L2TP/IPsec. And then I assign a fixed IP to each user and setup BGP to communicate the subnet routes at their endpoints. (BGP set to passive at the central router) For static addresses I normally use GRE/IPsec and still have BGP over it...
by pe1chl
Wed Feb 20, 2019 4:18 pm
Forum: General
Topic: IPSEC dynamic peer ip
Replies: 10
Views: 518

Re: IPSEC dynamic peer ip

I see two different use cases: 1. you want to connect outbound to some other router which is mostly on a static address but it can change sometimes. there you can use DDNS for a satisfactory solution 2. you want to accept inbound connections from other routers that are on wildly dynamic addresses (e...
by pe1chl
Wed Feb 20, 2019 3:19 pm
Forum: General
Topic: IPSEC dynamic peer ip
Replies: 10
Views: 518

Re: IPSEC dynamic peer ip

Ok I did not look into the script exactly, but AFAIK it is not implemented in RouterOS to connect with a remote that has a dynamic IP (identify it via remote ID or certificate) and then use that association without fixup via some script. Using DDNS is kind of a workaround for that problem, but it wo...
by pe1chl
Wed Feb 20, 2019 2:56 pm
Forum: General
Topic: IPSEC dynamic peer ip
Replies: 10
Views: 518

Re: IPSEC dynamic peer ip

Dynamic policy refers to policies created internally by RouterOS as a result of other configuration (i.e. not adding the policy in the ipsec menu). It can be: - using simple IPsec config in tunnel interfaces - incoming IPsec connections from dynamic addresses e.g. using L2TP/IPsec There is no easy s...
by pe1chl
Wed Feb 20, 2019 2:52 pm
Forum: Wireless Networking
Topic: Illegal country-info for New Zealand?
Replies: 14
Views: 689

Re: Illegal country-info for New Zealand?

It is better to mail this to support@mikrotik.com instead of trying via the forum.
This is mostly a user-to-user support forum.

Did you update the software to the latest version? Lots of regulatory updates have been done in the latest release.
by pe1chl
Wed Feb 20, 2019 2:49 pm
Forum: General
Topic: PPPoE drops out randomly
Replies: 1
Views: 172

Re: PPPoE drops out randomly

What is it exactly that you observe? What happens here: - PPPoE normally works fine - when maintenance or a short interruption occurs in the ISP network, but the VDSL sync remains, PPPoE session fails - RouterOS tries to re-establish the PPPoE connection but this fails persistently - disable the PPP...
by pe1chl
Sun Feb 17, 2019 11:53 am
Forum: RouterBOARD hardware
Topic: CCR1036 Power Supply
Replies: 61
Views: 8367

Re: CCR1036 Power Supply

I don't understand the logic behind dual PSU's that aren't hot-swappable.
Well, they can be monitored via SNMP so when one of them fails you can plan downtime at a convenient moment
to swap the entire router or to repair it using a spare supply.
by pe1chl
Sat Feb 16, 2019 9:20 am
Forum: General
Topic: Azure to Mikrotik IPSec Site-to-Site VPN painfully slow on one direction [SOLVED]
Replies: 5
Views: 428

Re: Azure to Mikrotik IPSec Site-to-Site VPN painfully slow on one direction [SOLVED]

Well, when you configure a site-to-site IPsec VPN there is no explicit tunnel interface, so there is nowhere where you can set the MTU. This is one reason why I prefer not to use that configuration, but instead recommend to use some type of explicit tunnel (like GRE or IP tunnel) with IPsec configu...
by pe1chl
Fri Feb 15, 2019 8:58 pm
Forum: General
Topic: Azure to Mikrotik IPSec Site-to-Site VPN painfully slow on one direction [SOLVED]
Replies: 5
Views: 428

Re: Azure to Mikrotik IPSec Site-to-Site VPN painfully slow on one direction [SOLVED]

The problem is that a VPN tunnel has a slightly smaller MTU (maximum packet size) than a plain ethernet network connection, so the router behaves like a funnel that will not let packets that are too large through to the other side. It should inform the sending system whenever a packet is too large, ...
by pe1chl
Fri Feb 15, 2019 7:59 pm
Forum: General
Topic: Azure to Mikrotik IPSec Site-to-Site VPN painfully slow on one direction [SOLVED]
Replies: 5
Views: 428

Re: Azure to Mikrotik IPSec Site-to-Site VPN painfully slow on one direction [SOLVED]

Maybe something MTU and PMTU related?
Try to add this to see if that fixes it:
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
by pe1chl
Fri Feb 15, 2019 5:15 pm
Forum: General
Topic: Romon - UBNT
Replies: 3
Views: 501

Re: Romon - UBNT

Make sure that on UBNT links you have "WDS" enabled.
It is required to transparently pass traffic including MAC address between WiFi link peers.
by pe1chl
Fri Feb 15, 2019 12:34 pm
Forum: Announcements
Topic: v6.43.12 [stable] is released!
Replies: 49
Views: 9353

Re: v6.43.12 [stable] is released!

I had read that too. With the latest firmwares, my DFS detects went from zero to zero :D . Even if it actually got worse, which it might, I think the problem is still at least an order of magnitude worse with MT devices regarding rate of false positives. My setups are almost entirely mixed-vendor. ...