Community discussions

Search found 5535 matches

by pe1chl
Tue Aug 20, 2019 12:03 am
Forum: General
Topic: When can developers improve ipv6 functionality?
Replies: 15
Views: 577

Re: When can developers improve ipv6 functionality?

Microsoft, the company that people always made fun of, how they are lacking in networking, they enabled IPv6 in Windows by default in Vista, in 2006. But it took them until this year to enable it on their own cloud services... All articles on IPv6 on Azure cloud are dated in the past 3 months, it se...
by pe1chl
Mon Aug 19, 2019 11:21 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 1119
Views: 196647

Re: Feature requests

That is likely not accurate enough to achieve such results. I connect the 1PPS to the DCD input of an old-style RS232 port (with UART on the bus, not via USB) and I achieve jitter like 3-5us. This is possible because the edge of the 1PPS pulse directly generates an interrupt in the UART, and in the ...
by pe1chl
Mon Aug 19, 2019 9:55 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 1119
Views: 196647

Re: Feature requests

2. If you use NTP (which is the most precise timing protocol supported by mikrotik) to propagate the time, then I don't think you gain much by using 1PPS source ... Precision gain will have order of magnitude of milliseconds and that's also order of magnitude of precision obtainable using NTP ove...
by pe1chl
Mon Aug 19, 2019 6:12 pm
Forum: Beginner Basics
Topic: Tunnel traffic through VPN
Replies: 9
Views: 407

Re: Tunnel traffic through VPN

Your VPN provider probably does not offer that option. Yes, the hEX S (or the normal hEX, this is now the RB750Gr3) is powerful enough for fast IPsec encryption at the speed you want. This of course still does not guarantee you will achieve that speed, there can be other bottlenecks in the network. ...
by pe1chl
Mon Aug 19, 2019 5:40 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 1119
Views: 196647

Re: Feature requests

The relevant question of course is: how often will it happen that installations with strict requirements like IEEE1588 will use equipment from MikroTik? Will it lead to a lot of new sales when MikroTik switches do support IEEE1588? IMHO there are LOTS of things missing from MikroTik switches, and IE...
by pe1chl
Mon Aug 19, 2019 4:56 pm
Forum: General
Topic: When can developers improve ipv6 functionality?
Replies: 15
Views: 577

Re: When can developers improve ipv6 functionality?

Currently, there is no compelling business case for IPv6 other than from the tech community. When applications become available that serve business needs that have a heavy reliance on P2P communications then ipv6 will create a strong demand for adoption --- that day is coming very soon [within 3 ye...
by pe1chl
Mon Aug 19, 2019 4:06 pm
Forum: General
Topic: When can developers improve ipv6 functionality?
Replies: 15
Views: 577

Re: When can developers improve ipv6 functionality?

My main distributor is selling a lot of different makes of routers and other network equipment, and they also provide consultancy etc. They provide a limited selection from the product gamma. I think when I ask them about IPv6 and MikroTik their reaction is likely to be "we do not advise MikroTik in...
by pe1chl
Mon Aug 19, 2019 2:58 pm
Forum: Beginner Basics
Topic: Tunnel traffic through VPN
Replies: 9
Views: 407

Re: Tunnel traffic through VPN

I tried https://www.expressvpn.com/ on my desktop, but I get only 25-100mbit/s
What router type do you have? Of course this is not going to work with an RB2011 or RB750G2!
You need a modern router with encryption acceleration to get those high speeds.
by pe1chl
Mon Aug 19, 2019 11:46 am
Forum: Beginner Basics
Topic: Tunnel traffic through VPN
Replies: 9
Views: 407

Re: Tunnel traffic through VPN

It is unlikely that the MikroTik OpenVPN implementation is going to work with them.
(I have no personal experience with this particular combination, but in general MikroTik OpenVPN is missing a lot of features that most servers require these days)

You will have more luck with IPsec (IKEv2) I think.
by pe1chl
Mon Aug 19, 2019 11:44 am
Forum: General
Topic: When can developers improve ipv6 functionality?
Replies: 15
Views: 577

Re: When can developers improve ipv6 functionality?

I have repeatedly asked for more IPv6 functionality here on the forum and also on MUM events. The above is what I heard there. Do you think it is worth it to go to the trouble of asking the same question to the distributor where I usually buy things so it comes to MikroTik via that channel as well? ...
by pe1chl
Mon Aug 19, 2019 11:19 am
Forum: General
Topic: Mikrotik CCR-1072 router
Replies: 4
Views: 204

Re: Mikrotik CCR-1072 router

The above is just a random thread of some crash on a CCR, not really an answer to those questions. CCR routers run stable for many users. However, BGP is a bit of a different matter. Note that the CCR series get their performance by running many CPU cores in parallel, 72 cores in the case of the CCR...
by pe1chl
Mon Aug 19, 2019 11:14 am
Forum: General
Topic: When can developers improve ipv6 functionality?
Replies: 15
Views: 577

Re: When can developers improve ipv6 functionality?

From what I understand, IPv6 is a low priority for MikroTik. Apparently the segment where they are working has little application for IPv6, or at least their customers make little demand for it at their sales department. So while there are the usual bugfixes and the occasional new feature, the major...
by pe1chl
Sun Aug 18, 2019 8:48 pm
Forum: Announcements
Topic: v6.45.3 [stable] is released!
Replies: 76
Views: 17706

Re: v6.45.3 [stable] is released!

Upgraded an rb450g from 6.44.3 to 6.45.3. My gre tunnel would not come up; ike/ipsec working fine but could not get the tunnel up. Also seemed to affect logging, I could not get any debug info, in fact all that filled my logs were fw drops of the gre tunnel establishment traffic. Why did you not fix...
by pe1chl
Sun Aug 18, 2019 9:28 am
Forum: General
Topic: Hotspot and HTTPS? What solutions?
Replies: 34
Views: 2896

Re: Hotspot and HTTPS? What solutions?

Price and Trust have nothing to do with each other!
E.g. Letsencrypt certificates are free and they are trusted, but paid certificates from some used-to-be-big-names like Symantec are NOT Trusted!
by pe1chl
Sat Aug 17, 2019 8:39 pm
Forum: Beginner Basics
Topic: Default firewall config query [SOLVED]
Replies: 4
Views: 350

Re: Default firewall config query [SOLVED]

I always sort the firewall rules so that first all the forward rules appear and then all the input rules. Makes things a lot clearer. But of course while manually sorting them (moving them around using the mouse within the listed rules), you must keep the sequence within the same chain the same as i...
by pe1chl
Sat Aug 17, 2019 8:25 pm
Forum: General
Topic: Hotspot and HTTPS? What solutions?
Replies: 34
Views: 2896

Re: Hotspot and HTTPS? What solutions?

You can get certificates for free. But only for your own site. So you cannot get a certificate for Google.com and so you CANNOT SOLVE the redirection problem. And neither can MikroTik. It is just a case of 'sorry but that is no longer possible, forget about it'. That is why you should focus on getti...
by pe1chl
Sat Aug 17, 2019 4:28 pm
Forum: General
Topic: Hotspot and HTTPS? What solutions?
Replies: 34
Views: 2896

Re: Hotspot and HTTPS? What solutions?

As written many times above, that issue cannot be solved ! However, the writers of software like Chrome and Android do know that, and they use requests that you do not enter yourself (some DNS and some HTTP requests) to detect this situation. When they find that they are on a hotspot/portal network...
by pe1chl
Sat Aug 17, 2019 1:06 pm
Forum: General
Topic: Hotspot and HTTPS? What solutions?
Replies: 34
Views: 2896

Re: Hotspot and HTTPS? What solutions?

As written many times above, that issue cannot be solved ! However, the writers of software like Chrome and Android do know that, and they use requests that you do not enter yourself (some DNS and some HTTP requests) to detect this situation. When they find that they are on a hotspot/portal network,...
by pe1chl
Sat Aug 17, 2019 12:45 pm
Forum: RouterBOARD hardware
Topic: Force 2.5G or 5G
Replies: 1
Views: 272

Re: Force 2.5G or 5G

Open the interface configuration, click the ethernet port you want to set up, select the ethernet tab and remove the "advertise" checkmark(s) for rates you do not want to use.
Keep the speed on "auto negotiate".
by pe1chl
Sat Aug 17, 2019 12:37 pm
Forum: General
Topic: Hotspot and HTTPS? What solutions?
Replies: 34
Views: 2896

Re: Hotspot and HTTPS? What solutions?

Make sure your hotspot is intercepting requests to hotspot-detection services that any modern OS has. This includes HTTP requests to URLs such as http://gstatic.com/generate_204 and intercepting all DNS requests e.g. for invalid / random hostnames like "xgjaiobman" Wait a moment... this should read: ...
by pe1chl
Sat Aug 17, 2019 11:10 am
Forum: General
Topic: I'm sure Mikrotik has a legit response to this...
Replies: 14
Views: 1312

Re: I'm sure Mikrotik has a legit response to this...

If your WAN is entirely firewalled against incoming connections (including VPNs) then your risk is only coming from the LAN side which is generally a lot safer. Well that holds for vulnerabilities in the configuration interface (webfig, winbox, telnet/ssh) which have been most common lately. Howeve...
by pe1chl
Sat Aug 17, 2019 11:04 am
Forum: General
Topic: LTS vs Stable
Replies: 6
Views: 424

Re: LTS vs Stable

Ok maybe someone had already upgraded it then. Normally you cannot downgrade below the version that comes on the device from the factory. This version is listed under System->Resources in the field "Factory software". But it could be that a dealer has upgraded it from a known security-vulnerable ver...
by pe1chl
Fri Aug 16, 2019 9:56 pm
Forum: Beginner Basics
Topic: GPS over Ethernet and/or WiFi
Replies: 5
Views: 298

Re: GPS over Ethernet and/or WiFi

Maybe MikroTik should add a "gpsd" package for RouterOS. That will make it much easier to use and share the GPS capability of the devices.
by pe1chl
Fri Aug 16, 2019 6:53 pm
Forum: General
Topic: LTS vs Stable
Replies: 6
Views: 424

Re: LTS vs Stable

When the router came with 6.45.1, downgrading to the 6.44 LTS version is not an option. I would recommend upgrading it to the current stable release while you have physical access to it, and then keep it at that until some new critical vulnerability is found. When at that time 6.45.x is the LTS vers...
by pe1chl
Fri Aug 16, 2019 5:04 pm
Forum: SwOS
Topic: unsecured access to admin interface?
Replies: 8
Views: 498

Re: unsecured access to admin interface?

Well, I have never seen a MikroTik employee answer any question regarding "plans" here with anything more specific than "It happens, when it happens"... True there sometimes are answers regarding technical matters, but far more from other users than from MikroTik employees. W.r.t. switches that comp...
by pe1chl
Fri Aug 16, 2019 3:10 pm
Forum: General
Topic: DHCP server assigns .0 IP
Replies: 2
Views: 202

Re: DHCP server assigns .0 IP

Or create dummy static entries (with nonexisting MAC address) on the addresses you do not want to assign.
But indeed, it is no problem at all. We run /22 networks all the time with a 1000-address IP range and people are happily using .0 and .255 addresses.
by pe1chl
Fri Aug 16, 2019 3:07 pm
Forum: General
Topic: I'm sure Mikrotik has a legit response to this...
Replies: 14
Views: 1312

Re: I'm sure Mikrotik has a legit response to this...

How many of these vulnerabilities though are still present when a competent person configures the router? That is completely unknown. MikroTik state that there are no known (to them!) vulnerabilities at this layer, however that does not mean there are no vulnerabilities that are not yet known or ar...
by pe1chl
Fri Aug 16, 2019 12:01 pm
Forum: General
Topic: Please add documentation for ping-timeout added in 6.43
Replies: 11
Views: 953

Re: Please add documentation for ping-timeout added in 6.43

Well, using such features usually causes unexpected and unnecessary downtime anyway. It is always a tradeoff and it should be used only in well-understood environments completely under the owner's control, and in that case it can probably be tested as well. I remember in the early days of my DSL con...
by pe1chl
Fri Aug 16, 2019 11:50 am
Forum: General
Topic: I'm sure Mikrotik has a legit response to this...
Replies: 14
Views: 1312

Re: I'm sure Mikrotik has a legit response to this...

There are many things that can be done to reduce the attack surface. I think as a first thing I would consider not running all processes as root, use chroot to limit their filesystem view, etc. Maybe also other fine-grained security features in the Linux kernel can be used. When a good mechanism is i...
by pe1chl
Fri Aug 16, 2019 11:47 am
Forum: RouterBOARD hardware
Topic: Corrupted routerboard firmware prevents booting
Replies: 15
Views: 2979

Re: Corrupted routerboard firmware prevents booting

The cost of license is completely arbitrary. To illustrate, regular price of L4 license is $45, but at the same time hAP mini, complete hardware with L4 license included, is $19.95. So what's the cost of license there? It's more like free bonus. It's the most extreme example, but it's clear that eve...
by pe1chl
Fri Aug 16, 2019 11:34 am
Forum: SwOS
Topic: unsecured access to admin interface?
Replies: 8
Views: 498

Re: unsecured access to admin interface?

You have to consider that the first switches where SWOS was used do not have more memory than that. Of course these days the dual-boot SWOS/RouterOS switches do have more memory but they can use RouterOS. It is not useful to ask about plans here. This is a user forum, for users to help each other. To...
by pe1chl
Fri Aug 16, 2019 12:11 am
Forum: SwOS
Topic: unsecured access to admin interface?
Replies: 8
Views: 498

Re: unsecured access to admin interface?

SWOS is like 64KB in size. Sixty-four KILObytes. Like the memory size of a Commodore 64.
RouterOS is more like 8 megabytes.
Is it surprising that SWOS lacks some features?
Only the addition of an SSL library will at least double the size of SWOS.
by pe1chl
Thu Aug 15, 2019 8:56 pm
Forum: General
Topic: QoS / Prioritisation on Variable Bandwidth Link
Replies: 4
Views: 543

Re: QoS / Prioritisation on Variable Bandwidth Link

Strict priority levels should work on such interfaces. Use some mechanism (e.g. DSCP) to recognize the traffic and set the priority as a postrouting rule in the firewall mangle table. When the LTE driver supports that, it should send the higher priority packets first. The whole thing with queuing an...
by pe1chl
Thu Aug 15, 2019 8:48 pm
Forum: SwOS
Topic: unsecured access to admin interface?
Replies: 8
Views: 498

Re: unsecured access to admin interface?

Can your switch run RouterOS instead of SWOS? (some models can do that)
I think that is the only viable solution as SWOS is an extremely small system that is not likely to be extended.
by pe1chl
Thu Aug 15, 2019 6:57 pm
Forum: General
Topic: Beeper [SOLVED]
Replies: 1
Views: 162

Re: Beeper [SOLVED]

Apparently any component that is not strictly required for the average user is at risk of being dropped.
User-LED, beeper, flash storage for at least 2 RouterOS versions, LCD screen, they have all bitten the dust since the days of devices like the 2011.
by pe1chl
Thu Aug 15, 2019 6:52 pm
Forum: General
Topic: Please add documentation for ping-timeout added in 6.43
Replies: 11
Views: 953

Re: Please add documentation for ping-timeout added in 6.43

I think it is like this: after boot, the router first waits for no-ping-delay before doing anything. To give other devices time to initialize and make a connection. Then, it starts pinging at an interval of ping-timeout/6. So, one ping every 10 seconds for the default ping-timeout of 60s. When no pi...
by pe1chl
Thu Aug 15, 2019 12:21 pm
Forum: General
Topic: I'm sure Mikrotik has a legit response to this...
Replies: 14
Views: 1312

Re: I'm sure Mikrotik has a legit response to this...

What is he even referring to?
Is it a reply to some paper discussing number of vulnerabilities in router products?
Where is it to be found?
by pe1chl
Thu Aug 15, 2019 10:35 am
Forum: RouterBOARD hardware
Topic: Corrupted routerboard firmware prevents booting
Replies: 15
Views: 2979

Re: Corrupted routerboard firmware prevents booting

Of course it also depends on the age of the device and to the ratio of average income to the price of such devices. Frankly, when I had a single SXT Lite5 fail after a couple of years and see what they cost new, I would just bin it. When "hundreds of devices" are affected it could be different. Here...
by pe1chl
Wed Aug 14, 2019 10:24 am
Forum: Beginner Basics
Topic: File download block?
Replies: 23
Views: 1961

Re: File download block?

Isn't that a limit for the two directions? The 0 is supposed to mean "unlimited" but apparently it is rejected by incorrect validation. You can put a very large number there.
by pe1chl
Tue Aug 13, 2019 7:34 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 1119
Views: 196647

Re: Feature requests

I have seen that as well. This is a DDoS amplification: those SYN packets are not really coming from the servers or even AS that you think, but they are spoofed by the DDoS operator. The idea is that for every SYN they send to you, you will send a number of SYN ACK packets to the address that they s...
by pe1chl
Tue Aug 13, 2019 7:12 pm
Forum: General
Topic: VLAN or port isolation?
Replies: 12
Views: 1664

Re: VLAN or port isolation?

Yes there really is a difference between MikroTik and Cisco switches, however when you look e.g. at that Private VLAN wiki page you can see that there are others in between the two. And as I wrote, you can look at bridge filtering and at bridge (port) horizon in RouterOS. But I do not know if using t...
by pe1chl
Tue Aug 13, 2019 12:46 pm
Forum: General
Topic: VLAN or port isolation?
Replies: 12
Views: 1664

Re: VLAN or port isolation?

yes, but I would like to use mikrotik switches, but thx :)
IMHO MikroTik switches are toys... but of course they are cheap.
I'm not sure what is possible with bridge filters, bridge horizon value etc in those switches without killing the performance.
You could investigate that.
by pe1chl
Tue Aug 13, 2019 11:39 am
Forum: General
Topic: VLAN or port isolation?
Replies: 12
Views: 1664

Re: VLAN or port isolation?

There are standard solutions for this in switches. E.g. enterprise switches offer this: https://en.wikipedia.org/wiki/Private_VLAN I don't think MikroTik provides this feature (and many others that you would want to have in a hostile network, like DHCP snooping, ARP spoofing protection, etc) but as ...
by pe1chl
Tue Aug 13, 2019 11:33 am
Forum: Wireless Networking
Topic: Google Home devices with MikroTik AC hardware
Replies: 3
Views: 356

Re: Google Home devices with MikroTik AC hardware

I have observed this same behavior a long time ago when using a Raspberry Pi with a cheap noname WiFi USB stick and connecting to RB2011. I never fully researched it as I presumed it was just a bug in the driver of that stick or some other part of the Linux WiFi stack. Later I have used Raspberry Pi 3b+ w...
by pe1chl
Tue Aug 13, 2019 11:14 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 1119
Views: 196647

Re: Feature requests

The AS number is only directly available when the router has a full BGP routing table from internet. When you are just connected using a static default route to internet (i.e. typical endpoint on a single ISP) the AS number is not available. The cost to lookup the AS number is high to very high (dep...
by pe1chl
Tue Aug 13, 2019 11:09 am
Forum: Beginner Basics
Topic: File download block?
Replies: 23
Views: 1961

Re: File download block?

On the page there is a hint, without an example of how to do it: ... "Also You can start this strategy base on File Extensions , Such as ( mp3 , avi , flv , zip , ... )" Now the question is, how do you do it? It was possible only for transfers occurring in plaintext. I.e. http, ftp etc. Today these...
by pe1chl
Tue Aug 13, 2019 12:06 am
Forum: Beginner Basics
Topic: File download block?
Replies: 23
Views: 1961

Re: File download block?

As I have already mentioned above, I have set up on airport WLAN connection and I could do everything. Only *.exe, *.mp4 ...files, could not be downloaded. I don't believe that. Likely only via http and not via https. There is no way a public WLAN system, no matter what manufacturer, can see what y...
by pe1chl
Mon Aug 12, 2019 9:52 pm
Forum: Beginner Basics
Topic: File download block?
Replies: 23
Views: 1961

Re: File download block?

This is not a problem of MikroTik!
What you want is simply not possible anymore.
You can blame Google and others for migrating everything to https to prevent that people like you look in the traffic.
by pe1chl
Mon Aug 12, 2019 9:13 pm
Forum: Beginner Basics
Topic: File download block?
Replies: 23
Views: 1961

Re: File download block?

Which I don't understand. HTTPS pages can be blocked with the above regexp, but HTTPS downloads cannot. The filename and filetype of the download URL is not visible to the L7 matcher! squid/proxy filtering with the L7 Protocol principle? Same problem. Squid sees only "CONNECT www.sitename.tld:443" ...
by pe1chl
Mon Aug 12, 2019 4:20 pm
Forum: Beginner Basics
Topic: File download block?
Replies: 23
Views: 1961

Re: File download block?

But that only works after you have destroyed the security of your device (by adding a new root certificate that cannot be trusted).
So that only works inside companies where they can decide to do this on their own workstations.
It is not a solution that could be used on a public WiFi.