Community discussions

Search found 5815 matches

by pe1chl
Thu Oct 17, 2019 5:38 pm
Forum: General
Topic: Is there an new exploit going around?
Replies: 38
Views: 3480

Re: Is there an new exploit going around?

I'd like to add that it has become difficult to update our customers' routers. Most are hAPs and do not have enough free space to upgrade.
Well, maybe you should have thought about it a little more before giving most of your customers a $19.95 router!
by pe1chl
Thu Oct 17, 2019 5:16 pm
Forum: General
Topic: Is there an new exploit going around?
Replies: 38
Views: 3480

Re: Is there an new exploit going around?

- Do not use "admin" user, ever That is just "security by obscurity". When it is vulnerable for admin, it is probably vulnerable for any user. And when it is the old exploit or a variant thereof (looks like it, given the immediately successful login), they can retrieve your "secret username" as wel...
by pe1chl
Thu Oct 17, 2019 11:50 am
Forum: Beginner Basics
Topic: mikrotik router date and time is false
Replies: 2
Views: 179

Re: mikrotik router date and time is false

hello I activated mikrotik radius date and time on routerboard but I get one screen can anyone check plz. my computer time is real time and date but mikrotik routerboard screen is different how it is fix on routerboard... First you need to find if the router is running wrong time. Probably it isn't...
by pe1chl
Thu Oct 17, 2019 11:46 am
Forum: Beginner Basics
Topic: Communicating to outlook server port 993 with IMAP
Replies: 1
Views: 114

Re: Communicating to outlook server port 993 with IMAP

Remove everything you have added or changed and start to debug the issue. There are NO rules required to allow any outgoing connections in the router. When you don't understand the workings of the firewall, start off by bringing it back to its default setting. That will work for you. Also, ask your ...
by pe1chl
Wed Oct 16, 2019 2:36 pm
Forum: General
Topic: L2TP/IPSec Android Cannot Connect
Replies: 7
Views: 360

Re: L2TP/IPSec Android Cannot Connect

Sorry I do not know which options do and do not work with current versions of Android, but in my case I got it working when resetting the IPsec profile entirely to defaults, and it stopped working when e.g. enabling sha256 in phase1.
by pe1chl
Wed Oct 16, 2019 12:50 am
Forum: General
Topic: L2TP/IPSec Android Cannot Connect
Replies: 7
Views: 360

Re: L2TP/IPSec Android Cannot Connect

Maybe you have double-NAT between your phone and router?
Also, Android does not like some of the more "advanced" settings of IPsec profile...
by pe1chl
Tue Oct 15, 2019 11:17 am
Forum: General
Topic: MacOS Catalina, iOS, Catalyst, SwiftUI & Wine
Replies: 76
Views: 9157

Re: MacOS Catalina, iOS, Catalyst, SwiftUI & Wine

Dude is a Windows program and has always been. But since some time there is also some Dude functionality (not everything) in Webfig! I still think that is the way to the future... as nice as a native application may be, everyone is moving to web applications, and the possibilities there have improved.
by pe1chl
Mon Oct 14, 2019 8:45 pm
Forum: General
Topic: MacOS Catalina, iOS, Catalyst, SwiftUI & Wine
Replies: 76
Views: 9157

Re: MacOS Catalina, iOS, Catalyst, SwiftUI & Wine

Dude currently no immediate plans. Run it in Windows. Wow, that is bad, so I have to buy 1 windows machine to run dude ???? BAD BAD BAD I suppose you understand that the main people to blame here are Apple, who took away your ability to run 32-bit code? Other platforms support 32-bit code on 64-bit...
by pe1chl
Mon Oct 14, 2019 3:42 pm
Forum: General
Topic: Winbox 64bit Version
Replies: 80
Views: 11203

Re: Winbox 64bit Version

In theory I agree with the idea that the focus should be put on WebFig. However, WinBox is just so nice to use, especially for things like Torch and having multiple windows open for troubleshooting. That is why I write that WebFig should be updated/extended to work the same as WinBox. Then there is...
by pe1chl
Sun Oct 13, 2019 8:37 pm
Forum: General
Topic: Winbox 64bit Version
Replies: 80
Views: 11203

Re: Winbox 64bit Version

+1 for native OSX (MacBox)
-1 for native OSX (MacBox) when there is no native Linux (LinBox) version.
And a native Chromebook (ChromeBox) too!

No, it is much better to improve WebFig so it works the same as WinBox.
That makes all those special boxes unnecessary.
by pe1chl
Sun Oct 13, 2019 8:34 pm
Forum: General
Topic: Wrong ethernet speed negotiation [SOLVED]
Replies: 13
Views: 642

Re: Wrong ethernet speed negotiation [SOLVED]

ok found why i had 100mbps injector we bought LHG 2Ghz before, and we replaced it with 5Ghz AC antennas, without replacing the injector... i found the good gigabit poe injector and installed it on site 1 : now it's giga ;) i must install it to site B thanks for finding it Zacharias Wait, I told you...
by pe1chl
Sat Oct 12, 2019 8:00 pm
Forum: General
Topic: Wrong ethernet speed negotiation [SOLVED]
Replies: 13
Views: 642

Re: Wrong ethernet speed negotiation [SOLVED]

on site B, the LHG don't advertise 1Gbps, that's strange.
Remember only the AC type LHG can do 1G, the N type is 100 Mbit.
You also have to use the power inserters that come with it, not some leftover type from another device.
by pe1chl
Sat Oct 12, 2019 7:42 pm
Forum: General
Topic: Wrong ethernet speed negotiation [SOLVED]
Replies: 13
Views: 642

Re: Wrong ethernet speed negotiation [SOLVED]

I have seen such things happen in radio transmission towers where there are strong transmitter signals at FM and DAB frequencies.
by pe1chl
Sat Oct 12, 2019 11:47 am
Forum: General
Topic: MacOS Catalina, iOS, Catalyst, SwiftUI & Wine
Replies: 76
Views: 9157

Re: MacOS Catalina, iOS, Catalyst, SwiftUI & Wine

consider to name it Macbox instead of winbox 3.20? Why?? It still is a Windows program, isn't it? 64-bit executables are not something specific to the Mac, Windows and Linux have them as well. (but those platforms also support 32-bit executables on the same system, something the newer MacOS Catalin...
by pe1chl
Fri Oct 11, 2019 7:09 pm
Forum: General
Topic: NTP for smips
Replies: 24
Views: 4282

Re: NTP for smips

NTP wont travel across an L2TP tunnel, so we serve it locally.. Well that is hogwash, NTP will travel perfectly well across any path that routes IP. Maybe you used NTP "broadcast" or "multicast" mode which would not work with L2TP directly, but when you use the L2TP line to route a subnet to/from t...
by pe1chl
Fri Oct 11, 2019 4:27 pm
Forum: General
Topic: MacOS Catalina, iOS, Catalyst, SwiftUI & Wine
Replies: 76
Views: 9157

Re: MacOS Catalina, iOS, Catalyst, SwiftUI & Wine

Screenshot 2019-10-11 at 15.12.52.png
That part should be trivial to get working. Now show a screenshot where you are actually logged in to a router :-)
by pe1chl
Fri Oct 11, 2019 2:26 pm
Forum: General
Topic: Very Urgent!!! CCR MEMORY GROW RAPIDLY!!! Rebooting system within 45 minutes
Replies: 4
Views: 778

Re: Very Urgent!!! CCR MEMORY GROW RAPIDLY!!! Rebooting system within 45 minutes

It is a good idea to investigate if there is some resource that is being exhausted by behavior of your clients or scanners from the internet. E.g. session table in the firewall, ARP table, IPv6 neighbor table, etc. This could be due to someone doing port scanning or other DoS attacking of the router...
by pe1chl
Thu Oct 10, 2019 4:25 pm
Forum: General
Topic: Best VPN for Mikrotik Router
Replies: 13
Views: 2089

Re: Best VPN for Mikrotik Router

The question is more: is it interoperable with existing OpenVPN server deployments as they are commonly made, without server-side changes. Until then, there will be issues when connecting to servers that are outside your own control for management/configuration. It would be best when MikroTik just u...
by pe1chl
Thu Oct 10, 2019 4:22 pm
Forum: RouterOS v7 BETA
Topic: OpenVPN .ovpn
Replies: 5
Views: 1636

Re: OpenVPN .ovpn

I would hope that at some time MikroTik find some way to replace the entire OpenVPN thing with a recent version of the opensource implementation....
That will solve a lot of issues, at least until OpenVPN development further continues and becomes incompatible again.
by pe1chl
Thu Oct 10, 2019 2:19 pm
Forum: RouterBOARD hardware
Topic: 100 % CPU on some Routerboards
Replies: 9
Views: 1349

Re: 100 % CPU on some Routerboards

make sure there's nothing attached to the serial console if the device has one. this was a very hard issue to track down: we had devices with long serial cables connected to the router and the other end of the cable (~10m long) wasn't connected to anything. it picked up some EM noise and constantly...
by pe1chl
Thu Oct 10, 2019 11:30 am
Forum: General
Topic: Best VPN for Mikrotik Router
Replies: 13
Views: 2089

Re: Best VPN for Mikrotik Router

For roadwarrior clients I normally use L2TP/IPsec.
A single IPsec PSK is shared between all clients and each client has a username/password.

Of course when you want you can add the extra complexity of using certificates, and/or maybe IKEv2.
by pe1chl
Wed Oct 09, 2019 9:22 pm
Forum: General
Topic: CCR1009-8G-1S-1S+ Hotspot High CPU Usage
Replies: 4
Views: 525

Re: CCR1009-8G-1S-1S+ Hotspot High CPU Usage

I would advise you to sort the firewall rules first on chain (e.g. all forward rules, all input rules, your "virus" rules, etc) to make things more clear. For every packet the rules will be processed (in that chain) from top to bottom, and stops when it finds a match. So "established" should always ...
by pe1chl
Wed Oct 09, 2019 6:59 pm
Forum: General
Topic: CCR1009-8G-1S-1S+ Hotspot High CPU Usage
Replies: 4
Views: 525

Re: CCR1009-8G-1S-1S+ Hotspot High CPU Usage

Your firewall is configured wrong. You should have the established/related rules first and the other rules below it.
by pe1chl
Wed Oct 09, 2019 12:52 pm
Forum: General
Topic: Winbox 64bit Version
Replies: 80
Views: 11203

Re: Winbox 64bit Version

We already have Webfig for Chrome :)
Please rework Webfig (even when only for Chrome) to work exactly like winbox. That will make the requests for winbox for 64bit, for MAC, for Linux disappear.
by pe1chl
Wed Oct 09, 2019 12:48 pm
Forum: Beginner Basics
Topic: queque trees..
Replies: 2
Views: 396

Re: queque trees..

queue trees have no download and upload, they have only upload. you only manage the speed at which packets go OUT the interface. when you want to manage traffic for a single interface, you attach the queue tree to the outgoing interface, e.g. wlan1 or ether2. that will manage the traffic towards tho...
by pe1chl
Wed Oct 09, 2019 11:49 am
Forum: Wireless Networking
Topic: Provisioning DFS Channels in US
Replies: 2
Views: 258

Re: Provisioning DFS Channels in US

Indeed there should be a lot more log and/or status information for DFS events. As it is now, it often misdetects RADAR on our APs (detecting RADAR where there sure isn't any) and it is impossible to debug it because no details are being logged. 1) Can you see when the last radar scan was done? 2) C...
by pe1chl
Tue Oct 08, 2019 11:49 pm
Forum: RouterBOARD hardware
Topic: 100 % CPU on some Routerboards
Replies: 9
Views: 1349

Re: 100 % CPU on some Routerboards

Have you already tried to use netinstall to format and reinstall them to the current version with blank configuration, then re-configure them to your needs? Don't use backup/restore. At most do a /export first and then use that to re-configure them manually or by pasting sections of the /export that...
by pe1chl
Tue Oct 08, 2019 9:38 pm
Forum: RouterOS v7 BETA
Topic: OpenVPN .ovpn
Replies: 5
Views: 1636

OpenVPN .ovpn

- OpenVPN UDP protocol support OpenVPN should be able to read (import) standard OpenVPN .ovpn files that work with the standard client, and that include - remote server - protocol specification - compression options - authentication parameters - client certificate - options like passtos, explicit-e...
by pe1chl
Tue Oct 08, 2019 7:13 pm
Forum: General
Topic: Best VPN for Mikrotik Router
Replies: 13
Views: 2089

Re: Best VPN for Mikrotik Router

If they support L2TP and will happily give you a username, password and IPSEC key then they should be fine.
Yeah, but that is less and less popular for that kind of service. They move towards IKEv2, OpenVPN, Wireguard etc.
by pe1chl
Tue Oct 08, 2019 6:05 pm
Forum: General
Topic: Best VPN for Mikrotik Router
Replies: 13
Views: 2089

Re: Best VPN for Mikrotik Router

I think he is (like most new users) not looking for a VPN in the traditional meaning (to make a virtual network between two routers he is both managing), but the "new meaning" of "route all my internet traffic to some more-or-less trusted party who will route it to internet, instead of doing that di...
by pe1chl
Tue Oct 08, 2019 6:01 pm
Forum: Wireless Networking
Topic: CAP AC - splitting 2.4 and 5G neworks.
Replies: 4
Views: 781

Re: CAP AC - splitting 2.4 and 5G neworks.

And very important: once you have done such things, never visit the QuickSet menu again. And if you do, ignore the "errors" or wrong values you see there and do not attempt to correct them, because that will seriously foul up the config. Just never hit OK or Apply on that menu again. (just a generic...
by pe1chl
Tue Oct 08, 2019 10:14 am
Forum: General
Topic: Multiple static public IPs through one interface
Replies: 26
Views: 5597

Re: Multiple static public IPs through one interface

Again, it depends how the ISP route it.
When they route the second /30 via the 1st, you can just set it on a link between your two routers and it will work.
But when they route the second block just directly on the line (address2 via address1) you will need to use tricks.
by pe1chl
Mon Oct 07, 2019 2:18 pm
Forum: RouterBOARD hardware
Topic: New High Performance Routers ! ?
Replies: 22
Views: 3443

Re: New High Performance Routers ! ?

Those tests are "standardized tests", like the gas mileage tests on cars. A test standard is required to be able to compare between different routers or cars, but the results do not represent at all what your actual daily performance will be. Indeed, that is unfortunate. But it would probably be dif...
by pe1chl
Mon Oct 07, 2019 1:12 pm
Forum: Wireless Networking
Topic: Point to Point Wireless Security
Replies: 10
Views: 2269

Re: Point to Point Wireless Security

And of course on a point-to-point link, only allow the MAC address of your own client. All measures that can be defeated by the determined hacker, but they will protect you from wardrivers in general. 60 GHz also has the advantage of the very limited range (so you cannot connect from far away), but ...
by pe1chl
Mon Oct 07, 2019 10:22 am
Forum: Wireless Networking
Topic: Point to Point Wireless Security
Replies: 10
Views: 2269

Re: Point to Point Wireless Security

I have no experience with those. I normally use dish-type APs like LHG 5 ac or LHG XL 5 ac or more often the competitor's product UBNT Powerbeam 5AC 400 ISO. Of course the QRT devices look very slick, but those panel type antennas tend to have more sidelobes so they pick up more interference from ot...
by pe1chl
Sun Oct 06, 2019 8:19 pm
Forum: Wireless Networking
Topic: Point to Point Wireless Security
Replies: 10
Views: 2269

Re: Point to Point Wireless Security

Of course you should enable WPA2 security on your link, and when you are paranoid you could always use another layer of security on top of that, e.g. an IPsec tunnel. Make sure you make a separate point-to-point link for each connection, do not be tempted to put an omnidirectional station and one po...
by pe1chl
Sun Oct 06, 2019 1:31 pm
Forum: General
Topic: /export hangs
Replies: 5
Views: 1209

Re: /export hangs

I think it is unlikely that it is a "fault with the device", at most it is some inconsistency in the internal configuration or else it could be some seldomly triggered bug. I would (after making the abovementioned supout.rif file) probably try to generate a complete export, then when that has succee...
by pe1chl
Sun Oct 06, 2019 12:07 pm
Forum: General
Topic: Firewall logging forward: in:(unknown 16)
Replies: 0
Views: 524

Firewall logging forward: in:(unknown 16)

I get logs from a drop rule in my firewall which do not specify the actual input interface, but instead they print in:(unknown 16) The firewall rule has an in-interface-list matcher, with an interface list that currently has a bridge as its only member. (PPPoE users would have their server side inte...
by pe1chl
Sat Oct 05, 2019 10:00 pm
Forum: Scripting
Topic: Basic DSCP to Priority Mapping
Replies: 6
Views: 1714

Re: Basic DSCP to Priority Mapping

In my routers I mark all packets with a mark corresponding to the top 3 bits of DSCP, with the number 0-7 in the names of the marks.
The queue definitions used on the output interfaces take these marks in the prio order that I have shown above.
So indeed DSCP 00 ends up in queue prio 6.
by pe1chl
Sat Oct 05, 2019 9:54 pm
Forum: General
Topic: L2TP/IPSec - Works from Android and Mikrotik but not Windows?
Replies: 3
Views: 1295

Re: L2TP/IPSec - Works from Android and Mikrotik but not Windows?

In IPsec there are some connection profiles that indicate the allowed modes of encryption, hashing, DH group, and key management (psk, certificate) and in PPP (used by L2TP) there are also several settings for authentication, compression, encryption etc. This whole set of profiles has to be acceptab...
by pe1chl
Fri Oct 04, 2019 9:26 pm
Forum: Scripting
Topic: Basic DSCP to Priority Mapping
Replies: 6
Views: 1714

Re: Basic DSCP to Priority Mapping

It is not common to treat DSCP 0 as lowest priority. It was defined that way, but as usually "default" traffic is marked with DSCP 0 this makes it impossible to have below-normal traffic. (e.g. to run a backup over a line that you also use for regular browsing) Therefore the priority of the highest ...
by pe1chl
Fri Oct 04, 2019 5:18 pm
Forum: Forwarding Protocols
Topic: Monitoring bgp edge router. [SOLVED]
Replies: 4
Views: 710

Re: Monitoring bgp edge router. [SOLVED]

I tried that script and indeed it is valuable, installed it on some routers.
by pe1chl
Fri Oct 04, 2019 5:17 pm
Forum: General
Topic: understanding packet sniffer
Replies: 5
Views: 649

Re: understanding packet sniffer

Sorry I forgot to include the options passthrough=yes protocol=tcp tcp-flags=syn that you may want to use with this rule. The reason to use a low MSS (1280) is to cover the case that the correct MSS is not really known by the router. This can happen because you use PPPoE as well (which also costs so...
by pe1chl
Fri Oct 04, 2019 12:30 pm
Forum: General
Topic: /export hangs
Replies: 5
Views: 1209

Re: /export hangs

You should probably make a supout.rif when this happens and mail it to support.
by pe1chl
Fri Oct 04, 2019 10:58 am
Forum: General
Topic: understanding packet sniffer
Replies: 5
Views: 649

Re: understanding packet sniffer

When you are tracing traffic that is sent via IPsec, you should trace on the tunnel interface to see the plaintext traffic in both directions. When you have no tunnel interface (because you use plain IPsec tunnel in both directions instead of e.g. GRE/IPsec) you are out of luck. However, when lookin...
by pe1chl
Thu Oct 03, 2019 10:11 pm
Forum: General
Topic: Packet loss just on 443 port
Replies: 12
Views: 1372

Re: Packet loss just on 443 port

You provide zero information about your network configuration and details of findings, and reply to all suggestions with "no, its not that".
Then at some point the inputs will cease. You are on your own.
by pe1chl
Thu Oct 03, 2019 3:48 pm
Forum: Beginner Basics
Topic: openssl certificate
Replies: 12
Views: 786

Re: openssl certificate

Indeed, but he could save $10 by using a valid domain in combination with a free certificate. As far as I know, MikroTik routers can't yet apply for (and renew) a letsencrypt certificate, so that would require a separate system (e.g. a Raspberry Pi) and it would require some clever automation to upd...
by pe1chl
Thu Oct 03, 2019 2:23 pm
Forum: Beginner Basics
Topic: openssl certificate
Replies: 12
Views: 786

Re: openssl certificate

When you are clever you can get the letsencrypt certificate for free. However, it requires some special tricks, for which you need a webserver that you can configure to serve that account. Then you can get the certificate for that and copy it to the router. This has to be repeated every 3 months. Wh...
by pe1chl
Thu Oct 03, 2019 11:31 am
Forum: Beginner Basics
Topic: openssl certificate
Replies: 12
Views: 786

Re: openssl certificate

Probably not. They very likely do not issue certificates for that.
When you cannot shell out the $10/year or so for a valid domain name, just forget about the whole thing.
by pe1chl
Wed Oct 02, 2019 10:39 pm
Forum: General
Topic: Getting CLDAP attack in mikrotik
Replies: 7
Views: 519

Re: Getting CLDAP attack in mikrotik

i understand that..But being an admin how should i check it now ?? You cannot. Oops..if any basic things i will have to check then suggest me plz..!! There is nothing you can do except think what could have caused someone to get mad at you or one of your customers. I had this happen in my network b...
by pe1chl
Wed Oct 02, 2019 9:54 pm
Forum: General
Topic: Getting CLDAP attack in mikrotik
Replies: 7
Views: 519

Re: Getting CLDAP attack in mikrotik

Well, that is the internet. You cannot know how this is caused and how long it will continue. Your MikroTik router has nothing to do with this. More likely your behavior or one of your client's behavior on internet (like cheating in a game, cutting off someone for doing something you did not like, e...
by pe1chl
Wed Oct 02, 2019 9:36 pm
Forum: General
Topic: Getting CLDAP attack in mikrotik
Replies: 7
Views: 519

Re: Getting CLDAP attack in mikrotik

Just drop it in your firewall.
When your link suffers from it, ask your upstream provider to drop it for you.
by pe1chl
Wed Oct 02, 2019 9:05 pm
Forum: General
Topic: Getting CLDAP attack in mikrotik
Replies: 7
Views: 519

Re: Getting CLDAP attack in mikrotik

MikroTik is not listening on that port by default. Of course anyone can send traffic to any port optionally in DDoS form, but that is not a MikroTik problem. Such things are usually retaliations against one of your customers or against yourself. There really is no solution other than waiting for it ...
by pe1chl
Wed Oct 02, 2019 4:16 pm
Forum: Beginner Basics
Topic: Mikrotik Firewall preventing outbound traffic when using 5 digit ports.
Replies: 2
Views: 332

Re: Mikrotik Firewall preventing outbound traffic when using 5 digit ports.

I have a client who is reporting that when they specify 5 digit port numbers, outbound traffic is halted. 4 digit ports seem to have no issue. I'm a neophyte with this equipment and I'm looking for any suggestions on what I should check to resolve this issue. Thanks! You need to include your router...
by pe1chl
Wed Oct 02, 2019 4:14 pm
Forum: Beginner Basics
Topic: openssl certificate
Replies: 12
Views: 786

Re: openssl certificate

can i install the certificate that i make with openssl, to the devices, so the certificate error will be removed, when they entering the hotspot? or they will continue see the message? You can make the key and the csr with openssl, then have it signed by a trusted certificate issuer, and then you i...
by pe1chl
Wed Oct 02, 2019 3:10 pm
Forum: Scripting
Topic: How to grab via ssh a value
Replies: 3
Views: 445

Re: How to grab via ssh a value

You will have to code it in scripting language. I'm not sure that is even possible.
Normally it would be best to do such things from a separate device (e.g. Raspberry Pi or similar) where you can use existing API client libraries and many other software tools.
by pe1chl
Wed Oct 02, 2019 3:08 pm
Forum: Scripting
Topic: Built in function library
Replies: 55
Views: 13762

Re: Built in function library

- a set of functions to support accessing another RouterOS device via API
by pe1chl
Wed Oct 02, 2019 1:48 pm
Forum: General
Topic: DHCP Offering Lease Without Success
Replies: 35
Views: 9354

Re: DHCP Offering Lease Without Success

The Facebook filter rule probably doesn't even work correctly! (and it blocks unrelated sites for others)

But hey, people keep trying it...
by pe1chl
Wed Oct 02, 2019 1:06 am
Forum: General
Topic: 6.38.1 pppoe link up/down time wrong
Replies: 18
Views: 2110

Re: 6.38.1 pppoe link up/down time wrong

Yes, it is a well known bug in winbox.
It appears it can sometimes be fixed by deleting the session (.viw) file but I have not observed that.
by pe1chl
Tue Oct 01, 2019 9:10 pm
Forum: General
Topic: 6.38.1 pppoe link up/down time wrong
Replies: 18
Views: 2110

Re: 6.38.1 pppoe link up/down time wrong

No need to ask for that extra info, it is a well known bug and apparently low-priority to fix.
by pe1chl
Tue Oct 01, 2019 8:31 pm
Forum: Forwarding Protocols
Topic: Monitoring bgp edge router. [SOLVED]
Replies: 4
Views: 710

Re: Monitoring bgp edge router. [SOLVED]

I am facing a similar issue, but instead for a network with multiple routers where it would be nice to monitor the peerings to detect issues before all network redundancy is lost and they show up as connectivity issues. The problem is that it quickly becomes very specific to the situation at hand. F...
by pe1chl
Mon Sep 30, 2019 5:47 pm
Forum: General
Topic: IPSec with multiple WAN Adresses
Replies: 3
Views: 364

Re: IPSec with multiple WAN Adresses

It is the method I use all the time and it works fine for me.
As it works so good I have not wasted time on finding workarounds to get it working with direct IPsec tunnels...
by pe1chl
Mon Sep 30, 2019 3:47 pm
Forum: General
Topic: IPSec with multiple WAN Adresses
Replies: 3
Views: 364

Re: IPSec with multiple WAN Adresses

Make different GRE/IPsec tunnels with the src and dst address, and use some autorouting method to select the working tunnel as the active route (e.g. BGP or OSPF, with BFD when you need quick changeover).
by pe1chl
Mon Sep 30, 2019 3:45 pm
Forum: Scripting
Topic: How to grab via ssh a value
Replies: 3
Views: 445

Re: How to grab via ssh a value

Use API instead of SSH.
by pe1chl
Mon Sep 30, 2019 11:58 am
Forum: General
Topic: Feature Request: Logging of all administrator user actions
Replies: 19
Views: 4153

Re: Feature Request: Logging of all administrator user actions

RouterOS already has a comment facility for almost any configuration item (which sets it apart from many many other routers!)
plus there is the "/system note" field where you can put multi-line notices. What more do you require?
by pe1chl
Mon Sep 30, 2019 12:44 am
Forum: General
Topic: Cameras behind 2 mikrotiks and home router
Replies: 15
Views: 1432

Re: Cameras behind 2 mikrotiks and home router

Then you can setup the usual dstnat to "forward a port" in /ip firewall nat It may require a /ip firewall filter rule too (not required when you run the default firewall which already handles that). Of course you need to do that in every NAT router along the path, and it will be difficult to do for ...
by pe1chl
Sun Sep 29, 2019 11:24 am
Forum: General
Topic: Cameras behind 2 mikrotiks and home router
Replies: 15
Views: 1432

Re: Cameras behind 2 mikrotiks and home router

It really isn't practical to have inbound connections in a triple-NAT network like that.
You should at least remove the middle NAT (in the Ubiquiti).
by pe1chl
Sat Sep 28, 2019 5:52 pm
Forum: Beginner Basics
Topic: Traffic Forwarding from LAN1 to LAN2 via vpn
Replies: 2
Views: 353

Re: Traffic Forwarding from LAN1 to LAN2 via vpn

The above is incorrect.
Does your OpenVPN server allow traffic between clients?
It needs the "client-to-client" config line in its config file.
by pe1chl
Sat Sep 28, 2019 12:27 pm
Forum: General
Topic: Cameras behind 2 mikrotiks and home router
Replies: 15
Views: 1432

Re: Cameras behind 2 mikrotiks and home router

It appears that the Wanscam cameras can also do it.
This will work without modification to your network, and is the way to go when you have such a multiple-NAT network.
by pe1chl
Sat Sep 28, 2019 10:45 am
Forum: General
Topic: Cameras behind 2 mikrotiks and home router
Replies: 15
Views: 1432

Re: Cameras behind 2 mikrotiks and home router

Get a camera that connects outbound to some cloud service, where the customer can connect to that cloud service and view/control their camera.
Allowing inbound access to cameras is so 2010...
by pe1chl
Fri Sep 27, 2019 6:55 pm
Forum: Scripting
Topic: item referred by 'place-before' does not exist (11) [SOLVED]
Replies: 7
Views: 568

Re: item referred by 'place-before' does not exist (11) [SOLVED]

Furthermore in case you really want to delete a rule to replace it with a different one, you should first insert the new rule and then delete the existing one.
by pe1chl
Fri Sep 27, 2019 6:32 pm
Forum: RouterOS v7 BETA
Topic: RouterOS v7.0beta2 bug fund
Replies: 9
Views: 1888

Re: RouterOS v7.0beta2 bug fund

I guess it will become more clear what happens when using multiple route tables, route marking, route rules, and VRF at the same time (or as alternatives for the same config)?
by pe1chl
Fri Sep 27, 2019 5:46 pm
Forum: Beginner Basics
Topic: Access a switch management GUI from a PC connected to a router [SOLVED]
Replies: 3
Views: 459

Re: Access a switch management GUI from a PC connected to a router [SOLVED]

Assuming that your switch is connected to the "inside" of your router (one of the LAN ports), where your PC is also connected (wired or wireless), you should proceed as written in that manual. So change your PC address from DHCP to 192.168.0.2/24 and access the switch on 192.168.0.1 There, change th...
by pe1chl
Fri Sep 27, 2019 5:20 pm
Forum: RouterOS v7 BETA
Topic: RouterOS v7.0beta2 bug fund
Replies: 9
Views: 1888

Re: RouterOS v7.0beta2 bug fund

- static IPv4 routes added are shown blue (inactive) but they work. after a long wait they become active. - changes in the routes show up in the log as "by admin" without saying what was done by admin - IPv4 route marking/rules appears to be dead - IPv6 route rule panel shows "ERROR: feature not imp...
by pe1chl
Fri Sep 27, 2019 4:25 pm
Forum: RouterOS v7 BETA
Topic: RouterOS v7.0beta2 bug fund
Replies: 9
Views: 1888

Re: RouterOS v7.0beta2 bug fund

I installed the beta2 on a CHR (from .ova) for some testing. Well, there are quite a number of small bugs that you can expect from a major overhaul, many of them are so apparent that I think it is not necessary to make reports for them. (anyone in an in-house testing team will find them as well, and...
by pe1chl
Thu Sep 26, 2019 4:07 pm
Forum: General
Topic: RouterOS v7.0beta1 (ARM)
Replies: 194
Views: 35826

Re: RouterOS v7.0beta1 (ARM)

It doesn't matter if IPv6 was/is enabled/disabled in v6, after upgrading to v7 it will be enabled, and upon executing /system reset-configuration , default IPv6 firewall rules will be added. The default configuration for any package should be installed when it is first enabled, in this case when v7...
by pe1chl
Thu Sep 26, 2019 1:10 pm
Forum: General
Topic: RouterOS v7.0beta1 (ARM)
Replies: 194
Views: 35826

Re: RouterOS v7.0beta1 (ARM)

These firewall rules for home devices already exist. Upgrade your device to latest version, THEN reset to defaults.
When you need IPv6, first enable the package, then upgrade your device to latest version, THEN reset to defaults.
by pe1chl
Wed Sep 25, 2019 1:35 pm
Forum: General
Topic: CCR1009 maxes out at 2gbps?
Replies: 26
Views: 2701

Re: CCR1009 maxes out at 2gbps?

The internal "graphing" tool cannot display more than 2.1Gbps. But that does not mean the router cannot handle more. You need to use an external graphing tool (with proper configuration to use 64-bit values or to poll more often) to be able to graph higher rates. In your graph you can add the small ...
by pe1chl
Tue Sep 24, 2019 5:09 pm
Forum: General
Topic: Block internet access based on schedule [SOLVED]
Replies: 1
Views: 244

Re: Block internet access based on schedule [SOLVED]

You have to move your rule more to the top. As soon as you accept LAN to WAN, further rules are not evaluated so your rule is never reached.
by pe1chl
Tue Sep 24, 2019 4:38 pm
Forum: Beginner Basics
Topic: Double NAT with IPSec tunnel on second one.
Replies: 4
Views: 514

Re: Double NAT with IPSec tunnel on second one.

Your problem is that this type of IPsec is not cleanly integrated in a router as a separate virtual interface that sends traffic to some other site. Instead, it first does all routing as it normally does and then at the last moment it sees that the source/destination of the traffic matches an active ...
by pe1chl
Tue Sep 24, 2019 4:28 pm
Forum: Beginner Basics
Topic: How to hide a bridge?
Replies: 12
Views: 920

Re: How to hide a bridge?

Maybe your wifi link is not transparent? Then the devices at one side get the MAC address of the wlan.
by pe1chl
Tue Sep 24, 2019 2:13 pm
Forum: Beginner Basics
Topic: How to hide a bridge?
Replies: 12
Views: 920

Re: How to hide a bridge?

- make sure you have a fixed admin mac address on your bridge! (copy the ether1 or wlan1 MAC to it and save it)
- make sure you have a DHCP client only on your bridge, not on the ether1 or wlan1 interface (although there should be an error when you try)
by pe1chl
Tue Sep 24, 2019 2:11 pm
Forum: Announcements
Topic: Newsletter 91
Replies: 12
Views: 8366

Re: Newsletter 91

Will there also be a R11e-LoRa4 ?
Or is that market not large enough to be interesting...
by pe1chl
Tue Sep 24, 2019 12:29 am
Forum: General
Topic: safe to upgrade from v6.35rc42 to current?
Replies: 7
Views: 747

Re: safe to upgrade from v6.35rc42 to current?

I think it is only a few seconds. It will try to locate the waiting netinstall program (bootp/tftp) and if not found it will immediately boot the nand again. I have had my access points in this mode for a long time because they often are in hardly accessible locations and I want to be able to recove...
by pe1chl
Mon Sep 23, 2019 8:30 pm
Forum: General
Topic: RouterOS v7.0beta1 (ARM)
Replies: 194
Views: 35826

Re: RouterOS v7.0beta1 (ARM)

Please don't post those useless +1 messages in this topic. They serve no purpose and clutter the useful information.
by pe1chl
Mon Sep 23, 2019 7:12 pm
Forum: Beginner Basics
Topic: How to get a consolidated view of all connections on HAP AC?
Replies: 10
Views: 665

Re: How to get a consolidated view of all connections on HAP AC?

This is not available as standard overview.
You can write your own program that retrieves the information via API and presents it in the way you like.
It would even be possible to write a script that does it, but it can only be called in character mode.
by pe1chl
Mon Sep 23, 2019 6:46 pm
Forum: Forwarding Protocols
Topic: ip route cache BUG
Replies: 36
Views: 11237

Re: ip route cache BUG

Offload your OpenVPN connects to some external server until this is fixed. OpenVPN on RouterOS v6 is a joke anyway.
It should improve on v7.
by pe1chl
Mon Sep 23, 2019 6:45 pm
Forum: General
Topic: IPV6 only network
Replies: 12
Views: 725

Re: IPV6 only network

This is indicated by the "managed address configuration" option in the ND settings.
That indicates to the RA listeners that they should use DHCPv6 instead of SLAAC.
However, that is not a usual configuration for IPv6 and you may encounter devices that do not support it.
by pe1chl
Mon Sep 23, 2019 5:30 pm
Forum: General
Topic: IPV6 only network
Replies: 12
Views: 725

Re: IPV6 only network

can I use mikrotiks dhcp6-server for that if yes How can I set it up since it has no nice setup wizard like ipv4 dhcp server BTW: Why use RA if there is dhcp is RA better? or is it only used on dual stack? The DHCPv6 server on MikroTik cannot assign IP addresses to the clients. So you need a hybrid ...
by pe1chl
Mon Sep 23, 2019 4:49 pm
Forum: General
Topic: IPV6 only network
Replies: 12
Views: 725

Re: IPV6 only network

Windows cannot get DNS server address from IPv6 RA so you need to run a DHCPv6 server for that. You need to set a fixed option 23 with the IPv6 address(es) you want your clients to use as a 0x11112222333344445555666677778888 hex value corresponding to the DNS server address. (can be your own router ...
by pe1chl
Sun Sep 22, 2019 10:01 pm
Forum: General
Topic: MTU and L2 MTU on ether
Replies: 6
Views: 654

Re: MTU and L2 MTU on ether

L2MTU has nothing to do with CPU usage. It is just a limit on the size of the low-level frames. Maybe it has some impact on memory usage (size of buffer used when receiving frames). I never touch it, I just leave it at its value decided by RouterOS. When using link level protocols that add lots of h...
by pe1chl
Sun Sep 22, 2019 3:01 pm
Forum: General
Topic: MTU and L2 MTU on ether
Replies: 6
Views: 654

Re: MTU and L2 MTU on ether

Different hardware has different L2MTU. However it is not important, unless you are doing MPLS and need a lot of L2MTU.
For normal use it is only MTU that matters.
by pe1chl
Sat Sep 21, 2019 6:44 pm
Forum: Beginner Basics
Topic: Isolated Network
Replies: 10
Views: 1013

Re: Isolated Network

In addition to the two posts above, beware that subnet 192.168.1.0/23 actually contains 192.168.2.0/25 (192.168.1.0/23 are all IP addresses from 192.168.1.0 to 192.168.2.255 while 192.168.2.1/25 are IP addresses from 192.168.2.0 to 192.168.2.127). No, that is not correct. 192.168.1.1/23 is netw...
by pe1chl
Sat Sep 21, 2019 5:37 pm
Forum: Beginner Basics
Topic: Isolated Network
Replies: 10
Views: 1013

Re: Isolated Network

Use two firewall rules.
Forward chain, input and output interfaces are these two bridge interfaces (both ways), action is reject.
by pe1chl
Sat Sep 21, 2019 1:37 pm
Forum: Beginner Basics
Topic: PPPoe connection to ISP with tagged VLAN
Replies: 18
Views: 1692

Re: PPPoe connection to ISP with tagged VLAN

This should work OK, I use it all the time. But of course every detail must be correct according to your ISP specification!
by pe1chl
Sat Sep 21, 2019 1:35 pm
Forum: Beginner Basics
Topic: Isolated Network
Replies: 10
Views: 1013

Re: Isolated Network

You can set up as many DHCP servers and associated pools as you like, but of course they have to be on different networks. So create a new bridge and move one or more of the ethernet ports from the default bridge to that one, and connect the 2nd company to there. You should do all config normally don...
by pe1chl
Sat Sep 21, 2019 1:29 pm
Forum: General
Topic: Multihoming with srcnat
Replies: 3
Views: 377

Re: Multihoming with srcnat

You should use 2 routers for that, one to do the external BGP and runs without connection tracking and NAT, then another one behind that to do your NAT and other firewalling, maybe your PPPoE etc.
Combining that in a single router will cause issues, as you correctly point out.
by pe1chl
Sat Sep 21, 2019 12:28 pm
Forum: General
Topic: VLAN filtering and more than one bridge
Replies: 4
Views: 631

Re: VLAN filtering and more than one bridge

As I wrote above, each solution has their pros and cons. The bridge VLAN filtering was added because this was the only possible solution to get STP (and in particular MSTP) working correctly. People are asking for that in mixed manufacturer networks where they need a compatible MSTP. When you have no...
by pe1chl
Sat Sep 21, 2019 12:19 pm
Forum: Beginner Basics
Topic: Reset counters - no way or bug in WinBox?
Replies: 19
Views: 1990

Re: Reset counters - no way or bug in WinBox?

As I said above, even if it can't be reset at the driver level it can be shown by subtracting a previous value to give the delta. Heck, you could even show both “Drops (Absolute)” and “Drops (Delta)”. Reset counter sets the previous value to the current absolute value. When the values are “rendered”...
by pe1chl
Fri Sep 20, 2019 3:37 pm
Forum: General
Topic: VLAN filtering and more than one bridge
Replies: 4
Views: 631

Re: VLAN filtering and more than one bridge

You can decide yourself if you want to use: 1 - one bridge with VLAN filtering in the bridge and VLAN subinterfaces on top of the bridge 2 - VLAN subinterfaces on the ethernet ports where you want them and putting the VLAN subinterfaces in several bridges 3 - using switch configuration menu to confi...
by pe1chl
Fri Sep 20, 2019 1:56 pm
Forum: Beginner Basics
Topic: Double NAT with IPSec tunnel on second one.
Replies: 4
Views: 514

Re: Double NAT with IPSec tunnel on second one.

Instead of using plain IPsec tunnels, make a GRE/IPsec (or IPIP/IPsec) tunnel, set a /30 address on each side of the tunnel, and use static routes or an autorouting protocol to distribute the routes.
Now it is just a standard network setup, and it is much easier to manage firewall, NAT, etc.
by pe1chl
Fri Sep 20, 2019 1:53 pm
Forum: General
Topic: How resilient is CCR1009
Replies: 9
Views: 896

Re: How resilient is CCR1009

There is a MUM video presentation about this. I don't have the URL at hand but maybe others have.
by pe1chl
Fri Sep 20, 2019 11:37 am
Forum: Beginner Basics
Topic: Reset counters - no way or bug in WinBox?
Replies: 19
Views: 1990

Re: Reset counters - no way or bug in WinBox?

You should understand that these counters are not intended for user applications (like bookkeeping of ISP data limits), but rather are statistics of the hardware drivers.
When you have a Linux system you will note that these counters are not resettable there either.
by pe1chl
Thu Sep 19, 2019 7:10 pm
Forum: General
Topic: How resilient is CCR1009
Replies: 9
Views: 896

Re: How resilient is CCR1009

It depends on what you combine and how heavily everything is loaded. I run a CCR1009 for ~800 NAT clients plus BGP for a company VPN (*not* full internet routing tables but just some 25 routes and 8 endpoints), a number of VPN connections, and complicated firewall, and it runs just fine (2 250Mbps i...
by pe1chl
Thu Sep 19, 2019 7:05 pm
Forum: Wireless Networking
Topic: hAP AC2+cAP AC Roaming is a joke
Replies: 35
Views: 4178

Re: hAP AC2+cAP AC Roaming is a joke

Yeah, but as was written before this can also backfire on you, especially when you have no complete coverage of the entire building. We had another installation where there was some feature configured to auto-add every device to a blacklist for 1 minute every 4 hours, to force everyone to roam shoul...
by pe1chl
Thu Sep 19, 2019 2:47 pm
Forum: General
Topic: Yet another GRE not working [SOLVED]
Replies: 7
Views: 1043

Re: Yet another GRE not working [SOLVED]

The firewall issue is new and did not exist at the time the wiki page was written. It even can be considered to be a bug. We will have to see if this bug is fixed and it will work as before, or else the wiki should be updated so it will work with the default firewall. When you have customized the fi...
by pe1chl
Wed Sep 18, 2019 3:48 pm
Forum: Wireless Networking
Topic: hAP AC2+cAP AC Roaming is a joke
Replies: 35
Views: 4178

Re: hAP AC2+cAP AC Roaming is a joke

No, with the more expensive systems that do "seamless roaming" it is the AP/controller that decides where the client is served. Of course that system also has some disadvantages and also the systems in the price segment where MikroTik operates do not offer this (AFAIK). I believe you are referring ...
by pe1chl
Wed Sep 18, 2019 10:46 am
Forum: General
Topic: RouterOS v7.0beta1 (ARM)
Replies: 194
Views: 35826

Re: RouterOS v7.0beta1 (ARM)

Thanks, I would presume the beta version of V6 would slow down now and more resources allocated to the v7 dev team. No point in flogging a dead horse essentially. I would hope that by now the infrastructure is in place to work on both versions in parallel without duplicating all the effort... after...
by pe1chl
Tue Sep 17, 2019 9:25 pm
Forum: General
Topic: HE IPv6 tunnel broker not working
Replies: 1
Views: 314

Re: HE IPv6 tunnel broker not working

You forgot to include your configuration export!
by pe1chl
Tue Sep 17, 2019 8:26 pm
Forum: RouterBOARD hardware
Topic: Routerboard and Memory
Replies: 8
Views: 1091

Re: Routerboard and Memory

You are apparently uploading the wrong version. It must match your installed RouterOS version.
by pe1chl
Tue Sep 17, 2019 7:11 pm
Forum: Wireless Networking
Topic: hAP AC2+cAP AC Roaming is a joke
Replies: 35
Views: 4178

Re: hAP AC2+cAP AC Roaming is a joke

What you are referring to here is technically not a roaming, because in this case clients do not really roam, but are rather constantly talking to a single huge AP with spatially distributed radio elements. This approach clearly has advantages, but those come at a cost. Yes, it is clear to me that ...
by pe1chl
Tue Sep 17, 2019 3:26 pm
Forum: General
Topic: Disk space problem [SOLVED]
Replies: 4
Views: 772

Re: Disk space problem [SOLVED]

You should never run UM on the router internal storage! Add an external USB memory stick or SSD drive and use that.
by pe1chl
Tue Sep 17, 2019 3:18 pm
Forum: Wireless Networking
Topic: hAP AC2+cAP AC Roaming is a joke
Replies: 35
Views: 4178

Re: hAP AC2+cAP AC Roaming is a joke

In the MikroTik world, roaming is still "up to the client to do" In the whole world with every AP vendor and every client device, roaming is ALWAYS "up to the client". No, with the more expensive systems that do "seamless roaming" it is the AP/controller that decides where the client is served. Of ...
by pe1chl
Tue Sep 17, 2019 11:42 am
Forum: Wireless Networking
Topic: hAP AC2+cAP AC Roaming is a joke
Replies: 35
Views: 4178

Re: hAP AC2+cAP AC Roaming is a joke

Indeed. Seeing that the cAP AC is their high-end ceiling access point clearly shows they are not interested in that market.
by pe1chl
Mon Sep 16, 2019 10:40 pm
Forum: Wireless Networking
Topic: hAP AC2+cAP AC Roaming is a joke
Replies: 35
Views: 4178

Re: hAP AC2+cAP AC Roaming is a joke

Roaming is always tricky to get right, as it was not envisioned in the original WiFi standard and has later been bolted on, but certainly MikroTik is not the best starting point as it lacks even basic support for roaming. In the MikroTik world, roaming is still "up to the client to do" and this lead...
by pe1chl
Mon Sep 16, 2019 11:59 am
Forum: General
Topic: Laptops are trying to hack my router
Replies: 8
Views: 1086

Re: Laptops are trying to hack my router

Are you sure it was winbox login attempts and not some other service like webfig or SMB? It is quite common for guest devices to do all kinds of attempts to connect services that they have available at home, and where the owner has installed software or has made configuration for it. The best way is...
by pe1chl
Sun Sep 15, 2019 1:23 pm
Forum: Scripting
Topic: ppp profile -> scripts .... run as certain user
Replies: 9
Views: 1232

Re: ppp profile -> scripts .... run as certain user

Ah ok, I did not notice that... and it is not even completely documented in the wiki yet.
Apparently parameters are:
/system ssh-exec 
output-to-file  port  routing-table  src-address  user  address  command
So maybe it just works when user=root is specified.
by pe1chl
Sun Sep 15, 2019 1:17 pm
Forum: General
Topic: [Feature request] Wireguard
Replies: 94
Views: 22699

Re: [Feature request] Wireguard

I don't consider that really true, there would be some way for MikroTik to offer user-contributed plugins when they run in a sandbox environment e.g. as a user process.
But apparently MikroTik is not interested in doing this.
by pe1chl
Sun Sep 15, 2019 1:15 pm
Forum: General
Topic: safe to upgrade from v6.35rc42 to current?
Replies: 7
Views: 747

Re: safe to upgrade from v6.35rc42 to current?

That is tricky because it may drop the wireless link due to the upgrade. Newer versions are more strict in checking local regulations and sometimes it may fail even when they are OK. You can then correct that in the config but of course not when you only have access via radio. So you should be caref...
by pe1chl
Sat Sep 14, 2019 10:37 pm
Forum: Scripting
Topic: ppp profile -> scripts .... run as certain user
Replies: 9
Views: 1232

Re: ppp profile -> scripts .... run as certain user

No. But there are other tricks you can use.
E.g. you can set up the Linux machine as a network syslog server on the MikroTik (always a good thing to do!) and send a /log line to the log in the ppp-up, then in the Linux machine set up syslogd to take action on receiving that log line.
by pe1chl
Sat Sep 14, 2019 10:16 pm
Forum: General
Topic: safe to upgrade from v6.35rc42 to current?
Replies: 7
Views: 747

Re: safe to upgrade from v6.35rc42 to current?

I think SXT still has 128M flash. So first partition the flash with 2 partitions, copy part0 to part1, then you can update part0 and when it fails to boot it will boot part1 and you can reconsider things. (newer devices have only 16M flash so this can no longer be done) I would certainly recommend t...
by pe1chl
Sat Sep 14, 2019 10:07 pm
Forum: The User Manager
Topic: user manager usb disk not found
Replies: 7
Views: 1501

Re: user manager usb disk not found

Maybe it is better to use a Micro SD card, that is a little more sturdy.
by pe1chl
Sat Sep 14, 2019 10:04 pm
Forum: Scripting
Topic: ppp profile -> scripts .... run as certain user
Replies: 9
Views: 1232

Re: ppp profile -> scripts .... run as certain user

That cannot be done. You even cannot start ssh sessions from a script.
by pe1chl
Sat Sep 14, 2019 3:27 pm
Forum: General
Topic: Packet loss just on 443 port
Replies: 12
Views: 1372

Re: Packet loss just on 443 port

The proper way to deal with the PMTUD issues is not to change MTU on either side, but rather to make sure you do not drop (block) ICMP messages that should not be dropped. A rather widespread workaround is to use TCP MSS clamping on the router (which some people consider an ugly hack- and for a rea...
by pe1chl
Sat Sep 14, 2019 2:09 pm
Forum: General
Topic: GRE dont-fragment - inherit from where? [SOLVED]
Replies: 7
Views: 941

Re: GRE dont-fragment - inherit from where? [SOLVED]

But I think andriys and others are right, it means to copy don't fragment from the encapsulated packet to the outer GRE packet.
(same for DSCP)
by pe1chl
Sat Sep 14, 2019 12:44 pm
Forum: RouterBOARD hardware
Topic: WAPG60ADM new 60 GHz product
Replies: 17
Views: 2361

Re: WAPG60ADM new 60 GHz product

Ok so it is something like the mini-PCI modules used for LTE (and, mainly in the past, also for WiFi)?
by pe1chl
Fri Sep 13, 2019 3:08 pm
Forum: General
Topic: RouterOS v7.0beta1 (ARM)
Replies: 194
Views: 35826

Re: RouterOS v7.0beta1 (ARM)

IMO unless a feature/package doesn't have a significant impact on the performance of the device just because it is installed, but has a way to deactivate it in the configuration, it is just fine. why'd anyone bother to uninstall/disable the routing package (BGP or MPLS) if BGP/LDP/MPLS is disabled ...
by pe1chl
Fri Sep 13, 2019 12:51 pm
Forum: Beginner Basics
Topic: Wrong default route when router and modem start at the same time [SOLVED]
Replies: 5
Views: 656

Re: Wrong default route when router and modem start at the same time [SOLVED]

Don't do it so difficult... just set a higher "default route distance" in the Advanced tab on the DHCP client.
The DHCP client will add a default route with high distance (2 or higher) and later when your PPPoE client comes up it will set its normal distance 1 default route which will be used.
by pe1chl
Fri Sep 13, 2019 1:50 am
Forum: Scripting
Topic: Know connected MAC-Adress
Replies: 8
Views: 904

Re: Know connected MAC-Adress

In my case:
- The MikroTik is doing only routing, WiFi is done by >30 other access points
- 5m time uncertainty is OK for the purpose, DHCP lease time is not
It was used for an "in house / not in house" indication for a couple of employees by tracking their mobile phones
by pe1chl
Thu Sep 12, 2019 8:28 pm
Forum: Scripting
Topic: Know connected MAC-Adress
Replies: 8
Views: 904

Re: Know connected MAC-Adress

The DHCP server does not tell you if a system is connected or not. The DHCP lease will remain in the server for as long as the lease time is set, even when the client has left. I needed to do what you want (to check if certain devices are online or not) and I used this script fragment: :if ([:len [/...
by pe1chl
Thu Sep 12, 2019 6:12 pm
Forum: Wireless Networking
Topic: 802.11r/k, Band Steering
Replies: 17
Views: 2587

Re: 802.11r/k, Band Steering

And as can be seen in the 802.11d discussion ("Country code") it looks like MikroTik does not consider working around other people's bugs a priority. If this is true they should stop any development! There will always be problems with foreign vendors hardware in a network. Wired or wireless. I agr...
by pe1chl
Thu Sep 12, 2019 5:40 pm
Forum: Wireless Networking
Topic: 802.11r/k, Band Steering
Replies: 17
Views: 2587

Re: 802.11r/k, Band Steering

I have to agree, pe1chl. But the density of devices with problems drops constantly. I build temporary wireless networks with tens of thousands of concurrent clients on a very regular basis - the last time I had problems with clients with k/r/v was in August 2017 (that was a Meru/Fortinet system). O...
by pe1chl
Thu Sep 12, 2019 5:32 pm
Forum: Wireless Networking
Topic: 802.11r/k, Band Steering
Replies: 17
Views: 2587

Re: 802.11r/k, Band Steering

It's funny to see us discussing something that WE DON’T HAVE, while other users from other vendors are enjoying the benefits of it As I wrote, I have experience with another manufacturer (in the same market segment) who DOES have these options, but I am not enjoying the benefits! I have them all tu...
by pe1chl
Thu Sep 12, 2019 4:34 pm
Forum: Wireless Networking
Topic: Country Code [SOLVED]
Replies: 53
Views: 3851

Re: Country Code [SOLVED]

Please stop posting about what can happen when you interpret 802.11d country codes sent by others and focus on the request to send the 802.11d country code in a MikroTik AP so that others (broken, old, whatever) can pick it up and do whatever they were programmed to do with it!
by pe1chl
Thu Sep 12, 2019 4:31 pm
Forum: Beginner Basics
Topic: File download block?
Replies: 25
Views: 2481

Re: File download block?

As above, the suggestion was to use winbox or commandline to work around this bug in webfig (the config mode via the browser).
by pe1chl
Thu Sep 12, 2019 4:26 pm
Forum: General
Topic: Add DNS over HTTPS (DoH) support
Replies: 16
Views: 6988

Re: Add DNS over HTTPS (DoH) support

Yes that is why there is some discussion about this. However, be warned that this "canary domain", as Sob already writes too, is likely to go away in the future once hackers who want to play man-in-the-middle on DNS see this, implement the canary domain, Mozilla finds out about that, and decides to ...
by pe1chl
Thu Sep 12, 2019 4:19 pm
Forum: Wireless Networking
Topic: 802.11r/k, Band Steering
Replies: 17
Views: 2587

Re: 802.11r/k, Band Steering

It depends on what you have. I had issues with some older Samsung phones, with a HP wireless printer, and with some models of Microsoft Surface laptops. All of them appear to be "known problems that aren't going to be fixed by their manufacturer" when I search the internet for it. Of course when you...
by pe1chl
Thu Sep 12, 2019 4:13 pm
Forum: General
Topic: Feature request: Static DNS NXDOMAIN
Replies: 8
Views: 1454

Re: Feature request: Static DNS NXDOMAIN

Mozilla is getting closer and closer to ship DoH with Firefox. Mikrotik should strongly think about implementing a way to sending NXDOMAIN from within the integrated DNS Server since doing so for the Domain use-application-dns.net is maybe a way to tell Firefox that it should use the Mikrotik DNS ...
by pe1chl
Thu Sep 12, 2019 4:08 pm
Forum: Wireless Networking
Topic: Country Code [SOLVED]
Replies: 53
Views: 3851

Re: Country Code [SOLVED]

That is a misunderstanding! It is not allowed for USA certified equipment to interpret received countrycodes to extend capabilities beyond the USA allowed ones, as you already know you have to sell USA-specific hardware. However, that is totally different from TRANSMITTING the countrycode in the be...
by pe1chl
Thu Sep 12, 2019 11:11 am
Forum: Wireless Networking
Topic: 802.11r/k, Band Steering
Replies: 17
Views: 2587

Re: 802.11r/k, Band Steering

The point is that unless it is a small network for e.g. your family house or you know exactly which types of devices are on it, so you can test them all, there is no way to know that there are problems!
by pe1chl
Thu Sep 12, 2019 11:03 am
Forum: Wireless Networking
Topic: Country Code [SOLVED]
Replies: 53
Views: 3851

Re: Country Code [SOLVED]

Currently MikroTik has no plans of implementing 802.11d as it's already not allowed to rely solely on 802.11d for setting country-specific radio parameters in USA since 2015, thus most of the phone, laptop etc. manufacturers most likely have made the changes in their drivers and/or software to obey...
by pe1chl
Wed Sep 11, 2019 5:44 pm
Forum: General
Topic: RouterOS v7.0beta1 (ARM)
Replies: 194
Views: 35826

Re: RouterOS v7.0beta1 (ARM)

Put BGP, MPLS, and other things that have no place in consumer devices into another package. Well it actually is like that in v6, but unfortunately those packages are part of the "bundle" and enabled by default, while things more important for consumers like IPv6 are disabled by default. It would h...
by pe1chl
Wed Sep 11, 2019 5:06 pm
Forum: General
Topic: RouterOS v7.0beta1 (ARM)
Replies: 194
Views: 35826

Re: RouterOS v7.0beta1 (ARM)

So things like MPLS, OSPF, BGP etc will remain standard in all home routers? Or will these options just go away for things like hAP Lite?
by pe1chl
Wed Sep 11, 2019 5:01 pm
Forum: General
Topic: RouterOS v7.0beta1 (ARM)
Replies: 194
Views: 35826

Re: RouterOS v7.0beta1 (ARM)

And no more extra packages? Or still the "download a zipfile, unpack it, upload some files to the router" method of installing an extra package? I mean it seems so easy to solve that in the UI of the router itself, given that it already can update itself and that works ok when extra packages have be...
by pe1chl
Wed Sep 11, 2019 4:50 pm
Forum: General
Topic: RouterOS v7.0beta1 (ARM)
Replies: 194
Views: 35826

Re: RouterOS v7.0beta1 (ARM)

I never liked the bundle. I usually don't require all packages in the bundle but I do require some extra packages. I think the better way would be to only install packages that are relevant to the device by default, and have an easy-to-use UI to download the required extra packages. (the update serv...
by pe1chl
Wed Sep 11, 2019 4:47 pm
Forum: RouterOS v7 BETA
Topic: /tool e-mail
Replies: 14
Views: 1504

Re: /tool e-mail

With most services these days, from addresses must match authentication to prevent address spoofing. Well, not with my server. It requires proper from address but it allows unauthenticated SMTP from the local subnet. (it does not even implement authentication so requiring that and enforcing it on c...
by pe1chl
Wed Sep 11, 2019 12:13 pm
Forum: Wireless Networking
Topic: 802.11r/k, Band Steering
Replies: 17
Views: 2587

Re: 802.11r/k, Band Steering

I hope you will get troublefree operation from your network. I operate a WiFi network from another competitor and I find that whenever you enable features like fast roaming, band steering etc you will always have some devices that have problems. Not an issue when you have a controlled environment (e...
by pe1chl
Wed Sep 11, 2019 12:07 pm
Forum: RouterOS v7 BETA
Topic: /tool e-mail
Replies: 14
Views: 1504

Re: /tool e-mail

If you're using "from=" variable in /tool e-mail send, you need to also specify "user=" and "password=", i.e.
Why would that be? Setting a sender address is completely unrelated to authentication when sending mail, isn't it?
by pe1chl
Tue Sep 10, 2019 10:46 pm
Forum: General
Topic: Packet loss just on 443 port
Replies: 12
Views: 1372

Re: Packet loss just on 443 port

Did you ping with 1400-1500 byte packet size?
It is quite normal that default-size ping packets get through without problem, but larger packets as used with TCP links (1500 bytes) get dropped on bad links.
by pe1chl
Tue Sep 10, 2019 2:45 pm
Forum: General
Topic: Policy to block website in Mikrotik increase CPU
Replies: 16
Views: 1460

Re: Policy to block website in Mikrotik increase CPU

I'm afraid there is no such link!
When you "need to block websites" the best advice is to close down your network.
That will create the best overall happiness amongst users and administrators.
by pe1chl
Tue Sep 10, 2019 10:36 am
Forum: RouterBOARD hardware
Topic: Routerboard and Memory
Replies: 8
Views: 1091

Re: Routerboard and Memory

You can see the file space under the Files menu. When you add a disk like that a folder will show up with a name like "Disk1" and inside that are the subfolders and files used by Dude. The memory of course is never completely empty, at least not when you can look. It starts empty but by the time the...
by pe1chl
Mon Sep 09, 2019 6:58 pm
Forum: Beginner Basics
Topic: Not getting browser response back on new subnet
Replies: 8
Views: 680

Re: Not getting browser response back on new subnet

Post your existing configuration exported using "/export hide-sensitive". Otherwise it is impossible to make single-line config items that fit into your total situation.
Also specify what you want to allow.
by pe1chl
Mon Sep 09, 2019 6:56 pm
Forum: General
Topic: Request: FEC tunnel types
Replies: 27
Views: 3092

Re: Request: FEC tunnel types

And then you have drones and UAVs, this market is booming and sending live video is one of the biggest challenges. Drones with video downlink used for control (vs. using it to send nice video streams to viewers on internet) is usually still done using analog video over FM links, because any appreci...
by pe1chl
Mon Sep 09, 2019 6:49 pm
Forum: Beginner Basics
Topic: Not getting browser response back on new subnet
Replies: 8
Views: 680

Re: Not getting browser response back on new subnet

The established/related rule allows traffic to already established connections. To allow the connection to be established you need another rule further down. Usually you would allow limited traffic inbound (e.g. your RDP session) and all traffic outbound. You should add another rule to allow your ou...
by pe1chl
Mon Sep 09, 2019 5:45 pm
Forum: Beginner Basics
Topic: Not getting browser response back on new subnet
Replies: 8
Views: 680

Re: Not getting browser response back on new subnet

It is a good idea to have a drop everything rule at the end of a list that only allows intended traffic, but it is not a good idea to have a rule with comment "Drop everything" that in reality does not drop everything! That only confuses you and anyone else looking at it. And you have to insert a ru...
by pe1chl
Mon Sep 09, 2019 5:11 pm
Forum: Beginner Basics
Topic: Not getting browser response back on new subnet
Replies: 8
Views: 680

Re: Not getting browser response back on new subnet

You have no rule that allows new traffic from inside the subnet except for ICMP. So that is not surprising. Also the "Drop everything else" comment for rule 3 is misleading because that is not what the rule does. (and because there is a default "Accept" at the end of every rule list it will make you...
by pe1chl
Mon Sep 09, 2019 5:06 pm
Forum: General
Topic: Add DNS over HTTPS (DoH) support
Replies: 16
Views: 6988

Re: Add DNS over HTTPS (DoH) support

But then it also does not bring the advantages that the client side implementers think it will bring! So they will work around it even when you implement it in the router. It appears that some implementations allow a switchoff (lookup a DNS name which should return NXDOMAIN) but MikroTik DNS does no...
by pe1chl
Mon Sep 09, 2019 4:36 pm
Forum: RouterBOARD hardware
Topic: Routerboard and Memory
Replies: 8
Views: 1091

Re: Routerboard and Memory

Do you know the difference between memory and hdd space?
by pe1chl
Mon Sep 09, 2019 4:34 pm
Forum: General
Topic: Policy to block website in Mikrotik increase CPU
Replies: 16
Views: 1460

Re: Policy to block website in Mikrotik increase CPU

find the policy how we are blocking /ip firewall filter add action=drop chain=forward dst-address-list=DoT-block Please show the entire forward chain. Are you using connection tracking? Is the rule placed after the "accept established/related" rule? Note that such rules are expensive without connec...
by pe1chl
Mon Sep 09, 2019 4:29 pm
Forum: General
Topic: Policy to block website in Mikrotik increase CPU
Replies: 16
Views: 1460

Re: Policy to block website in Mikrotik increase CPU

Redirect DNS to local DNS and then filter at DNS server.
DNS over HTTPS that is now being introduced (enabled by default) in webbrowsers will end that possibility...
by pe1chl
Mon Sep 09, 2019 4:26 pm
Forum: General
Topic: Add DNS over HTTPS (DoH) support
Replies: 16
Views: 6988

Re: Add DNS over HTTPS (DoH) support

This is something that (when you want to have it at all) should be implemented in the client, not in the router. And of course MikroTik already supports DNS over HTTPS done by the client. (and you will lose the possibility of controlling access to sites, shaping bandwidth to certain sites, etc. but ...
by pe1chl
Mon Sep 09, 2019 1:53 pm
Forum: General
Topic: Request: FEC tunnel types
Replies: 27
Views: 3092

Re: Request: FEC tunnel types

We also came forward to many "unusual" requests from some customers (radio and TV stations to mention some) ... I thought that is what he was referring to. These days Electronic News Gathering is often done using portable setups with like 4 LTE radios+cards to transmit the live video, instead of a ...
by pe1chl
Mon Sep 09, 2019 11:03 am
Forum: Forwarding Protocols
Topic: RB 3011UiAS dynamic routes missing for VLANS [SOLVED]
Replies: 4
Views: 698

Re: RB 3011UiAS dynamic routes missing for VLANS [SOLVED]

They are bridge virtual interfaces VLAN based, so they are always up AFAIK (I mean they are independent from physical cable connection) It depends on how it is configured. At least it used to be like that in the days of "master-port" and switch configuration. E.g. when you configure a VLAN with onl...
by pe1chl
Mon Sep 09, 2019 10:57 am
Forum: General
Topic: Request: FEC tunnel types
Replies: 27
Views: 3092

Re: Request: FEC tunnel types

That is a pretty specialist use case which would be better solved in a dedicated LTE router which also has multiple SIMs and radios.
You can undoubtedly get these on the market already.
by pe1chl
Sun Sep 08, 2019 1:10 pm
Forum: Forwarding Protocols
Topic: RB 3011UiAS dynamic routes missing for VLANS [SOLVED]
Replies: 4
Views: 698

Re: RB 3011UiAS dynamic routes missing for VLANS [SOLVED]

Routes to networks are not active when the router-side interface for that network is down.
Depending on your configuration this can happen when no devices are connected to that network!
by pe1chl
Sun Sep 08, 2019 9:39 am
Forum: General
Topic: Request: FEC tunnel types
Replies: 27
Views: 3092

Re: Request: FEC tunnel types

IP compression (packing) was useful in the past, when network traffic often consisted of uncompressed data. E.g. in my network it would be SMB traffic reading uncompressed files, or HTML traffic. These would be highly compressible and there would be some gain. Today most traffic is encrypted or at l...
by pe1chl
Sat Sep 07, 2019 11:26 pm
Forum: General
Topic: RouterOS v7.0 beta1 - when?
Replies: 609
Views: 154805

Re: RouterOS v7.0 beta1 - when?

The IP route cache is gone in the newer Linux kernel. It would be surprising when that problem is still present.
by pe1chl
Sat Sep 07, 2019 9:21 pm
Forum: Wireless Networking
Topic: LHG 60 clone from ubiquti
Replies: 13
Views: 2056

Re: LHG 60 clone from ubiquti

i don't really understand however, why they have this on a P2P unit. When you have links in many directions from a single tower, it is an advantage when you can synchronize them for transmit/receive so the link in another direction does not transmit over the remote station you are trying to receive...
by pe1chl
Sat Sep 07, 2019 8:06 pm
Forum: General
Topic: [Feature Request] split DNS
Replies: 5
Views: 935

Re: [Feature Request] split DNS

It sure is a horrible idea, but it fits in the line of horrible ideas that the browsermakers have launched in the past years (and this forum shows the problems they have caused). I already filed a feature request for NXDOMAIN static records some time ago for another purpose: to allow answer NXDOMAIN...
by pe1chl
Sat Sep 07, 2019 6:27 pm
Forum: General
Topic: [Feature Request] split DNS
Replies: 5
Views: 935

Re: [Feature Request] split DNS

It seems that it is all for nothing anyway, as now the browser manufacturers have started phasing out DNS. They will use DNS-over-HTTPS by default, which makes it impossible to host your own DNS service with local additions... And even the "canary domain lookup" performed by them cannot be set in Mi...
by pe1chl
Fri Sep 06, 2019 6:13 pm
Forum: General
Topic: RouterOS v7.0beta1 (ARM)
Replies: 194
Views: 35826

Re: RouterOS v7.0beta1 (ARM)

BGP cannot be split in the way you propose. Filters need to be processed in a "run to completion" fashion. Currently the only way to get a semblance of multi threading is to run a thread/process per BGP peer, process the routing update against the filter set, then push the result up to a conductor ...
by pe1chl
Fri Sep 06, 2019 5:39 pm
Forum: General
Topic: RouterOS v7.0beta1 (ARM)
Replies: 194
Views: 35826

Re: RouterOS v7.0beta1 (ARM)

We have never promised multicore BGP routing, by the way. Surely, but keeping in mind your multicore CCRs for such a decent money and mostly stable BGP implementation you have there is no wonder a lot of poor it man still hoping for that. The "demo" I saw recently (no idea if it was a hoax) showed ...
by pe1chl
Fri Sep 06, 2019 12:18 pm
Forum: General
Topic: RouterOS v7.0beta1 (ARM)
Replies: 194
Views: 35826

Re: RouterOS v7.0beta1 (ARM)

Ok thanks, nice project for the weekend :-)
by pe1chl
Fri Sep 06, 2019 12:07 pm
Forum: General
Topic: RouterOS v7.0beta1 (ARM)
Replies: 194
Views: 35826

Re: RouterOS v7.0beta1 (ARM)

Have any special instructions been given?
I see a netinstall and an npk, do you need to use netinstall or is it enough to upload the npk and reboot?
Is it limited to certain ARM devices or can it be used on all of them? (I have an unused LHG ac that I could try it on)
by pe1chl
Fri Sep 06, 2019 11:26 am
Forum: Beginner Basics
Topic: Where do you report a bug?
Replies: 12
Views: 1182

Re: Where do you report a bug?

No that is not correct, it depends on the size of the subnet as well. I run several WiFi networks with /22 networks on MikroTik routers and normally the addresses are assigned from lowest up, also for Apple devices. But on smaller networks it tends to be from top down. There is no defined or preferr...
by pe1chl
Thu Sep 05, 2019 9:28 pm
Forum: Beginner Basics
Topic: Convert Wifi to Wired
Replies: 4
Views: 539

Re: Convert Wifi to Wired

Indeed. It will work OK when you setup the AP as a client and do the normal NAT thing behind that, but when you configure it as a transparent bridge (i.e. your wired clients get their address from the existing wireless router's DHCP server) you will see interesting things happen. Certainly when ther...
by pe1chl
Thu Sep 05, 2019 7:53 pm
Forum: General
Topic: OpenVPN SHA256 + UDP
Replies: 56
Views: 23222

Re: OpenVPN SHA256 + UDP

That is why I suggested a more lightweight approach which does not require special processor and kernel support and is the natural way to add functions: a user process.
And to keep it reasonably secure, use some existing Linux features to guard it.
by pe1chl
Thu Sep 05, 2019 7:14 pm
Forum: Beginner Basics
Topic: Where do you report a bug?
Replies: 12
Views: 1182

Re: Where do you report a bug?

There is no defined order for assignment of the addresses in a pool. It often starts from lowest but under some conditions it may assign higher addresses. And certainly when a device has had an address before, it will often ask "can I have this address again?" and the router will allow it when it i...
by pe1chl
Thu Sep 05, 2019 7:09 pm
Forum: Scripting
Topic: Test for existing disk logging before enabling disk logging
Replies: 2
Views: 283

Re: Test for existing disk logging before enabling disk logging

You can first check it with "/system logging print where action=disk" maybe also with "and topics=aaa" when you want to test them one by one.
by pe1chl
Thu Sep 05, 2019 6:17 pm
Forum: General
Topic: Hotspot and HTTPS? What solutions?
Replies: 53
Views: 5565

Re: Hotspot and HTTPS? What solutions?

I found that the cause of this problem is a Windows bug... The PC was connected to a switchport which had tagged VLANs on the other networks, and it turns out that Windows just strips all VLAN tags on incoming traffic and treats everything as "the network", so it of course receives the RA from the o...
by pe1chl
Thu Sep 05, 2019 6:10 pm
Forum: General
Topic: OpenVPN SHA256 + UDP
Replies: 56
Views: 23222

Re: OpenVPN SHA256 + UDP

I don't recall any of the device series released in the last couple of years actively supporting or advertising any kind of virtualization That is probably because it is advertised so little. But the mipsbe and ppc devices have a feature called MetaROUTER which basically is virtualisation. You can ...
by pe1chl
Thu Sep 05, 2019 12:33 pm
Forum: General
Topic: OpenVPN SHA256 + UDP
Replies: 56
Views: 23222

Re: OpenVPN SHA256 + UDP

RouterOS already has it. But newer small devices do not have enough resources (disk space, mainly) to use it. And judging by the many demands for better OpenVPN, it does not suit the desires of most users anyway. Likely, it is too complicated to have 2 virtual routers for the task of implementing a ...
by pe1chl
Thu Sep 05, 2019 12:21 pm
Forum: General
Topic: OpenVPN SHA256 + UDP
Replies: 56
Views: 23222

Re: OpenVPN SHA256 + UDP

If at least we had a robust implementation of any virtualization tech in ROS for the lower-end devices, we would be able to add an image with a fully working OVPN implementation. I think what we need is not virtualization as it (rudimentarily) exists now, but a feature to run user contributed progr...
by pe1chl
Thu Sep 05, 2019 11:27 am
Forum: General
Topic: OpenVPN SHA256 + UDP
Replies: 56
Views: 23222

Re: OpenVPN SHA256 + UDP

Yes I think it is a licensing issue. Somehow MikroTik cannot use the reference openvpn implementation and they had to write something themselves, which apparently was not done well and now nobody wants to touch that anymore. I have had a router from another manufacturer that listed OpenVPN in its sa...
by pe1chl
Wed Sep 04, 2019 9:50 pm
Forum: General
Topic: OpenVPN SHA256 + UDP
Replies: 56
Views: 23222

Re: OpenVPN SHA256 + UDP

MikroTik staff on the forum have written that requests for features that are backed up by sales should be sent to their sales address and/or their distributors, not posted on the forum. Apparently (and understandably) requests via that channel have more priority. Requests on the forum must have near...
by pe1chl
Wed Sep 04, 2019 7:44 pm
Forum: RouterBOARD hardware
Topic: WAPG60ADM new 60 GHz product
Replies: 17
Views: 2361

Re: WAPG60ADM new 60 GHz product

Weird. It has way less output power than the WAP60/WAP60SXT and more than the LHG60. But name suggests WAP60 form factor. No Idea where they going with this, what is the M for WAP60SXT - 363 mW WAP60G - 146 mW LHG60 - 17 mW WAPG60ADM - 30 mW The output power is irrelevant for usage. What matters is...
by pe1chl
Wed Sep 04, 2019 7:35 pm
Forum: Beginner Basics
Topic: How I can block VPN progrmas
Replies: 6
Views: 724

Re: How I can block VPN progrmas

The correct method is to allow the necessary services and then block all other traffic on forward chain! But that is usually not practical either. There is no easy way to allow a service like a generic website, and even allowing generic services like a DNS resolver which recurses to internet DNS (r...
by pe1chl
Wed Sep 04, 2019 1:07 pm
Forum: Beginner Basics
Topic: How I can block VPN progrmas
Replies: 6
Views: 724

Re: How I can block VPN progrmas

There are so many VPN programs and so many that use common ports like 443 that it is impossible to block them. There are even VPN programs that work via DNS! Those often even work when you have a hotspot and the user has no account/ticket. Really, when you "need to block" you should not offer intern...
by pe1chl
Wed Sep 04, 2019 12:23 pm
Forum: General
Topic: Low Throughput on 2011 [SOLVED]
Replies: 5
Views: 589

Re: Low Throughput on 2011 [SOLVED]

At one point I disable all the rule and queues leaving only 1 NAT - 1 mangle and 1 route, basically the only rule you need to connect, but still I only manage to max the RB to 120mbps, at this point I can only presume that I got a bad unit, thinking going to x86. A limited performance is likely not...
by pe1chl
Wed Sep 04, 2019 12:16 pm
Forum: General
Topic: Inline transparent port filtering
Replies: 1
Views: 218

Re: Inline transparent port filtering

Maybe you have hw accel enabled on the bridge ports? Then it is processed by the switch chip.
Try setting hw=no on the 3 ports.
by pe1chl
Wed Sep 04, 2019 12:04 pm
Forum: Beginner Basics
Topic: How I can block VPN progrmas
Replies: 6
Views: 724

Re: How I can block VPN progrmas

That really isn't possible...
by pe1chl
Tue Sep 03, 2019 8:49 pm
Forum: Beginner Basics
Topic: GRE on IPSec doesnt' work
Replies: 9
Views: 1132

Re: GRE on IPSec doesnt' work

I don't have that problem here! GRE/IPsec works for me using the checkmark and input field in the GRE interface. For L2TP/IPsec I use some specific IPsec configuration, but it was made long ago and I am not sure it is still necessary. It was only necessary to make L2TP/IPsec work from clients behind...
by pe1chl
Tue Sep 03, 2019 7:07 pm
Forum: The User Manager
Topic: URGENT! UserManager and DHCP Server stopped working after upgrading to 6.45.5
Replies: 2
Views: 660

Re: URGENT! UserManager and DHCP Server stopped working after upgrading to 6.45.5

Did you verify network connectivity to the RADIUS server?
It could be the result of the change in GRE tunnel firewall, so your RADIUS server may be unreachable because a GRE tunnel you use to reach it is now not working anymore.
by pe1chl
Tue Sep 03, 2019 7:05 pm
Forum: General
Topic: PPPOE User Duplicate - Problem [SOLVED]
Replies: 2
Views: 372

Re: PPPOE User Duplicate - Problem [SOLVED]

The user shared their credentials, either willingly or without knowing.
Just change the password and mail to the legitimate user.
When it happens again, do whatever your terms and conditions warrant you to do in such cases...
by pe1chl
Tue Sep 03, 2019 1:55 pm
Forum: General
Topic: [Feature Request] split DNS
Replies: 5
Views: 935

Re: [Feature Request] split DNS

It has been requested many times. Probably the easiest thing to implement would be the addition of static NS records (no idea why that has not been done yet, it has been asked for so many times), but also multiple DNS server instances like I described here: https://forum.mikrotik.com/viewtopic.php?f...
by pe1chl
Tue Sep 03, 2019 1:51 pm
Forum: General
Topic: feature request: upgrade mactelnet
Replies: 2
Views: 307

Re: feature request: upgrade mactelnet

mactelnet is not a MikroTik product! It was made by an independent developer after reverse-engineering (and maybe some hints here) of the protocol. Now the protocol has changed and a MikroTik employee has stated there is no documentation available yet. Maybe in the future. So you either have to hope...
by pe1chl
Mon Sep 02, 2019 11:27 pm
Forum: Beginner Basics
Topic: GRE on IPSec doesnt' work
Replies: 9
Views: 1132

Re: GRE on IPSec doesnt' work

No, I have that as well and it works without problem (L2TP/IPsec accepting road warrior connections and GRE/IPsec to fixed peers).
by pe1chl
Mon Sep 02, 2019 9:17 pm
Forum: Beginner Basics
Topic: GRE on IPSec doesnt' work
Replies: 9
Views: 1132

Re: GRE on IPSec doesnt' work

Use "/export hide-sensitive file=config" to export your config and paste it here in a </> section.
by pe1chl
Mon Sep 02, 2019 5:25 pm
Forum: The Dude
Topic: Updating packages through The Dude
Replies: 1
Views: 412

Re: Updating packages through The Dude

When you have some router which has both the "bundle" package and a separate package "wireless" you first have to resolve that problem manually.
(it is an error that could sometimes occur in older versions)
by pe1chl
Mon Sep 02, 2019 5:22 pm
Forum: General
Topic: Blocked by Mac Address [SOLVED]
Replies: 2
Views: 447

Re: Blocked by Mac Address [SOLVED]

MAC filtering is local to the router and only for WiFi AP function.
So you need to do that on both your TP link and your MikroTik separately.
by pe1chl
Mon Sep 02, 2019 5:00 pm
Forum: Beginner Basics
Topic: can I access mikrotik rb2011 through internet
Replies: 7
Views: 721

Re: can I access mikrotik rb2011 through internet

Check that "/interface list member print" shows the lists LAN and WAN and that your "pppoe-out1" is member of WAN. If not, make sure you have updated RouterOS and after you have done that it is preferred to reset the configuration to defaults and setup the router again. (if there is not too much con...
by pe1chl
Mon Sep 02, 2019 3:14 pm
Forum: Beginner Basics
Topic: can I access mikrotik rb2011 through internet
Replies: 7
Views: 721

Re: can I access mikrotik rb2011 through internet

Hopefully not.
If yes, then you have messed with the firewall, and it is not a good idea to do that when you have to ask!
by pe1chl
Mon Sep 02, 2019 11:00 am
Forum: Wireless Networking
Topic: Bondig WIFI links 60G and 5G
Replies: 15
Views: 1537

Re: Bondig WIFI links 60G and 5G

Yes to include the management of the WiFi use /29 Well it is of course also possible to use a /24 but what is important is that you should use a separate network for each of the links and not put these things in a bridge as so many people do. So on each router you take out 2 ports from the normal br...
by pe1chl
Sun Sep 01, 2019 11:52 pm
Forum: Wireless Networking
Topic: Bondig WIFI links 60G and 5G
Replies: 15
Views: 1537

Re: Bondig WIFI links 60G and 5G

You would recommend to setup 2 /30 networks between the routers and run your favorite routing protocol.
Combine it with BFD to make it aware of connection loss a lot quicker than OSPF or BGP do by default.
by pe1chl
Sun Sep 01, 2019 8:02 pm
Forum: Wireless Networking
Topic: Bondig WIFI links 60G and 5G
Replies: 15
Views: 1537

Re: Bondig WIFI links 60G and 5G

Do you need transparent behavior? I.e. should it be like a bridge/switch? If not, do not use EoIP but use routing. You can use an autorouting protocol configured for quick switchover (e.g. with BFD). Even when you do require EoIP, you can use a single EoIP pair and use routing to select the path bet...
by pe1chl
Sat Aug 31, 2019 11:13 pm
Forum: General
Topic: [Feature Request] Winbox and netinstall 64 Bit versions - URGENT
Replies: 21
Views: 3597

Re: [Feature Request] Winbox and netinstall 64 Bit versions - URGENT

It doesn't work anymore! That is what the request for details was about: they changed the details and now a new mactelnet is required.
Works with RouterOS 6.44.5 here ...
Sure. But not with 6.45.x
by pe1chl
Sat Aug 31, 2019 10:28 pm
Forum: General
Topic: [Feature Request] Winbox and netinstall 64 Bit versions - URGENT
Replies: 21
Views: 3597

Re: [Feature Request] Winbox and netinstall 64 Bit versions - URGENT

On Linux, f.ex. in Debian, you can use the package mactelnet-client, binary named mactelnet to access by the MAC address.
It doesn't work anymore! That is what the request for details was about: they changed the details and now a new mactelnet is required.
by pe1chl
Sat Aug 31, 2019 8:13 pm
Forum: General
Topic: Quick Set
Replies: 6
Views: 899

Re: Quick Set

Please read his reply again. After you have changed something using another menu item (like you did), do NOT look at Quick Set again. Forget that it exists. Quick Set does NOT work correctly anymore after you have made another change. We have asked MikroTik many times to remove Quick Set after anoth...
by pe1chl
Sat Aug 31, 2019 6:00 pm
Forum: Beginner Basics
Topic: GRE on IPSec doesnt' work
Replies: 9
Views: 1132

Re: GRE on IPSec doesnt' work

The rule you mentioned has chain=forward.
Maybe you made the same oversight in the other 3 rules?
It should be chain=input for this, not chain=forward. That is for plain IPsec tunnels only.
by pe1chl
Sat Aug 31, 2019 3:56 pm
Forum: Beginner Basics
Topic: GRE on IPSec doesnt' work
Replies: 9
Views: 1132

Re: GRE on IPSec doesnt' work

Maybe firewall rule? For GRE/IPsec you need to accept on input:
- udp port 500
- protocol esp
- protocol gre with IPsec policy: in:ipsec
by pe1chl
Fri Aug 30, 2019 5:41 pm
Forum: General
Topic: Feature requests
Replies: 1160
Views: 207829

Re: Feature requests

Is it what you expect or what you're afraid of? Because it's like this by design: if you broke access 'forever', it will be rolled back. But generally ssh is quite tolerant to network instability. Well, it is certainly a weak point in the RouterOS "safe mode" that it immediately rolls back all chan...
by pe1chl
Fri Aug 30, 2019 3:50 pm
Forum: General
Topic: Experience with DHCP server using RADIUS backend?
Replies: 1
Views: 329

Re: Experience with DHCP server using RADIUS backend?

I have tested it in a temporary setup but no, when the RADIUS server does not reply the client does not get a lease. (the event is logged as error) I have not yet tested what happens with a working RADIUS server. What about such a setup as a new feature? Or could it be achieved by having 2 DHCP serv...
by pe1chl
Fri Aug 30, 2019 2:11 pm
Forum: General
Topic: Feature requests
Replies: 1160
Views: 207829

Re: Feature requests

and :commit for writing changes to the persistent memory Ctrl+X again There is a difference in philosophy. In RouterOS you can use "safe mode" to make some changes and they will be rolled back when you lose the connection. I'm not sure what happens with the changes when you powercycle the router ha...
by pe1chl
Fri Aug 30, 2019 12:01 pm
Forum: General
Topic: QoS / Prioritisation on Variable Bandwidth Link
Replies: 6
Views: 906

Re: QoS / Prioritisation on Variable Bandwidth Link

/ip firewall mangle
add action=set-priority chain=postrouting new-priority=from-dscp-high-3-bits passthrough=yes
by pe1chl
Wed Aug 28, 2019 8:42 pm
Forum: Wireless Networking
Topic: Point-to-Multipoint with wAP 60G [SOLVED]
Replies: 4
Views: 687

Re: Point-to-Multipoint with wAP 60G [SOLVED]

Those are only 100 Mbps, though.
Oh that is bad, I had not noticed that... why do they do these things? Even 1 Gbps is a limit on the usable rate.
by pe1chl
Wed Aug 28, 2019 3:38 pm
Forum: General
Topic: Experience with DHCP server using RADIUS backend?
Replies: 1
Views: 329

Experience with DHCP server using RADIUS backend?

Anyone here with experience using the RADIUS server backend for DHCP server? I am thinking about adding some functionality to a DHCP server where the supplied lease depends on some parameters in the request. Of course I can make some feature request to add such functionality to the DHCP server (e.g....
by pe1chl
Wed Aug 28, 2019 2:57 pm
Forum: General
Topic: Bridge VLAN Filtering help [SOLVED]
Replies: 22
Views: 1990

Re: Bridge VLAN Filtering help [SOLVED]

Is there an explanation why "VLAN filtering itself will not cause CPU to process all packets on CRS3xx series, but will on others due to disabled HW offloading." even when those other models can do the same thing WITH HW offloading when you configure it in the switch menu instead of the bridge menu?...
by pe1chl
Wed Aug 28, 2019 1:40 pm
Forum: General
Topic: Bridge VLAN Filtering help [SOLVED]
Replies: 22
Views: 1990

Re: Bridge VLAN Filtering help [SOLVED]

What I found very confusing when setting up my bridge with VLAN filtering is: when you specify a certain port as untagged in the /interface bridge vlan definition, you STILL need to set the pvid to the same value in the /interface bridge port definition! This is the case in some switches too. It pro...
by pe1chl
Tue Aug 27, 2019 8:13 pm
Forum: Forwarding Protocols
Topic: BGP Multihomed (Single Router)
Replies: 5
Views: 586

Re: BGP Multihomed (Single Router)

I would advise to not do any firewalling in the forward path of the border router except for things that you can do stateless and are always valid on both paths.
(like blocking packets with bogon source addresses or with destination ports you never want to allow)
by pe1chl
Tue Aug 27, 2019 7:00 pm
Forum: Forwarding Protocols
Topic: BGP Multihomed (Single Router)
Replies: 5
Views: 586

Re: BGP Multihomed (Single Router)

When we do this we appear to be breaking DNS and I it's because the way the traffic is going out and coming back in. What do you mean with this? With such a setup you will invariably have some asymmetric routing so you should not be doing any stateful firewalling that expects answers to come back v...
by pe1chl
Tue Aug 27, 2019 6:18 pm
Forum: Beginner Basics
Topic: Mikrotik 6.34.1 Check updates fail
Replies: 44
Views: 39221

Re: Mikrotik 6.34.1 Check updates fail

Do you use PPPoE for internet connection or do you have some other tunnel/VPN mechanism in use? This can cause problems.
Can you ping to upgrade.mikrotik.com ? Can you visit that site from a local system?
by pe1chl
Tue Aug 27, 2019 3:30 pm
Forum: Wireless Networking
Topic: Point-to-Multipoint with wAP 60G [SOLVED]
Replies: 4
Views: 687

Re: Point-to-Multipoint with wAP 60G [SOLVED]

I would use SXTsq Lite60 on the endpoints, they have a little more gain so you have more headroom.
by pe1chl
Tue Aug 27, 2019 12:39 pm
Forum: Scripting
Topic: Array Push Function
Replies: 9
Views: 4241

Re: Array Push Function

My worry with solutions like this is normally "what is going on under the hood"... Maybe it is my bad that I started programming 40 years ago and back then the beautiful solution often was too slow to be usable in practice. Of course that has changed a little today, although a lot of the slowness of...
by pe1chl
Tue Aug 27, 2019 12:34 pm
Forum: General
Topic: Request: FEC tunnel types
Replies: 27
Views: 3092

Re: Request: FEC tunnel types

I would think using a fullblown FEC like reed-solomon is a bit wasteful for this purpose, as you can expect that you receive either correct packets or nothing. Sure the reed-solomon code would be able to fix some corrupted packets, but do they really occur in practice? As written above, that is alre...
by pe1chl
Tue Aug 27, 2019 12:25 pm
Forum: Beginner Basics
Topic: Graphing problems
Replies: 3
Views: 356

Re: Graphing problems

It is a limitation of 32-bit math. Of course it would be possible to solve it by using 64-bit math, but apparently this was not done.
It is a common problem in traffic graphing solutions.
by pe1chl
Tue Aug 27, 2019 12:26 am
Forum: Beginner Basics
Topic: MikroTik RB4011 Initial setup cant access internet
Replies: 2
Views: 329

Re: MikroTik RB4011 Initial setup cant access internet

Please note: use quickset only to initially setup the device. Once you have filled in everything and hit the Apply button, never use it again unless it is to reset the configuration and start anew.
by pe1chl
Mon Aug 26, 2019 9:11 pm
Forum: Beginner Basics
Topic: tag all untagged traffic - can't get it working
Replies: 12
Views: 964

Re: tag all untagged traffic - can't get it working

Correct config for a port that adds some tag to untagged traffic is this: set 1 default-vlan-id=10 vlan-header=always-strip i.e. you have to see the command as it is working outbound, not inbound. Also remember that not all switch chips can do hybrid ports! So you may not be able to have some traffi...
by pe1chl
Mon Aug 26, 2019 4:26 pm
Forum: General
Topic: how to display a message to all requests ?
Replies: 3
Views: 297

Re: how to display a message to all requests ?

That is impossible, because gmail uses https so you cannot send a message to your clients pretending to be gmail.
The browser will reject such traffic.
This includes redirects.
by pe1chl
Mon Aug 26, 2019 2:14 pm
Forum: General
Topic: Hotspot and HTTPS? What solutions?
Replies: 53
Views: 5565

Re: Hotspot and HTTPS? What solutions?

Testing on the network without IPsec I cannot reproduce the issue. Likely the PC has temporarily been connected to one of the other networks and has remembered the address. (I don't know how it got all 3 addresses, nor do I know why Microsoft would remember the IPv6 address for so long even when it ...
by pe1chl
Mon Aug 26, 2019 2:12 pm
Forum: Useful user articles
Topic: Whitelisting websites
Replies: 13
Views: 1190

Re: Whitelisting websites

This means you still need to do investigation because it is unlikely that e.g. the bulk of the traffic (the video streams) from netflix will come from www.netflix.com.
But I would suggest to just try it and monitor the situation carefully.
by pe1chl
Mon Aug 26, 2019 1:15 pm
Forum: Useful user articles
Topic: Whitelisting websites
Replies: 13
Views: 1190

Re: Whitelisting websites

It is possible to do that but remember: there is no practical way for you to isolate "traffic for a website" by domain or IP address.
by pe1chl
Mon Aug 26, 2019 11:39 am
Forum: General
Topic: Mark packet dont work like expected
Replies: 2
Views: 283

Re: Mark packet dont work like expected

Looking at the direction of the traffic you are trying to match you probably need to use out-interface instead of in-interface.
As this is not possible in prerouting you need to re-think your setup.
by pe1chl
Mon Aug 26, 2019 11:09 am
Forum: General
Topic: IPSec - duplicate entry and weird log
Replies: 9
Views: 856

Re: IPSec - duplicate entry and weird log

Interesting difference between #1 and #4 is that the former has only DPD, while the latter has more vendor IDs. I'm no IPSec expert, so I don't know if it's possible that same peer would sometimes send more or less of them, or if you have logs from two peers mixed together. I guess it could be the ...
by pe1chl
Mon Aug 26, 2019 11:05 am
Forum: Beginner Basics
Topic: Will this equipment work? [Choosing the right Hardware]
Replies: 7
Views: 699

Re: Will this equipment work? [Choosing the right Hardware]

I have no personal experience with using those APs but they should be OK for that kind of performance. The RB952 is a combined router, switch and AP with good overall performance. As you don't need a router there you could also consider a separate small switch and another cAP AC. Or use a HAP AC2.....
by pe1chl
Mon Aug 26, 2019 1:32 am
Forum: General
Topic: Hotspot and HTTPS? What solutions?
Replies: 53
Views: 5565

Re: Hotspot and HTTPS? What solutions?

The networks are on different physical ports of the CCR router...
As I mentioned, I plan to investigate this further.
by pe1chl
Sun Aug 25, 2019 10:35 pm
Forum: Beginner Basics
Topic: Alternate DNS for one domain
Replies: 4
Views: 488

Re: Alternate DNS for one domain

Are there still (political?) reasons not to migrate that network to the ampr.org net-44 space? At least there you have DNS servers that are on internet... This is the network that we use over here. I briefly studied the mesh network and I understood that while it initially did not support net-44 bec...
by pe1chl
Sun Aug 25, 2019 7:09 pm
Forum: Beginner Basics
Topic: Will this equipment work? [Choosing the right Hardware]
Replies: 7
Views: 699

Re: Will this equipment work? [Choosing the right Hardware]

I have no personal experience with using those APs but they should be OK for that kind of performance.
The RB952 is a combined router, switch and AP with good overall performance. As you don't need a router there you could also consider a separate small switch and another cAP AC.
by pe1chl
Sun Aug 25, 2019 2:40 pm
Forum: Wireless Networking
Topic: Country Code [SOLVED]
Replies: 53
Views: 3851

Re: Country Code [SOLVED]

Well I think it is pretty broken to listen to what other people's devices (you have no control over) transmit and take it as authoritative.
But it is probably required by law in the USA.
by pe1chl
Sun Aug 25, 2019 2:02 pm
Forum: Wireless Networking
Topic: Country Code [SOLVED]
Replies: 53
Views: 3851

Re: Country Code [SOLVED]

Time to transmit the country code of a country that does not allow WiFi! Fun...
by pe1chl
Sun Aug 25, 2019 1:04 pm
Forum: Beginner Basics
Topic: Will this equipment work? [Choosing the right Hardware]
Replies: 7
Views: 699

Re: Will this equipment work? [Choosing the right Hardware]

How fast is the fiber connection? You should note that the CRS line of devices are primarily SWITCHES with a dummy router function to use e.g. to set up some management connection. These are not suitable for high-performance routing e.g. for a fast fiber connection. I know these devices are attractiv...
by pe1chl
Sun Aug 25, 2019 12:59 pm
Forum: Wireless Networking
Topic: Country Code [SOLVED]
Replies: 53
Views: 3851

Re: Country Code [SOLVED]

The issue apparently is that some client devices look at what other APs are transmitting to then lock their settings to the country code they receive there, instead of first looking for the correct SSID and then connecting there without country code (and thus no locked settings). This may be related...
by pe1chl
Sun Aug 25, 2019 12:51 pm
Forum: Beginner Basics
Topic: Alternate DNS for one domain
Replies: 4
Views: 488

Re: Alternate DNS for one domain

RouterOS does not support this method of working. It has been requested many times but it has not been implemented. (what you need is the capability to set a static DNS record for local.mesh with type NS and pointing to the nameserver for that domain) As RouterOS also does not offer a feature to run...
by pe1chl
Sun Aug 25, 2019 12:16 pm
Forum: General
Topic: 100% CPU load in CCR 1009
Replies: 22
Views: 2235

Re: 100% CPU load in CCR 1009

BUT, the best way is to make a suppout.rif and send it to support@mikrotik.com, they can see inside and tell you what is wrong. I think he did that but now he is expecting an immediate reply, and that is not the service provided at that address. Well, when in despair and wanting a solution NOW, I s...
by pe1chl
Sun Aug 25, 2019 12:11 pm
Forum: Wireless Networking
Topic: 802.11ax [SOLVED]
Replies: 118
Views: 19451

Re: 802.11ax [SOLVED]

I believe the main reason was the ability to implement protocols like nstream and nv2.
Ok, but when I understand correctly, nstream and nv2 can be phased out once we have 802.11ax?
Maybe there could be 2 drivers which are selected depending on the protocol mode in use?
by pe1chl
Sun Aug 25, 2019 12:08 pm
Forum: General
Topic: Hotspot and HTTPS? What solutions?
Replies: 53
Views: 5565

Re: Hotspot and HTTPS? What solutions?

A router with the IPv6 package simply installed is not a concern. The interface needs a valid v6 global address on a /64 subnet with advertise=yes in order for end users to get a v6 global address that could cause a problem. There is some bug in the RouterOS DHCPv6 that I still need to investigate ...
by pe1chl
Sun Aug 25, 2019 12:11 am
Forum: General
Topic: 100% CPU load in CCR 1009
Replies: 22
Views: 2235

Re: 100% CPU load in CCR 1009

It is currently weekend, support is not working now. They are only working on weekdays during local office hours.
Also they are not there for high-priority help with operational problems, you should hire a local certified consultant for that.
https://mikrotik.com/consultants