Community discussions

Search found 4811 matches

by pe1chl
Fri Oct 19, 2018 6:31 pm
Forum: General
Topic: /ip dns servers= (cache) - how are multiple servers used?
Replies: 18
Views: 615

Re: /ip dns servers= (cache) - how are multiple servers used?

My understanding was that DNS servers were always used in preference order. First one until it is not available at which point the queries go to the second. That is usually the case with resolver libraries and their config (e.g. /etc/resolv.conf). The big drawback is that the system becomes extreme...
by pe1chl
Fri Oct 19, 2018 6:27 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: New IP cloud is coming.
Replies: 80
Views: 11022

Re: New IP cloud is coming.

Really? Everyone wants to have a supersecured router and you would give all your login details to a cloud? It certainly has some applications. I have been suggesting a management VPN to be part of IP cloud as well. People have trouble arranging secure management of their routers that are on dynamic...
by pe1chl
Fri Oct 19, 2018 6:22 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: OpenVPN [ovpn] udp tunnels
Replies: 191
Views: 63880

Re: Feature Request: OpenVPN [ovpn] udp tunnels

It is likely quite easy to implement a user process but it could take some iterations to make it completely secure. I would envision it like: you make a folder on the flash disk and put the executable there and add a config item which specifies the folder and the network devices you desire. (like 1....
by pe1chl
Thu Oct 18, 2018 5:08 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: OpenVPN [ovpn] udp tunnels
Replies: 191
Views: 63880

Re: Feature Request: OpenVPN [ovpn] udp tunnels

+1 for UDP. Damn, take 10% of my payments to you for routers and hire a programmer for 6 months to do this (he'll implement it in a few weeks and work for you for the remaining 5 months) :-/ It is so annoying to have CCRs with speed of RB750 running openvpn via TCP.
Instead, pay them to implement ...
by pe1chl
Thu Oct 18, 2018 4:11 pm
Forum: Scripting
Topic: Built in function library
Replies: 40
Views: 4167

Re: Built in function library

Completely unrelated to original topic.
What is the progress on the original topic? Has it been decided if this is going to happen, when, and what functions?
by pe1chl
Thu Oct 18, 2018 10:50 am
Forum: General
Topic: /ip dns servers= (cache) - how are multiple servers used?
Replies: 18
Views: 615

Re: /ip dns servers= (cache) - how are multiple servers used?

But now the most interesting testcase: you have 4 DNS servers configured and 3 are working, and you regularly query for nonresponding records (those .in-addr.arpa ones). The DNS resolver queries 8.8.8.8 and gets no response, it has to assume that 8.8.8.8 is dead and switch to the next one. There (8....
by pe1chl
Wed Oct 17, 2018 11:11 pm
Forum: RouterBOARD hardware
Topic: RB4011
Replies: 240
Views: 19163

Re: RB4011

When you want to be flexible w.r.t the WAN interface, you could consider making a new bridge "WAN", change all your config to refer to that bridge instead of the sfp interface, and make either the sfp or the ethernet port the sole member port of that bridge. It is possible to change config in bulk u...
by pe1chl
Wed Oct 17, 2018 8:37 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 120
Views: 18187

Re: v6.44beta [testing] is released!

But what I cannot ping Mikrotik ipv6 address from LAN, same subnet, same VLAN. Maybe someone has a similar issue?
Please do not use the release topic for other things than reporting issues with the release. Make a new topic in the General or Beginners section describing your issue and include a /ex...
by pe1chl
Wed Oct 17, 2018 2:10 pm
Forum: RouterBOARD hardware
Topic: New "RB2011".... reloaded [SOLVED]
Replies: 12
Views: 617

Re: New "RB2011".... reloaded [SOLVED]

I would like to see a line with RB3011 power at RB2011 price (or maybe $10 more).
I would like to see a router with CCR1072 performance at RB2011 price (and of course at RB2011 mains power usage).
But hey, not everything we would like to see is possible today. Maybe in 5 years?
by pe1chl
Wed Oct 17, 2018 2:02 pm
Forum: General
Topic: ROS 6.43.2 export config BUG
Replies: 3
Views: 156

Re: ROS 6.43.2 export config BUG

Indeed it looks like export hide-sensitive does hide the secret= config for IPsec peers, but not the ipsec-secret= config for tunnel interfaces with automatic IPsec peer.
That should be considered a bug. It appears in earlier versions as well.
by pe1chl
Tue Oct 16, 2018 8:00 pm
Forum: Announcements
Topic: v6.43.1 [stable] and v6.43.2 [stable] are released!
Replies: 186
Views: 23701

Re: v6.43.1 [stable] and v6.43.2 [stable] are released!

beware that some of them are using PL2303 series chipset and some of them are using fake PL2303 chipset, the latest driver and win10 driver will refuse to work with them. If you look for a Serial to USB cable better check if it can work in win10 without manually installing any driver.
Could be, I never use Wi...
by pe1chl
Tue Oct 16, 2018 5:40 pm
Forum: RouterBOARD hardware
Topic: RB4011
Replies: 240
Views: 19163

Re: RB4011

the power led is unnecessarily bright
This is a signature feature of MikroTik equipment. Despite remarks about this running for several years, nobody in development bothers to decrease the current through the blue led. When you visit a datacenter you see those blue torches everywhere. I suppose that ...
by pe1chl
Tue Oct 16, 2018 11:20 am
Forum: Announcements
Topic: v6.43.1 [stable] and v6.43.2 [stable] are released!
Replies: 186
Views: 23701

Re: v6.43.1 [stable] and v6.43.2 [stable] are released!

are those 3 hidden spots with Rx, Tx, and GND marking real serial port or just ...
TTL serial. Get a TTL serial to USB converter from aliexpress or similar, and you can connect it to a PC and watch the boot procedure.
(or even flash new firmware over serial when you are patient)
by pe1chl
Mon Oct 15, 2018 5:25 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 244
Views: 31048

Re: Winbox vulnerability: please upgrade

Have you netinstalled?
Yes, I netinstalled on Friday. Today (Monday) I connected remotely to the office twice; after those 2 connections, now I cannot connect back again. It is telling me wrong username/password. I am sure the attacker sniffed the login details again to put me out again.
You should not allow re...
by pe1chl
Sat Oct 13, 2018 4:51 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 941
Views: 153665

Re: Feature requests

It would be really nice if MikroTik would add the ability to graph health information such as voltage and temperature, and no, I'm not referring to SNMP and API, I am referring to tools->graphing, the same way as resources, queues and interfaces are graphed. There should simply be the possibility t...
by pe1chl
Fri Oct 12, 2018 4:50 pm
Forum: Announcements
Topic: Security announcement blog
Replies: 110
Views: 14844

Re: Security announcement blog

I have never seen increasing memory usage due to IPv6 forwarding. But apparently your use case or configuration is different.
by pe1chl
Fri Oct 12, 2018 4:47 pm
Forum: Announcements
Topic: Security announcement blog
Replies: 110
Views: 14844

Re: Security announcement blog

Not "someone access the router". When "some user" logs in to the router they cannot see this info. They have to be an administrator to see it. The reason why this data is stored in plaintext is that it has to be available in plaintext for the protocols it is used for (IPsec, xCHAPx). So you cannot s...
by pe1chl
Fri Oct 12, 2018 12:19 pm
Forum: Announcements
Topic: Security announcement blog
Replies: 110
Views: 14844

Re: Security announcement blog

As Normis already wrote, these are not really bugs but you are merely exhausting the capacity of the router, either for IPv6 ND or for IPv6 connection tracking.
Happens with IPv6 set to NOTRACK. It's not tracking causing this.
So it is ND (also indicated by the name of the tool). You will not be af...
by pe1chl
Fri Oct 12, 2018 11:21 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: OpenVPN [ovpn] udp tunnels
Replies: 191
Views: 63880

Re: Feature Request: OpenVPN [ovpn] udp tunnels

Another solution would be to support and maintain Metarouter.... even on the RB1100AHx2, but that's another story.
Yes, it would be very good to have metarouter back in service, or some other way of running user programs in some sandbox that only gives them some memory, a disk directory, and one or...
by pe1chl
Fri Oct 12, 2018 11:14 am
Forum: Announcements
Topic: Security announcement blog
Replies: 110
Views: 14844

Re: Security announcement blog

As Normis already wrote, these are not really bugs but you are merely exhausting the capacity of the router, either for IPv6 ND or for IPv6 connection tracking. When you are facing such attacks on the local network, you are in trouble. Especially when you have a small router which does not have giga...
by pe1chl
Thu Oct 11, 2018 11:18 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: OpenVPN [ovpn] udp tunnels
Replies: 191
Views: 63880

Re: Feature Request: OpenVPN [ovpn] udp tunnels

The long waiting time makes me so sad! Products and software - this is not a good match. One is good the other is a joke!
Please enumerate your list of commercial routers (not alternative firmware) that actually have OpenVPN support that conforms to your wishes.
by pe1chl
Tue Oct 09, 2018 12:32 pm
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 244
Views: 31048

Re: Winbox vulnerability: please upgrade

Normis: 1. about auto upgrade: yes, but it should be installed by default in new routers and it should use a dedicated release channel only for security fixes like those that fixed the winbox and webserver vulnerabilities. 2. about firewall: what I suggest fixes only the firewall filters without ove...
by pe1chl
Tue Oct 09, 2018 11:30 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 244
Views: 31048

Re: Winbox vulnerability: please upgrade

Automatic upgrade should be the default and is quickly becoming best practice.
This is plain stupid! I could be fired on the spot if I don't issue a warning about downtime. Some environments depend on equipment which is 24/7/365 up.
But then you don't understand what "default" means? Default does no...
by pe1chl
Tue Oct 09, 2018 11:20 am
Forum: Announcements
Topic: Winbox vulnerability: please upgrade
Replies: 244
Views: 31048

Re: Winbox vulnerability: please upgrade

Maybe MikroTik or one of the expert scripting users could post a script that changes the firewall filter rules of a router to the new default firewall. The script that adds that is of course already available in the router but it does a lot of other things. Some users might not be prepared to reset ...
by pe1chl
Tue Oct 09, 2018 10:32 am
Forum: Forwarding Protocols
Topic: DSCP policy based routing?
Replies: 2
Views: 136

Re: DSCP policy based routing?

Of course I know I can setup a test, but it would be nice to hear "yes that is OK I use that all the time" or "that is definitely not going to work I tried that" before I spend a lot of effort. I'm not sure if there would be anything that separates the two BGP instances when AS numbers and link addr...
by pe1chl
Mon Oct 08, 2018 11:28 pm
Forum: Forwarding Protocols
Topic: DSCP policy based routing?
Replies: 2
Views: 136

DSCP policy based routing?

Say I want to have different routing for some DSCP value(s) so the chosen path depends on the DSCP (not just a single hop but the entire network). Currently routing is using eBGP with some routing filters that tweak the local-pref based on community values to prefer some paths. I would need a second...
by pe1chl
Mon Oct 08, 2018 8:07 pm
Forum: RouterBOARD hardware
Topic: RB4011
Replies: 240
Views: 19163

Re: RB4011

I'm guessing the answer is a "No", though would the RB4011 support -48v telecom power like the RB1100AHx4? We have quite a few sites with included -48v power or where we have our own -48v rectifier.
Use an isolated 48v to 24v converter, many of those available on Aliexpress or Ebay.
by pe1chl
Sat Oct 06, 2018 7:53 pm
Forum: Announcements
Topic: v6.42.9 [long-term] is released!
Replies: 85
Views: 9506

Re: v6.42.9 [long-term] is released!

It is true that there is a bridge by default but in the past I have converted RB750 and RB750G routers which by default have no bridge, and it created the bridge. But those did not have VLANs on the switch, only the default LAN with a couple of ports and a master-port where the IP address is configu...
by pe1chl
Sat Oct 06, 2018 5:49 pm
Forum: Announcements
Topic: v6.42.9 [long-term] is released!
Replies: 85
Views: 9506

Re: v6.42.9 [long-term] is released!

No features were removed, only one feature was renamed and that is the "master-port" that had various limitations, now it is replaced with a simple bridge configuration. Nothing else is changed regarding VLAN configuration. You simply have to replace every configuration line that involves the ma...
by pe1chl
Sat Oct 06, 2018 1:08 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 941
Views: 153665

Re: Feature requests

Remember that interface lists are handled by the CPU. An interface list is just a bit set in the interface definition which can be matched e.g. in the firewall ("is this bit set for the interface where this packet arrived") by the processor. This is entirely different from switch programming, where ...
by pe1chl
Sat Oct 06, 2018 11:49 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 941
Views: 153665

Re: Feature requests

Maybe when you don't really need the full 10G performance you could use one of the new SFP+ switches together with a CCR1009 as router-on-a-stick?
by pe1chl
Fri Oct 05, 2018 11:26 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 941
Views: 153665

Re: Feature requests

That is already possible via RADIUS!
by pe1chl
Thu Oct 04, 2018 8:54 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 941
Views: 153665

Re: Feature requests

I'm new to the forum, and I'd like to know where is the right place for a feature request.
Your feature is already implemented in RC/testing version. And some people don't like it...
by pe1chl
Thu Oct 04, 2018 8:51 pm
Forum: General
Topic: CloudFlare DNS over TLS
Replies: 33
Views: 5158

Re: CloudFlare DNS over TLS

Pity that "DNS over TLS" was implemented as a new standard. They could just have used existing VPN technology and tunneled standard DNS over that. So services like CloudFlare could simply offer VPN access to their resolvers. Would be more efficient too. And best of all, router manufacturers would no...
by pe1chl
Thu Oct 04, 2018 8:46 pm
Forum: Beginner Basics
Topic: reset-configuration with run-after-reset not working
Replies: 6
Views: 2243

Re: reset-configuration with run-after-reset not working

I think it is very unfortunate that:
1. the delay is still necessary. It would seem so trivial to include it in the first-boot procedure but it has not been done even after more than a year...
2. still nothing is done about the error recovery and logging. That would likely be more work.
by pe1chl
Thu Oct 04, 2018 2:08 pm
Forum: General
Topic: SIP client cannot re-register in the SIP server after switching ISP (different NAT) [SOLVED]
Replies: 53
Views: 3278

Re: SIP client cannot re-register in the SIP server after switching ISP (different NAT) [SOLVED]

From your description maybe it works fine when the NAT entry has to handle some traffic during the time the connection is down, but it does not work when the interruption is so short that there is no traffic in that time interval? NAT always remains tricky. Fortunately most of the use I have for Mik...
by pe1chl
Thu Oct 04, 2018 12:22 pm
Forum: General
Topic: SIP client cannot re-register in the SIP server after switching ISP (different NAT) [SOLVED]
Replies: 53
Views: 3278

Re: SIP client cannot re-register in the SIP server after switching ISP (different NAT) [SOLVED]

No, ours tend to happen after brief disconnections, too. It's rare, but we have even seen it happen *immediately* after a reboot ('tik boots up, PPPoE connects, SIP still stuck). And, yes, it doesn't always happen to us either...in fact it has been FRUSTRATINGLY difficult to reproduce in a lab. If ...
by pe1chl
Thu Oct 04, 2018 12:15 pm
Forum: General
Topic: CloudFlare DNS over TLS
Replies: 33
Views: 5158

Re: CloudFlare DNS over TLS

Hope this feature can be implemented soon, this is the last piece before we can go full encrypted
You can already go full encrypted by setting up a VPN link to a router "in the cloud" (your own CHR running on a VPS host or one of the many VPN services) and route your DNS traffic over that. (RouterO...
by pe1chl
Thu Oct 04, 2018 9:06 am
Forum: Announcements
Topic: v6.42.9 [long-term] is released!
Replies: 85
Views: 9506

Re: v6.42.9 [long-term] is released!

I've found a different factory reset behavior after upgrading to v6.42.9. In v6.40.9 the interfaces, DHCP server, and firewall policies were included by default. Now in v6.42.9, only a static IP address of 192.168.88.1 is configured on Interface 1, without a DHCP server, or firewall policies (which...
by pe1chl
Tue Oct 02, 2018 12:36 pm
Forum: General
Topic: Help with Google Unusual Traffic issue
Replies: 3
Views: 135

Re: Help with Google Unusual Traffic issue

You should implement a proper firewall so outsiders cannot connect into your router. At least read https://blog.mikrotik.com/security/ For configuration hints you should first post your current configuration: /export hide-sensitive file=config then download config.rsc from the router and post it her...
by pe1chl
Tue Oct 02, 2018 11:10 am
Forum: General
Topic: Help with Google Unusual Traffic issue
Replies: 3
Views: 135

Re: Help with Google Unusual Traffic issue

Are all your 500 clients sharing the same address? Then this issue really cannot be avoided, because there will always be bad guys in there.
However, you should still make sure your router and any client routers that you manage are properly configured and not part of the botnet.
by pe1chl
Mon Oct 01, 2018 9:07 pm
Forum: Beginner Basics
Topic: BGP route filters
Replies: 6
Views: 223

Re: BGP route filters

I think you would usually set a localpref on an incoming filter. This attribute is not sent to external peers, only internal (iBGP).
by pe1chl
Mon Oct 01, 2018 8:22 pm
Forum: Beginner Basics
Topic: BGP route filters
Replies: 6
Views: 223

Re: BGP route filters

That advice was not really correct. Of course you can match on the BGP as path to apply certain filter rules to one AS. When you have more than one peer and you really want to weigh the usage of the peers, you can also create separate filters for each peer and assign them as incoming filters for eac...
by pe1chl
Mon Oct 01, 2018 4:57 pm
Forum: Announcements
Topic: v6.42.9 [long-term] is released!
Replies: 85
Views: 9506

Re: v6.42.9 [long-term] is released!

With ROS > 6.40 it is possible to use "new" bridge vlan-filtering, but it is not mandatory to do it. New way lacks HW offload support for non-trivial tasks, but it allows things to be done which were not possible previously on some devices due to lack of support in hardware.
I converted an RB2011 r...
by pe1chl
Mon Oct 01, 2018 4:14 pm
Forum: Announcements
Topic: v6.42.9 [long-term] is released!
Replies: 85
Views: 9506

Re: v6.42.9 [long-term] is released!

This is a bad move! Now users of 6.40.x versions cannot install updates anymore. We need full support of hw-accelerated VLAN switching in the new bridge at some locations before versions >6.40 can be used.
All VLAN related features are available in newer versions.
They have been available since 6.4...
by pe1chl
Mon Oct 01, 2018 12:06 pm
Forum: Announcements
Topic: v6.42.9 [long-term] is released!
Replies: 85
Views: 9506

Re: v6.42.9 [long-term] is released!

This is a bad move! Now users of 6.40.x versions cannot install updates anymore.
We need full support of hw-accelerated VLAN switching in the new bridge at some locations before versions >6.40 can be used.
by pe1chl
Sun Sep 30, 2018 9:20 pm
Forum: General
Topic: /ip dns servers= (cache) - how are multiple servers used?
Replies: 18
Views: 615

Re: /ip dns servers= (cache) - how are multiple servers used?

With all domains, there should always be a response, as long as authoritative servers are not dead or too slow. Which I'm sure does happen, but I can't say how often.
I'd say at least in about 25% of reverse-DNS lookups (for addresses that are doing portscanning etc, so probably not representative fo...
by pe1chl
Sun Sep 30, 2018 8:24 pm
Forum: General
Topic: /ip dns servers= (cache) - how are multiple servers used?
Replies: 18
Views: 615

Re: /ip dns servers= (cache) - how are multiple servers used?

Asking for a non-existing record will still give you an answer:
> dig 1.88.168.192.in-addr.arpa PTR @8.8.8.8
; <<>> DiG 9.9.2-P2 <<>> 1.88.168.192.in-addr.arpa PTR @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42555
;; flags: qr rd ra; QUERY: 1, ANS...
by pe1chl
Sun Sep 30, 2018 7:20 pm
Forum: General
Topic: /ip dns servers= (cache) - how are multiple servers used?
Replies: 18
Views: 615

Re: /ip dns servers= (cache) - how are multiple servers used?

I see simple failover. First server is used initially and when it fails, it moves to next one and so on. If it works like this, then even distribution does look suspicious. But hey, it's udp, packet can get lost.
When it works like that the distribution will also be quite even because there is a ce...
by pe1chl
Sun Sep 30, 2018 12:28 pm
Forum: General
Topic: /ip dns servers= (cache) - how are multiple servers used?
Replies: 18
Views: 615

Re: /ip dns servers= (cache) - how are multiple servers used?

That is not really true. When the operation mode is "round robin" without any failure detection, the result will be that one in 3 (in this case) requests will get no reply and has to be retried, which happens after 2 seconds by default (can be changed in the setup). That slows down the DNS service. ...