Community discussions

Search found 4303 matches

by pe1chl
Sun Jun 17, 2018 2:24 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

But that was done because there were bugs that allowed the retrieval of the unencrypted passwords (and thus the quick retrieval of valid user/password combinations as shown), and I am not convinced that in the current stable and bugfix versions there are no such bugs. Apparently there are still user...
by pe1chl
Sat Jun 16, 2018 10:26 pm
Forum: General
Topic: SIP client cannot re-register in the SIP server after switching ISP (different NAT) [SOLVED]
Replies: 38
Views: 1460

Re: SIP client cannot re-register in the SIP server after switching ISP (different NAT) [SOLVED]

There is only so much that can be done. When you have an unreliable or non-cooperating ISP you cannot have reliable SIP service. When you really cannot switch to a more reasonable ISP, at least avoid the address change by setting up some virtual server (e.g. with CHR) and route your local network to...
by pe1chl
Sat Jun 16, 2018 7:37 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

I have not, however received any updates from MikroTik on the subsequent updates to VPNFilter status where essentially all devices running RouterOS were added to the original four cloud core router devices. Of course those "updates" were not from MikroTik but from an external party who did not unde...
by pe1chl
Sat Jun 16, 2018 7:35 pm
Forum: General
Topic: Management VPNs
Replies: 7
Views: 266

Re: Management VPNs

Sure, but that is a complicated solution that does not scale well. SSTP has terrible performance under load (so does OpenVPN over TCP) but for purposes like some light remote management and monitoring it is fine. Setting up an SSTP tunnel per remote device is quite simple, just create the server and...
by pe1chl
Fri Jun 15, 2018 4:42 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: feature request: expose variables to netwatch scripts
Replies: 4
Views: 159

Re: feature request: expose variables to netwatch scripts

When you want to setup a complicated monitoring system that performs actions when reachability changes, it is better to avoid netwatch. Not only is it limited by the recent changes to scripting policy, but also it has always had the problem that a single missed ping indicates a "down" condition. (th...
by pe1chl
Fri Jun 15, 2018 4:36 pm
Forum: General
Topic: Management VPNs
Replies: 7
Views: 266

Re: Management VPNs

L2TP over IPsec could be trouble when all those remote systems are behind the same or a couple of CGNAT.
In that case it could be safer to use the (otherwise inferior) TCP tunnels like SSTP or OVPN.
As this is a low-bandwidth situation it will likely work OK.
by pe1chl
Fri Jun 15, 2018 4:33 pm
Forum: Forwarding Protocols
Topic: BGP Bonding
Replies: 3
Views: 140

Re: BGP Bonding

When you have only a single peer it does not make sense to run full route table...
When you have two peers it could be, but when it is only for redundancy then not.
Try to accept only default route in your incoming filters.
by pe1chl
Fri Jun 15, 2018 12:08 pm
Forum: RouterBOARD hardware
Topic: More info about mUPS
Replies: 41
Views: 4726

Re: More info about mUPS

I think you should picture the use of the mUPS in a situation where there is a 7Ah or maybe 14Ah battery.
For such a large installation where you also do not need insertion via PoE you can just obtain a charger/inverter from the usual market (e.g. used in boats and trucks).
by pe1chl
Fri Jun 15, 2018 12:04 pm
Forum: RouterBOARD hardware
Topic: Mikrotik VDSL / DSL Modem?
Replies: 255
Views: 46953

Re: Mikrotik VDSL / DSL Modem?

We distribute the Metanoia V5311-T-R in New Zealand and are working on this with the manufacturers. We have the V5311-T-R working now on NZ EUBA ADSL in a test environment currently. Once all tests are done we will contact customers directly with the necessary updates. What method do you use to rea...
by pe1chl
Fri Jun 15, 2018 11:57 am
Forum: RouterOS v6 RC and v7 BETA
Topic: New IP cloud is coming.
Replies: 20
Views: 1668

Re: New IP cloud is coming.

3) the new cloud works much faster, so the precision will be better - this is for setups where you cannot run NTP/SNTP or don't need the time so precise. This is enabled by default to get some, any time for logs where a user could benefit from seeing a time of occurrence. I completely understand th...
by pe1chl
Thu Jun 14, 2018 8:11 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: OpenVPN [ovpn] udp tunnels
Replies: 170
Views: 58837

Re: Feature Request: OpenVPN [ovpn] udp tunnels

But there has also been the "well... maybe there will not be a v7... we already implemented most of the promised features in v6!".
Of course this does not include the promised features w.r.t. OpenVPN. (and others, e.g. BGP)
by pe1chl
Thu Jun 14, 2018 12:29 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: OpenVPN [ovpn] udp tunnels
Replies: 170
Views: 58837

Re: Feature Request: OpenVPN [ovpn] udp tunnels

I prepare to install OpenVPN server in hAP ac2. It is possible but it will just be a server with very limited options. After all this I start to think it would be better when MikroTik simply relabeled the OpenVPN feature: name it something like MikroTikVPN and don't suggest any compatibility to Open...
by pe1chl
Thu Jun 14, 2018 11:22 am
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

The wireless vulnerabilities are mostly theoretical, it is not something that will go wrong just because it is there. You need someone to go into the coverage area of your wireless and actively attack it to then attack one of your users, something that is not very likely to happen when looking at...
by pe1chl
Wed Jun 13, 2018 6:37 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

Unix uses the method of 1 line per user and a defined length of the file. When you add a user at the end and then delete it, the length of the file is decreased. But when you would look in the disk block directly, the entry for your deleted user would probably still be there. (depends on how the new...
by pe1chl
Wed Jun 13, 2018 2:13 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: New IP cloud is coming.
Replies: 20
Views: 1668

Re: New IP cloud is coming.

Will the cloud time accuracy be more reasonable?
I mean, I could live with a 2 second error and a 1 second resolution but more than that is really sub-par.
(especially as NTP and SNTP work OK but are not enabled by default as the cloud time option is)
by pe1chl
Wed Jun 13, 2018 2:09 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

Of course it is quite typical (and to be expected) that a record in a user file is not completely wiped when the user is deleted, but instead there is some field that indicates active/inactive or there is a length field for the file, one of which is adjusted when you delete something. Looking in the...
by pe1chl
Mon Jun 11, 2018 3:34 pm
Forum: General
Topic: SIP client cannot re-register in the SIP server after switching ISP (different NAT) [SOLVED]
Replies: 38
Views: 1460

Re: SIP client cannot re-register in the SIP server after switching ISP (different NAT) [SOLVED]

Users with a single fixed IP on a single WAN line should not be affected by the above, so they do not need a fix. The problem described above only occurs when there are multiple WAN lines and the router switches between them (e.g. due to some failover mechanism) without the client knowing about it. ...
by pe1chl
Mon Jun 11, 2018 3:20 pm
Forum: General
Topic: More than 254 IPs needed! What options do I have?
Replies: 16
Views: 571

Re: More than 254 IPs needed! What options do I have?

Arp is sent to the 255.255.255.255 broadcast address so it is not affected by the mask. Traffic for devices in the old range will work normally, the device will send traffic for the new extended space to the router (default gateway) instead of sending Arp, the router will reply with a "redirect" pac...
by pe1chl
Mon Jun 11, 2018 2:43 pm
Forum: General
Topic: More than 254 IPs needed! What options do I have?
Replies: 16
Views: 571

Re: More than 254 IPs needed! What options do I have?

I fully agree with that. I routinely use /23 /22 and /21 subnets without any issues.
Furthermore, when you extend the existing subnet the existing addresses can remain the same.
by pe1chl
Sat Jun 09, 2018 3:04 pm
Forum: General
Topic: General QOS Script
Replies: 10
Views: 3823

Re: General QOS Script

Does this only provide QOS on outbound traffic? What about inbound traffic?
It is not really possible to do QoS on inbound traffic. You can limit the rate of some of the
traffic, but you cannot affect the priority.
To do it properly, it has to be done outbound at the other side of the link.
by pe1chl
Fri Jun 08, 2018 10:51 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 784
Views: 139079

Re: Feature requests

Yeah, but pe1chl tells about old wifi clients who cannot switch to another AP without timeout/disassoc on current AP. Anyway, by wifi standards it's up to the client how to select APs and when to switch... There are standards for fast handover but they weaken the security. Also there are standards t...
by pe1chl
Fri Jun 08, 2018 1:54 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 784
Views: 139079

Re: Feature requests

So what's the actual 'feature'? You just use same SSID and same security settings - and it works like this. Even if you mix MikroTik, TP-Link, Cisco APs, etc. :) That is one way of doing it, but it does not really work well. Clients have to "hop" between access points and this often only happens wh...
by pe1chl
Fri Jun 08, 2018 11:06 am
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

Full list of affected RouterBoards since now
It is pointless to post this list, it was made by people who do not know MikroTik and do not know that all routers
are running the same firmware. You can safely assume that any device running RouterOS is affected.
by pe1chl
Fri Jun 08, 2018 11:05 am
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

Once your device is compromised it can do anything. What actual value is there in changing user-level rules within a compromised router for what it can do? It has already been compromised, by no less than one of the most sophisticated state-level malwares seen to date ... There is no point in doing...
by pe1chl
Thu Jun 07, 2018 8:05 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

One thing I have started doing as a preventative measure - block everything in the OUTPUT chain except necessary services (eg dhcp client, sntp client, etc). I have that for some time. As that router is used as a VPN/Tunnel router it required some more rules but indeed it is a potentially good meas...
by pe1chl
Thu Jun 07, 2018 5:58 pm
Forum: RouterBOARD hardware
Topic: Can I restore a backup from a RB1200 to the CCR1009-7G-1C-1S+PC
Replies: 2
Views: 162

Re: Can I restore a backup from a RB1200 to the CCR1009-7G-1C-1S+PC

Indeed you can get info from export but do NOT simply import the entire export. That will fail and/or cause problems. Do a /export on the old router, read the file into a text editor on the PC and prepare the new router with the info that you need to add manually anyway, then paste the sections that...
by pe1chl
Thu Jun 07, 2018 5:52 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

Back in the Urgent security advisory, it was said that upgrading your RouterOS version would remove "the bad files" on the device. But in reality the upgrading of RouterOS does not even detect the unwanted/temporary files it creates itself! I had to rollback an update of a CCR1009 because after th...
by pe1chl
Thu Jun 07, 2018 4:46 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

There is unfortunately no easy way to tell, since Mikrotik doesn't allow us shell access to our routers to perform this kind of examination. There is a "check installation" feature but unfortunately it does not check if there are files on the router that are unaccounted for, even though this has be...
by pe1chl
Thu Jun 07, 2018 3:29 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

The fact that Mikrotik is still on the list due to them seeing Mikrotik routers still being hit by this means one thing only for Mikrotik users. They have failed to keep their routers current and are still running over a YEAR OLD (plus) version of ROS. Regardless of this virus attack, that is just ...
by pe1chl
Thu Jun 07, 2018 12:18 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

now are more mikrotik devices affected..... No more devices affected, just an updated announcement after the announcers better researched the MikroTik product gamma. (the original announcement where it was said it affected CCR1016 1036 and 1072 but not 1009 was of course hogwash) Solution was mentio...
by pe1chl
Thu Jun 07, 2018 12:05 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

If you have no open ports on your WAN interface, then you are completely safe from remote wired exploits of any kind. Unfortunately that is not true at all. You are safe from the exploits as they are seen now. You could still have problems e.g. when there turns out to be a problem in some obscure ...
by pe1chl
Thu Jun 07, 2018 12:01 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 140
Views: 38468

Re: VPNfilter official statement

If we/they have no proof that something is "broken" then they always could say "YES, it is safe". Actually I have always found it ridiculous that MikroTik people made remarks on this forum that RouterOS is safe because there were no known security problems and there had been no major problems in th...
by pe1chl
Wed Jun 06, 2018 10:33 pm
Forum: RouterBOARD hardware
Topic: Dynadish board replacement
Replies: 2
Views: 187

Re: Dynadish board replacement

I think different models share that name so you should obtain the exact model number of yours, and I
would advise contacting a local distributor or ask sales@mikrotik.com instead of the forum.
by pe1chl
Wed Jun 06, 2018 2:44 pm
Forum: Scripting
Topic: What is the working method to define and clear an array?
Replies: 3
Views: 173

Re: What is the working method to define and clear an array?

I have no problems with setting the values in the array. The construct shown above does that reliably. All my accesses to the array are using a variable for the index and it works fine. I only have the problem that when I want to start with a clean slate, I see difficulty doing that. The setting of ...
by pe1chl
Tue Jun 05, 2018 6:05 pm
Forum: RouterOS v7
Topic: RouterOS v7.0 beta1 - when?
Replies: 338
Views: 76261

Re: RouterOS v7.0 beta1 - when?

True, it doesn't have OpenVPN and everything else installed - but it would not use more than 1 GiB. Even if it used 3 more GiB: It would be still using less than ROS.
I think you somehow are confusing MB and GB here. Quite common these days!
by pe1chl
Tue Jun 05, 2018 4:26 pm
Forum: RouterOS v7
Topic: RouterOS v7.0 beta1 - when?
Replies: 338
Views: 76261

Re: RouterOS v7.0 beta1 - when?

One reason is probably that when you use opensource software and keep tracking all the updates, you end up with more and more bloated software that does not fit into a space-limited router anymore. It works fine on the PC platform where space and other resource usage (CPU) has grown with the code, b...
by pe1chl
Tue Jun 05, 2018 2:13 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 334
Views: 39435

Re: v6.43rc [release candidate] is released!

/System check-installation reports everything ok and the old system check-disk is no longer there. As I wrote in the 6.42.3 thread, the check-installation function does not seem to have the claimed new functionality to check for unwanted extra files (introduced some versions ago to detect and remov...
by pe1chl
Tue Jun 05, 2018 11:54 am
Forum: Announcements
Topic: MikroTik News June 2018 (Issue #83)
Replies: 39
Views: 4719

Re: MikroTik News June 2018 (Issue #83)

I like the continuing migration from "passive PoE" towards "802.3 af/at"!
Keep it going, guys!
by pe1chl
Tue Jun 05, 2018 11:50 am
Forum: Announcements
Topic: MikroTik News June 2018 (Issue #83)
Replies: 39
Views: 4719

Re: MikroTik News June 2018 (Issue #83)

The prices are great. What bothers me is the taxes my country charges. :( This is not the place to complain about that. Some countries have a policy like that, e.g. to promote local production of equipment or to finance other unrelated expenses made by the government. Remember on a low price you pa...
by pe1chl
Mon Jun 04, 2018 10:11 am
Forum: RouterBOARD hardware
Topic: Mikrotik VDSL / DSL Modem?
Replies: 255
Views: 46953

Re: Mikrotik VDSL / DSL Modem?

ADSL often uses ATM rather than PPPoE. But it depends on your particular provider. You would need to ask your provider or ask around in a forum etc to find what exactly has to be done on your provider's network to setup the connection. You need to tag your packets with VLAN 6 (i.e. you create a VLAN...
by pe1chl
Sat Jun 02, 2018 3:04 pm
Forum: SwOS
Topic: CRS-317 - Does SWoS have a physical advantage over RouterOS
Replies: 7
Views: 2679

Re: CRS-317 - Does SWoS have a physical advantage over RouterOS

Yep, I did buy a switch .. just wondering if one of the 2 available underlying management software applications makes any of the hardware functionality of that switch work better than the other. I don't think it is different for this particular type of switch. (CRS 300 series) For other MikroTik swi...
by pe1chl
Sat Jun 02, 2018 2:03 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: The security flaw for Hajime is closed by the firewall
Replies: 12
Views: 2502

Re: The security flaw for Hajime is closed by the firewall

You will have to decide for yourself if you trust that such people have only good intentions, and how well you are able to check that they did not change anything else to your router than the firewall and the note. At least check the users and the scripts sections to see if there are unexpected thin...
by pe1chl
Sat Jun 02, 2018 1:48 pm
Forum: General
Topic: downgrade firmware
Replies: 2
Views: 167

Re: downgrade firmware

You do not need to downgrade your firmware! Maybe you want to downgrade your RouterOS, that is not the same as your firmware. The version would be something like 6.x not 3.x. Why do you want to downgrade? To get the situation before the bridge/switch change? Then you would have to download the 6.40.8...
by pe1chl
Sat Jun 02, 2018 1:43 pm
Forum: Wireless Networking
Topic: Beam
Replies: 3
Views: 217

Re: Beam

The brochure on the site says the beamwidth is 23 degrees.
The antenna gain is listed at 16dBi which would correspond to about 24 degrees of beamwidth so this is probably correct.
by pe1chl
Sat Jun 02, 2018 1:31 pm
Forum: General
Topic: Routing between 2 routers and separate sub-nets
Replies: 11
Views: 343

Re: Routing between 2 routers and separate sub-nets

You will have to find that yourself because here on the forum there is not enough info. You would need to post your configs. However, the problem is likely not in the routers (when they are on default settings plus this address and route) but in the systems you have connected to them. These days...
by pe1chl
Sat Jun 02, 2018 10:30 am
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 334
Views: 39435

Re: v6.43rc [release candidate] is released!

It is not really reasonable to expect a smooth upgrade with such a large version jump. Often things change in configuration and the upgrade procedure converts existing configuration to new, but it cannot be expected to work when there are many changes in the same area. So when you really want to do ...
by pe1chl
Sat Jun 02, 2018 10:21 am
Forum: General
Topic: Set priority for bridge traffic
Replies: 2
Views: 137

Re: Set priority for bridge traffic

Yes that would already be a solution, for this particular issue. I'm not sure if it would be as efficient as a special case like was made for the TCP MSS adjustment, and why that case was done the way it is. (I normally put a MANGLE rule for TCP MSS adjustment in the forward table in routers where t...
by pe1chl
Fri Jun 01, 2018 4:52 pm
Forum: Beginner Basics
Topic: Foolishly added filter rule is preventig access to RouterOS.
Replies: 7
Views: 264

Re: Foolishly added filter rule is preventig access to RouterOS.

This also teaches you to set the routerboard boot mode to "try ethernet once then nand" instead of the default "nand if fail then ethernet" when your tower-mounted device is on a reasonably safe local network. At least you can powercycle it and netinstall without pushing the button. (of course there...
by pe1chl
Fri Jun 01, 2018 4:33 pm
Forum: General
Topic: Set priority for bridge traffic
Replies: 2
Views: 137

Set priority for bridge traffic

Is there a way to do a "set priority" on bridged traffic without having to set the global "use IP firewall" flag for all bridges and then having all bridge traffic pass through the IP firewall, where in fact only a single MANGLE rule is desired? Use case: to have WMM working on an access point that ...
by pe1chl
Fri Jun 01, 2018 3:17 pm
Forum: RouterOS v7
Topic: RouterOS v7.0 beta1 - when?
Replies: 338
Views: 76261

Re: RouterOS v7.0 beta1 - when?

If V7 is a major overhaul, I can't imagine the hour/man needed to do that. That is why it is often impractical to develop software that way. Announcing a new version that is to be "rewritten from scratch" or similar claims usually results in failure. Gradually developing new features and maybe rewrit...