Community discussions

Search found 226 matches

by ivicask
Mon Jan 28, 2019 2:34 pm
Forum: General
Topic: Examples of using RAW firewall?
Replies: 28
Views: 5101

Re: Examples of using RAW firewall?

Thanks ivicask.
The rule worked once. Now users from IP addresses of the blacklist are trying to connect to SIP port 5060 and the rule is not working.
I think you should change all those blacklist entries,
for example from add address=37.0.0.0 -> address=37.0.0.0/24
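Added example, written for this page and not taken from the thread or from ivicask's or the original poster's configuration: a RAW-table block of SIP signalling from an address list, with the prefix-length point from the reply above. The list names (sip-blacklist, sip-allowed), the prefixes and the interface-free rules are assumptions for illustration. It also goes one step beyond the thread by showing the allow-list form, which is the usual way to express "block all SIP from abroad".

```routeros
# Added example, not the thread's config. List names and prefixes are assumptions.
# An address-list entry without a prefix length is one host (/32), which is why
# "address=37.0.0.0" never matched callers from 37.x.y.z.
/ip firewall address-list
add list=sip-blacklist address=37.0.0.0/24 comment="a /24, not the single host 37.0.0.0"
add list=sip-blacklist address=37.0.0.0/8 comment="use /8 if the intent is all of 37.x.x.x"

# RAW rules run before connection tracking, so dropped SIP probes cost no conntrack entry.
# SIP signalling is usually UDP, but SIP over TCP/TLS uses the same range: match both.
/ip firewall raw
add chain=prerouting src-address-list=sip-blacklist protocol=udp dst-port=5060-5080 \
    action=drop comment="drop SIP from blacklist (UDP)"
add chain=prerouting src-address-list=sip-blacklist protocol=tcp dst-port=5060-5080 \
    action=drop comment="drop SIP from blacklist (TCP)"

# Allow-list form for "block all SIP from abroad" (use either this or the blacklist):
# keep a list of prefixes you DO serve, including your own LAN and your trunk provider,
# and drop SIP from everyone else with a negated list match. 192.0.2.0/24 is a placeholder.
/ip firewall address-list add list=sip-allowed address=192.0.2.0/24 comment="example served prefix"
/ip firewall raw
add chain=prerouting src-address-list=!sip-allowed protocol=udp dst-port=5060-5080 \
    action=drop comment="drop SIP not from served prefixes"

# Check: the rule counters rise when a listed host sends to 5060, and the list
# shows prefixes rather than /32 hosts.
/ip firewall raw print stats
/ip firewall address-list print where list=sip-blacklist
```

The negated allow-list is only as good as the list: forgetting the LAN or the SIP trunk provider's prefix silently drops your own calls, so check the counters on the negated rule against known-good traffic before leaving it in place.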
by ivicask
Mon Jan 28, 2019 12:24 pm
Forum: General
Topic: Examples of using RAW firewall?
Replies: 28
Views: 5101

Re: Examples of using RAW firewall?

Thanks MKX. I tried all variants but the rule is not working. I have a task from my chief - block all connections on ports 5060-5080 from abroad. I tried to block one subnet 37.0.0.0 but the rule is not working :( Here are my firewall settings. Regards. The rule actually seems to be working fine, as you can see one block in ...
by ivicask
Tue Jan 22, 2019 7:54 pm
Forum: General
Topic: Mark the traffic for YouTube, Facebook, etc.
Replies: 28
Views: 2205

Re: Mark the traffic for YouTube, Facebook, etc.

Hmmm okay, so that sounds promising. However what you are telling me is that initial traffic will ALWAYS get out and not be rerouted because it's done in real time, not prerouting. Also, the script is not timed to user access but to a rote timing scheme that will run regardless of whether streaming is done (...
by ivicask
Tue Jan 22, 2019 3:36 pm
Forum: General
Topic: Mark the traffic for YouTube, Facebook, etc.
Replies: 28
Views: 2205

Re: Mark the traffic for YouTube, Facebook, etc.

@anav, tls-host only works for TCP, you should use ivicask's script to read googlevideo.com DNS from the cache and write it to an address list. That's basically what OP @mladen074 did but in a simpler script; I actually jumped to the last posts and missed the first post from him :) Not sure which one is better if ...
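Added example of the approach the reply above describes, written for this page; it is not ivicask's script nor @mladen074's. Assumptions: RouterOS 6.4x DNS cache fields (name/address), LAN clients resolving through the router, and the names "youtube" (address list and packet mark) and "youtube-conn" (connection mark). Marking by destination address instead of tls-host catches the QUIC (UDP 443) streams the thread ran into as well as TCP.

```routeros
# Added example, not the thread's script. Names and cache field names are assumptions.

# --- paste as the source of: /system script add name=yt-cache-harvest policy=read,write ---
:local listName "youtube"
:foreach i in=[/ip dns cache find where name~"googlevideo"] do={
    :local addr [/ip dns cache get $i address]
    # one entry per address; the timeout lets stale CDN nodes expire on their own
    :if ([:len [/ip firewall address-list find where list=$listName and address=$addr]] = 0) do={
        /ip firewall address-list add list=$listName address=$addr timeout=1d \
            comment="harvested from DNS cache"
    }
}
# --- end of script source ---

# cache entries live only for their TTL, so harvest often
/system scheduler add name=yt-cache-harvest interval=30s on-event=yt-cache-harvest \
    policy=read,write

# Mark by destination address, not by tls-host, so UDP 443 (QUIC) is caught too.
# Mangle marks are skipped for fasttracked connections: disable any fasttrack rule first.
/ip firewall mangle
add chain=forward dst-address-list=youtube connection-mark=no-mark \
    action=mark-connection new-connection-mark=youtube-conn passthrough=yes
add chain=forward connection-mark=youtube-conn \
    action=mark-packet new-packet-mark=youtube passthrough=no

# Check what was harvested and that the marks hit while a video plays:
/ip firewall address-list print where list=youtube
/ip firewall mangle print stats
```

The harvester only sees names the router itself resolved, so a client using its own resolver (or DNS over HTTPS) produces addresses that never reach the list; that is the failure mode to check first when the mangle counters stay at zero.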
by ivicask
Tue Jan 22, 2019 2:52 pm
Forum: General
Topic: Mark the traffic for YouTube, Facebook, etc.
Replies: 28
Views: 2205

Re: Mark the traffic for YouTube, Facebook, etc.

Yeah, good stuff, I noticed that when you are using the mobile app, it uses UDP 443 instead of TCP. For desktop, I believe that the Google QUIC protocol is disabled by default, hence it should work with TCP (where tls-host only works). It streams to my Windows 10 PC (Chrome) in UDP protocol also. The above ...
by ivicask
Tue Jan 22, 2019 2:34 pm
Forum: General
Topic: Mark the traffic for YouTube, Facebook, etc.
Replies: 28
Views: 2205

Re: Mark the traffic for YouTube, Facebook, etc.

Maybe Google is using an additional DNS structure. What IPs are being streamed from? Which domain is that? You can contribute to the thread. I figured it out, it's streaming over UDP actually for me; I had the TCP protocol set, as the TLS matcher requires it, and this of course didn't work for me. I added this scr...
by ivicask
Tue Jan 22, 2019 2:16 pm
Forum: General
Topic: Mark the traffic for YouTube, Facebook, etc.
Replies: 28
Views: 2205

Re: Mark the traffic for YouTube, Facebook, etc.

I also tried implementing YouTube traffic control via this and it's absolutely not working. The TLS host thing is totally useless in this case and doesn't pick the actual IP of the video stream. *.googlevideo.com *.youtube.com give me about 4 IPs in my address list, but when I start a YouTube video it comes from so...
by ivicask
Tue Jan 22, 2019 12:45 pm
Forum: General
Topic: Mark the traffic for YouTube, Facebook, etc.
Replies: 28
Views: 2205

Re: Mark the traffic for YouTube, Facebook, etc.

I also tried implementing YouTube traffic control via this and it's absolutely not working. The TLS host thing is totally useless in this case and doesn't pick the actual IP of the video stream. *.googlevideo.com *.youtube.com give me about 4 IPs in my address list, but when I start a YouTube video it comes from so...
by ivicask
Tue Jan 22, 2019 11:58 am
Forum: General
Topic: Mark the traffic for YouTube, Facebook, etc.
Replies: 28
Views: 2205

Re: Mark the traffic for YouTube, Facebook, etc.

I also tried implementing YouTube traffic control via this and it's absolutely not working. The TLS host thing is totally useless in this case and doesn't pick the actual IP of the video stream. *.googlevideo.com *.youtube.com give me about 4 IPs in my address list, but when I start a YouTube video it comes from som...
by ivicask
Thu Jan 10, 2019 11:42 am
Forum: General
Topic: Hairpin NAT not working on RouterOS 6 line WAN load balancing
Replies: 8
Views: 403

Re: Hairpin NAT not working on RouterOS 6 line WAN load balancing

Can anyone support me with this problem. Thank you! For me it doesn't work without this rule also add action=masquerade chain=srcnat comment=HAIRPIN dst-address=192.168.1.0/24 out-interface=LAN src-address=192.168.1.0/24 Change IPs and out-interface to match your network. He has this rule already add actio...
by ivicask
Thu Jan 10, 2019 11:25 am
Forum: General
Topic: Hairpin NAT not working on RouterOS 6 line WAN load balancing
Replies: 8
Views: 403

Re: Hairpin NAT not working on RouterOS 6 line WAN load balancing

Can anyone support me with this problem. Thank you! For me it doesn't work without this rule also add action=masquerade chain=srcnat comment=HAIRPIN dst-address=192.168.1.0/24 out-interface=LAN src-address=192.168.1.0/24 Change IPs and out-interface to match your network. He has this rule already add actio...
by ivicask
Thu Jan 10, 2019 10:59 am
Forum: General
Topic: Hairpin NAT not working on RouterOS 6 line WAN load balancing
Replies: 8
Views: 403

Re: Hairpin NAT not working on RouterOS 6 line WAN load balancing

Can anyone support me with this problem.
Thank you!
For me it doesn't work without this rule also

add action=masquerade chain=srcnat comment=HAIRPIN dst-address=192.168.1.0/24 out-interface=LAN src-address=192.168.1.0/24

Change IPs and out-interface to match your network.
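Added example, written for this page rather than taken from the thread: the complete hairpin NAT set for one published service, so the masquerade rule above is seen next to the port forward it depends on. Assumptions: WAN on ether1 with public address 203.0.113.10 (documentation range), a LAN bridge named LAN with 192.168.1.0/24, and an internal server 192.168.1.10 on tcp/3389.

```routeros
# Added example, not the thread's config. Interfaces, addresses and port are assumptions.
/ip firewall nat
# 1. ordinary outbound NAT
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN to internet"

# 2. the port forward. dst-address-type=local matches any address the router owns, so it
#    keeps working when the WAN address changes or several WAN links exist (it also matches
#    192.168.1.1:3389, which is harmless here). Do NOT restrict it with in-interface=ether1,
#    or LAN clients connecting to the public address never hit it.
add chain=dstnat dst-address-type=local protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=192.168.1.10 comment="publish tcp/3389"

# 3. the hairpin. A LAN client connecting to 203.0.113.10:3389 is dst-nat'ed to
#    192.168.1.10 by rule 2. Without this rule the server answers the client directly;
#    the client sees a reply from 192.168.1.10 for a connection it opened to
#    203.0.113.10 and discards it. Masquerading only that forwarded flow makes the
#    server reply to the router, which undoes both translations.
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.10 out-interface=LAN \
    protocol=tcp dst-port=3389 action=masquerade comment="HAIRPIN"

# check: from a LAN host connect to 203.0.113.10:3389, then on the router
/ip firewall connection print where dst-address~"192.168.1.10:3389"
/ip firewall nat print stats
```

The thread's rule masquerades every LAN-to-LAN flow that is routed through the router; narrowing it to the forwarded server and port keeps real client addresses in the logs of everything else on the LAN. With several WAN links the forwarded connection's replies must also leave through the link they arrived on, which needs connection marking in mangle and is outside this block.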
by ivicask
Mon Dec 31, 2018 10:17 pm
Forum: Scripting
Topic: pppoe status script [SOLVED]
Replies: 7
Views: 551

Re: pppoe status script [SOLVED]

this is not helping because I have more than 80 pppoe-out1-80, so any one disconnect will disconnect all. Create several profiles for each PPPoE with the matching PPPoE name inside; you can easily automate adding them via the command line.. Or someone with a bit of scripting knowledge could make you a script which loops...
by ivicask
Mon Dec 31, 2018 10:09 pm
Forum: General
Topic: Why (not) use Hairpin NAT
Replies: 14
Views: 775

Re: Why (not) use Hairpin NAT

Now I have set in my RDC connection file the public DNS name with ports matching which server I wanna access: blablab.dyndns.org:3000 blablab.dyndns.org:4000 blablab.dyndns.org:5000 I see that could be a problem. But I would not have done it this way. For what do you need to pay for dyndns.org each year to...
by ivicask
Mon Dec 31, 2018 9:30 pm
Forum: General
Topic: Why (not) use Hairpin NAT
Replies: 14
Views: 775

Re: Why (not) use Hairpin NAT

server0.home.com 192.168.10.50
server1.home.com 192.168.10.51
server2.home.com 192.168.10.52
server3.home.com 192.168.10.53
server4.home.com 192.168.10.54
server5.home.com 192.168.10.55
server6.home.com 192.168.10.56
server7.home.com 192.168.10.57
server8.home.com 192.168.10.58
server9.home.com 192...
by ivicask
Mon Dec 31, 2018 9:06 pm
Forum: General
Topic: Why (not) use Hairpin NAT
Replies: 14
Views: 775

Re: Why (not) use Hairpin NAT

Use internal DNS. When someone on the internet asks for your server web.myserver.com on internal IP 192.168.10.50 he asks a public DNS and gets IP 85.12.134.20 (sample IP). Then when you are on the internal net, you will use the DNS server you get from your DHCP server. That should not be Google or o...
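Added example, written for this page and not part of the thread: split-horizon DNS on the router, the alternative to hairpin NAT that the quoted reply describes. It reuses the thread's host names and 192.168.10.0/24; the router address 192.168.10.1, the WAN interface ether1 and the LAN interface LAN are assumptions.

```routeros
# Added example, not the thread's config. Router address and interface names are assumptions.

# let the router answer queries from the LAN (and only from the LAN: see the filter below)
/ip dns set allow-remote-requests=yes

# one internal name per internal host. An A record carries no port, which is why
# "one name, three ports, three hosts" cannot be expressed with DNS alone.
/ip dns static
add name=server0.home.com address=192.168.10.50
add name=server1.home.com address=192.168.10.51
add name=server2.home.com address=192.168.10.52

# hand the router out as the resolver so LAN clients get the internal answers
/ip dhcp-server network set [find address="192.168.10.0/24"] dns-server=192.168.10.1

# a client that hard-codes 8.8.8.8 would still get the public answer; redirect plain
# port-53 queries from the LAN to the router itself (UDP and TCP)
/ip firewall nat
add chain=dstnat in-interface=LAN protocol=udp dst-port=53 action=redirect to-ports=53
add chain=dstnat in-interface=LAN protocol=tcp dst-port=53 action=redirect to-ports=53

# allow-remote-requests=yes makes the router a resolver for whoever can reach port 53,
# so drop DNS on the WAN side or you are running an open resolver
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop place-before=0
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop place-before=0

# verify: internal answer on the router / from a LAN host, public answer from outside
:put [:resolve server0.home.com]
```

The redirect does nothing for clients that resolve over DNS-over-HTTPS or DNS-over-TLS; they keep getting the public address and, without hairpin NAT, cannot reach the service from inside.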
by ivicask
Mon Dec 31, 2018 8:50 pm
Forum: General
Topic: Why (not) use Hairpin NAT
Replies: 14
Views: 775

Re: Why (not) use Hairpin NAT

I agree with the quoted comment by thirdstreetzero. Just think about going IPv6 ... no NAT there. So hairpin NAT really is an obscure solution to a specific problem ... and the use case of @ivicask is just further exaggerated misuse. Quite a few times people requested a full-featured DNS server for ROS ... and...
by ivicask
Mon Dec 31, 2018 11:55 am
Forum: General
Topic: Why (not) use Hairpin NAT
Replies: 14
Views: 775

Re: Why not use Hairpin NAT

Not sure what your post means? Why not to use? Anyways, with DNS you can only do a single internal host; if you need multiple IPs to work with a DNS name inside your network you simply must use hairpin. For example how would you access 3 different IPs via a DNS name? If you add a static entry for like mydomain.dyn...
by ivicask
Thu Dec 27, 2018 4:21 pm
Forum: Wireless Networking
Topic: LHG 60G experience
Replies: 449
Views: 33636

Re: LHG 60G experience

What do you expect more if you bond 5 GHz+60 GHz? Anyway there is a 1 Gbps Ethernet port, I don't get your idea (: My point: just to get ANY connection during bad weather, okay let it be at least 100 Mbps for snowfall or heavy rain, so the customers would not fuck up to red our phones :) What if you go a...
by ivicask
Thu Dec 27, 2018 11:20 am
Forum: Wireless Networking
Topic: LHG 60G experience
Replies: 449
Views: 33636

Re: LHG 60G experience

Yes, LHG60 is great hardware; with improved distance and 5 GHz backup it'll be a must for 2019, waiting for more info
I wonder if it's only backup failover, or you can aggregate 2 links 60+5 GHz at the same time for bigger throughput along with instant failover.
by ivicask
Sat Dec 08, 2018 10:48 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Crowd Funding of v7
Replies: 32
Views: 3908

Re: Crowd Funding of v7

What do you mean with queue "parallelization"? Each parent queue already works on a separate CPU core in v6. Really? Because when I asked support why my RB750Gr3 can't route more than 150 Mbit of traffic with queues and a single core gets stuck at 100% while the router's other cores aren't going even over 50%, I w...
by ivicask
Mon Dec 03, 2018 3:00 pm
Forum: Announcements
Topic: Tik App, MikroTik android utility ALPHA test
Replies: 367
Views: 122275

Re: Tik App, MikroTik android utility ALPHA test

I wonder if it's possible to add some kind of bandwidth test into this app? So I can quickly test actual Wi-Fi performance from the router to my phone directly; it would be the most useful thing ever.
by ivicask
Thu Nov 29, 2018 2:01 pm
Forum: General
Topic: QoS and Firewall Mangle questions [SOLVED]
Replies: 2
Views: 182

Re: QoS and Firewall Mangle questions [SOLVED]

Check if you have a fasttrack rule in the firewall; disable it.
by ivicask
Thu Nov 22, 2018 9:27 am
Forum: General
Topic: QOS not working with file hosting sites like Megaupload
Replies: 16
Views: 706

Re: QOS not working with file hosting sites like Megaupload

I'm leaving some reserved bandwidth for DNS and some other small packets, and also downloads get grouped under another parent which has a limit a bit below my total download speed; this way it doesn't saturate the download and gives time for the queues to drop packets so everything works smoothly. If you like I ...
by ivicask
Wed Nov 21, 2018 8:06 pm
Forum: General
Topic: Why blacklist burteforcers VS just dropping the ports/service?
Replies: 7
Views: 416

Re: Why blacklist burteforcers VS just dropping the ports/service?

If you have drop rules that simply drop packets to ports/services you do not use like SSH, FTP, Telnet, WinBox, etc... what is the advantage of creating a timed blacklist and dropping that? Is it to gain the logs and perform further action? If you have the IP/services turned for all those is there...
by ivicask
Wed Nov 21, 2018 5:34 pm
Forum: General
Topic: Queue Trees, CPU Utilization and Watchdog reboots
Replies: 12
Views: 774

Re: Queue Trees, CPU Utilization and Watchdog reboots

If these reboots are just because the router is slow to respond due to high CPU load, but does respond, you could disable the watchdog for the time being... I did that, then the router froze and was not accessible for 5 mins until I force rebooted it via power; it still did switch traffic to my access point con...
by ivicask
Wed Nov 21, 2018 5:28 pm
Forum: General
Topic: Why blacklist burteforcers VS just dropping the ports/service?
Replies: 7
Views: 416

Re: Why blacklist burteforcers VS just dropping the ports/service?

If you have drop rules that simply drop packets to ports/services you do not use like SSH, FTP, Telnet, WinBox, etc... what is the advantage of creating a timed blacklist and dropping that? Is it to gain the logs and perform further action? If you have the IP/services turned for all those is there...
by ivicask
Wed Nov 21, 2018 8:39 am
Forum: General
Topic: QOS not working with file hosting sites like Megaupload
Replies: 16
Views: 706

Re: QOS not working with file hosting sites like Megaupload

I'm leaving some reserved bandwidth for DNS and some other small packets, and also downloads get grouped under another parent which has a limit a bit below my total download speed; this way it doesn't saturate the download and gives time for the queues to drop packets so everything works smoothly. If you like I c...
by ivicask
Wed Nov 21, 2018 12:32 am
Forum: General
Topic: QOS not working with file hosting sites like Megaupload
Replies: 16
Views: 706

Re: QOS not working with file hosting sites like Megaupload

add action=mark-connection chain=postrouting comment=DOWNLOADS_5+MB connection-bytes=5000000-0 new-connection-mark=HTTP_DOWNLOADS_5+_2 passthrough=yes port=80,443,8080 protocol=tcp
add action=mark-packet chain=postrouting connection-mark=DOWNLOADS_5+_2 new-packet-mark=HTTP_DOWNLOADS_5+ passthr...
by ivicask
Tue Nov 20, 2018 10:14 pm
Forum: General
Topic: QOS not working with file hosting sites like Megaupload
Replies: 16
Views: 706

Re: QOS not working with file hosting sites like Megaupload

You using that download manager of theirs? I downloaded a lot from Mega through the browser directly these days and it goes properly through my queue for large downloads, simple mangle of ports 443,80,8080 and bytes set to 5+ MB.
by ivicask
Tue Nov 20, 2018 6:16 pm
Forum: General
Topic: Queue Trees, CPU Utilization and Watchdog reboots
Replies: 12
Views: 774

Re: Queue Trees, CPU Utilization and Watchdog reboots

I actually have the same issue with the exact same router, got 3 random watchdog reboots so far in the past 10 days, but this is the first time it has ever happened to me, since the latest update (44beta28), but I didn't have much time to debug it or change versions..
by ivicask
Mon Nov 12, 2018 10:22 am
Forum: Announcements
Topic: Newsletter 85
Replies: 31
Views: 8333

Re: Newsletter 85

And more LTE products with old and slow Cat4 modems... I don't understand how anyone can even get more than 100 Mbit from this; I can't get more than 30 Mbit sitting next to the tower, while anything else from a super old mobile phone (6-7 years) to 2x cheaper routers achieves at least 2x the speed if not more.. Why...
by ivicask
Mon Nov 05, 2018 3:00 pm
Forum: General
Topic: Need help with VPN routing
Replies: 0
Views: 149

Need help with VPN routing

So I'm preparing one CRC router for my customer, and I want to make a separate DHCP pool for VPN users. And this does work without problem unless I un-tick the "use default gateway on remote network" under the VPN profile under Windows; then I can't ping between subnets anymore. But if I don't untick this opti...
by ivicask
Thu Oct 25, 2018 10:06 am
Forum: General
Topic: Port Scan Drop ?
Replies: 6
Views: 453

Re: Port Scan Drop ?

An attacker can't use a spoofed IP for scanning because such results wouldn't make it back to him (unless he is your ISP and all your traffic passes through him). A spoofed IP is used mostly for (D)DoS attacks where you don't care about the response or where you want the response to be sent to someone else on pu...
by ivicask
Wed Oct 24, 2018 3:01 pm
Forum: General
Topic: Port Scan Drop ?
Replies: 6
Views: 453

Re: Port Scan Drop ?

Best practice says you should drop all unknown input; there's no need to make rules specifically for port scanners. Yea, but then an attacker can scan for ports and for example find my non-standard RDP port and then do further attacks on it; this way he gets an IP block for port scan attempts and he does...
by ivicask
Fri Sep 28, 2018 12:15 pm
Forum: General
Topic: something is wrong with my DNS resolving...
Replies: 8
Views: 452

Re: something is wrong with my DNS resolving...

https://i.imgur.com/xjwAmyu.jpg My DNS settings look OK to me, I did not make any changes for years. This problem occurred yesterday without any modification from my side. I also noticed an unauthorized attempt to log in into my router viewtopic.php?f=2&t=139702 My current suspicion is that someone m...
by ivicask
Sat Sep 22, 2018 8:40 pm
Forum: General
Topic: restore back to identical devices never works :(
Replies: 28
Views: 1181

Re: restore back to identical devices never works :(

At the very least, we should be able to import a backup into another device of the same model and RoS/bootloader version. Certificates, users and all. I think that is working. But in practice it is not enough. E.g. I have 2 installs of CCR1009-8G-1S-1S+ which when broken is no longer available and would...
by ivicask
Tue Sep 18, 2018 6:11 pm
Forum: General
Topic: Port 60000 attacks, anyone info on this?
Replies: 11
Views: 616

Re: Port 60000 attacks, anyone info on this?

I'm seeing them too. From two different routers:
[admin@MikroTik] > /log print count-only where message~":60000->"
6
and
[admin@MikroTik] > /log print count-only where message~":60000->"
14
They are stealth in the sense that they avoid typical blacklisting attempts; just a few contacts per hour com...
by ivicask
Tue Sep 18, 2018 4:46 pm
Forum: General
Topic: Port 60000 attacks, anyone info on this?
Replies: 11
Views: 616

Re: Port 60000 attacks, anyone info on this?

... I was just wondering if anyone else is getting probed via this port, as it seems I'm catching this on several locations and I'm not 100% sure what to do about it. Could be, but I don't notice as I have a general drop rule at the end of the firewall rules list. It does show an increasing number of connection...
by ivicask
Tue Sep 18, 2018 4:33 pm
Forum: General
Topic: Port 60000 attacks, anyone info on this?
Replies: 11
Views: 616

Re: Port 60000 attacks, anyone info on this?

... I was just wondering if anyone else is getting probed via this port, as it seems I'm catching this on several locations and I'm not 100% sure what to do about it. Could be, but I don't notice as I have a general drop rule at the end of the firewall rules list. It does show an increasing number of connection...
by ivicask
Tue Sep 18, 2018 4:29 pm
Forum: General
Topic: Port 60000 attacks, anyone info on this?
Replies: 11
Views: 616

Re: Port 60000 attacks, anyone info on this?

I don't get it, why would anybody want to allow connections to some random port (3389 is as nice a random number as any other between 0 and 65536) from the internet at large? Your firewall rule is not complete ... an attacker can easily change the source port to some other and your rule won't catch anything. I g...
by ivicask
Tue Sep 18, 2018 4:16 pm
Forum: General
Topic: Port 60000 attacks, anyone info on this?
Replies: 11
Views: 616

Re: Port 60000 attacks, anyone info on this?

I don't get it, why would anybody want to allow connections to some random port (3389 is as nice a random number as any other between 0 and 65536) from the internet at large? Your firewall rule is not complete ... an attacker can easily change the source port to some other and your rule won't catch anything. I g...
by ivicask
Tue Sep 18, 2018 11:45 am
Forum: General
Topic: Port 60000 attacks, anyone info on this?
Replies: 11
Views: 616

Port 60000 attacks, anyone info on this?

After recently one of our servers got hacked over RDC and got a cryptolocker, I noticed there are frequent port 60000 TCP to 3389 and also other random port attempts. After a bit of googling it says that port 60000 is the "deepthroat" trojan attack port. For now I added a firewall rule to catch all source port 60000 ...
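Added example, written for this page and not the rule from the post: a default-deny input and forward chain that still records the probes, so the pattern the thread is about (TCP source port 60000 to 3389) stays visible without relying on the source port, which the attacker can change at will. The interface lists WAN and LAN, the address-list name wan-probes and the log prefix are assumptions.

```routeros
# Added example, not the thread's rule. Interface lists and list/prefix names are assumptions.
/ip firewall filter
# input chain: the router answers established/related traffic and the LAN, nothing else
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=LAN action=accept comment="management from LAN only"
# visibility before the drop: every unsolicited new connection from the WAN lands in a
# timed list and in the log, whatever source port it used; the log line still carries
# src:port->dst:port, so the ":60000->" search from this thread keeps working
add chain=input in-interface-list=WAN connection-state=new \
    action=add-src-to-address-list address-list=wan-probes address-list-timeout=1d \
    log=yes log-prefix="WAN-PROBE"
add chain=input action=drop comment="default deny"

# forward chain: nothing from the WAN reaches the LAN unless a dst-nat rule created it
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=WAN connection-state=new connection-nat-state=!dstnat \
    action=drop comment="no unsolicited inbound"

# With no dst-nat rule for tcp/3389, a SYN to the public address on 3389 is traffic for
# the router itself: it hits the wan-probes rule in the input chain and is then dropped.
# Reach RDP over a VPN instead of publishing it. Review the probes as in the thread:
/log print count-only where message~":60000->"
/ip firewall address-list print where list=wan-probes
```

The list is for review, not for blocking: a source that shows up a few times an hour from changing addresses (the "stealth" pattern described later in the thread) is exactly the case where a source-port or per-IP blacklist rule adds nothing that the default deny does not already give you.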
by ivicask
Mon Sep 17, 2018 1:17 pm
Forum: General
Topic: How to remotely administer Mikrotik routers in safeway
Replies: 19
Views: 950

Re: How to remotely administer Mikrotik routers in safeway

Hello. As we all know it's very important how to configure the firewall and services on our MikroTik routers. A lot of us are using WinBox for remote administration because it's easiest; changing the port from 8021 to any other doesn't raise the security level. So the next step is to use SSH but I read that I can't fo...
by ivicask
Fri Sep 14, 2018 4:26 pm
Forum: Beginner Basics
Topic: Is it possible make queue tree under simple queue
Replies: 5
Views: 1203

Re: Is it possible make queue tree under simple queue

Why not create a new PCQ queue with the desired limits, but a bit above the burst limits, and set this queue on the hotspot interface; it should smooth out browsing while downloading.
by ivicask
Tue Aug 28, 2018 10:42 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 558
Views: 96050

Re: v6.43rc [release candidate] is released!

I can't update CCR1009-7G-1C from 6.43rc51 to 6.43rc64; I click check for updates, download&install, and after reboot I still have the old version. Tried also manually downloading the file and putting it into root and rebooting, same thing. EDIT: I figured it out, I had the other router package so it failed to select pro...
by ivicask
Sun Aug 05, 2018 7:07 pm
Forum: Wireless Networking
Topic: High Ping on 2.4GHz
Replies: 12
Views: 925

Re: High Ping on 2.4GHz

I often have this problem with 2.4 GHz, where it's unusable, without any close networks to interfere; what helps a lot is to set the mode to G/N, or only N if you don't need backward compatibility.
by ivicask
Sat Aug 04, 2018 10:55 am
Forum: Wireless Networking
Topic: Caps selecting same channel
Replies: 30
Views: 4895

Re: Caps selecting same channel

Anything new on this topic? CAPsMAN still uses the same frequency for all 5 GHz radios on my hAP ac devices regardless of any configuration I might try. There is only one setup that works: in case I DON'T set any frequencies AND uncheck "skip DFS channels" I end up having different channels on my r...
by ivicask
Mon Jul 09, 2018 12:40 pm
Forum: Beginner Basics
Topic: SSID for kids Zone with OpenDNS
Replies: 14
Views: 1042

Re: SSID for kids Zone with OpenDNS

Hi, I haven't got a different DHCP server for each SSID because I couldn't create one. Couldn't add new DHCP server - can not run on slave interface (6). Sorry to be dumb but this is my debut with RouterBOARD OS. I think that having a different DHCP server for each SSID is the way I'd like to go for...
by ivicask
Mon Jul 09, 2018 12:15 pm
Forum: Beginner Basics
Topic: SSID for kids Zone with OpenDNS
Replies: 14
Views: 1042

Re: SSID for kids Zone with OpenDNS

Hi, I managed to create multiple SSIDs in my house. One of the SSIDs is for my children and their friends (9 years old). The idea of having multiple SSIDs was to be able to control the content on the kids' Wi-Fi using OpenDNS. So far, I haven't managed to figure out how to set DNS per SSID so that my ma...
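Added example, written for this page and not the poster's configuration: a second SSID with its own bridge, subnet and DHCP server so that only its clients get the OpenDNS FamilyShield resolvers, which is the "DNS per SSID" the two posts above are after. The radio name wlan1, the bridge/subnet names, 192.168.88.0/24 as the main LAN and the pre-shared-key placeholder are assumptions. The DHCP server is attached to the bridge, not to the wireless interface that is a bridge port, which is what the "can not run on slave interface" error refers to.

```routeros
# Added example, not the thread's config. Interface names, subnets and the PSK are assumptions.

/interface wireless security-profiles
add name=kids mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="CHANGE-ME-kids-psk"

# second SSID as a virtual AP on the existing radio wlan1
/interface wireless
add name=wlan-kids master-interface=wlan1 ssid=Kids mode=ap-bridge \
    security-profile=kids disabled=no

# its own L2 segment: the DHCP server must live on the bridge, not on the slave port
/interface bridge add name=br-kids
/interface bridge port add bridge=br-kids interface=wlan-kids

/ip address add address=192.168.20.1/24 interface=br-kids
/ip pool add name=kids-pool ranges=192.168.20.10-192.168.20.200
/ip dhcp-server add name=dhcp-kids interface=br-kids address-pool=kids-pool disabled=no
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.1 \
    dns-server=208.67.222.123,208.67.220.123 comment="OpenDNS FamilyShield"

# a child who types 8.8.8.8 into the phone's DNS settings bypasses the filter: force
# plain port-53 queries from this subnet to OpenDNS regardless of what was asked for
/ip firewall nat
add chain=dstnat src-address=192.168.20.0/24 protocol=udp dst-port=53 \
    action=dst-nat to-addresses=208.67.222.123 to-ports=53
add chain=dstnat src-address=192.168.20.0/24 protocol=tcp dst-port=53 \
    action=dst-nat to-addresses=208.67.222.123 to-ports=53

# keep the kids' segment away from the main LAN (adjust 192.168.88.0/24 to yours)
/ip firewall filter
add chain=forward src-address=192.168.20.0/24 dst-address=192.168.88.0/24 \
    action=drop comment="kids -> main LAN"

# check: a client on the Kids SSID gets a 192.168.20.x lease and the OpenDNS resolvers
/ip dhcp-server lease print where server=dhcp-kids
```

Outbound traffic from 192.168.20.0/24 still needs the existing masquerade rule on the WAN interface; if that rule is limited with src-address, add the new subnet to it. The port-53 redirect does not affect clients that resolve over DNS-over-HTTPS, so the filtering is a convenience for young children rather than an enforcement boundary.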