MikroTik

Pea

In 2013 I thought it would be good idea to implement this function.
In 2020 I would not trust that, I would never run that, I feel happy that this was never implemented.

Pea

https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

Pea

If you configured Cloudflare DoH then check here:
https://1.1.1.1/help

Pea

Just try with this one:

Pea

Why do you import all 138 CA certificates? Isn't it better do import only the one needed?

Pea

For the wireless link you can look for mesh setup example here:
viewtopic.php?f=13&t=144649#p711777

Or search for station-bridge, this should work similar.

Pea

Example how to use: 1) Paste this input with emoji into generator https://r-1.ch/mikrotik-unicode-ssid-generator.php: I❤MikroTik 2) You will get this output: /interface wireless set [find name="wlan1"] ssid="\49\E2\9D\A4\4D\69\6B\72\6F\54\69\6B" 3) Paste this code into terminal in winbox (edit inter...

Pea

Just write it down normally into the generator, no comma necessary. Try my examples for a test.
You can use few emojis within one ssid (up to 32 bytes, one emoji is up to 4 bytes).
U+1FE8 (Ῠ) is not emoji, that's why it is not translated by Android/iOS/Windows10 into emoji picture.

Pea

Didnt work at all.

You must change it via terminal, you cannot do it in winbox wireless settings.
Which client you used to see the emoji ssid?

Note: U+1FE8, U+1FE9 are not emoji characters...

Pea

just tested with 6.47.1 and all fine

/interface wireless set [find name="wlan1"] ssid="\F0\9F\90\8C\F0\9F\98\88\F0\9F\92\A9"

https://r-1.ch/mikrotik-unicode-ssid-generator.php
https://unicode.org/emoji/charts/full-emoji-list.html (copy from "Browser" column)

Pea

Client device's Wi-Fi data rate will not exceed 54 Mbps when wired equivalent privacy (WEP) or temporal key integrity protocol (TKIP) encryption is configured. The IEEE* 802.11n prohibits using high throughput with WEP or TKIP as the unicast cipher. If you use these encryption methods, your data rat...

Pea

Does the problem with sectors writes solved?

No problem for me, simple home setup.

Pea

Thank you, I didn't know that page 42 describes the God mode universal password and secret port 666. But it has scary side effects when used by troll!

Pea

Don't feed the troll!

Pea

Troll Dantealighieri detected. Don't feed the troll!

Pea

You can also do tests with SFP VDSL2 module, e.g. https://www.proscend.com/en/product/VDS ... 180-T.html But no promises

Bridged modem or terminator from your provider will be likely the best anyway...

Pea

I can confirm that cloudflare https://1.1.1.1/dns-query works perfectly only with root cert "DigiCert Global Root CA".

Pea

Why do you think ROS is the cause for battery drain? This can be coincidence only.
Please do not forget that Google pushes several updates to your phone which can cause higher consumption and usually are fixed by new updates.

Pea

Congratulations, you have no firewall

Who did this?
Seeing the rest I recommend to start again with the default as proposed by anav. Then study documentation or ask here or follow the wiki advise (see second post).

Pea

Sorry but router wan port fully open to internet without firewall filtering is naive and seriously wrong. Even Mikrotik strongly suggest to keep at least default firewall on. Disabled or limited services are fine till new exploit comes...

Pea

NO!
Show your firewall setup first.

And follow these instructions:
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

Pea

Probably smaller chip was not available for production so 256MB was used temporarily. I have one with 256MB

Anyway 128MB is enough for usual use.

Pea

We need more people to contribute to this Cloudflare thread I created about DoH issues: https://community.cloudflare.com/t/cloudflares-doh-request-is-being-rejected-dropped-when-request-is-sent-from-a-mikrotik-routeros-device/184158/6 It is probably only your ISP or setup issue, we are using DoH Cl...

Pea

remove all those certificates and use just this one:

/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=””

Pea

This is the only one and it is fine for simple use:
https://play.google.com/store/apps/deta ... oid.tikapp

Pea

Sorry but you - network admin - are the one who is responsible.
Do not blame others for your fault.
(I do not deny there are bugs, but testing for your network setup is your job)

Pea

What is default antenna-gain for wap ac and cap ac ? Because i cannot set even regulatory domain on my routers. In documentation written 0 is default but if i set 0 then it is not possible to set regulatory domain. https://mikrotik.com/product/RBwAPG-5HacT2HnD https://mikrotik.com/product/cap_ac an...

Pea

Is your client really using your router as DNS?

Pea

Probaly problem with your connection, but likely these short time errors you will not notice for normal use. You can also do DoH verification: /tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem /certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=”” /ip dns se...

Pea

No passphrase needed for this root CA cert. And no other DNS needed when you use this Cloudflare url "https:// 1.1.1.1 /dns-query" as it contains ip which is also included within the certificate. /tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem /certificate import file-name=...

Pea

where did you get the "the proper root cert for cloudflare-dns.com" ? Richard This is all you need: /tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem /certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase="" /ip dns set use-doh-server=https://1.1.1.1/dns-query...

Pea

RouterOS v7 limited beta:
viewtopic.php?f=1&t=152003

Pea

Prague
The street where usually walks 1 million people a day. How does it look like now with the current situation? Join us for this lonely video-tour to see the city centre without tourists.
https://youtu.be/XaBdIyE093A

Pea

Client device's Wi-Fi data rate will not exceed 54 Mbps when wired equivalent privacy (WEP) or temporal key integrity protocol (TKIP) encryption is configured. The IEEE* 802.11n prohibits using high throughput with WEP or TKIP as the unicast cipher. If you use these encryption methods, your data rat...

Pea

Yes, happy to help. It is really honest and fun too.
I would love if something similar would anyone do for countries/cities I am visiting

viewtopic.php?f=21&t=154244&p=762403#p762403

Pea

Cool, MUM in Prague will be BIG event at excellent place! Note, as in any other "tourist popular" city there are waiting for you some tourist traps which could ruin your experience. Check few HONEST GUIDE: PRAGUE short clips here to be smarted and prepared and get honest advice for places to visit :...

Pea

Backup your config.
Reset to default an test.
If everything is ok then track which part of your config is causing the issue.

Pea

Maybe this:
Old API authentication method will also no longer work, see documentation for new login procedure:
https://wiki.mikrotik.com/wiki/Manual:API#Initial_login

Pea

Many DHCP leases? Try:

/ip dhcp-server config set store-leases-disk=never

Edit: I see you have this already, so it must be something else...

Pea

Probably power related, if you have - try another power adapter or PoE to confirm the cause.

Pea

Why do you think someone hacked in?
Your log shows only failed logins due to your poor firewall. You should rethink your firewall and running services.

Pea

Warning: Queues (except Queue Trees parented to interfaces), firewall filter and mangle rules will not be applied for FastTracked traffic. https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack If you want to process the traffic fast then you cannot apply to it any CPU intensive processing, it is that s...

Pea

Try this, works perfectly: On your main Mikrotik router (C DHCP SERVER) /interface wireless set mode=ap-bridge ssid=YOUR-SSID wds-default-bridge=bridge-local wds-mode=static-mesh /interface wireless wds add disabled=no master-interface=wlan1 wds-address=xx.xx.xx.xx.xx.xx (wifi MAC of remote Mikrotik...

Pea

This is to accept CAP from the same board where runs CAPsMAN.

Pea

Replace the cable.

Pea

Move the specific MAC rule in the provisioning list on top.

Pea

https://i.mt.lv/cdn/rb_files/PWR-line-190410141212.pdf The PWR-Line is a replacement power adapter for your microUSB powered MikroTik router. It’s compatible with all the latest microUSB powered devices made by MikroTik, a simple software upgrade to v6.44+ enables this feature (supported by the ment...

Pea

I usually buy hw in shops

Google for: MikroTik PWR-LINE PL7400

Pea

Try searching for "PoE web ethernet temperature sensor" instead or similar ready solutions.

Pea

Yes, this is correct, you can buy new PWR-LINE adapter, all details here:
https://i.mt.lv/cdn/rb_files/PWR-line-190401111404.pdf

Pea

Did you try /interface wireless station-roaming enabled? Station Roaming feature is available only for 802.11 wireless protocol and only for station mode s. When RouterOS wireless client is connected to the AP using 802.11 wireless protocol it will periodically perform the background scan with speci...

Pea

This is not a bug, it tells you that you must install DHCP package now, read carefully the change list:
*) upgrade - made security package depend on DHCP package

Pea

I do not know if this is the best, but it is reliable and simple wireless connection with Mikrotik on both ends: On your Mikrotik AP_01: /interface wireless set mode=ap-bridge ssid=YOUR-SSID wds-default-bridge=bridge-local wds-mode=static-mesh /interface wireless wds add disabled=no master-interface...

Pea

*) capsman - always accept connections from loopback address; Hi, I tested but I still need input firewall rule to accept router IP to get working CAP on the same board as CAPsMAN: /ip firewall filter add action=accept chain=input protocol=udp dst-address="router IP" src-address="router IP" /caps-ma...

Pea

We're in 2019 and mobile operators sell 50GB/month for 5€, who needs hotspots anymore?

And which mobile operators?

Czech Vodafone 50GB for about 97€/month

Pea

1) Do not use space in SSID, do "ScottsTest" or "Scotts-Test" (iOS devices had problem with space in SSID, this could be the case) 2) try band=5ghz- a/n/ac 3) try authentication-types=wpa 2 -psk and mode=dynamic-keys 4) try preamble-mode= both or reset wireless to default and then connect and only t...

Pea

1) update RouterOS
2) your firewall is open and wrong on input chain
3) rework your firewall in style: accept only needed, drop all else

Or do "/ip firewall export" or better "/export hide-sensitive" and post here for advises (screenshot is not sufficient)

Pea

1) The Band/Frequency will be different in both configurations 2) The Hw. Supported Modes (you can use gn for 2.4GHz or ac for 5GHz) and Master Configuration will be different in both provisionings Based on those provisioning rules will CAPsMAN send correct configuration to CAP interface. Example: /...

Pea

Make 2 configurations (2.4 and 5GHz) for 2 provisioning rules with different hw-supported-modes=

Pea

Push-button WPS seems secure, but the vulnerability being that anyone with physical access to the AP could push the button and connect, even if they didn't know the Wi-Fi pass.

Pea

You need to define which interface to set:

/interface wireless set wlan1 wps-mode=push-button

Recommendation: Do not use insecure WPS and keep it disabled.

Pea

For home use with public IP you normally get few thousands hits per month.
Try instead of your final drop rule use this reject rule and see if hits get reduced after time:

add action=reject chain=input reject-with=icmp-admin-prohibited

Pea

Always use latest version, only for specific needs:
https://download.mikrotik.com/routeros/ ... winbox.exe

Pea

I never had roaming station on WDS link.
But I guess it should be possible to set AP with wds-mode=dynamic-mesh which allows WDS links with devices (mode=station-wds) by creating required entries dynamically.

Pea

Maybe this helps:

/interface wireless info country-info japan

Pea

Connect your hAPlite by WDS to your router. Then all should work the same as cable connection.

Pea

/ip dhcp-server lease add address=10.0.0.1 mac-address=XX:XX:XX:XX:XX:XX ... /ip firewall address-list add address=10.0.0.1 list="my known devices" ... /ip firewall nat add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address-list="my known devices" to-addresses=1.1.1.1 add action=dst-n...

Pea

Yes, these are 2 different things:
1) RouterOS update - go to "System/Packages" menu, click on "Check for Updates"
2) Firmware (bootloader) upgrade - go to "System/Routerboard" menu and click "Upgrade"
The version number of Router OS and Firmware is synchronised now.

Pea

1. Do not open SSH and Winbox to wild internet (use e.g. address list, VPN, port knock)
2. Use Fast track for better throughput https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack
3. Consider router upgrade

Pea

viewtopic.php?f=2&t=139351&p=707934#p707934

Pea

*) All tests are done with Xena Networks specialized test equipment (XenaBay),and done according to RFC2544 (Xena2544) Max throughput is determined with 30+ second attempts with 0,1% packet loss tolerance in 64, 512, 1518 byte packet sizes Test results show device maximum performance, and are reache...

Pea

Black tape is your friend to reduce LED brightness of whatever anytime

Pea

RB951G-2HnD: https://mikrotik.com/product/RB951G-2Hn ... estresults
hAP ac²: https://mikrotik.com/product/hap_ac2#fndtn-testresults

Pea

Maybe Fasttrack rule missing in your firewall?
https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack

/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related
/ip firewall filter add chain=forward action=accept connection-state=established,related

Pea

Your firmware is already upgraded. Move on.

Pea

Did you change this?

You need to use Station pseudo bridge

Pea

Factory Firmware is what was originally loaded at factory. You can ignore this. Installed version is under Current Firmware.

Pea

IMHO it's not illegal to change a MAC address.
It's only illegal to change a MAC address to do something illegal.

Pea

Both options are possible, but this is my point of view: 2.4GHz indoor PtP: will reach longer distance and through more obstacles, only one 2.4GHz channel occupied by the link 5GHz indoor PtP: better throughput, but on longer distance or more walls weak signal, two 2.4GHz channels occupied by APs fo...

Pea

local-forwarding=no => the interface is part of bridge on the CAPsMAN, the interface shows as disabled on CAP
local-forwarding=yes => the interface stays as part of bridge on the CAP

Pea

First connect by laptop and login with username and password.
Then change your Mikrotik wlan1 MAC to your laptop MAC.
And then try to connect your Mikrotik as client to the wifi network.

Pea

For best performance I recommend to connect both by Ethernet cable if somehow possible.
Or upgrade to dual band routers and use 2.4GHz only to connect both wirelessly and use the 5GHz for wifi sharing.

Pea

Did you read the website briefly?
There is no reason to worry if you are an Internet user without your own domain name. This change is affecting you only indirectly and you do not need to take any other steps.

Pea

Try this:

Create a new configuration for the VirtualAP

Specify the new configuration in Provisioning rule as Slave configuration

Remove all CAP interfaces

Initiate Manual Provisioning on all the CAPs

Pea

Did you try to reset to factory default and test? What was the result?
You are connected via 2.4GHz or 5GHz?
Did you try to change channel?

Pea

Remote device keep on auto, it will act as client and take frequency from AP. If you do not have any 802.11b only device (and you probably don't) try this: /interface wireless set band=2ghz-g/n channel-width=20mhz bridge-mode=disabled country="your country" distance=indoors frequency-mode=regulatory...

Pea

https://youtu.be/rnMy_ffvskQ?t=239

Pea

Sure, WPA2-PSK as security profile and optionally disable PMKID. Simplified description: Run your secured WiFi normally on your router, add settings for WDS, add static WDS interface with MAC of second device. On other device start without any setup. Add bridge and DHCP client on bridge. Add securit...

Pea

You can use your wlan1 as WAN port and wireless mode station-pseudobridge on remote Mikrotik. Do not forget to synchronise time of remote device. Or below is what I use reliably with Mikrotik on both ends: On your Mikrotik router /interface wireless set mode=ap-bridge ssid=YOUR-SSID wds-default-brid...

Pea

Use manually non DSF channel (5200, 5220 or 5240). Problem solved.

Pea

You can try latest ROS beta which likely do not need below workaround anymore (I did not test this yet): *) capsman - always accept connections from loopback address; Otherwise this should fix it: /capsman manager interface set [find default=yes] forbid=no add forbid=yes interface=(here put interfac...

Pea

The CAPsMAN takes care about wifi1 and/or wifi2 interfaces only. The rest of functionality and interfaces you can use and configure as you like.

Pea

3) The worst: this is not documented anywhere besides user forums (it should be on CAPsMan manual to prevent people be fighting hours with something that isn´t going to work) https://wiki.mikrotik.com/wiki/Manual:Simple_CAPsMAN_setup#CAP_in_CAPsMAN But I agree that having firewall rule for CAP on C...

Pea

forgot to mention that this is one room condition - both phones, laptop and router are in one room max 3m away.

Ideal situation. Why you even use 2.4GHz? Stay with 5GHz only and problem solved.

Pea

This depends on your firewall rules. By default this is filtered.

Pea

Other option would be to setup different SSID for 5GHz. And never connect phone to your 2.4GHz

Pea

redirect - replaces destination port of an IP packet to one specified by to-ports parameter and destination address to one of the router's local addresses

Pea

The 802.11n prohibits using high throughput with WEP or TKIP as the unicast cipher. If you use these encryption methods (for example, WEP, WPA-TKIP), your data rate will drop to 54 Mbps.
Use only WPA2-AES for full 802.11n speed.

Pea

For standard home use you can remove safely all files and folders from File List
(flash folder cannot be removed but all sub folders yes)

Pea

There should be <1ms for ping even over wifi. What are you getting?

Pea

try to reboot first to clean some memory...

Pea

When processing a chain, rules are taken from the chain in the order they are listed there from top to bottom. If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is the passthrough action). If a pac...

Pea

Separate configs are for various devices you want to manage from CAPsMAN. Then you push the correct config to the device. E.g. 2,4GHz only config to older 2,4GHz only CAP.
If all your CAP devices support the same standards you can have only one config.

Pea

Hi, this file should answer your questions about CAPsMAN VirtualAP Setup, Dual Band CAP, CAPsMAN and CAP in one board:
https://mum.mikrotik.com/presentations/BR14/Uldis.pdf
(little outdated, November 2014, but still nice explaining)

Pea

Use latest version of RouterOS.
The wireless-fp was long time ago replaced by standard wireless package which is included.

Pea

Use Long term or Stable:
https://wiki.mikrotik.com/wiki/Manual:U ... _numbering

Pea

Yes but this is likely not going to happen for home use

Therefore it is IMHO useless at the end.

Pea

This is not the best example.
Why those rules open udp port 69 (TFTP)?
Also there is defined address list which won't be used later (the rule is after general drop)...

Pea

This simplification should explain the difference: Reject : someone comes to your address and try to open door of your house, but you tell him that it is well locked Drop : someone comes to your address but there is no house or door to open and he gives up after while (timeout) It is up to you what ...

Pea

I am surprised that there was no default firewall. I really thought you removed it

I am sorry.
And I am happy that you fixed it for your needs.

Pea

But you can dual boot to RouterOS on this CRS and this should have default firewall. If not then it would be good idea to add it

Pea

it scared the hell out of me!!!

Yes, you do inappropriate configuration changes. Scary.
Study some basics about firewall and fix it.
If you don't want to study then reset your router to default to get firewall back.

Pea

If this is a mobile device on your hotspot then this is rather normal, isn't it? Just a battery savings and therefore wifi switch off temporary on the mobile device.
Why do you think this is a problem?

Pea

As mentioned by Normis they sell them as single units.
You can buy one or two or... 8 or... 1000 or even more

Pea

There is better way than drop selectively not used ports:
1) accept only what you need
2) reject/drop everything else
That's it.

Pea

Disable DHCP server, put all ports to bridge, add DHCP client on bridge, modify firewall and nat.
It should work then.

Pea

You re mixing RouteOS update and Firmware upgrade. These are 2 different things.
Press the Download&Install button in Check For Updates window to update RouterOS.
After reboot you can press Upgrade button in Routerboard window to upgrade also the firmware.

Pea

This is what I do. If you use Mikrotik DHCP server just make static DHCP lease for MAC address of iPad from Santa, then dstnat its DNS queries to e.g. OpenDNS FamilyShield: /ip dhcp-server lease add address=10.0.0.123 mac-address=AA:BB:CC:DD:EE:FF /ip firewall nat add action=dst-nat chain=dstnat dst...

Pea

There will be RouterOS so many possibilities for setup are expected. It should be possible to simply disable wifi interface if not needed.

Pea

Not available yet, search for PL7411-2nD: The PWR-LINE AP is a wireless access point with a single Ethernet port , a built-in 802.11b/g/n WiFi radio and capability to connect to other PWR-LINE devices through the electrical lines in your premises. Details and pictures: https://i.mt.lv/cdn/rb_files/P...

Pea

I will also share positive update results:
hAP ac, hAP ac lite, hAP ac², hAP lite, RB951
All fine, no problem.

Pea

Is your SSID unique?
Or do you use something common as "Internet" or "wifi"? Then many devices will try to connect when they know this SSID.

Pea

According to this shop PL7411-2nD will come 12.12.2018: https://www.wifihw.cz/default.asp?cls=stoitem&stiid=4329 Product code: PL7411-2nD CPU: QCA9533 CPU: nominal frequency 650 MHz PLC chipset: AR7420 Size of RAM: 64 MB Memory: 16 MB Flash 10/100 Ethernet ports: 1 Wireless Built-in: 2.4 GHz 802.11b...

Pea

What is the correct and clean procedure to update from main package to separate packages?
Just upload needed separate packages only of higher version and reboot?

Pea

https://wiki.mikrotik.com/wiki/Manual:System/File Warning: If device has a directory named "flash" in its file list, then files which you want to be kept after system reboot/power cycle must be stored within it. As anything outside of it is kept within a RAM disk and will be lost upon reboot. Note: ...

Pea

Check the channel, some devices do not see 2.4g wifi channel 13 (e.g. Kindle Paperwhite)

Pea

Hi, did you noticed this warning? :) /system note set note="DEVICE HACKED - ACCOUNT admin HAD UNSAFE PASSWORD" and this is not your code, right? /system scheduler add interval=1d name=Auto113 on-event="/system reboot" policy=\ ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\ o...

Pea

https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack Packet marking for fast processing. Warning: Queues (except Queue Trees parented to interfaces), firewall filter and mangle rules will not be applied for FastTracked traffic. Make exception in your Fasttrack firewall rule for the IP where you want t...

Pea

I am just curious why you still try to use "Use Peer NTP" from your ISP while you know it is not working?

And did you try to contact your ISP to fix his DHCP NTP address setup?

Pea

still cant change any user names.
introduced in 6.43.0

viewtopic.php?f=2&t=139091

Pea

This link may help you to find suitable emoji:
https://unicode.org/emoji/charts/emoji-list.html
https://unicode.org/emoji/charts/full-emoji-list.html

/interface wireless set [find] ssid="\F0\9F\92\A3\F0\9F\92\A9"

Pea

flynno: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

Pea

Just start reading!

[time=1535139686 user_id=118648]
how fix this please help me !
1. Please don't put questions not related to a specific release into the release topic, make new topic!
2. You are killing your router by Sector Writes, maybe logging on disc? Check your config, stop it!

Pea

how fix this please help me ! 1. Please don't put questions not related to a specific release into the release topic 2. You are killing your router by Sector Writes, maybe logging on disc? Check your config, stop it! :) 3. You can try netinstall, helped me to recover bad blocks, just give it a try

Pea

And this is how to use the button with scripting:
https://wiki.mikrotik.com/wiki/Manual:R ... ode_button

Pea

When will be available PWR-Line AP announced in April 2018?

Pea

The same here, but no complain

version: 6.42.6 (stable)
factory-software: 6.42.3
free-memory: 205.3MiB
total-memory: 233.2MiB

board-name: hAP ac^2
model: RBD52G-5HacD2HnD

Pea

Yes, this is all fine.
The firmware version increases (synchronize) now with ROS version. Even there is no update in the firmware.
(I do not know the reason why MikroTik made this change)

Pea

port 53

Search for DNS Amplification
And fix your firewall on input chain!

Pea

Currently you are running current-firmware 3.24.
You should upgrade to upgrade-firmware 6.42.6.

Pea

So what about version 6.40.8, is vulnerable or not? Could somebody from Mikrotik finally confirm it? Bugfix release tree Release 6.40.8 2018-04-24 What's new in 6.40.8 (2018-Apr-23 11:34): !) winbox - fixed vulnerability that allowed to gain access to an unsecured router; https://mikrotik.com/downl...

Pea

Yes, last bugfix 6.40.8 is fine (+ change your passwords after upgrading, restore your configuration and inspect it for unknown settings, implement a good firewall)

What's new in 6.40.8 (2018-Apr-23 11:34):
!) winbox - fixed vulnerability that allowed to gain access to an unsecured router

Pea

Did you change all your passwords after update?

Pea

You are running vulnerable version, so no surprise that someone can change your settings when they can get all your usernames and passwords.
It was mentioned in this topic, upgrade, change passwords, add firewall...
viewtopic.php?f=21&t=133533

Pea

This is what I do, working perfectly: Add static DHCP leases Create firewall FamilyShield list for required static IP addresses Add 2 dst-nat rules for the FamilyShield list to the OpenDNS address 8) /ip dhcp-server lease add address=10.0.0.xx comment="FamilyShield" mac-address=xx:xx:xx:xx:xx:xx ser...

Pea

Well, follow this advice for update and password change, proper firewall, etc.:
viewtopic.php?f=21&t=132499
viewtopic.php?f=21&t=133533

Pea

It will not happen if we could see all open windows within the Winbox as on this simulation:

Pea

This happens when you have several terminals hidden behind other windows. Close some windows and you will find those eight terminals. And close them.

Pea

It's a pity!
But good inspiration to MikroTik for Winbox improvement. Maybe someday

And next would be option to disable/remove Quick Set based on setup on router (e.g. /system routerboard settings quickset=disabled).

Pea

Tell me how to get these window buttons there? I like it! But I do not have it

(I hope this is not a "photoshop" joke)

Pea

Hello, don' use layer 7, use this instead : /ip firewall filter add chain=forward dst-port=443 protocol=tcp tls-host=*.facebook.com action=reject add chain=forward dst-port=80 protocol=tcp tls-host=*.speedtest.net action=reject Hello. One question. Do I have to do something for the filter to take e...

Pea

I see, nothing interesting then...
I am setting it back to default "compression=no"

Pea

Anyone?

Pea

I'm curious about this wireless option: interface wireless set compression=yes Wiki says: Setting this property to yes will allow the use of the hardware compression. Wireless interface must have support for hardware compression. Connections with devices that do not use compression will still work. ...

Pea

Jahir: oh dear, you have no firewall, your router is fully open, unprotected Webfig and Winbox, and now you even post your admin password in forum... And what's more your Router OS is 6.39.2 which is known to be vulnerable. So don't be surprised about random config changes, everyone can login and ch...

Pea

What is your Router OS version?

Pea

This sounds as really good deal:
https://www.[REDACTED].com/pages/exclusive-offer.php
(Get 5 Years of [REDACTED] For Just $69!)

Pea

Maybe defective power adapter? Do you have any other to test?

Pea

If the hotel keeps login based on device MAC address:
1) Change your laptop MAC address to your router MAC address
2) Pass the login on your laptop
3) Change the laptop MAC address back to default/original
4) Switch on your router, fill the SSID and enjoy "own network"

Pea

No, PoE works in 6.42.1 correctly for me same as with previous versions. Did you try to connect different device?

Pea

I am just curious why you want to block ping? Anyway if you insist on it start with simple input icmp drop rule placed somewhere on top. If this works then do fine tuning in more detail. If this does not work then you are actually pinging different device (you modem - as you wrote that your WAN is e...

Pea

Click on Neighbors card and then simply click on MAC address (or IP address) of the device you want to connect to...

Pea

My experience beyond specifications is to keep the Ethernet cable as short as possible, as isolated as possible

Maximum is really about 100 metres then collision detection mechanisms "break" the link.
Use some repeater in the middle and you should be fine.

Pea

Very nice tutorial on port knocking: http://blog.cactiusers.org/2009/04/17/m ... -knocking/
to: 9939781 - it is with Layer 7 packet sniffing if you insist on it

Pea

pe1chl: yes, this is clear. The report about problem in this version is due to missing feedback in log after pressing the Upgrade button. This " Firmware upgraded successfully, please reboot for changes to take effect! " did not appear in log. And this is unusual. This information line was always th...

Pea

maybe...
did you try to check how many lines you have setup?
/system logging action print
look for "memory-lines= ..."

Or go to System / Logging / Actions / memory / Lines

Pea

skullzaflare: see viewtopic.php?f=21&t=128915
Please, note that downgrading to previous RouterOS versions (below 6.41) will not restore "master-port" configuration, so use backups to restore configuration on downgrade.

Pea

Hi strods, this happened for the first time that log message about upgrade was missing completely. Unfortunately all my devices are upgraded already, so I cannot check if the warning was in System/Routerboard/Settings. But it was definitely missing in log. Now if I look into terminal I still see 2 l...

Pea

The same with missing line in log "Firmware upgraded successfully, please reboot for changes to take effect!" happened to me today on RB951G-2HnD. Little scary on 50km away device :) Did the upgrade failed? Should I reboot or better not? Anyway I sent the reboot command - and all seems fine - after ...

Pea

You have very likely double NAT.
If you cannot use bridge mode on ISP router then try if setting DMZ is available there.
Or use IPv6 address of your computer for external access.

Pea

There is already linux style option - SSH CLI

If you like click with mouse in windows then it is time for Windows...

Pea

What is in the log when you click on Upgrade button?

Pea

There are two LEDs for the wireless section and two LEDs for the 5th port section in the hAP ac (RB962UiGS-5HacT2HnT) case. The green wireless LED shows 2.4GHz wireless status and the red wireless LED shows 5GHz wireless status. Sometimes their blinking times match and colors blend together. The gr...

Pea

I had seldom this problem with Samsung TV and Samsung BD player, not getting IP from DHCP. Only disconecting the Samsung device from power a connecting after a while fixed the problem. It must be some problem or incompatibility at Samsung side. I finaly fixed it by switching both devices to Sony bra...

Pea

Already answered in this topic:
viewtopic.php?f=21&t=129034&start=150#p640819

Pea

Try this tool to debug the MTU values between you and a host:
https://elifulkerson.com/projects/mturoute.php
(I probably found this on this forum recommended by someone)

Pea

Thank you Steveocee, based on the tutorial I will try to use this now, Option C: /ip firewall nat add action=masquerade chain=srcnat comment="LAN to Server" dst-address=10.0.0.0/25 src-address=10.0.0.0/25 add action=masquerade chain=srcnat out-interface="PPPoE client" src-address=10.0.0.0/25 add act...

Pea

Hi, I would like to ask you to review my Hairpin NAT to internal server on 10.0.0.50 The WAN IP is dynamic (VDSL). I access my Server from Internet and also from LAN by using the domain name (WAN IP). Option A: /ip firewall nat add action=masquerade chain=srcnat out-interface="PPPoE client" add acti...

Pea

#2: Just try "Copy" button...

Pea

470k writes after 2 hours? You are likely killing the router by your settings.
Time for a new device... and setup with reduced writes to storage.

Pea

Do you have your domain DNS/DDNS name registered with your WAN IP address? If yes, then you can do it with NAT. These 3 lines will make your web server accessible from internet and also from LAN by your domain name: /ip firewall filter add action=accept chain=forward comment="Accept dstnat pinholes"...

Pea

The ether5 connector looks perfect, same as others ether1-4. So it seems it is hardware failure.
It is still in warranty, I will contact my dealer to exchange device.

Pea

I use only CAT6 cables.
For test I connected only one computer which negotiates with ether1-4 on 1G but when I move that only cable to ether5 it negotiates on 100M.
From my logic this cannot be caused by cable or connected device. Anyway I tested 3 gigabit devices and few cables with same result.

Pea

Hi, I have RB951G-2HnD (v6.37.1, fw3.33), which has five Gigabit Ethernet ports. The ether1-4 (my WAN, LAN1-LAN3) sync on 1G normally. But ether5 (my LAN4) sync only on 100M (and negotiation takes longer). Attached screenshot shows log when I move one cable from ether2 (LAN1) to ether3 (LAN2)...to e...

Pea

I confirm, Tik-App v0.0.33 does not work with 6.36 ROS, stuck on "Downloading plugins..." with Mikrotik RB951G-2HnD

Pea

It should be enough to do reboot and then update.
How much free-memory you have after reboot?
Anyway 8,6MiB visible in your export should be good for update.

Pea

Use this:

dst-address-type=local

Matches destination address if dst-address is assigned to one of router's interfaces.

Pea

Just question:
Why you do not run PPPoE client on Mikrotik and your adsl router in bridge mode?
This should be imho easier and more obvious for setup.

Pea

Use search, it is easy to find this topic:
http://forum.mikrotik.com/viewtopic.php?p=527754

Pea

You can use Port Knocking to add actual address into allowed address list for WebFig access.
http://wiki.mikrotik.com/wiki/Port_Knocking

Pea

It's not like the AP can recognize a client radio's voice or anything...

nice one

Pea

I will jump here to get answer what is the best practise for the firewall last input rule: 1a - Pretend that there is nothing just black hole: add chain=input action=drop 1b - Shut the front door and lock it: add chain=input action=reject protocol=tcp reject-with=tcp-reset add chain=input action=rej...

Pea

Remove those 4 NAT rules: add action=masquerade chain=srcnat out-interface=all-ethernet add chain=dstnat dst-address-type=local dst-address=!192.168.0.0/16 action=jump jump-target=pinholes add chain=pinholes protocol=tcp dst-port=80,443 action=dst-nat to-address=192.168.1.198 add chain=pinholes pro...

Pea

I think it was never there. Just write a comment and set Inline Comments in Settings and the comment column will show.

Pea

Just tested:
Upload... button does not work, no popup, nothing.
The download option on file works. BUT no warning that file with same name already exists and existing file is overwritten!

Drag and drop works fine as before.
Winbox 3.4 on RB951G-2HnD

Pea

Just small note: Maybe you can add higher resolution app icon...
If you pin it on taskbar, you will have it with a good resolution

Yes, pinned icon on taskbar looks nice.
But when I click it and Winbox is running it gets pixelated

Pea

Just small note: Maybe you can add higher resolution app icon...

Pea

This is answer to your question: What's new in 6.33.5 (2015-Dec-28 09:13): *) wireless - regular “wireless” package is now retired and replaced by "wireless-fp" and "wireless-cm2"; This means that in update you are trying to do is the old wireless package missing - intentionally. Therefore upload wi...

Pea

I was solving the same setup. At the end successfully, works for weeks without problem

See my solution: http://forum.mikrotik.com/viewtopic.php ... 09#p518647

Pea

+1 for Winbox Log filter. Or colour highlight of search phrase at least

Search found 227 matches