MikroTik

onlineuser

If you would like more assistance with piece by pice migration, post the old config and we can try to help Why is there no tool available for migrating configuration from older to newer Mikrotik devices? I had a lot of firewall rules inside my configuration. I solved it by replacing the right inter...

onlineuser

Thanks.

onlineuser

Hello,

is it possible to migrate all the settings 1:1 from a RB2011UiAS-2HnD to a L009UiGS-2HaxD-IN?

Thanks.

onlineuser

*push*

onlineuser

Any updates for this issue?

I tried it on ROS 7.13.2 - same problem.

onlineuser

Ok, but this could be filtered with a regex.
Other socks proxies also do this.

The nslookup command also does this - nslookup google.de delivers the IP address, nslookup 127.127.127.127 delivers the hostname.

onlineuser

Ok yes, I could resolve it by resolving the hostnames locally or with other tools but RFC shows that remote resolving through the proxy also should work.

With the socks proxy "srelay" for example it works fine.

onlineuser

What do you want to say with this? Locally resolving of domains with third party tool? This is not necessary. Other socks proxies do the same like mikrotik socks - remote resolving works fine for vaid domains (for example google.com). If I want to open an webserver on for example 123.123.123.123, no...

onlineuser

Hi, I use the socks5 proxy on mikrotik with remote dns resolving. This works fine for resolving hostnames (google.de for example) but for inputs like 123.123.123.123 it does not work. Normally for such URL the socks5 proxy needs not to resolv the IP address but it looks like that this will be tried....

onlineuser

Hello, I let to connect some clients (6.48.6) to my OVPN server (also running on 6.48.6). Now I added a hAP ac3 with ROS 7.6. On this device it only works when I deactivate the "Verify Server Certificate". If this is also activated on ROS 7.6, I get an TLS error while establishing the OVPN...

onlineuser

noone?

onlineuser

Hi,

sometimes, when my OVPN connection breaks or has an timeout I need to delay the reconnect.
So I tried to add :delay 10s to the PPP profile of my OVPN connection ("On Down").

But it seemsthat this does not work.
I use the latest ROS release of version 6.

Thanks.

onlineuser

Also no dns-server feature in RouterOS7?

The fastest an easiest way would be to adapt maradns to RouterOS.

onlineuser

SOCKS proxy with remote dns resolving and a upstream proxy for the SOCKS proxy itself.

onlineuser

Any news about this feature?

onlineuser

this solves the problem - viewtopic.php?f=13&t=97755&p=866829#p866829

onlineuser

A picture is worth a thousand words... Bug.png When I connect my RB2011 (tested with ROS 6.40.1 and ROS 6.47.10) to the white UPC (Magenta) Connect box (I use port 6 - 100 Mbit/sec) the RB2011 only connects with the speed of 10 Mbit/sec. If I force 100 Mbit/sec no link will be established (the cable...

onlineuser

Ok, I did. :-)

onlineuser

Hi, I use some ovpn connections (4096 bit) on my RB750 (mipsbe). Sometimes it takes very long that the tunnel is established. The CPU load goes while connecting on 100%. OVPN: initializing OVPN: connecting [i]sometimes up to 30 seconds later...[/i] OVPN: terminating - could not negotiate TLS in time...

onlineuser

@Mikrotik: A software solution for this "issue" would be fine.

onlineuser

It works fine with UPC-WiFree - but UPC disconnects the signal every hour. Then I loose some seconds until my ovpn connection to this gateway is established again. :-)

onlineuser

We are working on SOCK5 improvements, please be patient. :)

Any news about this feature?

onlineuser

Are there any news about the new feature?

onlineuser

great, this is implemented :-)

onlineuser

Hello, is it possible to get a notification (call via /tool fetch url="https://...) when a vpn connection from outside to the OpenVPN server will be established? Sure, I could make a script which parses the syslog logfile for such incoming connections but maybe this would be possible directly b...

onlineuser

I wish most features from maradns.
maradns is open source - and offers simple configuration as an authoritatived dns server.
It also can be used for internal dns server (non-authoritatived).

dnssec extension would be fine for feature but it is not very important at moment.

onlineuser

Hello, my ovpn connection works fine with ip-mode. I try to set up a UniFi access point through an ovpn tunnel, but the access point cannot be detected by the UniFi controller software. In the local network it works but not through the Mikrotik ovpn tunnel in bridge-mode. Are there any changes on th...

onlineuser

Ok, thanks for explanation.

onlineuser

Sorry, I read it inaccurately.

Good news.

onlineuser

It's sad. On OpenWrt based devices it's no problem to compile any package you need. Mikrotik should begin to integrate some additional packages which the community want to use. They offer some packages like ntpd, hotspot, ups, advanced-tool and etc. but I miss socks proxy (srelay) or an authoritativ...

onlineuser

Hello, on "real" OpenVPN server it is possible to consider the dh params file (dh.pem) and the file with revoked certificates (crl.pem). The DH params are not security sensitive and are only used by an "real" OpenVPN server. On Mikrotik server this seems not to be possible. Why i...

onlineuser

Thanks.

It would be nice if ROS would get any "real" SOCKS proxy implementation (srelay would be a open source socks proxy).

onlineuser

Any news about this feature? maradns or powerdns (both open source) would be perfect for ROS. It's sad. On OpenWrt based devices it's no problem to compile any package you need. Mikrotik should begin to integrate some additional packages which the community want to use. They offer some packages like...

onlineuser

I found no workaround.

onlineuser

stable UDP and SHA512

Btw I now noticed that ovpn in ROS only supports md5 and sha1 (sha256, sha224, sha384, sha512). SHA512 would be fine!

onlineuser

Thanks.

But btw I now noticed that ovpn in ROS only supports md5 and sha1 (sha256, sha224, sha384, sha512). In beta UDP and sha256 are implemented but nowadays sha512 would be fine.

onlineuser

Hello,

I created a certificate for 36500 days (100 years).

openssl outputs the right validity of dates but in Winbox I only can see that it is valid for 6526 days (up to 01/01/2038).

Is this a problem in ROS with any old openssl release which cannot interpret the right validity?

Thanks.

onlineuser

Dear Mikrotik developer

are there any news about this feature?

onlineuser

Hello,

is it possible to use the socks proxy server on a mikrotik router with remote dns?

I tried to set up but it was not possible that the router opened an outgoing connection to the target server.

onlineuser

There is another discussion on the topic: viewtopic.php?f=2&t=140569&p=722876

onlineuser

Up to 6.40.1 it worked to filter DHCP requests on the WAN port. On later releases I tried to enable the "use-ip-firewall" feature and added a rouge DHCP rule. /interface bridge settings set use-ip-firewall yes/no [admin@Client] > /interface bridge settings print use-ip-firewall: yes use-ip...

onlineuser

http websites can be accessed without problems - also https after the client has authenticated on the hotspot website.

Yes, please share - a solution for the Mikrotik device would be fine because it would not be possible to fix every client device.

onlineuser

Hello, I setup a hotspot. On most devices it works fine that the welcome (login) page will be loaded. But on some Huawei and Samsung devices I noticed that the redirect to the login page does not work. When I enter the hostname manually the login page will be loaded. Does anyone know this issue? Is ...

onlineuser

Hello, in supplement to this thread (still unsolved) - https://forum.mikrotik.com/viewtopic.php?f=2&t=101896 - I want to ask the same question again. When my firewall rules on my testing router with ROS 6.40 dropped the whole WAN traffic, it was not possible that the WAN port got an IP address f...

onlineuser

Are there any news about this feature request?

onlineuser

Thanks, it works.

onlineuser

Hello, I created a bridge called "ovpn" which includes the ovpn interfaces "ovpn-in1" to "ovpn-in4" (my ovpn server on the RB offers up to 4 clients a connections to the RB). Because it is not possible to add dynamic interfaces (which are not running all the time) to fi...

onlineuser

1.1.1.1 ist in the subnet /28
2.2.2.2 is in the subnet 29

Requests to the 1.1.1.1 or 2.2.2.2-2.2.2.4 will be routed from the provider to my WAN port.

onlineuser

Hello, I have one WAN port with one WAN IP (transport IP for outgoing traffic [also ingoing traffic] - 1.1.1.1) and four static IP adresses(2.2.2.2-2.2.2.5). Now, the WAN IP packets and all the static IP adresses packets comes up to the Mikrotik RB. How can I configure it that the all packets to the...

onlineuser

Hello,

Is it possible that fetch supports proxy support?

@ Mikrotik: If no, please add the feature that the fetch command is able to work via http/https/socks proxy.

Thanks.

onlineuser

19 connections on the ~100MB memory used router and 10 connections on the ~55MB memory used router Normally the router with the usage of 55MB has more traffic than the other one. On the router which uses more memory I just have more entries in the address list. The partition size has 128MB on both d...

onlineuser

Hello,

I noticed on an RB2011 that the memory usage is the half one than on any other RB2011.
Although on the router with less memory usage there I installed the ntp server package, the other router has default packages and just a little bite more firewall rules.

Where does this come from?

onlineuser

I have tested it on a RB2011 with license level 5 and on a RB70 with license level 4. On both devices the WinBox entry is missing (bug in WinBox because on the item list in the documentation it is listed). Trough terminal I can set the flags. Ok, AES-256 instead of AES-128. :-) And it is also strang...

onlineuser

Hello, where do I find the ssh settings in WinBox? /ip ssh set strong-crypto=yes In WinBox 3.12 I can not find it. The option "/ip ssh set strong-crypto=yes" does not change the key-size (no difference between no and yes). The keysize can be changed with "/ip ssh set host-key-size=......

onlineuser

Nice, but an offline viewer would be better. :shock: Is there something in planning? The architecture of filesystem seems to be public or where did this guy got the source for his viewer ( did not try it with my supout files)? http://k3dt.eu/supout-reader/ (not serious to upload the supout file on a...

onlineuser

Hi,

last time I has configured a RB2011 (6.41.2). When I disabled the SFP interface the blue LED switched off.
Today I configured any older RB2011 (6.40.1) and there I was not able to switch off the SFP LED.

Both RB2011 has no SFP adapter in the slot.

onlineuser

Hi, how is it possible to set a guaranteed bandwidth for a bridge or one ethernet port. I want that the bandwidht on one port / bridge always offers 100kbps upload and 200kpbs download. In worst case the bandwidth for the other bridges must be reduced. The problem is that the WAN connection also doe...

onlineuser

Hi, when I click in WinBox to "Quick Set" I see on the left side all the wireless clients with the signal strength (graphic). Is the same graphical overview also in other menu available? Because the quick set window is for changing the config and not just for getting information about all ...

onlineuser

Such of these features would make Mikrotik more popular and additional hardware would not be necessary. All of us trust on RB software although we do not know anything about the source code and possible backholes. Here the OpenWrt was the better solution but the UI is clearer and easier (faster) to ...

onlineuser

Tunneling WinBox through Permeo or SocksCap works, but an integrated proxy feature would be better!

onlineuser

A lightweight DNS server like "maradns" would be fine for Mikrotik devices.
The configuration could be done through text files like on any OpenWRT device.

Why such a service will not be offered by Miktrotik?

onlineuser

Hello,

it would be nice if WinBox would has a proxy support (socks-proxy) to be able to connect to any external RB through a proxy server.

onlineuser

onlineuser - It might affect your situation, however, we can not give you precise yes or no answer. If the problem that you have is caused by delayed/slow responses to/from OVPN server, then this might help and your problem might go away; It looks good. At the first connection establishment the con...

onlineuser

*) ovpn - fixed resource leak on systems with high CPU usage;

Does this fix this problem I reported here?
viewtopic.php?f=2&t=129459

onlineuser

What's new in 6.41.1 (2018-Jan-30 10:26):
*) ovpn - fixed resource leak on systems with high CPU usage;

Does this fix the problem?

onlineuser

Yes, I will upgrade to a more powerful device. But a user-defined timeout also would be fine. In my case there are some seconds missing because after several tries it works. If the device never would be able to establish a connection it would be clear. But the problem only occurs with the two outgoi...

onlineuser

Thanks but why does it work sometimes immediately to establish the connection.
@Mikrotik: Maybe it would be possible to fix this in software for slower devices?

onlineuser

With 2048 bits it should be no problem, but it also works with 4096 bits sometimes to establish the tunnel, so I think it is only a timeout problem of RB. If Mikrotik would give the ssl command more cpu time an set a higher timeout it could be solved. I have other RB2011 with 2048 bit certificates a...

onlineuser

No, there is no packet loss.
I think because of the the high cpu power the timeout will be reached before the connection is esablished.
I use for all three OVPN configs certificates with 4096 bit.

onlineuser

Yes, single core - RB750.

I am running two OVPN clients and one OVPN server on it.

Sometimes, the reconnect takes few seconds, sometimes it takes 30 minutes.

onlineuser

Any known bug?

100% CPU while (re)connecting.

onlineuser

Hello, sometimes it happens that the VPN tunnel interrupts. Then I get this error message: OpenVPN Server error: TLS failed or terminating... - TLS failed (while reconnecting) Then the RB tries to reconnect to the server (Linux OVPN server, not a other RB). Sometimes it takes more than one retry and...

onlineuser

Good news! Did you try it within the UPC Wi-Free network? Is it possible to use a RB2011 or any other wireless RB as wireless client with WPA2-Enterprise client (WAN) and as accesspoint (LAN) for the home network? In fact I only want to tunnel all internal traffic over the Wi-Free network through an...

onlineuser

Hello,

did anyone try to use a RB2011 or any other wireless RB as wireless client with WPA2-Enterprise client and as accesspoint for the home network?

Thanks.

onlineuser

Hello, I have three questions about new features in ROS. 1) !) bridge - implemented software based vlan-aware bridges; https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering Were the default settings be changed in 6.4x compared to 6.39? 2) !) switch - "master-port" co...

onlineuser

*push*

onlineuser

Maybe in one of the next releases.

onlineuser

Thanks

onlineuser

Why this? Will this be changed in one of the next releases? What is the difference between the button "OVPN Server" in PPP and the adding of a new interface "OVPN Server Binding"? So it would be possible to create more OVPN server bindings configs but only one server instance. Th...

onlineuser

Thanks, very much.

onlineuser

Hello,

is it possible to run two ovpn servers on one RB?
Via Winbox it seems not to work.

Thanks.

onlineuser

Hello,

is it possible only to reset the password of a RB (with physically access to the hardware) that the intruder gets all the settings?
I want to prevent that anyone gets the settings - if the intruder uses the reset-button, the configuration is gone but he does not get the settings.

Thanks.

onlineuser

Hello, on my RB2011 I noticed that sometimes the interface-statistics is flapping (except on port 2; the WAN port is on port 6) - see attached screenshot. When the statistics window is opened one second the bandwidh data on all interfaces are quite ok and then one second later all ports shows 0 bps ...

onlineuser

Is there any example in the documentation?
But changing of the gateway is not enough, the destination IP address also must be changed to reach the proxy server - is this also possible?

onlineuser

Hello, I have three OVPN connection on my Mikrotik. That my server has access to all three networks and proxy servers I added three srcnat-masquerade rules. This works fine. server----10.10.1.1====10.10.1.2:8080, 1080 server----10.20.2.1====10.10.3.2:8080, 1080 server----10.20.3.3====10.10.3.2:8080,...

onlineuser

Hello,

is it not possible to set more than one ICMP type option to one rule?

I want to define type 0 (echo reply) and type 8 (echo request) for one ICMP rule.

The same thing is for the ICMP code: a range or more than one code would be fine.

Thanks.

onlineuser

Are there any news about pushing a route from the mikrotik server to the openvpn client?

onlineuser

OpenVPN client works with 6.40.1 again.

onlineuser

Thanks, very much.

onlineuser

Thanks.

onlineuser

Noone any idea why this behavior was changed?
Or is it an unintentional bug?

onlineuser

OVPN default route behaviour:

Take a look to this post - why did you change the default route behaviour?
viewtopic.php?f=13&t=124005&p=610512#p610512

onlineuser

The problem is a wrong dynamic route when OVPN connection is established. screenshot: 6.39: the dynamic set route is set correct 6.40: after upgrading with the wo default routes OVPN connection does not work 6.40 fixed: after removing the DS enrty and adding the AS route, the OVPN connectio nworks a...

onlineuser

Thanks!
With 6.39 it works again.

I hope the OVPN interface bug in 6.40 will be fixed soon.

onlineuser

Hello, after upgrade from 6.39 to 6.40 the OpenVPN client does not work any longer - the connection will be established but the interface will not be created, so most rules do not work any longer (for example: srcnat to openvpn interface). How can I downgrade to 6.39? Copying the file to the device ...

onlineuser

Some comments are longer than 31 characters.
It would be no problem if there will be an user-defined length be implemented.

Moreover, the ID of the rule in the beginning of each line on LOG which occurs an log entry would be helpful (F13 for filter rule #13, N14 for NAT rule #14 for example).

onlineuser

Hello, when the Log-prefix is too long, the prefix-string in the LOG will be shorten. Maybe this limit can be extended - or better, the user should be able to decide the maximum length of the entry which will be shown in LOG. On the attached picture you see that the prefix was cut (instead of "...

onlineuser

Any news concerning WPA2-Enterprise (EAP)?

onlineuser

Hello, I want to use a wifi-connection as WAN-port. SSID: <ssid> Authentication: WPA2-Enterprice (EAP) Encryption: CCMP PSK: EAP method : PEAP Identity: <identity> Password: <password> inner auth: EAP-MSCHAPV2 Is this WPA2-Enterprise configuration possible with Mikrotik for a WAN-port?

onlineuser

Thx.

onlineuser

Hello, I log different rules. A nice feature would be that the LOG-windows can show all log entries / entries with level 1 / entries with level 2 and so on. If logging is activated for a rule beside the level could be entered (number 0-x). Actually the LOG-window only offers to show all entries or t...

onlineuser

*push*

onlineuser

Hello,

normally I use for OpenVPN tls-auth a static key.
client: tls-auth static.key 1
server: tls-auth static.key 0

When I use a Mikrotik as client it is not possible to specify a static key.

Is this a security risk when the tls-auth runs without encryption?

onlineuser

First I used OpenWrt with iptables and my own scripts but Mikrotik is really good.
I think it is simple to configure a Mikrotik and this forum also helps you.

onlineuser

Webif is also comfortable but in meantime I prefer the CLI.

onlineuser

Thanks, very much.

onlineuser

Thanks.

Will the entries of the address lists also be stored in a binary-backup (the export is without address lists)?

onlineuser

Ok, thanks. I thought when the NAT rule could drop the packet then the firewall rules get a little bit more clearly to read because then there would be less rules in it.

onlineuser

For NAT rules there is no DROP available.
A RETURN jumps back where the jump came from.
Why there is no DROP for NAT rules available?

Is a return equivalent to a drop?

onlineuser

Cool, thanks - why do not use the same schema like on firewall rules - good idea.

onlineuser

Hello,

when I save my settings will there be saved the whole settings (also VPN certificates and keyfiles)?

After importing the certificate I tried to delete the uploaded files and the VPN tunnel works further.

onlineuser

Yeah, in meantime I solved it in this way - but it would be also nice if a rule (firewall or NAT) could consider more than one address list.

onlineuser

No, it's not possible. example: address list 1: block_scanner address list 2: block_permanent_blacklisted When there are two rules (first one only allows IP addresses which are not in block_scanner , this rule will be taken without checking the second one if the IP is maybe on the block_permanent_bl...

onlineuser

Hello, I have more address lists which should be ignored for my destination NAT rules. It would be fine if there could be specified more than one address list - it also should be possible to negate some of the address lists. Or can I create dynamically a new address list which contains the IP addres...

onlineuser

noone any idea?

onlineuser

Everything works fine but I get a lot of TCP Resets on the 33.3 router. The tunnel and bandwidth are stable. On the OpenVPN server there are no suspicious entries. 15:05:04 firewall,info LAST DROP - INPUT input: in:OpenVPN out:(none), proto TCP (RST), 10.1.0.1:8080->10.1.0.6:61832, len 40 15:05:06 f...

onlineuser

Yeah but since I have deactivated the automatic timezone checking there was no outgoing request.

onlineuser

I think it was the TimeZoneAutodetect flag in System/Clock.

Haha, will the timezone be guessed by my IP address?

onlineuser

Hello, my RB tries to establish a connection to 81.198.87.240:15252 UDP. IP/Cloud DDNS and NTP are disabled. I also disabled the SNTP client (System/SNTP Client) Where does this come from? I can remember that I had the same problem on other device but I can not remember which settings caused this pr...

onlineuser

ISP is on 11.0 on another port of R1. Ok, I will try it with static routes. UPDATE_1: On R1 I set following route: 10.1.0.0/29 via 192.168.33.3 (now from 34.0 10.1.0.6 is reachable). But from 34.0 I cannot ping 10.1.0.1 (only 10.1.0.6 is reachable). UPDATE_2: Ok, now it runs, I forgot the two forwar...

onlineuser

Yes, 33.0 and 34.0 are NAT routed to the gateway (33.1) but 33.0 also routed directly to 34.0 without NAT (34.0 can directly communicate with 33.0). Or can I solve it with port forwarding, that 33.1:1080 will be routed to 33.3:1080 and this will be routed through the tunnel to 10.1.0.1:1080? I would...

onlineuser

Hello,

the VPN tunnel from 33.3 to the external VPN server works - the 10.1.0.0 is from both sites of the tunnel reachable.

Which routes and NAT rules must I set on R1 and R2 that 10.1.0.6/10.1.0.1 are reachable from the 34.0 network through the 33.1 and 33.30?

Thanks, very much.

onlineuser

Thanks for hints. lport parameter will be ignored. :-( @Mikrotik: Please implement this - then the firewall rules can be more restrictive. username and password are for locally certificates (although when they are not password protected it seems to be ignored - I just entered anything). OpenVPN supp...

onlineuser

Hello, I am running a OpenVPN server on any linux machine. Now I want that my RB connects to the OpenVPN server as client. Does this work? Why do the RB needs an user and password for dialout? Where can I put the certificate data [ca, cert, key, tls-auth] (under DD-WRT is was easy to paste the conte...

onlineuser

Exactly the same idea.

@Mikrotik: Why do you not want to implement this feature?
It would make the fast reading of a lot of rules quite easier!

onlineuser

I know - I only did the default config and then I tried to configure it though an other RB. I was too lazy to take the laptop again for Winbox.

onlineuser

Hello, if the list of filter rules becomes longer and longer it is hard to read. There would be a kind of separator line nice - maybe an empty line without line number and with the possiblity to set any comment for this line (comment in different textcolor or italic - maybe also the textcolor for ev...

onlineuser

Thanks, this is I was looking for. Now, it works.

First time I configured a RB via SSH instead of Winbox

onlineuser

This I also tried but the RB750 does not answer ping request which comes from 192.168.33.1 (RB2011). On the same network there is an other device (192.168.33.10/27 with gateway 192.168.33.1) and this device is answering the requests which comes through 192.168.33.1. So the RB750 has a wrong configur...

onlineuser

Ok thanks. I tried "ip routes" and "ip addresses" but both does not work. I want that one port of my RB750 has following configuration. IP: 192.168.33.30 Netmask: 255.255.255.224 Gateway: 192.168.33.1 How can I set this? Why always will be added the default gateway 192.168.33.30 ...

onlineuser

Hello, I tried to set an IP address on a RB750 for one port - 192.168.33.30/27. By default the gateway 192.168.33.30 will be set. Is it not possible that I set as gateway 192.168.33.1? Changing is not possible so I tried ti add a default gateway but it also not helps. Do anyone know any solution? # ...

onlineuser

Ok thanks, very much.

I will try to do like you suggested.

That the nat rule will be inactive when the limits of this rule are reached and the packets goes to the input chain, is not a good design principle but why does Mikrotik allow limits on nat rules?

onlineuser

Ok, I also set the limit and dst-limit on my nat rules for port 80 and 443. I thought that when Mikrotik offers these parameters, I also can use them. But I also not found out how to reproduce this behaviour - so I believed that it is a matter of manipulated or not valid packets. And one more thing ...

onlineuser

No, I do not use any proxy service on RB. Ahh, I only forward port 80 and 443 and maybe the incoming http/https requests are not good (clean) enough to be forwarded. And because no forwarding rule will be used on of the last dropping rules drop the invalid packets. So the webserver can't write anyth...

onlineuser

Hello, how can this happen? There comes a port 80 request from WAN and it will be routed via the NAT-rule to the DMZ server. But the webserver logfile has no entry that any request on port 80 came in (this sometime happens). And then there came three ICMP requests from the same IP to the WAN port. W...

onlineuser

Thanks, very much.

onlineuser

Hello,

I also have the same problem - I have two adress lists and when I use two rules (for every address list one rule) the traffic can't be filtered well.

How can I create a combined address list that contains all IP addresses of list A and list B which is also always synchronous?

onlineuser

Yes, you are right - but it is funny to play around with such "speacial rules".

Is it possible to write a script for ROS which sends me every hour a complete list of the address lists via mail or FTP upload (or even shown on the internal website)?

onlineuser

Now it works but when I activate the first drop rule for blacklisted IP addresses the other rules for extend the time to long won't be reached any longer. So it is only possible to extend the blacklist-time when the short time is expired and a new request from the same IP comes in. Why it is not pos...

onlineuser

Thanks, now it's clear. But now I have one last logicaly problem. chain=input action=add-src-to-address-list tcp-flags=syn connection-state=new protocol=tcp address-list=Port_Attack_List address-list-timeout=1d in-interface=WAN dst-port=!80,443 limit=2/1m,2:packet : log=yes log-prefix="PORT-ATT...

onlineuser

1) drop src-address-list=blacklist ... (normal set of rules) 2)default drop (with match rate limit, e.g. 5/5) 3)src not in abusers -> add src to blacklist timeout=short 4)src in abusers -> add src to blacklist timeout=long 5)add src to abusers timeout=something like 1 week or 1 month - at least as ...

onlineuser

Thanks, very much - I will try it.

onlineuser

1st rule, drop address list 2nd rule, match traffic up to some limit, then passthrough 3rd rule add to address list 4th rule drop traffic if ports are not 80 and 443. In this case, traffic would be dropped in both cases ( address list and not on address list sources) but you will be able to add tim...

onlineuser

Ok here my rules. The first blocks IPs from blacklist. The second tries to detect TCP requests on WAN port and the thirs should detect UDP requests on WAN port. Your example accepts incoming requests, I drop it because I only want to count such requests so that I can blacklist the IP after 2 or thre...

onlineuser

I tried - it only works if I set the inverse flag for limit. If it is not set the IP will be added after first request to blacklist. (Port 80 and 443 incoming are excepted from the blacklisting-rule) Moreover there seems to be another bug. I use the Dst-limit by "addresses and dst port". O...

onlineuser

Yes I tried 5/5 but per minute. That means that when 6 packets come in per minute the IP should be added to the Port_Attack_List. But when I test it the IP will be added after the first packet. I also tried to set the Dst. Limit (5/5 min, dst. address and port) but it also was unsuccesssfull. BTW, I...

onlineuser

I tried following rule. When more that 2 requests/minute comes in (also tried with Dst. Limit for port an adress) the IP should be added to the Port_Attack_List. But when I do not use the inverse feature the IP will be added after first request to the Port_Attack_List - moreover, I only set this rul...

onlineuser

I tried it with "limit" seen here: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter I want that IP addresses which sends about 4 requests per minute will added to a blocklist of 1 hour. The next step would be that when one IP address of this blocklist tries again after one hour that...

onlineuser

Hello, I added port detection rules (TCP and UDP) to my rules - it works fine. But how can I detect such a access trial like this one on the screenshot (when the source IP and port is always the same and there are about 10 requests per second)? And would it be possible that the first block-time take...

onlineuser

Has noone an idea how incoming connections could become more secure by checking the TCP flags?

onlineuser

noone?

onlineuser

This seems to be a configuration issue of your webserver.

onlineuser

Interessting question! http://wiki.mikrotik.com/images/2/2e/Hairpin_nat_1.png If any client from the subnet 192.168.1.0/24 tries to open the public IP the NAT-rule works. But what when I want the same thing for the webserver itself (192.168.1.2)? Here the schema: http://www2.pic-upload.de/img/294064...

onlineuser

Thanks. Yes, there are some different combinations possible but if I only allow the "good" combinations for port 80 forwarding and drop all the rest it should work. I tried to set at incoming port 80 rule the syn and ack flag to check if the handshake is right but it does not work. Moreove...

onlineuser

Ok, thx very much. All your hints I have already implemented. :-) My RB2011 has a CPU utilization about 3 up to 15 percent (about 30-40 permanent outgoing/incoming connections). So I thought the router could also check the traffic for any anomalies for example: initialitation, three-way handshake, r...

onlineuser

How can I set a fail2ban list for ip-adresses which tries several invalid combinations of tcp-flags?

It it possible to detect and filter manipulated requests?

onlineuser

Thanks.

onlineuser

Hello, I have two WAN ports on my RB2011. My default masquerade rule says that the traffic goes out via WAN_1. Now I want to set up an Socks Proxy on my DMZ which should route all the traffic via a masquerade rule out on WAN_2. Can I control this via a second masquerade rule where I set the src addr...

onlineuser

Yes, it makes no sense, I thought PPPoA must be used when running a modem in bridge mode. But it seems that a PPTP connection is enough.

onlineuser

Thx. I also have a modem in single user mode (bridged mode) - the Technicolor TG588. On your link I saw that he just added a PPTP-Client. Ithought in single user mode I also need a PPPoA client on my RB2011. Or is the PPPoA connection only necessary when the modem is still in multi user mode? UPDATE...

onlineuser

+1

Yes, come on, please add UDP and compression!

onlineuser

Hello,

please implement the PPPoA client in one of the next firmware releases.

PPP over ATM (RFC2364)
PPP over Ethernet (RFC2516)
IPoA (RFC1577/2225)

Thanks!

onlineuser

Hello, I have a modem in single user mode and the RB2011 must create a PPPoA connection to my modem - how can I set it up? ADSL (ITU-T G.992.x) > aINTERNET (PPPoA) VDSL (ITU-T G.993.x) > vINTERNET (PPPoE) PPPoE connectiosn are possible with ROS, but I could not find a PPPoA connection in ROS. :-(

onlineuser

Ok, I will contact the support - but this buggy behavior is simple to reproduce.

onlineuser

Why can the WAN port get an IP address from the DHCP server if there is no traffic allowed? I tried to drop everything on a WAN port but the router can communicate with the DHCP server. I tried it with my provider DHCP server and with an internal DHCP server. If I compare this behavior with an iptab...

onlineuser

Yes, also with 6.33.3.

onlineuser

Yes, the same device was recognized on port 4 as gigabit device. The interface settings were the same - I double-checked it. Totally strange - I also tried two other cables - same problem. Now, after some shaking, it works - maybe there was some dirt in the jack!? I am happy that the hardware is not...

onlineuser

Hello,

today I tried to connect the ether 5 port on my 2011 router.

The status says that there is no link - the cable is ok, because on ether 4 port it works.

When I reduce the speed to 10Mbit the ether 5 port works but on 100 or 1000Mbit it gets no link.

What can I do?

onlineuser

The first and second rule is a default rule but per default there were set 5 rules. 3 ACCEPT gre -- anywhere anywhere 4 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable 5 REJECT tcp -- anywhere anywhere reject-with tcp-reset 6 TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TC...

onlineuser

Thx, very much!

onlineuser

On my testing router I upgraded to 6.33.1. licensing - fix unneeded connection attempts to 169.254.x.x must be CHR only (introduced in 6.33); This is now solved. :-) Because it was a licensing bug, will the router send any data to any of your servers for checking the registration? What does CHR mean?

onlineuser

noone?

onlineuser

Hello, I found on my OpenWrt router some default firewall rules. These rules makes sense and are clear how to realize it on ROS. DROP all -- anywhere anywhere state INVALID ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED But how can these rules be realized in ROS and which sense have these...

onlineuser

ok, thx.

onlineuser

ok, thx.

onlineuser

You could write a script that checks the WAN IP and updates any rules or address lists if it changes. If your WAN address (almost) never changes, I'd say it's not worth the work. Ok thanks. I thought there is any variable like $WAN I could use and which always points to the current WAN IP. Did anyo...

onlineuser

noone?

onlineuser

noone?

onlineuser

Yes, yesterday I found the graphics.

The strategy of the 3 ways is good butthis bug is easy to find / detecting should be found by any tester before publication.
This is a bug which can be found without knowing the source code.

onlineuser

Thx. Is there any real stable 6.xx firmware available? I think ROS is good but such bugs should not pass the quality management - how long will new releases be tested by your engineers before publication? ;-) P.S. Here the reference link for the hint before: http://forum.mikrotik.com/viewtopic.php?f...

onlineuser

Yes, it seems to be the same problem. How did you sniff the URL which is always treid to open? x.x.x.x - - [09/Nov/2015:00:12:04 +0100] "GET /latest/meta-data/public-keys/0/openssh-key HTTP/1.1" 200 604 "-" "-" x.x.x.x - - [09/Nov/2015:00:12:05 +0100] "GET /latest/...

onlineuser

Yes, but I did not change anything from the 6.32.3 up to 6.33.

But why will the packets out from my public IP to port 169.254.169.254:80?

onlineuser

Hello,

since I have upgraded from 6.32.3 to 6.33 the RB wants to send strange packets.

6.33.PNG

Where does this come from?

onlineuser

Hello,

is it possible to set the current wan-IP as source address (or source address list entry) in a firewall rule?

onlineuser

If everything is blocked an I reboot the router, which requests must go out and which are allowed to come in for getting an IP from the dhcp server? Here is a correct example: http://www.linklogger.com/UDP67_68.htm first dhcp request: UDP 0.0.0.0:68 -> 255.255.255.255:67 UDP dhcp-server:67 -> 255.25...

onlineuser

It seems that renewing of the IP address (outgoing dhcp request) is allowed when the device had got an IP before. I tried to remove the cable modem and waited 5 minutes - then the RB did not get an IP any longer (I did not change my firewall rules). But it seems that the request to 255.255.255.255 c...

onlineuser

Yes, I have an outgoing rule with output and drop, so TCP and UDP and all other will be blocked. I have only allowed WinBox port on LAN and on my testing router I have disabled after this rule everything for input, output and forward and the RB2011 gets an IP from the DHCP server. :-( 5 rules: 1) in...

onlineuser

Yet, I blocked all outgoing traffic, too. I do not understand how the DHCP can be send out, because everything is blocked. :-( I also unchecked the DNS an NTP feature but in the parameter list these two things will be request furthermore. And then the DHCP server also delivers the DNS entries and th...

onlineuser

Hello, today I tried to block everything except Winbox port. 1) When I rebooted the RB2011 the WAN port got an IP from the DHCP server. Why is it possible for the WAN port to request an IP (discover to 255.255.255.255) when everything is blocked by firewall rules? The WAN port can enter <requesting>...

onlineuser

Yes I also thought to this solution. 1) setting all IP addresses from incoming dst-nat requests to a list 2) set the timout for this list to 60 seconds Is this possible with mikrotik? In dst-nat settings I only can set a limit to max. connections per time but no timeout for this connection. The sett...

onlineuser

You are right - I am also curious for RB3011.

onlineuser

onlineuser

Ok thx.
The RB3011 will has a USB 3.0 port. The external memory also should be used for the "graphing data".
Webproxy and FTP-server are a nice feature but there are more performance solutions available and should not be integrated on a router.

onlineuser

thx

The saving on external memory would be nice feature!

For what can be the external USB memory used?

onlineuser

When I activate the "storing on disk" in Graphing/Interface Rules or Ressource Rules, does the router save the data automatically on the stick instead of the internal memory? I tried to log the interface statistics (without saving to disk). When will the logged data be removed? Although I ...

onlineuser

Hello, for what could I use a connected USB stick? Which data can be stored on it? When I activate the "storing on disk" in Graphing/Interface Rules or Ressource Rules, does the router save the data automatically on the stick instead of the internal memory? If someone uses the Web Proxy ca...

onlineuser

Today happened the same thing. Request from tor-limits-scanning.cl.cam.ac.uk (128.232.110.28) to port 80 but no data was transferred. The connection stayed established. Would it be possible to put IP addresses from such incoming requests to port 80 to a list which will be automatically removed after...

onlineuser

Yeah, these graphs are nice but they need space on the internal file system. When the storing to disk is disabled, will it be saved in memory? graphs.PNG What happens when the memory of my RB2011 gets quite full? When 0.0.0.0/0 has access to the graphs I hope this setting does not override the firew...

onlineuser

onlineuser

Search found 250 matches