MikroTik

nescafe2002

/interface bridge port remove [ find bridge=bridgeLocal ]

nescafe2002

Not necessary, interface is member of WAN and there is already a masquerade rule for WAN. Just remove the general masquerade rule.

nescafe2002

https://wiki.mikrotik.com/wiki/Manual:S ... l_commands

beep :beep <freq> <length> beep built in speaker

You can supply length without unit (defaults to number of seconds) or with unit, e.g. 200ms.

nescafe2002

mskoric; yes, sniffer disables fast path. The issue is fixed in 6.49beta11. https://forum.mikrotik.com/viewtopic.php?f=21&t=172259&p=842156#p844958 The reported SIP phone issue is fixed with this change: *) fastpath - fixed IP packet receive on bridge and bonding interfaces when destination ...

nescafe2002

No scripting required.

What's new in 6.41 (2017-Dec-22 11:55):
*) ipsec - allow to specify "remote-peer" address as DNS name;

nescafe2002

What's the name of the file?

nescafe2002

Not really. It has been mentioned before on the forum. https://forum.mikrotik.com/viewtopic.php?f=2&t=103739&p=515485#p515505 I just confirmed that Winbox 3.0 still has the behavior where typing a hostname into "Ping To" will use the client's DNS resolver, and not the remote Mikrot...

nescafe2002

The host is resolved in Winbox on the client device..

Try this in Terminal:

[admin@MikroTik] > /ping [:resolve www.cnn.com] 
failure: dns server failure

nescafe2002

Please don't quote posts entirely - quote selectively and don't quote if you're replying to the most recent post. CAPsMAN will provision radios wlan1 and wlan2 based on provision rules based on mac address or hw mode (e.g. gn/ac). In the documented example provision is not filtered so both radios (2...

nescafe2002

Users are omitted on export, probably to prevent the creation of passwordless users on import. Also users can be kept on configuration reset.

Use /user export to export users.

nescafe2002

Please post your CAPsMAN configuration. If I remember correctly, devices in cap mode somehow only work if a CAPsMAN controller is available in the network. /caps-man export should look something like this: /caps-man configuration add country=latvia datapath.client-to-client-forwarding=yes datapath.l...

nescafe2002

Use watchdog timer with watch address instead of netwatch. https://wiki.mikrotik.com/wiki/Manual:System/Watchdog watch-address (IP; Default: none) The system will reboot, in case 6 sequential pings to the given IP address will fail. If set to none this feature is disabled. By default router will reb...

nescafe2002

Mail support.. the forum is no official support channel.

nescafe2002

Is there no relevant line in the firewall connection tracking table?

nescafe2002

Yep.. that should work.

nescafe2002

Sorry, I misguided you.. PBX should be set to gateway 192.168.1.254.

nescafe2002

PBX should have set 192.168.2.254 as gateway.
Not sure why you couldn't ping 192.168.2.254 from your existing lan.. could you post your config (/export hide-sensitive)?

nescafe2002

System > Packages > Check for upgrades => upgrade.mikrotik.com IP > Cloud > DDNS Enabled => cloud2.mikrotik.com Interfaces > Detect Internet => cloud.mikrotik.com These are all subdomains. Are you sure the device is actually resolving the domain name 'mikrotik.com' (without subdomain)? Are there cli...

nescafe2002

Nope, not really.

Perhaps you're trying to remote configure CPE's, then you could take a look at https://wiki.mikrotik.com/wiki/Manual:TR069-client

nescafe2002

Was Winbox designed to dock the child window to the main window (when maximized)? Or has this behavior changes in recent version?

Perhaps this is not a bug but rather a suggestion or feature request.. better contact support.

nescafe2002

You want to pass-through option 43 from dhcp-client to dhcp-server? That's gonna require some scripting. E.g. :if ($bound=1) do={ :local acs ($"lease-options"->"43"); :log info "DHCP Option 43: $acs"; /ip dhcp-server option set option-43 value="'$acs'"; } Or, ...

nescafe2002

Add ip address 192.168.2.x/24 to LAN interface (bridge) takes care of routing between two subnets on same interface. /ip address add address=192.168.2.254/24 interface=bridge network=192.168.2.0 Extend ip pool and add dhcp-network for this segment. /ip dhcp-server network add address=192.168.2.0/24 ...

nescafe2002

Option 55 is a dhcp client options (requested parameter list). If you want to request more than the standard options, you'll have to supply the complete request list including 1 (subnet mask), 3 (gateway) and 6 (dns). Note that the MT probably will ignore option 43, but maybe you could do something ...

nescafe2002

Will be there no further V6.48.XX versions?
From the doomed V6.48 straight to V6.49?

Check the version numbering schema: https://wiki.mikrotik.com/wiki/Manual:U ... _numbering

Changes (fixes) from 6.49beta/rc can be merged to 6.48.x.

nescafe2002

Perhaps the package is disabled. Check System > Packages.

nescafe2002

viewtopic.php?f=1&t=169992#p832375

Export problem is known, /routing menu export is the one that fails.

nescafe2002

Mail support.

nescafe2002

Which version of WinBox? Have you tried clearing Cache (via connection dialog)?

nescafe2002

Nope, but you are trying to tunnel via a bridged device.. should work nevertheless, but I have not tested that scenario.

nescafe2002

Yes, if 192.168.10.254 is the default gateway of the device, 192.168.10.21 will not be able to reach either the other subnet or the internet via site B. Set the default gateway to 192.168.10.1. Actually nske noticed this earlier: a) 192.168.10.21 would be using the local ipsec terminating router (19...

nescafe2002

For 192.168.10.21 initiated traffic no additional configuration (route, firewall, nat) is required in default configuration. https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS There is 'some' routing decision before ipsec policy matching, but routing is done twice, so the actual (out...

nescafe2002

It should work out of the box.. Are the PH2 states of the new policies established?

nescafe2002

This rule translates all connections with a destination port of 25, 465. add action=dst-nat chain=dstnat comment=email dst-port=25,465 protocol=tcp \ to-addresses=192.168.2.7 So, even outgoing connections will be rewritten to destination ip 192.168.2.7. If this is the desired behavior, you should al...

nescafe2002

No need for additional protocols or interfaces. This scenario will work in standard ipsec tunneling mode. On site A create an additional policy: /ip ipsec policy add dst-address=0.0.0.0/0 peer=siteB src-address=192.168.10.21/32 tunnel=yes On site B create an additional policy: /ip ipsec policy add d...

nescafe2002

No need to add another filter rule. Your nat rule is dstnatting both incoming and outgoing connections. Limit the nat rule instead (e.g. dst-address-type=local and dst-address=!192.168.0.0/16). Note that you already made this effort on the first nat rule (ssh) with src-address=!192.168.2.0/24. To pr...

nescafe2002

Connect via mac to bypass firewall.

nescafe2002

This has been discussed before: https://www.reddit.com/r/mikrotik/comments/6kgln8/anonymous_and_weak_ssl_ciphers_on_mikrotik/ Disabling/firewalling www-ssl and api-ssl should fix the issue. If you're concerned about security, you should learn to properly and securely configure (e.g. firewall) the de...

nescafe2002

Did you clean the connector or the optical side? And how?

nescafe2002

*.phillipcarroll.local is not a valid regex entry because the first * quantifier is not preceded by a character (sequence).

But since partial matching takes place, I choose to omit the subdomain (.*) in general.

So.. \.domain\.local$ is simpler than ^.*\.domain\.local$

nescafe2002

The wiki example is escaped for pasting in terminal, you pasted the terminal example in the winbox dns static entry window (not the terminal).

nescafe2002

Your tld is .local, not .local$. Don't escape the last $ in the regex. In fact you should unescape the CLI syntax, e.g. \\. => \. when pasting directly in Winbox. Omitting the slashes will make it match with other characters as well. E.g. philipcarrollBlocalWhateveryoulike would match. Better use th...

nescafe2002

You're welcome. Increasing dhcp lease time (from 15m to 2h) might also help.

nescafe2002

7.1beta has support for DNS in RA, until then use DHCPv6 option 23

nescafe2002

You can use 6to4 (6in4) to tunnel ipv6 traffic over ipv4. /interface 6to4 add !keepalive name=6to4-branch remote-address=branch.tld /ipv6 route add distance=1 dst-address=2001:db8:10:10::/64 gateway=6to4-branch /interface list member add interface=6to4-branch list=LAN /interface 6to4 add !keepalive ...

nescafe2002

User Cha0s has answered this question earlier on SO:

https://serverfault.com/questions/88496 ... tik-router

AFAIK you cannot disable this on MikroTik.

nescafe2002

not sure why it wasn't applied automatically.

Default configuration is not re-applied on module activation. Maybe it should (for firewall) but that's up to the product team.

nescafe2002

After enabling ipv6 package, the ipv6 firewall is in the default configuration. https://help.mikrotik.com/docs/display/ROS/Default+configurations /system default-configuration print You can copy/paste the /ipv6 firewall part from there (make sure your terminal window is wide enough for all contents ...

nescafe2002

Is the DHCP server service not active, or not listed? Those are two different concepts..

The IP Services list is list of services not specified elsewhere. E.g. IPSEC server, PPTP/L2TP server services are not listed under IP Services. So it is 'by design'.

nescafe2002

Correct, they serve the same purpose. I like to leave the default firewall alone, give the dummy route a higher distance and a comment regarding device initiated ipsec connections. Also for unenstablished dynamic policies, the dummy route prevents unencrypted packets from leaving through wan. But se...

nescafe2002

Running EoIP to link two sites and then deal with the undesired effects (broadcasts, same subnet) is.. not the best advice imo. Just plain ipsec tunneling should work fine. To start, get rid of all the custom proposal and profile and use static peer for tunneling. Default firewall needs no adjustmen...

nescafe2002

Please see below link what I want to elaborate you. https://aacable.wordpress.com/2018/03/27/separating-natting-from-routing-in-mikrotik/ Your link provides the correct information: "When using Masquarade, RouterOS has to do full connection tracking recalculation on EACH interface connect/disc...

nescafe2002

msatter understood your question and pointed you in the right direction. The linked post contains all you need to know to create a failover solution.

Next time, don't quite entire posts especially if it's the most recent post you are replying to.. thanks :)

nescafe2002

monitor.ExecuteAsync(re => responses.Add(re)); This does not give me nay responses. It does give a response in the error callback: monitor.ExecuteAsync( re => responses.Add(re), e => Console.WriteLine(e.ToString())); Error: ApiTrapSentence:.tag=1|message=unknown parameter You can use parameter .id ...

nescafe2002

https://wiki.mikrotik.com/wiki/Manual:Product_Naming

Compared to the RB2011UiAS-2HnD, the RB2011UAS-2HnD has no PoE (out).

Watch out for NAND wear (bad blocks) on older, used devices. Performance should be comparable between both (244 Mbps w/o fasttrack).

nescafe2002

Also note the 'S' flag in the cache table - it refers to Static

nescafe2002

Since this thread went offtopic anyway, if you could limit the amount of quotes in your posts, that whould be helpful for rss readers :-)

(Or use Post reply instead of Reply with quote)

nescafe2002

Also, system shutdown is not required before power off.

viewtopic.php?t=123124#p607056

Mikrotik devices are safe to loose power in normal operation mode. No need to shut down the system before the power outage.

nescafe2002

/ipv6 dhcp-server option add code=23 name="dns" value="'2001:db8::1''2001:db8::2'" add code=24 name="search" value="0x04'home'0x05'local'" /ipv6 dhcp-server add dhcp-option="dns,search" interface=bridge-lan name=default /ipv6 nd set [ find default=y...

nescafe2002

"Bad" programmer? Incomplete requirements or missed in QA; but actual the programmer did a fine job here. Input is properly validated and saved according to some spec. Be a "good" user and report your findings to support via mail (support@) or https://help.mikrotik.com/servicedes...

nescafe2002

Make dhcp entries static then assign dhcp option 6; they will override dhcp network setting. /ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.2,192.168.88.3 domain=home.local gateway=192.168.88.1 /ip dhcp-server option add code=6 name="alt-dns1" value="'192.16...

nescafe2002

I used to have a script in /system/schedule to change NAT address ip.

Why don't you add pppoe-client to WAN interface list to take advantage of masquerade rule in default configuration?

nescafe2002

Check the default forwarding property of your wireless interface, the forwarding property of your access list entry or the client-to-client forwarding property of your capsman (datapath) profile. Check the client isolation setting on your TP-Link device :) Disable this checkbox: AP Isolation: Selec...

nescafe2002

Check the DHCP client status tab to find out which device assigned the ip

nescafe2002

But...I could not come up with any combination of routing definitions or NAT that would allow me to reach 192.168.42.1 from the main router. When using plain ipsec tunnel mode (no gre/ipip/...), you'll have to make sure the router picks the correct local address to be matched with ipsec policy. Thi...

nescafe2002

valemal, if you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device.

nescafe2002

https://mikrotik.com/download/changelogs/stable-release-tree (Stable release tree) What's new in 6.47.3 (2020-Sep-01 05:24): *) dns - fixed multiple TXT string replies; (Testing release tree) What's new in 6.48beta35 (2020-Sep-02 07:50): *) dns - fixed multiple TXT string replies; Are you on long te...

nescafe2002

Hello,

This is a known issue. You can set the endpoint (IPv6 address with port) via terminal:

/interface/wireguard/peers
print
set 0 endpoint="[2001:0db8:85a3::8a2e:0370:7334]:12321"

nescafe2002

Thx.. It's mistake for typing, but I really can't download update. Are you sure download.mikrotik.com resolves to one of the following ip addresses? ~$ openssl s_client -connect [2a02:610:7501:1000::196]:443 | openssl x509 -noout -text | grep DNS: DNS:*.mikrotik.com, DNS:mikrotik.com ~$ openssl s_c...

nescafe2002

Try enabling logging for the invalid rule. I've had some problems with lan-to-lan connections which were flagged invalid.

nescafe2002

Enabling IP Cloud will not automatically allow access to the device. It is just a free ddns service provided by MikroTik along with time sync and a backup slot.

You can find the exact specifications in the wiki, https://wiki.mikrotik.com/wiki/Manual:IP/Cloud

nescafe2002

https://wiki.mikrotik.com/wiki/Manual:IP/Cloud#Advanced use-local-address (yes | no; Default: no) By default, the DNS name will be assigned to the detected public address (from the UDP packet header). If you wish to send your "local" or "internal" IP address, then set this to yes...

nescafe2002

https://forum.mikrotik.com/viewtopic.php?t=136036#p670044 Found the answer. The option "ip cloud" is not supported on x86 due to the inability to verify hardware reliably. https://forum.mikrotik.com/viewtopic.php?p=430762#p430762 The DNS is assigned to valid serial numbers, for X86, we hav...

nescafe2002

No somehow the dialect is bound to the connection context. Can't you use ssh to export your configuration as it's just a single command?

nescafe2002

Forum related issues can be reported to support (via help.mikrotik.com or e-mail) but I doubt the admins will disable IPv6 to resolve your specific issue (and causing outage for all IPv6-only users).

nescafe2002

Actually setting dns ttl equal to lease time doesn't make any sense and only leads to unexpected behavior especially for longer lease times..

nescafe2002

Users are excluded from full export. You can export them individually:

/user export file=users.rsc

I suspect this is to prevent accidental creation of passwordless users when importing a full export.

nescafe2002

Afaik OpenDNS has configurable options, so better check that out. Pihole is targeted towards ads but maybe you can find porn based block lists.

nescafe2002

By not enabling local forwarding, the traffic will be forwarded to the CAPsMAN manager, effectively creating a new data path and separating the traffic from your home network.

nescafe2002

The easiest way is to use capsman forwarding mode, by defining the bridge in capsman datapath configuration and not enabling local forwarding traffic for the new ssid will be sent to the bridge without vlans.

nescafe2002

Yes, then separate subnets, add ip, bridge, dhcp server, dhcp network, ip pool, capsman configuration for guest network, update provisioning rule with new guest network and check your firewall rules. You could reverse logic: set static entries with own dns for known devices and set opendns in dhcp n...

nescafe2002

Wow.. if your intention was never to separate your networks, but (quoted from opening post) "to point specific clients" to another dns server: /ip dhcp-server option add code=6 name="opendns" value="'208.67.222.222''208.67.220.220'" /ip dhcp-server lease add address=172...

nescafe2002

Can't add key in wireguard via cli with "=" at the end. But can add it later via edit and can add it via gui. Put the key value between quotes, you may find the correct syntax using the export command. [admin@MikroTik] /interface/wireguard> add private-key="EMjwk8mpDylWKGU0c/z9TR1e5u...

nescafe2002

Dear @nescafe2002, unfortunately, I cannot access the DNS server via script. My provider does not allow automatic interaction. You can point a CNAME to a self hosted ACME dns server. This works quite well for me for several projects. e.g. To set up an ACME server on auth.domain.com: auth.domain.com...

nescafe2002

I usually switch to dns-01 challenge if the machine is not reachable (either directly or via reverse proxy). Is this an option?

nescafe2002

... or quick set (after checking "Bridge All LAN Ports"):

2020-08-17_18-58-59.png

nescafe2002

Actually 192.168.88.1 on (slave interface) ether2 is a default configuration (or quick set) thingy. And; I think we're here to share & learn, not to call BS on each other.

nescafe2002

Yes, issue is submitted to support but i encourage everyone (in general) to contact support.. before checking out other devices or brands. Mikrotik is working really hard for all customers so best you can do is "help them to help you", provide as much information as possible and give them ...

nescafe2002

Give them a few business days to respond. Update manually if you need to switch between branches.

nescafe2002

Looks like a problem in the local resolver. Only the A record is requested. [admin@MikroTik] > /system package update check-for-updates channel: stable installed-version: 6.47.1 status: ERROR: no internet connection [admin@MikroTik] > /log print 08:06:29 dns local query: #21 upgrade.mikrotik.com. A ...

nescafe2002

Ether2 is the first port in the bridge. As soon as you remove that port, ROS assignes a new mac address (hw addr of ether3). Nothing to worry about, just reconnect and it will work. Or set an administrative mac to avoid this kind of flopping.

nescafe2002

And remember to change the interface of your dhcp client or pppoe client from ether1 to ether2.

Before and after modifications, export your config to check for any "ether1" leftovers using text search.

nescafe2002

It's described in the documentation: https://wiki.mikrotik.com/wiki/Manual:RouterBOARD_settings#Mode_and_Reset_buttons Reset button additional functionality is supported by all MikroTik devices running RouterOS Some RouterBOARD devices have a mode button that allows you to run any script when the bu...

nescafe2002

It's in the documentation: https://wiki.mikrotik.com/wiki/Manual:IP/DNS#Static_DNS_Entries It is also possible to forward specific DNS requests to a different server using FWD type. This will fordward all subdomains of "example.com" to server 10.0.0.1: [admin@MikroTik] ip dns static> add r...

nescafe2002

Winbox has an update function in the connect dialog ("loader screen").

Tools > Check for updates

nescafe2002

Why don't you just dynamically update the upstream dns servers?

nescafe2002

Just select a session file in connect dialog (Advanced view) and you're good. You can sync this file with other computers via OneDrive, Dropbox, etc.

nescafe2002

Auto-completion is also called HotLock mode.

https://wiki.mikrotik.com/wiki/Manual:C ... tLock_Mode

This mode is available in Winbox, ssh and webfig and frequently accidentally activated using the hotkey ctrl-v.

They should've really chosen another hotkey, or just remove the feature completely.

nescafe2002

This is based on default configuration (manually applied via /system default-configuration print) and speedtest.net.

explorer_2020-07-26_13-14-42.png

nescafe2002

Router should perform better - is the device up to date and are you running a recent default configuration?

You may post output of terminal command /export hide-sensitive here.

nescafe2002

Also try disabling internet detection:

/interface detect-internet
set detect-interface-list=none

nescafe2002

It says it needs 23W constant and it could take up to 44W.

The RB4011iGS+5HacQ2HnD-IN without attachments consumes max 23 W.
So if you don't supply power to PoE equipment on ether10, 23 W is max usage, not constant.

(Another example of attachment is USB equipment but the device has no USB port)

nescafe2002

Try removing the invalid bridge port member "ether2 Office Net" (in fact they are all invalid since there is no bridge, but the others are disabled): /interface bridge port add comment=defconf interface="ether2 Office Net" add comment=defconf disabled=yes interface=sfp1 add disab...

nescafe2002

https://wiki.mikrotik.com/wiki/Manual:Netinstall Configure script (yes | no; Default: no) If set, then Netinstall will apply a custom configuration script after installing RouterOS. The file must be in .rsc file format and must be produced by the export command. The configuration script will replace...

nescafe2002

i don't know how to send info to check this issue, logs on WinBox don't show any error, after reboot DNS has back work..

When DNS is unresponsive again, before rebooting: add logging topic dns, perform name lookup from client, generate supout.rif, download supout.rif and send it to support.

nescafe2002

Sob, If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

Edit: Issue has been reported to support (SUP-22228)

nescafe2002

hsd75, could you generate supout.rif of the device with sfp attached, preferably in both states (6.46.6/working vs 6.47/not working) and send them to support via mail or help.mikrotik.com?

nescafe2002

DNS entries are processed sequentially, just move the regex entry to the bottom (order by # column) and it will be checked last.

Sorry, regex seems to evaluated before static entries, which is indeed not to be expected.

nescafe2002

Note that with the new static DNS record types you can forward both forward and reverse lookups: E.g. server 192.168.100.1 is authoritative server for domain.lan and subnet 192.168.100.0/24: /ip dns static # For domain.lan add forward-to=192.168.100.1 name="domain.lan" type=FWD # For *.dom...

nescafe2002

on 6.47 system - auto-upgrade still problem since 6.46 please fix it. i've report this many times. If you haven't submitted this issue to MT support via mail or help.mikrotik.com, it will never be fixed. Forum post != bug report. Also, multiple forum posts != bug report. Posting this repeatedly is ...

nescafe2002

Better take a look at tik4net => https://github.com/danikf/tik4net

The author is present on the forum => viewtopic.php?t=99954

nescafe2002

Hello, the information seems incomplete. You'll need to get the IPv4 subnet associated to the 6RD server. Then calculate the IPv6 prefix using https://alephs.org/6rdcalc.html. Enter number (32-mask) in "using ... bits" field. Add 6rd interface /interface 6to4 add !keepalive name=6rd remote...

nescafe2002

You could contact MikroTik support and send a supout file

nescafe2002

No, but you could use a certificate with a subject alternative name or a wildcard certificate.

nescafe2002

It is possible, route the remote subnet to your local lan, It sounds counter intuitive, but the route won't be used for routing anyway. It's to make sure the router picks a source lan ip which is part of the ipsec policy (local subnet).

nescafe2002

https://wiki.mikrotik.com/wiki/Manual:S ... ter_values

But for most entries with a identifier, you can use the name instead:

/ip dhcp-server disable default
/ip dhcp-server enable default

nescafe2002

"I cannot login via api after upgrade" Or: "I cannot login via api after upgrading from [version] to this v6.45.8. I am using [api implementation] in [language] documented here [url]. The code I am using is: [short login code fragment] I am getting the following result: [result from M...

nescafe2002

User is probably referring to the incomplete breadcumb in the page header.

Not a button, but a link to the current forum section is missing and maybe a link to the current topic as well.

nescafe2002

You may not be suprised if MT decides to ban you for that :) The minimum update interval, no scripting required, is 60 seconds: https://wiki.mikrotik.com/wiki/Manual:IP/Cloud#Properties ddns-update-interval (time, minimum 60 seconds; Default: none) If set DDNS will attempt to connect IP Cloud server...

nescafe2002

With one word of caution: You should never automate an import process from an untrusted source. It will make your router vulnerable to whatever the url is returning. Even when the scripts seems legit in browser, the author could inject malware based on user agent = Mikrotik/6.x Fetch. Therefore: If ...

nescafe2002

IP Cloud will update properly if your device has public IP. If MT is behind another router, you can force a periodic update using ddns-update-interval. No scripting required. /ip cloud set ddns-enabled=yes ddns-update-interval=10m Also, no scripting required for dstnat entries. Assuming you currentl...

nescafe2002

The find command can return multiple items. Have you tried specifying the search to limit the number of results? :put [ /ipv6 address get [ find interface=bridge-lan ] address ] invalid internal item number :put [ /ipv6 address get [ find interface=bridge-lan !link-local ] address ] 2a02::xx:xx:xxxx...

nescafe2002

That function works fine here. Have you tried running it in a Console Application?

I ran the example using LINQPad: https://www.linqpad.net/

Script: http://share.linqpad.net/6i2986.linq

nescafe2002

Not sure about sctp, but remember that there are multiple chains in the firewall (prerouting/postrouting and input/output/forward). This example sniffs ssh connections, both packets to the server (dst-port=22) and back to client (src-port=22). /ip firewall mangle add action=sniff-tzsp chain=prerouti...

nescafe2002

For a more permanent sniffing solution, you might take a look at firewall mangle, action sniff-tzsp:

https://wiki.mikrotik.com/wiki/Manual:I ... all/Mangle

nescafe2002

Search for multiple dhcp client => viewtopic.php?t=60453

nescafe2002

viewtopic.php?t=153321

nescafe2002

Get a cable and connect the other end to the wAP ac.

It's on the side:

<== POE + DATA
DATA ==>

nescafe2002

You can set a src-address (or src-address-list) in the forward rule:

/ip firewall address-list
add address=1.1.1.1 list=trusted
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-type=local dst-port=443 protocol=tcp src-address-list=trusted to-addresses=192.168.88.100

nescafe2002

You might want to create supout.rif of the device, running full bandwidth test and send it to support. Your device should be able to handle at least 3x those numbers with this config. (One supout with bridge ports ether6-10 enabled, one with bridge ports ether6-10 disabled). I suspect some sort of s...

nescafe2002

What's the link rate? It's in the interface property window, tab Status. Could you try disabling bridge ports 6 through 10? Disabling the LCD? Also, you're announcing a lot of dns servers in your dhcp network. You might want to limit the selection to just your routers address (192.168.2.1); the rout...

nescafe2002

I've set up my RB2011 according to your configuration. explorer_2019-11-24_11-10-03.png There is room for improvement, but 500Mbps is no problem. Maybe you should check cabling. What rate are the ethernet links? I´ve printed default config but i don´t see these two rules. The default config is longe...

nescafe2002

Whats the version of RouterOS? Why are you blocking output chain? You're e.g. blocking router originating DNS requests now. Also you may want to exclude ipsec from fasttracking, from default config: /ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: acce...

nescafe2002

There are generally two ways to performs operations via Tik4Net. Method 1. Use low level API using (var conn = ConnectionFactory.OpenConnection(TikConnectionType.Api_v2, "192.168.88.1", 8728, "admin", "")) { var command = conn.CreateCommand("/interface/pppoe-server...

nescafe2002

Yes, you have found the right operation. Note that you shouldn't OR after the first entry because #| ORs the two preceding entries (in other words you'll have to follow the Reverse Polish notation (RPN)). Example in C# tik4net: explorer_2019-11-23_09-33-34.png Conversation: ./login =name=admin =pass...

nescafe2002

I usually look at the middle table (512 bytes) with 25 filter rules to compare synthetic tests to real world applications in default config but without fasttrack (e.g. IPv6). Great..! Please take a look at the test results for 25 filter rules and 512 Byte packets. Can you please tell me the speed ?...

nescafe2002

They are technically not comparable. Product page test results are synthetic tests (using packet generator), fasttrack page test result is based on a single stream TCP test. TCP packet sizes are not fixed. I usually look at the middle table (512 bytes) with 25 filter rules to compare synthetic tests...

nescafe2002

Ok @nescafe2002, you can then let Mikrotik know that the test results are wrong! :lol: https://mikrotik.com/product/RB2011UiAS-2HnD-IN#fndtn-testresults They are not wrong, these are just synthetical tests with certain preconditions. Fasttrack follows (semi-) fastpath for most of (*) the establishe...

nescafe2002

No need to disable firewall.

Fasttrack bypasses firewall filtering for established connections and is enabled in default config.

And there are no queues in default config.

TS is free to post config for further examination.

nescafe2002

Just stick with RB2011 and enable fasttrack. 800 Mbps is achievable in default configuration. https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack#FastTrack_on_RB2011 hAP ac2 is a good alternative with wireless. Don't invest in a RB3011. They are really fine devices but if you want a dedicated router,...

nescafe2002

You better download CHR and run it in a virtual environment:

https://wiki.mikrotik.com/wiki/Manual:CHR#60-day_trial

nescafe2002

API supports query words to filter. ~ is not a valid query operator. But if listName is exact, you can use the following code: mikrotik.Send("/ip/firewall/address-list/print"); mikrotik.Send("?list=listName", true); foreach (string h in mikrotik.Read()) { Console.WriteLine(h); } ...

nescafe2002

Try this:

		Send("/login")
		Send("=name=" + user)
		Send("=password=" + pass, True)

(Alternatively, use the tik4net package: viewtopic.php?f=9&t=99954)

nescafe2002

You can (should) use place-before with .id value in API: /ip/firewall/filter/print =.proplist=.id !re.=.id=*37 !re.=.id=*1 !re.=.id=*2 !done /ip/firewall/filter/add =chain=input =dst-address=192.168.1.1 =protocol=tcp =dst-port=81 =comment=TESTING PLACE BEFORE =place-before=*37 !done =ret=*38 /quit

nescafe2002

https://i.mt.lv/cdn/rb_files/1568200626 ... -%20qg.pdf

To connect this device to a wireless network managed by CAPsMAN, keep holding the button for 5 more
seconds, LED turns solid green, release now to turn on CAPs mode (total 10 seconds).

nescafe2002

Have you disabled fasttrack for ipsec? Could you share your configuration (/export hide-sensitive)?

nescafe2002

2. Set your radio provisioning rule to create enabled instead of create dynamic enabled.

https://wiki.mikrotik.com/wiki/Manual:C ... ovisioning

nescafe2002

No, process name can only be evaluated on the client computer, not on the mikrotik router.

You can script the firewall rule creation using netsh, powershell or group policy (domain joined pcs).

nescafe2002

https://wiki.mikrotik.com/wiki/Manual:I ... pdate_time

Disable time zone autodetect

nescafe2002

Use CIDR notation, e.g. src-address=83.240.61.0/24 or src-address=83.240.0.0/16.

nescafe2002

There are related topics on the issue:

viewtopic.php?t=115316 (no solution)
viewtopic.php?t=63096 (no solution)

Have you tried rebooting the device? Are there active tasks under System > Scripts > Jobs?

nescafe2002

Create supout.rif and send to support@mikrotik.com. It's the one and only way to get (quick) support for your specific situation.

nescafe2002

PPP profile works for servers and clients. /ppp profile add name=profile1 on-down="/log info \"Client disconnected\"" on-up="/log info \"Client connected\"" /interface pppoe-client add name=pppoe-out1 profile=profile1 user=test Result: 12:05:10 pppoe,ppp,info ...

nescafe2002

$ wget https://download.mikrotik.com/routeros/6.45.3/routeros-mipsbe-6.45.3.npk Connecting to download.mikrotik.com (download.mikrotik.com)|2a02:610:7501:4000::226|:443... connected. routeros-mipsbe-6.4 100%[===================>] 11.54M 5.56MB/s in 2.1s IPv4: $ wget -4 https://download.mikrotik.com...

nescafe2002

You may want to use the built in profile feature to connect to any known network in the list. /interface wireless set [ find default-name=wlan1 ] default-authentication=no disabled=no ssid="" /interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=pro...

nescafe2002

Idea is that I cannot isolate WiFi devices from LAN devices and vice-versa. But in the same time I need to protect some LAN devices from being accessible by an unauthorized device that might plug into LAN using the exposed Ethernet cable used by external wAP. Consider ether3-5 trusted and ether2 un...

nescafe2002

Please take another look at the solution andriys proposed. You really don't want to disable network interfaces, because they will be disabled when you don't expect it (e.g. power outage, update, whatever) and require manualy intervention. Also, they are disabled after at most the chosen interval, so...

nescafe2002

For external DNS server: /ip firewall layer7-protocol add name=aaa.com regexp="\\x03aaa\\x03com" /ip firewall filter add place-before=0 action=reject chain=forward dst-port=53 layer7-protocol=aaa.com protocol=udp reject-with=icmp-network-unreachable Will block aaa.com, www.aaa.com, subdoma...

nescafe2002

2)We already share the necessary files with mikrotik support

Then thanks, that is helpful.

[/offtopic]

nescafe2002

It's actually rather annoying to see release topics filled with non-release specific replies, more annoying if you're replying to the post above and are still quoting the whole thing. 1. I have requested a mod to remove our posts, which are all offtopic. 2. If you want to be helpful, please do not p...

nescafe2002

Posted by spacex — Fri Aug 02, 2019 12:25 am Not fix dude snmp v3 ? Posted by spacex — Sun Aug 04, 2019 2:32 pm Hello, The dude snmp v3 problem not fix ? No, since it is not mentioned in the change log - Please keep this forum topic strictly related to this particular RouterOS release. - no need to ...

nescafe2002

These changes have been tested in stable channel, right?

Edit: installed on RB4011, (regular) SFP is detected and working.

nescafe2002

Use TikConnectionType.Api_v2: using (var conn = ConnectionFactory.OpenConnection(TikConnectionType.Api_v2, "192.168.88.1", "admin", "")) { var cmd = conn.CreateCommand("/system/identity/print"); var result = cmd.ExecuteSingleRow(); Console.WriteLine(result.Wor...

nescafe2002

JanezFord: Update your app to version 1.0.11 if you cannot connect to ROS >= 6.45:

1.0.11 Jul 23, 2019
- Login: Fixed connection issue for RouterOS 6.45

nescafe2002

Ether1 is standard WAN port and protected by firewall.

Connect your client to one of the LAN (ether2-10) ports and you can connect to ip or mac.

nescafe2002

Is there anything in the scheduler?

(we're just guessing here.. might as well post config /export hide-sensitive or send supout to support)

nescafe2002

Did you enable safe mode before creating the script?

nescafe2002

Add the policy with action=none and no peer:

/ip ipsec policy
add action=none dst-address=10.11.1.0/24 src-address=0.0.0.0/0

Peer is displayed as "unknown" in Winbox, but that's a cosmetic issue.

nescafe2002

No need to include asterisk for hostname. Add $ to mark end of word: /ip dns static add address=127.0.0.1 regexp="\\.example\\.com\$" @MT (if anyone is reading this), another example of why allowing static 0.0.0.0 and :: values as (intended) invalid dns entries would be a good idea (web si...

nescafe2002

is to make it happen in fasstrack for the RB

Example of a https://en.wikipedia.org/wiki/XY_problem

Describe what you are trying to achieve, perhaps it can be done without creating address lists.

nescafe2002

Your [find] example doesn't work because the API does not support composite CLI statements. Fetch the list of ids and then remove one-by-one: using (var conn = tik4net.ConnectionFactory.OpenConnection(TikConnectionType.Api, "192.168.88.1", 8728, "admin", "")) { var list...

nescafe2002

The API returns a result which is not expected by ExecuteNonQuery. Try this instead, ExecuteSingleRows assumes parameters are query words by default so you'll have to supply parameterformat NameValue: Using connection As ITikConnection = ConnectionFactory.CreateConnection(TikConnectionType.Api) conn...

nescafe2002

Please send your findings to support@mikrotik.com with supout.rif of the device to get it fixed (asap).

nescafe2002

View source, there are two posts with these links. Sat Jul 28, 2018 5:35 pm https://forum.mikrotik.com/viewtopic.php?f=23&t=137338#p676773 Mon Jul 30, 2018 11:36 pm https://forum.mikrotik.com/viewtopic.php?f=23&t=137338#p677134 I don't see a login dialog, only when i open the links manually.

nescafe2002

Common issue. Traffic to 192.168.2.0/24 will be routed to wan initially, therefore the router picks the ip address from the wan interface to initiate the connection. From there, the connection won't be picked up by ipsec policy. You can create a route to the remote subnet via the lan interface to fo...

nescafe2002

Why not just user=<user> and password=<pass>?

The basic authorization header is a base64 encoded string user:pass, e.g. from documentation:

$ base64 -d
QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Aladdin:open sesame

nescafe2002

http-header-field="Header1: Value1,Authorization: Basic dXNlcjpwYXNz"

But for basic authentication you can also use:

user=user password=pass

nescafe2002

viewtopic.php?f=21&t=145793&p=717744#p717744
viewtopic.php?t=129326
viewtopic.php?t=144359 (reported to support)

nescafe2002

Actually, this is not a BUG. The device simply cannot ping the address in the first few seconds after boot. Also, if a specific solution does not meet your requirement, it's not a BUG just not applicable to your case. There is built in watchdog functionality which has several delays built in to over...

nescafe2002

Click Advanced Mode

nescafe2002

If you want to automate configuration tasks, you'd better use the built in API functionality (or SSH at least).

https://wiki.mikrotik.com/wiki/Manual:API

nescafe2002

Have you completely shut down (disconnect power cable) the device at least once?

nescafe2002

You don't have to specify the predefined settings. Just fill To and Body and it works fine.

I wouldn't call the flexibility of customized server parameters per send action poor design, actually rather handy.

nescafe2002

Please create a supout file and send it to support. https://forum.mikrotik.com/viewtopic.php?f=21&t=146087&start=100#p726296 If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as ...

nescafe2002

Since it's part of the ppp package, you can find the server configuration under ppp menu option in Winbox or Webfig.

nescafe2002

Please create a supout.rif as soon as you realize something is wrong and send it - with description of what you expected versus what happened instead - to support with supout.rif . This instruction is posted in every release note: If you experience version related issues, then please send supout fil...

nescafe2002

Generate supout.rif and then e-mail it to them. Include backup if you want. Support is offering to look at your case for free. Please supply anything you can to explain your case:

- what you are doing (apps, buttons, screen)
- what you are seeing
- what you expected to happen
- what happens instead

nescafe2002

S+AO0005 is supported, please generate supout.rif while device is malfunctioning and send to support with problem description.

nescafe2002

https://www.roc-noc.com/mikrotik/routerboard/rb750.html

RouterBOARD 750 with AR7240 CPU, 32MB RAM (?), 5 LAN ports, RouterOS L4, plastic case, power supply, in a retail box.

nescafe2002

[admin@MikroTik] /ip cloud> print ddns-enabled: yes ddns-update-interval: none update-time: yes public-address: 82.x.x.x dns-name: 757bxxxxxxxx.sn.mynetname.net status: updated It displays public address, but will return local address in actual lookup. C:\>nslookup 757bxxxxxxxx.sn.mynetname.net Non...

nescafe2002

It's documented and known behavior. https://wiki.mikrotik.com/wiki/Manual:System/Time#Clock_and_Time_zone_configuration Note: Time-zone-autodetect by default is enabled on new RouterOS installation and after configuration reset. The time zone is detected depending on routers public IP address and ou...

nescafe2002

Same what?

Please show exactly what command you are running, what you expected to see/happen and what happens instead.

Include terminal output or screen dump when applicable.

What happens when you run

:put [ /system identity get name ]

in console?

nescafe2002

:put [ /system routerboard get serial-number ]

Prints serial number when run in terminal.

https://wiki.mikrotik.com/wiki/Manual:S ... l_commands

Command: put
Syntax: :put <expression>
Description: put supplied argument to console

nescafe2002

viewtopic.php?f=2&t=139091&p=685725#p685742

Make a new user, then re-login. There are big security changes in last versions, rename is no longer possible.

nescafe2002

Did you get an auto-reply? If yes, just wait. If not, resend mail (perhaps using another mail service, e.g. Gmail works fine).

nescafe2002

Note that port 5060 could by opened on your providers modem/router. We are in an audit process and this port is reported as unsafe. For this reason I want to close. # feb/18/2019 15:07:29 by RouterOS 6.32.3 Better look for another auditor if they didn't mention anything about your ROS version. You s...

nescafe2002

If you reset the device to CAP mode, the admin mac is set automatically. You can verify this by checking the default configuration script: [admin@MikroTik] > /system default-configuration print caps-mode-script: #------------------------------------------------------------------------------- # Note:...

nescafe2002

You need to apply hairpin nat OR add a local static dns entry pointing to your internal server.

https://wiki.mikrotik.com/wiki/Hairpin_NAT

nescafe2002

And Hannah25 is not even a real person, just a spam bot copying this post ( viewtopic.php?t=137572&start=200#p686945 ) and coming back later to edit in some spam links.

nescafe2002

Have you enabled internet detect? Try disabling it. If not, post config ( /export hide-sensitive )

nescafe2002

Use another DAC. https://mikrotik.com/product/s_ao0005 5m SFP+ 10Gbps Active Optics direct attach cable. This is highly cost-effective way to connect two SFP/SFP+ devices for very short distances, within racks and across adjacent racks. It works with all our products with SFP/SFP+ ports, including n...

Search found 763 matches