MikroTik

nescafe2002

Better take a look at tik4net => https://github.com/danikf/tik4net

The author is present on the forum => viewtopic.php?t=99954

nescafe2002

Hello, the information seems incomplete. You'll need to get the IPv4 subnet associated to the 6RD server. Then calculate the IPv6 prefix using https://alephs.org/6rdcalc.html. Enter number (32-mask) in "using ... bits" field. Add 6rd interface /interface 6to4 add !keepalive name=6rd remote-address=1...

nescafe2002

You could contact MikroTik support and send a supout file

nescafe2002

No, but you could use a certificate with a subject alternative name or a wildcard certificate.

nescafe2002

It is possible, route the remote subnet to your local lan, It sounds counter intuitive, but the route won't be used for routing anyway. It's to make sure the router picks a source lan ip which is part of the ipsec policy (local subnet).

nescafe2002

https://wiki.mikrotik.com/wiki/Manual:S ... ter_values

But for most entries with a identifier, you can use the name instead:

/ip dhcp-server disable default
/ip dhcp-server enable default

nescafe2002

"I cannot login via api after upgrade" Or: "I cannot login via api after upgrading from [version] to this v6.45.8. I am using [api implementation] in [language] documented here [url]. The code I am using is: [short login code fragment] I am getting the following result: [result from Mikrotik] or the...

nescafe2002

User is probably referring to the incomplete breadcumb in the page header.

Not a button, but a link to the current forum section is missing and maybe a link to the current topic as well.

nescafe2002

You may not be suprised if MT decides to ban you for that :) The minimum update interval, no scripting required, is 60 seconds: https://wiki.mikrotik.com/wiki/Manual:IP/Cloud#Properties ddns-update-interval (time, minimum 60 seconds; Default: none) If set DDNS will attempt to connect IP Cloud server...

nescafe2002

With one word of caution: You should never automate an import process from an untrusted source. It will make your router vulnerable to whatever the url is returning. Even when the scripts seems legit in browser, the author could inject malware based on user agent = Mikrotik/6.x Fetch. Therefore: If ...

nescafe2002

IP Cloud will update properly if your device has public IP. If MT is behind another router, you can force a periodic update using ddns-update-interval. No scripting required. /ip cloud set ddns-enabled=yes ddns-update-interval=10m Also, no scripting required for dstnat entries. Assuming you currentl...

nescafe2002

The find command can return multiple items. Have you tried specifying the search to limit the number of results? :put [ /ipv6 address get [ find interface=bridge-lan ] address ] invalid internal item number :put [ /ipv6 address get [ find interface=bridge-lan !link-local ] address ] 2a02::xx:xx:xxxx...

nescafe2002

That function works fine here. Have you tried running it in a Console Application?

I ran the example using LINQPad: https://www.linqpad.net/

Script: http://share.linqpad.net/6i2986.linq

nescafe2002

Not sure about sctp, but remember that there are multiple chains in the firewall (prerouting/postrouting and input/output/forward). This example sniffs ssh connections, both packets to the server (dst-port=22) and back to client (src-port=22). /ip firewall mangle add action=sniff-tzsp chain=prerouti...

nescafe2002

For a more permanent sniffing solution, you might take a look at firewall mangle, action sniff-tzsp:

https://wiki.mikrotik.com/wiki/Manual:I ... all/Mangle

nescafe2002

Search for multiple dhcp client => viewtopic.php?t=60453

nescafe2002

viewtopic.php?t=153321

nescafe2002

Get a cable and connect the other end to the wAP ac.

It's on the side:

<== POE + DATA
DATA ==>

nescafe2002

You can set a src-address (or src-address-list) in the forward rule:

/ip firewall address-list
add address=1.1.1.1 list=trusted
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-type=local dst-port=443 protocol=tcp src-address-list=trusted to-addresses=192.168.88.100

nescafe2002

You might want to create supout.rif of the device, running full bandwidth test and send it to support. Your device should be able to handle at least 3x those numbers with this config. (One supout with bridge ports ether6-10 enabled, one with bridge ports ether6-10 disabled). I suspect some sort of s...

nescafe2002

What's the link rate? It's in the interface property window, tab Status. Could you try disabling bridge ports 6 through 10? Disabling the LCD? Also, you're announcing a lot of dns servers in your dhcp network. You might want to limit the selection to just your routers address (192.168.2.1); the rout...

nescafe2002

I've set up my RB2011 according to your configuration. explorer_2019-11-24_11-10-03.png There is room for improvement, but 500Mbps is no problem. Maybe you should check cabling. What rate are the ethernet links? I´ve printed default config but i don´t see these two rules. The default config is longe...

nescafe2002

Whats the version of RouterOS? Why are you blocking output chain? You're e.g. blocking router originating DNS requests now. Also you may want to exclude ipsec from fasttracking, from default config: /ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in...

nescafe2002

There are generally two ways to performs operations via Tik4Net. Method 1. Use low level API using (var conn = ConnectionFactory.OpenConnection(TikConnectionType.Api_v2, "192.168.88.1", 8728, "admin", "")) { var command = conn.CreateCommand("/interface/pppoe-server/print"); command.AddParameter(".pr...

nescafe2002

Yes, you have found the right operation. Note that you shouldn't OR after the first entry because #| ORs the two preceding entries (in other words you'll have to follow the Reverse Polish notation (RPN)). Example in C# tik4net: explorer_2019-11-23_09-33-34.png Conversation: ./login =name=admin =pass...

nescafe2002

I usually look at the middle table (512 bytes) with 25 filter rules to compare synthetic tests to real world applications in default config but without fasttrack (e.g. IPv6). Great..! Please take a look at the test results for 25 filter rules and 512 Byte packets. Can you please tell me the speed ?...

nescafe2002

They are technically not comparable. Product page test results are synthetic tests (using packet generator), fasttrack page test result is based on a single stream TCP test. TCP packet sizes are not fixed. I usually look at the middle table (512 bytes) with 25 filter rules to compare synthetic tests...

nescafe2002

Ok @nescafe2002, you can then let Mikrotik know that the test results are wrong! :lol: https://mikrotik.com/product/RB2011UiAS-2HnD-IN#fndtn-testresults They are not wrong, these are just synthetical tests with certain preconditions. Fasttrack follows (semi-) fastpath for most of (*) the establishe...

nescafe2002

No need to disable firewall.

Fasttrack bypasses firewall filtering for established connections and is enabled in default config.

And there are no queues in default config.

TS is free to post config for further examination.

nescafe2002

Just stick with RB2011 and enable fasttrack. 800 Mbps is achievable in default configuration. https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack#FastTrack_on_RB2011 hAP ac2 is a good alternative with wireless. Don't invest in a RB3011. They are really fine devices but if you want a dedicated router,...

nescafe2002

You better download CHR and run it in a virtual environment:

https://wiki.mikrotik.com/wiki/Manual:CHR#60-day_trial

nescafe2002

API supports query words to filter. ~ is not a valid query operator. But if listName is exact, you can use the following code: mikrotik.Send("/ip/firewall/address-list/print"); mikrotik.Send("?list=listName", true); foreach (string h in mikrotik.Read()) { Console.WriteLine(h); } https://wiki.mikroti...

nescafe2002

Try this:

		Send("/login")
		Send("=name=" + user)
		Send("=password=" + pass, True)

(Alternatively, use the tik4net package: viewtopic.php?f=9&t=99954)

nescafe2002

You can (should) use place-before with .id value in API: /ip/firewall/filter/print =.proplist=.id !re.=.id=*37 !re.=.id=*1 !re.=.id=*2 !done /ip/firewall/filter/add =chain=input =dst-address=192.168.1.1 =protocol=tcp =dst-port=81 =comment=TESTING PLACE BEFORE =place-before=*37 !done =ret=*38 /quit

nescafe2002

https://i.mt.lv/cdn/rb_files/1568200626 ... -%20qg.pdf

To connect this device to a wireless network managed by CAPsMAN, keep holding the button for 5 more
seconds, LED turns solid green, release now to turn on CAPs mode (total 10 seconds).

nescafe2002

Have you disabled fasttrack for ipsec? Could you share your configuration (/export hide-sensitive)?

nescafe2002

2. Set your radio provisioning rule to create enabled instead of create dynamic enabled.

https://wiki.mikrotik.com/wiki/Manual:C ... ovisioning

nescafe2002

No, process name can only be evaluated on the client computer, not on the mikrotik router.

You can script the firewall rule creation using netsh, powershell or group policy (domain joined pcs).

nescafe2002

https://wiki.mikrotik.com/wiki/Manual:I ... pdate_time

Disable time zone autodetect

nescafe2002

Use CIDR notation, e.g. src-address=83.240.61.0/24 or src-address=83.240.0.0/16.

nescafe2002

There are related topics on the issue:

viewtopic.php?t=115316 (no solution)
viewtopic.php?t=63096 (no solution)

Have you tried rebooting the device? Are there active tasks under System > Scripts > Jobs?

nescafe2002

Create supout.rif and send to support@mikrotik.com. It's the one and only way to get (quick) support for your specific situation.

nescafe2002

PPP profile works for servers and clients. /ppp profile add name=profile1 on-down="/log info \"Client disconnected\"" on-up="/log info \"Client connected\"" /interface pppoe-client add name=pppoe-out1 profile=profile1 user=test Result: 12:05:10 pppoe,ppp,info pppoe-out1: authenticated 12:05:10 pppoe...

nescafe2002

$ wget https://download.mikrotik.com/routeros/6.45.3/routeros-mipsbe-6.45.3.npk Connecting to download.mikrotik.com (download.mikrotik.com)|2a02:610:7501:4000::226|:443... connected. routeros-mipsbe-6.4 100%[===================>] 11.54M 5.56MB/s in 2.1s IPv4: $ wget -4 https://download.mikrotik.com...

nescafe2002

You may want to use the built in profile feature to connect to any known network in the list. /interface wireless set [ find default-name=wlan1 ] default-authentication=no disabled=no ssid="" /interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=profile1 wpa2...

nescafe2002

Idea is that I cannot isolate WiFi devices from LAN devices and vice-versa. But in the same time I need to protect some LAN devices from being accessible by an unauthorized device that might plug into LAN using the exposed Ethernet cable used by external wAP. Consider ether3-5 trusted and ether2 un...

nescafe2002

Please take another look at the solution andriys proposed. You really don't want to disable network interfaces, because they will be disabled when you don't expect it (e.g. power outage, update, whatever) and require manualy intervention. Also, they are disabled after at most the chosen interval, so...

nescafe2002

For external DNS server: /ip firewall layer7-protocol add name=aaa.com regexp="\\x03aaa\\x03com" /ip firewall filter add place-before=0 action=reject chain=forward dst-port=53 layer7-protocol=aaa.com protocol=udp reject-with=icmp-network-unreachable Will block aaa.com, www.aaa.com, subdomain.aaa.com...

nescafe2002

2)We already share the necessary files with mikrotik support

Then thanks, that is helpful.

[/offtopic]

nescafe2002

It's actually rather annoying to see release topics filled with non-release specific replies, more annoying if you're replying to the post above and are still quoting the whole thing. 1. I have requested a mod to remove our posts, which are all offtopic. 2. If you want to be helpful, please do not p...

nescafe2002

Posted by spacex — Fri Aug 02, 2019 12:25 am Not fix dude snmp v3 ? Posted by spacex — Sun Aug 04, 2019 2:32 pm Hello, The dude snmp v3 problem not fix ? No, since it is not mentioned in the change log - Please keep this forum topic strictly related to this particular RouterOS release. - no need to ...

nescafe2002

These changes have been tested in stable channel, right?

Edit: installed on RB4011, (regular) SFP is detected and working.

nescafe2002

Use TikConnectionType.Api_v2:

using (var conn = ConnectionFactory.OpenConnection(TikConnectionType.Api_v2, "192.168.88.1", "admin", ""))
{
  var cmd = conn.CreateCommand("/system/identity/print");
  var result = cmd.ExecuteSingleRow();
  Console.WriteLine(result.Words["name"]);
}

nescafe2002

JanezFord: Update your app to version 1.0.11 if you cannot connect to ROS >= 6.45:

1.0.11 Jul 23, 2019
- Login: Fixed connection issue for RouterOS 6.45

nescafe2002

Ether1 is standard WAN port and protected by firewall.

Connect your client to one of the LAN (ether2-10) ports and you can connect to ip or mac.

nescafe2002

Is there anything in the scheduler?

(we're just guessing here.. might as well post config /export hide-sensitive or send supout to support)

nescafe2002

Did you enable safe mode before creating the script?

nescafe2002

Add the policy with action=none and no peer:

/ip ipsec policy
add action=none dst-address=10.11.1.0/24 src-address=0.0.0.0/0

Peer is displayed as "unknown" in Winbox, but that's a cosmetic issue.

nescafe2002

No need to include asterisk for hostname. Add $ to mark end of word: /ip dns static add address=127.0.0.1 regexp="\\.example\\.com\$" @MT (if anyone is reading this), another example of why allowing static 0.0.0.0 and :: values as (intended) invalid dns entries would be a good idea (web site blockin...

nescafe2002

is to make it happen in fasstrack for the RB

Example of a https://en.wikipedia.org/wiki/XY_problem

Describe what you are trying to achieve, perhaps it can be done without creating address lists.

nescafe2002

Your [find] example doesn't work because the API does not support composite CLI statements. Fetch the list of ids and then remove one-by-one: using (var conn = tik4net.ConnectionFactory.OpenConnection(TikConnectionType.Api, "192.168.88.1", 8728, "admin", "")) { var list = conn.CreateCommandAndParame...

nescafe2002

The API returns a result which is not expected by ExecuteNonQuery. Try this instead, ExecuteSingleRows assumes parameters are query words by default so you'll have to supply parameterformat NameValue: Using connection As ITikConnection = ConnectionFactory.CreateConnection(TikConnectionType.Api) conn...

nescafe2002

Please send your findings to support@mikrotik.com with supout.rif of the device to get it fixed (asap).

nescafe2002

View source, there are two posts with these links.

Sat Jul 28, 2018 5:35 pm
viewtopic.php?f=23&t=137338#p676773

Mon Jul 30, 2018 11:36 pm
viewtopic.php?f=23&t=137338#p677134

I don't see a login dialog, only when i open the links manually.

nescafe2002

Common issue. Traffic to 192.168.2.0/24 will be routed to wan initially, therefore the router picks the ip address from the wan interface to initiate the connection. From there, the connection won't be picked up by ipsec policy. You can create a route to the remote subnet via the lan interface to fo...

nescafe2002

Why not just user=<user> and password=<pass>?

The basic authorization header is a base64 encoded string user:pass, e.g. from documentation:

$ base64 -d
QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Aladdin:open sesame

nescafe2002

http-header-field="Header1: Value1,Authorization: Basic dXNlcjpwYXNz"

But for basic authentication you can also use:

user=user password=pass

nescafe2002

viewtopic.php?f=21&t=145793&p=717744#p717744
viewtopic.php?t=129326
viewtopic.php?t=144359 (reported to support)

nescafe2002

Actually, this is not a BUG. The device simply cannot ping the address in the first few seconds after boot. Also, if a specific solution does not meet your requirement, it's not a BUG just not applicable to your case. There is built in watchdog functionality which has several delays built in to over...

nescafe2002

Click Advanced Mode

nescafe2002

If you want to automate configuration tasks, you'd better use the built in API functionality (or SSH at least).

https://wiki.mikrotik.com/wiki/Manual:API

nescafe2002

Have you completely shut down (disconnect power cable) the device at least once?

nescafe2002

You don't have to specify the predefined settings. Just fill To and Body and it works fine.

I wouldn't call the flexibility of customized server parameters per send action poor design, actually rather handy.

nescafe2002

Please create a supout file and send it to support. https://forum.mikrotik.com/viewtopic.php?f=21&t=146087&start=100#p726296 If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected...

nescafe2002

Since it's part of the ppp package, you can find the server configuration under ppp menu option in Winbox or Webfig.

nescafe2002

Please create a supout.rif as soon as you realize something is wrong and send it - with description of what you expected versus what happened instead - to support with supout.rif . This instruction is posted in every release note: If you experience version related issues, then please send supout fil...

nescafe2002

Generate supout.rif and then e-mail it to them. Include backup if you want. Support is offering to look at your case for free. Please supply anything you can to explain your case:

- what you are doing (apps, buttons, screen)
- what you are seeing
- what you expected to happen
- what happens instead

nescafe2002

S+AO0005 is supported, please generate supout.rif while device is malfunctioning and send to support with problem description.

nescafe2002

https://www.roc-noc.com/mikrotik/routerboard/rb750.html

RouterBOARD 750 with AR7240 CPU, 32MB RAM (?), 5 LAN ports, RouterOS L4, plastic case, power supply, in a retail box.

nescafe2002

[admin@MikroTik] /ip cloud> print ddns-enabled: yes ddns-update-interval: none update-time: yes public-address: 82.x.x.x dns-name: 757bxxxxxxxx.sn.mynetname.net status: updated It displays public address, but will return local address in actual lookup. C:\>nslookup 757bxxxxxxxx.sn.mynetname.net Non...

nescafe2002

It's documented and known behavior. https://wiki.mikrotik.com/wiki/Manual:System/Time#Clock_and_Time_zone_configuration Note: Time-zone-autodetect by default is enabled on new RouterOS installation and after configuration reset. The time zone is detected depending on routers public IP address and ou...

nescafe2002

Same what?

Please show exactly what command you are running, what you expected to see/happen and what happens instead.

Include terminal output or screen dump when applicable.

What happens when you run

:put [ /system identity get name ]

in console?

nescafe2002

:put [ /system routerboard get serial-number ]

Prints serial number when run in terminal.

https://wiki.mikrotik.com/wiki/Manual:S ... l_commands

Command: put
Syntax: :put <expression>
Description: put supplied argument to console

nescafe2002

viewtopic.php?f=2&t=139091&p=685725#p685742

Make a new user, then re-login. There are big security changes in last versions, rename is no longer possible.

nescafe2002

Did you get an auto-reply? If yes, just wait. If not, resend mail (perhaps using another mail service, e.g. Gmail works fine).

nescafe2002

Note that port 5060 could by opened on your providers modem/router. We are in an audit process and this port is reported as unsafe. For this reason I want to close. # feb/18/2019 15:07:29 by RouterOS 6.32.3 Better look for another auditor if they didn't mention anything about your ROS version. You s...

nescafe2002

If you reset the device to CAP mode, the admin mac is set automatically. You can verify this by checking the default configuration script: [admin@MikroTik] > /system default-configuration print caps-mode-script: #------------------------------------------------------------------------------- # Note:...

nescafe2002

You need to apply hairpin nat OR add a local static dns entry pointing to your internal server.

https://wiki.mikrotik.com/wiki/Hairpin_NAT

nescafe2002

And Hannah25 is not even a real person, just a spam bot copying this post ( viewtopic.php?t=137572&start=200#p686945 ) and coming back later to edit in some spam links.

nescafe2002

Have you enabled internet detect? Try disabling it. If not, post config ( /export hide-sensitive )

nescafe2002

Use another DAC. https://mikrotik.com/product/s_ao0005 5m SFP+ 10Gbps Active Optics direct attach cable. This is highly cost-effective way to connect two SFP/SFP+ devices for very short distances, within racks and across adjacent racks. It works with all our products with SFP/SFP+ ports, including n...

nescafe2002

https://wiki.mikrotik.com/wiki/Manual:CAPsMAN#Master_Configuration_Profiles datapath.client-to-client-forwarding (yes | no; Default: no ) controls if client-to-client forwarding between wireless clients connected to interface should be allowed, in local forwarding mode this function is performed by ...

nescafe2002

Im not sure why this question gets posted here 1:1, after it was already answered on reddit:

It is a spamming account. Posts get edited and filled with spam links after a while.

nescafe2002

There is very useful information on the wifi, have you tried that? https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP#Application_Examples Please share your config ( /export hide-sensitive ) if you are stuck. Which clients are connecting? (Multiple sstp tunnels and road warrior setups running fine...

nescafe2002

Have you tried disabling STP on bridge? And did you report this issue to support?

nescafe2002

http://poe-world.com/Calculator/

iexplore_2019-03-06_11-57-26.png

2019-03-06_11-58-44.png

PoE in input Voltage 18-28 V

Voltage is OK but you should consider buying a 1.2A adapter.

nescafe2002

Why don't you use the built in "add-arp" setting? https://forum.mikrotik.com/viewtopic.php?t=87889#p442251 If you enabled this option, and set the interface ARP setting to "reply-only", it will mean that only DHCP clients will be able to access your network, statically configured IP addresses will n...

nescafe2002

The S-RJ01 is compatible with the RB4011, but will not operate at rate 1000, 100 or 10.

https://wiki.mikrotik.com/wiki/MikroTik ... ble#S-RJ01

So.. not supported I guess?

2019-03-03_13-47-36.png

nescafe2002

Undo that change, because enabling the firewall helper service won't activate the actual service.

Enable logging for topic tftp and disable/enable tftp rule. Check the log. Is the server starting?

nescafe2002

The dhcp package is mandatory, as mentioned in change log, but you should be able to delete / disable any dhcp servers or clients.

What's new in 6.44 (2019-Feb-25 14:11):

Changes in this release:

*) upgrade - made security package depend on DHCP package

nescafe2002

You have to enable connection tracking if you want to enable firewall service ports.

Note that these are ip service helpers, usually for NAT, not the actual services.

So it doesn't make sense to enable these helpers if you aren't natting or filtering.

nescafe2002

You are considering buying a new device because it cannot saturate the connection using the built-in bandwith tester? Even though RB3011 can handle 1Gpbs NAT traffic easily? Keep in mind that the device has to actually generate the traffic and cannot use any of the hardware offload functions, theref...

nescafe2002

ROS 6.44. When exporting
Code: Select all
/ip neighbor discovery-settings
, inversion is not taken into account. Be careful!
ROS_6.44_neighbor.jpg

This is strictly spoken not a 6.44 issue, as the problem exists in 6.43 as well. You are welcome to report it, with supout.rif, to support.

nescafe2002

In that case, please do not say V7 but instead say: Some version we might release in the (probably distant) future

Really?

nescafe2002

Reset to default configuration & got a fresh ip :) RB4011 @ 1Gbps [admin@MikroTik] > /tool bandwidth-test 87.121.0.45 user=neterra password=neterra direction=both ;;; results can be limited by cpu, note that traffic generation/termination performance might not be representative of forwarding perform...

nescafe2002

I updated and my coffee machine started smoking.

nescafe2002

Works fine here: RB3011 @ 500Mbps [admin@MikroTik] > /tool bandwidth-test 87.121.0.45 user=neterra password=neterra direction=both status: running duration: 57s tx-current: 543.9Mbps tx-10-second-average: 543.6Mbps tx-total-average: 456.1Mbps rx-current: 543.6Mbps rx-10-second-average: 543.5Mbps rx-...

nescafe2002

See: https://wiki.mikrotik.com/wiki/Manual:I ... _and_ports

UDP/20561 is used for MAC winbox connection.

It uses broadcasts to be able to connect to RB on L2 (no IP address required).

By connecting to IP address instead you will eliminate these broadcasts.

nescafe2002

Screenshots 1 shows ipsec policy template, screenshot 2 shows ipsec policy (not a template).

nescafe2002

Try the new rc (switch to testing channel), it has better support for 1Gbit SFP:

https://mikrotik.com/download/changelog ... lease-tree

What's new in 6.44rc1 (2019-Feb-15 07:12):

*) rb4011 - improved SFP+ interface linking to 1Gbps;

nescafe2002

Switch to testing channel. 6.44beta/rc handles SFP much better on RB4011.

viewtopic.php?f=21&t=139057&p=709663#p709663

What's new in 6.44beta61 (2019-Jan-17 13:24):

Changes in this release:

*) rb4011 - improved SFP+ interface linking to 1Gbps;

nescafe2002

You are correct

nescafe2002

WinBox v3.18 doesn't connect to RB with empty password out-of-the box.

Just login via WebFig / SSH / telnet and set a password (may even be empty).

WinBox login w/o password seems to works fine..

nescafe2002

Newer default configuration make use of interface lists, the provided example will work fine on recent configs.

If you don't have interface lists, we can only guess. Post config ( /export hide-sensitive ) or adept example to your liking.

nescafe2002

Do a Torch on the interface and you will see which host/protocol/port causes the most traffic.

You can enable logging on the specific rule, to memory will be fine for a limited time period.

nescafe2002

Reporting on forum again won't help much.

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

nescafe2002

You need to accept established connections in forward chain, then you can remove all reverse logic rules again. Now, everyone can reach your private network as long as they're using source port 80,443/tcp or 53/udp. Take a look at the default firewall, which is a good entry point anyway. Make sure i...

nescafe2002

Duplicate topic: viewtopic.php?f=2&t=145145

nescafe2002

Please update your router first, following the steps in this document: https://blog.mikrotik.com/security/winbox-vulnerability.html Update, change pwd, check config. For your ssh problem, you may be blocking ssh connections in firewall. After update, export config ( /export hide-sensitive ) and past...

nescafe2002

Have you enabled fasttrack? I will probably bypass raw firewall, however doesn't explain why tcp is working. Please do no post screenshots, just export config ( /export hide-sensitive ) and paste in code blocks. Also.. TomjNorthIdaho mentioned more than a terabyte of traffic per month hosting public...

nescafe2002

Nice work! You can check out the configuration of TomjNorthIdaho posted here: https://forum.mikrotik.com/viewtopic.php?f=2&t=104266&p=690150#p690150 /ip firewall raw add action=accept chain=prerouting comment="testers accepted" src-address-list=tester add action=drop chain=prerouting comment="previo...

nescafe2002

You can setup an ipsec transport policy with protocol=47 and ensure gre traffic is secured using the firewall ipsec policy matcher:

https://wiki.mikrotik.com/wiki/Manual:I ... ed_traffic

Dynamic peer will disappear as soon as you unset ipsec secret in gre tunnel.

nescafe2002

Rtfm?

https://wiki.mikrotik.com/wiki/Manual:I ... ess_points

nescafe2002

Still 100% CPU-load on one of the cores in my RB3011. The router is working, but still this indicate something is wrong. Anyone else with the same problem? Any suggestions on how to fix?

Yes, send supout.rif to support@mikrotik.com.

nescafe2002

Routing mark is not main, but empty (missing) for default route. https://wiki.mikrotik.com/wiki/Manual:API#Queries ?name pushes 'true' if item has value of property name, 'false' if it does not. ?-name pushes 'true' if item does not have value of property name, 'false' otherwise. You might try somet...

nescafe2002

The reason you're getting "no such command" is because "ip/dhcp-server/lease/set" is not a valid command. You're missing the leading "/" => "/ip/dhcp-server/lease/set" is valid :) Also, you cannot use [ find ] syntax in API. Print with filter to get id, then update by id. mk.Send("/ip/dhcp-server/le...

nescafe2002

Since I've spent some time restoring VPN functionality.. here are my 6.44beta61 IKEv2 settings for iOS, macOS and Windows clients. Windows only seems to work with identity my-id=auto and remote-id=auto. Afaik you cannot add a secondary peer for Windows default ipsec settings, so you should alter the...

nescafe2002

Replace screenshots with configuration export (/export hide-sensitive).

Enable ipsec logging (/system logging add topics=ipsec,!packet) and check/post the results (/log print or log window).

nescafe2002

when you try to access IP Socks router stuck at 100% cpu, How do you "access IP Socks"? Are you trying to use the IP socks service as a client? Are you opening the IP > Socks > Access window in WinBox? Are you printing the entries in Terminal? The most simple command to remove all entries is, in CL...

nescafe2002

Default firewall accepts untracked connections. Are you using default firewall? Are you pinging from/to routers or hosts? If routers, add route to remote subnet via local interface to ensure router picks correct source address.

nescafe2002

Kudos for the developers

nescafe2002

You can switch to testing channel to utilize multithreaded btest.

https://mikrotik.com/download/changelog ... lease-tree

What's new in 6.44beta39 (2018-Nov-27 12:14):

*) btest - added multithreading support for both UDP and TCP tests;

nescafe2002

For what it's worth, I experienced same outage, yesterday at 16:05 GMT. I thought it was a problem with my provider, since resolving via 8.8.8.8 worked. Problem was solved at 16:15 GMT. Issue re-appeared shortly thereafter. C:\Users\Admin>nslookup 968a09baxxxx.sn.mynetname.net 82.197.196.182 Server:...

nescafe2002

The Quick Guide contains the steps to follow to reset the device. If this is not working, please describe what model and what steps you are executing. If you have disabled a single ethernet interface on a multiple interface device, you may connect your computer to another ethernet port and discover ...

nescafe2002

Could you try applying pressure on the heat sink? This has been the issue with me and another user.

viewtopic.php?f=7&t=138928

nescafe2002

There's another discussion on the topic: viewtopic.php?t=36035

I don't understand why, but the behavior is reported, confirmed by MT and there is an acceptable workaround (use bridge filer).

Perhaps some documentation on this specific limitation would be nice.

nescafe2002

DHCP is over UDP, and CAN be firewalled and NEEDS to be allowed or it won't work... See https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol for protocol details Again, dhcp client cannot be firewalled using ip firewall. 2019-01-22_21-14-15.gif Only bridge firewall. 2019-01-22_21-18-51...

nescafe2002

IP firewall does not affect dhcp client.

See also: viewtopic.php?t=140569

nescafe2002

Have you tried the last beta?

https://mikrotik.com/download/changelog ... lease-tree

What's new in 6.44beta50 (2018-Dec-17 13:01):

*) capsman - always accept connections from loopback address;

nescafe2002

Explain the exact steps you are doing. I have done this procedure several times with success. Just make sure the configuration you are moving is fitting the new hardware model (by making adjustments), the required packages are installed and the version matches.

nescafe2002

It does work, but fails at line 24, probably due to a different set of interfaces or features between devices.

You better open the rsc file in a text editor, select the lines by hand and paste them in the terminal.

nescafe2002

Here they are, using: $ ssh admin@demo.mt.lv "/export" > demo.mt.lv.rsc

nescafe2002

This command is available since 6.44beta14. Switch to testing channel and upgrade if you want to use it now, or wait until 6.44 is considered stable. https://mikrotik.com/download/changelogs/testing-release-tree What's new in 6.44beta14 (2018-Oct-01 12:01): Changes in this release: *) lte - added "c...

nescafe2002

What's new in 6.44beta61 (2019-Jan-17 13:24): *) rb4011 - improved SFP+ interface linking to 1Gbps; I can confirm FS 1000BASE-BX BiDi SFP 1310nm-TX/1490nm-RX 20km DOM Transceiver Module ( https://www.fs.com/products/20184.html ) is working fine together with a 1Gbit FTTH provider, as long as the sp...

nescafe2002

Testing channel has multithreaded btest.

nescafe2002

Note that this is done automatically if you reset the device to CAPs mode - even if you don't have wireless interfaces or a CAPsMAN controller.

Keep holding the reset button for 5 more seconds, LED turns solid, release now to turn on CAPs mode (total 10 seconds).

nescafe2002

It has a level 6 license, so basically unlimited.

https://wiki.mikrotik.com/wiki/Manual:L ... nse_Levels

For featured packages, check the "Extra packages" link under TILE architecture in the MikroTik download page. Dude server is supported as well.

nescafe2002

viewtopic.php?t=134776

nescafe2002

At the end on Monday Im going to remove all my arm hardware it's too dificult for me and Too expensive but it's the solution. Bye Mikrotik see you in the hell... You made that promise earlier, why are you still here? https://forum.mikrotik.com/viewtopic.php?f=7&t=136002&p=693764#p693764 Five years ...

nescafe2002

API expects an attribute name and value. https://wiki.mikrotik.com/wiki/Manual:API#Attribute_word Attribute word structure consists of 5 parts in this order: encoded length content prefix equals sigh - = attribute name separating equals sign - = value of attribute if there is one. It is possible tha...

nescafe2002

You can ssh to demo.mt.lv and run export to fetch the running configuration.

nescafe2002

Switch to testing channel.

https://mikrotik.com/download/changelog ... lease-tree

What's new in 6.44beta14 (2018-Oct-01 12:01):

Changes in this release:

*) lte - added "cell-monitor" command for R11e-LTE international modem (CLI only);

nescafe2002

You're in the /interface ethernet poe context which means that only poe-capable interfaces are available. So there's exactly one item with number=0 available. Nevertheless you should fill the item number buffer by performing 'print' first, as these numbers are dynamically assigned, use [ find where ...

nescafe2002

To anyone experiencing connectivity issues on bridge interface after upgrade to 6.44beta50 like me: The RB is now sending out MNDP (udp/5678) packets with ip address of bridge and mac address of slave (physical port). (In 6.44beta40 and before the packets were sent with the bridges mac address as so...

nescafe2002

It's coming..

https://www.mikrotik.com/download/changelogs/testing

6.44beta39 changelog:

Changes in this release:

*) btest - added multithreading support for both UDP and TCP tests;

nescafe2002

No problem. Note that API is behaving exactly like CLI in these cases: To unset a comment, use: /interface ethernet set 0 comment="" The command contains a parameter (comment) with a value ("") To unset a bridge in ppp, use: /ppp profile set 0 !bridge The commands contains a parameter (!bridge) with...

nescafe2002

Print detail and google the vendor/device id to get more info. Looks like MT hasn't updated the PCI database yet: [admin@MikroTik] /system resource pci> print detail 0 device="00:05.0" name="unknown (rev: 1)" vendor="unknown" category="Generic system peripheral" vendor-id="0x1c36" device-id="0x0021"...

nescafe2002

Granted, this one isn't documented. But when in doubt, try to recreate console command first and convert that command with parameters to API words. This example was used to remove bridge1 from ppp profile: 0000004A 2f 70 70 70 2f 70 72 6f 66 69 6c 65 2f 73 65 74 /ppp/pro file/set 0000005A 07 3d 2e 6...

nescafe2002

=comment=<nothing> is the way to go, as documented: https://wiki.mikrotik.com/wiki/Manual:API#Attribute_word Atribute word structure consists of 5 parts in this order: encoded length content prefix equals sigh - = attribute name separating equals sign - = value of attribute if there is one. It is po...

nescafe2002

Just keep pressing button until some led starts blinking, then release.

You could also try connecting via mac address, check the neighbor tab in WinBox when connected to any lan port (ether2..ether10), click the mac address and connect.

nescafe2002

RB3011 w/fasttrack should reach 850Mbps easily, more or less depending on configuration.

RB3011 at 6.43.8 reaches 335 Mbps without fasttrack and 550Mbps with fasttrack (500Mbps capped connection) in a single TCP connection based browser test.

Are you perhaps using an IPv6 test server?

nescafe2002

This may be related (detect internet feature): viewtopic.php?f=13&t=142554

If not, please post your config for further analysis.

nescafe2002

Well, Windows can set the network to untrusted if it sees another router mac address.

Setting an administrative mac address on the bridge will prevent this from happening.

nescafe2002

So there's nothing in the log?

nescafe2002

Anything in the log after reboot? What's the factory software as listed in System > Resources?

nescafe2002

mynetname.net has no A or AAAA records defined, as your nslookup reveals.

Try [your_serial].sn.mynetname.net instead:

C:\>nslookup 000a09000195.sn.mynetname.net ns1.kissthenet.net
Server:  UnKnown
Address:  2a02:610:7501:1000::201

Name:    000a09000195.sn.mynetname.net
Address:  82.x.y.z

nescafe2002

RB2011 as a basic router can handle 890 Mbps of IPv4 TCP fasttracked traffic. Other configuration aspects can make it slower. Post config to be sure.

nescafe2002

Why do you need hotspot for your own laptop?

nescafe2002

Are you sure the sfp is configured full duplex on the other side? Then it seems a supported configuration. Have you contacted support?

nescafe2002

Have you disabled auto negotiation on both ends of the link?

https://wiki.mikrotik.com/wiki/MikroTik ... ansceivers

nescafe2002

You can only 'find' in print command using query words. https://wiki.mikrotik.com/wiki/Manual:API#Queries Alternative is to fetch (print) with criteria and move using acquired ID. Working (tested) example: mikrotik.Send("/ip/firewall/filter/print"); mikrotik.Send("=.proplist=.id"); mikrotik.Send("?c...

nescafe2002

/interface detect-internet set detect-interface-list=all This is the culprit. It will enable internet detection for slave interfaces and issue ARP requests with wrong source MAC address. Disable internet detect and it will work again. Response from support regarding this issue: The Detect-Internet ...

nescafe2002

You both should read vecernik87s post better. No need for serial cable. Unless MAC Winbox has been disabled and as long there is a link, you can always connect to the RB using WinBox and its Neighbors tab (click MAC address).

nescafe2002

Yes, but both RB2011 and RB260GSP have SFP ports, not SFP+

nescafe2002

You'll have to disable autonegotiation on both ends of the link for SFP to work correctly. https://wiki.mikrotik.com/wiki/MikroTik_SFP_module_compatibility_table#SFP.2B_interface_compatibility_settings_with_SFP_optical_transceivers If you cannot control the setting on the remote end, the scenario is...

nescafe2002

Same issue: viewtopic.php?t=142217

Create supout and send to support to get it fixed in upcoming releases.

nescafe2002

https://wiki.mikrotik.com/wiki/Manual:Configuration_Management#Description The configuration backup can be used for backing up MikroTik RouterOS configuration to a binary file, which can be stored on the router or downloaded from it using FTP for future use. The configuration restore can be used for...

nescafe2002

Can you show the profiler running while the device is processing traffic?

I am getting a lot of firewall usage, but that is because SFP is not used and I am testing non-tcp packets.

nescafe2002

The problem could be related to your configuration. Post here ( /export hide-sensitive ) to confirm.

nescafe2002

Have you enabled IGMP Snooping in bridge settings?

Look here for other reasons why HW offload is deactivated.

https://wiki.mikrotik.com/wiki/Manual:S ... Offloading

RB2011 has AR8327 chip. So MSTP, IGMP snooping, VLAN filtering and bonding will deactivate hw offload.

nescafe2002

Ran some tests on my RB3011. Bonding ether2 & ether3, run packet generator on other device, one (dstnat) rule: explorer_2018-12-05_17-33-02.png Max traffic ~970Mbps, cpu1 maxed out. Same scenario but with ether2 & ether7 bonded: explorer_2018-12-05_17-45-15.png Most Tx/Rx rates are incorrect, but RB...

nescafe2002

Click on the Name column header. The list has to be sorted on any other than the # (number) column.

nescafe2002

or by name:

/interface disable lan4

nescafe2002

Yes, just take a copy of https://github.com/danikf/tik4net/blob/master/tik4net.objects/Interface/Interface.cs and include the properties: [TikProperty("last-link-down-time")] public string LastLinkDownTime { get; set; } [TikProperty("last-link-up-time")] public string LastLinkUpTime { get; set; }

nescafe2002

As the new IP Cloud implementation enters the bugfix-only stage, the old IP cloud will be disabled. Are you disabling the old cloud services as soon as the new IP cloud service hits the long-term branch? What about users who will wait for the next long-term version? Or have to wait for a maintenanc...

nescafe2002

API does not support query in set operation.

Normally you'd have to split your commands (print with query word to get id, then remove by id).

You can however use the primary name of an object as identifier:

/ip/hotspot/user/remove=.id=user1

nescafe2002

Based on: https://forum.mikrotik.com/download/file.php?id=34558 There are 5 connections from DNS servers to 192.168.190.10 via sstp-Amir. These could be DNS replies to requests received from sstp-Amir. Torch with Protocol and Port enabled to be sure. As the router processes packages from and to inte...

nescafe2002

Does the first packet counter (34) increment if you ping 192.168.100.124? And the second packet counter (12)?

nescafe2002

Your problem description: The issue is that when I refresh the ROS to 6.42.10 or 6.43 there will be an association with all DNS IP addresses from each interface with no ruin like sstp or l2dp or Ethernet , despite the fact that I have a standard in course that says the passage for dns is the thing t...

nescafe2002

The new cloud (in 6.43 and above) works fine, but be warned : this is the worst moment to update as you cannot disable the ddns cloud service properly before upgrade. https://mikrotik.com/download/changelogs/stable-release-tree What's new in 6.43 (2018-Sep-06 12:44): MAJOR CHANGES IN v6.43: --------...

nescafe2002

First add the following routes to routers A1 and A2: On router A1: /ip route add dst-address=10.3.0.0/16 gateway=[LAN address of router A2] On router A2: /ip route add dst-address=10.1.0.0/16 gateway=[LAN address of router A1] After this, you should be able to ping site B from router A2 and site C f...

nescafe2002

You may even better block the sites based on dns, e.g. to block all dns lookups ending on windowsupdate.microsoft.com (including windowsupdate.microsoft.com): /ip dns static add address=127.0.0.1 regexp="windowsupdate\\.microsoft\\.com\$" (I have requested to allow address=0.0.0.0 in static dns to b...

nescafe2002

So there are two problems: Unknown/unwanted dynamic DNS servers appear in IP > DNS configuration PPP clients get assigned these unknown/unwanted dynamic servers If you can solve problem 1, problem 2 will be solved as well: Check all ppp and dhcp clients for use-peer-dns setting. Note that in ovpn-cl...

nescafe2002

hEX S is MMIPS architecture, so you should download this file: https://download.mikrotik.com/routeros/ ... 6.43.4.zip

nescafe2002

I have added your content filters to my RB4011 and this is the result: explorer_2018-11-29_09-39-17.png explorer_2018-11-29_09-38-46.png In comparison, same speedtest with disabled mangle rules (without fasttrack): explorer_2018-11-29_09-41-28.png explorer_2018-11-29_09-47-12.png You should really l...

nescafe2002

Make sure the architecture matches (which model?)
Make sure the version matches
Check the log after reboot for information regarding package installation

nescafe2002

It depends on the actual mangle rule set. Post your rules. Perhaps some optimization can be applied and not all packets have to be inspected. Personally I'd get rid of the content filters and apply queueing to distribute bandwith, but it depends on whether your provider has a montly maximum upload/d...

nescafe2002

The problem is that when I update the ROS to 6.42.10 or 6.43 there will be a TX traffic to all DNS IP addresses from every interface with no mangle like sstp or l2dp or Ethernet , although I have a rule in route that says the gateway for dns is what interface. Still not clear what the actual proble...

nescafe2002

@MirhosseiniAmir could you please create a new topic for your question?

This problem is not related to this specific release (6.42.10).

Please do not post screenshots but state your issue as clear as possible, with examples, and with a configuration export ( Terminal > /export hide-sensitive ).

nescafe2002

Current 750Gr3 has a temporary file system. If you want to keep your files, store them in /flash:

explorer_2018-11-27_16-52-39.png

Search found 654 matches