MikroTik

nescafe2002

Hello,

This is a known issue. You can set the endpoint (IPv6 address with port) via terminal:

/interface/wireguard/peers
print
set 0 endpoint="[2001:0db8:85a3::8a2e:0370:7334]:12321"

nescafe2002

Thx.. It's mistake for typing, but I really can't download update. Are you sure download.mikrotik.com resolves to one of the following ip addresses? ~$ openssl s_client -connect [2a02:610:7501:1000::196]:443 | openssl x509 -noout -text | grep DNS: DNS:*.mikrotik.com, DNS:mikrotik.com ~$ openssl s_c...

nescafe2002

Try enabling logging for the invalid rule. I've had some problems with lan-to-lan connections which were flagged invalid.

nescafe2002

Enabling IP Cloud will not automatically allow access to the device. It is just a free ddns service provided by MikroTik along with time sync and a backup slot.

You can find the exact specifications in the wiki, https://wiki.mikrotik.com/wiki/Manual:IP/Cloud

nescafe2002

https://wiki.mikrotik.com/wiki/Manual:IP/Cloud#Advanced use-local-address (yes | no; Default: no) By default, the DNS name will be assigned to the detected public address (from the UDP packet header). If you wish to send your "local" or "internal" IP address, then set this to yes If your router is b...

nescafe2002

https://forum.mikrotik.com/viewtopic.php?t=136036#p670044 Found the answer. The option "ip cloud" is not supported on x86 due to the inability to verify hardware reliably. https://forum.mikrotik.com/viewtopic.php?p=430762#p430762 The DNS is assigned to valid serial numbers, for X86, we have no way o...

nescafe2002

No somehow the dialect is bound to the connection context. Can't you use ssh to export your configuration as it's just a single command?

nescafe2002

Forum related issues can be reported to support (via help.mikrotik.com or e-mail) but I doubt the admins will disable IPv6 to resolve your specific issue (and causing outage for all IPv6-only users).

nescafe2002

Actually setting dns ttl equal to lease time doesn't make any sense and only leads to unexpected behavior especially for longer lease times..

nescafe2002

Users are excluded from full export. You can export them individually:

/user export file=users.rsc

I suspect this is to prevent accidental creation of passwordless users when importing a full export.

nescafe2002

Afaik OpenDNS has configurable options, so better check that out. Pihole is targeted towards ads but maybe you can find porn based block lists.

nescafe2002

By not enabling local forwarding, the traffic will be forwarded to the CAPsMAN manager, effectively creating a new data path and separating the traffic from your home network.

nescafe2002

The easiest way is to use capsman forwarding mode, by defining the bridge in capsman datapath configuration and not enabling local forwarding traffic for the new ssid will be sent to the bridge without vlans.

nescafe2002

Yes, then separate subnets, add ip, bridge, dhcp server, dhcp network, ip pool, capsman configuration for guest network, update provisioning rule with new guest network and check your firewall rules. You could reverse logic: set static entries with own dns for known devices and set opendns in dhcp n...

nescafe2002

Wow.. if your intention was never to separate your networks, but (quoted from opening post) "to point specific clients" to another dns server: /ip dhcp-server option add code=6 name="opendns" value="'208.67.222.222''208.67.220.220'" /ip dhcp-server lease add address=172.32.100.65 dhcp-option="opendn...

nescafe2002

Can't add key in wireguard via cli with "=" at the end. But can add it later via edit and can add it via gui. Put the key value between quotes, you may find the correct syntax using the export command. [admin@MikroTik] /interface/wireguard> add private-key="EMjwk8mpDylWKGU0c/z9TR1e5u1D75OUz2jsv3lZu...

nescafe2002

Dear @nescafe2002, unfortunately, I cannot access the DNS server via script. My provider does not allow automatic interaction. You can point a CNAME to a self hosted ACME dns server. This works quite well for me for several projects. e.g. To set up an ACME server on auth.domain.com: auth.domain.com...

nescafe2002

I usually switch to dns-01 challenge if the machine is not reachable (either directly or via reverse proxy). Is this an option?

nescafe2002

... or quick set (after checking "Bridge All LAN Ports"):

2020-08-17_18-58-59.png

nescafe2002

Actually 192.168.88.1 on (slave interface) ether2 is a default configuration (or quick set) thingy. And; I think we're here to share & learn, not to call BS on each other.

nescafe2002

Yes, issue is submitted to support but i encourage everyone (in general) to contact support.. before checking out other devices or brands. Mikrotik is working really hard for all customers so best you can do is "help them to help you", provide as much information as possible and give them time to in...

nescafe2002

Give them a few business days to respond. Update manually if you need to switch between branches.

nescafe2002

Looks like a problem in the local resolver. Only the A record is requested. [admin@MikroTik] > /system package update check-for-updates channel: stable installed-version: 6.47.1 status: ERROR: no internet connection [admin@MikroTik] > /log print 08:06:29 dns local query: #21 upgrade.mikrotik.com. A ...

nescafe2002

Ether2 is the first port in the bridge. As soon as you remove that port, ROS assignes a new mac address (hw addr of ether3). Nothing to worry about, just reconnect and it will work. Or set an administrative mac to avoid this kind of flopping.

nescafe2002

And remember to change the interface of your dhcp client or pppoe client from ether1 to ether2.

Before and after modifications, export your config to check for any "ether1" leftovers using text search.

nescafe2002

It's described in the documentation: https://wiki.mikrotik.com/wiki/Manual:RouterBOARD_settings#Mode_and_Reset_buttons Reset button additional functionality is supported by all MikroTik devices running RouterOS Some RouterBOARD devices have a mode button that allows you to run any script when the bu...

nescafe2002

It's in the documentation: https://wiki.mikrotik.com/wiki/Manual:IP/DNS#Static_DNS_Entries It is also possible to forward specific DNS requests to a different server using FWD type. This will fordward all subdomains of "example.com" to server 10.0.0.1: [admin@MikroTik] ip dns static> add regexp=".*\...

nescafe2002

Winbox has an update function in the connect dialog ("loader screen").

Tools > Check for updates

nescafe2002

Why don't you just dynamically update the upstream dns servers?

nescafe2002

Just select a session file in connect dialog (Advanced view) and you're good. You can sync this file with other computers via OneDrive, Dropbox, etc.

nescafe2002

Auto-completion is also called HotLock mode.

https://wiki.mikrotik.com/wiki/Manual:C ... tLock_Mode

This mode is available in Winbox, ssh and webfig and frequently accidentally activated using the hotkey ctrl-v.

They should've really chosen another hotkey, or just remove the feature completely.

nescafe2002

This is based on default configuration (manually applied via /system default-configuration print) and speedtest.net.

explorer_2020-07-26_13-14-42.png

nescafe2002

Router should perform better - is the device up to date and are you running a recent default configuration?

You may post output of terminal command /export hide-sensitive here.

nescafe2002

Also try disabling internet detection:

/interface detect-internet
set detect-interface-list=none

nescafe2002

It says it needs 23W constant and it could take up to 44W.

The RB4011iGS+5HacQ2HnD-IN without attachments consumes max 23 W.
So if you don't supply power to PoE equipment on ether10, 23 W is max usage, not constant.

(Another example of attachment is USB equipment but the device has no USB port)

nescafe2002

Try removing the invalid bridge port member "ether2 Office Net" (in fact they are all invalid since there is no bridge, but the others are disabled): /interface bridge port add comment=defconf interface="ether2 Office Net" add comment=defconf disabled=yes interface=sfp1 add disabled=yes interface="e...

nescafe2002

https://wiki.mikrotik.com/wiki/Manual:Netinstall Configure script (yes | no; Default: no) If set, then Netinstall will apply a custom configuration script after installing RouterOS. The file must be in .rsc file format and must be produced by the export command. The configuration script will replace...

nescafe2002

i don't know how to send info to check this issue, logs on WinBox don't show any error, after reboot DNS has back work..

When DNS is unresponsive again, before rebooting: add logging topic dns, perform name lookup from client, generate supout.rif, download supout.rif and send it to support.

nescafe2002

Sob, If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

Edit: Issue has been reported to support (SUP-22228)

nescafe2002

hsd75, could you generate supout.rif of the device with sfp attached, preferably in both states (6.46.6/working vs 6.47/not working) and send them to support via mail or help.mikrotik.com?

nescafe2002

DNS entries are processed sequentially, just move the regex entry to the bottom (order by # column) and it will be checked last.

Sorry, regex seems to evaluated before static entries, which is indeed not to be expected.

nescafe2002

Note that with the new static DNS record types you can forward both forward and reverse lookups: E.g. server 192.168.100.1 is authoritative server for domain.lan and subnet 192.168.100.0/24: /ip dns static # For domain.lan add forward-to=192.168.100.1 name="domain.lan" type=FWD # For *.domain.lan ad...

nescafe2002

on 6.47 system - auto-upgrade still problem since 6.46 please fix it. i've report this many times. If you haven't submitted this issue to MT support via mail or help.mikrotik.com, it will never be fixed. Forum post != bug report. Also, multiple forum posts != bug report. Posting this repeatedly is ...

nescafe2002

Better take a look at tik4net => https://github.com/danikf/tik4net

The author is present on the forum => viewtopic.php?t=99954

nescafe2002

Hello, the information seems incomplete. You'll need to get the IPv4 subnet associated to the 6RD server. Then calculate the IPv6 prefix using https://alephs.org/6rdcalc.html. Enter number (32-mask) in "using ... bits" field. Add 6rd interface /interface 6to4 add !keepalive name=6rd remote-address=1...

nescafe2002

You could contact MikroTik support and send a supout file

nescafe2002

No, but you could use a certificate with a subject alternative name or a wildcard certificate.

nescafe2002

It is possible, route the remote subnet to your local lan, It sounds counter intuitive, but the route won't be used for routing anyway. It's to make sure the router picks a source lan ip which is part of the ipsec policy (local subnet).

nescafe2002

https://wiki.mikrotik.com/wiki/Manual:S ... ter_values

But for most entries with a identifier, you can use the name instead:

/ip dhcp-server disable default
/ip dhcp-server enable default

nescafe2002

"I cannot login via api after upgrade" Or: "I cannot login via api after upgrading from [version] to this v6.45.8. I am using [api implementation] in [language] documented here [url]. The code I am using is: [short login code fragment] I am getting the following result: [result from Mikrotik] or the...

nescafe2002

User is probably referring to the incomplete breadcumb in the page header.

Not a button, but a link to the current forum section is missing and maybe a link to the current topic as well.

nescafe2002

You may not be suprised if MT decides to ban you for that :) The minimum update interval, no scripting required, is 60 seconds: https://wiki.mikrotik.com/wiki/Manual:IP/Cloud#Properties ddns-update-interval (time, minimum 60 seconds; Default: none) If set DDNS will attempt to connect IP Cloud server...

nescafe2002

With one word of caution: You should never automate an import process from an untrusted source. It will make your router vulnerable to whatever the url is returning. Even when the scripts seems legit in browser, the author could inject malware based on user agent = Mikrotik/6.x Fetch. Therefore: If ...

nescafe2002

IP Cloud will update properly if your device has public IP. If MT is behind another router, you can force a periodic update using ddns-update-interval. No scripting required. /ip cloud set ddns-enabled=yes ddns-update-interval=10m Also, no scripting required for dstnat entries. Assuming you currentl...

nescafe2002

The find command can return multiple items. Have you tried specifying the search to limit the number of results? :put [ /ipv6 address get [ find interface=bridge-lan ] address ] invalid internal item number :put [ /ipv6 address get [ find interface=bridge-lan !link-local ] address ] 2a02::xx:xx:xxxx...

nescafe2002

That function works fine here. Have you tried running it in a Console Application?

I ran the example using LINQPad: https://www.linqpad.net/

Script: http://share.linqpad.net/6i2986.linq

nescafe2002

Not sure about sctp, but remember that there are multiple chains in the firewall (prerouting/postrouting and input/output/forward). This example sniffs ssh connections, both packets to the server (dst-port=22) and back to client (src-port=22). /ip firewall mangle add action=sniff-tzsp chain=prerouti...

nescafe2002

For a more permanent sniffing solution, you might take a look at firewall mangle, action sniff-tzsp:

https://wiki.mikrotik.com/wiki/Manual:I ... all/Mangle

nescafe2002

Search for multiple dhcp client => viewtopic.php?t=60453

nescafe2002

viewtopic.php?t=153321

nescafe2002

Get a cable and connect the other end to the wAP ac.

It's on the side:

<== POE + DATA
DATA ==>

nescafe2002

You can set a src-address (or src-address-list) in the forward rule:

/ip firewall address-list
add address=1.1.1.1 list=trusted
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-type=local dst-port=443 protocol=tcp src-address-list=trusted to-addresses=192.168.88.100

nescafe2002

You might want to create supout.rif of the device, running full bandwidth test and send it to support. Your device should be able to handle at least 3x those numbers with this config. (One supout with bridge ports ether6-10 enabled, one with bridge ports ether6-10 disabled). I suspect some sort of s...

nescafe2002

What's the link rate? It's in the interface property window, tab Status. Could you try disabling bridge ports 6 through 10? Disabling the LCD? Also, you're announcing a lot of dns servers in your dhcp network. You might want to limit the selection to just your routers address (192.168.2.1); the rout...

nescafe2002

I've set up my RB2011 according to your configuration. explorer_2019-11-24_11-10-03.png There is room for improvement, but 500Mbps is no problem. Maybe you should check cabling. What rate are the ethernet links? I´ve printed default config but i don´t see these two rules. The default config is longe...

nescafe2002

Whats the version of RouterOS? Why are you blocking output chain? You're e.g. blocking router originating DNS requests now. Also you may want to exclude ipsec from fasttracking, from default config: /ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in...

nescafe2002

There are generally two ways to performs operations via Tik4Net. Method 1. Use low level API using (var conn = ConnectionFactory.OpenConnection(TikConnectionType.Api_v2, "192.168.88.1", 8728, "admin", "")) { var command = conn.CreateCommand("/interface/pppoe-server/print"); command.AddParameter(".pr...

nescafe2002

Yes, you have found the right operation. Note that you shouldn't OR after the first entry because #| ORs the two preceding entries (in other words you'll have to follow the Reverse Polish notation (RPN)). Example in C# tik4net: explorer_2019-11-23_09-33-34.png Conversation: ./login =name=admin =pass...

nescafe2002

I usually look at the middle table (512 bytes) with 25 filter rules to compare synthetic tests to real world applications in default config but without fasttrack (e.g. IPv6). Great..! Please take a look at the test results for 25 filter rules and 512 Byte packets. Can you please tell me the speed ?...

nescafe2002

They are technically not comparable. Product page test results are synthetic tests (using packet generator), fasttrack page test result is based on a single stream TCP test. TCP packet sizes are not fixed. I usually look at the middle table (512 bytes) with 25 filter rules to compare synthetic tests...

nescafe2002

Ok @nescafe2002, you can then let Mikrotik know that the test results are wrong! :lol: https://mikrotik.com/product/RB2011UiAS-2HnD-IN#fndtn-testresults They are not wrong, these are just synthetical tests with certain preconditions. Fasttrack follows (semi-) fastpath for most of (*) the establishe...

nescafe2002

No need to disable firewall.

Fasttrack bypasses firewall filtering for established connections and is enabled in default config.

And there are no queues in default config.

TS is free to post config for further examination.

nescafe2002

Just stick with RB2011 and enable fasttrack. 800 Mbps is achievable in default configuration. https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack#FastTrack_on_RB2011 hAP ac2 is a good alternative with wireless. Don't invest in a RB3011. They are really fine devices but if you want a dedicated router,...

nescafe2002

You better download CHR and run it in a virtual environment:

https://wiki.mikrotik.com/wiki/Manual:CHR#60-day_trial

nescafe2002

API supports query words to filter. ~ is not a valid query operator. But if listName is exact, you can use the following code: mikrotik.Send("/ip/firewall/address-list/print"); mikrotik.Send("?list=listName", true); foreach (string h in mikrotik.Read()) { Console.WriteLine(h); } https://wiki.mikroti...

nescafe2002

Try this:

		Send("/login")
		Send("=name=" + user)
		Send("=password=" + pass, True)

(Alternatively, use the tik4net package: viewtopic.php?f=9&t=99954)

nescafe2002

You can (should) use place-before with .id value in API: /ip/firewall/filter/print =.proplist=.id !re.=.id=*37 !re.=.id=*1 !re.=.id=*2 !done /ip/firewall/filter/add =chain=input =dst-address=192.168.1.1 =protocol=tcp =dst-port=81 =comment=TESTING PLACE BEFORE =place-before=*37 !done =ret=*38 /quit

nescafe2002

https://i.mt.lv/cdn/rb_files/1568200626 ... -%20qg.pdf

To connect this device to a wireless network managed by CAPsMAN, keep holding the button for 5 more
seconds, LED turns solid green, release now to turn on CAPs mode (total 10 seconds).

nescafe2002

Have you disabled fasttrack for ipsec? Could you share your configuration (/export hide-sensitive)?

nescafe2002

2. Set your radio provisioning rule to create enabled instead of create dynamic enabled.

https://wiki.mikrotik.com/wiki/Manual:C ... ovisioning

nescafe2002

No, process name can only be evaluated on the client computer, not on the mikrotik router.

You can script the firewall rule creation using netsh, powershell or group policy (domain joined pcs).

nescafe2002

https://wiki.mikrotik.com/wiki/Manual:I ... pdate_time

Disable time zone autodetect

nescafe2002

Use CIDR notation, e.g. src-address=83.240.61.0/24 or src-address=83.240.0.0/16.

nescafe2002

There are related topics on the issue:

viewtopic.php?t=115316 (no solution)
viewtopic.php?t=63096 (no solution)

Have you tried rebooting the device? Are there active tasks under System > Scripts > Jobs?

nescafe2002

Create supout.rif and send to support@mikrotik.com. It's the one and only way to get (quick) support for your specific situation.

nescafe2002

PPP profile works for servers and clients. /ppp profile add name=profile1 on-down="/log info \"Client disconnected\"" on-up="/log info \"Client connected\"" /interface pppoe-client add name=pppoe-out1 profile=profile1 user=test Result: 12:05:10 pppoe,ppp,info pppoe-out1: authenticated 12:05:10 pppoe...

nescafe2002

$ wget https://download.mikrotik.com/routeros/6.45.3/routeros-mipsbe-6.45.3.npk Connecting to download.mikrotik.com (download.mikrotik.com)|2a02:610:7501:4000::226|:443... connected. routeros-mipsbe-6.4 100%[===================>] 11.54M 5.56MB/s in 2.1s IPv4: $ wget -4 https://download.mikrotik.com...

nescafe2002

You may want to use the built in profile feature to connect to any known network in the list. /interface wireless set [ find default-name=wlan1 ] default-authentication=no disabled=no ssid="" /interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=profile1 wpa2...

nescafe2002

Idea is that I cannot isolate WiFi devices from LAN devices and vice-versa. But in the same time I need to protect some LAN devices from being accessible by an unauthorized device that might plug into LAN using the exposed Ethernet cable used by external wAP. Consider ether3-5 trusted and ether2 un...

nescafe2002

Please take another look at the solution andriys proposed. You really don't want to disable network interfaces, because they will be disabled when you don't expect it (e.g. power outage, update, whatever) and require manualy intervention. Also, they are disabled after at most the chosen interval, so...

nescafe2002

For external DNS server: /ip firewall layer7-protocol add name=aaa.com regexp="\\x03aaa\\x03com" /ip firewall filter add place-before=0 action=reject chain=forward dst-port=53 layer7-protocol=aaa.com protocol=udp reject-with=icmp-network-unreachable Will block aaa.com, www.aaa.com, subdomain.aaa.com...

nescafe2002

2)We already share the necessary files with mikrotik support

Then thanks, that is helpful.

[/offtopic]

nescafe2002

It's actually rather annoying to see release topics filled with non-release specific replies, more annoying if you're replying to the post above and are still quoting the whole thing. 1. I have requested a mod to remove our posts, which are all offtopic. 2. If you want to be helpful, please do not p...

nescafe2002

Posted by spacex — Fri Aug 02, 2019 12:25 am Not fix dude snmp v3 ? Posted by spacex — Sun Aug 04, 2019 2:32 pm Hello, The dude snmp v3 problem not fix ? No, since it is not mentioned in the change log - Please keep this forum topic strictly related to this particular RouterOS release. - no need to ...

nescafe2002

These changes have been tested in stable channel, right?

Edit: installed on RB4011, (regular) SFP is detected and working.

nescafe2002

Use TikConnectionType.Api_v2:

using (var conn = ConnectionFactory.OpenConnection(TikConnectionType.Api_v2, "192.168.88.1", "admin", ""))
{
  var cmd = conn.CreateCommand("/system/identity/print");
  var result = cmd.ExecuteSingleRow();
  Console.WriteLine(result.Words["name"]);
}

nescafe2002

JanezFord: Update your app to version 1.0.11 if you cannot connect to ROS >= 6.45:

1.0.11 Jul 23, 2019
- Login: Fixed connection issue for RouterOS 6.45

nescafe2002

Ether1 is standard WAN port and protected by firewall.

Connect your client to one of the LAN (ether2-10) ports and you can connect to ip or mac.

nescafe2002

Is there anything in the scheduler?

(we're just guessing here.. might as well post config /export hide-sensitive or send supout to support)

nescafe2002

Did you enable safe mode before creating the script?

nescafe2002

Add the policy with action=none and no peer:

/ip ipsec policy
add action=none dst-address=10.11.1.0/24 src-address=0.0.0.0/0

Peer is displayed as "unknown" in Winbox, but that's a cosmetic issue.

nescafe2002

No need to include asterisk for hostname. Add $ to mark end of word: /ip dns static add address=127.0.0.1 regexp="\\.example\\.com\$" @MT (if anyone is reading this), another example of why allowing static 0.0.0.0 and :: values as (intended) invalid dns entries would be a good idea (web site blockin...

nescafe2002

is to make it happen in fasstrack for the RB

Example of a https://en.wikipedia.org/wiki/XY_problem

Describe what you are trying to achieve, perhaps it can be done without creating address lists.

nescafe2002

Your [find] example doesn't work because the API does not support composite CLI statements. Fetch the list of ids and then remove one-by-one: using (var conn = tik4net.ConnectionFactory.OpenConnection(TikConnectionType.Api, "192.168.88.1", 8728, "admin", "")) { var list = conn.CreateCommandAndParame...

nescafe2002

The API returns a result which is not expected by ExecuteNonQuery. Try this instead, ExecuteSingleRows assumes parameters are query words by default so you'll have to supply parameterformat NameValue: Using connection As ITikConnection = ConnectionFactory.CreateConnection(TikConnectionType.Api) conn...

nescafe2002

Please send your findings to support@mikrotik.com with supout.rif of the device to get it fixed (asap).

nescafe2002

View source, there are two posts with these links.

Sat Jul 28, 2018 5:35 pm
viewtopic.php?f=23&t=137338#p676773

Mon Jul 30, 2018 11:36 pm
viewtopic.php?f=23&t=137338#p677134

I don't see a login dialog, only when i open the links manually.

nescafe2002

Common issue. Traffic to 192.168.2.0/24 will be routed to wan initially, therefore the router picks the ip address from the wan interface to initiate the connection. From there, the connection won't be picked up by ipsec policy. You can create a route to the remote subnet via the lan interface to fo...

nescafe2002

Why not just user=<user> and password=<pass>?

The basic authorization header is a base64 encoded string user:pass, e.g. from documentation:

$ base64 -d
QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Aladdin:open sesame

nescafe2002

http-header-field="Header1: Value1,Authorization: Basic dXNlcjpwYXNz"

But for basic authentication you can also use:

user=user password=pass

nescafe2002

viewtopic.php?f=21&t=145793&p=717744#p717744
viewtopic.php?t=129326
viewtopic.php?t=144359 (reported to support)

nescafe2002

Actually, this is not a BUG. The device simply cannot ping the address in the first few seconds after boot. Also, if a specific solution does not meet your requirement, it's not a BUG just not applicable to your case. There is built in watchdog functionality which has several delays built in to over...

nescafe2002

Click Advanced Mode

nescafe2002

If you want to automate configuration tasks, you'd better use the built in API functionality (or SSH at least).

https://wiki.mikrotik.com/wiki/Manual:API

nescafe2002

Have you completely shut down (disconnect power cable) the device at least once?

nescafe2002

You don't have to specify the predefined settings. Just fill To and Body and it works fine.

I wouldn't call the flexibility of customized server parameters per send action poor design, actually rather handy.

nescafe2002

Please create a supout file and send it to support. https://forum.mikrotik.com/viewtopic.php?f=21&t=146087&start=100#p726296 If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected...

nescafe2002

Since it's part of the ppp package, you can find the server configuration under ppp menu option in Winbox or Webfig.

nescafe2002

Please create a supout.rif as soon as you realize something is wrong and send it - with description of what you expected versus what happened instead - to support with supout.rif . This instruction is posted in every release note: If you experience version related issues, then please send supout fil...

nescafe2002

Generate supout.rif and then e-mail it to them. Include backup if you want. Support is offering to look at your case for free. Please supply anything you can to explain your case:

- what you are doing (apps, buttons, screen)
- what you are seeing
- what you expected to happen
- what happens instead

nescafe2002

S+AO0005 is supported, please generate supout.rif while device is malfunctioning and send to support with problem description.

nescafe2002

https://www.roc-noc.com/mikrotik/routerboard/rb750.html

RouterBOARD 750 with AR7240 CPU, 32MB RAM (?), 5 LAN ports, RouterOS L4, plastic case, power supply, in a retail box.

nescafe2002

[admin@MikroTik] /ip cloud> print ddns-enabled: yes ddns-update-interval: none update-time: yes public-address: 82.x.x.x dns-name: 757bxxxxxxxx.sn.mynetname.net status: updated It displays public address, but will return local address in actual lookup. C:\>nslookup 757bxxxxxxxx.sn.mynetname.net Non...

nescafe2002

It's documented and known behavior. https://wiki.mikrotik.com/wiki/Manual:System/Time#Clock_and_Time_zone_configuration Note: Time-zone-autodetect by default is enabled on new RouterOS installation and after configuration reset. The time zone is detected depending on routers public IP address and ou...

nescafe2002

Same what?

Please show exactly what command you are running, what you expected to see/happen and what happens instead.

Include terminal output or screen dump when applicable.

What happens when you run

:put [ /system identity get name ]

in console?

nescafe2002

:put [ /system routerboard get serial-number ]

Prints serial number when run in terminal.

https://wiki.mikrotik.com/wiki/Manual:S ... l_commands

Command: put
Syntax: :put <expression>
Description: put supplied argument to console

nescafe2002

viewtopic.php?f=2&t=139091&p=685725#p685742

Make a new user, then re-login. There are big security changes in last versions, rename is no longer possible.

nescafe2002

Did you get an auto-reply? If yes, just wait. If not, resend mail (perhaps using another mail service, e.g. Gmail works fine).

nescafe2002

Note that port 5060 could by opened on your providers modem/router. We are in an audit process and this port is reported as unsafe. For this reason I want to close. # feb/18/2019 15:07:29 by RouterOS 6.32.3 Better look for another auditor if they didn't mention anything about your ROS version. You s...

nescafe2002

If you reset the device to CAP mode, the admin mac is set automatically. You can verify this by checking the default configuration script: [admin@MikroTik] > /system default-configuration print caps-mode-script: #------------------------------------------------------------------------------- # Note:...

nescafe2002

You need to apply hairpin nat OR add a local static dns entry pointing to your internal server.

https://wiki.mikrotik.com/wiki/Hairpin_NAT

nescafe2002

And Hannah25 is not even a real person, just a spam bot copying this post ( viewtopic.php?t=137572&start=200#p686945 ) and coming back later to edit in some spam links.

nescafe2002

Have you enabled internet detect? Try disabling it. If not, post config ( /export hide-sensitive )

nescafe2002

Use another DAC. https://mikrotik.com/product/s_ao0005 5m SFP+ 10Gbps Active Optics direct attach cable. This is highly cost-effective way to connect two SFP/SFP+ devices for very short distances, within racks and across adjacent racks. It works with all our products with SFP/SFP+ ports, including n...

nescafe2002

https://wiki.mikrotik.com/wiki/Manual:CAPsMAN#Master_Configuration_Profiles datapath.client-to-client-forwarding (yes | no; Default: no ) controls if client-to-client forwarding between wireless clients connected to interface should be allowed, in local forwarding mode this function is performed by ...

nescafe2002

Im not sure why this question gets posted here 1:1, after it was already answered on reddit:

It is a spamming account. Posts get edited and filled with spam links after a while.

nescafe2002

There is very useful information on the wifi, have you tried that? https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP#Application_Examples Please share your config ( /export hide-sensitive ) if you are stuck. Which clients are connecting? (Multiple sstp tunnels and road warrior setups running fine...

nescafe2002

Have you tried disabling STP on bridge? And did you report this issue to support?

nescafe2002

http://poe-world.com/Calculator/

iexplore_2019-03-06_11-57-26.png

2019-03-06_11-58-44.png

PoE in input Voltage 18-28 V

Voltage is OK but you should consider buying a 1.2A adapter.

nescafe2002

Why don't you use the built in "add-arp" setting? https://forum.mikrotik.com/viewtopic.php?t=87889#p442251 If you enabled this option, and set the interface ARP setting to "reply-only", it will mean that only DHCP clients will be able to access your network, statically configured IP addresses will n...

nescafe2002

The S-RJ01 is compatible with the RB4011, but will not operate at rate 1000, 100 or 10.

https://wiki.mikrotik.com/wiki/MikroTik ... ble#S-RJ01

So.. not supported I guess?

2019-03-03_13-47-36.png

nescafe2002

Undo that change, because enabling the firewall helper service won't activate the actual service.

Enable logging for topic tftp and disable/enable tftp rule. Check the log. Is the server starting?

nescafe2002

The dhcp package is mandatory, as mentioned in change log, but you should be able to delete / disable any dhcp servers or clients.

What's new in 6.44 (2019-Feb-25 14:11):

Changes in this release:

*) upgrade - made security package depend on DHCP package

nescafe2002

You have to enable connection tracking if you want to enable firewall service ports.

Note that these are ip service helpers, usually for NAT, not the actual services.

So it doesn't make sense to enable these helpers if you aren't natting or filtering.

nescafe2002

You are considering buying a new device because it cannot saturate the connection using the built-in bandwith tester? Even though RB3011 can handle 1Gpbs NAT traffic easily? Keep in mind that the device has to actually generate the traffic and cannot use any of the hardware offload functions, theref...

nescafe2002

ROS 6.44. When exporting
Code: Select all
/ip neighbor discovery-settings
, inversion is not taken into account. Be careful!
ROS_6.44_neighbor.jpg

This is strictly spoken not a 6.44 issue, as the problem exists in 6.43 as well. You are welcome to report it, with supout.rif, to support.

nescafe2002

In that case, please do not say V7 but instead say: Some version we might release in the (probably distant) future

Really?

nescafe2002

Reset to default configuration & got a fresh ip :) RB4011 @ 1Gbps [admin@MikroTik] > /tool bandwidth-test 87.121.0.45 user=neterra password=neterra direction=both ;;; results can be limited by cpu, note that traffic generation/termination performance might not be representative of forwarding perform...

nescafe2002

I updated and my coffee machine started smoking.

nescafe2002

Works fine here: RB3011 @ 500Mbps [admin@MikroTik] > /tool bandwidth-test 87.121.0.45 user=neterra password=neterra direction=both status: running duration: 57s tx-current: 543.9Mbps tx-10-second-average: 543.6Mbps tx-total-average: 456.1Mbps rx-current: 543.6Mbps rx-10-second-average: 543.5Mbps rx-...

nescafe2002

See: https://wiki.mikrotik.com/wiki/Manual:I ... _and_ports

UDP/20561 is used for MAC winbox connection.

It uses broadcasts to be able to connect to RB on L2 (no IP address required).

By connecting to IP address instead you will eliminate these broadcasts.

nescafe2002

Screenshots 1 shows ipsec policy template, screenshot 2 shows ipsec policy (not a template).

nescafe2002

Try the new rc (switch to testing channel), it has better support for 1Gbit SFP:

https://mikrotik.com/download/changelog ... lease-tree

What's new in 6.44rc1 (2019-Feb-15 07:12):

*) rb4011 - improved SFP+ interface linking to 1Gbps;

nescafe2002

Switch to testing channel. 6.44beta/rc handles SFP much better on RB4011.

viewtopic.php?f=21&t=139057&p=709663#p709663

What's new in 6.44beta61 (2019-Jan-17 13:24):

Changes in this release:

*) rb4011 - improved SFP+ interface linking to 1Gbps;

nescafe2002

You are correct

nescafe2002

WinBox v3.18 doesn't connect to RB with empty password out-of-the box.

Just login via WebFig / SSH / telnet and set a password (may even be empty).

WinBox login w/o password seems to works fine..

nescafe2002

Newer default configuration make use of interface lists, the provided example will work fine on recent configs.

If you don't have interface lists, we can only guess. Post config ( /export hide-sensitive ) or adept example to your liking.

nescafe2002

Do a Torch on the interface and you will see which host/protocol/port causes the most traffic.

You can enable logging on the specific rule, to memory will be fine for a limited time period.

nescafe2002

Reporting on forum again won't help much.

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

nescafe2002

You need to accept established connections in forward chain, then you can remove all reverse logic rules again. Now, everyone can reach your private network as long as they're using source port 80,443/tcp or 53/udp. Take a look at the default firewall, which is a good entry point anyway. Make sure i...

nescafe2002

Duplicate topic: viewtopic.php?f=2&t=145145

nescafe2002

Please update your router first, following the steps in this document: https://blog.mikrotik.com/security/winbox-vulnerability.html Update, change pwd, check config. For your ssh problem, you may be blocking ssh connections in firewall. After update, export config ( /export hide-sensitive ) and past...

nescafe2002

Have you enabled fasttrack? I will probably bypass raw firewall, however doesn't explain why tcp is working. Please do no post screenshots, just export config ( /export hide-sensitive ) and paste in code blocks. Also.. TomjNorthIdaho mentioned more than a terabyte of traffic per month hosting public...

nescafe2002

Nice work! You can check out the configuration of TomjNorthIdaho posted here: https://forum.mikrotik.com/viewtopic.php?f=2&t=104266&p=690150#p690150 /ip firewall raw add action=accept chain=prerouting comment="testers accepted" src-address-list=tester add action=drop chain=prerouting comment="previo...

nescafe2002

You can setup an ipsec transport policy with protocol=47 and ensure gre traffic is secured using the firewall ipsec policy matcher:

https://wiki.mikrotik.com/wiki/Manual:I ... ed_traffic

Dynamic peer will disappear as soon as you unset ipsec secret in gre tunnel.

nescafe2002

Rtfm?

https://wiki.mikrotik.com/wiki/Manual:I ... ess_points

nescafe2002

Still 100% CPU-load on one of the cores in my RB3011. The router is working, but still this indicate something is wrong. Anyone else with the same problem? Any suggestions on how to fix?

Yes, send supout.rif to support@mikrotik.com.

nescafe2002

Routing mark is not main, but empty (missing) for default route. https://wiki.mikrotik.com/wiki/Manual:API#Queries ?name pushes 'true' if item has value of property name, 'false' if it does not. ?-name pushes 'true' if item does not have value of property name, 'false' otherwise. You might try somet...

nescafe2002

The reason you're getting "no such command" is because "ip/dhcp-server/lease/set" is not a valid command. You're missing the leading "/" => "/ip/dhcp-server/lease/set" is valid :) Also, you cannot use [ find ] syntax in API. Print with filter to get id, then update by id. mk.Send("/ip/dhcp-server/le...

nescafe2002

Since I've spent some time restoring VPN functionality.. here are my 6.44beta61 IKEv2 settings for iOS, macOS and Windows clients. Windows only seems to work with identity my-id=auto and remote-id=auto. Afaik you cannot add a secondary peer for Windows default ipsec settings, so you should alter the...

nescafe2002

Replace screenshots with configuration export (/export hide-sensitive).

Enable ipsec logging (/system logging add topics=ipsec,!packet) and check/post the results (/log print or log window).

nescafe2002

when you try to access IP Socks router stuck at 100% cpu, How do you "access IP Socks"? Are you trying to use the IP socks service as a client? Are you opening the IP > Socks > Access window in WinBox? Are you printing the entries in Terminal? The most simple command to remove all entries is, in CL...

nescafe2002

Default firewall accepts untracked connections. Are you using default firewall? Are you pinging from/to routers or hosts? If routers, add route to remote subnet via local interface to ensure router picks correct source address.

nescafe2002

Kudos for the developers

nescafe2002

You can switch to testing channel to utilize multithreaded btest.

https://mikrotik.com/download/changelog ... lease-tree

What's new in 6.44beta39 (2018-Nov-27 12:14):

*) btest - added multithreading support for both UDP and TCP tests;

nescafe2002

For what it's worth, I experienced same outage, yesterday at 16:05 GMT. I thought it was a problem with my provider, since resolving via 8.8.8.8 worked. Problem was solved at 16:15 GMT. Issue re-appeared shortly thereafter. C:\Users\Admin>nslookup 968a09baxxxx.sn.mynetname.net 82.197.196.182 Server:...

nescafe2002

The Quick Guide contains the steps to follow to reset the device. If this is not working, please describe what model and what steps you are executing. If you have disabled a single ethernet interface on a multiple interface device, you may connect your computer to another ethernet port and discover ...

nescafe2002

Could you try applying pressure on the heat sink? This has been the issue with me and another user.

viewtopic.php?f=7&t=138928

nescafe2002

There's another discussion on the topic: viewtopic.php?t=36035

I don't understand why, but the behavior is reported, confirmed by MT and there is an acceptable workaround (use bridge filer).

Perhaps some documentation on this specific limitation would be nice.

nescafe2002

DHCP is over UDP, and CAN be firewalled and NEEDS to be allowed or it won't work... See https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol for protocol details Again, dhcp client cannot be firewalled using ip firewall. 2019-01-22_21-14-15.gif Only bridge firewall. 2019-01-22_21-18-51...

nescafe2002

IP firewall does not affect dhcp client.

See also: viewtopic.php?t=140569

nescafe2002

Have you tried the last beta?

https://mikrotik.com/download/changelog ... lease-tree

What's new in 6.44beta50 (2018-Dec-17 13:01):

*) capsman - always accept connections from loopback address;

nescafe2002

Explain the exact steps you are doing. I have done this procedure several times with success. Just make sure the configuration you are moving is fitting the new hardware model (by making adjustments), the required packages are installed and the version matches.

nescafe2002

It does work, but fails at line 24, probably due to a different set of interfaces or features between devices.

You better open the rsc file in a text editor, select the lines by hand and paste them in the terminal.

nescafe2002

Here they are, using: $ ssh admin@demo.mt.lv "/export" > demo.mt.lv.rsc

nescafe2002

This command is available since 6.44beta14. Switch to testing channel and upgrade if you want to use it now, or wait until 6.44 is considered stable. https://mikrotik.com/download/changelogs/testing-release-tree What's new in 6.44beta14 (2018-Oct-01 12:01): Changes in this release: *) lte - added "c...

nescafe2002

What's new in 6.44beta61 (2019-Jan-17 13:24): *) rb4011 - improved SFP+ interface linking to 1Gbps; I can confirm FS 1000BASE-BX BiDi SFP 1310nm-TX/1490nm-RX 20km DOM Transceiver Module ( https://www.fs.com/products/20184.html ) is working fine together with a 1Gbit FTTH provider, as long as the sp...

nescafe2002

Testing channel has multithreaded btest.

nescafe2002

Note that this is done automatically if you reset the device to CAPs mode - even if you don't have wireless interfaces or a CAPsMAN controller.

Keep holding the reset button for 5 more seconds, LED turns solid, release now to turn on CAPs mode (total 10 seconds).

nescafe2002

It has a level 6 license, so basically unlimited.

https://wiki.mikrotik.com/wiki/Manual:L ... nse_Levels

For featured packages, check the "Extra packages" link under TILE architecture in the MikroTik download page. Dude server is supported as well.

nescafe2002

viewtopic.php?t=134776

nescafe2002

At the end on Monday Im going to remove all my arm hardware it's too dificult for me and Too expensive but it's the solution. Bye Mikrotik see you in the hell... You made that promise earlier, why are you still here? https://forum.mikrotik.com/viewtopic.php?f=7&t=136002&p=693764#p693764 Five years ...

nescafe2002

API expects an attribute name and value. https://wiki.mikrotik.com/wiki/Manual:API#Attribute_word Attribute word structure consists of 5 parts in this order: encoded length content prefix equals sigh - = attribute name separating equals sign - = value of attribute if there is one. It is possible tha...

nescafe2002

You can ssh to demo.mt.lv and run export to fetch the running configuration.

nescafe2002

Switch to testing channel.

https://mikrotik.com/download/changelog ... lease-tree

What's new in 6.44beta14 (2018-Oct-01 12:01):

Changes in this release:

*) lte - added "cell-monitor" command for R11e-LTE international modem (CLI only);

nescafe2002

You're in the /interface ethernet poe context which means that only poe-capable interfaces are available. So there's exactly one item with number=0 available. Nevertheless you should fill the item number buffer by performing 'print' first, as these numbers are dynamically assigned, use [ find where ...

nescafe2002

To anyone experiencing connectivity issues on bridge interface after upgrade to 6.44beta50 like me: The RB is now sending out MNDP (udp/5678) packets with ip address of bridge and mac address of slave (physical port). (In 6.44beta40 and before the packets were sent with the bridges mac address as so...

nescafe2002

It's coming..

https://www.mikrotik.com/download/changelogs/testing

6.44beta39 changelog:

Changes in this release:

*) btest - added multithreading support for both UDP and TCP tests;

nescafe2002

No problem. Note that API is behaving exactly like CLI in these cases: To unset a comment, use: /interface ethernet set 0 comment="" The command contains a parameter (comment) with a value ("") To unset a bridge in ppp, use: /ppp profile set 0 !bridge The commands contains a parameter (!bridge) with...

nescafe2002

Print detail and google the vendor/device id to get more info. Looks like MT hasn't updated the PCI database yet: [admin@MikroTik] /system resource pci> print detail 0 device="00:05.0" name="unknown (rev: 1)" vendor="unknown" category="Generic system peripheral" vendor-id="0x1c36" device-id="0x0021"...

Search found 697 matches