Community discussions


by Larsa
Tue Feb 12, 2019 9:07 pm
Forum: Useful user articles
Topic: Using Splunk to analyse MikroTik logs 2.7 (Graphing everything) Topic is solved
Replies: 222
Views: 67351

Re: Using Splunk to analyse MikroTik logs 2.6 (Graphing everything) Topic is solved

Not sure if I could help with this. But when you have a lot of data, it's sometimes better to do summary indexes that are based on, for example, 1 hour reports. Then you get less data to search through. I do recommend that you start a thread about your problem over here: https://answers.splunk.com/index...
by Larsa
Mon Feb 11, 2019 12:35 pm
Forum: General
Topic: SXT LTE Kit (R11e-LTE) - to lock on 3G 900Mhz
Replies: 8
Views: 1135

Re: SXT LTE Kit (R11e-LTE) - to lock on 3G 900Mhz

We operate LTE as backup in some rural areas and always force the CPE to utilize 800/900 MHz since the higher frequency bands are much too sensitive to trees, rain and snow at longer distances and when you don't have LIS.
by Larsa
Mon Feb 11, 2019 12:04 pm
Forum: Useful user articles
Topic: Using Splunk to analyse MikroTik logs 2.7 (Graphing everything) Topic is solved
Replies: 222
Views: 67351

Re: Using Splunk to analyse MikroTik logs 2.6 (Graphing everything) Topic is solved

Since I'm not a Splunk expert I wonder if anyone has some bright ideas how to optimize Splunk / MongoDB? We have about 15.5 million entries and the reports are getting really slow to produce. In a regular SQL database you can run a "Query Execution Plan" and then add indexes to columns that performs...
by Larsa
Sat Jan 19, 2019 10:33 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1076

Re: Firewall: dynamic ip lookup instead of static address list?

According to firehol, Linux ipsets are affected only by the number of different subnets. I suppose this also applies to RoS since it utilizes iptables, right?? "If you are going to use this IP list as a blocklist / blacklist at a firewall, its size can be important for the performance of the firewa...
by Larsa
Fri Jan 18, 2019 8:35 pm
Forum: Wireless Networking
Topic: LTE modems - Compatibility list?
Replies: 4
Views: 598

Re: LTE modems - Compatibility list?

Not sure how many operators will actually upgrade to Cat-12. 5G r15 will be released in April and initial tests start sometime this summer nearby where I live.
by Larsa
Tue Jan 15, 2019 3:59 pm
Forum: RouterOS v7
Topic: v7 routeros
Replies: 12
Views: 2854

Re: v7 routeros

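Sorry, this forum is in English. RouterOS v7 is under development. It is a good idea to try to work around the current limitations of the x86 version with CHR.

I didn't even know you could speak fluent Korean. You are a truly versatile artist! :-D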
by Larsa
Mon Jan 14, 2019 11:55 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1076

Re: Firewall: dynamic ip lookup instead of static address list?

Thanks for the info and walk of shame for me :oops: If one cares to read carefully, it's actually stated in clear text regarding firehol_level1

"To accomplish this, we include the following IP lists:
. . .
spamhaus drop and edrop - Don't Route Or Peer IPs
. . .

"
by Larsa
Mon Jan 14, 2019 11:24 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1076

Re: Firewall: dynamic ip lookup instead of static address list?

Yeah, hope they plan to do something about it or create a more manageable/flexible solution in the future. How many lines (give or take) is the end result? I'm wondering since I'm interested to use the Spamhaus drop/edrop "real-time" lists. Will the total aggregate work on a CCR do you think? My CC...
by Larsa
Mon Jan 14, 2019 11:11 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1076

Re: Firewall: dynamic ip lookup instead of static address list?

Absolutely brilliant, altering the block-rules is of course the fastest and most secure way to do it! :idea: Why didn't I think about it myself! :lol: Now I only need to perform some tests to figure out the actual storage limitation on a CCR as I need room for both current and new lists simultaneou...
by Larsa
Mon Jan 14, 2019 10:19 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1076

Re: Firewall: dynamic ip lookup instead of static address list?

Any thoughts about a secure way to update the address list online that doesn't take forever? The wipe and clean method is highly insecure because of the lengthy import times that are directly related to the huge import volumes. Btw, what lists are you using from FireHOL (iplists.firehol.org)? why not...
by Larsa
Mon Jan 14, 2019 9:43 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1076

Re: Firewall: dynamic ip lookup instead of static address list?

Any thoughts about a secure way to update the address list online that doesn't take forever? The wipe and clean method is highly insecure because of the lengthy import times that are directly related to the huge import volumes. Btw, what lists are you using from FireHOL (iplists.firehol.org)? Until ...
by Larsa
Mon Jan 14, 2019 9:21 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1076

Re: Firewall: dynamic ip lookup instead of static address list?

I remember seeing somewhere that addresslist can be fed a dns and it will do resolution on its own (basically keeping itself updated) Documented (a big word for just small syntax note) in the meantime: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Address_list Thanks for the tip but unfortuna...
by Larsa
Mon Jan 14, 2019 7:23 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1076

Re: Firewall: dynamic ip lookup instead of static address list?

Thanks! :) Regarding MT blocking capabilities, I take it you've been there, done that and found the bitter dead end! :lol:

Besides MT, did you solve it any other way?
by Larsa
Mon Jan 14, 2019 7:10 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1076

Re: Firewall: dynamic ip lookup instead of static address list?

@anav: I have absolutely no opinion about MOAB since I really don't know anything about it :!: and furthermore it's not the subject of this discussion. With respect, please keep the focus on my original question regarding how to manage problems related to huge address lists in RoS, etc. Many thanks in a...
by Larsa
Mon Jan 14, 2019 6:36 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1076

Re: Firewall: dynamic ip lookup instead of static address list?

Any thoughts about a secure way to update the address list online that doesn't take forever? The wipe and clean method is highly insecure because of the lengthy import times that are directly related to the huge import volumes.

Btw, what lists are you using from FireHOL (iplists.firehol.org)?
by Larsa
Mon Jan 14, 2019 6:24 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1076

Re: Firewall: dynamic ip lookup instead of static address list?

Insofar as ip address lookup within the firewall (with eg DNSBL check) --- IMO that would impose a significant performance hit plus setting something like that up locally requires significant time and resources adding another point of failure. Well, IMO some few ms really doesn't matter duri...
by Larsa
Mon Jan 14, 2019 5:15 pm
Forum: General
Topic: Firewall: dynamic ip lookup instead of static address list?
Replies: 21
Views: 1076

Firewall: dynamic ip lookup instead of static address list?

Is there any way to use some kind of "dynamic" ip address lookup within the firewall (with eg DNSBL check) instead of using the built-in static address lists? The objective is to move out all the static address lists to a server since they've grown too big for RoS. Background to my question is...
by Larsa
Wed Nov 21, 2018 5:45 pm
Forum: RouterBOARD hardware
Topic: LHG LTE (RBLHGR&R11e-LTE) Specifications [SOLVED]
Replies: 3
Views: 918

Re: LHG LTE (RBLHGR&R11e-LTE) Specifications [SOLVED]

Excellent thank you!
by Larsa
Wed Nov 21, 2018 1:51 pm
Forum: RouterBOARD hardware
Topic: LHG LTE (RBLHGR&R11e-LTE) Specifications [SOLVED]
Replies: 3
Views: 918

Re: Product info regarding LHG LTE [SOLVED]

Any sales folks that are willing to answer questions in this forum or someone who can comment on how the product works?
by Larsa
Tue Nov 20, 2018 10:27 am
Forum: RouterBOARD hardware
Topic: LHG LTE (RBLHGR&R11e-LTE) Specifications [SOLVED]
Replies: 3
Views: 918

LHG LTE (RBLHGR&R11e-LTE) Specifications [SOLVED]

The LHG LTE kit ( https://mikrotik.com/product/lhg_lte_kit ) looks promising. Some questions I couldn't find info about from the product page: 1. Can someone please supply somewhat more detailed info regarding the antenna characteristics like radiation patterns as lobe angles, mimo, etc. Doesn't nee...
by Larsa
Mon Nov 12, 2018 10:11 am
Forum: Announcements
Topic: Newsletter 85
Replies: 30
Views: 9589

Re: Newsletter 85

The LHG LTE kit (with a high gain 17 dBi parabolic antenna) looks really promising. A few questions though: 1. Where can you find more detailed info regarding the antenna characteristics like MIMO, radiation patterns as lobe angles, etc. Doesn't need to be precise, a general description will do. 2. ...
by Larsa
Fri Aug 31, 2018 3:22 pm
Forum: RouterBOARD hardware
Topic: RB922UAGS-5HPacD/RBM33G+R11e-5HacD comparison: which one should I use?
Replies: 6
Views: 855

Re: RB922UAGS-5HPacD/RBM33G+R11e-5HacD comparison: which one should I use?

I was thinking more about the actual routerboards. This is for an LTE-solution with 18 dBi tube mimo antennas. I'm a bit concerned about the 16MB flash on RBM11G and if it in any way will force ROS to run in a limited way?
by Larsa
Wed Aug 29, 2018 7:40 pm
Forum: RouterBOARD hardware
Topic: RB922UAGS-5HPacD/RBM33G+R11e-5HacD comparison: which one should I use?
Replies: 6
Views: 855

Re: RB922UAGS-5HPacD/RBM33G+R11e-5HacD comparison: which one should I use?

I was thinking about the same. Which did you pick?
by Larsa
Mon Jun 25, 2018 8:21 pm
Forum: General
Topic: Format of certificate "subject-alt-name" ? [SOLVED]
Replies: 3
Views: 986

Re: Format of certificate "subject-alt-name" ? [SOLVED]

Many thanks, exactly what I was looking for!
by Larsa
Sun Jun 24, 2018 8:36 pm
Forum: General
Topic: Format of certificate "subject-alt-name" ? [SOLVED]
Replies: 3
Views: 986

Re: Format of certificate "subject-alt-name" ? [SOLVED]

Anyone? Any ideas are welcome!
by Larsa
Sun Jun 24, 2018 11:09 am
Forum: General
Topic: Format of certificate "subject-alt-name" ? [SOLVED]
Replies: 3
Views: 986

Format of certificate "subject-alt-name" ? [SOLVED]

Can someone please point out where the various formats for certificate "subject-alt-name" (IP, DNS, etc) are defined and how to add multiple alternative names? Didn't manage to find any detailed info regarding this in the wiki...
--

Thanks in advance!
by Larsa
Wed Jun 20, 2018 8:50 pm
Forum: General
Topic: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]
Replies: 11
Views: 976

Re: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]

Yes indeed!

Rumors say some of the co-workers got very puzzled when their personal hotspot stopped working but were still able to use their laptop on the same connection.
by Larsa
Tue Jun 19, 2018 12:06 pm
Forum: General
Topic: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]
Replies: 11
Views: 976

Re: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]

Well, the regular access is somewhat limited because of previous misuse and someone got the brilliant idea to bypass that limitation. So I'm not quite convinced regarding the business case this time! :lol:
by Larsa
Mon Jun 18, 2018 4:28 pm
Forum: General
Topic: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]
Replies: 11
Views: 976

Re: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]

Well, it's good enough to prevent a "normal" ad hoc installation and not for the professional villain with deeper technical knowledge :-)
by Larsa
Mon Jun 18, 2018 11:23 am
Forum: General
Topic: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]
Replies: 11
Views: 976

Re: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]

Excellent, thanks for the pointer! Since it's "flat switched" (like the term btw ;-) it should probably work in this case.
by Larsa
Mon Jun 18, 2018 10:57 am
Forum: General
Topic: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]
Replies: 11
Views: 976

Re: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]

Thanks, I'll try TTL to start with!

Any suggestion on a decent value to start filtering on? Btw, is the internal TTL translated/terminated in src-nat and gets another TTL on the outbound side?
by Larsa
Mon Jun 18, 2018 10:22 am
Forum: General
Topic: Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]
Replies: 11
Views: 976

Prevent usage of SMHO WiFi-routers on corporate network? [SOLVED]

Is there any way to prevent people from setting up "personal hotspots" using SMHO WiFi-routers on an enterprise office network? Presume the SOHO-router is assigned a correct ip-address from corporate DHCP-server and is using its own src-nat, is there a way to detect and block these kinds of connectio...
by Larsa
Tue Jun 05, 2018 5:55 pm
Forum: Announcements
Topic: MikroTik News June 2018 (Issue #83)
Replies: 44
Views: 13271

Re: MikroTik News June 2018 (Issue #83)

A reflection regarding the "new" LTE SXT. What purpose do higher speeds have if the downlink still is just 100 Mbit?

Please give us a LTE CAT6 SXT with a MIMO pointing antenna + GbE downlink. Thanks ;-)
by Larsa
Tue Apr 17, 2018 12:22 pm
Forum: Announcements
Topic: Future of LTE products, user feedback requested
Replies: 84
Views: 18369

Re: Future of LTE products, user feedback requested

First of all, please make the transceiver module exchangeable thus do not limit the solution to some specific bands. In that way we can future-proof our customer installations for emerging transmission technologies only by replacing the transceiver module. Think a SXT LTE with a M2 or PCI-SIG compat...
by Larsa
Wed Dec 13, 2017 4:26 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2047

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

Thanks for the thorough answer and hands-on guidance is always much appreciated as well!
by Larsa
Tue Dec 12, 2017 11:08 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2047

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

dead peer detection should be enabled by default (interval 120 tries 5)

Normally, you set stuff like DPD and Lifetime using the ipsec peer config but what settings are used for the GRE dynamic IPSec tunnels? The GRE Wiki seems pretty brief (or actually completely empty) on this subject ...
by Larsa
Tue Dec 12, 2017 10:10 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2047

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

Don't do it that way! Delete the IPsec Peer and Policy you have now, create a GRE interface, specify source and destination address (the public IPs of the routers) and set an IPsec secret. Then put a /30 network on the GRE interfaces (e.g. 10.0.0.1/30 and 10.0.0.2/30) and route the networks on each...
by Larsa
Tue Dec 12, 2017 7:20 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2047

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

Sorry for the delay- I was a bit more than just busy. So I tested everything again and it is definitely working and I am passing traffic through the tunnel. What I noticed is that the tunnel breaks if one or both of the routers do not have a default route. That was new to me too. -Chris Chris, than...
by Larsa
Tue Dec 12, 2017 7:16 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2047

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

Packet flow diagram will illustrate why you need route for destination even if gateway of that route will not be used: https://wiki.mikrotik.com/images/6/68/IpsecFlow.png So if I understand it correctly, then the only way to set the outbound address of the tunnel is to control pref-src by for exampl...
by Larsa
Tue Dec 12, 2017 6:40 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2047

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

Now you mention it... that makes sense. Thanks.
And I second the proposal for GRE/IPsec
-Chris

I concur, but even if you put GRE/L2TP on top of the tunnel you'll probably get the same issue with the outbound address as before...
by Larsa
Fri Dec 08, 2017 12:00 am
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2047

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

Sorry, but I forgot to mention that the tunnel gets established but cannot pass any packets since the remote peer gets pref-source from the sending side as the return address i.e outbound address = pref-source. If possible, please enable logging for protocol 50 (ESP) and check for the same behavior....
by Larsa
Thu Dec 07, 2017 2:28 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2047

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

Not back in the office, but I have an idea to check in the mean time: Do you have any masquerade rules configured in /ip firewall nat? I could bet you have. Masquerade always uses the lowest address on the interface, no matter what is defined beforehand. Convert this rule to src-nat (and to-address...
by Larsa
Thu Dec 07, 2017 1:04 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2047

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

Dumb questions -just to be sure: Did you specify that desired address as local-address in the peer definition? Is that address actually really assigned to the router? I have a couple of IPsec tunnels running here with multiple WAN addresses and they're running just fine as expected... -Chris Our tu...
by Larsa
Thu Dec 07, 2017 12:33 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2047

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

You need to set the "preferred source" on the route - it will set the outbound router ip address. Ok, so if I understand you correctly pref-source is the only way you can control the outbound address for an IPsec tunnel. So in case you have a "/29" subnet defined for your WAN, then you need to assign...
by Larsa
Thu Dec 07, 2017 12:05 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2047

Re: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

Instead of a direct IPsec tunnel, use GRE over IPsec or L2TP over IPsec to establish a tunnel, and route your LAN traffic via that tunnel. That will end all your problems with NAT avoidance etc. Hi! Thanks for the suggestion, but in this case it's not the NAT avoidance that is the main issue, but r...
by Larsa
Wed Dec 06, 2017 11:16 am
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2047

Re: Setup IPSec to use specific outgoing subnet address on WAN? [SOLVED]

Any suggestion how this can be solved?
by Larsa
Tue Dec 05, 2017 6:54 pm
Forum: General
Topic: Outbound Port 25
Replies: 8
Views: 1393

Re: Outbound Port 25

I recommend you skip the router and hook up a PC directly to the WAN port where you have your mail server. If you are using Windows download nc.exe and then run an outbound test using: C:\> nc -v smtp.gmail.com 25 gmail-smtp-msa.l.google.com [64.233.161.108] 25 (smtp) open 220 smtp.gmail.com ESMTP w...
by Larsa
Mon Dec 04, 2017 9:47 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2047

Re: Setup IPSec to use specific outgoing subnet address on WAN? [SOLVED]

I have picked a number off the 5 of a block and it works fine. Well, that's what we tried. But the outbound ip address always defaults to Pref Source i.e first usable address in the subnet. Since you have to use "accept srcnat Src.Addresse Dst.Adresses" as the first entry to bypass any further NAT-t...
by Larsa
Mon Dec 04, 2017 8:36 pm
Forum: General
Topic: Outbound Port 25
Replies: 8
Views: 1393

Re: Outbound Port 25

It's quite normal nowadays that operators block outbound smtp port 25 on consumer connections to prevent spam-bots. Test outbound port 25 using Netcat (nc) with verbose and debug flags (usually -D and -v) from a computer connected directly to the WAN-port. For example use the following command line: ...
by Larsa
Mon Dec 04, 2017 6:48 pm
Forum: General
Topic: Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]
Replies: 27
Views: 2047

Setup IPSec to use specific outbound subnet address on WAN? [SOLVED]

Is it possible to set up an IPSec tunnel to use a specific public address on a WAN interface that consists of a "/29" subnet (i.e any of the 5 public IP addresses)? I'm asking since we had some issues with IPsec and the only way to resolve the problem was to pick the lowest address from the public...