Community discussions

Search found 52 matches

by satish143
Wed Jun 29, 2016 6:10 pm
Forum: General
Topic: mikrotik check-for-updates failed
Replies: 3
Views: 1825

mikrotik check-for-updates failed

What is wrong here? I can ping the upgrade.mikrotik.com IP address, and I don't have any firewall blocking anything. I have an identical device in a VRRP (HA) pair which has no issue.

[admin@fw5] > /system package update check-for-updates
          channel: bugfix
  current-version: 6.34.2
          ...
by satish143
Wed Jun 29, 2016 5:44 pm
Forum: General
Topic: mikrotik console connect back to back
Replies: 1
Views: 414

mikrotik console connect back to back

We have two MikroTik boxes, A and B. Is there a way I can connect both MikroTik console ports back to back using a null modem (DB9) cable so I can take console access of A using B?

I want console on them so in case I screw something up I can get console access using the other MikroTik. Is it possible?
by satish143
Thu Apr 28, 2016 6:44 pm
Forum: General
Topic: fasttrack counter vs rules counter
Replies: 1
Views: 825

fasttrack counter vs rules counter

I have firewall running with "special dummy rule to show fasttrack counter", I have seen it is showing 500G Bytes pass from this rules but i check other rules understand they are just below 100MB and even deny any any also few MB so i don't know why fasttrack is 500G, what traffic it is counting?
by satish143
Thu Apr 07, 2016 9:48 pm
Forum: Scripting
Topic: remote ssh via script
Replies: 52
Views: 30685

Re: remote ssh via script

Guys! Any solution? I need this option badly to sync two VRRP MT. This is a stupid issue. Why is SSH not allowed to run over script? :?
by satish143
Thu Apr 07, 2016 9:48 pm
Forum: Scripting
Topic: remote ssh via script
Replies: 52
Views: 30685

Re: remote ssh via script

Guys! Any solution? I need this option badly to sync two VRRP MT. This is a stupid issue. Why is SSH not allowed to run over script? :? :? :?
by satish143
Thu Apr 07, 2016 8:03 pm
Forum: General
Topic: why ssh not working in script?
Replies: 2
Views: 774

why ssh not working in script?

I have setup SSH key between two MT but following command not working in script it does work on terminal. Why?

RouterOS version: 6.34.2

/system ssh 10.0.0.2 user=sync-config command="/ip service enable 1"

what is the work around ?
by satish143
Thu Apr 07, 2016 7:40 pm
Forum: Scripting
Topic: why ssh not working in script?
Replies: 0
Views: 591

why ssh not working in script?

I have setup SSH key between two MT but following command not working in script it does work on terminal. Why?

RouterOS version: 6.34.2
/system ssh 10.0.0.2 user=sync-config command="/ip service enable 1"
what is the work around ?
by satish143
Wed Apr 06, 2016 4:36 am
Forum: General
Topic: mikrotik scp/sftp client to transfer file between MT
Replies: 13
Views: 9587

Re: mikrotik scp/sftp client to transfer file between MT

I am trying to sync firewall rules between two VRRP mikrotik and setup SSH key between them. is there any scp/sftp client available in RouterOS so i can transfer file between two mikrotik? I don't want to use ftp or third party server to transfer file between two MT. forget ssh and use directly the...
by satish143
Wed Apr 06, 2016 12:54 am
Forum: General
Topic: mikrotik scp/sftp client to transfer file between MT
Replies: 13
Views: 9587

mikrotik scp/sftp client to transfer file between MT

I am trying to sync firewall rules between two VRRP mikrotik and setup SSH key between them. is there any scp/sftp client available in RouterOS so i can transfer file between two mikrotik? I don't want to use ftp or third party server to transfer file between two MT.
by satish143
Mon Apr 04, 2016 5:57 pm
Forum: General
Topic: RouterOS (RoS) v7 beta Release date
Replies: 1
Views: 2936

RouterOS (RoS) v7 beta Release date

When RouterOS (RoS) v7 beta coming for testing? any ETA
by satish143
Mon Apr 04, 2016 5:50 pm
Forum: General
Topic: Feature request for v7.x
Replies: 269
Views: 63679

Re: Feature request for v7.x

When v7 coming out? is there any beta or testing version available?
by satish143
Mon Apr 04, 2016 5:30 pm
Forum: General
Topic: Best Interface Queue type for CCR routers?
Replies: 3
Views: 2208

Re: Best Interface Queue type for CCR routers?

If you are intending to use fastpath forwarding on the CCRs, you are required to use only-hardware-queue, as any other kind of interface queue will disable fastpath. multi-queue-ethernet-default should be worth trying on x86 systems with compatible NICs (in system - resource - irq you see several i...
by satish143
Mon Mar 28, 2016 11:39 pm
Forum: General
Topic: /tool fetch failure: poll err
Replies: 5
Views: 1867

/tool fetch failure: poll err

I am trying to fetch this file but getting error. I have confirmed ftp is working fine. I am using version 6.34.2
[admin@fw] > /tool fetch address=10.10.10.1 src-path=EXPORT.FW_filter.rsc mode=ftp port=21 user=admin password=123456
  status: failed

failure: poll err
by satish143
Mon Mar 28, 2016 11:09 pm
Forum: General
Topic: Poor mans config sync: vrrp
Replies: 7
Views: 3452

Re: Poor mans config sync: vrrp

I am also looking for firewall sync script, which sync between two VRRP device.

Anybody has any example script?
by satish143
Fri Mar 25, 2016 2:33 am
Forum: General
Topic: VRRP up but VIP isn't pinging
Replies: 1
Views: 444

Re: VRRP up but VIP isn't pinging

I have following setup with my ISP. I can ping Mikrotik from public network but not able to ping VRRP VIP address. Failover is working fine if i unplug cable etc. anybody seeing this issue? my version is 6.34.2 ISP link terminated on SW1 and SW2 cisco switch and from Cisco Switch my both mikrotik c...
by satish143
Fri Mar 25, 2016 2:32 am
Forum: General
Topic: VRRP error received packet from 66.X.X.X bad version (2 != 3)
Replies: 6
Views: 1344

Re: VRRP error received packet from 66.X.X.X bad version (2 != 3)

Use different VRID.
You are right.. as soon as i change VRID it works!! does VRID suppose to be unique?
by satish143
Thu Mar 24, 2016 6:23 pm
Forum: General
Topic: VRRP error received packet from 66.X.X.X bad version (2 != 3)
Replies: 6
Views: 1344

Re: VRRP error received packet from 66.X.X.X bad version (2 != 3)

This error is because ISP side is also running VRRP and sends packets to Mikrotik routers. You are right i talked to ISP and they said they are running VRRP too. how to fix this issue? Just block ISP VRRP packet in firewall? Question: I have L2 switch connected to ISP and behind that switch I have ...
by satish143
Thu Mar 24, 2016 6:10 pm
Forum: General
Topic: VRRP up but VIP isn't pinging
Replies: 1
Views: 444

VRRP up but VIP isn't pinging

I have following setup with my ISP. I can ping Mikrotik from public network but not able to ping VRRP VIP address. Failover is working fine if i unplug cable etc. anybody seeing this issue? my version is 6.34.2 ISP link terminated on SW1 and SW2 cisco switch and from Cisco Switch my both mikrotik co...
by satish143
Thu Mar 24, 2016 4:43 pm
Forum: General
Topic: VRRP error received packet from 66.X.X.X bad version (2 != 3)
Replies: 6
Views: 1344

Re: VRRP error received packet from 66.X.X.X bad version (2 != 3)

If I change my MT VRRP version from 3 to 2 I am getting the following error, any idea what is wrong? received packet from 66.XX.XX.27 misconfigured IP addresses [66.XX.XX.25](my) != [66.XX.XX.26](received) Mikrotik 66.XX.XX.23 - Master 66.XX.XX.24 - Slave 66.XX.XX.25 - Mikrotik VIP (vrrp IP) ISP (HSRP) 66....
by satish143
Thu Mar 24, 2016 3:12 pm
Forum: General
Topic: VRRP error received packet from 66.X.X.X bad version (2 != 3)
Replies: 6
Views: 1344

VRRP error received packet from 66.X.X.X bad version (2 != 3)

I have set up VRRP with my ISP (I believe they are using Cisco HSRP). As soon as the link is up I am getting this error in my Interface > VRRP tab: received packet from 66.X.X.X bad version (2 != 3) My VRRP configuration is very standard. VRID=1 Version=3 Authentication=none Do you think ISP (HSRP) causing...
by satish143
Wed Mar 02, 2016 11:51 pm
Forum: General
Topic: Block DDoS on Prerouting chain on firewall
Replies: 24
Views: 3348

Re: Block DDoS on Prerouting chain on firewall

You are right, if connection tracking is enabled then you will never be able to find fragmented packet because it get assembly at door. How other company handling this kind of attack? I hope the fragments you want to eliminate are part of some DDoS attack. For example if the attack is made by DNS p...
by satish143
Tue Mar 01, 2016 11:41 pm
Forum: General
Topic: Block DDoS on Prerouting chain on firewall
Replies: 24
Views: 3348

Re: Block DDoS on Prerouting chain on firewall

Okay! Enable IP Fragment option in "Prerouting" chain to mark fragmented packet but its not matching any single packet. If i disable check mark "IP fragment" it start matching packet.. As you already mentioned the problem is probably that ROS does the fragment reassembly automatically when connecti...
by satish143
Tue Mar 01, 2016 11:40 pm
Forum: General
Topic: Block DDoS on Prerouting chain on firewall
Replies: 24
Views: 3348

Re: Block DDoS on Prerouting chain on firewall

maybe you need a powerfull routerboard than actual?? I have CCR1036-8G-2S+ 16GB memory 32 CPUs, Does it enough? ccr1036 has 36 cpu tile cores not 32 bandwidth an pps of legitimate traffic?? bandwidth and pps of offending traffic when attacked?? You are right, its 36 core. 100kpps and total bandwidt...
by satish143
Tue Mar 01, 2016 9:29 pm
Forum: General
Topic: Block DDoS on Prerouting chain on firewall
Replies: 24
Views: 3348

Re: Block DDoS on Prerouting chain on firewall

maybe you need a powerfull routerboard than actual??
I have CCR1036-8G-2S+ 16GB memory 32 CPUs, Does it enough?
by satish143
Tue Mar 01, 2016 8:11 pm
Forum: General
Topic: Block DDoS on Prerouting chain on firewall
Replies: 24
Views: 3348

Re: Block DDoS on Prerouting chain on firewall

This won't improve your performance. Only the forward or input chain can actually block packets. Mangle is like a paint sprayer - it can mark packets and change some interesting values on them, but it doesn't do any discarding. Even if it did, this would not improve the performance, because the sam...
by satish143
Tue Mar 01, 2016 7:02 pm
Forum: General
Topic: Block DDoS on Prerouting chain on firewall
Replies: 24
Views: 3348

Re: Block DDoS on Prerouting chain on firewall

maybe limiting specific application destination port to a max size of packet?? looks like ip firewall has the option of match ip fragments Here is the problem, even if i identify my packet is IP Fragmented but i want to drop then in PREROUTING chain itself. because if i block them in INPUT or FORWA...
by satish143
Tue Mar 01, 2016 3:57 pm
Forum: General
Topic: Block DDoS on Prerouting chain on firewall
Replies: 24
Views: 3348

Re: Block DDoS on Prerouting chain on firewall

is important to establish if offending traffic is toward the router itself or is in transit traffic
Its transit traffic toward my servers.
by satish143
Tue Mar 01, 2016 3:56 pm
Forum: General
Topic: Block DDoS on Prerouting chain on firewall
Replies: 24
Views: 3348

Re: Block DDoS on Prerouting chain on firewall

new mangle rule/extra/[x] ip fragment as mentioned before - fragmented traffic is perfectly legal. By dropping subsequent fragments you will probably make more problems than you solve Our application is voice based RTP packet which data size is less than 512 bytes. We did all kind of study and final...
by satish143
Mon Feb 29, 2016 4:24 pm
Forum: General
Topic: Block DDoS on Prerouting chain on firewall
Replies: 24
Views: 3348

Re: Block DDoS on Prerouting chain on firewall

You could make action=mark-packet new-packet-mark=dropme and then in filter table: chain=input packet-mark=dropme action=drop chain=forward packet-mark=dropme action=drop Do be aware that this could break other things that are legitimately having packet fragmentation along the path. Is there a way ...
by satish143
Sat Feb 27, 2016 9:08 pm
Forum: General
Topic: Block DDoS on Prerouting chain on firewall
Replies: 24
Views: 3348

Re: Block DDoS on Prerouting chain on firewall

You could make action=mark-packet new-packet-mark=dropme and then in filter table: chain=input packet-mark=dropme action=drop chain=forward packet-mark=dropme action=drop Do be aware that this could break other things that are legitimately having packet fragmentation along the path. Is there a way ...
by satish143
Fri Feb 26, 2016 9:49 pm
Forum: General
Topic: Block DDoS on Prerouting chain on firewall
Replies: 24
Views: 3348

Re: Block DDoS on Prerouting chain on firewall

You could make action=mark-packet new-packet-mark=dropme and then in filter table: chain=input packet-mark=dropme action=drop chain=forward packet-mark=dropme action=drop Do be aware that this could break other things that are legitimately having packet fragmentation along the path. Is there a way ...
by satish143
Fri Feb 26, 2016 9:01 pm
Forum: General
Topic: Block DDoS on Prerouting chain on firewall
Replies: 24
Views: 3348

Block DDoS on Prerouting chain on firewall

We are getting lots of IP Fragmentation style DDoS, Packets are marked with MF (more fragment flag) and Mikrotik is super busy in assemble packets. CPU is 100% that time. Is there a way i can block or stop IP Fragmented packet with MF bit on Prerouting chain? But prerouting chain doesn't support "DR...
by satish143
Mon Feb 22, 2016 6:33 pm
Forum: General
Topic: Mikrotik Firewall rules sequesnse
Replies: 6
Views: 982

Re: Mikrotik Firewall rules sequesnse

While you already answer my question so i have one question related firewall.

Do i need fasttrack rules? Having it and not having it what make difference?

http://wiki.mikrotik.com/wiki/Manual:Wiki/Fasttrack
by satish143
Sun Feb 21, 2016 5:32 pm
Forum: General
Topic: Does mikrotik support HAProxy style load balancing?
Replies: 2
Views: 1890

Re: Does mikrotik support HAProxy style load balancing?

Does mikrotik support HAProxy style loadbalancing? we have WWW server and i want to do load sharing between them like F5. How to do that?
Guys any idea?
by satish143
Sun Feb 21, 2016 5:30 pm
Forum: General
Topic: Mikrotik Firewall rules sequesnse
Replies: 6
Views: 982

Re: Mikrotik Firewall rules sequesnse

When you are modifying rules and fear to be locked out, just enable the safe mode, do what you need to do, test it well, and then disable safe mode again to commit your changes. Normally there will not be any problem because new rules are inserted at the bottom where they are not reached, and you t...
by satish143
Sat Feb 20, 2016 11:41 pm
Forum: General
Topic: Does mikrotik support HAProxy style load balancing?
Replies: 2
Views: 1890

Does mikrotik support HAProxy style load balancing?

Does mikrotik support HAProxy style loadbalancing? we have WWW server and i want to do load sharing between them like F5. How to do that?
by satish143
Sat Feb 20, 2016 11:39 pm
Forum: General
Topic: Mikrotik Firewall rules sequesnse
Replies: 6
Views: 982

Re: Mikrotik Firewall rules sequesnse

Just grab the line and drag it where you want it to be...
But what if i want to put that rules in right place if not then it can break functionality. I thought it would be good to have option like Insert rule, like ASDM :)
by satish143
Thu Feb 18, 2016 7:28 pm
Forum: Announcements
Topic: v6.34.1 [current] is released!
Replies: 59
Views: 16128

Re: v6.34.1 [current] is released!

when 6.34.2 going to release? I am waiting for specific bugfix..
by satish143
Wed Feb 17, 2016 6:30 pm
Forum: General
Topic: Mikrotik Firewall rules sequesnse
Replies: 6
Views: 982

Mikrotik Firewall rules sequesnse

Just playing with mikrotik firewall rules and had a question, How do i insert specific rules in specific place?

Ex: we have 20 rules and i want to insert rule in line number 8 then how to do that? in GUI there isn't any way to define line number?
by satish143
Wed Feb 17, 2016 6:26 pm
Forum: General
Topic: RouterOS v7.0 beta1 - when?
Replies: 609
Views: 154988

Re: RouterOS v7.0 beta1 - when?

I heard they are releasing v7 beta second half of this year... :D
by satish143
Wed Feb 17, 2016 6:11 pm
Forum: General
Topic: When 6.34.2 bugfix release coming??
Replies: 2
Views: 1143

When 6.34.2 bugfix release coming??

When 6.34.2 bugfix release coming??
by satish143
Wed Feb 17, 2016 6:10 pm
Forum: General
Topic: CCR-1036 got rebooted with DDoS
Replies: 5
Views: 935

Re: CCR-1036 got rebooted with DDoS

Update:

Worked with support on this issue and finally it resolved in 6.34rc6 version :)

They said they mark this bugfix in 6.34.2 + releases, Any idea when 6.34.2 coming out?
by satish143
Thu Feb 04, 2016 6:29 pm
Forum: General
Topic: Decrease max-entires in connection tracking
Replies: 1
Views: 430

Decrease max-entires in connection tracking

I want to set limit to 300k for max-entries, how do i do that? because default is max-entries: 524288 [admin@MikroTik] > /ip firewall connection tracking print interval=2 enabled: auto tcp-syn-sent-timeout: 5s tcp-syn-received-timeout: 5s tcp-established-timeout: 6h tcp-fin-wait-timeout: 10s tcp-clo...
by satish143
Thu Feb 04, 2016 6:21 pm
Forum: General
Topic: Feature request for v7.x
Replies: 269
Views: 63679

Re: Feature request for v7.x

When it is going to release? Please in v7 make max-entries adjustable. so we can limit connection so kernel won't get crash :( I have notice in v6.35rc3 kernel crashing when limit reach to max :( I want to reduce max-entires but don't know how to :( [admin@MikroTik] > /ip firewall connection trackin...
by satish143
Thu Feb 04, 2016 5:27 pm
Forum: Announcements
Topic: v6.35rc [release candidate] is released, new wireless package!
Replies: 537
Views: 105771

Re: The Dude, work continues: v6.35rc test builds.

Yesterday I install 6.35rc3 on CCS-1036 Mikrotik Hardware and run following command to test network performance using firewall rules.. i added single rules in firewall to track connection hping3 --udp --data 512 --rand-source -i u10 <mikrotick ip> Above command created around ~500k connection in con...
by satish143
Wed Feb 03, 2016 9:58 pm
Forum: General
Topic: Max Entries: 524288 Only on x86!?
Replies: 8
Views: 2445

Re: Max Entries: 524288 Only on x86!?

Interesting post, I am looking for same answer, How to increase max-entries: I have recently bought CCR-1036 Hardware. I am doing lots of firewall stuff and i badly need that setting bump. Document lying about it, that it will increase base on available RAM. We have 16GB RAM and 14GB Free. What i sh...
by satish143
Wed Feb 03, 2016 2:24 pm
Forum: The Dude
Topic: The Dude, work continues: v6.35rc test builds.
Replies: 103
Views: 34971

Re: The Dude, work continues: v6.35rc test builds.

Mikrotik support suggested to try 6.35rc3 because my mikrotik was getting reboot in certain load. Where is the download link for 6.35rc3?
by satish143
Wed Jan 27, 2016 11:31 pm
Forum: General
Topic: CCR-1036 only get 500mbps through put
Replies: 10
Views: 1909

Re: CCR-1036 only get 500mbps through put

We need more info... How is the CCR configured? What ports are your devices connected to, how are those ports configured? Are you running any special services? i.e. firewall, encryption, VPN, etc... What size packets are you sending via iperf? When you connect each host directly together, what spee...
by satish143
Wed Jan 27, 2016 11:27 pm
Forum: General
Topic: CCR-1036 got rebooted with DDoS
Replies: 5
Views: 935

Re: CCR-1036 got rebooted with DDoS

Pay attention to Memory usage and CPU while you run the test. If you are hitting a max in one of those, yep, that can happen. In fact it can happen to any vendor. Further, What RouterOS are you running? I have check my CPU load it was around 30-40% but it has tons to memory, 16G and plenty free. I ...
by satish143
Sat Jan 23, 2016 10:15 pm
Forum: Announcements
Topic: v6.33.5 [current] is released!
Replies: 120
Views: 34050

Re: v6.33.5 [current] is released!

I have purchased CCS-1036 and upgrade to latest firmware 6.33.5 and found on high traffic getting kernel failure error and system getting reboot every 1 hours. Did anybody experience same issue? also i have send sup-output file to support and no reply back :( I am running following command to check ...
by satish143
Sat Jan 23, 2016 5:05 pm
Forum: General
Topic: CCR-1036 got rebooted with DDoS
Replies: 5
Views: 935

CCR-1036 got rebooted with DDoS

I have CCR-1036 and to test that i have plug it directly with Linux box to test network performance. I have added single IPtables rules to check firewall performance and run following command hping3 --udp --data 1024 --spoof --rand-source 192.168.88.1 Booooom!! mikrotik rebooted in 30 second.. i am ...
by satish143
Fri Jan 22, 2016 10:11 pm
Forum: General
Topic: CCR-1036 only get 500mbps through put
Replies: 10
Views: 1909

CCR-1036 only get 500mbps through put

Recently we got new CCR 1036 and i ran iperf utility to check through put but i am only getting MAX 500Mbits/sec

I have directly connected two Linux host to Mikrotik and running that test. I suppose to get 1Gbps right?

[Linux]-------[CCR 1036]-------[Linux]