Search found 368 matches

by jvanhambelgium
Mon Nov 23, 2020 5:56 pm
Forum: General
Topic: Destination-Side Source Address Validation
Replies: 3
Views: 272

Re: Destination-Side Source Address Validation

You must use the FORWARD chain: you want to effectively DROP packets coming in SOURCED with your own public prefixes and destined for some hosts behind the Mikrotik.
The INPUT chain is for traffic directed at the Mikrotik itself, this is not the case here.
by jvanhambelgium
Sat Nov 21, 2020 3:20 pm
Forum: General
Topic: Network architecture recommendations
Replies: 3
Views: 224

Re: Network architecture recommendations

I would go for the second topology (with red dotted flows) so use indeed separate interfaces towards ISP and clients.
Is this equipment located close to each other ? Or does "ether7" run across some provider L2-link to some remote location where the EdgeSwitch is located ?
by jvanhambelgium
Wed Nov 18, 2020 5:29 pm
Forum: General
Topic: How to Block URL's in Router OS? [SOLVED]
Replies: 12
Views: 553

Re: How to Block URL's in Router OS? [SOLVED]

And when the TLS Host Is used? and How does it work? That's what I wrote above. It matches on the only part of the url you can see in plaintext for https connections - the fqdn. So you can use it to block https connections to the whole play.google.com. I don't think that's what you want. Ok Tha...
by jvanhambelgium
Sun Nov 15, 2020 11:41 am
Forum: Scripting
Topic: how to get log records for last 5 mins?
Replies: 11
Views: 2328

Re: how to get log records for last 5 mins?

Works fine on my RB3011 running 6.47.7 "Stable" too !
by jvanhambelgium
Thu Nov 12, 2020 9:58 pm
Forum: Beginner Basics
Topic: Port 22 / SFTP/SSH Being Blocked
Replies: 15
Views: 425

Re: Port 22 / SFTP/SSH Being Blocked

Ah OK, the line below IS your generic masq rule providing "NAT'ed" access for all the internal 192.168.1.0/24 IP's. The comment was a bit misleading. >> add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.1.0/24 You have the rules in place in the forward-chain to accom...
by jvanhambelgium
Thu Nov 12, 2020 9:05 pm
Forum: Beginner Basics
Topic: Port 22 / SFTP/SSH Being Blocked
Replies: 15
Views: 425

Re: Port 22 / SFTP/SSH Being Blocked

You only posted parts of the config. Are you using some form of VPN tunnel and do you route specific traffic into a tunnel ? Do all other regular Internet services work from that same PC you are testing from ? (eg. generic browsing, dns lookups etc) Because : add action=masquerade chain=srcnat comme...
by jvanhambelgium
Thu Nov 12, 2020 8:50 pm
Forum: Beginner Basics
Topic: Port 22 / SFTP/SSH Being Blocked
Replies: 15
Views: 425

Re: Port 22 / SFTP/SSH Being Blocked

The first one works just fine for me, I issue sftp demo@test.rebex.net and I see a password prompt etc. web check test.rebex.net:22 demo/password Also supports SSH, FTP/SSL, FTP, IMAP, POP3 and Time protocols. Read-only. What you can do is really start LOGGING (add logging on rules) a bit so it migh...
by jvanhambelgium
Thu Nov 12, 2020 10:41 am
Forum: General
Topic: CPU stress test
Replies: 4
Views: 267

Re: CPU stress test

Disable STP and create some ethernet-loops ? That will get the fire going ;-)
by jvanhambelgium
Sun Nov 08, 2020 7:37 pm
Forum: General
Topic: iOS14 "Use Private Address" Random MAC (Default) and Time Restrictions
Replies: 24
Views: 838

Re: iOS14 "Use Private Address" Random MAC (Default) and Time Restrictions

I don't have any iOS device to test it, but quick search suggests that these random MAC addresses should correctly set the local bit. If you include bridge in your config (you could use one as "wrapper" for wlan interface, if you don't already have some), then bridge filters have option for matchin...
by jvanhambelgium
Sun Nov 08, 2020 4:05 pm
Forum: General
Topic: iOS14 "Use Private Address" Random MAC (Default) and Time Restrictions
Replies: 24
Views: 838

Re: iOS14 "Use Private Address" Random MAC (Default) and Time Restrictions

We do live in a strange world indeed... The "kids control" feature on Mikrotik only uses MAC-addresses for identification (and then the IP is retrieved from the ARP-table using the MAC you provided). There seems, as far as the Wiki is up-to-date, no way to use other criteria. So yeah ... then you are...
by jvanhambelgium
Sun Nov 08, 2020 3:42 pm
Forum: General
Topic: iOS14 "Use Private Address" Random MAC (Default) and Time Restrictions
Replies: 24
Views: 838

Re: iOS14 "Use Private Address" Random MAC (Default) and Time Restrictions

Please read carefully, if one tries Time Restrictions then definitely not on a device that one controls physically... I read : Used to quite happily restrict kids time using MAC address of the iDevices So ... you have nothing to say about idevices of your KIDS ? Strange world we live in then. Perha...
by jvanhambelgium
Sun Nov 08, 2020 11:11 am
Forum: General
Topic: iOS14 "Use Private Address" Random MAC (Default) and Time Restrictions
Replies: 24
Views: 838

Re: iOS14 "Use Private Address" Random MAC (Default) and Time Restrictions

Simply disable the option?
I have an iOS device that updated to 14.x some days ago and started using this random MAC-address.
Go into setting of the phone, to the Wireless settings and disable "Private Network" and done...

Easy if the iOS devices are under your own control.
by jvanhambelgium
Sat Nov 07, 2020 9:51 am
Forum: Beginner Basics
Topic: Filter rule issue
Replies: 3
Views: 188

Re: Filter rule issue

WITHIN a chain, rules are evaluated TOP -> BOTTOM
Please understand the difference between INPUT chain, FORWARD chain, OUTPUT chain etc. (most important are INPUT/FORWARD)

https://wiki.mikrotik.com/wiki/Manual:I ... ter#Chains
by jvanhambelgium
Tue Nov 03, 2020 9:12 pm
Forum: Beginner Basics
Topic: Mikrotik router
Replies: 3
Views: 118

Re: Mikrotik router

That last . is probably causing the error (reason for the red color)

10.10.10.10/24 and not like you try 10.10.10.10./24
by jvanhambelgium
Tue Nov 03, 2020 8:50 am
Forum: General
Topic: How do we share a large common dhcp pool on a bridged interface to vlans out of that bridge?
Replies: 3
Views: 229

Re: How do we share a large common dhcp pool on a bridged interface to vlans out of that bridge?

What you want is PVLAN (Private VLAN). In the concept of PVLAN, there exist mainly two types of ports : Promiscuous port (P-Port) and Host port. Host port further divides in two types – Isolated port (I-Port) and Community port (C-port). Promiscuous port (P-Port): The switch port connects to a route...
by jvanhambelgium
Sun Nov 01, 2020 8:37 pm
Forum: Announcements
Topic: v6.47.7 [stable] is released!
Replies: 44
Views: 10097

Re: v6.47.7 [stable] is released!

I took the plunge and updated my RB3011 from 6.46.6 (Testing) to this latest "stable" Upgrade process without any issues, now I will be looking out for "interface resets/flaps" that have plagued me over the latest span of releases. It seemed the 6.46.6 (Testing) proved stable concerning these interf...
by jvanhambelgium
Sun Nov 01, 2020 9:49 am
Forum: General
Topic: Discover username and password used to try to access my routerboard
Replies: 1
Views: 184

Re: Discover username and password used to try to access my routerboard

Not the password, but in the logs you will get 1 line indicating an attempt of that login ?
Who cares about the password at this stage...


Time: Nov/01/2020 08:48:23
Buffer: memory
Topics: system, error, critical
Message: login failure for user invaliduser from IP.ADDRESS.OF.ATTEMPT via ssh
by jvanhambelgium
Thu Oct 22, 2020 9:17 pm
Forum: General
Topic: PSA: Trickbot is using compromised Mikrotik devices. Secure your routers reachable from the internet.
Replies: 18
Views: 1169

Re: PSA: Trickbot is using compromised Mikrotik devices. Secure your routers reachable from the internet.

Anyone that runs "SMB" on a router/firewall AND has it exposed to Internet should be thrown into the darkest dungeon of mount Doom!
by jvanhambelgium
Mon Oct 19, 2020 8:48 am
Forum: Beginner Basics
Topic: Each port of mikrotik is separate from others
Replies: 7
Views: 353

Re: Each port of mikrotik is separate from others

So you are looking for something like "(Private) VLAN" ? You want to avoid that each of the ports can communicate among them ? But please explain your usecase ? Are you offering something like Internet access for an apartment building where everybody has their own router ?? Where are all the differ...
by jvanhambelgium
Thu Oct 15, 2020 2:31 pm
Forum: Beginner Basics
Topic: Questions relating to Hotspot, https redirects, certificates + SUP-30646
Replies: 14
Views: 482

Re: Questions relating to Hotspot, https redirects, certificates + SUP-30646

Of course it will fix your issues.
Just make sure you have a valid certificate for any URL that an end-user is redirected/pointed to.
If you purchase a wildcard-cert for *.mycompany.com you are completely flexible in what you want to achieve.
by jvanhambelgium
Tue Oct 06, 2020 10:36 pm
Forum: General
Topic: Network Lock Down
Replies: 6
Views: 398

Re: Network Lock Down

MAC addresses are easy to spoof, you should really be looking at 802.1x for wired and WPA2-Enterprise for wireless authentication against a RADIUS server Not always possible. Depends on the devices. If these devices have no "supplicant" embedded in their software, MAC-authentication is the best thi...
by jvanhambelgium
Sat Oct 03, 2020 9:07 am
Forum: Wireless Networking
Topic: antenna
Replies: 2
Views: 496

Re: antenna

Antenna design is complex. (You can have a PhD in RF-transmission.) Any antenna not specifically "matched" to its intended purpose will not work at all, work very badly or even cause some damage because of the energy that cannot be radiated into the air and needs to be dissipated somewhere along the w...
by jvanhambelgium
Fri Oct 02, 2020 9:09 am
Forum: RouterBOARD hardware
Topic: So, there is a 100g switch coming?
Replies: 9
Views: 714

Re: So, there is a 100g switch coming?

Operating at these speeds requires some serious engineering, fully redundant "non stop" fabric, separate control & data-planes (and preferably redundant of course) Cool, how much do you want to pay ? More than a few minutes downtime in (such) environments may already start paying for this. Sure you...
by jvanhambelgium
Thu Oct 01, 2020 9:45 pm
Forum: RouterBOARD hardware
Topic: So, there is a 100g switch coming?
Replies: 9
Views: 714

Re: So, there is a 100g switch coming?

Yeah. a 100g x 12 "top of rack" with a decent SOC - look at the prices of those switches and Mikrotik can make a real dent in the market. With free daily flappings of the interfaces ;-) Operating at these speeds requires some serious engineering, fully redundant "non stop" fabric, separate control ...
by jvanhambelgium
Fri Sep 18, 2020 8:40 pm
Forum: Beginner Basics
Topic: Syslog remote to unique port
Replies: 2
Views: 138

Re: Syslog remote to unique port

You might want to have the "Log" box ticked ? Your screenshot-NAT rules would never generate a logging without ticking that box obviously.
by jvanhambelgium
Tue Sep 15, 2020 9:34 am
Forum: General
Topic: Blocking Facebook, Tiktok and other websites
Replies: 7
Views: 459

Re: Blocking Facebook, Tiktok and other websites

The bottom-line is that a Mikrotik product simply is not suited anymore in this domain. It might have been so 10 years ago, but not anymore. I'm doing some projects using Palo Alto at the moment and their App-ID (signature based) detects all these web-applications without a problem (> 3000 different...
by jvanhambelgium
Mon Sep 14, 2020 10:41 am
Forum: General
Topic: Blocking Facebook, Tiktok and other websites
Replies: 7
Views: 459

Re: Blocking Facebook, Tiktok and other websites

That was in 2012 and now 'they' use HTTPS instead of HTTP. Which means that i do not stand a chance? If yes, then it makes it strange for me to believe that Mikrotik has left this area untouched. You might make it work "somewhat" by really blocking large portions of IP-space owned by "them". You pr...
by jvanhambelgium
Wed Sep 09, 2020 9:32 am
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 96
Views: 26306

Re: RB3011 port flopping - bad design

Any advice for SFP users with this problem? I am currently about to downgrade to 6.45.9 as it seemed to be working for other users. Very frustrating. Not using any SFP on my RB3011 but I'm running 6.46.6 (testing) without port-flaps for months now. I'm pretty sure that if I upgrade to the latest "s...
by jvanhambelgium
Mon Sep 07, 2020 4:37 pm
Forum: General
Topic: VLAN vs Firewall Rules for Isolating
Replies: 7
Views: 374

Re: VLAN vs Firewall Rules for Isolating

I mean if I used the same IP range and network with wireless, but used firewall rules to segregate the devices, is this as effective as a VLAN?
I think you can consider this also as a "yes"
But again : I don't use Mikrotik for wireless.
by jvanhambelgium
Mon Sep 07, 2020 4:07 pm
Forum: General
Topic: blocking windows update (both ipv4 and ipv6)
Replies: 6
Views: 459

Re: blocking windows update (both ipv4 and ipv6)

Are you running some DNS-filtering server ? (eg. Pi-hole ??) If so, you could add the following below and block them. http://windowsupdate.microsoft.com http://*.windowsupdate.microsoft.com https://*.windowsupdate.microsoft.com http://*.update.microsoft.com https://*.update.microsoft.com http://*.wi...
by jvanhambelgium
Mon Sep 07, 2020 2:46 pm
Forum: General
Topic: blocking windows update (both ipv4 and ipv6)
Replies: 6
Views: 459

Re: blocking windows update (both ipv4 and ipv6)

Simply configure your PC's NOT to check at Microsoft for updates ?? Possible with Win7 , Win10 etc.
Some problems should not be fixed at the network layer.

Of course, I don't think it is always smart NOT to install updates ... some updates you really WANT to install.
by jvanhambelgium
Mon Sep 07, 2020 2:43 pm
Forum: General
Topic: VLAN vs Firewall Rules for Isolating
Replies: 7
Views: 374

Re: VLAN vs Firewall Rules for Isolating

Good point about the wired cables. Will the firewall isolation work for wireless? If you make a separate SSID/Network for your "IoT" related stuff this can be linked to separate IP-range and then yes, you can filter accordingly. I don't use Mikrotik for any wireless, but this should be well documen...
by jvanhambelgium
Mon Sep 07, 2020 2:03 pm
Forum: General
Topic: VLAN vs Firewall Rules for Isolating
Replies: 7
Views: 374

Re: VLAN vs Firewall Rules for Isolating

Note the "firewall" approach will only work if these IoT things are cabled DIRECTLY on a Mikrotik port! (but I guess you knew that) I think both approaches are about equally "safe" if executed correctly. But if you have several devices it is not easy to cable every IoT "thing" directly on a wired po...
by jvanhambelgium
Mon Sep 07, 2020 8:36 am
Forum: Beginner Basics
Topic: access IPTV Cameras from outside
Replies: 8
Views: 446

Re: access IPTV Cameras from outside

Hi, >> I have Static IP address given by ISP 10.179.238.36 to which the Main WiFi Router is connected. Sure you have a static IP, but you do not have a PUBLIC IP , this means all the NAT-mapping must also be performed on the "outer" contour (router) AND also on the Mikrotik. You have access to th...
by jvanhambelgium
Fri Sep 04, 2020 9:20 am
Forum: Beginner Basics
Topic: IP is leased but no internet access [SOLVED]
Replies: 7
Views: 403

Re: IP is leased but no internet access [SOLVED]

You are running the latest "stable" RouterOS 6.47.3
When did you upgrade ? Because this release is only out since September 01 which seems closely related to the last date your setup worked ;-)

Revert to 6.47.2 (or 6.47.1) and I guess all will be fine again ;-)
by jvanhambelgium
Wed Sep 02, 2020 5:28 pm
Forum: General
Topic: How separate Radius Request By Domain [SOLVED]
Replies: 1
Views: 166

Re: How separate Radius Request By Domain [SOLVED]

Create 2 "RADIUS" client profiles ? Each with their own "realm" to make the split ?

Eg myuser@realm1 can go to RADIUS1 and myuser@realm2 can go to RADIUS2

https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client
by jvanhambelgium
Sun Aug 30, 2020 10:45 am
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 89
Views: 4886

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

I use mikrotik for my bras. Over the last few months, I started moving the gateways to juniper mx 204. Because of static addresses, it could take 20 plus seconds for the routes to come up in the mikrotik with a full route. The juniper only took a few seconds to update from the bras. Juniper îs The K...
by jvanhambelgium
Thu Aug 27, 2020 9:14 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 89
Views: 4886

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

Aside - anyone else think that massive PoE switches are on the danger list with the use of physical handsets being on the wane? My largest client moved office just before the pandemic and I finally got them to dump the handsets. They've gone pure Teams telephony with USB headsets and/or using their...
by jvanhambelgium
Thu Aug 27, 2020 7:32 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 89
Views: 4886

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

True that I consider Cisco today more really as a software company, where 5-10 years ago "hardware" was more the focus with monolithic software designs. Agree on the licensing too, you almost need a PhD to understand that (same with Microsoft etc) and pricing. Like you say, sooo much equipment out t...
by jvanhambelgium
Thu Aug 27, 2020 6:56 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 89
Views: 4886

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

So yes ... they pack a lot of performance. Should jolly well hope so for £3,500!! Do Mikrotik do a 48 port switch? I can find MikroTik CRS328-24P so would need two for £750. Serious question, what extra does the Cisco Catalyst 9300 bring to the table? stacking, stack-power, SDN (Simplified device d...
by jvanhambelgium
Thu Aug 27, 2020 6:11 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 89
Views: 4886

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

Don't they understand CPU cycles or what? x86 (I think they are possibly x64?) enough said. That's high-horsepower. You could do a bunch of things that's not possible on arm, arm64, MIPS etc Intel® x86 CPU complex with 8-GB (DDR4 2400 MT/s) memory, and 16 GB of flash and external USB 3.0 SSD plugga...
by jvanhambelgium
Thu Aug 27, 2020 4:26 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 89
Views: 4886

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

Don't they understand CPU cycles or what? Generally, no - people don't tend to realise that network devices are computers with a CPU, RAM, storage and IO with inherent resource constraints. I fell slightly into this camp until I started learning RouterOS in more detail and started to realise how it...
by jvanhambelgium
Thu Aug 27, 2020 10:57 am
Forum: Beginner Basics
Topic: Just when I thought I had it figured out..
Replies: 3
Views: 387

Re: Just when I thought I had it figured out..

On each of the systems, can you ping other end of the 10Gbits/s link ? Ping 1.1.1.1 (on Windows to Ubuntu) and ping 1.1.1.2 (on Ubuntu to Windows) gives you a reply ? If not, don't ever bother looking any further and fix that first. IF you get a reply, did you try to effectively MAP a network drive ...
by jvanhambelgium
Wed Aug 26, 2020 11:48 pm
Forum: RouterOS v7 BETA
Topic: Add sFlow
Replies: 6
Views: 557

Re: Add sFlow

So what's actually broken?.. Well ... flowStartMilliseconds and flowEndMilliseconds fields in the template are not correctly embedded, putting 1970-01-01 00:00:00 (Epoch) in there. So basically useless. I've tried some netflow tooling and they cannot really work with that IPFIX data like this. It s...
by jvanhambelgium
Wed Aug 26, 2020 10:42 pm
Forum: RouterOS v7 BETA
Topic: Add sFlow
Replies: 6
Views: 557

Re: Add sFlow

Is it broken in v7 only? Nope, also in 6.4x I've opened a case for that long ago ... latest reply on 21/07. Let's hope the release-notes from any future 6.x release contain the fix. This is so very trivial. Probably never tested or something after coding it....how else could you miss this one. ----...
by jvanhambelgium
Wed Aug 26, 2020 7:50 pm
Forum: RouterOS v7 BETA
Topic: Add sFlow
Replies: 6
Views: 557

Re: Add sFlow

Add sFlow
Perhaps they should start to FIX the broken IPFIX implementation to start with...
by jvanhambelgium
Tue Aug 25, 2020 10:18 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 89
Views: 4886

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

The reason that Cisco is the standard is because their product support is OUTSTANDING ..... Also I am quite astonished how long that oldish Cisco gear lasts. Just think of the venerable C3750 or C6500 series. The C6500 platform was the most successful switch/platform product on this planet ever! (>...
by jvanhambelgium
Tue Aug 25, 2020 9:37 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 89
Views: 4886

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

I was the Network Architect in charge of designing the company's new flagship Data Center in New York. Originally, the DC was supposed to use 4 Cisco ASR1006-X routers (2 for IP Transit and 2 for aggregation of MPLS L3VPN circuits - I think it was approximately $200,000 USD worth of gear ), we foun...
by jvanhambelgium
Tue Aug 25, 2020 5:43 pm
Forum: General
Topic: How to redirect all traffic to IPS
Replies: 7
Views: 472

Re: How to redirect all traffic to IPS

You have another (free) interface on the IPS that you can cable to the Mikrotik ? So not "IPS-on-a-stick" but different interface? Then configure another 172.16.4.x/30 subnet between them. I don't see why this should not work with some policy-route constructions ? I have to say I don't have experie...
by jvanhambelgium
Mon Aug 24, 2020 6:50 pm
Forum: General
Topic: How to redirect all traffic to IPS
Replies: 7
Views: 472

Re: How to redirect all traffic to IPS

What mangle rule did you use ? What was the action ? If you use "route" know that it only works in the "pre-routing chain" Perhaps you should use the "mark-routing" action to mark these packets and process them with PBR (Policy Based Routing) ? Most experts here will probably ask you as a start to p...
by jvanhambelgium
Mon Aug 24, 2020 2:07 pm
Forum: General
Topic: Simple method remote router shutdown (using android and Wi-Fi)
Replies: 4
Views: 438

Re: Simple method remote router shutdown (using android and Wi-Fi)

Connect a power-plug (Zwave/Zigbee/Wifi) between router and outlet on the wall. Note this is not really a "clean" shutdown ;-) Not sure if that could be problem. It would more be in a panic/kill-switch situation. This is also the only way to ACTIVATE the router again. If you choose "shutdown" you ca...
by jvanhambelgium
Sun Aug 23, 2020 1:33 pm
Forum: Beginner Basics
Topic: Basic NAT from outside not working
Replies: 5
Views: 1186

Re: Basic NAT from outside not working

It seems your connection is processed by some CGNAT (Carrier Grade NAT) from the operator/provider. If so, you will never be able to have any inbound mappings like you try. You need a PUBLIC address on any of your interfaces, but I don't see that. 10.2.x.x IP's on your LTE-interface are not public I...
by jvanhambelgium
Fri Aug 21, 2020 11:31 am
Forum: Beginner Basics
Topic: Remote Management Access using Public IP
Replies: 11
Views: 1171

Re: Remote Management Access using Public IP

1) IP whitelisting provides limited security. Your ISP and any 3rd party in between your SRC and DST is in full control over data going through and can simulate connection with a fake IP. 2) Nonstandard port provides also very limited security. Technically, it is a "security through obscurity" and ...
by jvanhambelgium
Fri Aug 14, 2020 2:29 pm
Forum: General
Topic: IPSEC Monitoring traffic
Replies: 2
Views: 766

Re: IPSEC Monitoring traffic

If you would have a "VPN" towards Azure this would not be an option. (I think, things evolve of course but...) Only IPSEC/IKE2 supported as far as I know.
I'm running such an IPSEC connection into Azure (on my RB3011) but indeed it does not show as "an interface".
by jvanhambelgium
Mon Aug 03, 2020 6:17 pm
Forum: General
Topic: NetFlow. No longer showing NAT'd destination address - Something chnaged
Replies: 30
Views: 5497

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

You may simply sniff your Traffic Flow packets and check with WireShark if there are postNATSourceIPv4Address, postNATDestinationIPv4Address, postNAPTSourceTransportPort and postNAPTDestinationTransportPort fields. I've done this recently and can confirm v9 DOES have these fields populated. Captured...
by jvanhambelgium
Mon Aug 03, 2020 1:56 pm
Forum: General
Topic: WebFig UI sometimes incomplete
Replies: 4
Views: 858

Re: WebFig UI sometimes incomplete

Alright, I see. Thx! I'm mostly running on non-Windows machines, so WinBox is not a good option for me. Of course I use SSH, but once in a while WebFig UI is what I want to use. I guess the next release will be out in a few weeks, so hopefully that'll be fixed then. Winbox runs "fine" (does have so...
by jvanhambelgium
Mon Jul 27, 2020 10:21 pm
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 96
Views: 26306

Re: RB3011 port flopping - bad design

Later today I am going to upgrade back to 4.47 again ;-) and re-evaluate. Hello - any results? How does it work now after the upgrade to 4.47? Nope, I'm running 4.46.6 "testing release" for quite some time now (25 days), "hardly" any portflaps anymore. Not completely free of flaps, but difficult to...
by jvanhambelgium
Thu Jul 23, 2020 8:21 am
Forum: Beginner Basics
Topic: Should Proxy-Arp be enabled on bridges or interfaces?
Replies: 2
Views: 649

Re: Should Proxy-Arp be enabled on bridges or interfaces?

Nope normally you do not enable this, but what does your whole network look like ? You have S2S VPN's attached ? Incoming VPN-clients ? Other lines attached to the Mikrotik ? Or just a classic "LAN" with some bridges & VLAN's ? As per wiki, it is a technique by which a proxy device on a given network...
by jvanhambelgium
Wed Jul 22, 2020 9:32 am
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved
Replies: 362
Views: 143350

Re: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved

Would it be possible to allow more than 20 characters on a firewall-rule index in Splunk ?? Increase it to 25 or so ?
For some rules in Splunk where my label exceeds 20 chars, I get :

too_long_Prefix_max_20_characters


Especially some custom NAT/Portknock rules that contain a somewhat larger label..
by jvanhambelgium
Sun Jul 19, 2020 2:27 pm
Forum: General
Topic: help locating/identifying unknown Mikrotik device
Replies: 5
Views: 1317

Re: help locating/identifying unknown Mikrotik device

Don't waste your time too much on things like trying to login or using some fancy tools. Do like was suggested earlier : log on to your (hopefully) managed LAN-switches and simply locate the physical ports this Mikrotik MAC is seen (if you use VLAN's trace it further down to the access-switch where ...
by jvanhambelgium
Fri Jul 17, 2020 10:37 am
Forum: Wireless Networking
Topic: Mikrotik Opinions
Replies: 9
Views: 2313

Re: Mikrotik Opinions

Our worst nightmare is that Cisco or someone finally gets tired of the competition and buys them. Cisco would not have any interest in Mikrotik. Compared to the current generation of Cisco hardware & software, Mikrotik are prosumer toys. (but with a very attractive pricing so they do have thei...
by jvanhambelgium
Fri Jul 17, 2020 10:29 am
Forum: RouterOS v7 BETA
Topic: Traffic to blocked address still succeeds. Why? A bug?
Replies: 24
Views: 4875

Re: Traffic to blocked address still succeeds. Why? A bug?

Force the DNS resolver to a server you have under control and null the blocked domains out there. I'm pretty sure the smart android clients in the very near future then revert to some DoH lookup mechanism if they feel something is "off", go out on the Internet on port 443 and still perform the look...
by jvanhambelgium
Fri Jul 17, 2020 9:05 am
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved
Replies: 362
Views: 143350

Re: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved

Yes I'm using the official splunk image with internal syslog stored on local volume (I'm using Docker on my Synology NAS). With "internal syslog" you mean the Synology syslog. In the Splunk container I do not see a syslog. You don't need to "look" for any Syslog in Splunk. Syslog is just 1 of many ...
by jvanhambelgium
Fri Jul 17, 2020 12:25 am
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved
Replies: 362
Views: 143350

Re: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved

Jotne,
Did you spend some time in looking on the Netflow story with Splunk ? Possible integration into your current application/set of dashboards ?
by jvanhambelgium
Wed Jul 15, 2020 11:25 am
Forum: Beginner Basics
Topic: Setup suggestion (multiple goups interconected and standalone)
Replies: 3
Views: 710

Re: Setup suggestion (multiple goups interconected and standalone)

Hi, thanks for reply unfortunately we need the routers there as each robot has its special needs, also we need DHCP, so people can connect notebooks to the robot network without setting up fixed address etc. Interesting ; can you elaborate what "special needs" have to do with using routers ? The DH...
by jvanhambelgium
Tue Jul 14, 2020 7:36 pm
Forum: General
Topic: Stealth port scanning protection
Replies: 13
Views: 2315

Re: Stealth port scanning protection

So my question is simple! How much better performance (positive impact) is 'created' with port scanning rules VICE simply DROP ALL ELSE at end of input chain and forward chain. Is it worth it?? (Plus if it is found to be of sufficient extra value, is it better to detect in input chain and drop in r...
by jvanhambelgium
Tue Jul 14, 2020 9:18 am
Forum: General
Topic: Stealth port scanning protection
Replies: 13
Views: 2315

Re: Stealth port scanning protection

@jvanhambelgium ... that's what I was trying to explain ... one has to be careful and understand things. If OP blindly applied your setting of DelayThreshold=12h without knowing background of you extensively tweaking other FW settings things might bite him mightily.
8) :D
by jvanhambelgium
Tue Jul 14, 2020 9:07 am
Forum: General
Topic: Stealth port scanning protection
Replies: 13
Views: 2315

Re: Stealth port scanning protection

My "DelayThreshold" is even set to a whopping 12 hours. So basically anyone probing my WAN-IP from the same IP on ports not related to DNAT etc within a 12h time-span are registered. I have a constant 450-500 IP's on that list which remains quite stable. In this case you have to be careful with ord...
by jvanhambelgium
Tue Jul 14, 2020 8:41 am
Forum: General
Topic: Stealth port scanning protection
Replies: 13
Views: 2315

Re: Stealth port scanning protection

My "DelayThreshold" is even set to a whopping 12 hours. So basically anyone probing my WAN-IP from the same IP on ports not related to DNAT etc within a 12h time-span are registered.
I have a constant 450-500 IP's on that list which remains quite stable.
by jvanhambelgium
Fri Jul 10, 2020 5:12 pm
Forum: RouterOS v7 BETA
Topic: Feature Request: firewall: besides remote IP:port log optionally also its hostname
Replies: 2
Views: 684

Re: Feature Request: firewall: besides remote IP:port log optionally also its hostname

I'm not sure if this should be done on the Mikrotik itself. Again wasting valuable cpu-cycles on this. If you have a large(r) infrastructure I don't think you are going to look at the logs through Winbox or Webfig but you are going to push these logs into something else (eg. Splunk) or some custom S...
by jvanhambelgium
Thu Jul 09, 2020 11:58 am
Forum: Beginner Basics
Topic: Setup suggestion (multiple goups interconected and standalone)
Replies: 3
Views: 710

Re: Setup suggestion (multiple goups interconected and standalone)

You don't even need a router for that ? A simple switch on each table would be fine, take a large IP-space that you split into some blocks for oversight. Cable all the switches on all tables to each other. If everything is connected with SWITCHES all "groups" can talk to each other and of course al...
by jvanhambelgium
Tue Jul 07, 2020 10:00 am
Forum: General
Topic: [OT] Which IPFIX collector on Debian ?
Replies: 3
Views: 713

Re: [OT] Which IPFIX collector on Debian ?

Correction : I *AM* using the Splunk Addon that processed the Netflow v5 data straight into Splunk. If you use the NFDUMP tools and write out CSV's (other possibilities exist also) then you have also quite some options. I've explored if my InfluxDB could be used, but the type of data is not really s...
by jvanhambelgium
Tue Jul 07, 2020 8:30 am
Forum: General
Topic: Performance Problem ?
Replies: 4
Views: 924

Re: Performance Problem ?

You are probably dropping out of the "fastpath" ? Due to your PCC/Mangle rules, so performance will take a huge hit. And something with fragmentation also I think? This device, when routing small 64byte packets with some queues & ip-filter rules etc only reaches 1.5Gbits/sec anymore...(see official t...
by jvanhambelgium
Mon Jul 06, 2020 12:17 pm
Forum: General
Topic: [OT] Which IPFIX collector on Debian ?
Replies: 3
Views: 713

Re: [OT] Which IPFIX collector on Debian ?

Hi, I've learned that the v9 & IPFIX data produced by Mikrotik is not entirely correct when it comes to timestamps...(flow start/stop is always 1970-00-00) I've opened a ticket for this some weeks ago but never got any response. Currently I'm using Netflow v5 which seems to be working correctly. In ...
by jvanhambelgium
Sun Jul 05, 2020 9:52 am
Forum: Beginner Basics
Topic: Am I protected with this settings?
Replies: 34
Views: 5154

Re: Am I protected with this settings?

Yes, I see now, there is uPnP enabled in the application settings. But I also see that it is not enabled on the router. Then disable uPNP in the application, set a range of ports and configure a DNAT (portforwarding) that matches this range. Eg in my case, on the INPUT-chain ; add action=dst-nat ch...
by jvanhambelgium
Sun Jul 05, 2020 9:00 am
Forum: Beginner Basics
Topic: Am I protected with this settings?
Replies: 34
Views: 5154

Re: Am I protected with this settings?

Also, I see many packets for Bittorrent 6881 port, in the log file, that are dropped, both UDP and TCP. Could the firewall be too restrictive? I have no port-forwarding set-up for the Bittorrent port. You have uPNP enabled ? (you should NOT btw) Because then your application might punch holes in th...
by jvanhambelgium
Sat Jul 04, 2020 10:48 pm
Forum: Beginner Basics
Topic: Am I protected with this settings?
Replies: 34
Views: 5154

Re: Am I protected with this settings?

How do I enable the firewall? By adding the rules stated here? https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router#Firewall /ip firewall filter add action=accept chain=input comment="default configuration" connection-state=established,related add action=accept chain=input src-address-list=al...
by jvanhambelgium
Sat Jul 04, 2020 10:40 pm
Forum: Beginner Basics
Topic: Am I protected with this settings?
Replies: 34
Views: 5154

Re: Am I protected with this settings?

I want to understand how my config made my router vulnerable. Can you give an example? Certain RouterOS versions had really some flaws in them in the sense that IF you ever exposed the management interfaces externally (eg. http/https) your device could be hacked! No login needed ;-) I was under ...
by jvanhambelgium
Sat Jul 04, 2020 1:09 pm
Forum: Beginner Basics
Topic: Am I protected with this settings?
Replies: 34
Views: 5154

Re: Am I protected with this settings?

NO! Show your firewall setup first. And follow these instructions: https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router I do not agree with you. All services are disabled, the Winbox is running but protected with ACL 10/8 To protect THE ROUTER, this is already pretty good. Even if you do not ...
by jvanhambelgium
Tue Jun 30, 2020 7:55 am
Forum: Scripting
Topic: IP cloud public address into variable
Replies: 3
Views: 780

Re: IP cloud public address into variable

Hi, RTFM I guess, use-local-address (yes | no; Default: no) By default, the DNS name will be assigned to the detected public address (from the UDP packet header). If you wish to send your "local" or "internal" IP address, then set this to yes So no, you don't want to enable this feature if you inten...
by jvanhambelgium
Mon Jun 29, 2020 9:41 am
Forum: Scripting
Topic: How to get SrcIP address from PPTP Auth failure log?
Replies: 4
Views: 2600

Re: How to get SrcIP address from PPTP Auth failure log?

Is there a certain "pattern" in the source IP's of the failed attempts ? You could try to get these IP's on an access-list if they set up more than 3x / minute to the VPN service. Each of these IP's will go through the SYN - SYN ACK - ACK TCP-setup states, so you could "watch" for incoming "SYN" packets an...
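The idea in the post above, detecting sources that fail PPTP authentication more than N times within a minute and feeding them to an address-list, as an added example that is not part of the original thread. The log lines are constructed for the example and only approximate the RouterOS PPTP failure message, so the regular expression is an assumption to adjust to what your router actually logs; the list name "pptp_bruteforce", the one-day timeout and the year used to complete the year-less RouterOS timestamps are assumptions as well.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of RouterOS log lines (not a real capture). The exact wording of the
# PPTP failure message is an assumption; adjust PATTERN to match what your router logs.
SAMPLE_LOG = """\
jun/29 09:40:01 pptp,ppp,error <203.0.113.5>: user admin authentication failed
jun/29 09:40:10 pptp,ppp,error <203.0.113.5>: user root authentication failed
jun/29 09:40:25 pptp,ppp,error <203.0.113.5>: user vpn authentication failed
jun/29 09:40:40 pptp,ppp,error <203.0.113.5>: user test authentication failed
jun/29 09:41:00 pptp,ppp,error <198.51.100.7>: user alice authentication failed
jun/29 09:41:05 system,info device changed by admin
jun/29 09:43:00 pptp,ppp,error <198.51.100.7>: user alice authentication failed
jun/29 09:45:00 pptp,ppp,error <198.51.100.7>: user alice authentication failed
jun/29 09:50:00 pptp,ppp,error <203.0.113.9>: user bob authentication failed
jun/29 09:50:20 pptp,ppp,error <203.0.113.9>: user bob authentication failed
jun/29 09:50:40 pptp,ppp,error <203.0.113.9>: user bob authentication failed
"""

PATTERN = re.compile(
    r"^(?P<ts>[a-z]{3}/\d{2} \d{2}:\d{2}:\d{2}) pptp,ppp,error "
    r"<(?P<ip>\d{1,3}(?:\.\d{1,3}){3})>: user (?P<user>\S+) authentication failed$"
)

LOG_YEAR = 2020  # RouterOS log timestamps carry no year; assumed here for parsing


def parse_failures(text, year=LOG_YEAR):
    """Yield (timestamp, source_ip, username) for every PPTP auth failure line."""
    for line in text.splitlines():
        m = PATTERN.match(line.strip())
        if not m:
            continue  # other log topics are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b/%d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def offenders(events, limit=3, window=timedelta(minutes=1)):
    """Return {ip: time_first_exceeded} for sources with more than `limit` failures
    inside any trailing `window` (a 4th failure within a minute trips the default)."""
    recent = defaultdict(list)
    flagged = {}
    for ts, ip, _user in sorted(events):
        bucket = recent[ip]
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:  # drop timestamps that fell out of the window
            bucket.pop(0)
        if len(bucket) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged


def address_list_commands(ips, list_name="pptp_bruteforce", timeout="1d"):
    """Build the RouterOS address-list entries you would push back to the router."""
    return [
        f"/ip firewall address-list add list={list_name} address={ip} timeout={timeout}"
        for ip in sorted(ips)
    ]


if __name__ == "__main__":
    hits = offenders(parse_failures(SAMPLE_LOG))
    for ip, when in hits.items():
        print(f"{ip} exceeded the limit at {when:%H:%M:%S}")
    print("\n".join(address_list_commands(hits)))
```

With the sample above only 203.0.113.5 is flagged: 198.51.100.7 spreads its attempts over several minutes and 203.0.113.9 stays at exactly three, which is why the check is "more than" rather than "at least". Drop a filter rule that matches src-address-list=pptp_bruteforce in front of the PPTP accept rule and the timeout on the entry does the cleanup for you.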
by jvanhambelgium
Fri Jun 26, 2020 4:19 pm
Forum: Beginner Basics
Topic: Bridge between 1G and 10G internal subnets [SOLVED]
Replies: 8
Views: 1896

Re: Bridge between 1G and 10G internal subnets [SOLVED]

>I have a simple home 1G network where I've recently added some 10G NICs to two hosts in addition to their existing 1G and wifi. All my original 1G addresses work in the 192.168.10.x range via >DHCP. The internet gateway is 192.168.10.254. >After adding the 10G cards to two hosts, I've added a Mikro...
by jvanhambelgium
Fri Jun 26, 2020 12:18 pm
Forum: General
Topic: Recommendations for campus network with over 6000 users. Can CCR1072 handle this?
Replies: 1
Views: 362

Re: Recommendations for campus network with over 6000 users. Can CCR1072 handle this?

What is the design of the network? Topology etc. Specific features you are looking for ? Closed network ? 802.1X needed etc,etc. 6000 users really doesn't mean anything. You have large server-farms in scope pushing a lot data ? Sure the 1072 is a beast with plenty of 10Gbits/sec ports. I think you c...
by jvanhambelgium
Fri Jun 26, 2020 9:56 am
Forum: Beginner Basics
Topic: Bridge between 1G and 10G internal subnets [SOLVED]
Replies: 8
Views: 1896

Re: Bridge between 1G and 10G internal subnets [SOLVED]

Be aware the performance will be *terrible* if you even consider ROUTING/BRIDGING between the 1G <> 10G subnet. Your total performance in the best case will only be slightly more than 1G, so I don't understand why you even bother plugging 10G interfaces on the "server" side. This product is a SWITCH...
by jvanhambelgium
Fri Jun 26, 2020 8:33 am
Forum: Beginner Basics
Topic: From in to out
Replies: 1
Views: 424

Re: From in to out

Your Winbox machine is in the same IP-network as your SMTP host ? If so, you need some rules for "Hairpin NAT" or "NAT Loopback" . Search this on the forum and you will have many many examples. Hairpin is required if you try to reach INTERNAL hosts by calling your PUBLIC-IP on the router when sour...
by jvanhambelgium
Wed Jun 24, 2020 5:54 pm
Forum: General
Topic: how to setting cloudflare IPv6 mikrotik ? [SOLVED]
Replies: 4
Views: 1562

Re: how to setting cloudflare IPv6 mikrotik ? [SOLVED]

You don't need any special settings. Make sure you are running IPv6 correctly and get something assigned by your ISP and then it will publish your IPv6 public too. At least, I did not do anything "special" for IPv6. It just works. EDIT : Cloudflare ?? What are you talking about ? DDNS ? Or DNS-servi...
by jvanhambelgium
Tue Jun 23, 2020 7:52 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved
Replies: 362
Views: 143350

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

It's clear that the 2 Github examples of dashboard have some errors in them. Example the one with a pie-graph "Top Destination IP's" I see a large chunk that has MY own public IP address which does not make sense and this is because of NAT and just returning traffic. Sure the "dest_ip" field in the p...
by jvanhambelgium
Tue Jun 23, 2020 6:53 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved
Replies: 362
Views: 143350

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

What you can see with Netflow is how much traffic is going in or out and from what IP to what IP. Ports however are not solvable. I would not say that, in a previous project we had a globally deployed Riverbed solution with a very large Netflow collector appliance (taking in millions of flows per day f...
by jvanhambelgium
Tue Jun 23, 2020 6:49 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved
Replies: 362
Views: 143350

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

After talking more than one hour with a super specialist in Netflow, I do start to get the grip on how things work. There is no way you can see in Netflow packets if it is traffic returning from a session started inside or if it is something from outside starting to send in data. You can look at por...
by jvanhambelgium
Tue Jun 23, 2020 9:55 am
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved
Replies: 362
Views: 143350

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

I've posted on Splunk community this question on the NAT-fields and why they are not per-direct usable as fields in Splunk ... hopefully ... In the mean time, it seems the approach below is a good reference to what is coming IN and what is going OUT First of all, I've limited "Netflow" currently onl...
by jvanhambelgium
Mon Jun 22, 2020 11:20 am
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved
Replies: 362
Views: 143350

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

I've taken Wireshark captures of both IPFIX & v9 streams, starting with the exchange of the templates etc describing all the fields. I have the impression that the Splunk Stream does not utilize ALL available "fields". I'm going to see if the "dictionary" contains these fields. Probably you can "add...
by jvanhambelgium
Mon Jun 22, 2020 12:13 am
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved
Replies: 362
Views: 143350

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

Maybe this should be an add on module for the MikroTik app since it would involve lots of extra stuff. Using wan IP as a trigger is not good enough, since this will change for many user and then you need to have some sort of auto update. But after looking at input_snmpidx and output_snmpidx (input/...
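The two points made in the posts above (a "top destination IP" chart dominated by your own public address because returning traffic is counted, and input/output SNMP interface index as the reliable way to tell IN from OUT), as an added example that is not part of the original thread. It builds a NetFlow v5 export from constructed flow records, parses it back with Python's struct module, and classifies every flow by interface index instead of by address. The flows, the public address 203.0.113.1 and the assumption that the WAN interface has SNMP ifindex 1 (ifindex 2 and 3 being LAN) are all made up for the example; in a real export the addresses are whatever your router's NAT placement produces, so check which side of NAT your router exports on.

```python
import socket
import struct

# NetFlow v5 wire format: 24-byte header followed by 48-byte records, big-endian.
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")

WAN_IFINDEX = 1             # assumption: ether1 (WAN) is SNMP ifindex 1 on the exporting router
PUBLIC_IP = "203.0.113.1"   # assumption: the router's WAN address

# Constructed flows (not a real export) as a NAT router tends to report them:
# outbound flows still carry the LAN source, returning flows carry the public IP as destination.
SAMPLE_FLOWS = [
    {"src": "192.168.88.10", "sport": 51000, "dst": "93.184.216.34", "dport": 443, "proto": 6,
     "input": 2, "output": 1, "packets": 40, "bytes": 5000},      # LAN client -> Internet
    {"src": "93.184.216.34", "sport": 443, "dst": PUBLIC_IP, "dport": 51000, "proto": 6,
     "input": 1, "output": 2, "packets": 60, "bytes": 80000},     # reply half of the same session
    {"src": "198.51.100.23", "sport": 40000, "dst": PUBLIC_IP, "dport": 22, "proto": 6,
     "input": 1, "output": 0, "packets": 1, "bytes": 60},         # unsolicited probe, dropped (output 0)
    {"src": "192.168.88.10", "sport": 445, "dst": "192.168.20.5", "dport": 445, "proto": 6,
     "input": 2, "output": 3, "packets": 100, "bytes": 12000},    # LAN to LAN, never touches WAN
]


def build_v5_packet(flows, uptime_ms=120_000, unix_secs=1_592_777_600, seq=0):
    """Serialise the constructed flows as a NetFlow v5 datagram (test data only)."""
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), b"\0\0\0\0",
            f["input"], f["output"], f["packets"], f["bytes"],
            uptime_ms - 5000, uptime_ms - 1000,        # first/last seen, in ms of sysuptime
            f["sport"], f["dport"], 0, 0x18, f["proto"], 0,
            0, 0, 24, 24, 0)
        for f in flows)
    return header + body


def parse_v5(data):
    """Decode a v5 datagram into (header dict, list of record dicts); refuses other versions."""
    ver, count, uptime, secs, _nsecs, seq, _etype, _eid, _sampling = V5_HEADER.unpack_from(data, 0)
    if ver != 5:
        raise ValueError(f"not NetFlow v5 (version {ver})")
    if len(data) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated export: header count exceeds payload")
    records = []
    for i in range(count):
        fields = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        (src, dst, _nh, inp, out, pkts, octets, first, last,
         sport, dport, _pad, flags, proto, _tos, _sas, _das, _sm, _dm, _pad2) = fields
        records.append({
            "src": socket.inet_ntoa(src), "sport": sport,
            "dst": socket.inet_ntoa(dst), "dport": dport, "proto": proto,
            "input": inp, "output": out, "packets": pkts, "bytes": octets,
            "start": secs - (uptime - first) / 1000.0,   # v5 carries absolute time only in the header
            "end": secs - (uptime - last) / 1000.0,
            "tcp_flags": flags,
        })
    return {"uptime_ms": uptime, "unix_secs": secs, "sequence": seq}, records


def direction(rec, wan_ifindex=WAN_IFINDEX):
    """Classify by interface index, which NAT does not rewrite."""
    if rec["input"] == wan_ifindex:
        return "in"
    if rec["output"] == wan_ifindex:
        return "out"
    return "internal"


def bytes_by_direction(records, wan_ifindex=WAN_IFINDEX):
    totals = {"in": 0, "out": 0, "internal": 0}
    for r in records:
        totals[direction(r, wan_ifindex)] += r["bytes"]
    return totals


def naive_top_destinations(records):
    """What a dashboard keyed on dst_ip alone shows: the router's own public IP comes out on top."""
    counts = {}
    for r in records:
        counts[r["dst"]] = counts.get(r["dst"], 0) + r["bytes"]
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


PACKET = build_v5_packet(SAMPLE_FLOWS)

if __name__ == "__main__":
    header, recs = parse_v5(PACKET)
    for r in recs:
        print(f'{direction(r):8s} {r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} {r["bytes"]} B')
    print("by direction:", bytes_by_direction(recs))
    print("naive top dst:", naive_top_destinations(recs))
```

The naive ranking puts 203.0.113.1 first with the bytes of the reply half of an outbound session plus one dropped probe lumped together, which is exactly the misleading pie chart described above; grouping by ifindex separates the 80 kB of returning traffic from the 60 bytes of unsolicited inbound. The same split works for v9/IPFIX as long as the template exports the ingress/egress interface elements.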
by jvanhambelgium
Sun Jun 21, 2020 11:36 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved
Replies: 362
Views: 143350

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

in bytes and out bytes shows the same data, just renamed name :) On the dashboard/XML I posted ? Because I did that , since there is no "bytes_out" I simply put for temporary the same "bytes_in" also ;-) So indeed solid grouping must be done to clearly identify what is IN and what is OUT. Also some f...
by jvanhambelgium
Sun Jun 21, 2020 9:08 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved
Replies: 362
Views: 143350

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

For anyone that wants to give a crack at it, see below the links to the XML templates that make up these dashboards in Splunk. http://vanham-franck.be/pics/splunk/splunkflowtemplate1.xml http://vanham-franck.be/pics/splunk/splunkflowtemplate2.xml PS : Perhaps now is good time to file another bug wit...
by jvanhambelgium
Sun Jun 21, 2020 8:46 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved
Replies: 362
Views: 143350

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

In the meantime I searched some already existing dashboards and got some hits on Github. I adapted the XML since my netflow is not sitting in the main-index and some of the names of the fields were different. etc.etc However , there are some issues. In 1 of these dashboard the field "bytes_out" is ...
by jvanhambelgium
Sun Jun 21, 2020 6:13 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved
Replies: 362
Views: 143350

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

Have not had time to look at much yet, but it looks somewhat complicated to set up. It has too many possibilities, not sure if the saved format is ok. I would like a small program that listens for netflow and saves them one line at a time. Then Splunk can index it. System we have today with just sendin...
by jvanhambelgium
Sun Jun 21, 2020 2:24 pm
Forum: General
Topic: allow NAT not to ip but to mac?
Replies: 10
Views: 2056

Re: allow NAT not to ip but to mac?

I will explain my "problem" I have a camera 10.0.0.105 connected to mikrotik router with public ip x.x.x.x on port 8081 now , everybody who will try to enter the x.x.x.x:8081 will see the camera login page I want to limit the transfer to "allowed" mac address in the same network it has no meaning be...
by jvanhambelgium
Sun Jun 21, 2020 11:22 am
Forum: Useful user articles
Topic: Is there a reasone why I cannot send private messages ?
Replies: 4
Views: 817

Re: Is there a reasone why I cannot send private messages ?

Recipient mailbox full?

Do not accept new messages (New messages will be held back until enough space is available)
Possibly indeed ... thx for the info.
It can't be that hard for forum software to just tell me this ;-) but it seems this feature is not present.
by jvanhambelgium
Sun Jun 21, 2020 10:31 am
Forum: General
Topic: allow NAT not to ip but to mac?
Replies: 10
Views: 2056

Re: allow NAT not to ip but to mac?

I don't understand the use-case. The Mikrotik has to know the IP-address of your phone anyway in order to communicate with it...
Just make sure with DHCP you give the phone always the same IP and you're done.
by jvanhambelgium
Sun Jun 21, 2020 10:00 am
Forum: Useful user articles
Topic: Is there a reasone why I cannot send private messages ?
Replies: 4
Views: 817

Is there a reasone why I cannot send private messages ?

Hi,
Don't really know where to place this, but why can't I transmit a private message to a fellow user ??
It keeps stuck in the "Outbox" ?
I don't really see a link"contact board administrators" or something.
by jvanhambelgium
Sat Jun 20, 2020 5:46 pm
Forum: General
Topic: ICMP requests from internet to WAN IP
Replies: 5
Views: 1380

Re: ICMP requests from internet to WAN IP

Typical "ping" indeed. This is only "noise" and you should not worry.
Sure you could filter them out, it might prevent the other side(s) to "probe" more ports if they find out your router replies to ping.

I have thousands and thousands on a daily basis...
by jvanhambelgium
Fri Jun 19, 2020 9:33 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved
Replies: 362
Views: 143350

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

Do you have experience with the "Splunk Stream" (app) ?? https://splunkbase.splunk.com/app/1809/ This could natively ingest & decode Netflow ""Capture Flow-type records, including NetFlow v5, v9, jFlow, and sFlow, and IPFIX, and send Flow Records directly into your Indexers, with optional filtering ...
by jvanhambelgium
Fri Jun 19, 2020 9:04 am
Forum: Beginner Basics
Topic: block Imo, Whatsapp, Viber in Mikrotik router
Replies: 3
Views: 1024

Re: block Imo, Whatsapp, Viber in Mikrotik router

True to some extent, if the endpoint (PC or mobile) is not controlled in any way by some IT-policies in a corporate environment. If this question is for public users (eg. topicstarter is an ISP) yeah then forget about my DNS proposal ;-) because that's not going to work. The main conclusion is that ...
by jvanhambelgium
Fri Jun 19, 2020 8:12 am
Forum: Beginner Basics
Topic: block Imo, Whatsapp, Viber in Mikrotik router
Replies: 3
Views: 1024

Re: block Imo, Whatsapp, Viber in Mikrotik router

Hi, As I said in another topic, this is going to be very difficult with a Mikrotik product. (other advanced FW/UTM products might detect "signatures" on this traffic identifying them more precise!) For "Whatsapp" there you may want to read : https://forum.mikrotik.com/viewtopic.php?t=75263 However, ...
by jvanhambelgium
Thu Jun 18, 2020 6:43 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved
Replies: 362
Views: 143350

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

Did you ever considered extending your (already) very nice dashboard(s) with some NETFLOW information to gain more insights in the traffic + protocol distribution. (bit like the "accounting" section on your dashboard, but with more info) I'm currently playing around with the PMACCT-packages and writ...
by jvanhambelgium
Thu Jun 18, 2020 12:26 pm
Forum: General
Topic: Firewall Rules issue.
Replies: 2
Views: 564

Re: Firewall Rules issue.

It is not going to be very straightforward, but you might look at : https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2#bkmk_lyo Here you have the cur...
by jvanhambelgium
Thu Jun 18, 2020 11:14 am
Forum: General
Topic: Adding dynamic firewall rules to mikrotik - Suricata - Axiom Shield
Replies: 9
Views: 1569

Re: Adding dynamic firewall rules to mikrotik - Suricata - Axiom Shield

Hmm..MT is absolutely not a "next-generation" player in the firewall area...filtering at L7 is getting more & more useless and kills the performance of these units. My MikroTik has a firewall? Yes! Mikrotik’s firewall capabilities outperform some of the most expensive and elaborate firewall solution...
by jvanhambelgium
Wed Jun 17, 2020 2:13 pm
Forum: General
Topic: Netflow (IPFIX) issue
Replies: 6
Views: 964

Re: Netflow (IPFIX) issue

Interesting! Thanks for sharing. I will give it a try here on my environment.
by jvanhambelgium
Wed Jun 17, 2020 1:22 pm
Forum: General
Topic: Ping from LAN to AP on hotspot network
Replies: 3
Views: 461

Re: Ping from LAN to AP on hotspot network

There is currently an interface to the corporate LAN 10.0.0.0/23 but currently this is purely a management interface only for the Mikrotik. We still don't want the corporate and hotspot AP network connected other than pings Well then it is just a matter of routing + firewall-filter ? I don't see any...
by jvanhambelgium
Wed Jun 17, 2020 12:37 pm
Forum: General
Topic: Ping from LAN to AP on hotspot network
Replies: 3
Views: 461

Re: Ping from LAN to AP on hotspot network

How is your hotspot network (with the AP's) "connected" to the corporate RB3011 ? Or is there NO connection at all today and is this hotspot network a remote "island" somewhere... Perhaps a simple VPN-tunnel would be solution (eg. across Internet) and then you can decide what traffic you allow throu...
by jvanhambelgium
Wed Jun 17, 2020 11:32 am
Forum: General
Topic: Netflow (IPFIX) issue
Replies: 6
Views: 964

Re: Netflow (IPFIX) issue

Slightly offtopic but which Netflow platform do you use ? Something commercial or opensource ?
I've been playing some days ago with Netflow/IPFIX on my RB3011.
by jvanhambelgium
Wed Jun 17, 2020 7:24 am
Forum: General
Topic: IP Cloud
Replies: 64
Views: 27232

Re: IP Cloud

Sure it works. Do NOT enable the "use-local-address" as the result will be that not your public IP is pushed to the cloud-DNS service but your private/internal one. Not very useful. [user@gateway] > /ip cloud print ddns-enabled: yes ddns-update-interval: none update-time: yes public-address: my.publ...
by jvanhambelgium
Wed Jun 17, 2020 12:00 am
Forum: General
Topic: Can't Connect to Ubiquiti AP Pro
Replies: 6
Views: 1218

Re: Can't Connect to Ubiquiti AP Pro

Please provide a conceptual schematic where we can see the position of the Mikrotik <> other attached LAN-switches. Are you using VLAN's , trunk-interfaces etc ? If you are running a flat network (VLAN's) then it is hard to believe the AP Pro would not get an IP via DHCP while another device on a sw...
by jvanhambelgium
Tue Jun 16, 2020 4:06 pm
Forum: General
Topic: Can't Connect to Ubiquiti AP Pro
Replies: 6
Views: 1218

Re: Can't Connect to Ubiquiti AP Pro

If your AP cannot obtain an IP through DHCP (=the default) then it will revert to a fixed IP of 192.168.1.20. So this means your Mikrotik is not handing out anything to the Pro AP Is this environment doing VLAN stuff ? Or a flat network ? If you put something else then the Pro AP in the switch-port,...
by jvanhambelgium
Mon Jun 15, 2020 8:05 am
Forum: General
Topic: Core switch or RB4011? [SOLVED]
Replies: 5
Views: 1480

Re: Core switch or RB4011? [SOLVED]

Sorry, I forgot to answer your question, no it's at home but have outbuildings and garden wired in cat 6, have over 30 IP cams and a couple of workstations, NAS unraid, T320, 5 gaming consoles, 4 laptops, tablets where ever I look, 7 TV's, 4 PC's, Video editing workstation and DAW so can get a bit ...
by jvanhambelgium
Mon Jun 15, 2020 12:20 am
Forum: General
Topic: Block ICMP tunnel - best practice
Replies: 5
Views: 951

Re: Block ICMP tunnel - best practice

Yeah that seems like a nice solution actually. That would really minimize the use case of using a tunnel if you can hardly "leak" any data through it.
by jvanhambelgium
Sun Jun 14, 2020 9:33 pm
Forum: General
Topic: Block ICMP tunnel - best practice
Replies: 5
Views: 951

Re: Block ICMP tunnel - best practice

Well, I think ICMP tunnels mainly use the Echo (type 8) / Echo Reply (type 0) so I guess you simply need to block that. There is not much else you can do. I don't think you want to go building L7 firewall rules which look into the packets ... It will kill performance anyway. Block all ICMP altogethe...
by jvanhambelgium
Sun Jun 14, 2020 6:16 pm
Forum: Beginner Basics
Topic: Help separating vlans for iot and smart-tvs ?
Replies: 10
Views: 1901

Re: Help separating vlans for iot and smart-tvs ?

Doesn't this introduce bridges between the various networks which can potentially become security holes ? Lars Potentially/theoretically yes. You are in effect "short cutting" your firewall. So you must manage the firewall on the Synology NAS to really restrict it to only the required traffic. So y...
by jvanhambelgium
Sun Jun 14, 2020 9:48 am
Forum: General
Topic: Core switch or RB4011? [SOLVED]
Replies: 5
Views: 1480

Re: Core switch or RB4011? [SOLVED]

Is this an office environment ? You have an idea on the traffic-levels of your current coreswitch ? Obviously if you make the RB4011 "coreswitch" it will be seeing a lot of ethernet-traffic between the several downstream switches apart from handling the 1Gbps PPPoE + some firewall + VPN The RB is in...
by jvanhambelgium
Sat Jun 13, 2020 6:44 pm
Forum: Beginner Basics
Topic: How to measure and improve RouterBOARD performances when connected to a FTTH ISP ?
Replies: 2
Views: 502

Re: How to measure and improve RouterBOARD performances when connected to a FTTH ISP ?

The CRS is a good SWITCH (Layer2) with some routing capabilities, but for sure not a powerful one! Basically you need ROUTING from/to your ISP in order to fully use the 500Mbps WAN and also additional NAT/Firewall-rules. Then the performance of the single-core box drops rapidly. See the "performanc...
by jvanhambelgium
Fri Jun 12, 2020 8:33 pm
Forum: RouterOS v7 BETA
Topic: v7.0beta8 [development] is released!
Replies: 180
Views: 66035

Re: v7.0beta8 [development] is released!

What do I use then to get traffic data from each client that I do use in Splunk for MikroTik? NetFlow is an obvious choice for that kind of data. So far I've not been able to find a free Netflow collector that actually works. I've tried dozens...almost got it working with ElasticFlow (https://www.c...
by jvanhambelgium
Fri Jun 12, 2020 2:42 pm
Forum: General
Topic: Hardware Upgrade
Replies: 4
Views: 783

Re: Hardware Upgrade

Indeed I think the only possible match within Mikrotik portfolio would be CRS354 > Use the 4 * 10Gbps for bonding towards each DC , like today give you a 40Gbits/s pipe (best case) > Use the 2 * QSFP+ with 40Gbps port to connect towards the other DC with similar CRS354 Now I don't know for caveats, ...
by jvanhambelgium
Fri Jun 12, 2020 2:25 pm
Forum: General
Topic: How to keep people from connecting PC instead of Access points or Cameras ?
Replies: 4
Views: 717

Re: How to keep people from connecting PC instead of Access points or Cameras ?

PVLAN's (Private VLAN, aka "Port Isolation") would also be something possible. In a PVLAN, there are mainly two types of ports : Promiscuous port (P-Port) and Host port and the Host port further divides in two types – Isolated port (I-Port) and Community port (C-port). Promiscuous port (P-Port): The...
by jvanhambelgium
Fri Jun 12, 2020 1:36 pm
Forum: General
Topic: How to keep people from connecting PC instead of Access points or Cameras ?
Replies: 4
Views: 717

Re: How to keep people from connecting PC instead of Access points or Cameras ?

802.1X is then the only way to go. But it depends on the sort of "endpoint" what capabilities are. If the endpoint has a supplicant you can work with username/password/certificates but for real dumb devices MAC "authentication" is a minimum. In *addition* to that, specific filtering indeed to cont...
by jvanhambelgium
Thu Jun 11, 2020 5:40 pm
Forum: General
Topic: nand writing counter on RB3011
Replies: 2
Views: 496

Re: nand writing counter on RB3011

Hello Mikrotik ? Can you elaborate on this ? The RB3011 also has NAND onboard so most likely also suffering from this ? I'm reading some ridiculously high write-cycle values here which for sure can shorten lifespan, but indeed on my RB3011 there seems no command to read it... I would like to know also...
by jvanhambelgium
Thu Jun 11, 2020 5:11 pm
Forum: Beginner Basics
Topic: Help separating vlans for iot and smart-tvs ?
Replies: 10
Views: 1901

Re: Help separating vlans for iot and smart-tvs ?

When using this VLAN separation, everything that uses stuff like mDNS, Bonjour (Apple) or multicast based service discovery will (probably) break. Mikrotik has no "relay" function for these protocols/services (eg. implementation of Avahi) across different VLAN's. That traffic with a TTL=1 was never ...
by jvanhambelgium
Wed Jun 10, 2020 11:23 pm
Forum: General
Topic: Forum giving ERROR 500 [SOLVED]
Replies: 17
Views: 2355

Re: Forum giving ERROR 500 [SOLVED]

The forum is probably running ForumOS 6.47 STABLE :lol:
by jvanhambelgium
Wed Jun 10, 2020 9:07 pm
Forum: General
Topic: UPDATE FIRMWARE [SOLVED]
Replies: 3
Views: 1037

Re: UPDATE FIRMWARE [SOLVED]

Friends, Every time a firmware update comes out in Mikrotik, is it recommended to do it to the RB? Another thing is what type of firmware is more advisable to update, stable or testing?. I would only use "stable" or "long term" for routers that you use in production. For each release, you can read ...
by jvanhambelgium
Wed Jun 10, 2020 10:26 am
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 96
Views: 26306

Re: RB3011 port flopping - bad design

This morning I've been hammering the "ether1" port which had a lot of flapping yesterday with traffic ... strangely enough while yesterday I have 15 flaps / hour today all seems rather silent... Currently I'm running 6.46.4 and I've disabled the flow-control with the command suggested by Mikrotik su...
by jvanhambelgium
Tue Jun 09, 2020 8:27 pm
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 96
Views: 26306

Re: RB3011 port flopping - bad design

Now I'm completely clueless ... even now the issues remain present ... so on 6.46.4 the flapping also occurs, although very limited so far.
Apparently I don't have enough data in my Splunk to go very far back in time to see when these messages first started to appear...
by jvanhambelgium
Tue Jun 09, 2020 7:34 pm
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 96
Views: 26306

Re: RB3011 port flopping - bad design

True, I've performed a downgrade back to where I came from at release 6.46.4 I had some annoying drops today between a linked switch causing glitching in video-conf calls etc. So let's evaluate how 6.46.4 does ..... and then perhaps upgrade step-by-step to 6.46.5 , then 6.46.6 etc to see where thi...
by jvanhambelgium
Tue Jun 09, 2020 9:29 am
Forum: Scripting
Topic: Add to Address List
Replies: 6
Views: 1044

Re: Add to Address List

...you can call it quick & dirty but you can also call it plainly insecure... Is this something to be deployed in the public Internet ? As a minimum, your website should parse the client-IP headers (eg. X-Forwarded-For, HTTP_Client_IP) and extract this IP address! Then your webserver/appserver shoul...
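Extracting the client address from X-Forwarded-For before it ever reaches an address-list, as an added example that is not part of the original thread. The security point is that the header is written by whoever connects, so only the hop appended by your own proxy is worth anything: walk the chain from the right, skip your own proxies, and stop at the first address that is not yours. The proxy addresses (192.0.2.10 and 10.10.0.0/24), the internal ranges and the sample requests are assumptions made up for the example; replace them with your real front-end addresses.

```python
import ipaddress

# Assumption: these are your own reverse proxies / load balancers that append to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32"), ipaddress.ip_network("10.10.0.0/24")]

# Assumption: your internal ranges; an entry for one of these on a WAN-side list locks you out.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header=None):
    """Return the real client address, or None when it cannot be established safely.

    remote_addr is the TCP peer the app server sees; xff_header is the raw X-Forwarded-For value.
    Hops are read right to left: the rightmost was appended by the last proxy, anything further
    left than the first untrusted hop came from the client and is never believed.
    """
    try:
        peer = ipaddress.ip_address(remote_addr.strip())
    except ValueError:
        return None
    if not _trusted(peer):
        return peer  # direct connection: whatever is in the header is attacker-supplied
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # garbage in the chain: refuse rather than guess
        if not _trusted(ip):
            return ip
    return None  # every hop was one of our own proxies; no client address was recorded


def listable(ip):
    """Only an address that cannot be you belongs on a WAN-side block list."""
    if ip is None or ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not _trusted(ip) and not any(ip in net for net in INTERNAL_NETS)


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For header) as the app server sees them.
    samples = [
        ("203.0.113.5", "10.0.0.1"),                    # direct client spoofing an internal address
        ("192.0.2.10", "198.51.100.9, 203.0.113.5"),    # via our proxy, client prepended a fake hop
        ("192.0.2.10", "203.0.113.5, 10.10.0.7"),       # two of our proxies in a row
        ("192.0.2.10", "203.0.113.5, not-an-ip"),       # tampered chain
    ]
    for peer, xff in samples:
        ip = client_ip(peer, xff)
        print(f"{peer:14s} XFF={xff!r:32s} -> client={ip} listable={listable(ip)}")
```

Whatever address the script settles on, let the web server only hand it to the router as a value, never as part of a command string, and keep the address-list entry on a timeout so a mistake expires on its own.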
by jvanhambelgium
Tue Jun 09, 2020 12:21 am
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 96
Views: 26306

Re: RB3011 port flopping - bad design

what was the config adoption? Id love to give it a try as well. I was asked to disable flow-control on the CPU and performed following on my 3011 /interface ethernet switch set 0 cpu-flow-control=no name="Switch 1" set 1 cpu-flow-control=no name="Switch 2" Although today it seems in general the amo...
by jvanhambelgium
Mon Jun 08, 2020 6:19 pm
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 96
Views: 26306

Re: RB3011 port flopping - bad design

I have one on my office "RouterBOARD 3011UiAS" from 9 Jul 2016, and is still working flawlessly (factory is 6.35.3, now have 6.44.6) Mine was working fine with 6.44.x too, but some days ago I moved to the latest 6.47 stable. Today I was asked by Mikrotik support to make some config-adaption on my R...
by jvanhambelgium
Mon Jun 08, 2020 9:19 am
Forum: General
Topic: unstable LAN
Replies: 7
Views: 969

Re: unstable LAN

Hmm, what a coincidence you are also running RB3011 ....
But even more strange you cannot find any such events happening (link down/up) in the logs. So perhaps it is something else...
When did you upgrade ? Was there also a problem before the upgrade?
by jvanhambelgium
Mon Jun 08, 2020 8:06 am
Forum: General
Topic: unstable LAN
Replies: 7
Views: 969

Re: unstable LAN

In the logs of the router, do you see any "link down" "link up" messages from ethernet ports lately ? Since the latest update to 6.47 stable, my RB3011 device is seeing certain ethernet ports flip / flop very regularly resulting in a missed "ping" here and there. At the moment I don't seem to "suff...
by jvanhambelgium
Sat Jun 06, 2020 1:41 pm
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 96
Views: 26306

Re: RB3011 port flopping - bad design

Nope, did not really fix it ;-)
I've seen some transitions again ... in the last hour.
by jvanhambelgium
Sat Jun 06, 2020 10:57 am
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 96
Views: 26306

Re: RB3011 port flopping - bad design

But if your config stays stable jvanhambelgium (since you had problems on fabric 1-5) it could be safe to assume the bug was reintroduced in 6.47? I think so, I've never seen this happening actually. I did run a couple of versions behind, so I went from 6.44 or something straight to 6.47 I'll be eva...
by jvanhambelgium
Sat Jun 06, 2020 10:46 am
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 96
Views: 26306

Re: RB3011 port flopping - bad design

I've grouped some ports together now, the first switch-module (1-5) now only has 1Gbits/s clients. At present no more transitions/flappings. Will evaluate over some time. The other port-group (6-10) now contains some 100Mbit/s but also still 1 client with 1Gbits/s link (= ISP modem). However I don't...
by jvanhambelgium
Sat Jun 06, 2020 10:10 am
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 96
Views: 26306

Re: RB3011 port flopping - bad design

Same here! Since upgrade to 6.47 on my RB3011. I've generated supout.rif and forwarded it to Mikrotik. In my case, it seems to be ports ether3 (1Gbit/s, Unify AP groundfloor) and ether5 (1Gbit/s, some D-LINK 8-port small switch connected on the other end on a floor) seeing transitions, but ether5 mu...
by jvanhambelgium
Sat Jun 06, 2020 9:40 am
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 96
Views: 26306

Re: RB3011 port flopping - bad design

Same here! Since upgrade to 6.47 on my RB3011. I've generated supout.rif and forwarded it to Mikrotik. In my case, it seems to be ports ether3 (1Gbit/s, Unify AP groundfloor) and ether5 (1Gbit/s, some D-LINK 8-port small switch connected on the other end on a floor) seeing transitions, but ether5 muc...
by jvanhambelgium
Sat Jun 06, 2020 12:13 am
Forum: General
Topic: Switch chip random resets RB3011 on 6.47?
Replies: 4
Views: 1105

Re: Switch chip random resets RB3011 on 6.47?

It is not problem in 6.47, but old problem... https://forum.mikrotik.com/viewtopic.php?f=3&t=128762&p=793927&hilit=port+flapping#p793927 I have never in several years encountered this on my RB3011 ! Now I'm seeing dozens of these flappings in the last hour or so, but I checked my Splunk and these m...
by jvanhambelgium
Fri Jun 05, 2020 11:08 pm
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 349
Views: 99115

Re: v6.47 [stable] is released!

Some issues start to appear also here on my RB3011 since my 6.47 upgrade, ethernet-ports are flapping down/up.
So far only port3 / port5 and although I upgraded already yesterday it only started just now...

I prepared a support-file and will deliver it to Mikrotik.
by jvanhambelgium
Fri Jun 05, 2020 10:56 pm
Forum: General
Topic: Switch chip random resets RB3011 on 6.47?
Replies: 4
Views: 1105

Re: Switch chip random resets RB3011 on 6.47?

Hi,
Yep I just noticed this too!
RB3011 on the latest 6.47

In my case, ports 3 & 5 are flapping like hell.
Port 3 has a Wireless AP connected, port 5 a simple L2-switch on the floor somewhere.

Time to open a ticket I guess. The first ever in many years of RB3011 utilisation ;-)
by jvanhambelgium
Fri Jun 05, 2020 5:50 pm
Forum: Beginner Basics
Topic: Firewall rule - block "upper network"
Replies: 5
Views: 1115

Re: Firewall rule - block "upper network"

Be careful with specifying 192.168.1.1 in here..remember this "upstream" router is your gateway out, NOT the final destination! So you do not need to really "address" it in your policy like this UNLESS you really WANT to make a connection to this router ? (eg. web-interface or something, you want to...
by jvanhambelgium
Fri Jun 05, 2020 4:38 pm
Forum: Beginner Basics
Topic: Local Port definition and Port Forwarding
Replies: 47
Views: 5941

Re: Local Port definition and Port Forwarding

If you rdp with the local address rather than the domain name do you experience latency? Yes, I'm talking about local address direct connection (between two computers on a same network range). So latency in the INITIAL RDP setup right ? Not a CONTINUOUS SLOW/DELAYED operation during a session ? Sme...
by jvanhambelgium
Thu Jun 04, 2020 8:47 pm
Forum: Beginner Basics
Topic: IPV6 in a first firewall [SOLVED]
Replies: 2
Views: 967

Re: IPV6 in a first firewall [SOLVED]

But I am not trying to build an IPV6 network, so I'm confused as to what needs to be in my first firewall or if I even need to address IPV6. Can an attacker use IPV6 against the router even though it has an IPV4 address? Do I need to leave an IPV6 door open in case the ISP ever decides to use IPV6?...
by jvanhambelgium
Thu Jun 04, 2020 5:09 pm
Forum: General
Topic: Filter to block incoming connections, blocks outgoing too [SOLVED]
Replies: 6
Views: 1119

Re: Filter to block incoming connections, blocks outgoing too [SOLVED]

You can't do it because RAW does not differentiate "forward" packets from "return" packets. Only connection state machine can do that. What about "accept" rule from LAN before the drop rule? It will help? No because in "raw" you can only provide a few "criteria" like source-IP (you cannot have TCP-...
by jvanhambelgium
Thu Jun 04, 2020 8:21 am
Forum: Beginner Basics
Topic: Expected Lease Behaviour
Replies: 3
Views: 584

Re: Expected Lease Behaviour

Is the pool in another VLAN, where the AppleTV does work smooth also a few IP's in size or exact the same approach ? You have like 1 bridge on which you have several vlan's ? Or are you running multiple dhcp-services ? I think 2 small packet capture would be interesting to compare : 1 x AppleTV on t...
by jvanhambelgium
Wed Jun 03, 2020 10:11 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved
Replies: 362
Views: 143350

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

In case you missed my edits ; I always believed I had to craft my pool "outside" the range I configure "static" for device. (which is > 90% of them). But apparently I can simply make my pool a real /24 (eg 192.168.1.2 -> 192.168.1.253 and the *.254 would be Mikrotik) and even in that space IP's that...
by jvanhambelgium
Wed Jun 03, 2020 9:39 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved
Replies: 362
Views: 143350

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

OK, I think we hit a special case here ;-) Usually all my systems at home receive a reserved DHCP-entry ("lease"), so my "pool" is actually very small and your script is correct to this extent... I forgot how small I made it. The script summarizes ; script=pool pool=Pool 1 used=45 total=10 The pool ...
by jvanhambelgium
Wed Jun 03, 2020 6:02 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved
Replies: 362
Views: 143350

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

I'm seeing some weird values in the DHCP-section -> the "DHCP Pool Information" seems to give a faulty % value (eg. 450%) Looking at the performed query for this : litsearch (sourcetype=mikrotik module=script script=pool) | eval percent=used*100/ total, host_name=coalesce(identity,host) | fields ...
by jvanhambelgium
Wed Jun 03, 2020 4:27 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved
Replies: 362
Views: 143350

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

If your edit is interesting for other, you could send me them, and I could add it in v3.0
I only removed some items not applicable for me at all, so no real enhancements.
I'm now using your supplied 3.0 Splunk Dashboard and it looks good enough for me ! I'm going to leave it as-is.
Thanks!
by jvanhambelgium
Wed Jun 03, 2020 12:31 pm
Forum: General
Topic: how to configure mikrotik ccr router to work as ntp server while using its time as source of time
Replies: 5
Views: 774

Re: how to configure mikrotik ccr router to work as ntp server while using its time as source of time

I want to configure one of my ccr routers as an ntp server and I don't want him to synchronize its time from internet, I want him to use its local time Local time ? A CCR does not have an internal RTC (RealTime Clock) as far as I understood so that is a bad plan to trust the time on a CCR that was not...
by jvanhambelgium
Wed Jun 03, 2020 10:37 am
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved
Replies: 362
Views: 143350

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

Splunk for MikroTik updated to v3.0 Major changes are the PPPoE view and support for IPv6 in the MikroTik Firewall Rules module To upgrade, delete the folder /splunk/etc/app/Mikrotik Then install the unpacked spl (use winrar/winzip) file, install app from "Manage app" -> "Install app from file" To g...
by jvanhambelgium
Tue Jun 02, 2020 10:42 pm
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 349
Views: 99115

Re: v6.47 [stable] is released!

Upgrade on my RB3011 went smooth, coming straight from 6.46.4 or something.
by jvanhambelgium
Tue Jun 02, 2020 1:57 pm
Forum: General
Topic: block computer name in mikrotik routerOS
Replies: 1
Views: 410

Re: block computer name in mikrotik routerOS

Not really possible directly, and it would not make much sense ... If your users have the rights to change their IP & MAC, what would stop them from changing their computer-name.... You need to solve this issue in other ways. 1) Restrict your users by means of policy so they cannot change stuff on the co...
by jvanhambelgium
Sun May 31, 2020 3:13 pm
Forum: Scripting
Topic: [Script] Automatically change DNS if Pi-hole is no longer working
Replies: 8
Views: 2300

Re: [Script] Automatically change DNS if Pi-hole is no longer working

This will not work for all clients that have received their DHCP-lease. I don't know how many hours of lease-time you provide so these clients don't really benefit from the switchover you make on RouterOS. If their (only) DNS-server fails it is over & out. Multiple DNS would be a / the only true "re...
by jvanhambelgium
Sun May 31, 2020 12:12 pm
Forum: Beginner Basics
Topic: Missing HTTP packets [SOLVED]
Replies: 4
Views: 1153

Re: Missing HTTP packets [SOLVED]

It is very normal that you do not "see" this traffic on the Raspberry Pi on a SWITCHED environment. (and a CRS is a switch) Broadcasts still "flood" out of the ports, that is why you see them arriving at the Raspberry. The Mikrotik does allow you to see this, since this is where everything comes tog...
by jvanhambelgium
Sat May 30, 2020 7:20 pm
Forum: Beginner Basics
Topic: How to make Port knocking working on vpn/pptp connection ?
Replies: 7
Views: 1393

Re: How to make Port knocking working on vpn/pptp connection ?

Concerning some config lines. add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp add action=accept chain=input com...
by jvanhambelgium
Sat May 30, 2020 5:09 pm
Forum: Beginner Basics
Topic: How to make Port knocking working on vpn/pptp connection ?
Replies: 7
Views: 1393

Re: How to make Port knocking working on vpn/pptp connection ?

How to make Port knocking working on vpn/pptp connection ? I try this ( https://wiki.mikrotik.com/wiki/Port_Knocking ) but is not working on vpn/pptp connection Anyone could help ? Port knocking is intended and used primarily with normal/usual connections. I really don't see a reason why one would ...
by jvanhambelgium
Sat May 30, 2020 1:15 pm
Forum: General
Topic: DDos protection
Replies: 4
Views: 774

Re: DDos protection

You should also drop traffic on your LAN-side (so "forward" chain, interface depending on your model & topology) that is not originated from the effective IP address of the VM/Client itself! So at least you try to stop facilitating "spoofed" traffic towards the internet! Normally if you run a PPPoE ...
by jvanhambelgium
Sat May 30, 2020 12:26 am
Forum: General
Topic: Routing of live IP
Replies: 6
Views: 1363

Re: Routing of live IP

So you have separate wireless AP's ? I would take a look at the Wiki's for the different topics you need : 1) Routing https://wiki.mikrotik.com/wiki/Manual:Simple_Static_Routing 2) Securing services https://wiki.mikrotik.com/wiki/Manual:IP/Services (so really make sure you add your "LAN" subnet in t...
by jvanhambelgium
Fri May 29, 2020 10:20 pm
Forum: General
Topic: Routing of live IP
Replies: 6
Views: 1363

Re: Routing of live IP

Just like this ? 1) Make bridge and group all your interfaces and give this bridge the IP of 172.20.18.1 255.255.255.224 (this will become the "default gateway" for all your PC/devices connected on LAN) Then plug whatever device you want on the ethernet-ports (all member of the bridge) and you ca...
by jvanhambelgium
Fri May 29, 2020 5:25 pm
Forum: General
Topic: Help with AirPrint network printer over VPN on the same subnet
Replies: 6
Views: 1117

Re: Help with AirPrint network printer over VPN on the same subnet

Wow Thank you! You have to understand that things like Airprint/Bonjour/mDNS/whatever were NEVER designed to "leave" the local LAN of your home. So yes, it is very normal these things just don't work so easily with more complex setups like home VLAN's, remote VPN's etc,etc. There might be ways, bu...
by jvanhambelgium
Thu May 28, 2020 11:41 am
Forum: General
Topic: Port forwarding to External OpneVPN Server [SOLVED]
Replies: 4
Views: 1033

Re: Port forwarding to External OpneVPN Server [SOLVED]

Would that rule work? /ip firewall nat add action=dst-nat chain=dstnat dst-port=33445 in-interface-list=WAN protocol=udp to-addresses=10.0.0.6 to-ports=33445 Add it just before or just after any already existing rules in chain=dstnat - it is for a particular port, so it is unlikely to get shadowed ...
by jvanhambelgium
Wed May 27, 2020 2:09 pm
Forum: General
Topic: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]
Replies: 23
Views: 4679

Re: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]

I don't use "tarpit". It will only consume more resources (cpu/mem) on your side with the idea to slow the attacker down by holding the connection, but... For metered connections, only your upstream ISP can truly provide some useful action. If the packet hits your interface, it consumed already band...
by jvanhambelgium
Wed May 27, 2020 1:30 pm
Forum: General
Topic: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]
Replies: 23
Views: 4679

Re: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]

I have an access rule that if anyone tries one port that is not open on the outside, he will be blocked for 24 hour on any port. This gives me an access list with from 2000 to 15000 IPs at any time. If this for some reason is me that has been blocked from outside, I can use port knock to whitelist ...
by jvanhambelgium
Wed May 27, 2020 7:46 am
Forum: General
Topic: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]
Replies: 23
Views: 4679

Re: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]

Some days I think I need a hardware FW in front of my router...If MT can focus on security with every new release, I will stick with them...if not...will be time to give up on MT after 8 years and move onto something else. There is no such thing as "a hardware firewall". Sure there are brands with ...
by jvanhambelgium
Sun May 24, 2020 12:12 am
Forum: Beginner Basics
Topic: How can i pass my Lan network withouth having to make NAT [SOLVED]
Replies: 4
Views: 959

Re: How can i pass my Lan network withouth having to make NAT [SOLVED]

Are you sure this is going to work ? Many "home" grade routers for example will only perform NAT (I mean the Alcatel box) when packets arrive in the range of their own LAN-interface. Or is the Alcatel configured that it will do NAT for 10.15.165.0/24 ?? Well, now you just need simple routing (and po...
by jvanhambelgium
Sun May 24, 2020 12:05 am
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 82
Views: 18283

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Is there a reasonable way of bypassing Mk's limit or another approach? I'm a Mk hardcore user but I'm considering other vendors if they do not apply a better concept to protect our equipment. Nothing wrong with the concept I think. The idea of deploying such huge massive IP-lists and filter agains...
by jvanhambelgium
Sat May 23, 2020 8:38 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 82
Views: 18283

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Is there a reasonable way of bypassing Mk's limit or another approach? I'm a Mk hardcore user but I'm considering other vendors if they do not apply a better concept to protect our equipment. Nothing wrong with the concept I think. The idea of deploying such huge massive IP-lists and filter agains...
by jvanhambelgium
Sat May 23, 2020 1:09 pm
Forum: Beginner Basics
Topic: The extra packages in RouterOS [SOLVED]
Replies: 21
Views: 3115

Re: The extra packages in RouterOS [SOLVED]

Don't think you can specify a specific version. Just upgrade (to the latest) or downgrade (to previous) within the channel chosen (eg. stable/long-term/...) (and I'm not even sure on the channel-flag)
by jvanhambelgium
Sat May 23, 2020 12:32 pm
Forum: General
Topic: Flooding UDP port 1194
Replies: 14
Views: 2612

Re: Flooding UDP port 1194

Why not change the port (port translation in router) to your customers. like use 54332 dydns name/url:54332 add chain=dstnat action=dst-nat in-interface-list=WAN dst-port=54332 protocol =tcp? to-addresses=IPserver to-ports=1194 Why would udp scans be stopped by a TCP rule (title of thread- "FLOODIN...
by jvanhambelgium
Sat May 23, 2020 8:23 am
Forum: Beginner Basics
Topic: Deny ip PUBLIC traffic
Replies: 10
Views: 1951

Re: Deny ip PUBLIC traffic

Sorry, but what should I look for in the nat, since basically I tag the traffic, I redirect traffic to other services that are not the mail, and finally it forwards it to my linux firewall. If the rule worked, the traffic coming from those IPs would not have to be sent to this Linux server, and the...
by jvanhambelgium
Fri May 22, 2020 9:46 pm
Forum: General
Topic: Flooding UDP port 1194
Replies: 14
Views: 2612

Re: Flooding UDP port 1194

Problem is the source IP + source port remain the same. Don't think the PSD attributes are going to be very useful here...they operate on the DESTINATION PORT and (same) SOURCE-IP but do not look at the SRC-PORT of the SOURCE-IP. If your OpenVPN needs to be really .... open and globally accessibl...
by jvanhambelgium
Fri May 22, 2020 9:38 pm
Forum: General
Topic: Flooding UDP port 1194
Replies: 14
Views: 2612

Re: Flooding UDP port 1194

I still want users with a valid certificate to connect, so just closing port 1194 is not really an option. Moving to port 1196 for example is just a matter of time.. That is the issue with running a full public service... Of course I don't know your userbase, but perhaps a script before the connec...
by jvanhambelgium
Fri May 22, 2020 9:34 pm
Forum: General
Topic: Flooding UDP port 1194
Replies: 14
Views: 2612

Re: Flooding UDP port 1194

Problem is the source IP + source port remain the same. Don't think the PSD attributes are going to be very useful here...they operate on the DESTINATION PORT and (same) SOURCE-IP but do not look at the SRC-PORT of the SOURCE-IP. If your OpenVPN needs to be really .... open and globally accessible...
by jvanhambelgium
Fri May 22, 2020 8:15 pm
Forum: Beginner Basics
Topic: Deny ip PUBLIC traffic
Replies: 10
Views: 1951

Re: Deny ip PUBLIC traffic

Check your NAT rules...
by jvanhambelgium
Thu May 21, 2020 11:59 am
Forum: General
Topic: Firewall Rule not work with Microsoft DHCP server
Replies: 11
Views: 1408

Re: Firewall Rule not work with Microsoft DHCP server

Same outcome. Your "unmanaged switch" is a simple L2-switch right ? With a design like this, it is IMPOSSIBLE to intervene/filter/capture/firewall traffic between PC1/PC2/PC3/PC4/SERVER because they all share the same IP-SUBNET. A device will only "contact" the Mikrotik if it needs to reach somethin...
by jvanhambelgium
Thu May 21, 2020 11:15 am
Forum: General
Topic: Firewall Rule not work with Microsoft DHCP server
Replies: 11
Views: 1408

Re: Firewall Rule not work with Microsoft DHCP server

Well ... drawn like this the Mikrotik will NOT "see" any DHCP or DNS requests from clients fly by. These PC's can communicate DIRECTLY with the server (because they are in the IP-network) For DHCP, the clients will yell with a "broadcast" and the DHCP will answer that. Also, impossible to limit the ...
by jvanhambelgium
Thu May 21, 2020 9:54 am
Forum: General
Topic: Firewall Rule not work with Microsoft DHCP server
Replies: 11
Views: 1408

Re: Firewall Rule not work with Microsoft DHCP server

I use "forward" now but it seems like the router rule doesn't work. I see the Bytes and Packets aren't counted. Can you make a small drawing ? Reading your post is very weird. You say PC's & servers are on the SAME IP-network, but perhaps you made a typo in writing. All the IP's below are in the same ...
by jvanhambelgium
Thu May 21, 2020 8:30 am
Forum: General
Topic: Best way to prevent attack from external
Replies: 9
Views: 1603

Re: Best way to prevent attack from external

Not really a problem to keep adding to the list but obviously this takes some time (administration) and is always reactive! You should review your management strategy. - Allow Winbox only from inside ? - If over Internet, your remote location/office does not have a STATIC IP so you can build your fi...
by jvanhambelgium
Wed May 20, 2020 6:11 pm
Forum: General
Topic: BLOCK TORRENT w/ ROUTER OS 6.45.9
Replies: 1
Views: 517

Re: BLOCK TORRENT w/ ROUTER OS 6.45.9

Hi, Is there a way to totally block torrent using the mentioned router OS version. If not, can we apply download limit for torrent traffic only. Many thanks, Gerry You could go quite aggressive : -> Deny any inbound traffic not part of client-initiated sessions. (but with exceptions that are applic...
by jvanhambelgium
Mon May 18, 2020 3:39 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 82
Views: 18283

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Don't think so. That Wiki page states : This page was last edited on 18 October 2017, at 10:37.
As it says on the page : After RouterOS v4.0beta4, Lua support is removed until further notice
by jvanhambelgium
Mon May 18, 2020 3:37 pm
Forum: General
Topic: namecheap.com dynamic dns
Replies: 10
Views: 3804

Re: namecheap.com dynamic dns

I use dynu and it works great, and it has the ability to assign a C-name, so I point my FREE service at the MT CLOUD. Perhaps in Belgium you like to torture friends or businesses with a long ass winded name to use to reach servers :-PPP, but I prefer being human!! :-) Well I have my own domain too ...
by jvanhambelgium
Mon May 18, 2020 1:47 pm
Forum: General
Topic: namecheap.com dynamic dns
Replies: 10
Views: 3804

Re: namecheap.com dynamic dns

After spending 2 days searching for a working script to update my wan IP to Namecheap, I want to say this script is excellent. Short and precise. thx a lot @mattsawatzky Why not use the built-in feature in RouterOS ? I use this for years now without any issues or need for 3rd party services. https:/...
by jvanhambelgium
Sun May 17, 2020 8:55 am
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 82
Views: 18283

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

How do we get around this 63KiB limit? can we ask mikrotik about this We are trying to automate the download and add of https://www.ipdeny.com/ipblocks/data/countries/gb.zone which is 124KiB Perhaps the only way is to have some really smart script parse this list further into large(r) CIDR-blocks ....
by jvanhambelgium
Sat May 16, 2020 11:14 am
Forum: General
Topic: Using CGNAT (NAT444) to contain an flooding attack
Replies: 1
Views: 541

Re: Using CGNAT (NAT444) to contain an flooding attack

This gives 499 ports for traffic going out from clients and you can make the source port range changing every so much time to avoid that an attacker is targeting your port range. But if I have 1500 people behind the Mikrotik I will have a problem with exhausted ports on the source-side to choose fr...
by jvanhambelgium
Sat May 16, 2020 8:38 am
Forum: Beginner Basics
Topic: Network topology for portable test rig
Replies: 6
Views: 1140

Re: Network topology for portable test rig

He's asking me what I need, I'm not sure what to tell him, but I don't think mapping a bunch of IPs 1:1 is the right way to go, since if I change my IP addresses it'll break. So here's what I'm thinking: All the stuff on the test rig is 192.168.0.x, and the stuff on the LAN is 172.16.x.x. Can I ask...
by jvanhambelgium
Fri May 15, 2020 8:20 pm
Forum: Beginner Basics
Topic: Network topology for portable test rig
Replies: 6
Views: 1140

Re: Network topology for portable test rig

Thanks, I'll give it a try. I was wondering if it's possible, if the factory network is 192.168.1.x, to have my sub-network to be 192.168.2.x, and still be able to get in from remote computers on the 192.168.1.x network? (Assuming the local IT will do anything for me, I know them well.) I have logg...
by jvanhambelgium
Fri May 15, 2020 2:07 pm
Forum: RouterBOARD hardware
Topic: Testing Methodology differs for Switches and Routers [SOLVED]
Replies: 12
Views: 6271

Re: Testing Methodology differs for Switches and Routers [SOLVED]

CCR's with full 100% CPU utilization seem not really usable to have this in production under these kinds of load...nice for a lab-stress-test to max it out but...
Do you have stats on effective packet drops under these loads ?
Hard to believe it is "0" with all cores at 100% etc.
by jvanhambelgium
Thu May 14, 2020 12:26 pm
Forum: General
Topic: Strange behavior when host is down.
Replies: 1
Views: 459

Re: Strange behavior when host is down.

I don't have this behavior.
Tested on Linux, running 6.46.4 on RB3011
by jvanhambelgium
Wed May 13, 2020 7:43 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved
Replies: 362
Views: 143350

Re: Tool: Using Splunk to analyse MikroTik logs 2.9 (Graphing everything) Topic is solved

Is it "normal" that Splunk is quite slow? I have it running since 4-5 hours and the Traffic Accounting Dashboard takes 2 minutes until some results are shown... No that seems not normal... The "Traffic" dashboard shows here in about 2 seconds when selecting "Time Range = last 4 hours". I run Splunk ...
by jvanhambelgium
Wed May 13, 2020 10:43 am
Forum: Beginner Basics
Topic: Network topology for portable test rig
Replies: 6
Views: 1140

Re: Network topology for portable test rig

The possibilities depend a bit on what the local IT will allow! So you have already some "VPN" services that connect you to the factory network ? You speak about connecting the CRS as a wireless-client onto the corporate network right ? Perhaps you could ask localIT if they can provide you with a ST...
by jvanhambelgium
Wed May 13, 2020 10:35 am
Forum: General
Topic: Firewall Rule against Botnet Attacks?
Replies: 6
Views: 1419

Re: Firewall Rule against Botnet Attacks?

Hello everyone, we are a little Internet provider from Germany and use Mikrotik Routers. In the last time our customers get attacks from what I think are botnets. The Botnets are attacking one address from the pppo pool with most from port 389 and 53, so that we added some firewall rules in raw to ...
by jvanhambelgium
Wed May 13, 2020 9:13 am
Forum: Beginner Basics
Topic: Linking 2 switches (2 LANs) directly with each other
Replies: 8
Views: 1673

Re: Linking 2 switches (2 LANs) directly with each other

@jvanhambelgium, the router creates automatically routes to the attached 2 LANs, as normal/usual. But the goal with this direct link approach between the two Switches is that local traffic between them (LAN1 and LAN2) shall not go over the router, except when WAN is explicitly involved, then the ...
by jvanhambelgium
Tue May 12, 2020 7:07 pm
Forum: Beginner Basics
Topic: Linking 2 switches (2 LANs) directly with each other
Replies: 8
Views: 1673

Re: Linking 2 switches (2 LANs) directly with each other

I'm no real expert. 1.) can these two switches (ie. the two LANs) also be linked directly with each other over a spare port on each switch, so that the local traffic between them then does not go over the router? >> How are these interfaces on the router configured ? Are these routed-interfaces ? So ...
by jvanhambelgium
Tue May 12, 2020 4:35 pm
Forum: Beginner Basics
Topic: Address range in firewall address list
Replies: 14
Views: 1892

Re: Address range in firewall address list

jvan - would you capture the offenders in the regular firewall (add to firewall address list) and then drop them in raw? Depends on the current load on your box. Sure if you drop them raw they consume the least amount of resources on your box. Here on my small home network I have them all in ACL's ...
by jvanhambelgium
Tue May 12, 2020 12:52 pm
Forum: Beginner Basics
Topic: Address range in firewall address list
Replies: 14
Views: 1892

Re: Address range in firewall address list

Thanks again for the feedback. Yes, the server is a public SMTP server. It is handling emails for just a handful of people - providing web and imap email as well as schedule to users both in the LAN and "on the road". The reason for running it ourselves is that we've been selling the mailserver so...
by jvanhambelgium
Tue May 12, 2020 9:12 am
Forum: Beginner Basics
Topic: Address range in firewall address list
Replies: 14
Views: 1892

Re: Address range in firewall address list

These types of issues cannot really be solved with networking/firewall equipment like Mikrotik. Especially if you are dealing with SMTP you need to take other criteria into mind (eg. reputation). In essence SMTP is a general public service so IF you decided to run your own public SMTP-host, you shou...
by jvanhambelgium
Mon May 11, 2020 8:28 pm
Forum: Beginner Basics
Topic: ssh connection to mikrotik not working (timeout)
Replies: 12
Views: 1970

Re: ssh connection to mikrotik not working (timeout)

There can be many reasons why it does not work... I advise you to start over, re-deploy the VM again with only 1 interface and make sure this interface is effectively in the LAN as your Ubuntu VM 192.168.15.x In your config you posted I cannot find a single interface having any 192.168.15.x assigned to ...
by jvanhambelgium
Mon May 11, 2020 5:51 pm
Forum: Beginner Basics
Topic: Unable to connect to Microsoft Teams when using RB4011IGS+5HACQ2HND-IN [SOLVED]
Replies: 7
Views: 2031

Re: Unable to connect to Microsoft Teams when using RB4011IGS+5HACQ2HND-IN [SOLVED]

What are your DNS settings ? Your clients use some direct ISP DNS servers or is the Mikrotik intermediate ?
All other web-access works fine I guess ?
by jvanhambelgium
Mon May 11, 2020 5:22 pm
Forum: Beginner Basics
Topic: ssh connection to mikrotik not working (timeout)
Replies: 12
Views: 1970

Re: ssh connection to mikrotik not working (timeout)

I expected this somewhat ... There are some confusing aspects 1) "ether1" yet it seems connected to some Wifi WLAN adapter ? Since you run the Mikrotik as a VM, I guess you have BRIDGED networking onto the network on which the Ubuntu (=HOST) is running ?? 2) I see 2x the gateway of 192.168.15.1 using...
by jvanhambelgium
Mon May 11, 2020 4:21 pm
Forum: Beginner Basics
Topic: ssh connection to mikrotik not working (timeout)
Replies: 12
Views: 1970

Re: ssh connection to mikrotik not working (timeout)

Every time I see you post jvan I get hungry for Belgian chocolates :-) They are indeed not bad ;-) Are you effectively residing in Nova Scotia Canada ? We have excellent chocolates (and beers etc), you have some awesome outdoors & nature... To the topic-starter : yes, draw up a little diagram too! :D
by jvanhambelgium
Mon May 11, 2020 3:35 pm
Forum: General
Topic: Advanced ideas you can't do with MikroTik products...
Replies: 8
Views: 1268

Re: Advanced ideas you can't do with MikroTik products...

@jvanhambelgium, we need max security in and out, as well max possible performance at the same time, obviously. We have multiples of such small but for us important in-house projects in the pipeline, for example an Advanced Application Layer Firewall that operates as a C/S solution: the S part bein...
by jvanhambelgium
Mon May 11, 2020 3:00 pm
Forum: General
Topic: Advanced ideas you can't do with MikroTik products...
Replies: 8
Views: 1268

Re: Advanced ideas you can't do with MikroTik products...

Any other alternatives? Cisco Catalyst 3650 Series Switches This one will meet all of your security objectives plus it will route at wire speed plus do things that you have yet to imagine. :-) I doubt a Cisco device will meet my listed requirements , as it is IMO even more closed-source than MikroT...
by jvanhambelgium
Mon May 11, 2020 11:28 am
Forum: Beginner Basics
Topic: ssh connection to mikrotik not working (timeout)
Replies: 12
Views: 1970

Re: ssh connection to mikrotik not working (timeout)

Clearly we need more info. What is the IP address of the system ("speedio-26") you are launching the SSH-command from ? Because it could be caused by something in between, we have no clue. This is a wired system ? Wireless ? If wired, is it directly connected to the Mikrotik, switches in between ? e...
by jvanhambelgium
Sun May 10, 2020 8:24 pm
Forum: Beginner Basics
Topic: "sandboxed" network
Replies: 2
Views: 806

Re: "sandboxed" network

Are these embedded boards also isolated ? Or sitting in some network with lots of other gear? I guess simple L2TP VPN, then a simple firewall-rule only allowing access to IP addresses X,Y,Z (the embedded systems). And you can additionally specify protocols that can be used, eg. https/http and ssh or s...
by jvanhambelgium
Sun May 10, 2020 3:02 pm
Forum: Beginner Basics
Topic: MultiCast between VLANS (Chromecast vlan1) to/from (PC/Mobile vlan2)
Replies: 13
Views: 4634

Re: MultiCast between VLANS (Chromecast vlan1) to/from (PC/Mobile vlan2)

It's just a shame that a capable os doesn't have a process to handle multicast across bridge/vlans! No, it's not. The topic is about link-local multicast and that's the way it is supposed to work. RouterOS does in fact offer "real" multicast routing with PIM and multicast package. -Chris Hi Chris C...
by jvanhambelgium
Sun May 10, 2020 8:17 am
Forum: General
Topic: Bidirectional Load Balancing for 2 LANs using 2 WANs
Replies: 8
Views: 1557

Re: Bidirectional Load Balancing for 2 LANs using 2 WANs

No way to handle load-balancing on another layer ? Just thinking out loud here. Depending on the application-design, you could build out the LAN-network using some multihomed HPC systems yet keep the LAN rather straightforward and have more capable products (eg. haproxy, nginx, traefik) handle it. htt...
by jvanhambelgium
Sat May 09, 2020 6:10 pm
Forum: Forwarding Protocols
Topic: Ethernet traffic capture/analysis of a whole MAC subnet [SOLVED]
Replies: 10
Views: 2434

Re: Ethernet traffic capture/analysis of a whole MAC subnet [SOLVED]

@jvanhambelgium, thx for the explanation. Exactly the very same use-case I was meaning. Btw, in the said example, the ACL action copy-to-cpu=yes is used. Do you happen to know what this action or the other one named redirect-to-cpu=yes practically means? I try to understand these two ACL CPU action...
by jvanhambelgium
Sat May 09, 2020 4:01 pm
Forum: Forwarding Protocols
Topic: Ethernet traffic capture/analysis of a whole MAC subnet [SOLVED]
Replies: 10
Views: 2434

Re: Ethernet traffic capture/analysis of a whole MAC subnet [SOLVED]

But, I could swear I read somewhere about MAC subnet addressing, but can't find where it was... :-( I guess that's why ;-) MAC addresses only have "local significance" on the same segment. Sure there are broadcast & multicast concepts at the ethernet-level. IEEE also has a concept of a registry wit...
by jvanhambelgium
Sat May 09, 2020 2:51 pm
Forum: Forwarding Protocols
Topic: port forwarding
Replies: 13
Views: 2122

Re: port forwarding

I can ping from 192.168.10.8(pc/Xammp) to 192.168.10.1(router) and it works fine. I can't ping from 192.168.10.8(pc/Xammp) to 192.168.6.1(hotspot) I can ping from 192.168.10.8(pc/Xammp) to 192.168.10.1(router) and it works fine. >> You don't need any routes/gateway for that. It's considered "Direct ...
by jvanhambelgium
Sat May 09, 2020 11:22 am
Forum: Forwarding Protocols
Topic: port forwarding
Replies: 13
Views: 2122

Re: port forwarding

(http(s)://192.168.10.8 ) When I enter this on local machine web-browser it doesn't work but if I enter this (http://192.168.10.8) it works. And another very stupid but essential question : your Windows machine does have a default-gateway set back to the AP/router right ? As you are doing DNAT, the...
by jvanhambelgium
Sat May 09, 2020 9:15 am
Forum: Forwarding Protocols
Topic: port forwarding
Replies: 13
Views: 2122

Re: port forwarding

Stupid question, you are sure your Xammp services are not bound to 127.0.0.1 (=localhost) only on the PC ? That might explain a lot. You are running this on Windows OS I read ? Are you sure no host-side firewall is active ? On that local machine, when opening a web browser to test it, do you issue so...
by jvanhambelgium
Fri May 08, 2020 8:59 pm
Forum: General
Topic: router randomly drops WAN connection
Replies: 9
Views: 2709

Re: router randomly drops WAN connection

You have a small LAN-switch you could put between them ?
Perhaps there are some interoperability issues between the ethernet-port in Mikrotik and the device of your ISP.

That is perhaps the reason the problem remained even after getting a new router from the same vendor ;-)
Give it a try.
by jvanhambelgium
Fri May 08, 2020 7:14 pm
Forum: Beginner Basics
Topic: Building a 500+ apartment network for internet access
Replies: 7
Views: 1285

Re: Building a 500+ apartment network for internet access

Hi. I have a task of building a 500+ user network using mesh technologies The 500+ apartments are located in 62 different buildings. My plan is to create a backbone of 10Gbit fiber supplying a switch in every apartment staircase with 10Gbit fiber, and supplying all flats with 1Gbit either fiber or ...
by jvanhambelgium
Fri May 08, 2020 8:46 am
Forum: Beginner Basics
Topic: Blocking all unused/unneeded protocols, keeping only bare minimum essential ones [SOLVED]
Replies: 24
Views: 4165

Re: Blocking all unused/unneeded protocols, keeping only bare minimum essential ones [SOLVED]

Finally solved! Doing tests now. Reason was that this switch device uses besides the shown few L2 protocols also some IP L3 protocols internally. Will analyze them later. Whatever you are doing might be "fun" and you are probably learning a lot (always good), but let me tell you this is absolutely ...
by jvanhambelgium
Thu May 07, 2020 11:28 pm
Forum: Beginner Basics
Topic: Block Intervlan one direction but not other? [SOLVED]
Replies: 3
Views: 1595

Re: Block Intervlan one direction but not other? [SOLVED]

I am used to Ubiquiti more, and on there I had LAN_LOCAL rules that prevented VLAN20 from talking to VLAN100, but the opposite worked. This is useful to me as I need VLAN100 to be able to manage all VLANs and ssh them across. Is it possible on Mikrotik? I tried some basic drop rules for VLAN20 to V...
by jvanhambelgium
Thu May 07, 2020 10:19 pm
Forum: Forwarding Protocols
Topic: Ethernet traffic capture/analysis of a whole MAC subnet [SOLVED]
Replies: 10
Views: 2434

Re: Ethernet traffic capture/analysis of a whole MAC subnet [SOLVED]

But, I could swear I read somewhere about MAC subnet addressing, but can't find where it was... :-( I guess that's why ;-) MAC addresses only have "local significance" on the same segment. Sure there are broadcast & multicast concepts at the ethernet-level. IEEE also has a concept of a registry wit...
by jvanhambelgium
Thu May 07, 2020 9:18 pm
Forum: Forwarding Protocols
Topic: Ethernet traffic capture/analysis of a whole MAC subnet [SOLVED]
Replies: 10
Views: 2434

Re: Ethernet traffic capture/analysis of a whole MAC subnet [SOLVED]

There is no such thing as a "MAC subnet" and if you have several MAC's almost identical is this pure luck or by intent because eg these are VM's of which you can craft the MAC's. Just create the list you want filtered : tcpdump ether src D0:50:99:84:01:36 or ether src D0:50:99:84:01:36 or ether src ...
by jvanhambelgium
Thu May 07, 2020 5:15 pm
Forum: General
Topic: Intelligent port forwarding rule
Replies: 10
Views: 1644

Re: Intelligent port forwarding rule

Confusing request? Simply give users for RDPA - a unique dyndns name give users for RDPB - a different name give users for RDPC - a different name. This would not solve anything as there is only 1 public IP-address to my understanding. IF there are multiple public IP's available sure you could alre...
by jvanhambelgium
Thu May 07, 2020 4:34 pm
Forum: General
Topic: Intelligent port forwarding rule
Replies: 10
Views: 1644

Re: Intelligent port forwarding rule

I would not expose "N" RDP servers directly (to Internet?). Instead use some loadbalancing/frontend like HAProxy or something. https://www.haproxy.com/documentation/haproxy/deployment-guides/remote-desktop/rdp-gateway/ Then your RouterOS requires a single D-NAT entry pointing to HAProxy where you c...
by jvanhambelgium
Thu May 07, 2020 11:23 am
Forum: General
Topic: Many attempt to log in from "winbox" [SOLVED]
Replies: 11
Views: 1686

Re: Many attempt to log in from "winbox" [SOLVED]

Thank you for your reply Normis. I only want to access winbox from my work. If I disable winbox from the internet how can I log in only from my work's? Appreciate your help! Best, If "your work" has a set of fixed public IP's you could add them to the Winbox service so you are allowed from there. ...
by jvanhambelgium
Thu May 07, 2020 8:09 am
Forum: Scripting
Topic: How to update more than one port by scripting to one rule?
Replies: 2
Views: 823

Re: How to update more than one port by scripting to one rule?

I would : -> Disable UPnP all together. -> Configure fixed rules using a set of FIXED ports that you also configured on your torrent application. Eg. I have 2 rules (for UDP & TCP) for my Deluge torrent environment using ports 6800 to 6900 and fixed the Deluge config accordingly. Then when these rul...
by jvanhambelgium
Wed May 06, 2020 9:43 am
Forum: Forwarding Protocols
Topic: Accessing my server outside of the LAN network
Replies: 18
Views: 3539

Re: Accessing my server outside of the LAN network

Tried what all of you guys were saying, and exhausted most of the internet, still cannot get it to work... But again, "I run on my server tcpdump and saw that my server is receiving SYN packet but the SYN ACK from my server is not returning" Do you see this SYN-ACK packet leave the server back to th...
by jvanhambelgium
Mon May 04, 2020 5:11 pm
Forum: Forwarding Protocols
Topic: Accessing my server outside of the LAN network
Replies: 18
Views: 3539

Re: Accessing my server outside of the LAN network

@jero111, if you have a personal firewall on your web server machine, check also its rules: you must open port 80/tcp for incoming requests. In case your own web surfing machine has a personal firewall then of course port 80/tcp for outgoing traffic must be opened. And on the router, port 80/tcp to...
by jvanhambelgium
Mon May 04, 2020 8:21 am
Forum: Forwarding Protocols
Topic: Accessing my server outside of the LAN network
Replies: 18
Views: 3539

Re: Accessing my server outside of the LAN network

For sure you need at least 1 rule in the FORWARD chain for the traffic returning from the webserver back out to the Internet. In your config ... I see this rule but DISABLED ?? add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,relat...
by jvanhambelgium
Sat May 02, 2020 2:56 pm
Forum: Forwarding Protocols
Topic: Accessing my server outside of the LAN network
Replies: 18
Views: 3539

Re: Accessing my server outside of the LAN network

So, I have a server with IP address 192.168.1.145. I set up my DNS record to point to public address of my network. When trying to access it by hostname while I'm connected on cable or lan inside my network, I can access it, but, when I'm on some other network(mobile), I cannot access it. I have set ...
by jvanhambelgium
Sat May 02, 2020 8:33 am
Forum: Beginner Basics
Topic: What is the Best Practice for detecting/preventing unauthorized devices in LAN?
Replies: 24
Views: 3261

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

As said: the answer seems to be "Dot1x". In 7.0beta5 under /interface/dot1x/ in CLI one finds both client and server (btw. the Webfig GUI does not have them yet). Then now I'm missing the 3rd part: the part on the PCs/servers. And here I could take wpa_supplicant or an older software named xsuplica...
by jvanhambelgium
Fri May 01, 2020 6:51 pm
Forum: Beginner Basics
Topic: What is the Best Practice for detecting/preventing unauthorized devices in LAN?
Replies: 24
Views: 3261

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

@tdw, thanks for the explanation, but I wonder when the username and userpassword has to be used. Let's say a user in the morning comes to his seat and turns his office computer on (it was ordinarily shut down the previous work day). So, what happens next? Does he need to login to the RADIUS server...
by jvanhambelgium
Fri May 01, 2020 2:27 pm
Forum: Beginner Basics
Topic: What is the Best Practice for detecting/preventing unauthorized devices in LAN?
Replies: 24
Views: 3261

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

Port-based security, 802.1X will prevent this. Basically only after authentication/authorization the port can be used. Sure on RouterOS you can do a lot with scripts, you could collect the MAC/ARP entries on a regular basis, process this, compare it, do something with it. On the other hand, MAC-addr...
by jvanhambelgium
Fri May 01, 2020 8:54 am
Forum: General
Topic: VLan data center management
Replies: 6
Views: 1948

Re: VLan data center management

Sure I have experience, but not with Mikrotik and not in such specific context. It is very important to understand that we are talking about LAN-ports changing state (eg. server with MAC-address 11:22:33:44:55:66) so plugged onto your network right ? DOT1X cannot be used on a device to work on "inte...
by jvanhambelgium
Thu Apr 30, 2020 8:51 am
Forum: Beginner Basics
Topic: 2 LAN Cables from Mikrotik to Switch
Replies: 24
Views: 3879

Re: 2 LAN Cables from Mikrotik to Switch

Will there be 100mbps x 2 bandwidth between Mikrotik and the switch? > Yes if you configured some form of link-aggregation / bonding. Obviously your LAN-switch needs to support this. If yes, then will all traffic be divided equally between 2 LAN cables? > Probably not so easy to really get 50/50 exa...
by jvanhambelgium
Tue Apr 28, 2020 8:33 am
Forum: General
Topic: How it help to play digital menu boards?
Replies: 2
Views: 974

Re: How it help to play digital menu boards?

It cannot specifically help you (more than hundreds of other type of home/soho routers can do) This menu board (app/software) seems to only need internet connectivity. Any router will do. It's a cloud-based signage solution. So what is your current network setup? You have some wired/wireless solution...
by jvanhambelgium
Mon Apr 27, 2020 11:28 am
Forum: Beginner Basics
Topic: Port forward with webserver
Replies: 16
Views: 2550

Re: Port forward with webserver

Do you use your Mikrotik as DNS-server ? Then simply add some "static" entries that point "www.mydomain.pl" to "192.168.1.210" Test it by doing "ping www.mydomain.pl" on your PC and see if reply comes from 192.168.1.210 Alternative is simply adapt your host file on your PC, on Linux box simply edit ...
by jvanhambelgium
Fri Apr 24, 2020 10:18 pm
Forum: Beginner Basics
Topic: I can't view my Websites from LOCAL (LAN), because via LAN I see Webfig.
Replies: 7
Views: 1825

Re: I can't view my Websites from LOCAL (LAN), because via LAN I see Webfig.

Advice from previous poster for hairpin nat is close but there is no TO rule for that config line. Should be add action=masquerade chain=srcnat comment="Mikrotik Hairpin NAT" dst-address=192.168.88.0/24 protocol=tcp src-address=192.168.88.0/24 Interesting finding indeed. So my Webfig/Winbox have in...
by jvanhambelgium
Fri Apr 24, 2020 6:21 pm
Forum: Beginner Basics
Topic: Hacker attacks on CCR [SOLVED]
Replies: 9
Views: 3564

Re: Hacker attacks on CCR [SOLVED]

Hello, you can add the following lines into a script which will create an address-list with all the IP addresses from Bulgaria ( just an example ) and based on that you can create a firewall rule to drop the connections from those ip's. /tool fetch url=http://www.iwik.org/ipcountry/mikrotik/BG /impo...
by jvanhambelgium
Fri Apr 24, 2020 4:42 pm
Forum: Beginner Basics
Topic: I can't view my Websites from LOCAL (LAN), because via LAN I see Webfig.
Replies: 7
Views: 1825

Re: I can't view my Websites from LOCAL (LAN), because via LAN I see Webfig.

Disable webfig simply in the ip -> services and disable "www" and "www-ssl" to disable webfig. In CLI this would be something like /ip service set www-ssl address=office.internal.IP-range disabled=yes set www address=office.internal.IP-range disabled=yes Then for the hairpin (to be able to access yo...
by jvanhambelgium
Fri Apr 24, 2020 2:04 pm
Forum: Beginner Basics
Topic: I can't view my Websites from LOCAL (LAN), because via LAN I see Webfig.
Replies: 7
Views: 1825

Re: I can't view my Websites from LOCAL (LAN), because via LAN I see Webfig.

Disabling Webfig alone will not fix it.
What you need is HAIRPIN NAT (aka "NAT Loopback")
There are dozens of examples on this forum, basically you need to add some specific rules to make it work.

https://wiki.mikrotik.com/wiki/Hairpin_NAT
by jvanhambelgium
Wed Apr 22, 2020 1:01 pm
Forum: General
Topic: Port forwarding partially working on ports 80, 22, 443
Replies: 24
Views: 2975

Re: Port forwarding partially working on ports 80, 22, 443

Hmm, strange.
Not really too much anymore I can think of, perhaps a full reset and start from scratch...
I've in the past tested TCP/80/443 DNAT pointing to my NGINX which worked just as predictable as dozens of other DNAT's I have on my RB3011
by jvanhambelgium
Wed Apr 22, 2020 11:51 am
Forum: General
Topic: Port forwarding partially working on ports 80, 22, 443
Replies: 24
Views: 2975

Re: Port forwarding partially working on ports 80, 22, 443

You have the capability to also capture CLIENT-side ? To see if anything actually arrives there ?? Because you have several (4x) SYNACK's coming from your server, then followed by the remote client that retries and issues another SYN and again the same sequence....the timing between them is very sh...
by jvanhambelgium
Wed Apr 22, 2020 10:45 am
Forum: General
Topic: Port forwarding partially working on ports 80, 22, 443
Replies: 24
Views: 2975

Re: Port forwarding partially working on ports 80, 22, 443

Why do you have following ??

add admin-mac=C4:AD:34:49:5F:81 arp=proxy-arp auto-mac=no comment=defconf name=bridge

My Bridge-interface is just using "arp" ;-)
by jvanhambelgium
Wed Apr 22, 2020 10:12 am
Forum: General
Topic: Port forwarding partially working on ports 80, 22, 443
Replies: 24
Views: 2975

Re: Port forwarding partially working on ports 80, 22, 443

I can see the NAT rule counter going up but I haven't set on the logs for drop rules. Reason being is that I have temporarily disabled all of these and tried and it didn't make any difference. Can I log all the packets coming from an IP/HW Addr on the Mikrotik? I would like to know if the SYN/ACK r...
by jvanhambelgium
Wed Apr 22, 2020 9:10 am
Forum: General
Topic: Port forwarding partially working on ports 80, 22, 443
Replies: 24
Views: 2975

Re: Port forwarding partially working on ports 80, 22, 443

Did you add some logging to all drop rules so at least in the RouterOS logs you see when & why packets are dropped ?? What about the "counters", you can see which counter is "going up" when you try ??? Perhaps one of these default rules you have drops packets marked "invalid" ? and for some reason you hit...
by jvanhambelgium
Wed Apr 22, 2020 8:34 am
Forum: General
Topic: Port forwarding partially working on ports 80, 22, 443
Replies: 24
Views: 2975

Re: Port forwarding partially working on ports 80, 22, 443

Does this mean the HTTP/HTTPS service "ports" are still active ? Did you also add that only internal IP's are allowed to call these www & www-ssl services? (www & www-ssl services) I wonder if they muck up somehow? Dunno, just guessing. In my config anyway, any of these ports are strictly limited ...