Search found 444 matches

by jvanhambelgium
Fri May 07, 2021 1:38 pm
Forum: Beginner Basics
Topic: Remote RADIUS server - auto authenticate ether2
Replies: 1
Views: 83

Re: Remote RADIUS server - auto authenticate ether2

It depends a bit on the AAA product used, but in general you could quite easily make a policy to "ACCEPT" if the NAS-Port is "ether2" (or anything else). Yesterday we configured a similar thing, but on Cisco ISE + Cisco SDN fabric, to indeed put certain ports automagically in ...
by jvanhambelgium
Fri May 07, 2021 12:32 pm
Forum: General
Topic: Block domains using wildcard
Replies: 6
Views: 353

Re: Block domains using wildcard

;;; Drop Layer7 Web Filter Rule chain=forward action=reject reject-with=icmp-admin-prohibited layer7-protocol=blockwebsite protocol=tcp in-interface-list=LAN out-interface-list=WAN dst-port=80,443 log=no log-prefix="" --------------------- ^.+(anten.ir|filimo.com|youtube.com).*$ You might...
by jvanhambelgium
Mon May 03, 2021 10:26 pm
Forum: General
Topic: IPv6 ICMP ok but no TCP traffic
Replies: 20
Views: 701

Re: IPv6 ICMP ok but no TCP traffic

If an MTU issue were the cause, then it would also be applicable to IPv4? We'd see weird broken connections, sites that don't open well, etc.
I'm not aware that IPv6 / IPv4 follow different MTU rules on an underlying common PPPoE transport link?
by jvanhambelgium
Mon May 03, 2021 8:25 pm
Forum: General
Topic: IPv6 ICMP ok but no TCP traffic
Replies: 20
Views: 701

Re: IPv6 ICMP ok but no TCP traffic

Hmm, strange indeed. Did you also enable logging for the rule below?? add action=accept chain=forward comment="Accept routed established connections (forward)" connection-state=established,related \ in-interface-list=WAN out-interface-list=LAN That rule should let the ACKs back through t...
by jvanhambelgium
Mon May 03, 2021 6:51 pm
Forum: General
Topic: IPv6 ICMP ok but no TCP traffic
Replies: 20
Views: 701

Re: IPv6 ICMP ok but no TCP traffic

If you don't have much IPv6 traffic, just enable the logging also on the other rule? So at least you are SURE the packet is actually leaving the Mikrotik?! Your claim on the ISP filtering it out is very, very unlikely if they hand out IPv6 prefixes... activate logging on : add action=accept chain=forwa...
by jvanhambelgium
Mon May 03, 2021 5:44 pm
Forum: General
Topic: IPv6 ICMP ok but no TCP traffic
Replies: 20
Views: 701

Re: IPv6 ICMP ok but no TCP traffic

Looks ok to me for this case, do you have the "log" flag enabled on the last 2 rules?? add action=drop chain=input comment="Drop any other incoming traffic" add action=drop chain=forward comment="Drop any other routed traffic" If not, please do so and look if anything is d...
by jvanhambelgium
Mon May 03, 2021 4:53 pm
Forum: General
Topic: IPv6 ICMP ok but no TCP traffic
Replies: 20
Views: 701

Re: IPv6 ICMP ok but no TCP traffic

What about the IPv6 firewall rules? Can you list them?
by jvanhambelgium
Sun May 02, 2021 12:31 pm
Forum: General
Topic: MAC based port forwarding rule
Replies: 7
Views: 414

Re: MAC based port forwarding rule

It works from another router on another ISP, but I want that when a request is sent from another router of another ISP, my router checks the sender MAC address, and if the sender MAC is the same, the forwarding rule works. Perhaps some form of "port-knocking" is the second best thing you can do? Agree with the remote...
by jvanhambelgium
Sun Apr 25, 2021 7:57 pm
Forum: Beginner Basics
Topic: Port forwarding dst-nat on 2nd WAN
Replies: 17
Views: 1011

Re: Port forwarding dst-nat on 2nd WAN

And if you unplug ISP1 and only use Orange, do things then work?
by jvanhambelgium
Sun Apr 25, 2021 12:37 pm
Forum: Beginner Basics
Topic: Port forwarding dst-nat on 2nd WAN
Replies: 17
Views: 1011

Re: Port forwarding dst-nat on 2nd WAN

(11) You seem to be missing the generic rule required to permit dst-nat to come through the WAN interface (port forwarding). This new rule needs to be placed before the LAST rule you have in the forward chain which blocks all not coming from the LAN. add action=accept chain=forward comment="A...
by jvanhambelgium
Sat Apr 24, 2021 11:23 am
Forum: Beginner Basics
Topic: Port Forwarding
Replies: 25
Views: 1111

Re: Port Forwarding

yeah this was not much help at all. Thanks guys.. My suggestion also did not work? > Can you test IF a packet actually arrives at the destination device/appliance? Or can you quickly adapt the NAT to a "test" system in the same LAN and look with tcpdump if it actually arrives?? > logs,...
by jvanhambelgium
Sat Apr 24, 2021 12:04 am
Forum: Beginner Basics
Topic: Port Forwarding
Replies: 25
Views: 1111

Re: Port Forwarding

nc -vz 23.31.142.153 9100 nc: connectx to 23.31.142.153 port 9100 (tcp) failed: Network is unreachable Your PC, or the device where you launch netcat, where is it? Outside the network, or inside? Looking at his log snippet it states 50.216.82.97 as source, so I think he is really testing coming in exte...
by jvanhambelgium
Fri Apr 23, 2021 11:50 pm
Forum: Beginner Basics
Topic: Port Forwarding
Replies: 25
Views: 1111

Re: Port Forwarding

That forward rule with the flag "dnat"? Can you uncheck "new" please? The NEW state tells us that the packet is the first packet that we see. This means that the first packet that the conntrack module sees, within a specific connection, will be matched. For example, if we see a...
by jvanhambelgium
Sat Apr 17, 2021 5:46 pm
Forum: General
Topic: High Density Scenario - 30k client
Replies: 7
Views: 586

Re: High Density Scenario - 30k client

Pushing the traffic will not be an issue, but perhaps a large churn will impact DHCP services & wait times? No clue what Mikrotik DHCP servers have been tested for. Eg. 1000 concurrent requests arriving at the same time. But it's true this is probably a "gradual" process as visitors a...
by jvanhambelgium
Fri Apr 16, 2021 12:46 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved

Like the devil is playing with it. 5 minutes after I wrote the previous post the HAPac2 stopped again with sending log data to Splunk. Yesterday it lasted 2,5 hours, today 3 hours. So I have made little progress :( Then clearly a bug in the RouterOS of that box? Can you check the logging, if you do...
by jvanhambelgium
Fri Apr 16, 2021 12:15 pm
Forum: General
Topic: High Density Scenario - 30k client
Replies: 7
Views: 586

Re: High Density Scenario - 30k client

"Concurrent" clients does not mean that much. I mean, of these 30k connected Wifi clients most could be pretty idle, only doing a few 100 kbits/sec for some sync tasks. If we think about 1Mbps / user (if your Wifi setup supports this) then you are looking at 30Gbit/sec Internet backhaul. That is quit...
by jvanhambelgium
Fri Apr 16, 2021 12:05 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved

For the licensing, go to "Settings" -> "Licensing" and there you will see how much MBytes you've consumed today. If it worked for a couple of hours then I suspect the HAPac2? If you go to the "Apps" then "Search" and then you have this button "Data Summary...
by jvanhambelgium
Mon Apr 12, 2021 12:16 am
Forum: RouterOS v7 BETA
Topic: mDNS repeater feature
Replies: 4
Views: 479

Re: mDNS repeater feature

Please bring mDNS repeater feature in Rosv7. It is a very important feature for home routers. This is only an issue if you start fiddling around with multiple LANs / VLANs. Guess what, like 0.00001% or something of "home users" is actually toying around with that in their home setup. Don't...
by jvanhambelgium
Sun Apr 11, 2021 9:50 am
Forum: Beginner Basics
Topic: Trigger script on new entries in wireless registration-table
Replies: 6
Views: 521

Re: Trigger script on new entries in wireless registration-table

Few more questions: * Does RouterOS have a cron daemon or something similar? Can it schedule a job to run each 15s? Sure it has. Check under /system scheduler * Would it be a significant load increment for Mikrotik to run such a script each 15s or 1min if there is no such fine granularity? Hmm, your action ...
by jvanhambelgium
Fri Apr 09, 2021 8:00 pm
Forum: Beginner Basics
Topic: Port forwarding not working?
Replies: 17
Views: 905

Re: Port forwarding not working?

(4) As for Jvan's advice, BOOO!!! I don't see it will help as YOU ALREADY STATE (as per the default firewall rules): add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN Which means all traff...
by jvanhambelgium
Fri Apr 09, 2021 6:15 pm
Forum: Beginner Basics
Topic: Port forwarding not working?
Replies: 17
Views: 905

Re: Port forwarding not working?

If I'm outside my network www.domainname.com resolves and points to my raspberry pi. If I'm inside my network www.domainname.com refuses to connect. /ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec add action=accept chain=...
by jvanhambelgium
Wed Apr 07, 2021 11:34 pm
Forum: Beginner Basics
Topic: HELP: access external web page:port
Replies: 4
Views: 394

Re: HELP: access external web page:port

If you indeed are testing from the internal LAN trying to connect to the public FQDN AND this server has the same internal IP as your test-machine I think the hairpin should be put in place : In the NAT-section, put this in the SRC-NAT section add action=masquerade chain=srcnat comment="Mikroti...
by jvanhambelgium
Wed Apr 07, 2021 11:28 am
Forum: Scripting
Topic: Script to convert ip to address-list
Replies: 14
Views: 6129

Re: Script to convert ip to address-list

I think I would add the addresses to the list with some huge timeout so they are not written to flash...
This list probably is not so "dynamic" compared to others. So 1 update per day (or even per week) should be OK.
I'm going to check IF there are some hits against the counters anyway.
by jvanhambelgium
Wed Apr 07, 2021 11:02 am
Forum: Scripting
Topic: Script to convert ip to address-list
Replies: 14
Views: 6129

Re: Script to convert ip to address-list

Hi,
Made a copy-paste and now it works indeed! I've set the permissions exactly like you mentioned in your example.

Weird, but I'm happy it works now as I was pulling the last strands of hair from my skull !

Thx!
by jvanhambelgium
Tue Apr 06, 2021 7:13 pm
Forum: Scripting
Topic: Script to convert ip to address-list
Replies: 14
Views: 6129

Re: Script to convert ip to address-list

As long as the file is smaller than 64KB you could use the script written by Shumkov: https://forum.mikrotik.com/viewtopic.php?f=9&t=152632&p=758435 List is only 5KB big, but the script does not work, just throws an error in the log as the script is instructed to do. Looking at the original sc...
by jvanhambelgium
Tue Apr 06, 2021 5:51 pm
Forum: Scripting
Topic: Script to convert ip to address-list
Replies: 14
Views: 6129

Re: Script to convert ip to address-list

Anyone that can help me out why this does not work? Basically I combined some postings in order to make a script that should work, but it only cleans/empties my "DNS" address-list. I've downloaded the link below containing a bunch of DOH/DOT public servers that I want to convert into an ACL....
by jvanhambelgium
Mon Apr 05, 2021 7:16 pm
Forum: General
Topic: why youtube is not blocked?
Replies: 13
Views: 1659

Re: why youtube is not blocked?

As I have written before, you can have full control and block stuff by using products like Forcepoint. To make this work, you need to have full control of the client as well, some of which you can do with company policies. I'm working on some projects with Palo Alto equipment. Even without full SSL-decry...
by jvanhambelgium
Sun Apr 04, 2021 11:41 pm
Forum: General
Topic: RB951G-2HnD, ether port is going up and down
Replies: 6
Views: 586

Re: RB951G-2HnD, ether port is going up and down

What other releases than 6.47.4 did you try?
by jvanhambelgium
Sun Apr 04, 2021 9:14 am
Forum: General
Topic: Traffic Flow use 100% CPU of CCR1072
Replies: 3
Views: 1533

Re: Traffic Flow use 100% CPU of CCR1072

Does anyone on this forum know why MikroTik does not support random sampling?
Well, RouterOS does not even have Netflow v9/IPFIX properly implemented the last time I checked.
I've opened a ticket on this a long time ago, it was never addressed.
Currently using v5 and that seems to work.
by jvanhambelgium
Sat Apr 03, 2021 1:14 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 42
Views: 2141

Re: port 53 open despite firewall rules

What is a bit disturbing is the fact that you've tried with a RB941 and that box seems to behave as it should... Not being able to even capture these nmap packets on the RB4011 is ... weird to say the least... I'm running 6.47.7 on my RB3011 Feel free to probe my system on services.vanham-franck.be ...
by jvanhambelgium
Sat Apr 03, 2021 12:27 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 42
Views: 2141

Re: port 53 open despite firewall rules

i have used Packet sniffer inside routerOS. Filters: ether 01, tcp 53, direction any, filter operation AND. When sudo nmap -sS -Pn <IP> packets are visible, firewall is working and packets blocked. Nmap says all ports are filtered. When sudo nmap -sS -Pn -p 53 <IP> packets not coming, and obviously...
by jvanhambelgium
Sat Apr 03, 2021 11:46 am
Forum: General
Topic: port 53 open despite firewall rules
Replies: 42
Views: 2141

Re: port 53 open despite firewall rules

This is really a weird story.
Can you take a packet CAPTURE on the ingress interface in case your log remains empty? (sudo nmap -sS -sU -Pn -p53 <WANIP>) just to confirm the nmap probing actually arrives?!
by jvanhambelgium
Fri Apr 02, 2021 9:42 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 42
Views: 2141

Re: port 53 open despite firewall rules

Configuration looks OK. Normally you should not need to block port 53 on the outside, nor should it be open by itself. I have no linux server outside, so cannot test my port. https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap Just try a free scan? It will test 53 a...
by jvanhambelgium
Fri Apr 02, 2021 8:44 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 42
Views: 2141

Re: port 53 open despite firewall rules

Can you post some logging? And also enable the logging for the other 3 rules below. Then basically perform this nmap scan from the exterior and post some logging? Just to make sure these rules are effectively hit? add action=drop chain=input dst-port=53 in-interface-list=WAN log=yes protocol=tcp add ...
by jvanhambelgium
Fri Apr 02, 2021 6:24 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 42
Views: 2141

Re: port 53 open despite firewall rules

/ip dns
set servers=1.1.1.1

And what else is configured?? "Allow remote requests"???
by jvanhambelgium
Fri Apr 02, 2021 9:26 am
Forum: General
Topic: Port forwarding from a different subnet [SOLVED]
Replies: 15
Views: 1049

Re: Port forwarding from a different subnet [SOLVED]

No. What I was doing before adding the MT was port forward from 192.168.3.5 to 192.168.1.71. So if I went directly to 192.168.3.5 it would still activate the port forward. Now, with MT, I get an error connection not established.... Perhaps you should try to take a packet capture behind the MT to se...
by jvanhambelgium
Thu Apr 01, 2021 3:51 pm
Forum: General
Topic: Port forwarding from a different subnet [SOLVED]
Replies: 15
Views: 1049

Re: Port forwarding from a different subnet [SOLVED]

My mistake. It is on 192.168.1.71 Ok so if you can ping them right through the Mikrotik (with all FW policies off) that is already a good thing. In order to do this you added a static-route on this ISP Modem/Wifi thing?? Because without one you would never be able to reach 192.168.1.x By default it...
by jvanhambelgium
Thu Apr 01, 2021 3:13 pm
Forum: General
Topic: Port forwarding from a different subnet [SOLVED]
Replies: 15
Views: 1049

Re: Port forwarding from a different subnet [SOLVED]

Regarding : It is devices from 192.168.3.0/24 that cannot reach the servers.... Are you sure these wireless-clients have no sort of "isolation" mode-setting active, so they cannot reach their neighbors (basically dropping all RFC1918 IP space) and only allowing "Internet" I beli...
by jvanhambelgium
Thu Apr 01, 2021 12:17 pm
Forum: General
Topic: Port forwarding from a different subnet [SOLVED]
Replies: 15
Views: 1049

Re: Port forwarding from a different subnet [SOLVED]

Regarding : It is devices from 192.168.3.0/24 that cannot reach the servers.... But you do get packet hits on the MT ? Do you get *any* logging hit indicating a station on 192.168.3.x can reach the MT at all ?? So the wireless clients on the ISP-modem/Wifi receive a 192.168.3.x IP and seem "bri...
by jvanhambelgium
Sun Mar 28, 2021 11:44 am
Forum: General
Topic: Dhcp relay and dhcp server
Replies: 1
Views: 379

Re: Dhcp relay and dhcp server

Perhaps you want to make sure you have 2 "relays" configured? And then arrange things on the DHCP-server side. There are various ways to make a solid DHCP architecture depending on the type of DHCP server in use. Alternatively I think you could configure some "netwatch" entry on the...
by jvanhambelgium
Fri Mar 26, 2021 10:27 pm
Forum: General
Topic: Mikrotik - Traffic Flow- Getting only RX traffic [SOLVED]
Replies: 9
Views: 837

Re: Mikrotik - Traffic Flow- Getting only RX traffic [SOLVED]

Fixed it.. guys

Just changed the version to 5

😀👍
Like I told you before, indeed Netflow v5 seems to work "OK" and at least has a minimum of info in it.
There are more things on Mikrotik that "kind of work" but are not implemented fully...
by jvanhambelgium
Fri Mar 26, 2021 10:14 am
Forum: Beginner Basics
Topic: Home Setup NEWBIE
Replies: 4
Views: 807

Re: Home Setup NEWBIE

RB4011iGS+5HacQ2HnD-IN or RB4011iGS+RM or something probably.
by jvanhambelgium
Mon Mar 22, 2021 8:42 am
Forum: General
Topic: Mikrotik - Traffic Flow- Getting only RX traffic [SOLVED]
Replies: 9
Views: 837

Re: Mikrotik - Traffic Flow- Getting only RX traffic [SOLVED]

Thanks for the reply guys, My current firmware is 6.48 Then open a ticket. What version of Netflow are you using ? v5 / v9 / IPFIX Long time ago I opened a ticket due to a structural problem on IPFIX, it was never fixed. I'm currently using basic v5 , but here on 6.47.7 I seem to be getting both Rx...
by jvanhambelgium
Sun Mar 21, 2021 11:33 pm
Forum: General
Topic: NAT / Hairpin ? [SOLVED]
Replies: 2
Views: 468

Re: NAT / Hairpin ? [SOLVED]

Well, does your Internet router support NAT-Loopback / Hairpin / U-Turn NAT / whats-in-a-name as well, and was it configured? Because without it, it is normal that the router will not know what to do with it and no src-translation will occur. With a packet capture it is very easy to investigate what happens, does...
by jvanhambelgium
Sat Mar 20, 2021 9:23 am
Forum: General
Topic: Mikrotik - Traffic Flow- Getting only RX traffic [SOLVED]
Replies: 9
Views: 837

Re: Mikrotik - Traffic Flow- Getting only RX traffic [SOLVED]

@Jotne, Mikrotik will remove IP-accounting in v7, as far as I know; Netflow will not be removed, I may hope... Above example clearly seems Netflow based, based on the config. @msaini, hope you are not running a very old release? ""Starting 6.0rc14 release setting interface will show RX and...
by jvanhambelgium
Sat Mar 20, 2021 9:08 am
Forum: General
Topic: Compromised clients / Firewall question
Replies: 3
Views: 438

Re: Compromised clients / Firewall question

Looking at the repetitive sequences of "SYN" (the very first packet in the 3-way handshake process of TCP transmission) it seems the internal device cannot really establish a dialogue with the outside 64.233.185.101 and keep trying. (that IP belongs to Google for example) Same behavior for...
by jvanhambelgium
Thu Mar 18, 2021 10:50 pm
Forum: Beginner Basics
Topic: DHCP
Replies: 2
Views: 355

Re: DHCP

And a simple wireless network card was not an option for each of these LAN PCs without Wifi? Now you are making things so complex. I think you need to look into "dhcp relay" where you want to capture the DHCP request on the LAN side (from the PCs) and forward it towards a Microsoft DHCP...
by jvanhambelgium
Tue Mar 16, 2021 10:29 am
Forum: General
Topic: Web monitoring analyzer
Replies: 2
Views: 213

Re: Web monitoring analyzer

We are all suffering in real-time ;-) You probably mean surfing/browsing ;-) Well, that is going to be difficult. Most traffic these days is HTTPS or some form of encryption, so it's going to be hard to peek into that. Impossible with a product like Mikrotik. You want to see actual "content" of...
by jvanhambelgium
Mon Mar 15, 2021 9:47 pm
Forum: Beginner Basics
Topic: Port 22 / SFTP/SSH Being Blocked
Replies: 34
Views: 1991

Re: Port 22 / SFTP/SSH Being Blocked

Any other suggestions? I'm about ready to buy a new router at this point. :( Why is your config containing some lines with add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes To me, this looks...
by jvanhambelgium
Sat Mar 13, 2021 10:19 pm
Forum: General
Topic: How do you know that Mikrotik had become popular ?
Replies: 5
Views: 591

Re: How do you know that Mikrotik had become popular ?

Yeah was working on some Palo Alto boxes today and it did not take long for a user "MikroTik" to give it a try ;-)
by jvanhambelgium
Sun Mar 07, 2021 11:02 pm
Forum: Beginner Basics
Topic: Firewall whitelist setup
Replies: 3
Views: 533

Re: Firewall whitelist setup

Start with a simple schematic please ;-) Apart from that, why is this measurement device so "chatty" ? What does it try to contact as you wrote "...and it is always trying to ping servers and is consuming large volumes of data unchecked" What is that BGAN terminal ? A Linux host ...
by jvanhambelgium
Sun Feb 28, 2021 1:12 pm
Forum: Beginner Basics
Topic: Exclude local IP from internal resources, allow internet access only
Replies: 6
Views: 464

Re: Exclude local IP from internal resources, allow internet access only

If the switch supports VLANs you can also get the Wifi-router traffic across a dedicated VLAN to the Mikrotik. From there on, you can filter all you want and your scenario will work. However the "WAN" IP of the Wifi-router must change, you cannot use 10.1.1.2 with a mask 255.255.0.0 ...
by jvanhambelgium
Sun Feb 28, 2021 11:40 am
Forum: Beginner Basics
Topic: Exclude local IP from internal resources, allow internet access only
Replies: 6
Views: 464

Re: Exclude local IP from internal resources, allow internet access only

>> The wifi router as well as Mikrotik router are connected to a general purpose switch. The same switch being used by desktops, laptops and wired printers. Your above sentence caught my attention. Like this, it is impossible to control traffic! No way you can prevent your Wifi users (on that router...
by jvanhambelgium
Sun Feb 28, 2021 10:03 am
Forum: Beginner Basics
Topic: Exclude local IP from internal resources, allow internet access only
Replies: 6
Views: 464

Re: Exclude local IP from internal resources, allow internet access only

So to understand better, that Wifi-router is connected with its WAN port onto the Mikrotik LAN and all Wifi clients are NATted behind the IP address of this Wifi router, 10.1.1.2??? Basically you only ever see packets from 10.1.1.2 coming from that device with several clients connected? And secon...
by jvanhambelgium
Mon Feb 15, 2021 3:32 pm
Forum: Beginner Basics
Topic: Malicious VPN connection attempts?
Replies: 12
Views: 797

Re: Malicious VPN connection attempts?

MAC addresses are not relevant here (they only have significance on the local LAN), but public IPs are in this case. Sure, it would be a better way to whitelist and ONLY allow these IPs on the Internet to initiate IPSEC towards you, but this is not always possible unless all endpoints you know have fixed stat...
by jvanhambelgium
Fri Feb 12, 2021 1:12 pm
Forum: General
Topic: Logs to Elastic Kibana (Logstash on Windows Server)
Replies: 5
Views: 517

Re: Logs to Elastic Kibana (Logstash on Windows Server)

On the logstash host, take a quick look using "tcpdump" to see if any log-messages actually arrive from the Mikrotik
It's not rocket science.
by jvanhambelgium
Thu Feb 11, 2021 11:27 pm
Forum: General
Topic: Home Network is Failing
Replies: 10
Views: 657

Re: Home Network is Failing

>> RouterOS 6.48

You might want to step down a notch, say to version 6.47.7 or 6.47.8
This 6.48 has some serious issues, port-flappings etc.
Nothing in the logs on interface-flaps?
by jvanhambelgium
Mon Jan 25, 2021 11:20 pm
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 115
Views: 31261

Re: RB3011 port flopping - bad design

Flipping (ha ha) typical! I was just about to pull the trigger on one of these (literally right now), thinking I had found the perfect router with this one since the switch chips will do hardware VLAN unlike the 4011. So much for that. Oh well, at least for once I found out about an issue before pu...
by jvanhambelgium
Sat Jan 23, 2021 8:43 pm
Forum: General
Topic: Firewall Filtering ICMP Packet [SOLVED]
Replies: 5
Views: 534

Re: Firewall Filtering ICMP Packet [SOLVED]

Just add a rule above this one in the input chain where you simply accept "icmp" "echo-reply". (so protocol "icmp" and further icmp-type use "echo-reply") You don't even have to specify any source IPs or interfaces. Just make it very general. Basically the ...
by jvanhambelgium
Sat Jan 23, 2021 1:20 pm
Forum: General
Topic: Is it possible to use one of our assigned Public IPs on external router connected to another ISP?
Replies: 3
Views: 341

Re: Is it possible to use one of our assigned Public IPs on external router connected to another ISP?

It all depends actually. "this other ISP" might not be interested in playing TRANSIT for IP space not belonging to them, OR you might have to make the correct commercial agreements and pay for this transit. Now the IP space you received from Vultr is effectively part of their (larger) all...
by jvanhambelgium
Fri Jan 15, 2021 6:45 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 114
Views: 9818

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

We also divide our network up, we have some 15 network areas now. Simply saying "move away from PPPoE" does not help, especially while also saying "my company has millions of PPPoE customers". My complaint is we don't have clear specs as to how many sessions will be supported by ...
by jvanhambelgium
Thu Jan 14, 2021 9:13 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 114
Views: 9818

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

Sooooo move away from PPPoE to what exactly? We are talking 15.000 CPEs, I’m open to suggestions. Movistar, my home fibre ISP, with millions of customers, runs PPPoE... The company I work for also has millions of PPPoE users/customers too ;-) But we are running several "areas" & "...
by jvanhambelgium
Fri Jan 08, 2021 12:20 am
Forum: General
Topic: RB3011UiAS-RM severely bad upload speed on charter cable
Replies: 26
Views: 1403

Re: RB3011UiAS-RM severely bad upload speed on charter cable

The logs are clean in terms of interface problems? No flappings on this port? Did you check the Rx/Tx statistics to spot issues at the ethernet level? When you say "flappings" what do you mean? Are you talking about link transitions? I have not checked the Rx/Tx stats... I'm always con...
by jvanhambelgium
Thu Jan 07, 2021 11:20 pm
Forum: General
Topic: RB3011UiAS-RM severely bad upload speed on charter cable
Replies: 26
Views: 1403

Re: RB3011UiAS-RM severely bad upload speed on charter cable

The logs are clean in terms of interface problems? No flappings on this port? Did you check the Rx/Tx statistics to spot issues at the ethernet level? Your setup should be really simple, even less challenging than using PPPoE or something. (eg. causing MTU issues etc) My RB3011 for sure has n...
by jvanhambelgium
Mon Jan 04, 2021 3:30 pm
Forum: General
Topic: LAN speed issue
Replies: 15
Views: 972

Re: LAN speed issue

If you downgrade to your previous release, is the issue gone?
If so, open a bug report.
This 6.48 release seems to cause a lot of issues on various architectures. I'm not updating my equipment for sure...

PS : I assume you are talking MBps (MegaBYTES/sec), not Mbps (=MegaBITS/sec)
by jvanhambelgium
Fri Dec 18, 2020 7:31 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved

Dear Sir, Thanks for Tool. I get below error (log/splunkd.log) and after that logging stopped. WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (32) characters of event. Defaulting to timestamp of previous event (Thu Dec 17 04:11:00 2020). Context: source=udp:514|...
by jvanhambelgium
Fri Dec 11, 2020 2:27 pm
Forum: RouterBOARD hardware
Topic: RB3011 took hit from the storm [SOLVED]
Replies: 4
Views: 1006

Re: RB3011 took hit from the storm [SOLVED]

It would really surprise me if, by replacing the chip, the Routerboard will work again. But always good to give it a try! It is very likely indeed that other components have been impacted too and that this voltage regulator was the most visible one ;-) But hey, it's only a 70 cent part and some easy...
by jvanhambelgium
Fri Dec 11, 2020 10:15 am
Forum: RouterBOARD hardware
Topic: RB3011 took hit from the storm [SOLVED]
Replies: 4
Views: 1006

Re: RB3011 took hit from the storm [SOLVED]

I think it looks like this one , since it is located in the power-supply section of the board, probably some voltage regulator (like LMxxxx models) http://www.liteon-semi.com/upfiles/tecfile01325657516.pdf (LSP5522 : 2A DC/DC convertor) https://datasheetspdf.com/pdf-file/903448/Lite-On/LSP5523/1 (LS...
by jvanhambelgium
Wed Dec 09, 2020 3:35 pm
Forum: Scripting
Topic: Block youtube,FB and games
Replies: 8
Views: 1817

Re: Block youtube,FB and games

Conclusion : Mikrotik is just not the correct product for such requirements in 2020 and beyond. Using any sort of blocking based on IP's (static, via BGP or any other means) is not the way to go. Much more advanced products exist that inspect this traffic and know the signatures, understand the dyna...
by jvanhambelgium
Mon Dec 07, 2020 11:12 am
Forum: Beginner Basics
Topic: Limited Wifi Services
Replies: 7
Views: 501

Re: Limited Wifi Services

Another approach would be to extremely control DNS-lookups and control/limit clients like that. So basically deny any client to perform a lookup to any "outside" DNS server Have a local DNS that will only answer certain things. Eg. if you would try to resolve *.microsoft.com it would alway...
by jvanhambelgium
Mon Dec 07, 2020 9:10 am
Forum: Beginner Basics
Topic: Limited Wifi Services
Replies: 7
Views: 501

Re: Limited Wifi Services

So you are basically blocking everything and then want to "open up" for specific things like WhatsApp and the Be Safe thing? Now you also want to allow GMail? Just want to tell you that this way of thinking hardly works anymore in 2020 and Mikrotik products are not that advanced that they...
by jvanhambelgium
Sun Dec 06, 2020 8:28 pm
Forum: General
Topic: ARP for hosts that migrate across (non-MTik) WiFi access points?
Replies: 8
Views: 694

Re: ARP for hosts that migrate across (non-MTik) WiFi access points?

Roaming is a client-side "decision", but there are some settings on the AP that can "assist" in this in asking a connected client to move off the AP (eg. RSSI-values, certain "Fast Roaming" settings) I have 2 AP's in the house (Ubiquiti Networks) that are connected to a...
by jvanhambelgium
Sat Dec 05, 2020 12:05 am
Forum: General
Topic: Firewall oddity
Replies: 10
Views: 1115

Re: Firewall oddity

Enable some logging on the 3rd rule so you can get more info on what makes the counter go up ?
by jvanhambelgium
Wed Dec 02, 2020 6:19 pm
Forum: General
Topic: RouterOS as central DHCP
Replies: 8
Views: 605

Re: RouterOS as central DHCP

Unless you run a smaller shop I would not consider letting a Mikrotik take over DHCP services... The DHCP-implementation in Windows Server is much more advanced than what you would find on RouterOS. Eh. Server 2016/2019 has "high available" (not using the old fashioned way of splitting sco...
by jvanhambelgium
Tue Dec 01, 2020 9:51 pm
Forum: General
Topic: Port scanner filling up connection tracking
Replies: 21
Views: 1307

Re: Port scanner filling up connection tracking

You run BGP and don't understand how stateful / stateless firewalls work? I second the suggestion to get a consultant (though not the one above that is also a useless blacklist). You're clearly in over your head here. Using PSD just opens you to further attack when someone decides to spoof the IP o...
by jvanhambelgium
Mon Nov 23, 2020 5:56 pm
Forum: General
Topic: Destination-Side Source Address Validation
Replies: 3
Views: 452

Re: Destination-Side Source Address Validation

You must use the FORWARD chain, you want to DROP effectively packets coming in SOURCED with your own public prefixes destined for some hosts behind the Mikrotik.
The INPUT chain is for traffic directed at the Mikrotik itself, this is not the case here.
by jvanhambelgium
Sat Nov 21, 2020 3:20 pm
Forum: General
Topic: Network architecture recommendations
Replies: 6
Views: 637

Re: Network architecture recommendations

I would go for the second topology (with red dotted flows) so use indeed separate interfaces towards ISP and clients.
Is this equipment located close to each other ? Or does "ether7" run across some provider L2-link to some remote location where the EdgeSwitch is located ?
by jvanhambelgium
Wed Nov 18, 2020 5:29 pm
Forum: General
Topic: How to Block URL's in Router OS?
Replies: 12
Views: 788

Re: How to Block URL's in Router OS?

And when the TLS Host is used? And how does it work? That's what I wrote above. It matches on the only part of the url you can see in plaintext for https connections - the fqdn. So you can use it to block https connections to the whole play.google.com. I don't think that's what you want. Ok Tha...
by jvanhambelgium
Sun Nov 15, 2020 11:41 am
Forum: Scripting
Topic: how to get log records for last 5 mins?
Replies: 11
Views: 3043

Re: how to get log records for last 5 mins?

Works fine on my RB3011 running 6.47.7 "Stable" too !
by jvanhambelgium
Thu Nov 12, 2020 9:58 pm
Forum: Beginner Basics
Topic: Port 22 / SFTP/SSH Being Blocked
Replies: 34
Views: 1991

Re: Port 22 / SFTP/SSH Being Blocked

Ah OK, the line below IS your generic masq rule providing "NAT'ed" access for all the internal 192.168.1.0/24 IP's. The comment was a bit misleading. >> add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.1.0/24 You have the rules in place in the fo...
by jvanhambelgium
Thu Nov 12, 2020 9:05 pm
Forum: Beginner Basics
Topic: Port 22 / SFTP/SSH Being Blocked
Replies: 34
Views: 1991

Re: Port 22 / SFTP/SSH Being Blocked

You only posted parts of the config. Are you using some form of VPN tunnel and do you route specific traffic into a tunnel ? Do all other regular Internet services work from that same PC you are testing from ? (eg. generic browsing, dns lookups etc) Because : add action=masquerade chain=srcnat comme...
by jvanhambelgium
Thu Nov 12, 2020 8:50 pm
Forum: Beginner Basics
Topic: Port 22 / SFTP/SSH Being Blocked
Replies: 34
Views: 1991

Re: Port 22 / SFTP/SSH Being Blocked

The first one works just fine for me, I issue sftp demo@test.rebex.net and I see a password prompt etc. web check test.rebex.net:22 demo/password Also supports SSH, FTP/SSL, FTP, IMAP, POP3 and Time protocols. Read-only. What you can do is really start LOGGING (add logging on rules) a bit so it migh...
by jvanhambelgium
Thu Nov 12, 2020 10:41 am
Forum: General
Topic: CPU stress test
Replies: 4
Views: 446

Re: CPU stress test

Disable STP and create some ethernet-loops ? That will get the fire going ;-)
by jvanhambelgium
Sun Nov 08, 2020 7:37 pm
Forum: General
Topic: iOS14 "Use Private Address" Random MAC (Default) and Time Restrictions
Replies: 25
Views: 1646

Re: iOS14 "Use Private Address" Random MAC (Default) and Time Restrictions

I don't have any iOS device to test it, but quick search suggests that these random MAC addresses should correctly set the local bit. If you include bridge in your config (you could use one as "wrapper" for wlan interface, if you don't already have some), then bridge filters have option f...
by jvanhambelgium
Sun Nov 08, 2020 4:05 pm
Forum: General
Topic: iOS14 "Use Private Address" Random MAC (Default) and Time Restrictions
Replies: 25
Views: 1646

Re: iOS14 "Use Private Address" Random MAC (Default) and Time Restrictions

We do live in a strange world indeed... The "kids control" feature on Mikrotik only uses MAC-addresses for identification (and then the IP is retrieved from the ARP-table using the MAC you provided). There seems, as far as the Wiki is up-to-date, no way to use other criteria. So yeah ... th...
by jvanhambelgium
Sun Nov 08, 2020 3:42 pm
Forum: General
Topic: iOS14 "Use Private Address" Random MAC (Default) and Time Restrictions
Replies: 25
Views: 1646

Re: iOS14 "Use Private Address" Random MAC (Default) and Time Restrictions

Please read carefully, if one tries Time Restrictions then definitely not on a device that one controls physically... I read : Used to quite happily restrict kids time using MAC address of the iDevices So ... you have nothing to say about idevices of your KIDS ? Strange world we live in then. Perha...
by jvanhambelgium
Sun Nov 08, 2020 11:11 am
Forum: General
Topic: iOS14 "Use Private Address" Random MAC (Default) and Time Restrictions
Replies: 25
Views: 1646

Re: iOS14 "Use Private Address" Random MAC (Default) and Time Restrictions

Simply disable the option?
I have an iOS device that updated to 14.x some days ago and started using this random MAC-address.
Go into the settings of the phone, to the Wireless settings and disable "Private Network" and done...

Easy if the iOS devices are under your own control.
by jvanhambelgium
Sat Nov 07, 2020 9:51 am
Forum: Beginner Basics
Topic: Filter rule issue
Replies: 3
Views: 306

Re: Filter rule issue

WITHIN a chain, rules are evaluated TOP -> BOTTOM
Please understand the difference between INPUT chain, FORWARD chain, OUTPUT chain etc. (most important are INPUT/FORWARD)

https://wiki.mikrotik.com/wiki/Manual:I ... ter#Chains
by jvanhambelgium
Tue Nov 03, 2020 9:12 pm
Forum: Beginner Basics
Topic: Mikrotik router
Replies: 3
Views: 250

Re: Mikrotik router

That last . is probably causing the error (reason for the red color)

10.10.10.10/24 and not like you try 10.10.10.10./24
by jvanhambelgium
Tue Nov 03, 2020 8:50 am
Forum: General
Topic: How do we share a large common dhcp pool on a bridged interface to vlans out of that bridge?
Replies: 3
Views: 329

Re: How do we share a large common dhcp pool on a bridged interface to vlans out of that bridge?

What you want is PVLAN (Private VLAN). In the concept of PVLAN, there exist mainly two types of ports : Promiscuous port (P-Port) and Host port. Host port further divides in two types – Isolated port (I-Port) and Community port (C-port). Promiscuous port (P-Port): The switch port connects to a route...
by jvanhambelgium
Sun Nov 01, 2020 8:37 pm
Forum: Announcements
Topic: v6.47.7 [stable] is released!
Replies: 45
Views: 12616

Re: v6.47.7 [stable] is released!

I took the plunge and updated my RB3011 from 6.46.6 (Testing) to this latest "stable" Upgrade process without any issues, now I will be looking out for "interface resets/flaps" that have plagued me over the latest span of releases. It seemed the 6.46.6 (Testing) proved stable con...
by jvanhambelgium
Sun Nov 01, 2020 9:49 am
Forum: General
Topic: Discover username and password used to try to access my routerboard
Replies: 1
Views: 279

Re: Discover username and password used to try to access my routerboard

Not the password, but in the logs you will get 1 line indicating an attempt of that login ?
Who cares about the password at this stage...


Time: Nov/01/2020 08:48:23
Buffer: memory
Topics: system, error, critical
Message: login failure for user invaliduser from IP.ADDRESS.OF.ATTEMPT via ssh
by jvanhambelgium
Thu Oct 22, 2020 9:17 pm
Forum: General
Topic: PSA: Trickbot is using compromised Mikrotik devices. Secure your routers reachable from the internet.
Replies: 18
Views: 1752

Re: PSA: Trickbot is using compromised Mikrotik devices. Secure your routers reachable from the internet.

Anyone that runs "SMB" on a router/firewall AND has it exposed to the Internet should be thrown into the darkest dungeon of Mount Doom!
by jvanhambelgium
Mon Oct 19, 2020 8:48 am
Forum: Beginner Basics
Topic: Each port of mikrotik is separate from others
Replies: 7
Views: 577

Re: Each port of mikrotik is separate from others

So you are looking for something like "(Private) VLAN" ? You want to avoid that each of the ports can communicate among them ? But please explain your usecase ? Are you offering something like Internet access for an apartment building where everybody has their own router ?? Where are all ...
by jvanhambelgium
Thu Oct 15, 2020 2:31 pm
Forum: Beginner Basics
Topic: Questions relating to Hotspot, https redirects, certificates + SUP-30646
Replies: 14
Views: 850

Re: Questions relating to Hotspot, https redirects, certificates + SUP-30646

Of course it will fix your issues.
Just make sure you have a valid certificate for any URL that an end-user is redirected/pointed to.
If you purchase a wildcard-cert for *.mycompany.com you are completely flexible in what you want to achieve.
by jvanhambelgium
Tue Oct 06, 2020 10:36 pm
Forum: General
Topic: Network Lock Down
Replies: 6
Views: 612

Re: Network Lock Down

MAC addresses are easy to spoof, you should really be looking at 802.1x for wired and WPA2-Enterprise for wireless authentication against a RADIUS server Not always possible. Depends on the devices. If these devices have no "supplicant" embedded in their software, MAC-authentication is th...
by jvanhambelgium
Sat Oct 03, 2020 9:07 am
Forum: Wireless Networking
Topic: antenna
Replies: 2
Views: 634

Re: antenna

Antenna design is complex. (you can have a PhD in RF-transmission) Any antenna not specifically "matched" to its intended purpose will not work at all, work very badly or even cause some damage because of the energy that cannot be radiated into the air that needs to be dissipated somewhere a...
by jvanhambelgium
Fri Oct 02, 2020 9:09 am
Forum: RouterBOARD hardware
Topic: So, there is a 100g switch coming?
Replies: 9
Views: 1269

Re: So, there is a 100g switch coming?

Operating at these speeds requires some serious engineering, fully redundant "non stop" fabric, separate control & data-planes (and preferably redundant of course) Cool, how much do you want to pay ? More than a few minutes downtime in (such) environments may already start paying for ...
by jvanhambelgium
Thu Oct 01, 2020 9:45 pm
Forum: RouterBOARD hardware
Topic: So, there is a 100g switch coming?
Replies: 9
Views: 1269

Re: So, there is a 100g switch coming?

Yeah. a 100g x 12 "top of rack" with a decent SOC - look at the prices of those switches and Mikrotik can make a real dent in the market. With free daily flapping of the interfaces ;-) Operating at these speeds requires some serious engineering, fully redundant "non stop" fabri...
by jvanhambelgium
Fri Sep 18, 2020 8:40 pm
Forum: Beginner Basics
Topic: Syslog remote to unique port
Replies: 2
Views: 227

Re: Syslog remote to unique port

You might want to have the "Log" box ticked ? Your screenshot-NAT rules would never generate a logging without ticking that box obviously.
by jvanhambelgium
Tue Sep 15, 2020 9:34 am
Forum: General
Topic: Blocking Facebook, Tiktok and other websites
Replies: 7
Views: 1392

Re: Blocking Facebook, Tiktok and other websites

The bottom-line is that a Mikrotik product simply is not suited anymore in this domain. It might have been so 10 years ago, but not anymore. I'm doing some projects using Palo Alto at the moment and their App-ID (signature based) detects all these web-applications without a problem (> 3000 different...
by jvanhambelgium
Mon Sep 14, 2020 10:41 am
Forum: General
Topic: Blocking Facebook, Tiktok and other websites
Replies: 7
Views: 1392

Re: Blocking Facebook, Tiktok and other websites

That was in 2012 and now 'they' use HTTPS instead of HTTP. Which means that i do not stand a chance? If yes, then it makes it strange for me to believe that Mikrotik has left this area untouched. You might make it work "somewhat" by really blocking large portions of IP-space owned by &quo...
by jvanhambelgium
Wed Sep 09, 2020 9:32 am
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 115
Views: 31261

Re: RB3011 port flopping - bad design

Any advice for SFP users with this problem? I am currently about to downgrade to 6.45.9 as it seemed to be working for other users. Very frustrating. Not using any SFP on my RB3011 but I'm running 6.46.6 (testing) without port-flaps for months now. I'm pretty sure that if I upgrade to the latest &q...
by jvanhambelgium
Mon Sep 07, 2020 4:37 pm
Forum: General
Topic: VLAN vs Firewall Rules for Isolating
Replies: 7
Views: 558

Re: VLAN vs Firewall Rules for Isolating

I mean if I used the same IP range and network with wireless, but used firewall rules to segregate the devices, is this as effective as a VLAN?
I think you can consider this also as a "yes"
But again : I don't use Mikrotik for wireless.
by jvanhambelgium
Mon Sep 07, 2020 4:07 pm
Forum: General
Topic: blocking windows update (both ipv4 and ipv6)
Replies: 6
Views: 1347

Re: blocking windows update (both ipv4 and ipv6)

Are you running some DNS-filtering server ? (eg. Pi-hole ??) If so, you could add the following below and block them. http://windowsupdate.microsoft.com http://*.windowsupdate.microsoft.com https://*.windowsupdate.microsoft.com http://*.update.microsoft.com https://*.update.microsoft.com http://*.wi...
by jvanhambelgium
Mon Sep 07, 2020 2:46 pm
Forum: General
Topic: blocking windows update (both ipv4 and ipv6)
Replies: 6
Views: 1347

Re: blocking windows update (both ipv4 and ipv6)

Simply configure your PC's NOT to check at Microsoft for updates ?? Possible with Win7 , Win10 etc.
Some problems should not be fixed at the network layer.

Of course, I don't think it is always smart NOT to install updates ... some updates you really WANT to install.
by jvanhambelgium
Mon Sep 07, 2020 2:43 pm
Forum: General
Topic: VLAN vs Firewall Rules for Isolating
Replies: 7
Views: 558

Re: VLAN vs Firewall Rules for Isolating

Good point about the wired cables. Will the firewall isolation work for wireless? If you make a separate SSID/Network for your "IoT" related stuff this can be linked to separate IP-range and then yes, you can filter accordingly. I don't use Mikrotik for any wireless, but this should be we...
by jvanhambelgium
Mon Sep 07, 2020 2:03 pm
Forum: General
Topic: VLAN vs Firewall Rules for Isolating
Replies: 7
Views: 558

Re: VLAN vs Firewall Rules for Isolating

Note the "firewall" approach will only work if these IoT things are cabled DIRECTLY on a Mikrotik port! (but I guess you knew that) I think both approaches are about equally "safe" if executed correctly. But if you have several devices it is not easy to cable every IoT "thin...
by jvanhambelgium
Mon Sep 07, 2020 8:36 am
Forum: Beginner Basics
Topic: access IPTV Cameras from outside
Replies: 8
Views: 613

Re: access IPTV Cameras from outside

Hi, >> I have Static IP address given by ISP 10.179.238.36 to which the Main WiFi Router is connected. Sure you have a static IP, but you do not have a PUBLIC IP , this means all the NAT-mapping must also be performed on the "outer" contour (router) AND also on the Mikrotik. You have ac...
by jvanhambelgium
Fri Sep 04, 2020 9:20 am
Forum: Beginner Basics
Topic: IP is leased but no internet access [SOLVED]
Replies: 7
Views: 866

Re: IP is leased but no internet access [SOLVED]

You are running the latest "stable" RouterOS 6.47.3
When did you upgrade ? Because this release is only out since September 01 which seems closely related to the last date your setup worked ;-)

Revert to 6.47.2 (or 6.47.1) and I guess all will be fine again ;-)
by jvanhambelgium
Wed Sep 02, 2020 5:28 pm
Forum: General
Topic: How separate Radius Request By Domain [SOLVED]
Replies: 1
Views: 241

Re: How separate Radius Request By Domain [SOLVED]

Create 2 "RADIUS" client profiles ? Each with their own "realm" to make the split ?

Eg myuser@realm1 can go to RADIUS1 and myuser@realm2 can go to RADIUS2

https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client
by jvanhambelgium
Sun Aug 30, 2020 10:45 am
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 114
Views: 9818

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

I use mikrotik for my bras. Over the last few months, I started moving the gateways to juniper mx 204. Because of static addresses, it could take 20 plus seconds for the routes to come up in the mikrotk with a full route. The juniper only took a few seconds to update from the bras. Juniper îs The K...
by jvanhambelgium
Sun Aug 30, 2020 10:44 am
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 114
Views: 9818

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

I use mikrotik for my bras. Over the last few months, I started moving the gateways to juniper mx 204. Because of static addresses, it could take 20 plus seconds for the routes to come up in the mikrotk with a full route. The juniper only took a few seconds to update from the bras. Juniper îs The K...
by jvanhambelgium
Thu Aug 27, 2020 9:14 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 114
Views: 9818

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

Aside - anyone else think that massive PoE switches are on the danger list with the use of physical handsets being on the wane? My largest client moved office just before the pandemic and I finally got them to dump the handsets. They've gone pure Teams telephony with USB headsets and/or using their...
by jvanhambelgium
Thu Aug 27, 2020 7:32 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 114
Views: 9818

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

True that I consider Cisco today more really as a software company, where 5-10 years ago "hardware" was more the focus with monolithic software designs. Agree on the licensing too, you almost need a PhD to understand that (same with Microsoft etc) and pricing. Like you say, sooo much equip...
by jvanhambelgium
Thu Aug 27, 2020 6:56 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 114
Views: 9818

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

So yes ... they pack a lot of performance. Should jolly well hope so for £3,500!! Do Mikrotik do a 48 port switch? I can find MikroTik CRS328-24P so would need two for £750. Serious question, what extra does the Cisco Catalyst 9300 bring to the table? stacking, stack-power, SDN (Simplified device d...
by jvanhambelgium
Thu Aug 27, 2020 6:11 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 114
Views: 9818

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

Don't they understand CPU cycles or what? x86 (I think they are possibly x64?) enough said. That's high-horsepower. You could do a bunch of things that's not possible on arm, arm64, MIPS etc Intel® x86 CPU complex with 8-GB (DDR4 2400 MT/s) memory, and 16 GB of flash and external USB 3.0 SSD plugga...
by jvanhambelgium
Thu Aug 27, 2020 4:26 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 114
Views: 9818

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

Don't they understand CPU cycles or what? Generally, no - people don't tend to realise that network devices are computers with a CPU, RAM, storage and IO with inherent resource constraints. I fell slightly into this camp until I started learning RouterOS in more detail and started to realise how it...
by jvanhambelgium
Thu Aug 27, 2020 10:57 am
Forum: Beginner Basics
Topic: Just when I thought I had it figured out..
Replies: 3
Views: 489

Re: Just when I thought I had it figured out..

On each of the systems, can you ping other end of the 10Gbits/s link ? Ping 1.1.1.1 (on Windows to Ubuntu) and ping 1.1.1.2 (on Ubuntu to Windows) gives you a reply ? If not, don't ever bother looking any further and fix that first. IF you get a reply, did you try to effectively MAP a network drive ...
by jvanhambelgium
Wed Aug 26, 2020 11:48 pm
Forum: RouterOS v7 BETA
Topic: Add sFlow
Replies: 6
Views: 875

Re: Add sFlow

So what's actually broken?.. Well ... flowStartMilliseconds and flowEndMilliseconds fields in the template are not correctly embedded, putting 1970-01-01 00:00:00 (Epoch) in there. So basically useless. I've tried some netflow tooling and they cannot really work with that IPFIX data like this. It s...
by jvanhambelgium
Wed Aug 26, 2020 10:42 pm
Forum: RouterOS v7 BETA
Topic: Add sFlow
Replies: 6
Views: 875

Re: Add sFlow

Is it broken in v7 only? Nope, also in 6.4x I've opened a case for that long ago ... latest reply on 21/07. Let's hope the release-notes from any future 6.x release contain the fix. This is so very trivial. Probably never tested or something after coding it....how else could you miss this one. ----...
by jvanhambelgium
Wed Aug 26, 2020 7:50 pm
Forum: RouterOS v7 BETA
Topic: Add sFlow
Replies: 6
Views: 875

Re: Add sFlow

Add sFlow
Perhaps they should start to FIX the broken IPFIX implementation to start with...
by jvanhambelgium
Tue Aug 25, 2020 10:18 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 114
Views: 9818

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

The reason that Cisco is the standard is because their product support is OUTSTANDING ..... Also I am quite astonished how long that oldish Cisco gear lasts. Just think of the venerable C3750 or C6500 series. The C6500 platform was the most successful switch/platform product on this planet ever! (>...
by jvanhambelgium
Tue Aug 25, 2020 9:37 pm
Forum: General
Topic: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]
Replies: 114
Views: 9818

Re: Mikrotik or NOT!!! Industry standarts say no!! Why? [SOLVED]

I was the Network Architect in charge of designing the company's new flagship Data Center in New York. Originally, the DC was supposed to use 4 Cisco ASR1006-X routers (2 for IP Transit and 2 for aggregation of MPLS L3VPN circuits - I think it was approximately $200,000 USD worth of gear ), we foun...
by jvanhambelgium
Tue Aug 25, 2020 5:43 pm
Forum: General
Topic: How to redirect all traffic to IPS
Replies: 7
Views: 655

Re: How to redirect all traffic to IPS

You have another (free) interface on the IPS that you can cable to the Mikrotik ? So not "IPS-on-a-stick" but different interface? Then configure another 172.16.4.x/30 subnet between them. I don't see why this should not work with some policy-route constructions ? I have to say I don't ha...
by jvanhambelgium
Tue Aug 25, 2020 2:04 pm
Forum: General
Topic: How to redirect all traffic to IPS
Replies: 7
Views: 655

Re: How to redirect all traffic to IPS

You have another (free) interface on the IPS that you can cable to the Mikrotik ? So not "IPS-on-a-stick" but different interface? Then configure another 172.16.4.x/30 subnet between them. I don't see why this should not work with some policy-route constructions ? I have to say I don't hav...
by jvanhambelgium
Mon Aug 24, 2020 6:50 pm
Forum: General
Topic: How to redirect all traffic to IPS
Replies: 7
Views: 655

Re: How to redirect all traffic to IPS

What mangle rule did you use ? What was the action ? If you use "route" know that it only works in the "pre-routing chain" Perhaps you should use the "mark-routing" action to mark these packets and process them with PBR (Policy Based Routing) ? Most experts here will pr...
by jvanhambelgium
Mon Aug 24, 2020 2:07 pm
Forum: General
Topic: Simple method remote router shutdown (using android and Wi-Fi)
Replies: 4
Views: 592

Re: Simple method remote router shutdown (using android and Wi-Fi)

Connect a power-plug (Zwave/Zigbee/Wifi) between router and outlet on the wall. Note this is not really a "clean" shutdown ;-) Not sure if that could be problem. It would more be in a panic/kill-switch situation. This is also the only way to ACTIVATE the router again. If you choose "s...
by jvanhambelgium
Sun Aug 23, 2020 1:33 pm
Forum: Beginner Basics
Topic: Basic NAT from outside not working
Replies: 5
Views: 1339

Re: Basic NAT from outside not working

It seems your connection is processed by some CGNAT (Carrier Grade NAT) from the operator/provider. If so, you will never be able to have any inbound mappings like you try. You need a PUBLIC address on any of your interfaces, but I don't see that. 10.2.x.x IP's on your LTE-interface are not public I...
by jvanhambelgium
Fri Aug 21, 2020 11:31 am
Forum: Beginner Basics
Topic: Remote Management Access using Public IP
Replies: 11
Views: 4261

Re: Remote Management Access using Public IP

1) IP whitelisting provides limited security. Your ISP and any 3rd party in between your SRC and DST is in full control over data going through and can simulate connection with a fake IP. 2) Nonstandard port provides also very limited security. Technically, it is a "security through obscurity&...
by jvanhambelgium
Fri Aug 14, 2020 2:29 pm
Forum: General
Topic: IPSEC Monitoring traffic
Replies: 2
Views: 951

Re: IPSEC Monitoring traffic

If you would have a "VPN" towards Azure this would not be an option. (I think, things evolve of course but...) Only IPSEC/IKE2 supported as far as I know.
I'm running such IPSEC connection into Azure (on my RB3011) but indeed it does not show as "an interface".
by jvanhambelgium
Mon Aug 03, 2020 6:17 pm
Forum: General
Topic: NetFlow. No longer showing NAT'd destination address - Something chnaged
Replies: 34
Views: 6546

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

You may simply sniff your Traffic Flow packets and check with WireShark if there are postNATSourceIPv4Address, postNATDestinationIPv4Address, postNAPTSourceTransportPort and postNAPTDestinationTransportPort fields. I've done this recently and can confirm v9 DOES have these field populated. Captured...
by jvanhambelgium
Mon Aug 03, 2020 1:56 pm
Forum: General
Topic: WebFig UI sometimes incomplete
Replies: 4
Views: 999

Re: WebFig UI sometimes incomplete

Alright, I see. Thx! I'm mostly running on non-Windows machines, so WinBox is not a good option for me. Of course I use SSH, but once in a while WebFig UI is what I want to use. I guess the next release will be out in a few weeks, so hopefully that'll be fixed then. Winbox runs "fine" (do...
by jvanhambelgium
Mon Jul 27, 2020 10:21 pm
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 115
Views: 31261

Re: RB3011 port flopping - bad design

Later today I am going to upgrade back to 4.47 again ;-) and re-evaluate. Hello - any results? How does it work now after the upgrade to 4.47? Nope, I'm running 4.46.6 "testing release" for quite some time now (25 days), "hardly" any portflaps anymore. Not completely free of fla...
by jvanhambelgium
Thu Jul 23, 2020 8:21 am
Forum: Beginner Basics
Topic: Should Proxy-Arp be enabled on bridges or interfaces?
Replies: 2
Views: 1153

Re: Should Proxy-Arp be enabled on bridges or interfaces?

Nope normally you do not enable this, but how does your whole network look like ? You have S2S VPN's attached ? Incoming VPN-clients ? Other lines attached to the Mikrotik ? Or just a classic "LAN" with some bridges & VLAN's ? As per wiki, it is a technique by which a proxy device on a...
by jvanhambelgium
Wed Jul 22, 2020 9:32 am
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved

Would it be possible to allow more than 20 characters on a firewall-rule index in Splunk ?? Increase it to 25 or so ?
For some rules in Splunk where my label exceeds 20 chars, I get :

too_long_Prefix_max_20_characters


Especially some custom NAT/Portknock rules that contain a somewhat larger label..
by jvanhambelgium
Sun Jul 19, 2020 2:27 pm
Forum: General
Topic: help locating/identifying unknown Mikrotik device
Replies: 5
Views: 1476

Re: help locating/identifying unknown Mikrotik device

Don't waste your time too much on things like trying to login or using some fancy tools. Do like was suggested earlier : log on to your (hopefully) managed LAN-switches and simply locate the physical ports where this Mikrotik MAC is seen (if you use VLAN's trace it further down to the access-switch where ...
by jvanhambelgium
Fri Jul 17, 2020 10:37 am
Forum: Wireless Networking
Topic: Mikrotik Opinions
Replies: 9
Views: 2568

Re: Mikrotik Opinions

Our worst nightmare is that Cisco or someone finally gets tired of the competition and buys them. Cisco would not have any interest in Mikrotik. Compared to the current generation of Cisco hardware & software, Mikrotik are prosumer toys. (but with a very attractive pricing so they do have ...
by jvanhambelgium
Fri Jul 17, 2020 10:29 am
Forum: RouterOS v7 BETA
Topic: Traffic to blocked address still succeeds. Why? A bug?
Replies: 24
Views: 5503

Re: Traffic to blocked address still succeeds. Why? A bug?

Force the DNS resolver to a server you have under control and null the blocked domains out there. I'm pretty sure the smart android clients in the very near future then revert to some DoH lookup mechanism if they feel something is "off", go out on the Internet on port 443 and still perfor...
by jvanhambelgium
Fri Jul 17, 2020 9:05 am
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved

Yes I'm using the official splunk image with internal syslog stored on local volume (I'm using Docker on my Synology NAS). With "internal syslog" you mean the Synology syslog. In the Splunk container I do not see a syslog. You don't need to "look" for any Syslog in Splunk. Syslo...
by jvanhambelgium
Fri Jul 17, 2020 12:25 am
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.1 (Graphing everything) Topic is solved

Jotne,
Did you spend some time in looking on the Netflow story with Splunk ? Possible integration into your current application/set of dashboards ?
by jvanhambelgium
Wed Jul 15, 2020 11:25 am
Forum: Beginner Basics
Topic: Setup suggestion (multiple goups interconected and standalone)
Replies: 3
Views: 822

Re: Setup suggestion (multiple goups interconected and standalone)

Hi, thanks for reply unfortunately we need the routers there as each robot has its special needs, also we need DHCP, so people can connect notebooks to the robot network without setting up fixed address etc. Interesting ; can you elaborate what "special needs" have to do with using router...
by jvanhambelgium
Tue Jul 14, 2020 7:36 pm
Forum: General
Topic: Stealth port scanning protection
Replies: 13
Views: 2634

Re: Stealth port scanning protection

So my question is simple! How much better performance (positive impact) is 'created' with port scanning rules VICE simply DROP ALL ELSE at end of input chain and forward chain. Is it worth it?? (Plus if it is found to be of sufficient extra value, is it better to detect in input chain and drop in r...
by jvanhambelgium
Tue Jul 14, 2020 9:18 am
Forum: General
Topic: Stealth port scanning protection
Replies: 13
Views: 2634

Re: Stealth port scanning protection

@jvanhambelgium ... that's what I was trying to explain ... one has to be careful and understand things. If OP blindly applied your setting of DelayThreshold=12h without knowing background of you extensively tweaking other FW settings things might bite him mightily.
8) :D
by jvanhambelgium
Tue Jul 14, 2020 9:07 am
Forum: General
Topic: Stealth port scanning protection
Replies: 13
Views: 2634

Re: Stealth port scanning protection

My "DelayThreshold" is even set to a whopping 12 hours. So basically anyone probing my WAN-IP from the same IP on ports not related to DNAT etc within a 12h time-span are registered. I have a constant 450-500 IP's on that list which remains quite stable. In this case you have to be carefu...
by jvanhambelgium
Tue Jul 14, 2020 8:41 am
Forum: General
Topic: Stealth port scanning protection
Replies: 13
Views: 2634

Re: Stealth port scanning protection

My "DelayThreshold" is even set to a whopping 12 hours. So basically anyone probing my WAN-IP from the same IP on ports not related to DNAT etc within a 12h time-span are registered.
I have a constant 450-500 IP's on that list which remains quite stable.
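Added example, not the poster's actual rule set: a port-scan detector in the input chain with the same 12-hour detection window and 12-hour address-list timeout the post describes, with the rule ordering that keeps legitimate clients off the list (the point made a few posts up about blindly copying DelayThreshold=12h). The interface list WAN, TCP 443 standing in for "a service you intentionally offer on the router" and the list name port_scanners are assumptions.

```routeros
# Added example (not the poster's configuration). Assumptions: interface list
# "WAN", the router itself offers tcp/443, list name "port_scanners".
/ip firewall filter
# 1. Sources already on the list are dropped before anything else, so a listed
#    scanner cannot keep an existing session alive either.
add chain=input in-interface-list=WAN src-address-list=port_scanners action=drop comment="drop listed port scanners"
add chain=input connection-state=established,related action=accept comment="established/related"
# 2. Whatever you intentionally expose on the router itself goes here, above the
#    detector, so a real user hitting it never accrues scan weight. Forwarded
#    ports never reach the input chain (dstnat -> forward), so they need no entry.
add chain=input in-interface-list=WAN protocol=tcp dst-port=443 action=accept comment="service you really offer (assumed)"
# 3. psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight: each new
#    destination port below 1024 from one source adds 3, 1024 and up adds 1;
#    reaching 21 inside the delay window matches. The default window is seconds;
#    12h catches slow scans but also means ~7 distinct low ports in half a day
#    from one address is enough to be listed.
add chain=input in-interface-list=WAN protocol=tcp psd=21,12h,3,1 action=add-src-to-address-list address-list=port_scanners address-list-timeout=12h comment="tcp port scan -> list for 12h"
# 4. Flag combinations psd does not count: NULL, FIN and Xmas scans.
add chain=input in-interface-list=WAN protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=port_scanners address-list-timeout=12h comment="NULL scan"
add chain=input in-interface-list=WAN protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=port_scanners address-list-timeout=12h comment="FIN scan"
add chain=input in-interface-list=WAN protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=port_scanners address-list-timeout=12h comment="Xmas scan"
# 5. Anything else from the WAN to the router is dropped. This rule alone already
#    stops the probes; steps 3-4 add that the probing host also loses step 2.
add chain=input in-interface-list=WAN action=drop comment="drop everything else from WAN"
```

Check the result with `/ip firewall address-list print where list=port_scanners`. From a host you control outside, `nmap -sS -p 1-200 <wan-ip>` puts that host on the list within seconds, and every later packet from it, including to port 443, is dropped until the entry expires (each new match refreshes the 12h timeout). That is the whole difference between the detector and a plain drop-all at the end of the chain: the probing address loses access to the services it could otherwise still reach, at the price of the false positives described above when the window is this long.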
by jvanhambelgium
Fri Jul 10, 2020 5:12 pm
Forum: RouterOS v7 BETA
Topic: Feature Request: firewall: besides remote IP:port log optionally also its hostname
Replies: 2
Views: 840

Re: Feature Request: firewall: besides remote IP:port log optionally also its hostname

I'm not sure if this should be done on the Mikrotik itself. Again wasting valuable cpu-cycles on this. If you have a large(r) infrastructure I don't think you are going to look at the logs through Winbox or Webfig but you are going to push these logs into something else (eg. Splunk) or some custom S...
by jvanhambelgium
Thu Jul 09, 2020 11:58 am
Forum: Beginner Basics
Topic: Setup suggestion (multiple goups interconected and standalone)
Replies: 3
Views: 822

Re: Setup suggestion (multiple goups interconected and standalone)

You don't even need a router for that ? A simple switch on each table would be fine, take a large IP-space that you split into some blocks for oversight. Cable all the switches on all tables to each other. If everything is connected with SWITCHES all "groups" can talk to each other and off...
by jvanhambelgium
Tue Jul 07, 2020 10:00 am
Forum: General
Topic: [OT] Which IPFIX collector on Debian ?
Replies: 3
Views: 872

Re: [OT] Which IPFIX collector on Debian ?

Correction : I *AM* using the Splunk Addon that processed the Netflow v5 data straight into Splunk. If you use the NFDUMP tools and write out CSV's (other possibilities exist also) then you have also quite some options. I've explored if my InfluxDB could be used, but the type of data is not really s...
by jvanhambelgium
Tue Jul 07, 2020 8:30 am
Forum: General
Topic: Performance Problem ?
Replies: 4
Views: 1063

Re: Performance Problem ?

You are probably dropping out of the "fastpath" ? Due to your PCC/Mangle rules, so performance will take a huge hit. And something with fragmentation also I think? This device, when routing small 64byte packets with some queues & ip-filter rules etc only reaches 1.5Gbits/sec anymore...(
by jvanhambelgium
Mon Jul 06, 2020 12:17 pm
Forum: General
Topic: [OT] Which IPFIX collector on Debian ?
Replies: 3
Views: 872

Re: [OT] Which IPFIX collector on Debian ?

Hi, I've learned that the v9 & IPFIX data produced by Mikrotik is not entirely correct when it comes to timestamps...(flow start/stop is always 1970-00-00) I've opened a ticket for this some weeks ago but never got any response. Currently I'm using Netflow v5 which seems to be working correctly....
by jvanhambelgium
Sun Jul 05, 2020 9:52 am
Forum: Beginner Basics
Topic: Am I protected with this settings?
Replies: 34
Views: 5955

Re: Am I protected with this settings?

Yes, I see now, there is uPnP enabled in the application settings. But I also see that it is not enabled on the router. Then disable uPNP in the application, set a range of ports and configure a DNAT (portforwarding) that matches this range. Eg in my case, on the INPUT-chain ; add action=dst-nat ch...
by jvanhambelgium
Sun Jul 05, 2020 9:00 am
Forum: Beginner Basics
Topic: Am I protected with this settings?
Replies: 34
Views: 5955

Re: Am I protected with this settings?

Also, I see many packets for Bittorrent 6881 port, in the log file, that are dropped, both UDP and TCP. Could the firewall be too restrictive? I have no port-forwarding set-up for the Bittorrent port. You have uPNP enabled ? (you should NOT btw) Because then your application might punch holes in th...
by jvanhambelgium
Sat Jul 04, 2020 10:48 pm
Forum: Beginner Basics
Topic: Am I protected with this settings?
Replies: 34
Views: 5955

Re: Am I protected with this settings?

How do I enable the firewall? By adding the rules stated here? https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router#Firewall /ip firewall filter add action=accept chain=input comment="default configuration" connection-state=established,related add action=accept chain=input src-addre...
by jvanhambelgium
Sat Jul 04, 2020 10:40 pm
Forum: Beginner Basics
Topic: Am I protected with this settings?
Replies: 34
Views: 5955

Re: Am I protected with this settings?

I want to understand how my config made my router vulnerable. Can you give an example? Certain RouterOS versions had really some flaws in them in the sense that IF you ever exposed the management interfaces externally (eg. http/https) your device could be hacked! No login needed ;-) I was under ...
by jvanhambelgium
Sat Jul 04, 2020 1:09 pm
Forum: Beginner Basics
Topic: Am I protected with this settings?
Replies: 34
Views: 5955

Re: Am I protected with this settings?

NO! Show your firewall setup first. And follow these instructions: https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router I do not agree with you. All services are disabled, the Winbox is running but protected with ACL 10/8 To protect THE ROUTER, this is already pretty good. Even if you do not ...
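Added example, not the poster's configuration: what "all services disabled, Winbox protected with an ACL for 10/8" looks like in RouterOS, together with the input-chain rules that back it up so the router does not rely on a single service ACL, and the MAC-level access paths that an IP ACL does not cover. The management range 10.0.0.0/8, the interface lists LAN and WAN, and SSH plus Winbox as the two surviving services are assumptions.

```routeros
# Added example (not the poster's configuration). Assumptions: management
# networks 10.0.0.0/8, interface lists "LAN"/"WAN", admin access via SSH/Winbox.

# 1. Disable every service you do not use; bind the rest to the management range.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=10.0.0.0/8 port=22
set winbox address=10.0.0.0/8
/ip ssh
set strong-crypto=yes

# 2. MAC-Winbox / MAC-Telnet and neighbor discovery do not look at IP ACLs at all;
#    restrict them to the LAN side and switch off the bandwidth test server.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool bandwidth-server
set enabled=no
/ip neighbor discovery-settings
set discover-interface-list=LAN

# 3. The input chain decides what may talk to the router itself. Order matters;
#    the last rule silently drops whatever the WAN sends that was not allowed.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="return traffic"
add chain=input connection-state=invalid action=drop comment="invalid"
add chain=input in-interface-list=WAN protocol=icmp limit=50/5s,50:packet action=accept comment="rate-limited ICMP"
add chain=input in-interface-list=LAN src-address=10.0.0.0/8 protocol=tcp dst-port=22,8291 action=accept comment="SSH/Winbox from management range only"
add chain=input in-interface-list=WAN action=drop comment="nothing else from the Internet reaches the router"
```

`/ip service print` should now show only ssh and winbox enabled, each with an address set. From outside, `nmap -p 21,22,23,80,443,8291,8728,8729 <wan-ip>` should report every port as filtered: the service ACL on its own makes the router refuse the handshake, which still tells a scanner that a RouterOS box is there, while the firewall drop makes it silent. This is the defence the post is describing; it does not replace keeping RouterOS current, because the flaws mentioned earlier in this thread were in the services themselves and an exposed service with an ACL is exactly the situation those flaws were hit through.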
by jvanhambelgium
Tue Jun 30, 2020 7:55 am
Forum: Scripting
Topic: IP cloud public address into variable
Replies: 3
Views: 1056

Re: IP cloud public address into variable

Hi, RTFM I guess, use-local-address (yes | no; Default: no) By default, the DNS name will be assigned to the detected public address (from the UDP packet header). If you wish to send your "local" or "internal" IP address, then set this to yes So no, you don't want to enable this ...
by jvanhambelgium
Mon Jun 29, 2020 9:41 am
Forum: Scripting
Topic: How to get SrcIP address from PPTP Auth failure log?
Replies: 5
Views: 3036

Re: How to get SrcIP address from PPTP Auth failure log?

Is there a certain "pattern" in the source IP's of the failed attempts ? You could try to get these IP's on an access-list if they setup more than 3x / minute to the VPN service Each of these IP's will go through the SYN - SYN ACK - ACK TCP-setup states, so you could "watch" for incom...
by jvanhambelgium
Fri Jun 26, 2020 4:19 pm
Forum: Beginner Basics
Topic: Bridge between 1G and 10G internal subnets [SOLVED]
Replies: 8
Views: 2256

Re: Bridge between 1G and 10G internal subnets [SOLVED]

>I have a simple home 1G network where I've recently added some 10G NICs to two hosts in addition to their existing 1G and wifi. All my original 1G addresses work in the 192.168.10.x range via >DHCP. The internet gateway is 192.168.10.254. >After adding the 10G cards to two hosts, I've added a Mikro...
by jvanhambelgium
Fri Jun 26, 2020 12:18 pm
Forum: General
Topic: Recommendations for campus network with over 6000 users. Can CCR1072 handle this?
Replies: 1
Views: 440

Re: Recommendations for campus network with over 6000 users. Can CCR1072 handle this?

What is the design of the network? Topology etc. Specific features you are looking for ? Closed network ? 802.1X needed etc,etc. 6000 users really doesn't mean anything. You have large server-farms in scope pushing a lot data ? Sure the 1072 is a beast with plenty of 10Gbits/sec ports. I think you c...
by jvanhambelgium
Fri Jun 26, 2020 9:56 am
Forum: Beginner Basics
Topic: Bridge between 1G and 10G internal subnets [SOLVED]
Replies: 8
Views: 2256

Re: Bridge between 1G and 10G internal subnets [SOLVED]

Be aware the performance will be *terrible* if you even consider ROUTING/BRIDGING between the 1G <> 10G subnet. Your total performance in the best case will only be slightly more than 1G, so I don't understand why you even bother plugging 10G interfaces on the "server" side. This product i...
by jvanhambelgium
Fri Jun 26, 2020 8:33 am
Forum: Beginner Basics
Topic: From in to out
Replies: 1
Views: 529

Re: From in to out

Your Winbox machine is in the same IP-network as your SMTP host ? If so, you need some rules for "Hairpin NAT" or "NAT Loopback" . Search this on the forum and you will have many many examples. Hairpin is required if you try to reach INTERNAL hosts by calling your PUBLIC-IP on ...
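Added example, not from the post: a hairpin NAT (NAT loopback) setup for the SMTP case described above, so that the public address works both from the Internet and from the LAN the SMTP host sits in. The public address 203.0.113.10, the LAN 192.168.88.0/24, the SMTP host 192.168.88.25 and the interface list WAN are assumed values.

```routeros
# Added example (not the poster's configuration). Assumptions: static public IP
# 203.0.113.10 on the WAN, LAN 192.168.88.0/24, SMTP host 192.168.88.25,
# interface list "WAN".
/ip firewall nat
# Ordinary outbound NAT for the LAN.
add chain=srcnat out-interface-list=WAN action=masquerade comment="LAN to Internet"

# Port forward: anyone, inside or outside, who connects to 203.0.113.10:25 is
# rewritten to the internal host. Deliberately no in-interface match here; with
# in-interface-list=WAN a LAN-originated connection would never be translated.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=25 action=dst-nat to-addresses=192.168.88.25 to-ports=25 comment="SMTP forward"

# Hairpin: for a LAN client the reply would otherwise travel directly from
# 192.168.88.25 to the client with the internal source address, which the client
# never talked to, so it discards it. Masquerading the LAN-to-LAN leg makes the
# SMTP host answer the router, which un-translates both legs.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.25 protocol=tcp dst-port=25 action=masquerade comment="hairpin NAT"

/ip firewall filter
# The forward chain must still allow the translated connection from outside.
add chain=forward in-interface-list=WAN connection-state=new connection-nat-state=dstnat action=accept comment="allow forwarded ports from WAN"
```

Test from a LAN client with `nc -zv 203.0.113.10 25`. The price of the hairpin rule is that 192.168.88.25 sees every internal connection as coming from the router's own LAN address, so its logs and any per-client limits on the mail server lose the real source. If that matters, give internal clients a split-horizon DNS answer (the name resolves to 192.168.88.25 inside) and keep the hairpin only as a fallback for clients with the public IP hard-coded.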
by jvanhambelgium
Wed Jun 24, 2020 5:54 pm
Forum: General
Topic: how to setting cloudflare IPv6 mikrotik ? [SOLVED]
Replies: 4
Views: 1839

Re: how to setting cloudflare IPv6 mikrotik ? [SOLVED]

You don't need any special settings. Make sure you are running IPv6 correctly and get something assigned by your ISP and then it will publish your IPv6 public too. At least, I did not do anything "special" for IPv6. It just works. EDIT : Cloudflare ?? What are you talking about ? DDNS ? Or...
by jvanhambelgium
Tue Jun 23, 2020 7:52 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

It's clear that the 2 Github examples of dashboard have some errors in them. Example the one with a pie-graph "Top Destination IP's" I see a large chunk that has MY own public IP address which does not make sense and this is because of NAT and just returning traffic. Sure the "dest_ip&...
by jvanhambelgium
Tue Jun 23, 2020 6:53 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

What you can see with Netflow is how much traffic going in or out and from what IP to what IP. Ports however are not solvable. I would not say that, in a previous project we had a global deployed Riverbed solution with a very large Netflow collector appliance (taking in millions of flows per day f...
by jvanhambelgium
Tue Jun 23, 2020 6:49 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

After talking more than one hour with a super specialist in Netflow, I do start to get the grip on how things work. There is no way you can see in a Netflow packet if it's traffic returning from a session started inside, or if it is something from outside starting to send in data. You can look at por...
by jvanhambelgium
Tue Jun 23, 2020 9:55 am
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

I've posted on Splunk community this question on the NAT-fields and why they are not per-direction usable as fields in Splunk ... hopefully ... In the mean time, it seems the approach below is a good reference to what is coming IN and what is going OUT First of all, I've limited "Netflow" cur...
by jvanhambelgium
Mon Jun 22, 2020 11:20 am
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

I've taken Wireshark captures of both IPFIX & v9 streams, starting with the exchange of the templates etc describing all the fields. I have the impression that the Splunk Stream does not utilize ALL available "fields". I'm going to see if the "dictionary" contains these field...
by jvanhambelgium
Mon Jun 22, 2020 12:13 am
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

Maybe this should be an add on module for the MikroTik app since it would involve lots of extra stuff. Using wan IP as a trigger is not good enough, since this will change for many user and then you need to have some sort of auto update. But after looking at input_snmpidx and output_snmpidx (input/...
by jvanhambelgium
Sun Jun 21, 2020 11:36 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

in bytes and out bytes shows the same data, just renamed name :) On the dashboard/XML I posted ? Because I did that , since there is no "bytes_out" I simply put for temporary the same "bytes_in" also ;-) So indeed solid grouping must be done to clearly identify what is IN and what...
by jvanhambelgium
Sun Jun 21, 2020 9:08 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

For anyone that wants to give a crack at it, see below the links to the XML templates that make up these dashboards in Splunk. http://vanham-franck.be/pics/splunk/splunkflowtemplate1.xml http://vanham-franck.be/pics/splunk/splunkflowtemplate2.xml PS : Perhaps now is good time to file another bug wit...
by jvanhambelgium
Sun Jun 21, 2020 8:46 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

In the meantime I searched some already existing dashboards and got some hits on Github. I adapted the XML since my netflow is not sitting in the main-index and some of the names of the fields were different. etc.etc However , there are some issues. In 1 of these dashboard the field "bytes_out...
by jvanhambelgium
Sun Jun 21, 2020 6:13 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

Have not had time to look at much yet, but it looks possibly somewhat complicated to set up. It has too many possibilities, not sure if the saved format is ok. I would like a small program that listens for netflow and saves them one line at a time. Then Splunk can index it. System we have today with just sendin...
by jvanhambelgium
Sun Jun 21, 2020 2:24 pm
Forum: General
Topic: allow NAT not to ip but to mac?
Replies: 10
Views: 2442

Re: allow NAT not to ip but to mac?

I will explain my "problem" I have a camera 10.0.0.105 connected to mikrotik router with public ip x.x.x.x on port 8081 now , everybody who will try to enter the x.x.x.x:8081 will see the camera login page I want to limit the transfer to "allowed" mac address in the same network ...
by jvanhambelgium
Sun Jun 21, 2020 11:22 am
Forum: Useful user articles
Topic: Is there a reasone why I cannot send private messages ?
Replies: 4
Views: 1097

Re: Is there a reasone why I cannot send private messages ?

Recipient mailbox full?

Do not accept new messages (New messages will be held back until enough space is available)
Possibly indeed ... thx for the info.
It can't be that hard for forum software to just tell me this ;-) but it seems this feature is not present.
by jvanhambelgium
Sun Jun 21, 2020 10:31 am
Forum: General
Topic: allow NAT not to ip but to mac?
Replies: 10
Views: 2442

Re: allow NAT not to ip but to mac?

I don't understand the use-case. The Mikrotik has to know the IP-address of your phone anyway in order to communicate with it...
Just make sure with DHCP you give the phone always the same IP and you're done.
by jvanhambelgium
Sun Jun 21, 2020 10:00 am
Forum: Useful user articles
Topic: Is there a reasone why I cannot send private messages ?
Replies: 4
Views: 1097

Is there a reasone why I cannot send private messages ?

Hi,
Don't really know where to place this, but why can't I transmit a private message to a fellow user ??
It keeps stuck in the "Outbox" ?
I don't really see a link "contact board administrators" or something.
by jvanhambelgium
Sat Jun 20, 2020 5:46 pm
Forum: General
Topic: ICMP requests from internet to WAN IP
Replies: 5
Views: 1563

Re: ICMP requests from internet to WAN IP

Typical "ping" indeed. This is only "noise" and you should not worry.
Sure you could filter them out, it might prevent the other side(s) to "probe" more ports if they find out your router replies to ping.

I have thousands and thousands on a daily basis...
by jvanhambelgium
Fri Jun 19, 2020 9:33 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

Do you have experience with the "Splunk Stream" (app) ?? https://splunkbase.splunk.com/app/1809/ This could natively ingest & decode Netflow ""Capture Flow-type records, including NetFlow v5, v9, jFlow, and sFlow, and IPFIX, and send Flow Records directly into your Indexers, ...
by jvanhambelgium
Fri Jun 19, 2020 9:04 am
Forum: Beginner Basics
Topic: block Imo, Whatsapp, Viber in Mikrotik router
Replies: 3
Views: 1676

Re: block Imo, Whatsapp, Viber in Mikrotik router

True to some extent, if the endpoint (PC or mobile) is not controlled in any way by some IT-policies in a corporate environment. If this question is for public users (eg. topicstarter is an ISP) yeah then forget about my DNS proposal ;-) because that's not going to work. The main conclusion is that ...
by jvanhambelgium
Fri Jun 19, 2020 8:12 am
Forum: Beginner Basics
Topic: block Imo, Whatsapp, Viber in Mikrotik router
Replies: 3
Views: 1676

Re: block Imo, Whatsapp, Viber in Mikrotik router

Hi, As I said in another topic, this is going to be very difficult with a Mikrotik product. (other advanced FW/UTM products might detect "signatures" on this traffic identifying them more precise!) For "Whatsapp" there you may want to read : https://forum.mikrotik.com/viewtopic.p...
by jvanhambelgium
Thu Jun 18, 2020 6:43 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

Did you ever consider extending your (already) very nice dashboard(s) with some NETFLOW information to gain more insights in the traffic + protocol distribution. (bit like the "accounting" section on your dashboard, but with more info) I'm currently playing around with the PMACCT-package...
by jvanhambelgium
Thu Jun 18, 2020 12:26 pm
Forum: General
Topic: Firewall Rules issue.
Replies: 2
Views: 655

Re: Firewall Rules issue.

It is not going to be very straightforward, but you might look at : https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2#bkmk_lyo Here you have the cur...
by jvanhambelgium
Thu Jun 18, 2020 11:14 am
Forum: General
Topic: Adding dynamic firewall rules to mikrotik - Suricata - Axiom Shield
Replies: 9
Views: 1774

Re: Adding dynamic firewall rules to mikrotik - Suricata - Axiom Shield

Hmm..MT is absolutely not a "next-generation" player in the firewall area...filtering at L7 is getting more & more useless and kills the performance of these units. My MikroTik has a firewall? Yes! Mikrotik’s firewall capabilities outperform some of the most expensive and elaborate fir...
by jvanhambelgium
Wed Jun 17, 2020 2:13 pm
Forum: General
Topic: Netflow (IPFIX) issue
Replies: 6
Views: 1153

Re: Netflow (IPFIX) issue

Interesting! Thanks for sharing. I will give it a try here on my environment.
by jvanhambelgium
Wed Jun 17, 2020 1:22 pm
Forum: General
Topic: Ping from LAN to AP on hotspot network
Replies: 3
Views: 583

Re: Ping from LAN to AP on hotspot network

There is currently an interface to the corporate LAN 10.0.0.0/23 but currently this purely as a management interface only for the Mikrotik. We still don't want the corporate and hotspot AP network connected other than pings Well then it is just a matter of routing + firewall-filter ? I don't see any...
by jvanhambelgium
Wed Jun 17, 2020 12:37 pm
Forum: General
Topic: Ping from LAN to AP on hotspot network
Replies: 3
Views: 583

Re: Ping from LAN to AP on hotspot network

How is your hotspot network (with the AP's) "connected" to the corporate RB3011 ? Or is there NO connection at all today and is this hotspot network a remote "island" somewhere... Perhaps a simple VPN-tunnel would be solution (eg. across Internet) and then you can decide what tra...
by jvanhambelgium
Wed Jun 17, 2020 11:32 am
Forum: General
Topic: Netflow (IPFIX) issue
Replies: 6
Views: 1153

Re: Netflow (IPFIX) issue

Slightly offtopic but which Netflow platform do you use ? Something commercial or opensource ?
I've been playing some days ago with Netflow/IPFIX on my RB3011.
by jvanhambelgium
Wed Jun 17, 2020 7:24 am
Forum: General
Topic: IP Cloud
Replies: 72
Views: 32168

Re: IP Cloud

Sure it works. Do NOT enable the "use-local-address" as the result will be that not your public IP is pushed to the cloud-DNS service but your private/internal one. Not very useful. [user@gateway] > /ip cloud print ddns-enabled: yes ddns-update-interval: none update-time: yes public-addres...
by jvanhambelgium
Wed Jun 17, 2020 12:00 am
Forum: General
Topic: Can't Connect to Ubiquiti AP Pro
Replies: 6
Views: 1592

Re: Can't Connect to Ubiquiti AP Pro

Please provide a conceptual schematic where we can see the position of the Mikrotik <> other attached LAN-switches. Are you using VLAN's , trunk-interfaces etc ? If you are running a flat network (VLAN's) then it is hard to believe the AP Pro would not get an IP via DHCP while another device on a sw...
by jvanhambelgium
Tue Jun 16, 2020 4:06 pm
Forum: General
Topic: Can't Connect to Ubiquiti AP Pro
Replies: 6
Views: 1592

Re: Can't Connect to Ubiquiti AP Pro

If your AP cannot obtain an IP through DHCP (=the default) then it will revert to a fixed IP of 192.168.1.20. So this means your Mikrotik is not handing out anything to the Pro AP Is this environment doing VLAN stuff ? Or a flat network ? If you put something else than the Pro AP in the switch-port,...
by jvanhambelgium
Mon Jun 15, 2020 8:05 am
Forum: General
Topic: Core switch or RB4011? [SOLVED]
Replies: 5
Views: 1818

Re: Core switch or RB4011? [SOLVED]

Sorry, I forgot to answer your question, no it's at home but have outbuildings and garden wired in cat 6, have over 30 IP cams and a couple of workstations, NAS unraid, T320, 5 gaming consoles, 4 laptops, tablets where ever I look, 7 TV's, 4 PC's, Video editing workstation and DAW so can get a bit ...
by jvanhambelgium
Mon Jun 15, 2020 12:20 am
Forum: General
Topic: Block ICMP tunnel - best practice
Replies: 5
Views: 1117

Re: Block ICMP tunnel - best practice

Yeah that seems like a nice solution actually. That would really minimize the use case of using a tunnel if you can hardly "leak" any data through it.
by jvanhambelgium
Sun Jun 14, 2020 9:33 pm
Forum: General
Topic: Block ICMP tunnel - best practice
Replies: 5
Views: 1117

Re: Block ICMP tunnel - best practice

Well, I think ICMP tunnels mainly use the Echo (type 8) / Echo Reply (type 0) so I guess you simply need to block that. There is not much else you can do. I don't think you want to go building L7 firewall rules which look into the packets ... It will kill performance anyway. Block all ICMP altogethe...
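Added example, not part of the thread: firewall rules that follow the reasoning above, constraining echo request and echo reply (the only ICMP types that carry arbitrary payload in both directions) while keeping the ICMP types a network needs to function. The interface lists LAN and WAN, the 92-byte size cap and the rate limit are assumptions.

```routeros
# Added example (not from the thread). Assumptions: interface lists "LAN"/"WAN";
# LAN clients are still allowed to ping the Internet, just not to tunnel over it.
/ip firewall filter
# 1. ICMP the network needs: destination unreachable (including type 3 code 4,
#    fragmentation needed, which path MTU discovery depends on), time exceeded
#    (traceroute), parameter problem. None of these carry a usable payload channel.
add chain=forward protocol=icmp icmp-options=3:0-15 action=accept comment="unreachable / PMTUD"
add chain=forward protocol=icmp icmp-options=11:0-1 action=accept comment="time exceeded"
add chain=forward protocol=icmp icmp-options=12:0-2 action=accept comment="parameter problem"

# 2. Size cap on echo in BOTH directions, placed before the established/related
#    accept: connection tracking pairs a reply with its request by id/sequence
#    only, so a 60-byte request could otherwise pull a 1400-byte reply inbound.
#    92 bytes = 20 IP + 8 ICMP + 64 bytes payload (assumed cap).
add chain=forward protocol=icmp icmp-options=8:0 packet-size=93-65535 action=drop log=yes log-prefix="icmp-big-req" comment="oversized echo request"
add chain=forward protocol=icmp icmp-options=0:0 packet-size=93-65535 action=drop log=yes log-prefix="icmp-big-rep" comment="oversized echo reply"

# 3. Rate cap on outbound echo requests from the LAN: the burst lets a normal
#    ping through, a tunnel that needs hundreds of packets per second stalls.
add chain=forward in-interface-list=LAN out-interface-list=WAN protocol=icmp icmp-options=8:0 limit=5/1s,10:packet action=accept comment="small, slow pings"
add chain=forward in-interface-list=LAN out-interface-list=WAN protocol=icmp icmp-options=8:0 action=drop log=yes log-prefix="icmp-rate" comment="too many echo requests"

# 4. Replies to accepted pings return as established/related; any other ICMP
#    arriving unsolicited from the Internet is dropped.
add chain=forward connection-state=established,related action=accept comment="return traffic"
add chain=forward in-interface-list=WAN protocol=icmp action=drop comment="unsolicited ICMP from WAN"
```

From a LAN client, `ping -s 200 <external host>` should now fail and produce icmp-big-req log lines, while a plain `ping` keeps working. This throttles a tunnel rather than eliminating it (5 packets per second with 64 bytes of payload is still a few hundred bytes per second each way), so if that residual channel is unacceptable the remaining option is the one the post names, dropping echo from the LAN entirely, and using the log prefixes to find hosts that keep trying.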
by jvanhambelgium
Sun Jun 14, 2020 6:16 pm
Forum: Beginner Basics
Topic: Help separating vlans for iot and smart-tvs ?
Replies: 12
Views: 2701

Re: Help separating vlans for iot and smart-tvs ?

Doesn't this introduce bridges between the various networks which can potentially become security holes ? Lars Potentially/theoretically yes. You are in effect "short cutting" your firewall. So you must manage the firewall on the Synology NAS to really restrict it to only the required tra...
by jvanhambelgium
Sun Jun 14, 2020 9:48 am
Forum: General
Topic: Core switch or RB4011? [SOLVED]
Replies: 5
Views: 1818

Re: Core switch or RB4011? [SOLVED]

Is this an office environment ? You have an idea on the traffic-levels of your current coreswitch ? Obviously if you make the RB4011 "coreswitch" it will be seeing a lot of ethernet-traffic between the several downstream switches apart from handling the 1Gbps PPPoE + some firewall + VPN Th...
by jvanhambelgium
Sat Jun 13, 2020 6:44 pm
Forum: Beginner Basics
Topic: How to measure and improve RouterBOARD performances when connected to a FTTH ISP ?
Replies: 2
Views: 585

Re: How to measure and improve RouterBOARD performances when connected to a FTTH ISP ?

The CRS is a good SWITCH (Layer2) with some routing capabilities, but for sure not a powerful one! Basically you need ROUTING from/to your ISP in order to fully use the 500Mbps WAN and also additional NAT/Firewall-rules. Then the performance of the single-core box drops rapidly. See the "perfo...
by jvanhambelgium
Fri Jun 12, 2020 8:33 pm
Forum: RouterOS v7 BETA
Topic: v7.0beta8 [development] is released!
Replies: 180
Views: 70791

Re: v7.0beta8 [development] is released!

What do I use then to get traffic data from each client that I do use in Splunk for MikroTik? NetFlow is an obvious choice for that kind of data. So far I've not been able to find a free Netflow collector that actually works. I've tried dozens...almost got it working with ElasticFlow (https://www.c...
by jvanhambelgium
Fri Jun 12, 2020 2:42 pm
Forum: General
Topic: Hardware Upgrade
Replies: 4
Views: 922

Re: Hardware Upgrade

Indeed I think the only possible match within Mikrotik portfolio would be CRS354 > Use the 4 * 10Gbps for bonding towards each DC , like today give you a 40Gbits/s pipe (best case) > Use the 2 * QSFP+ with 40Gbps port to connect towards the other DC with similar CRS354 Now I don't know for caveats, ...
by jvanhambelgium
Fri Jun 12, 2020 2:25 pm
Forum: General
Topic: How to keep people from connecting PC instead of Access points or Cameras ?
Replies: 6
Views: 1104

Re: How to keep people from connecting PC instead of Access points or Cameras ?

PVLAN's (Private VLAN, aka "Port Isolation") would also be something possible. In a PVLAN, there are mainly two types of ports : Promiscuous port (P-Port) and Host port and the Host port further divides in two types – Isolated port (I-Port) and Community port (C-port). Promiscuous port (P-...
by jvanhambelgium
Fri Jun 12, 2020 1:36 pm
Forum: General
Topic: How to keep people from connecting PC instead of Access points or Cameras ?
Replies: 6
Views: 1104

Re: How to keep people from connecting PC instead of Access points or Cameras ?

802.1X is then the only way to go. But it depends on the sort of "endpoint" what capabilities are. If the endpoint has a supplicant you can work with username/password/certificates but for real dumb devices MAC "authentication" is a minimum. In *addition* to that, specific filt...
by jvanhambelgium
Thu Jun 11, 2020 5:40 pm
Forum: General
Topic: nand writing counter on RB3011
Replies: 2
Views: 602

Re: nand writing counter on RB3011

Hello Mikrotik ? Can you elaborate on this ? The RB3011 also has NAND onboard so most likely also suffering from this ? I'm reading some ridiculously high write-cycle values here which for sure can shorten lifespan, but indeed on my RB3011 there seems no command to read it... I would like to know also...
by jvanhambelgium
Thu Jun 11, 2020 5:11 pm
Forum: Beginner Basics
Topic: Help separating vlans for iot and smart-tvs ?
Replies: 12
Views: 2701

Re: Help separating vlans for iot and smart-tvs ?

When using this VLAN separation, everything that uses stuff like mDNS, Bonjour (Apple) or multicast based service discovery will (probably) break. Mikrotik has no "relay" function for these protocols/services (eg. implementation of Avahi) across different VLAN's. That traffic with a TTL=1 ...
by jvanhambelgium
Wed Jun 10, 2020 11:23 pm
Forum: General
Topic: Forum giving ERROR 500 [SOLVED]
Replies: 17
Views: 2721

Re: Forum giving ERROR 500 [SOLVED]

The forum is probably running ForumOS 6.47 STABLE :lol:
by jvanhambelgium
Wed Jun 10, 2020 9:07 pm
Forum: General
Topic: UPDATE FIRMWARE [SOLVED]
Replies: 3
Views: 1236

Re: UPDATE FIRMWARE [SOLVED]

Friends, Every time a firmware update comes out in Mikrotik, is it recommended to do it to the RB? Another thing is what type of firmware is more advisable to update, stable or testing?. I would only use "stable" or "long term" for routers that you use in production. For each re...
by jvanhambelgium
Wed Jun 10, 2020 10:26 am
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 115
Views: 31261

Re: RB3011 port flopping - bad design

This morning I've been hammering the "ether1" port which had a lot of flapping yesterday with traffic ... strangely enough while yesterday I have 15 flaps / hour today all seems rather silent... Currently I'm running 6.46.4 and I've disabled the flow-control with the command suggested by M...
by jvanhambelgium
Tue Jun 09, 2020 8:27 pm
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 115
Views: 31261

Re: RB3011 port flopping - bad design

Now I'm completely clueless ... even now the issues remain present ... so on 6.46.4 the flapping also occurs, although very limited so far.
Apparently I don't have enough data in my Splunk to go very far back in time to see when these messages first started to appear...
by jvanhambelgium
Tue Jun 09, 2020 7:34 pm
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 115
Views: 31261

Re: RB3011 port flopping - bad design

True, I've performed a downgrade back to where I came from at release 6.46.4 I had today some annoying drops between a linked switch causing glitching in video-conf calls etc. So let's evaluate how 6.46.4 does ..... and then perhaps upgrade step-by-step to 6.46.5 , then 6.46.6 etc to see where thi...
by jvanhambelgium
Tue Jun 09, 2020 9:29 am
Forum: Scripting
Topic: Add to Address List
Replies: 6
Views: 1601

Re: Add to Address List

...you can call it quick & dirty but you can also call it plainly insecure... Is this something to be deployed in the public Internet ? As a minimum, your website should parse the client-IP headers (eg. X-Forwarded-For, HTTP_Client_IP) and extract this IP address! Then your webserver/appserver s...
by jvanhambelgium
Tue Jun 09, 2020 12:21 am
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 115
Views: 31261

Re: RB3011 port flopping - bad design

what was the config adoption? I'd love to give it a try as well. I was asked to disable flow-control on the CPU and performed the following on my 3011:
/interface ethernet switch
set 0 cpu-flow-control=no name="Switch 1"
set 1 cpu-flow-control=no name="Switch 2"
Although today it seem...
by jvanhambelgium
Mon Jun 08, 2020 6:19 pm
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 115
Views: 31261

Re: RB3011 port flopping - bad design

I have one on my office "RouterBOARD 3011UiAS" from 9 Jul 2016, and is still working flawlessly (factory is 6.35.3, now have 6.44.6) Mine was working fine with 6.44.x too, but some days ago I moved to the latest 6.47 stable. Today I was asked by Mikrotik support to make some config-adapti...
by jvanhambelgium
Mon Jun 08, 2020 9:19 am
Forum: General
Topic: unstable LAN
Replies: 7
Views: 1264

Re: unstable LAN

Hmm, what a coincidence you are also running RB3011 ....
But even more strange you cannot find any such events happening (link down/up) in the logs. So perhaps it is something else...
When did you upgrade ? Was there also a problem before the upgrade?
by jvanhambelgium
Mon Jun 08, 2020 8:06 am
Forum: General
Topic: unstable LAN
Replies: 7
Views: 1264

Re: unstable LAN

In the logs of the router, do you see any "link down" "link up" messages from ethernet ports lately ? Since the latest update to 6.47 stable, my RB3011 device is seeing certain ethernet ports flip / flop very regularly resulting in a missed "ping" here and there. At th...
by jvanhambelgium
Sat Jun 06, 2020 1:41 pm
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 115
Views: 31261

Re: RB3011 port flopping - bad design

Nope, did not really fix it ;-)
I've seen some transitions again ... in the last hour.
by jvanhambelgium
Sat Jun 06, 2020 10:57 am
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 115
Views: 31261

Re: RB3011 port flopping - bad design

But if your config stays stable jvanhambelgium (since you had problems on fabric 1-5) it could be safe to assume the bug was reintroduced in 6.47? I think so, I've never seen this happening actually. I did run a couple of versions behind, so I went from 6.44 or something straight to 6.47. I'll be eva...
by jvanhambelgium
Sat Jun 06, 2020 10:46 am
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 115
Views: 31261

Re: RB3011 port flopping - bad design

I've grouped some ports together now, the first switch-module (1-5) now only has 1Gbits/s clients. At present no more transitions/flappings. Will evaluate over some time. The other port-group (6-10) now contains some 100Mbit/s but also still 1 client with 1Gbits/s link (= ISP modem). However I don't...
by jvanhambelgium
Sat Jun 06, 2020 10:10 am
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 115
Views: 31261

Re: RB3011 port flopping - bad design

Same here! Since upgrade to 6.47 on my RB3011. I've generated supout.rif and forwarded it to Mikrotik. In my case, it seems to be ports ether3 (1Gbit/s, UniFi AP groundfloor) and ether5 (1Gbit/s, some D-LINK 8-port small switch connected on the other end on a floor) seeing transitions, but ether5 mu...
by jvanhambelgium
Sat Jun 06, 2020 9:40 am
Forum: RouterBOARD hardware
Topic: RB3011 port flopping - bad design
Replies: 115
Views: 31261

Re: RB3011 port flopping - bad design

Same here! Since upgrade to 6.47 on my RB3011. I've generated supout.rif and forwarded it to Mikrotik. In my case, it seems to be ports ether3 (1Gbit/s, UniFi AP groundfloor) and ether5 (1Gbit/s, some D-LINK 8-port small switch connected on the other end on a floor) seeing transitions, but ether5 muc...
by jvanhambelgium
Sat Jun 06, 2020 12:13 am
Forum: General
Topic: Switch chip random resets RB3011 on 6.47?
Replies: 4
Views: 1246

Re: Switch chip random resets RB3011 on 6.47?

It is not problem in 6.47, but old problem... https://forum.mikrotik.com/viewtopic.php?f=3&t=128762&p=793927&hilit=port+flapping#p793927 I have never in several years encountered this on my RB3011 ! Now I'm seeing dozens of these flappings in the last hour or so, but I checked my Splunk...
by jvanhambelgium
Fri Jun 05, 2020 11:08 pm
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 349
Views: 112118

Re: v6.47 [stable] is released!

Some issues start to appear also here on my RB3011 since my 6.47 upgrade, ethernet-ports are flapping down/up.
So far only port3 / port5 and although I upgraded already yesterday it only started just now...

I prepared a support-file and will deliver it to Mikrotik.
by jvanhambelgium
Fri Jun 05, 2020 10:56 pm
Forum: General
Topic: Switch chip random resets RB3011 on 6.47?
Replies: 4
Views: 1246

Re: Switch chip random resets RB3011 on 6.47?

Hi,
Yep I just noticed this too!
RB3011 on the latest 6.47

In my case, ports 3 & 5 are flapping like hell.
Port 3 has a Wireless AP connected, port 5 a simple L2-switch on the floor somewhere.

Time to open a ticket I guess. The first ever in many years of RB3011 utilisation ;-)
by jvanhambelgium
Fri Jun 05, 2020 5:50 pm
Forum: Beginner Basics
Topic: Firewall rule - block "upper network"
Replies: 5
Views: 1309

Re: Firewall rule - block "upper network"

Be careful with specifying 192.168.1.1 in here..remember this "upstream" router is your gateway out, NOT the final destination! So you do not need to really "address" it in your policy like this UNLESS you really WANT to make a connection to this router ? (eg. web-interface or so...
by jvanhambelgium
Fri Jun 05, 2020 4:38 pm
Forum: Beginner Basics
Topic: Local Port definition and Port Forwarding
Replies: 47
Views: 6752

Re: Local Port definition and Port Forwarding

If you rdp with the local address rather than the domain name do you experience latency? Yes, I'm talking about local address direct connection (between two computers on a same network range). So latency in the INITIAL RDP setup right ? Not a CONTINUOUS SLOW/DELAYED operation during a session ? Sme...
by jvanhambelgium
Thu Jun 04, 2020 8:47 pm
Forum: Beginner Basics
Topic: IPV6 in a first firewall [SOLVED]
Replies: 2
Views: 1143

Re: IPV6 in a first firewall [SOLVED]

But I am not trying to build an IPv6 network, so I'm confused as to what needs to be in my first firewall or if I even need to address IPv6. Can an attacker use IPv6 against the router even though it has an IPv4 address? Do I need to leave an IPv6 door open in case the ISP ever decides to use IPv6?...
by jvanhambelgium
Thu Jun 04, 2020 5:09 pm
Forum: General
Topic: Filter to block incoming connections, blocks outgoing too [SOLVED]
Replies: 6
Views: 1432

Re: Filter to block incoming connections, blocks outgoing too [SOLVED]

You can't do it because RAW does not differentiate "forward" packets from "return" packets. Only connection state machine can do that. What about "accept" rule from LAN before the drop rule? It will help? No because in "raw" you can only provide a few "c...
by jvanhambelgium
Thu Jun 04, 2020 8:21 am
Forum: Beginner Basics
Topic: Expected Lease Behaviour
Replies: 3
Views: 680

Re: Expected Lease Behaviour

Is the pool in another VLAN, where the AppleTV does work smooth also a few IP's in size or exact the same approach ? You have like 1 bridge on which you have several vlan's ? Or are you running multiple dhcp-services ? I think 2 small packet capture would be interesting to compare : 1 x AppleTV on t...
by jvanhambelgium
Wed Jun 03, 2020 10:11 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

In case you missed my edits ; I always believed I had to craft my pool "outside" the range I configure "static" for device. (which is > 90% of them). But apparently I can simply make my pool a real /24 (eg 192.168.1.2 -> 192.168.1.253 and the *.254 would be Mikrotik) and even in ...
by jvanhambelgium
Wed Jun 03, 2020 9:39 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

OK, I think we hit a special case here ;-) Usually all my systems at home receive a reserved DHCP-entry ("lease"), so my "pool" is actually very small and your script is correct to this extend... I forgot how small I made it. The script summarizes ; script=pool pool=Pool 1 used=4...
by jvanhambelgium
Wed Jun 03, 2020 6:02 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

I'm seeing some weird values in the DHCP-section -> the "DHCP Pool Information" seems to give a faulty % value (eg. 450%) Looking at the performed query for this : litsearch (sourcetype=mikrotik module=script script=pool) | eval percent=used*100/ total, host_name=coalesce(identity,host)...
by jvanhambelgium
Wed Jun 03, 2020 4:27 pm
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

If your edit is interesting for other, you could send me them, and I could add it in v3.0
I only removed some items not applicable for me at all, so no real enhancements.
I'm now using your supplied 3.0 Splunk Dashboard and it looks good enough for me ! I'm going to leave it as-is.
Thanks!
by jvanhambelgium
Wed Jun 03, 2020 12:31 pm
Forum: General
Topic: how to configure mikrotik ccr router to work as ntp server while using its time as source of time
Replies: 5
Views: 891

Re: how to configure mikrotik ccr router to work as ntp server while using its time as source of time

I want to configure one of my CCR routers as an NTP server and I don't want it to synchronize its time from the internet, I want it to use its local time. Local time? A CCR does not have an internal RTC (RealTime Clock) as far as I understood so that is a bad plan to trust the time on a CCR that was not...
by jvanhambelgium
Wed Jun 03, 2020 10:37 am
Forum: Useful user articles
Topic: Tool: Using Splunk to analyse MikroTik logs 3.2 (Graphing everything) Topic is solved
Replies: 401
Views: 178112

Re: Tool: Using Splunk to analyse MikroTik logs 3.0 (Graphing everything) Topic is solved

Splunk for MikroTik updated to v3.0. Major changes are the PPPoE view and support for IPv6 in the MikroTik Firewall Rules module. To upgrade, delete the folder /splunk/etc/app/Mikrotik. Then install the unpacked spl (use winrar/winzip) file, install app from "Manage app" -> "Install app ...
by jvanhambelgium
Tue Jun 02, 2020 10:42 pm
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 349
Views: 112118

Re: v6.47 [stable] is released!

Upgrade on my RB3011 went smooth, coming straight from 6.46.4 or something.
by jvanhambelgium
Tue Jun 02, 2020 1:57 pm
Forum: General
Topic: block computer name in mikrotik routerOS
Replies: 1
Views: 488

Re: block computer name in mikrotik routerOS

Not really possible directly, and it would not make much sense ... If your users have the rights to change their IP & MAC, what would stop them from changing their computer-name.... You need to solve this issue in other ways. 1) Restrict your users by means of policy so they cannot change stuff on th...
by jvanhambelgium
Sun May 31, 2020 3:13 pm
Forum: Scripting
Topic: [Script] Automatically change DNS if Pi-hole is no longer working
Replies: 24
Views: 5160

Re: [Script] Automatically change DNS if Pi-hole is no longer working

This will not work for all clients that have received their DHCP-lease. I don't know how many hours of lease-time you provide so these clients don't really benefit from the switchover you make on RouterOS. If their (only) DNS-server fails it is over & out. Multiple DNS would be a / the only true...
by jvanhambelgium
Sun May 31, 2020 12:12 pm
Forum: Beginner Basics
Topic: Missing HTTP packets [SOLVED]
Replies: 4
Views: 1387

Re: Missing HTTP packets [SOLVED]

It is very normal that you do not "see" this traffic on the Raspberry Pi on a SWITCHED environment. (and a CRS is a switch) Broadcasts still "flood" out of the ports, that is why you see them arriving at the Raspberry. The Mikrotik does allow you to see this, since this is where ...
by jvanhambelgium
Sat May 30, 2020 7:20 pm
Forum: Beginner Basics
Topic: How to make Port knocking working on vpn/pptp connection ?
Replies: 7
Views: 1759

Re: How to make Port knocking working on vpn/pptp connection ?

Concerning some config lines.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add...
by jvanhambelgium
Sat May 30, 2020 5:09 pm
Forum: Beginner Basics
Topic: How to make Port knocking working on vpn/pptp connection ?
Replies: 7
Views: 1759

Re: How to make Port knocking working on vpn/pptp connection ?

How to make Port knocking working on vpn/pptp connection ? I try this ( https://wiki.mikrotik.com/wiki/Port_Knocking ) but is not working on vpn/pptp connection Anyone could help ? Port knocking is intended and used primarily with normal/usual connections. I really don't see a reason why one would ...
by jvanhambelgium
Sat May 30, 2020 1:15 pm
Forum: General
Topic: DDos protection
Replies: 4
Views: 869

Re: DDos protection

You should also drop traffic on your LAN-side (so "forward" chain, interface depending on your model & topology) that is not originated from the effective IP address of the VM/Client itself! So at least you try to stop facilitating "spoofed" traffic towards the internet! Norm...
by jvanhambelgium
Sat May 30, 2020 12:26 am
Forum: General
Topic: Routing of live IP
Replies: 6
Views: 1519

Re: Routing of live IP

So you have separate wireless AP's ? I would take a look at the Wiki's for the different topics you need : 1) Routing https://wiki.mikrotik.com/wiki/Manual:Simple_Static_Routing 2) Securing services https://wiki.mikrotik.com/wiki/Manual:IP/Services (so really make sure you add your "LAN" s...
by jvanhambelgium
Fri May 29, 2020 10:20 pm
Forum: General
Topic: Routing of live IP
Replies: 6
Views: 1519

Re: Routing of live IP

Just like this? 1) Make a bridge and group all your interfaces and give this bridge the IP of 172.20.18.1 255.255.255.224 (this will become the "default gateway" for all your PC/devices connected on LAN) Then plug whatever device you want on the ethernet-ports (all member of the bridge) ...
by jvanhambelgium
Fri May 29, 2020 5:25 pm
Forum: General
Topic: Help with AirPrint network printer over VPN on the same subnet
Replies: 6
Views: 1419

Re: Help with AirPrint network printer over VPN on the same subnet

Wow Thank you! You have to understand that things like Airprint/Bonjour/mDNS/whatever were NEVER designed to "leave" the local LAN of your home. So yes, it is very normal these things just don't work so easily with more complex setups like home VLAN's, remote VPN's etc, etc. There might b...
by jvanhambelgium
Thu May 28, 2020 11:41 am
Forum: General
Topic: Port forwarding to External OpneVPN Server [SOLVED]
Replies: 4
Views: 1203

Re: Port forwarding to External OpneVPN Server [SOLVED]

Would that rule work? /ip firewall nat add action=dst-nat chain=dstnat dst-port=33445 in-interface-list=WAN protocol=udp to-addresses=10.0.0.6 to-ports=33445 Add it just before or just after any already existing rules in chain=dstnat - it is for a particular port, so it is unlikely to get shadowed ...
by jvanhambelgium
Wed May 27, 2020 2:09 pm
Forum: General
Topic: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]
Replies: 23
Views: 7601

Re: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]

I don't use "tarpit". It will only consume more resources (cpu/mem) on your side with the idea to slow the attacker down by holding the connection, but... For metered connections, only your upstream ISP can truly provide some useful action. If the packet hits your interface, it consumed al...
by jvanhambelgium
Wed May 27, 2020 1:30 pm
Forum: General
Topic: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]
Replies: 23
Views: 7601

Re: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]

I have an access rule that if anyone tries one port that is not open on the outside, he will be blocked for 24 hour on any port. This gives me an access list with from 2000 to 15000 IPs at any time. If this for some reason is me that has been blocked from outside, I can use port knock to whitelist ...
by jvanhambelgium
Wed May 27, 2020 7:46 am
Forum: General
Topic: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]
Replies: 23
Views: 7601

Re: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]

Some days I think I need a hardware FW in front of my router...If MT can focus on security with every new release, I will stick with them...if not...will be time to give up on MT after 8 years and move onto something else. There is no such thing as "a hardware firewall". Sure there are br...
by jvanhambelgium
Sun May 24, 2020 12:12 am
Forum: Beginner Basics
Topic: How can i pass my Lan network withouth having to make NAT [SOLVED]
Replies: 4
Views: 1137

Re: How can i pass my Lan network withouth having to make NAT [SOLVED]

Are you sure this is going to work ? Many "home" grade routers for example will only perform NAT (I mean the Alcatel box) when packets arrive in the range of their own LAN-interface. Or is the Alcatel configured that it will do NAT for 10.15.165.0/24 ?? Well, now you just need simple routi...
by jvanhambelgium
Sun May 24, 2020 12:05 am
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 82
Views: 22606

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Is there a reasonable way of bypassing Mk's limit or another approach? I'm a Mk hardcore user but I'm considering other vendors if they do not apply a better concept to protect our equipment. Nothing wrong with the concept I think. The idea of deploying such huge massive IP-lists and filter agains...
by jvanhambelgium
Sat May 23, 2020 8:38 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 82
Views: 22606

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Is there a reasonable way of bypassing Mk's limit or another approach? I'm a Mk hardcore user but I'm considering other vendors if they do not apply a better concept to protect our equipment. Nothing wrong with the concept I think. The idea of deploying such huge massive IP-lists and filter agains...