MikroTik

elico

@alexcherry what is your configuration looking like? Please send me your configuration i will give a try on that. Agent-Circuit-Id should be configurable with placeholders like %m = MAC-Address of Interface %n = Name of Interface (custom name) %i = ID of Interface XX (eg 01, 02, 03....) The informa...

elico

What about squid/nginx/varnish?

Squid-Cache is the general solution for http/1.x .
If you have a specific service you want to cache there might be a solution for this specific issue.
What do you need it for? windows updates?

elico

based on: https://forum.mikrotik.com/viewtopic.php?f=9&t=171750&p=840220#p840220 I have just tested that it's possible to do the same as on-up with lease-script. You don't need to set a global variable and just need to use the dont-require-permissions and use a script for the lease-script. /...

elico

Thanks, Eventually I managed to make it work with the next is my script: :do { :local Url ("http://ngtech.co.il/index.html"); /tool fetch url=$Url keep-result=no; :log info "*****$user Connected"; } on-error={ :log info "Error"; } :log info "#####$user Connected&qu...

elico

@mrz, I am trying to figure out how to do that but can't. I have the next in the ppp on-up script: :log info "****** $user Connected"; /system script run test; and in the test script: :log info "#####$user Connected"; The logs shows: ****** eliezer Connected ##### Connected So it...

elico

My main concern is the user variable.
I need it for the fetch script.

What are my options?

elico

I have a nice setup with pppoe/l2tp/pptp server it works great of course. I wanted to trigger a remote api call using "/tool fetch" however it doesn't work. I am trying to run the next: /tool fetch address=192.168.200.80 host=192.168.200.80 mode=http src-path=login output=none; :log info &...

elico

I tried the script from the wiki at: https://wiki.mikrotik.com/wiki/Manual:Scripting-examples#Block_access_to_specific_websites But it just didn't ran.. So I came up with: :foreach i in=[/ip dns cache find name~"(youtube-ui.l.google.com|youtube.com|googlevideo.com)\$" && $type ~ &q...

elico

OK Now I got it.
I will try it later and see how it goes.

elico

There's no "/ip firewall remove". This works for me: /ip firewall address-list remove [/ip firewall address-list find list="test" address="1.2.3.4"] but only when I write list name and address like this, I can't find a way how to make it work with variables. I assume i...

elico

I have a set of lists I want to cleanup a specific IP from another address list. It's not working.. What am I doing wrong? :local lists {"test1"; "test2"; "test3";}; :foreach ip in=[/ip firewall address-list find where list="CLEANUP"] do={ :local ipAddresss [/...

elico

I am curious how this went for you. I have been bombarded with zoom problems and they always seem to be mikrotik customers. I have tried disabling sip alg and udplite but it still seems like I get a lot of complaints from my customers at sites where I am running mikrotik routers and waps. Today I f...

elico

Hey,

You can send me or anyone else a supfie or export the router config so we can see if there is something specific.
The issues are limited to:
* Routing
* DNS
* Firewall

Since you are receiving a 403 it's probably not basic Firewall rules.

elico

Hi again As I wrote, it's a hub and spoke topology. Ipsec, OSPF, tunnels, - everything runs fine. Connected clients on the spokes gets a iperf3 throughput ~180Mb. That's fine. If I implement "VRF Lite" on a spoke router,- thoughput becomes very unstable, 180Mb - then 1Kb - then 0 - then 1...

elico

Hey @elico, you obviously use sub-optimal config for your hardware. Furthermore, the link you provided suggest 1Gbps routing performance for gr3... Wrt testing, have a look at https://mum.mikrotik.com/presentations/MX19/presentation_6766_1555080654.pdf & https://youtu.be/rQX0inNcPuM Just poping...

elico

So....disabling route cache got you the speeds you were looking for? I'm having the same problem as you. I don't want to downgrade if I don't have to. Disabling route cache means disabling also FastTrack which technically is a "flow" offload into either hardware or software. For normal an...

elico

Hey, The basic config of a GRE tunnel between PA and MT would be a bit different from MT to MT. With MT to MT the IPSec tunnel would be negotiated with the PSK defined in the GRE configuration. With PA and MT I assume that you would be required to to create another tunnel ontop of the IKE and the ip...

elico

You might be able to use IP routes with different metrics per gateway to force the VPN via a specific ISP.
ISP 1 metric 10
ISP 2 metric 20
Route of specific subnet or /32 host via ISP X Gateway/Interface with metric 5.

elico

Have you tried to look at:

/tool mac-server export verbose

Output?

For the winbox to be open to eveywhere you should first set these:

/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/tool mac-server ping
set enabled=yes

elico

Hey, What have you tried until now? There are some missing pieces to understand the technical issue. Who is behind the Mikrotik device? What are the routes on the Mikrotik device? /ip route print Might help to understand. What you technically need to do is add a dnat rule on the l2tp\sstp interface ...

elico

The network structure is not well understood to me. What is the IP of each device in each end of the setup? From what I remember both RB2011 and Powerbox Pro has the same CPU and they cannot perform better then 200Mbps ~ without RouteCache +FastTrack and FastPath. In any case a PtP it is preferable ...

elico

Can you please share more about this setup details?
I wan to try and run it locally with couple devices.

elico

Hey, Pings can be dropped from time to time on the Internet so it's not a solid measurement for RDP. I would start with basic RDP debug. What Windows versions are you using? What connection are you using? TCP+UDP or just TCP? What do you see in the windows event log? You can try to disable Route-Cac...

elico

Hey, I am working here on an IPSEC s2s setup with Palo Alto and Mikrotik CHR. It would help to understand both sides setup. In the PA side you can use the default PH1 and PH2 IKEv2 and IPSEC profiles. ** EDIT ** For most use cases you will need to set on the PA side the IKE Gateway side "Peer I...

elico

Also, IPv6 has redirect message that end user hosts has to obey if received - that is, if network infrastructure knows a better route to the host via another router in the same network, it can send the redirect to the end user host. After that, the end user host has to send all the traffic using ga...

elico

Hey please! After 6 years, still not WoL in Winbox. It is just a button (for example in the DHCP Server/Leases menu, It would be great to wake computers by clicking on the MAC, mouse right button, WAKE!). +1 here I actually tested a nice script that runs every specified interval and checks for a li...

elico

EDIT: It appears that the browser on client cannot reach higher speed then 500 ~ Mbps on the HTTP SpeedTest. So I tried again with iperf and found out the next: via RB2011 using iperf with or without NAT I am able to reach 750 ~ Mbps. However when I am disabling route cache I am reaching a limit of:...

elico

I am missing a full "fasttracked" rule-set with these protection rules. I assume that the ESTABLISHED,RELATED and INVALID (ACCEPT, FASTTRACK and DORP) can be matched before these filtering rules. Even if some of the TCP packets are malformed I am assuming the attacked side would not accept...

elico

I have a local RB2011 (FW 6.44.3)with 2 LAN segments: LAN - 10.0.0.138/24 SERVERS - 192.168.89.1/24 Client: 10.0.0.65 LAN SpeedTest Server: 10.0.0.79/10.0.0.13 SERVERS SpeedTest Server: 192.168.89.42 It works for a very long time now but always with the same max routing speed of 250-280 Mbps from on...

elico

I have couple RB750Gr3 but none of them were able to reach more then 300 Mbps for file transfer in routing only mode (No NAT). To test this issue try to use the "Bandwidth Test" tool of mikrotik. Take a look at this post: https://forum.mikrotik.com/viewtopic.php?t=104266 It has ip addresse...

elico

Hi normis, can this "issue" or "feature" can be published in the product wireless chip spec so I and others can see it while evaluating the product?
(this post is good enough for me but if it was on the specs I wouldn't be required to search the forum)
Sounds fair?

elico

<r>Depends on the OS forced limit and also the CPU arch. Iptables mark can be up to very very high ie from: https://www.frozentux.net/iptables-tutorial/chunkyhtml/x2702.html section "10.3.10. Mark match" it seems that the mark themselves can be much higher then 250. The next link give some...

elico

What about memory?

elico

I have a bunch(20+) HAP and RB750G devices which has a USB port. I have a USB Disk On Key with static html files that I want to be accessible via the network. The way I did that until now is using SMB and a public read-only share. I was wondering if it's possible to serve static files on a specific ...

elico

Was this answered?
I can write a tutorial on how to make a Linux squid work with mikrotik.
I have been working on som daemon that will throw rules to the edge router about what IP's to intercept and to what proxy forward the traffic.

elico

Anyone tried to configure RouterOS devices with ansible? Basically it's based on ssh so it should be doable and maybe in some way Anisble can be used as the "controller" for a RouterOS cluster. It would be similar to a "Control Plane" which is a cli\scripting\webui that sends com...

elico

You can use FastNetMon for DDoS Sync attack. It has support for rOS.

https://github.com/pavel-odintsov/fastnetmon

M.

When taking a peek at the FastNetMon github issues I have seen that there is an open issue about a specific issue and it's yet clear to me if it was fixed or not.

elico

I am connected to work over a PPPOE connection but to some systems I am required to have a L2TP tunnel. I tried to follow the next tutorials: http://wiki.mikrotik.com/wiki/Policy_Base_Routing http://wiki.mikrotik.com/wiki/PBR_PTP_IPIP In order to implement PBR for specific hosts on my network. The f...

elico

Will it only work for routers or also for SWOS?

elico

I tried to upgrade a 260GSP using firefox and it required me to rely on a the wiki article: http://wiki.mikrotik.com/wiki/SwOS#Reinstall_SwOS_firmware But on a rb750gr2 the defaults are to have 192.168.88.0/24 I had to use the combination of the article and use the existing address-pool instead of c...

Search found 40 matches