MikroTik

td32

I confirm session windows inside main winbox windows are saved but their size seams to be restored to a kind of default preset size at each start

first start windows set up

on new session, also the same on winbox restart

td32

only RB3011, hap ac2 has 2.0

td32

both have USB 2.0 if i'm not wrong, so its a no go.

td32

all i can think is replacing the hotspot login page or kind of that

td32

most probably you are blocking port 80 with some firewall rule, https uses port 443 so you don't have the same problem as with http
have a look at the forward chain for a block/drop port 80 rule

td32

hAP ac2, 256MB ram: With v6.46.* I get a random reboot.

some suggest disabling the ntp package
viewtopic.php?f=21&t=156825&sid=81b15b9 ... 47#p773118
viewtopic.php?f=21&t=156825&sid=81b15b9 ... 47#p773712

td32

yes it's weatherproof so you can mount it outside, the only thing i would suggest the white version, you should avoid black colors for outside devices, you want them to absorb less heat possible form the sun (unless you live somewhere near the pole)

td32

i think you better go with wap ac's for access points, based on number of user that should connect you chose the quantity and the location.
RB4011 is fine as main router and you can set as capsman, hotspot users can be managed through usermanager

td32

on windows only by using the cisco client vpn utility
i dont think windows supports it natively

td32

set this
my-id=key-id
my-id=groupID

td32

ros should have custom code for implementing ssh.
I thing mikrotik has its own public honeypot devices with traffic monitoring, so i guess they already have whats needed to diagnose it.

td32

so from what has been posted above
it seams like some kind of ssh authentication bypass.
it seams also that at least the user name must be known.

td32

Public ip here on 6.42.12 NOT affected.
SSH enable on non default port
winbox enabled on default port
icmp allowed
access restricted to single ip, port knock and lan
admin user not present

td32

Remote location a continent away, stay on lts as long as you can, if you want to update wait weeks after a new release(lts) and read forum comments about that specific release, before even attempting to update.
Stable channel has been full of serious bugs lately.

td32

6.45.2 in my case appears to Cause in WAP AC ( RBwAPG-5ACT2HnD Models) some issues with older HP Laptops ( N max speed Intel Centrino Wireless Cards Circa 2015 Drivers ) (not AC) The PC cannot see the Access Points for 2.4 and 5 GHz appear not Visible at all ( Either using the Built in Wifi Search ...

td32

wouldn't a simple dns block work for this case, redirect all dns port 53 requests to your local dns resolver(in case they use any third party dns) and set a static dns to 0.0.0.0 for youtube.com

td32

if i'm not wrong user manager does not supports WPA2 enterprise

td32

I've tried going into the "Interfaces" tab and disabling one of the WLAN interfaces at a time, but it appears that no matter which one I disable the other defaults back to 5GHz. There is no way for this to happen, default wlan1 interface is 2.4GHz and wlan2 is the 5Ghz only If your IoT is only 2.4G...

td32

it might be a failing power adapter.

td32

were does your pihole get its dns?
you must allow requests from pihole ip to reach the dns resolver the pihole uses

td32

well you can block access to port 80 to the modem ip from all ips in your subnet and add an allow rule over the drop one only for the ips you want to access it

td32

doubt this was on default config.
On default config wan port drops all input traffic

td32

Post full IPsec debug logs. If I recall correctly, you have to use my-id=key-id when connecting to cisco XAuth server.

thanks this was the missing info

my-id=key-id
my-id=groupID

td32

# mar/02/2019 00:22:06 by RouterOS 6.42.12 /ip ipsec policy group set [ find default=yes ] name=groupID /ip ipsec proposal set [ find default=yes ] auth-algorithms=sha512,sha256,sha1,md5 \ enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,3des pfs-group=none add auth-algorithms=sha256 enc-algorith...

td32

i'm bumping this once again
Anyone has any idea if this can be done?
does ROS support IPSec Xauth PSK client-to-site with a cisco router?

td32

So, if you don't have allowed addresses in Winbox IP service, but you have an input accept filter rule with address list for 8291, you're vulnerable?

only from the accept list ips

td32

its not enough, change your password also

td32

I'm afraid of upgrading my 941 and 952 devices as they don't have the 60mb for the leak and most of them are remote (like 20 hour plane ride away)

"20 hour plane ride away", my god Please don't. Stay on bugfix or Long-term how it's called now.

td32

try to sleep a second between knocks

td32

SAFE MODE- reinventing the wheel

td32

try to run netinstall as admin
try another ros version like 6.42.9

td32

you can change the password all day long but if someone has remote access on you pc most probably has installed a keyloger also 11/5/18 22:38:15 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet system,info,account user NewUserCreated logged in from ??:3B:??:22:...

td32

what about this

http://openwrt.wk.cz/trunk/mr-mips/packages/openssl-util_1.0.1-1_mr-mips.ipk

td32

i think you can get the ssl packages directly from the openwrt website, available with each release
example

https://archive.openwrt.org/chaos_calmer/15.05/ar71xx/mikrotik/packages/

td32

there are some issues with the device communication with netistall, i have had luck different times setting the speed&duplex to 10Mbps Full Duplex, or 100Mbps Full Duplex,

last time i had luck with 100Mbps Full Duplex

td32

here you can try this ugly solution 1- create a batch file containing the following ::@echo off SET NewWifiPass= SET /p NewWifiPass= NewWifiPass(min 8 char long): copy /Y changewifi.txt changewifi.temp.txt sed -i s/OldWIFIPASS/%NewWifiPass%/g changewifi.txt START /W putty.exe -ssh mikrotikUSER@mikro...

td32

It looks like the default routerboot boot mode has changed from "nand if fail then ethernet" to "try-ethernet-once-then-nand". This wasn't mentioned in the release note. However, I think it is a good idea, I already set difficult-to-access devices that way. Advantage: you can netinstall a device by...

td32

whoever has a vertical screen resolution of 768 and below is faced with the No scroll issue. CLI is a work around, but it is still an issue in winbox

td32

i guess he got pwned on the previous version(stolen user pass), then upgraded but did not change access credentials.
But they still have the credentials to login.

td32

https://mikrotik.com/product/RB951-2n#f ... ifications
24V 0.8A power adapter

https://mikrotik.com/product/RB951G-2Hn ... ifications
12V 1A power adapter

td32

sure you can, set the wireless interface in station mode, set it as dhcp client and as gateway

td32

Does this indicate that my OVPN has been compromised??? I've disabled my ovpn in the meantime.

nope just service scanners

td32

not supported for STX lte
viewtopic.php?f=7&t=103377&p=649246&hil ... ge#p626478

td32

what ros version is the hap ac?
it might be infected.

td32

its just a simple fix, there is no need for a third part solution only for this.

td32

I have noticed this issue is present with Huawei P10lite also, max you can get on 2.4Ghz is 54Mbps.

td32

bump for this feature, i hope it gets on the todo list

td32

add the following over that rule to allow lan access

/ip firewall filter
chain=input action=accept src-address=YourLanRange dst-port=8291 protocol=tcp

or you can just drop input only from your wan interface

/ip firewall filter
chain=input action=drop in-interface=YourWanInterface

td32

get on bug fix, no issues at all on my side

td32

The notifications caused the 40 second delay on each post submission. You can vote which one you prefer :) There are a LOT of users on this forum, notifications seem to be broken in latest PHPBB releases, we will keep following on any changes in that regard. well for sure posting is the Main featur...

td32

The hAP ac2 is missing a few features that the hAP ac had:
- PoE out on ether5
- SFP port

dual chain wireless vs triple chain for hAP ac

td32

hAP ac² - CPU is IPQ-4018 716 MHz
PDF: https://uloz.to/!KboRhNGccV6O/en-datash ... -tower-pdf

Storage size 16 MB!!!!
yet another 16MB flash device...

td32

In this release address list entry timeout option is broken! Entry is removed from address list randomly, but much more faster than specified amount of time

many have raised this bug but no answer yet, perhaps it will be fixed in the next bugfix

td32

Is there a notification problem withe the forum in the last days, i don't get notifications anymore about the subscribed topic? (on the user account icon in the top right there use to be a red sign).

td32

*) userman - added support for ARM and MMIPS platforms;

a miracle after 3 years

what a news...
so next step: support EAP

td32

create a mangle rule
preroute destination port 5060, action mark routing, l2tpvpn
then add a static route that points to l2tp interface with routing mark l2tpvpn

td32

The Mikrotik had a public IP and it wasn't doing any DHCP. It was working purely as a router. Not sure how will that help ? Thanks, The wireless Network was not doing DHCP. I just connect to it, but I don't get an IP from it. There is no way I can get in via the IP perhaps. if the wireless interfac...

td32

What if you assign a static ip to your windows client?

td32

never run btest on the same device you want to measure performance, you will get much lower results because btest consumes most of the cpu resources

td32

Wap by default won't let you connect through the ethernet port because it is configured as WAN. By default it has an open wifi AP, you can connect through wifi and it will let you connect with winbox, you can modify the firewall rules this way so that you can connect from the ethernet port in the fu...

td32

User-Manager does not support any EAP method
you can use freeradius on an external machine

td32

you must test final client(pc) to client(pc), testing is cpu hungry and running it on the same mikrotik device will not show real link results since cpu is used for generating traffic and the remaining for routing it.

td32

Hi, When adding a IP to an IP>firewall>address list with a timeout (say 4d 00:00:00) and adding a comment in 6.39.3, it drops off within 24hours (and not when the timeout is reached). Doing the same in v6.38.7 it doesnt drop off and continues to count down till its timeout is reached. I have tested...

td32

Well routeros is closed source.
You should look at lede/openwrt if you need to customize stuff (hardware compatibility and features)

td32

it seams the CRS is enough for your needs

td32

known problem, it was fixed in the 6.40rc

td32

Poe-in that the device itself can be powered by poe, poe-out it can power other devices attached to that port.
From the picture it says port1 is poe-in but nothing is shown about this in the quick guide powering section, neither in the brochure.

td32

Well just for "office lan" is not enough to suggest anything. You have to describe what you are planing to achieve.

td32

you have to look at the switch benchmark
bridge goes through cpu

td32

you need a server machine x86/x64 to run the call of duty server software, a complete different device.

td32

i'm for this too

td32

Anyone had luck with this type of configuration.
I have read the other topics in here about IPSec Xauth PSK on cisco but they provide no final conclusion if it is supported or not.
viewtopic.php?t=92819

td32

Hello I have the following details from the Cisco vpn IPSec Xauth PSK ip: x.x.x.x group: groupID secret: Pass2 user: user1 pass: pass1 I can set this up fine on my phone and it connects easily. I tried to connect my mikrorik router as a client to the cisco vpn and route all the mikrotik clients traf...

td32

if my channels can be transferred continuously from site 1 to site 2 No this cant be done with ROS(neither with any other root os ). You need special software(if it exists)that runs on a server on site2 to replicate the iptv server. Mikrotik devices manage traffic, it can't "repeat" and handle your...

td32

sometimes wAP dont like shielded cables when powered from certain poe devices, but since you are using unshielded cables this doesn't seam the case. I guess the switch is crappy and it cant manage the load requested on all port groups. Once you connect the 4-th wAP something drops below the limit le...

td32

Have you tried switching cables? Are you using shielded ones?

td32

Power off then power on the switch , well...all WAP-AC dead and the other different ones immediately up and running .........still a switch issue ?? Any thougth or suggestion from MT guys please ?? P.S. Does routerOS version affect PoE behaviour ? all of them are 6.38.5 you can try and downgrade ht...

td32

PoE Capable Ports • DGS-1210-28P: • Ports 1 to 4: Up to 30W (802.3at) • Ports 5 to 24: Up to 15.4W (802.3af) PoE Power Budget • DGS-1210-28P: Max. 193W wAP ac Max Power consumption 12W 9x12w=108W i would suggest to fill the 1-4 ports and the other 5 port 5 10 15 20 24. it might be that any wAP ac un...

td32

You can enable them from the terminal, no need to press the reset button

/interface wireless cap
set bridge=bridgeLocal discovery-interfaces=ether1 enabled=yes interfaces=\
    wlan1,wlan2

td32

its 2017 and this must be a priority feature.

td32

RB1100aHX2 BRICKED, man, this is a RC, not an alpha, can't even think how this happend. Trying to downgrade to earlier version, unfortunately at this time i'm 250 miles away from the RB, so only can connect through layer2 (MAC) and i'm lossing the connection every X seconds and I can't upload de 11...

td32

So it seams you don't have to do the copy caps setting to a new one just to set a custom name and make the cap static. nice!
Edit:
mm perhaps i didn't understand it right
what i wrote up can already be done by adding a cap manually.

td32

Your problem can be solved easily.
Drink a bottle of rum and see if you still care.
What a helpful post.

maybe go post on the ubnt forums instead ?

@Jajeblonsky is spamming the board left and right with this type of silly post in the last days

td32

did you reboot after that?
A reboot is necessary.

td32

Perhaps you can play with this command

:delay (($var1 + $var2 + $var3) / 5)

td32

Under maintenance rebuild database that should fix it, or reboot.
I had the same issue.

td32

would you kindly post the script here
it would be very useful

td32

Hi, I have the same issue ( http://forum.mikrotik.com/viewtopic.php?f=10&t=116521&p=576251 ). As nobody answered, I opened a ticket for it. Regards, Wolfgang what ros version are you using? Searching though the changelogs i found this on 6.37.1 *) userman - always re-fetch table data when switching...

td32

yes i mean on the ap, the out of the box configuration of example wap ac is #| * WAN port is protected by firewall and enabled DHCP client #| * Wireless interfaces are part of LAN bridge connect form the wireless side and you will be able to connect through winbox, and then set a firewall rule to al...

td32

most probably firewall blocking access from wan port (ethernet1)

td32

Hi I have user manager running with hotspot on a rb1100ahx2 on latest bugfix 6.36.4 In the Users window in user manger, timing values for each user are not displayed at all. For all user profiles 'Starts' is set to 'At first Logon' As you can see in the attached screenshot Users with Time left = Unk...

td32

hi, write me at ferkop1@gmail.com and i can help you.

can't this be public?

td32

any news about this?
made the mistake of purchasing this model to be used for user-manager.
It should have been stated somewhere in the product page that this does not support user-manger yet, at least i could have avoided wasting my money!

td32

what would be the recommended tx-power for a 150m length connection?

td32

Use non-standard port + Strong Password and username != admin. Throttle connection attempts. Mikrotik disconnects connection on invalid login, so only allow one connection per 15 seconds. http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention I use this sneaky trick: - Server listens on non-stan...

td32

Thanks for the reply.
Would it be possible to catch the reveiving STX 5 and the AP following it, with CAPSMAN, or does it work only on wired connection?

td32

Please
anybody con confirm this will work?

td32

Hello I was wondering if someone could confirm that the following configuration can be implemented. I have to build this network were i have to send the signal 200 m away by radio, and i was thinking of using 2 SXT 5 ac. the access gateway is a RB3011UiAS-RM it will be used as hotspot controller for...

Search found 98 matches