Community discussions

by sebastia
Sat Dec 08, 2018 3:50 pm
Forum: Wireless Networking
Topic: wireless scanning results
Replies: 4
Views: 629

Re: wireless scanning results

Hey, in Winbox you normally have tooltips on hover. Have you tried holding your mouse over that column?
by sebastia
Sat Dec 08, 2018 3:35 pm
Forum: Beginner Basics
Topic: Simple Queue does not work [SOLVED]
Replies: 5
Views: 820

Re: Simple Queue does not work [SOLVED]

Hello, please list your config: "/export hide-sensitive compact"
by sebastia
Sat Dec 08, 2018 2:06 am
Forum: General
Topic: Tls host not work
Replies: 9
Views: 2463

Re: Tls host not work

So the question is then: how do we identify and block QUIC so that fall-back scenario will engage (=> tls over tcp, which we CAN filter)? Edit: as easy as blocking 80 & 443 over udp? https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC Edit2: so firewalled udp:80&443, mo...
by sebastia
Sat Dec 08, 2018 1:01 am
Forum: General
Topic: Packet Marking/VoIP QOS
Replies: 8
Views: 819

Re: Packet Marking/VoIP QOS

I know... but the default doesn't have queues either ;-). And it's not wrong, FOR packets. It is wrong for connections. A UDP "connection" has packets travelling in both directions. So which connection mark should it have: RTP In or RTP Out??? try this /queue tree add limit-at=100M max-limit=100M na...
by sebastia
Sat Dec 08, 2018 12:36 am
Forum: General
Topic: the pcc dose not work when it works with fasttrack
Replies: 18
Views: 1849

Re: the pcc dose not work when it works with fasttrack

Yes The rule /ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related src-address=!192.168.41.0/24 will do following * LAN -> WAN will not fasttrack if the src is .41. network. * WAN -> LAN will fasttrack ALL connections as none have src from .41. range ...
by sebastia
Fri Dec 07, 2018 11:46 pm
Forum: General
Topic: the pcc dose not work when it works with fasttrack
Replies: 18
Views: 1849

Re: the pcc dose not work when it works with fasttrack

I've created rule such as this: /ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related src-address=!192.168.41.0/24 That rule gets applied in both directions ... on the way back from internet to internal src-address exclude will not do the job... Fast...
by sebastia
Fri Dec 07, 2018 11:38 pm
Forum: General
Topic: Packet Marking/VoIP QOS
Replies: 8
Views: 819

Re: Packet Marking/VoIP QOS

Some remarks: global don't work with fasttracking TODO: * change global -> ether1 (=wan) add max-limit=20M name="Upload Parent" parent=ether1 queue=default you are fasttracking everything TODO: * you need to exclude traffic for "RTP" from fasttracking add action=fasttrack-connection chain=forward co...
by sebastia
Fri Dec 07, 2018 11:11 pm
Forum: General
Topic: Supplier requires Iperf Speedtest program
Replies: 8
Views: 769

Re: Supplier requires Iperf Speedtest program

and port forwarding not an option?

Then again, if you have continuous load, what will doing the test with iPerf prove? It will definitely not reach the quoted speed due to bandwidth being used...
by sebastia
Fri Dec 07, 2018 11:08 pm
Forum: General
Topic: Using action=route in Mangle
Replies: 4
Views: 468

Re: Using action=route in Mangle

Hey

Just a thought: are you natting these packets? I would expect that to still be needed. Or does the remote site know what networks are reachable over the tunnel?
by sebastia
Fri Dec 07, 2018 10:27 pm
Forum: General
Topic: DNS Flood
Replies: 5
Views: 831

Re: DNS Flood

Hi

You could rate limit access to dns /ip basis. can be done in firewall

Ex:
add action=accept chain=prerouting comment="Accept: dns < limit" dst-limit=10,20,src-address/1m protocol=udp ...
add action=drop chain=prerouting comment="Drop: dns" protocol=udp ...
by sebastia
Fri Dec 07, 2018 10:00 pm
Forum: General
Topic: Supplier requires Iperf Speedtest program
Replies: 8
Views: 769

Re: Supplier requires Iperf Speedtest program

install it on comp behind MT, and port forward if needed.

Or just replug that comp for a while.
by sebastia
Fri Dec 07, 2018 9:47 pm
Forum: General
Topic: the pcc dose not work when it works with fasttrack
Replies: 18
Views: 1849

Re: the pcc dose not work when it works with fasttrack

Hey I've the following for selective fast-tracking and working fine: add action=fasttrack-connection chain=forward comment="FastTrack: established & related" connection-bytes=8000-0 \ connection-mark=FT connection-state=established,related add action=accept chain=est_rel comment="Accept: established...
by sebastia
Fri Dec 07, 2018 9:37 pm
Forum: Beginner Basics
Topic: rbsxtr&r11e-lte-us Poor speeds
Replies: 13
Views: 1216

Re: rbsxtr&r11e-lte-us Poor speeds

Hi Edit: have you tried with a phone, for same provider? I'm using SXT LTE kit for backup line. Just did a test and I can't complain http://www.speedtest.net/result/7861969630 . Do note that both up- and download are manually (queues) limited to 20/40Mbps. No fancy setup here. List your config and s...
by sebastia
Fri Dec 07, 2018 9:29 pm
Forum: Scripting
Topic: Netwatch script does not allow ":execute"
Replies: 1
Views: 433

Re: Netwatch script does not allow ":execute"

Hey From documentation at https://wiki.mikrotik.com/wiki/Manual:Tools/Netwatch Warning: Since RouterOS v6.42 Netwatch is limited to read,write,test,reboot script policies. If the owner of the script does not have enough permissions to execute a certain command in the script, then the script will not...
by sebastia
Fri Dec 07, 2018 6:07 pm
Forum: General
Topic: Dynamic nat rules above static rules
Replies: 3
Views: 341

Re: Dynamic nat rules above static rules

Not my domain of expertise...
I did notice that natting is optional.
by sebastia
Fri Dec 07, 2018 5:47 pm
Forum: General
Topic: Packet Marking/VoIP QOS
Replies: 8
Views: 819

Re: Packet Marking/VoIP QOS

Hi

Please provide the full config, so that others have all the needed info / elements
/export hide-sensitive compact
by sebastia
Fri Dec 07, 2018 3:15 pm
Forum: General
Topic: Dynamic nat rules above static rules
Replies: 3
Views: 341

Re: Dynamic nat rules above static rules

A related question: which process is creating these dynamic nat rules?
by sebastia
Fri Dec 07, 2018 3:09 pm
Forum: Beginner Basics
Topic: SXT LTE traffic Monitor
Replies: 2
Views: 381

Re: SXT LTE traffic Monitor

Hi A low effort option would be to reset the interface counters on a specific day of month: the counters on that interface would be then totals for current month. The reset could be scripted. Another option would be to use traffic flow data to keep track of it (in a much more detailed view) external...
by sebastia
Fri Dec 07, 2018 12:14 pm
Forum: General
Topic: Bridge Leakage in 6.42.x and above.
Replies: 12
Views: 911

Re: Bridge Leakage in 6.42.x and above.

Could it be because of Romon? Is it enabled on your router?
https://wiki.mikrotik.com/wiki/Manual:RoMON
by sebastia
Fri Dec 07, 2018 12:07 pm
Forum: General
Topic: Self Signed SSL Wrapper/Wizard
Replies: 1
Views: 313

Re: Self Signed SSL Wrapper/Wizard

Hi

Yes, we can! Having it integrated into Quickset would be even simpler -> feature request maybe?

See:
https://wiki.mikrotik.com/wiki/Manual:C ... rtificates
https://wiki.mikrotik.com/wiki/Manual:S ... rtificates
by sebastia
Thu Dec 06, 2018 6:25 pm
Forum: Beginner Basics
Topic: SLX LTE Kit
Replies: 5
Views: 969

Re: SLX LTE Kit

Out of the box eth1 & 2 are bridged. So:
1. remove eth2 from bridge (and optionally delete the bridge)
2. configure lte to pass-through on the eth2 interface
by sebastia
Thu Dec 06, 2018 3:06 pm
Forum: Beginner Basics
Topic: Choosing router+switch pair for home net
Replies: 7
Views: 754

Re: Choosing router+switch pair for home net

Hi 2011 is aging, don't go for it. For router would suggest 3011 or 4011 (with wifi). Then you could plug all cables into that one box. (The 4011 can do 10g on one port, but cabling you are stuck with won't support it.) For the lab, that depends on what you are planning: if just local 10g and nothin...
by sebastia
Thu Dec 06, 2018 2:44 pm
Forum: General
Topic: Port Forwarding Not Working
Replies: 6
Views: 441

Re: Port Forwarding Not Working

Some observations # You know what your internet interface is => pppoe, would suggest to disable it as it caused issues in other instances /interface detect-internet set detect-interface-list=all # There is a fixed ip set & dhcp together? dhcp-client can / should probably be disabled/removed. /ip dhc...
by sebastia
Thu Dec 06, 2018 1:58 am
Forum: General
Topic: Port Forwarding Not Working
Replies: 6
Views: 441

Re: Port Forwarding Not Working

would you mind posting your config?

"/export hide-sensitive compact"
by sebastia
Thu Dec 06, 2018 1:55 am
Forum: General
Topic: block p2p on router os version 6.4
Replies: 7
Views: 1290

Re: block p2p on router os version 6.4

Hi

You could try with Layer7 matching patterns to mark connections as "p2p" based on the first (usually) 2k of data in connection, and then in second step block connections with that mark.
There are some patterns to be found online.
by sebastia
Thu Dec 06, 2018 1:42 am
Forum: Beginner Basics
Topic: RouterOS basic vlan config
Replies: 15
Views: 1480

Re: RouterOS basic vlan config

what you've defined so far is just the trunk port and ids of the vlans But You'll need to redefine / update the ports definitions -> /interface bridge port These vlans, except for 1, end there, as no other port is participating / propagating any of these vlans. -> /interface bridge vlan the ip on MT...
by sebastia
Thu Dec 06, 2018 1:30 am
Forum: General
Topic: Port Forwarding Not Working
Replies: 6
Views: 441

Re: Port Forwarding Not Working

Hi

The forward needs to be allowed in filter table too. In default config, it's done auto for all "dst-nat"-ed connections. If you have modified it, you need to allow it.

/ip firewall filter add chain=forward ...
by sebastia
Wed Dec 05, 2018 11:23 pm
Forum: Beginner Basics
Topic: group permission "test"
Replies: 1
Views: 364

Re: group permission "test"

Hey

I don't think "it's just you". Same experience here: the policy grouping / consistency / effectiveness needs to be looked at by Mikrotik.
by sebastia
Wed Dec 05, 2018 11:10 pm
Forum: RouterBOARD hardware
Topic: pleaaaas help :CCR1036 ether ports doen't respond
Replies: 6
Views: 836

Re: pleaaaas help :CCR1036 ether ports doen't respond

Hi does your laptop have a GBit port? these are auto-cross and don't need a cross-over cable. but with anything slower you do. It could also be a compatibility issue, have you tried with a switch in between? further it would be that dhcp is disabled, so you might need to set ip manually. Are the mac ...
by sebastia
Wed Dec 05, 2018 11:03 pm
Forum: General
Topic: HELP MIKROTIK STATIC ROUTE
Replies: 3
Views: 378

Re: HELP MIKROTIK STATIC ROUTE

Hi Make sure that: on MT: add route 190.10.150.38 to ISP1 add route 172.32.21.10 to ISP2 add route 172.16.0.20/18 to pbx (I'm guessing pbx is not doing nat?) on pbx: default route is 10.0.101.1, your router but the first two are publicly routable ip's and it normally doesn't matter if you go left or...
by sebastia
Wed Dec 05, 2018 5:34 pm
Forum: Beginner Basics
Topic: RouterOS basic vlan config
Replies: 15
Views: 1480

Re: RouterOS basic vlan config

Hi

Have you looked at this already? https://wiki.mikrotik.com/wiki/Manual:B ... _switching
by sebastia
Wed Dec 05, 2018 5:24 pm
Forum: General
Topic: Asymmetric routing
Replies: 4
Views: 1035

Re: Asymmetric routing

Hi

Just to be clear: RP filter is only for incoming packets. see https://wiki.mikrotik.com/wiki/Manual:I ... Properties
It has no impact on routing within the router.
by sebastia
Wed Dec 05, 2018 5:06 pm
Forum: General
Topic: How to make webui listen on multiple IPs
Replies: 1
Views: 231

Re: How to make webui listen on multiple IPs

Hi If you want to test forwarding, then you would want to distinguish the different targets from each other I guess? So that would mean a different page for each forward. A simple / static page on bare minimum http server would suffice. Grab any linux distro and start some instances of httpd / light...
by sebastia
Wed Dec 05, 2018 3:35 pm
Forum: General
Topic: pcc does not work with fasttrack
Replies: 4
Views: 391

Re: pcc does not work with fasttrack

Hi

By design: fasttrack bypasses mangle rules which are needed for pcc to work.
by sebastia
Wed Dec 05, 2018 3:29 pm
Forum: Beginner Basics
Topic: Setting up a dedicated Management Port
Replies: 4
Views: 1527

Re: Setting up a dedicated Management Port

Hi

If I'm not mistaken, the default config makes use of interface lists. Since you removed the eth3 from bridge, it's not part of known list and disallowed in firewall.
Either add it to LAN again, or create new List and allow that list to access the router in firewall.
by sebastia
Tue Dec 04, 2018 8:50 pm
Forum: Beginner Basics
Topic: SSH login
Replies: 6
Views: 619

Re: SSH login

Not sure what you mean? The ssh server version mikrotik uses is v2.
by sebastia
Tue Dec 04, 2018 8:42 pm
Forum: General
Topic: Public Subnet - Misunderstanding [SOLVED]
Replies: 4
Views: 406

Re: Public Subnet - Misunderstanding [SOLVED]

Another option would be to not do nat and keep all (the main) devices in same subnet, BUT put a transparent firewall in-between: basically forward all bridge traffic to firewall and validate it there. One can even do packet mangling and prioritisation if needed Edit: similar to this https://www.youtub...
by sebastia
Tue Dec 04, 2018 8:32 pm
Forum: General
Topic: What is main differences between stable and long-term? [SOLVED]
Replies: 7
Views: 4505

Re: What is main differences between stable and long-term? [SOLVED]

long term contains bugs too ;)... I think of stable as good enough for general public (out of beta).
by sebastia
Tue Dec 04, 2018 8:26 pm
Forum: General
Topic: License Problem [SOLVED]
Replies: 5
Views: 764

Re: License Problem [SOLVED]

I would suggest to contact support directly. Forum is user driven mostly.
by sebastia
Tue Dec 04, 2018 12:44 pm
Forum: General
Topic: Logging of traffic in output chain after mangle rule
Replies: 4
Views: 386

Re: Logging of traffic in output chain after mangle rule

I misunderstood your statement, routing is indeed "adjusted" as last step, and hence results in incorrect logging for both mangle & filter in output chain.

If you want the right log, put that log rule in postrouting chain, at which point packet should be updated.
by sebastia
Tue Dec 04, 2018 9:56 am
Forum: General
Topic: Priority to Port
Replies: 3
Views: 352

Re: Priority to Port

There's nothing you can do to increase priority in DL direction ... that's up to your ISP to arrange. You can, though, increase priority in UL. For that, wan1 will be out-interface. From my experience, that's not entirely true. Since most of the traffic on net is tcp based, one can limit the th...
by sebastia
Tue Dec 04, 2018 9:46 am
Forum: General
Topic: Logging of traffic in output chain after mangle rule
Replies: 4
Views: 386

Re: Logging of traffic in output chain after mangle rule

Hi

To affect routing decision, route mark needs to be made in prerouting, as routing is executed right after. Any later will be too late and irrelevant.

see: Image
by sebastia
Mon Dec 03, 2018 4:07 pm
Forum: General
Topic: Static route not working
Replies: 8
Views: 627

Re: Static route not working

Hi To my knowledge, you can't force a route from netwatch directly, but... You can force route through route package: # to add a new table for wan1 add comment=Wan1 distance=20 gateway=<wan1 gw> routing-mark=wan1 add distance=100 routing-mark=wan1 type=blackhole # to route for that ip using that tab...
by sebastia
Mon Dec 03, 2018 1:53 pm
Forum: Beginner Basics
Topic: Liberty Shield VPN router not seeing NAS
Replies: 7
Views: 536

Re: Liberty Shield VPN router not seeing NAS

If possible, try changing vpn server. or use your normal isp: forum is protected by ssl (->https)
by sebastia
Mon Dec 03, 2018 12:14 pm
Forum: Scripting
Topic: Using "find" to match partial comment
Replies: 6
Views: 5558

Re: Using "find" to match partial comment

The API allows searching on a number of parameters, including comment. The match can be full or partial. Ex:

print where comment~"est_rel"
by sebastia
Mon Dec 03, 2018 12:05 pm
Forum: Beginner Basics
Topic: Help With VPN and Remote Access
Replies: 3
Views: 477

Re: Help With VPN and Remote Access

Hi The vpn is just another way to "exit to the world", in general it's not an entry into your network. When you VPN you'll usually share some internet routable ip with other users of that VPN service. Maybe your vpn can do some forwarding for you, check with them as the configuration will need to be...
by sebastia
Mon Dec 03, 2018 11:54 am
Forum: Beginner Basics
Topic: Watchdog timer
Replies: 9
Views: 1409

Re: Watchdog timer

Hello

Watchdog will reboot the system because it has become unresponsive, ex: CPU overload or crashed. In such situation proper shutdown is not possible. And it will generate warning indeed on restart.
by sebastia
Mon Dec 03, 2018 11:52 am
Forum: General
Topic: Mikrotik sniffer droped packets
Replies: 4
Views: 381

Re: Mikrotik sniffer droped packets

Hi

Sniffer will capture all traffic on the interface / wire, so in incoming side before any rules are applied, and on the outgoing side after all changes/filtering has been applied.
Basically what one would see in the wire.
by sebastia
Mon Dec 03, 2018 11:40 am
Forum: Wireless Networking
Topic: Improve PTMP download
Replies: 11
Views: 1220

Re: Improve PTMP download

A while back ratio feature was added to give priority to up or download

See: viewtopic.php?f=21&t=132181
by sebastia
Mon Dec 03, 2018 11:33 am
Forum: Beginner Basics
Topic: state-connection "new" not detected [SOLVED]
Replies: 2
Views: 343

Re: state-connection "new" not detected [SOLVED]

Hi

all new connection passing through the firewall will be selected by this rule, as long as these aren't processed somewhere before.

What will not be processed by this rule is all new connections to the firewall itself (chain=input) or originating from the firewall (chain=output)
by sebastia
Mon Dec 03, 2018 1:26 am
Forum: Beginner Basics
Topic: Liberty Shield VPN router not seeing NAS
Replies: 7
Views: 536

Re: Liberty Shield VPN router not seeing NAS

Good to hear that your nas is accessible.

Regarding Spamhouse, you mean when accessing this forum?
by sebastia
Mon Dec 03, 2018 12:16 am
Forum: Beginner Basics
Topic: Liberty Shield VPN router not seeing NAS
Replies: 7
Views: 536

Re: Liberty Shield VPN router not seeing NAS

Hi

what ip's are these devices getting?
Also note that there is a note about that at their site: https://libertyshield.kayako.com/articl ... sable-dhcp
by sebastia
Sat Dec 01, 2018 10:05 pm
Forum: General
Topic: PPC Load balancing on Source IP
Replies: 1
Views: 274

Re: PPC Load balancing on Source IP

Hi Not sure: what is your question? To validate? * These are missing an action: add chain=prerouting dst-address=192.168.1.0/24 in-interface=Local add chain=prerouting dst-address=192.168.2.0/24 in-interface=Local add chain=prerouting dst-address=192.168.3.0/24 in-interface=Local * these will balanc...
by sebastia
Sat Dec 01, 2018 9:33 pm
Forum: Scripting
Topic: How to pass variable between scripts
Replies: 10
Views: 1881

Re: How to pass variable between scripts

Actually I did see it, but ... if the scripts are related say script1 call on script2, named variables can be used.
If one can't call on the other then that won't fly naturally.

In other way, another option for a developer
by sebastia
Sat Dec 01, 2018 9:23 pm
Forum: General
Topic: Block VPN access to VLAN
Replies: 11
Views: 800

Re: Block VPN access to VLAN

If you have other opinion, elaborate on it. That remark of yours is everything but constructive.
What's the point of you being here on the forum?

If you want to help others, then be constructive!
by sebastia
Sat Dec 01, 2018 9:17 pm
Forum: Wireless Networking
Topic: lost configuration on every reboot
Replies: 5
Views: 946

Re: lost configuration on every reboot

You don't have any remaining npk files on them which would trigger an upgrade?
by sebastia
Sat Dec 01, 2018 9:15 pm
Forum: Wireless Networking
Topic: Multiple APs + seamless + wired backbone
Replies: 3
Views: 629

Re: Multiple APs + seamless + wired backbone

Hi Based on your description, you don't seem to have loops in your network, then there is no need for xSTP. Regarding wifi, there are quite a bit of threads here about roaming. In general: * you want to make sure that you can connect to all stations * make sure they don't interfere / overlap ex 40MH...
by sebastia
Sat Dec 01, 2018 8:32 pm
Forum: General
Topic: Address Lists in Firewal rules
Replies: 16
Views: 1290

Re: Address Lists in Firewal rules

I don't WISH anything (in this context :) ). Was offering possible explanation to current / observed behaviour. That's all.
Let's close...
by sebastia
Sat Dec 01, 2018 6:26 pm
Forum: General
Topic: Address Lists in Firewal rules
Replies: 16
Views: 1290

Re: Address Lists in Firewal rules

Consider this: there is a list of 100 entries. * with no order, each entry has to be considered -> this will result in 100 comparisons => linear search * with order, the order can be used to search for a possible match, starting in the middle, if "equal" -> bingo, if "smaller" -> take middle of lowe...
by sebastia
Sat Dec 01, 2018 3:44 pm
Forum: General
Topic: Address Lists in Firewal rules
Replies: 16
Views: 1290

Re: Address Lists in Firewal rules

You have misinterpreted my answer: current algo is the right way to go, as it WILL save on CPU cycles, BUT development => Mikrotik should have ordered the list first before using internally. I did NOT mean that we => the users should be doing the ordering. Basically, I fully expect to be two versio...
by sebastia
Sat Dec 01, 2018 3:36 pm
Forum: RouterBOARD hardware
Topic: RB230 and RB44g?
Replies: 5
Views: 1613

Re: RB230 and RB44g?

Is it still economical to invest in that platform?
by sebastia
Fri Nov 30, 2018 9:23 pm
Forum: Scripting
Topic: How to pass variable between scripts
Replies: 10
Views: 1881

Re: How to pass variable between scripts

I pass values by using named variables, there is no need for globals here:
ex:
:local rtt [$getRTT target=$target intf=$intfP count=$pcount timeout=$ptimeout]

:global getRTT do={
#:log info "getRTT: target: $target, intf: $intf, count: $count, timeout: $timeout"
...
by sebastia
Fri Nov 30, 2018 9:08 pm
Forum: General
Topic: SFP+ copper module (FS 10G-T) incompatible with Mikrotik CRS 3xx?
Replies: 5
Views: 750

Re: SFP+ copper module (FS 10G-T) incompatible with Mikrotik CRS 3xx?

It is indeed meshy. About mixed usage the wiki talks about that, almost at the bottom of the page:
https://wiki.mikrotik.com/wiki/MikroTik ... lity_table
that's for optical only
by sebastia
Fri Nov 30, 2018 8:53 pm
Forum: General
Topic: Block VPN access to VLAN
Replies: 11
Views: 800

Re: Block VPN access to VLAN

another option: deny routing from vpn to that vlan in /ip route rule
by sebastia
Fri Nov 30, 2018 8:51 pm
Forum: Beginner Basics
Topic: public ip to lan?
Replies: 6
Views: 567

Re: public ip to lan?

remove/disable them both and replace with
/ip firewall nat
add chain=srcnat action=masquerade out-interface=<external if> 
Basically:
you only need one, the second could be good if you only have bridge and external if, but better make it explicit
by sebastia
Fri Nov 30, 2018 8:40 pm
Forum: General
Topic: Address Lists in Firewal rules
Replies: 16
Views: 1290

Re: Address Lists in Firewal rules

that would be actually a SMART algo, as it could exit early and save cpu cycles, but indeed somebody probably forgot to order first!
by sebastia
Fri Nov 30, 2018 8:35 pm
Forum: Beginner Basics
Topic: 750Gr3 Private Internet Access PPTP
Replies: 8
Views: 1141

Re: 750Gr3 Private Internet Access PPTP

that can still be done in routing: see /ip route rule. based on source ip give preference to lookup in a "vpn" table...
(And no need to mangle. That will save you quite a bit of cpu)
by sebastia
Fri Nov 30, 2018 6:58 pm
Forum: General
Topic: Address Lists in Firewal rules
Replies: 16
Views: 1290

Re: Address Lists in Firewal rules

some other thoughts:
* does the target respond to ping?
* how is the routing setup on the target?
* is there any packet loss?
by sebastia
Fri Nov 30, 2018 6:45 pm
Forum: Beginner Basics
Topic: 750Gr3 Private Internet Access PPTP
Replies: 8
Views: 1141

Re: 750Gr3 Private Internet Access PPTP

Hi

If you want to route all (0.0.0.0/0) over vpn, I would suggest to work with routing priorities, instead of changing every packet.

So your pia would be distance say 10, with/without ping check
and have your normal route with distance of ex 20.

edit: corrected for terminology: priority -> distance
by sebastia
Tue Nov 27, 2018 3:56 pm
Forum: Beginner Basics
Topic: Two Internet lines to improve speed
Replies: 3
Views: 335

Re: Two Internet lines to improve speed

https://wiki.mikrotik.com/wiki/Load_Balancing

You have few options, depending on preference / needs.
by sebastia
Tue Nov 27, 2018 3:52 pm
Forum: Beginner Basics
Topic: NAT internal address to external
Replies: 8
Views: 631

Re: NAT internal address to external

Isn't the 8080 port nat supposed to go from outside to inside? So dstnat instead of srcnat
by sebastia
Tue Nov 27, 2018 3:45 pm
Forum: General
Topic: Backup/restore without mac-addresses
Replies: 2
Views: 560

Re: Backup/restore without mac-addresses

Hi

Normally macs are not exported, unless these have been set manually. ex on bridge level.
Try:
/interface export => no macs included
by sebastia
Tue Nov 27, 2018 12:20 pm
Forum: Beginner Basics
Topic: Two Internet lines to improve speed
Replies: 3
Views: 335

Re: Two Internet lines to improve speed

Hi It's doable: if you have multiple connections going out, these could be spread over the two links. If you want to be reachable from outside, you would need to setup destination nat rules on the VDSL interface. Wrt VPN, I'm guessing you'll have a single vpn session active. If it can support mobile...
by sebastia
Tue Nov 27, 2018 12:05 pm
Forum: Beginner Basics
Topic: Need help with DHCP server
Replies: 3
Views: 300

Re: Need help with DHCP server

Hi

is that line correct "1. bridge includes eth2 and eth3"?
Or did you mean eth5 instead of eth3?

Keep in mind that bridged interfaces behave as one! -> it's the same broadcast domain.
by sebastia
Tue Nov 27, 2018 12:00 pm
Forum: General
Topic: Traffic-flow collector
Replies: 1
Views: 203

Re: Traffic-flow collector

Hi

I'm using nfsen (https://github.com/p-alik/nfsen, this one is a fork, with some customisations), it's not fancy but does the job.

Cheers
by sebastia
Mon Nov 26, 2018 12:26 pm
Forum: General
Topic: Queue-Bandwidth vs Latency with dedicated speed
Replies: 2
Views: 406

Re: Queue-Bandwidth vs Latency with dedicated speed

Hi I would suggest to use hierarchical queue structure, with the top queue being limited to the allotted bandwidth. The subqueues can have reserved bandwidth, but can borrow from top queue if it isn't full yet. Adv * all of bandwidth used * guaranteed latency Disadv: * htb queues were (are?) lim...
by sebastia
Fri Nov 23, 2018 10:26 pm
Forum: General
Topic: Changing DSCP field for traffic passing (not routed) through the router
Replies: 3
Views: 344

Re: Changing DSCP field for traffic passing (not routed) through the router

yes, can be done for routed and bridged traffic /interface bridge settings set use-ip-firewall=yes (=> forward bridge traffic to firewall) /ip firewall mangle> add new-dscp=... (=> change the packets dscp) but mangling all packets in high throughput (assumption of mine based on your description) env...
by sebastia
Fri Nov 23, 2018 9:24 pm
Forum: General
Topic: access to wifi subnet via lan subnet
Replies: 2
Views: 244

Re: access to wifi subnet via lan subnet

Please list your configuration, so it's clear what is where...
/export compact hide-sensitive
by sebastia
Fri Nov 23, 2018 6:36 pm
Forum: General
Topic: Management process - High CPU usage
Replies: 1
Views: 864

Re: Management process - High CPU usage

which version of software are you running? versions prior to 6.41 had some security bugs which could result in routers being taken over. is your router accessible from internet? Normally the down load be able to put the image into ramdrive / memory and upgrade from there. What do you see if you list...
by sebastia
Fri Nov 23, 2018 6:30 pm
Forum: Beginner Basics
Topic: HEX S sftp port for WAN, port 1 to 5 for LAN
Replies: 1
Views: 248

Re: HEX S sftp port for WAN, port 1 to 5 for LAN

Yes, see block diagram

this one is for when ports 1-5 are switched

Image
by sebastia
Fri Nov 23, 2018 6:28 pm
Forum: RouterBOARD hardware
Topic: RB4011 POE problem [SOLVED]
Replies: 10
Views: 1764

Re: RB4011 POE problem [SOLVED]

My bad: no injectors involved. Have you checked with support, as that's hardware related?
by sebastia
Fri Nov 23, 2018 6:15 pm
Forum: General
Topic: EoIP doenst work without torch
Replies: 6
Views: 716

Re: EoIP doenst work without torch

Hey

agree that FP != FT

what I meant by my short reply, that EOIP probably runs over an existing & secured tunnel (pptp, ipsec, ...). These tunnels may require to exclude their packets from being fasttracked.

and just for info, torch disabled FP & FT (=FP+conn tracking)
by sebastia
Fri Nov 23, 2018 6:00 pm
Forum: Wireless Networking
Topic: Wireless home network without internet access
Replies: 1
Views: 375

Re: Wireless home network without internet access

No, it doesn't. You can take any router off the shelf: if there is no cable in the "internet" socket, there won't be any internet BUT internal ip assignment will still work (dhcp server).
You could customise the hotspot capture page to direct users to specific location with shared media.
by sebastia
Fri Nov 23, 2018 5:49 pm
Forum: Forwarding Protocols
Topic: Redirect DNS to Local Server
Replies: 12
Views: 7445

Re: Redirect DNS to Local Server

Actually it's not misinterpretation: listen between 5:00-6:00 of https://www.youtube.com/watch?v=D80_a_O86jc.

But good to learn of this usage.
Thx
by sebastia
Fri Nov 23, 2018 3:38 pm
Forum: Forwarding Protocols
Topic: Redirect DNS to Local Server
Replies: 12
Views: 7445

Re: Redirect DNS to Local Server

Mikrotik itself stated that L7 needs at least 2k of data / few packets, and router will buffer the connection. See slide 8 in https://mum.mikrotik.com/presentations/ ... 948376.pdf.

Not an issue here?
by sebastia
Fri Nov 23, 2018 3:24 pm
Forum: Forwarding Protocols
Topic: Manual Multiple_TE_VPLS on the wiki
Replies: 3
Views: 569

Re: Manual Multiple_TE_VPLS on the wiki

Hi

You can determine that based on the ip-ranges. 192.168.33.1/30 & 192.168.33.2/30 in same range => these are connected.
by sebastia
Fri Nov 23, 2018 3:19 pm
Forum: General
Topic: Slow network and internet throughput
Replies: 9
Views: 2404

Re: Slow network and internet throughput

I don't know your requirements and situation so I'm not going to say that your config is wrong. But it is definitely sub-optimal. Further current config treats this CRS as router while it's not the intended use. Basically your CPU maxes out at 100 impacting all communications through it. As said bef...
by sebastia
Fri Nov 23, 2018 3:11 pm
Forum: Beginner Basics
Topic: Simple queue, download max limit not working
Replies: 14
Views: 6087

Re: Simple queue, download max limit not working

it makes sense in the context that fasttrack disables simple queues.
https://wiki.mikrotik.com/wiki/Manual:I ... escription
by sebastia
Fri Nov 23, 2018 3:07 pm
Forum: Beginner Basics
Topic: Triggering DNS updates when WAN link fails or recovers
Replies: 2
Views: 310

Re: Triggering DNS updates when WAN link fails or recovers

Hi some options: * if dhcpc is used, attach a script to client config, doing the update https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Client#Lease_script_example * configure dyn dns name (cname) to point to mikrotik cloud address (a record). The last one would be updated by mikrotik soft itself http...
by sebastia
Thu Nov 22, 2018 10:26 pm
Forum: Forwarding Protocols
Topic: Redirect DNS to Local Server
Replies: 12
Views: 7445

Re: Redirect DNS to Local Server

have a look here: same question - viewtopic.php?f=2&t=141775
by sebastia
Thu Nov 22, 2018 10:12 pm
Forum: General
Topic: Conditional DNS forwarding for internal AD Server
Replies: 3
Views: 1380

Re: Conditional DNS forwarding for internal AD Server

try something like this, correcting the dns name with "\03" as length indicator & correct AD ip.
/ip firewall nat
add action=dst-nat chain=dstnat comment="Reroute AD requests" content="isc\03org" dst-port=53 protocol=udp to-addresses=8.8.8.8
by sebastia
Thu Nov 22, 2018 8:38 pm
Forum: General
Topic: EoIP doenst work without torch
Replies: 6
Views: 716

Re: EoIP doenst work without torch

You can keep FastTrack enabled, just exclude in firewall entry for FastTrack the ip tunnel used for EOIP.
by sebastia
Thu Nov 22, 2018 8:33 pm
Forum: RouterBOARD hardware
Topic: RB4011 POE problem [SOLVED]
Replies: 10
Views: 1764

Re: RB4011 POE problem [SOLVED]

Are you guys(?) using GB compatible POE injectors?
https://mikrotik.com/product/RBGPOE
by sebastia
Thu Nov 22, 2018 8:25 pm
Forum: RouterBOARD hardware
Topic: cAP ac - "Made in china"?
Replies: 5
Views: 1351

Re: cAP ac - "Made in china"?

Some cropped up frustrations? I don't believe the initial question was biased.
by sebastia
Thu Nov 22, 2018 1:51 pm
Forum: General
Topic: ** WE WANT A LTE BRIDGE-MODE **
Replies: 80
Views: 22905

Re: ** WE WANT A LTE BRIDGE-MODE **

Another suggested solution from support: bridge lte to a vlan interface.
I haven't tested it though.
by sebastia
Thu Nov 22, 2018 10:48 am
Forum: Beginner Basics
Topic: Fast failover
Replies: 4
Views: 568

Re: Fast failover

Add a routing rule and table for wan1 with a blackhole to ensure no other route will be looked up if none available
/ip route rule add action=lookup-only-in-table comment="Force over wan1" dst-address=8.8.8.8/32 table=wan1
/ip route add comment=Wan1 distance=20 gateway=<gw ip> routing-mark=wan1
add d...
by sebastia
Wed Nov 21, 2018 9:35 pm
Forum: Wireless Networking
Topic: Devices does not see the wifi [SOLVED]
Replies: 12
Views: 1054

Re: Devices does not see the wifi [SOLVED]

depends on country setting: ex us is limited to 11 I believe. eu has 13
by sebastia
Wed Nov 21, 2018 9:29 pm
Forum: General
Topic: Disabling users that try to connect with a Static Ip
Replies: 3
Views: 272

Re: Disabling users that try to connect with a Static Ip

Variation on the previous, only allow forward for known macs on bridge / switch, as reported to dhcp server. Access through router can be controlled too.
by sebastia
Wed Nov 21, 2018 9:05 pm
Forum: Beginner Basics
Topic: PCC Load Balancing 2 WAN on Mikrotik HEX
Replies: 16
Views: 2997

Re: PCC Load Balancing 2 WAN on Mikrotik HEX

since with pcc you need to mangle all packets, FastTrack is out. what kind of cpu usage do you see under load?
by sebastia
Wed Nov 21, 2018 5:30 pm
Forum: General
Topic: Queue Trees, CPU Utilization and Watchdog reboots
Replies: 12
Views: 1336

Re: Queue Trees, CPU Utilization and Watchdog reboots

If these reboots are just because router is slow to respond due to high cpu load, but does respond, you could disable watchdog for time being...
by sebastia
Wed Nov 21, 2018 5:07 pm
Forum: Beginner Basics
Topic: PCC Load Balancing 2 WAN on Mikrotik HEX
Replies: 16
Views: 2997

Re: PCC Load Balancing 2 WAN on Mikrotik HEX

Current distribution is 3:1 for conn1 <> conn2, but the routes have same bandwidth. Error?
4G is not exactly stable, it can change from one second to another. I would suggest to test single against balanced on a quiet moment, night maybe?
by sebastia
Wed Nov 21, 2018 2:16 pm
Forum: General
Topic: RB2001UiAS-2HnD-in poor routing speed
Replies: 3
Views: 403

Re: RB2001UiAS-2HnD-in poor routing speed

Hi

1. I would suggest to answer that question yourself: save your config & revert router to default factory config for soho router, and test it.
2. quite a bit of internal logic changed in latest RouterOS, which may result in difference in performance.
3. depends on the complexity of your config, but ...
by sebastia
Wed Nov 21, 2018 1:09 am
Forum: General
Topic: QOS not working with file hosting sites like Megaupload
Replies: 16
Views: 1155

Re: QOS not working with file hosting sites like Megaupload

There should be 2 pcq by default: one for upload & one for download
upload pcq: group on src address only
download pcq: group on dest address only

with pcq / sfq / red there is no need for marking / mangling, as the queue implementation does it on its own
by sebastia
Tue Nov 20, 2018 11:29 pm
Forum: General
Topic: Qos hints
Replies: 5
Views: 428

Re: Qos hints

yes, rebalancing is implicit and based on demand/usage
by sebastia
Tue Nov 20, 2018 11:19 pm
Forum: General
Topic: Slow network and internet throughput
Replies: 9
Views: 2404

Re: Slow network and internet throughput

I see a few curious settings in your config relevant to this thread:
* "speed=100Mbps": are these manually set to 100mbps
* "hw=no" you mentioned it before, but it's preferred to be enabled
* "use-ip-firewall=yes use-ip-firewall-for-vlan=yes" is that needed?
* "add action=masquerade chain=srcnat out...
by sebastia
Tue Nov 20, 2018 10:51 pm
Forum: General
Topic: Qos hints
Replies: 5
Views: 428

Re: Qos hints

with
pcq-download set to dst-address
pcq-upload set to src-address

you will
by sebastia
Tue Nov 20, 2018 10:46 pm
Forum: Beginner Basics
Topic: Simple queue, download max limit not working
Replies: 14
Views: 6087

Re: Simple queue, download max limit not working

and traffic leaving WAN interface goes where ... => Internet...
by sebastia
Tue Nov 20, 2018 10:21 pm
Forum: General
Topic: QOS not working with file hosting sites like Megaupload
Replies: 16
Views: 1155

Re: QOS not working with file hosting sites like Megaupload

set the pcq to the internal ip only -> all of available bandwidth will be split over active internal ip's
by sebastia
Tue Nov 20, 2018 9:22 pm
Forum: Beginner Basics
Topic: Simple queue, download max limit not working
Replies: 14
Views: 6087

Re: Simple queue, download max limit not working

it will limit all traffic leaving on specified interface, that was your goal

hotspot-default is just a predefined queue type, which uses sfq, so a fair spread of load between all users. You can change / create a new one if you want to
by sebastia
Tue Nov 20, 2018 9:10 pm
Forum: Beginner Basics
Topic: need help to deal with simple port forwarding
Replies: 8
Views: 553

Re: need help to deal with simple port forwarding

Do you have a filter rule that allows dnat-ed or that specific traffic through?

You need both: one to remap and other to allow. as these are located in different ip tables.
by sebastia
Tue Nov 20, 2018 3:13 pm
Forum: Beginner Basics
Topic: Simple queue, download max limit not working
Replies: 14
Views: 6087

Re: Simple queue, download max limit not working

Fasttrack and simple queues don't work together. So you can't use:
/queue simple add max-limit=512k/512k name=private queue=pcq-upload-default/pcq-download-default target=192.168.88.0/24
you would need to create queue (tree) on wan => for upload and lan => for download
Ex:
/queue tree add max-limit=...
by sebastia
Tue Nov 20, 2018 2:42 pm
Forum: Beginner Basics
Topic: Exclude a static IP from the internet. [SOLVED]
Replies: 2
Views: 466

Re: Exclude a static IP from the internet. [SOLVED]

Actually I would prefer the reject over drop, as this will prevent timeouts on the device in question. Applications will be notified about lack of connectivity
by sebastia
Tue Nov 20, 2018 2:29 pm
Forum: Beginner Basics
Topic: Simple queue, download max limit not working
Replies: 14
Views: 6087

Re: Simple queue, download max limit not working

fasttrack works on connection level, so for both inbound & outbound traffic.

Remember that you can flag connections for fasttrack selectively

Also, fasttracked connections bypass simple queues and mangling among others, but won't bypass queue tree attached to interface.
by sebastia
Tue Nov 20, 2018 2:27 pm
Forum: Beginner Basics
Topic: Want to go IPv6, some devices don't support it
Replies: 2
Views: 309

Re: Want to go IPv6, some devices don't support it

Hi Keep in mind that some parts of internet are still only ipv4. - Support my 2 IPv4 devices (preferably on a different, routed network segment => they will be in different segments by definition as ipv4 & v6 don't share segments - Be able to access the web interface on one of these IPv4 devices fro...
by sebastia
Tue Nov 20, 2018 2:03 pm
Forum: General
Topic: Need help to fix this Pleaseeee!!!!!!O_O
Replies: 1
Views: 234

Re: Need help to fix this Pleaseeee!!!!!!O_O

Hello

How about using directional antenna(s)? if they are geographically separated, the decoy would have lower intensity and not be selected.

Regards
by sebastia
Tue Nov 20, 2018 1:53 pm
Forum: General
Topic: Qos hints
Replies: 5
Views: 428

Re: Qos hints

Hi

Equal distribution depends on the configuration of pcq: make sure you group traffic based on internal ip only.

Queue tree needs all packets to be marked with associated tag, so it will recognise it and assign to its queue.
by sebastia
Tue Nov 20, 2018 12:56 pm
Forum: General
Topic: QOS not working with file hosting sites like Megaupload
Replies: 16
Views: 1155

Re: QOS not working with file hosting sites like Megaupload

1. Don't know mega downloads: is it using tcp? udp can't be controlled as it's connectionless
2. Is mega downloading in chunks? what granularity is pcq setup with? /ip or also /port.
=> with multiple chunks with different connections from different ports and /port balancing for pcq a single user can s...
by sebastia
Tue Nov 20, 2018 12:47 pm
Forum: General
Topic: Slow network and internet throughput
Replies: 9
Views: 2404

Re: Slow network and internet throughput

* do you get errors / fault on these ports
Where exactly should I look?
=> Statistics on each interface: tabs Rx stats & Tx stats.
* what if you try to transfer to/from CRS?
I am not sure I understand the question? Buying new switches are not an option.
=> try transferring over "single leg", smalle...
by sebastia
Mon Nov 19, 2018 10:58 pm
Forum: General
Topic: Counters in NAT
Replies: 1
Views: 277

Re: Counters in NAT

Natting is usually (tcp) connection oriented, while filtering is usually packet based. Since tcp connections consist of many packet exchanges, counters will grow at different rates.
by sebastia
Mon Nov 19, 2018 10:46 pm
Forum: General
Topic: QOS not working with file hosting sites like Megaupload
Replies: 16
Views: 1155

Re: QOS not working with file hosting sites like Megaupload

Do you have FastTrack enabled? It bypasses simple queues...
by sebastia
Mon Nov 19, 2018 10:33 pm
Forum: General
Topic: Queue Trees, CPU Utilization and Watchdog reboots
Replies: 12
Views: 1336

Re: Queue Trees, CPU Utilization and Watchdog reboots

Hi You could start investigating where the most of your cpu goes to => cpu profile. But that will probably be firewall... please confirm. To be honest, single core @720 is not that much, given what you want to do: load balance & prioritise -> both require mangling on packets which is cpu intensive. ...
by sebastia
Mon Nov 19, 2018 10:16 pm
Forum: General
Topic: IPv6 fe80 address get changed on every reboot
Replies: 4
Views: 548

Re: IPv6 fe80 address get changed on every reboot

Hello

fe80 is a link local ip. You should have received a routeable ipv6 from your isp: either static, ra or dhcp. Use that one.
by sebastia
Mon Nov 19, 2018 10:13 pm
Forum: General
Topic: Conditional DNS forwarding for internal AD Server
Replies: 3
Views: 1380

Re: Conditional DNS forwarding for internal AD Server

Hello

L7 will _not_ work for you here, as it needs several packets / at least 2k of stream data to do its work.

Maybe you could try "content" filter instead? https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter
by sebastia
Mon Nov 19, 2018 10:06 pm
Forum: General
Topic: Slow network and internet throughput
Replies: 9
Views: 2404

Re: Slow network and internet throughput

No it doesn't, but it's not a configuration with any future...

With regards to switching, few ideas:
* is the switch/bridge HW offload active/enabled
* do you get errors / fault on these ports
* any MTU changes?
* what if you try to transfer to/from CRS?
by sebastia
Mon Nov 19, 2018 9:57 pm
Forum: Beginner Basics
Topic: How to replace firewall with MK
Replies: 1
Views: 259

Re: How to replace firewall with MK

sure, it can be done. You would probably need a good dedicated router and maybe a separate switch depending on how the infrastructure network would look like.

BUT
you would need to get your "hands dirty" to fine tune the config, as it won't be out of the box.

Are you up to it?
by sebastia
Mon Nov 19, 2018 9:24 pm
Forum: Beginner Basics
Topic: How to secure a network using ARP
Replies: 1
Views: 357

Re: How to secure a network using ARP

if some interfaces are bridged / switched they are part of same broadcast domain = what one interface will see is the same as the other.

In such a case, arp should be controlled on the bridge level.
by sebastia
Mon Nov 19, 2018 9:10 pm
Forum: Beginner Basics
Topic: How to get Bandwidth Usage using Queues?
Replies: 1
Views: 273

Re: How to get Bandwidth Usage using Queues?

If you just want to know the stats, there is no need for queues. Have a look at https://wiki.mikrotik.com/wiki/Manual:IP/Accounting
by sebastia
Mon Nov 19, 2018 8:34 pm
Forum: Beginner Basics
Topic: alternate DNS for specific IP on LAN, is it possible? [SOLVED]
Replies: 19
Views: 1870

Re: alternate DNS for specific IP on LAN, is it possible? [SOLVED]

is that rule still active?

/ip firewall nat
add action=redirect chain=dstnat comment=DNS dst-port=53 protocol=udp \
to-ports=53

That would cause it to redirect all dns traffic to local dns after all...
by sebastia
Sun Nov 18, 2018 7:44 pm
Forum: Beginner Basics
Topic: PCC Load Balancing 2 WAN on Mikrotik HEX
Replies: 16
Views: 2997

Re: PCC Load Balancing 2 WAN on Mikrotik HEX

PCC works with mangling https://wiki.mikrotik.com/wiki/Manual:PCC, and by enabling fasttrack you are BYPASSING mangling.
by sebastia
Sun Nov 18, 2018 7:18 pm
Forum: Beginner Basics
Topic: Hardware recomendations
Replies: 10
Views: 961

Re: Hardware recomendations

Just for clarity 1100ahx4 & 4011 have same internals, and similar price
by sebastia
Sun Nov 18, 2018 2:30 pm
Forum: General
Topic: dst-nat with multiple gateways
Replies: 16
Views: 1360

Re: dst-nat with multiple gateways

I tried out marking the packets on input coming from the new ips to the router and routing them back through the appropriate gateway, and this worked as expected. Hi Move your inbound (=into your network) marking from input to preroute chain in the mangle table. The difference is: * input: traffic ...
by sebastia
Sun Nov 18, 2018 2:20 pm
Forum: General
Topic: Unstable 10Gbit connection of Mikrotik CSS326-24G-2S+RM with Mikrotik S+RJ10 SFP [SOLVED]
Replies: 12
Views: 1240

Re: Unstable 10Gbit connection of Mikrotik CSS326-24G-2S+RM with Mikrotik S+RJ10 SFP [SOLVED]

Maybe a shielding problem? Have you tried other cables? Also, what do the stats on these interfaces tell you: error packets and / or dropped packets?
by sebastia
Sat Nov 17, 2018 4:33 pm
Forum: General
Topic: mesh wifi
Replies: 1
Views: 522

Re: mesh wifi

Hi

Assuming that:
* you have free wired connections on sophos
* that these connections can be in same networks as wireless nets

You can just add any AP, with same ssid/pass for both wireless nets. If you have some limitations applied to the guest, then you would need to separate the traffic on the a...
by sebastia
Sat Nov 17, 2018 2:33 am
Forum: General
Topic: the problem about that extending the port of router
Replies: 8
Views: 829

Re: the problem about that extending the port of router

Hi

take one of the switch groups of 1100 and connect it to switch => you'll get 4 (5p-1p for connection to switch) + 23 (24p -1p conn) = 27p total
by sebastia
Sat Nov 17, 2018 2:21 am
Forum: General
Topic: 2011UiAS-2HnD: Fastpath + PBR + GRE - terrible performance!
Replies: 12
Views: 888

Re: 2011UiAS-2HnD: Fastpath + PBR + GRE - terrible performance!

All fastpath/track traffic will bypass mangling. your setup relies on mangling for policy based routing, so you need to disable FP for that traffic.
by sebastia
Sat Nov 17, 2018 2:16 am
Forum: General
Topic: HW Offload drops packets
Replies: 2
Views: 449

Re: HW Offload drops packets

hi

wlan is not part of the hw bridge/switch, see Image

hence, bridging it all will not work in hardware
by sebastia
Sat Nov 17, 2018 2:11 am
Forum: General
Topic: Cloud router Switch CRS123-24G-1S-RM Trunk and access
Replies: 1
Views: 323

Re: Cloud router Switch CRS123-24G-1S-RM Trunk and access

Hi

Should be same as the first: trunk port means all vlans are communicated to it (with tags obviously). So if you assign all vlans with tags to the second port too, it will be fine.
by sebastia
Sat Nov 17, 2018 1:52 am
Forum: General
Topic: How to secure port on the switch?
Replies: 8
Views: 721

Re: How to secure port on the switch?

don't understand your question. Note that switches don't have macs only network devices. Wow! I'm going to have to tell all my switches that they don't really have a MAC. That will be a shock to them. How do you suppose layer two works without a MAC? I would suggest to go back to network school... ...
by sebastia
Sat Nov 17, 2018 12:29 am
Forum: General
Topic: How to secure port on the switch?
Replies: 8
Views: 721

Re: How to secure port on the switch?

don't understand your question. Note that switches don't have macs only network devices.
by sebastia
Sat Nov 17, 2018 12:21 am
Forum: General
Topic: Slow network and internet throughput
Replies: 9
Views: 2404

Re: Slow network and internet throughput

CRS is not a core router, but a core switch with routing functionality. Its main purpose is to switch. You have the wrong hardware. Get a hex r3 (or better) in front as the router and use CRS as switch only
by sebastia
Sat Nov 17, 2018 12:07 am
Forum: General
Topic: router rebooted because some critical program crashed
Replies: 5
Views: 1812

Re: router rebooted because some critical program crashed

Hi, I'm not good at English. Sorry. I am having difficulties with the same problem lately. The solution I found is to fix the speed of the LAN interface to 100M manually, not automatically. Then the problem does not happen again. However, this problem is only seen in mikrotik devices. how is that r...
by sebastia
Sat Nov 17, 2018 12:02 am
Forum: General
Topic: PCC Load Balancing 50Mbit and 100Mbit Connection
Replies: 1
Views: 292

Re: PCC Load Balancing 50Mbit and 100Mbit Connection

What is your cpu usage during testing? if close to or at 100 then hex is not enough

Do note: PCC works with mangling https://wiki.mikrotik.com/wiki/Manual:PCC
And by enabling fasttrack you are BYPASSING mangling, hence going over single connection.
by sebastia
Fri Nov 16, 2018 11:33 pm
Forum: General
Topic: Only Telnet is working (no ssh and webfig anymore)
Replies: 1
Views: 290

Re: Only Telnet is working (no ssh and webfig anymore)

First place to look: firewall on mikrotik

If not that, have a look at routing maybe the answers get routed somewhere else... (but that's unlikely as it's a connected route)
by sebastia
Fri Nov 16, 2018 11:16 pm
Forum: Announcements
Topic: URGENT security reminder
Replies: 84
Views: 35716

Re: URGENT security reminder

Hey martinees, did you have a backup partition on that router? If you do, switch to it and override the primary?
by sebastia
Fri Nov 16, 2018 11:01 pm
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7589

Re: Script implementing Active Congestion Control

Hi Frank

Assumption: ACC scripting functions are defined in ACC script under /system script.

/system script print brief
Flags: I - invalid
# NAME OWNER LAST-STARTED RUN-COUNT
0 e-mail-backup frank nov/13/2018 00:00:00 8
1 ACC frank nov/13/2018 11:25:38 22469 <= here?

Below assumes this is the case. ...
by sebastia
Tue Nov 13, 2018 8:29 pm
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7589

Re: Script implementing Active Congestion Control

So if you run from terminal, the script changes settings on your queues and/or you see some log messages?
You said it didn't work via scheduler? What makes you conclude that?
by sebastia
Tue Nov 13, 2018 2:22 pm
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7589

Re: Script implementing Active Congestion Control

Hey Frank, just for mutual understanding, how do you know that it works when run from terminal?
by sebastia
Mon Nov 12, 2018 4:02 pm
Forum: General
Topic: Efficient queue management with three classes
Replies: 1
Views: 324

Re: Efficient queue management with three classes

Hey

Do you have any specific questions?

Cheers

Update: Some more info can be found at beginning of this thread
viewtopic.php?f=9&t=129294&p=697419
by sebastia
Mon Nov 12, 2018 4:00 pm
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7589

Re: Script implementing Active Congestion Control

Hi

Does the counter on the scheduled task go up every "interval time"?
what if you run the scheduled command from terminal?

what are the outputs of?
/system script print brief

/system script environment print

/interface print

/queue tree export

/ip route print
by sebastia
Fri Nov 09, 2018 11:32 am
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7589

Re: Script implementing Active Congestion Control

With regards to startup, I got:
* scripts are loaded on "startup" in an "init" script, where all the functions are defined
* applyACC is triggered on schedule with start time "00:00:00" and interval "00:00:10"

/system scheduler add name=_init on-event=_initScripting policy=read,write,policy,test sta...
by sebastia
Thu Nov 08, 2018 5:51 pm
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7589

Re: Script implementing Active Congestion Control

Hi In manual there is stated If more than one script has to be executed simultaneously, they are executed in the order they appear in the scheduler configuration. But also: Note: if scheduler item has start-time set to startup, it behaves as if start-time and start-date were set to time 3 seconds af...
by sebastia
Thu Nov 08, 2018 10:51 am
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7589

Re: Script implementing Active Congestion Control

Hi Frank

Could you tell me how you're trying to use it and what is the result?

Sebastian
by sebastia
Mon Nov 05, 2018 9:50 pm
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7589

Re: Script implementing Active Congestion Control

Hi, I'm still around but less often. What's up?
by sebastia
Wed Sep 12, 2018 4:21 pm
Forum: Announcements
Topic: v6.43 [current] is released!
Replies: 148
Views: 29646

Re: v6.43 [current] is released!

Hi Upgraded from 6.42.7 on SXT LTE Kit (gen2), with LTE in pass-through. The host (dhcp client) received 100.x/32 address with 10.177.0.1 as "gw / remote point" ip. Routing tables was updated too: with a DAC for 10.177.0.1 + backup route for 0/0 over same interface. So far so good. But, there was no...
by sebastia
Thu Sep 06, 2018 4:25 pm
Forum: General
Topic: Preventing fasttrack only on wan interface on uoloads
Replies: 3
Views: 293

Re: Preventing fasttrack only on wan interface on uoloads

Hi Fasttracked packets bypass the mangling, hence they arrive at interface queue WITHOUT packet-mark -> you need to have a queue matching "no-mark" mark. If you still need to process some connections with priority, you MAY NOT fasttrack them. and exclude them from "forward fasttrack" rule. That way ...
by sebastia
Mon Jul 30, 2018 3:33 pm
Forum: General
Topic: ** WE WANT A LTE BRIDGE-MODE **
Replies: 80
Views: 22905

Re: ** WE WANT A LTE BRIDGE-MODE **

The vlan interface created on the "host" (client machine) needs to be wrapped in a bridge to allow the change of MAC. Current impl of pass-through (SXT lte kit with 6.42.2) hijacks all traffic by mac (of the host), disregarding the vlan tags. Like so: https://wiki.mikrotik.com/wiki/Change_MAC_addres...
by sebastia
Mon Jul 30, 2018 3:29 pm
Forum: General
Topic: Wap lte kit vlan connection setup
Replies: 4
Views: 886

Re: Wap lte kit vlan connection setup

Ran into same problem with vlan: When enabling the pass-through, all traffic from "host" as identified by MAC will be forwarded to LTE module. Since the naked vlan will inherit MAC from physical interface, its traffic will be hijacked as well. So one needs to change mac of the vlan: https://wiki.mi...
by sebastia
Wed Jul 18, 2018 1:26 am
Forum: General
Topic: RBSXTR and signal LED's
Replies: 3
Views: 2526

Re: RBSXTR and signal LED's

Hey

I've tried the above on 6.42.6 but got an error (may be related to previous entry for led1)
/system leds add interface=lte1 leds=led1,led2,led3,led4,led5 modem-signal-treshold=-91 type=modem-signal
failure: One led can't have multiple assigments!

If I modify from WinBox, it seems to take it, and...
by sebastia
Wed Jul 18, 2018 12:38 am
Forum: Wireless Networking
Topic: SXT LTE Kit signal strength LEDS black
Replies: 2
Views: 2351

Re: SXT LTE Kit signal strength LEDS black

Same question here...

See also viewtopic.php?f=2&t=135632
by sebastia
Tue Jul 17, 2018 10:39 pm
Forum: Beginner Basics
Topic: Send specific traffic over LTE interface
Replies: 15
Views: 1924

Re: Send specific traffic over LTE interface

Hi

In Mangle:PreRouting you can add a routing mark based on required conditions, which would point to a new routing table (other than the default one), and where one would route that traffic over a different gateway, being your lte.
by sebastia
Sun Mar 11, 2018 10:24 pm
Forum: General
Topic: IP Routes with "DS" Flags?
Replies: 5
Views: 1519

Re: IP Routes with "DS" Flags?

Maybe you mean "DAC"?
by sebastia
Sat Mar 03, 2018 4:20 pm
Forum: RouterBOARD hardware
Topic: CCR1009-7G-1C-1S+ single stream TCP performance limit with queues
Replies: 27
Views: 2898

Re: CCR1009-7G-1C-1S+ single stream TCP performance limit with queues

Speed of single stream depends on:
* speed of channel
* window size
* latency of connection

by introducing the queue, the latency is affected, and may just be visible in your case.
To reduce latency, use hardware only queues and no other buffering.
by sebastia
Fri Mar 02, 2018 11:48 pm
Forum: Scripting
Topic: Get Uptime from Router in number
Replies: 1
Views: 866

Re: Get Uptime from Router in number

[Sebastian@firewall] > :put [:typeof  [/system resource get uptime ]]
time
=> time object
by sebastia
Fri Mar 02, 2018 11:44 pm
Forum: General
Topic: Mikrotik DHCP option
Replies: 2
Views: 593

Re: Mikrotik DHCP option

Hi

I remember having issues with Android & iphone devices when adding dhcp options forcefully to the offer.
Apparently in latest impl, these have to be explicitly requested first, for them to be accepted by client.
by sebastia
Fri Mar 02, 2018 11:23 pm
Forum: Scripting
Topic: send script output to a file
Replies: 6
Views: 1269

Re: send script output to a file

but it was not work. please correct my script if you can
Is that a challenge?

BTW, have you tried the suggestion?
by sebastia
Fri Mar 02, 2018 11:18 pm
Forum: Wireless Networking
Topic: VLAN tagged and untagged on existing bridge
Replies: 1
Views: 1755

Re: VLAN tagged and untagged on existing bridge

If the MT's are in bridge, you may not have to do anything. Every packet will be relayed, independent of vlan tag.

for Vlan doc: https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN

and general doc
https://wiki.mikrotik.com/wiki/Manual:TOC
by sebastia
Fri Mar 02, 2018 11:07 pm
Forum: General
Topic: Need help with Creating VLAN's without master port
Replies: 4
Views: 574

Re: Need help with Creating VLAN's without master port

In a switch one needs the functionality of frame forwarding between ports within switch fabric. That functionality is fulfilled by bridge (with hardware support from 6.41) and by switch master / slave port (pre 6.41). If these aren't used, one ends up with all individual ports. block diagram: https:...
by sebastia
Fri Mar 02, 2018 10:51 pm
Forum: General
Topic: Mikrotik as a SSH server
Replies: 5
Views: 1143

Re: Mikrotik as a SSH server

It has ssh support if this is what you mean. Sent from Tapatalk I want to connect MikroTik using SSH and manage another device with SSH. It is possible via WINBOX --> tool-telnet-->SSH, but not avaible via console.... As said it's possible, but ssh impl of ROS is quite limited. You could also consi...
by sebastia
Fri Mar 02, 2018 10:42 pm
Forum: General
Topic: Getting files from dead Mikrotik PC
Replies: 1
Views: 289

Re: Getting files from dead Mikrotik PC

I don't have experience with such setup, BUT mt is linux based, and I'm guessing it isn't using some proprietary file system.
I would suggest to use SystemRescueCD usb stick (or another linux system on a stick) and try access the files.
by sebastia
Fri Mar 02, 2018 10:34 pm
Forum: Beginner Basics
Topic: guaranteed bandwidth for a brigde
Replies: 1
Views: 334

Re: guaranteed bandwidth for a brigde

Hi

You should take a look at Queues: https://wiki.mikrotik.com/wiki/Manual:Queue
There is a choice between "Simple Queues" & "Queue Trees". (Keep in mind "Simple Queues" are not simple as in limited.)

You then allocate guaranteed bandwidth to desired group of recipients.
by sebastia
Fri Mar 02, 2018 5:11 pm
Forum: General
Topic: Two gateways NAT problem
Replies: 7
Views: 686

Re: Two gateways NAT problem

Wouldn't the dst-nat rule be applied before routing is performed?

add action=dst-nat chain=natfrompublic dst-address=94.124.109.71 to-addresses=10.140.4.2

Then the dst address should already be rewritten?
by sebastia
Fri Mar 02, 2018 4:55 pm
Forum: Beginner Basics
Topic: Firewall Layer 7 protocol issue
Replies: 1
Views: 254

Re: Firewall Layer 7 protocol issue

L7 works on first 2k bytes of connection, and needs to buffer enough packets to do that.
It's very intensive as it's pattern matching.

If you absolutely need L7, do it only once, mark connection accordingly and use that mark from then on.
by sebastia
Fri Mar 02, 2018 12:12 am
Forum: General
Topic: Two gateways NAT problem
Replies: 7
Views: 686

Re: Two gateways NAT problem

<del>
by sebastia
Thu Mar 01, 2018 11:41 pm
Forum: RouterBOARD hardware
Topic: Inaccessible rb750G3. How to restore *.backup file stored inside rb750G3 ?
Replies: 7
Views: 863

Re: Inaccessible rb750G3. How to restore *.backup file stored inside rb750G3 ?

Netinstall is not an option though:

Warning: All files stored on built in storage will be erased during Netinstall process.

But resetting might be, followed by restore of config, IF it was written under /flash
https://i.mt.lv/routerboard/files/15154 ... series.pdf
by sebastia
Thu Mar 01, 2018 11:21 pm
Forum: RouterBOARD hardware
Topic: Inaccessible rb750G3. How to restore *.backup file stored inside rb750G3 ?
Replies: 7
Views: 863

Re: Inaccessible rb750G3. How to restore *.backup file stored inside rb750G3 ?

Then your backup file is lost on reboot.

A SDcard is an optional item for the RB750Gr3.
Not quite I think, there is the ramdisk sure, but /flash is persisted in the nand.
by sebastia
Thu Mar 01, 2018 11:09 pm
Forum: Scripting
Topic: Scripting - Asking user for input.
Replies: 7
Views: 2715

Re: Scripting - Asking user for input.

You may want to have a look at these ones too:
viewtopic.php?t=41042
and
viewtopic.php?t=38683#p284764
by sebastia
Thu Mar 01, 2018 10:51 pm
Forum: Beginner Basics
Topic: help with design, please
Replies: 9
Views: 815

Re: help with design, please

depending on the throughput, and tasks, natting, conntracking, mangling?, queuing?, wireless retransmissions, the CPU might not be fast enough
by sebastia
Thu Mar 01, 2018 10:18 pm
Forum: Scripting
Topic: Refresh script values
Replies: 3
Views: 535

Re: Refresh script values

Are you just after scheduling of the script? Have a look at /system scheduler.
https://wiki.mikrotik.com/wiki/Manual:System/Scheduler
by sebastia
Thu Mar 01, 2018 10:08 pm
Forum: Scripting
Topic: send script output to a file
Replies: 6
Views: 1269

Re: send script output to a file

Hey

(that's for whole script :execute script="..." file=<file>)

print ... file=<file>
https://wiki.mikrotik.com/wiki/Manual:S ... parameters
by sebastia
Thu Mar 01, 2018 9:33 pm
Forum: General
Topic: VLAN and MTU Problems
Replies: 6
Views: 1935

Re: VLAN and MTU Problems

Your topology is unclear to me and probably others. Please explain it more clearly, with a diagram.
by sebastia
Thu Mar 01, 2018 9:04 pm
Forum: Beginner Basics
Topic: help with design, please
Replies: 9
Views: 815

Re: help with design, please

Hi

Just two remarks:
* natting will need to be done at antenna A. Depending on the traffic amount, that can be taxing, as DD5 isn't that powerful. Have you considered putting a small router (ex: hex gr3) in between internet & dd5 A? then both DD5's can be in pure bridge
* "set src-nat to IP on ether...
by sebastia
Thu Mar 01, 2018 8:48 pm
Forum: Beginner Basics
Topic: No internet connection with 5Ghz
Replies: 3
Views: 408

Re: No internet connection with 5Ghz

If you can connect ok to wifi, but have no internet access, it will have to do with your network / router configuration. Please post your config
by sebastia
Thu Mar 01, 2018 8:42 pm
Forum: Beginner Basics
Topic: Routing with 2 Mikrotik and 1 NAT
Replies: 8
Views: 676

Re: Routing with 2 Mikrotik and 1 NAT

simply don't specify source address in the nat rule
by sebastia
Thu Mar 01, 2018 3:40 pm
Forum: Beginner Basics
Topic: Routing with 2 Mikrotik and 1 NAT
Replies: 8
Views: 676

Re: Routing with 2 Mikrotik and 1 NAT

Pc's in office lan, which are statically configured, need to define R2 as their gateway.

Is that set?
by sebastia
Thu Mar 01, 2018 3:33 pm
Forum: Beginner Basics
Topic: Bridge problem
Replies: 12
Views: 975

Re: Bridge to Bridge connect problem

Few things to check:
* can client & server connect to internet (=> this would indicate that they have proper network configuration)
* can you ping between 192 & 10, to any other system, if necessary disable temporary firewalls
* do you have some kind of filtering on server or client? (=> server-clie...
by sebastia
Thu Mar 01, 2018 10:46 am
Forum: Beginner Basics
Topic: Bridge problem
Replies: 12
Views: 975

Re: Bridge to Bridge connect problem

What have you tried? Could you explain how "it is not working"?

I'm asking as from pure router configuration, the network level communication is allowed.
by sebastia
Wed Feb 28, 2018 5:44 pm
Forum: Beginner Basics
Topic: I was delete all files in my 951UI...
Replies: 1
Views: 343

Re: I was delete all files in my 951UI...

Netinstalling is the right way to go. https://wiki.mikrotik.com/wiki/Manual:Netinstall
You do need to set the ip on computer to a fixed ip in range.
by sebastia
Wed Feb 28, 2018 5:37 pm
Forum: Beginner Basics
Topic: Bridge problem
Replies: 12
Views: 975

Re: Bridge to Bridge connect problem

The inter-network (172 <-> 10) communication should be working as is. How did you verify that it isn't?
by sebastia
Wed Feb 28, 2018 12:20 am
Forum: General
Topic: TTL=question
Replies: 6
Views: 584

Re: TTL=question

What's your full new rule?
by sebastia
Tue Feb 27, 2018 10:28 pm
Forum: Beginner Basics
Topic: Block specific port for WAN
Replies: 12
Views: 2524

Re: Block specific port for WAN

Another thought, isn't there a setting on nas, to only accept local connections or maybe even from specific ip or range?
by sebastia
Tue Feb 27, 2018 10:13 pm
Forum: Beginner Basics
Topic: Untagged vlan [SOLVED]
Replies: 23
Views: 8423

Re: Untagged vlan [SOLVED]

You have commands there for both pre & post 6.41.

You do need to adjust the commands there to your case, not just copy paste. Did you adapt the instructions?
by sebastia
Tue Feb 27, 2018 10:01 pm
Forum: Beginner Basics
Topic: Bridge problem
Replies: 12
Views: 975

Re: Bridge to Bridge connect problem

I don't see anything out of ordinary:
No firewall rules (except nat masq) => all is ACCEPTed
routing table no non-default entries: so should include connected routes for each network + default gateway from dhcp-client => please verify that?

So, should be working as is. Few other remarks to look into...
by sebastia
Tue Feb 27, 2018 2:28 pm
Forum: Beginner Basics
Topic: Bridge problem
Replies: 12
Views: 975

Re: Bridge to Bridge connect problem

Start by removing all those listed rules: 2 firewall rules and 4 router rules.

"Default config" should be enough then. If not, please list your config:
/export hide-sensitive
by sebastia
Tue Feb 27, 2018 2:25 pm
Forum: RouterBOARD hardware
Topic: RB1100AHx4 latency spikes
Replies: 18
Views: 1730

Re: RB1100AHx4 latency spikes

With regards to dhcp renew, does the ip actually change? If not it means that a process will request extension, and process response, a pattern like so many running over the router. That in itself will not result in increased latency.
by sebastia
Tue Feb 27, 2018 2:13 pm
Forum: General
Topic: TTL=question
Replies: 6
Views: 584

Re: TTL=question

ip firewall mangle
add action=change-ttl chain=prerouting in-interface=WAN new-ttl=set:9 passthrough=no src-address=192.168.2.2
using src-address-list=<name> or src-address=<range of ip's>

In the above you have conflicting conditions: from WAN interface and from private address.
by sebastia
Tue Feb 27, 2018 2:02 pm
Forum: General
Topic: Slow connection speed when using policy route
Replies: 11
Views: 1821

Re: Slow connection speed when using policy route

Just for info

FastTrack = FastPath + connection tracking

So disabling FastPath, should conceptually also disable FastTrack.
by sebastia
Tue Feb 27, 2018 11:51 am
Forum: General
Topic: Low performance over EOIP tunnel
Replies: 11
Views: 3557

Re: Low performance over EOIP tunnel

by cpu limitation I meant processing limits of the cpu Where it sets? If it depends on the cpu limitation settings, why the speed is higher when the VLAN is not in the tunnel? when I reduce MTU to 1400 on my ethernet interface - speed up to 845 Mbits/sec :) LOL, not a setting, just what the cpu can...
by sebastia
Tue Feb 27, 2018 11:43 am
Forum: Beginner Basics
Topic: Bridge problem
Replies: 12
Views: 975

Re: Bridge to Bridge connect problem

Hi

Your current config is:
1 firewall: blocking communication between 172 & 10
2 routing: blocking routing between 172 & 10

But you want them to be able to communicate, right?
by sebastia
Tue Feb 27, 2018 12:25 am
Forum: Scripting
Topic: find where var~"hello" ... find where var!~"hello" [SOLVED]
Replies: 7
Views: 803

Re: find where var~"hello" ... find where var!~"hello" [SOLVED]

[find where !(var~"hello")]
and a bit wiser ;-). Thx
by sebastia
Tue Feb 27, 2018 12:13 am
Forum: Scripting
Topic: find where var~"hello" ... find where var!~"hello" [SOLVED]
Replies: 7
Views: 803

Re: find where var~"hello" ... find where var!~"hello" [SOLVED]

Few suggestions:
* check with support for their suggestion ;)
* manually work around (if possible): multiple matches + consolidate
* roll your own inverse function, based on full set + matching set
by sebastia
Mon Feb 26, 2018 11:42 pm
Forum: General
Topic: default offering lease without success
Replies: 15
Views: 4463

Re: default offering lease without success

I have been watching some of your posts, if you have something to say, spit it out
Ignore it, probably an attention junkie ;)
by sebastia
Mon Feb 26, 2018 11:28 pm
Forum: Beginner Basics
Topic: Unable to ping anything on the internet from RB [SOLVED]
Replies: 4
Views: 401

Re: Unable to ping anything on the internet from RB [SOLVED]

Evening

Pls, provide your current config (/export hide-sensitive) so informed advice could be given.
by sebastia
Mon Feb 26, 2018 9:51 pm
Forum: Scripting
Topic: find where var~"hello" ... find where var!~"hello" [SOLVED]
Replies: 7
Views: 803

Re: find where var~"hello" ... find where var!~"hello" [SOLVED]

Evening

Don't think it's supported: https://wiki.mikrotik.com/wiki/Manual:S ... _Operators
=> the method, match by regex, is tightly coupled to what is being done: selection or not of an item
=> there is no possibility to inject additional operators in-between
by sebastia
Mon Feb 26, 2018 9:37 pm
Forum: General
Topic: Routers' "hard drive" chip. Is it possible to read information from it?
Replies: 5
Views: 641

Re: Routers' "hard drive" chip. Is it possible to read information from it?

Someone, cough Kackele cough, going to get kicked again...
by sebastia
Mon Feb 26, 2018 9:33 pm
Forum: General
Topic: Block DDoS on Prerouting chain on firewall
Replies: 24
Views: 3430

Re: Block DDoS on Prerouting chain on firewall

Was about to say same thing: drop in RAW...
by sebastia
Mon Feb 26, 2018 9:21 pm
Forum: General
Topic: default offering lease without success
Replies: 15
Views: 4463

Re: default offering lease without success

Maybe one of these:
* what if you were to configure this box to static ip? your internal network addressing is stable I assume
* or since the offers are unsuccessful, create a "lease" definition and "block-access=yes"
* drop in firewall any packets matching the desired mac
by sebastia
Mon Feb 26, 2018 3:23 pm
Forum: RouterBOARD hardware
Topic: RB750Gr3 temperature
Replies: 4
Views: 998

Re: RB750Gr3 temperature

Mine is at 35-ish too. These are low power devices, should be quite cool.
Maybe the sink isn't sitting properly: viewtopic.php?t=113068
by sebastia
Mon Feb 26, 2018 3:04 pm
Forum: General
Topic: Low performance over EOIP tunnel
Replies: 11
Views: 3557

Re: Low performance over EOIP tunnel

by cpu limitation I meant processing limits of the cpu
by sebastia
Mon Feb 26, 2018 1:10 pm
Forum: General
Topic: Low performance over EOIP tunnel
Replies: 11
Views: 3557

Re: Low performance over EOIP tunnel

It is possible depending on how vlans are configured, and can be caused by:
* cpu limitation
* bandwidth limitation of the cpu port

But you didn't provide any info in that regard.
by sebastia
Mon Feb 26, 2018 10:32 am
Forum: RouterBOARD hardware
Topic: Bandwidth limits
Replies: 6
Views: 598

Re: Bandwidth limits

So in this scenario where I have 3 adsl link where each has the 140mb speed the best RB would be the 1100 ?? In the tests results have the options 1518 bytes 512 bytes 64 bytes, what would these comparisons be? Would traffic be simultaneous on all ports with this packet size ?? But for the use of 3...
by sebastia
Mon Feb 26, 2018 10:22 am
Forum: RouterBOARD hardware
Topic: HAP AC2 PERFORMANCE NUMBERS
Replies: 14
Views: 7409

Re: HAP AC2 PERFORMANCE NUMBERS

It's currently only supported through the switch configuration (switch chip = AR8327), see https://wiki.mikrotik.com/wiki/Manual:S ... s_Ports.29
by sebastia
Mon Feb 26, 2018 10:09 am
Forum: General
Topic: VPN and QOS Queue Tree
Replies: 16
Views: 3090

Re: VPN and QOS Queue Tree

I've a different experience with QoS. I think it's time to do: /export hide-sensitive
by sebastia
Mon Feb 26, 2018 12:11 am
Forum: RouterBOARD hardware
Topic: need help to find schematic diagram
Replies: 3
Views: 597

Re: need help to find schematic diagram

IMHO he is asking not for functional diagrams but for electrical service diagrams.
Also possible ...
by sebastia
Sun Feb 25, 2018 11:58 pm
Forum: General
Topic: Cable modem with a set of static ips
Replies: 5
Views: 391

Re: Cable modem with a set of static ips

Have a look here: https://www.youtube.com/watch?v=6eeYac5xBrE
The steps you'll need are there too:
* bridging
* L2 filtering
* (mangling)
(I don't like the presentation, but the general info is there...)

And here: https://wiki.mikrotik.com/wiki/TransparentTrafficShaper
=> If you don't want queueing, ...
by sebastia
Sun Feb 25, 2018 11:50 pm
Forum: Beginner Basics
Topic: Lots of STP packets in network [SOLVED]
Replies: 7
Views: 630

Re: Lots of STP packets in network [SOLVED]

Hi

Have you tried disabling the ipv6 package?
by sebastia
Sun Feb 25, 2018 8:33 pm
Forum: General
Topic: Cable modem with a set of static ips
Replies: 5
Views: 391

Re: Cable modem with a set of static ips

Then option 1: transparent firewall is for you ;-)
by sebastia
Sun Feb 25, 2018 8:18 pm
Forum: RouterBOARD hardware
Topic: need help to find schematic diagram
Replies: 3
Views: 597

Re: need help to find schematic diagram

Hi

For some of the devices it is available under documents, but not for all.
Ex: https://mikrotik.com/product/CCR1036-8G ... -downloads -> https://i.mt.lv/routerboard/files/CCR10 ... 132545.png
by sebastia
Sun Feb 25, 2018 8:06 pm
Forum: General
Topic: Cable modem with a set of static ips
Replies: 5
Views: 391

Re: Cable modem with a set of static ips

Hi

"I assume the ip address of the modem is 66.1.1.241." => will be something else as that was your gateway, remember?

You have a few options: bridge eth1 & eth2, and have a firewall in between => ~ "protected dmz" you can filter here traffic from internet to workstations, workstations will be other...
by sebastia
Sun Feb 25, 2018 7:47 pm
Forum: General
Topic: VPN and QOS Queue Tree
Replies: 16
Views: 3090

Re: VPN and QOS - routing mark and packet mark at the same time?

But why the second rule should be necessary for it to work is not clear to me - are you throttling packets which come via VPN to leave more bandwidth for other download traffic? Because if you want to prioritize them instead, it cannot work as priority depends on the sending remote side. To be a...
by sebastia
Sun Feb 25, 2018 7:42 pm
Forum: General
Topic: VPN and QOS Queue Tree
Replies: 16
Views: 3090

Re: VPN and QOS - routing mark and packet mark at the same time?

The last one
add action=mark-packet chain=output new-packet-mark=vpn-up out-interface=ether1 passthrough=no
will mark any packet from router itself to eth1 as from vpn. This might not be a big issue, but just saying...

If you look at https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#De...
by sebastia
Sun Feb 25, 2018 6:16 pm
Forum: Beginner Basics
Topic: R11e-LTE with no LTE options in the menu [SOLVED]
Replies: 2
Views: 554

Re: R11e-LTE with no LTE options in the menu [SOLVED]

Hi

I've heard of a few cases in the past where the unit got hot, and solution in all of these was to RMA and get a new / functioning one.
by sebastia
Sun Feb 25, 2018 3:55 pm
Forum: General
Topic: VLAN in new "Bridge Only" config
Replies: 64
Views: 18068

Re: VLAN in new "Bridge Only" config

Well,
1. CZFan hasn't expressed any need to do what you mentioned
2. even if he did, he can still choose to use the first switch group for that purpose.

So options are available.
by sebastia
Sun Feb 25, 2018 3:12 pm
Forum: RouterBOARD hardware
Topic: Bandwidth limits
Replies: 6
Views: 598

Re: Bandwidth limits

Hi

Best routerboard in which aspect(s)? What is important to you? What do you want to achieve?
by sebastia
Sun Feb 25, 2018 1:03 pm
Forum: Scripting
Topic: Mikrotik backup + upload to FTP /problem/
Replies: 8
Views: 1535

Re: Mikrotik backup + upload to FTP /problem/

Hi

Have you tried running script manually on the failing nodes? It should work in "one-off" mode, before you schedule it.

On the other hand, do you schedule 89 uploads on exactly the same time to one server? Can it handle all at once? You should probably spread the load over time.
by sebastia
Sun Feb 25, 2018 12:57 pm
Forum: Wireless Networking
Topic: Limiting the ability to connect to the server from the outside?
Replies: 3
Views: 343

Re: Limiting the ability to connect to the server from the outside?

Hi

MAC based filtering is only useful for limiting access in same network / subnet. What I've understood is that the external router is port forwarding connection to an internal ip. If you use that forward from specific locations, you could update the forward rule to only apply for specific ip's or ...
by sebastia
Sun Feb 25, 2018 12:39 pm
Forum: General
Topic: VPN and QOS Queue Tree
Replies: 16
Views: 3090

Re: VPN and QOS - routing mark and packet mark at the same time?

Hi HzMeister

You omitted the crucial part that the vpn is actually a virtual interface on the router itself. Any packet sent to it, will be encapsulated and any tags defined on it will not propagate to the retransmitted wrapping packet. If you want to prioritise outgoing/upload traffic within the vp...
by sebastia
Sun Feb 25, 2018 2:46 am
Forum: General
Topic: VPN and QOS Queue Tree
Replies: 16
Views: 3090

Re: VPN and QOS - routing mark and packet mark at the same time?

And no vlans involved either? That would also invalidate current queue tree def.

Another thing to try:
* connection/route mark in prerouting
* packet mark in postrouting

Only one choice for first, multiple for last.
by sebastia
Sun Feb 25, 2018 2:06 am
Forum: General
Topic: VPN and QOS Queue Tree
Replies: 16
Views: 3090

Re: VPN and QOS - routing mark and packet mark at the same time?

The regular route and the route to vpn send the packets over same outgoing interface = ether1?

That is what the upload queue assumes, as it is linked to ether1.
by sebastia
Sun Feb 25, 2018 1:43 am
Forum: General
Topic: VPN and QOS Queue Tree
Replies: 16
Views: 3090

Re: VPN and QOS - routing mark and packet mark at the same time?

Evening

You can combine action if previous actions are "passthrough", meaning they will not terminate traversal of the rules.
by sebastia
Sat Feb 24, 2018 5:17 pm
Forum: General
Topic: VLAN in new "Bridge Only" config
Replies: 64
Views: 18068

Re: VLAN in new "Bridge Only" config

This uncertainty is what makes me refrain from using the bridge and switch menu simultaneously. I can imagine the ROS to adjust the switch chip configuration according to the bridge settings to get the maximum possible hardware acceleration, but if you decide to have VLAN A tagged at port 1 and unt...
by sebastia
Sat Feb 24, 2018 2:25 pm
Forum: Beginner Basics
Topic: defualt gateway changes interfaces on router mikrotik 450g
Replies: 1
Views: 231

Re: defualt gateway changes interfaces on router mikrotik 450g

Hi

Please provide your config so informed advice can be given:
/export hide-sensitive
by sebastia
Sat Feb 24, 2018 2:03 pm
Forum: General
Topic: Neighbour discovery unexpected entry
Replies: 3
Views: 487

Re: Neighbour discovery unexpected entry

Which version of RouterOs are you using?
Maybe you still have a master-slave config on some of the ports...
by sebastia
Sat Feb 24, 2018 11:56 am
Forum: General
Topic: Fetch file and perform a MD5 calculation
Replies: 4
Views: 987

Re: Fetch file and perform a MD5 calculation

MD5 is not available within routeros as stand-alone tool, but can be added by means of script.

See: viewtopic.php?f=9&t=62895&hilit=md5
by sebastia
Sat Feb 24, 2018 11:51 am
Forum: General
Topic: Seperate Network
Replies: 1
Views: 187

Re: Seperate Network

Hi

What you need is "Home router" config, from quickset. Basically you'll get internet on "1" network => your uplink/internet from MT point of view, and have any other port go through masquerade. Result will be: NAT router behind a NAT router. Are you planning on any inbound connection from internet...
by sebastia
Sat Feb 24, 2018 11:39 am
Forum: General
Topic: ipv6 6in4 ISATAP traffic block
Replies: 2
Views: 293

Re: ipv6 6in4 ISATAP traffic block

On the security aspect, which "weaknesses and dangers" are you referring to?
The dangers of 6in4 are the same as in native ipv6: injection, spoofing, ... Nothing new here.

Please remember that 6to4 is a different thing than 6in4.
by sebastia
Sat Feb 24, 2018 11:03 am
Forum: General
Topic: ipv6 6in4 ISATAP traffic block
Replies: 2
Views: 293

Re: ipv6 6in4 ISATAP traffic block

Hi

6in4 goes over protocol 41. If you don't want it, don't allow protocol 41 over your routers.
by sebastia
Fri Feb 23, 2018 7:27 pm
Forum: Beginner Basics
Topic: New Router, cannot use ubnt discovery and windows SMB
Replies: 2
Views: 368

Re: New Router, cannot use ubnt discovery and windows SMB

If you know how to disable, you also know what not to do to allow it. Right?

List your config so at least someone would be able to advise you what to look at / change.
by sebastia
Thu Feb 22, 2018 10:50 pm
Forum: Beginner Basics
Topic: having trouble this early bad sign
Replies: 3
Views: 437

Re: having trouble this early bad sign

If you can ping from pc to both routers, then you should be ok: ping and response go in opposite directions. If PC is windows, it will by default block ping requests.
by sebastia
Tue Feb 20, 2018 9:27 pm
Forum: General
Topic: VLAN in new "Bridge Only" config
Replies: 64
Views: 18068

Re: VLAN in new "Bridge Only" config

From what I've understood from docs, if vlan filtering is done at switch (so under switch menu), it will be in hardware for select switch chips.
https://wiki.mikrotik.com/wiki/Manual:S ... troduction
by sebastia
Tue Feb 20, 2018 9:07 pm
Forum: Beginner Basics
Topic: Random drops during gaming
Replies: 7
Views: 841

Re: Random drops during gaming

Evening

From experience, powerline adapters can be unreliable. Can you test a setup without them? With connection over vpn, which is most likely over TCP (?), the vpn will guarantee delivery of every packet, potentially delayed. That's probably the reason you can bridge the connection gap. On the ot...
by sebastia
Fri Feb 16, 2018 10:00 pm
Forum: General
Topic: Strange upload problem
Replies: 1
Views: 523

Re: Strange upload problem

Hi

Update your masquerade rule to only masq traffic leaving over your ppp interface.

Also have a look at: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
by sebastia
Fri Feb 16, 2018 9:51 pm
Forum: General
Topic: P2P connection to security camera recorder behind MTik
Replies: 7
Views: 1134

Re: P2P connection to security camera recorder behind MTik

We still need to know what the camera and client are doing, that isn't working any longer...
by sebastia
Fri Feb 16, 2018 9:31 pm
Forum: Beginner Basics
Topic: Loadbalancing and failover
Replies: 1
Views: 292

Re: Loadbalancing and failover

Good evening (CET time here)

The fact that it's marked for wan1 is expected, as that's the loadbalancing at work.

BUT if one of the wans is unavailable it will be rerouted over the other.
by sebastia
Fri Feb 16, 2018 9:18 pm
Forum: Beginner Basics
Topic: Layer7 Load Balancing & Aggregation
Replies: 2
Views: 448

Re: Layer7 Load Balancing & Aggregation

There are quite a few threads here on this subject. Please have a look.

Also wiki lists some possibilities: https://wiki.mikrotik.com/wiki/Load_Balancing

And btw: layer3 or 4 load balancing will do just fine too.
by sebastia
Fri Feb 16, 2018 8:09 pm
Forum: General
Topic: Slow speed on mikrotik crs125-24g-1s-rm
Replies: 4
Views: 460

Re: Slow speed on mikrotik crs125-24g-1s-rm

As Steveocee said, routing is not their main job. Put a router in front, and use CRS as smart switch only.
by sebastia
Fri Feb 16, 2018 7:55 pm
Forum: General
Topic: Mikrotik was hacked ans reset button disabled
Replies: 12
Views: 2298

Re: Mikrotik was hacked ans reset button disabled

Guys don't be hard on Kackele, he wants to help...

Kackele, I trust you, here is my ip: 127.52.78.2, it's FTTP.