Community discussions

Search found 1795 matches

by sebastia
Thu Feb 01, 2018 10:19 pm
Forum: General
Topic: How can i delete one Connection Mark name?
Replies: 8
Views: 768

Re: How can i delete one Connection Mark name?

If it's referred to in config, even if not actually used, it will be listed, as a convenience.
by sebastia
Thu Feb 01, 2018 10:08 pm
Forum: Beginner Basics
Topic: QOS for VoIP - Confirmation
Replies: 17
Views: 3346

Re: QOS for VoIP - Confirmation

This is the leanest indeed. Just verify that packets coming from internet do have 46 tag set. You can verify that easily based on counts: if they increase for Download-Voice you're all set. You must assign "no-mark" to some queue, for your Rest_xx, if you don't they will bypass queue tree! I would al...
by sebastia
Thu Feb 01, 2018 9:59 pm
Forum: Announcements
Topic: Winbox 3.12 released!
Replies: 55
Views: 45042

Re: Winbox 3.12 released!

Being able to understand, would be nice...
by sebastia
Wed Jan 31, 2018 11:05 pm
Forum: Scripting
Topic: Assistance about ScripT
Replies: 5
Views: 596

Re: Assistance about ScripT

try this:
:local signal
:foreach i in=[/interface wireless registration-table find ap=yes] do={
  # signal-strength is a string like "-70dBm@..."; keep the number in front of "dBm" and convert it
  :set signal [/interface wireless registration-table get $i signal-strength]
  :set signal [:tonum [:pick $signal 0 [:find $signal "dBm"]]]
  :if ($signal < -76) do={/tool e-mail send to="youremail.com" subject="signal too low" body="$signal"}
}
1+1
by sebastia
Wed Jan 31, 2018 10:21 pm
Forum: General
Topic: VLAN not working with Switch Chip [SOLVED]
Replies: 6
Views: 2217

Re: VLAN not working with Switch Chip [SOLVED]

Hi

There is a bridge configuration AND a switch configuration, and they are conflicting. The configured bridge doesn't do vlan filtering, and bridges everything to everywhere: so untagged 15, tagged 2,140,145 => that's why you get ip from 15 network. The configured switch doesn't redefine default-vla...
by sebastia
Wed Jan 31, 2018 10:05 pm
Forum: General
Topic: "ARP" Security on CRS and RB2011 using HW offloading
Replies: 3
Views: 428

Re: "ARP" Security on CRS and RB2011 using HW offloading

connection dev A -> dev B: packets need to be forwarded by router
A -> router: mac learned from packet
router -> B: mac of B needed, if not present in cache, and discovery disabled (only reply) won't know where to send to -> failure


BTW: vlan filtering is not in hardware on crs1x
by sebastia
Wed Jan 31, 2018 9:57 pm
Forum: General
Topic: Isolate an IP [SOLVED]
Replies: 5
Views: 1033

Re: Isolate an IP [SOLVED]

the easiest (and most consistent) way: isolate it in separate subnet only routed to internet
by sebastia
Wed Jan 31, 2018 9:50 pm
Forum: General
Topic: Bridge VLAN Filtering post 6.41 - please explain
Replies: 3
Views: 551

Re: Bridge VLAN Filtering post 6.41 - please explain

it is available on all platforms, it's only executed in hardware on CRS3xx.
by sebastia
Wed Jan 31, 2018 9:49 pm
Forum: General
Topic: Dynamic Firewall rules
Replies: 1
Views: 220

Re: Dynamic Firewall rules

To my knowledge it isn't. Some tools use fingerprinting (like nmap) to classify type of host, but that's not available out of the box on MT.
by sebastia
Wed Jan 31, 2018 9:45 pm
Forum: General
Topic: [Help] About Queue size (pfifo)
Replies: 4
Views: 1468

Re: [Help] About Queue size (pfifo)

Hi

If you don't want any dropped packets you shouldn't use queuing. Then, if bandwidth is large enough no packet will be dropped. If bandwidth is limited on the other hand, if you want prio / QOS you will by definition be dropping packets. The only advantage of memory (buffers for packets) is that y...
by sebastia
Wed Jan 31, 2018 11:47 am
Forum: Beginner Basics
Topic: QOS for VoIP - Confirmation
Replies: 17
Views: 3346

Re: QOS for VoIP - Confirmation

By specifying additional condition:
/ip firewall mangle
add connection-mark=no-mark action=mark-connection new-connection-mark=...
The goal is not to override some specific logic applied earlier.
by sebastia
Tue Jan 30, 2018 11:48 pm
Forum: General
Topic: Blocking UDP attack in Mikrotik not working
Replies: 14
Views: 1964

Re: Blocking UDP attack in Mikrotik not working

I think it doesn't make sense even for TCP, as source ip of that ICMP will be the targeted ip, telling the attacker that host IS responding / up?
by sebastia
Tue Jan 30, 2018 11:44 pm
Forum: Beginner Basics
Topic: Why does this firewall rule block my internet? [SOLVED]
Replies: 3
Views: 535

Re: Why does this firewall rule block my internet? [SOLVED]

All of these and related add chain=forward src-address=0.0.0.0/8 action=drop add chain=forward dst-address=0.0.0.0/8 action=drop add chain=forward src-address=127.0.0.0/8 action=drop add chain=forward dst-address=127.0.0.0/8 action=drop add chain=forward src-address=224.0.0.0/3 action=drop add chain=...
by sebastia
Tue Jan 30, 2018 10:13 pm
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7590

Re: Script implementing Active Congestion Control

The challenge with unpredictable upload, is that when a "slow" ping occurs (=high ping value), one can't determine whether it's because of full upload queue or full download queue... So what to adjust? Wrt queue: that's easy: remove all queues you don't use or have mangle rules for ;-). And keep in ...
by sebastia
Tue Jan 30, 2018 10:05 pm
Forum: Wireless Networking
Topic: Terrible NV2 Ac Network P2MP
Replies: 13
Views: 1712

Re: Terrible NV2 Ac Network P2MP

One thing popped up: in nv2 you have distance set to 10km, but you said the distance is 200m max. Try adjusting that. Also have a look here: try increasing period size, as in your setup number of clients is fixed, which will not impact latency. Therefore you could go "high" https://forum.mikrotik.com/...
by sebastia
Tue Jan 30, 2018 9:48 pm
Forum: Wireless Networking
Topic: LTE Queses does not work
Replies: 6
Views: 577

Re: LTE Queses does not work

With the speed you're operating at this time, you don't need fasttrack. Disable it and reboot, and you'll have full functionality. If you do keep fasttrack, then delete simple queue. Use pcq, as noted, as queue type based on source ip (in your lan), 512k rate, and 1m queue max-limit. With fasttrack,...
by sebastia
Tue Jan 30, 2018 9:04 pm
Forum: General
Topic: Blocking UDP attack in Mikrotik not working
Replies: 14
Views: 1964

Re: Blocking UDP attack in Mikrotik not working

How might TTL mangle help in this case, with UDP with possibly blind transmission?
Also keep in mind, that the resulting ICMP will carry source ip, which would be targeted ip when transmitted by router, so how would it fool the attacker?
by sebastia
Tue Jan 30, 2018 2:36 pm
Forum: General
Topic: RB750Gr3 l2tp/ipsec unbearably slow
Replies: 19
Views: 3575

Re: RB750Gr3 l2tp/ipsec unbearably slow

Hi

Could it be packet size / MTU and/or fragmentation related?
Please try with smaller transmission unit.
by sebastia
Tue Jan 30, 2018 2:24 pm
Forum: Wireless Networking
Topic: LTE Queses does not work
Replies: 6
Views: 577

Re: LTE Queses does not work

Hi

I would suggest to keep it simple and to one method. Above, two methods are used: * simple queue for /ip configuration * queue tree for overall interface upload setting But the tree approach requires packet marks to be used for traffic classification, which is not the case in the definition above. ...
by sebastia
Tue Jan 30, 2018 1:36 pm
Forum: General
Topic: "ARP" Security on CRS and RB2011 using HW offloading
Replies: 3
Views: 428

Re: "ARP" Security on CRS and RB2011 using HW offloading

Arp will be used for all connections originating at the router.
So if router tries to connect to other machine on connected network, if it doesn't have its mac in cache/table, it will ask.

Packets from source ip coming into router are used for table update.
by sebastia
Tue Jan 30, 2018 1:26 pm
Forum: General
Topic: Blocking UDP attack in Mikrotik not working
Replies: 14
Views: 1964

Re: Blocking UDP attack in Mikrotik not working

Drop is better than reject, as reject will also generate outgoing traffic.
And best to do it in raw table.
by sebastia
Mon Jan 29, 2018 5:42 pm
Forum: General
Topic: DMZ on ETH5
Replies: 4
Views: 419

Re: DMZ on ETH5

Hi

Why don't you try this?

Eth1/Wan: independent port
Eth5/DMZ: independent port
Eth2-4/Lan: switched / in hw-bridge

each with different ip range: wan-assigned, lan-"2" & wan-"8"
In firewall
allow traffic from "2" to "8"
allow traffic from "8" to "2" if related/established
by sebastia
Mon Jan 29, 2018 5:23 pm
Forum: Beginner Basics
Topic: Beginner: Local + Guest network (VLAN)
Replies: 3
Views: 911

Re: Beginner: Local + Guest network (VLAN)

Hi

As I understand it (https://wiki.mikrotik.com/wiki/Manual:I ... AN_tagging) you don't need vlan definition on wAP or CRS: they will just pass through (so without vlan filtering).
You DO have to define a vlan interface on router (3011) assign IP and forward/masq traffic as you wish.
by sebastia
Sun Jan 28, 2018 10:23 pm
Forum: General
Topic: Chromecast not visible if going via RouterOS v6.38.5
Replies: 7
Views: 1123

Re: Chromecast not visible if going via RouterOS v6.38.5

Please list your MT config
by sebastia
Sat Jan 27, 2018 11:15 pm
Forum: Wireless Networking
Topic: SXT LTE lost lte interface
Replies: 35
Views: 7539

Re: SXT LTE lost lte interface

Hi

Considering a purchase and wondering if this is still an issue?
by sebastia
Sat Jan 27, 2018 8:52 pm
Forum: Wireless Networking
Topic: Wireless issues - can't figure out why
Replies: 7
Views: 946

Re: Wireless issues - can't figure out why

Don't go for 6.41 just yet, as it changes the switching configuration, and could cause you some headaches. You could try 6.39.3 as suggested, or go for 6.40.5 (last stable before switch change). _Normally_, the update should take all settings from previous system. But things can go south from time t...
by sebastia
Sat Jan 27, 2018 8:22 pm
Forum: General
Topic: Get public ip of ssh petition
Replies: 1
Views: 188

Re: Get public ip of ssh petition

Hi

Not sure what you mean by petition, but... Your ssh server would get packets directed to its ip (192.168.1.2) and the source of that packet should be unchanged, so somewhere from internet. If it is changed it means you also have some src-nat rule which gets applied, maybe your outgoing masquerad...
by sebastia
Sat Jan 27, 2018 8:16 pm
Forum: General
Topic: QoS and ipsec performance in CCR routers
Replies: 3
Views: 484

Re: QoS and ipsec performance in CCR routers

Best source is MT itself. Suggest you open a support ticket with that question.
And post the response ;-).
by sebastia
Sat Jan 27, 2018 8:08 pm
Forum: RouterBOARD hardware
Topic: Mikrotik Raspberry pi video buffering
Replies: 12
Views: 1904

Re: Mikrotik Raspberry pi video buffering

Also keep in mind that the wired network interface is 100mbit/s and off usb. https://raspberrypi.stackexchange.com/questions/46076/soc-cpu-and-ethernet-controller-internal-connection-in-raspberry-pi-3 Wondering if you wouldn't have better results with wireless as it has a dedicated interface... http...
by sebastia
Sat Jan 27, 2018 5:54 pm
Forum: RouterBOARD hardware
Topic: Mikrotik Raspberry pi video buffering
Replies: 12
Views: 1904

Re: Mikrotik Raspberry pi video buffering

try diagnosing the problem step by step, by eliminating possibilities.
What rate do you get with manual transfer from pc -> rpi and rpi -> pc? Then try transfer to another pc: pc1 -> pc2 and reverse.
* are these rates comparable?
* are these rates expected?
* how do the systems behave when doing so?
* ...
by sebastia
Sat Jan 27, 2018 2:46 pm
Forum: General
Topic: QoS and ipsec performance in CCR routers
Replies: 3
Views: 484

Re: QoS and ipsec performance in CCR routers

Hi

Are you referring to the fact that queue tree on a CCR is processed by a single core? Therefore, for high bandwidth applications, Simple Queues are advised over queue tree as these can spread load over multiple cores.
by sebastia
Sat Jan 27, 2018 2:43 pm
Forum: General
Topic: Chromecast not visible if going via RouterOS v6.38.5
Replies: 7
Views: 1123

Re: Chromecast not visible if going via RouterOS v6.38.5

I understand that you have your chromecast on ap1 and client sometimes on ap1 and ap2. AP1 - AP1 works, but AP1 - AP2 doesn't.
What is new / extra in second case:
* ap2
* client itself

Have a look at their configuration wrt multicast processing.
by sebastia
Sat Jan 27, 2018 2:19 am
Forum: General
Topic: Upgraded from 6.38.5 to 6.41, script stopped working
Replies: 2
Views: 280

Re: Upgraded from 6.38.5 to 6.41, script stopped working

Hi

I'm running 6.40.5, and I can confirm that on-startup script is launched before RB is fully functional. Have a look at the log below: jan/01/2002 02:00:01 system,info router rebooted jan/21 15:43:08 script,info Initialising scripting jan/21 15:43:13 interface,info e1_int link up (speed 1G, full ...
by sebastia
Sat Jan 27, 2018 1:38 am
Forum: Beginner Basics
Topic: CRS125-24G-1S, trying to set up 2 VLANs using switch chip
Replies: 3
Views: 491

Re: CRS125-24G-1S, trying to set up 2 VLANs using switch chip

Hi

Q: what is the difference between section 1 & 2? Seems like one and the same to me, except dhcp could serve fixed leases to devices in section 1. Your CRS can't do vlan filtering in hardware so don't try to, as it will cost you performance. https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#B...
by sebastia
Sat Jan 27, 2018 1:17 am
Forum: RouterBOARD hardware
Topic: Mikrotik Raspberry pi video buffering
Replies: 12
Views: 1904

Re: Mikrotik Raspberry pi video buffering

Linksys is using different antenna, external with likely higher gain, which will result in better wireless signal.

Better signal -> better bandwidth -> higher download speed -> less buffering

Consider different placement of the router & rpi3, to improve the signal quality. Or use wire.
by sebastia
Sat Jan 27, 2018 12:55 am
Forum: General
Topic: Blocking UDP attack in Mikrotik not working
Replies: 14
Views: 1964

Re: Blocking UDP attack in Mikrotik not working

Are you on dynamic ip? if so try resetting your modem to get a new ip.
And as mentioned, make sure you don't provoke it again in future.
by sebastia
Sat Jan 27, 2018 12:50 am
Forum: General
Topic: Chromecast not visible if going via RouterOS v6.38.5
Replies: 7
Views: 1123

Re: Chromecast not visible if going via RouterOS v6.38.5

Why do you assume: "Obviously multicast is being stopped at Mikrotik. It makes no sense, as ALL devices ARE on the SAME IP range" It worked with MT and the first AP. What is new now is AP2. Just to be sure you could plug AP2 in eth2, and try to reproduce. Back to the issue, it may be related to ARP....
by sebastia
Sat Jan 27, 2018 12:38 am
Forum: General
Topic: Allow per ip and protocol traffic inside ipsec vpn
Replies: 7
Views: 648

Re: Allow per ip and protocol traffic inside ipsec vpn

Same what I had in mind with "usual forward chain filter".
by sebastia
Fri Jan 26, 2018 11:55 pm
Forum: Beginner Basics
Topic: Bandwidth woes
Replies: 1
Views: 233

Re: Bandwidth woes

CRS is mainly a switch, but then what you are trying should be possible. According to specs, https://mikrotik.com/product/CRS125-24G-1S-2HnD-IN, it should be able to route at 1gbps with sufficiently large packets. Something else causing it? MTU? Try to determine your max size packet loss? Check int...
by sebastia
Fri Jan 26, 2018 11:46 pm
Forum: Beginner Basics
Topic: Config help req.: configuring permeable LAN, and remote management access between two local subnets [SOLVED]
Replies: 4
Views: 488

Re: Config help req.: configuring permeable LAN, and remote management access between two local subnets [SOLVED]

That dnat will be wide-open to anyone on internet. So depending on what will be dnat-ed, it might be an issue. Does the contractor use a fixed ip? If so that dnat rule could be quite selective => safe. /ip firewall nat add action=dst-nat chain=dstnat comment="Dnat" dst-address-type=local dst-port=<s...
by sebastia
Thu Jan 25, 2018 11:15 pm
Forum: General
Topic: DNS utilization
Replies: 15
Views: 5139

Re: DNS utilization

My question exactly, as it's configurable?
/ip dns
set allow-remote-requests=yes max-concurrent-queries=200 max-udp-packet-size=512
by sebastia
Thu Jan 25, 2018 11:04 pm
Forum: General
Topic: Bridge WAN to LAN for VLAN Is this possible
Replies: 1
Views: 661

Re: Bridge WAN to LAN for VLAN Is this possible

Hi

Yes, it's possible.
* define vlan on lan interface (tagged)
* define bridge
* add wan & vlan to that bridge

the bridge becomes "new wan" what you need to use for uplink
by sebastia
Thu Jan 25, 2018 11:00 pm
Forum: General
Topic: Allow per ip and protocol traffic inside ipsec vpn
Replies: 7
Views: 648

Re: Allow per ip and protocol traffic inside ipsec vpn

Maybe I misunderstood your problem. What do you mean by "specific IP's and protocols to be allowed inside the tunnel"?
Could you give an example of what you want to block?
by sebastia
Thu Jan 25, 2018 10:43 pm
Forum: Beginner Basics
Topic: Working VLAN configuration with HW-Offload
Replies: 5
Views: 1586

Re: Working VLAN configuration with HW-Offload

if bridging is in hw, then it's a "plain switch" and will do it at wirespeed.
But intervlan traffic, that is actually routing, and that's where FastPath comes into play.
https://wiki.mikrotik.com/wiki/Manual:Fast_Path
by sebastia
Thu Jan 25, 2018 8:29 pm
Forum: Beginner Basics
Topic: Working VLAN configuration with HW-Offload
Replies: 5
Views: 1586

Re: Working VLAN configuration with HW-Offload

Bridging is hw assisted, but not all hw is equal, and their capabilities in hw will differ: https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Bridge_Hardware_Offloading Looks like the vlan filtering is only functioning in HW on CRS3xxx series... So the while the bridge has initially been sta...
by sebastia
Thu Jan 25, 2018 6:59 pm
Forum: General
Topic: Allow per ip and protocol traffic inside ipsec vpn
Replies: 7
Views: 648

Re: Allow per ip and protocol traffic inside ipsec vpn

Hi

Do you use bare ipsec? If so, you would want to filter as usual in the forward chain of filter table, on what is allowed to go out to/come in from ipsec.
Ipsec processing is implemented after firewall filter for outgoing and before it for incoming.
by sebastia
Thu Jan 25, 2018 5:07 pm
Forum: General
Topic: Limit bandwith (Where?)
Replies: 8
Views: 841

Re: Limit bandwith (Where?)

That's then confirmed that it is not MT, as PC could transfer good BW on same port.
Good luck with the investigation. Few things I can think of: verify cpu usage, io activity, tcp window size tuning
by sebastia
Thu Jan 25, 2018 1:09 pm
Forum: General
Topic: Queue size pfifo
Replies: 3
Views: 1808

Re: Queue size pfifo

Hi

The packets from external interfaces being dropped, isn't that a consequence of the queue on the internal (egress) interface(s) shaping the download traffic? Whatever can't squeeze into internal, and can't be buffered, would be dropped indeed. Regarding the queue, i would worry that it would becom...
by sebastia
Thu Jan 25, 2018 12:36 pm
Forum: Beginner Basics
Topic: Control communication between same local ip address
Replies: 3
Views: 350

Re: Control communication between same local ip address

Hi

The solution would depend on your hardware. If these two are connected using unmanaged switch, then you can't limit the communication as-is. You would need to isolate server in a separate subnet and filter based on ip. If these two are connected using managed switch (or switched in MT itself), yo...
by sebastia
Thu Jan 25, 2018 12:31 pm
Forum: Beginner Basics
Topic: Beginner - Help needed to set up PTP [SOLVED]
Replies: 4
Views: 478

Re: Beginner - Help needed to set up PTP [SOLVED]

Happy to hear that! Don't have the hardware myself, so couldn't help you with detailed steps.
by sebastia
Thu Jan 25, 2018 12:16 pm
Forum: General
Topic: Limit bandwith (Where?)
Replies: 8
Views: 841

Re: Limit bandwith (Where?)

Would it be possible to plug a PC, with verified good BW, into server switch and do a test there? This would allow you to verify if it's a software issue. If PC would then have a limited bandwidth, have a look at the bridge configuration, as that's the only thing i can think of, if there are no queu...
by sebastia
Wed Jan 24, 2018 8:04 pm
Forum: Beginner Basics
Topic: Slow WIFI connection
Replies: 8
Views: 4364

Re: Slow WIFI connection

Dense spectrum! From hardware point of view you can use 2312-2732 MHz range. Depending on your country (and setting) that range will be reduced. Based on the spectrum heatmap, upper frequencies / channels 12-14 are less used. Try using these. https://en.wikipedia.org/wiki/File:2.4_GHz_Wi-Fi_channels...
by sebastia
Wed Jan 24, 2018 7:26 pm
Forum: General
Topic: L2TP VPN stops responding
Replies: 12
Views: 1178

Re: L2TP VPN stops responding

If related it might be linked to the ip change itself, not how it is updated to a ddns server.
by sebastia
Wed Jan 24, 2018 7:07 pm
Forum: Beginner Basics
Topic: Slow WIFI connection
Replies: 8
Views: 4364

Re: Slow WIFI connection

Hi

You're using the 2g band, the most crowded of them all... Have you tried verifying with a scanner how busy the channels are and selecting the least used / with weakest signals?

Also you seem to have manual tx-signal settings set. Anything relevant there?
by sebastia
Wed Jan 24, 2018 6:51 pm
Forum: Forwarding Protocols
Topic: Forwarding DDoS
Replies: 3
Views: 928

Re: Forwarding DDoS

@sanka: To prevent the conntrack from tracking connections through the router, you can mark these packets as "no-track" in raw table. See https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Raw#Properties @shaoranrch: I was under the impression that a single queue is processed by a single cpu core? Is...
by sebastia
Wed Jan 24, 2018 5:55 pm
Forum: General
Topic: dual freeradius problem
Replies: 2
Views: 359

Re: dual freeradius problem

Hi

Why not monitor the mysql directly? There are a number of tools for that.
by sebastia
Wed Jan 24, 2018 5:02 pm
Forum: Beginner Basics
Topic: Newbie help - have I set this up right? [SOLVED]
Replies: 3
Views: 293

Re: Newbie help - have I set this up right? [SOLVED]

There are also quite a few topics in that area, have a look. And don't forget wiki
by sebastia
Wed Jan 24, 2018 4:24 pm
Forum: Beginner Basics
Topic: Newbie help - have I set this up right? [SOLVED]
Replies: 3
Views: 293

Re: Newbie help - have I set this up right? [SOLVED]

You got everything right. In default config: ports 2-5 are switched (bridged in hardware) and behave same way as that standalone switch Also from fixing the IP (v4) point of view, you have done it correctly. the dhcp server will serve same ip to the lease which you made static (If you have IPv6, the...
by sebastia
Wed Jan 24, 2018 4:17 pm
Forum: Beginner Basics
Topic: Dual WAN Load Balancing with Fail-over
Replies: 7
Views: 13635

Re: Dual WAN Load Balancing with Fail-over

3:1 is close enough i think
by sebastia
Wed Jan 24, 2018 4:09 pm
Forum: General
Topic: IPTABLES in RouterOs
Replies: 5
Views: 720

Re: IPTABLES in RouterOs

Vlan is considered a virtual interface in routeros, and supports/provides "same functionality" as physical interface.
by sebastia
Wed Jan 24, 2018 4:06 pm
Forum: General
Topic: L2TP VPN stops responding
Replies: 12
Views: 1178

Re: L2TP VPN stops responding

Hi

Few considerations: * does a reboot always help / restore to working condition? * is the duration of "uptime" variable or more-or-less consistent? * have you tried same config with other hardware? * have you tried identifying the issue once it has occurred? * is it only vpn that goes down or also...
by sebastia
Wed Jan 24, 2018 4:00 pm
Forum: General
Topic: Basic to advanced setup
Replies: 1
Views: 230

Re: Basic to advanced setup

Hi

I would advise to update the MT to latest versions and then perform a configuration reset to gain latest default config.
The default config is in general quite secure. The latest default config is usually a good idea to start with as it will use all the latest features available.
by sebastia
Wed Jan 24, 2018 3:54 pm
Forum: General
Topic: Limit bandwith (Where?)
Replies: 8
Views: 841

Re: Limit bandwith (Where?)

Could you clarify what hardware you use and what your current config is:
* switching / bridging
* routing
* natting

Have you verified what is the load on the RB in profiler while transferring?
by sebastia
Wed Jan 24, 2018 3:41 pm
Forum: Beginner Basics
Topic: QOS for VoIP - Confirmation
Replies: 17
Views: 3346

Re: QOS for VoIP - Confirmation

Hi

This could work, but some remarks: * only mark connection if connection mark is empty * I usually mark packets at the last possible moment in postrouting just before going to interface * I wouldn't separate tcp & udp of voip, they are one application, one will not function without the other, => s...
by sebastia
Wed Jan 24, 2018 3:28 pm
Forum: Beginner Basics
Topic: Dual WAN Load Balancing with Fail-over
Replies: 7
Views: 13635

Re: Dual WAN Load Balancing with Fail-over

Hi

I'm guessing this has to do with the load factor on each WAN connection. If these are not equal in bandwidth, they should be loaded accordingly.
by sebastia
Wed Jan 24, 2018 11:56 am
Forum: General
Topic: Which fast USB Flash drive can I use with the CCR1036?
Replies: 4
Views: 418

Re: Which fast USB Flash drive can I use with the CCR1036?

On some RB you can do USB power cycle, but that's same as re-plugging it.
by sebastia
Wed Jan 24, 2018 2:35 am
Forum: General
Topic: Limit Public IPs
Replies: 1
Views: 224

Re: Limit Public IPs

For rate limiting you have two options:
* simple queue related to the affected ip(s)
* queue tree attached to the interface (egress only)

For simple queue to work, FastTrack may not be enabled on the related connections, as this would bypass the hooks in RouterOS.
by sebastia
Wed Jan 24, 2018 2:02 am
Forum: Beginner Basics
Topic: RouterOS PPPOE Server
Replies: 3
Views: 347

Re: RouterOS PPPOE Server

CCR are running a few thousand in production environments, with less memory. It all depends on what you are planning to do, right?
Number of tunnels, depends on the licence https://wiki.mikrotik.com/wiki/Manual:L ... nse_Levels
by sebastia
Tue Jan 23, 2018 10:27 pm
Forum: General
Topic: IPV6 DHCP Server
Replies: 4
Views: 720

Re: IPV6 DHCP Server

Looks like dhcpv6 leases are not persisted like v4. To be confirmed by Mikrotik?!? What you could do, is switch to stateless configuration with nd, where the clients will create ipv6 based on their mac. Since that mac is fixed, it will result in fixed ipv6. At least for the interface part. If you get...
by sebastia
Tue Jan 23, 2018 10:16 pm
Forum: Beginner Basics
Topic: how to use two interfaces in trunk
Replies: 3
Views: 455

Re: how to use two interfaces in trunk

Hi

It is not clear what you want to achieve. Please clarify what your objective is.
by sebastia
Tue Jan 23, 2018 8:48 pm
Forum: Scripting
Topic: /tool fetch nightmare
Replies: 5
Views: 984

Re: /tool fetch nightmare

Are you aware that there is API (+ssl) available on MT?
https://wiki.mikrotik.com/wiki/Manual:API
by sebastia
Tue Jan 23, 2018 8:41 pm
Forum: General
Topic: PCQ not working as it should
Replies: 2
Views: 470

Re: PCQ not working as it should

Hi

I wouldn't be surprised if that's your ISP doing. Reducing download speed after first X mb.
by sebastia
Tue Jan 23, 2018 8:37 pm
Forum: General
Topic: IPV6 DHCP Server
Replies: 4
Views: 720

Re: IPV6 DHCP Server

Hi

You can define static mapping under /ipv6 dhcp-server binding.
by sebastia
Tue Jan 23, 2018 7:12 pm
Forum: General
Topic: 100% CPU - OVPN Server error: TLS failed
Replies: 13
Views: 1818

Re: 100% CPU - OVPN Server error: TLS failed

I think it would be cheaper for MT and faster for you to get faster RB. Multiple tunnels and large keys are, I think, not the targeted domain for 750.
by sebastia
Tue Jan 23, 2018 6:58 pm
Forum: General
Topic: NAT question?
Replies: 6
Views: 474

Re: NAT question?

So, may be stable as long as conntrack is not empty, but can change, definitely between reboots.
No other feedback for support on alternatives?

So if you want stable ip at all times, define specific nat mapping manually, i guess.
by sebastia
Mon Jan 22, 2018 9:46 pm
Forum: General
Topic: Where did the notification icon go? [SOLVED]
Replies: 6
Views: 540

Re: Where did the notification icon go? [SOLVED]

Have you noticed that the forum got a lot faster...? Don't think this is a coincidence
by sebastia
Mon Jan 22, 2018 9:02 pm
Forum: Beginner Basics
Topic: Beginner - Help needed to set up PTP [SOLVED]
Replies: 4
Views: 478

Re: Beginner - Help needed to set up PTP [SOLVED]

Hi

I would keep it as simple as possible -> easier to maintain later. Question: will the 3/4G modem do NATing? If yes: put both SXTs in bridge mode, assign ips to both (in same range as provided by 4G modem) for easy access. If no: setup the SXT2 (first) as router/nat, SXT 2 lite (second) as bridge The...
by sebastia
Mon Jan 22, 2018 8:41 pm
Forum: Beginner Basics
Topic: Config help req.: configuring permeable LAN, and remote management access between two local subnets [SOLVED]
Replies: 4
Views: 488

Re: Config help req.: configuring permeable LAN, and remote management access between two local subnets [SOLVED]

Hi

The sec contractor needs to access "3" net right, and you all too? Then: * define new "3" net on the router * setup vpn for sec contractor, a separate net, say "5" * deny access from "3" to anything else in forward, except ntp on firewall * grant access from "5" to "3" (+established / related) in ...
by sebastia
Mon Jan 22, 2018 5:43 pm
Forum: General
Topic: Mikrotik Queue using OpenVPN [SOLVED]
Replies: 4
Views: 697

Re: Mikrotik Queue using OpenVPN [SOLVED]

You have the option to shape using Simple queues or queue tree attached to interface. Using simple queues would be easier here, as you could shape the "clear" traffic. Using tree, would be a bit more challenging, as only egress (exiting) traffic can be shaped, and that means that in some situations ...
by sebastia
Mon Jan 22, 2018 5:00 pm
Forum: General
Topic: 3 WAN PCC Load Balancing High CPU Usage
Replies: 6
Views: 1372

Re: 3 WAN PCC Load Balancing High CPU Usage

Hi

You're not using FastTrack as you need mangling to assign traffic to WANs. Looking at your CPU profiler data, firewall is the hotspot, followed by queuing. You could try to optimise your firewall rules: * use connection markings in input/forward/output * mark packets on relevant interfaces only: ...
by sebastia
Mon Jan 22, 2018 4:49 pm
Forum: General
Topic: how to nat public ip subnet with mikrotik
Replies: 6
Views: 1330

Re: how to nat public ip subnet with mikrotik

A few thoughts: * i wouldn't be NATing these extra ips: configure them directly on the servers and attach to the CPE device of your ISP (modem, router, ...), "parallel" to RB * keep one ip reserved for NATing your internal network if needed * if you must NAT, put these servers on separate network ->...
by sebastia
Mon Jan 22, 2018 4:32 pm
Forum: RouterBOARD hardware
Topic: ARM based new goodies on the horizon
Replies: 76
Views: 14520

Re: ARM based new goodies on the horizon

Lol, so for when can we expect v8 then :lol: ? 2nd '18?
by sebastia
Mon Jan 22, 2018 12:54 pm
Forum: Beginner Basics
Topic: I have no internet connection help!!!
Replies: 10
Views: 641

Re: I have no internet connection help!!!

Use just static servers: 8.8.8.8 and 8.8.4.4. It may be as simple as that, but if these are added as part of dhcp config, it won't do anything, as this means that uplink is down You don't have to add them as a part of dhcp config. Just assign them statically in DNS config and they will be in dhcp c...
by sebastia
Mon Jan 22, 2018 12:53 pm
Forum: Beginner Basics
Topic: I have no internet connection help!!!
Replies: 10
Views: 641

Re: I have no internet connection help!!!

what is the output of?
/ip address print

and

/ip route print
by sebastia
Mon Jan 22, 2018 12:25 pm
Forum: Beginner Basics
Topic: I have no internet connection help!!!
Replies: 10
Views: 641

Re: I have no internet connection help!!!

can you ping 8.8.8.8 or 8.8.4.4?

so in terminal, write:
:ping count=4 8.8.8.8
Do you get replies?
by sebastia
Mon Jan 22, 2018 12:16 pm
Forum: General
Topic: Which fast USB Flash drive can I use with the CCR1036?
Replies: 4
Views: 418

Re: Which fast USB Flash drive can I use with the CCR1036?

For good results you would want something with low-latency writes, so the io won't slow down the proxy process itself "too much".
by sebastia
Mon Jan 22, 2018 12:02 pm
Forum: General
Topic: Multiple download interfaces for queue tree
Replies: 2
Views: 370

Re: Multiple download interfaces for queue tree

I think it should be doable with simple queues, with hierarchy.

Define a parent queue for WAN interface with up / down limits
define child queues for every VLAN using that WAN.

PS: remember that you CAN'T use Fasttrack with simple queues
by sebastia
Mon Jan 22, 2018 11:33 am
Forum: Beginner Basics
Topic: I have no internet connection help!!!
Replies: 10
Views: 641

Re: I have no internet connection help!!!

Use just static servers: 8.8.8.8 and 8.8.4.4.
It may be as simple as that, but if these are added as part of dhcp config, it won't do anything, as this means that uplink is down
by sebastia
Mon Jan 22, 2018 11:26 am
Forum: Beginner Basics
Topic: fasttrack dummy rules
Replies: 1
Views: 860

Re: fasttrack dummy rules

Hi

You seem to have performed an upgrade (auto upgrade maybe?) to the latest version 6.41. In that latest version master-slave notion has been replaced by a bridge. The other entries are most likely defaults for that profile.
by sebastia
Mon Jan 22, 2018 11:18 am
Forum: Beginner Basics
Topic: I have no internet connection help!!!
Replies: 10
Views: 641

Re: I have no internet connection help!!!

Hi

Did you modify your dns settings like this? If not, then it's a consequence not a reason. You probably lost your lease / session and hence dns servers have been removed from dns settings, as your uplink is down. If you get your uplink back up, these should be auto added.
by sebastia
Sun Jan 21, 2018 11:24 pm
Forum: Beginner Basics
Topic: ISP modem speed not match mikrotik LAN speed
Replies: 1
Views: 240

Re: ISP modem speed not match mikrotik LAN speed

Hi

Could you elaborate what router you are using?
Also have you monitored the cpu usage of the router during that test?
Further please also specify what is your current configuration & topology, so some advice can be given?
by sebastia
Sun Jan 21, 2018 10:58 pm
Forum: General
Topic: Obsolete connection table entries
Replies: 11
Views: 1459

Re: Obsolete connection table entries

I remember Mikrotik personnel explaining why a CCR with a few thousand PPPoE clients using masquerade, is not scalable when a few drop every second. In that case study, it was explained that when a PPPoE with masq would die, system would need to examine all connection tracking data and discard relat...
by sebastia
Sun Jan 21, 2018 1:32 pm
Forum: General
Topic: 2 default-gateways in router
Replies: 3
Views: 2180

Re: 2 default-gateways in router

Hi

You have some options. Have a look at: https://wiki.mikrotik.com/wiki/Load_Balancing

Just out of curiosity: are you multi-homing your eth1 with 2 static subnets?
by sebastia
Sun Jan 21, 2018 3:27 am
Forum: General
Topic: Deprecating old IPv6 prefix when removed or replaced RFC6204
Replies: 11
Views: 3015

Re: Deprecating old IPv6 prefix when removed or replaced RFC6204

Hi

Can't this issue be partially mitigated by having short ip lifecycle, ex:
/ipv6 nd prefix default
set preferred-lifetime=1h valid-lifetime=1h
by sebastia
Sun Jan 21, 2018 3:08 am
Forum: General
Topic: Show user ip on lan side [SOLVED]
Replies: 5
Views: 532

Re: Show user ip on lan side [SOLVED]

Most likely there's just:
/ip firewall nat
add action=masquerade chain=srcnat
instead of proper:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=<WAN>
Like this it is even more precise:
add action=masquerade chain=srcnat out-interface=<WAN> src-address-type=!local
by sebastia
Sun Jan 21, 2018 3:01 am
Forum: General
Topic: Mikrotik Queue using OpenVPN [SOLVED]
Replies: 4
Views: 697

Re: Mikrotik Queue using OpenVPN [SOLVED]

OpenVPN on the router is a virtual interface: its traffic will still leave over your regular WAN interface but encapsulated in an encrypted TCP connection. So the only choice you have with this implementation, is to prioritise all of VPN or not. You can mangle on the output chain, in mangle table =...
by sebastia
Sun Jan 21, 2018 2:55 am
Forum: General
Topic: Obsolete connection table entries
Replies: 11
Views: 1459

Re: Obsolete connection table entries

Hi

Do you use as action "src-nat" or "masquerade"? I remember reading somewhere that in case of masq, the conntrack gets auto-cleared... Not for src-nat though
by sebastia
Fri Jan 19, 2018 8:19 pm
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7590

Re: Script implementing Active Congestion Control

Lol, nice try though ;).

Nice graph
by sebastia
Fri Jan 19, 2018 5:50 pm
Forum: General
Topic: Routing Issue accross multiple LANs
Replies: 7
Views: 563

Re: Routing Issue accross multiple LANs

Few other things to check:
* can you access winbox from other location(s) on these routers (at all)?
* is the winbox service enabled? Are there any limitations on it?
* has the user on these routers the right privileges?
* how are you accessing it? over ip or mac? if ip, which?
by sebastia
Fri Jan 19, 2018 4:29 pm
Forum: General
Topic: IPv6 Design Question
Replies: 7
Views: 663

Re: IPv6 Design Question

Another option:
setup DHCPv6 on hEX handing out the /6x from the /56 pool. Ex: https://wiki.mikrotik.com/wiki/Manual:I ... n_Examples
CRS a DHCPv6 client and distributing the ipv6's over nd

So still with DHCPv6 but only "internally"
by sebastia
Fri Jan 19, 2018 4:09 pm
Forum: General
Topic: NAT question?
Replies: 6
Views: 474

Re: NAT question?

I think the action "same" should suit you, but the documentation is quite limited. " same - gives a particular client the same source/destination IP address from supplied range for each connection. This is most frequently used for services that expect the same client address for multiple connection...
by sebastia
Fri Jan 19, 2018 3:42 pm
Forum: General
Topic: Routing Issue accross multiple LANs
Replies: 7
Views: 563

Re: Routing Issue accross multiple LANs

Your central RB, is directly connected to both RB "left" & "right". There are "connected" routes defined for them with distance 0.

You SHOULD be able to connect to them; if you can't, check firewall settings.
by sebastia
Fri Jan 19, 2018 3:18 pm
Forum: Beginner Basics
Topic: Query about default filter rules of RB750GR3
Replies: 11
Views: 972

Re: Query about default filter rules of RB750GR3

To be on the safe side, disable first. If no side effects, delete.
by sebastia
Fri Jan 19, 2018 3:09 pm
Forum: Beginner Basics
Topic: route a wan to a specific queues
Replies: 1
Views: 251

Re: route a wan to a specific queues

Hi

I understood that you have more than one WAN connection. Correct? If so what you would want to do is to have a default route 0.0.0.0/0 over your current ISP with distance X and in specific cases define a route over the other connection. That "specific cases" can be:
* based on ip/range in the main...
by sebastia
Fri Jan 19, 2018 3:01 pm
Forum: Beginner Basics
Topic: RouterBoard without internet connection.
Replies: 1
Views: 201

Re: RouterBoard without internet connection.

Hi

My guesses, to be verified and confirmed:
* your wan's dhcp clients don't add default route (or are statically assigned): there is no route for 0.0.0.0/0 in the main table right?
* each of the "lans" have their own routing table including the default route to WAN

Are these correct?
by sebastia
Fri Jan 19, 2018 1:18 pm
Forum: General
Topic: NAT question?
Replies: 6
Views: 474

Re: NAT question?

You do have some options: have a look at https://wiki.mikrotik.com/wiki/Manual:I ... :1_mapping
by sebastia
Fri Jan 19, 2018 1:03 pm
Forum: General
Topic: Routing Issue accross multiple LANs
Replies: 7
Views: 563

Re: Routing Issue accross multiple LANs

Hi

Which network do you have defined between
* left 3011 and centre
* right 3011 and centre
These routes are added automatically for you when you define the local ip. Then just access "left" & "right" 3011's by ip's on these networks. => that's just for RB's
To access the whole network:
* either s...
by sebastia
Fri Jan 19, 2018 11:51 am
Forum: General
Topic: Need assistance re VoIP Prioritization
Replies: 9
Views: 496

Re: Need assistance re VoIP Prioritization

Even more broadly, any queue with memory can be used for equalisation. No memory only rate limitation.
by sebastia
Fri Jan 19, 2018 10:39 am
Forum: General
Topic: IPv6 Design Question
Replies: 7
Views: 663

Re: IPv6 Design Question

Hey Acruhl, I meant either bridging or relay NOT both ;-)
by sebastia
Fri Jan 19, 2018 12:26 am
Forum: General
Topic: Need assistance re VoIP Prioritization
Replies: 9
Views: 496

Re: Need assistance re VoIP Prioritization

FT doesn't bypass firewall, you need to mark connection for FT IN firewall.

FT does bypass mangling.

PS: And FT will bypass simple queues, but not the queues attached to interfaces.
by sebastia
Fri Jan 19, 2018 12:19 am
Forum: General
Topic: Need assistance re VoIP Prioritization
Replies: 9
Views: 496

Re: Need assistance re VoIP Prioritization

Hi Sindy

Actually no, what I understood is to limit the whole traffic with priority for voip. That can exactly be achieved with what I suggested. The second / lower prio queue needs to match then on "no-mark" mark. So anything that isn't marked will go in second queue and be rate limited to 19-voip b...
by sebastia
Thu Jan 18, 2018 11:37 pm
Forum: Scripting
Topic: Playing defense, need help
Replies: 2
Views: 517

Re: Playing defense, need help

Another option: implement port knocking on your pptp.
For a good example: viewtopic.php?f=9&t=128722#p636651
by sebastia
Thu Jan 18, 2018 10:30 pm
Forum: Beginner Basics
Topic: VPN Client - Accessing remote IP addresses from client network
Replies: 4
Views: 464

Re: VPN Client - Accessing remote IP addresses from client network

Masquerading could replace the "to be added route" here but only in ONE way: if some computer from local network tries to contact remote. If some computer on remote network would like to connect to local computer, it will still not work if remote route is not present. So with routes defined on both ...
by sebastia
Thu Jan 18, 2018 9:53 pm
Forum: Beginner Basics
Topic: VPN Client - Accessing remote IP addresses from client network
Replies: 4
Views: 464

Re: VPN Client - Accessing remote IP addresses from client network

Hi

If you can ping from local RB the remote network -> your routing table is ok!

You're most likely pinging with the ip of the vpn which is known to the other router. But does the other router know about the 192.168.0/24?
It should have a route defined for it in its routing table to your router.
by sebastia
Thu Jan 18, 2018 9:48 pm
Forum: Beginner Basics
Topic: Trouble with Static IPs
Replies: 3
Views: 369

Re: Trouble with Static IPs

Can you plug a dummy switch (or switch/bridge in RB) in-between isp modem & RB, assign ip in that range and try getting in? If that works then it's definitely an issue with ISP.
by sebastia
Thu Jan 18, 2018 9:12 pm
Forum: General
Topic: IPv6 Design Question
Replies: 7
Views: 663

Re: IPv6 Design Question

Hi I'm guessing that the /56 network you receive is a dynamic one being renewed every so often, or lost if router is down. You could configure a static /64 on your CRS in range of the /56, but if your /56 changes, you would need to manually change the nd config on CRS. how about bridging on CRS and ...
by sebastia
Thu Jan 18, 2018 8:58 pm
Forum: General
Topic: Need assistance re VoIP Prioritization
Replies: 9
Views: 496

Re: Need assistance re VoIP Prioritization

This should work, but... if you leave the "other" as is -> "no-mark":
1. less cpu usage as bulk will be left alone
2. you could use FastTrack for that "other" / "no-mark" traffic
Ps: also, you don't need limits set on the child queue, they will get bandwidth based on their priority, unless a guarante...
by sebastia
Thu Jan 18, 2018 8:54 pm
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7590

Re: Script implementing Active Congestion Control

No i didn't. I don't need 64 classes of traffic prioritisation... ;-) For my usage 3 is enough.
by sebastia
Thu Jan 18, 2018 7:56 pm
Forum: General
Topic: RB2011 Health parameters
Replies: 7
Views: 625

Re: RB2011 Health parameters

Okido
by sebastia
Thu Jan 18, 2018 7:48 pm
Forum: Beginner Basics
Topic: Route WAN traffic over IPSec tunnel possible?
Replies: 10
Views: 3566

Re: Route WAN traffic over IPSec tunnel possible?

Hi

Client
the gateway defined on the client side must be reachable to clients -> needs to be on same network. This should be the RB on the 10...-side. Within that RB you then should define a default gw to 192.168... and with ipsec config to encrypt that traffic that will work fine.
Server
RB there s...
by sebastia
Thu Jan 18, 2018 7:37 pm
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7590

Re: Script implementing Active Congestion Control

Happy to hear that it works for you! About the changing upload speed, if these hours are fixed, you could simply define a scheduled task to drop (another later to increase) the max upload speed. Ex:
when to execute -> start time of script
frequency -> 24h
command: /queue tree set [find parent=WAN] m...
by sebastia
Thu Jan 18, 2018 4:06 pm
Forum: General
Topic: RB2011 Health parameters
Replies: 7
Views: 625

Re: RB2011 Health parameters

Hi vargdaff

Why don't you try the command exactly as it has been given to you? If you wonder why..
[admin@firewall] > system health get voltage
[admin@firewall] > :put [system health get voltage ]
246
"system health get voltage" will not print the value, it needs something else to do that -> :put
Le...
by sebastia
Wed Jan 17, 2018 10:31 pm
Forum: RouterBOARD hardware
Topic: RB750Gr3 - Report and questions
Replies: 112
Views: 33468

Re: RB750Gr3 - Report and questions

That is my understanding too: I've asked support but didn't get a conclusive answer.
viewtopic.php?f=3&t=128729
by sebastia
Wed Jan 17, 2018 10:29 pm
Forum: RouterBOARD hardware
Topic: RB750GR3 problem with boot
Replies: 5
Views: 1947

Re: RB750GR3 problem with boot

Try again?
The package you downloaded is the right one for Gr3.
by sebastia
Wed Jan 17, 2018 10:26 pm
Forum: RouterBOARD hardware
Topic: Upgrade from 750Gr3
Replies: 2
Views: 670

Re: Upgrade from 750Gr3

Seems like the case indeed wrt VLAN filtering in software: https://wiki.mikrotik.com/wiki/Manual:S ... p_Features
by sebastia
Wed Jan 17, 2018 10:17 pm
Forum: RouterBOARD hardware
Topic: RB1100AHx4 - IPSec/Tunnel speed
Replies: 4
Views: 1110

Re: RB1100AHx4 - IPSec/Tunnel speed

The numbers reported by MT are for both directions accumulated. This was stated by MT personnel on this forum.

1100x4 has much better numbers, even if in an ideal situation, and is more powerful than 750Gr3.
by sebastia
Wed Jan 17, 2018 10:09 pm
Forum: General
Topic: DHCPv6 client problem
Replies: 8
Views: 1056

Re: DHCPv6 client problem

Best to raise a support ticket with MT to get that fixed then?
by sebastia
Wed Jan 17, 2018 10:05 pm
Forum: Beginner Basics
Topic: Routing through VPN
Replies: 4
Views: 1491

Re: Routing through VPN

Mangling is bypassed with FastTrack enabled, that explains your issue.

But do you actually need mangling: if you were to define a route to the other part of your vpn in your main routing table, you wouldn't need to mangle and fast track could be enabled.
by sebastia
Wed Jan 17, 2018 9:57 pm
Forum: Beginner Basics
Topic: EOIP Tunnel
Replies: 2
Views: 400

Re: EOIP Tunnel

Could it possibly be related to fragmentation? HTTPS will most likely use full IP packets, but your EOIP needs some headers too and should still be <=1500. So the actual MTU is lower than 1500.

Try pinging between sites with different size of payload up to 1500, to confirm.
by sebastia
Wed Jan 17, 2018 9:49 pm
Forum: Beginner Basics
Topic: Query about default filter rules of RB750GR3
Replies: 11
Views: 972

Re: Query about default filter rules of RB750GR3

It has to do with IPSec and its incompatibility with NAT. Have a look at https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6 IPSEC decryption is applied before prerouting / de-natting. Hence on the WAN interface you need to accept packets "not coming" from WAN. IPSEC encryption is applied after po...
by sebastia
Wed Jan 17, 2018 8:46 pm
Forum: General
Topic: Routing between two Mikrotik routers is not working [SOLVED]
Replies: 22
Views: 1633

Re: Routing between two Mikrotik routers is not working [SOLVED]

Hi

1. Do the two routers know about each other? Can you ping the other end from both sides from within the routers?
2. Are these the main routers on the respective networks?
by sebastia
Wed Jan 17, 2018 8:27 pm
Forum: Beginner Basics
Topic: Remote access my server connected to mikrotik LAN from internet
Replies: 1
Views: 232

Re: Remote access my server connected to mikrotik LAN from internet

Hi

I would suggest to port-forward traffic on CPE2 to the RB, and then preferably setup a vpn on that port on Mikrotik, which you could then connect to from your pc.
by sebastia
Tue Jan 16, 2018 10:32 pm
Forum: Beginner Basics
Topic: IPv6 router settings
Replies: 15
Views: 2901

Re: IPv6 router settings

Hi

Does the link address start with fe80? Then it's a link-local address, not routable / reachable from internet. If not, then it's a routable ipv6 which you should set your wan to under "/ipv6 addresses"
/ipv6 address
add address=xxxx:yyyy:vvvv:e6c6::1/64 interface=LAN
add address=xxxx:yyyy:zzzz:ss...
by sebastia
Tue Jan 16, 2018 6:46 pm
Forum: RouterBOARD hardware
Topic: RB1100AHx4 - IPSec/Tunnel speed
Replies: 4
Views: 1110

Re: RB1100AHx4 - IPSec/Tunnel speed

Have a look at specs https://mikrotik.com/product/RB1100Dx4
Mode           Configuration        1400 byte        512 byte         64 byte
                                    kpps    Mbps     kpps    Mbps     kpps    Mbps
Single tunnel  AES-128-CBC + SHA1   122.0   1366.4   124.9   511.6    127.0   65.0
by sebastia
Tue Jan 16, 2018 6:41 pm
Forum: RouterBOARD hardware
Topic: ARM based new goodies on the horizon
Replies: 76
Views: 14520

Re: ARM based new goodies on the horizon

Indeed...
by sebastia
Tue Jan 16, 2018 6:11 pm
Forum: General
Topic: RB2011 Health parameters
Replies: 7
Views: 625

Re: RB2011 Health parameters

You can read them on console:
:put [/system health get < parameter > ]

ex:
:put [/system health get voltage  ]
by sebastia
Tue Jan 16, 2018 1:03 pm
Forum: RouterBOARD hardware
Topic: ARM based new goodies on the horizon
Replies: 76
Views: 14520

Re: ARM based new goodies on the horizon

Probably same processor as in hEX?
by sebastia
Tue Jan 16, 2018 12:56 pm
Forum: General
Topic: problem : High cpu usage by networking at profile
Replies: 6
Views: 4965

Re: problem : High cpu usage by networking at profile

Please start a new thread, will be less confusing.
by sebastia
Tue Jan 16, 2018 12:46 pm
Forum: General
Topic: QoS on Openvpn Interface not working
Replies: 5
Views: 702

Re: QoS on Openvpn Interface not working

If the ssh session does NOT go over VPN, you can indeed prioritise it over vpn traffic. Simply assign a lower priority class to ssh traffic, and the queue tree will do the rest. BUT remember that this needs to be implemented on the real outgoing interface. AND mark in post routing, as prerouting doe...
by sebastia
Tue Jan 16, 2018 12:40 pm
Forum: General
Topic: Granular User Levels
Replies: 4
Views: 363

Re: Granular User Levels

To my knowledge, such filtering is currently not supported.
by sebastia
Tue Jan 16, 2018 1:36 am
Forum: Beginner Basics
Topic: Winbox
Replies: 2
Views: 339

Re: Winbox

It's probably not linked to Win10, as I run v3.11 on it without issues.
by sebastia
Tue Jan 16, 2018 1:31 am
Forum: Beginner Basics
Topic: How to block SSH attackers after 3 bad logins?
Replies: 16
Views: 3106

Re: How to block SSH attackers after 3 bad logins?

You could log all new connections to ssh. That would include yours too.
by sebastia
Mon Jan 15, 2018 5:32 pm
Forum: General
Topic: pcc load balance and statics routes
Replies: 4
Views: 680

Re: pcc load balance and statics routes

Do you use winbox? just select (click and hold) and drag to above the other rule.
by sebastia
Mon Jan 15, 2018 5:20 pm
Forum: General
Topic: QoS on Openvpn Interface not working
Replies: 5
Views: 702

Re: QoS on Openvpn Interface not working

You could indeed setup a tree on the ovpn interface, but remember that this is a virtual interface, and that it will encapsulate every packet into another. This encapsulation doesn't carry over the initial markings. So when the traffic is leaving real interface, you have no way to determine what tra...
by sebastia
Sun Jan 14, 2018 7:41 pm
Forum: Beginner Basics
Topic: How to block SSH attackers after 3 bad logins?
Replies: 16
Views: 3106

Re: How to block SSH attackers after 3 bad logins?

Hi

"1/1m,1,dst-address/1m" -> config for dst-limit matcher, have a look at https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter.

It will not work for ssh, as its traffic is encrypted. You could do it on the machine itself, plugging into pam.
by sebastia
Sun Jan 14, 2018 2:51 pm
Forum: Beginner Basics
Topic: Rb450G on an hAP ac, weird problems [SOLVED]
Replies: 4
Views: 560

Re: Rb450G on an hAP ac, weird problems [SOLVED]

Hi

Sounds like a hardware issue... Just wondering if it's a power issue. Have you tried with different power supply for 450G?
by sebastia
Sun Jan 14, 2018 1:58 pm
Forum: Beginner Basics
Topic: 4 WAN + 3 LAN Upload Queue Issues
Replies: 2
Views: 235

Re: 4 WAN + 3 LAN Upload Queue Issues

Hi

"During the setup I am trying to limit the upload to one of the LAN connections to 8M..." With queuing only the egress traffic (leaving RB) can be controlled. So:
data leaving WAN interface is upload
data leaving LAN interface is download
As I see it your queue naming is reversed: "download-wan-1...
by sebastia
Sun Jan 14, 2018 2:37 am
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7590

Re: Script implementing Active Congestion Control

It's bypassed for non-0 only, so 0 will still get fasttracked. and that's OK -> bulk will be fast but not marked => so mark="no-mark"

So you can limit the rate on upload now? and pings are consistent?
by sebastia
Sun Jan 14, 2018 2:22 am
Forum: Scripting
Topic: Portknock scripting
Replies: 6
Views: 1312

Re: Portknock scripting

thx for sharing!
by sebastia
Sun Jan 14, 2018 2:03 am
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7590

Re: Script implementing Active Congestion Control

Aha!

So your upload traffic is not properly classified and bypasses the queue!

Do you have fasttrack for bulk?

Add "no-mark" to the 0 dscp and try again
add comment=dscp_0 name="Routine (pppoe-out1) (Pri: 8)" packet-mark=dscp_0 \
parent="8. Routine (pppoe-out1)" queue=ethernet-default
by sebastia
Sun Jan 14, 2018 1:34 am
Forum: General
Topic: Src-Nat based on website visited
Replies: 1
Views: 260

Re: Src-Nat based on website visited

One option:
* mark connections to BoA with a connection-mark. You could match on ip's defined in BoA address list
* define additional nat rule with condition the above mark, preceding the default nat rule (which you already have)
Update: put that before your other rule
/ip firewall nat
add action=sr...
by sebastia
Sun Jan 14, 2018 1:10 am
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7590

Re: Script implementing Active Congestion Control

which part? You mentioned "Are just a step away from the solution.... :lol::lol::lol: but the latency is always very high, both up and down!!" What I was saying: I think that your upload limit is TOO high, which means that data is being buffered in ISP modem, which increases the latency. Reduce it t...
by sebastia
Sun Jan 14, 2018 1:04 am
Forum: Beginner Basics
Topic: Assigning devices with IP addresses from different subnets.
Replies: 7
Views: 939

Re: Assigning devices with IP addresses from different subnets.

Hi

I think you should be able to do everything with vlans, assuming support from devices.
- Personal Computers (IP Address within 192.168.0.0/24) -> trunk on eth2, 3 & 5
- Wireless Clients (IP Address within 192.168.1.0/24) -> trunk on eth4 only, main SSID bridged with trunk
- Wireless Non-Moving C...
by sebastia
Sun Jan 14, 2018 12:35 am
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7590

Re: Script implementing Active Congestion Control

If your pings are put in right queue (63: check it with counters: note number, run 10 ping, note number -> should be +10 more or less) and you're still getting high latency, then that means you get into buffering: either on upload or download. On upload: you can verify when you queue by doing iterat...
by sebastia
Fri Jan 12, 2018 6:54 pm
Forum: General
Topic: VoIP/SIP problem with Siemens Gigaset
Replies: 3
Views: 733

Re: VoIP/SIP problem with Siemens Gigaset

Correction: Just "Torch-ed" it, and it is INDEED setting 46 dscp flag.
by sebastia
Fri Jan 12, 2018 6:19 pm
Forum: Scripting
Topic: Access date in UTC from script
Replies: 2
Views: 434

Re: Access date in UTC from script

How about:
:put ([/system clock get time] - [/system clock get gmt-offset ])

Regarding scheduler, it's local time based. You could setup your router with UTC time as a work-around...
by sebastia
Fri Jan 12, 2018 5:58 pm
Forum: General
Topic: Package [SOLVED]
Replies: 8
Views: 714

Re: Package [SOLVED]

Hi

You need to put the packages of same version (not sure if other version would work) in the root directory of your router ("/") and then restart the router.

The software can be had here: https://mikrotik.com/download
by sebastia
Fri Jan 12, 2018 5:40 pm
Forum: General
Topic: VoIP/SIP problem with Siemens Gigaset
Replies: 3
Views: 733

Re: VoIP/SIP problem with Siemens Gigaset

Hi

I've 470IP behind a nat firewall, and it's working fine. The only config in place is prioritising its traffic on out/in bound interfaces. And that through connection & packet mangling. From my experience, the sip service detection is not working, as it never triggered. So I'm marking based on pho...
by sebastia
Fri Jan 12, 2018 5:03 pm
Forum: Beginner Basics
Topic: upload speed is 25% below download speed
Replies: 4
Views: 995

Re: upload speed is 25% below download speed

Please post your router config, so others can have a look and make suggestions.
by sebastia
Fri Jan 12, 2018 3:03 pm
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7590

Re: Script implementing Active Congestion Control

Rule is being invoked: processed 487 packets. Verify that it gets in right queue. Your queues have counts too...
by sebastia
Fri Jan 12, 2018 12:03 am
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7590

Re: Script implementing Active Congestion Control

"As for uploads, however, the latency is always very high as you can solve it?" wrt ping check, just make sure that ICMP traffic gets high prio and its packets are mangled / marked to go into right priority queue
/ip firewall mangle
add action=mark-packet chain=postrouting protocol=icmp new-packet-...
by sebastia
Thu Jan 11, 2018 10:24 pm
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7590

Re: Script implementing Active Congestion Control

I'm looking into the issue with file deletion...

Update: fixed.
by sebastia
Thu Jan 11, 2018 5:23 pm
Forum: General
Topic: Simple question - bridges
Replies: 7
Views: 458

Re: Simple question - bridges

Regarding "And now came the question, how can i make the 30.X see the 31.X network."
Allow in forward:
* traffic from 30 -> 31
* traffic from 31 -> 30 which is related and established ONLY. So no new connections allowed.
* (optional) to ensure 31 can't learn of 30's ip, srcnat traffic from 30 to 31,...
by sebastia
Thu Jan 11, 2018 5:19 pm
Forum: General
Topic: Simple question - bridges
Replies: 7
Views: 458

Re: Simple question - bridges

Bridge addresses are local to RB, and traffic to them is bypassing forward firewall rules, as it's being directed to RB itself during routing, which is after prerouting but before forward.
by sebastia
Wed Jan 10, 2018 2:10 pm
Forum: General
Topic: Simple question - bridges
Replies: 7
Views: 458

Re: Simple question - bridges

"i can ping from 192.168.30.X to 192.168.31.X and vice versa" You can ping because your router routes traffic for network 30 from network 31 and vice versa. These (default) routes are defined under /ip route and are result of "connected networks". If you don't want them to reach each other you need ...
by sebastia
Wed Jan 10, 2018 1:42 pm
Forum: Beginner Basics
Topic: split bandwidth for Dedicated and shared internet RB3011
Replies: 7
Views: 720

Re: split bandwidth for Dedicated and shared internet RB3011

It would help to list what you've got already, so any missing pieces could be added. Would you mind listing (relevant) config?
by sebastia
Wed Jan 10, 2018 3:34 am
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7590

Re: Script implementing Active Congestion Control

Your (maxRt - minRt)/10 is <1 and gets translated to 0, 10 being the current fixed number of steps in script -> suggest you adjust your limits to 20-30 OR 24-30 and change
:local rateStep (($maxRt-$minRt)/10)
to
:local rateStep (($maxRt-$minRt)/5)
But basically if you limit the range from 28 to 31 o...
by sebastia
Tue Jan 09, 2018 12:43 am
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7590

Re: Script implementing Active Congestion Control

"In queue tree I added to the bottom as per your schema, but the parameters as Priority as they are to be compiled.?" -> don't replicate my schema, you would need my mangling too... Maybe best go for the easy solution below. "I have a minRt of 28M and a maxRt of 31M and the script marks an error." -...
by sebastia
Tue Jan 09, 2018 12:09 am
Forum: Scripting
Topic: OVH.com Dynamic DNS Service update script
Replies: 8
Views: 2431

Re: OVH.com Dynamic DNS Service update script

Correct, and you could clean up your environment (/system/scripts/environment) of these variables.
by sebastia
Sat Jan 06, 2018 10:21 pm
Forum: RouterBOARD hardware
Topic: Hardware suggestion for 4 WAN
Replies: 2
Views: 355

Re: Hardware suggestion for 4 WAN

Hi

As you'll have 4 uplinks and at least 1 down link, you need something with at least 5 isolated ports.
Bandwidth wise you're not too high for RB750Gr3.
But if you need more ports, have a look at 2011 or 3011.
by sebastia
Sat Jan 06, 2018 10:07 pm
Forum: Scripting
Topic: OVH.com Dynamic DNS Service update script
Replies: 8
Views: 2431

Re: OVH.com Dynamic DNS Service update script

Some constructive criticism: all these :global could be changed to :local. There is no need to store "state" between runs.
by sebastia
Sat Jan 06, 2018 9:34 pm
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7590

Re: Script implementing Active Congestion Control

In solutions such as "gargoyle-router" a lot of plumbing is done already for you. With Mikrotik, you get much more control and possibilities but it also means doing it yourself and having some knowledge.

Script is here, if you want to give it a try in future.
by sebastia
Sat Jan 06, 2018 3:20 am
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7590

Re: Script implementing Active Congestion Control

About that 30/3, I would suggest to do a speed test on a good day. The numbers reported can then be used as basis for your max upload (on ether1-WAN), download (on ??? ether2-LAN ???) and best case ping latency. Regarding the intfQ: it's the interface facing your LAN, on which there should be a HTB ...
by sebastia
Sat Jan 06, 2018 2:52 am
Forum: Scripting
Topic: script is not running
Replies: 12
Views: 833

Re: script is not running

Any editor will do. It's just text.

Some text editors even have RouterOS syntax highlighting; there is a thread about that.
by sebastia
Fri Jan 05, 2018 7:11 pm
Forum: Scripting
Topic: Script help [SOLVED]
Replies: 3
Views: 380

Re: Script help [SOLVED]

Permissions of script maybe?
by sebastia
Fri Jan 05, 2018 5:52 pm
Forum: General
Topic: How to limit the traffic to 6G on a interface
Replies: 2
Views: 290

Re: How to limit the traffic to 6G on a interface

I've noticed recently some tickets about systems not being able to push that much over a single HTB. It was related to CCR1009 I believe, and its current limitation of 1 cpu tile / 1 HTB queue.

Don't know if it applies to you.
by sebastia
Fri Jan 05, 2018 4:03 pm
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7590

Re: Script implementing Active Congestion Control

0. These functions need to be imported first; suggest you put them in a script and execute that script. Then you can call on them from terminal.
1. For "first time" use, try running from terminal; once confirmed as working, you can schedule it, say every minute or so.
2. I've class-based HTB on the outg...
by sebastia
Fri Jan 05, 2018 3:46 pm
Forum: General
Topic: Check for updates via IPv6
Replies: 3
Views: 351

Re: Check for updates via IPv6

Then it's up to the dual stack impl in RouterOS and possibly application, which stack is preferred. One isn't better than the other; they complement each other from the point of view of connectivity.
by sebastia
Fri Jan 05, 2018 3:36 pm
Forum: Beginner Basics
Topic: Change ip adress of mikrotik within same range
Replies: 4
Views: 460

Re: Change ip adress of mikrotik within same range

If your CRS is just switching, it doesn't even need an ip. You could remove it, and access it by MAC.

If no other services are running on RB, indeed just change the static ip config in /ip/address as you mentioned.

Once that is done, and ip released, change the modem/router.
by sebastia
Fri Jan 05, 2018 3:30 pm
Forum: Beginner Basics
Topic: [SOLVED] Ping problems in LAN with basic Home AP setup
Replies: 9
Views: 1290

Re: Ping problems in LAN with basic Home AP setup

Have you tried printing arp table on the wireless devices? Is there some arp filtering along the way?
by sebastia
Fri Jan 05, 2018 1:33 pm
Forum: Beginner Basics
Topic: [SOLVED] Ping problems in LAN with basic Home AP setup
Replies: 9
Views: 1290

Re: Ping problems in LAN with basic Home AP setup

Sounds like arp issue: mapping from ip to mac address on wireless. Once you ping from wired to wireless, machines remember mac for a while.

Please verify arp is enabled on all interfaces in bridge.
by sebastia
Fri Jan 05, 2018 5:11 am
Forum: General
Topic: Active Congestion Controller (ACC)
Replies: 5
Views: 753

Re: Active Congestion Controller (ACC)

I gave it a try, see viewtopic.php?f=9&t=129294
by sebastia
Fri Jan 05, 2018 5:09 am
Forum: Scripting
Topic: Script implementing Active Congestion Control
Replies: 62
Views: 7590

Script implementing Active Congestion Control

Hi

Updated: to v0.5 (11/01/18)

I've implemented Active Congestion Control, based on the info from https://www.gargoyle-router.com/wiki/doku.php?id=qos . I'm using it for my wan connections.

Usage:
* meant to control buffering at ISP
* needs QoS on upload to be implemented for reliable detection
* w...
by sebastia
Thu Jan 04, 2018 10:45 pm
Forum: Beginner Basics
Topic: Limit Bandwith Wifi
Replies: 4
Views: 3131

Re: Limit Bandwith Wifi

You can limit the bandwidth leaving RB on any of the interfaces, using HTB queues. These limits are for all users together. See https://wiki.mikrotik.com/wiki/Manual:HTB
For download, that's easy: add queue to wireless interface and limit its rate. For upload, you'll be sharing the bandwidth with w...
by sebastia
Thu Jan 04, 2018 10:30 pm
Forum: General
Topic: WAN2 doesnt switch to WAN1 (failover)
Replies: 17
Views: 1668

Re: WAN2 doesnt switch to WAN1 (failover)

Please also add this one, for proper marking of packets leaving the router itself
/ip firewall mangle
add action=mark-routing chain=output dst-address-list=testwan new-routing-mark=testwan \
    passthrough=yes
by sebastia
Thu Jan 04, 2018 10:04 pm
Forum: Beginner Basics
Topic: Port Forward NAT help
Replies: 2
Views: 350

Re: Port Forward NAT help

Hi

You have two options:
1. modify your nat rule to match that ip as source ip. (easiest)
2a. define specific filter rule to block any traffic in forward if source isn't that ip
2b. and place it before the "accept dnatted" rule
by sebastia
Thu Jan 04, 2018 9:53 pm
Forum: Beginner Basics
Topic: Which mode - router or bridge?
Replies: 2
Views: 422

Re: Which mode - router or bridge?

Personally, I would prefer to have the inside box as router, and external as "accessory".
CPU-wise they are identical, although box has more headroom: mem, storage, bandwidth.

But it's working now and you're on wifi, so won't be pushing gigabit speeds anyways. I would say adjust on next big reorg.
by sebastia
Thu Jan 04, 2018 7:56 pm
Forum: General
Topic: WAN2 doesnt switch to WAN1 (failover)
Replies: 17
Views: 1668

Re: WAN2 doesnt switch to WAN1 (failover)

You said the fail-over was working before, hence I've taken your word for it. So now it's clear that netwatch is able to detect lost link, but is unable to do anything about that. Default routes can't be modified or disabled. Create your own then:
0. disable both netwatch configs
1. remove paths for...
by sebastia
Thu Jan 04, 2018 4:50 pm
Forum: General
Topic: WAN2 doesnt switch to WAN1 (failover)
Replies: 17
Views: 1668

Re: WAN2 doesnt switch to WAN1 (failover)

try the command in terminal to verify
by sebastia
Thu Jan 04, 2018 1:16 pm
Forum: General
Topic: Check for updates via IPv6
Replies: 3
Views: 351

Re: Check for updates via IPv6

Depends if the update url even provides an IPv6 ip...
by sebastia
Thu Jan 04, 2018 1:10 pm
Forum: Beginner Basics
Topic: DualWAN-DualLAN-seperated
Replies: 5
Views: 471

Re: DualWAN-DualLAN-seperated

The two wans would still be separate from each other: no switching / bridging.

Load balancing is in routing: https://wiki.mikrotik.com/wiki/Manual:PCC
by sebastia
Thu Jan 04, 2018 11:50 am
Forum: General
Topic: WAN2 doesnt switch to WAN1 (failover)
Replies: 17
Views: 1668

Re: WAN2 doesnt switch to WAN1 (failover)

the <> are just placeholders for you to replace with the right names ;-)

Example
/interface ethernet disable ether1;
by sebastia
Thu Jan 04, 2018 11:41 am
Forum: Beginner Basics
Topic: DualWAN-DualLAN-seperated
Replies: 5
Views: 471

Re: DualWAN-DualLAN-seperated

I should have mentioned that all 4 ports, Wan1, Wan2, Lan1 & Lan2 should be separated from each other. So NO switching or bridging. Only routing for these. With port isolation it doesn't matter who's serving IPs on Lan1, from the point of view of Lan2. Lan2 is independent, and can be served by Mikr...
by sebastia
Thu Jan 04, 2018 1:33 am
Forum: RouterBOARD hardware
Topic: I have to do netinstall after UPDATE
Replies: 2
Views: 406

Re: I have to do netinstall after UPDATE

Hi

Can't you netinstall to latest version?
by sebastia
Thu Jan 04, 2018 1:16 am
Forum: Beginner Basics
Topic: 6.41: When Netinstall just doesn't cut it
Replies: 8
Views: 916

Re: 6.41: When Netinstall just doesn't cut it

Is it a software or hardware issue? Is the port alive? Maybe it decided to die...
by sebastia
Thu Jan 04, 2018 1:08 am
Forum: Scripting
Topic: script is not running
Replies: 12
Views: 833

Re: script is not running

Add some additional log entries in the script, so you'll know where you get to. Something like:
:log info "After ...";
BTW, the script starts with:
:local ch [/interface pppoe-client get value-name=keepalive-timeout $interface]; :if ($ch=60) do={
Is your keepalive-timeout set to 60 seconds? If not se...
by sebastia
Thu Jan 04, 2018 1:04 am
Forum: General
Topic: WAN2 doesnt switch to WAN1 (failover)
Replies: 17
Views: 1668

Re: WAN2 doesnt switch to WAN1 (failover)

I understand your dilemma. The behaviour is caused by route caching, which the vpn connection is refreshing and hence keeping in cache. What you could try as a bit more drastic approach: recycle the isp2 interface when isp1 comes up. That should force route cache flush. /tool netwatch add comment=Pr...
by sebastia
Wed Jan 03, 2018 11:39 pm
Forum: RouterBOARD hardware
Topic: router board model
Replies: 8
Views: 699

Re: router board model

> So this decision should not be made for others.

We are in agreement on that one.
by sebastia
Wed Jan 03, 2018 10:34 pm
Forum: RouterBOARD hardware
Topic: router board model
Replies: 8
Views: 699

Re: router board model

That is what I mean! A new router that is cheap and fast. By the time you need more speed there would probably be a RB3011r2 or CCR1009r2 and you regret having spent that amount now, instead of less in 2 years (and getting a faster router). Please... hardware cost is peanuts... Even for CCR1009 that...
by sebastia
Wed Jan 03, 2018 10:13 pm
Forum: Beginner Basics
Topic: 6.41: When Netinstall just doesn't cut it
Replies: 8
Views: 916

Re: 6.41: When Netinstall just doesn't cut it

Hi

Have you tried factory restore? System>Reset configuration
Then you can apply your backup (if for same version) or export settings.
by sebastia
Wed Jan 03, 2018 10:06 pm
Forum: General
Topic: WAN2 doesnt switch to WAN1 (failover)
Replies: 17
Views: 1668

Re: WAN2 doesnt switch to WAN1 (failover)

If you want reliable connection, don't force switch-over. New connections will go over primary when it becomes available; existing will continue as is, until they close.
by sebastia
Wed Jan 03, 2018 9:58 pm
Forum: General
Topic: WAN IP reuse?
Replies: 8
Views: 582

Re: WAN IP reuse?

You know very well what your requirements are and the desired setup.
I'm interested to hear what the final solution is ;-).
by sebastia
Wed Jan 03, 2018 7:23 pm
Forum: General
Topic: WAN2 doesnt switch to WAN1 (failover)
Replies: 17
Views: 1668

Re: WAN2 doesnt switch to WAN1 (failover)

Your points:
1. that's for later, the switch over, let's get routing & detection right first
2. so the detection is not working correctly, as 8.8.8.8 gets routed over ISP2 => needs to be fixed
3. for later ;-)
So to get routing right:
# Fixed route definition
/ip route add distance=2 routing-mark=tes...
by sebastia
Wed Jan 03, 2018 6:38 pm
Forum: Beginner Basics
Topic: DualWAN-DualLAN-seperated
Replies: 5
Views: 471

Re: DualWAN-DualLAN-seperated

So if I understand right:
Wan1 is primary, but fails over to Wan2 => ensure that Wan1 distance is lower than Wan2 ex: /ip route add ... distance=10 & =20 ...
=> define route for Wan1 with ping check so it will be disabled when unavailable /ip route add ... check-gateway=ping ...
Lan1 is "internal", ...
by sebastia
Wed Jan 03, 2018 6:21 pm
Forum: General
Topic: Active Congestion Controller (ACC)
Replies: 5
Views: 753

Re: Active Congestion Controller (ACC)

I would be interested in the answer as well, as it applies to any dynamic bandwidth connection (ex: wireless, mobile data, ...). Basically, how can the limits for QoS be adjusted so that buffering doesn't occur?
by sebastia
Wed Jan 03, 2018 4:21 pm
Forum: Beginner Basics
Topic: Service port filtering for just one interface
Replies: 4
Views: 414

Re: Service port filtering for just one interface

A slave port is switched in hardware, and sees any and all traffic (filtered by mac) the master port sees. It (usually) cannot be filtered. (some switch chips allow for advanced rules definition)

If you want to filter, bridge it and then apply your filter on that bridge.
by sebastia
Wed Jan 03, 2018 12:50 pm
Forum: General
Topic: WAN2 doesnt switch to WAN1 (failover)
Replies: 17
Views: 1668

Re: WAN2 doesnt switch to WAN1 (failover)

Basis of your netwatch functionality are the selective forwards for 8.8.... IPs. These need to work first. 8.8.8.8 has to always go over isp1, .4.4 over isp2, independent of whether the link is up or not => if not up it needs to fail. Do you get that behaviour? ISP up => ping ok, ISP down => pin...
by sebastia
Wed Jan 03, 2018 12:42 pm
Forum: General
Topic: WAN IP reuse?
Replies: 8
Views: 582

Re: WAN IP reuse?

Have you considered running RB1 as a filtering bridge: bridge ipv4 but route ipv6, so local ipv6 addresses only on RB1? Would need to be worked out further but is what you are looking for, I think.
PS: had a further thought, this could work. Your topology: INTERNET <-> RB1 <-> DMZ <-> RB2
RB1: create...
by sebastia
Wed Jan 03, 2018 4:13 am
Forum: General
Topic: WAN2 doesnt switch to WAN1 (failover)
Replies: 17
Views: 1668

Re: WAN2 doesnt switch to WAN1 (failover)

Did you copy the lines for routing from somewhere? They don't match together... Some clean-up is suggested.
1. VPN client has its own routing, hence it will not fail-over with the netwatch config. add distance=1 gateway=VPN_Client routing-mark=vpn
2. VPN backup is using different mark. Why is tha...
by sebastia
Wed Jan 03, 2018 2:23 am
Forum: General
Topic: WAN IP reuse?
Replies: 8
Views: 582

Re: WAN IP reuse?

I agree on the disadvantages, but disagree on the advantages: security is same as with ONE firewall as RB2 is directly exposed. And there is no double natting, everything is passed on, first RB is bypassed, so no double obscurity either... Conceptually what you end up with is: internet ------- RB --...
by sebastia
Wed Jan 03, 2018 1:58 am
Forum: General
Topic: WAN2 doesnt switch to WAN1 (failover)
Replies: 17
Views: 1668

Re: WAN2 doesnt switch to WAN1 (failover)

:delay 1 = sleep for 1 second
What you're seeing now is side-effect of disabling "Providerd 2" route. Netwatch will think the link is lost and will also start suspending the routes... disable netwatch for Provider2 in the meantime:
/tool netwatch add comment=Provider1 host=8.8.8.8 down-script="/ip route...
by sebastia
Wed Jan 03, 2018 1:06 am
Forum: General
Topic: WAN2 doesnt switch to WAN1 (failover)
Replies: 17
Views: 1668

Re: WAN2 doesnt switch to WAN1 (failover)

The commands are already in the script above ;-)
/tool netwatch add comment=Provider1 host=8.8.8.8 down-script="/ip route set [find distance=10] disabled=yes" up-script="/ip route set [find distance=10] disabled=no; /ip route set [find distance=11] disabled=yes; :delay 1;/ip route set [find distanc...
by sebastia
Wed Jan 03, 2018 1:03 am
Forum: Scripting
Topic: script is not running
Replies: 12
Views: 833

Re: script is not running

A bit more details? any output / errors / ... ?
by sebastia
Wed Jan 03, 2018 12:29 am
Forum: General
Topic: WAN2 doesnt switch to WAN1 (failover)
Replies: 17
Views: 1668

Re: WAN2 doesnt switch to WAN1 (failover)

Hi

How about recycling (down + up) the fallback route when your primary is up? This would invalidate existing ones too, forcing switch to primary.
by sebastia
Wed Jan 03, 2018 12:11 am
Forum: Beginner Basics
Topic: Service port filtering for just one interface
Replies: 4
Views: 414

Re: Service port filtering for just one interface

Sure

/ip firewall filter add chain=input protocol=udp port=67,68 in-interface=ether5 action=drop

drop protocol udp, ports 67,68, coming into router on interface ether5.
by sebastia
Wed Jan 03, 2018 12:06 am
Forum: Beginner Basics
Topic: How to debug a script ?
Replies: 6
Views: 2455

Re: How to debug a script ?

Sure
:local msg "world!"
:log info "Hello $msg"
by sebastia
Wed Jan 03, 2018 12:02 am
Forum: Beginner Basics
Topic: call a function localized in a script
Replies: 1
Views: 198

Re: call a function localized in a script

Hi

You need to load / execute the first script first to introduce these functions.
I would suggest to run the first script on startup.

Then you can call on them from shell or other scripts with
$<function> <function params>
by sebastia
Tue Jan 02, 2018 11:05 pm
Forum: Beginner Basics
Topic: Port Forwarding Has Stopped Working
Replies: 3
Views: 578

Re: Port Forwarding Has Stopped Working

Hi

On the far right of the first screen-shot you have "Packets" column. Does the count increase when you try to connect to these services? If yes:
1. connections are coming in
2. connections are being remapped
Question:
1. do they pass firewall? -> verify counts on firewall? you could make explicit ru...
by sebastia
Tue Jan 02, 2018 10:56 pm
Forum: RouterBOARD hardware
Topic: router board model
Replies: 8
Views: 699

Re: router board model

With the ever increasing internet speeds, and uncertain load patterns, a slight "overkill" is advised.
by sebastia
Tue Jan 02, 2018 10:53 pm
Forum: RouterBOARD hardware
Topic: 750G r3 & 960PGS does not connect to gigabit speeds..
Replies: 6
Views: 735

Re: 750G r3 & 960PGS does not connect to gigabit speeds..

Gigabit ethernet uses all 4 pairs of RJ45, while fast ethernet only 2 pairs. GE requires special POE injectors: https://mikrotik.com/product/RBGPOE.
Might be that your injectors hijack 1 or 2 pairs rendering your cable only FE capable?
by sebastia
Tue Jan 02, 2018 2:01 am
Forum: Beginner Basics
Topic: Help with IPV6 on RB750
Replies: 2
Views: 432

Re: Help with IPV6 on RB750

Is your ISP supporting IPv6?
If yes, you could ask for >64 range of ips for internal allocation to all subnets.
If no, you could go for IPv6 over IPv4.
by sebastia
Tue Jan 02, 2018 1:44 am
Forum: General
Topic: WAN IP reuse?
Replies: 8
Views: 582

Re: WAN IP reuse?

The point of double firewall is improved isolation of internal network. But this setup negates the advantage of second router/firewall, as the RB2 is exposed (external ip) to the internet, for all intents and purposes, bypassing RB1. Just wondering, what do you gain of this extra router in pass-...
by sebastia
Tue Jan 02, 2018 1:06 am
Forum: General
Topic: Vlan trunk [SOLVED]
Replies: 7
Views: 952

Re: Vlan trunk [SOLVED]

Thx for info
by sebastia
Tue Jan 02, 2018 12:27 am
Forum: Beginner Basics
Topic: LAN Connection Issues - no route to host [SOLVED]
Replies: 3
Views: 6386

Re: LAN Connection Issues - no route to host [SOLVED]

Hi, some things to check:
* is your ether1 in WAN interface list? that's for masquerade to work
* there is apparently no accept for forward from lan to ether1. Only accept for established and related, but nothing to actually create these. Currently only ipsec is allowed in forward.
* is ip forwardin...
by sebastia
Mon Jan 01, 2018 11:49 pm
Forum: Beginner Basics
Topic: No internet access
Replies: 4
Views: 2224

Re: No internet access

Happy it's working for you.

As a side note, in the past I've had cases with cable modems that would remember the mac of bound interface and would reject any other traffic. Hence, if you tried with laptop, it could have remembered it, and rejected RB. Resetting modem solved it for me in the past.
by sebastia
Sun Dec 31, 2017 5:31 pm
Forum: General
Topic: Queue Tree / PCQ on CCR72
Replies: 5
Views: 1170

Re: Queue Tree / PCQ on CCR72

Just tried and it's allowed. So that might be another option, to spread the load.

BUT, I'm not sure how packets would be assigned to the relevant HTB... To the subqueues, that's clear, based on marks.
by sebastia
Sun Dec 31, 2017 5:17 pm
Forum: Beginner Basics
Topic: Got new Mikrotik/How to restore backup
Replies: 5
Views: 487

Re: Got new Mikrotik/How to restore backup

Please don't confuse export & backup. These are two different formats.
Export: a script (text based) to recreate current config, through commands executions
Backup: a binary extract of current state, linked to current hardware platform
Export: could be used on different hardware
Backup: may generate...
by sebastia
Sun Dec 31, 2017 5:13 pm
Forum: Beginner Basics
Topic: Port Forwarding Has Stopped Working
Replies: 3
Views: 578

Re: Port Forwarding Has Stopped Working

Is your main pc using dhcp for automatic ip configuration? Could it be that it has a different ip now and the forward is happening to wrong ip?
by sebastia
Sun Dec 31, 2017 5:06 pm
Forum: Beginner Basics
Topic: How to Read Router backup File (.backup)
Replies: 5
Views: 21196

Re: How to Read Router backup File (.backup)

The backup is binary and encrypted, to be used as a restore on same type of hardware. For migrations, better save export and use that.
by sebastia
Sun Dec 31, 2017 5:04 pm
Forum: Beginner Basics
Topic: accept vs return in mangle
Replies: 2
Views: 575

Re: accept vs return in mangle

I'm guessing that as there is no further rule to "reject" the packet, it will perform default "accept".
by sebastia
Sun Dec 31, 2017 4:59 pm
Forum: Beginner Basics
Topic: How to debug a script ?
Replies: 6
Views: 2455

Re: How to debug a script ?

Hi

You'll need to add some logging code into your script, example:

:log info "Hello world!"
by sebastia
Sun Dec 31, 2017 4:51 pm
Forum: Beginner Basics
Topic: No internet access
Replies: 4
Views: 2224

Re: No internet access

I'm not familiar with specifics of 2011, but ... in default configuration one port should be internet uplink, usually ether1. When you login on WinBox you'll be able to identify it by dhcp client being configured for it, under /ip/dhcp client. DHCP In Home AP, there will be standard masquerade setup ...
by sebastia
Sun Dec 31, 2017 4:43 pm
Forum: Beginner Basics
Topic: OpenVPN certificate [SOLVED]
Replies: 1
Views: 303

Re: OpenVPN certificate [SOLVED]

If just for personal use, any method will do as long as you're comfortable with it.
by sebastia
Sun Dec 31, 2017 4:36 pm
Forum: Scripting
Topic: Portknock scripting
Replies: 6
Views: 1312

Re: Portknock scripting

Why do you want to almost listen for a port knock?

I have implemented port knocking successfully and love it!

It is all done in the firewall rules, no scripts...
Would you care to share the details so others could benefit/learn?
by sebastia
Sun Dec 31, 2017 2:48 am
Forum: General
Topic: Queue tree and Torch oddities
Replies: 2
Views: 322

Re: Queue tree and Torch oddities

With FastTrack connection Total queues are not processed, and hence bypassed.
Enabling Torch disables FastTrack, and re-enables global queues.

Do you have FastTrack enabled?
by sebastia
Sun Dec 31, 2017 2:00 am
Forum: General
Topic: Vlan trunk [SOLVED]
Replies: 7
Views: 952

Re: Vlan trunk [SOLVED]

Out of curiosity, with which tool did you create that schema?
by sebastia
Sun Dec 31, 2017 1:53 am
Forum: General
Topic: Dual WAN configured now I cant route VPN
Replies: 1
Views: 289

Re: Dual WAN configured now I cant route VPN

Your topology is not clear. Perhaps if you explain a bit better someone would be able to help.
by sebastia
Sun Dec 31, 2017 12:29 am
Forum: General
Topic: Queue Tree / PCQ on CCR72
Replies: 5
Views: 1170

Re: Queue Tree / PCQ on CCR72

Since HTB is linked to a single core, the more interfaces the more cores can be used.

so 1 HTB per physical interface (sfp)
so 1 HTB per vlan

Have you considered SFQ instead of PCQ? These need less resources.
by sebastia
Sun Dec 31, 2017 12:09 am
Forum: General
Topic: Load balacing on layer 2 with failover
Replies: 1
Views: 190

Re: Load balacing on layer 2 with failover

If those two links are on SAME tower, then forget fail-over: both will fail simultaneously.

You can load-balance, but it will be on Layer3. Look in forum, there are numerous examples.
by sebastia
Sun Dec 31, 2017 12:03 am
Forum: General
Topic: Dual Stack PCQ?
Replies: 4
Views: 837

Re: Dual Stack PCQ?

A thought: with queue tree and synced (v4 & v6) packet marking...

PS: v6 needs to be native, as when encapsulated, marking is lost
by sebastia
Sat Dec 30, 2017 11:58 pm
Forum: General
Topic: How to disconnect active SSH or Winbox or TCP session
Replies: 7
Views: 2547

Re: How to disconnect active SSH or Winbox or TCP session

variation on the blackhole -> firewall ip on input/output chain
by sebastia
Sat Dec 30, 2017 10:55 pm
Forum: Scripting
Topic: How to obtain the list of route marks programmatically [SOLVED]
Replies: 2
Views: 371

Re: How to obtain the list of route marks programmatically [SOLVED]

Have a look at this post: using some of these commands you could build an array with all marks: viewtopic.php?f=9&t=53157&p=374555#p270583
by sebastia
Sat Dec 30, 2017 5:30 pm
Forum: Scripting
Topic: Elavluating dynamic commands [SOLVED]
Replies: 2
Views: 249

Re: Elavluating dynamic commands [SOLVED]

Eureka ;) define global variable...
[Admin@firewall] > :global extipWan2 "a.b.c.d"
[Admin@firewall] > :return $extipWan2
a.b.c.d
[Admin@firewall] > {:local label "Wan2"; :local wanip "unset"; :local cmd ":global extip$label; :return \$extip$label"; :put $cmd; :local getip [:parse $cmd ]; :put $geti...
by sebastia
Sat Dec 30, 2017 5:24 pm
Forum: Scripting
Topic: Elavluating dynamic commands [SOLVED]
Replies: 2
Views: 249

Re: Elavluating dynamic commands [SOLVED]

I've slightly modified the command to:
[Admin@firewall] > :global extipWan2 "a.b.c.d"
[Admin@firewall] > :return $extipWan2
a.b.c.d
[Admin@firewall] > {:local label "Wan2"; :local wanip "unset"; :local cmd ":return \$extip$label"; :put $cmd; :local getip [:parse $cmd ]; :put $getip; :set $wanip [$g...
by sebastia
Sat Dec 30, 2017 4:50 pm
Forum: Scripting
Topic: Force DDNS update out WAN1
Replies: 10
Views: 1966

Re: Force DDNS update out WAN1

Since you specify the new address in the call, it shouldn't matter from which ip the update is coming:

/tool dns-update name=$host address=$currentIP key-name=$user key=$pass

I've tried that recently with changeip, and it happily updated to the passed ip, independent of the connecting ip.
by sebastia
Sat Dec 30, 2017 4:26 pm
Forum: Scripting
Topic: script is not running
Replies: 12
Views: 833

Re: script is not running

On-down without serial check: :local ch [/interface pppoe-client get value-name=keepalive-timeout $interface]; :if ($ch=60) do={ :local int ( "0x". [:pick $interface ([find $interface "*"]+1) [:len $interface]]) :local sec [:pick [/system clock get time] 6 8]; :local rr2 ("3","4","5","1","2","3","2"...