Community discussions

Search found 1795 matches

by sebastia
Mon Feb 25, 2019 10:38 pm
Forum: Wireless Networking
Topic: Great news: Terragraph
Replies: 12
Views: 2009

Re: Great news: Terragraph

It's available for a while already. And it's not competition, given the limited range. More like "last mile" solution.
by sebastia
Mon Feb 25, 2019 11:34 am
Forum: General
Topic: Access through 2nd ISP for port [SOLVED]
Replies: 7
Views: 833

Re: Access through 2nd ISP for port [SOLVED]

Please post your config: "/export hide-sensitive compact"
by sebastia
Mon Feb 25, 2019 12:23 am
Forum: General
Topic: Access through 2nd ISP for port [SOLVED]
Replies: 7
Views: 833

Re: Access through 2nd ISP for port [SOLVED]

I'm not sure if using interface=<ethx> would work in this case as these are grouped into bridge...

Cleanest solution would be to isolate ether5 (not part of bridge) to own subnet, and forward only to uplink as given in my previous post.
by sebastia
Sun Feb 24, 2019 10:26 pm
Forum: Beginner Basics
Topic: RB 3011 Gb/s Throughput problem with bandwidth test
Replies: 2
Views: 318

Re: RB 3011 Gb/s Throughput problem with bandwidth test

problem is that the bandwidth test generator is single threaded at this time and can't create enough throughput. It is the recommendation of MT to not test on the infra itself but THROUGH the component, so no _additional_ load.

And you confirmed this as ac2->3011->ac2 can sustain 1gb.
by sebastia
Sun Feb 24, 2019 10:22 pm
Forum: General
Topic: Access through 2nd ISP for port [SOLVED]
Replies: 7
Views: 833

Re: Access through 2nd ISP for port [SOLVED]

Hey, easiest would be to define a default routing rule for traffic from eth5 to pppoe2.

/ip route add gateway=<pppoe2 gateway> routing-mark=pppoe2
/ip route rule add action=lookup-only-in-table src-address=<range> table=pppoe2
by sebastia
Sun Feb 24, 2019 2:45 pm
Forum: General
Topic: Need some help...hex setup [SOLVED]
Replies: 7
Views: 946

Re: Need some help...hex setup [SOLVED]

Hey tough luck...

Not the whole config but pointers, some todo's left for you:
* bridge bridge1 with eth2-5, should be default config
* assign vlans, see https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#VLAN_Example_.231_.28Trunk_and_Access_Ports.29
eth2 & 3: trunk: all vlans should be tagged ...
by sebastia
Sun Feb 24, 2019 2:03 pm
Forum: General
Topic: How do I enable my network for IPv6
Replies: 5
Views: 513

Re: How do I enable my network for IPv6

Thank you for the reply. Would I need to change my network topology for ipv6 to work? Will it work over the current pppoe setup? Could you link me to some good resources to understand this better? It can be deployed on current topology, no problem. You'll need to enable some additional functionalit...
by sebastia
Sat Feb 23, 2019 11:28 pm
Forum: General
Topic: Streaming issue on indirectly connected accesspoints
Replies: 4
Views: 286

Re: Streaming issue on indirectly connected accesspoints

I really don't know what you mean by that. Both the MikroTik as the connected unmanaged switch are gigabit switches so implying that bandwidth could be an issue makes no sense to me. Can you elaborate on this? that's good to know. And where in your previous post did you mention that exactly? Further...
by sebastia
Sat Feb 23, 2019 11:00 pm
Forum: General
Topic: Advanced VLAN setup HAP AC RouterOS
Replies: 9
Views: 806

Re: Advanced VLAN setup HAP AC RouterOS

So it would be better to do it this way? Eth1: Vlan 1, 2, 3, 4, 5 Tagged Eth2: Vlan1 - Untagged Vlan 2, 3, 4, 5 Tagged Eth3: Vlan1 - Untagged Vlan 3, 4, 5 Tagged Eth4: Vlan2 - Untagged Vlan 4 Tagged Eth5: Vlan1 - Untagged SFP: Routed WAN backup interface (not included in this question - no VLAN) US...
by sebastia
Sat Feb 23, 2019 10:51 pm
Forum: General
Topic: Advanced VLAN setup HAP AC RouterOS
Replies: 9
Views: 806

Re: Advanced VLAN setup HAP AC RouterOS

As of 6.41+ this advice is irrelevant and dated. Please use the bridge with automatic hardware offload. If you read his link in depth you'll see MikroTik suggest the same thing. The software in the device will toggle the hardware features on and off as needed or as is capable for your device. This ...
by sebastia
Sat Feb 23, 2019 9:19 pm
Forum: General
Topic: Streaming issue on indirectly connected accesspoints
Replies: 4
Views: 286

Re: Streaming issue on indirectly connected accesspoints

bandwidth limits imposed by connection/switch/port?
by sebastia
Sat Feb 23, 2019 9:17 pm
Forum: General
Topic: Hotspot - do not bypass dns router role how ?
Replies: 5
Views: 481

Re: Hotspot - do not bypass dns router role how ?

I've understood that hotspot applies its own set of nat rules to control access, which usually (=default) get added in front and hence will take effect before existing rules. But whatever nat is applied, you can control what passes the router: just block any other dns traffic in "/ip firewall filte...
by sebastia
Sat Feb 23, 2019 9:08 pm
Forum: Beginner Basics
Topic: hapac2 low performance when copying files between vlan [SOLVED]
Replies: 7
Views: 702

Re: hapac2 low performance when copying files between vlan [SOLVED]

sure it is: https://mikrotik.com/product/hap_ac2#fndtn-testresults

furthermore, "add action=fasttrack-connection chain=forward connection-state=established,related". nuff said
by sebastia
Sat Feb 23, 2019 9:01 pm
Forum: General
Topic: Advanced VLAN setup HAP AC RouterOS
Replies: 9
Views: 806

Re: Advanced VLAN setup HAP AC RouterOS

Might be challenging for bridging. Further, your Tik might be a bit too short for the routing duties: it's only a single core, but MT rates it at 950mbps with full frames so might just work. But you'll need to use switch vlan filtering functionality, not the one of bridge. Examples are here https://...
by sebastia
Sat Feb 23, 2019 4:10 pm
Forum: Beginner Basics
Topic: hapac2 low performance when copying files between vlan [SOLVED]
Replies: 7
Views: 702

Re: hapac2 low performance when copying files between vlan [SOLVED]

You'll need to replicate the "/interface bridge port" config using switch functionality, see examples https://wiki.mikrotik.com/wiki/Manual:S ... s_Ports.29
by sebastia
Sat Feb 23, 2019 12:56 pm
Forum: RouterBOARD hardware
Topic: RB962UiGS-5HacT2HnT
Replies: 4
Views: 549

Re: RB962UiGS-5HacT2HnT

Since you're new we should be welcoming you ;-)

Your issue is the user manager, it's a sizeable package and it eats up your free disk space. Host it on another platform if you wish to use it. Your RB962 is not meant for that with only 16mb of storage.
by sebastia
Sat Feb 23, 2019 12:45 pm
Forum: General
Topic: How do I enable my network for IPv6
Replies: 5
Views: 513

Re: How do I enable my network for IPv6

Hey You only have link-local addresses (fe80:...), these can be used for addressing within a subnet, but not across. You'll need to get at least /56 address so that you could distribute a /64 to each CPE. You might be able to get it from your uplink provider. Best to arrange for a fixed range, if po...
by sebastia
Sat Feb 23, 2019 12:35 pm
Forum: Beginner Basics
Topic: hapac2 low performance when copying files between vlan [SOLVED]
Replies: 7
Views: 702

Re: hapac2 low performance when copying files between vlan [SOLVED]

Hey

Note: next time use "code" tags.

The issue is that bridge level filtering is in hardware only on CRS3xx. On your platform, you can do it hardware only through switch menu.
/interface bridge
add name=bridge vlan-filtering=yes
by sebastia
Sat Feb 23, 2019 6:03 am
Forum: General
Topic: CRS106-1c-5s Throughput
Replies: 3
Views: 552

Re: CRS106-1c-5s Throughput

Having a usual bridge, the packet forwarding will be off-loaded to the switch. Only when you enable functions not supported by bridge for offloading in hardware, will the switching be done in software.
by sebastia
Fri Feb 22, 2019 1:24 am
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 6302

Re: Security issue when Winbox exposed

Software with fixed bug is better than software without fixed bug, you can't say that it's not an improvement, that description is 100% true. And MikroTik's approach to releasing details is well-thought strategy, carefully crafted to avoid both spreading unnecessary panic among users and tipping of...
by sebastia
Fri Feb 22, 2019 1:14 am
Forum: Beginner Basics
Topic: Block ethernet interface to VLAN - Bridge?
Replies: 2
Views: 252

Re: Block ethernet interface to VLAN - Bridge?

Hey

Think of vlan as just another subnet / independent port of the router. Then your problem becomes "just" a routing / forwarding control issue.
You can solve / control it in firewall filter table or by using specific routing table. What kind of control do you search for?
by sebastia
Thu Feb 21, 2019 8:18 pm
Forum: General
Topic: Security issue when Winbox exposed
Replies: 68
Views: 6302

Re: Security issue when Winbox exposed

If it's fixed in .12 means you (@Mikrotik) knew about it for a while now. And you didn't warn your customers? What's the point of security blog if you don't use it (last update: 9th Oct, 2018)?

REALLY disappointed
by sebastia
Thu Feb 21, 2019 7:51 pm
Forum: Wireless Networking
Topic: Point 2 Point -2000M Boat Races
Replies: 11
Views: 1112

Re: Point 2 Point -2000M Boat Races

There are some developments wrt to 60GHz: viewtopic.php?f=7&t=133374&p=705390&hil ... ge#p705311
by sebastia
Thu Feb 21, 2019 12:56 pm
Forum: General
Topic: Mikrotik "Internet detect" problem
Replies: 18
Views: 6019

Re: Mikrotik "Internet detect" problem

But what is the goal of this function and how it is used / impacts others is not clarified.

Hence, in effect for me right now: disable.
by sebastia
Thu Feb 21, 2019 12:52 pm
Forum: General
Topic: vlan question
Replies: 6
Views: 627

Re: vlan question

why not?
by sebastia
Wed Feb 20, 2019 10:59 pm
Forum: General
Topic: Problem with DHCP Mikrotik RB962UIGS-5HACT2HNT
Replies: 11
Views: 643

Re: Problem with DHCP Mikrotik RB962UIGS-5HACT2HNT

What is connected to ether1?
My ISP gives the IP address - DHCP.

And i have second ISP with static IP. Static work fine.
Both on same interface?
by sebastia
Wed Feb 20, 2019 10:56 pm
Forum: RouterBOARD hardware
Topic: RBSXTR problem with LTE
Replies: 17
Views: 2263

Re: RBSXTR problem with LTE

hey

what do you mean by "the connection to the Internet is made several times a day"?
by sebastia
Wed Feb 20, 2019 10:54 pm
Forum: General
Topic: Is there any chance for SXT LTE or LHG LTE with 1 Gbps Ethernet?
Replies: 2
Views: 528

Re: Is there any chance for SXT LTE or LHG LTE with 1 Gbps Ethernet?

on sxtlte you could bond ether1 & 2. that would then be just enough for 150 theoretical max.
by sebastia
Wed Feb 20, 2019 10:51 pm
Forum: General
Topic: Load balancing and failover, EoIP, Bond.
Replies: 4
Views: 682

Re: Load balancing and failover, EoIP, Bond.

You shouldn't assign ip's to eoip tunnel (requirement of bonding) and you should use the bonding interface ip for arp check, so .41 & .42.
by sebastia
Wed Feb 20, 2019 9:10 pm
Forum: General
Topic: Issue with on-down in ppp profiles
Replies: 8
Views: 684

Re: Issue with on-down in ppp profiles

why not protect against this: set some :global variable in on-up, and only do the clean-up on on-down if present / set?
by sebastia
Wed Feb 20, 2019 9:02 pm
Forum: General
Topic: Problem with DHCP Mikrotik RB962UIGS-5HACT2HNT
Replies: 11
Views: 643

Re: Problem with DHCP Mikrotik RB962UIGS-5HACT2HNT

What is connected to ether1?
by sebastia
Tue Feb 19, 2019 12:21 am
Forum: Beginner Basics
Topic: Open VPN duplicate packet
Replies: 2
Views: 341

Re: Open VPN duplicate packet

Hey, did you try the search functionality before posting. Just saying, as this exact thing was discussed recently...
by sebastia
Mon Feb 18, 2019 11:02 pm
Forum: Scripting
Topic: Script for auto update of IPv6 DNS options in DHCP
Replies: 7
Views: 1172

Re: Script for auto update of IPv6 DNS options in DHCP

You can use "fixed" ip's with assigned pools... /ipv6 address add address=::1 from-pool=<some_pool> interface=etherX Anyway, you would want to put that logic into the dhcpcv6 script https://wiki.mikrotik.com/wiki/Manual:IPv6/DHCP_Client#Script , so that you do it only and when necessary. Yet another...
by sebastia
Mon Feb 18, 2019 10:30 pm
Forum: Beginner Basics
Topic: Encrypted communication
Replies: 4
Views: 411

Re: Encrypted communication

setup a tunnel with encryption on top of the vlan.
IPIP + IPSEC would work just fine (for the ipsec part, just specify a pre-shared key on both sides)

Another option, now I think of it, CAPsMan with encrypted channel to AP.
by sebastia
Mon Feb 18, 2019 10:25 pm
Forum: General
Topic: Convert to Switch Chip VLAN from Bridge VLAN
Replies: 6
Views: 557

Re: Convert to Switch Chip VLAN from Bridge VLAN

Hi

What hardware is it?

"the network throughput from my main network and VLAN are slow" how do you mean. slow within vlan / main network or between vlan & main network?
by sebastia
Mon Feb 18, 2019 10:13 pm
Forum: General
Topic: Traffic drop to zero when the simple queue is disabled
Replies: 2
Views: 333

Re: Traffic drop to zero when the simple queue is disabled

To answer that, we would need to know how simple queue functions internally. To my knowledge that info is not available (publicly).

Wild guess: some clean-up which occupies all cpus?
by sebastia
Mon Feb 18, 2019 10:07 pm
Forum: General
Topic: CLI Free File Memory
Replies: 3
Views: 335

Re: CLI Free File Memory

by sebastia
Mon Feb 18, 2019 10:01 pm
Forum: General
Topic: Packet flow when VLAN interface is over bridge [SOLVED]
Replies: 3
Views: 412

Re: Packet flow when VLAN interface is over bridge [SOLVED]

On which version are you?
If 6.x then look here https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6

When vlan is in play, packets are processed a "second" time.
by sebastia
Mon Feb 18, 2019 9:59 pm
Forum: Beginner Basics
Topic: Issue with ping reply to additional Public IP Pool
Replies: 4
Views: 440

Re: Issue with ping reply to additional Public IP Pool

Have you tried pinging from your other internal networks?
Is there any firewall on the PC in question?
by sebastia
Mon Feb 18, 2019 9:48 pm
Forum: General
Topic: Port knocking alternative
Replies: 4
Views: 563

Re: Port knocking alternative

Goal of port knocking is to keep it hidden to public except the ones in the know. But at least easy to use.
by sebastia
Mon Feb 18, 2019 9:42 pm
Forum: General
Topic: I have 8 ISP modems and I want to load balancing with the 8 modems how to set the pcc in mangle rules
Replies: 5
Views: 600

Re: I have 8 ISP modems and I want to load balancing with the 8 modems how to set the pcc in mangle rules

Suppose you have 2 (less work for me) connections A & B:
1. A = B = some speed, then just mangle as documented
A: 2/0 & B: 2/1
2. A = 2B = some speed, then you want to assign 2x more to A than B, so
A: 3/0
A: 3/1
B: 3/2

Right?
by sebastia
Mon Feb 18, 2019 9:30 pm
Forum: General
Topic: Load balancing and failover, EoIP, Bond.
Replies: 4
Views: 682

Re: Load balancing and failover, EoIP, Bond.

Hey Make sure you have link monitoring configured using arp, since you route to your remote destination: https://wiki.mikrotik.com/wiki/Manual:Interface/Bonding#Link_monitoring You modified config by hand before post ;-)? e=eoip-tunnel2 remote-address=5.5.5.6 tunnel-id=501 & 1 dst-address=5.5.5.3/32...
by sebastia
Mon Feb 18, 2019 9:05 pm
Forum: General
Topic: Office 365 traffic shaping and priority on RouterOS
Replies: 3
Views: 555

Re: Office 365 traffic shaping and priority on RouterOS

Might be useful to provide English source links on English speaking forum...

https://docs.microsoft.com/en-gb/office ... ess-ranges
by sebastia
Mon Feb 18, 2019 9:01 pm
Forum: General
Topic: Public IP Address Blacklisted
Replies: 4
Views: 521

Re: Public IP Address Blacklisted

Check if the firewall is sufficient to not be an open relay or dns resolver.
by sebastia
Mon Feb 18, 2019 8:53 pm
Forum: General
Topic: CLI Free File Memory
Replies: 3
Views: 335

Re: CLI Free File Memory

it's under "/system resource"
by sebastia
Mon Feb 18, 2019 2:57 pm
Forum: General
Topic: Firewall on Mikrotik box outbound connection?
Replies: 9
Views: 688

Re: Firewall on Mikrotik box outbound connection?

rerouting on output works just fine: either by mangling or routing rule. But dst-nat isn't available.
by sebastia
Mon Feb 18, 2019 2:52 pm
Forum: General
Topic: I have 8 ISP modems and I want to load balancing with the 8 modems how to set the pcc in mangle rules
Replies: 5
Views: 600

Re: I have 8 ISP modems and I want to load balancing with the 8 modems how to set the pcc in mangle rules

Hey, quite well documented at https://wiki.mikrotik.com/wiki/Manual:PCC

the mangling depends on the spread of load: are all same throughput? then you can proceed as suggested.
by sebastia
Sun Feb 17, 2019 9:20 pm
Forum: General
Topic: Force SmartDNS DNS for PS4 only
Replies: 5
Views: 499

Re: Force SmartDNS DNS for PS4 only

The bridge is your lan bridge? Then that torch doesn't prove anything, as it shows the traffic the client sees. Natting happens after the packets are received on the bridge.
If you want to verify that: try logging in forward table.
by sebastia
Sun Feb 17, 2019 3:41 pm
Forum: General
Topic: Firewall on Mikrotik box outbound connection?
Replies: 9
Views: 688

Re: Firewall on Mikrotik box outbound connection?

Hey, yes it's possible, you can do it in NAT table chain=dst-nat where you can rewrite the ip AND port

Indeed, was a bit too fast. Thanks for the correction @Sob
by sebastia
Sun Feb 17, 2019 3:38 pm
Forum: General
Topic: Force SmartDNS DNS for PS4 only
Replies: 5
Views: 499

Re: Force SmartDNS DNS for PS4 only

add to the above rules:
src-address=<ip ps4>

but easiest would be if you configure the dns server on ps4 itself.
by sebastia
Sun Feb 17, 2019 1:22 pm
Forum: General
Topic: Not boot up after upgrade
Replies: 1
Views: 307

Re: Not boot up after upgrade

Unfortunate, you'll need to netinstall it: https://wiki.mikrotik.com/wiki/Manual:Netinstall
by sebastia
Sun Feb 17, 2019 12:48 pm
Forum: Scripting
Topic: Script for auto update of IPv6 DNS options in DHCP
Replies: 7
Views: 1172

Re: Script for auto update of IPv6 DNS options in DHCP

In my opinion the context for that script is just wrong: if you provide a service (dns or any other), it should be served from a fixed ip. Then there is also no need for such scripts. Further this script won't work from time perspective: ip's are assigned for a specific period of time. the dns optio...
by sebastia
Sat Feb 16, 2019 12:27 pm
Forum: General
Topic: Access Remote resource over VPN
Replies: 6
Views: 543

Re: Access Remote resource over VPN

Was the vpn up?: route was in table so vpn must have been up

try setting the distance of default route (0.0.0.0/0 going to 251) to higher value, say 10.
by sebastia
Sat Feb 16, 2019 11:34 am
Forum: General
Topic: Routing L2TP/IPSEC
Replies: 4
Views: 475

Re: Routing L2TP/IPSEC

Hey

You need to add routes on the CHR (and hex's) to the two networks with tunnel endpoint as the gateway. Something like:

# on CHR
/ip route
add dst-address=192.168.10.0/24 gateway=<hex1 vpn ip>
add dst-address=192.168.11.0/24 gateway=<hex2 vpn ip>
# on Hex, add route to the other network
/ip route...
by sebastia
Fri Feb 15, 2019 9:43 pm
Forum: General
Topic: Access Remote resource over VPN
Replies: 6
Views: 543

Re: Access Remote resource over VPN

# remove/disable this: there is no need to mangle, so also no list, see below
/ip firewall filter
add action=add-src-to-address-list address-list=to_VPN address-list-timeout=1m chain=forward comment=VPN dst-address=192.168.1.0/24 routing-mark=OPENVPN-SERVER src-address=10.1.0.0/17
# most accept rul...
by sebastia
Fri Feb 15, 2019 8:13 pm
Forum: General
Topic: Access Remote resource over VPN
Replies: 6
Views: 543

Re: Access Remote resource over VPN

Hey

Diagram is very helpful, pictures are nice but not informative enough: post your config: /export hide-sensitive compact between "code" tags
by sebastia
Fri Feb 15, 2019 4:53 pm
Forum: General
Topic: Multiple Public IP over Same Interface with Same Gateway
Replies: 7
Views: 587

Re: Multiple Public IP over Same Interface with Same Gateway

Try this
/ip firewall nat
add chain=srcnat action=src-nat src-address=your.vlan.10.range/24 dst-address=0.0.0.0/0 to-address=your.public.ip-forVlan10 out-interface=ether1

This rule should be before your current src-nat / masq rule.
by sebastia
Fri Feb 15, 2019 4:39 pm
Forum: Beginner Basics
Topic: Setting up incoming traffic [SOLVED]
Replies: 14
Views: 781

Re: Setting up incoming traffic [SOLVED]

Do you get a public ip? Or maybe private or CGNat specific one?
by sebastia
Fri Feb 15, 2019 4:36 pm
Forum: Beginner Basics
Topic: Failover with recursive routing stays on backup connection
Replies: 12
Views: 865

Re: Failover with recursive routing stays on backup connection

As its name states, it keeps a list of previously calculated routes from x to y for later reuse. After a while an entry gets invalidated, removed and needs to be calculated anew.
by sebastia
Fri Feb 15, 2019 2:23 pm
Forum: Beginner Basics
Topic: Drop all and accept some ports
Replies: 8
Views: 700

Re: Drop all and accept some ports

if these communicate over port 80 (http) and 443 (https), then that's expected.
by sebastia
Fri Feb 15, 2019 1:50 pm
Forum: General
Topic: Remote SSH tunneling (ssh -R )
Replies: 3
Views: 5048

Re: Remote SSH tunneling (ssh -R )

I think it's a case of "PEBKAC", wrong usage. See https://linux.die.net/man/1/ssh and https://wiki.mikrotik.com/wiki/Manual:IP/SSH Compare as used: ssh admin@<mikrotik_ip> -R 8080:localhost:80 manual: ssh reamoteuser@remotehost -L port:remotehost:remoteport First: attaches to remote socket / port an...
by sebastia
Fri Feb 15, 2019 1:40 pm
Forum: Beginner Basics
Topic: Drop all and accept some ports
Replies: 8
Views: 700

Re: Drop all and accept some ports

As depicted, traffic from 10/8 for dns, http & https will be allowed. all the rest is blocked.

To allow more just add some "accept" rules before the drop rule.
by sebastia
Thu Feb 14, 2019 8:58 pm
Forum: General
Topic: How to make a RB device blink all of its LEDs? [SOLVED]
Replies: 6
Views: 593

Re: How to make a RB device blink all of its LEDs? [SOLVED]

When triggered, it will blink for a few seconds and stop on its own.
by sebastia
Thu Feb 14, 2019 4:22 pm
Forum: General
Topic: How to make a RB device blink all of its LEDs? [SOLVED]
Replies: 6
Views: 593

Re: How to make a RB device blink all of its LEDs? [SOLVED]

You can blink each interface separately though winbox ("Blink") or cli.

/interface ethernet blink <interface>
by sebastia
Thu Feb 14, 2019 4:12 pm
Forum: General
Topic: Guide to (possibly) hack RouterOS ... If yes please protect it
Replies: 10
Views: 1082

Re: Guide to (possibly) hack RouterOS ... If yes please protect it

Don't think so: it would mean that routerboard would only run proprietary (inhouse) software.
by sebastia
Thu Feb 14, 2019 11:26 am
Forum: Beginner Basics
Topic: Failover with recursive routing stays on backup connection
Replies: 12
Views: 865

Re: Failover with recursive routing stays on backup connection

Disabling fast route can help you but you need to be more careful about consequences in other hand You Assume your router has access to your ISP1 but your ISP1 has internal problem so in that case you never switch to the ISP2. You talk about consequences: which? Do note that the "recursive routing" ...
by sebastia
Thu Feb 14, 2019 10:49 am
Forum: General
Topic: Guide to (possibly) hack RouterOS ... If yes please protect it
Replies: 10
Views: 1082

Re: Guide to (possibly) hack RouterOS ... If yes please protect it

"Hacking" as presented on this post should be understood as setting up communication channel with a Tik while NOT using Winbox software package => reverse engineer the communications. This approach allows to analyse the channel and it's usage and allows to hunt for bugs in software / underlying syst...
by sebastia
Wed Feb 13, 2019 10:51 pm
Forum: Beginner Basics
Topic: 100 mbps limit in p2p
Replies: 12
Views: 1092

Re: 100 mbps limit in p2p

That's default config right? Did you try to change the number of p2p peers?

With that config, on eth4 for normal download you get 300+mb but for p2p much less. Correct?

Then it's not the Tik that's doing it, and as mentioned before probably uplink limitation.
by sebastia
Wed Feb 13, 2019 9:25 pm
Forum: Beginner Basics
Topic: 100 mbps limit in p2p
Replies: 12
Views: 1092

Re: 100 mbps limit in p2p

try this config change:

/interface bridge remove WAN
/interface ethernet set [ find default-name=ether1 ] name=WAN
/interface bridge port
# why is it in hw=no mode?
set bridge=LAN interface=ether5 hw=yes
# remove all rules from firewall and add these, they are mostly default rules, except for the SU...
by sebastia
Wed Feb 13, 2019 6:42 pm
Forum: General
Topic: vlan question
Replies: 6
Views: 627

Re: vlan question

Hey

A Tik much more than managed switch ;)

To do that:
* merge both bridges
* use vlans to separate current logic bridges
* use these vlans as tagged / untagged on eth6

eth2 & 3 would become vlan x
eth4 & 5 would become vlan y
vlan x would be untagged on eth2, 3 & 6
vlan y would be untagged on eth4 ...
by sebastia
Wed Feb 13, 2019 4:45 pm
Forum: General
Topic: Prevent accidental deletion
Replies: 3
Views: 378

Re: Prevent accidental deletion

And let's not forget the undo / redo buttons.
by sebastia
Wed Feb 13, 2019 4:20 pm
Forum: General
Topic: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]
Replies: 20
Views: 1843

Re: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]

Won't be pointing fingers... Simple explanation: a tunnel is just a pipe, so if you connect 3 wan links into one tunnel, that's just a highway. How are you planning on using it? You mentioned to want to use the created / combined connection "for uplud the data to the main office"? So how are you goi...
by sebastia
Wed Feb 13, 2019 4:14 pm
Forum: Beginner Basics
Topic: Failover with recursive routing stays on backup connection
Replies: 12
Views: 865

Re: Failover with recursive routing stays on backup connection

Depending on the hardware used, you might hit the limit before reaching max of your connection. You can still revert back later.
by sebastia
Wed Feb 13, 2019 4:12 pm
Forum: General
Topic: Prevent accidental deletion
Replies: 3
Views: 378

Re: Prevent accidental deletion

-> "Safe mode"

Or login with read-only user.
by sebastia
Wed Feb 13, 2019 3:36 pm
Forum: Beginner Basics
Topic: Failover with recursive routing stays on backup connection
Replies: 12
Views: 865

Re: Failover with recursive routing stays on backup connection

That is the consequence, but was wondering if it would solve your switching issue.
by sebastia
Wed Feb 13, 2019 3:17 pm
Forum: General
Topic: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]
Replies: 20
Views: 1843

Re: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]

upload using single connection, or many concurrent connections?

For single it will NOT work.

For many, bonding normally would as well as PCC. -> both will load balance connections over available links
by sebastia
Wed Feb 13, 2019 3:09 pm
Forum: Beginner Basics
Topic: Failover with recursive routing stays on backup connection
Replies: 12
Views: 865

Re: Failover with recursive routing stays on backup connection

Hi

for faster route switch back, have you tried switching the "/ip setting route-cache off"?
by sebastia
Wed Feb 13, 2019 2:54 pm
Forum: Beginner Basics
Topic: VLAN Basics
Replies: 8
Views: 890

Re: VLAN Basics

Could you give me some examples of configuring vlans in switch chip and inter-vlan routing please.
Have you seen this?
by sebastia
Wed Feb 13, 2019 2:50 pm
Forum: Beginner Basics
Topic: 100 mbps limit in p2p
Replies: 12
Views: 1092

Re: 100 mbps limit in p2p

Hey

both download and p2p was over eth4 (wired)?
what is the cpu usage during p2p download?
what is the result of cpu profiler?

config:
* why do you use bridge for wan with only one interface in it?
* what is the goal of "add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeo...
by sebastia
Wed Feb 13, 2019 2:25 pm
Forum: Beginner Basics
Topic: why we don't drop bogons address form input rules??
Replies: 3
Views: 610

Re: why we don't drop bogons address form input rules??

@sebastia: rp-filter=strict is not a defence against bogons coming from WAN because, you most likely have 0.0.0.0/0 route there, which will give a green light to any bogon.... Correct, on the inbound from upstream it's the responsibility of the ISP. But just in case these are in standard config of ...
by sebastia
Wed Feb 13, 2019 1:45 am
Forum: Beginner Basics
Topic: NAT 1:1 Questions
Replies: 9
Views: 411

Re: NAT 1:1 Questions

Based on what you shared: all you want is connect from .128. ip to .150. ip. For that normal routing would suffice, since .128. systems have proper gateway. (1) .150. systems don't have gateway set, so you'll need to communicate with an ip in their range, and one which can relay responses back: rout...
by sebastia
Wed Feb 13, 2019 1:25 am
Forum: Beginner Basics
Topic: VLAN Basics
Replies: 8
Views: 890

Re: VLAN Basics

See https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features (+examples) hap ac has very capable switch chip: QCA8337 https://i.mt.lv/cdn/rb_files/RB962UiGS-160210082257.png you can do a lot with vlans in hardware, but through the switch menu, not through bridge inter vlan routing: that's normal r...
by sebastia
Tue Feb 12, 2019 11:51 pm
Forum: Wireless Networking
Topic: Mikrotik SXT LTE kit V2 High Latency
Replies: 1
Views: 241

Re: Mikrotik SXT LTE kit V2 High Latency

How it's routed beyond your network, is out of control of the Tik. That's done by your isp or further up.
by sebastia
Tue Feb 12, 2019 11:40 pm
Forum: Beginner Basics
Topic: why we don't drop bogons address form input rules??
Replies: 3
Views: 610

Re: why we don't drop bogons address form input rules??

I say: replace both with strict reverse path filter
/ip settings set rp-filter=strict
by sebastia
Tue Feb 12, 2019 11:36 pm
Forum: Beginner Basics
Topic: hex lite (RB750r2) vs hex (RB750Gr3) for home network
Replies: 8
Views: 1456

Re: hex lite (RB750r2) vs hex (RB750Gr3) for home network

I'm with freemannnn, it's minor price diff, but it's your decision (viewtopic.php?t=144034)
(wifi can be disabled)
by sebastia
Tue Feb 12, 2019 11:34 pm
Forum: Beginner Basics
Topic: NAT 1:1 Questions
Replies: 9
Views: 411

Re: NAT 1:1 Questions

If you haven't understood my last response "between the lines" comment: "NAT 1:1 are NOT the droids you're looking for" ;-)
by sebastia
Tue Feb 12, 2019 11:31 pm
Forum: Beginner Basics
Topic: 100 mbps limit in p2p
Replies: 12
Views: 1092

Re: 100 mbps limit in p2p

Please post result of "/export hide-sensitive compact" between "code" tags.
by sebastia
Tue Feb 12, 2019 11:21 pm
Forum: General
Topic: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]
Replies: 20
Views: 1843

Re: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]

It's technically possible to bond eoip links which themselves are tunnelled, but ...is it worth it? quite a bit of complexity and overhead As stated https://wiki.mikrotik.com/wiki/Manual:Interface/Bonding#Summary this will not increase single connection speed. Then, why not keep it simpler and do 3 ...
by sebastia
Tue Feb 12, 2019 11:10 pm
Forum: General
Topic: how can I limit the connection to the router?
Replies: 8
Views: 942

Re: how can I limit the connection to the router?

to control you need the two rules:
* first allows based on criteria
* second blocks any "overflow"

If you look at doc for connection-limit:
Matches connections per address or address block up to and including given value.
by sebastia
Tue Feb 12, 2019 10:46 pm
Forum: Beginner Basics
Topic: NAT 1:1 Questions
Replies: 9
Views: 411

Re: NAT 1:1 Questions

what you need to do:
* on 128/24 network configure the MT as default gateway. If your MT is dhcp server for that network, just distribute gw setting with dhcp lease.
* configure src nat on traffic leaving on 150.55, so that replies will come back to router
by sebastia
Tue Feb 12, 2019 10:36 pm
Forum: Scripting
Topic: Help with script please
Replies: 1
Views: 250

Re: Help with script please

Sounds doable. I would suggest to hire a MT consultant for the implementation.
by sebastia
Tue Feb 12, 2019 10:32 pm
Forum: Wireless Networking
Topic: LTE FAIL
Replies: 4
Views: 449

Re: LTE FAIL

It's all marketing speak: LTE is not 4G.

https://www.digitaltrends.com/mobile/4g-vs-lte/
by sebastia
Mon Feb 11, 2019 9:52 pm
Forum: Scripting
Topic: Script for Mangle and Queue Tree
Replies: 11
Views: 10992

Re: Script for Mangle and Queue Tree

(you seem to have found out)
by sebastia
Mon Feb 11, 2019 8:20 pm
Forum: Scripting
Topic: Script for Mangle and Queue Tree
Replies: 11
Views: 10992

Re: Script for Mangle and Queue Tree

Post your question in new thread.
by sebastia
Mon Feb 11, 2019 6:41 pm
Forum: General
Topic: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]
Replies: 20
Views: 1843

Re: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]

Normally you could only specify target ip, but since you want to balance all three links, you need a way to steer traffic of the different links.

So in short, with only one or with different targets, then yes.
by sebastia
Mon Feb 11, 2019 4:01 pm
Forum: General
Topic: Hotspot in Mikrotik RB 3011 Ui AS-RM
Replies: 3
Views: 579

Re: Hotspot in Mikrotik RB 3011 Ui AS-RM

https warning? most os's use the unsecured path http to detect if a redirect is being done and then present the login page.

Redirect of https without warning is not possible.
by sebastia
Mon Feb 11, 2019 3:59 pm
Forum: RouterBOARD hardware
Topic: Hardware repair RB711-5Hn-MMCX
Replies: 3
Views: 632

Re: Hardware repair RB711-5Hn-MMCX

Most likely a resistor, but to know the value... Check with support maybe?
Or test a known good...
by sebastia
Mon Feb 11, 2019 2:49 pm
Forum: General
Topic: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]
Replies: 20
Views: 1843

Re: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]

This POC just proves / shows you can. I'll need to adjust it to your situation (3 links, different ip's, different interfaces), but the general process from the linked wiki article is fine. Don't worry about M2, its job is to pass packets, just like the internet. There is no specific config for M2, ...
by sebastia
Mon Feb 11, 2019 1:15 pm
Forum: General
Topic: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]
Replies: 20
Views: 1843

Re: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]

This was a proof of concept, just to demonstrate that it CAN be done and HOW it could be done. You're welcome! What do you mean by "I want M1 to go out with 3 address\interfaces"? "so I want to go from M1 to M3" M2 is there to "simulate" internet / cloud / any other routers in between. It doesn't ma...
by sebastia
Mon Feb 11, 2019 1:05 pm
Forum: Beginner Basics
Topic: "bridge" one device from one subnet to other subnet (OVPN)
Replies: 2
Views: 260

Re: "bridge" one device from one subnet to other subnet (OVPN)

Yes, with eoip tunnel (which can be secured by ipsec). you'll need to put the eoip interface in local bridge at both ends.
by sebastia
Mon Feb 11, 2019 12:59 pm
Forum: Beginner Basics
Topic: Monitor Users Web activity
Replies: 11
Views: 7594

Re: Monitor Users Web activity

Can't be done, unless you play "man-in-the-middle" with wildcard certificate, so that you can decrypt the traffic. That's because for any request / response flowing over the connection, a ssl socket is setup and used for communication. So all you CAN see is the dns / ip of other side, not the url, n...
by sebastia
Mon Feb 11, 2019 10:41 am
Forum: Scripting
Topic: DHCP server DNS update
Replies: 3
Views: 1378

Re: DHCP server DNS update

Since it's dhcp initiated, it's working on that basis: for existing dns entry with a different ip, it won't touch it. But you could adjust it if you wish?
For same ip, it will clean-up first.


Regarding conversion to static, it's probably possible, but I haven't looked into it.
by sebastia
Sun Feb 10, 2019 7:19 pm
Forum: General
Topic: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]
Replies: 20
Views: 1843

Re: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]

I followed wiki, https://wiki.mikrotik.com/wiki/Manual:Bonding_Examples , with some modifications:
* when defining eoip tunnels at "many end", also specified src-address
* added specific routing tables for each tunnel at "many end"
* added specific routing rules for each tunnel at "many end" (instea...
by sebastia
Sun Feb 10, 2019 4:37 pm
Forum: General
Topic: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]
Replies: 20
Views: 1843

Re: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]

I don't think so...

because how do I "tell" the tunnel to go with ADSL 1\2\3?
connection marking? You would still have 3 tunnels on the "x1" side but all three using same endpoint.
by sebastia
Sun Feb 10, 2019 4:31 pm
Forum: Scripting
Topic: DHCP server DNS update
Replies: 3
Views: 1378

DHCP server DNS update

Hi
I've written a script to update dns when dhcp server issues a lease. It consists of 3 parts:
* script executed by dhcp server
* two additional scripts used for mapping of the host name: conversion to lower case and replacement of forbidden characters
The two auxiliary scripts should be loaded on s...
by sebastia
Sun Feb 10, 2019 1:40 pm
Forum: General
Topic: Duplicate packet drop error - OpenVPN
Replies: 7
Views: 3098

Re: Duplicate packet drop error - OpenVPN

Hi
Do you see it often? If not just ignore, it's informative, and Tik did the right thing already: dropped the duplicate. It might be the consequence of tcp over tcp: ovpn tunnel on Tik is tcp based, and if tcp connection is run through the tunnel, that might cause some (unnecessary) retransmissions.
by sebastia
Sun Feb 10, 2019 1:20 pm
Forum: General
Topic: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]
Replies: 20
Views: 1843

Re: Can I use bonding : 3 WAN to 1 WAN? [SOLVED]

wouldn't it be same as for 3x3 but with one side being same for 3 tunnels?
by sebastia
Sun Feb 10, 2019 1:14 pm
Forum: General
Topic: CRS326 multiple IP on different VLAN?
Replies: 2
Views: 338

Re: CRS326 multiple IP on different VLAN?

Hey

try this
/interface bridge vlan
add bridge=br.switch1 untagged=ether24 tagged=br.switch1 vlan-ids=969
by sebastia
Sun Feb 10, 2019 3:03 am
Forum: General
Topic: Reserve bandwidth for ICMP ping
Replies: 1
Views: 392

Re: Reserve bandwidth for ICMP ping

hoi

bandwidth can be controlled / reserved with queueing. it can be done on different levels / grouping.
See
https://wiki.mikrotik.com/wiki/Manual:Queue
https://www.youtube.com/watch?v=loaVBWq6cWA
by sebastia
Sun Feb 10, 2019 2:56 am
Forum: Beginner Basics
Topic: RB2011 slow internet even with fasttrack
Replies: 99
Views: 14865

Re: RB2011 slow internet even with fasttrack

My previous post was meant to provide perspective and context: performance depends not only on hardware, but also software, configuration and topology. There is no one good solution.
by sebastia
Sun Feb 10, 2019 2:42 am
Forum: General
Topic: Slow ethernet speeds with hAP AC
Replies: 1
Views: 395

Re: Slow ethernet speeds with hAP AC

Hey

What is the configuration of ports eth3 & 4? This will be relevant concerning the speed you can get.
Given the block diagram https://i.mt.lv/cdn/rb_files/RB962UiGS-160210082257.png, if these are switched, you should be getting wirespeed. If these are routed you'll be limited to 1gb/s total.
by sebastia
Sat Feb 09, 2019 6:14 pm
Forum: Beginner Basics
Topic: RB2011 slow internet even with fasttrack
Replies: 99
Views: 14865

Re: RB2011 slow internet even with fasttrack

As a Tik admin you have a lot of features / possibilities in your hands, but also responsibility, as the choices made have significant impact. Few examples: * vlans & bridging: latest software introduces bridge level vlans, but it has only limited switch chip support. one ends up quickly with full...
by sebastia
Sat Feb 09, 2019 5:06 pm
Forum: Beginner Basics
Topic: Ports for ipcamera [SOLVED]
Replies: 4
Views: 357

Re: Ports for ipcamera [SOLVED]

yes, but the name should be the fully qualified domain name you use to access camera over internet.

so that when on internal network the internal ip will be used, instead of external ip of router.
by sebastia
Sat Feb 09, 2019 11:48 am
Forum: Beginner Basics
Topic: Ports for ipcamera [SOLVED]
Replies: 4
Views: 357

Re: Ports for ipcamera [SOLVED]

Hey

Add an entry in your static dns cache for that dns name and its internal ip.
by sebastia
Fri Feb 08, 2019 10:01 pm
Forum: Beginner Basics
Topic: Out of Box settings on RB2011
Replies: 2
Views: 288

Re: Out of Box settings on RB2011

It's a good point to start with.
You can improve it further: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
by sebastia
Fri Feb 08, 2019 8:24 pm
Forum: General
Topic: 802.11ac Wave2 Support?
Replies: 34
Views: 8377

Re: 802.11ac Wave2 Support?

Don't be so harsh. Issues come up in development, in life, ...
by sebastia
Fri Feb 08, 2019 8:19 pm
Forum: Scripting
Topic: MAC Telnet in scripts
Replies: 5
Views: 620

Re: MAC Telnet in scripts

well, if you deploy the public key to all clients and attach to a user, you could exec commands remotely
For telnet, it's asking (interactively) credentials. It might be possible to script that too with some code, but I haven't encountered such a thing yet
by sebastia
Fri Feb 08, 2019 7:01 pm
Forum: General
Topic: Why Fast Path not supported with hardware accelerated IPsec?
Replies: 1
Views: 428

Re: Why Fast Path not supported with hardware accelerated IPsec?

Packets of a fast-track-ed connection bypass a lot of packet processing which is needed for ipsec.
IPSec processes (de- & encapsulation) each packet as it traverses the router, something that fast-track tries to avoid.
by sebastia
Fri Feb 08, 2019 6:53 pm
Forum: Beginner Basics
Topic: Navigation issue with Fasttrack in conjunction with pcc
Replies: 6
Views: 1852

Re: Navigation issue with Fasttrack in conjunction with pcc

This CAN'T be solved!

PCC needs mangling to work BUT Fast-track bypasses mangling

What you can do, is fast-track your default route (choose one), the other route needs to do the full processing, as done by @soonwai
by sebastia
Fri Feb 08, 2019 1:38 pm
Forum: Beginner Basics
Topic: interface/wireless .....installation=outdoor/indoor/any
Replies: 16
Views: 2765

Re: interface/wireless .....installation=outdoor/indoor/any

Er...?

It was an " or " question.

Did you mean "yes, "any" is the most loose setting"?
by sebastia
Fri Feb 08, 2019 11:13 am
Forum: Beginner Basics
Topic: Queue: Speedtest need advise
Replies: 4
Views: 530

Re: Queue: Speedtest need advise

Yes it will. Then again, I don't expect single speedtest session to need much more than that. If you don't want to touch that limit, you need some other way to exclude the speedtest from bandwidth management.
* based on src-ip: from a specific system?
* based on dst-ip: speedtest of your isp will be...
by sebastia
Fri Feb 08, 2019 9:57 am
Forum: Scripting
Topic: MAC Telnet in scripts
Replies: 5
Views: 620

Re: MAC Telnet in scripts

That's a good question... So tried, and you can.
* Created keys (pub + priv): see https://wiki.mikrotik.com/wiki/Use_SSH_to_execute_commands_(DSA_key_login)#Configuration
* imported pub in target system: see previous link
* imported pub+priv in source system: see https://wiki.mikrotik.com/wiki/Manua...
by sebastia
Thu Feb 07, 2019 11:52 pm
Forum: Beginner Basics
Topic: Different DNS to different Mac addresses
Replies: 3
Views: 427

Re: Different DNS to different Mac addresses

Since your devices are already known, you could create static leases for those. Let the DHCP server add the lease to an address list and use this list for your rules. -Chris Or reserve range for known devices and unknown (guests) AND define different dhcp network configurations for these ranges, ...
by sebastia
Thu Feb 07, 2019 10:21 pm
Forum: General
Topic: Bridge VLAN filtering blocks all traffic
Replies: 13
Views: 841

Re: Bridge VLAN filtering blocks all traffic

Thanks, I did that, but it didn't help. It's not an inter-VLAN routing problem, though, since I have only one VLAN. Unless I'm misunderstanding something, of course. /interface bridge vlan add bridge=bridge-lan tagged=bridge-lan vlan-ids=20 /interface bridge vlan print detail Flags: X - disabled, D...
by sebastia
Thu Feb 07, 2019 10:19 pm
Forum: Scripting
Topic: MAC Telnet in scripts
Replies: 5
Views: 620

Re: MAC Telnet in scripts

with private + public keys installed, what's the difference with ssh?
by sebastia
Thu Feb 07, 2019 9:18 pm
Forum: General
Topic: Bridge VLAN filtering blocks all traffic
Replies: 13
Views: 841

Re: Bridge VLAN filtering blocks all traffic

You need to include bridge itself as tagged member in "/interface bridge vlan" definition.

See also https://wiki.mikrotik.com/wiki/Manual:I ... _Bridge.29
by sebastia
Thu Feb 07, 2019 8:43 pm
Forum: RouterBOARD hardware
Topic: RB4011iGS+RM Multi LAN
Replies: 3
Views: 605

Re: RB4011iGS+RM Multi LAN

Delete the default bridge and each port will act like its own LAN.
not that easy...quite a bit of more steps
by sebastia
Thu Feb 07, 2019 8:28 pm
Forum: Wireless Networking
Topic: How to Configure (settings) Multiple Wireless Wire bridges (two wAP60G)s on Same Network
Replies: 15
Views: 1387

Re: How to Configure (settings) Multiple Wireless Wire bridges (two wAP60G)s on Same Network

I've understood that there were large improvements in latest software with regards to 60GHz products...
by sebastia
Thu Feb 07, 2019 8:19 pm
Forum: General
Topic: Address List Between Devices
Replies: 2
Views: 411

Re: Address List Between Devices

I don't think it's out-of-the-box available (MT is lacking any HA features). But you could do that yourself
* export into file
* transport file (ftp/ssh/...)
* execute remotely (ex: via ssh)
by sebastia
Thu Feb 07, 2019 5:23 pm
Forum: Beginner Basics
Topic: interface/wireless .....installation=outdoor/indoor/any
Replies: 16
Views: 2765

Re: interface/wireless .....installation=outdoor/indoor/any

Hey @normis, is "any" the most loose setting then, requiring administrator to make sure regulation is not broken, or the most strict one complying with any regulation?
by sebastia
Thu Feb 07, 2019 5:19 pm
Forum: Beginner Basics
Topic: New connection added!!solution for load failover [SOLVED]
Replies: 10
Views: 679

Re: New connection added!!solution for load failover [SOLVED]

Is your company an AS (autonomous system) with its own range of IP's for which you peer with these ISP's? If so, you can indeed choose to whom you are sending traffic. But, I'm guessing you're not, and just renting the use of ISP1 ranges? If yes, then you can't just use ISP1 ips through ISP2...
by sebastia
Thu Feb 07, 2019 4:41 pm
Forum: General
Topic: Tunnel which generates least traffic when IDLE
Replies: 13
Views: 1242

Re: Tunnel which generates least traffic when IDLE

Is that 400mb / day realistic? This translates to a continuous stream of data at about 5KB / s ???
Just pinging and rekeying isn't that expensive!
by sebastia
Thu Feb 07, 2019 3:18 pm
Forum: Beginner Basics
Topic: I need help for this configueation: RBSXTR&R11e-LTE and RB952Ui-5ac2nD
Replies: 2
Views: 228

Re: I need help for this configueation: RBSXTR&R11e-LTE and RB952Ui-5ac2nD

Yes you can!

The original device power supply will then power both at the same time. I've just one cable going to my SXTLTEkit: rj45, carrying power, lte data & vlan for management.
by sebastia
Thu Feb 07, 2019 2:59 pm
Forum: General
Topic: Different subnet slow speed
Replies: 7
Views: 532

Re: Different subnet slow speed

with fast-track enabled you can still do queuing as long as that queue is attached (parent) to an interface. Simple queues or global parents are indeed incompatible with fast-track. Do note that fast-track is a connection level flag: once a connection is fast-track-ed, most of its packets, in any d...
by sebastia
Thu Feb 07, 2019 2:42 pm
Forum: Beginner Basics
Topic: interface/wireless .....installation=outdoor/indoor/any
Replies: 16
Views: 2765

Re: interface/wireless .....installation=outdoor/indoor/any

Wondering if "any" wouldn't be the worst, as it would need to comply with any conditions, so apply all restrictions...

Edit: Normis clarified below
by sebastia
Thu Feb 07, 2019 1:10 pm
Forum: Beginner Basics
Topic: interface/wireless .....installation=outdoor/indoor/any
Replies: 16
Views: 2765

Re: interface/wireless .....installation=outdoor/indoor/any

It has to do with regulatory rules relating to power & usage of transmission frequencies. Indoor regulations are usually different from outdoor.
Been mentioned recently by Tik personnel on this forum.
by sebastia
Thu Feb 07, 2019 12:10 pm
Forum: Beginner Basics
Topic: Port Forwarding to other subnet
Replies: 3
Views: 293

Re: Port Forwarding to other subnet

Hey

You didn't actually paste any config ...

About forwarding, you can't forward to a range, you can to a specific ip.
by sebastia
Thu Feb 07, 2019 12:07 pm
Forum: Beginner Basics
Topic: address notation for rules excluding one device - is it possible?
Replies: 3
Views: 241

Re: address notation for rules excluding one device - is it possible?

Sure
/ip firewall filter
add action=accept chain=test dst-address=!192.168.88.10
by sebastia
Thu Feb 07, 2019 10:49 am
Forum: General
Topic: Detect-internet causing internal packet loss
Replies: 10
Views: 1951

Re: Detect-internet causing internal packet loss

The problem that I have with "detect-internet" feature is that it's insufficiently documented and its impact on internal process / usage is completely unclear.
by sebastia
Thu Feb 07, 2019 10:32 am
Forum: Beginner Basics
Topic: Vlan Tag injecter
Replies: 5
Views: 375

Re: Vlan Tag injecter

Indeed, why not:
* bridge uplink & downlink interface
* define vlan on the bridge for management purposes
* enable "forward to ip firewall" on bridge so transparent firewall can be implemented
by sebastia
Thu Feb 07, 2019 1:49 am
Forum: Beginner Basics
Topic: Beginner Ipv6 routing (ping) problem
Replies: 2
Views: 312

Re: Beginner Ipv6 routing (ping) problem

Hey

So, your router can ping internet. And you can ping router, on global address. -> question: is routing or firewall on router "wrong"?

route seems ok.

So how about firewall? /ipv6 firewall export?
by sebastia
Thu Feb 07, 2019 1:33 am
Forum: Beginner Basics
Topic: New connection added!!solution for load failover [SOLVED]
Replies: 10
Views: 679

Re: New connection added!!solution for load failover [SOLVED]

Just to confirm, you are using ip ranges of the ISP? Or do you have your own bought IP range? Or something else?

Then, what are your requirements from this backup? What do you expect?
by sebastia
Wed Feb 06, 2019 9:04 pm
Forum: Beginner Basics
Topic: New connection added!!solution for load failover [SOLVED]
Replies: 10
Views: 679

Re: New connection added!!solution for load failover [SOLVED]

Hey
Have a look at https://wiki.mikrotik.com/wiki/Manual:Interface/VRRP But it will not be transparent, as isps will have different ip ranges (so not because of limitations of VRRP). Because of that existing connections will need to be rebuilt anew. You'll have redundancy on the level of uplink thou...
by sebastia
Wed Feb 06, 2019 2:49 pm
Forum: Beginner Basics
Topic: Subnet to Subnet marked as invalid [SOLVED]
Replies: 3
Views: 294

Re: Subnet to Subnet marked as invalid [SOLVED]

Forwarding a packet out of the interface on which it is received is considered invalid. You have to explicitly allow traffic which does this, typically for asymmetric routing as in your case, also for some multinetted and VRRP configurations as well. Connection-state is related to connection tracki...
by sebastia
Wed Feb 06, 2019 12:23 pm
Forum: Beginner Basics
Topic: Newbie Introduction
Replies: 5
Views: 376

Re: Newbie Introduction

Welcome!

Wish you good reading ;-)
by sebastia
Wed Feb 06, 2019 12:09 pm
Forum: General
Topic: how can i do iptables command in routeros?
Replies: 5
Views: 718

Re: how can i do iptables command in routeros?

# iptables -A PREROUTING -p tcp -m tcp -j DNAT -s 10.0.0.0/8 -d 211.65.64.43 --match multiport --dports 80,443,44449 --to-destination 219.230.144.123:80 -t nat
/ip firewall nat add chain=dstnat protocol=tcp action=dst-nat src-address=10.0.0.0/8 dst-address=211.65.64.43 dst-port=80,443,44449 to-add...
by sebastia
Wed Feb 06, 2019 12:03 pm
Forum: General
Topic: Problematic destination NAT
Replies: 5
Views: 575

Re: Problematic destination NAT

Minor correction for above:
When MT does the SRC-NAT, PLC device will see request come from MT itself.
by sebastia
Wed Feb 06, 2019 12:41 am
Forum: General
Topic: Mikrotik sending out rogue DHCP requests [SOLVED]
Replies: 11
Views: 1163

Re: Mikrotik sending out rogue DHCP requests [SOLVED]

seen seemingly similar issue here viewtopic.php?f=2&t=144957
by sebastia
Tue Feb 05, 2019 11:54 pm
Forum: General
Topic: how can I limit the connection to the router?
Replies: 8
Views: 942

Re: how can I limit the connection to the router?

One more comment:

that first rule is heavy on system. If your router is being "bombarded" by API, rate-limit the first rule to only few reqs / s.
To adjust add to first rule: " limit=1,1:packet" (== 1/s with burst of 1)
by sebastia
Tue Feb 05, 2019 9:54 pm
Forum: Beginner Basics
Topic: one port only internet, no lan [SOLVED]
Replies: 20
Views: 1375

Re: one port only internet, no lan [SOLVED]

Hey guys/gals
Why not setup a routing rule for a specific src ip/range/group to route to default route only, being the internet. any other routes would be implicitly denied.
So
* isolate to single port
* create route to 0.0.0.0/0 to uplink in route table "internet-only"
* create routing rule for spe...
by sebastia
Tue Feb 05, 2019 8:55 pm
Forum: General
Topic: how can I limit the connection to the router?
Replies: 8
Views: 942

Re: how can I limit the connection to the router?

try this
<accept established / related should be before>
add action=accept chain=input connection-limit=5,32 connection-state=new dst-address-type=local dst-port=8728 protocol=tcp
add action=reject chain=input dst-address-type=local dst-port=8728 protocol=tcp
Make sure accept established & related i...
by sebastia
Tue Feb 05, 2019 8:16 pm
Forum: General
Topic: MikroTik Bridget network got DDOS
Replies: 4
Views: 541

Re: MikroTik Bridget network got DDOS

If your uplink is full, there is nothing YOU can do on your own. If you're somehow lucky and the attack is directed at the specific client, ask the upstreams (and or its upstreams) to null-route / blackhole the ip. Client will be Fxxxxx, but the rest of the network will live. If it's your full range...
by sebastia
Tue Feb 05, 2019 8:11 pm
Forum: Beginner Basics
Topic: accessing the mikrotik behind another mikrotik [SOLVED]
Replies: 4
Views: 371

Re: accessing the mikrotik behind another mikrotik [SOLVED]

These other "router" and radio's are not Mikrotik I'm guessing? Then RoMon will not help
some options
* vpn to mikrotik
* ssh to mikrotik with port forwarding for ssh/web/telnet/...
* winbox/ssh to mikrotik, and from there ssh to other (a variation on previous)
by sebastia
Tue Feb 05, 2019 5:09 pm
Forum: General
Topic: how can I limit the connection to the router?
Replies: 8
Views: 942

Re: how can I limit the connection to the router?

Hi

You can do that in firewall, using connection-limit to local ip and API port.
by sebastia
Tue Feb 05, 2019 3:32 pm
Forum: Beginner Basics
Topic: incoming FACETIME Call ... Videostream problem
Replies: 2
Views: 221

Re: incoming FACETIME Call ... Videostream problem

Most likely these are the outbound connections, that need to be allowed (if not already). Facetime is supposed to work in any condition, even behind NAT.
Make sure your firewall forward rules don't block these.
by sebastia
Tue Feb 05, 2019 2:08 pm
Forum: Beginner Basics
Topic: Combine 2 lines
Replies: 4
Views: 270

Re: Combine 2 lines

If both lines are with same isp and they are willing to do that ... you could try. But from my experience, they usually don't do custom stuff.
by sebastia
Tue Feb 05, 2019 1:19 pm
Forum: Beginner Basics
Topic: Combine 2 lines
Replies: 4
Views: 270

Re: Combine 2 lines

Hey

PCC will balance connections over the two uplinks. To combine you would need to have isp support, as configuration changes are needed at their end.
by sebastia
Tue Feb 05, 2019 1:16 pm
Forum: General
Topic: DHCP keeps broadcasting and can not stop it!
Replies: 5
Views: 1051

Re: DHCP keeps broadcasting and can not stop it!

That's "dhcp client" requesting for an offer. Dynamic ip config still active?
by sebastia
Tue Feb 05, 2019 1:09 pm
Forum: General
Topic: Fasttrack Fails
Replies: 2
Views: 345

Re: Fasttrack Fails

Hey again

Fasttrack is a connection property, and behaves like connection mark. So if fw rule is disabled, the relevant connections are already marked, and as long as they stay alive, they will be fasttracked.
by sebastia
Tue Feb 05, 2019 1:07 pm
Forum: Wireless Networking
Topic: Boosting LTE and WIFI on a boat [SOLVED]
Replies: 9
Views: 897

Re: Boosting LTE and WIFI on a boat [SOLVED]

About right. You could aggregate it, for multiple connections.
Note that the SXT LTE is a directional antenna, so you'll need to know the general direction of 4G mast.
by sebastia
Tue Feb 05, 2019 12:33 pm
Forum: General
Topic: DNS resolution vulnerability
Replies: 7
Views: 644

Re: DNS resolution vulnerability

Which version of software are they running? There were some vulnerabilities published last year. It's possible that these routers got exploited and opened to wide world.
by sebastia
Tue Feb 05, 2019 11:37 am
Forum: Wireless Networking
Topic: Tweaking QoS queues - need advice
Replies: 1
Views: 261

Re: Tweaking QoS queues - need advice

Hi

I reserve traffic for what I absolutely need, rest is "fair game" (not mangled and fast-tracked)
All classes have reserved/guaranteed bandwidth, and prio defined on all.

technical: dns, acks, ping, ...
voip, audio streaming
rest, spread using pcq (by src-ip) for fairness
by sebastia
Tue Feb 05, 2019 11:06 am
Forum: General
Topic: Queue
Replies: 8
Views: 606

Re: Queue

by sebastia
Tue Feb 05, 2019 11:02 am
Forum: Beginner Basics
Topic: Queue: Speedtest need advise
Replies: 4
Views: 530

Re: Queue: Speedtest need advise

Hey

Why not increase the limit so that a single speedtest session doesn't go over it?
by sebastia
Tue Feb 05, 2019 10:51 am
Forum: Beginner Basics
Topic: 2 Fiber Lines Split depending on IP address
Replies: 2
Views: 223

Re: 2 Fiber Lines Split depending on IP address

Hey
* make sure your pc gets same ip (either configure ip directly or make dhcp assignment static)
* make the "youtube" line default route for 0.0.0.0/0
* route traffic from pc over "game" line: mark all packets from pc and destination != local with a routing mark
* add a route for 0.0.0.0/0 to "gam...
by sebastia
Tue Feb 05, 2019 10:35 am
Forum: General
Topic: TCP vs UDP routing handled differently?
Replies: 4
Views: 616

Re: TCP vs UDP routing handled differently?

"Only default route" + "no firewall" <-?-> "asymmetric routing" and "selective forwarding"

Something doesn't add up...
by sebastia
Tue Feb 05, 2019 10:23 am
Forum: General
Topic: 2 Lans one bridge Routing [SOLVED]
Replies: 2
Views: 341

Re: 2 Lans one bridge Routing [SOLVED]

Hey
You would need to adjust your mangle rules, they are too wide currently:
# Now
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=!to_mgts new-routing-mark=to_mgts passthrough=no src-address=192.168.20.0/24
add action=mark-connection chain=input dst-address=95.165.197.4...
by sebastia
Mon Feb 04, 2019 10:16 pm
Forum: Wireless Networking
Topic: Bonding - ping problem [SOLVED]
Replies: 11
Views: 1266

Re: Bonding - ping problem [SOLVED]

I replicated your setup in GNS3, together with your problem: loss of packets and intermittent responses! Problem: to be able to ping A1 from A, packets need to go the "upper" route always, and that is not guaranteed with bonding. Solution for the above problem: define (management) vlans, one for uppe...
by sebastia
Mon Feb 04, 2019 12:24 pm
Forum: General
Topic: TCP vs UDP routing handled differently?
Replies: 4
Views: 616

Re: TCP vs UDP routing handled differently?

What is the config on E: /export hide-sensitive compact?
by sebastia
Mon Feb 04, 2019 12:20 pm
Forum: Wireless Networking
Topic: Bonding - ping problem [SOLVED]
Replies: 11
Views: 1266

Re: Bonding - ping problem [SOLVED]

What do you mean with "As of course eth1 and wlan1 is in the bridge"? A1,A2,B1 & B2 are separate hardware with internal bridging?
When using the /32 address, the network is used to indicate the ip of other side.
ex
/ip add add interface=bond address=10.1.1.1/32 network=10.1.1.2
I would recommend to ...
by sebastia
Mon Feb 04, 2019 11:36 am
Forum: General
Topic: Problematic destination NAT
Replies: 5
Views: 575

Re: Problematic destination NAT

Is this the topology?
PLC <---> Mikrotik <---> (rest of the world)
There are two cases:
* PLC has gateway set -> MT should be that gateway in communication from "rest of the world" to PLC, only dnat is needed. Response traffic will be routed to gateway anyway.
* PLC doesn't have gateway set -> MT sh...
by sebastia
Mon Feb 04, 2019 12:56 am
Forum: General
Topic: Detect-internet causing internal packet loss
Replies: 10
Views: 1951

Re: Packets being dropped from one host only

Nothing that jumps out, but

* your wan interfaces are ppp-'s not ether1 /-5 -> forward drop rules need adjusting
* remove wan2,pppoe's from discovery list
* disable detect-internet, it caused strange issues in the past.
by sebastia
Mon Feb 04, 2019 12:23 am
Forum: Beginner Basics
Topic: Question about correct fasttrask fules
Replies: 3
Views: 329

Re: Question about correct fasttrask fules

For a fasttrack-ed connection, not all packets are handled by fast-track to allow connection tracking to keep its data "up-to-date" and connection active. What you have described might be related to this.
by sebastia
Mon Feb 04, 2019 12:19 am
Forum: General
Topic: MikroTik ROS SATA AHCI support
Replies: 3
Views: 422

Re: MikroTik ROS SATA AHCI support

Options you have today are:
* use Mikrotik dedicated hardware
* or CHR, with for example ESXi hypervisor, which is free, and with wider support for hardware
by sebastia
Sun Feb 03, 2019 11:28 pm
Forum: Wireless Networking
Topic: Bonding - ping problem [SOLVED]
Replies: 11
Views: 1266

Re: Bonding - ping problem [SOLVED]

Bonding doesn't actually need setting of ip's on link elements https://wiki.mikrotik.com/wiki/Manual:Interface/Bonding , but seems to work if present. Furthermore, you'll need to make sure that the wireless links are in wireless bridge mode. Finally, setup link monitoring to take care of link failure.
by sebastia
Sat Feb 02, 2019 6:12 pm
Forum: Wireless Networking
Topic: Bonding - ping problem [SOLVED]
Replies: 11
Views: 1266

Re: Bonding - ping problem [SOLVED]

Make sure your bonding & carrier networks don't overlap
# bonding
# siteA
/ip add add interface=bond address=10.1.1.1/32 network=10.1.1.2
# siteB
/ip add add interface=bond address=10.1.1.2/32 network=10.1.1.1
# carriers
# siteA
/ip add add interface=A1 address=10.1.2.1/32 network=10.1.2.2
/ip add a...
by sebastia
Sat Feb 02, 2019 3:25 pm
Forum: Beginner Basics
Topic: Failover Issue [SOLVED]
Replies: 14
Views: 1146

Re: Failover Issue [SOLVED]

(not a master...but) Routing is separate from masquerading. The last one is linked to active ip on the used interface. Only if that ip changes (or is lost) will the connection table be cleared. A routing change doesn't impact the ip assignment of an interface. So primary coming up, it's primary rout...
by sebastia
Sat Feb 02, 2019 3:11 pm
Forum: General
Topic: High number of established connections for one address
Replies: 20
Views: 1499

Re: High number of established connections for one address

you can work around (some of) these issues with "screen" https://www.rackaid.com/blog/linux-scre ... nd-how-to/

(and I don't mean the boss-issue ;-) )
by sebastia
Sat Feb 02, 2019 2:56 pm
Forum: General
Topic: Detect-internet causing internal packet loss
Replies: 10
Views: 1951

Re: Packets being dropped from one host only

Start by listing your current config: /export hide-sensitive compact
by sebastia
Sat Feb 02, 2019 2:54 pm
Forum: Wireless Networking
Topic: Bonding - ping problem [SOLVED]
Replies: 11
Views: 1266

Re: Bonding - ping problem [SOLVED]

Hey
I think you should make the bond elements A1-B1 & A2-B2 Point-to-Point, so /32.
by sebastia
Sat Feb 02, 2019 2:45 pm
Forum: Wireless Networking
Topic: Multiple SXT LTE's?
Replies: 4
Views: 344

Re: Multiple SXT LTE's?

Whether FDD or TDD, is part of LTE band specification: https://en.wikipedia.org/wiki/LTE_frequency_bands
by sebastia
Sat Feb 02, 2019 2:27 pm
Forum: General
Topic: VLAN and CPU Swich correct setting
Replies: 3
Views: 543

Re: VLAN and CPU Swich correct setting

Hey stef

You should list your current config: /export hide-sensitive compact, so that it can be examined.
by sebastia
Fri Feb 01, 2019 8:25 pm
Forum: Beginner Basics
Topic: Failover Issue [SOLVED]
Replies: 14
Views: 1146

Re: Failover Issue [SOLVED]

See https://mum.mikrotik.com/presentations/MX17/presentation_4265_1495639302.pdf
1. masq will clear connection tracking table if the related ip becomes inactive. Src-nat won't. slide 25
That is one of the measures as specified by Mikrotik, slide 28+, to ensure no leakage happens = packets don't leav...
by sebastia
Fri Feb 01, 2019 5:42 pm
Forum: Beginner Basics
Topic: Failover Issue [SOLVED]
Replies: 14
Views: 1146

Re: Failover Issue [SOLVED]

The routing will depend on the routing configuration. So if primary route comes back, traffic will be directed that way, but as connection tracking (especially natting) is still set of the backup route, natting won't take place. These connections should then be dropped by "invalid" check. Also let's ...
by sebastia
Fri Feb 01, 2019 3:21 pm
Forum: General
Topic: High number of established connections for one address
Replies: 20
Views: 1499

Re: High number of established connections for one address

In today's world of cloud, auto balancing & fail-over, auto upgrades and deployments, Agile release cycles of only few minutes, I don't think that expecting TCP to live "forever" is realistic. Ssh is still a different beast, but we also do much more patching today than ever. Since the infrastructure...
by sebastia
Fri Feb 01, 2019 12:51 pm
Forum: General
Topic: High number of established connections for one address
Replies: 20
Views: 1499

Re: High number of established connections for one address

You just did...

Anyway, why complain about imaginary issues if you can't substantiate them? Focusing on one specific element of answer to discredit the whole message??? That's just BOFH...

Ps: and let's keep it civil and on facts, so it's useful and productive.
by sebastia
Fri Feb 01, 2019 12:08 pm
Forum: General
Topic: Winbox Urgent Suggestion
Replies: 15
Views: 1128

Re: Winbox Urgent Suggestion

Obviously I'm not an expert, as you imply!

But since you have the numbers on the user groups, please share them! So how many users of Linux, iOS, macOS, ... are there?
by sebastia
Fri Feb 01, 2019 11:42 am
Forum: General
Topic: Winbox Urgent Suggestion
Replies: 15
Views: 1128

Re: Winbox Urgent Suggestion

And Mikrotik has the right to allocate dev resources wisely and not waste it on supporting every small user group... Linux, apple, unix, bsd, ...
Exactly why web interface exists!
by sebastia
Fri Feb 01, 2019 11:39 am
Forum: General
Topic: High number of established connections for one address
Replies: 20
Views: 1499

Re: High number of established connections for one address

What is the use-case here of opening a ssh session and letting it sit for 30 minutes with NO data flowing in either direction? The established timeout is after last packet sent...

Edit: actually that would even be a security issue!
by sebastia
Fri Feb 01, 2019 11:29 am
Forum: General
Topic: Winbox Urgent Suggestion
Replies: 15
Views: 1128

Re: Winbox Urgent Suggestion

what is wrong with web access, which is platform independent???
by sebastia
Fri Feb 01, 2019 11:21 am
Forum: General
Topic: Connecting VPN Site Subnets
Replies: 5
Views: 459

Re: Connecting VPN Site Subnets

You need to make sure that routers at both sides, know what networks are present at the other end of vpn.

To do that, add to routing tables routes for the required networks with 172.0.0.x as gateways. -> so on site A for 10.0.1 and on site B for 10.0.0
by sebastia
Thu Jan 31, 2019 9:06 pm
Forum: Scripting
Topic: Why sometimes fails => /file remove [find]
Replies: 1
Views: 314

Re: Why sometimes fails => /file remove [find]

find also returns directories. Some may be protected. Also depending on the order some of these directories may not be empty.
by sebastia
Thu Jan 31, 2019 9:01 pm
Forum: General
Topic: Routing on VPN
Replies: 1
Views: 294

Re: Routing on VPN

Hey Luca

To start with, please post your current config, on Mikrotik: "/export hide-sensitive compact"

Sebastian
by sebastia
Thu Jan 31, 2019 4:31 pm
Forum: Scripting
Topic: ipv6 dhcp status change (na-valid / na-address)
Replies: 2
Views: 360

Re: ipv6 dhcp status change (na-valid / na-address)

Try to construct the url upfront using $"na-address" & $"na-valid" instead.
by sebastia
Thu Jan 31, 2019 2:01 pm
Forum: General
Topic: Secondary WAN, router on a stick?
Replies: 4
Views: 368

Re: Secondary WAN, router on a stick?

Hey, it could be as simple as defining a secondary/backup default route in the routing table on R1. Distance of that secondary route should be higher than primary. You would want to do gateway check, ex ping, so that if ISP1 fails that route becomes inactive and secondary kicks in. Best of all: no scr...
by sebastia
Wed Jan 30, 2019 7:08 pm
Forum: RouterBOARD hardware
Topic: DAC cables on CCR1036-12G-4S not working.
Replies: 3
Views: 408

Re: DAC cables on CCR1036-12G-4S not working.

for 10g you want to have the "S+" ports
by sebastia
Wed Jan 30, 2019 7:03 pm
Forum: General
Topic: 2 external ip on one router
Replies: 12
Views: 648

Re: 2 external ip on one router

List your config, it will be easier to advise something: /export hide-sensitive compact. Also specify how you get the ip's assigned/allocated.
by sebastia
Wed Jan 30, 2019 4:50 pm
Forum: General
Topic: 2 external ip on one router
Replies: 12
Views: 648

Re: 2 external ip on one router

with ROS 6.41+, you'll need to configure a bridge, with wan & server port in that bridge.
by sebastia
Wed Jan 30, 2019 4:46 pm
Forum: General
Topic: How to migrate RB3011 to CCR1009
Replies: 4
Views: 457

Re: How to migrate RB3011 to CCR1009

These are two different beasts, architecturally and configuration wise too. You'll need to:
* do "/export compact"
* review config in context of 1009
* apply with modifications, "line-by-line"
by sebastia
Wed Jan 30, 2019 11:04 am
Forum: Beginner Basics
Topic: All Internet traffic over OVPN Tunnel
Replies: 3
Views: 365

Re: All Internet traffic over OVPN Tunnel

tick that "add default route" option, it should also take care of the "except case" (and for info: the route to the vpn server (=tunneled traffic) needs to be excluded from the general route over vpn)
if you have any networks on the client side other than the vpn ip itself: then you'll need to:
* ei...
by sebastia
Wed Jan 30, 2019 12:59 am
Forum: SwOS
Topic: 2 untagged VLAN same interface
Replies: 11
Views: 1885

Re: 2 untagged VLAN same interface

To OP initial question: it can be done and is being done, and is based on mac based vlan assignment
see viewtopic.php?t=143692
by sebastia
Wed Jan 30, 2019 12:28 am
Forum: General
Topic: SOLVED: Added LTE interface now ping and traceroute timeout
Replies: 9
Views: 682

Re: Added LTE interface now ping and traceroute timeout

firewall, routing, ... list your config, maybe somebody will spot the issue: /export hide-sensitive compact

btw, traceroute != ping, it's using different protocol, try actual ping as well
see https://en.wikipedia.org/wiki/Traceroute
by sebastia
Wed Jan 30, 2019 12:19 am
Forum: General
Topic: SOLVED: Added LTE interface now ping and traceroute timeout
Replies: 9
Views: 682

Re: Added LTE interface now ping and traceroute timeout

as pc's can ping, it's not the network. Most likely local configuration.
by sebastia
Wed Jan 30, 2019 12:05 am
Forum: Beginner Basics
Topic: All Internet traffic over OVPN Tunnel
Replies: 3
Views: 365

Re: All Internet traffic over OVPN Tunnel

set default route on client site (except for the vpn server itself) to go to gateway at server
by sebastia
Wed Jan 30, 2019 12:02 am
Forum: General
Topic: High number of established connections for one address
Replies: 20
Views: 1499

Re: High number of established connections for one address

As said I've a time out of 30m, yet I can maintain an established connection far longer, as long as there is data flowing over that connection.
It's not documented, but I think it's <timeout> from last packet seen...That is also corroborated by connection list in firewall -> see timeout field
by sebastia
Tue Jan 29, 2019 12:17 pm
Forum: Beginner Basics
Topic: fasttrack ignores marked packets and port forwarding [SOLVED]
Replies: 5
Views: 483

Re: fasttrack ignores marked packets and port forwarding [SOLVED]

Do this (replace or modify existing)
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related out-interface=ether1-kabelnet
And you can remove any mangling for ether1-kabelnet, that will become your default.
by sebastia
Tue Jan 29, 2019 12:10 pm
Forum: General
Topic: High number of established connections for one address
Replies: 20
Views: 1499

Re: High number of established connections for one address

This works well. I use a 5 minute time and have no issues. There is almost nothing doing a keep-alive quicker than that.
... slower ... ;-)
by sebastia
Tue Jan 29, 2019 12:02 pm
Forum: General
Topic: SOLVED: Added LTE interface now ping and traceroute timeout
Replies: 9
Views: 682

Re: Added LTE interface now ping and traceroute timeout

Related to your primary:
0 ADS  0.0.0.0/0                          120.148.AAA.BBB           1
1  DS  0.0.0.0/0                          192.168.8.1               2
So the default route goes to your primary: "ADS" -> Active
by sebastia
Mon Jan 28, 2019 11:52 pm
Forum: General
Topic: High number of established connections for one address
Replies: 20
Views: 1499

Re: High number of established connections for one address

You could modify the settings under "/ip firewall connection tracking". Most connections will implement a keep-alive if they need it open for a long time.
I'm using est timeout of 30m with no issues
by sebastia
Mon Jan 28, 2019 11:40 pm
Forum: Forwarding Protocols
Topic: Policy based routing problem [SOLVED]
Replies: 16
Views: 1539

Re: Policy based routing problem [SOLVED]

"/ip route print" to print it all, the ones with no mark are in "main" table
"/ip route print where routing-mark=<your mark>" to print specific table only
by sebastia
Mon Jan 28, 2019 11:21 pm
Forum: General
Topic: Limit upload connection by SIZE.
Replies: 4
Views: 470

Re: Limit upload connection by SIZE.

Not in firewall, it only has notion of total usage. Maybe with hotspot (limit-bytes-out?)? (didn't try it myself...)
by sebastia
Mon Jan 28, 2019 11:14 pm
Forum: Beginner Basics
Topic: fasttrack ignores marked packets and port forwarding [SOLVED]
Replies: 5
Views: 483

Re: fasttrack ignores marked packets and port forwarding [SOLVED]

You can't do mangle based routing (to ensure response goes the same way out) and fast-track for all connections at the same time. The reason is that fasttrack bypasses mangling, and so the needed packet marks are not set.
add action=mark-connection chain=input in-interface=ether1-kabelnet new-connect...
by sebastia
Mon Jan 28, 2019 11:07 pm
Forum: Beginner Basics
Topic: Openvpn server on rRpi - how to aloow openvpn clients to acess Rpi LAN
Replies: 10
Views: 595

Re: Openvpn server on rRpi - how to aloow openvpn clients to acess Rpi LAN

hey try this
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=10.100.200.99 protocol=udp dst-address-type=local dst-port=1194
by sebastia
Mon Jan 28, 2019 4:49 pm
Forum: Forwarding Protocols
Topic: Policy based routing problem [SOLVED]
Replies: 16
Views: 1539

Re: Policy based routing problem [SOLVED]

By default, all routes go into default table, unless you configure something else.
by sebastia
Mon Jan 28, 2019 12:42 pm
Forum: Beginner Basics
Topic: Multiple VLANs, router all traffic from one VLAN to an alternate gateway
Replies: 2
Views: 319

Re: Multiple VLANs, router all traffic from one VLAN to an alternate gateway

Hey
You can do it with policy based routing (for ipv4 only)
1. add new route to target server on vlan20 with a route-mark
2. define a route rule for src from vlan10 to "lookup" the route in the "route-mark" table or route-mark all packets for vlan10
3. make sure forward allows this forwarding
Note: ...
by sebastia
Mon Jan 28, 2019 12:24 pm
Forum: Beginner Basics
Topic: Block Duckduckgo
Replies: 4
Views: 455

Re: Block Duckduckgo

You mean the "https://duckduckgo.com" ? You can identify with TLS SNI matcher using name "duckduckgo.com", as it's using that name in its cert.
by sebastia
Mon Jan 28, 2019 12:15 pm
Forum: Forwarding Protocols
Topic: Policy based routing problem [SOLVED]
Replies: 16
Views: 1539

Re: Policy based routing problem [SOLVED]

Hey

Tables "are displayed" in main route list: a "route mark" identifies a table. So all rules with same route mark will end up in same routing table.
That routing table can then be selected by either route mark (a packet mark) or by rules as defined in the routing rule.
by sebastia
Wed Jan 23, 2019 8:41 pm
Forum: General
Topic: firewall rules for WAN interface - DHCP firewall rules without effect
Replies: 8
Views: 1146

Re: firewall rules for WAN interface - DHCP firewall rules without effect

There's another discussion on the topic: https://forum.mikrotik.com/viewtopic.php?t=36035 I don't understand why, but the behavior is reported, confirmed by MT and there is an acceptable workaround (use bridge filter). Perhaps some documentation on this specific limitation would be nice. Thx, indeed...
by sebastia
Tue Jan 22, 2019 11:58 pm
Forum: General
Topic: firewall rules for WAN interface - DHCP firewall rules without effect
Replies: 8
Views: 1146

Re: firewall rules for WAN interface - DHCP firewall rules without effect

Unfortunately you are correct. And I say "unfortunately" because it doesn't make any sense, and goes against logic, as the protocol is using UDP on top of IP, both normally handled by IP firewall. Further, in the past it had to be explicitly allowed. I run into it in ROS 2, 3 and still (I think) 4. ...
by sebastia
Tue Jan 22, 2019 9:37 pm
Forum: General
Topic: Mark the traffic for YouTube, Facebook, etc.
Replies: 28
Views: 4720

Re: Mark the traffic for YouTube, Facebook, etc.

I believe that at this moment it's only possible through L7 matching or maybe content matching (?), unless MT provides that as a option, like they did for TCP.
by sebastia
Tue Jan 22, 2019 5:22 pm
Forum: Beginner Basics
Topic: Bridges across 4011
Replies: 14
Views: 900

Re: Bridges across 4011

Today We have chained 2 Mikrotics, one of them pretending to be ISP and the second one was my R1. In log of the 'fake ISP' the broadcast packet of my Mikrotik was clearly seen going from port 68 to 67, BUT the firewall counter stays on 0 packets. What I'm doing wrong? Accepted before this rule alre...
by sebastia
Tue Jan 22, 2019 5:12 pm
Forum: Beginner Basics
Topic: Bridges across 4011
Replies: 14
Views: 900

Re: Bridges across 4011

Yes it does...
Do you have a dhcp client? Try to firewall it completely in input for UDP...


Corrected. (that's new for me)
by sebastia
Tue Jan 22, 2019 5:11 pm
Forum: General
Topic: firewall rules for WAN interface - DHCP firewall rules without effect
Replies: 8
Views: 1146

Re: firewall rules for WAN interface - DHCP firewall rules without effect

Well, the firewall is L3, DHCP happens on L2 until the lease is ack'ed by the DHCP server.
-Chris
DHCP is over UDP, and CAN be firewalled and NEEDS to be allowed or it won't work...
See https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol for protocol details
In context of the original...
by sebastia
Tue Jan 22, 2019 2:17 pm
Forum: General
Topic: Mark the traffic for YouTube, Facebook, etc.
Replies: 28
Views: 4720

Re: Mark the traffic for YouTube, Facebook, etc.

Maybe google is using an additional dns structure. What ip's are being streamed from? Which domain is that? You can contribute to the thread.
by sebastia
Tue Jan 22, 2019 12:10 pm
Forum: General
Topic: Misterious Ethernet problem
Replies: 13
Views: 1349

Re: Misterious Ethernet problem

Cable sensing is something different than negotiation.
Cable sensing: which pairs to use for communication
negotiation: at what speed/ when

hence the suggestion to put switch in between to verify if that resolves the issue?
by sebastia
Tue Jan 22, 2019 10:18 am
Forum: Beginner Basics
Topic: QoS Tree VoIP problem
Replies: 42
Views: 2636

Re: QoS Tree VoIP problem

Didn't verify it all, but for VOIP it should be fine. packets are marked on output and matching packet-mark is defined on queue for that output interface. As mentioned before, on the inbound (download) side, I would recommend to also do mangling & class-based queueing, but if you're happy for the mo...
by sebastia
Mon Jan 21, 2019 9:49 pm
Forum: Beginner Basics
Topic: VLAN Shenanigans
Replies: 13
Views: 771

Re: VLAN Shenanigans

bridge: in ports, just remove the interface, and leave the current bridge for the rest as is.

No need for another bridge

then configure ip for that interface, create new pool and then create dhcp server config

firewall config indeed

that's it
by sebastia
Mon Jan 21, 2019 9:39 pm
Forum: Beginner Basics
Topic: QoS Tree VoIP problem
Replies: 42
Views: 2636

Re: QoS Tree VoIP problem

1. that is better, it should point to pppoe

3. didn't encounter a "ppp-all" interface before, and it's not treated as a list "out-interface=all-ppp". Just to make sure I would use pppoe-out1 for now.
Once confirmed working, you can try with ppp-all, and verify.
by sebastia
Mon Jan 21, 2019 9:24 pm
Forum: General
Topic: Limiting per User Traffic with PCQ not working reliably on SXT LTE kit [SOLVED]
Replies: 11
Views: 1029

Re: Limiting per User Traffic with PCQ not working reliably on SXT LTE kit [SOLVED]

Don't immediately see a reason. What's the ip? Is there any local traffic?
by sebastia
Mon Jan 21, 2019 2:46 pm
Forum: General
Topic: RB951Ui-2HnD+usb LTE - high ping/www timeouts while downloading files
Replies: 1
Views: 242

Re: RB951Ui-2HnD+usb LTE - high ping/www timeouts while downloading files

You're filling your pipe and buffer at ISP by download, and ping and other traffic can't get through in timely fashion. You need to implement QoS. This can be done either by Simple Queues or by Queue Tree, depending on your exact needs. Have a look at https://wiki.mikrotik.com/wiki/Manual:Queue Some...
by sebastia
Mon Jan 21, 2019 2:12 pm
Forum: Beginner Basics
Topic: QoS Tree VoIP problem
Replies: 42
Views: 2636

Re: QoS Tree VoIP problem

* "tree"
You need one parent queue linked to an interface, with a number of child queues connected to that parent queue, ex:
# e1_int is my interface to lan
add max-limit=180M name=int parent=e1_int
add name=int20 packet-mark=20 parent=int priority=2
add name=int30 packet-mark=30 parent=int priority...
by sebastia
Mon Jan 21, 2019 12:41 pm
Forum: Forwarding Protocols
Topic: Policy based routing problem [SOLVED]
Replies: 16
Views: 1539

Re: Policy based routing problem [SOLVED]

Like so, for all local networks
/ip route rule
add dst-address=192.168.1.0/24 table=main
add dst-address=192.168.2.0/24 table=main
...
by sebastia
Mon Jan 21, 2019 11:44 am
Forum: Beginner Basics
Topic: QoS Tree VoIP problem
Replies: 42
Views: 2636

Re: QoS Tree VoIP problem

Hey
* your tree should be a tree, not a list!
<some main queue linked to interface max=4M>
<q1 priority=1>
<q2 priority=2>
....
Currently each queue can transmit at 4M...-> no QoS
* you should also prioritise download, at least giving prio to VOIP
* don't use "bucket-size=0"
* "out-interface=all-ppp...
by sebastia
Mon Jan 21, 2019 11:32 am
Forum: Forwarding Protocols
Topic: Policy based routing problem [SOLVED]
Replies: 16
Views: 1539

Re: Policy based routing problem [SOLVED]

Routes for directly connected networks are added to main table. Since currently all traffic FROM .3., .4. & .251. are resolved in WAN-DZ, which only knows about internet, routing fails for internal targets.

Add rules to route (before current ones) using main table when targeting internal networks.
by sebastia
Mon Jan 21, 2019 11:11 am
Forum: Virtualization
Topic: Mikrotik CHR speed performance problem
Replies: 26
Views: 6781

Re: Mikrotik CHR speed performance problem

A method to get more speed out of a very busy CHR router: On the physical computer , in the BIOS , disable hyper-threading & set for maximum performance. That's official Intel recommendation, if virtualization is used. HyperThreading does more harm than good, in this case. :D Isn't that mainly beca...
by sebastia
Mon Jan 21, 2019 11:08 am
Forum: Beginner Basics
Topic: VLAN Shenanigans
Replies: 13
Views: 771

Re: VLAN Shenanigans

If it's on a fixed port, you wouldn't even need vlan.
1. separate the port from the bridge
2. assign new subnet to it (with if needed dhcp server config)
2bis: for dhcp config, you might want to use an external dns, so that internal ip's aren't leaked
3. in firewall filter:forward disallow connection ...
by sebastia
Mon Jan 21, 2019 1:28 am
Forum: Beginner Basics
Topic: Isolate Computer [SOLVED]
Replies: 2
Views: 300

Re: Isolate Computer [SOLVED]

Isn't this question same as here viewtopic.php?f=13&t=144286 ?
by sebastia
Mon Jan 21, 2019 1:17 am
Forum: Beginner Basics
Topic: VLAN Shenanigans
Replies: 13
Views: 771

Re: VLAN Shenanigans

On a fixed port?
by sebastia
Mon Jan 21, 2019 1:15 am
Forum: RouterBOARD hardware
Topic: increase value sectors write since reboot in ROS 6.36.2
Replies: 5
Views: 1468

Re: increase value sectors write since reboot in ROS 6.36.2

Another ex: dhcp server persist to disk.

Best to go over full config, step by step, and disable anything not absolutely needed.
by sebastia
Sun Jan 20, 2019 6:19 pm
Forum: Beginner Basics
Topic: Bridges across 4011
Replies: 14
Views: 900

Re: Bridges across 4011

DHCP broadcast, request, etc is layer 2, firewall is layer 3 of OSI model
dhcp protocol is in UDP, based on IP, and using broadcast ip's when necessary.
See https://en.wikipedia.org/wiki/Dynamic_H ... n_Protocol
by sebastia
Sun Jan 20, 2019 6:15 pm
Forum: Beginner Basics
Topic: how to do Dynamic nat 100 private ip with /24 public ip
Replies: 10
Views: 924

Re: how to do Dynamic nat 100 private ip with /24 public ip

As already pointed out, all that is academical until @mukeshchaubey responds...
by sebastia
Sun Jan 20, 2019 6:12 pm
Forum: Beginner Basics
Topic: Bridges across 4011
Replies: 14
Views: 900

Re: Bridges across 4011

In dhcp protocol, server is on 67 client on 68, UDP. So what you should do is, allow outgoing (chain=output) to 67 and then allow "established & related" on inbound (chain=input). Connection tracking will take care of the rest. Did your config on primary router (connected to isp) change? If so post ...
by sebastia
Sun Jan 20, 2019 4:14 pm
Forum: Beginner Basics
Topic: how to do Dynamic nat 100 private ip with /24 public ip
Replies: 10
Views: 924

Re: how to do Dynamic nat 100 private ip with /24 public ip

Typically used when you have like lots of users / devices behind a NAT to prevent running out of port numbers (PAT) for a single IP NAT but not typically for 100 users/devices, never tested, but maybe:
There's a wiki for that ;-) https://wiki.mikrotik.com/wiki/Manual:I ... :1_mapping
by sebastia
Sun Jan 20, 2019 2:25 pm
Forum: Forwarding Protocols
Topic: Policy based routing problem [SOLVED]
Replies: 16
Views: 1539

Re: Policy based routing problem [SOLVED]

Hey

What is the output of "/ip route export compact"?
by sebastia
Sun Jan 20, 2019 2:07 pm
Forum: General
Topic: IPSEC ROAD WARRIOR Site-to-Site with mode configs - no ping from client to server side
Replies: 1
Views: 272

Re: IPSEC ROAD WARRIOR Site-to-Site with mode configs - no ping from client to server side

Could you post your configs for both ends ? /export hide-sensitive compact
by sebastia
Sun Jan 20, 2019 1:53 pm
Forum: Beginner Basics
Topic: VLAN Shenanigans
Replies: 13
Views: 771

Re: VLAN Shenanigans

How do you connect that computer to LAN? In other words what is your infrastructure? That's important.
by sebastia
Sun Jan 20, 2019 1:36 pm
Forum: Beginner Basics
Topic: Connection between 3dhcp
Replies: 5
Views: 459

Re: Connection between 3dhcp

@anav You should point out what needs to be corrected / improved so that it doesn't seem like a cheap shot and because otherwise the final result of rebuild will be the same configuration...
For example, you could have pointed out that:
* as of version 6.41 of RouterOS, the recommendation is to use s...