MikroTik

Chupaka

13 chain=atm-out protocol="" invert-match=no action=discard set-bgp-prepend-path="" isn't that the reason? seems like protocol="" won't match anything, that's why this rule won't discard anything. you need to unset 'protocol' field ('up' triangle at the right side of t...

Chupaka

sounds like ISP1 has prefix-limit, and CCR starts to announce all ISP2 routes to ISP1

looks like you need to setup filters to allow only your networks to be announced

Chupaka

Old versions are able to connect to 6.38 unless Dude package is installed

Chupaka

Tom, I heard this server is quite popular among RouterOS admins

If you do not mind, I'd like to make this topic sticky on the forum so it stay on top

Chupaka

/tool/torch
=interface=ether1

and then do 'Query & Listen'

if you need detailed info about some fields, add them with necessary ranges, like

/tool/torch
=interface=ether1
=src-address=0.0.0.0/0

Chupaka

http://wiki.mikrotik.com/wiki/Bruteforc ... prevention

Chupaka

/ip firewall mangle add chain=prerouting action=change-ttl new-ttl=increment:1

Chupaka

Huh... I thought, 'priority' has 0-7 range in RouterOS

[admin@TestPlace] > ip fi man add new-priority=

NewPriority ::= NewPriority | NewPriority
  NewPriority ::= 0..63    (integer number)
  NewPriority ::= from-dscp | from-dscp-high-3-bits | from-ingress

Chupaka

*) ethernet - fixed interface speed reporting for x86 in log after reboot or if "disable-running-check=yes";

I'd rather say, removed, not fixed:

17:51:27 interface,info ether3 link up 
17:51:27 interface,info ether6 link up 
17:51:27 interface,info ether7 link up

No more speed info

Chupaka

Well, at least it should

Chupaka

local proxy-arp normally means: router will reply to ARP for hosts it can directly reach, not for hosts it can route to.

in other words, it will search only interface/connected (by the way, which of two exactly? tech guys, we need your knowledge!) routes in routing table, not all routes? thanks

Chupaka

*) arp - added local-proxy-arp feature;

when it will be in the manual?

need at least a short description...

Chupaka

The problem only occur when i connect DVR on one of the interface on Mikrotik

and what happens with ARP table when you do that? we're not telepathists

Chupaka

check IP -> ARP when problem appears

Chupaka

I'm 99,999% sure you will be fine with 500k

originally it was something like "I'm 99,999% sure you will be fine with 640k"

Chupaka

Sure, the link is in the top post

https://play.google.com/apps/testing/co ... oid.tikapp

Chupaka

So, have you increased it? IP -> Settings -> Max Neighbor Entries

Also, check IP -> ARP when problem appears

Chupaka

What do you do if this doesn't work?

what does it mean? try to plug 220V and repeat

Chupaka

Does anyone have problems with recursive routing? I used this manual (Multiple host checking per Uplink), and everything works fine on first router. But exactly the same configuration (except gateways, of course) doesn't work on another two routers. When i add default route via virtual host 10.1.1....

Chupaka

So my idea is simple too:

1) Create DHCP Relays with unique local-addresses from any private subnet
2) On DHCP lease, add necessary IP address to the vlan via API

You just need to check whether step 1 will work

Chupaka

and what happens instead?

Chupaka

its not work !

need more details. how do you mark necessary traffic, what do you expect and what goes wrong?

Chupaka

WinBox still show us in many paces the "zombie" tabs like comment
Please remove it because all new users try use the comment even from terminal.

I don't have this column

so new users won't see it too, I think

Chupaka

something strange again, just like the last time. this command DOES exist

/system/script/run
=.id=script1

!done
=ret=Hello, I'm a script! And this is my output

Chupaka

The only problem is that users are bound to bridge, not the unnumbered vlan, so Cisco like idea isn't work. what's the idea? why don't you like the bridge? 4) ip route client's with gateway to vlan if your IPs are static, you do /ip address add address=89.223.20.254/32 network=89.223.20.46 interfac...

Chupaka

so you add /24 address to the bridge, and cannot ping a client in some vlan added to that bridge?..

Chupaka

you can but RouterOS won't push it to VPN clients. it's some Microsoft's extension to PPP (?) and it's not supported by RouterOS

Chupaka

well, "/ip/hotspot/user/set" looks fine and works for me as a command

maybe a typo in your actual code?..

Chupaka

--- mikrotik.Read();
+++ List<string> test2 = mikrotik.Read();

and see what's in test2

Chupaka

and what message do you receive in response to the last request?

mikrotik.Send("/ip/hotspot/user/set");
mikrotik.Send("=comment=killed");

should be

mikrotik.Send("/ip/hotspot/user/set", false);
mikrotik.Send("=comment=killed", false);

I think

Chupaka

what mean host1 and host2?
how can i make it ping to 8.8.8.8 for example?

8.8.8.8 is host1

Chupaka

1) having a secondary (or multiple) IP address in the event the first IP becomes unavailable or times out.

just add one more Radius Server entry with the same settings

Chupaka

kids are so kids...

Chupaka

If there are specific IPv6 related interfaces to be created, why are there no tabs on the interface window for these IPv6 tunnels? If you would go the EoIP tunnel tab on the interfaces window, you could only add 'normal' IPv4 tunnels, no IPv6. The only way to add such IPv6 tunnel is via the main in...

Chupaka

Some time ago the possibility to change dynamic simple queues was removed, so my script which adds "packet-parks" parameter stopped working. what do you use them for? I want to exclude some traffic from the rate limitation (so called local traffic). I used to mark non-local traffic and ad...

Chupaka

This interface is not a Master port and I have not configure it as a bridge interface (it is unused interface), I think maybe it is a bug for x86, so pl check it thoroughly. Please not I have not find this problem in router board with same ROS v6.36.2 have you read my answer? http://forum.mikrotik....

Chupaka

can there be some detail "unnecessary CPU usage in simple queues", eg not sources code of course but explanations a bit ? Simple Queue hashing algorithm had an issue which caused hash rebuilds. This caused additional CPU load. This fix affects all Simple Queue configurations but improveme...

Chupaka

RouterOS X86: Show R before interface name of interface list but this interface not connected with any device, why?

/interface ethernet set etherX disable-running-check=no

Chupaka

Some time ago the possibility to change dynamic simple queues was removed, so my script which adds "packet-parks" parameter stopped working.

what do you use them for?

Chupaka

and what about the IPv6 EoIP?

as it was said, just add eoipv6 tunnel, not eoip:

[admin@TestPlace] /interface eoipv6> add remote-address=2a00:1028:8386:8c5e::1 tunnel-id=0

Chupaka

we don't have access to your conversations with Support

it's community forum, we are just people like you. if you need an answer from support - write to support@mikrotik.com

Chupaka

that's strange. you have an address on BV30, but there's no even Local MAC address on it, only on BV10 and BV20. that's weird

maybe try to reboot?..

p.s. that topic is 4 years old

Chupaka

so what do you see in Bridge Hosts?

Chupaka

/interface ethernet switch port
set 0 vlan-mode=disabled
set 1 vlan-mode=disabled
set 2 vlan-mode=disabled
set 3 vlan-mode=disabled
set 4 vlan-mode=disabled

maybe that's the reason? try to change this to default setting (vlan-mode=fallback), for example

Chupaka

I know that since the first post in this topic

did what?

do you see both MAC addresses under Bridge Hosts on 450?

try to ping both 192.168.1.1 and 192.168.1.5 from 450

Chupaka

Without crypto there is no way to protect against a transparent bridge sniffing everything.

what about first manual checking and then completely disabling port on link down (when some intruder tries to install transparent bridge)?

Chupaka

did what?

can't ping what?

what's with Hosts?

we're not telepathists

Chupaka

everything

do you see both MAC addresses under Bridge Hosts on 450?

add some address (like 192.168.1.2/24) to bridge-vlan10 and try to ping both 192.168.1.1 and 192.168.1.5 from 450

Chupaka

does your AP keep MAC addresses of bridged clients, or replaces it with its own MAC address?

if it keeps, then you want to force every wireless client, for example, to be authenticated via 802.1x?

or how should the router distinguish between AP and non-AP clients?

Chupaka

/ip route
add comment="iph route" distance=1 gateway=ether1 routing-mark=iph_route

are you sure that iph_nat_tbl addresses are directly accessible via ether1, without some gateway?..

Chupaka

not sure, but... can't you use 'http-referrer' field for this?

Chupaka

Figure this out, and you'll have produced a way to capture Mikrotik credentials.... https://en.wikipedia.org/wiki/Security_through_obscurity :) I been able to find part of the auth protocol. To do this i created small server on perl. If server sends a challenge "0000000000000000000000000000000...

Chupaka

redirect port 8001 to WebProxy, use redirection rule in WebProxy to redirect HTTP requests to your azure website

Chupaka

Why then created it ?: http://forum.mikrotik.com/viewtopic.php?f=21&t=110425 http://forum.mikrotik.com/viewtopic.php?f=21&t=110419 because it's just an announcements and there's a note on the bottom? "If you experience version related issues, then please send supout file from your rout...

Chupaka

by the way, in current RC you cannot add duplicate domain names too

Chupaka

Ok I solved it without using a if statement. :foreach i in=[interface wireless find default-forwarding=yes] do={/interface wireless set $i default-forwarding=no} :foreach i in=[interface wireless find default-authentication=yes] do={/interface wireless set $i default-authentication=no} :foreach i i...

Chupaka

what version of WinBox? have you checked another version?

Chupaka

And regarding how servers for queries are chosen that is correct - router will use 1 cache server and only if it starts to not respond will go to next entry and change only if current one is not responding. guys, please add this to the manual. was searching for it for about 10 minutes because it's ...

Chupaka

Kinda idea for geeks, anyway: working in Firewall via WinBox I thought it would be nice to see Terminal command for current rule on bottom, like this:

winbox-cli-cmd.png

so you don't need to click all tabs to see some accidentally set values

devs, how real is this?

Chupaka

That's why I say: set Watchdog Address to 127.0.0.1

Chupaka

One issue with the Mikrotik watchdog is --- when the simple queue kicks in and starts dropping packets in a RED (Random Early Detect) condition, the simple queue can and will also drop watchdog packets - which will result in un-needed reboots. but if 127.0.0.1 is not pingable after crash, you may u...

Chupaka

also, Watchdog should help in that case

Chupaka

why not use server's IP address ("server-address" variable) instead of MAC address? if you replace the router, IP address won't change, but MAC address will

Chupaka

How will I achieve such setup where some systems will have a static only on the range of 192.68.0.x while the hotspot on a different ip range, but all must pass thru the same interface. the only problem I see is you'll need to add static subnet to Walled Garden on Hotspot so they won't be asked for...

Chupaka

bwhaha, thanks, guys!

so many new buttons on users posts

Chupaka

I just saw that today is 10 years and 10 days of my registration on MikroTik forum. 7424 posts - it's a bit more than 2 posts a day, and every 70th post is mine :lol: Many versions of RouterOS changed (from 2.9.7 to current 6.35) And link speeds from ADSL & 100mbps grew upto 10G :) And... to be ...

Chupaka

I can't see any 'dst-limit' in your rules, so I don't know what you actually changed...

Chupaka

I know that currently this can be achieved by using Netwatch and some scripting but it would be much easier if it were available directly on the route's properties.

it is available even without scripting: http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting

Chupaka

This will open the gates for amazing dynamic realtime blacklists distributed via BGP, and would totally obviate the problem with the adding-as-dynamic issue (as being discussed here anyway) I don't like the idea of establishing BGP peer to my billing system, sometime in a future. I prefer RouterOS ...

Chupaka

Before you was able to manually add dynamic entry without timeout. Now there's no such possibility.

Chupaka

That doesn't make sense well, config versioning and NAND resource doesn't make sense for you? welcome to the world of telecom :) You want an item permanently in an address list, but you don't want it backed up and you don't want it saved? exactly. if your router reboots once a year just for OS upgr...

Chupaka

the answer was posted earlier: how to add dynamic entry in this version? the goal is excluding such entries from export and NOT writing them to NAND I don't want to backup some data that is continuously synced to billing system. and I don't want to kill NAND by writing that data to persistent storage

Chupaka

where can i find a freelancer to seutup this for me?

http://www.mikrotik.com/consultants

Chupaka

Address lists can still be dynamic. Creating an item with a timeout makes it dynamic. it really should not be a big issue.

And what if I need infinite timeout?

Chupaka

The only difference by which CloudFlare (and my provider) distinguishes sites is the name. So there MUST be a simple solution to provide an alias. Exactly. The name. So any DNS tricks won't work. You need to point original site to some proxy (for example, nginx) — it is done by A record, so RouterO...

Chupaka

*) address-list - make "dynamic=yes" as read-only option; why-y-y?.. how to add dynamic entry in this version? the goal is excluding such entries from export and NOT writing them to NAND it's also not possible to add it with very big timeout: [admin@TestPlace] /ip firewall address-list> a...

Chupaka

Isn't it much better and safer to use /interface set [find name="interfacename"] xxxx ?

also, why not just "/interface set interfacename xxxx"?

Chupaka

installed and set up the router
no UDP support for OVPN
looking forward to version 7

Chupaka

the Tao which you are following
is not the true Tao until you
install recent RouterOS version

Chupaka

three things are certain:
death, taxes and packet loss
guess what is happening right now

Chupaka

critical router just hung
don't rush to reboot it in haste
think about eternity

Chupaka

calm down, engineer
your anger's not worth much
the network is down

Chupaka

Following that t-shirt I saw on some EU MUM:

let your friends bridge their net
suddenly, looping occurs
you are no more their friend

Chupaka

I don't see that behavior here! The dynamic entries show no timeout value, they are apparently directly managed by the parent entry and it uses the DNS TTL as timeout. Maybe you have explicity assigned a timeout? add entry with timeout and address=IP-address. it will count to 0s and disappear. now ...

Chupaka

1 year uptime, almost 10 pebibytes of data transferred, 2,6 Gbps average traffic

[admin@BR] > :put [ /sys reso get uptime ]                                   
52w1d18:09:13
[admin@BR] > :put ([ /int get ether3 tx-byte ] / 1024 / 1024 / 1024 / 1024)
9456

Chupaka

With 186ms RTT, I'm getting 1912.4 Mbps/1933.6 Mbps Tx/Rx, not more. looks like there's somewhere 2G link in-between Belarus and USA

Chupaka

domain lists for firewall

please check dynamic entries with domain name. they count down to 0s and stay here forever

Chupaka

I must have missed the announcement of domain lists

the same thing here. Normis, could you add changes to the top or bottom of the changelist, not in the middle?

Chupaka

You cannot. RouterOS API still has 4kbytes limit on file size

Use ftp or scp for file transfer.

Chupaka

What happens if you set squid's port 8080 in browser's proxy settings with and without that NAT rule?

Chupaka

why not just

/ip fi nat add chain=dstnat in-interface=lan protocol=tcp dst-port=80 action=dst-nat to-addresses=10.0.0.2 to-ports=SQUID_PORT

?

Chupaka

API works only over TCP, it's not possible to use API over MAC connection

Chupaka

- Routing filter action "Update Address List" which adds/removes matching prefixes from an address list

oh my gosh!

shut up and take my money!

Chupaka

in v7, bgp is light speed, just wait for it to become public

Chupaka

Winbox 3.4 disconnects from Mikrotik

When I try to connect to Mikrotik using MAC address

and what if you connect by IP?

Chupaka

yep, finally working, thanks

Chupaka

Was anybody able to upgrade via 'Check for updates'?.. %)

Chupaka

devs don't visit this forum

Chupaka

is there any improvement in queue tree being assigned to a single core in a multi-core router?

is it with parent=global or parent=<interface>?

Chupaka

How can I generate his queue so that he does not bypass the limits?

1) authorization
2) just create a queue for 'everyone else' (10.0.0.0/16) with hard limits

Chupaka

Just available? So, new style will stay here in release version? %)

Chupaka

Hi all, Justo to report that after upgrading RB951G-2HnD to 6.34.3 , IPsec/L2TP VPN stopped working . upgrading from what version? for example, What's new in 6.34 (2016-Jan-29 10:25): *) ipsec - fix phase2 hmac-sha-256-128 truncation len from 96 to 128 This will break compatibility with all previou...

Chupaka

Avoid using magnet to attach your mAP Lite.

is it v6.34.3 problem? can you reproduce it on v6.35rc?

Chupaka

Small bug in console:
Code: Select all
MikroTik RouterOS 6.34.3 (c) 1999-2015       http://www.mikrotik.com/
It was released in 2016

What's new in 6.35rc29 (2016-Mar-14 15:30):
*) console - update copyright notice;

already fixed in RC

Chupaka

you're funny, but this topic is about API, not about Terminal, SSH or whatever

Chupaka

to completely block packets via routes with gateway 172.16.30.12 you may try something like /interface bridge add name=blackhole protocol-mode=none /ip ad ad ad=192.0.2.1/30 int=blackhole /ip route add dst-address=172.16.30.12 gateway=192.0.2.2 scope=1 yep, kinda perversion... but I don't see any g...

Chupaka

I can't see any reason to use slashes instead of spaces, moreover slash has different positions on different keyboards — I don't believe they will change current command style...

Chupaka

We can not make sure that everything can be done with single click. Why do not jut use "X" to close Winbox? in WinBox v2, pressing 'X' almost never saved current session, so it is MikroTik who taught us to press 'Exit' ;) so please return it back... You become responsible forever, for wha...

Chupaka

unfinsihed products

is it because this subforum is about RC and BETA versions?

Chupaka

to completely block packets via routes with gateway 172.16.30.12 you may try something like /interface bridge add name=blackhole protocol-mode=none /ip ad ad ad=192.0.2.1/30 int=blackhole /ip route add dst-address=172.16.30.12 gateway=192.0.2.2 scope=1 yep, kinda perversion... but I don't see any go...

Chupaka

C - connect, S - static, r - rip, b - bgp, o - ospf

and the very first v7 bug report

a typo: should be 'connected', I think

Chupaka

After upgrading to 6.34.2 Traffic Flow stopped recording Rx. Tx worked fine. I reverted back to 6.29. I didn't try any releases in-between. what NetFlow version do you use? ROS 6.29 (2015-May-27 11:19) introduced NAT info in TrafficFlow, and it was stabilized in 6.33 (2015-Nov-06 12:49), so now v1/...

Chupaka

Good day! Where to send a request to add functionality in Winbox?

support@mikrotik.com

Chupaka

if you have MTCRE, it is automatically assumed you have MTCNA. Even if you passed MTCNA 8 years ago, if your MTCRE is active, you automatically have MTCNA

Chupaka

*) winbox - incomplete ARP entries are not refreshed;

I think, it should be "are now refreshed" or "were not refreshed"

Chupaka

Bridge firewall has to be enabled explicitly. It is off by default.

did you mean 'use-ip-firewall' in bridge settings? it should not affect Bridge Filter

Chupaka

problem in arp entry ip and mac on cero 00:00:00:00:00:00 i put the bug fix and is the same and teh version v6.35rc and is the same

What's new in 6.33.5 (2015-Dec-28 09:13):
*) arp - show incomplete ARP entries;

Chupaka

e.g. :log warning "Hotspot login of User: $user with MAC: $mac-address" results in a log entry "Hotspot login of User: Test with MAC: -address" The new variables with the dash "-" seem not to work... Can someone confirm this? old variables show the same behaviour. you ...

Chupaka

why those changes are not added to RouterOS changelog?

Chupaka

I downgraded to v6.32.x — it shows x86_64 too

It's old good virtual machine on ESXi host

Chupaka

huh... so, there IS 64-bit version for PCs?..

ros_x86_64.gif

Chupaka

looks like "Watchdog Timer" is hardware watchdog. setting "Watch Address" enables software watchdog which pings that address independently of hardware one. so you also need to unset the address to disable this behaviour

Chupaka

Chupaka CU at the MUM

seems like I won't be there

I can't find affordable plane tickets from Minsk to Ljubljana. 500 euro is a bit expensive

Chupaka

*) kernel - general improvement for core process scheduling;

what does that mean for performance?

Chupaka

looking forward to EU MUM 2016

Chupaka

What is Byte() ?

a type cast?..

Chupaka

as I see, the problem is with Synapse, not with RouterOS API unit

seems like Embarcadero removed TimeSeparator and ShortMonthNames vars in Delphi XE* - google for the "synapse delphi xe*"

Chupaka

Hi Mates I am trying to create 2 trunks ports in Mikrotik 750. Can you please guide us achieve this task, Ether 1 – TRUNK 1 (Vlan 10, 20, 30) Etehr 2 – Vlan 10 Ether5 – TRUNK 2 (Vlan 20, 30) Thanks Abbas just create VLANs on ether1 and ether5, create three bridges, add necessary interfaces to them:...

Chupaka

on RB1100AHx2 or RB493G I not had this problem, immediately after reboot i receive private IP and DNS simultaneous. but on CCR1009 not receive DNS... can anyone explain me why this happens on CCR1009 ? well, then I'd first take a look on the Log to see the difference in, for example, event sequence...

Chupaka

this is a temporary solution until they fix the bug ?
or always use dns statically ?

Always. It's not a bug. Router reboots, gives out IPs via DHCP, and only after that he learns DNSs via PPPoE. DHCP Server cannot force clients to renew DHCP leases, AFAIR

Chupaka

use router's DNS for customers or set DNS IPs in DHCP Network statically

Chupaka

well, it works for us in usual way (hundreds of active users per PCQ queue, RouterOS v6.10 to v6.33) on 'global' parent, and seems like that 'feature' was fixed in early v6: What's new in 6.0beta1 (2012-Apr-13 15:26): *) pcq queue is NAT aware (just like "/queue simple" and "/ip traff...

Chupaka

It's working!!!)))) I'm sorry, there was no active users))
Thank you very-very much!))

bwahaha, glad to hear that =)

Chupaka

isn't YouTube going through https now?

Chupaka

VMs on ESXi generate traffic

Chupaka

Even more interesting was the fact that my workstation had two NICs - the primary and the lab. Guess what - the primary NIC worked for netinstall / neighbor discovery. seems like it's because both those tools use first enumerated NIC and work only with it. if you disable one NIC - second one starts...

Chupaka

There is no explanations about signs (* = ? .) http://wiki.mikrotik.com/wiki/Manual:API#Queries Could you please write a correct ROS.Query() for CLI command "/ip hotspot active print detail where user=username"? I need to get mac-address of username from the result, i tried different vari...

Chupaka

Use ssh with key, then forward WinBox port to local router

Chupaka

Use Netinstall

Chupaka

Tried few times to re-download file and re-upload it to winbox. It just doesnt want to install.
Any suggestions?

what's the reason? it should be in Log after reboot

Chupaka

When I want to enter the IP Winbox shows me a message "ERROR: could not connect to" ip " can you ping that IP? is http://IP working? When I want to enter the MAC winbox shows me the message "Incorrect user or password" is strange because no one has changed the user or passw...

Chupaka

Are language selection and web interface planned to brought back? Or maybe some Android client?

Chupaka

what parent do you use?

Chupaka

The same here. We're on v3.6 now, and if v4 is out of Beta now, I'd like to upgrade

Will new Dude be upgraded together with RouterOS, or it's independent package?

Will client upgrade itself automagically?

Chupaka

We will release it with one of the next RC builds

rc14 is here, but no dude*.npk around =(

Chupaka

http://wiki.mikrotik.com/wiki/Manual:The_Dude

can't find it in Download section... =(

Chupaka

"switch" is about hardware functionality. This menu should be removed on CHR, I think

Chupaka

Just a reminder that the export is still broken. what's in export file? [admin@Neighbours] > export file=test [admin@Neighbours] > export file=test-v verbose [admin@Neighbours] > file print where name~"test" # NAME TYPE SIZE CREATION-TIME 0 test.rsc script 15.4KiB dec/01/2015 15:04:18 1 t...

Chupaka

1) you cannot change template format in RouterOS (for example, you cannot remove unnecessary fields) 2) template format is sent in NetFlow packets every v9-template-refresh packets or every v9-template-timeout seconds, so netflow collector knows exact format even if it didn't know it ever before :) ...

Chupaka

Template format? What do you mean? NetFlow packets contain information about the format of actual NetFlow data

Chupaka

Bwhaha, 5 years xD

Have you read that article?

Chupaka

Unfortunately, all virtual features are being added to Cloud Hosted Router http://forum.mikrotik.com/viewtopic.php?f=21&t=98981

Chupaka

How do I run this command with api?:
Code: Select all
/tool user-manager user  remove [find username=demo]

http://forum.mikrotik.com/viewtopic.php?t=26790

Chupaka

Probably, it's changing dynamic queues' parameters, and now dynamic queues are read-only. You should switch to newly-added CoA

Chupaka

Hi all, I have this error : tr_mkrouter.msend /login tr_mkrouter.msend /login tr_mkrouter.msend =name=apiuser tr_mkrouter.msend =password=2010 <-----{My clear password} tr_mkrouter.msend =response=39582d42fb88ca42ae0958e46b24e318 tr_mkrouter.open opening router error = !trap=message=cannot log in D...

Chupaka

Second one, I'm running this on a router running a hotspot service - will masquerading options affect how flows are captured & sent to the targets? Ahhh, I saw "something unusual" in your data, but haven't read thoroughly. Sure, you see two different flows: from the client to hotspot ...

Chupaka

hm-m-m... NFv5 works fine for me (we're using 'interfaces=all'), and in v6.33 topic someone said that the problem is now fixed

Chupaka

So how do you move firewall / other rules in webfig? There is no re-ordering capability as far as I can tell so I have to keep using winbox.

well, I drag it - and it moves

just like in WinBox...

Chupaka

indeed before posting here, i did that. in IE, Firefox and also google chrome. sure it's not cached.

checked my x86 installation - the link points to mikrotik.com...

We plan to make a new Dude release this year

yahooo!!!

Chupaka

just replace "/ip firewall filter find" with "/ip firewall filter find dynamic=no", using item ids (like "*8") is router-dependent

Chupaka

Janis, that's what I wrote you on Sept, 14th: v5 should stay old way (because changing it breaks everything making v5 useless), v9 - receive additional NAT info

so, seems like 6.33 has ideal combination for NetFlow, thanks

Chupaka

What's new in 6.33rc33 (2015-Oct-26 11:50):
*) trafflow - report flow addresses in v1 and v5 without NAT awerness

Chupaka

this should fix that:

What's new in 6.33rc33 (2015-Oct-26 11:50):
*) trafflow - report flow addresses in v1 and v5 without NAT awerness

Chupaka

check with the latest version (6.33rc33) and NetFlow v9

Chupaka

huh, at last

this should fix that:

What's new in 6.33rc33 (2015-Oct-26 11:50):
*) trafflow - report flow addresses in v1 and v5 without NAT awerness

Chupaka

sounds like MTU problem. you may try to decrease MSS for TCP packets by Mangle rule and check again

Chupaka

I have setup a rule such as this

chain=srcnat action=masquerade src-address=10.10.10.21

I am not seeing any traffic hitting this rule at all this src nat is not working.

Any idea?

the reason could be some other srcnat rule before this one, for example

Chupaka

you mean, "/export" and "/export compact" produce different results? that should be considered a bug

Chupaka

Is it possible to provide the server spec and approximate bandwidth/packets ? Actually i afraid from x86 network adapter bottleneck , IRQ Balancing , blabla.... Maybe i can use your experience to choose an x86 server for QOS . huh, cannot find any signs on the server :( it's some SuperMicro with 2x...

Chupaka

@Chupaka Did you find any solution or workaround ? Sometimes the routers cpu remains 100%

knock-knock on the wood, no complains for the last years. but we don't use CCRs for queueing. only x86, only hardcore

Chupaka

in Terminal, you do 'find', then 'remove'. Why do you try 'remove' without 'find' in API?

http://forum.mikrotik.com/viewtopic.php?t=26790

Chupaka

*) firewall - fixed limit and dst-limit options.

requesting more details on this =)

Chupaka

Chupaka. Once more. Ignore this bug.

thanks, reinstalled to solve

I hoped there was easy way...

Chupaka

At this time you could still change the flavor of kernel used.

how can I do that now, without network access to the router? I have only CLI

Chupaka

marting , the hidden problem is that both facebook and youtube are in internal HSTS list of Chrome browser, so they will only open via HTTPS, not HTTP. if you redirect it to the server with non-FB/YT certificate, Chrome user will see strict error, not target website so, generally, it's not possible...

Chupaka

you can dst-nat only new TCP connections (without data transferred), and URL detection happens when data is being transferred - at that moment it's too late to do NAT

so it's only possible if you know destination IP address and don't care about actual data (URL, etc) inside the connection

Chupaka

So, enjoy that switch while it is there as in the future it will be removed.

so, it's WinBox-only switch? I cannot change it via CLI?

Chupaka

Huh... I disabled 'Allow x86-64' in System -> Resources -> Hardware, and now CHR on ESXi sees only 1 CPU core and no Ethernet (VMXNET3). How can I enable 'Allow x86-64' from console?

Chupaka

64 version for bare metal x86 - not planned?
unclear, but most likely CHR will get priority with all 64Bit and multicore support for now

so, what is 'Allow x86-64' tick in x86 RouterOS?

Chupaka

Вместо 32 ядер сервера - осталось только 1 ядро. I can confirm: 6.31on x86 detects only 1 CPU core: [admin@TestPlace] > sys hardware pr multi-cpu: yes [admin@TestPlace] > sys resource pr cpu-count: 1 if you check 'Allow x86-64' in WinBox under System -> Resources -> Hardware, then all CPUs are back...

Chupaka

find by link or what?..

Chupaka

It was for big enough files or i misunderstood it? My list is surely MUCH bigger than 4kib. It has 257969 lines (4341454 bytes). yes, RouterOS Scripting cannot read so big files and stops on hitting something in other ban list(which is dynamic list of attackers). what?.. (O_o) what attackers? what ...

Chupaka

so what exactly happens? how long is your list? it's not possible to work with files > 4KiB in RouterOS, for example

Chupaka

Sadly it does not work for me.
I tried it

what 'it'?

Chupaka

How can i disable 60+ firewall rules from terminal?
With "fasttrack dummy rule" I can't perform disable [find] because i can't disable dynamic rule.

disable [find dynamic=no]

Chupaka

so please fix this.

fix what? "I have some error, I won't tell you anything about it, but please fix it - aren't you a telepathists?"

Chupaka

*) winbox - restrict reversed ranges in dst-port under firewall

it's still allowed, at least on CCR:

reverse-port.gif

Chupaka

SSL in WinBox protocol?.. what do you mean?

Chupaka

is this incorrect command from the manual?.. a link?

Chupaka

furthermore the variation: { :local address1 [/ip address get [/interface ethernet find name=ether1] address] :put $address1 } is likely as not to give an address from a completely different interface under that situation. that's completely incorrect command. first, you get ID of 'ether1' interface...

Chupaka

When upgrade 6.30 tile,mips l2-tp default route problem. If select "Add default Route" then "Connect to address" added routing table. Why? have you read changelog? *) pptp & l2tp client: when adding default route, add special exception route for a tunnel itself (no need to a...

Chupaka

This is not the issue.

so what is the issue?
looks like you have many addresses on ether1, not a single one. check with

:put [/ip address find interface="ether1"]

Chupaka

For CCRs it shows negative memory size - problem with 32-bit signed integers

Chupaka

Average CPU load 29% vs 31%?..

Chupaka

I have access to several public IP addresses at each location. Can I use one IP for the IPsec EoIP tunnel and a different one for the L2TP server?

yep, that should work

Chupaka

let's wait for first ROS v7 betas

Chupaka

I can't make any of arp static due to "Couldn't add new ARP, Already have such ARP!" error. It would be awesome if there was a command for that too. making static is only possible on gui (I know with some scripts it is possible. I mean something like "/ip arp set x static=yes") ...

Chupaka

Feature request: Ability to specify boot-file-name on a per static lease basis. This would add much needed flexibility for rather than using the global setting at the 'ip dhcp-server networ' level where all clients receive the same file. for now you should be able to create Network entry per IP wit...

Chupaka

[dcc32 Fatal Error] RouterOSAPI.pas(67): F2613 Unit 'blcksock' not found. [dcc32 Fatal Error] RouterOSAPI.pas(67): F2613 Unit 'synautil' not found. [dcc32 Fatal Error] RouterOSAPI.pas(67): F2613 Unit 'synsock' not found. [dcc32 Fatal Error] RouterOSAPI.pas(67): F2613 Unit 'synacode' not found. thos...

Chupaka

then... use correct path to RouterOSAPI.pas

p.s. that file is not in APITest, have you downloaded it separately?

Search found 8681 matches