MikroTik

IntrusDave

So, I was hoping to simple run this, and have the output placed into a variable that I could then parse. Unfortunately, it appears that the telnet output is sent directly to the console and cannot be captured. Any ideas of a simple way to get text from an outside source into a variable WITHOUT writi...

IntrusDave

Older client scripts requested "dynamic" (the "get=dynamic" in the URL) requests for the old "dynamic" are currently being redirected to "medium", and will soon be switched to an automatic selection based on the CPU and memory. I'll be honest, I have no intere...

IntrusDave

Unfortunately it's not possible to tell the source of the block. The lists are generated from 12 different high profile blocklists, as well as a network of over 200 routers. Once the server has all of the sources, the IP addresses are extracted and then aggregated into a new list that has the subnet...

IntrusDave

Hoping that one of the MikroTik guys can comment on this... My blacklist is getting very large. I'm hoping to be able to send the script (about 200,000 "add" lines) in a compressed format. Is it possible to compress it on the server side and send it as an NPK, then import from that? Thanks

IntrusDave

I had a quick peek at 2017.7.3f and I have to admit that I am a bit lost on it. Update: Before the v [ScriptVer] would undergo a cleaning of spaces which are replaced by %20 for use in the URL which is not not more done. I have still the word (testing) in my version string with a space in front. It...

IntrusDave

Updated the script with minor bug fixes, speed ups, and more detail when run from the console.

IntrusDave

Next thought is to only supply the addresses itself and that would shrink the size of the medium file from 4.1MB to 729KB but then we have to split it up in more than 177 files due to 4096 bytes String limit present in RouterOS. With more than 80% of the routers pulling the list only having a MIPS ...

IntrusDave

I went through different options how to reduce traffic and the quick and easy one is removing the comment in the medium and large file and that gives a reduction in traffic of over 20% assuming that the users of the medium and large file know what that addresslist is named dynamicBlacklist stands f...

IntrusDave

please keep in mind that with all the chaos in the world now, the list is regenerated every 4 hours. I don't recommend holding on to an older list for more than 8 hours. Also, I have no bandwidth caps so I have no issue with people downloading several times a day - But I don't want it abused and pul...

IntrusDave

The new backend and script are live. Make sure you read the comments and select the correct script for your router. *** DO NOT SELECT THE LARGE LIST FOR ROUTERS WITH LESS THAN 20M FREE DISK OR LESS THAN 256M Memory! *** Recommendation: Routers with 32M~128M memory - "small" list Routers wi...

IntrusDave

were there thoughts about BGP feed?..

Too much work

IntrusDave

Today’s update is going to be huge. Not sure when I will push it it out though. I am rewriting the backend that builds the list. I will be pushing out 3 lists soon. Small - about 750kb - intended for home users Standard - about 2M - intended for businesses Full - about 14M - intended for internet se...

IntrusDave

Also, consider adding a RAW drop rule to drop the subnet that the attack is coming from.

IntrusDave

Are you running my BlackList? It will help protect you from many attacks.

If this is a DDoS attack, and you have a dynamic IP, the simple solution is to change your MAC address on the WAN port and reboot the modem to get a new IP address.

viewtopic.php?f=9&t=98804

IntrusDave

I think you need to check that you have a reliable date in the first place. It can be a while between boot up and acquiring the current date and time. I would not count on a simple delay being enough, I would sanity check the date. I second that. If I've learned anything about RouterOS, it's that y...

IntrusDave

That's why I have always had two scheduled tasks. One for Startup and one every 24 hours.

IntrusDave

I updated both the server and script to correct for the notification not displaying. I also changed the script so that the previous entries are not removed if the throttling kicks in. I would love to NOT have to throttle, but several people have set up their units to update every 5 minutes. at 2M ea...

IntrusDave

That could be just the update timing. Currently, my list collects the data a 5am PST and rebuilds then. several of the sources also rate limit, but I may be able to push it and rebuild it ever 6 hours. that may keep them more in sync.

Okay, I changed the cron job to run every 6 hours.

IntrusDave

Very odd indeed. This is one of those times that we may just not have an answer. If I was in front of the box and was able to go through the config line-by-line, I might be able to figure it out. But I've often just found that a fresh start is a better way to deal with it.

IntrusDave

I would make a backup of the config, then reset to factory and do a very simple config, then test each port. You may have inadvertently changed something in the config that killed the port. If you want a simple setup - clear the config, then set ports 2,3,4,5 to master port 1. Ports 7,8,9,10 to mast...

IntrusDave

So far so good. Doesn't help the low end units much.
a quick test...

RB2011 - 123 seconds
CCR1016 - 25 seconds
RB1100AHx4 - 20 seconds
RB3011 - 33 seconds

....WOW! The new RB1100AHx4 is faster than a 16 core CCR.

IntrusDave

That looks like a nice clean solution. I'll test it out on the gear I have and then update the code. Thanks!

IntrusDave

Updated the script with the recommended remove code. It appears to speed the update process by 38~75 seconds on most routers.

IntrusDave

deleted

IntrusDave

deleted

IntrusDave

I rewrote the backend this morning. It now takes all of the sources and purges the /32's into the their corresponding subnet, if it is listed. it cut the size by 50%. it was in the 42,000 range, now back down to 21,000.

IntrusDave

David, please consider including blocklist.de's block list. I've been using both your blocklist and the one from squidblacklist.org for a little bit and so far the only major difference is from blocklist.de. If you add that then I can drop squidblacklist.org.

Done.

IntrusDave

By the way, why is the default path "disk1/dynamic.rsc"? because that is the default path of a USB or SATA drive. If the driver does not exist, it simply creates that path. This way the USB is used if it's there. Anyway, fun fun. I hadn't tried this before: jun/23/2017 10:50:44 system,err...

IntrusDave

it didn't work for me (CCR1016-12G)
error :
/tool fetch url="https://mikrotikfilters.com/updateBlacklist.rsc" mode=https;
status: failed

failure: connection timeout

Connection Timout on that would imply that your IP may be blocked to start with.

IntrusDave

Not with SFTP, no. You could use an HTTPS PUT and upload it to a web server.

IntrusDave

then consider using both =) first quickly remove for recent versions, then slow cleanup for older ones if necessary

I'll do that for the next release.

IntrusDave

I think that C-z in "0KiBC-z" stands for Compression gzip so it is there and now it is how to get that working for the .RSC

the C-z means "Control-Z to Pause", not compressed-zip

IntrusDave

We can't remotely begin to help without seeing the config.
you need to post the compact export for interfaces, bridges, and firewall. Maybe even the queues.

IntrusDave

Use ssh on the server side. It's simpler and doesn't require anything special on the router side.

ssh username@ip_address "/export compact" > routerBackup_export.rsc

IntrusDave

The server does compress the content.... As seen by this compression test.

IntrusDave

The loop is to deal with older versions of RouterOS that would only remove the first item it found when using Find.

IntrusDave

No

1amp at 5 volts is 5 watts
1amp at 12 volts is 12 watts

It’s best to understand how many watts the device needs and what voltage it requires.

IntrusDave

deleted

IntrusDave

From the quick guide:

IntrusDave

The mangle rules created by the script only mark the packets for DSCP. You will need to create new rules to set the DSCP for the video packets. Keep in mind that QoS only works for your outbound traffic. Unless you are using an MPLS for your WAN, you can not control your inbound QoS.

IntrusDave

Don't pass the DNS to the clients. Have the clients use the router as the DNS, and have the router use the ISP. Allow the router to use it's cache to reduce the LTE load.

IntrusDave

Just enable RouterOS DHCP server, no any MS DHCP server.

This is your problem. You should use the MS DHCP. It will register your workstations in the DNS. Use the services that the AD provides. (DHCP, DNS, WINS)

IntrusDave

Yes, you would need to mangle rules to mark the packets with the priority that you want them to have.

IntrusDave

The bandwidth test in the switch will not show the true speed. You will need to use something like a Linux based test on two boxes connected to the switch.

IntrusDave

Why don't you built an address list of the PSN IP addresses, add a filter that blocks and logs the connections. Then you can see the local IP addresses that are attacking. Then clean them.

IntrusDave

two 12v deep cycle batteries, a 50w solar panel and a charge controller will do what you need.

IntrusDave

Your router will honor the QOS tagging in the packets

IntrusDave

It sounds like you are bridging or routing, and not switching.
The device can do wire-speed forwarding on all ports.
Did you remove the default config? Set all the ports in a bridge?
If you are using it as a switch, then all ports should have port 1 as it's master.

IntrusDave

The device / application sets the DSCP. You VoIP signaling is 26, while your VoIP audio is 46. It's best not to change from the defaults. You will want to configure the router to read and use the DSCP bits. I use the script in this post to setup the routers. https://forum.mikrotik.com/viewtopic.php?...

IntrusDave

DNS needs to be pointed at the AD server.
That's may only guess without any info on the design of the network.

IntrusDave

While I don’t know the solution to your problem, this topic has piqued my curiosity. If it were me, I would first try connecting a PC to Ether1 and see if I got the same result. Next I would try a Crossover cable between the port and the modem. Next I would try manually setting the port speed and du...

IntrusDave

Doing the copy and paste from post #1 worked. Still not sure why it stopped working. Thank you!

Sweet, glad it fixed it for you.

IntrusDave

try a copy/paste from the first post. Not sure what the issue is, the server isn't reporting any issues.

IntrusDave

Are you using EoIP for anything?

IntrusDave

Consider at least upgrading to ESXi 5.5, preferably 6.5. I had MANY issues with VM and even full host crashes with 5.1, most have been resolved after moving to 6.5

IntrusDave

Once you put VLANs in play, you no longer have a "flat" network. You can run a pig and trace route from a notebook to the printer. If you have more than 1 hop, then you are routing and AirPrint will not work. It is a broadcast protocol. You issue is likely the VLAN tagging on the WLAN inte...

IntrusDave

DDR1333 and DDR1600 have different latencies. MikroTik is providing throughput details for the CPU clocked at either 1GHz or 1.2GHz, using DDR3 1333 or DDR3 1600.

IntrusDave

SHouldn't be an issue for most. The server will flag routers that get excessive and throttle them to 4 download in a 24 hour period.

IntrusDave

Thanks to someone setting up 50 routers to download every 2 minutes, the server is now blocking any router that downloads more than 4 times in a 24 hour period.

IntrusDave

The script was updated last week to work with the new backend servers. You can find the update in the first post of this thread

IntrusDave

One of the bonuses of 2.4 and 5GHz is that the 5Ghz is half the wavelength of the 2.4Ghz. That means that you can use a single antenna tunes for 2.4Ghz as a ½ wave 5Ghz antenna. That said, just find a nice 2/5Ghz dual band omni and you are set. The wireless config in RouterOS will let you select whi...

IntrusDave

In that case, simply add (or change) the current IP on ether1 to the IP that you would like it to have. Optionally, you can use the DHCP client to have the CRS pull it's own address and configure it's gateway and DNS automatically.

IntrusDave

Also, it's easier to understand the rules if you post them using this:

/ip firewall filter export compact

IntrusDave

The detail and understanding is something that you will gain by reading. https://wiki.mikrotik.com/wiki/Manual:TOC Read the filter section of the Wiki first. Once you cover that, it will become clear as to what they are doing. Just having someone explain it here will not help you in the future. Once...

IntrusDave

Everything you need is all in one place: https://wiki.mikrotik.com/wiki/Manual:TOC Start there, get your basics covered, then post back here for help on refining the setup. You will need to read and learn about the RouterOS before anyone here will be able to help. Without the basic understanding, yo...

IntrusDave

Whitelisting is accomplished by creating a new address-list and a new filter rule. 1) Create an address list - say.. "Whitelist" and add the IP addresses that you need never be blocked. 2) create a new filter "Accept" rule, using the src-address-list you created. 3) place the new...

IntrusDave

I noticed today when I started Firefox that I were getting hits on the blacklist. I followed the IP and found that it lead to hackademix.net and secure.informaction.com and looking on the site it was probably an plug-in was generating the hits and that was No-script. I use this plug-in for years an...

IntrusDave

I've updated the statistics page today. It now normalizes the memory and shows the percentage of each category

IntrusDave

PMs are blocked here. You have Facebook or twitter?

IntrusDave

Jim - Do you work for DWP or SCE?

IntrusDave

Here is the first two lines of my startup script: :log info "Starting System Startup script" :delay 00:00:20 Note that all this script does is send me an E-Mail that lets me know that the router has booted. Leave it to the HAM's to understand. :) That's almost exactly what I use. It works...

IntrusDave

No problem at all. I enjoy it.

IntrusDave

Fixed. Sorry about that. typo in the code.

IntrusDave

Not sure why its not working all of a sudden. I updated the script a few days ago and was working as of yesterday... Now when the script runs, it says its downloading the blacklist but nothing else happens.

What are the last two octets of the public IP?

IntrusDave

I've cleared all my starts and started fresh. Here is a quick and dirty stats page on the hardware accessing the list.

https://mikrotikfilters.com/blstats.php

IntrusDave

Awesome! Thanks for still doing this. Now that you got more stats, you should create some public pages cause i love me some random statistics!

I was just starting on a page that shows each type and number of routers that pulls the list.

IntrusDave

Glad it's working for everyone now. Stats are MUCH more accurate now. The server was starting to block devices behind NAT routers because it thought some were downloading hundreds of times per hour. Now it sees each as a separate device.

IntrusDave

syntax error (line 62 column 11)[/code]

I found the line 62 error and corrected it. delete the items you have, and reinstall. it should be good to go.

IntrusDave

I've updated the script to deal with the CHR using system-id instead of software-id. Annoying that they are different... I've tested on the following units with no failures. CCR1009-7G-1C-1S+ CCR1009-8G-1S-1S+ CCR1016-12G CCR1036-12G-4S CHR CRS109-8G-1S-2HnD CRS125-24G-1S CRS125-24G-1S-2HnD hAP+ac h...

IntrusDave

I am on a RB951Ui-2HnD

can you post the /system license print ?

IntrusDave

I'm guessing that everyone with issues are running CHR. I've found the problem and I'm working on a fix right now. I'll post the update in about an hour.

IntrusDave

Sorry man. More than 500 routers already updated and working with the new script. You are having copy/paste issues. I can't fix that for you.

IntrusDave

That would mean that you need the current script. It's available in the first post.

IntrusDave

Your URL is wrong.
Note the ? between "download.php" and "get"

url="https://mikrotikfilters.com/download.php?get=dynamic&model=$model&version=$ver&memory=$memory&id=$name&ver=$scriptVer&softid=$softid"

IntrusDave

Those are ANSI escape sequences. You need to use a terminal that supports ANSI.
Looks like you may be using Linux, you can use also use the screen command from a terminal window.

IntrusDave

Okay, I've updated the script again. It didn't like having the path and filename separate. # Import Intrus Managed Filter Lists # © 2016-2017 David Joyce, Intrus Technologies ##### Update your path, is you are using a USB Flash or other storage :global datapath "disk1/dynamic.rsc" ###### D...

IntrusDave

Yup, clearly a problem with the remove. I can't seem to get it to accept a variable

IntrusDave

Try this
:global datapath "/disk-8G/"

IntrusDave

I've updated the script with support for USB Flash as well as the new RB1100AHx4 with internal storage. I has also reworked the backend and script for more accurate accounting. Please update your scripts. # Import Intrus Managed Filter Lists # © 2016-2017 David Joyce, Intrus Technologies ##### Updat...

IntrusDave

I've pre-ordered one from Baltic Networks. It looks like a nice box and my be just what I'm looking for. The downside is that it should arrive the day before I leave for a 4 week vacation at the beach. Looks like I may be testing how it holds up to sun, sand, and humidity.

IntrusDave

The list is stored in memory while active.
If you need to use a flash drive for the update, just add the path of the usb drive to the path of the fetch and import lines.

IntrusDave

My list will not be moving to DNS. It over complicates the process and provides little if any advantages.

IntrusDave

Anyone have a release date for this? I'm ready to upgrade all of my sites and this unit would cover just about every use I can think of.

IntrusDave

Give this a try... # Import Intrus Managed Filter Lists # ©2016-2017 David Joyce, Intrus Technologies :log warning "Blacklist update in 30 seconds"; # :delay 10 :local model [/system resource get board-name] :local version [/system resource get version] :local memory [/system resource get ...

IntrusDave

Disable mangles, filters, & queues.

You have given us nothing to work with. What router? How much bandwidth? What are you filter & mangle rules? What kind of traffic?

IntrusDave

1. because you are bridging, and bridging passes all traffic.
2. enable firewall on the bridge and filter UDP 67 & 68 from passing on the ethernet

IntrusDave

I am always amazed when someone refuses to read the release notes, then posts here trying to shame and insult MikroTik for the end user ignorance. The only thing you have accomplished is showing us that you have no place in the I.T. field, and that you will not take responsibility for your own actio...

IntrusDave

Try downloading directly from here: https://mikrotikfilters.com/updateBlacklist.rsc Unfortunately, I don't have a router that gets this error, so I really can't troubleshoot it. If one of you want to give me access to a router that is having a problem with the script, I can try and figure out what t...

IntrusDave

Yes, You can create an address list with addresses that you never want blocked, then add an accept rule above the drop rules.

IntrusDave

That is the same unit I use for writing my scripts. I have just over 500 of them pulling the list every morning. The error you posted is almost always a simple format or encoding error.

IntrusDave

I don't know. I stopped using OpenBL a while back.

IntrusDave

Oh, and I ran some tests today. Filtering based on IP *ONLY* and not subnet.. the download was 112M and had over 2M entries.

IntrusDave

On that note - what is really pissing me off is that big hosts like AWS and Google aren't doing anything about shutting down the attacks coming from their networks. Much of the spam is coming from AWS servers that change IP's every hour. So the only way to stop them is to block the whole subnet.

IntrusDave

The filters are intended to be used as incoming filters, not outgoing. If you change your rules to only block new connections coming in on the WAN interface, all should be good. I don't recommend using the list with the RAW filters. By blocking incoming on the WAN and new connections, you prevent th...

IntrusDave

I don't blame them. Over the last 3 months my block list has gone from 5k entries to 30k. With most of the attacks coming from Russia and China. I'm starting to consider blocking all of Russia's IP ranges. I know that isn't good for most of the world, but my networks here in the USA are under consta...

IntrusDave

I'm not sure where the archive for SwitchOS is. But I would try to reset defaults and see if that helps. It sounds like the config corrupted in the upgrade.

IntrusDave

Congrats on being the first. Why not just put the switch into TFTP mode and upload the firmware? Not sure why you would have to drive two hours to do that. Or did you really update the firmware remotely without testing on a local device?

IntrusDave

Every time that I have seen a 400 Error, it is because the Copy/Paste didn't work. Something is the script is wrong... Maybe it has extra formatting, or maybe invalid characters. Make sure the OS that you are using supports UTF-8. Try copying and pasting the script to Notepad, and then copying and p...

IntrusDave

OpenBL is currently offline. So right now the filters are limited to my internal sources.

IntrusDave

The rules are just examples, and should always be adjusted to suit the needs of the network.

I don't know what's going on with OpenBL. I can only assume they have either shut down, or are under DDoS.

IntrusDave

Use this scanner - open this link from inside you network.

https://www.grc.com/x/ne.dll?bh0bkyd2

IntrusDave

It's possible that they are redirecting traffic on those ports. Maybe to try and protect you, or to prevent you from running servers on them.

IntrusDave

simplest explanation is normally the correct one.

You have ports open.

If you need a more detailed answer, you will need to post your firewall filter and nat exports.

IntrusDave

Glad it's working out for you.
List usage jumped from 4800 to 5100 in the last two days.

IntrusDave

I have not seen the device yet, but I would guess, yes.

IntrusDave

what is the propose of this "Woobm" device?

... (W)ireless (O)out (O)of (B)and (M)anagement.

that would be... Management of a device, wirelessly, while not requiring the network to connect.

IntrusDave

They have been pretty clear that there will be no status updates until a beta is released.

IntrusDave

No ROS 7 updates?

That's highly disappointing...

ROFL! Did you really expect that??

IntrusDave

Some interesting stats... +-----+--------------------+ | QTY | model | +-----+--------------------+ | 721 | RB951G-2HnD | | 548 | RB2011UiAS-2HnD | | 374 | RB2011UiAS | | 309 | hAP+ac | | 298 | RB951Ui-2HnD | | 182 | RB751G-2HnD | | 178 | CCR1016-12G | | 174 | SXT+Lite5 | | 166 | CCR1009-8G-1S-1S+ |...

IntrusDave

Then you will not be able to block brute force attacks.

IntrusDave

You can use this free tool, it works well.

http://www.terminalserviceplus.com/rdp-defender.php

IntrusDave

Okay, I spoke with my sister, and she was also to get my the engineering documents. Unfortunately, the drawer's interface used the Microsoft HID (Human interface device) interface. That means that the drawer receives commands, and sends back status to the system, instead of a simple Serial interface...

IntrusDave

A RB3011 with a regular configruation when upgraded from v6.38.5 to v6.39.55 or v6.39.58 device becomes unusable: reboots again and again until it is recovered with reset and netinstall.

I has this same issue. I think it may be from the addition of the partition support.

IntrusDave

Sister confirmed that it's one of her's sold in Ireland. She will get me the engineering specs on Monday.

IntrusDave

I'll look into this.
My sister is VP of customer service for M-S Cash Drawer.
I'll see if she can get me the details and maybe a sample.

What model drawer is it?

IntrusDave

I don't believe that they will change the warranty. However, with the very low price, I recommend ordering a few spare units to keep on hand.
I have only had 1 MikroTik fail - a LHC5 - but I believe that was because it was not grounded.

IntrusDave

Schedules are allowed to have the same name. -- The server side was updated today. I was forced to make the server require the identity. The public IP and Identity are used for accounting so I can track the bandwidth and number of requires. I understand that some will object to this, and I will prov...

IntrusDave

I'm not supposed leave the router in the network core.

what does this mean?

I'm not really sure what you are asking - but I use Mikrotik for everything except for my voice PRI's. I use them in each office and my datacenter. I have a total of 31 CCR1016's and 6 CCR1032.

IntrusDave

Glad to have helped. It took me several days of looking at every little thing to figure that out.

IntrusDave

I don't even know where to start with that. Maybe MTU? running pppoe? ssl proxy? wrong MTU? anything different about this router over others?

IntrusDave

Unfortunately, I don't know how to help you with this. I don't see any errors in my server logs. I can only assume that you are getting ssl errors. You should be able to manually install the scripts from the first post.

IntrusDave

You issue is that the router simply didn't complete the download. Today's download is 603k. If it's getting out off, you may want to see if your ISP is trying to proxy ssl connections.

IntrusDave

Any chance that you have a ppp or epio interface in a bridge? Everytime that I have seen this issue, it has been an MTU problem. When you add an interface into a bridge, the bridge will automatically lower the MTU of the bridge to the lowest MTU of all of the interfaces. This almost always breaks HT...

IntrusDave

This has been discussed many times before. If you must use the RAID controller, you will need to use CHR on ESXi 6.x.

IntrusDave

That's find, but make sure that the rule is placed above any accept rule for established connections.

IntrusDave

I agree with pukkita, a PC is going to cost double what a CCR1009 will cost. Even a CCR1016 is only is the US$500 range.
I use the CCR1016-1S-1S+ for my 500/500 fiber links. They support 50~150 PC's without even getting warm.

IntrusDave

You need to put in a filter rule (preferably in the RAW table) to block the blacklisted IP's

IntrusDave

You can use WinBox. Open System->Scripts, then create a new one. Paste the above script into the editor.

IntrusDave

Using that script will get you the framework that you need. Once you have that, you can add a few simple Mangle rules to mark the Plex video as a higher priority than the NAS file transfer. You will also want to keep the ACKs at a higher priority than the rest of the traffic.

IntrusDave

This is not a bug. czech republic allows 5725-5875MHz for A/N/AC at up to 14dBm for fixed point-to-point links. It is your responsibility to set the scan list to the range that is legal for your use. If MikroTik blocked that range, then someone would be upset that it was blocked, because they need i...

IntrusDave

MikroTik more or less gives you 100% control over everything. So you have to implement QoS using a Queue Tree and Mangle Rules. Simple queues can work, but a Queue Tree/Mangle Rules will do the big work for you. With the RB3011, you have more then enough power to implement full DSCP. with the lower ...

IntrusDave

You can try this script. It will setup QoS based on DSCP, honoring applications preferred DSCP packet marking. #Set interface here :local outboundInterface "wan0" #Set bandwidth of the interface (remember, this is for OUTGOING) :local interfaceBandwidth 4M #Set where in the chain the packe...

IntrusDave

*) ipsec - show hardware accelerated authenticated SAs; Is there any possibility that WinBox could highlight the algorithms that are hardware accelerated on each platform? You mean putting this information into winbox? https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Hardware_encryption. Couldn't hur...

IntrusDave

*) ipsec - show hardware accelerated authenticated SAs;

Is there any possibility that WinBox could highlight the algorithms that are hardware accelerated on each platform?

IntrusDave

You are correct. I will fix this.

IntrusDave

Use a serial console cable and repartition and reformat the NAND. Make sure you reinstall the latest stable release.

IntrusDave

The startup is not a permissions issue. It has to do with the interval. When the interval is 24 hours, the first run doesn't occur until 24 hours after the boot.

IntrusDave

Updated the first post and the timeout to 25 hours. The identity is never seen by anyone but me. I do have DOD clearance, so nothing to worry about.. Well, I guess that doesn't mean much now days. You are welcome to set a static name for each router in the script. The database is stored on a separat...

IntrusDave

At one point the list was updated every 48 hours, but as malware has spread faster and responses are faster, the list now expires after 24 hours. Maybe upping that to 26 hours will help some. My routers update themselves every 23 hours. The script does run from the terminal as a whole... /system scr...

IntrusDave

DNS and BGP both complicate things dramatically. The current distribution method is very simple, stable and requires very little to setup.

IntrusDave

that is correct.

IntrusDave

Nothing.
The rate changes due to environmental conditions, as well as power saving. No need for a device to be transmitting at full power and full bandwidth when it is idle.

IntrusDave

What do you define as CPE mode?

To provide wifi-to-ethernet bridge, you should be running the WiFi interface as "station-pseudobridge".

IntrusDave

Yes, do a Netinstall so the NAND can be formatted. Likely just OS corruption.

IntrusDave

Are you running current or development RouterOS?

IntrusDave

Really? Every day?
I'm most curious as to why you are changing such major things in production routers... everyday.
Then again, both of the item you described, I tested in my lab on several different routers and had no issues at all.

IntrusDave

Correct, Switch 2 will drop to a single gigabit link to the CPU, and SFP will have a single gigabit link.

IntrusDave

Just hit 4000 active routers using the BlackList.
Notable users are T-Mobile, using it on there Fixed LTE deployments. And even more so, several US Government sites have begun pulling the list.

IntrusDave

The default IP address is 192.168.88.1.
username is "admin" with no password.

IntrusDave

If possible, you should use

/ip cloud public-address

. The Interface address may not always be a public IP address.

IntrusDave

Posting this multiple times, in multiple places will not change the fact that this is an English based forum.

IntrusDave

Tools -> Advanced Mode
Then you can add comments.

IntrusDave

I wanted to give a status update on my blacklist. As of this morning, the Blacklist has 3,500 routers downloading the list everyday. They are pulling 1.7GB of data every 24 hours. Just about 52GB per month. I have moved the handling of the blacklist to a dedicated server. I currently use 4 high-prof...

IntrusDave

I'm sorry you have had such problems. Though I don't think quality is in question here. I have just under 200 Mikrotik devices deployed, and I have only had two issues with updated. Both were CCR1009's that had an flash error that was fixed very quickly.

IntrusDave

This is not a BUG. The rule will be invalid if you are using an inactive interface as a matcher.
Once the interface is active, then the rule will be valid.

IntrusDave

Sorry, not going to block TOR nodes. I am an active donor to the TOR project. It would be hypocritical of me to block it. But thank you for the input.

IntrusDave

You can use this script to setup the basic QoS based on DSCP. It works well and honors the DSCP set by the application you use. Make sure you set the WAN interface name and the *upload* bandwidth. #Set interface here :local outboundInterface "wan0" #Set bandwidth of the interface (remember...

IntrusDave

Nothing at all. They are blocking your IP address.

IntrusDave

you will need to contact Netflix and convince them that your clients are legit.

IntrusDave

https://mikrotik.com//thedude

IntrusDave

Then you should filter it. However, nearly impossible to track the ever changing exit nodes, and impossible to detect.

IntrusDave

If a user is using TOR, then they are on their own for security. At this time I have no interest in blocking TOR.

IntrusDave

No it doesn't. That is not something that I am interested in blocking. I am a big privacy advocate and I don't want to take away that option

IntrusDave

you can add a second schedule to run at startup.

IntrusDave

Do not appear to be an issue with RouterOS. Tested on 6.38.1 and it updated correctly.

IntrusDave

I get no errors with the script.

IntrusDave

For openwrt help, you will need to seek out an openwrt forum.
for RouterOS, the ports in each switch group need to be slave to the first port, and the first port in each switch needs to be in the bridge.

IntrusDave

80gbps on a CCR1072. Limitation is hardware and number of connections.

IntrusDave

You are welcome to change it as you like. I don't use flash drives in my routers.

IntrusDave

The RB3011 can do it. As can the CCR1009, CCR1016... What is the WAN bandwidth?

IntrusDave

sounds like the switch chip failed. You could try a factory reset, but I don't think that will help if the switch has failed.

IntrusDave

Have you tried a different network cable, and a different PC?

IntrusDave

This is a 6 year old topic. I'm sure the issue was resolved 6 years ago.

IntrusDave

I don't think such an incredibly rude response is going to help anyone here. Maybe take a step back and reread his response. I believe the response was intended as: 1) MPLS forwarding at wire speed is not a "hardware" issue, forwarding is done already. 2) MPLS Switching is not done at wire...

IntrusDave

I'm still waiting for a stable version of Windows...

IntrusDave

IntrusDave

maybe you should return it and buy something else. I have two CRS112's in service. both route 50mbps links just fine. I wouldn't expect such a low power CPU to route any faster. The specs on the site show a best case. Bottom line, if you need faster routing, buy a router that can handle double what ...

IntrusDave

I can tell you right off.. Change to 80Mhz Ceee

IntrusDave

These companies use CDNs. So what you see as blocked, I may not see blocked. When something is added to the block list, it is because that IP was found to have some form of malware. The filters can be used in many ways. The list can be used in the RAW or the standard filters. Both incoming and outgo...

IntrusDave

Mikrotik has NEVER said 7.0 would be soon. They have always stated "when it's ready"

IntrusDave

Mikrotik should communicate the situation around v7 in a more professional way - its not a free time or fan based project which could dare to keep responding in way "its ready when its ready". All the silence around the approximate release date is nothing but undermining company's credibi...

IntrusDave

it is not uncommon. The blacklist is an automated system that flags any IP that has served malware in the last 7 days. Just because a CDN is used/owned by Microsoft doesn't mean that it is impervious to malware. Again, as I have stated before, This system was designed by me to keep my paid clients a...

IntrusDave

I've never tried any wireless on the CHR or x86 RouterOS. You can look in the hardware list to find out what is supported

IntrusDave

The OS and firmware updates do not effect the configuration. Each unit should take about 45 seconds of downtime to update.

IntrusDave

http://www.mini-itx.com/store/?c=112
with ESXi and CHR.

Works perfectly.

IntrusDave

Try installing the latest 6.38RC41 and then upgrade the firmware in both to 3.33

IntrusDave

I don't have any of the wAP units, but I'm assuming they are all defaulted just like the rest. By default they are configured as a router. You will want to log in to it, remote all of the filter & nat rules. Then put ether1 and wlan1 / wlan2 into a bridge. Then change the DHCP client to use the ...

IntrusDave

That error occurs when you are Double-NATed. Switch the ISP modem to Bridge-mode and that will fix it. Or you will need to port-forward the WinBox tcp port.

IntrusDave

At some point, did you have an RC installed? Maybe you downgraded the RouterOS before updating the firmware.

IntrusDave

Use WinBox and see if the drive is listed in the System->Disk window. If it is, then format it. If not, then it wasn't detected.

Search found 1286 matches