MikroTik

ivicask

It's supposed to use TTL. What RouterOS version do you have? I noticed the same(any versions ever), what TTL you talk about ?In this case timeout value is empty because i never want entry to expire and get removed from address list, there is no TTL setting. I get over 1 Million DNS requests per day...

ivicask

Torch for IPv6 still not working. Can anyone confirm? @ Mafioso Please read through this and tell us where Torch is noted THEN copy and paste it into excel or any document and do FIND/SEARCH for the word Torch, just in case you missed it doing in manually. What's new in 7.2rc2 (2022-Jan-28 11:00): ...

ivicask

I dont understand, how it's possible to manufacture so called router os and still have this HUGE, 14 years nover solved problem? How to fix it??? I have Shelly device, it connects to wifi and after few seconds receives "disconnected, unicast key exchange timeout, signal strength -52". WHy...

ivicask

I have 7.1.1 on RB4011 with CAPS-man - here is some bug with bridge/capsman - any change with bridge (disable port, or change mode to rstp/none) cause almost frozen routerboard, reboot required. Simple: create bridge with eth ports, create caps-man with datapath add to bridge, then add cap. without...

ivicask

I have also alot of packet lost on ethernet interfaces and some on SFP when going from 10gb to 1gb, the fifo suggestion made it even worse, some ports have 100 000 drops in few days with it...
CRS354-48G-4S+2Q+RM

ivicask

While I think the minimum amount of flash should be higher 64M or 128M and Ram should start at 128M, this would increase the cost of the devices. In your case you reference the hap light which is basically the cheapest device mt sells (along with the hap mini) at $20 usd. It only has 16M of flash -...

ivicask

RB5009 arrived. Here's some brief testing of cake. ISP: Aussie Broadband Technology: Fibre To The Premise (FTTP) Down/Up: 1000M/50M /queue type add cake-diffserv=besteffort cake-nat=yes kind=cake name=cake-default add cake-ack-filter=filter cake-bandwidth=45.0Mbps cake-diffserv=besteffort cake-nat=...

ivicask

These addresses can be temporarily disabled I don't like the fact that I have to disable those for the memory leak to not occur, but I disabled the scheduler tasks, cleared out the dynamic addresses, and upgraded back to 7.2.rc1. After reboot CPU and memory were stable. So yes, my issue was also li...

ivicask

Dude, so far it looks like a bug in 7.1.1 and 7.2rc1, these topics are for problems related to these specific versions, please don't spam the forums with offtopic talk. Wasted 3 posts for nothing. For general "don't use v7, v7 bad" please open another topic. Thank you. So, on topic, did y...

ivicask

Updated from 7.1 hap ac2 crashing after 30mins out of memory, also cpu sticks at 35% with no traffic. Also memory leak on 2 other APs runing nothing but wifi..
Downgraded to 7.1.1 works fine so far.

ivicask

Did you add this for improved roaming?(fine tune the value to your liking) ... add action=reject allow-signal-out-of-range=6s client-to-client-forwarding=yes disabled=no interface=any signal-range=-120..-83 ssid-regexp="" At best it's not any better, at worse in your dark spots clients ge...

ivicask

Klembord-2.jpg . . To my experience this will not let you return to this AP for 6 sec, after you have been kicked out, even if your signal is now OK. Even if you set this to 1 sec, there is another cache for a short delay that says "banned(last failure ...)" This is a problem if the AP's ...

ivicask

Interesting article and I would be happy to see these improvements. One other thing that is different that I have already suggested in the past but didn't see any action except the very first days of discussion is the fact that ubnt controller is pushing the parameters to the APs and if we loose fo...

ivicask

Mikrotik : Constant ~1sec drop when roaming. We tried tried RSTP off/on, ROS 7/6.49.2, numerous resets and other tweaking. Constant ~1sec drop. Did you add this for improved roaming?(fine tune the value to your liking) /caps-man access-list add action=accept allow-signal-out-of-range=6s client-to-c...

ivicask

I also hope we don't see anymore same old wifi devices next year, wave2 and wifi 6 products are a must!

ivicask

v7.1 contains routing fixes and improvements in order to fully comply with 6.x setups.

Please give us more detailed changelogs, even if it only says briefly like you wrote now, if we have related issue, we than know to flash new version and check if issue is resolved..

ivicask

Thanks for the reply, now which model should i buy for AP and for wide beam,. My 2 stations are not in the same line, it will maximum 500mtr wide

Depends on distance and separation

How about you just buy another LHG5 and problem solved ?

ivicask

You can't, they come with level 3 licence and don't support ap mode, only bridge, so you can connect only one client. You could upgrade(buy) one to lvl 4 licence than it would work, but again this aps have very narrow beam so they would need to be positioned In same line behind each other in order t...

ivicask

I can confirm you, Wireguard is THE FASTEST for SQL from my own experience.
Also LTE is the worst for SQL

ivicask

You have virus i saw this at customers laptop also recently, it had some obvious name like crcs, i forgot exactly, and was even visible in regular startup entries...

Cleanup your pc dude.

ivicask

Buy 6x sxt Sq 5ghz models(for 50mbit even none ac ones will be enough) but I recommend ac models for futureproof and put one at each of the arrows from Pic and all will work perfect fine even at much greater distance.

ivicask

Using cake or codel? Thats what's crashing my 4011.

ivicask

Its strange, i didnt limit any ports at all. I will change the server port and after disable the port and make some test. I just got the same switch and copies just fine, but i installed V7 on it immediately as i got it, so cant hurt to try also its running perfectly stable(for now). Do you use Rou...

ivicask

CAKE queue still not fix yet on hexS with
pppoe-server

Router reboot

IM also able to crash my 4011 in matter of 5min by setting codel queue, sent several logs, i think they really need to add some better debugging, they never find any crash log in supout that router self generates...

ivicask

I just got the same switch and copies just fine, but i installed V7 on it immediately as i got it, so cant hurt to try also its running perfectly stable(for now).

ivicask

Hello, Can someone please confirm the problem on wifi 5Ghz under heavy load ( e.g. copying a larger file, iperf) There is no disconnection from wifi, it just stops forwarding data. Same problem on RC4 and RC5, firmware updated. Mikrotik RB962UiGS-5HacT2HnT Laptop Lenovo T580 Intel Wireless-AC 8265 ...

ivicask

I get this also often on may sites and im 100% sure there is no static IPs because its all served and reserved by mikrotik DHCP it self.
I even get this few times a day on hotspot controlled by mikrotik hotspot controller, i doubt ppl put random static IPs on their phones..

Its just mikrotik issue..

ivicask

Practicing for Alzheimer's. I've been using Mikrotik routers for many years, since the RB133. but as I get older and not need to modify configurations much, I've forgotten quite a bit. I just purchased a hAP ac3 to use as the core for my new home network. I am trying to add a second LAN to support ...

ivicask

Hello. I would like to block the users in my networks from accessing their private blogs in blogspot.com, since it turns out they are most of time spending there, and this angry the boss quite a bit. Anyway I've tried the solution by adding blogspot.com to the address list, and then drop the traffi...

ivicask

The question is simple.. I need to cover areas with a lot of people.. conference hall, restaurant, swimming pool.. I mean, hundreds. A single CAP XL AC, how many clients is able to carry? I know it's even a matter of throughput so I say I could give 10Mb/1Mb limits via captive to each connected cli...

ivicask

Cant upgrade 2x LHG 5 AC from 6.49beta22 to 6.49 Stable, not enough space, i got nothing on internal storage...

ivicask

Hi (again), this thread is quite mixed up with a lot of different things. My issue seems to be of the kind of "mainly related to Apple devices". (I've seen it once with a Samsung mobile as well but very rarely.) I'm really wondering how this can be an issue since 2018 w/o anyone (like Mik...

ivicask

As you can see from hes config above he did that, so did i, while you are right and old protocols are total performanse killers and cause problems, in this case its not helping. His config did not have those settings, thus the suggestion. Those are the settings I use with zero issues. I don't use a...

ivicask

I don't think it's config issue or anything we can do our side, I mostly only have issue with Apple devices and I think its something Mikrotik needs to resolve their side.

ivicask

I would set your 2ghz channels to 2ghz-onlyn or at least 2ghz-g/n. For 5ghz set it to 5ghz-n/ac. You could have issues negotiating the older protocols. As you can see from hes config above he did that, so did i, while you are right and old protocols are total performanse killers and cause problems,...

ivicask

I got same issues as you and i dont think there is anything left i didint try, other brands work fine on same setup with zero issues.

ivicask

Darn! After a reboot I lost about 5000 of my 22000 address-list entries. Good that I had a reasonable recent export so I could restore more than 99%. The router is a 4011. Manual reboot or crash?My 4011 crash rebooted 2nd time now after 4 day uptime, no supout was generated, just" router reboo...

ivicask

DNS issue is absolutely irritating and its existing in 2+ months of 6.49 releases and was reported so many times by users i just dont get it how was it not fixed yet?

ivicask

4011 rebooted after 1 day 15 hours uptime RC4, no crash log generated..

ivicask

Export creates code, that import can not read (starting with 7.1rc3): Export: /ip dhcp-client add add-default-route=no disabled=yes interface=FFNK script=":if (\$bound = \"\ Import: [admin@router] > import file-name=export.rsc verbose=yes #line 1 /ip dhcp-client #line 2 add add-default-ro...

ivicask

Maybe they are honeypots? I hope... :p

ivicask

And Crysis of course.

ivicask

Do not use backup, use export for configuration. Thing is, simple export/import is broken in 7.1rc3, "expected end of line error" when line-break inside double-quote, example : /user group set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\ sword,web,sniff...

ivicask

Yes you can restrict the number of clients. But it is for me by no means a measure for the load on that AP. 100 clients that are quiet give almost no load (happens more these days than some time ago with smartphones, smartwatches etc). 1 client, from far away, transmitting or receiving at 6 Mbps, c...

ivicask

@solarium14 How do you measure thet 2.4GHz "gets crowded"? Number of devices? Traffic? Signal quality? You can write a script which counts devices connected to 2.4 bands and then change ACL to drop block new connections or drop all these with quality below limits to "persuade" t...

ivicask

Please Mikrotik stop releasing from this point any new WIFI devices if they dont support at least new WAVE2, or even better WIFI6..

ivicask

Oh, well... now give all the instruction and information that the OP ask, I go to bed, my help here is not needed, you are present. Even by doing simple load balance for each new conection evenly between 2 isps he can achieve what he wants, and torrents are best candidates for this. I was just tryi...

ivicask

You are not the user than open the topic. The second line he have is already natted... Nat absolutely makes no difference, I use local hotspot to increase my torrent speeds, what's even funnier this hotspot blocks torrents you can't even open most of torrent sites, but I can use it just fine after ...

ivicask

Is impossible to combine two ISP speed to download/upload with higer speed than the faster line. (Unless some technology on remote side intervenes) Is also impossible to use one line only for download and the other for upload. The communication between same remote service can happen only on same li...

ivicask

thanks

Are you using cake or codel on simple queue with interface as target?

ivicask

The PPPoE through a SFP still drops back to a MTU of 1480...it was fixed in Beta 6.49 so please patch ROS 7.x also.
Just chiming in again that I can second this. Thanks msatter for testing I always look for your reports.

Same here

ivicask

Did you try runing 802.11 instead nv2 for link between them?

Also is your routerboard firmware updated to match software?

Otherwise no ideas to help you, you did everything OK.

ivicask

Kernel failure 5mins after setting cake to my simple queue..I sent you supout (SUP-58379)

ivicask

For me cake is crashing my SXTSQ 5 in matter of minutes even on RC2, its just simple wifi client with basic firewall rules..
It did create autosupout if any of devs wants it tell me,

ivicask

I have port-flapping issue on my hAP AC2 as well. It didnt have it when I purchased it 4 months ago, I guess the issue started happening 1 month ago, maybe due to the firmware version. Its between my router (ac2 on ether1) and mikrotik SXT on the roof. I changed the cable and reset the router but t...

ivicask

Interestingly, my RB4011 has fq_codel on all interfaces and never crashes because of fq_codel.

Same here 3 totally different devices, I set fq codel mixed configs, from wifi interfaces, pppoe and queues and they all have 3 days uptime now.

ivicask

This might sound bizarre, but anyone experiencing kernel crashes with cake/fq_codel, can you confirm the router is stable if there is no active WinBox session to the device? We currently think the crashes are caused by WinBox management session shaping. I had the Mikrotik Android app open on my pho...

ivicask

time=17:35:10 topics=pppoe,ppp,info message=pppoe-wan: disconnected time=17:35:10 topics=script,warning message=ivicask ppp profile on-down test, if you see this, it works. time=17:35:15 topics=pppoe,ppp,info message=pppoe-wan: initializing... time=17:35:15 topics=pppoe,ppp,info message=pppoe-wan: ...

ivicask

One more thing i found broken is under PPP->Profile-> On up / Down Scripts dont work anymore, hope can be fixed in next update because i have some scripts for fast failover and email sending there..

ivicask

Yes, it seems that limit and target-address are required. I don't think this should be the intended behavior, Mikrotik users (and guides on the internet) have been applying simple queues directly to interfaces for years without issues. It works great with the V6 queue types but V7 ones such as CAKE...

ivicask

After upgrade on one HEX S which i use only for Wireguard i get spamm of this for all peers constantly in log. wireguard1: =(peer): Handshake for peer did not complete after 5 seconds, retrying (try 16) But everything works fine, i also tried closing the WG port because i was thinking it may be inva...

ivicask

Hi @xvo, thanks for answering. What do you mean by "a wireless brigde"? I tried to do a setup in repeater mode with the third radio, but that did not work at all sadly. It means simple AP mode on one audience and client mode on other which connects them together like you used cable, but i...

ivicask

It's on by default afik

ivicask

There is no "capsman roaming". Any client roaming is unrelated to capsman.

So how im going thru 4 floors of school with my phone running ping to google servers, and drop zero pings, while switching between 15 different mikrotik aps?
Isnt this an example of what you want to achieve?

ivicask

Whats wrong with capsman roaming, works with any Mt hardware, and works wonderful.

ivicask

For me wifi is breaking when uploading anything on this test versions, fresh reseted wap ac,5ghz, download 300mbit fine, i go other direction hangs at 100kb few sec than wifi breaks and log says extensive data loss.Got same issue on devices like SXT 2ghz, WIFI disconnects on upload. Flashed back sta...

ivicask

Just upgraded to 6.49beta54 and I can confirm that the DNS cache issue is still present. I was able to reproduce it using the same POC I provided to support (SUP-51096). Not only that but my router is crashing, 6.49beta54, out of memory, DNS using absurd amounts of memory, the issue is even worse o...

ivicask

Why disable anything, for basic dns server with cache it worked fine and it's broken now, mikrotik should check and fix it so it works as before.

ivicask

Regarding 6.49beta54:

No fixes for the DNS memory leak introduced in 6.49beta46?

Just asking based on the changelog, haven't tried it yet.

I got same issue, it uses all up all memory set even that there are only few entries in dns cache.

ivicask

I install a WiFi4EU network with Mikrotik CCR1009 as Gateway and hotspot, I edit hotspot portal captive to permit access without authentication and load visibility, it works fine, but WiFi4EU authority need to see captive portal remotely to verify the visibility. How can I do to permit access to we...

ivicask

If you can switch your DNS to DoT (TCP/853) or DoH (TCP/443) you can close all traffic incoming with source port 53 (TCP/UDP). Then if that working for you then you could ask upstream to temporary block all traffic with source port 53 because you swichted the protocol for DNS. General remark. As wi...

ivicask

Get the RB4011, and maybe you can add a firewall rule in the Raw section that just blocks all UDP except for DNS and QUIC. Or just block all TCP/UDP/53 incoming from WAN from now, except from 8.8.8.8 and 1.1.1.1 and temporary use Google/Cloudflare for upstream resolving? This looks like some DNS am...

ivicask

Those messages are related to IPv6 on your local network. Unfortunately they do not include enough info to hunt down what device is causing them.
(there should be a MAC address or IPv6 address in those messages...)

Yeah i figured it already and disabled IPV6 as we dont use it at all.

ivicask

Anyone can tell me what is this?I only use this router (HEX) for wireguard and nothing else, first time i see this messages and thats only after beta 6

ivicask

Got same issue on one location, i see all romons devices and can ping and all but cant connect, completely shut down FW doesnt help, i think they broke it with some update again like same happen recently before, and cant updated them right now as i cant connect via romon...gona need to go to location.

ivicask

Can we get ICAP client support?

ivicask

Some notes to the wireless part. Radardetect/DFS is an increasing issue - The used chipsets cant distinguish wireless signals from Radar in a lot of situations - You could decrease the false detection rate using *correct* Gain-Data as this goes into the calculation - With newer Firmware, Vendors ha...

ivicask

You should remove this file from here and send to support@mikrotik.com. This file contains passwords etc so you should not post it in the forum here. Dont care its fresh router with mostly stock config passwords are unimportant EDIT:Checked file with rif viewer, there are no passwords inside at all..

ivicask

Anyone care to send autosupout.rif file from the crashes experienced with these versions?

HAP AC 3, crashes 100% when i connect via phone to main SSID, doesnt crash when i connect to vritual one. Same setup works on release software.

ivicask

Can one PWR-LINE AP also be used as Capsman controler to control other PWR-LINE AP?

ivicask

Is this a bug or some kinda of new feature, my bridge gets new MAC every time i reboot router (Hex), just installed beta3, so DHCP reservation is messed up as it gets new ip every reboot.

ivicask

I also have zoom issues with mikrotik, getting stuck on connecting etc, can't figure what to do

ivicask

hAP ac3 looks wonderful!
Finally you decided to add external antennas to routers, what happend to all the talk how they are not needed you where telling us all this years when we complained about poor signal? :D

ivicask

I think i had same or similar issue, made tunnel between 2 routers, and on other side i linked it to SSID, you can connect, you get IP from DHCP, you can ping anything, use ip scanner to scan entire network, ping servers like 8.8.8.8, but web pages dont open, cant open RDC(tcp), cant enter network s...

ivicask

BTW all this wont work on most new phones like Samsung etc as they by default generate new MAC address every time they connected, just keep that in mind..

ivicask

Radar detection on mikrotik is bullshit i have to change country also in order to avoid it, i even had radar detection in basements where no signal can even penetrate or places where not even remotely radars exists to be detect at first place..Even setting all properly, setting skip DFS or setting &...

ivicask

How about simple drop rule in firewall with source and destination IP same subnet? Maybe excluded wan interface if breaks net, not sure you can try.

ivicask

Are you sure about marking DNS / ICMP or ACK connections than their packet marks, because what im seeing that when i run speedtest some or sometimes entire bandwidth goes thru this QUEUE(DNS/ICMP/ACK) and as they have top prio actually choke my net. I changed it to only mark packets directly withou...

ivicask

Are you sure about marking DNS / ICMP or ACK connections than their packet marks, because what im seeing that when i run speedtest some or sometimes entire bandwidth goes thru this QUEUE(DNS/ICMP/ACK) and as they have top prio actually choke my net. I changed it to only mark packets directly withou...

ivicask

Are you sure about marking DNS / ICMP or ACK connections than their packet marks, because what im seeing that when i run speedtest some or sometimes entire bandwidth goes thru this QUEUE(DNS/ICMP/ACK) and as they have top prio actually choke my net. I changed it to only mark packets directly without...

ivicask

Not sure if was asked but can we get option to specify multiple adress lists inside single firewall rule?

ivicask

If cooler is hot it doesnt mean device is overheating it just means cooler is doing its job and taking the heat away from CPU or internal components.Did you ever had passively cooled GPU ?Its heatsink runs so hot even at idle that u cant touch it, but device is cool and works fine.

ivicask

Got same problem, no matter what chain of mangle rules i set, prerouting,postrouting,forward, no matter what queues i try randomly some traffic just goes over limits and its not even properly detected by queues or its parents as you can see in example, parent queue should also show this traffic that...

ivicask

Same problem here with Samsung A70 at one customer and capsman, when roaming from ap to ap it drops net, its connected to wifi but says Internet may not be avaiable, you need to turn Wifi on off several times or just wait 5+ mins and it starts working. On other hand I have S10+ from Samsung and no i...

ivicask

Well, if you use PCQ you have some knobs to twiddle. I have improved ADSL2+ responsiveness with PCQ in simple queues by making the buffers smaller than the default (which otherwise seem to work well with 50+MBit speeds). For example on an ADSL2 annex m line with max-limit=1400k/16500k these queues ...

ivicask

Guscht You need to send supout.rif file to support@mikrotik.com and brief problem description. We are currently unable to reproduce such issue. ivicask Have you tried the 6.46 stable and 6.47 testing versions? RoMoN works for me now. Make sure both the end user and the agent is updated. If it is no...

ivicask

ivicask - Have you reported this problem to support@mikrotik.com or https://help.mikrotik.com/servicedesk/customer/user/login?destination=portals ?? We are not aware of any RoMON problems; But some of your support confirmed it here, post #5 https://forum.mikrotik.com/viewtopic.php?f=21&t=154286...

ivicask

When is ROMON getting fixed?I need some other fixes from new betas, but they also break ROMON..

ivicask

Remove in your DHCP client setting if you want to use its dns or not.

ivicask

Is ROMON working on last 2 versions?It seams broken to me, simple wireless bridge between 2 routers, no firewall rules, i can see router listed(MAC,ROUTER OS version, Router model) but it cant connect it just timeouts with disconnected from ROMON after 10 sec.

ivicask

in this case CAT6 is not about speed, but about better coverage. Using the aggregation feature, you can get better signal, where there was no signal before. Otherwise you would not need such a big antenna, if we would be aiming for speed in good coverage areas. Did you notice that the 100Mbit port ...

ivicask

Seriously what a fail, you put CAT6 modems capable of up to 300mbit and than you put 100mbit lan ports on those 2 external routers?

ivicask

I think first rule is problem, app exepcts 80 to be web port, yet you redirected it to 8080, try for test change it from 8080 to original 80.

Also you may need 554 UDP/TCP for RSTP stream.

Try also forward UDP of that 8000 for test.

ivicask

/system scheduler add interval=30s name=YoutubeAdressList on-event="/system script run YoutubeDns" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/22/2019 start-time=12:24:55 Add this script with name "YoutubeDns" :local myServers { "g...

ivicask

I have one of those with uptime of one year, so wouldn't say its general issue, maybe rma it and ask for replacement? Or talk to mikrotik support first.

ivicask

Authentication failed for me.

ivicask

hello, tell me pls, the snippet from ue works on your mtik?

Ofc it works, you just need to unblock it in walled garden so it can load before user is authenticated to hotspot. Also their default snipet has typos different " and ' check that.

ivicask

I installed on my SXT 5, and now it cant connect to AP anymore(CLIENT BRIDGE MODE), authentication timeout or association timeout, it connected once for 5 sec than again breaks and loops this error.And when i perform scan it shows this single ap 10 times under all different channels which ofc isnt r...

ivicask

What AV you used to scan?

ivicask

Well for me torrent client would be most awesome for home use, schedule download/s over night when nobody is using net to download some stuff on external drive, silent, and low power use compared to PC, + you can use the same drive for direct access over network ..

Big + 1 from me.

ivicask

I'm using mikrotik only as hotspot controller, and Aruba for APs, they are expensive, but work way better than any mikrotik ever will.

ivicask

I allways have similar problems with mikrotik and 2.4 ghz , do you have b/g/n enabled? Try set it to -g/n only, or N only if all devices support it.

ivicask

Wishes for 6.46: - WinBox => CAPsMAN: Reboot button for CAPs Yes, I agree. It is annoying in CAPsMAN network to manual restart every AP. APs are updated automatically from CAPsMAN, and all APs have firmware autoupdate=yes, but still required additional manual restart for firmware update. +1 for that

ivicask

Got email from Mikrotik. Explained the problem and how to reproduce it. They did... And don't currently have a fix. So high density with interference... If you see 4-way handshake time out in Caps-man... Don't fight it. Don't mess with support. Just buy the Ruckus radio and move on. I get those als...

ivicask

That Audience with Cat6 LTE looks super interesting, cant wait to see full specs and price.

ivicask

Hello Mikrotik community, I am looking to deploy an outdoor AP for a hotspot, I was wondering what the maximum realistic range an outdoor AP can deliver for mobile phones, as far as I know, indoor APs can only deliver about 10-20 meters reliable before disconnections are experienced. Any help would...

ivicask

Thanks ivicask.
Rule was worked once. Now users from IP addresses of the Black list tring to connect to sip port 5060 and rule not working.

I think u should change all those blacklist to
for example from add address=37.0.0.0 -> address=37.0.0.0/24

ivicask

Thanks MKX. I tried all variants but rule is not working. I have task from my chief - block all connections on ports 5060-5080 from abroad. I tried to block one subnet 37.0.0.0 but rule not working :( Here are my firewall settings Regards. Rule actually seams working fine as u can see one block in ...

ivicask

Hmmm Okay, so that sounds promising. However what you are telling me is that initial traffic will ALWAYS get out and not be rerouted because its done in real time not prerouting. Also, the script is not timed to user access but to a rote timing scheme that will run regardless if streaming is done (...

ivicask

@anav, tls-host only works for TCP, you should use ivicask script to read googlevideo.com dns from catch and write it to address list Thats basically what OP @mladen074 did but in simpler script, i actually jumped to lasts posts and missed the first post from him :) Not sure which one is better if ...

ivicask

yeah good stuff, i noticed that when you are using Mobile app, it uses UDP 443 instead of TCP. For desktop, i believe that google QUIC protocol is disabled by default, hence should work with TCP. (in where tls-host only works) It streams to my Windows 10 PC (Chrome) in UDP protocol also. The above ...

ivicask

Maybe google is using and additional dns structure. What ip's are being streamed from? which doman is that? You can contribute to the thread. I figured it, its streaming it over UDP actualy for me, i had TCP protocol as TLS matcher requires it and this of course didint work for me. I added this scr...

ivicask

I also tried implementing you tube Traffic control via this and its absolutely not working. TSL host thing is totally useless in this case and doesnt pick actual IP of video stream *.googlevideo.com *.youtube.com give me about 4 ip to my address list, but when i start youtube video it comes from so...

ivicask

I also tried implementing you tube Traffic control via this and its absolutely not working. TSL host thing is totally useless in this case and doesnt pick actual IP of video stream *.googlevideo.com *.youtube.com give me about 4 ip to my address list, but when i start youtube video it comes from so...

ivicask

I also tried implementing you tube Traffic control via this and its absolutely not working. TSL host thing is totally useless in this case and doesnt pick actual IP of video stream *.googlevideo.com *.youtube.com give me about 4 ip to my address list, but when i start youtube video it comes from som...

ivicask

Can anyone support me this problem. Thank you! For me doesnt work without this rule also add action=masquerade chain=srcnat comment=HAIRPIN dst-address=192.168.1.0/24 out-interface=LAN src-address=192.168.1.0/24 Change ips and out interface to match your network. He have this rule already add actio...

ivicask

Can anyone support me this problem. Thank you! For me doesnt work without this rule also add action=masquerade chain=srcnat comment=HAIRPIN dst-address=192.168.1.0/24 out-interface=LAN src-address=192.168.1.0/24 Change ips and out interface to match your network. He have this rule already add actio...

ivicask

Can anyone support me this problem.
Thank you!

For me doesnt work without this rule also

add action=masquerade chain=srcnat comment=HAIRPIN dst-address=192.168.1.0/24 out-interface=LAN src-address=192.168.1.0/24

Change ips and out interface to match your network.

ivicask

this is not helping because i have more than 80 pppoe-out1-80 so any one disconect will be disconnect all Create several profiles for each pppoe with matching pppoe name inside, u can easy automate it to add via command line.. Or someone with a bit scripting knowlage could make u script which loops...

ivicask

Now i have set in my RDC connection file public dns name with ports matching which server i wanna access blablab.dyndns.org:3000 blablab.dyndns.org:4000 blablab.dyndns.org:5000 I see that could be a problem. But I would not have done it this way. For what you need to pay for dyndns.org each year to...

ivicask

server0.home.com 192.168.10.50 server1.home.com 192.168.10.51 server2.home.com 192.168.10.52 server3.home.com 192.168.10.53 server4.home.com 192.168.10.54 server5.home.com 192.168.10.55 server6.home.com 192.168.10.56 server7.home.com 192.168.10.57 server8.home.com 192.168.10.58 server9.home.com 192...

ivicask

Use internal DNS. When someone on the internet asks for your server web.myserver.com on inernal ip 192.168.10.50 he asks a public DNS and gets IP 85.12.134.20 (sample IP) Then when you are on the internal net, you will use the DNS server you get from your DHCP server. That should not be google or o...

ivicask

I agree with quoted comment by thirdstreetzero. Just think about going IPv6 ... no NAT there. So HairpinNAT really is an obscure solution to a specific problem ... and use case of @ivicask is just further exagerated misuse. Quite a few times people requested full-featured DNS server for ROS ... and...

ivicask

Not sure what your post means?Why not to use? Anyways, with DNS you can only do single internal host, if u need multiple ips to work with DNS name inside ur network u simple must use hairpin. For example how would you access 3 different IPs via dns name ?If you add static entry for like mydomain.dyn...

ivicask

what do you expect more if you bond 5ghz+60ghz? anyway there is 1gbps ethernet port, i dont get your idea (: my point, just to get ANY connection during bad weather, okay let it be at least 100mbps for snow fall or heavy rain, so the customers would not fuck up to red our phones :) What if you go a...

ivicask

Yes LHG60 is great hardware with improved distance and 5 GHZ backup it 'll be a must for 2019 wating for more info

I wonder if its only backup failover, or you can agregate 2 links 60+5ghz at the same time for bigger throughput along for instant failover.

ivicask

What do you mean with queue "parallelization"? Each parent queue already works on separate CPU core in v6. Really?Because when i asked support why cant my RB750Gr3 route more than 150mbit of traffic with queues and single core gets stuck at 100% while router all cores arent going even ove...

ivicask

I wonder is i possible to add some kinda of bandwidth test into this app?So i can quickly test actual wifi performance from router to my phone directly, it would be the most useful thing ever.

ivicask

Check if you have fastrack rule in firewall, disable it.

ivicask

I'm leaving some reserved bandwidth for dns and some other small packets, and also downloads get grouped under another parent which has limit a bit below my total download speed, this way it doesn't saturate download and gives time for queues to drop packets so everything works smooth. If u like i ...

ivicask

If you have drop rules that simply drop packets to ports/services you do not use like ssh, ftp, telnet, winbox, etc... what is the advantage to creating a timed black list and dropping that? Is it to gain the logs and perform further action? If you have the IP/Services turned for all those is there...

ivicask

If these reboots are just because router is slow to respond due to high cpu load, but does respond, you could disable watchdog for time being... I did that, than router froze and was not accessible for 5mins and until I force rebooted him via power, it still did switch traffic to my acces point con...

ivicask

If you have drop rules that simply drop packets to ports/services you do not use like ssh, ftp, telnet, winbox, etc... what is the advantage to creating a timed black list and dropping that? Is it to gain the logs and perform further action? If you have the IP/Services turned for all those is there...

ivicask

I'm leaving some reserved bandwidth for dns and some other small packets, and also downloads get grouped under another parent which has limit a bit below my total download speed, this way it doesn't saturate download and gives time for queues to drop packets so everything works smooth. If u like i c...

ivicask

add action=mark-connection chain=postrouting comment=DOWNLOADS_5+MB connection-bytes=\ 5000000-0 new-connection-mark=HTTP_DOWNLOADS_5+_2 passthrough=yes port=80,443,8080 protocol=\ tcp add action=mark-packet chain=postrouting connection-mark=DOWNLOADS_5+_2 new-packet-mark=\ HTTP_DOWNLOADS_5+ passthr...

ivicask

You using that download manager of theirs? I downloaded alot from mega thru browser directly this days and goes properly thru my queue for large downloads, simple mangle of ports 443,80,8080 and bytes set to 5+mb.

ivicask

I actually have the same issue with exact same router, got 3 random watchdoog reboots so far in past 10 days, but this first time ever happen to me since latest update (44beta28), but didint had much time to debug it or change versions..

ivicask

And more LTE products with old and slow cat4 modems...I dont understand how can anyone even get more than 100mbit from this, i cant get more than 30mbit sitting next to tower, while anything else from super old mobile phone(6-7 years) to 2x cheaper routers achieve at least 2x speed if not more.. Why...

ivicask

So im preparing one CRC router for my customer, and i want to make separate DHCP POOL for VPN users.And this does work without problem unless i un-tick the "use default gateway on remote network" under VPN profile under windows, than i cant ping between subnets anymore.But if i dont untick...

ivicask

Attacker can't use spoofed IP for scanning because such results wouldn't make it back to him (unless he is your ISP and all your traffic pass through him) Spoofed IP is used mostly for (D)DoS attacks where you don't care about response or where you want the response to be sent to someone else on pu...

ivicask

Best practice says you should drop all unknown input, there's no need to make rules specifically for port scanners. Yea, but than attacker can scan for ports and for example find my none standard RDP port and than do further attacks on it, this way he get IP block for port scan attempts and he does...

ivicask

https://i.imgur.com/xjwAmyu.jpg My DNS settings looks ok to me, i did not make any changes for years. This problem occurred yesterday without any modification from my side. I also noticed unauthorized attempt to log in into my router viewtopic.php?f=2&t=139702 My current suspicion is that someo...

ivicask

At the very leat, we should be able to import a backup into another device of same model and RoS/bootloader version. Certificates, users and all. I think that is working. But in practice it is not enough. E.g. I have 2 installs of CCR1009-8G-1S-1S+ which when broken is no longer available and would...

ivicask

I'm seeing them too. From two different routers: [admin@MikroTik] > /log print count-only where message~":60000->" 6 and [admin@MikroTik] > /log print count-only where message~":60000->" 14 They are stealth in the sense that they avoid typical blacklisting attempts; just a few c...

ivicask

... i was just wondering if anyone else is getting probed via this port as it seams im catching this on several locations and not 100% sure what to do about it. Could be, but I don't notice as I have a general drop rule at the end of firewall rules list. It does show increasing number of connection...

ivicask

... i was just wondering if anyone else is getting probed via this port as it seams im catching this on several locations and not 100% sure what to do about it. Could be, but I don't notice as I have a general drop rule at the end of firewall rules list. It does show increasing number of connection...

ivicask

I don't get it why would anybody want to allow connections to some random port (3389 is as nice random number as any other between 0 and 65536) from internet at large? Your firewall rule is not complete ... attacker can easily change source port to some other and your rule won't catch anything. I g...

ivicask

I don't get it why would anybody want to allow connections to some random port (3389 is as nice random number as any other between 0 and 65536) from internet at large? Your firewall rule is not complete ... attacker can easily change source port to some other and your rule won't catch anything. I g...

ivicask

After recently one of our server got hacked over RDC and got crpytolocker i noticed theres frequent port 60000 TCP to 3389 and also other random ports attemps. After bit googling it says that port 60000 is "deepthroat" trojan attack port. For now i added firewall rule to catch all source p...

ivicask

Hello As we all know it's very important how to configure firewall and services on our Miktotik routers. A lot of us are using Winbox for remote administrating because its easiest, changing port from 8021 to any other doesnt rise security level. So next step is to use SSH but I read that I can't fo...

ivicask

Why not create new PCQ queue with desired limits, but add a bit above burst limits, set this queue to hotspot interface, it should smoothen out browsing while downloading.

ivicask

I cant update CCR1009-7G-1C from 6.43rc51 to 6.43rc64, i click check for updates, download&install, after reboot i still have old version.Tried also manually downloading the file and puting into root and rebooting, same thing. EDIT:I figured it , i had other router package so it failed to select...

ivicask

I often have this problem with 2.4ghz, where its un-usable, without any close networks to interfere, what helps alot is set mode to G/N, or only N if you dont need backward compatibility.

ivicask

Anything new on this topic? CAPSMAN still uses the same frequency for all 5 GHz radios on my hap AC devices regardless of any configuration I might try. There is only one setup that works: in case I DON'T set any frequencies AND uncheck "skip DFS channels" I end up having different channe...

ivicask

HI, I haven't got a different DHCP server for each SSID because I couldn't create one. Couldn't add New DHCP server - can not run on slave interface (6) Sorry to be dum but this is my debut with routerboard OS. I think that having a different DHCP server for each SSID is the way I'll like to go for...

ivicask

Hi, I managed to create multiple SSID in my house. One of the SSID is for my children and their friends (9 years old). The idea of having multiple ssid was to be able to control the content on the kids wifi using OpenDNS. So far, I haven't managed to figure out how to set dns per ssid so that my ma...

ivicask

my phone does 4g 50+download and 15+ upload at same location, same provider, different SIM You can forget about it, alot of users including me already complained about it, dont bother with this device if u expect any normal speeds, its just terrible. https://forum.mikrotik.com/viewtopic.php?f=7&...

ivicask

I wonder if Mikrotik has honeypot routers, pretty sure they dont or they would already capture all the previous exploits before it would spread like they did.

Any official statement regarding this from mikrotik?

ivicask

Hey folks. We need to replace one of our 5Ghz Links due to high noise. We would like to switch to 60 Ghz. The Link is 2.4km and has 600 meters of altitude change. We don’t need a Gigabit. 100 mbits would be plenty. Has anyone any experience if this is even possible? We got about 15% less Air preass...

ivicask

Ok, Thanks for the replies. Local Forwarding isn't an option, so we need some model with higher CPU. Also Fast-Track can't be used, because we need some firewall rules to hide the rest of our network from the CAPs Clients. I think we will go with RB1100x4 or maybe we will try the RB3011. I will rep...

ivicask

What's wrong with RB750Gr3, I use it with 7 Wap Ac, we have 150mbit line, and few queue tree rules, one simple queue for guest network, and up to 70 clients, works fine. Note I use local forwarding, not sure if it would work so good with capsman forwarding, u may need use higher cpu power product th...

ivicask

- new, improved SXT LTE kit with two Ethernet ports Same price but ....inferior....:( Yes, hope MT stops recycling those old modems, and give us some LTE product with LTE 6+ category What do you guys mean? It is much better than SXT LTE first generation: "In comparison with our first generatio...

ivicask

- new, improved SXT LTE kit with two Ethernet ports

Same price but ....inferior....

Yes, hope MT stops recycling those old modems, and give us some LTE product with LTE 6+ category

ivicask

I have one wAP ac whos giving me problems for some time, but unfortunately is also out of warranty so i just wonder what are normal temps for this device?When i copy files over 5ghz interface at around (450mbit/s ) speeds, the router hits 80c and than randomly starts crashing and its not visible on ...

ivicask

I have couple of wAP ac devices that for some odd reason doesn't come up in the Winbox discovery. Connecting via MAC address fails too. Connecting over IP is OK. If I'm connected to Wifi, then everything works as expected (discovery + connecting over MAC and IP). Is this expected behavior? Coz for ...

ivicask

I would be happy with product like this

https://mikrotik.com/product/mant_lte_5o

But with integrated modem and 1 lan port, nothing more..
And atleast CAT6 is a MUST so it doesnt work like some 10 year old phone/device with horrific perfomance like current WAP LTE works.

ivicask

Just wondering if someone can tell me why there are no 3x3 MIMO antennas on the market much greater than 20dBi ? I have a couple of RB921UAGS-5SHPacD-NM(triple chain capable) doing about 8KM's point to point, but limited to 2x2 due to antenna limitations(cant find a commercial 28 to 30dBi antenna w...

ivicask

I'm doing WiFi coverage tests between 2 Models: RBD52G-5HacD2HnD-TC (I will call it hAPac2) RB962UiGS-5HacT2HnT (I will call it hAPac) WiFi comparison between hAP ac2 and hAP ac.png The suggested price of both models results in a price difference of $ 60.00 My question: Where is such a big differen...

ivicask

But that whats the point of this, i ran it 3 times and got all my ports listed 3 times before mikrotik blocked it, "attacker" already have all it needs. Scan this 93.155.148.98 - my IP address and tell me the open ports please! It shows none now, but is this site already on your block lis...

ivicask

But if i run it from https://mxtoolbox.com/SuperTool.aspx?action=scan, it finishes every time and shows my open ports on router without blocking it.. Try for your self. OK, try this : ip fi fi add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment=&...

ivicask

What do do : 1) Firewall the Winbox port from the public interface, and from untrusted networks. It is best, if you only allow known IP addresses to connect to your router to any services, not just Winbox. We suggest this to become common practice. As an alternative, possibly easier, use the "...

ivicask

So is this it https://www.securityweek.com/remotely-e ... s-routeros ?

As its over month old post..

ivicask

Hi Everyone, I am looking for a recommendation for hardware that is capable of doing traffic shaping on a line that is about 500dn/100up without choking. I currently have a 300/20 link and am using other vendor hardware that employs hardware offloading that is reaching it's limit due to QOS turning...

ivicask

I have one RB911G connected to another wifi as client, and i just want to use it as proxy server so i can add it to my Dropbox or Mozila settings so i can surf over other net. Moment i run speedtest CPU gets lucked down to 100% and cant pass more than 30mbit, while im having 50mbit speed.The cache i...

ivicask

Well it simple stopped, now it had like 30mb dns traffic in a week, i did nothing, upgraded or even rebooted router.

Will monitor if it happens again.

ivicask

6.41rc52, doubt it's infected, it was installed 2 months ago, had latest version of os since installed, I have very stric firewall rules, I drop dns requests from net etc.. router has complex pass etc.

ivicask

Wireshark shows all standard query packets, and gets responding ip addresses resolved back , but i do see them repeating, even it already got proper ip adresses reported back, and domain and ip exist. Still doesnt make sense, if it does return proper IP why is it repeating requests and not simple c...

ivicask

Check the DNS cache, but this is a likely explanation, depending on the number of clients using your DNS. Even if u unplug entire network, meaning only Mikrotik leaves, this DNS requests still go . And we are talking about like 20 clients max who use internet lightly, its impossible they do 100gb D...

ivicask

Check the DNS cache, but this is a likely explanation, depending on the number of clients using your DNS. Even if u unplug entire network, meaning only Mikrotik leaves, this DNS requests still go . And we are talking about like 20 clients max who use internet lightly, its impossible they do 100gb D...

ivicask

Ah common Mikrotik, mANT 5o LTE, at first i was YES, finally new LTE device, than realized its just antena. Was it a problem to give us such product with builtin LTE modem of higher category than current ones you have.Thats all pointless what you did.WAP LTE performs so bad, no antena will help it, ...

ivicask

I just installed one HAP ac at one customer, they got NEW HP switch with fiber connection to internet from ISP, and its connected to my LAN1 port on Mikrotik which has fixed ip 192.168.1.3, than all is routed out thru LAN port 2 on mikrotik on range 192.168.100.0/24 to customers internal netowrk. No...

ivicask

I don't think so. The RB750Gr3 is a nice router, check in the specs what its achievable performance is, but when you are talking about 1Gbps internet and of course you are going to speedtest that, this class of router is simply not going to cut it (with a manageable configuration w.r.t firewall and...

ivicask

Hello to disable DNS attacking please add listen address on better from use ip firewall filters /ip dns allow-remote-requist=yes /ip dns listen-src-address=192.168.88.0/24,x.xx,y.y.y Regards Cant you already do that via firewall, dont understand what more you need, if you want to block DNS requests...

ivicask

So i created an IPIP tunel between 2 locations, NAT and routes are properly added and i can ping without issue networks form both sides, enter network shares, RDC etc. Problem is i cant access any of them by hostname of server/computer. Mikrotik from its console can ping by name without issues, but ...

ivicask

The new hAPac^2 and cAPac have two chains, since most devices only have 2 chains and the third chain is rarely used. What about load balancing between chains?What if i have 20 + various devices which have mix of 1 or 2 chains, arent all 3 chains on Mikrotik device used and give better overall throu...

ivicask

I wonder if its posibble to shroten URL somehow from mine mikrotik router for one TV in network.I tried using online URL shortners but they are not realible or have link expiration or max opening.And its too complicated for me to enter this long URL who sometimes changes into TV. For xample link loo...

ivicask

I have same issue on several locations with different aps.. For example this is my HOME, and the client that says extnesive data loos is a TV who doesnt move inch, and as u can see signal is more than powerful(-48-62), still i get random disconnects for all devices at home, Philips TV, HTC phone, AS...

ivicask

New and exciting way to block things introduced in latest 6.41, block by SSL certificate name with TLS-HOST: /ip firewall filter add action=drop chain=forward protocol=tcp tls-host=*facebook.com What about sites who dont use SSL?Or does sites SSL certificate needs to be named same name as site?How ...

ivicask

That is indeed very simple, but unfortunately it will not work correctly! One IP address can handle multiple websites, so when you block this way you will block other sites as well. Well than in that case you can do DNS block /ip dns static add address=127.0.0.1 regexp=facebook.com etc And in order...

ivicask

Thanks Normis, By ip you mean to block the ip addresses of websites in Firewall->Filter Rules right? I ll try that /ip firewall address-list add address=facebook.com list=blocked_web add address=youtube.com list=blocked_web add address=whatever.com list=blocked_web etc continue the list from your e...

Search found 492 matches