MikroTik

IntrusDave

Hey guys, make sure you don't respond with an answer that he doesn't like. Honest and respectful answers get you rated negative by this noob.

IntrusDave

Sorry, forgot the answer.

You will need to disconnect pins 1 and 2 to cut the power to the unit.

IntrusDave

https://en.wikipedia.org/wiki/Power_ove ... et#Pinouts

I still think just power cycling the power supplying the power would be much simpler.

IntrusDave

Allowing 3rd party binaries to run on a router/firewall is a massive security hole that could/would be used as an exploit and backdoor. I could not imagine any situation that I would ever trust a router that will run an arbitrary executable. Maybe a little linksys or something, but this isn't going ...

IntrusDave

No, not at this time. (maybe in ros 7)

IntrusDave

https://wiki.mikrotik.com/wiki/Manual:Interface/LTE

IntrusDave

RouterOS is a closed platform. You can not run a 3rd party binary.

IntrusDave

Port speed / activity..

IntrusDave

Look into an external solution.

I use a UNIX server - The server makes an SSH connection, creates a backup, downloads the backup, then places it into an SVN repository. That way I can roll back to any config needed.

IntrusDave

RouterOS will only install on a SATA based device. the m.2 interface on most boards support both mSATA and PCIe. Make sure the drive is SATA based and not NVMe based. The NVMe (PCIe) require a much newer Linux kernel (something in 4.x range) while RouterOS is current still running a 2.x kernel.

IntrusDave

Log into it and use Quick Set.

IntrusDave

for those interested, the DNS now holds the list sizes. { :local list1 [ :resolve server=mikrotikfilters.com server-port=6502 domain-name=127.0.0.4 ]; :local list2 [ :resolve server=mikrotikfilters.com server-port=6502 domain-name=127.0.0.5 ]; :local list3 [ :resolve server=mikrotikfilters.com serve...

IntrusDave

Maybe wrong interface names?

IntrusDave

You are going to have far more problems trying to get this working than is you simply use unique subnets for each site. While reverse NAT is possible, you will find that it is not practical and very complicated to manage.

IntrusDave

I've updated the server side to prevent units with 64M or less from pulling list 3. It's simply too big and causes the units to panic with an out of memory error. I watched one unit download the list and reboot more than 30 times last night, until I forced it to grab list two on the server side.

IntrusDave

The previous version has been disabled because of abuse. Please remove all the blacklist scripts, and run the installer from the first post.
It provides you with a much more stable and flexible platform. Once installed, read over the .conf file and make changes to suit your needs.

IntrusDave

can you manually add a dynamic entry and see what happens?
/ip firewall address-list add address=1.1.1.1 list=zzTest timeout=00:00:15

IntrusDave

This is great, and I love port knocking... except the current RouterOS broke the timeout for address-list items. Right now, when they expire, they just sit their at 00:00:00 and are never removed. What version does that? I use Port Knocks quite a bit and had not seen that I was able to get in when ...

IntrusDave

I do not. I run Mac

But I will look into it. I haven't yet because of the timeout issue.

IntrusDave

The script is called once an hour, however that only means that you will make a single DNS lookup to see if the filters have changed. If there is no change, then no update is downloaded. If the DNS returns a newer serial number than the current installed list, then the new list is downloaded. The li...

IntrusDave

I think you should consider using port knocking for what you want.

This is great, and I love port knocking... except the current RouterOS broke the timeout for address-list items.
Right now, when they expire, they just sit their at 00:00:00 and are never removed.

IntrusDave

I have no issue with getting 100mbps. That the line speed of my fastest IPSec partner.

IntrusDave

Make sure you buy the correct model for your carrier. Most LTE modems come in 2 varieties, WCDMA & GMS.

IntrusDave

I go away for a week and everything has changed. :shock: @IntrusDave, thank you again for all your work on this blacklist. Unfortunately for me, the automated scripting is now too intrusive and is itself a serious security risk, so I'm out. If in the future you resume publishing a blacklist of addr...

IntrusDave

I use this code to fix it. The Global creates a reusable function, then use the "$removeSpace t=" to call the function :global removeSpace do={ :local temp; :for i from=0 to=([:len $t] - 1) do={ :local char [:pick $t $i]; :if ($char = " ") do={ :set $char ""; } :set tem...

IntrusDave

The RB922UAGS-5HPacD does not come with an LTE modem installed. The SIM in on the system board, but you must install the modem into the Mini PCIe socket.

IntrusDave

This isn't something supported by MikroTik. A good solution would be setting up a VPN service and requiring a VPN connection first.

IntrusDave

Likely an incompatible modem, or a modem that only supports PPP. What type of make and model did you use?

IntrusDave

I agree, 12V is likely your issue. Can you wire the batteries in series and switch to 24V?

IntrusDave

No need to be rude. Clearly he doesn't understand, which is easily explained by his post count (that was his 1st post). Anyway - The CHR doesn't have any of the VM tools installed, so it is unable to communicate directly with the host to get the date and time. Unfortunately, you only real choice is ...

IntrusDave

netinstall is for MikroTik devices only. It will not work on x86.

RouterOS for x86 will only install on the first BIOS supported drive detected. You will need to disconnect all drives, except the drive you want it installed on. And that drive must be a BIOS bootable device.

IntrusDave

Thank you for the script, but I have to say that, as least in my limited testing, I stumbled upon too many blocked gmail servers. I couldn't even send an email from my gmail account to my corporate address. The worst part is that gmail somehow didn't even alert me that the message did not go throug...

IntrusDave

Morning, tnx for explaining the script rights issue, to bad we are struggling with that, for now it works here. @Dave I noticed the script got updated to 2.0.3 in the past 12 hours, it would be nice to see some kind of changelog if possible ? Keep up the good work ! Eddie release notes are in the f...

IntrusDave

Hi all i'm running in my ccr-1009-8G-1S-1S+ log is show notthing but Script List show this messeage https://goo.gl/yYE2do https://goo.gl/yYE2do messeage is " LOG 【;(eval (eval /putmessage=$t) (eval /log warningmessage=$t))】 urlEncode【;(eval (eval /localname=$temp) (eval /forcounter=$i;do=;(eva...

IntrusDave

I've been running a Rb3011 with two 300mbps WANs and 24 IPsec tunnels for almost a year with no issues. The CPU is quire powerful. I have recently replaced it with a RB1100AHx4, but only because I wanted the internal storage.

IntrusDave

Check your MTU. EoIP has a smaller MTU, and without adjusting for it, https often fails.

IntrusDave

The hEX should be able, but if you can, I would go with a RB3011.

IntrusDave

Give the script full permissions. Also, make sure it's owned by a user with full access.

IntrusDave

No worries, I have no intention of including rules beyond the basic examples provided in the initial posts.

IntrusDave

Hi Dave, First of all thanks for an amazing job and all effort you're putting into this. It's working just fantastic on my hAP-ac router. A small idea to consider: how about extending firewall filter rules with autoblock functionality for intruders trying to get to a router or network? A dynamic li...

IntrusDave

Unfortunately, taking away the permissions ends with empty scripts. Taking away ANY of them causes issues - I do not know why. You *SHOULD NOT* need "password" or "sensitive", but removing them causes the failure.

IntrusDave

Just pushed out 2.0.2.2

new auto-script-update script is included. It pulls the current version from the server and updates if needed.

IntrusDave

My issues are all Mikrotik to Mikrotik. My Mikrotik to Cisco IPsec VPNs never seem to fail.

IntrusDave

Just released 2.0.2 with minor bug fixes. Run the auto-update/install script to update.

IntrusDave

No idea at all. And I am unable to force it to happen, so I can't even submit a support request.

IntrusDave

Check for the Scheduler and Script Policies. Make sure that all of the boxes are marked.

IntrusDave

The CRS is a switch (Cloud Router Switch) with routing ability. The RB2011 has the same CPU. I would recommend that you invest in a router more suited for what you are doing. The RB3011, RB1100AHx4, and CCR1009 will all do nicely for that. To be honest, all of the MMIPS based units are great boxes f...

IntrusDave

So two things... Some users are simply blocked at my firewall, and now two users have been added to the list itself. I don't see this as "poisoning" as they are the ones that were actively trying to find security holes. (They have been trying SQL injections) Given that they are active atta...

IntrusDave

You should be getting the same logging both ways. If not, check the schedule policy and the script policy and make sure all of the boxes are checked.

IntrusDave

I have the same issue. It has gotten to the point that I have a script on every router to kill the IPSec connections and flush the SA's, at the same time on both ends.

IntrusDave

I've shut down the old service (pre 2.0 script). I found that several users were leaching the large list and rebranding it as their own. They were also trying to probe the server side for exploits. Again, I offer my list as a free service to the MikroTik community. If people continue to abuse it, I ...

IntrusDave

?

if the router is powered by PoE, then you can cycle the PoE port's power.

IntrusDave

fat32 if you need to move data between the router and a PC. What's the logic behind this? The router has to read the file into RAM and send it, and the other way around on writing. And this has nothig to do with the undelying file system. So unless you want to move that SSD physically to a Windows ...

IntrusDave

/ip firewall filter add place-before=0 chain=input src-address=10.0.9.10-10.0.9.12
/ip firewall filter add chain=input action=drop

then remove any other input rules.

IntrusDave

you can power cycle using PoE, but you can not trigger a Net-Install.

IntrusDave

create an accept rule on the input chain, with 10.0..9.10-10.0.9.12 as the source address.
then create a drop-all rule for everything else.

https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter

IntrusDave

So all the dude data would be saved on the 60gb drive? If you want, yes. Configure the disk in the "system -> disks" menu first. Hi Normis, formating with ext3 or fat32 ? which is better for routeros ? Just a guess - ext3, as it's native for Linux and has better corruption protection. fat...

IntrusDave

in my testing, the 64M units are struggling with anything other than the small list. I'm seeing about 60% of the 64M units pull the medium list 10+ times in a row. That is telling me that the 64M units are having kernel panics and rebooting. At this time, the server is now forcing the small list on ...

IntrusDave

released version 2.0.1 with minor improvements.

Old version will not longer function soon. Please use the install script in the first post to update.
Auto-Script-Update is being testing in house. I hope to have the routers updating themselves next week.

IntrusDave

If you can not easily replace the cable, try manually setting the speed on each end. I've seen them many times in my 35 years of networking. It is most often the cable, but I have also seen interfaces fail after a power cycle. Most recently, I had this happen on a CCR1009. The interface was constant...

IntrusDave

For the time being, I'm very happy with the list system and BGP will not be implemented anytime soon. Currently, about 60% of the systems pulling the blacklist are dynamic IP. That number could be MUCH higher, as some ISP's don't force an IP change unless the modem is offline for a few hours. I will...

IntrusDave

All Android based devices use Google DNS for things other than DNS. (Like how I use DNS to alert clients about blacklist updates) These devices include Phones, Tablets, Refrigerators, Air Conditioners, notebooks, TVs, DVD/Bluray payers... the list goes on and on. I've found that if you are redirecti...

IntrusDave

The RAW rule is not blocking outgoing traffic. But it IS blocking the response from the the remote address.

IntrusDave

Hi msatter, thank you very much for your quick answer. I solve the problem as here but I wonder that when i add my ip block in here like 123.123.32.0/22, is this not make problem to me ? because when i add rule to accept for my ip blocks, blacklisted ip's can attack to my ip range if I true. furthe...

IntrusDave

diff would work, if I can guarantee that every router will get every update. If someone misses an update, the whole process is screwed. It would require a complete do-over on the backend, and I would have to build the scripts in realtime to deal with differences in versions. Still far too many only ...

IntrusDave

The issue with that is that with 200,000+ entries the [find where address=xxx.xxx.xxx.xxx] is really REALLY slow. Each list causes RouterOS to check EVERY entry each time. so you are looking at 200,000*200,000 loops. That's 40+ Billion loops.

IntrusDave

Oh, also... The changes resulted in new list sizes. the "small list" (#1) is only 46kb now (down from 118kb). Medium (#2) is 860kb (down from 2.2M), large is 4M (down from 12M).

IntrusDave

Now that the import/export is moved to the server side script generation, I can make changes on the fly without the need to update the script. So, I've returned to the old "remove, then add" method. The "add, or update" was never completing on low end routers. Even CCR's were tak...

IntrusDave

before this RC, ether5 was 64:D1:54:CF:04:3C. I can't get it to change back
Does /interface ethernet reset-mac-address ether5 command fail?

I does not fail, but it does not do anything at all.

IntrusDave

I have a MAC conflict /interface ethernet set [ find default-name=ether5 ] mac-address=64:D1:54:CF:04:3B set [ find default-name=ether11 ] speed=1Gbps set [ find default-name=ether12 ] name=ether12-IoT set [ find default-name=ether13 ] name=ether13-WAN [djoyce@Intrus_AltaLoma] /interface ethernet> p...

IntrusDave

You need to configure you wireless as the WAN, setup it the wifi in client mode. Then configure the ethernet ports as the LAN. It's not a difficult setup, but you will need to head to the Wiki to learn more first.

http://wiki.mikrotik.com/

IntrusDave

The NAT looks okay - though I would remove the DNS redirect. Do you have the correct Forward Accept rules? Oh, also - all of those rules could have been simplified into one. chain=dstnat action=dst-nat to-addresses=11.11.11.212 protocol=tcp dst-port=22,25,110,143,465,587,993,995,3443,7071,7143,7993,...

IntrusDave

It looks like we’ve uncovered a bug. The timers on dynamic entries aren’t removing the entries when they reach 0.

I’ll change the script to do the remove and add when I get home tonight.

Going to sit in a pool for the evening. It’s 110°F right now. I can’t think anymore.

IntrusDave

dynamic firewall address-list items are not being removed when they expire.

IntrusDave

I will say that the BGP method would be simpler to manage over a large distribution, and the implementation on the client side is brain-dead simple: enable BGP (if not already using BGP) with any private ASN other than 64567. (or just use their real ASN if they're already running BGP). in-filter=ac...

IntrusDave

Well, right off the bat, BGP fails me.
Peers do not support dynamic IPs.
This is a show stopper for me, as most of the routers I deal with are dynamic.

IntrusDave

were there thoughts about BGP feed?..

Okay, I give. Can you point me to a basic setup for BGP. I don't even know where to start.

IntrusDave

Thank you. It's definitely still a beta. I'm really not happy with the update process. I like using the "functions" to make the list smaller, and it works well on my x86 and CHR boxes, but even my CCR1016 in my datacenter struggles with the process. using BartoszP's concept of "add, u...

IntrusDave

not very happy with the speed... Still trying to figure a good way to do this.

IntrusDave

So - this process is VERY slow. The initial import is quick, but the updates take a very long time. The upside is that the entries are left in place so that their is no gap in protection.

IntrusDave

New script is live. grab the installer in the first post.
Make sure you remove any old schedules and scripts.

Remember this is an RC. it may have bugs.

IntrusDave

too much work for the slow units. I think I have a solution.
It's slow... but there is no "unprotected time".

IntrusDave

I think I've found a viable balanced solution. I'll be posting the first beta of the new system later today.

IntrusDave

I have an idea for you:
Code: Select all
:local l "dynamicBlacklist"
/ip f a
a l=$l a=127.0.0.1

I like this. going to see how much it slows things down.

IntrusDave

I thought of that. Diff won't work. Everyone would have to always be current. Some will update as soon as an update is available. Others will only update daily. Some even update weekly, even though the list expires after 24 hours.

IntrusDave

My concern isn't so much size, but time.
With the majority of routers pulling the list being single core, my tests have shown that an import / update like that causes dropped packets.

IntrusDave

I'm sure that would work, but with 200,000 entries in the "large" list, that would make the file size almost 40M.

I suppose I can generate two sets of lists, one the other way and one this way..?

IntrusDave

Bad news. Removing in the background and importing in foreground doesn't work. The background removal is executed on the same CPU core, so overall speed is only a few seconds difference. The issue I am seeing on all of the multicore routers is that the delay needed before starting the import is 10~2...

IntrusDave

Great new that you are going to take the next step, to have better control of and more flexible way of initiating updates by means of DNS. I have managed this morning to not have any need any more for smaller files now I can remove and import the dynamicBlacklist at same moment. This reduces the ex...

IntrusDave

I've started work on "2.0.0". I will no longer be updating this branch. The new branch (going with more normal version numbers) will be more modular and, if installed with the included installer script, it will keep itself updated with the current version and will only update the blacklist...

IntrusDave

In your posted code, you have the delay set to 0. It's fine in the hosted code at https://mikrotikfilters.com/updateBlacklist.rsc

Thank you. Corrected.

IntrusDave

ROFL oops. I fixed it. Should have been NOW not NOT

s/not/now/

IntrusDave

script 2 must be:
:global test;
:put $test

OoooOoooohhhhh! Okay

IntrusDave

I have a scripting issue. if one script sets a global, another script is not able to see it. However, I can see them on the console. Script 1 :global test "test" Script 2 :put $test running the scripts from the console, I would expect Script 2 to output "test", but it's output is...

IntrusDave

New script updated. I'm now including a change log on in the first post.

IntrusDave

I have checked the SD cards and they are fine. Each was able to write 10GB at a rate of 2GB per minute without errors.

IntrusDave

Hey guys, are any of you experiencing problems with downloading using "fetch" and saving directly to an SD? All of my CCR1009's with a 16GB high-endurance microSD are having problems. Anything over a few hundred kilobytes fails with an incomplete download. fetching to the NAND works perfec...

IntrusDave

I have a request. I was testing with a more informative disabling and enabling from the log entries and when I did not disable and enable again as normal is done on an import I did not get only the normal logging but not the huge numbers of the removals and adds to the list in the log. I was very n...

IntrusDave

I doubt they are false positives. Speedtest.net servers are NOT controlled by them. They are 3rd parties that are often shared hosts. If they get blocked, it's because they have allowed a host, shared host, or infected host to remain online. Even Amazon's AWS gets blocked because spammers will "...

IntrusDave

you know... maybe I'll just use DNS. I'll have to see how that works.

IntrusDave

So, I was hoping to simple run this, and have the output placed into a variable that I could then parse. Unfortunately, it appears that the telnet output is sent directly to the console and cannot be captured. Any ideas of a simple way to get text from an outside source into a variable WITHOUT writi...

IntrusDave

Older client scripts requested "dynamic" (the "get=dynamic" in the URL) requests for the old "dynamic" are currently being redirected to "medium", and will soon be switched to an automatic selection based on the CPU and memory. I'll be honest, I have no intere...

IntrusDave

Unfortunately it's not possible to tell the source of the block. The lists are generated from 12 different high profile blocklists, as well as a network of over 200 routers. Once the server has all of the sources, the IP addresses are extracted and then aggregated into a new list that has the subnet...

IntrusDave

Hoping that one of the MikroTik guys can comment on this... My blacklist is getting very large. I'm hoping to be able to send the script (about 200,000 "add" lines) in a compressed format. Is it possible to compress it on the server side and send it as an NPK, then import from that? Thanks

IntrusDave

I had a quick peek at 2017.7.3f and I have to admit that I am a bit lost on it. Update: Before the v [ScriptVer] would undergo a cleaning of spaces which are replaced by %20 for use in the URL which is not not more done. I have still the word (testing) in my version string with a space in front. It...

IntrusDave

Updated the script with minor bug fixes, speed ups, and more detail when run from the console.

IntrusDave

Next thought is to only supply the addresses itself and that would shrink the size of the medium file from 4.1MB to 729KB but then we have to split it up in more than 177 files due to 4096 bytes String limit present in RouterOS. With more than 80% of the routers pulling the list only having a MIPS ...

IntrusDave

I went through different options how to reduce traffic and the quick and easy one is removing the comment in the medium and large file and that gives a reduction in traffic of over 20% assuming that the users of the medium and large file know what that addresslist is named dynamicBlacklist stands f...

IntrusDave

please keep in mind that with all the chaos in the world now, the list is regenerated every 4 hours. I don't recommend holding on to an older list for more than 8 hours. Also, I have no bandwidth caps so I have no issue with people downloading several times a day - But I don't want it abused and pul...

IntrusDave

The new backend and script are live. Make sure you read the comments and select the correct script for your router. *** DO NOT SELECT THE LARGE LIST FOR ROUTERS WITH LESS THAN 20M FREE DISK OR LESS THAN 256M Memory! *** Recommendation: Routers with 32M~128M memory - "small" list Routers wi...

IntrusDave

were there thoughts about BGP feed?..

Too much work

IntrusDave

Today’s update is going to be huge. Not sure when I will push it it out though. I am rewriting the backend that builds the list. I will be pushing out 3 lists soon. Small - about 750kb - intended for home users Standard - about 2M - intended for businesses Full - about 14M - intended for internet se...

IntrusDave

Also, consider adding a RAW drop rule to drop the subnet that the attack is coming from.

IntrusDave

Are you running my BlackList? It will help protect you from many attacks.

If this is a DDoS attack, and you have a dynamic IP, the simple solution is to change your MAC address on the WAN port and reboot the modem to get a new IP address.

viewtopic.php?f=9&t=98804

IntrusDave

I think you need to check that you have a reliable date in the first place. It can be a while between boot up and acquiring the current date and time. I would not count on a simple delay being enough, I would sanity check the date. I second that. If I've learned anything about RouterOS, it's that y...

IntrusDave

That's why I have always had two scheduled tasks. One for Startup and one every 24 hours.

IntrusDave

I updated both the server and script to correct for the notification not displaying. I also changed the script so that the previous entries are not removed if the throttling kicks in. I would love to NOT have to throttle, but several people have set up their units to update every 5 minutes. at 2M ea...

IntrusDave

That could be just the update timing. Currently, my list collects the data a 5am PST and rebuilds then. several of the sources also rate limit, but I may be able to push it and rebuild it ever 6 hours. that may keep them more in sync.

Okay, I changed the cron job to run every 6 hours.

IntrusDave

Very odd indeed. This is one of those times that we may just not have an answer. If I was in front of the box and was able to go through the config line-by-line, I might be able to figure it out. But I've often just found that a fresh start is a better way to deal with it.

IntrusDave

I would make a backup of the config, then reset to factory and do a very simple config, then test each port. You may have inadvertently changed something in the config that killed the port. If you want a simple setup - clear the config, then set ports 2,3,4,5 to master port 1. Ports 7,8,9,10 to mast...

IntrusDave

So far so good. Doesn't help the low end units much.
a quick test...

RB2011 - 123 seconds
CCR1016 - 25 seconds
RB1100AHx4 - 20 seconds
RB3011 - 33 seconds

....WOW! The new RB1100AHx4 is faster than a 16 core CCR.

IntrusDave

That looks like a nice clean solution. I'll test it out on the gear I have and then update the code. Thanks!

IntrusDave

Updated the script with the recommended remove code. It appears to speed the update process by 38~75 seconds on most routers.

IntrusDave

deleted

IntrusDave

deleted

IntrusDave

I rewrote the backend this morning. It now takes all of the sources and purges the /32's into the their corresponding subnet, if it is listed. it cut the size by 50%. it was in the 42,000 range, now back down to 21,000.

IntrusDave

David, please consider including blocklist.de's block list. I've been using both your blocklist and the one from squidblacklist.org for a little bit and so far the only major difference is from blocklist.de. If you add that then I can drop squidblacklist.org.

Done.

IntrusDave

By the way, why is the default path "disk1/dynamic.rsc"? because that is the default path of a USB or SATA drive. If the driver does not exist, it simply creates that path. This way the USB is used if it's there. Anyway, fun fun. I hadn't tried this before: jun/23/2017 10:50:44 system,err...

IntrusDave

it didn't work for me (CCR1016-12G)
error :
/tool fetch url="https://mikrotikfilters.com/updateBlacklist.rsc" mode=https;
status: failed

failure: connection timeout

Connection Timout on that would imply that your IP may be blocked to start with.

IntrusDave

Not with SFTP, no. You could use an HTTPS PUT and upload it to a web server.

IntrusDave

then consider using both =) first quickly remove for recent versions, then slow cleanup for older ones if necessary

I'll do that for the next release.

IntrusDave

I think that C-z in "0KiBC-z" stands for Compression gzip so it is there and now it is how to get that working for the .RSC

the C-z means "Control-Z to Pause", not compressed-zip

IntrusDave

We can't remotely begin to help without seeing the config.
you need to post the compact export for interfaces, bridges, and firewall. Maybe even the queues.

IntrusDave

Use ssh on the server side. It's simpler and doesn't require anything special on the router side.

ssh username@ip_address "/export compact" > routerBackup_export.rsc

IntrusDave

The server does compress the content.... As seen by this compression test.

IntrusDave

The loop is to deal with older versions of RouterOS that would only remove the first item it found when using Find.

IntrusDave

No

1amp at 5 volts is 5 watts
1amp at 12 volts is 12 watts

It’s best to understand how many watts the device needs and what voltage it requires.

IntrusDave

deleted

IntrusDave

From the quick guide:

IntrusDave

The mangle rules created by the script only mark the packets for DSCP. You will need to create new rules to set the DSCP for the video packets. Keep in mind that QoS only works for your outbound traffic. Unless you are using an MPLS for your WAN, you can not control your inbound QoS.

IntrusDave

Don't pass the DNS to the clients. Have the clients use the router as the DNS, and have the router use the ISP. Allow the router to use it's cache to reduce the LTE load.

IntrusDave

Just enable RouterOS DHCP server, no any MS DHCP server.

This is your problem. You should use the MS DHCP. It will register your workstations in the DNS. Use the services that the AD provides. (DHCP, DNS, WINS)

IntrusDave

Yes, you would need to mangle rules to mark the packets with the priority that you want them to have.

IntrusDave

The bandwidth test in the switch will not show the true speed. You will need to use something like a Linux based test on two boxes connected to the switch.

IntrusDave

Why don't you built an address list of the PSN IP addresses, add a filter that blocks and logs the connections. Then you can see the local IP addresses that are attacking. Then clean them.

IntrusDave

two 12v deep cycle batteries, a 50w solar panel and a charge controller will do what you need.

IntrusDave

Your router will honor the QOS tagging in the packets

IntrusDave

It sounds like you are bridging or routing, and not switching.
The device can do wire-speed forwarding on all ports.
Did you remove the default config? Set all the ports in a bridge?
If you are using it as a switch, then all ports should have port 1 as it's master.

IntrusDave

The device / application sets the DSCP. You VoIP signaling is 26, while your VoIP audio is 46. It's best not to change from the defaults. You will want to configure the router to read and use the DSCP bits. I use the script in this post to setup the routers. https://forum.mikrotik.com/viewtopic.php?...

IntrusDave

DNS needs to be pointed at the AD server.
That's may only guess without any info on the design of the network.

IntrusDave

While I don’t know the solution to your problem, this topic has piqued my curiosity. If it were me, I would first try connecting a PC to Ether1 and see if I got the same result. Next I would try a Crossover cable between the port and the modem. Next I would try manually setting the port speed and du...

IntrusDave

Doing the copy and paste from post #1 worked. Still not sure why it stopped working. Thank you!

Sweet, glad it fixed it for you.

IntrusDave

try a copy/paste from the first post. Not sure what the issue is, the server isn't reporting any issues.

IntrusDave

Are you using EoIP for anything?

IntrusDave

Consider at least upgrading to ESXi 5.5, preferably 6.5. I had MANY issues with VM and even full host crashes with 5.1, most have been resolved after moving to 6.5

IntrusDave

Once you put VLANs in play, you no longer have a "flat" network. You can run a pig and trace route from a notebook to the printer. If you have more than 1 hop, then you are routing and AirPrint will not work. It is a broadcast protocol. You issue is likely the VLAN tagging on the WLAN inte...

IntrusDave

DDR1333 and DDR1600 have different latencies. MikroTik is providing throughput details for the CPU clocked at either 1GHz or 1.2GHz, using DDR3 1333 or DDR3 1600.

IntrusDave

SHouldn't be an issue for most. The server will flag routers that get excessive and throttle them to 4 download in a 24 hour period.

IntrusDave

Thanks to someone setting up 50 routers to download every 2 minutes, the server is now blocking any router that downloads more than 4 times in a 24 hour period.

IntrusDave

The script was updated last week to work with the new backend servers. You can find the update in the first post of this thread

IntrusDave

One of the bonuses of 2.4 and 5GHz is that the 5Ghz is half the wavelength of the 2.4Ghz. That means that you can use a single antenna tunes for 2.4Ghz as a ½ wave 5Ghz antenna. That said, just find a nice 2/5Ghz dual band omni and you are set. The wireless config in RouterOS will let you select whi...

IntrusDave

In that case, simply add (or change) the current IP on ether1 to the IP that you would like it to have. Optionally, you can use the DHCP client to have the CRS pull it's own address and configure it's gateway and DNS automatically.

IntrusDave

Also, it's easier to understand the rules if you post them using this:

/ip firewall filter export compact

IntrusDave

The detail and understanding is something that you will gain by reading. https://wiki.mikrotik.com/wiki/Manual:TOC Read the filter section of the Wiki first. Once you cover that, it will become clear as to what they are doing. Just having someone explain it here will not help you in the future. Once...

IntrusDave

Everything you need is all in one place: https://wiki.mikrotik.com/wiki/Manual:TOC Start there, get your basics covered, then post back here for help on refining the setup. You will need to read and learn about the RouterOS before anyone here will be able to help. Without the basic understanding, yo...

IntrusDave

Whitelisting is accomplished by creating a new address-list and a new filter rule. 1) Create an address list - say.. "Whitelist" and add the IP addresses that you need never be blocked. 2) create a new filter "Accept" rule, using the src-address-list you created. 3) place the new...

IntrusDave

I noticed today when I started Firefox that I were getting hits on the blacklist. I followed the IP and found that it lead to hackademix.net and secure.informaction.com and looking on the site it was probably an plug-in was generating the hits and that was No-script. I use this plug-in for years an...

IntrusDave

I've updated the statistics page today. It now normalizes the memory and shows the percentage of each category

IntrusDave

PMs are blocked here. You have Facebook or twitter?

IntrusDave

Jim - Do you work for DWP or SCE?

IntrusDave

Here is the first two lines of my startup script: :log info "Starting System Startup script" :delay 00:00:20 Note that all this script does is send me an E-Mail that lets me know that the router has booted. Leave it to the HAM's to understand. :) That's almost exactly what I use. It works...

IntrusDave

No problem at all. I enjoy it.

IntrusDave

Fixed. Sorry about that. typo in the code.

IntrusDave

Not sure why its not working all of a sudden. I updated the script a few days ago and was working as of yesterday... Now when the script runs, it says its downloading the blacklist but nothing else happens.

What are the last two octets of the public IP?

IntrusDave

I've cleared all my starts and started fresh. Here is a quick and dirty stats page on the hardware accessing the list.

https://mikrotikfilters.com/blstats.php

IntrusDave

Awesome! Thanks for still doing this. Now that you got more stats, you should create some public pages cause i love me some random statistics!

I was just starting on a page that shows each type and number of routers that pulls the list.

IntrusDave

Glad it's working for everyone now. Stats are MUCH more accurate now. The server was starting to block devices behind NAT routers because it thought some were downloading hundreds of times per hour. Now it sees each as a separate device.

IntrusDave

syntax error (line 62 column 11)[/code]

I found the line 62 error and corrected it. delete the items you have, and reinstall. it should be good to go.

IntrusDave

I've updated the script to deal with the CHR using system-id instead of software-id. Annoying that they are different... I've tested on the following units with no failures. CCR1009-7G-1C-1S+ CCR1009-8G-1S-1S+ CCR1016-12G CCR1036-12G-4S CHR CRS109-8G-1S-2HnD CRS125-24G-1S CRS125-24G-1S-2HnD hAP+ac h...

IntrusDave

I am on a RB951Ui-2HnD

can you post the /system license print ?

IntrusDave

I'm guessing that everyone with issues are running CHR. I've found the problem and I'm working on a fix right now. I'll post the update in about an hour.

IntrusDave

Sorry man. More than 500 routers already updated and working with the new script. You are having copy/paste issues. I can't fix that for you.

IntrusDave

That would mean that you need the current script. It's available in the first post.

IntrusDave

Your URL is wrong.
Note the ? between "download.php" and "get"

url="https://mikrotikfilters.com/download.php?get=dynamic&model=$model&version=$ver&memory=$memory&id=$name&ver=$scriptVer&softid=$softid"

IntrusDave

Those are ANSI escape sequences. You need to use a terminal that supports ANSI.
Looks like you may be using Linux, you can use also use the screen command from a terminal window.

IntrusDave

Okay, I've updated the script again. It didn't like having the path and filename separate. # Import Intrus Managed Filter Lists # © 2016-2017 David Joyce, Intrus Technologies ##### Update your path, is you are using a USB Flash or other storage :global datapath "disk1/dynamic.rsc" ###### D...

IntrusDave

Yup, clearly a problem with the remove. I can't seem to get it to accept a variable

IntrusDave

Try this
:global datapath "/disk-8G/"

IntrusDave

I've updated the script with support for USB Flash as well as the new RB1100AHx4 with internal storage. I has also reworked the backend and script for more accurate accounting. Please update your scripts. # Import Intrus Managed Filter Lists # © 2016-2017 David Joyce, Intrus Technologies ##### Updat...

IntrusDave

I've pre-ordered one from Baltic Networks. It looks like a nice box and my be just what I'm looking for. The downside is that it should arrive the day before I leave for a 4 week vacation at the beach. Looks like I may be testing how it holds up to sun, sand, and humidity.

IntrusDave

The list is stored in memory while active.
If you need to use a flash drive for the update, just add the path of the usb drive to the path of the fetch and import lines.

IntrusDave

My list will not be moving to DNS. It over complicates the process and provides little if any advantages.

IntrusDave

Anyone have a release date for this? I'm ready to upgrade all of my sites and this unit would cover just about every use I can think of.

IntrusDave

Give this a try... # Import Intrus Managed Filter Lists # ©2016-2017 David Joyce, Intrus Technologies :log warning "Blacklist update in 30 seconds"; # :delay 10 :local model [/system resource get board-name] :local version [/system resource get version] :local memory [/system resource get ...

IntrusDave

Disable mangles, filters, & queues.

You have given us nothing to work with. What router? How much bandwidth? What are you filter & mangle rules? What kind of traffic?

IntrusDave

1. because you are bridging, and bridging passes all traffic.
2. enable firewall on the bridge and filter UDP 67 & 68 from passing on the ethernet

IntrusDave

I am always amazed when someone refuses to read the release notes, then posts here trying to shame and insult MikroTik for the end user ignorance. The only thing you have accomplished is showing us that you have no place in the I.T. field, and that you will not take responsibility for your own actio...

IntrusDave

Try downloading directly from here: https://mikrotikfilters.com/updateBlacklist.rsc Unfortunately, I don't have a router that gets this error, so I really can't troubleshoot it. If one of you want to give me access to a router that is having a problem with the script, I can try and figure out what t...

IntrusDave

Yes, You can create an address list with addresses that you never want blocked, then add an accept rule above the drop rules.

IntrusDave

That is the same unit I use for writing my scripts. I have just over 500 of them pulling the list every morning. The error you posted is almost always a simple format or encoding error.

Search found 1286 matches