MikroTik

tomaskir

http://forum.mikrotik.com/viewtopic.php ... 80#p389982

tomaskir

With wireless-fp (which is now the default wireless package) tab-completion for the "country" doesnt work. /interface wireless> set [find name=wlan1] country=[TAB] Will NOT give you all available countries. This means there is no way for you to see in the CLI all the available countries fo...

tomaskir

Now added to fw manual. There you will find difference between ipsec and none Just a final confirmation, so basically the settings are: ipsec-policy=in,none - incoming packets matched by any policy before decryption ipsec-policy=in,ipsec- incoming packets matched by any policy after decryption ipse...

tomaskir

Hi guys, Whats the difference between ipsec-policy=in,ipsec and ipsec-policy=in,none? Its not made clear in the new Manual article http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Allow_Only_Ipsec_Ecapsulated_Traffic Also the options are not yet described in the firewall Manual article http://wiki.mikr...

tomaskir

All ports are totally equal and can be anything.
The labels are just how the router behaves with default (factory) config.

You can reconfigure the router to do anything.

tomaskir

There is local-address in 6.27 too, I tried that, that doesn't help...

I also tried to add y.y.y.y/32 route to peer with pref-src=x.x.x.x. It doesn't work as well.

It works correctly for me even with 6.23.

Are you sure other NAT / Mangle rules are not interfering?

tomaskir

Yes, using 6.29.1, you can specify IP address used per-peer.

/ip ipsec peer set 0 local-address=x.x.x.x

tomaskir

Nstream will be the best option for lowest latency (if like you mentioned, throughput is secondary).

tomaskir

You have something configured wrong then. 1500 works without a problem. Client config: /ppp profile add change-tcp-mss=no name=pppoe use-compression=no use-encryption=no use-ipv6=no use-mpls=no \ use-vj-compression=no /interface pppoe-client add disabled=no interface=ether1 keepalive-timeout=10 max-...

tomaskir

PPPoE client supports 1500 MTU in v6.x

Support for MTU >1500 is not there, but 1500 is supported.

/interface pppoe-client add interface=ether1 max-mtu=1500 max-mru=1500

tomaskir

The link isn't working

This thread is 9 years old...
This is the UserManager ... you can get the package and install it in your MikroTik.

Do NOT bump old threads.

Can this please be locked?

tomaskir

4.0b3 uses an embedded sqlite DB to store things in. As soon as the DB file is larger then 2GB, you are screwed (that is the limit on the old sqlite drivers Dude 4.0b3 is using). There are ways to recover - includes deleting all historical data. You however have to manually dump (export) the sqlite ...

tomaskir

Yes, some of the newer units update firmware automatically.

After you reboot for ROS update, you will see the standard firmware update message in the log, and after another reboot, you will have newest firmware automatically.

tomaskir

Well, without getting access to the system and playing with it directly, I dont see why it doesnt work.

You can contact me at tomas[at]atris[dot]sk if you want more direct help.
Or maybe someone else can help you.

tomaskir

Post your "/ip rou exp" please. There are 2 things I can see happening: 1) routing engine dropping packets because of no route or a blackhole route 2) packets are arriving with TTL of 1, therefore are being dropped I also advise sniffing the traffic (there is an action in prerouting that c...

tomaskir

You mentioned in your previous posts you can properly see the return traffic in mangle pre-routing: prerouting in:ether1-gateway out:(none), src-mac e4:48:ab:ab:ab:ab, proto ICMP (type 8, code 0), 10.5.1.14->10.0.10.2, len 84 This means the encrypted traffic is properly coming in and being decrypted...

tomaskir

The addresses being incorrect and missing incoming ipsec firewall rule was a copy-paste mistake on my end. Sorry for the confusion. That is why I said it would not work with the previously posted config. I can also confirm traffic is arriving at 10.5.1.14 when pinging from 10.0.10.2. Replies from 1...

tomaskir

what is the difference between SECUIRITY=PRIVATE VS SECURITY=AUTHORIZED ?

Do NOT bump a 4 years old topic.

Regarding your quesion, watch this presentation and you can learn all about SNMP an SNMP in MikroTik:
https://www.youtube.com/watch?v=McUCYuy9Cv0

tomaskir

First of all, from these exports, your IPSec should not work at all, since the policies dont match the peers: /ip ipsec peer add address=54.239.63.154/32 ... add address=54.239.63.155/32 ... /ip ipsec policy add ... sa-dst-address=54.239.63.111 ... add ... sa-dst-address=54.239.63.222 ... add ... sa...

tomaskir

Post your export of:
/ip ipsec exp
/ip fi filt exp
/ip fi nat exp
/ip fi mang exp
/ip rou exp

tomaskir

Go over the data in this presentation:
https://youtu.be/McUCYuy9Cv0

It will give you all useful OIDs and what is located where.

tomaskir

/user set [/user find name="admin"] password=123456

tomaskir

Hi, I think this is a bug or something can't say cleary. Problem is when change SIM card for RB922 or RB912 with RouterOS v6.29.1. Have 2 SIM card with different ISP. Another have PIN code other not have PIN code. When first card witch have PIN code everything works wine, but when i change card to ...

tomaskir

1508 is however correct if you need to deliver full frames (1500) in a pppoe session inside of the vpls tunnel.

Which is what the presentation was dealing with.

tomaskir

@normis
I have managed to reproduce a very rare and annoying bug [Ticket#201503206600075]

It will go away if I reboot the device.
Could someone from support please look at this so I can give you guys SSH access?
I cant keep the device in this state for long, since it needs to be used.

tomaskir

It was announced before somewhere, that single letter shortcuts are removed, because there was a risk of accidentaly removing, disabling, etc. We will add shift or something to these keys Yes, I read that and I understand why that was done for remove/disable etc. But comment was not mentioned. Comm...

tomaskir

The C button no longer works for me to set comments in RC10.

Is this also happening for others?

tomaskir

Very useful and it significantly reduces complexity . I just came across the need for a default routing-mark=no-mark as well which is not implemented as of now (v6.28)

This post is from 2009.

This is already working as described in 6.28.

@MirkoTik - Please lock this topic.

tomaskir

Are you using nv2 for wireless?

tomaskir

1500 is the correct L3 and L2 MTU on the VPLS interface in your test scenario. Remember that MTU (L3 MTU) in MKT is with the data, L4 and L3 headers counted in. Calculation of MTU from the point of view of the VPLS interface: 1472 data + 8 icmp header + 20 ip header = 1500 L3 MTU for the VPLS interf...

tomaskir

Hi, Well, that works, but I have read somewhere that the vpls interface will fragment the package anyway, due that I can ping whit 1500 packetsize as well. Eth header 14, MPLS 4, VPLS ID 4, VPLS 4, IP header 20 + data 1500 + ping header 8 = 1554 How does this work ? ? ? Yes, VPLS interface will fra...

tomaskir

Yes, your calculations are correct, and it will work. Just remember to set the L2MTU correctly on all interfaces on all devices. As for how to test it: Simply create a VPLS tunnel between 2 routers, and try to ping within that tunnel with 1472 packet size with do-not-fragment set. (1472 because ICMP...

tomaskir

Question - if I have no rules in forward chain - only in input chain (typical transit router) - will FastTrack be active? IMO, if there are no rules in a default chain, that chain should automatically be FastTracked (so I dont have to add rules now to tons of transit routers to take advantage of Fas...

tomaskir

I will wait for 6.29 final before trying this, but in your rules you add a fasttrack rule and then an accept rule. What happens if there is no accept rule. Doesn't the fasttrack rule here do exactly this - passthrough all packets matched by it ? Yes, but accept is also needed - it was mentioned in ...

tomaskir

Router RB850Gx2 hangs on reboot if serial port is removed from the /system console [admin@RB850Gx2] > /system console print Flags: X - disabled, U - used, F - free # PORT TERM RouterBOOT booter 3.22 RouterBoard 850Gx2 CPU frequency: 533 MHz Memory size: 512 MiB NAND size: 512 MiB Press any key with...

tomaskir

How ECMP checks the current link load before send the traffic to this link? There is no load checking. ECMP simply routes each packet over one of the available gateways in a round-robin fashion. There is a catch however - routing decisions are cached by the kernel, so actually, ECMP is more like pe...

tomaskir

Problem with e-mail client still exists.
If you use TLS then the second EHLO, which is normally issued after STARTTLS, is malformed and rejected by postfix with error "Helo command rejected: invalid ip address"

Did you report this to support@mikrotik.com?

tomaskir

Thanks. Do you use an agent for those Windows servers? I was hoping to find a way to monitor disk space and memory usage through snmp but that's been more difficult than expected. No, we monitor all using SNMP. Its the same as in The Dude, this is all from the Storage table at OID .1.3.6.1.2.1.25.2...

tomaskir

We have plans to release v6.28 during this week.
Really this week?

Better late than with bugs!

tomaskir

+1 for BGP-MIB

STP-MIB would also be really useful

tomaskir

How can i use ECMP with IPsec VPN-tunnel? You cant use it with IPSec in tunnel node. You need to manipulate the routing table, which IPSec tunnel mode policies do not use. Use IPSec in transport mode with a different tunneling protocol (like GRE or L2TP), which will give you an interface, and you c...

tomaskir

Which IP is the Radius server and which IP is the radius client? Because you mention The packets will be send from 112.25.145.100, but not encrypted and not pass over Ipsec. If packets from 112.25.145.100 are not encrypted, you are showing us exports from the wrong router (the router hosting 192.168...

tomaskir

It would be helpful if you actually described what the problem is.

tomaskir

Just a side node, if you have ROS v5, use

/export compact file=name.rsc

If you have ROS v6, use

/export file=name.rsc

tomaskir

Its a known issue with MikroTik IPSec.
Its actually an issue in MikroTik NAT-T functionality.

You can not have multiple clients from one public IP.

Consider building a site-to-site tunnel, or use a different tunneling protocol, such as SSTP.

tomaskir

This is the CPU that we will use for RB3011: http://www.anandtech.com/show/7526/qualcomm-atheros-announces-new-internet-processor-lineup-ipq8064-and-ipq8062 Can you as well confirm that both switch-chips have a full-duplex 2Gbps link to the CPU? And if the HW acceleration support for AES is going t...

tomaskir

its likely one of "off the shelf" inexpensive A9 twin-core SoC. which explain relatively small performance (for twin-core 1.2Ghz chip). a12/a17 do about 42% more performance than A9 (on same clock on similar die) and a53 and a57 do about 2.5x and 4x times (in peak not sustaine/stressed)mo...

tomaskir

Oh wow, that would be a big upgrade over everything with a switch chip that they used before. Even the CCR1009 has a 1Gbit link internally to the 4x1Gbps connected through the switch chip. Are you sure he said 2Gbps per switch chip link, or maybe he meant 1Gbps to each switch chip so 2Gbps in total...

tomaskir

And what about hardware aes support?

Since CPU brand/type is currently unknown, if it supports aes hw acceleration is also unknown.

tomaskir

A much better solution is to use ECMP load-balancing over the VPN links. If you balance on L2 (using EoIP), you will get huge problems with out-of-order packet delivery, fragmentation, and a lot of other things. Using ECMP also has its disadvantages (very similar to LACP), but overall, is a better s...

tomaskir

I asked Janis about the internals at the MUM, here is a few clarifications:

2 switch chips, each 5x 1GBit ports.
Each switch chip connected to CPU with a 2GBit link.

1x MiniPCI-E for wireless cards.

CPU brand/type unknown.

tomaskir

hi if it is possible to have the pppoe server listens to serveral interfaces instead of one interface .. i have 7 vlans and i have to have 7 pppoe servers for each vlan interface it would be nice to have one pppoe server for 7 interfaces Create a bridge, use split bridge horizon to isolate the port...

tomaskir

NMSs also use it to build topology tables (and maps).

It would be EXTREMLY useful for this purpose to us.

tomaskir

I had this problem before.

NetInstall the device, that fixed it for me.

tomaskir

There have been issues with SNMP in a few older versions...

What I recommend:
Use latest RouterOS with latest firmware (RouterBOOT).

I have had issues where SNMP didnt work because RouterBOOT was older version, even when RouterOS was newest version.

tomaskir

how they interact with MikroTik?

You can use SNMP, same as in the Dude.

tomaskir

/user set [/user find name="admin"] password="mypassword"

tomaskir

Ticket#2014122966000079
This is a bug with the route table not being available over SNMP.

Ticket#2014120866000733
This is a bug with VirtualAP showing inside SNMP Station Interface table (mtxrWlStatEntry)

tomaskir

There are InOctets and OutOctets for every interface...

So what you are seeing in there is for every interface on your router.

tomaskir

Normis, can you please look at these: Ticket#2014122966000079 Ticket#2014120866000733 Ticket#2015020266000252 The first two are more feature requests than bugs. The latest is new, so not answered yet, but before our specialist has looked at it, it may be specific hardware problem or something else,...

tomaskir

Normis, can you please look at these:

Ticket#2014122966000079
Ticket#2014120866000733
Ticket#2015020266000252

tomaskir

Its in the standard ifMIB:
.1.3.6.1.2.1.2.2.1.5

tomaskir

Ok, so basicly what you are saying is: "We have decided on this because we like it and we are not willing to hear feedback. Instead we are going to reply with links to jokes and just ignore our user-base." Now Im fully aware that Im just expressing my opinions as well, and that most userba...

tomaskir

Alright, here we go: Problem 1) Forums are not properly sized on higher resolutions and about 40% of the screen space is wasted. This is using Win7, newest chrome, 1920x1080 screen. att1.JPG Problem 2) "Show x posts" buttons are hidden behind menus and places inconsistently. This adds addi...

tomaskir

Normis, all of these changes decrease my productivity on the forum.
Why are we sacrificing user-friendliness and usability to get a modern look?

We are even missing features which were present in the previous forums ("Show unread posts").

tomaskir

And since we are talking about this: Why are "Your posts" (old "Show my posts") and other post-related buttons in different places? ("Your posts" hidden behind my name menu and other post-related menus hidden behind "Forum" menut) Why are they even hidden behi...

tomaskir

And where is the "Show unread posts" button?

Also, where is the option to change to prosilver and subsilver themes?
(not in the user control panel)

tomaskir

You can also use MAC-Telnet to connect to the device when you clear the config.

One example utility for Linux:
https://github.com/haakonnessjoen/MAC-Telnet

Debian/Ubuntu:

apt-get install mactelnet-client

tomaskir

In NAT on the router terminating the public IP, simply NAT the requests correctly:
PublicIP:SomePort -> LocalIP:161

/ip firewall nat add chain=dst-nat dst-address=publicip proto=udp dst-port=someport action=dst-nat to-address=localip to-port=161

tomaskir

750 series - up to 60 Mbit firewall / routing / NAT / QoS - up to 12 Mbit IPSec (aes128, md5) 951/2011 series - up to 120 Mbit using firewall / routing / NAT / QoS - up to 18 Mbit IPSec (aes128, md5) 1100AHx2 - up to 2 Gbit using firewall / routing / NAT / QoS - up to 550 Mbit IPSec (aes128, sha1) T...

tomaskir

Simply create a new firewall rule, and inside the chain option, write the new chain's name.

tomaskir

If manual update works and automatic update doesnt work, it has NOTHING to do with networking.

You do NOT need to forward any ports, these are all out-bound connections.

tomaskir

This has been requested many times for a long time now:
http://forum.mikrotik.com/viewtopic.php?f=19&t=85716

MikroTik seems not to care

Definatelly a +1

tomaskir

You need to setup full L2TP/Ipsec, not just L2TP.

See this video:
http://tiktube.com/video/mIgH3hmodoLHnH ... tKlGonDpI=

There is a part in it on how to configure MikroTik as an L2TP/IPSec client.

tomaskir

750 series - up to 60 Mbit firewall / routing / NAT / QoS - up to 12 Mbit IPSec (aes128, md5) 951/2011 series - up to 120 Mbit using firewall / routing / NAT / QoS - up to 18 Mbit IPSec (aes128, md5) 1100AHx2 - up to 2 Gbit using firewall / routing / NAT / QoS - up to 550 Mbit IPSec (aes128, sha1) T...

tomaskir

Ha, well, I am flattered you would say this, but the truth is that I am not qualified to work on MetaROUTER. I have neither the requisite knowledge or experience engineering hypervisors. :) All I essentially did to come up with the kernel I did was to act as an "editor" of sorts, pulling ...

tomaskir

Why hasnt MikroTik hired you yet to fix MetaROUTER?

Great job, with MKT would fix all of the current issues and we could all be happier...

tomaskir

Ticket#2014122966000079
Ticket#2014120866000733

Please?

tomaskir

We are already on beta12, so progress is going fast. It is much more stable than v2 ever was

So PLEASE PLEASE release that beta version?

Why keep us on beta3 which has many issues?

tomaskir

Hi ALL i reading your Load balance Bandwidth base Method(MUM_US12) http://mum.mikrotik.com/presentations/US12/tomas.pdf but i don't understand this i connect internet by PPPoe-Client(pppoe-out1,2,3) and I have to do anything at this stage ? thank you /ipfirewall address-list addaddress=1.1.1.0/24 l...

tomaskir

What version of RouterOS are you using?

Post export from:
/ip add
/ip ipsec
/ip fi
/ppp

Feel free to remove sensitive information.

tomaskir

Bug with SNMP not enabling without a reboot from ticket [Ticket#2014112666000541] is also fixed.

Why is it not in the change-log?

tomaskir

But if I plug a GBit into ether1 and ether5, and want to run routing between them, I will only get 1GBit full duplex throughput, not 2GB full duplex, because realistically, there is only a single 1GBit link to the CPU, right?

tomaskir

Could the board block diagram please be posted to routerboard.com for 850Gx2? While we are at it, can the performance tables also be added? I know they are posted here in the forum, but please add them? What Im interested in: is ether1-ether5 on a single switch-chip or is ether1 direct-to-cpu? If it...

tomaskir

Where and how are you capturing the packets?

Can you draw a diagram of your setup, including where the packet capture device is?

Also please include /exports

tomaskir

The packet is transparently fragmented and re-constructed by the VPLS interface driver in RouterOS. If you set a do-not-fragment flag in ICMP, that only applies to routing (L3) logic. MPLS and VPLS are L2.5, they do NOT care about a ICMP do-not-fragment flag, and will happily fragment the frame anyw...

tomaskir

Watch the presentation in my sig, as I mentioned earlier.

It goes into heavy detail on MTU with MPLS/VPLS and especially PPPoE over VPLS.

tomaskir

http://lmgtfy.com/?q=mikrotik+radius

tomaskir

Use RouterOS Radius client for AAA.

As a server, I recommend FreeRadius.

tomaskir

+1

Especially for PPP profile.

tomaskir

Well, take a look at http://www.netxms.org, and will find an anternative that is like The Dude, really! Has anyone tested netxms in a large(r) environment? It's not very clear to me how I can create a structure/hierarchy with all servers and network components. We have NetXMS monitoring about 150 n...

tomaskir

Thank you, thank you!
subsilver2, welcome back.

Now im not neceserally against the new theme, just please improve it more. I think there have been enough coments in this whole thread to tell you what is wrong with it by now.

tomaskir

Watch the presentation in my sig.

tomaskir

Hi Tomaskir, In my environment i think 1526 of mpls-mtu is enough becouse I don't have vlan. By the way I have a look to your presentation and in parallel I am in contact with mikrotik support. Remember that we have side 1 of infrastracture that work properly so I don't understand why this problem ...

tomaskir

Notification with email is easy, simply use netwatch to monitor the host which is used for failover based on recursive route lookup. Then if that host goes down, fire an email using the netwatch scripts. As for packet-loss, you have 2 options: 1) Write a script which monitors it for you and then swi...

tomaskir

For failover based on packet-loss, that is really hard to implement...

For failover on total link dropout (cant ping IP x over the link) I use this solution lately:
http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting

tomaskir

PPPoE encapsulated in VPLS needs 1530 MPLS MTU...

Check page 18 and 19 of the presentation linked in my sig.

tomaskir

spacing is corrected readability of topic list improved post body text visibility improved and signature/title made lighter unread posts is back contrast improved with new color scheme Thank you, it is better now! A few things however: 1) Additional clicks and waiting for a menu to appear are still...

tomaskir

CLI is very self-explanatory in MikroTik, if something is written in CLI, you can easily figure out how to configure it in GUI.

For all learning needs:
http://wiki.mikrotik.com
http://www.tiktube.com

tomaskir

i have yet to see them just simply ignore a genuine bug report which provided enough resources to actually replicate/solve the problem.

Then you have not been here long enough.

I could give you many ticket IDs which show differently...

tomaskir

Watch this:
http://tiktube.com/video/DofH3iFnjDJomG ... uKlEoLqHq=

The 2nd half of the presentation explains what you want to know.

tomaskir

The "View unread posts" is not gone - it's at the "Forum" menu on top, renamed to "View new posts" ("unread" is implied). It is gone. "View unread posts" and "View new posts" are 2 totally different functions. "unread" is NOT imp...

tomaskir

Agree about all the above - I really dont like this too light and too bright color scheme. Also: 1) "View unread posts" functionality is gone. 2) All "View x posts" buttons now require one more click. Before they were right at the top. This is not much, but its an extra click, wa...

tomaskir

As mentioned before XAuth currently doesnt support Radius auth.

For other AAA needs against LDAP (AD DS), setup a NPS server (Windows Radius) and auth against that.
There are multiple topics on the forum about this, if you need help, post here.

tomaskir

Take a look at this.. it not only shows how to do this, but also explains step by step.

http://mum.mikrotik.com/presentations/US12/tomas.pdf

Here is the video for more explanation:
http://tiktube.com/video/DofH3iFnjDJomG ... uKlEoLqHq=

tomaskir

On my RB1100AHx2 I got 40-60% unclassified CPU usage after upgrade (in idle). Downgrade to 6.20 brings it down to 0 - 0.2%. On other single core Atheros based boards, everything seems fine (750GL, 951G, Omnitik, CRS-125). Email support, seems like the same problem I linked in http://forum.mikrotik....

tomaskir

We are also seeing increased CPU usage after upgrading to 6.21.1

Previous avg usage: 0.3%
New avg usage: 4%

This might not seem much, but its a 10x (ten-times, ten-fold) increase in CPU usage on the same config/load.

[Ticket#2014110566000599]

tomaskir

Go for the new 850Gx2 or 1100AHx2.

tomaskir

Did some NetXMS test. Very promising but ... seems there are some bugs. Deleting alarms took a long time and then throws timeouts. Found this bug reported in an older version but found it in the newest. Will try next version again. Still TheDude is the best. It's a real shame there is no further de...

tomaskir

Its not a bonding problem. Its the configuration of the 1100ahx2 that will not allow you more traffic if you bond over ports on a single switch chip. See this diagram: http://i.mt.lv/routerboard/files/Block-RB1100AHx2.pdf To solve your issues, bond on ether1+ether6 for example, that will give you fu...

tomaskir

Go for NetXMS. Its got a bit of a learning curve, but once you do learn it, it can do wonders. I have deployed Nagios, Cacti and Zenoss before. We now only deploy NetXMS. Its got everything, dynamic L2 and L3 maps, full logging (syslog, snmpTrap), graphing, treshold alerts, custom alerts, very good ...

tomaskir

Walk the ".1.3.6.1.2.1.25.3.3.1.2" tree.
Those are all CPU cores the device has, in case of CRS125, just one.

tomaskir

Always use your LAN subnet as the target, specify the uplink interface as a Destination.
You can then use the default download and upload PCQs, and just modify those.

This is assuming you use v6.

tomaskir

I am having my own custom NMS developed as the ones available currnently dont meet my needs.

Did you look at NetXMS? In which regards did it not meet your needs?

tomaskir

To actually answer the quesions: Some functions are performed on the ASIC (like "/interface ethernet switch" menu), but most functions are implemented in software. Do note that MikroTik has fast-path, so a lot of the stuff is actually handled by device drivers and the Linux kernel directly.

tomaskir

Do NOT use MPPE when using L2TP with IPSec.
IPSec provides encryption, you do not need MPPE.

As for securing L2TP server to IPSec only:
http://wiki.mikrotik.com/wiki/Securing_ ... _for_IPSec

tomaskir

One word: VLANs

tomaskir

Please post that from:
/ip firewall filter export
/ip firewall nat export

tomaskir

Post your firewall and NAT configs as well pls.

tomaskir

Your config on the router is wrong. Cant tell you more without seeing the config.

tomaskir

Your error line on your probe shoould be;
if(getTemperature()<25, "", "NOC Room Temperature above 25 c, Please check A.C")

Lebowski

Nice catch, exactly!

tomaskir

If the function returns correctly in the label, it has to return correctly in the Probe as well. Check if you have multiple Probes, check if you are using the right Probe, check if you didnt accidentaly click Cancel when saving the Probe etc. It really should work, lets check if its not something si...

tomaskir

Go to the device's label on the map, go to Appearance.

In "Label" field, click it, you can modify it. To use a function in there, use it in this format:

Temp from function: [getTemperature()]c

Just add that below all that is already in there.

tomaskir

Try to use that function in the label display, to see if the function returns a correct value.

tomaskir

Create a function which will read and divide the temperature:
name: getTemperature
Code: oid("1.3.6.1.4.1.13400.2.62.2.1.2.0") / 100

Use that function in the probe:
Value: getTemperature()

tomaskir

1100AHx2 or any of the CCR series.

tomaskir

You can do absolutelly whatever you need.

Route all DNS over a single connectivity, route rest distributed over other connectivities, etc.

Its really only up to your how you want to do it, when its just a matter of proper Mangle config.

tomaskir

For one thing - I like my internal network to keep on working even if the router goes down for some reason... If we are talking about smaller networks where this is required, those use mostly NetBIOS name discovery anyway. DNS will also be cached for a while. And again, if we are talking about the ...

tomaskir

My reasoning is that if you have a reason to have an internal DNS server, you probably already have some other server you can run it on. I run my own internal DNS on a small VM on one of my hosts in the basement. Small business can easily do the same thing - you don't even need a VM... Extra admin ...

tomaskir

Yes, its all easily possible with MikroTik, but if you dont have networking skills, its not gonna be an easy setup. You will have to use a combination of vlans, bridging proper vlans and ports and virtualAPs to proper subnets, firewall and possibly routing. You can try reading up on those things, bu...

tomaskir

Yes, its possible, simply NAT those other routers, or setup proper routing between the main router and the rest.

http://wiki.mikrotik.com/wiki/Manual:Si ... ic_Routing
http://wiki.mikrotik.com/wiki/Simple_St ... es_Example

tomaskir

That is not the window where you configure NPS logging.

1. Open NPS console.
2. Under Accounting choose Logfiles - enable logging to file.
3. Choose the location you want for the logging file.

Then look into that logging file, it will list why NPS refused login.

tomaskir

why don't you create a metarouter+busybox ?

Because this is absolutelly basic dns feature that I should not have to create a second virtual router for (not to mention manage 2 devices instead of one) for.

tomaskir

I found the log files in C:\windows\system32\LogFiles\. Follow two log records trying to authenticate in the router: X.X.X.X,user.1,08/13/2014,16:01:21,IAS,SERVER,6,1,31,Y.Y.Y.Y,32,MikroTik,4,X.X.X.X,4108,X.X.X.X,4116,0,4128,access_point,25,311 1 ipv6::ipv6 08/08/2014 22:19:56 1159,4136,1,4142,0 X....

tomaskir

We have it working. You are getting Access-Rejects from NPS.

Configure NPS logging. NPS will by default log to 'C:\windows\system32\LogFiles\' - or something very similiar.
Go through the log file, it will show you exactly why NPS sent an Access-Reject.

tomaskir

+1 and a bump on a 6 year old feature request.

LLDP makes my life a lot easier... please make it happen in RouterOS

tomaskir

This issue has been around for a long time, I have submitted support tickets, but never got a reply...

[Ticket#2014032866000651]

tomaskir

Yeah, its not supposed to work on x86, but the fact that the menu is completely missing is a bit misleading to me personally. It would make more sense IMO to show it anyway, but show "Only supported on RouterBoards" Also, importing an export file which has "/ip cloud" setting def...

tomaskir

On 6.18 x86, I do not see the IP>Cloud menu anymore, not in console either.

Any comments?

tomaskir

I checked that, and there are actually two bugs: 1. in Terminal, you can create simple queue with target="" - after that WinBox shows "Target" in red; if you create such entry in WinBox, it says "Error in Target - at least one entry expected!" 2. if 'target' contains a...

tomaskir

Ok, just found another one: /interface wireless set [ find default-name=wlan1 ] tdma-period-size=auto creates an error in a groove where it is accepted by an SXT without any problems. Both are already running 6.15 so both have fx package installed and enabled. For the groove I have to erase the &qu...

tomaskir

How about this bug.
Have not read anything about it, also not heard anything from Mikrotik itself.
I have just tested it and the but is still present on version 6.17!!!

I tested it on 6.17 and could not replicate... so I removed it from the list.

Can you give exact step-by-step to replicate pls?

tomaskir

Just to add to this, at rOS 6.17 some RouterBOARDs like the 912UAG-2HPnD found in the BaseBox2 use set [ find default-name=wlan1 ] tx-chain=0,1 rx-chains=0,1 where as older RouterBOARDs like the 751U-2HnD, SXT G-2HnD, Metal 2SHPn still use set [ find default-name=wlan1 ] ht-txchains=0,1 ht-rxchains...

tomaskir

ros code

/interface wireless
set [ find default-name=wlan1 ] ht-rxchains=0,1 ht-txchains=0,1

tomaskir

Cloud has option to send local or public IP, check "advanced" settings in the IP cloud menu from CLI Why was that not in the changelog? That is a major and awesome change and should really be mentioned in the changelog. I wouldnt even know that was implemented if I didnt read the forums...

tomaskir

You can not.

RouterOS is close-sourced and does not allow adding your own Packages, or Drivers, or anything of this sort.

tomaskir

So just to be clear, you think the Netgear that has worked previously must have been behaving differently? I'm going to test with the current dynamic WAN IP hard set in the config and see what happens without worrying about updating it. If this doesn't work, I noticed whilst checking over the wiki ...

tomaskir

tried the same steps, it does scroll down automatically when new command pasted in terminal. must be some specific thing in windows or else. I have MacOS with Wine and Winbox 3 beta 2 What is your sorting order in Log? Newest on top or newest on bottom? My newest are on bottom, and I have to manual...

tomaskir

Scripts will not help you here.

MikroTik IPSec requires the IPSec responder [IPSec server] to directly terminate a public IP [not be behind NAT].

NAT-T only works on client side with MikroTik.

tomaskir

Since v6.16 has now been released, this topic should probably not be a sticky announcement anymore

tomaskir

[Ticket#2014071866000868] 7 issues / missing features in Winbox3 beta2. Normis, if you have time, please have a look at it. strange but my log does autoscroll once you have scrolled to the bottom ... Here is how I'm trying it: Open log Window > Scroll to the bottom [due to starting scroll being on ...

tomaskir

I could not restore configuration with no-password backup file. Tried several files, not only 1. If I put password when backup the file, I can restore the config. v6.15 RB951Ui-2HnD I could not replicate this in 6.17. Since this seems to be working in 6.17, can you please verify and let us know if ...

tomaskir

Issue:
Winbox doesn't unlock upload files after upload whole folder via Winbox > Files menu

This is more a Winbox issue, but confirmed, and added to the list.

tomaskir

Now I get it. We checked in v6.13 and it worked for us, but it looks like v6.12 has this issue. Seems it's fixed. Normis: Just an update, this is still NOT fixed for me in 6.16/6.17 on a RB 750GL. This was regarding to this post: http://forum.mikrotik.com/viewtopic.php?f=2&t=78816&p=437253#...

tomaskir

[Ticket#2014071866000868]

7 issues / missing features in Winbox3 beta2.

Normis, if you have time, please have a look at it.

tomaskir

All issues re-tested on v6.16 release. The list is now current for v6.16 2 out of 9 bugs on the list at the release of v6.16 were fixed. The following issues from the list have been fixed from 6.12 to 6.16: 3) L2TP Server bug - replies from wrong IP address - http://forum.mikrotik.com/viewtopic.php?...

tomaskir

Exciting news, keep up the good work.

Off to do some testing on the new version now.

tomaskir

This is to calculate minimum MTU, and walk on the edge of a knife. To be sure - Use Maximum l2mtu possible in all l2 net Connected "by" MPLS Its not edge of the knife, its control. You control your network, you know what max MTU it uses. You want to limit the MTU, and you want to have thi...

tomaskir

I fully support this request.

tomaskir

Anyone got a way to set rate limit on freeradius that use LDAP on back-end?

Thanks

It definatelly should be possible, but I am not good enough with Radius to tell you how.

tomaskir

If you want to know exactly how to calculate the MTU and how its done, see the presentation in my sig.

About 15 minutes of it is pure MTU talk.

tomaskir

in future the l2mtu setting for wireless will be changeable. It isn't made yet.

But what will be the wireless max-l2mtu in the future with wireless-fp?

tomaskir

Bump, still hoping for an answer.

tomaskir

Hi,
is possible get your slide about pppoe over vpls ?
thanks..

They are linked in the comments section.

tomaskir

Just a quick question, why is the L2MTU for wireless interface decreased to 1600 when using wireless-fp package? Current wireless package support 2290 L2MTU. Our network is currently at 2200 native L3 MTU (using remaining 90 bytes for MPLS/VPLS/VLAN, etc.) and this prevents me from upgrading and tes...

tomaskir

Also please post:

/ip pool exp
/ip pool used print

tomaskir

Like you said, for the moment, I would focus on bare essentials.

Dont use EoIP, use L2TP or GRE.
Use just a single routed tunnel - no bridging.
Set 1400 MTU on VPN interfaces.

Test for packet loss.

tomaskir

where would I increase the MTU? on the wlan or the Ethernet? Would I have to increase the MTU on all the routers in between? thanks It definatelly sounds like MTU issues from what you are describing. You will have to increase the transport MTU over the whole transport infrustructure, so the custome...

tomaskir

Its IPSec, so there is about 30 different things which can cause this.

You can setup better logging with:

/system logging
add topics=ipsec,!packet

tomaskir

Thank you for answer! Can you help me with proper traffic redirection to HTTPS server? I tried to use the dst-nat rule on the secondary provider IP address, but it did not work. SSTP server responds first. DST-NAT happends before packets are passed to local router process - so if you have a correct...

tomaskir

SSTP is an L3 service, it does not run on top of an interface.

For what you need - use Firewall and NAT.

tomaskir

100% SIP only. Then simply prioritize the whole EoIP tunnel on the output to internet on your router. That will make sure SIP is getting priority, since only SIP will be inside of the EoIP tunnel. This is the part im unsure of... what does "low enough MTU" mean? Im really unsure of my MTU...

tomaskir

That tutorial uses EoIP over PPTP, and justifies it by saying that PPTP is securing the EoIP tunnel. That is just plaing wrong these days, as PPTP uses MPPE encryption, which can be broken by a smartphone today - the tutorial is from 2008. Use IPSec in transport mode to secure the EoIP tunnel if you...

tomaskir

In my opinion the ISP side is right (otherwise i cannot check/configure nothing) because EVERY other item works like a charm. when i push RELEASE or RENEW IP ADDRESS nothing happends, the textbox are still empty. (when i connect the cable on eth1 no leds turn on, is it right or is it an issue?) As ...

tomaskir

Just to add a bit, what you are are looking for is called "Policy based routing" or "Policy routing"

Multiple ways to handle this, including mangling, VRFs, etc.

Search around for those things.

tomaskir

RouterOS licenses are bounded to the HDD.

You can move the HDD from the old PC to the new, but you cant move the license from one HDD to another.

tomaskir

You would get more help if you posted some info that will help troubleshoot this.

Please post the output of these commands from all routers with the problems:
/int exp com
/ppp exp com

Feel free to hide the sensitive information.

tomaskir

Thank you for the quick reply, i will try. But for some test i attached a lot of device to my ISP cable (other routers, pc, voip phone....), and everything works, only the mikrotik don't work. And i don't think that could be a MAC issue. In that case, troubleshoot like usual from Layer1 up. Is the ...

tomaskir

Use the split-horizon feature to accomplish this: http://wiki.mikrotik.com/wiki/MPLSVPLS#Split_horizon_bridging "The basic idea of split horizon bridging is to make traffic arriving over some port never be sent out some set of ports." "Bridge horizon feature allows to configure bridge...

tomaskir

Most probably your ISP has your IP MAC-locked to the MAC of the old TPLink.

Simply try to change the MAC on your WAN port on the MikroTik to the MAC of the WAN port of the TPLink.

tomaskir

This is normal behaviour with BTest - that is how BTest works. With TCP you have a windowing mechanism that adjusts with internal TCP mechanisms and packets dont get lost. With UDP, to detect max speed, you send packets untill some of them get lost - thats how you know that the link is maxed, and yo...

tomaskir

Post the result of:

/interface export compact
/ip address export compact

tomaskir

You will NOT under any cirsumstance "lose" a port.

The master port keeps functioning like any other port - if it does not, do a normal networking troubleshooting process, starting at Layer1 and moving up.

tomaskir

No it won't. Not until they can share connections amongst cores.

IPSec is hardware accelerated, has nothing to do with core sharing, since its a dedicated HW acceleration mechanism.

This number is taken from MikroTik, its not something I came up with.

tomaskir

Looking for opinions for a good model that could handle 200 +/- IPSEC VPN tunnels back to it. Not too much constant traffic, mainly SNMP/management and the occasional VoIP call across the line. If we should want to go with more traffic at a later time, this should figure in. A 1100AHx2 should do ar...

tomaskir

You dont have an IPSec policy from what I can see.

Watch this presentation, a complete setup for a client is there:
http://tiktube.com/video/mIgH3hmodoLHnH ... tKlGonDpI=

tomaskir

You can do it without mangle.

/ip route
add distance=1 gateway=gateway-for-2.3.4.5 routing-mark=ISP2
/ip route rule
add src-address=2.3.4.5/32 table=ISP2

What you are describing is policy routing a single IP over ISP2 for inbound and outboud.

This is not what the OP asked for.

tomaskir

Watch this presentation:
http://tiktube.com/video/DofH3iFnjDJomG ... uKlEoLqHq=

It should explain the mangling needed to keep inbound connections working as they should.

You can ignore the part of the presentation that talks about outbound balancing.

tomaskir

I shall correct my oppinion. Now I think that we can expect torrent client in 6.17, because mikrotik is now targeting such market area... yes, why not Fixing bugs is MUCH MORE important to your CORE user community, then adding useless things like Torrent client. If there were no long standing bugs ...

tomaskir

If I have my own doman than I would not need this useless feature since I would then have script which would check for IP changes and update my domain records. Good luck scripting this your own way. This feature is great since you click one button, create one CNAME record in your DNS, and you get f...

tomaskir

Interfaces are selected into the OSPF process based on network definitions in /routing ospf network. So you define IP ranges that should run the OSPF process, and the router then dynamically runs OSPF on the interface which terminates an IP address inside that subnet. So in your case, please post: /...

tomaskir

CCR1009 does have a Switch Chip My bad, I was assuming all the RBs from the CCR series have each port directly connected to CPU. There is no board block diagram for the 1009 series on routerboard.com, so how is it internally connected? EDIT: the block diagram on routerboard.com for the 1016 series ...

tomaskir

EDIT:
See below.

tomaskir

Both support HW accelerated aes-128-cbc -> aes-256-cbc.
CCR also supports sha1 HW offload.

1100AHx2 will do about 400 MBit/s of IPSec at aes-128-cbc.
CCR will do much more - dependant on model.

tomaskir

For SNTP you only have to set up an NTP server addressand it will switch to unicast mode for you. If no addresses are set SNTP will use broadcast mode, that does not require any configuration adjustments other than to enable it. also from changelog: *) sntp - 'mode' now is a read-only property, it...

tomaskir

Seems that these issues are solved. Please correct me if I am wrong: There is NO shell to access the underlying Linux This is NOT iptables (although it looks a bit similar) "export" and "import" commands can be used to work with config files (as described in Manual:Configuration...

tomaskir

I would not say that, at least in my case. I have to debug a bit when I have time for it.

Please check, would be interesting to know what is causing the problems in your case

tomaskir

Actually, this is not a problem with SMB itself, but with USB mount points appearing and disappearing, and not being assigned consistent names. See this thread for more info, it will explain to you what is happening: http://forum.mikrotik.com/viewtopic.php?f=13&t=84744 So this presents itself as...

tomaskir

Bump - has there been any progress on this?

I really, really, really need safe-mode in API

tomaskir

So now I am lost. Manual says no, you say yes and it does not work for me.

It seems that is a mistake in the Wiki, as SMB2 support was only included recently.

Wiki needs to get fixed...

Search found 1155 matches

ros code