MikroTik

mozerd

How does Fasttrack Help IPv4 FastTrack is a special handler that bypasses Linux facilities allowing for faster packet forwarding. The handler is used for TCP and UDP connections marked with "fasttrack-connection" action. IPv4 FastTrack handler supports NAT (SNAT, DNAT, or both). Note that...

mozerd

What's new in v4.0beta9: I always check logs and disappointed that the log window still does not scroll with up-arrow-keys down-arrow-keys plus the log window should always open at last log entry For me Logs is a priority ,,, hopefully its a priority with your dev team ... So the up-arrow-keys down...

mozerd

This completely exposes hosts in list, more secure is to allow just needed ports for hosts in list.

in my situation I only allow one to one communication - nope, local hosts [and/or devices] are completely secure from each other unless permitted,

I'm always ready to learn, however ...

mozerd

With the current implementation of mDNS I have my Sonos Speakers and Apple Airprint Printers all working flawlessly

Sonos and AirPrint Printer reside on vlan100 --- devices that need access to either one of these reside on vlan20 ...

Using the 2 firewall rules mentioned in my posting here ....

mozerd

Nope. The server in which Jellyfin runs is a linux machine (firewall disabled) and the client is a smartv. I am not at all familiar with Jellyfin but in reading some stuff on the web I have hits stating that Jellyfin currently does not support multicasting ... https://features.jellyfin.org/posts/17...

mozerd

/ip firewall filter add action=accept chain=input comment="Allow mDNS" disabled=no dst-address=224.0.0.251 dst-port=5353 log-prefix=mDNS protocol=udp src-port=5353 In my highly restrictive local communication environment I had to add an addition forward rule like following: /ip firewall f...

mozerd

@rextended, I now see your point .... this Topic is so huge its impossible for me to track all the comments ... thanks for the heads up :-)

mozerd

Winbox for Windows 4beta6
when I view Logs window I am not able scroll past the Top and Bottom using the up arrow or down arrow ... I have to use the scrolling bar to move back and forth past the top or Bottom of the window ...

mozerd

I still do not get it. Qualcomm is probably one of the largest wireless chipset manufacturers of the world. ...... Its my OPINION that MikroTik is having issues integrating the Qualcomm drivers with the Tik Hardware due to some hardware compromises in manufacturing ... the great majority of other v...

mozerd

My understanding is that mDNS is crucial for facilitating device discovery and communication within local networks without the need for a dedicated DNS server ... but Tik have not explained how that is implemented under RoS ... why introduce a new feature without some form of direction that is not ...

mozerd

Under Microsoft Windows version 10 or version 11

I much prefer Winbox 3.x from a productive perspective

The Longer I use Winbox 4 the longer I come to the conclusion that Winbox 4 is very unproductive for me ...

mozerd

The following is IMO one of the very best guides on creating your IPSec under MikroTik
MikroTik IPSec ike2 VPN server: easy step-by-step guide by Nikita Tarikin

mozerd

running 4beta4
REQUEST for Winbox version 4 under Windows 11
Please improve the contrast when using default light mode ... dark mode does not work for me ... Thanks

mozerd

I find it intimidating at first glance ... because the look and feel is very different on my 17inch laptop screen ... perhaps it will grow on me :-)

On my Win 11 Laptop the UI does not follow the Microsoft paradigm ... the look and feel is more Apple Mac like ... IMO this is a mistake ...

mozerd

Are the mikrotk access point so good or not ?

MikroTik wireless is OK not great but OK

If you want better performance and a great WiFi experience then consider
Ubiquiti U6 Pro or the U7 Pro
TP-Link EAP610 or the EAP783

mozerd

Very nice work @Amm0

But the following is also nice to know
Tailscale vs. ZeroTier: Side-by-Side Comparison

mozerd

The cloud in technology refers to: [1] A global network of remote servers around the globe that operate as a single ecosystem. [2] Servers accessed over the Internet, along with the software and databases that run on those servers. [3] Web-connected servers and software that users can access and use...

mozerd

@normis
Please provide the MikroTik Corporate answer to a legitimate question asked by @MikrowizardOfficial

mozerd

In addition to the great suggestions made I suggest that you consider

Who will attack and HACK your Internet connection?

mozerd

For any true MIMO indoor system what matters is the DRIVER and how the driver is configured. Antennas matter for OUTDOOR installations but indoor installation the antennas built-in [inside the case] are synced with the specific driver. MOST OEM's like Broadcom and QUALCOMM provide tuned drivers whic...

mozerd

Here is my suggestion for you:
First Time Configuration
and a very nice security guide from Manito Networks Tyler Hart who is a networking and security professional
MikroTik Security Guide

mozerd

Thanks Amm0 ... I have not had any luck so far My understanding is that mDNS is crucial for facilitating device discovery and communication within local networks without the need for a dedicated DNS server ... but Tik have not explained how that is implemented under RoS ... why introduce a new featu...

mozerd

Anyone using this version got mDNS working? If YES please tell me how ... I have CCR1009 with 5 vlans that's connected to my CRS326 switch where all my vlans reside either through ethernet or WiFi I want my printer that is AirPrint capable and sitting in vlan100 to be accessed by any apple device si...

mozerd

There the workaround is "insert a delay" too, but that kind of kludges should not be necessary.

Yes I agree with your assessment — that it’s a bug …

mozerd

CCR1009 RoS v 7.16beta2 Starting with Ros 7.15 Scheduler is still broken as it tries to launch my on STARTUP script ... all the scripts have been tested and have zero errors ... very annoying ... The issue with the scheduler is now solved . The first script in the “startup” chain had a delay of 10 ...

mozerd

I wanted to know if any professionals here charged that much per hour, and if that's in any way comparable to Serbia. Will also check locally, if someone else says 200e/h, I'm going into networks

On my website I advertise my Cost of Service

mozerd

We have worked with this person/company before, never had an issue (since before I came to the company, and I'm here for almost two years now). The manager just called them, I explained what we wanted and he said it's not a problem and went on to do it. We ordered the equipment to his office, when ...

mozerd

CCR1009 RoS v 7.16beta2 Starting with ROS 7.16 beta1 and now with RoS v 7.16 beta2 my USB disk gets reset. This causes some of my scripts to fail. Starting with Ros 7.15 Scheduler is still broken as it tries to launch my on STARTUP script ... all the scripts have been tested and have zero errors ......

mozerd

@Amm0
Your NEW code works beautifully ... Thank You ...

mozerd

I have checked all my scripts that are launched from scheduler and each return No syntax errors found in the import file IMO RoS 7.15 and 7.16beta1 the Tik scheduler has a bug and is the issue ... If you want to check your scripts and as Amm0 suggests ... once you create a .rsc file and store it in ...

mozerd

Yes I do the very same as you and I get the exact same error.

When I run this script manually it works fine under all versions of 7.x up to and including 7.16beta1

But from the scheduler it’s definitely a problem starting with v7.15 and 7.16beta1

mozerd

CCR1009 RoS v 7.15 stable All my scripts shown below run without error when launched from scripts or CLI or from scheduler under RoS 7.14.2 Under RoS 7.15 if they are launched from scheduler I get an error in log to check manually … when run from scripts or CLI no issue I have a STARTUP script :dela...

mozerd

Hannes I tip my Hat off to you ...

Its my sincere wish that you succeed ...

mozerd

... drumroll please...............
" DPI of encrypted packets "

Would make the gear very expensive and not their market ...

Yes it would be very nice to have but all the Cheap Basterds that love this TiK would have to go elsewhere for an adorable solution ...

mozerd

is-responder (yes | no; Default: no
where is this setting? I do not see it

Using Winbox go to WireGuard / Peers
That’s where you will find Responder

mozerd

IPv6 Fasttrack is coming once they work out platform issues ... hopefully before end of this year or spring of 2025 ...

mozerd

@mozerd. Like in anything else MT, without any entry, all is allowed. The OP has no entries in winbox service entry ( probably just default port ) and thus all IPs are allowed. You are so right ... thanks for the reminder ... I like to use winbox service entry as an extra precaution for specific de...

mozerd

The problem is with the rule: chain=input action=accept src-address-list=Authorized in-interface-list=MGMT log=no log-prefix="" wi-fi is not part of MGMT. I guess I will have to decide vulnerability vs convenience. I have not looked at your config because I am far too lazy right now …. Th...

mozerd

... what is valid is what traffic your users and yourself as admin need. Excellent stuff ...... ...... anav STOP in the name ov coding And to innkeeping with your outstanding direction why is so hard for you not to use code tags which makes far easier to follow each of your coded step ... then perh...

mozerd

….. this is getting very annoying.

@anav
Why is it annoying?

mozerd

My reasons for dissatisfaction with Firewalla have nothing much to do with its capability. Today that J3160, with expanded memory and storage, is reinstalled as just another unix-variant box within the network. @phascogale I 4 1 do not understand your dissatisfaction .... any chance you could be a ...

mozerd

Okay they are telling me they use their own software coupled with Zeek monitoring software, say they do not use any existing platform???
Their new 10gig box supposedly comes with 8gigs of memory and quad core cpu ???

I will try and get a trial and personally see how it goes ….

mozerd

And the declined comes definitely from iOS

I surmise based on the quoted comment you have an IOS app installed that is acting like a firewall preventing the action.

Which version of IOS is running and do u have any security apps running on your Apple device ?

mozerd

How did you figure it out Mozerd? I attendid a demo ... Yes they have layer 7 capabilities as long as a properly equipped machine is used [3+ Ghz and dedicated asics etc] but not many off the shelf units do not have the power or ASICS to be effective [far too slow] ... With FortiGate etc. the perfo...

mozerd

The one exception, no subscription fees is something called firewalla... I wonder if anyone has used this device and can comment??

firewalla is just a fork of pfSense --- IMO does not compare to Fortigate/Arista/Juniper/Cisco for layer 7

mozerd

and the Question is : Is the Mikrotik Firewall Rules is enough to protect my full network ..? or I have to add a firewall to it..? If the firewall is properly configured to meet your business requirements then Yes it is ennough. The Key Point is business requirements. Your business may have require...

mozerd

It it were that easy... (already stated in OP - that nobody seems to actually read) Yes I did read your OP. 2 additional things that you can try After turning off Private Wi-Fi Address turn off WiFi on your iPhone In RoS DHCP Leases delete the entry for your iphone Now turn on your iPhone Wi-Fi Loo...

mozerd

Anybody eny ideas? This is not a RoS Issue ... this is an Apple Setting that you must change if you want the Apple device to get a static IP I will use an iPhone as an example: On the iPhone Go to Settings and Wi-Fi THEN touch the i that is encircled turn off ==>> Private Wi-Fi Address This will en...

mozerd

@anav [this Alias is easier for me to remember]

I do Agree with you that you have discovered a BTH bug …. Traffic originating on wan2 should return to wan2 ….. surprised that MikroTik have not commented on this behavior…. RouterOS must honor WireGuard Routing Behavior….

mozerd

But still more config wizard to create peers & you can see the config it generates in WG so nothing is hidden as @normis points out. BTH is an excellent idea for the home users .... :) @Amm0 For BTH -- From a security perspective the only way to find out exactly what is hidden or not hidden is ...

mozerd

Winbox is also not open source. What is your point? With WireGuard users have control over every aspect .... With BTH, users deligate control over to BTH .... I prefer that users have compl;ete control over the process. Yes you make a good point regarding Winbox but at least here users can choose t...

mozerd

...... all you need is the router password. No need to connect to router with Winbox or anything else. App does it all for you,

@normis
Very nice ..... but this does beg the security question

Is the BTH app Open Source?

mozerd

This has nothing to with your attempt to assign wireguard to ports vice users/devices etc... What you are talking now is simply to access remote routers for config purposes. If you also need to access subnets at remote devices that will require a bit more work but not that much. JUST a reminder tha...

mozerd

how easy is it to integrate PRO WG MGMT with MT devices?? how many aliases do you have anav? :D The Pro Custodibus agent won't run on MikroTik's RouterOS .... would be very nice if it did 8) .... so if a MikroTik Router is used as a WireGuard hub, Pro Custodibus isn't a good fit. Pro Custodibus wou...

mozerd

KISS = acronym “keep it simple” = ZeroTier ;- )

I guess that you have not tried the PRO WIREGUARD MANAGEMENT solution from someone that you respect highly ???
KISS = acronym “keep it simple” = for PRO's only

only when scalling becomes an issue with WireGuard

mozerd

ZeroTier is easier to setup, but even if idle it ZeroTier does use more bandwidth than WG.

In-my-opinion , WireGuard is far easier to setup and far more efficent to run when KISS is applied .... but if you are a Rocket Scientist then ZeroTier is your cup of Tea.

mozerd

llama (amazon)
323.69+15% = $372.24

Anav where did you get the 15% from? It’s 13%
323.69 x 13% = 365.77

mozerd

The most recent MT item I bought through Amazon came from Getic , one of MT’s primary distributors, possibly even #1. Getic does a poor job with product descriptions…. Check the link to see how they describe the RB5009 I like buying from Amazon Canada because returns are absolutely hassle free and ...

mozerd

Can anyone suggest me the lowest price mikrotik router with WiFi and comes with ros7 ?

As I am going to put wireguard VPN client on it so need router os 7

My suggestion is the AX2 or AX3 - ARM64 using the qcom drivers

mozerd

..... ..... Finally gave in and changed manufactures. .... ..... All the trouble tickets stopped cold. The networks we could set and forget we're back. The only change I had to go back to using another vendor for wifi. @gotsprings -- Yes experience is the best teacher without a doubt ... but I see ...

mozerd

……. At most they should be implemented by the ISP, because if one or more of those IPs attacks you, all the traffic will reach your home or office anyway, clogging up your connection... @rextended … salute 😀 I agree BUT very few do that …. My subscribing clients are very pleased with my MOAB. Servi...

mozerd

Hi Mozerd, I could really never tell what exactly makes up the MOAB list. I was under the impression it was just the firehol lists. Not sure where I got that impression. Tell me if I'm wrong. @texmeshtexas greetings 😀 You are not wrong …. But do you fully understand what makes up firehol …. [Overla...

mozerd

Hey all, i have a question. For the last couple of years I've been building a system that I've been using for 2 business and my own home office. ......... How many would be interested? I more than welcome the competion ... :D MOAB ... MOAB blocks over 600 million Bad Guys from attacking your Intern...

mozerd

Wifi 7 actually has some nice features... Lot's of improvements and shouldn't be snuffed at as just another speed bump :) Yes ... and I can predict that WiFi 7 will be an enormus success, first with the high end and Middle Class market ... I am aware that all the BIG names are in a ready set go sta...

mozerd

I stopped wasting my time on legacy IPv4 years ago. I would suggest you play with IPv6 multicast routing going forward. IPv4 should, one day, be removed from the network stack. While I agree with your sentiments wholeheartedly MANY ISP's still do not support ipv6 .... very sad to say .... My old IS...

mozerd

YET ANOTHER SYSADMIN WEBSITE The basics to know about wireguard routing Introduction Now that we learned how to configure wireguard on multiple operating systems, let’s take a break and review what running wireguard does to your routing table. Wireguard routing basics The most important thing to un...

mozerd

but iguess anyone that finds my url on the internet somehow.. can at lkeast gain access to my NAS and from there try to hack it? @ antoniocerasuolo Apparently you do not comprehend how quick connect works …. And apparently All you want is to be hand held by others … Without the proper userdID and P...

mozerd

and i have abilitated the synology quick connect from internet How secure is the quick connect on Synology? QuickConnect Web Portal is secured by end-to-end encryption when the browser is redirected to the Synology NAS using LAN or WAN connection. Otherwise, the request is directed to the Portal Se...

mozerd

probably becasue the CRS310 has the 2.5 Gibit ports?

@antoniocerasuolo
The Switch Chip is the reason

mozerd

yes DPI /IDP for home use of course budget .. max 400Euro

https://eu.store.ui.com/eu/en/pro/products/ucg-ultra

Yes there is a yearly license fee and to find that out you will need to contact UI

mozerd

3) Add "ftp" policy. I run the dynu script and do not have ftp policy checked and my script runs without issue. @rextended ... so why are you stateing point # 3) ? I have not seen the OP's script .... my dynu script is below: /system script add dont-require-permissions=no name=Dynu owner=...

mozerd

But I am curiouse by that "check default script" api.ipify.org Mystery SOLVED .... I have a script that checks my WAN IP Address for changes ... in that script a call is made to api.ipify.org .... For some reason v7.14rc is now showing log info from this script that I have not seen before...

mozerd

But it "could" be CCR only ... Upgrade again to 7.14rc and check default script (which might already be pretty empty, I guess ?). What do you mean by "check default script" ? If this api is not appearing on your devices when running v7.14rc THEN its tied to something else and I ...

mozerd

Malware infected box. Do a clean netinstall and null config, then configure from scratch.

Thanks for your feedback but I do not agree just yet ... I am monitrring the LAB CCR1009 with wireshark and so far I do not see any activity from api.ipify.org under v7.13.4 [stable]

mozerd

CCR1009 LAB Testing v7.14rc A new log entry appears that I have never seen before: Download from api.ipify.org FINISHED Is this injected by MikroTik in THIS RC and for what reason ? api.ipify[.]org and similar domains have long been used by malware to look up an infected device’s public IP. In resea...

mozerd

I absolutely love the format of the Pro Custodibus blogs ! A brilliantly elaborate pedagogy using images in combination with a well-thought-out flow of explanatory text is among the best resources you can find on the internet. This is how I think User Guides and examples should look like on the Mik...

mozerd

When testing your Linux WireGuard Config following link provides you with excellent clues

mozerd

I use a hAP ax^3 since 2023-10 and have the following issue: I followed basically this blog post (https://scholz.ruhr/blog/mullvad-as-second-wan-on-mikrotik/, thanks to the author) to setup WG tunnel to my friends place. Everything was working like a charm with RouterOS v7.11.2. Yesterday I updated...

mozerd

There was a good tutorial for this scenario... Unfortunately it's taken down...

https://web.archive.org/web/20231216022 ... p?t=182373

mozerd

MikroTik sells boxes with ASICs that are advertised for 100Gbps ASIC switching, that's a foot in the door of carrier-class network engineering. And you need product managers, good ones. @DarkNate IMO Mikrotik has ZERO interest in CARRIER-CLASS networking ... MikroTik Market is 1 .. Third World entr...

mozerd

question 3 - if all my concerns will be true....I mean it will be impossible to do what I want with mikrotik wireless, I've read a lot messages like "MikroTik for routing, unifi for wireless" - maybe I need to grab two U6 and connect them to rb5009? I understand that MikroTik forum is not...

mozerd

WireGuard is a Peer-to-Peer protocol with built-in 4in6/6in4 mechanisms for easy encapsulation. There's no such thing as “server” or “client” in WireGuard protocol. There are only peers. You are 100% correct. But unfortunately many people [including so called gurus] on this forum refuse to accept t...

mozerd

FYI

The following IP address 95.214.54.110 is trying very hard to gain access to my Tik via VPN [port 500] each and every day now for months ...

Just a FYI

How many are seeing the very same intrusion attempt on their Tiks ?

mozerd

@anav
Your UK friend has the correct answer
viewtopic.php?t=148825#p733499

@gabacho4
Yes the CCR1009 is discontinued and replaced by the CCR2004-16G-2S+PC (I think ?)
But I only have experience with the CCR1009 with gaming clients …

mozerd

I suggest that you consider the RB5009 or the CCR1009 … I have quite a few CCR1009 in homes where gaming is the number one priority … the tricky part will be for you to arrive a the correct QoS configuration but with some trial and error I’m sure you will arrive at a balance that will please your fa...

mozerd

@Denigor777
How much bandwidth does your primary ISP provide you with Download and Upload ?

mozerd

Why is MikroTik loading wireless package into CCR models? Please explain WHY! This makes ABSOLUTLY no sense to me ...

mozerd

@kevinds. “Anybody else having this issue? Or just me?”

Yes this version 7.13 is a problem that’s already reported in the 7.13 upgrade thread

I has to downgrade to 7.12.1 where all my scripts worked ….

mozerd

If after this you do not understand it open a support ticket with Mikrotik. @diamuxin, you are correct ... I did not fully comprehend the meaning of your comment " You have to delete (uninstall) the existing packages except the "routeros" package, then do the downgrade ." Please...

mozerd

My CCR1009 shows under /system/packages routeros wireless I do not see a match under 7.12.1 in the archive Plus why would CCR1009 load a wireless package ? OK so I finally succeeded downgrading to 7.12.1 I had to uninstall the wireless package then reboot THEN my downgrade worked to 7.12.1. It was ...

mozerd

If you do try to upgrade/downgrade RouterOS manually, then router do expect 1:1 packages match. If that is not possible (for example, wifi-qcominstalled on 7.13) then on packages menu schedule these packages for uninstall. Uploadpackages that you want to install and execute downgrade command. My CC...

mozerd

You did upload the downgrade package to files before hitting "Downgrade", did you ? Yes I did upload the downgrade package to Files before hitting the “Downgrade” … Very annoying that the MikroTik instructions as shown in the link I provided earlier did not work … my only recourse now if ...

mozerd

In v7.13 the package "routeros" already exists in System > Package. You have to delete (uninstall) the existing packages except the "routeros" package, then do the downgrade.

OK followed your suggestion but that did not work ... thanks but now i will wait for 7.13.1 :-)

mozerd

What process did you follow? 1st step is copy file routeros-7.12.1-tile.npk to Files except I renamed the file like you suggested routeros 2nd step is via terminal issue /system/package/downgrade This did not work The procedure that is outlined in the MikroTiK Docs as follows also did not work for ...

mozerd

Hi friend, to downgrade from 7.13 to 7.12.X you only have to have in /system/package the package "routeros" and delete the rest, then the downgrade works.

Hi diamuxin
Your suggested fix did not work for me ...

mozerd

on my CCR1009 After upgrade to 7.13 from 7.12.1 when I attempt to downgrade back to 7.12.1 the downgrade fails. Log file shows omitting package system-7.12.1: newer package system-7.13 is already installed I tried 2 methods for the downgrade 1. via terminal 2. via Packages Both return the same resul...

mozerd

[ ] > :put ([/tool fetch url="https://upgrade.mikrotik.com/routeros/NEWEST7.stable" as-value output=user]->"data") 7.12.1 1700221125 It should report: 7.13 and epoch date: 1702542240 approx. Yes you are correct .... even through My CCR1009 is on 7.13 your code reports 7.12.1 170...

mozerd

This AM i upgraded my CCR1009 from version 7.12.1 to version 7.13 now getting the following error when running a script Download from https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv to RAM FAILED: Fetch failed with status 206 The same script was working fine under 7.12.1 and earlie...

mozerd

I doubt it even comes close to the granularity achievable on the MT. True that MT RouterOS provides SIGNIFICANT granularity …. However when that granularity is exploited there is no guarantee that it will be reliable persistently and consistently with each iteration of the firmware …. Especially si...

mozerd

The following is some performance specs … look at WireGuard …. This is a TPLINK ER8411
https://www.tp-link.com/ca/business-net ... ifications

Impressive IMO … YEP I am now considering switching from my CCR1009 to this TPLINK router ….

mozerd

My sugestion for you is the Mikr0Tik RB5009UG+S+IN ... and for great WiFi get youself the TP-Link AXE11000

mozerd

Bla bla bla

@llamajaja … aka @anav …. Did they ban you AGAIN ??? goodness gracious great

mozerd

Thank you for the help guys, but I said to hell with it and bought an Aruba switch. I'm well versed in Aruba and understand the untagged/tagged/trunk far better than I do Mikrotik. HPE Aruba make EXCELLENT switches … nothing in the MikroTik switch line up can even compare … you made a very wise cho...

mozerd

MikroTik can sell reasonably priced support agreement. 1/2 the price of Cisco or Juniper. Any business [especially manufacturers] that hopes to be alive for a long time operates with a sustainable gross margin model. What my be reasonable to techies is certainly not reasolnable to a business man .....

mozerd

For gross margins on manufacturing, not my area of expertise, but I am willing to pay MikroTik thousands of dollars if they get their shit together. The business - use case is one very obviouse and important consideration that you have articulated clearly --- the deal maker for any manufactures is ...

mozerd

Can you make a business case for a production-grade L3 switch ? If you could make that BC [at a high level] then I suspect that might tweek Tik interetest :D ... Although I do suspect that they already have such BC and have decided that its not worth the investment. Do you have any idea whatsoever t...

mozerd

Im 100% with holvoe/tangent etc and 100% against mkx.
What a subtle way to say that you're 100% against me as well Given the fact that I usually don't agree with your vision of pedagogy, I must say that I'm not disappointed

@kraal and @mkx
I 100% agree with you both ...

mozerd

It seems popular to attack the person that complains instead of taking it serious....... We have here persons that work indirect for the government that act the same and attack and supress opinions from citizen. I get the same feeling here, as with that. @msatter ... I could not agree more !!! To t...

mozerd

Add one to the mix
Wireguard. A lot faster then all the rest.

100% better solution is WireGuard just as @holvoetn stated plus WireGuard Security is second to none without sacrificing performance ...

mozerd

Nicely done Normis ....

mozerd

Any and all passwords are revealed in a supout.rif The only way to avoid exposing your passwords is to --- create dummy password's in all areas, then generate the support-rif ... after you submit the support.rif change back to your real passwords ... yep this is a Hassel but its the only way when a ...

mozerd

I do not know the answer to your question because I do not have any experience with this particular device. For Celluar devices External Antennas are still a must so i venture to state that the LTE18 antennas are for the Cell Service. For WiFi and specifically for AC. AX and wifi 7 devices external ...

mozerd

@webequipped I understand how you feel ... :( Did you buy MikroTik because the product provided great features at a very inexpensive price compared to the big boys in this industry? If the answer is yes then you have to expect failure because the components used are very cheap throughout ... persist...

mozerd

@Taleb
In the Private Address space there is no preferred or best … use whichever suites your intuition.

mozerd

You don't understand how stupid that remark is, don't you? I believe that MikroTik does understand how very stupid that remark is/was -- but are to ashamed to admit that MikroTik is having Network competency issues implementing the protocol in RoS 7.x .... Perhaps the expertise is finally coming in...

mozerd

For the initial handshake one side has to ACT as server and the other end a client. Peer to Peer means: Decentralized peer-to-peer programs (such as WireGuard) allow pushing files, which means the calling Peer initiates the data transfer rather than the receiving Peer. No SERVER is involved ...... ...

mozerd

In the WireGuard world of VPN's there is no such thing as Client/Server .... WireGuard is strictly Peer to Peer ... Any WireGuard Peer can communicate with any other WireGuard Peer .... A Peer does not talk to itself ... a Peer only communicates with it's other permitted Peers ... So your Raspberry ...

mozerd

I have another question, how to isolate the input traffic of upnp. yes you can restrict the trafic to only allow specific devices access to UPnP. The way that I do it it 1st create an address list of permitted devices by their IP address Then only allow UPnP interaction for those devices … I use 2 ...

mozerd

If it has something to do with firewall policies, can you tell me which ports upnp needs to open on the firewall.

udp port 1900
tcp port 2828

mozerd

It really should.
Should I mark in anyway, or it's a moderator's job?

DeDMorozzzz YOU should mark it as solved because you are the initiator ....

BTW, DarkNate is a very knowledgeable person and I 4 1 admire his many contributions regardless
...

mozerd

A router's main objective is to establish a connection between various networks in a simultaneous manner and it works on the network layer. A switch's main objective is to establish a simultaneous connection among various devices. Some Switches have the ability to act both as a Switch and a Router a...

mozerd

So how do you propose to string that comm line to the moon?? No need for wired tech … NASA plus many MANY others rely very heavily on wireless. Once WiFi 7 becomes mainstream the wired world will become obsolete… 98% of my current business clients use wireless exclusively …. Many ISP will be transi...

mozerd

What does this all mean?

It’s an encrypted message for @DarkNate that states the following
“You catch more flies with honey than with vinegar.”

And I had a telepathic message from BFD developer that stated —- RoS 8.0 will be BFD production ready ….

mozerd

I had a similar experience on a CCR1009 where ether1 stopped working but kept lighting up with no cable plugged in. What is strange is that I could assign an ip address to it and ping that address which would respond properly but connect a cable to that port with device but no response. I could disa...

mozerd

@404network …. What happened to you ??? Did they ban your remarkable friend “Anav” again for being a PITA? I can’t believe Anav is in the penalty box … tell me it ain’t so!

mozerd

Did you have chance to test AX3?

@Rox169
You did not see "I tried a couple of times and got so bogged down in the menus that I gave up." learn how to read

mozerd

@eazysnatch Some very good suggestions made by @Rox169 and @gotsprings I also have a suggestion that I believe will work extremely well for You ... its the TP-Link EHP660HD ... based on my experience the EHP660HD runs circles over the Mikrotik AX3 or Audience - in every way shape and form - and I he...

mozerd

Perhaps by studying the following
https://www.procustodibus.com/blog/2021 ... and-spoke/
You may get some ideas how to properly implement your objectives …

mozerd

And it's unclear what issues you're actually run into...

My bad Amm0 … not binary —- but refer to viewtopic.php?p=985966&hilit=Docker+update#p985966

mozerd

Lets forget Pi-hole its so yesterday (betamax). Either discuss adguard or blocky for example. How is Pi-hole so yesterday? Blocky uses the very same hosts file as PiHole and Adguard is very hit and miss IMO .... Pi-Hole does what it supposed to do BUT its not an end-user Tool ... meaning that it mu...

mozerd

You need to follow MikroTik Advice as stated in the following otherwise you are asking for serious hacking trouble ... and its got nothing to do with your ISP ...
Securing Your Router

mozerd

For the hAPac2 the solution was to Reformat the USB memory stick then use
/disk/set x slot=disk2
Then Reformat top most named ID and make sure MBR is left unchecked … this worked to resolve the issue …

mozerd

The flowing will do it for you

/ip smb shares add name=sharethis directory=moab
/ip smb shares remove [find name=sharethis]

The 1st directive will create the directory while the 2nd directive will remove the share that is not needed.

mozerd

What is really annoying about this specific CHANGE is that on many devices the change is transparent -- meaning the MOAB control file is stored successfully under disk2 -- while on some device like the hAPac2 I have lots of complaints that MOAB control file no longer get stored in disk2 ,,, they get...

mozerd

Thank you ..

You are correct … disk1 is no longer used …the naming convention has changed … it’s like you stated.

mozerd

Assuming the USB memory stick was formated and named disk1 In RouterOS version 6.x the following command sequence worked to rename disk1 to Disk2 /disk set 0 name=disk2 In RouterOS ver7.8 the above does not work .. name= is no longer valid Can anyone tell me how to rename disk1 to Disk2 under router...

mozerd

@Mischa
Spot on ….

mozerd

@khalildelavaran Nice work Just a few comments 1. There are many many duplicate IP when all the lists are brought in 2. Your script does not check for file size of the list so some of them could hit a wall 3 .Some of the Tik models do not have enough memory to store large lists of IP addresses If yo...

mozerd

I started programming when I was a child with Assembler and CPM/86 with MSDOS 3.0 and "debug"...

"With Assembler and CPM/86" ... very impressive my Italian Friend ... your RouterOS code is very nice ... but you need to make it very fast not only NICE ...

mozerd

North Idaho Tom Jones You really care about your name, it's always the most prominent thing in each of your posts and it's repeated in a completely useless way, since it's also the nickname and on the avtar... I see that you as a moderator are attacking North Idaho Tom Jones because he like to see ...

mozerd

Now give me the solution or recommend me another hardware or equipment which full fill my need My suggestion for you is Untangle by Arista … can select the appliance plus the software based on your particular need. https://wiki.edge.arista.com/index.php/NG_Firewall_User_Guide https://edge.arista.co...

mozerd

MikroTik needs to make some changes to their UI/CLI/UX logic and docs to help make L3 offloading as simple, straightforward and clear as possible.

DarkNate …
I could not agree more …

mozerd

So I am gun shy of that functionality.

Anav my friend

you are wasting your valuable retirement time with this … I know that you want to conquer this bugger but tell me something …. Is it really worth the struggle ??? Poke poke POKE

mozerd

So .what gear do you sell then?

My primary focus in gear is as follows all depending on circumstances:
Routing + Firewall : MikroTik, UBNT, Custom Build with OPNsense or Arista [untangle]
Wireless AP's : UBNT, TP-Link, Ruckus [CommScope]
Switches : Tik, UBNT, Cisco

mozerd

People get addicted too fast to speed... And I'm not taking about that other thing. My clients expects 3 features …. And that is what I deliver 1. Stability 2. Performance 3. PERFORMANCE And that is in every aspect … In my market 90% have the very same expectation The mainframe/Terminal days of hor...

mozerd

I have the Vodafone Pro II Ultrahub 6E MikroTik does not have any WiFi device that can compete with the Vodafone Pro II Ultrahub 6E. For excellent Router I suggest the RB5009 and for WiFi I suggest the TP-Link EAP660 HD ... this combination will provide excellent Routing and EXCELLENT WiFi equivale...

mozerd

My only contribution to this thread is JUST a reminder that WireGurad is not Rocket Science ,,, WireGuard is best utilized when YOU KISS it. There is no need to manage connections, be concerned about state, manage daemons, or worry about what's under the hood. WireGuard presents an extremely basic y...

mozerd

My question for the gurus, if I have a wireguard connection between two places or from iphone to home, what would adding zerotier bring to the mix that I cannot already do ?? It’s a virtual private switch in the cloud … so anything that you attach to that switch is now accessible For system integra...

mozerd

Until RouterOS 7 becomes actually STABLE I would not recommend the Tik Gear in Your Industry Sector ... Enterprise usage is dramatically different from SOHO usage from a reliability/performance perspective. Routing : SOHO - OK ..... Enterprise - NO Switching : SOHO - OK ..... Enterprise - ABSOLUTLY ...

mozerd

this makes it all easier and makes development faster

If that was true THEN your developers would have BGP/BFD done by now on 7.x .... and very surprising that it is not for ARM ...

mozerd

DPI (Deep Packet Inspection) is currently impossible to perform on standard encrypted payloads which is what almost all traffic is these days, thus you have just IP address and port number to play with. Also, there is no hardware that can crack today's encryption algorithms and decrypt traffic in r...

mozerd

@yahyamemeh MikroTik Routers and RouterOS cannot do Deep Packet Inspection [DPI] so any site that uses HTTPS:\\ [like YouTube, Facebook, etc.] cannot be inspected and blocked .... to do that you need to have the Router/Hardware capable of doing DPI efficiently without impacting performance greatly ....

mozerd

Perhaps you should consider MOAB blocks over 600 million Bad Guys from attacking your Internet » Here's how «

mozerd

I disagree with your summary: this is not rocket science and the answer is very straightforward… Stateful firewalls are capable of monitoring and detecting states of all traffic on a network to track and defend based on traffic patterns and flows. Stateless firewalls, however, only focus on individu...

mozerd

@anav … excellent suggestion and I agree that MT should fix the WG issue … long overdue …

mozerd

First you need to protect the CCR from power outages by utilizing a Uninterrupted Power Supply otherwise known as a UPS ... A good quality UPS with AVR that will protect your CCR, Switches and ISP gear starts arround $1,000 or more depending on how many hours of uptime you expect from the UPSfor all...

mozerd

@ sirbryan over 40 million raspberry pi devices have been sold and very few are complaining that their SD memory cards are failing. Certainly it's happening but your experience is not that common. Would I put a Raspberry Pi board in a Enterprise environment --- ABSOLUTLY not -- but I certainly would...

mozerd

Please accept my apology for using the term "Bogging" .... it was far too harsh of a term ... what I should have used is 'additional strain" .... regardless if only one container is used THEN that strain will be negligible 4 sure .... I am far more concerned with the security implicat...

mozerd

I do recommend PiHole + Unbound and I also recommend that PiHole + Unbound be installed on a Raspberry Pi Zero I do not believe that you will have performance improvement but you will have much better privacy and better control over unsolicited ads coming into your network. Containers are very nice ...

mozerd

Using Winbox Check under system/packages then you should see ipv6 … enable this then reboot …

mozerd

My recommendation is to use WireGuard because it is VERY secure and performance is outstanding …

mozerd

Which Model of WatchGuard are you comparing to the MikroTik CCR1016-12S-1S+ ? WatchGuard are typically purchased for their UTM capability ... but WatchGuard can be purchased without the UTM License .... MikroTik do not have UTM capability in any way shape or form .... WatchGuard Firewall is excellen...

mozerd

You should install Pi and unbound into one container … a much better approach.

https://github.com/chriscrowe/docker-pi ... -container

mozerd

Hi mozerd, can you confirm its easy to implement 2FA with tailscale, vice wireguard which seems to be a bit of a challenge. Greetings anav When you establish an account with Tailscale you are provided with a number of options including the most popular 2FA identity provider like google, Microsoft T...

mozerd

If we need to start doing netinstalls before sending them out in the field... I wanna see a big f--king warning on the top of EVERYTHING from the Mikrotik domain. @gotsprings .... My speculation is that over the last 2 years many personnel changes have take place in the Tik developer domain so the ...

mozerd

+1 for PCP

This one is very important to include under ROS …..

mozerd

How is Disk2 and Disk3 connected?
You only seem to have one usb device connected with one partition.

Good catch Znevna …. In fact disk3 is microSD card and disk2 is microUSB …..

mozerd

CCR1009 ... upgrade from 7.4.1 to 7.5 stable Under Winbox v3.37 Disks do not show the installed number of Disks .... attached image shows that under Files does show the proper number of disks but under Disks only 2 disks are visible disks.GIF Disk2 is USB and named Disk2 but as shown in screen shot ...

mozerd

@normis This newsletter has very exciting devices especially the ax stuff ... IMO the Chateau LTE18 ax AND the Chateau 5G ax will be a real winners assuming RoS7.x and the ax drivers are truly in effective sync when out the door and in the hands of the consumer. BTW, the Linux Kernel is now in v6 RC...

mozerd

Here I site broken hearted
Paid my dime and only started
My Tik would not boot
RoS 7 to the rescue
Darn it it only farted

mozerd

….. nobody is going to run containers on it.

The hAP ax2 was designed for the home user and not the Network nerd ….

mozerd

I am working on building up my home network. I was all set to press "buy" on a $2k Ubiquiti setup (home network and NVR) until the wife shot that down. For a person like you the Ubiquiti UDM-Pro setup etc. is the proper solution ... complete hassle free and will work just GREAT. If you do...

mozerd

@tahmidul I provide a VoIP Blacklist service that has successfully prevented SIP Attacks in 99% of cases ... there is a 10 day free trial period available ... see my sig. My current voipTIK blacklist list contains 39K+ IP addresses ... in your case you will need to whitelist all your core servers fo...

mozerd

I just tried to buy the hAP ax2 from ISP Supplies for testing but they do not show this device in inventory ..... the very same for Baltic Networks etc.

mozerd

No you should not switch … Ubiquiti are excellent AP’s …. If you want another suggestion TP-Link EAP245 or EAP660HD are outstanding AP’s. The only MT wireless device I do at times suggest is the Audiance other than that the othe Tik AP’s suck. Unifi is a system … so to exploite that system everythin...

mozerd

@anav Pro Custodibus also have a Docker Container. https://hub.docker.com/r/procustodibus/agent and some very good info by Pro Custodibus on containers .... https://www.procustodibus.com/blog/2021/11/wireguard-containers/ I have no idea how this impacts Tik memory .... What I like about Pro Custodib...

mozerd

@Znevna
I was not aware of the TailScale official container [excellent] .. thank you for posting the info ...

mozerd

My point is that they adopted zerotier but it has limited applicability, not all MT devices can run it. If tailscale can run on more devices, then it should be adopted if they are relatively equal otherwise. Let the user decide which package they want to load! There is an active Tik user [cannot re...

mozerd

Which of these devices is the best for this type of setup: 1. RB1100AHX4 2. CCR2004-16G-2S+ 3. CCR1009-7G-1C-1S+ Can you recommend which one is the best router for our setup. From the above 3 you selected I would suggest the CCR1009-7G-1C-1S+ .... this will be an excellent choice .... I also sugges...

mozerd

Netinstall is not working.

You may need to run Netinstall 5 or 6 times ... and switch Netinstall to 1 version lower ..... that's been my experience with Netinstall on some version of Tik devices.

mozerd

The talk about an "entirely new routing engine" already started ~10 years ago, when the mythical v7 was introduced that would solve all our problems and fulfill all our wishes. I believe that when MT Developers adopted the newer Linux Kernel [the very heart of the OS ] for version RoS v7 ...

mozerd

@PKSpeleo The following is my suggestion for YOU that will work well with the RB5009 you are considering ... your wireless Clients [all of them] that are capable can achieve between 600 - 800 Mbps TP-Link EAP660 HD AX3600 Gigabit Dual Band WiFi 6 WLAN Access Point. Integrated in Omada SDN: Critical ...

mozerd

"rextended" has gone awry and starts abusing his forum admin privileges. He comments on other people writing things that MikroTik never have said are not allowed, and is editing other people's post to remove such things. He attacks others for writing the truth about some MikroTik problems...

mozerd

@mozerd
Did you copy-paste your post? Perhaps a more relevant proverb in English is 'All roads lead to Rome".

Yes, in fact I did.
BTW, very beautiful women live in the mountains of Iran and love their cooking skills …
https://youtu.be/vMeQ1oSixIU

mozerd

There is a proverb in Persian "هر جا بری آسمون همین رنگه" (Wherever you go, the sky is the same color). Publius Ovidius Naso The concept of the proverb can be traced as far back as the poetry of Publius Ovidius Naso, better known as Ovid (43 BC – 17 AD), who wrote Fertilior seges est alen...

mozerd

+1 for the hEX OR hEX S … excellent router ….

mozerd

There are some downsides, sort of. You can do more, but in order to do so, you need to know more, or be willing to learn a bit. And also be careful, because if you decide to shoot your own foot, system will be happy to help, meaning that it won't say "no". But there's no need to be too sc...

mozerd

Absolutely, if you're good to face some pretty hard challenges when things doesn't work as expected (for a regular SOHO user that is). The very same can be said for any so called consumer brand device like Netgear, TP-Link, Asus, D-Link. etc. regardless of the fact that all these brands are PHD . P...

mozerd

Need Wifi, the house is not very big - 3 bedrooms. 3 gadgets (tablets and laptop). Internet is needed for everyday use, Watching movies, sometimes working from home. @Marvinjul, you need to provide much more info: 1 ... Where are you located [USA, Canada, Europe, Middle East etc.] 2 ... What speed ...

mozerd

Most of times when we receive such reports simply router/switch have a too complex configuration in order to run RouterOS, process traffic, and do everything that is configured on the device. The beauty of RouterOS is that we do not limit you with random limitations, but at the same time you have t...

mozerd

@DarkeNate The 2 parts that make up the solution for Tik gear is: 1… The functional software that drives the capability 2… The Firmware [drivers] that enables the functional software to exploit the capability So When upgrading it’s MANDATORY to always do both parts sequentially otherwise the capabil...

mozerd

@tuxtlequino …. Your Excellent presentation will help many …

mozerd

@Larsa IMO I believe that Tik management understand the cost equation ... the more people you hire in mgmt positions the les comparative you will become.. MikroTik are doing a GREAT Job with the resources they do have --- consequently very competitive and an unbeatable value proposition to boot. But...

mozerd

That was a bit unfair since hell will freez to ice already tomorrow and I don't really have time to fix it. : )

@Larsa, without one shadow of doubt I really like your sense of humor ….

Are you a ZT employee?

mozerd

Still waiting for that "right" config LOL

Hell will freeze over before @Larsa will provide that “right” config for you …. simplicity, performance, reduced costs ONLY in Larsa’s dreams.

mozerd

Outstanding WireGuard Video by the one and only Network Berg
Using RoS 7.2.3
https://m.youtube.com/watch?v=CH10spRyG ... e=youtu.be

mozerd

So ZeroTier cannot meet ANY of those 3 CRITICAL advantages.

TZ meets all these requirements by definition.

@Larsa … word games do not work ?.. but you can dream all you want because in dreams everything is possible.

mozerd

Yeah shied away from netgear ….. Netgear Orbi is the finest WiFi on earth without exception …. No need to shy away …. I do not like Netgear dedicated AP’s just yet but if they move their AP line to to the Orbi TECH then that will be my go to line … however Orbi is very expensive … but if one want t...

mozerd

I certainly will endorse the use of Ubiquiti U6 AP's and the Ubiquiti GenKey Controller ... will work very nicely with Any Tik Router. The only problem with Ubiquiti U6 AP's is that they are very difficult to get since they sell out very fast -- faster than a speeding bullet. My second choice is the...

mozerd

Of course there might be advantages to other alternatives, but at the moment ZT is the only available solution for Mikrotik (so far). So ZeroTier cannot meet ANY of those 3 CRITICAL advantages ..... otherwise you @Larsa would be singing from the Tree Tops :) To bad that TailScale is not integrated ...

Search found 986 matches