Search found 99 matches

by gfunkdave
Sun Mar 16, 2025 11:38 pm
Forum: Beginner Basics
Topic: Is there a guide on which models are suitable for what purpose?
Replies: 5
Views: 747

Re: Is there a guide on which models are suitable for what purpose?

Thanks, it’s more of an idle curiosity question. I was looking at the lineup and was trying to make sense of the use cases each router is targeted to.
by gfunkdave
Sun Mar 16, 2025 10:11 pm
Forum: Beginner Basics
Topic: Is there a guide on which models are suitable for what purpose?
Replies: 5
Views: 747

Is there a guide on which models are suitable for what purpose?

It seems like Mikrotik's product offerings are all over the place. Is there some sort of guide on which models of routers are suitable/designed for a given purpose? Like, "this model is targeted at the SOHO market with up to x client devices and a connection speed of y" kind of thing.
by gfunkdave
Sat Mar 15, 2025 6:36 pm
Forum: General
Topic: Reading test results [SOLVED]
Replies: 3
Views: 6915

Reading test results [SOLVED]

I realized I didn't really understand how to interpret the test results that Mikrotik publishes for each router. It seems that people think the "25 IP filter rules" 512 byte packet result is the closest to real world performance. So, for the hEX refresh router, that shows 498.1 Mbps. Does ...
by gfunkdave
Mon Mar 03, 2025 7:55 pm
Forum: General
Topic: DNS timeout when using router's DNS
Replies: 5
Views: 1697

Re: DNS timeout when using router's DNS

Why are you adding multiple bridges instead of using VLANs? Just use VLANs. That's what they're for. Multiple bridges will slow things down and are not the correct way to go about this.

https://help.mikrotik.com/docs/spaces/R ... 14957/VLAN
by gfunkdave
Fri Jan 31, 2025 11:39 pm
Forum: General
Topic: IPv6 over SSTP?
Replies: 1
Views: 3957

Re: IPv6 over SSTP?

edit: never mind. It was a firewall issue.

I tried deleting the post but got HTTP 500.
by gfunkdave
Fri Jan 31, 2025 11:35 pm
Forum: General
Topic: IPv6 over SSTP?
Replies: 1
Views: 3957

IPv6 over SSTP?

I have an SSTP server that I use from time to time, and I had thought IPv6 was working over it, but it appears not to be and I'm not sure what the problem is. The clients are assigned a valid IPv6 address and the router has a route in place for it. But I can't ping the router across the tunnel and I...
by gfunkdave
Tue Jan 14, 2025 4:15 pm
Forum: General
Topic: Weird IPv6 issue on 7.16.2 [SOLVED]
Replies: 3
Views: 3071

Re: Weird IPv6 issue on 7.16.2 [SOLVED]

If you have enabled IGMP Snooping on the bridge, try to turn it off. It's still not compatible with the multicast traffic needed for IPv6 (even in 7.17rc7 with the supposed workaround).
That does indeed seem to fix it!
by gfunkdave
Mon Jan 13, 2025 9:55 pm
Forum: General
Topic: Weird IPv6 issue on 7.16.2 [SOLVED]
Replies: 3
Views: 3071

Weird IPv6 issue on 7.16.2 [SOLVED]

I've got a RB5009 and two VLANs. I've had IPv6 working fine for months on it. I request a /60 from my ISP and each vlan gets a /64 off of that /60. Lately, I've noticed that devices take a while to pick up an IPv6 address when connecting to either VLAN. It seems to take anywhere from 30 seconds to a...
by gfunkdave
Thu Jan 09, 2025 9:33 pm
Forum: General
Topic: Error logging in with Winbox [SOLVED]
Replies: 1
Views: 3277

Re: Error logging in with Winbox [SOLVED]

Ah, never mind. I needed to add a firewall rule allowing src-address-type=local for ssh-tunneled connections to the router to work.
by gfunkdave
Thu Jan 09, 2025 7:44 pm
Forum: General
Topic: Error logging in with Winbox [SOLVED]
Replies: 1
Views: 3277

Error logging in with Winbox [SOLVED]

When I try to log in to the router with WinBox over an SSH tunnel, I get the error "The router does not support a secure connection." If I enable Legacy Mode like it suggests, WinBox just hangs on "Logging in...". I'm using Winbox 3.41 (happened on 3.40 too) and the router is a R...
by gfunkdave
Wed Dec 11, 2024 3:24 pm
Forum: General
Topic: IP Cloud (Dynamic DNS) down?
Replies: 101
Views: 19728

Re: IP Cloud (Dynamic DNS) down?

FWIW I wrote a quickie script to update CloudFlare DNS directly last night. :local wanInterface "ether1" #DNS Zone ID :local zoneID "12345" #DNS record ID :local recordID "12345" #your API token :local apiToken "12345" # determine if we use the dhcp script or the c...
by gfunkdave
Tue Dec 10, 2024 11:46 pm
Forum: General
Topic: IP Cloud (Dynamic DNS) down?
Replies: 101
Views: 19728

Re: mynetname is down ?

Seems to be. Mine isn’t working either. And the forum seems very slow.
by gfunkdave
Tue Dec 10, 2024 6:12 pm
Forum: General
Topic: Still no TLS 1.3?
Replies: 11
Views: 2452

Re: Still no TLS 1.3?

Because there is no urge for Mikrotik to support it. As long as TLS 1.2 is not deprecated/discouraged as 1.0/1.1 - Mikrotik won't move.
Yes yes, but why? I’d think they would want to ensure RouterOS supports the current security standards at a minimum. My Ubiquiti EdgeRouters, which haven’t gotten a r...
by gfunkdave
Tue Dec 10, 2024 6:03 pm
Forum: General
Topic: Still no TLS 1.3?
Replies: 11
Views: 2452

Still no TLS 1.3?

TLS 1.3 has been around for quite some time now. Why does RouterOS still not support it?
by gfunkdave
Sun Dec 01, 2024 11:59 pm
Forum: General
Topic: What am I missing about Let's Encrypt support?
Replies: 5
Views: 1589

Re: What am I missing about Let's Encrypt support?

Thanks, yes, I understand it doesn’t matter whether 80 or 443 is available. My point is that the default requires you to expose port 80 with the www service active in order to automate certificate renewal. Thanks for the firewall idea - I’m just confused why MikroTik would design the feature to be i...
by gfunkdave
Sun Dec 01, 2024 8:13 pm
Forum: General
Topic: What am I missing about Let's Encrypt support?
Replies: 5
Views: 1589

What am I missing about Let's Encrypt support?

It's cool that Mikrotik supports automatic Let's Encrypt, but isn't it a major security risk to leave port 80 open to the internet AND need to have the www service running all the time? Why doesn't the router automatically enable a web server, open firewall ports, renew the cert, then disable the we...
by gfunkdave
Sun Dec 01, 2024 7:24 pm
Forum: General
Topic: Access LAN B from LAN A, but not LAN A from LAN B
Replies: 24
Views: 2201

Re: Access LAN B from LAN A, but not LAN A from LAN B

Why do you have two routers? Just use one router and configure VLANs and a firewall. There seems to be a lot missing here...
by gfunkdave
Tue Nov 26, 2024 9:59 pm
Forum: General
Topic: Need some help in setting up ipv6 over SLAAC
Replies: 3
Views: 1015

Re: Need some help in setting up ipv6 over SLAAC

Post your config
by gfunkdave
Fri Nov 22, 2024 12:09 am
Forum: General
Topic: How does PPP profile remote address pool work?
Replies: 2
Views: 629

Re: How does PPP profile remote address pool work?

mikrotik unlike other brands assigns the pool IPs starting from the end of the same. to assign another address you have to connect a second client that uses the same profile and you will see that it will assign a different IP
Ah, weird. When I first created the profile it assigned the addresses fro...
by gfunkdave
Thu Nov 21, 2024 10:58 pm
Forum: General
Topic: How does PPP profile remote address pool work?
Replies: 2
Views: 629

How does PPP profile remote address pool work?

I created an SSTP server on the router. Under /ppp profile I created a profile whose remote-address is an IP pool for the server, 10.9.0.100-10.9.0.110. Each time I connect, the IP it assigns to the client increments. Now, it always assigns 10.9.0.110. What needs to happen for it to assign other add...
by gfunkdave
Sat Nov 16, 2024 10:42 pm
Forum: General
Topic: SSTP VPN Server questions and best practices? [SOLVED]
Replies: 3
Views: 950

Re: SSTP VPN Server questions and best practices? [SOLVED]

Oh neat. So I could configure Google Authenticator or the like to provide a one time code for login if I use RADIUS? I’ll check it out.
Did you try a non-standard wireguard port like 15678 or even 443 for that matter. I cannot see a cruise ship being that capable of blocking wireguard............
Ye...
by gfunkdave
Sat Nov 16, 2024 6:25 pm
Forum: General
Topic: SSTP VPN Server questions and best practices? [SOLVED]
Replies: 3
Views: 950

SSTP VPN Server questions and best practices? [SOLVED]

I’m currently on a cruise ship whose WiFi blocks Wireguard tunnels. The Wireguard client just shows that it’s sending multiples of 148 bytes, but there is no connectivity. My router, on the other end of the tunnel, doesn’t register any connections. I was able while in port to configure an SSTP server...
by gfunkdave
Mon Nov 04, 2024 5:41 pm
Forum: General
Topic: IPv6 and Comcast
Replies: 3
Views: 751

Re: IPv6 and Comcast

Can you post the output of the following:
/ipv6 export
Edit: the prefix hint should be ::/60

Edit 2: did you get rid of the default firewall rule to allow DHCPv6?
by gfunkdave
Thu Oct 31, 2024 4:30 pm
Forum: General
Topic: Can someone explain why MTU discovery doesn't work?
Replies: 0
Views: 2871

Can someone explain why MTU discovery doesn't work?

I have a RB5009 connected via a Wireguard tunnel to a Ubiquiti EdgeRouter. I have full bidirectional connectivity between the two LANs behind each router. I had been experiencing an issue where if I tried to access the web management UI of a smart switch at one location over the VPN, it would hang. ...
by gfunkdave
Tue Oct 29, 2024 8:29 pm
Forum: General
Topic: Multiple IPv6 prefixes when using macvlans
Replies: 10
Views: 1943

Re: Multiple IPv6 prefixes when using macvlans

Update to this. Mikrotik replied to my bug report ticket. Apparently the router continuing to advertise old prefixes as deprecated is the expected behavior: When a router advertises a prefix, it announces its validity time and the client uses this prefix for such period. If an advertising device cha...
by gfunkdave
Wed Oct 16, 2024 11:11 pm
Forum: Useful user articles
Topic: Bypassing AT&T Residential Gateways with MikroTik
Replies: 243
Views: 131524

Re: Bypassing AT&T Residential Gateways with MikroTik

Aaannnnd once more, with all the answers. This gives everything needed to get fully functioning IPv4 and IPv6 on a RB5009 running 7.16.1 and bypass a BGW-210. This assumes ether8 is your WAN port connected to the AT&T ONT. "xx:xx:xx:xx:xx:xx" and "xxxxxxxxxxxx" are the MAC of...
by gfunkdave
Wed Oct 16, 2024 10:41 pm
Forum: Useful user articles
Topic: Bypassing AT&T Residential Gateways with MikroTik
Replies: 243
Views: 131524

Re: Bypassing AT&T Residential Gateways with MikroTik

Not sure what changed, but after a reboot I'm once again getting "authenticated" on the dot1x client. I was back to the "not getting an IP address" issue, but then I changed the ethertype on the bridge to 0x9100, and I instantly got an IPv4 address. Yay. But I can't seem to get a...
by gfunkdave
Wed Oct 16, 2024 7:35 pm
Forum: General
Topic: Disappearing IPv6 configuration?
Replies: 5
Views: 2118

Re: Disappearing IPv6 configuration?

Yes, the only way to fix it is to restore from a backup. Obviously this is problematic...
by gfunkdave
Wed Oct 16, 2024 6:16 pm
Forum: Useful user articles
Topic: Bypassing AT&T Residential Gateways with MikroTik
Replies: 243
Views: 131524

Re: Bypassing AT&T Residential Gateways with MikroTik

Update: today I tried again, thinking I might need to delete the DHCP client and re-create it. But today, with the exact same config, the 802.1x status just shows "rejected". The router's clock is correct to within a second or two. I've triple checked the MAC address in the WAN port and in...
by gfunkdave
Tue Oct 15, 2024 10:54 pm
Forum: General
Topic: Disappearing IPv6 configuration?
Replies: 5
Views: 2118

Disappearing IPv6 configuration?

I'm not sure what I did (or if I did anything), but now I get this: [david@RoutyMcRouterson] > /ipv6/dhcp-client export # 2024-10-15 14:52:33 by RouterOS 7.16 # software id = U9U9-RERG # # model = RB5009UG+S+ # serial number = #error exporting "/ipv6/dhcp-client" (timeout) If I do /ipv6/dh...
by gfunkdave
Tue Oct 15, 2024 10:10 pm
Forum: Useful user articles
Topic: Bypassing AT&T Residential Gateways with MikroTik
Replies: 243
Views: 131524

Re: Bypassing AT&T Residential Gateways with MikroTik

Trying to get this to work on a RB5009. The dot1X client says "authenticated" almost instantly, but the DHCP client just hangs on "searching". /interface ethernet set [ find default-name=ether8 ] mac-address=AA:BB:CC:DD:EE:FF #my BGW-210 MAC /interface bridge add ingress-filterin...
by gfunkdave
Sat Oct 12, 2024 7:21 pm
Forum: General
Topic: VLAN 0 priority tagging with RB5009
Replies: 3
Views: 597

Re: VLAN 0 priority tagging with RB5009

There is a post/tutorial by pcunite (that might need to be adapted to newish RoS7) about this specific matter: https://forum.mikrotik.com/viewtopic.php?t=154954 No idea if newer versions have different provisions.
Ah, amazing! I knew I couldn’t have been the first person to want to try it. Now to f...
by gfunkdave
Fri Oct 11, 2024 7:00 pm
Forum: General
Topic: VLAN 0 priority tagging with RB5009
Replies: 3
Views: 597

VLAN 0 priority tagging with RB5009

I would like to bypass the AT&T gateway using a process like this one for pfSense: https://github.com/MonkWho/pfatt?tab=readme-ov-file It seems like it is not possible in ROS to set the VLAN ID to zero. Well, the documentation seems to show that you can use VLAN IDs of 0-4095 under /interface/et...
by gfunkdave
Thu Oct 03, 2024 6:58 pm
Forum: General
Topic: WireGuard stopped cooperating after the 7.16 upgrade [SOLVED]
Replies: 4
Views: 1821

Re: WireGuard stopped cooperating after the 7.16 upgrade [SOLVED]

Yeah that Wireguard configuration makes no sense. I would delete it all and start from scratch.

Reread the documentation on what Allowed IPs are and how they work. anav's guidance is solid.
by gfunkdave
Fri Sep 27, 2024 10:41 pm
Forum: General
Topic: Multiple IPv6 prefixes when using macvlans
Replies: 10
Views: 1943

Re: Multiple IPv6 prefixes when using macvlans

After rebooting the router, it seems to be working. I also changed an aspect of the configuration in the meantime. I removed one of the macvlans and assigned a DHCP6 client directly to the ether8 interface.
by gfunkdave
Fri Sep 27, 2024 5:47 pm
Forum: General
Topic: Multiple IPv6 prefixes when using macvlans
Replies: 10
Views: 1943

Re: Multiple IPv6 prefixes when using macvlans

I'll try rebooting the router later today, but in the meantime I've discovered something else. I haven't changed anything since yesterday. The only thing I'm aware of that has changed is the 12 hour timeout has elapsed. Now, the router is no longer advertising the old prefix. Great! But instead it i...
by gfunkdave
Fri Sep 27, 2024 12:18 am
Forum: General
Topic: Multiple IPv6 prefixes when using macvlans
Replies: 10
Views: 1943

Re: Multiple IPv6 prefixes when using macvlans

Update: the router appears to be advertising old prefixes for some reason. I disabled IPv6 on the router and on the AT&T gateway for about 15 minutes, then re-enabled it. While it was disabled I ran tcpdump on an Ubuntu box on my LAN. As expected there were no RAs received. After re-enabling, th...
by gfunkdave
Thu Sep 26, 2024 11:40 pm
Forum: General
Topic: Multiple IPv6 prefixes when using macvlans
Replies: 10
Views: 1943

Re: Multiple IPv6 prefixes when using macvlans

It isn't in there. I wonder if it could be bleeding through from the AT&T gateway upstream of the router somehow? But I have /ipv6/settings/accept-router-advertisements=no so I'm not sure how that could be. [david@RoutyMcRouterson] > /ipv6 nd prefix print Flags: X - disabled, I - invalid; D - dy...
by gfunkdave
Thu Sep 26, 2024 6:52 pm
Forum: General
Topic: Multiple IPv6 prefixes when using macvlans
Replies: 10
Views: 1943

Re: Multiple IPv6 prefixes when using macvlans

Thanks, I've changed the valid-lifetime and preferred-lifetime to 10 mins. And I see that the "c" address shows as deprecated. I'm wondering why it would still be around, long after 12 hours have passed since my initial config changes. david@zoidberg:~$ ip addr 1: lo: <LOOPBACK,UP,LOWER_UP...
by gfunkdave
Thu Sep 26, 2024 12:17 am
Forum: General
Topic: Multiple IPv6 prefixes when using macvlans
Replies: 10
Views: 1943

Multiple IPv6 prefixes when using macvlans

I have AT&T fiber internet and a RB5009 running 7.16. They require you to use their gateway, which they provision with a /60. They reserve the first 8 prefixes for themselves and will allow you to request the remaining 8 prefixes. If you request anything but a /64, it doesn't matter - the gatewa...
by gfunkdave
Mon Sep 23, 2024 7:51 pm
Forum: Announcements
Topic: v7.16rc [testing] is released!
Replies: 362
Views: 133688

Re: v7.16rc [testing] is released!

Anyone else getting script execution errors in the logs after SSH login? I have 2 scripts, both have a run count of 0 and have no idea what this script is.
I get this every time I ssh from my iPad using Termius, and never from other platforms or Putty. No idea why but I’m glad it isn’t just me. O...
by gfunkdave
Wed Aug 28, 2024 11:19 pm
Forum: General
Topic: Identifying mysterious script
Replies: 3
Views: 1064

Re: Identifying mysterious script

I don't know why I wasn't getting reply notifications. Yes, it does seem to happen when I log in via ssh.

Oh but this is weird. It only happens when I log in from my iPad using Termius. There aren't any scripts or other oddities configured in Termius so I'm not sure what's going on.
by gfunkdave
Thu Aug 22, 2024 6:57 pm
Forum: General
Topic: Feature requests
Replies: 1807
Views: 797623

Re: Feature requests

1) Take a safe mode approach by default. or at least have a configuration setting that allows this to be turned on by default, needing manual exit of safe mode each time to be fully committed. Eg on Cisco I have to write mem/commit, as with many other vendors. Better to be able to reboot to back out...
by gfunkdave
Wed Aug 21, 2024 6:13 pm
Forum: General
Topic: Identifying mysterious script
Replies: 3
Views: 1064

Identifying mysterious script

I noticed my system log (/log print) is peppered with these entries: 09:50:54 script,error executing script from sshd failed, please check it manually I have no scripts running that I'm aware of. I have three scripts defined, but I never call them anywhere. How can I get more info on what exactly is...
by gfunkdave
Tue Jul 23, 2024 5:20 pm
Forum: Announcements
Topic: v7.16beta [testing] is released!
Replies: 288
Views: 136760

Re: v7.16beta [testing] is released!

Curious what the status of this version is. It has been out for a few weeks and nobody has posted about it in almost a week.
by gfunkdave
Tue Jul 02, 2024 6:56 pm
Forum: Announcements
Topic: v7.16beta [testing] is released!
Replies: 288
Views: 136760

Re: v7.16beta [testing] is released!

*) dns - added support for DoH with static FWD entries;
*) dns - added support for mDNS proxy (CLI only);
These are both so exciting! I am assuming that the mDNS feature requires that the Firewall allows inbound on all the relevant interfaces for udp port 5353 for IP packets addressed even if addres...
by gfunkdave
Fri Jun 28, 2024 8:16 pm
Forum: General
Topic: How do you get RouterOS to ignore IPv6-supplied DNS
Replies: 9
Views: 2275

Re: How do you get RouterOS to ignore IPv6-supplied DNS

Thought experiment: what if you add a firewall rule that drops the Router Advertisements (ICMPv6, type 134, code 0) from the WAN entirely, instead relying on the DHCPv6 Client option to "Add Default Route"? I know that ideally the default route should come from the Router Advertisement, a...
by gfunkdave
Fri Jun 28, 2024 7:20 pm
Forum: General
Topic: How do you get RouterOS to ignore IPv6-supplied DNS
Replies: 9
Views: 2275

Re: How do you get RouterOS to ignore IPv6-supplied DNS

IIRC at the moment RouterOS doesn't let you administratively override how it uses received Router Advertisements. Please contact Mikrotik support and make a feature request at https://help.mikrotik.com/servicedesk/servicedesk
I did. They closed the ticket and said "we'll think about it". ...
by gfunkdave
Thu Jun 27, 2024 7:56 pm
Forum: General
Topic: How do you get RouterOS to ignore IPv6-supplied DNS
Replies: 9
Views: 2275

Re: How do you get RouterOS to ignore IPv6-supplied DNS

Hmm. On the RB1100, using AT&T Fiber, I don't show any dynamic addresses in /ip/dns if IPv6 DHCP has it disabled (and if IPv6 DNS is "use peer DNS" checked, AT&T DNS gets added a dynamic, uncheck it get removed). At least in 7.16beta.
This is what I have whenever IPv6 is enabled: ...
by gfunkdave
Thu Jun 27, 2024 7:42 pm
Forum: General
Topic: How do you get RouterOS to ignore IPv6-supplied DNS
Replies: 9
Views: 2275

Re: How do you get RouterOS to ignore IPv6-supplied DNS

It's all SLAAC. There is a bit of a hack because I have two VLANs but AT&T will only give you a /64. But they will give you as many /64s as you ask for, so I use two vrrf interfaces to ask for separate /64s. /ipv6 address add address=fddc::100 advertise=no interface=wireguard1 add address=::1 fr...
by gfunkdave
Thu Jun 27, 2024 7:14 pm
Forum: General
Topic: How do you get RouterOS to ignore IPv6-supplied DNS
Replies: 9
Views: 2275

How do you get RouterOS to ignore IPv6-supplied DNS

I have a RB5009 running 7.15.1. My ISP (AT&T US) uses router advertisements to advertise a DNS server that shows up in the "Dynamic Servers" field of the DNS settings. There doesn't seem to be a way to prevent this. I have set use-peer-dns=no on all the interfaces under /ipv6/dhcp-clie...
by gfunkdave
Mon Jun 24, 2024 6:59 pm
Forum: General
Topic: DNS forwarding when DoH enabled is allowed now?
Replies: 6
Views: 915

Re: DNS forwarding when DoH enabled is allowed now?

was there any new release since you received the mail actually?
One of my tickets was resolved as well last week, but no public release meantime. ;)
Nope, but the email did say the release addressing it may not have been published yet so I’ll hold out hope.
by gfunkdave
Mon Jun 24, 2024 6:49 pm
Forum: General
Topic: DNS forwarding when DoH enabled is allowed now?
Replies: 6
Views: 915

Re: DNS forwarding when DoH enabled is allowed now?

Right but does that mean that I’ll be able to conditionally forward certain DNS requests when DoH is enabled? I don’t care about adlists per se.
by gfunkdave
Mon Jun 24, 2024 6:45 pm
Forum: General
Topic: DNS forwarding when DoH enabled is allowed now?
Replies: 6
Views: 915

DNS forwarding when DoH enabled is allowed now?

I have always found it very annoying that RouterOS doesn't let you enable DNS forwarding when DoH is enabled. I had submitted a bug/change request ticket for it a while ago and to my surprise received an email last week that the change has been implemented in an upcoming release! But when I look at ...
by gfunkdave
Fri Feb 09, 2024 8:58 pm
Forum: General
Topic: CLOUD DDNS BEING HIJACKED
Replies: 7
Views: 1801

Re: CLOUD DDNS BEING HIJACKED

You don't give much to go on, but it sounds like the Hikvision camera is either using the same port as your electric meter or they have some kind of LAN address conflict.

Cloud DDNS has not been "hijacked".
by gfunkdave
Thu Feb 08, 2024 9:47 pm
Forum: General
Topic: RouterOS Virtual Private Networks, which one to choose?
Replies: 7
Views: 1431

Re: RouterOS Virtual Private Networks, which one to choose?

Clarification: Wireguard is not a client/server protocol (though many people try to use it that way). If you have three LANs that all need to talk to each other, set them all up as peers to each other so that connections between two of the LANs don't have to go through the "server".
by gfunkdave
Mon Jan 29, 2024 5:46 pm
Forum: General
Topic: Can't ssh from router to Linux server?
Replies: 22
Views: 2478

Re: Can't ssh from router to Linux server?

Well, Mikrotik support replied to my support case and I've got it working but still think there's something screwy with their ssh client. The issue is that there was a key in /user/ssh-keys/private print detail I think that, since the user attribute of the key was my username on the router and on th...
by gfunkdave
Fri Jan 26, 2024 8:03 pm
Forum: General
Topic: Can't ssh from router to Linux server?
Replies: 22
Views: 2478

Re: Can't ssh from router to Linux server?

When I started the thread I was running 7.13. Now on 7.13.3, no change.
by gfunkdave
Fri Jan 26, 2024 7:12 pm
Forum: General
Topic: Can't ssh from router to Linux server?
Replies: 22
Views: 2478

Re: Can't ssh from router to Linux server?

Ahhh this is very interesting. If I am reading this log right, the router is only trying to do public key auth and then disconnects when it realizes it can't (because it doesn't have a key). It doesn't try to fall back to password auth. 11:04:45 ssh,debug agreed on: curve25519-sha256,ssh-ed25519,aes...
by gfunkdave
Fri Jan 26, 2024 12:16 am
Forum: General
Topic: Can't ssh from router to Linux server?
Replies: 22
Views: 2478

Re: Can't ssh from router to Linux server?

Thanks! Now this is a crazy level of detail. It occurs to me that it might be better to find the router's ssh log from its end, since the server log seems to indicate the router is just disconnecting of its own accord. I don't think that's accessible in ROS though. There is a line in the below log j...
by gfunkdave
Thu Jan 25, 2024 11:59 pm
Forum: General
Topic: Can't ssh from router to Linux server?
Replies: 22
Views: 2478

Re: Can't ssh from router to Linux server?

Hmmm ... Jan 25 15:28:49 zoidberg sshd[275510]: debug2: input_userauth_request: try method none [preauth] After this one it should try another method - do you have "PasswordAuthentication yes" in /etc/ssh/sshd_config ?
Yep, and I log in using passwords all the time on this Ubuntu box. It'...
by gfunkdave
Thu Jan 25, 2024 11:31 pm
Forum: General
Topic: Can't ssh from router to Linux server?
Replies: 22
Views: 2478

Re: Can't ssh from router to Linux server?

ok ... can you set the loglevel to DEBUG2, restart the daemon and try another connection? Stupid question: clocks synchronized on both devices?
Yep, clocks are in sync. Both systems are set via ntp from us.pool.ntp.org I think. Jan 25 15:28:49 zoidberg sshd[275510]: Connection from 192.168.4.1 port...
by gfunkdave
Thu Jan 25, 2024 10:25 pm
Forum: General
Topic: Can't ssh from router to Linux server?
Replies: 22
Views: 2478

Re: Can't ssh from router to Linux server?

On the server, set in /etc/ssh/sshd_config # … LogLevel DEBUG #LogLevel DEBUG2 #LogLevel DEBUG3 And restart the daemon, you should have a lot more info on what goes wrong.
Ah, thanks. Logs don't seem to show much of interest. The server is Ubuntu 23.04, so pretty new. Log is: Jan 25 14:19:05 zoi...
by gfunkdave
Thu Jan 25, 2024 10:18 pm
Forum: General
Topic: Can't ssh from router to Linux server?
Replies: 22
Views: 2478

Re: Can't ssh from router to Linux server?

Likely your ubuntu runs recent OpenSSH version, which deprecates use of ssh-rsa algorithm to exchange keys while ROS doesn't support newer ones. So on the server, add PubkeyAcceptedAlgorithms +ssh-rsa to /etc/ssh/sshd_config ...
Ah, good idea...but doesn't make a difference. Yes, I restarted sshd s...
by gfunkdave
Thu Jan 25, 2024 9:55 pm
Forum: General
Topic: Can't ssh from router to Linux server?
Replies: 22
Views: 2478

Re: Can't ssh from router to Linux server?

Ok. That was worth a shot. On the linux server - can you get the SSH entries? sudo journalctl -xr -u ssh
Hmm, seems like it's not telling us anything different than the router seems to be disconnecting: david@zoidberg:~$ sudo journalctl -xr -u ssh Jan 25 13:53:08 zoidberg sshd[274495]: Disconnected...
by gfunkdave
Thu Jan 25, 2024 9:44 pm
Forum: General
Topic: Can't ssh from router to Linux server?
Replies: 22
Views: 2478

Re: Can't ssh from router to Linux server?

Hi there! Can you try the following? /system ssh user=<some non root user on the linux server> 192.168.4.5
Yes, same result. But my login is the same on the router and Ubuntu, and the Ubuntu logs show my username connecting and disconnecting before auth. So I don't think it makes a difference.
by gfunkdave
Thu Jan 25, 2024 9:07 pm
Forum: General
Topic: Can't ssh from router to Linux server?
Replies: 22
Views: 2478

Can't ssh from router to Linux server?

I have an Ubuntu server on my LAN and if I issue the command /system ssh 192.168.4.5 I just get a "Welcome back!" message without even a login prompt. I can ssh from the router to other devices. I can also ssh to 192.168.4.5 if I use Putty. On the Ubuntu server the ssh log just shows I con...
by gfunkdave
Fri Nov 17, 2023 7:33 pm
Forum: General
Topic: IPv6 prefixes leaking between vlans?
Replies: 7
Views: 1809

Re: IPv6 prefixes leaking between vlans?

Ah, neat! The weird thing is, if I delete the dhcpv6-server AND turn off advertisements for that address under IPV6-Addresses, I still get a single IPv6 address on client devices in the correct prefix. At this point I don't know if this is a bug or if I just don't understand IPv6 at all. Current ful...
by gfunkdave
Fri Nov 17, 2023 5:48 pm
Forum: General
Topic: IPv6 prefixes leaking between vlans?
Replies: 7
Views: 1809

Re: IPv6 prefixes leaking between vlans?

I wonder what underlying ICMPv6 packets looked like when RouterOS advertised itself to each vlan. Perhaps it's reasonable to file a bug request at help.mikrotik.com? --- By the way, what is the goal of /ipv6 dhcp-server add address-pool=lan-ipv6 interface=vlan-lan lease-time=12h name=\ lan-ipv6-poo...
by gfunkdave
Fri Nov 17, 2023 5:32 pm
Forum: General
Topic: windows client wireguard vpn ip
Replies: 4
Views: 4233

Re: windows client wireguard vpn ip

edit: just saw your update. You need to set your WG address to be a /24 not /32 - with a /32 you are disabling all connectivity. You also need to set your peer's Allowed IP to be the /32 of the WG segment - else you are routing all WG traffic to that peer. You only want that peer's IP to get its WG ...
by gfunkdave
Thu Nov 16, 2023 10:51 pm
Forum: General
Topic: IPv6 prefixes leaking between vlans?
Replies: 7
Views: 1809

Re: IPv6 prefixes leaking between vlans?

Update: I seem to have resolved it, but I don't understand why. All I did was add address to the items requested: /ipv6 dhcp-client add add-default-route=yes interface=vrrp1 pool-name=lan-ipv6 request=address,prefix \ use-interface-duid=yes use-peer-dns=no add add-default-route=yes interface=vrrp2 p...
by gfunkdave
Thu Nov 16, 2023 7:03 pm
Forum: General
Topic: IPv6 prefixes leaking between vlans?
Replies: 7
Views: 1809

IPv6 prefixes leaking between vlans?

I have AT&T fiber and two VLANs. AT&T will only issue a /64 but they will give as many /64s as you ask for. So, I've been using a couple vrrp interfaces to do that. It works fine. But I've noticed that devices get IPv6 addresses on both prefixes. Here's the partial result of ipconfig: Wirele...
by gfunkdave
Mon Nov 13, 2023 7:44 pm
Forum: General
Topic: Disabled Use Peer DNS but still see DNS in Dynamic
Replies: 1
Views: 1381

Re: Disabled Use Peer DNS but still see DNS in Dynamic

I ran into this same issue a couple months ago. RouterOS ignores DNS servers specified by the ISP's DHCPv6 but it does not ignore DNS servers in the upstream router advertisements coming from the ISP. I suggest creating a new feature request (go to https://mikrotik.com/support and click the Contact ...
by gfunkdave
Thu Oct 26, 2023 6:04 pm
Forum: General
Topic: RB5009UPr+S+IN to replace pfsense [SOLVED]
Replies: 4
Views: 2225

Re: RB5009UPr+S+IN to replace pfsense [SOLVED]

Yes, RouterOS can do all this. You can choose whichever hardware you think best. If budget is a concern with the rb5009 then perhaps check out the L009UIGS.
by gfunkdave
Wed Oct 11, 2023 5:24 pm
Forum: RouterOS beta
Topic: Static DNS FWD entries using DoH not working [SOLVED]
Replies: 22
Views: 29863

Re: Static DNS FWD entries using DoH not working [SOLVED]

Update: I submitted a feature request for this last week and today Mikrotik replied that if enough people asked for it they would investigate including it in a future release. So everyone please submit a feature request!

https://help.mikrotik.com/servicedesk/servicedesk
by gfunkdave
Fri Sep 29, 2023 10:45 pm
Forum: General
Topic: Feature requests
Replies: 1807
Views: 797623

Re: Feature requests

What is the current correct way to submit feature requests to Mikrotik?
by gfunkdave
Fri Sep 29, 2023 10:18 pm
Forum: General
Topic: Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]
Replies: 5
Views: 4530

Re: Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]

Thanks. I just changed the IPv6 - Settings "accept RA" setting to "yes if forwarding disabled" and the dynamic entry disappeared. It seems I still get the same delegated prefixes, and IPv6 connectivity works fine. This makes sense given what you've said. Since I have IPv6 forward...
by gfunkdave
Fri Sep 29, 2023 7:49 pm
Forum: General
Topic: Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]
Replies: 5
Views: 4530

Re: Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]

It will be part of the IPv6 RA data from the ISP. AFAIK there isn't an option to ignore the DNS server option if it is present.
Interesting - in that case, then what's the point of use-peer-dns?
by gfunkdave
Fri Sep 29, 2023 6:00 pm
Forum: General
Topic: Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]
Replies: 5
Views: 4530

Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]

I have a RB5009 running 7.10. I use the RB5009 as my local DNS forwarder. I just tried to go to a website that doesn't exist and, instead of getting an NXDOMAIN, to my surprise I got AT&T's "that domain doesn't exist but we searched for what you typed in" page. I'm running a pretty stand...
by gfunkdave
Tue Jul 25, 2023 6:58 pm
Forum: Beginner Basics
Topic: SSH from WAN
Replies: 4
Views: 2072

Re: SSH from WAN

Not really a reply to your problem but why do you want to use a direct connection from outside? Going in via VPN is a lot more secure. My view... I'm not always on a computer that I can install a VPN client on. And why would key-only ssh be any less secure than a VPN? I figured out the issue: the ...
by gfunkdave
Mon Jul 24, 2023 6:20 pm
Forum: Beginner Basics
Topic: SSH from WAN
Replies: 4
Views: 2072

SSH from WAN

I have added a firewall rule to the input chain to allow tcp/port 22 and I've disabled password ssh. It is before the general "drop all from WAN" rule. When I try to log in via ssh from the WAN, the connection times out. Can someone help me figure out why it doesn't work? [david@RoutyMcRou...
by gfunkdave
Wed Jun 28, 2023 8:37 pm
Forum: Scripting
Topic: Trouble scripting container updates [SOLVED]
Replies: 4
Views: 3227

Re: Trouble scripting container updates [SOLVED]

Aha! It was trying to add the container before it was done removing it. This script works: :global mytag "pihole" /container { stop [find tag~$mytag] :do { :delay 1s } while=([get [find tag~$mytag] status ] != "stopped") remove [find tag~$mytag] :do { :delay 1s } while=([print co...
by gfunkdave
Wed Jun 28, 2023 7:50 pm
Forum: Scripting
Topic: Trouble scripting container updates [SOLVED]
Replies: 4
Views: 3227

Re: Trouble scripting container updates [SOLVED]

It appears to be a permissions thing. If I enable all the script permissions it works fine. I'm not sure which one (and don't feel like trying them one by one). Of course now I've modified the script to not need the delays and once again it doesn't work (same error). :global mytag "pihole"...
by gfunkdave
Wed Jun 28, 2023 7:04 pm
Forum: Scripting
Topic: Trouble scripting container updates [SOLVED]
Replies: 4
Views: 3227

Trouble scripting container updates [SOLVED]

I'm just trying to script deleting and re-adding a Pihole container, and it keeps failing on the /container/add, but I don't know why. Can someone help? This is my first script so I am sure it's something stupid. /container/stop [find tag=pihole/pihole:latest] :log info "Stopped"; :delay 3...
by gfunkdave
Sat May 27, 2023 6:44 pm
Forum: General
Topic: Adding veth slows internet
Replies: 35
Views: 6664

Re: Adding veth slows internet

So, I've determined that the issue happens when the veth interface is attached to the bridge with the LAN on it. Creating the veth interface on a new bridge doesn't produce the problem. I have deleted all the NAT rules. Just adding disabled=yes to veth2 makes the problem go away. Full config: https:...
by gfunkdave
Sat May 27, 2023 5:53 am
Forum: General
Topic: Adding veth slows internet
Replies: 35
Views: 6664

Adding veth slows internet

I have a RB5009 running 7.9. I added a veth interface for a Pihole container. Even without the container running, the veth interface greatly slows internet. My nominal connection speed is 500/500. If I have the veth port disabled, I get about 590 Mbps down and 520 up. As soon as I enable the veth po...
by gfunkdave
Fri May 26, 2023 4:49 pm
Forum: Beginner Basics
Topic: Using NAT for a docker container
Replies: 4
Views: 2789

Re: Using NAT for a docker container

Update: I just had to delete the container and re-create it, and now it works.
by gfunkdave
Thu May 25, 2023 10:46 pm
Forum: Beginner Basics
Topic: Using NAT for a docker container
Replies: 4
Views: 2789

Re: Using NAT for a docker container

You can add the VETH to your LAN bridge (or VLAN) in /interface/bridge/ports, and in /interface/veth use the 192.168.4.2 LAN IP and Mikrotik LAN address as gateway. No NAT required. Oh I feel so dumb. I forgot to add it in /interface/bridge/ports. But I still can't access the Pihole. Pinging 192.168...
by gfunkdave
Thu May 25, 2023 10:04 pm
Forum: Beginner Basics
Topic: Using NAT for a docker container
Replies: 4
Views: 2789

Using NAT for a docker container

I followed these instructions to run Pihole in a container on my rb5009. Pihole works fine. I created the VETH interface for it at 192.168.5.10 and can access its web ui from my LAN, which is 192.168.4.0/24. What I'd really like is for it to appear on my LAN segment. I couldn't get it to work by sim...
by gfunkdave
Thu May 25, 2023 9:57 pm
Forum: Beginner Basics
Topic: Static DNS Forwarding Help [SOLVED]
Replies: 1
Views: 1918

Re: Static DNS Forwarding Help [SOLVED]

The issue is that ROS won't do regexp forwarding to other DNS servers if DoH is on. Apparently this has been an issue for quite some time.
by gfunkdave
Thu May 25, 2023 5:18 am
Forum: RouterOS beta
Topic: Static DNS FWD entries using DoH not working [SOLVED]
Replies: 22
Views: 29863

Re: Static DNS FWD entries using DoH not working [SOLVED]

I just wanted to chime in and say that I just discovered this is why I couldn't resolve DNS across VPN tunnels. Is there a feature request to enable local/regexp DNS when DoH is enabled?
by gfunkdave
Wed May 24, 2023 10:24 pm
Forum: Beginner Basics
Topic: Static DNS Forwarding Help [SOLVED]
Replies: 1
Views: 1918

Static DNS Forwarding Help [SOLVED]

I have a few Wireguard tunnels set up to other remote LANs. Connectivity works fine bidirectionally. I am trying to be able to resolve DNS names on a remote LAN locally. As an example, one of the Wireguard peers uses the domain ".rena" on its LAN and is in the address space 192.168.35.0/24...
by gfunkdave
Wed May 24, 2023 6:09 am
Forum: Beginner Basics
Topic: Router is getting an ISP DNS server?
Replies: 3
Views: 750

Re: Router is getting an ISP DNS server?

Update: I configured things to use SLAAC (with advertise DNS off on the /ipv6 nd) and now I don’t get that pesky DNS on my LAN.

viewtopic.php?t=181840#p902227
by gfunkdave
Wed May 24, 2023 5:26 am
Forum: Beginner Basics
Topic: Router is getting an ISP DNS server?
Replies: 3
Views: 750

Re: Router is getting an ISP DNS server?

Hmm, that’s troublesome. AT&T’s DNS is randomly hijacking queries for LAN addresses. There must be a way to ignore them. Anyone?
by gfunkdave
Tue May 23, 2023 11:21 pm
Forum: Beginner Basics
Topic: Router is getting an ISP DNS server?
Replies: 3
Views: 750

Router is getting an ISP DNS server?

I have an RB5009 running 7.9.1 (though the issue happened in 7.9 too). I'm getting this random anomalous IPv6 DNS server: [david@RoutyMcRouterson] > /ip dns print servers: 1.1.1.2,1.0.0.2 dynamic-servers: 2600:1700:7c50:3790::1 use-doh-server: verify-doh-cert: no doh-max-server-connections: 5 doh-ma...
by gfunkdave
Tue May 23, 2023 8:54 pm
Forum: Beginner Basics
Topic: DHCP server ignores a single static lease [SOLVED]
Replies: 2
Views: 1055

Re: DHCP server ignores a single static lease [SOLVED]

Aha, thanks! I knew it was something simple.
by gfunkdave
Tue May 23, 2023 8:38 pm
Forum: Beginner Basics
Topic: DHCP server ignores a single static lease [SOLVED]
Replies: 2
Views: 1055

DHCP server ignores a single static lease [SOLVED]

I have a new RB5009 with several static DHCP leases configured. They all work fine, except for the one for the printer: [david@MikroTik] /ip/dhcp-server/lease> export hide-sensitive # may/23/2023 12:36:52 by RouterOS 7.9 # software id = U9U9-RERG # # model = RB5009UG+S+ /ip dhcp-server lease add add...
by gfunkdave
Tue Jan 09, 2018 5:18 pm
Forum: Beginner Basics
Topic: mAP Lite as travel router?
Replies: 12
Views: 14858

Re: mAP Lite as travel router?

Thanks for all the detail! It's the needing to reset it and reload config that gets me. I'm starting to accept that it seems any OpenWRT or Mikrotik router I want to use for a travel router will have this limitation, and I don't understand why. Plenty of cheap consumer travel routers don't make you ...
by gfunkdave
Tue Jan 09, 2018 12:10 am
Forum: Beginner Basics
Topic: mAP Lite as travel router?
Replies: 12
Views: 14858

mAP Lite as travel router?

I'm thinking of getting into the Mikrotik world and thought the mAP Lite would make a nice travel router. I can't seem to find info on a couple questions I have, though. 1. Can I use the mAP Lite in WISP mode, where it pulls in a public wifi signal and NATs to a private wifi network I create for my ...