MikroTik

gfunkdave

Thanks, it’s more of an idle curiosity question. I was looking at the lineup and was trying to make sense at the use cases each router is targeted to.

gfunkdave

It seems like Mikrotik's product offerings are all over the place. Is there some sort of guide on which models of routers are suitable/designed for a given purpose? LIke, "this model is targeted at the SOHO market with up to x client devices and a connection speed of y" kind of thing.

gfunkdave

I realized I didn't really understand how to interpret the test results that Mikrotik publishes for each router. It seems that people think the "25 IP filter rules" 512 byte packet result is the closest to real world performance. So, for the hEX refresh router, that shows 498.1 Mbps. Does ...

gfunkdave

Why are you adding multiple bridges instead of using VLANs? Just use VLANs. That's what they're for. Multiple bridges will slow things down and is not the correct way to go about this.

https://help.mikrotik.com/docs/spaces/R ... 14957/VLAN

gfunkdave

edit: never mind. It was a firewall issue.

I tried deleting the post but got HTTP 500.

gfunkdave

I have an SSTP server that I use from time to time, and I had thought IPv6 was working over it, but it appears not to be and I'm not sure what the problem is. The clients are assigned a valid IPv6 address and the router has a route in place for it. But I can't ping the router across the tunnel and I...

gfunkdave

If you have enabled IGMP Snooping on the bridge, try to turn it off. It's still not compatible with the multicast traffic needed for IPv6 (even in 7.17rc7 with the supposed workaround).

That does indeed seem to fix it!

gfunkdave

I've got a RB5009 and two VLANs. I've had IPv6 working fine for months on it. I request a /60 from my ISP and each vlan gets a /64 off of that /60. Lately, I've noticed that devices take a while to pick up an IPv6 address when connecting to either VLAN. It seems to take anywhere from 30 seconds to a...

gfunkdave

Ah, never mind. I needed to add a firewall rule allowing src-address-type=local for ssh-tunneled connections to the router to work.

gfunkdave

When I try to log in to the router with WInBox over an SSH tunnel, I get the error "The router does not support a secure connection." If I enable Legacy Mode like it suggests, WinBox just hangs on "Logging in...". I'm using Winbox 3.41 (happened on 3.40 too) and the router is a R...

gfunkdave

FWIW I wrote a quickie script to update CloudFlare DNS directly last night. :local wanInterface "ether1" #DNS Zone ID :local zoneID “12345" #DNS record ID :local recordID "12345" #your API token :local apiToken "12345" # determine if we use the dhcp script or the c...

gfunkdave

Seems to be. Mine isn’t working either. And the forum seems very slow.

gfunkdave

Because there is no urge for Mikrotik to support it. As long TLS 1.2 is not deprecated/discouraged as 1.0/1.1 - Mikrotik won't move. Yes yes, but why? I’d think they would want to ensure RouterOS supports the current security standards at a minimum. My Ubiquiti EdgeRouters, which haven’t gotten a r...

gfunkdave

TLS 1.3 has been around for quite some time now. Why does RouterOS still not support it?

gfunkdave

Thanks, yes, I understand it doesn’t matter whether 80 or 443 is available. My point is that the default requires you to expose port 80 with the www service active in order to automate certificate renewal. Thanks for the firewall idea - I’m just confused why MikroTik would design the feature to be i...

gfunkdave

It's cool that Mikrotik supports automatic Let's Encrypt, but isn't it a major security risk to leave port 80 open to the internet AND need to have the www service running all the time? Why doesn't the router automatically enable a web server, open firewall ports, renew the cert, then disable the we...

gfunkdave

Why do you have two routers? Just use one router and configure VLANs and a firewall. There seems to be a lot missing here...

gfunkdave

Post your config

gfunkdave

mikrotik unlike other brands assigns the pool IPs starting from the end of the same. to assign another address you have to connect a second client that uses the same profile and you will see that it will assign a different IP Ah, weird. When I first created the profile it assigned the addresses fro...

gfunkdave

I created an SSTP server on the router. Under /ppp profile I created a profile whose remote-address is an IP pool for the server, 10.9.0.100-10.9.0.110. Each time I connect, the IP it assigns to the client increments. Now, it always assigns 10.9.0.110. What needs to happen for it to assign other add...

gfunkdave

Oh neat. So I could configure Google Authenticator or the like to provide a one time code for login if I use RADIUS? I’ll check it out. Did you try a non-standard wireguard port like 15678 or even 443 for that matter. I cannot see a cruise ship being that capable of blocking wireguard............ Ye...

gfunkdave

I’m currently on a cruise ship whose WiFi blocks Wireguard tunnels. The Wireguard client just shows that it’s sending multiples of 148 bytes, but there is no connectivity. My router, on the other end of the tunnel, doesn’t register any connections. I was able while in port to configure a SSTP server...

gfunkdave

Can you post the output of the following:

/ipv6 export

Edit: the prefix hint should be ::/60

Edit 2: did you get rid of the default firewall rule to allow DHCPv6?

gfunkdave

I have a RB5009 connected via a Wireguard tunnel to a Ubiquiti EdgeRouter. I have full bidirectional connectivity between the two LANs behind each router. I had been experiencing an issue where if I tried to access the web management UI of a smart switch at one location over the VPN, it would hang. ...

gfunkdave

Update to this. Mikrotik replied to my bug report ticket. Apparently the router continuing to advertise old prefixes as deprecated is the expected behavior: When a router advertises a prefix, it announces its validity time and the client uses this prefix for such period. If an advertising device cha...

gfunkdave

Aaannnnd once more, with all the answers. This gives everything needed to get fully functioning IPv4 and IPv6 on a RB5009 running 7.16.1 and bypass a BGW-210. This assumes ether8 is your WAN port connected to the AT&T ONT. "xx:xx:xx:xx:xx:xx" and "xxxxxxxxxxxx" are the MAC of...

gfunkdave

Not sure what changed, but after a reboot I'm once again getting "authenticated" on the dot1x client. I was back to the "not getting an IP address" issue, but then I changed the ethertype on the bridge to 0x9100, and I instantly got an IPv4 address. Yay. But I can't seem to get a...

gfunkdave

Yes, the only way to fix it is to restore from a backup. Obviously this is problematic...

gfunkdave

Update: today I tried again, thinking I might need to delete the DHCP client and re-create it. But today, with the exact same config, the 802.1x status just shows "rejected". The router's clock is correct to within a second or two. I've triple checked the MAC address in the WAN port and in...

gfunkdave

I'm not sure what I did (or if I did anything), but now I get this: [david@RoutyMcRouterson] > /ipv6/dhcp-client export # 2024-10-15 14:52:33 by RouterOS 7.16 # software id = U9U9-RERG # # model = RB5009UG+S+ # serial number = #error exporting "/ipv6/dhcp-client" (timeout) If I do /ipv6/dh...

gfunkdave

Trying to get this to work on a RB5009. The dot1X client says "authenticated" almost instantly, but the DHCP client just hangs on "searching". /interface ethernet set [ find default-name=ether8 ] mac-address=AA:BB:CC:DD:EE:FF #my BGW-210 MAC /interface bridge add ingress-filterin...

gfunkdave

There is a post/tutorial by pcunite (that might need to be adapted to newish RoS7) about this specific matter: https://forum.mikrotik.com/viewtopic.php?t=154954 No idea if newer versions have different provisions. Ah, amazing! I knew I couldn’t have been the first person to want to try it. Now to f...

gfunkdave

I would like to bypass the AT&T gateway using a process like this one for pfSense: https://github.com/MonkWho/pfatt?tab=readme-ov-file It seems like it is not possible in ROS to set the VLAN ID to zero. Well, the documentation seems to show that you can use VLAN IDs of 0-4095 under /interface/et...

gfunkdave

YEah that Wireguard configuration makes no sense. I would delete it all and start from scratch.

Reread the documentation on what Allowed IPs are and how they work. anav's guidance is solid.

gfunkdave

After rebooting the router, it seems to be working. I also changed an aspect of the configuration in the meantime. I removed one of the macvlans and assigned a DHCP6 client directly to the ether8 interface.

gfunkdave

I'll try rebooting the router later today, but in the meantime I've discovered something else. I haven't changed anything since yesterday. The only thing I'm aware of that has changed is the 12 hour timeout has elapsed. Now, the router is no longer advertising the old prefix. Great! But instead it i...

gfunkdave

Update: the router appears to be advertising old prefixes for some reason. I disabled IPv6 on the router and on the AT&T gateway for about 15 minutes, then re-enabled it. While it was disabled I ran tcpdump on an Ubuntu box on my LAN. As expected there were no RAs received. After re-enabling, th...

gfunkdave

It isn't in there. I wonder if it could be bleeding through from the AT&T gateway upstream of the router somehow? But I have /ipv6/settings/accept-router-advertisements=no so I'm not sure how that could be. [david@RoutyMcRouterson] > /ipv6 nd prefix print Flags: X - disabled, I - invalid; D - dy...

gfunkdave

THanks, I've changed the valid-lifetime and preferred-lifetime to 10 mins. And I see that the "c" address shows as deprecated. I'm wondering why it would still be around, long after 12 hours have passed since my initial config changes. david@zoidberg:~$ ip addr 1: lo: <LOOPBACK,UP,LOWER_UP...

gfunkdave

I have AT&T fiber internet and a RB5009 running 7.16. They require you to use their gateway, which they provision with a /60. They reserve the first 8 prefixes for themselves and will allow you to request the remaining 8 prefixes. If you request anything but a /64, it doesn't matter - the gatewa...

gfunkdave

Anyone else getting a script execution errors in the logs after SSH login? I have 2 scripts, both have a run count of 0 and have no idea what this script is. I get this every time I ssh from my iPad using Termius, and never from other platforms or Putty. No idea why but I’m glad it isn’t just me. O...

gfunkdave

I don't know why I wasn't getting reply notifications. Yes, it does seem to happen when I log in via ssh.

Oh but this is weird. It only happens when I log in from my iPad using Termius. There aren't any scripts or other oddities configured in Termius so I'm not sure what's going on.

gfunkdave

1) Take a safe mode approach by default. or at least have a configuration setting that allows this to be turned on by default, needing manual exit of safe mode each time to be fully commited. Eg on Cisco I have to write mem/commit, as with many other vendors. Better to be able to reboot to back out...

gfunkdave

I noticed my system log (/log print) is peppered with these entries: 09:50:54 script,error executing script from sshd failed, please check it manually I have no scripts running that I'm aware of. I have three scripts defined, but I never call them anywhere. How can I get more info on what exactly is...

gfunkdave

Curious what the status of this version is. It has been out for a few weeks and nobody has posted about it in almost a week.

gfunkdave

*) dns - added support for DoH with static FWD entries; *) dns - added support for mDNS proxy (CLI only); These are both so exciting! I am assuming that the mDNS feature requires that the Firewall allows inbound on all the relevant interfaces for udp port 5353 for IP packets addressed even if addres...

gfunkdave

Thought experiment: what if you add a firewall rule that drops the Router Advertisements (ICMPv6, type 134, code 0) from the WAN entirely, instead relying on the DHCPv6 Client option to "Add Default Route"? I know that ideally the default route should come from the Router Advertisement, a...

gfunkdave

IIRC at the moment RouterOS doesn't let you administratively override how it uses received Router Advertisements. Please contact Mikrotik support and make a feature request at https://help.mikrotik.com/servicedesk/servicedesk I did. They closed the ticket and said "we'll think about it". ...

gfunkdave

Hmm. On the RB1100, using AT&T Fiber, I don't show any dynamic addresses in /ip/dns if IPv6 DHCP has it disabled (and if IPv6 DNS is "use peer DNS" checked, AT&T DNS gets added a dynamic, uncheck it get removed). At least in 7.16beta. This is what I have whenever IPv6 is enabled: ...

gfunkdave

It's all SLAAC. There is a bit of a hack because I have two VLANs but AT&T will only give you a /64. But they will give you as many /64s as you ask for, so I use two vrrf interfaces to ask for separate /64s. /ipv6 address add address=fddc::100 advertise=no interface=wireguard1 add address=::1 fr...

gfunkdave

I have a RB5009 running 7.15.1. My ISP (AT&T US) uses router advertisements to advertise a DNS server that shows up in the "Dynamic Servers" field of the DNS settings. There doesn't seem to be a way to prevent this. I have set use-peer-dns=no on all the interfaces under /ipv6/dhcp-clie...

gfunkdave

was there any new release since you received the mail actually?
One of my tickets was resolved as well last week, but no public release meantime.

Nope, but the email did say the release addressing it may not have been published yet so I’ll hold out hope.

gfunkdave

Right but does that mean that I’ll be able to conditionally forward certain DNS requests when DoH is enabled? I don’t care about adlists per se.

gfunkdave

I have always found it very annoying that RouterOS doesn't let you enable DNS forwarding when DoH is enabled. I had submitted a bug/change request ticket for it a while ago and to my surprise received an email last week that the change has been implemented in an upcoming release! But when I look at ...

gfunkdave

You don't give much to go on, but it sounds like the Hikvision camera is either using the same port as your electric meter or they have some kind of LAN address conflict.

Cloud DDNS has not been "hijacked".

gfunkdave

Clarification: Wireguard is not a client/server protocol (though many people try to use it that way). If you have three LANs that all need to talk to each other, set them all up as peers to each other so that connections between two of the LANs don't have to go through the "server".

gfunkdave

Well, Mikrotik support replied to my support case and I've got it working but still think there's something screwy with their ssh client. The issue is that there was a key in /user/ssh-keys/private print detail I think that, since the user attribute of the key was my username on the router and on th...

gfunkdave

When I started the thread I was running 7.13. Now on 7.13.3, no change.

gfunkdave

Ahhh this is very interesting. If I am reading this log right, the router is only trying to do public key auth and then disconnects when it realizes it can't (because it doesn't have a key). It doesn't try to fall back to password auth. 11:04:45 ssh,debug agreed on: curve25519-sha256,ssh-ed25519,aes...

gfunkdave

Thanks! Now this is a crazy level of detail. It occurs to me that it might be better to find the router's ssh log from its end, since the server log seems to indicate the router is just disconnecting of its own accord. I don't think that's accessible in ROS though. There is a line in the below log j...

gfunkdave

Hmmm ... Jan 25 15:28:49 zoidberg sshd[275510]: debug2: input_userauth_request: try method none [preauth] After this one it should try another method - do you have "PasswordAuthentication yes" in /etc/ssh/sshd_config ? Yep, and I log in using passwords all the time on this Ubuntu box. It'...

gfunkdave

ok ... can you set the loglevel to DEBUG2, restart the daemon and try another connection? Stupid question: clocks synchronized on both devices? Yep, clocks are in sync. Both systems are set via ntp from us.pool.ntp.org I think. Jan 25 15:28:49 zoidberg sshd[275510]: Connection from 192.168.4.1 port...

gfunkdave

On the server, set in /etc/ssh/sshd_config[/] # … LogLevel DEBUG #LogLevel DEBUG2 #LogLevel DEBUG3 And restart the daemon, you should have a lot more info on what goes wrong. Ah, thanks. Logs don't seem to show much of interest. The server is Ubuntu 23.04, so pretty new. Log is; Jan 25 14:19:05 zoi...

gfunkdave

Likely your ubuntu runs recent OpenSSH version, which deprecates use of ssh-rsa algorithm to exchange keys whike ROS doesn't support newer ones. So on the server, add PubkeyAcceptedAlgorithms +ssh-rsa to /etc/ssh/sshd_config ... Ah, good idea...but doesn't make a difference. Yes, I restarted sshd s...

gfunkdave

Ok. That was worth a shot. On the linux server - can you get the SSH entries? sudo journalctl -xr -u ssh Hmm, seems like it's not telling us anything different than the router seems to be disconnecting: david@zoidberg:~$ sudo journalctl -xr -u ssh Jan 25 13:53:08 zoidberg sshd[274495]: Disconnected...

gfunkdave

Hi there! Can you try the following? /system ssh user=<some non root user on the linux server> 192.168.4.5 Yes, same result. But my login is the same on the router and Ubuntu, and the Ubuntu logs show my username connecting and disconnecting before auth. So I don't think it makes a difference.

gfunkdave

I have an Ubuntu server on my LAN and if I issue the command /system ssh 192.168.4.5 I just get a "Welcome back!" message without even a login prompt. I can ssh from the router to other devices. I can also ssh to 192.168.4.5 if I use Putty. On the Ubuntu server the ssh log just shows I con...

gfunkdave

Ah, neat! The weird thing is, if I delete the dhcpv6-server AND turn off advertisements for that address under IPV6-Addresses, I still get a single IPv6 address on client devices in the correct prefix. At this point I don't know if this is a bug or if I just don't understand IPv6 at all. Current ful...

gfunkdave

I wonder what underlying ICMPv6 packets looked like when RouterOS advertised itself to each vlan. Perhaps it's reasonable to file a bug request at help.mikrotik.com? --- By the way, what is the goal of /ipv6 dhcp-server add address-pool=lan-ipv6 interface=vlan-lan lease-time=12h name=\ lan-ipv6-poo...

gfunkdave

edit: just saw your update. You need to set your WG address to be a /24 not /32 - with a /32 you are disabling all connectivity. You also need to set your peer's Allowed IP to be the /32 of the WG segment - else you are routing all WG traffic to that peer. You only want that peer's IP to get its WG ...

gfunkdave

Update: I seem to have resolved it, but I don't understand why. All I did was add address to the items requested: /ipv6 dhcp-client add add-default-route=yes interface=vrrp1 pool-name=lan-ipv6 request=address,prefix \ use-interface-duid=yes use-peer-dns=no add add-default-route=yes interface=vrrp2 p...

gfunkdave

I have AT&T fiber and two VLANs. AT&T will only issue a /64 but they will give as many /64s as you ask for. So, I've been using a couple vrrp interfaces to do that. It works fine. But I've noticed that devices get IPv6 addresses on both prefixes. Here's the partial result of ipconfig: Wirele...

gfunkdave

I ran into this same issue a couple months ago. RouterOS ignores DNS servers specified by the ISP's DHCPv6 but it does not ignore DNS servers in the upstream router advertisements coming from the ISP. I suggest creating a new feature request (go to https://mikrotik.com/support and click the Contact ...

gfunkdave

Yes, RouterOS can do all this. You can choose whichever hardware you think best. If budget is a concern with the rb5009 then perhaps check out the L009UIGS.

gfunkdave

Update: I submitted a feature request for this last week and today Mikrotik replied that if enough people asked for it they would investigate including it in a future release. So everyone please submit a feature request!

https://help.mikrotik.com/servicedesk/servicedesk

gfunkdave

What is the current correct way to submit feature requests to Mikrotik?

gfunkdave

Thanks. I just changed the IPv6 - Settings "accept RA" setting to "yes if forwarding disabled" and the dynamic entry disappeared. It seems I still get the same delegated prefixes, and IPv6 connectivity works fine. This makes sense given what you've said. Since I have IPv6 forward...

gfunkdave

It will be part of the IPv6 RA data from the ISP. AFAIK there isn't an option to ignore the DNS server option if it is present.

Interesting - in that case, then what's the point of use-peer-dns?

gfunkdave

I have a RB5009 running 7.10. I use the RB5009 as my local DNS forwarder. I just tried to go to a website that doesn't exist and instead of getting an NXDOMAIN to my surprise I got AT&T's "that domain doesn't exist but we searched for what you typed in" page. I'm running a pretty stand...

gfunkdave

Not really a reply to your problem but why do you want to use a direct connection from outside ? Going in via VPN is a lot more secure. My view... I'm not always on a computer that I can install a VPN client on. And why would key-only ssh be any less secure than a VPN? I figured out the issue: the ...

gfunkdave

I have added a firewall rule to the input chain to allow tcp/port 22 and I've disabled password ssh. It is before the general "drop all from WAN" rule. When I try to log in via ssh from the WAN, the connection times out. Can someone help me figure out why it doesn't work? [david@RoutyMcRou...

gfunkdave

Aha! It was trying to add the container before it was done removing it. This script works: :global mytag "pihole" /container { stop [find tag~$mytag] :do { :delay 1s } while=([get [find tag~$mytag] status ] != "stopped") remove [find tag~$mytag] :do { :delay 1s } while=([print co...

gfunkdave

It appears to be a permissions thing. If I enable all the script permissions it works fine. I'm not sure which one (and don't feel like trying them one by one). Of course now I've modified the script to not need the delays and once again it doesn't work (same error). :global mytag "pihole"...

gfunkdave

I'm just trying to script deleting and re-adding a Pihole container, and it keeps failing on the /container/add, but I don't know why. Can someone help? This is my first script so I am sure it's something stupid. /container/stop [find tag=pihole/pihole:latest] :log info "Stopped"; :delay 3...

gfunkdave

So, I've determined that the issue happens when the veth interface is attached to the bridge with the LAN on it. Creating the veth interface on a new bridge doesn't produce the problem. I have deleted all the NAT rules. Just adding disabled=yes to veth2 makes the problem go away. Full config: https:...

gfunkdave

I have a RB5009 running 7.9. I added a veth interface for a Pihole container. Even without the container running, the veth interface greatly slows internet. My nominal connection speed is 500/500. If I have the veth port disabled, I get about 590 Mbps down and 520 up. As soon as I enable the veth po...

gfunkdave

Update: I just had to delete the container and re-create it, and now it works.

gfunkdave

You can add the VETH to you LAN bridge (or VLAN) in /interface/bridge/ports, and in /interface/veth use the 192.168.4.2 LAN IP and Mikrotik LAN address as gateway. No NAT required. Oh I feel so dumb. I forgot to add it in /interface/bridge/ports. But I still can't access the Pihole. Pinging 192.168...

gfunkdave

I followed these instructions to run Pihole in a container on my rb5009. Pihole works fine. I created the VETH interface for it at 192.168.5.10 and can access its web ui from my LAN, which is 192.168.4.0/24. What I'd really like is for it to appear on my LAN segment. I couldn't get it to work by sim...

gfunkdave

The issue is that ROS won't do regexp forwarding to other DNS servers if DoH is on. Apparently this has been an issue for quite some time.

gfunkdave

I just wanted to chime in and say that I just discovered this is why I couldn't resolve DNS across VPN tunnels. Is there a feature request to enable local/regexp DNS when DoH is enabled?

gfunkdave

I have a few Wireguard tunnels set up to other remote LANs. Connectivity works fine bidirectionally. I am trying to be able to resolve DNS names on a remote LAN locally. As an example, one of the Wireguard peers uses the domain ".rena" on its LAN and is in the address space 192.168.35.0/24...

gfunkdave

Update: I configured things to use SLAAC (with advertise DNS off on the /ipv6 nd) and now I don’t get that pesky DNS on my LAN.

viewtopic.php?t=181840#p902227

gfunkdave

Hmm, that’s troublesome. AT&T’s DNS is randomly hijacking queries for LAN addresses. There must be a way to ignore them. Anyone?

gfunkdave

I have an RB5009 running 7.9.1 (though the issue happened in 7.9 too). I'm getting this random anomalous IPv6 DNS server: [david@RoutyMcRouterson] > /ip dns print servers: 1.1.1.2,1.0.0.2 dynamic-servers: 2600:1700:7c50:3790::1 use-doh-server: verify-doh-cert: no doh-max-server-connections: 5 doh-ma...

gfunkdave

Aha, thanks! I knew it was something simple.

gfunkdave

I have a new RB5009 with several static DHCP leases configured. They all work fine, except for the one for the printer: [david@MikroTik] /ip/dhcp-server/lease> export hide-sensitive # may/23/2023 12:36:52 by RouterOS 7.9 # software id = U9U9-RERG # # model = RB5009UG+S+ /ip dhcp-server lease add add...

gfunkdave

Thanks for all the detail! It's the needing to reset it and reload config that gets me. I'm starting to accept that it seems any OpenWRT or Mikrotik router I want to use for a travel router will have this limitation, and I don't understand why. Plenty of cheap consumer travel routers don't make you ...

gfunkdave

I'm thinking of getting into the Mikrotik world and thought the mAP Lite would make a nice travel router. I can't seem to find info on a couple questions I have, though. 1. Can I use the mAP Lite in WISP mode, where it pulls in a public wifi signal and NATs to a private wifi network I create for my ...

Search found 99 matches