I am freaking out. I just found this thread because I have a Chateau 5G (the discontinued model) with 16 MB of storage. The device is a two-hour plane ride away from me and won’t reboot, showing the same error: system,error,critical could not save configuration changes, not enough storage space avai...
Thank you for your time in replying to my post! I found the problem! I noticed another symptom of the same problem - laptops connected via WiFi to the same main router were not able to access WINS/Samba shares reachable via IPSEC tunnel. The problem was in the MTU of the "main LAN bridge" ...
Hello, I am slowly freaking out. Sorry for dropping this post not well prepared. I have an hAP ax2 running as a PPPoE router and AP. Also I have hAP ac2 running only as an AP in another room. There is a cable between these two devices. Everything works as expected, no other problems noticed, but...
Currently I am working on HA cluster with two RB5009UPr+S+IN and I am exploring the possibilities of MikroTik RouterOS for all kinds of balancing and redundancy. Can you please explain with simple words what you are trying to achieve exactly? I am not familiar with K8s and I assume they are just 3 se...
Hi everyone, I have two RB5009UPr+S+ routers installed side by side in the same rack, using the K-79 rackmount kit. Despite being placed at the same level and not stacked, their board temperatures vary by about 10 degrees Celsius, which is quite frustrating. Currently, the cooler unit has the follow...
I hope the information below can give someone a direction and save him time in research. Also I will be happy for any comments and remarks. This setup will guarantee failover and redundancy but no load balancing or load sharing. As the setup progresses I will come back and post updates. 1. Each pai...
Thank you for your suggestion. I am powering the ATL with the included adapter and the included gigabit PoE injector. It's been less than 3 months since I bought it. I will change the injector and the PA. The idea of filling the memory is kind of possible because I enabled disk logging (10 files, 10...
I just managed to do a torch on the interface of the hAP ac2. There is no single packet received from the LTE kit during the 15-17 seconds window that the ethernet interface is up. I guess the device is in a bad state and cannot boot at all.
Hello, I have ATL LTE18 kit mounted on a pole and after a /system reboot command the ATL LTE18 kit did not boot. Since then (almost 24 hours later) the device doesn't work and seems to reboot itself every 5 minutes. I guess it is the watchdog rebooting it. The ATL LTE18 kit is connected to ether1 of...
The load-balancing requirement can be divided into two subtasks: 1. Load-balancing the VPN connection between the 2 sites; 2. Load-balancing the Internet access for the clients on each site. For load-balancing the Internet access, while keeping the failover of the two routers on each site, I've test...
Good day folks, What would be your choice of protocols/technologies for the most fault-tolerant, worry free and (if possible) load-balanced connection between two sites in two different locations? The details are: - 2 sites (A and B), - each site has 2 MikroTik routers connected to one or more unman...
3dfx, OMG! Thank you! Following your instructions and the files you provided, I managed to switch the modem's mode, then install the drivers and after a reboot I managed to flash the firmware. I can now see the IPv4 option, and actually it is the one selected by default. In a few days I will try to ...
3dfx, your reply was like a bright light for me after trying to understand what is going on and talking with the support of Vivacom for almost 40 mins. I have a device with firmware that has the hidden html option, but even when I made it visible, the option was empty - no IPv4 or IPv6 to select. I ...
Additional info: I have the router in this "not booting state" connected to a laptop. I noticed that every 6 minutes the laptop's ethernet LAN adapter becomes active for around 20 seconds and then it goes down again. This is a clear sign that the router is in some loop state and it is not ...
After powering down a Chateau 5G router and then powering it up again, the device doesn't boot. This is the 3rd time for the last 4 months. During these 4 months there were other powering down/up cycles and everything was okay. The only solution I've found so far is to put the device in a netinstall...
@optio, thank you for your time and your reply. After your reply I had another question and this is what I've found. Thanks again! When using Galois/Counter Mode (GCM) ciphers with OpenVPN, authentication is performed using the Galois Message Authentication Code (GMAC), which is integrated into the ...
Hello, RouterOS 7.13.3 and 7.13.4 (updated today) always show null-digest as auth. algorithm for connected users no matter the selected auth option(s). I've tested a lot of option combinations, enabled OpenVPN debugging and "verb 4" on the client and I cannot figure out if this is a bug or...
I did not upload, nor modify the default configuration script. Most probably the issue is related to the fact that when I did the Netinstall I uploaded the routeros.npk + the container.npk and the wifiwave2.npk packages. In my desperation today I decided to remove the container and the wifiwave2 pac...
Hi, If a router has been compromised, can Netinstall provide 100% assurance that no traces of the compromise are left behind? If the answer is "Yes", then maybe I am having a hardware failure. If the answer is "No", then - is there anything I can do? The facts: A MikroTik Chate...
@Amm0, thank you so much for your time and clear reply. Looking for any 5G antennas in my country made me realize I should go for LTE antenna instead. And wait for the 5G antennas to become more available on the market. Do you have experience with this antenna: https://mikrotik.com/product/mant_lte_...
Hi all, There is a Chateau 5G (D53G-5HacD2HnD) working in a hangar, which is of course a Faraday cage. I know :) The hangar is 100x50 meters. 1. Can you recommend an antenna for the Chateau 5G that I can place outside of the hangar? Ideally the antenna will be 5G compatible but LTE is also okay. Is ...
@mkx, thank you for your clear and simple answer. I've read the forum for the eeeC or eeCe, eCee, Ceee difference.
But if you have time, can you clarify why do you recommend exactly Ceee?
7 months later I ended up repeating the problem on another location with a different router and 2 different laptops. I've found several workarounds. The problem: Again hAP ac3 (this time with RouterOS 7.2) with identical configuration and: - Asus laptop with Intel Dual Band Wireless AC-8265 (again t...
Thank you all for taking time to reply. At this moment I can post only this part of the configuration. [******@******] > /interface wireless export hide-sensitive # sep/23/2021 11:01:47 by RouterOS 6.47.10 # software id = ****** # # model = RBD53iG-5HacD2HnD # serial number = ****** /interface wirel...
A Dell notebook with Intel AC 8265 can connect to a new hAP ac3 only if I disable the 802.11ac in the Windows driver settings of the WiFi adapter. Can you give me any directions how to debug this issue? --- I just replaced an existing $15 TP-Link router with a hAP ac³ device. I've used the Quick...
At this very moment my hAP ac³ running DoH cannot resolve ssl.gstatic.com while being able to resolve everything else I've tried. I noticed this because a few hours after enabling DoH my Gmail web interface told me I am offline. It is my 3rd time encountering this issue with this specific host name (ssl....
Is there a more civilised way to hide the "duplicate packet, dropping" log message from OpenVPN server? At the moment what works for me is the following: /system logging add action=disk disabled=no prefix="" topics=info,!ovpn add action=disk disabled=no prefix="" topics=e...
Thanks for replying @pe1chl. I did clear the cache on MacOS, Win10 and Linux... rebooting as well. It took me several hours to figure out what is happening. If someone gives me a source IP I can enable access to udp/53 to my router so that he can test himself. The nslookup shown above doesn't use the...
Please, can you advise if I have discovered a bug and I should report it. I ended up in a situation where the DNS forwarder of hAP ac2 running 6.47.9 will not return an A record for ssl.gstatic.com. As if the router cached something that is not visible and erasable via the DNS cache. All this happen...
It seems that when DoH is enabled all other DNS servers in the settings are not used even if the specified DoH server stops responding. Is my observation correct? If my observation is correct and considering that: - DoH is a new feature (for me) and may not work as expected - and there is no option ...
Winbox running on a specific Win10 computer gives this error when attempting to login to 2 different routers: ERROR: no routeros.jg found The first router is running 6.47.8 and the second - 6.47.9. We tried both versions of the latest winbox - 32 and 64 bits. Both routers are accessible from other c...
I am aware that this question doesn't have a straight answer. But it is my paranoia that is going high lately. I want to regularly check my routers for anything suspicious. All of them are running latest Long-term or Stable version of RouterOS. What are those key areas that might eventually give me ...
I found this forum post and did some tests. The result is the code below that seems pretty neat, tidy and readable, and works as I expected. :global UserDatabase [:toarray ""]; # The key for the array is the username of the user. # The structure of every user record is as follows: # passwo...
I may get elegance and clarity... if it works (referring to the issues you had).
Some of the data won't be static, but I don't care if it will be lost between reboots of the router. I will use what you suggest considering the fact that you tested it.
At the moment I use two startup scripts to define two key arrays with the following structure username -> IP address and username -> email address Now my need expands and I want to create array/table/structure like this: username -> IP address, email address, status, last status, something else, somet...
Hello, I can see that both hAP ac³ and hAP ac³ LTE6 kit have exactly the same WiFi capabilities (gain, chains, max data rate, chip) but of course, hAP ac³ has external antennas. Is it still considered that external antennas are better? Can I expect that hAP ac³ would have better WiFi coverage or at ...
Hello, A school would like to provide RDP access to computers in a computer lab for the students to use during a specific time that is not fixed. Is there any way I can allow the teacher to enable some NAT rules without giving the teacher access to the management of the router? I am not new to Mikro...
Something super odd is happening to me. The device is hAP ac2 running 6.46.2. My last successful login was 3 days ago. Since then I didn't do anything. Now when I try to login via Winbox I am getting a login failure. I thought I messed up the credentials after trying a 100 times but I just decided t...
Hi there, When setting a Guest WiFi I prefer to have the guest WiFi interfaces (2.4 and 5GHz) attached to a separate (new) bridge and then make sure I have the right firewall rules so that the guest network has access only to Internet. I recently used the Quick Set option for Guest Wifi and I notice...
I found a few posts about this topic, but they are a bit old or left behind. What do you use to draw your network diagrams except for Visio. Are there MikroTik stencils for other software solutions? What do they use in MikroTik documents? What would you recommend that supports layers and is fast of ...
It would help if you tell us your setup goal. I assume you want to have different SSID clients into different VLANs. The easiest way for me is to reset the config of the CAP and select CAP mode. Then from the CAPsMAN menu in the datapath section for the specific SSID select local forwarding = yes, u...
Thank you, Metod. This is my 3rd weekend reading the wiki and the forum + watching MUM videos. I want to deep dive. I still cannot overview what is the difference between configuring VLAN in the bridge or doing it via the switch menu? My OCD kicks in and I am trying to figure out when to use what. 1....
The lamest way to do it is to use the quick-set menu, select the "Home AP Dual" template, and then in the template: - configure a static LAN IP address of your router, that is free in your network. - and remove the check from the DHCP server option. This way eth1 will still be your WAN int...
First, you may want to change the winbox port to a custom port number. Second, if you update your router to the latest stable version and then reset the configuration and configure it again, you will end up having the default firewall rules configured out of the box. These rules provide sufficient s...
It is not clear if you are using your first router as an access point only or you are using it as a router as well. It makes a difference if you will be using more SSIDs and you want them to be in separate VLANs. Here are a few ideas from me: - at the beginning focus on only one SSID and enable loca...
I read your config two times and I cannot figure out a problem. The only thing for you to correct in your post is that in the beginning, you wrote "eth1 # WLAN" and it should be WAN. It looks like you did an upgrade from a version before 6.41 and the configuration was upgraded from "t...
Does your L2TP server have a public IP address? Why do you want Speedtest to show your VPN server address? Do you do the speed tests from the VPN clients?
Provide all extra information possible so that it is possible for people to answer your question.
It seems that the issue is routing-related or source/masquerade-related. Can you post again in a separate code your current /ip firewall nat of the MikroTik and also the routing tables of both the PfSense and the MikroTik.
As @sob said you need that rule. Do not disable it. You need to change it.
What you need to do is log in with winbox, go to IP -> Firewall -> NAT, then click on that rule, go to the General tab and in the Out. Interface from the drop down menu select the WAN interface your router is using.
The first rule in your /ip firewall nat configuration is the following: /ip firewall nat add action=masquerade chain=srcnat It seems to me that it doesn't have any interface specified, meaning that it will source nat everything going out from all interfaces. Can you specify the outgoing interface in...
Can you please post the output of the following command
/ip firewall nat export
and then again post the output of the same command but with extra parameters
/ip firewall nat export verbose terse
Enabling port forwarding of port 22 from the Internet to your NAS will, obviously, expose it to the wild. I assume many bots are trying to connect to it using default username/passwords. That is why you have so many login failure attempts. But one thing is very strange: all these attempts are coming...
I just saw the signature of one guru member in the forum. It says "People who quote full posts should be spanked with an ethernet cable. Some exceptions for multi-topic threads may apply." These images, you just posted, make me understand that you have enabled port forwarding from port 22...
Can you ping the modem's IP from the MikroTik's command prompt? If not do you, at least, see a line with the MAC address of the modem in the /ip arp menu?
My router is hAP ac2 and I might change it with RB4011. Should I set up two bridges (WAN_BRIGE: port 1+2) and (LAN_BRIGE: port 3+4+5+wlan1+wlan2) or should I go for one bridge with two VLANs? I have this question for a while. Also in the post Using RouterOS to VLAN your network ( https://forum.mikro...
I am relatively new in the forum but I deal with networking for a long time. Port forwarding should be very simple but your post has a lot of things that are not clear, at least to me. Try to be more specific and post part of your config, especially the lines from /ip firewall filter, /ip firewall n...
Thank you! It seems so clear and obvious. Best of luck! Edit: a simple script for anyone reading this post. :if ($leaseActIP = "192.168.1.130") do={ :log info "IP: $leaseActIP, MAC: $leaseActMAC, Host: $"lease-hostname"" :tool e-mail send to=email@example.com subject=&q...
Hello guys, I found only one similar question in the forum, but without any replies of it. All my devices in the network have statically assigned DHCP leases. Still, there is a pool of 5 addresses available if new devices connect to the network accidentally. Is there any mechanism I can configure so...
In the brochure of the new RBGESP ( https://i.mt.lv/cdn/rb_files/GESP-190528133701.pdf ) it is said PoE support: Yes, IEEE 802af/at How about protecting a device that is powered with passive PoE using RBGPOE ( https://mikrotik.com/product/RBGPOE )? I want to achieve this: RB3011 ---> PoE injector ===...
Since Head Office <-> Branch 1 and Head Office <-> Branch 2 are working fine I assume the following: - you need to add routing at Branch 1 for Branch 2 via the VPN - you need to add routing at Branch 2 for Branch 1 via the VPN. That is all. And yes, it is better if you connect Branch 1 and Branch 2 ...
@sindy, thank you for confirming what I've discovered and was worrying me: a legitimate VPN user to start messing around. A guy from the scripting section of the forum pointed me out that in every ppp profile there are many options to be used so that the ppp interface is dynamically added to an inte...
Adrian , yes, it is not a RouterOS topic, but I also became interested so thank you.
In your reply, do you mean that you installed the personal cert in the certification store, but the CA is still in a file and you pointed that file in the ovpn config?
I feel so lame. I spent hours on debugging a script to add/remove interfaces from a list your last post made me flash for a moment. It could have been so simple. Thank you. Another way to do it was given to me by the support: On-up: :local interfaceName [/interface get $interface name] /interface li...
It turns out that the difference in the naming (small, capital letters) is a known thing. In order for ppp on-down script to work well the support offered me this idea: toid $interface I tested it and works great. I would prefer not to explain it because I have only an assumption how it works. For me ...
Do you have any ppp interfaces? Can you add manually via winbox an interface to a test list. Then disconnect the interface and show a /interface list member print.
I did the test below and I can confirm that spoofing is possible and works very well. (Please, correct me if "spoofing" is not the right term for this.) 1. From a Win10 PC with an OpenVPN client I connected to my VPN router. I got the address 10.11.12.101 (the one statically assigned for u...
The code you offered me I am already using it. The $interface variable (when used in ppp-up or ppp-down script) returns the interface id starting with small letter -> *f00001 But when I print an interface lists members then the interface ids are shown starting with capital letter -> *F00001 To me th...
Thank you for taking time to reply to my question.
I am talking about interface id. When used in terminal command find works well no matter if the interface id starts with capital or small letter. When used in a script it requires only capital letters. This is my problem.
Am I doing something wrong with the find command or this is how it works? Example 1: Here the find command works as expected. It removes an interface from an interface list, based on interface id /interface list member remove [ find interface=*f00020 ] * the interface id starts with a small letter) ...
Should this be reported as a bug: The $interface variable in /ppp profile on-up|on-down scripts has values like this: *f00001, *f00002, *f00003 ... *f00019, *f0001a, *f0001b (Small Letters) If an interface with one of the interface ids from above is added in an interface list and I print the members...
Hello guys, My firewall rules are designed to grant/deny access to the VPN users based on their statically assigned IP addresses. Example: /ppp secret add local-address=10.11.12.1 name=username001 password=abcabcabc profile=PROFILE_PPP_OPENVPN remote-address=10.11.12.101 service=ovpn Address 10.11.1...