I don't think a private server over a VPN will ever give more precision than a nearby public one. It's all about the hierarchy, not raw precision. Bootstrapping the clock from a public NTP is fine, but LTE looks easier to me - no config changes at the router, no netwatch to detect if WG is running, ...
The question is, why is such a script needed in this day and age. That's the state of the art :) : * (consumer) MT devices have no RTC; * the latest and greatest VPN protocol has a (pretty well hidden) requirement towards monotonicity of the peer's clock. OK, this particular problem is in part caused by m...
Thanks! The script syntax documentation is another thing MT should definitely work on: if you look up :pick command (used in the script) in https://help.mikrotik.com/docs/display/ROS/Scripting, you'll find the syntax is :pick <var> <start> [<count>] , but if you'll try to use the command, you'd real...
The problem seems to be caused by a combination of two peculiarities: * time incorrectly set on site3's router after a power outage, each power outage - a "feature" of most Mikrotik devices; * replay protection mechanism of WireGuard protocol - if the peer was previously connected, then th...
I am not sure why Mikrotik does not provide an (optional, paid-for) way to add an RTC (Real Time Clock) to their devices, capable of keeping the date/time for a few days. I know that most if not all professional setups have a UPS so there is less need for such a device (but a UPS can also fail from time ...
Maybe related, maybe not: https://forum.mikrotik.com/viewtopic.php?p=1083628 I believe it's unrelated, but a reply in the thread gave me a good idea: Another slight possibility Router-B is not happy, because router-A still on same port, but wg timestamps from router-A went backwards, Perhaps router-A ...
If you're receiving a non-routable IPv4 address over pppoe? yes a) Changing the port helps b) Idling for some time helps At this point it looks like a connection tracker with an old connection stuck in it. c) Non-routable IP address There's surely a connection tracker - your ISP does NAT, and in mo...
WireGuard over intersite links for management purposes, no recent configuration changes, no problems until, I believe, 7.15. Various MT devices, CHR, all running 7.15.1. Several sites: site1, site2, site3. All-to-all configuration - each site has a single WireGuard instance and two peers configured...
Last week I've found that the ISP I use on one of my sites blocks IPsec connections from the said site to one of my other sites - the IPsec connection starts, then stalls. Monitoring the connection from both sides suggests that the ISP starts to drop the packets as soon as the connection is identified as IPse...
Looks like interface list includes don't work beyond the first level of nesting: "interface list 2 -> interface list 1 -> interface" works, but "interface list 3 -> interface list 2 -> interface list 1 -> interface" doesn't. This configuration: /interface list add name=il-test1 /i...
It's 2023 and ROS v7.9, the same thing, still undocumented. I've resorted to just resetting the routing mark as the first rule in mangle output chain: /ip firewall mangle add chain=output action=mark-connection connection-state=new,untracked ipsec-policy=out,ipsec new-connection-mark=no-mark passthr...
the correct syntax is "find where" While it looks more in line with "print where" this way, both the docs page on scripting and the /export command use "[find property=value]" without "where". Terminal autocomplete suggests that "where" is optional for "...
You broke a simple law of almost all programming languages: don't use reserved words as a variable name... Sure. The problem is DHCP client supplies interface name to the script as variable named "interface" (unlike DHCP server that uses "bindingVariableName" variables). Had to ...
A follow-up as I've run into a similar issue, but the cause was not apparent from this thread. :local interface "some-interface" :put [/ip dhcp-client get [find interface=$interface] primary-dns] Results in "invalid internal item number". :put [/ip dhcp-client get [find interface=&...
I've tried a similar approach with handcrafted config files and comparison, and crafted a Python script to compare the actual config to the one I'd want: # RouterOS config file parser/sorter/comparer ver.0 # by 611 import sys import re # My preferred order of parameter sorting # First params will go first in t...
Same to me - looks like "issued" and "revoked" flags, along with CA attribute of the certificates are local - they are not exported and absent on imported ones. Not a major problem for me as my use case is simple: I'm pinning specific certificates for all connections I'm using an...
It happened that I had run my CA for IPsec purposes on one of my MT routers (yes, I know), and as the device in question was due to be upgraded, I've decided to move the CA to a back-end device. From my previous experience I knew that configuration backup/restore functions in ROS are also backing up/res...
I have two very different cases where I need to generate some traffic to keep the link loaded, and would like to hear your opinion on available options: 1. Site-to-site IPsec connection over 1Gb/s link plus some paranoia. I'd like approx. 150Mbit/s each way to obscure the traffic patterns of the rea...
The packet may return, it's called "loop" :) Normally you shouldn't see either packets with external addresses (one external is ok if you're routing some external traffic through another node, but not both src and dest) or ipencap (4) protocol _inside_ your internal tunnel, still you hav...
As far as I've understood you, I've got the same config (for the same purposes). If your interface list ipip1 contains your ipip tunnels, by adding such drop rule in prerouting chain you're just filtering traffic _inside_ your tunnels, and you have no way to know if the tunnel itself was encrypted i...
The point is that the Mikrotik tutorial and the NordVPN tutorial are both missing this information: https://wiki.mikrotik.com/wiki/IKEv2_EAP_between_NordVPN_and_RouterOS https://nordvpn.com/de/tutorials/mikrotik/ikev2/ That's why my expectation is that the VPN tunnel configuration does not add any ...
I'm not affiliated with MT :) "DNS leak" in VPN scenario usually denotes "resolving names through DNS server other than VPN provider's". If you'll route traffic from a "client group" (identified with network addresses, ports, L7 patterns used, whatever) to a VPN, but do...
All logging actions with destination pointing to an USB disk are lost after reboot on latest beta (6.46beta59): /system logging export pre-reboot: # nov/03/2019 11:43:17 by RouterOS 6.46beta59 # software id = [redacted] # # model = RouterBOARD 3011UiAS # serial number = [redacted] /system logging ac...
I've finally got to this issue, desoldered SPI flash and found it to be completely empty. No boot block, no config block, nothing. Just 16Mb of 0xFF. So I can confirm that hard resetting hAP ac twice causes complete flash erasure. I've debricked the router by flashing a dump from another hAP ac into ...
Yes exactly, I also tested if the traffic is really isolated, but so far no issues with this kind of configuration. From my point of view, this was the simplest and most direct type of configuration. Looks like I was missing a critical part of knowledge to implement it this way. And it's actually s...
Tobias, does your config work on beta64? No hw offload on the second bridge is not a problem because it won't have any meaningful hw offload as it includes only wireless interfaces and VLAN on master bridge - it goes through CPU anyway. Moreover, you'll need this separate bridge if you want to connect...
It took a bit longer, still here it is. Relevant portion of config: # model = RBD52G-5HacD2HnD /interface ethernet set [ find default-name=ether1 ] name=ether1-company set [ find default-name=ether2 ] name=ether2-extra set [ find default-name=ether3 ] name=ether3-laptop set [ find default-name=ether...
Does anyone know where to find this setting? I have been looking for it for years now. *) winbox - do not allow setting "dns-lookup-interval" to "0"; Update: Found it on a Polish site and it's a setting not applying to what I was looking for. It was a very "funny" bug actually...
I'm using hap ac2 with its switch configured as follows: VLANs are configured in switch; all external Ethernet ports are access (untagged) ports with corresponding VLANs; CPU port is a trunk (tagged) port; all external Ethernet ports are added to master bridge in router; corresponding VLANs on maste...
Looks like power cycling the router after the 300s format had bricked it. And this SFP LED steady on for the first 300s / blinking for the second 300s makes me think it erased the primary bootloader first, then the backup bootloader. I always disable all other adapters and when running netinstall or similar utilities (...
I've got several RB962, and each time I need to netinstall one there was some kind of problem - it won't netinstall like other MT devices. If I remember correctly, the last time the problem was solved with a failsafe format (supply power while keeping reset pressed, hold reset for 300+ seconds), then it n...
IKEv2 from NordVPN should work with latest testing releases, where support for EAP authentication methods was added. See this post for details: https://forum.mikrotik.com/viewtopic.php?f=2&t=126221#p731754 Confirmed working with 6.45beta54. You may create identity with GUI (you'll need to selec...
I've got a reply from support, problem confirmed: I have managed to reproduce your problem and at the moment it indeed seems to be software related bug which does not comply with loose rp-filter implementation. However, this parameter functionality in RouterOS works based on Linux Kernel. We will tr...
@611: You can mention to support, that the thing you desperately need is conditional DNS forwarding . And that it's really important, the proof of that being the thing you're trying to do now. Maybe you don't mind, but regular people should not be forced to such desperate measures. It's not just on...
I haven't done any actual testing, but most likely the issue is with the connection tracking way to classify traffic, I had a similar setup, where traffic was traversing the router twice, connection tracking was unable to classify it for some reason. Trying to assign traffic to the same conntrack entry so rp-filter b...
I'm sorry, but I still do not understand - WHY do you need this? I do not know your background, but this is the first time I heard about this "known solution of Mangling loopback".. so please explain the functionality that you are trying to achieve 1. I need conditional DNS (like "*.domain1"...
An update: Looks like the "mangling loopback" setup was failing to work on my production RB3011 (running the same 6.44.3) for the same RP filter reason. But unlike the test setup, I had to reboot router after switching RP filter off to get it working. Maybe it's due to existing load, which...
I've been testing "mangling loopback" (known workaround for dstnat not available in output chain + no cDNS + no non-standard winbox port in Dude in ROS v6) configuration on a metarouter (as I wanted a config as generic as possible). Metarouter is running on RB2011, ROS 6.44.3. The config i...
Nope to both (moreover, non-accelerated AES on OVPN will be slow). Since NordVPN has deprecated L2TP/IPsec in late 2018 (for some obscure reasons), ROS is no longer able to connect to NordVPN. I've replaced my CHR with OPNsense because of that, and currently using OVPN from it. Runs well, including ...
I'm running beta branch of v6 ROS on RB3011 (and other arm and mipsbe routers, on which I haven't observed the following failure). After an upgrade (I assume to 45beta19, but I'm not sure) a couple of weeks ago all IKE2 links went down, and I was unable to establish L2TP/IPsec connection to router (...
I've done some further testing - modified firewall rules to catch all packets fallen off the VLAN to the master bridge. Total seepage is about 0.1% of all packets. The good news - I've been unable to reproduce the issue in a controlled environment like this: The testbed: [MT, 10.50.0.2>] <-Ether-> [...
Looks like I have the same or related issue with RB3011: some packets are seemingly coming untagged from an access port, this results in input from the master bridge instead of configured VLAN. I have switch and interface setup as described in https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switchi...