Search found 78 matches

by txfz
Tue Nov 19, 2024 10:08 am
Forum: Announcements
Topic: v7.17beta [testing] is released!
Replies: 773
Views: 160740

Re: v7.17beta [testing] is released!

> *) container - improved container shell;

Any details?
by txfz
Wed Oct 30, 2024 1:14 pm
Forum: Scripting
Topic: netinstall with script without overriding default configuration?
Replies: 1
Views: 316

netinstall with script without overriding default configuration?

Hi, I'm using netinstall to automatically configure devices by providing a netinstall bootstrap script. It downloads some other files which contains further configuration, and it works fine. I've now realised that the bootstrap script gets installed as the default configuration, which is undesirable...
by txfz
Thu Oct 24, 2024 1:53 pm
Forum: Beginner Basics
Topic: IPSEC Fasttrack
Replies: 12
Views: 1038

Re: IPSEC Fasttrack

You're saying IPsec traffic goes through the forward rules both as "IPsec policed" and not? (order depending on direction) Your explanation makes sense, but how does this manifest itself? I added a log rule like so at the top of my forward chain at site A: /ip firewall filter add action=lo...
by txfz
Thu Oct 24, 2024 10:04 am
Forum: Beginner Basics
Topic: IPSEC Fasttrack
Replies: 12
Views: 1038

Re: IPSEC Fasttrack

I think you can use connection-state=new on the mangle rule to alleviate a lot of that processing. Not sure.

The filter approach has the practical downside of not letting you selectively filter IPsec traffic.
by txfz
Thu Oct 03, 2024 3:20 pm
Forum: Scripting
Topic: Best way to check whether [find] yields results? [SOLVED]
Replies: 1
Views: 414

Best way to check whether [find] yields results? [SOLVED]

Hi, Because I can never remember how this works, I find myself using the following expressions interchangeably in order to determine whether one or more matching items exist: :if ([:len [/interface find name=$interfaceName]] > 0) do={ :if ([/interface find name=$interfaceName] = "") do={ :i...
by txfz
Thu Sep 19, 2024 2:51 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1630
Views: 434660

Re: 📣 WinBox 4 is here 📣

Please post all change logs in the first post, as well.
by txfz
Thu Aug 29, 2024 1:05 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1630
Views: 434660

Re: 📣 WinBox 4 is here 📣

Immediate feedback: Definitely a nice look, though not without issues. Most of these have been mentioned; I will add one more vote to those. - Hopefully performance can be improved. Dragging windows and scrolling lags a lot. - Reordering of columns is a must. - Expand the comment column by default. ...
by txfz
Fri Aug 09, 2024 11:38 am
Forum: General
Topic: Winbox: router not detected despite being on the same broadcast domain
Replies: 20
Views: 1698

Re: Winbox: router not detected despite being on the same broadcast domain

Are you talking about neighbor discovery or actually connecting? Are you able to connect if you manually enter the MAC address?
by txfz
Tue Jul 02, 2024 11:07 am
Forum: Announcements
Topic: v7.16beta [testing] is released!
Replies: 288
Views: 122071

Re: v7.16beta [testing] is released!

This was brought up in a previous thread, but here is my proposal for formatting the change logs. Add and adjust headers as necessary.

7.16beta1 (2024-06-05 11:52)

Changes

  • supout - added netwatch section

Fixes

  • route - fixed memory leak (introduced in v7.15);
by txfz
Fri Jun 14, 2024 3:05 pm
Forum: Announcements
Topic: v7.16beta [testing] is released!
Replies: 288
Views: 122071

Re: v7.16beta [testing] is released!

Yes, exactly. Not to replace the version specific structure, but to complement it. (probably breaking changes at the top, though)
by txfz
Fri Jun 14, 2024 11:32 am
Forum: Announcements
Topic: v7.16beta [testing] is released!
Replies: 288
Views: 122071

Re: v7.16beta [testing] is released!

May I suggest splitting change logs into additions/changes and fixes?
by txfz
Wed May 29, 2024 5:45 pm
Forum: Scripting
Topic: Are IDs returned from REST API stable?
Replies: 4
Views: 1235

Re: Are IDs returned from REST API stable?

Alright. That explains it. Thanks!
by txfz
Wed May 29, 2024 1:24 pm
Forum: Scripting
Topic: Are IDs returned from REST API stable?
Replies: 4
Views: 1235

Are IDs returned from REST API stable?

Hi, I am looking to use the REST API in order to delete items, and understand I need to use the .id field previously returned from a GET request in order to do so. My question is is this ID guaranteed to be the same for as long as the item exists? As far as I understand, when using regular RouterOS ...
by txfz
Mon May 06, 2024 4:02 pm
Forum: General
Topic: Is there a more stable version 7?
Replies: 2
Views: 448

Re: Is there a more stable version 7?

Than any other version. 7.8 is installed.
by txfz
Mon May 06, 2024 3:12 pm
Forum: General
Topic: Is there a more stable version 7?
Replies: 2
Views: 448

Is there a more stable version 7?

Hi, I'm about to install a couple of CRS326 switches. I was going to use version 6, but they shipped with 7 and are impossible to downgrade. Is there any particular version that's recommended? They won't be doing anything fancy, but are absolutely mission critical. Basically just a couple of VLANs, ...
by txfz
Tue Mar 05, 2024 9:59 am
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 492
Views: 143323

Re: v7.15beta [testing] is released!

You did not say anything at all about to whom you listen, or where.
by txfz
Wed Jan 24, 2024 9:34 am
Forum: Announcements
Topic: v6.49.12 [stable] is released!
Replies: 23
Views: 15241

Re: v6.49.12 [stable] is released!

Long term normally refers to a branch, or channel, which gets supported for a longer than normal period of time. Long term normally does not simply mean "old version", and it does not make sense for a single point release to be referred to as "long term". It also doesn't necessar...
by txfz
Mon Jan 15, 2024 4:24 pm
Forum: General
Topic: User poll about using Winbox
Replies: 107
Views: 111281

Re: User poll about using Winbox

1) Only <own>.
2) Save window layouts.
3) Let me specify a default "session" to be used for all (new?) connections/addresses.
4) No. A session would logically refer to the WinBox connection.
by txfz
Thu Dec 07, 2023 10:58 am
Forum: General
Topic: Communication between Mikrotik L2TP VPN users and IPsec IKEv2 remote partner
Replies: 2
Views: 1692

Re: Communication between Mikrotik L2TP VPN users and IPsec IKEv2 remote partner

You might need to add an IPsec policy that includes the L2TP network. Or I guess you might source NAT the L2TP users so that they use your LAN address when attempting to reach the remote network.
by txfz
Mon Oct 09, 2023 3:13 pm
Forum: Announcements
Topic: v7.12rc is released!
Replies: 224
Views: 111484

Re: v7.12rc is released!

Automatically generating a private key for WireGuard peers is convenient, but it should not be permanently stored after the fact as that entirely defeats the purpose of the asymmetric cryptography. It also does not appear to be possible to remove a stored private key from a peer configuration once g...
by txfz
Wed Sep 20, 2023 11:31 am
Forum: Announcements
Topic: v7.12beta [testing] is released!
Replies: 263
Views: 137430

Re: v7.12beta [testing] is released!

The behaviour has not changed since I wrote this post, as far as I can tell. Didn't realise you can actually erase the preinput text, though. (maybe that was changed) https://forum.mikrotik.com/viewtopic.php?t=198723#p1022002 value-name is what most people will want to use. prompt seems wholly redun...
by txfz
Tue Aug 29, 2023 10:20 am
Forum: Announcements
Topic: v7.12beta [testing] is released!
Replies: 263
Views: 137430

Re: v7.12beta [testing] is released!

Anyone elaborate on exactly what the terminal/ask parameters are? I can kinda figure it out, but it seems a little strange. prompt is simply a text line that's printed before the rest, preinput is a string that's prepended and fixed/prefilled to the input and included in the resulting value, and va...
by txfz
Thu Aug 17, 2023 1:07 pm
Forum: Beginner Basics
Topic: Netwatch send notification Teams
Replies: 20
Views: 4437

Re: Netwatch send notification Teams

Run the command in the terminal and watch the output.
by txfz
Thu Aug 17, 2023 11:47 am
Forum: Beginner Basics
Topic: Netwatch send notification Teams
Replies: 20
Views: 4437

Re: Netwatch send notification Teams

Works for me, also.

http-method=post http-header-field="Content-Type: application/json" http-data="{\"text\": \"test\"}"

You didn't really explain your problem in great detail, though.
by txfz
Fri Apr 28, 2023 12:45 pm
Forum: General
Topic: RouterOS 7.1.5. "long-term": dead end?
Replies: 73
Views: 11924

Re: RouterOS 7.1.5. "long-term": dead end?

To me it seems like the long term channel has been little more than "old and proven version". In general, I think "long term" usually implies long-term support, i.e. continuing to receive bug and security fixes for the duration of the "term", without receiving new features. ...
by txfz
Thu Apr 06, 2023 3:56 pm
Forum: General
Topic: why is restoring a mikrotik router such a pain in the a?
Replies: 28
Views: 2526

Re: why is restoring a mikrotik router such a pain in the a?

Did you have an actual question or was it all rhetorical?
by txfz
Fri Mar 31, 2023 8:33 pm
Forum: General
Topic: Prevent multiple discovered neighbors per physical interface? (CDP/MNDP)
Replies: 14
Views: 1853

Re: Prevent multiple discovered neighbors per physical interface? (CDP/MNDP)

Right, I could have been more clear. The issue is that it is showing indirectly connected devices in addition to directly connected ones, hence listing all discoverable devices for each physical port, rather than only the directly connected device. I understand now that this is the intended behavio...
by txfz
Fri Mar 31, 2023 2:50 pm
Forum: General
Topic: Prevent multiple discovered neighbors per physical interface? (CDP/MNDP)
Replies: 14
Views: 1853

Re: Prevent multiple discovered neighbors per physical interface? (CDP/MNDP)

Not sure what functionality that refers to, exactly, but it already works like that for neighbor discovery, as far as I can tell. Since RouterOS v6.44, neighbor discovery is working on individual slave interfaces. Whenever a master interface (e.g. bonding or bridge) is included in the discovery inte...
by txfz
Fri Mar 31, 2023 12:22 pm
Forum: General
Topic: Prevent multiple discovered neighbors per physical interface? (CDP/MNDP)
Replies: 14
Views: 1853

Re: Prevent multiple discovered neighbors per physical interface? (CDP/MNDP)

Thanks for the answers. I forgot to mention that all discovered devices are MikroTiks. (including the directly connected device) There are no other vendors in the network (with LLDP enabled, at least), and I don't think I have tested with any other. If you put it on the bridged interface how do you ...
by txfz
Fri Mar 31, 2023 10:56 am
Forum: General
Topic: Prevent multiple discovered neighbors per physical interface? (CDP/MNDP)
Replies: 14
Views: 1853

Prevent multiple discovered neighbors per physical interface? (CDP/MNDP)

Hi, I have configured neighbor discovery on a bridge interface, and am now seeing multiple neighbors per physical interface, which does not seem useful. After an initial investigation, having the CDP and MNDP protocols enabled seems to exhibit this behavior. If I enable only LLDP, and make sure to h...
by txfz
Wed Mar 29, 2023 1:04 pm
Forum: General
Topic: netinstall using WSL?
Replies: 1
Views: 481

netinstall using WSL?

Hi,

Anyone managed to get netinstall CLI working in WSL(2)? WSL uses some sort of virtual networking, so I'm not sure if or how it would be possible.
by txfz
Wed Mar 22, 2023 1:17 pm
Forum: Scripting
Topic: Creating a baseline config script [SOLVED]
Replies: 2
Views: 1841

Re: Creating a baseline config script [SOLVED]

I use something like this:
# Iterate over every ethernet port that is not already a slave and is not ether1 (kept out as the WAN/management port)
:foreach k in=[/interface ethernet find where !(slave=yes || name=ether1)] do={
    # Look up the port name by its internal ID
    :local interfaceName [/interface get $k name]
    # Add the port to the bridge named "bridge"
    /interface bridge port add bridge=bridge interface=$interfaceName
}
by txfz
Thu Mar 02, 2023 4:18 pm
Forum: General
Topic: SNMP request bottoming out CRS354 CPU
Replies: 1
Views: 600

Re: SNMP request bottoming out CRS354 CPU

Anyone else experiencing the same, at least? Do I even need to worry about it? I was planning to poll in intervals of 15 seconds. I realise that switching is done in dedicated hardware, but I don't know how a completely swamped CPU affects the rest of the system. We did experience some issues at one...
by txfz
Thu Feb 23, 2023 5:02 pm
Forum: General
Topic: netbox and napalm
Replies: 7
Views: 3204

Re: netbox and napalm

Well, I have it set up for reading configuration. Not yet for saving it to NetBox.
by txfz
Thu Feb 23, 2023 4:48 pm
Forum: General
Topic: Logging prefix is a mess SUP-105353 SUP-144261. Waiting for MT to support RFC 5424
Replies: 36
Views: 12528

Re: Logging prefix is a mess

To actually contribute constructively I would like to see support for RFC 5424, with severity levels mapped probably to their corresponding syslog level. Use preferably one topic for the application name. https://www.rfc-editor.org/rfc/rfc5424 Edit: Ok, my bad, the severity level does get set autom...
by txfz
Thu Feb 23, 2023 4:23 pm
Forum: Beginner Basics
Topic: Winbox - Multiple Host Interfaces [SOLVED]
Replies: 5
Views: 1203

Re: Winbox - Multiple Host Interfaces [SOLVED]

There are probably more potential issues, of course, and I think one or two times it hasn't been enough for me either, but almost every time the profile is what I need to change for it to work. Specifically I believe the network discovery option needs to be enabled.
by txfz
Thu Feb 23, 2023 3:28 pm
Forum: Beginner Basics
Topic: Winbox - Multiple Host Interfaces [SOLVED]
Replies: 5
Views: 1203

Re: Winbox - Multiple Host Interfaces [SOLVED]

You need to make sure the interface is using the private network profile.

These instructions may or may not be relevant today:
https://adamtheautomator.com/windows-10 ... o-private/
by txfz
Thu Feb 23, 2023 12:15 pm
Forum: General
Topic: Logging prefix is a mess SUP-105353 SUP-144261. Waiting for MT to support RFC 5424
Replies: 36
Views: 12528

Re: Logging prefix is a mess

I've been going back and forth trying different log systems, and always get reminded by the useless log format of RouterOS. At least map the severity levels automatically instead of requiring a fixed value. I could work around that by creating separate log actions, but that's stupid.
by txfz
Tue Feb 14, 2023 1:35 pm
Forum: General
Topic: SNMP request bottoming out CRS354 CPU
Replies: 1
Views: 600

SNMP request bottoming out CRS354 CPU

Hi, I've set up SNMP to monitor our switch ports. I'm pulling the following OIDs: ifAdminStatus ifHCInBroadcastPkts ifHCInMulticastPkts ifHCInOctets ifHCInUcastPkts ifHCOutBroadcastPkts ifHCOutMulticastPkts ifHCOutOctets ifHCOutUcastPkts ifHighSpeed ifInBroadcastPkts ifInDiscards ifInErrors ifInMult...
by txfz
Thu Feb 09, 2023 4:03 pm
Forum: Scripting
Topic: find behaves in wierd ways if you pass it something like `domain="$domain"`
Replies: 12
Views: 2070

Re: find behaves in wierd ways if you pass it something like `domain="$domain"`

Then don't talk about it as something that's a thing in "all languages". The common sense would be to expect it to behave as all other languages and for variables not to get magically overwritten. It is very common to name variables the same as the parameter or field name.
by txfz
Thu Feb 09, 2023 3:16 pm
Forum: Scripting
Topic: find behaves in wierd ways if you pass it something like `domain="$domain"`
Replies: 12
Views: 2070

Re: find behaves in wierd ways if you pass it something like `domain="$domain"`

Nothing mysterious, as in all languages, you don't have to use the name of a field or a reserved word as the name of a variable... Logical and clear. Can you name another language where parameter names are reserved keywords? Especially only within the context of the function call itself. The only w...
by txfz
Wed Nov 30, 2022 2:27 pm
Forum: General
Topic: [Request] Allow using domain name in Netwatch host
Replies: 0
Views: 359

[Request] Allow using domain name in Netwatch host

Please and thank you.
by txfz
Tue Oct 18, 2022 4:51 pm
Forum: Scripting
Topic: Calling Mikrotik script from Shell script
Replies: 4
Views: 1985

Re: Calling Mikrotik script from Shell script

Combine the previous answers like so:
ssh admin@mikrotik /system script run <SCRIPTNAME>
by txfz
Tue Oct 18, 2022 1:47 pm
Forum: Scripting
Topic: Rest API on PHP with curl
Replies: 1
Views: 1386

Re: Rest API on PHP with curl

Examples can be found here:
https://help.mikrotik.com/docs/display/ROS/REST+API

You seem to be attempting to login by scraping some sort of form, which won't work.
by txfz
Wed Jun 15, 2022 10:48 am
Forum: General
Topic: Feature request: Monospace font on WinBox scripting text areas
Replies: 3
Views: 485

Feature request: Monospace font on WinBox scripting text areas

Hi,

Please implement a monospace font for all textboxes intended for scripts.
by txfz
Mon May 02, 2022 12:41 pm
Forum: General
Topic: CRS354 high CPU usage
Replies: 3
Views: 1043

Re: CRS354 high CPU usage

Thanks. All enabled, active bridge ports seem to be hardware offloaded.
by txfz
Mon May 02, 2022 10:35 am
Forum: General
Topic: CRS354 high CPU usage
Replies: 3
Views: 1043

Re: CRS354 high CPU usage

Issue remains. I've not been able to verify, but now I'm starting to suspect it is in fact affecting switching throughput. It is very much a production device and cannot be taken down for maintenance on a whim.

Anyone got any ideas?
by txfz
Thu Mar 03, 2022 4:16 pm
Forum: General
Topic: Add option to select interface in Netinstall
Replies: 4
Views: 470

Add option to select interface in Netinstall

Hi,

Please add an option to select a network interface in Netinstall. Having to disable all other interfaces is simply primitive and annoying.
by txfz
Tue Mar 01, 2022 11:20 am
Forum: General
Topic: CRS354 high CPU usage
Replies: 3
Views: 1043

CRS354 high CPU usage

Hi, I have a CRS354 on 6.47.9 that's constantly running at near 100% CPU usage. It doesn't do any routing except for management access, and as far as I can tell, only WinBox traffic is going on. I've not noticed any issues with switching performance, and it rarely gets more than a few GB/s. WinBox i...
by txfz
Wed Sep 22, 2021 9:46 am
Forum: Scripting
Topic: RouterSCRIPTS - A collection of scripts for RouterBOARD devices
Replies: 35
Views: 26406

Re: RouterSCRIPTS - A collection of scripts for RouterBOARD devices

No improvement in 6.48.4, I'm afraid. When I asked about this here , the answer was clear on this not being possible, so I don't understand where I'm going wrong? Here is my entire configuration: # sep/22/2021 08:45:43 by RouterOS 6.48.4 # software id = FWIF-LI4F # # model = RB3011UiAS # serial numb...
by txfz
Mon Sep 20, 2021 5:01 pm
Forum: Scripting
Topic: RouterSCRIPTS - A collection of scripts for RouterBOARD devices
Replies: 35
Views: 26406

Re: RouterSCRIPTS - A collection of scripts for RouterBOARD devices

[Gateways] WANNames=ISP1,ISP2 WANGateways=10.1.0.1,10.2.0.1 WANGatewayPrefix=failover-route BalancingRulePrefix=test [Failover] FailoverTarget=8.8.4.4 FailoverThreshold=3 FailoverInterval=5 [DynDNS] DDNSService= DDNSInterval= DDNSUsername= DDNSPassword= DDNSHostname= [Livestream] LVStreamList= LVSt...
by txfz
Wed Sep 15, 2021 11:09 am
Forum: Scripting
Topic: RouterSCRIPTS - A collection of scripts for RouterBOARD devices
Replies: 35
Views: 26406

Re: RouterSCRIPTS - A collection of scripts for RouterBOARD devices

I have read the instructions. I'm not ruling out my missing something. All I need to do before provisioning is filling out the configuration file, and make sure I have all gateway routes configured with the appropriate comment, right?

I'm testing this on 6.47.10.
by txfz
Wed Sep 01, 2021 4:32 pm
Forum: Scripting
Topic: RouterSCRIPTS - A collection of scripts for RouterBOARD devices
Replies: 35
Views: 26406

Re: RouterSCRIPTS - A collection of scripts for RouterBOARD devices

Seems to work if you change the pings to use alternative routing tables rather than interfaces, as per this post .
by txfz
Tue Aug 31, 2021 1:50 pm
Forum: General
Topic: Pinging via secondary default route? [SOLVED]
Replies: 2
Views: 2668

Re: Pinging via secondary default route? [SOLVED]

Thank you. I just found the routing mark solution in a different thread, too, and I think that will do the trick.
by txfz
Tue Aug 31, 2021 12:15 pm
Forum: General
Topic: Pinging via secondary default route? [SOLVED]
Replies: 2
Views: 2668

Pinging via secondary default route? [SOLVED]

Hi, I'm trying out various WAN failover solutions. One of them requires that you be able to ping the "inactive" connection via its interface, which is where I'm getting stuck. I don't know if I'm missing something completely obvious. I have set up a lab environment with two different route...
by txfz
Mon Aug 30, 2021 1:13 pm
Forum: Scripting
Topic: RouterSCRIPTS - A collection of scripts for RouterBOARD devices
Replies: 35
Views: 26406

Re: RouterSCRIPTS - A collection of scripts for RouterBOARD devices

Hi, I've just found this after unsuccessfully having tried a number of other solutions for failover functionality. I can't get it to work properly. Namely, it won't switch back to the primary connection once that comes back online. I'm not able to ping anything (timeout) using the interface of the p...
by txfz
Mon Aug 23, 2021 10:40 am
Forum: Announcements
Topic: WinBox v3.29 released!
Replies: 113
Views: 38598

Re: WinBox v3.29 released!

*) added separate "Show Columns" window for list of visible columns;
This window is not scrollable by mouse wheel.
by txfz
Fri Jul 09, 2021 4:56 pm
Forum: Beginner Basics
Topic: Basic setup: not passing traffic.
Replies: 11
Views: 3053

Re: Basic setup: not passing traffic.

You need to configure your EdgeRouter so that it knows where to forward traffic for 70.80.90.0/24.
by txfz
Mon Jul 05, 2021 4:25 pm
Forum: Useful user articles
Topic: Advanced Routing Failover without Scripting
Replies: 272
Views: 154411

Re: Advanced Routing Failover without Scripting

Sorry, I should clarify. Client traffic not working is my primary concern. I just tried pinging from the router for troubleshooting, but it seems like that is mostly working, actually... it just doesn't seem to be able to switch in the middle of a ping command? I've been testing by disconnecting the...
by txfz
Fri Jul 02, 2021 1:17 pm
Forum: Useful user articles
Topic: Advanced Routing Failover without Scripting
Replies: 272
Views: 154411

Re: Advanced Routing Failover without Scripting

Hi, I said "everything" works, but what I meant was "something" works. The actual failover still doesn't. How are the "main" default routes supposed to look? I tried adding one for each WAN interface, with distances 3 and 4, respectively, but it doesn't help with the fa...
by txfz
Wed Jun 23, 2021 11:48 am
Forum: Useful user articles
Topic: Advanced Routing Failover without Scripting
Replies: 272
Views: 154411

Re: Advanced Routing Failover without Scripting

# jun/23/2021 10:47:16 by RouterOS 6.46.8 # software id = FWIF-LI4F # Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 0 A S dst-address=0.0.0.0/0 gateway=8.8.8.8 gateway-status=8.8.8.8 recursive...
by txfz
Fri Jun 18, 2021 3:03 pm
Forum: Useful user articles
Topic: Advanced Routing Failover without Scripting
Replies: 272
Views: 154411

Re: Advanced Routing Failover without Scripting

I can't get this to work. I have set up a lab environment with 10.[1/2].0.1/30 as two different ISPs, and using Google DNS to determine Internet connectivity. I used this guide, which seems to be the same as OP plus the mangling. Alas, I don't have any Internet connectivity at all. Trying to ping so...
by txfz
Thu Jun 17, 2021 12:23 pm
Forum: General
Topic: IPsec phase 2 not reestablishing on responder only after connection downtime
Replies: 0
Views: 2001

IPsec phase 2 not reestablishing on responder only after connection downtime

Hi, We have an IPsec device set up as a responder for a number of peers. This all works perfectly fine normally, but two of our peers face some strange issues. Occasionally we find that while the peer connection is active, we don't have phase 2 established on our end (responder), and the policy is m...
by txfz
Fri Mar 12, 2021 5:34 pm
Forum: Beginner Basics
Topic: IPSEC switches to NAT-Traversal if set to IKE2
Replies: 1
Views: 1801

Re: IPSEC switches to NAT-Traversal if set to IKE2

I've just encountered this phenomenon too while trying to figure out which filter rules are required to get IPsec going. RouterOS 6.47.1. I've found that NAT traversal cannot be disabled when IKEv2 is used. I don't know why, or whether that makes sense. The docs' got this: Parameters that are ignore...
by txfz
Mon Mar 01, 2021 1:00 pm
Forum: General
Topic: When should/need I use IPsec policy templates? [SOLVED]
Replies: 1
Views: 2812

When should/need I use IPsec policy templates? [SOLVED]

As above. When should I use templates instead of non-templates?
by txfz
Mon Dec 21, 2020 11:36 am
Forum: General
Topic: Restricting management access to directly connected devices? (non serial)
Replies: 0
Views: 435

Restricting management access to directly connected devices? (non serial)

Hi, In an effort to increase security, I disable MAC WinBox server, neighbor discovery and only allow WinBox connections from our office IP address. This works well for devices that have a serial interface, but other devices may end up impossible to access if you screw up well enough. I'm looking to...
by txfz
Thu Oct 08, 2020 11:41 am
Forum: General
Topic: Connection NAT state srcnat?
Replies: 9
Views: 2934

Re: Connection NAT state srcnat?

I guess I did not expect that my configuration can change how the connection-nat-state option works. I have now come to the conclusion that the srcnated return traffic is in fact considered dstnated rather than srcnated, (as far as the connection-nat-state option is concerned) if the connection was...
by txfz
Thu Oct 08, 2020 10:17 am
Forum: General
Topic: Central Logging - Graylog
Replies: 12
Views: 10358

Re: Central Logging - Graylog

I tried this a while back and found that when you use the BSD option, something very strange to do with timezones happens. My device was set to UTC+2, which would cause the log entries to appear in Graylog two hours after the fact. Extremely confusing until I found out what was going on. I don't know...
by txfz
Wed Oct 07, 2020 6:04 pm
Forum: General
Topic: Connection NAT state srcnat?
Replies: 9
Views: 2934

Re: Connection NAT state srcnat?

If going by invalid packets is the only or best way to solve this, I will do that. But once again, that was not my primary concern. Either way, I have done some more testing, and have more or less pinpointed one of my issues. As far as I can tell, outgoing return traffic is not considered srcnated p...
by txfz
Wed Oct 07, 2020 10:26 am
Forum: General
Topic: Connection NAT state srcnat?
Replies: 9
Views: 2934

Re: Connection NAT state srcnat?

Yes, only the initial packet of a connection is matched by the rule chains in /ip firewall nat . All the rest of the packets belonging to the connection inherit the NAT behavior from the first one, as the handling of the first packet is remembered in the connection tracking and applied appropriately to...
by txfz
Tue Oct 06, 2020 12:04 pm
Forum: General
Topic: Connection NAT state srcnat?
Replies: 9
Views: 2934

Connection NAT state srcnat?

Hi, I just discovered that invalid packets do not get srcnated, and so am trying to prevent these from leaking out on the WAN interface. I found the connection NAT state option, which sounded exactly like what I needed. However, it doesn't seem to work as expected. Namely, there seems to be some con...
by txfz
Thu Aug 06, 2020 5:21 pm
Forum: General
Topic: WinBox global/default settings
Replies: 8
Views: 3294

Re: WinBox global/default settings

I discovered the sessions feature the other day. It's good, but it's not quite there for me... I would still like individual sessions per device. I just want to copy the default session on first connect, rather than starting from a clean slate.
by txfz
Wed Aug 05, 2020 8:14 pm
Forum: General
Topic: Restricting IP addresses on bridge ports
Replies: 3
Views: 1540

Restricting IP addresses on bridge ports

We're setting up a router in a building that will house a few company tenants, each with their own router. (which are managed by the tenants) Our router connects to the Internet, and we have been assigned a few public IP addresses, which we in turn will assign to each of our tenants. We're going to ...
by txfz
Mon Jul 06, 2020 9:42 am
Forum: General
Topic: User restricted to serial login
Replies: 2
Views: 1142

Re: User restricted to serial login

Thanks!
by txfz
Thu Jul 02, 2020 1:20 pm
Forum: General
Topic: User restricted to serial login
Replies: 2
Views: 1142

User restricted to serial login

I'm looking to create a user that can only login via the serial interface. (console port) I thought about setting its allowed address to 0.0.0.0/32. That should at least prohibit any IP connection attempts, right? Would this still allow MAC connections? We'll probably disable that, so that's fine. Is...
by txfz
Wed Apr 29, 2020 10:44 am
Forum: General
Topic: WinBox global/default settings
Replies: 8
Views: 3294

WinBox global/default settings

Not sure if this is the place for WinBox stuff. Would like some way to set up default settings for WinBox. Probably not exact window size and position (maybe column width, though?), but primarily I always set up inline comments, and show a few extra columns, such as To address and port in the Firewa...
by txfz
Wed Apr 29, 2020 10:32 am
Forum: General
Topic: IPsec responder for two DHCP peers
Replies: 1
Views: 1109

IPsec responder for two DHCP peers

I'll start off by admitting I'm not great at IPsec, as this post probably proves. I have a VPN where two branch offices connect to a main office using IPsec site-to-site with IKE2. Both branch offices are addressed by DHCP on the public interface. The goal is to have the main office be the IPsec res...
by txfz
Wed Apr 29, 2020 10:09 am
Forum: General
Topic: Branding package - disable configuration removal
Replies: 0
Views: 1275

Branding package - disable configuration removal

Hi,

According to the branding documentation, it is possible to prevent resetting the device without the default configuration, however it is not apparent how to do so?