MikroTik

SecCon

Either you tried some weird scripts, or you put them like I explained on previous post. Anyone on the forum can confirm this. No. If you don't believe me, so be it, I have no way to prove you wrong that I know of. It's the first time ever, and ever is more than 30 years, that I have been accused of...

SecCon

If setting a static address in the IP DHCP table also goes to the ARP table, sure then I understand why it happened. As for manually setting an ARP address in Webfig > IP > ARP, no. Never done it. Nor in Terminal, nor in WinBox, just to be clear. According to the old manual: https://wiki.mikrotik.co...

SecCon

You are manually setting an ARP entry which conflicts with the DHCP lease entry: /ip arp add address=192.168.1.10 interface=bridge1 mac-address=00:25:90:4B:6B:4B and /ip dhcp-server lease add address=192.168.1.10 client-id=1:e4:35:c8:7e:37:ee mac-address=E4:35:C8:7E:37:EE server=dhcp1 I NEVER set t...

SecCon

lol And from the documentation Wiki. Yes I know to little about this shit to experiment. I never experiment, I am a standards and process guy and have been for ever. Regardless of which are you saying that ONE device loosing Internet because of this? 'Cause I had no issues with any other that I am ...

SecCon

I am very sorry for following the recommendations, tutorials and posts here on this forum. Considering that, how do I know yours is ok, if you say others is not?
Check my post history, I have ONLY implemented what others claim should be implemented.

SecCon

# jun/03/2022 15:56:01 by RouterOS 7.2.1 # software id = Y7E5-SEZ7 # # model = RB1100x4 /ip pool add name=dhcp ranges=192.168.1.0/24 add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254 /ip dhcp-server add address-pool=dhcp_pool1 interface=bridge1 name=dhcp1 /ip address add address=192.168.1.1/24 i...

SecCon

I know it sounds weird. The last few days I have a severe issue with a Windows Server machine that just won't take to the Internet consistently. It is a new installation on trusted and tested hardware and it worked a few days ago. At the time I was having some issues getting it to take a static IP, ...

SecCon

Thanks, I see you are the guy behind Unimus as well. Seems to be a great application. I did go to the wiki to check what user permissions entailed, but there is no page, not on the old nor on the new wiki, that explains anything about the differences between the user permissions, except the obvious ...

SecCon

Sorry to barge in, but when you setup Unimus to handle upgrades - and other things - you give it the credentials to the Mikrotik devices. I am trying to figure out if Write or Full permissions are required for the upgrades and to be setup in Unimus?

SecCon

So after some tribulations I set up a WinSrv to handle this and it seems to be working. https://i.imgur.com/bEa2zWx.png Image from a virtual w10 machine. Had issues understanding the logic and explanation, or rather the lack of it, in diverse how-to's and books. Thing is once you setup a DNS on WinS...

SecCon

I found it a few days ago. Turns out it was an ILO setting on one of my two HPE servers. The ILO IP was ok, but I did not see any setting for mshome.net. It was entered in the BIOS settings of the server.

SecCon

Upgraded both my devices, seems ok.

Router RB1100AHx4 (RoS 7.2.1)
Switch CRS326-24G-2S+RM (RoS 7.2.1)

SecCon

2 months later, just wanted to get back on how my

 /queue simple
 add limit-at=10M/10M max-limit=100M/100M name=queuebw10 target=192.168.1.0/24

works so far and it does work very well indeed.

I got a solid A at https://www.waveform.com/tools/bufferbloat

SecCon

After some additional reading I have come to determine I will need a better solution than posted by @Sob . I will configure my WinSrv to handle it, since it will be running regardless. I am however grateful for the suggestions posted and should I set up some Linux I might very well consider bind or ...

SecCon

/ip dns static add address=192.168.88.10 name=anav1.workstation.llama add address=192.168.88.20 name=anav2.workstation.llama add address=2001:db:0:88::20 name=anav2.workstation.llama type=AAAA add address=192.168.88.2 name=mail1.server.llama add address=192.168.88.3 name=mail2.server.llama add mx-e...

SecCon

"Poor mans DNS" ? "Beggars DNS"?

Yeah, al righty... so can any of you guys step through the cmd's for this achievement, and elaborate on how I can use alias wih it? The DHCP version...

SecCon

So what would be a detailed description? Humm... I am currently reducing server load as much as possible and adding a vmachine for bind or dnsmasq is not my first option. I would like the network equipment to handle all the network related settings, in principle. I think I have enough juice in my MT...

SecCon

While i appreciate any insight, I am after LOCAL DNS SERVER and how to set that up.

Not google....

SecCon

Im a winbox guy so cannot help with webconfig. I can use both, so feel free to elaborate dear Anav... albeit the cache function is not really what I am after, I need to specify a local DNS server with two local IP entries and then the whole shebang with anav1.workstation.llama and anav2.workstation...

SecCon

Is anyone else running a local DNS on a local ip segment such as 192.168.1.* and care to let me in on how you configured it in WebFig? I stumbled over DNS being a requirement for my VMWare solution so I might try to do it on the Router before messing with it on a server... Router specified on my sig...

SecCon

RouterOS version 7.2.1 has been released in "v7 stable" channel! To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download I know there are other ways to upgrade, via File man...

SecCon

Ooo, more updates. Neat. :)

Not updated anything yet since the 7.1.1, have been hovering over an imaginary "update" button for my zero conf switch for a few days.
Dare I push it? CRS326-24G-2S+RM.
Not touching my router yet.

SecCon

No offense, but RTFM about what a RC is, and how it works would have saved you some time ;-) https://en.wikipedia.org/wiki/Software_release_life_cycle#Release_candidate https://en.wikipedia.org/wiki/Software_release_life_cycle#Stable_release "Also called production release, the stable release ...

SecCon

Bookmarked

SecCon

/queue simple add limit-at=11M/110M max-limit=11M/110M name=pppoe-out1 target=bridge1 add limit-at=2500k/25M max-limit=11M/110M name=QoS_2 \ packet-marks=QoS_2 parent=pppoe-out1 priority=2/2 queue=\ default-sfq/default-sfq target=bridge1 total-queue=default-sfq add limit-at=2500k/25M max-limit=11M/...

SecCon

So many issues described above. Normally I am the kind of guy that just hit "upgrade" and close my eyes, but not with this. There is not even an "upgrade" button as such. And I am not even running anything but a default lan with some FW entries and 3 port forwards. I guess the me...

SecCon

Upgrade sources with both those IP addresses for upgrade.mikrotik.com failed. Using my Mikrotik.com creds, not the forum ones. In WebFig 7.1.1 obviously.

Confusing interface

SecCon

Just curious if any of the updates are "high-prio" security related stuff that encourages you to update immediately? From https://help.mikrotik.com/docs/display/ROS/Upgrading+and+installation The package upgrade feature connects to the MikroTik download servers and checks if there is a new...

SecCon

OP Do yourself a favour and sort out your network on pen and paper first and read up on how to use those settings in RouterOS. Do not use the function called "Quick set", you can set those parameters rather easily in the Winbox (or Webfig) interface, but you need to read a bit about how fi...

SecCon

This is very interesting and doing a setup of it during the next few days...

SecCon

I had and then returned Vittore Zen books. As I recall they were a mess and disposition wise a jungle to read. Tyler Harts books https://www.amazon.com/Networking-MikroTik-MTCNA-Study-Guide/dp/1973206358/ https://www.amazon.com/MikroTik-Security-Guide-Tyler-Hart/dp/1549893408 are old now. So is the ...

SecCon

Considering how literate you are in using the search box in MT, (like putting the word book) perhaps a book is not the answer? ;-) https://forum.mikrotik.com/viewtopic.php?p=916003&hilit=books#p916003 Like most that enjoy have some reference material, waiting for something for RoS7 too. Ops, ye...

SecCon

Browsing Amazon Kindle books there are only a few regarding RouterOS and maybe two relatively recent handling Switching. Examples: https://www.amazon.com/MikroTik-Switching-LABS-Certification-covered-ebook/dp/B08ZT2BK6N/ https://www.amazon.com/Multicast-MikroTik-LABS-step-step-ebook/dp/B092DR6XH6/ S...

SecCon

Today I added another instance of the same thing described above for another computer, this time a virtual one, not a physical one, and it worked straight out of the box. I was fearing the virtual network might cause some issues as it goes via an ESXi server, but all works. Did some minor modificati...

SecCon

So far I have implemented a few things. DHCP 192.168.0.1/24 Basic Firewall Filters for Client protection. Basic Firewall Filters for Router protection. Still being discussed a bit. A working Port forward. Basic principle on how that is done documented. Graphing - well only a bit. Could do with expan...

SecCon

Don't see why I have to repeat myself. Latest post was this: viewtopic.php?t=183075#p912397 which also had some additional questions about command sequence lineup.

SecCon

Is this thread some shodan advertisement or? No. Shodan is an independent service than can be used to track IoT devices. In its most basic function it will report open ports and some info about them on any network IP specified in its search. It is one way to check what communication the "inter...

SecCon

Post your config please, otherwise this whackamole gane is unnecessarily tiring.

I think I have posted it like three times in this thread already... have the damn llama raise its eyes and scroll a bit upwards.

SecCon

I just noticed that 1 on my posts above occurs twice. Not intended and I have edited it blank... I still want more info on the Mikrotik services that are keeping theses ports open 2000, 8291, 8728.. 2000 / TCP MikroTik bandwidth-test server \x01\x00\x00\x00 528309196 | 2022-02-04T02:41:25.385111 829...

SecCon

Now you need to add some firewall filter rules. I can help one with the default rules from v7 /ip firewall filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked" add chain=input action=drop connection-sta...

SecCon

duplicate removed

SecCon

So I posted the default-configuration you asked for. What now?

SecCon

SecCon

was a bit tricky (for me) to copy-paste from terminal since it involve additional scrolling. Luckily, you can avoid that: /system default-configuration print file=somenicename And then you just download somenicename.txt , open it in a text editor, and press Ctrl-A Ctrl-C. While I admittedly have sh...

SecCon

I think I got it all....
In what sense?

Only referring to the print, nothing else.... was a bit tricky (for me) to copy-paste from terminal since it involve additional scrolling.

SecCon

/system default-configuration print #| Welcome to RouterOS! #| 1) Set a strong router password in the System > Users menu #| 2) Upgrade the software in the System > Packages menu #| 3) Enable firewall on untrusted networks #| -------------------------------------------------------------------------...

SecCon

I do not know what I may have done to remove the basic protection some of you refer to, but I did reset the router and followed the startup instructions before implementing everything posted here and above. @Jotne: The "blank" part was my shodan.io lookup before The Age of Mikrotik, when ...

SecCon

Interesting. Learned some new to day. So with this type of routers, you have to take even more care and maybe ask some professional to set it up. I am happy to help, sort of. I prefer learning by doing, even if I will admit some of my posts may be confusing to the knowledgeable. :) Those ports I me...

SecCon

Something is blocking the webfig terminal.
Configuration as posted above. Any ideas?

Never mind, works

SecCon

Should I expect a a message telling me the device is compromised? How do I know for sure? THIS IS A FRIENDLY MESSAGE FROM YOUR ROUTER I HAVE BEEN HACKED / TAKEN OVER / CRACKED / ABUSED PLEASE RESET ME If this was even possible, no malware would ever exist. Because if the router was able to detect t...

SecCon

ok, got rid of the external port 80 access, not sure exactly which rule did that, but I guess a combo of 2-3 diff. then set up the rest, one at a time in the webfig interface /ip firewall address-list add address=192.168.1.2-192.168.1.245 list=allowed_to_router /ip firewall filter add action=fasttra...

SecCon

How do I know for sure?
You actually never know for sure, if the device has been exposed unprotected to the internet or a malicious network.

I know, I may be a noob when it come to Mikrotik, but I have dealt with these kinda things before and at work.

SecCon

I have added /ip firewall address-list add address=192.168.1.2-192.168.1.254 list=allowed_to_router /ip firewall filter add action=accept chain=input comment="default configuration" connection-state=established,related add action=accept chain=input src-address-list=allowed_to_router add ac...

SecCon

no the device is not compromised... eh, well, it works, I see no other logged in sessions... nor any abnormal activity or bw hogs... Should I expect a a message telling me the device is compromised? How do I know for sure? THIS IS A FRIENDLY MESSAGE FROM YOUR ROUTER I HAVE BEEN HACKED / TAKEN OVER /...

SecCon

OK, haven't done that. Did read it though.

I thought the default config had basic protection.

Jeez, so many manual things to do.

The reason I did not look in to this more is that I plan to set up a PFSense or something like that but the hardware for it is not ready.

SecCon

I see on shodan.io that the following ports are open externally 80, 2000, 8291, 8728. More info states that 80 / TCP HTTP/1.1 200 OK Cache-Control: max-age=31536000 Connection: Keep-Alive Content-Length: 7063 Content-Type: text/html Date: Tue, 08 Feb 2022 16:38:33 GMT Expires: Wed, 08 Feb 2023 16:38...

SecCon

sigh, I did this in Ubiquiti Edgemax SmartQueue functionality and it worked like 99% of the times. It was literally one setting. This https://help.mikrotik.com/docs/display/ROS/Queues#Queues-Configurationexample seems simple enough and considering I only want to make sure none of my computers/device...

SecCon

I am aware I can have multiple lans/dhcp's and all that, but the thing is I do not have them.

it was in the DHCP leases list... and also in ARP list.

SecCon

Yes, there are like 5 other Windows PC's connected, but I did get rid of it and the culprit was my HPE Proliant Windows Server, one of its two "normal" NIC's, it has a third for ILO.

I am more curious as to how the Router could give out an IP it was not even configured to handle.

SecCon

I did. Sharing is not enabled. On W11, my main desktop, sharing is not even a visible option in Adapter Properties.

SecCon

I reorganized a 48U cabinet I have, moved around a couple of servers and a switch plus cleaned up a bit of cabling. That was all. When I started the switch and the server again suddenly I see 192.168.137.* addresses called mshome.net on my Mikrotik Router. I have no network called that or in that ra...

SecCon

So I just realized I protected the clients and not the Router :mrgreen: https://help.mikrotik.com/docs/display/ROS/First+Time+Configuration#FirstTimeConfiguration-ProtectingtheClients compared to https://help.mikrotik.com/docs/display/ROS/First+Time+Configuration#FirstTimeConfiguration-IPConnectivit...

SecCon

They should also avoid the off-limits addresses (network adress as explained above and broadcast address) - DHCP server could be smart enough to avoid them, but in ROS it seemingly doesn't. Also: all addresses in DHCP pool are in principle allocated for DHCP clients, all devices with known statical...

SecCon

Sure as long as the client gets the correct CIDR from the DHCP in order to be able to reach the Routers network...

CIDR: https://en.wikipedia.org/wiki/Classless ... in_Routing
I was going to watch a movie until you threw that acronym in my face....

SecCon

I had an epiphany. Well for me, untrained in the logical side and structure of networks as I am despite working with them. Router IP can be anything as long as it is fixed and within the regular Class A: 10.0. 0.0 — 10.255. 255.255. Class B: 172.16. 0.0 — 172.31. 255.255. Class C: 192.168. 0.0 — 192...

SecCon

@Woland So /ip pool add name=dhcp ranges=192.168.1.0/24 should rather be /ip pool add name=dhcp ranges=192.168.1.0-192.168.1.255 That would still keep the dhcp server at 192.168.1.1 I presume... The reason for the naming, or rather lack of perhaps more explicit naming, is that there is no reason for...

SecCon

By a coincidence doing some troubleshooting I noticed my tellie had the IP 192.168.1.0 in a DHCP range of 192.168.1.0/24 and the DHCP server being 192.168.1.1. TV reported having network, but some things requiring Internet Access was not working. After assigning it a fixed IP address (192.168.1.40) ...

SecCon

2016 is only 6 years back. Never change a running wifi. Somewhat

I would agree if it was hundreds of units in a complex setup. This is not. It is one.

SecCon

@unkis17
Where is the static address defined, in the Router or on the Switch? If you defined it only on the Switch it may be that the Router gives it another anyway, anything available in the DHCP table.

SecCon

OT: 8) @secCon "Rejoice that ye have found it and rest from endless war for the seven-naméd city 'tis that stands upon the hill, where all who strive with Morgoth find hope and valour still." The Lay of the Fall of Gondolin It's mine, my precious: https://www.amazon.com/Fall-Gondolin-J-R-...

SecCon

I would not give up my tplink eap245 AP for an audience, tested yesterday, 619/499 up on my iphone test to the internet through ookla. Does vlans, stable etc. Yes I miss the flexibility of RoS, but do I really need it for an AP, not really. As gotsprings said, now you can get wifi6 APs, why step ba...

SecCon

If you mention quickset again......... https://www.youtube.com/watch?v=gZwYmlR9Lh8 Not a fan of NCIS. May I quote the F-NG OFFICIAL HELP PAGES : Quickset is a simple configuration wizard page that prepares your router in a few clicks. It is the first screen a user sees, when opening the default IP ...

SecCon

@mkx

Yes, I think am beyond that first little left turn in my learning curve, but thanks for reminding me...

SecCon

Jeez. What a discussion. Anyhow, I will buy a Mikrotik AP. I want to keep everything in one brand, one interface and one learning curve. I am pondering the hAP ac3 but might also go with an Audience . It is for a 200square meter home in two floors and I intend to place it in the middle of the house ...

SecCon

Just to repeat the working config /ip firewall nat add action=dst-nat chain=dstnat dst-port=22022 in-interface-list=WAN log=yes log-prefix=sftp-inleed protocol=tcp src-address=5.150.195.195 to-addresses=192.168.1.234 But I am still puzzled by one thing. In QuickSet (7.1.1) there is a button for Port...

SecCon

That helped a lot, thanks...

SecCon

Hi Secon, based on this thread I finished for now another thread I was working on..... https://forum.mikrotik.com/viewtopic.php?t=180838 (However am willing to work on the next level fw set of rules - lets say an intermediate user - but only when I can understand what I post - which may be a while)...

SecCon

That did it... thanks... it's 2.13.

SecCon

Since I set up my Router I have not connected to my Switch (see signature). But as I dig in to more and more functionality I was going to check a few things, but suddenly the switch is unreachable. The DHCP Server on the router gave the switch 192.168.1.255, despite me having giving it ...*1.5 initi...

SecCon

I did it in the WebFig interface though, not in the terminal. While it is a bit cumbersome to scroll back and forth to check the entries I prefer doing it that way. The big drawback of GUI is that the information density per pixel is much lower as compared to plain text/command line. While you are ...

SecCon

This is all that the manual has about Graphing: https://help.mikrotik.com/docs/display/ROS/Graphing When digging in to WebFig to check how I can enable CPU and RAM resource graphs there seems to be no obvious way. I am VERY much aware of the Splunk method (https://forum.mikrotik.com/viewtopic.php?t=...

SecCon

Just wanted to report back that I implemented the basic FW rules as specified Here: https://help.mikrotik.com/docs/display/ROS/First+Time+Configuration#FirstTimeConfiguration-IPConnectivityAccess and everything is still working, even my Port Forward rule . Yes, yes, to some it may be obvious that th...

SecCon

@pcunite Thanks. Yeah that make sense... I only have one router and one switch for now, will get an MT AP later, got an ASUS now, but still, it would be better to run it off the switch, I only have SwitchOS on that since I assumed I would do most "complex" operations on the Router, but tha...

SecCon

Thanks for this, trying to sort out what may be relevant for RoS 7.1.1. This seems to be the most extensive about QoS I can find, so we'll see how it goes. I know I need it, since when games or systems get gigabytes of updates, the e-mail stalls. Typical scenario I guess. Not really understanding th...

SecCon

. It's just that for your devices, this script installs no firewall rules at all.

Wonderful...

SecCon

@sindy @mkx Sorry you lost me. Sindy, yes I would of course make a new thread about that, but right now I am confused by what you and MKX are referring to in regards to SOHO devices, big boy toys and such... So there is a default basic FW embedded and working regardless of any other settings, or add...

SecCon

I am a politician and have potential access to sensitive information, both sent to me and accessed via network. FWIW, if you look at how a former Chief of Staff in the US got hack, turns out phish email and bad IT advice: https://www.pcmag.com/news/report-typo-led-to-podesta-email-hack Personally I...

SecCon

@jotne, waste of time, my drop all rule works just fine for scans.. There are some slightly less plain users than you. For example, one might run a HTTPS server at home and it's open to internet. If a bot scans ports, then that remote address will be blocked on port 443 as well if one used magic by...

SecCon

@SecCon, I do understand your concerns but if all your info is that critical, why not hire a professional to configure that device for you or why doesn't your employer provide you a pre-made setup which you can simply plugin ? That is one of the bigger IT-issues that is causing occasional headlines...

SecCon

On a serious note, the firewall should be appropriate to the threat to your network. Do you have open servers? Do you have sensitive information (medical, financial, scientific, ie business related items bad actors may want to gain access to) etc.. I would seriously judge the data I manage via my h...

SecCon

Yes, there's a problem, it's too long for @anav, he has processing limit around hundred lines or so.

Coming to think of I share that feeling....

SecCon

Interesting, I lost all conn to the router setting up the basic firewall according to the manual pages. /ip firewall filter add action=accept chain=input comment="default configuration" connection-state=established,related add action=accept chain=input src-address-list=allowed_to_router ad...

SecCon

...and verified...

ignore the ipad entries...

SecCon

@mkx
I know... just typed it without backslashes in one row, still errors.

I did add /ip and /firewall before typing add in a couple of attempts, but still would not work. Maybe cmd syntax changed in 7.1?

Anyhow, it works and I have documented it.

SecCon

Looks like - Dude for 7.1?

yeah I have seen it.

SecCon

If this is what you have then the problems in the config are elsewhere and if you use quickset its like configing in quicksand........ a slow death by a 1000 cuts. :-) Listen I have to start somewhere, ok... :) I chose Mikrotik because of its versatility and reputation, been wanting this for a numb...

SecCon

What is this rule supposed to do? You're over complicating things. Your NAT rule should be this: add action=dst-nat chain=dstnat \ src-address=5.150.195.195 dst-port=22022 protocol=tcp in-interface-list=WAN \ log=yes log-prefix=SFTP-Inleed \ to-addresses=192.168.1.234 I've arranged the order of pro...

SecCon

(4) Your dst nat rule is troubling. but I will let mkx sort it out as he has you on the right track......... My initial read of your first entry was that you didnt have a public IP address............ As for 1-2-3 that's the result of the quick set, I suspected some was wrong, but it works and I ca...

SecCon

Still no joy:

add action=add-dst-to-address-list address-list=" 192.168.1.234" address-list-timeout=none-dynamic chain=dstnat dst-address-type=local log=yes log-prefix=SFTP-Inleed protocol=tcp src-address=5.150.195.195 to-addresses=192.164.1.234 \
    to-ports=22022

SecCon

I would only comment if I see the config /export hide-sensitive file=anynameyouwish Chances are there are multiple changes required........... and some learning required in moving from zyxel to MT ( I am one of those breed ) # jan/09/2022 08:45:07 by RouterOS 7.1.1 # software id = Y7E5-SEZ7 # # mod...

SecCon

Ah, never mind.

I found the issue ? :

can not install dude-6.49.2: system-6.49.2 is not installed, but is required

So Dude 6.* does not work with ROS 7.* ???

Bummer.

SecCon

Got the Dude ARM Package as specified. Uploaded to Files in a 7.1 ROS Router dude-6.49.2-arm.npk Unable to launch it or verify it is running. [mt-user@mt-ro-homered] > /dude set enabled=yes bad command name dude (line 1 column 2) [mt-user@mt-ro-homered] > dude set enabled=yes bad command name dude (...

SecCon

There is no public address. Or rather, it can be anything.

5.150.* is the web server address

192.* is my local server address

So maybe I am confusing a non stable public IP with some of those above... or below?

SecCon

Finally setting up a brand new upgraded 7.1 Router, see my signature, and doing a pretty standard port forward that I had on my Zyxel Router last night (working) but things are just not looking the same and a bit confusing. Source IP: 5.150.195.195 Source Port: any (it varies so not defined) Target ...

SecCon

I am setting up the Router in my signature on my small 50 devices network (including phones, virtual clients, tablets and everything you can think of) and the Router is connected to WAN via Port 1 and to the Switch via Port 2 (the switch in my signature, running SWOS) . I can reach the Router both v...

SecCon

Admittedly I am rather new using ROS, so I read and re-read and when I find something that does not match 100% I get confused and try to find an explanation. Example from Winbox/Webfig: Tools > MAC Server > The settings you push through via Terminal do not show there, only if you press the buttons, ...

SecCon

Why should it? I have no vlan...

SecCon

I am trying to setup the network and have all kinds of minor issues that I will get back to, but I am confused about the Wifi. I have a very good Asus Wifi Router that is set as an AP. it is secured and updated, not changing it just yet, does any of the MT Router OS Wifi setting apply to that in any...

SecCon

Wow, thats thourough and a great help.

Much thanks for you effort ! :)

SecCon

:D

Get over here and set my speaker...

SecCon

I noticed that MikroTik Cloud Router Switch 354-48G-4S+2Q+RM has three fans and thus will of course generate a bit of noise, but how much? Intended usage is Switch and nothing else. BTW is not ROS overkill on a Switch? SwOS is very basic RouterOS gives you the ability to take advantage of all the f...

SecCon

fans.7z

Thanks but at what volume do I play that file... :)

SecCon

I used an app called "Sound Meter" on my Galaxy Note 10.

This one: https://play.google.com/store/apps/deta ... ic.decibel

Thanks! :)

SecCon

SwOS lacks both HTTPS, SSH and a CLI. SwOS works but puts the switch in a very different category of device.

Like a Switch that in our environment only is supposed to forward signal, nothing else. Why would you want a Switch to do the job of a Router? Or be exposed to the same challenges?

SecCon

Here's my two cents on it. I run my two MT routers strictly as routers, and I have five MT switches that perform all switching function. The switches run SwitchOS (including one CRS326 that was shipped to me in error instead of a CSS326) and the routers of course run RouterOS. I like SwOS for it's ...

SecCon

If one can (safely?) assume that switch performance is the same when running either of supported OSes (ROS, SwOS), and one doesn't need L3 functions, then it boils down to personal preference regarding administrative UI. Some users, very well acquainted to CLI and ROS, will obviously prefer running...

SecCon

I am puzzled.... I respect the abilities of ROS and am still learning, but I don't really understand why you would want to run ROS on a Switch when you have SWOS? Now I have one 24P Switch that runs SWOS and I am getting another 48P Switch that is not capable of running SWOS and thus will be running...

SecCon

Reply to sound level question please? I even went to youtube to see a review from servezehome or whatsisname but they did not even start the switch... https://www.youtube.com/watch?v=uJFV9PMLa3o no sound https://www.youtube.com/watch?v=uJgNuyQo87w no sound https://www.youtube.com/watch?v=sirCSBHZDz0...

SecCon

It's a rack-mount device and as such it's usually mounted in a noisy environment (server rooms tend to be like that), in that case its own noise would be a feature fitting the envirionment ;-) My racks are rather quiet. Got two. A mini rack 6U on top of the house, in a space just under the roof tha...

SecCon

So how noisy?

SecCon

I noticed that MikroTik Cloud Router Switch 354-48G-4S+2Q+RM has three fans and thus will of course generate a bit of noise, but how much?

Intended usage is Switch and nothing else.

BTW is not ROS overkill on a Switch?

SecCon

Be sure to keep the pages updated :)

It will fail... eventually... but I'll do what I can from available sources.

SecCon

168 pages Word docx file done.
(That's is not the correct amount of pages, I have skipped the IPV6 section for now and some sub ToC's present in random places in the text will removed)

To Do

Review.
Make Index
Make PDF

SecCon

Already doing a file from Word exports. No need to rip the site.

SecCon

... and exporting to PDF directly from Confluence is flawed, just as I suspected.

Word works better though. Then a PDF can be exported from there, using Office 2016 or later.

SecCon

I need to have a printout of the RouterOS manual but doing it via Confluence (i have that crap at work) is just not working and since there is a newer Confluence at Help, I don't trust the Wiki... Any trick to make a PDF from ALL the confluence pages? Normally it wont work, but depends on configurat...

SecCon

The Italian Job

Would you accept pizza and beer for job done?

SecCon

Making separate subnet for Zyxel-MT would actually prepare network topology for the time when you decide to ditch Zyxel. Only WAN side of MT would get changed. And of course MT has to get decent firewall then ... since your RB1100 doesn't come with default, you'll have to construct one. I strongly ...

SecCon

A bit difficult to comment on this, as it all depends ... on what functions are used, how complex the LAN network is, on what is desired as new functionality. The local lan is extremely simple. Only the basics; a bunch of distributed ip's from a dhcp. Even more , I never configured a Zyxel Firewall...

SecCon

If you paid extra for services then I can see you wanting to use it until they expire though.

Exactly, got to around end of year worth of license. Then dump.

SecCon

Subnets? I really don't get why? I was thinking along the lines of (assuming 192.168.1.1/24) : ISP > > Zyxel FW @ 192.168.1.2 (Cabling channels all the traffic through here) > > MT RO @ 192.168.1.1 (DHCP server) > > SW @ 192.168.1.3 > > LAN at 192.168.1.1/24 (also a WiFi AP) I don't see why I should...

SecCon

I am trying to wrap my head on setting up my Mikrotik RouterOS Router as Gateway and DHCP server for my local LAN, while keeping a dedicated FW that I purchased a license for as "filter" between the ISP and the Mikrotik Router. Some kind of schematic: Current ISP <-> FW/Router <-> Switch <...

SecCon

Its fine, the market is getting crowded... :)

SecCon

I use a real password manager and not a Firefox plugin. I better clarify that I am also using a "real" password manager - as far as I know, I pay for it and it is a separate application - that has plugins for most browsers in order to use it, but I am not sure what you are referring to, d...

SecCon

Not using any plugin - just standard Firefox.

Thing is I use that pwd manager plugin for all my pwds on all devices and while I don't distrust Firefox in particular to keep passwords with FF Lockwise i have yet to move to that solution, if ever...

SecCon

For me is a bug on software than report CPU temp as motherboard temp... My rack are closed, not vented inside, on 23°C room... I agree, my rack is a small 6U in an small "attic" just below the roof tiles of my house. I know it is not an ideal location, it will get HOT during summer so I h...

SecCon

I'm not using a password manager plug-in, just standard Chrome. And username/password is filled in automatically (default settings). Just have to click login. Klembord-2.jpg That is probably because you set Chrome to remember the passwords and perhaps it is just better at filling them in than a pas...

SecCon

it may of course be OS+Browser related but this is in Windows on Firefox and checking a bit more, also on Chrome and Edge, all in W10.

All three browsers generate the same popup upon logging in in SwOS.

SecCon

@biomesh I don't have to search the forums to read the hardware specifications and I did quote the Tested ambient temperature -40°C to 60°C as written there. I can buy it is the CPU temperature @rextended. I will put a sensor there just in case, I already have one for the whole rack, but putting a s...

SecCon

So this does not deserve any attention? Explanation?

SecCon

So I took down the switch, while still in the rack and connected and measured the surface temperature of the chassis with a Schneider-Electric Infrared Thermometer (the ones that looks like a small gun) and the surface temperature of the top part of the chassis was about 30 degrees, but the interior...

SecCon

So the ambient temperature where the switch is located is currently between 15 and 30 degrees Celsius (19 as I type this) and will get hotter as temperatures rise come summer, but already the CRS326-24G-2S+RM monitor in SWOS is reporting 60 degrees plus. (63 as I type this). Tested ambient temperatu...

SecCon

The way the login works by generating a small pop-up window is not letting my in-browser password manager plugin feed the credentials to the session, having to input them manually.

I wonder if anyone came across this and found a workaround, it is of course not a huge issue, but still annoying.

SecCon

And registered my second Mikrotik device...

SecCon

ok then, guess that is easy enough....

SecCon

Is it necessary to switch the switch's OS to RouterBoard to see the Software ID to be able to register the device at Mikrotik?
Don't plan to use RouterBoard on it but want Mikrotik to have a record of the ownership.

Should perhaps posted at the SWOS subforum, sorry...

SecCon

After some initial conf issues, the upgrade itself went without a hitch. Very smooth. I am not sure if to expect some kind of particular blinking pattern from the front LED's while upgrading, but it would be a welcome feature, like a rolling blink or some. just so you know the thing is in upgrade mo...

SecCon

Now I have a static Public IP with my ISP Not sure about the configuration details but... I can get fixed IP from my ISP as well but they also tell me that Port Forwarding via that IP may have issues, despite the "fixed" IP. And it did so I reverted to regular assignment, despite having F...

SecCon

Are we having language lessons for the rats? :lol:

SecCon

All devices apart from: CHR, CRS line, CCR line, RB1100 line and possibly RB3011 (not sure about this one). I'm not talking about SwOS devices here. I would certainly wish for that being clearly stated when looking at product purchase.The again, we look mostly at port speed, cpu power and ram when ...

SecCon

BTW, also got this switch: https://mikrotik.com/product/CRS326-24G-2SplusRM

Weird this is at it apperas both as Router and as Switch on many shop sites... very confusing. Fortunately Mikrotik has it listed as "switch".

Delivery May 20.

SecCon

Best thing is to accept the default firewalls as they work out of the box quite safely. SOHO-line of Mikrotik routers comes with very decent default firewall rule set. RB1100AHx4, however, is not from that line and comes with pretty plain defaults, hence it's wise to get some decent starting settti...

SecCon

Best thing is to accept the default firewalls as they work out of the box quite safely. Then work to understand all the default rules. Then state your requirements and folks will likely chime in to give some advice. Do not use quickset. Do use the safe mode button at all times. Clear requirements w...

SecCon

So i will be buying RB1100AHx4 Dude Edition https://mikrotik.com/product/RB1100Dx4 . It is probably a bit overkill for my SOHO, but better safe than sorry and make sure it will last a few years ahead. The thing I have been pondering the most is the ability to control the Firewall and I have read som...

SecCon

The Dude needs some storage to deal with statistical data from controlled/monitored devices. While every ROS device comes with some permanent storage that storage comes with one or two problems: As with all semi-conductor based permanent storage it has limited number of write cycles and the dude ad...

SecCon

After some pondering I might be inclined towards this: https://mikrotik.com/product/RB1100Dx4 RB1100AHx4 Dude Edition Not really sure about what benefits comes with the extra M.2 storage and how it helps The Dude, but a good network drawing/topology tool on the Router itself is not a bad thing. I am...

SecCon

For Wifi if its a vanilla indoor access point you are looking for (aka a stable decent wifi 5 variant) I would select the tp link eap245. I have not tried their latest wifi6 units yet eap 620 and 660 (too pricey). Thanks but no thanks... as I mentioned, I rather keep all the products to one brand. ...

SecCon

It is it hard requirement to have firewall and router separate and why? Just curious as most home and SOHO dont require it. Is the extra expense a nice to have or a real need, in which case maybe I should put my hex before my CCR1009 LOL. Yes and no. Short answer, Yes, I want it separate. Long answ...

SecCon

Speed You are right. Current speed is max 1GB in Lan. No use to have faster due to I/O bottlenecks with my current drives. Have about 100Mb/s R/W via SMB3 and Jumbo Frames. ISP Speed is 100/100MBit, can be upgraded up to 1/1GBit. I only use one PoE as it is right now, don't really plan on expanding...

SecCon

Actually my "dated" RouterBOARD CCR1036-12G-4S have 60-70 "handmaded" rule, auto upload drop and edrop list among others, block malicious dns, etc. (I do not do now a full list of all) (the first thing I do is clear completly the configuration, no default) and protect near 4000 ...

SecCon

Well, I have a Zyxel firewall that has a "gazillion" predefined rules (USG60) so assuming CCR1036-8G-2S+EM is preconfigured and also updated in a similar way...? As for PoE, well, I could have that in the 24p switch instead, it would be possible, I think. Can you jump PoE power from one pa...

SecCon

All seems to run RouterOS. Is that valid usage for a Firewall? FIREWALL: https://mikrotik.com/product/CCR1036-8G-2SplusEM > RouterOS ROUTER: https://mikrotik.com/product/rb4011igs_rm + https://mikrotik.com/product/crs112_8p_4s_in > RouterOS and RouterOS (?) SWITCH 24 https://mikrotik.com/product/CRS...

SecCon

Nothing?

SecCon

Browsing products I tend to go for the same basic series with same OS and with minimal differences between versions so looking at switches I look at https://mikrotik.com/product/crs354_48g_4splus2qplusrm and would very much like a 24G version of that one, but it seems there are more differences than...

SecCon

Hi, I am new. Well not really, had a Mikrotik Router some 10 years ago, but I guess things have happened since. The Dude is still awesome. So looking to replace all my aging network equipment and focus on one brand only. Mikrotik is among my first choices. Specifically I would need 1 Firewall, 1 Rou...

Search found 165 matches