Community discussions

Search found 94 matches

by An5teifo
Sun Oct 27, 2024 6:11 pm
Forum: Containers
Topic: Edit mounted container file
Replies: 3
Views: 248

Re: Edit mounted container file

Okay so scp will work for me.
I have initially created regular folders via "Files" and added my content, but then I was not able to start the container with the folders as volume mounts.
by An5teifo
Sun Oct 27, 2024 9:34 am
Forum: Containers
Topic: Edit mounted container file
Replies: 3
Views: 248

Edit mounted container file

Hello there, I wonder how someone could edit various config files for a container with a persistent volume? E.g. I would like to run Knot DNS, but for this I would need to create a zone file with my settings. On my regular Linux Docker machine I could either edit the file directly at the shell (nano ...
by An5teifo
Tue Apr 02, 2024 9:42 am
Forum: General
Topic: xz Backdoor CVE-2024-3094 [SOLVED]
Replies: 23
Views: 51224

Re: xz Backdoor CVE-2024-3094 [SOLVED]

I also thought that RouterOS is not affected by this version but it makes sense if any CISO or other IT-related staff got the order to query if any product of MikroTik is vulnerable or not.

That's why it makes sense from my point of view to highlight "we are not vulnerable".
by An5teifo
Tue Apr 02, 2024 9:33 am
Forum: General
Topic: xz Backdoor CVE-2024-3094 [SOLVED]
Replies: 23
Views: 51224

Re: xz Backdoor CVE-2024-3094 [SOLVED]

Great to hear.
Maybe this topic can be pinned somewhere for the next couple of days/weeks if someone else is raising this question?
by An5teifo
Tue Apr 02, 2024 9:14 am
Forum: General
Topic: xz Backdoor CVE-2024-3094 [SOLVED]
Replies: 23
Views: 51224

xz Backdoor CVE-2024-3094 [SOLVED]

Can someone confirm if MikroTik devices are vulnerable to the current SSH backdoor?
See here https://openssf.org/blog/2024/03/30/xz- ... 2024-3094/.

Although the malware scans for .rpm or .deb packages in general, it would be good to know if MikroTik's SSH server relies on liblzma or not.
by An5teifo
Wed Mar 06, 2024 2:48 pm
Forum: Forwarding Protocols
Topic: OPSF loop
Replies: 1
Views: 744

Re: OPSF loop

I think I fixed it by setting different costs for the interfaces pointing to CCR2004 and CCR2116.
by An5teifo
Wed Mar 06, 2024 2:21 pm
Forum: Forwarding Protocols
Topic: OPSF loop
Replies: 1
Views: 744

OPSF loop

Hello everyone, I stumbled across a weird routing behaviour on my network. In general my network is: Mikrotik CCR2004 as internet & VPN router connected to 2x OPNsense which are connected to a Mikrotik CCR2116 as my network router. As a failover my CCR2004 is also direct to CCR2116 but with hig...
by An5teifo
Mon Jan 29, 2024 1:05 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 296
Views: 85775

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

I think I found the issue: Your script requires a "total" value after the fetch command. Currently it is not being included at "as-value": downloaded=26;duration=00:00:00;status=finished
Hiiiiii, could you share the whole script pls ? thx
You can find it here -> https://forum.mi...
by An5teifo
Tue Jan 23, 2024 9:23 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 169243

Re: v7.14beta [testing] is released!

It seems that
/tool fetch
no longer includes a "total" value - only "downloaded".
Is this an expected/hidden feature or a bug?
by An5teifo
Tue Jan 23, 2024 9:18 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 296
Views: 85775

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Which script have you been using? I'm using a modified version of this one https://forum.mikrotik.com/viewtopic.php?p=935938&sid=9a9086e98c872089e19fd57de7aba7ed#p935938
I think I found the issue: Your script requires a "total" value after the fetch command. Currently it is not be...
by An5teifo
Tue Jan 23, 2024 8:26 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 296
Views: 85775

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

I have tried the script you've mentioned with the 7.14beta8 version released today - it still does not work. Is there a possibility to debug a script to see where the error occurs? So far I just removed the "nolog" parameter, but the only thing I get is Starting import of address-list: spam...
by An5teifo
Tue Jan 23, 2024 9:23 am
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 296
Views: 85775

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

The other, more modern script does not work for me as I get the integer error. I'm skipping v7.13, going to see what changes v7.14 and maybe v7.15 bring and then take a look at fixing the script after that, since fetch is mentioned in the beta changelog. v7.12 is fine for my networks, what I needed in ...
by An5teifo
Mon Jan 22, 2024 9:57 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 296
Views: 85775

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

It just removes the entries with a specific comment:
[find where comment=$description dynamic]
The other, more modern script does not work for me as I get the integer error.
by An5teifo
Sun Jan 21, 2024 6:16 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 296
Views: 85775

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

I found this script on the forum. It works OK on my hEX S running 7.13.2. The only change I've made was to concentrate all entries on a single "blacklist" and select the entries via the comment field. MH :global readfile do={ :local url $1 :local thefile "" :local filesize ([/to...
by An5teifo
Sun Jan 21, 2024 11:33 am
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 296
Views: 85775

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Yes, I tried that as well.
I just received the same error messages as you @kevinds
by An5teifo
Sun Jan 21, 2024 10:13 am
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 296
Views: 85775

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

I just upgraded to 7.14beta7 to verify if fetch is working for this but it does not.
by An5teifo
Wed Jan 10, 2024 9:53 am
Forum: General
Topic: Looking for a router for 10 Gigabit
Replies: 1
Views: 643

Looking for a router for 10 Gigabit

Hello forum, after playing around with some virtual router/firewall I would like to step back to having a physical device in case my servers are down for whatever reason. Some background: I am a prosumer running a 10 Gigabit network at home and managing the IT of friends and family - so nothing miss...
by An5teifo
Mon Jan 08, 2024 9:36 am
Forum: General
Topic: Special routing
Replies: 9
Views: 2660

Re: Special routing

Thanks for the info. In general I am already using a CRS312-4C+8XG-RM as my core switch, where my Proxmox servers are connected via a LACP bond. So far they work pretty well, but as I would also need some firewall rules like "DMZ-VLAN is not allowed to access some hosts from other VLANs", this switch wou...
by An5teifo
Mon Jan 08, 2024 9:24 am
Forum: General
Topic: Special routing
Replies: 9
Views: 2660

Re: Special routing

So the best would be to either leave it as it is or get another router for VLAN routing?
by An5teifo
Mon Jan 08, 2024 8:59 am
Forum: General
Topic: Special routing
Replies: 9
Views: 2660

Re: Special routing

The only reason why I need to use OPNsense is IDS/IPS via Suricata and some Geoblocking to keep those Asian bots out of my network
by An5teifo
Sun Jan 07, 2024 10:14 pm
Forum: General
Topic: Special routing
Replies: 9
Views: 2660

Re: Special routing

CCR is responsible for my VPN tunnels, NAT/portforwarding, WAN traffic in general.

I am using it as my ISP only allows one MAC address on the interface. OPNsense in HA does not do that and I had troubles with that.
by An5teifo
Sun Jan 07, 2024 8:22 pm
Forum: General
Topic: Special routing
Replies: 9
Views: 2660

Re: Special routing

Anyone any idea?
I tried to play around with VRF, but unfortunately when enabling any VRF I am no longer able to reach other devices (either devices via VPN or OPNsense itself).
by An5teifo
Sun Jan 07, 2024 12:18 am
Forum: General
Topic: CRS312 gets to 100 % CPU
Replies: 14
Views: 2805

Re: CRS312 gets to 100 % CPU

I think I finally found the trouble maker: As I use two OPNsense in HA configuration, they synchronise each and every connection state, so if an OPNsense goes down the other can take over immediately without any downtime. The setting is called "Synchronize Peer IP" and its default value is dir...
by An5teifo
Sat Jan 06, 2024 12:26 pm
Forum: General
Topic: CRS312 gets to 100 % CPU
Replies: 14
Views: 2805

Re: CRS312 gets to 100 % CPU

Another interesting fact: Even if I tell iperf3 to only use 1 thread, the switch CPU goes up to 100 %
PS E:\Users\mmuehlbacher\Downloads\iperf-3.1.3-win64> .\iperf3.exe -P 1 -c db1.hks.lan -t 60 Connecting to host db1.hks.lan, port 5201 [ 4] local 192.168.10.12 port 63031 connected to 192.168.20.97 ...
by An5teifo
Sat Dec 23, 2023 10:37 am
Forum: General
Topic: CRS312 gets to 100 % CPU
Replies: 14
Views: 2805

Re: CRS312 gets to 100 % CPU

The switch just discovers some broadcast packets when running at 100 %:
[mathias@Switch-CRS312] /tool/sniffer> packet/print Columns: TIME, INTERFACE, SRC-ADDRESS, DST-ADDRESS, IP-PROTOCOL, SIZE, CPU # TIME INTERFACE SRC-ADDRESS DST-ADDRESS IP-PROTOCOL SIZE CPU 0 14.692 Mathias-Desktop 192.168.10.12...
by An5teifo
Fri Dec 22, 2023 4:02 pm
Forum: General
Topic: CRS312 gets to 100 % CPU
Replies: 14
Views: 2805

Re: CRS312 gets to 100 % CPU

With regards to 1/2 bandwidth: Initially I do get 6.5 Gbit sometimes.
by An5teifo
Fri Dec 22, 2023 2:52 pm
Forum: General
Topic: CRS312 gets to 100 % CPU
Replies: 14
Views: 2805

Re: CRS312 gets to 100 % CPU

Thanks for the marvelous packet flow drawing - this is exactly how I imagine it. I was able to check the CRS312 hosts database on the bridge interface, and both Mathias-Desktop as well as the VM's MAC address are known by the bridge. Unfortunately sniffing packets does not work as the bridge is hw-offloaded...
by An5teifo
Fri Dec 22, 2023 1:34 pm
Forum: General
Topic: CRS312 gets to 100 % CPU
Replies: 14
Views: 2805

Re: CRS312 gets to 100 % CPU

I have already removed VLAN10 from the port configuration. I had initially added it due to the message that VLAN10 is not a port member of the bridge, which was resolved by your last information. In general all interfaces are hardware offloaded:
[mathias@Switch-CRS312] > interface/bridge/port/print Fla...
by An5teifo
Fri Dec 22, 2023 1:14 pm
Forum: General
Topic: CRS312 gets to 100 % CPU
Replies: 14
Views: 2805

Re: CRS312 gets to 100 % CPU

Thanks for the info - I have done that, but the CPU goes up to 100 % immediately:
[mathias@Switch-CRS312] > /tool/profile Columns: NAME, USAGE NAME USAGE ethernet 5% console 1% ssh 0.5% networking 49.5% winbox 0% management 1.5% routing 0% profiling 0% bridging 36.5% unclassified 6% total 100% So...
by An5teifo
Fri Dec 22, 2023 12:10 pm
Forum: General
Topic: CRS312 gets to 100 % CPU
Replies: 14
Views: 2805

Re: CRS312 gets to 100 % CPU

I disabled it as I only want to do L2 traffic, but I already re-enabled it - although the result is the same regardless of whether L3 HW offloading is on or off.
by An5teifo
Wed Dec 20, 2023 1:33 pm
Forum: General
Topic: CRS312 gets to 100 % CPU
Replies: 14
Views: 2805

CRS312 gets to 100 % CPU

Hello everyone, I am using a CRS312-4C+8XG as my main switch. It is connected to two Proxmox servers via LACP. On my Proxmox servers I run an OPNsense appliance for firewalling and inter-VLAN routing. I recently stumbled across a strange behaviour regarding switching traffic: If I run iperf3 within ...
by An5teifo
Tue Dec 19, 2023 2:16 pm
Forum: General
Topic: CCR2004 bridge performance
Replies: 5
Views: 4714

Re: CCR2004 bridge performance

I already found the issue: QoS - I set an upload limit for 80M as this is my general WAN uplink.
As I added my other VLAN interfaces to the bridge I was not able to bypass the 80M limit.
by An5teifo
Tue Dec 19, 2023 11:40 am
Forum: General
Topic: CCR2004 bridge performance
Replies: 5
Views: 4714

Re: CCR2004 bridge performance

As a side note: Doing VLAN routing on CCR2004 does not generate 100 % on any CPU core.
One core is usually at around 25 %.
by An5teifo
Tue Dec 19, 2023 11:30 am
Forum: General
Topic: CCR2004 bridge performance
Replies: 5
Views: 4714

Re: CCR2004 bridge performance

The current config would be below. Kindly note that at the moment I am using OPNsense as VLAN router (temporarily) until the low bridge performance on CCR2004 is fixed.
# 2023-12-19 10:26:44 by RouterOS 7.13 # software id = 7092-YU0E # # model = CCR2004-16G-2S+ # serial number = ABC123 /interface br...
by An5teifo
Tue Dec 19, 2023 11:05 am
Forum: General
Topic: CCR2004 bridge performance
Replies: 5
Views: 4714

CCR2004 bridge performance

Hello, I am currently testing a CCR2004-16G-2S+ for VLAN routing. The switch is connected via SFP+ ports (trunked) to a CRS326 & CSS326 switch (CRS326 is root bridge). Current CCR2004 config would be:
[mathias@IBR] > /interface/bridge/print Flags: X - disabled, R - running 0 R name="bridge1&qu...
by An5teifo
Mon Dec 18, 2023 10:45 am
Forum: General
Topic: Special routing
Replies: 9
Views: 2660

Special routing

Hello there, I am using a CCR2004 router as my main internet router. Right behind it I am running two virtual OPNsense firewalls in HA mode which are also doing my inter-VLAN routing. All devices share the network information via OSPF in a single area (0.0.0.0). As the inter-VLAN routing performanc...
by An5teifo
Mon Feb 27, 2023 2:02 pm
Forum: Useful user articles
Topic: IPS/IDS with SELK
Replies: 23
Views: 14071

Re: IPS/IDS with SELK

I also agree on that, and it's important to only open ports to the internet which are needed and to keep any software up-to-date. Nevertheless it's also a good option to have another layer of security (if you have the resources) to run it. I just thought that I'd mention it in the useful articles - I d...
by An5teifo
Mon Feb 27, 2023 1:54 pm
Forum: Useful user articles
Topic: IPS/IDS with SELK
Replies: 23
Views: 14071

Re: IPS/IDS with SELK

Yeah I know that, but leaving an SQL port open vs SQL injection via HTTP are two different topics. If someone leaves something open without any use case it is not good. But if you have a regular webserver you would need port 80 & 443 open to the web - and there are also the bad guys who tr...
by An5teifo
Mon Feb 27, 2023 1:47 pm
Forum: Useful user articles
Topic: IPS/IDS with SELK
Replies: 23
Views: 14071

Re: IPS/IDS with SELK

Do you guys understand the usecase of an IDS/IPS or are you just bashing on this topic because you have some free time?
by An5teifo
Mon Feb 27, 2023 1:38 pm
Forum: Useful user articles
Topic: IPS/IDS with SELK
Replies: 23
Views: 14071

Re: IPS/IDS with SELK

It does not block traffic based on invalid TCP, UDP, whatever - it blocks traffic from e.g. known bad hosts automatically. Also it does deep inspection and stops any malicious traffic which you in general would allow on a firewall level - e.g. TCP/443 for your webserver. If a bad bot would like to try som...
by An5teifo
Mon Feb 27, 2023 10:35 am
Forum: Useful user articles
Topic: IPS/IDS with SELK
Replies: 23
Views: 14071

Re: IPS/IDS with SELK

SELKS is an IDS/IPS while T-Pot is a Honeypot
by An5teifo
Wed Feb 22, 2023 2:35 pm
Forum: Announcements
Topic: v7.8rc is released!
Replies: 125
Views: 48273

Re: v7.8rc is released!

Unfortunately RC3 still did not solve SUP-107271.
by An5teifo
Mon Feb 20, 2023 10:54 am
Forum: Useful user articles
Topic: IPS/IDS with SELK
Replies: 23
Views: 14071

Re: IPS/IDS with SELK

Please note it's not my GitHub repository - I just mentioned it as I used it as a guideline for installing.
From my point of view it looks like that you are using wrong paths and therefore the application cannot find them.
by An5teifo
Sun Feb 19, 2023 10:58 pm
Forum: Useful user articles
Topic: IPS/IDS with SELK
Replies: 23
Views: 14071

Re: IPS/IDS with SELK

I run mine on Debian 11 - how did you install it?
Just run the easyinstall.sh script?
by An5teifo
Sun Feb 19, 2023 10:29 pm
Forum: Useful user articles
Topic: IPS/IDS with SELK
Replies: 23
Views: 14071

Re: IPS/IDS with SELK

Which OS are you using?
by An5teifo
Sun Feb 19, 2023 11:22 am
Forum: Useful user articles
Topic: IPS/IDS with SELK
Replies: 23
Views: 14071

Re: IPS/IDS with SELK

Have you verified that all containers are up and running? It seems that Suricata is not running. If you enter sudo docker ps it should display something like:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES d40a1db11567 jasonish/suricata:master-amd64 "/etc/suricata/new_e…" 10 days ag...
by An5teifo
Fri Feb 17, 2023 7:47 am
Forum: Announcements
Topic: v7.8rc is released!
Replies: 125
Views: 48273

Re: v7.8rc is released!

I am having troubles with OSPF IPv6. If I just announce regular routes via a passive interface, only a few are being seen by the other routers. Currently I need to stick with redistribute connected. Also the packet sniffer slows down my IPv6 speed dramatically (off ~150 Mbit, on ~ some kbits) but only on...
by An5teifo
Tue Feb 14, 2023 1:54 pm
Forum: Beginner Basics
Topic: VLAN doesn´t access to WAN
Replies: 2
Views: 581

Re: VLAN doesn´t access to WAN

From a quick view I think you messed up with src-nat:
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \ ipsec-policy=out,none out-interface-list=WAN add action=masquerade chain=srcnat disabled=yes src-address=192.168.1.0/24 add action=masquerad...
by An5teifo
Fri Feb 10, 2023 10:46 pm
Forum: General
Topic: IPv6 firewall rules [SOLVED]
Replies: 11
Views: 3368

Re: IPv6 firewall rules [SOLVED]

Thank you both.
I completely reworked the firewall rules on all of my Mikrotik routers with dedicated chains (which makes more sense if you know this nice feature).

So far everything works well and I haven't seen any issues.
by An5teifo
Fri Feb 10, 2023 3:51 pm
Forum: General
Topic: IPv6 firewall rules [SOLVED]
Replies: 11
Views: 3368

Re: IPv6 firewall rules [SOLVED]

Thanks for clarification!
As I used an OPNsense firewall before, I am still learning what is best practice on Mikrotik.
by An5teifo
Fri Feb 10, 2023 3:39 pm
Forum: Beginner Basics
Topic: routing all networks to specific server ip
Replies: 2
Views: 422

Re: routing all networks to specific server ip

Can you also share your current firewall settings?
by An5teifo
Fri Feb 10, 2023 3:33 pm
Forum: Beginner Basics
Topic: Firewall ether1 - pppoe - vlan7
Replies: 4
Views: 885

Re: Firewall ether1 - pppoe - vlan7

I would add all untrusted interfaces into a dedicated list e.g. WAN.
by An5teifo
Fri Feb 10, 2023 3:27 pm
Forum: Virtualization
Topic: CHR on Hyper-V and ZeroTier Networks
Replies: 11
Views: 5853

Re: CHR on Hyper-V and ZeroTier Networks

Hello there,

as a side note: I am running a virtualized x86 ROS on Proxmox (=KVM/QEMU).
Zerotier addon would be available.
by An5teifo
Fri Feb 10, 2023 2:58 pm
Forum: General
Topic: IPv6 firewall rules [SOLVED]
Replies: 11
Views: 3368

Re: IPv6 firewall rules [SOLVED]

Thanks for clarification.
I think I managed it for IPv6 now thanks to you!

May I additionally just ask: Does it make sense to also create a dedicated jump-rule for IPv4 addresses?
by An5teifo
Fri Feb 10, 2023 1:18 pm
Forum: General
Topic: IPv6 firewall rules [SOLVED]
Replies: 11
Views: 3368

Re: IPv6 firewall rules [SOLVED]

Just a further question: Wouldn't it be better to drop any non allowed traffic instead of rejecting it?
by An5teifo
Fri Feb 10, 2023 12:58 pm
Forum: General
Topic: IPv6 firewall rules [SOLVED]
Replies: 11
Views: 3368

Re: IPv6 firewall rules [SOLVED]

Thanks @ConradPino I will start my journey with your suggestions!
by An5teifo
Fri Feb 10, 2023 8:04 am
Forum: Announcements
Topic: v7.8beta [testing] is released!
Replies: 307
Views: 82435

Re: v7.8beta [testing] is released!

Not sure if this is relevant on 7.8 beta but one of my Wireguard peers is not working after a router reboot. I need to disable and reenable the peer manually to get it running.
by An5teifo
Thu Feb 09, 2023 10:08 pm
Forum: General
Topic: IPv6 firewall rules [SOLVED]
Replies: 11
Views: 3368

Re: IPv6 firewall rules [SOLVED]

Because I have several VLANs where I would like to only allow specific hosts/ports.

MikroTik's default firewall rules are more geared towards WAN/LAN, not LAN#1, LAN#2 and so on.
by An5teifo
Thu Feb 09, 2023 7:21 pm
Forum: General
Topic: IPv6 firewall rules [SOLVED]
Replies: 11
Views: 3368

IPv6 firewall rules [SOLVED]

Hello everyone, I recently tried to implement some proper firewall rules for IPv6 by copying my currently existing and working IPv4 firewall rules. But somehow it's not really working. My network consists of several VLANs to separate traffic from management LAN, DMZ, IoT and so on, and I do o...
by An5teifo
Thu Feb 09, 2023 5:29 pm
Forum: Announcements
Topic: MikroTik Devices Controller
Replies: 374
Views: 258305

Re: MikroTik Devices Controller

1) Centralized firewall management
2) Grouped device management (e.g. multiple devices can be at one group and I only need to create firewall rules for this group)
3) Updates
4) Scripting - either on specific devices or a central API endpoint for REST request.
by An5teifo
Thu Feb 09, 2023 2:52 pm
Forum: General
Topic: Speed IPv6 with Packet Sniffer
Replies: 0
Views: 410

Speed IPv6 with Packet Sniffer

Dear forum, I am running a CCR2004-16G-2S+ as my main internet router. As my local ISP only provides IPv4 addresses I have some tunnels to other ISPs with different technologies (GRE, SIT, EoIP, VXLAN). So far everything works properly and I get my usual expected up- & download speed (300/40 for ...
by An5teifo
Thu Feb 09, 2023 2:41 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1235237

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hello there,

yesterday I installed SELKS and connected it with my Mikrotik --> viewtopic.php?t=193417
by An5teifo
Thu Feb 09, 2023 2:26 pm
Forum: Beginner Basics
Topic: VRRP and VLANs on bridge - possible?
Replies: 5
Views: 1908

Re: VRRP and VLANs on bridge - possible?

It's quite simple:
Bridge <-- VLAN <-- VRRP
To be more detailed: You create a bridge and VLANs (via interface). On IP/Address you can assign a specific IP address AND network to a VLAN. Additionally you need to add the VLAN on the bridge interface as tagged (+ the bridge itself). For a VRRP you need to...
by An5teifo
Thu Feb 09, 2023 2:21 pm
Forum: Beginner Basics
Topic: Need help with CCR2004 and wifi
Replies: 1
Views: 337

Re: Need help with CCR2004 and wifi

You can do this via RADIUS.
RouterOS has a specific version of it called "User Manager" --> https://help.mikrotik.com/docs/display/ROS/User+Manager
by An5teifo
Wed Feb 08, 2023 4:07 pm
Forum: Useful user articles
Topic: IPS/IDS with SELK
Replies: 23
Views: 14071

IPS/IDS with SELK

Dear forum, as I recently migrated from OPNsense fully to Mikrotik I had some concerns, as there is no IDS/IPS natively available on Mikrotik - but luckily the internet has some solutions which I implemented and where I would like to share some tips and tricks with you: I found a GitHub project called ...
by An5teifo
Tue Feb 07, 2023 1:30 pm
Forum: General
Topic: VRRP issues [SOLVED]
Replies: 4
Views: 931

Re: VRRP issues [SOLVED]

It seems I had some misconfiguration/understood the settings wrong. I only set all other VRRP interfaces to the master but I did not configure the master to be itself group master. With this setting it works far better. And I also unticked the "Preemption Mode" setting. So now from a netwo...
by An5teifo
Tue Feb 07, 2023 12:50 pm
Forum: General
Topic: VRRP issues [SOLVED]
Replies: 4
Views: 931

Re: VRRP issues [SOLVED]

Thanks for the information.
In general I am using the group master feature, sync connection state and preemption mode on the master.
Additionally I am also using a script which sets the OSPF cost to 65000 on the backup node, so all traffic would be routed via the master router to my main internet router.
by An5teifo
Tue Feb 07, 2023 10:23 am
Forum: General
Topic: VRRP issues [SOLVED]
Replies: 4
Views: 931

VRRP issues [SOLVED]

Hello everyone, I already raised a ticket at support but would also like to see if anyone has a clue what could be wrong: I am currently migrating from virtualized OPNsense to virtualized x86 ROS. So far the setup works pretty well, but I am struggling a lot with VRRP. In general I have several...
by An5teifo
Mon Jan 30, 2023 7:26 pm
Forum: Forwarding Protocols
Topic: BGP filtering [SOLVED]
Replies: 20
Views: 8724

Re: BGP filtering [SOLVED]

No, in general I only have one ISP, but it is only providing me an IPv4 address.
I am connected to several tunnel brokers, vIXPs etc. which all use different types of tunneling (GRE, EoIP, VXLAN, SIT).

So far I did not see any issues on that.
by An5teifo
Mon Jan 30, 2023 5:20 pm
Forum: Forwarding Protocols
Topic: BGP filtering [SOLVED]
Replies: 20
Views: 8724

Re: BGP filtering [SOLVED]

I am just someone who is new to BGP and peering with others.
by An5teifo
Mon Jan 30, 2023 5:16 pm
Forum: Forwarding Protocols
Topic: BGP filtering [SOLVED]
Replies: 20
Views: 8724

Re: BGP filtering [SOLVED]

Behind my Mikrotik I am running a dedicated firewall.
Access to Mikrotik is only granted from a specific IP range.

Why shouldn't there be any additional service running on the router?
by An5teifo
Mon Jan 30, 2023 5:01 pm
Forum: Forwarding Protocols
Topic: BGP filtering [SOLVED]
Replies: 20
Views: 8724

Re: BGP filtering [SOLVED]

Thanks for that. From a firewall perspective I am already pretty solid.
I just recently received my own ASN and try to figure out any best practice rules for peering with others via BGP.
by An5teifo
Mon Jan 30, 2023 2:48 pm
Forum: Forwarding Protocols
Topic: BGP filtering [SOLVED]
Replies: 20
Views: 8724

Re: BGP filtering [SOLVED]

But e.g. on input I currently also have a
if ( dst-len > 48 ) { accept }
rule for IPv6.
With such a rule I would also filter some routable IPv4 ranges - wouldn't I?

If so, it would make sense to create two different chains - 1x v4 & 1x v6.
by An5teifo
Mon Jan 30, 2023 2:15 pm
Forum: Forwarding Protocols
Topic: BGP filtering [SOLVED]
Replies: 20
Views: 8724

Re: BGP filtering [SOLVED]

So should I create two general in/output filters?
One for IPv4 and one for IPv6?
by An5teifo
Mon Jan 30, 2023 1:55 pm
Forum: Forwarding Protocols
Topic: BGP filtering [SOLVED]
Replies: 20
Views: 8724

Re: BGP filtering [SOLVED]

Okay from this perspective I agree.

Are there any general recommendations regarding BGP in-filtering, as I came across some input that accepting anything is not always the best solution?
by An5teifo
Mon Jan 30, 2023 12:28 pm
Forum: Forwarding Protocols
Topic: BGP filtering [SOLVED]
Replies: 20
Views: 8724

Re: BGP filtering [SOLVED]

Isn't it a bit weird?
If I set a filter, the default is to reject anything - if I do not set a filter (leaving it blank), everything would be accepted?!
by An5teifo
Mon Jan 30, 2023 11:42 am
Forum: Forwarding Protocols
Topic: BGP filtering [SOLVED]
Replies: 20
Views: 8724

Re: BGP filtering [SOLVED]

Hello felixhappy,

I thought that on ROS 7 the default filter mechanism is to deny any?
by An5teifo
Thu Jan 26, 2023 3:36 pm
Forum: Forwarding Protocols
Topic: BGP filtering [SOLVED]
Replies: 20
Views: 8724

BGP filtering [SOLVED]

Hello there, as I am very new to BGP and its filtering mechanism I would like to get some help: What would be the right filter for an - input "Any route that you send me I will accept" - output "I only send you my biggest /40 subnet but not the /48 & /64 subnets which I split...
by An5teifo
Mon Jan 23, 2023 2:23 pm
Forum: Forwarding Protocols
Topic: BGP announce /48 subnet
Replies: 2
Views: 2251

Re: BGP announce /48 subnet

Okay, got it.

Outbound filter like
if (dst==own address/48) {accept}
by An5teifo
Mon Jan 23, 2023 1:55 pm
Forum: Forwarding Protocols
Topic: BGP announce /48 subnet
Replies: 2
Views: 2251

BGP announce /48 subnet

Hello everyone, I just took my first steps with BGP and want to announce my /48 IPv6 subnet to my BGP peer. So far I only found the ability to announce "connected", which includes this subnet but also my split /64 subnets. Is there any possibility to announce only the "big" /48 su...
by An5teifo
Fri Jan 20, 2023 12:36 pm
Forum: General
Topic: IPv6 routing
Replies: 3
Views: 1089

IPv6 routing

Hello everyone, cross-posting my Reddit question also here: as my ISP does not provide any IPv6 connectivity but I still wanted to have it, I rented a cloud server and deployed a CHR image from Mikrotik. The cloud server provides a /64 public routable address but sets the default gateway to fe80::/1 via ...
by An5teifo
Mon Apr 25, 2022 9:15 pm
Forum: General
Topic: Wireguard failover (?)
Replies: 14
Views: 2480

Re: Wireguard failover (?)

Seems that this was the issue: I don't know why or how but it seems my HQ acted as a client (and not as the server) for wireguard connection.
Now, after I have removed the preconfigured port from Wireguard peer on MT remote it works as expected.
by An5teifo
Mon Apr 25, 2022 7:35 pm
Forum: General
Topic: Wireguard failover (?)
Replies: 14
Views: 2480

Re: Wireguard failover (?)

It seemed that my OPNsense fw has established a connection with my remote side via a NAT.
I removed the prefilled Wireguard listen-port and let it choose a new random one and after that the connection looks like an incoming VPN client-> server connection which I expect.
by An5teifo
Mon Apr 25, 2022 7:13 pm
Forum: General
Topic: Wireguard failover (?)
Replies: 14
Views: 2480

Re: Wireguard failover (?)

What is also strange:

On my internet border router (= HQ) I cannot see any connections going to the dst port?!
Although the Wireguard VPN is up and running and hosts can ping each other.

It's a bit weird?
by An5teifo
Mon Apr 25, 2022 6:42 pm
Forum: General
Topic: Wireguard failover (?)
Replies: 14
Views: 2480

Re: Wireguard failover (?)

Sounds like an HA setup issue. Is there some mac address change somewhere?? If there is no change to destination port or IP address, and if the HQ MT WANIP stays up, not sure what can be done at the client side ???
I am also not sure - from a WAN perspective even the MAC address stays the same as a...
by An5teifo
Mon Apr 25, 2022 6:21 pm
Forum: General
Topic: Wireguard failover (?)
Replies: 14
Views: 2480

Re: Wireguard failover (?)

Try more details. Is it client to server (= remote is behind NAT and HQ needs to wait until it connects) or peer to peer (any side can initialize connection to the other)? What exactly happens on failover? Does the second machine come up with same IP address and WG listening on same port? If so, it...
by An5teifo
Mon Apr 25, 2022 5:08 pm
Forum: General
Topic: Wireguard failover (?)
Replies: 14
Views: 2480

Re: Wireguard failover (?)

@anav: May I ask, where to place/use such a script as you have mentioned at para 6?
by An5teifo
Mon Apr 25, 2022 2:52 pm
Forum: General
Topic: Wireguard failover (?)
Replies: 14
Views: 2480

Re: Wireguard failover (?)

Hmm maybe something like
"ping 5x" if no ping then restart Wireguard service.

I did not know how to do this via SSH so I just disabled the Wireguard interface and enabled it again but that did not solve my issue.
by An5teifo
Mon Apr 25, 2022 2:35 pm
Forum: General
Topic: Wireguard failover (?)
Replies: 14
Views: 2480

Re: Wireguard failover (?)

I am not sure if this might be my reason as I am using a static IP address which is being terminated on my HQ Mikrotik router.
No hostname or dynamic hostnames are being used.
by An5teifo
Mon Apr 25, 2022 11:51 am
Forum: General
Topic: Wireguard failover (?)
Replies: 14
Views: 2480

Wireguard failover (?)

Hello everyone, I recently rebuilt my local network and my remote network: HQ: ISP -> Mikrotik (internet border router) -> 2x OPNsense as HA configuration with CARP -> LAN Remote: ISP -> Mikrotik -> LAN On both places I am using Wireguard as VPN connection and so far it works pretty much out of the box. ...
by An5teifo
Fri Dec 31, 2021 6:45 pm
Forum: Beginner Basics
Topic: Different WLAN with CAPsMAN
Replies: 2
Views: 2787

Re: Different WLAN with CAPsMAN

Thanks for the advice - I already found help on Reddit.
The thing in general is that I do not need a very high bandwidth, as only my mobile phone + sometimes a laptop is connected to it.
I just wanted to have a 2.4 & 5 GHz within one device and the regular disk APs were already sold-out on Amazon.
by An5teifo
Fri Dec 17, 2021 10:15 pm
Forum: Wireless Networking
Topic: CAPsMAN 2.4 & 5 GHz same SSID [SOLVED]
Replies: 1
Views: 4034

CAPsMAN 2.4 & 5 GHz same SSID [SOLVED]

Hello there, I recently moved from Unifi to MikroTik's Audience and run the Wifi via CAPsMAN. What is a bit weird to me is, if I set up just SSIDs with authentication (like for a home AP) I receive any SSID at 2.4 & 5 GHz. As soon as I create a dedicated channel setting and use it for my SSIDs, I on...
by An5teifo
Mon Dec 13, 2021 11:13 am
Forum: Beginner Basics
Topic: Different WLAN with CAPsMAN
Replies: 2
Views: 2787

Different WLAN with CAPsMAN

Hello everyone, I recently decided to replace my last bit of network (Unifi) with Mikrotik Audience for WLAN coverage. Currently I am setting up my 10 Gbase-T switch (CRS312-4C+8XG-RM) to act as my CAPsMAN controller for this and probably another WLAN device. So far I created my three different WLAN ...