Search found 34 matches

by mdadigital
Mon Feb 19, 2024 1:49 pm
Forum: Scripting
Topic: Black list for failed login to IPSec VPN
Replies: 68
Views: 40834

Re: Black list for failed login to IPSec VPN

I was locked out from my own VPN when a timeout occurred on a bad connection. I added this, which checks if the IP has had an ISAKMP-SA established:
:if ($logMessage~"ISAKMP-SA established") do={
:local temp [:pick $logMessage ([:find $logMessage "]-"] + 2) 999]
:set whitelist [:pic...
by mdadigital
Fri May 12, 2023 10:16 am
Forum: Scripting
Topic: CPU usage script in terminal
Replies: 2
Views: 2537

Re: CPU usage script in terminal

Hello. I'm quite new to writing scripts for MikroTik. But I needed a script that would display the usage of the MikroTik processor in the terminal. Is it possible?
:local cpuLoad [/system resource get cpu-load] 
:put $cpuLoad 
by mdadigital
Fri May 12, 2023 10:02 am
Forum: Scripting
Topic: Black list for failed login to IPSec VPN
Replies: 68
Views: 40834

Re: Black list for failed login to IPSec VPN

I have 6.48.6
Be advised, that assumption might become wrong.
It looks like they are moving towards standardized date/time formatting.
See latest change log on 7.10b5.
My code you are trying to execute on your router was written on 7.8 - 7.9
by mdadigital
Thu May 11, 2023 11:13 pm
Forum: Scripting
Topic: Black list for failed login to IPSec VPN
Replies: 68
Views: 40834

Re: Black list for failed login to IPSec VPN

It's a shame the MikroTik log doesn't have a proper datetime data type.
by mdadigital
Thu May 11, 2023 10:48 pm
Forum: Scripting
Topic: Black list for failed login to IPSec VPN
Replies: 68
Views: 40834

Re: Black list for failed login to IPSec VPN

I added this so that it only looks at today's logs. Otherwise it will report old logs after the timeout period. I use the fact that today's logs only have a time, not a date.
:if ([:len [get $i time]] = 8 and [:len [/ip fire addr find where list=$listName address=$logIp]] < 1) do={   
by mdadigital
Fri May 05, 2023 11:07 am
Forum: Scripting
Topic: Black list for failed login to IPSec VPN
Replies: 68
Views: 40834

Re: Black list for failed login to IPSec VPN

Here is my variant that also reports abuse
:local listName "portscanner"
:local logMessage ""
:local logIp ""
/log
:foreach i in=[find where message~"phase1 negotiation failed\\." or message~"phase1 negotiation failed due to time up "] do={
:set logM...
by mdadigital
Tue May 02, 2023 1:02 pm
Forum: General
Topic: LTE6 and CAP ax as AP/router for country house
Replies: 3
Views: 316

Re: LTE6 and CAP ax as AP/router for country house

Not conceptually besides overkill for the AP? cAP AC (or XL AC, if you want) or AC3, even AC2 will be enough. You will normally never saturate the LTE6 connection, I would think? Still nice to have a wifi6 network for the future? edit: I have 5G but MikroTik doesn't have a 5G product yet in this f...
by mdadigital
Tue May 02, 2023 11:58 am
Forum: General
Topic: LTE6 and CAP ax as AP/router for country house
Replies: 3
Views: 316

LTE6 and CAP ax as AP/router for country house

I'm looking at fixing a better connection at our country house. I'm thinking of getting the LTE6 https://mikrotik.com/product/lhgg_lte6_kit And then a cable into the house and connect it to a cAP ax https://mikrotik.com/product/cap_ax I would then run the cAP ax as AP and router. You guys see any proble...
by mdadigital
Mon Apr 24, 2023 12:02 pm
Forum: Beginner Basics
Topic: IPv6 help [SOLVED]
Replies: 16
Views: 6242

Re: IPv6 help [SOLVED]

Post full configuration export ... execute /export hide-sensitive file=anynameyouwish from terminal window, fetch resulting file, open it in text editor, obfuscate any remaining sensitive information (e.g. public IP addresses - but keep them the way they are still distinguishable from each other) a...
by mdadigital
Thu Mar 30, 2023 12:15 pm
Forum: General
Topic: Can I hide ipsec IKE with a better firewall rule
Replies: 5
Views: 526

Re: Can I hide ipsec IKE with a better firewall rule

I hope you are not in the Steve Gibson camp... did you "hide" your router for ICMP as well? BAD IDEA!!!
ICMP is not hidden :D
But hiding that I have a VPN would be nice
by mdadigital
Thu Mar 30, 2023 11:51 am
Forum: General
Topic: Can I hide ipsec IKE with a better firewall rule
Replies: 5
Views: 526

Re: Can I hide ipsec IKE with a better firewall rule

IKE requires this port open. At least for "incoming connections". When you make your connections towards another system that is passive, you can of course remove that rule as the established/related rule will take care of it. In that case, make sure you have DPD (dead peer detection) acti...
by mdadigital
Thu Mar 30, 2023 10:37 am
Forum: General
Topic: Can I hide ipsec IKE with a better firewall rule
Replies: 5
Views: 526

Can I hide ipsec IKE with a better firewall rule

Hi, I use the default IKE port 500 rule from MikroTik when you add a VPN. I tried a port scanner and it detects port 500 open. Since IKE uses UDP and thus is connectionless, it feels like it should be possible to hide the port better for scanners. Only let valid traffic through that success with e...
by mdadigital
Tue Mar 14, 2023 5:13 pm
Forum: General
Topic: Add which interface to dhcp assign logging
Replies: 7
Views: 491

Re: Add which interface to dhcp assign logging

This does the job
/interface/bridge/host
:local interFace [get [find mac-address=$leaseActMAC] on-interface]

:log info $interFace;

by mdadigital
Tue Mar 14, 2023 1:38 pm
Forum: General
Topic: Add which interface to dhcp assign logging
Replies: 7
Views: 491

Re: Add which interface to dhcp assign logging

OK, so there is a tab called lease script. If I put :log info "foo"; It logs foo when an IP is assigned and deassigned. But I can't for the life of me figure out how I print the interface there. According to docs there is an event variable called interface. But I can't figure out how to print t...
by mdadigital
Tue Mar 14, 2023 1:09 pm
Forum: General
Topic: Add which interface to dhcp assign logging
Replies: 7
Views: 491

Re: Add which interface to dhcp assign logging

Ah...now I understand, some sort of custom logging where this information is included.
Yeah, I want to know on which interface this traffic originated. It's concerning I can't find out which hardware uses these MAC addresses. Seems like unauthorized access, how the heck that can happen
by mdadigital
Tue Mar 14, 2023 11:47 am
Forum: General
Topic: Add which interface to dhcp assign logging
Replies: 7
Views: 491

Re: Add which interface to dhcp assign logging

If I look in /ip/dhcp-server/leases in Winbox, it shows the bridge port. Are these connected through wire or wireless? The latter is (in my case) not shown, while everything connected to wire is. Yeah, but I want it in the log when devices are assigned an IP. I need to debug these strange connectio...
by mdadigital
Tue Mar 14, 2023 11:06 am
Forum: General
Topic: Add which interface to dhcp assign logging
Replies: 7
Views: 491

Add which interface to dhcp assign logging

I would like to know which interface dhcp assigns are made on. I have logs with MAC addresses I do not recognise.
Can I add this to the logging? Thanks

edit: It has happened twice with different MAC addresses and both are to the second 10 minutes long
by mdadigital
Tue Mar 07, 2023 6:02 pm
Forum: General
Topic: Unstable L2TP
Replies: 10
Views: 1836

Re: Unstable L2TP

Ah, it's built into the router. I missed that, only looked at L2TP and OpenVPN. Will have a go.
edit: Aha, doesn't work with the built-in Windows client. That's a pain.

There must be a way to configure L2TP to be more stable on cell connections?
by mdadigital
Tue Mar 07, 2023 5:24 pm
Forum: General
Topic: Unstable L2TP
Replies: 10
Views: 1836

Re: Unstable L2TP

No, that's your conclusion. I am not saying that at all. Just that some VPN protocols are more sensitive to connection drops than others. E.g. when I make connection using Azure Remote Desktop to a virtual server over cell or Wifi I get kicked out at least once or twice a day. Usually it will recov...
by mdadigital
Tue Mar 07, 2023 5:09 pm
Forum: General
Topic: Unstable L2TP
Replies: 10
Views: 1836

Re: Unstable L2TP

Change VPN ? Wireguard comes to mind, have used it quite a bit using cell-connections without major problems (wireguard on cell phone and/or using SXT LTE as modem). Even when being in a car driving on the highway, hopping from base station to base station. It handles reconnects pretty well. Are yo...
by mdadigital
Tue Mar 07, 2023 4:03 pm
Forum: General
Topic: Unstable L2TP
Replies: 10
Views: 1836

Re: Unstable L2TP

I have been working for about 3 hours now from a landline and without any connection issues. I reset my traffic counter; at that point I had a few drops recorded from a previous run with a cell phone. After 3 hours no recorded packet drops https://i.imgur.com/OevC6XE.png I'm pretty sure the VPN respo...
by mdadigital
Tue Mar 07, 2023 1:25 pm
Forum: General
Topic: Unstable L2TP
Replies: 10
Views: 1836

Re: Unstable L2TP

Are internet matches stable? Is the L2tp configuration on your mikrotik router something like this? https://forum.mikrotik.com/download/file.php?id=48815 I was on a cell phone connection. Though a stable one. This worked just fine with my old PPTP VPN configured on my windows machine. It even worke...
by mdadigital
Mon Mar 06, 2023 4:56 pm
Forum: General
Topic: Unstable L2TP
Replies: 10
Views: 1836

Unstable L2TP

I configured an L2TP VPN with IPsec. I can connect and it works fine. But after a while I get disconnected from my remote desktop session, I'm still connected to the VPN according to Windows VPN client. I have to disconnect the VPN, connect again and connect back to remote desktop. I need this to wor...
by mdadigital
Mon Mar 06, 2023 4:48 pm
Forum: General
Topic: Malicious L2TP requests in log
Replies: 5
Views: 2083

Re: Malicious L2TP requests in log

Hey guys. I configured an L2TP VPN and in the process I changed the firewall setting to only accept L2TP packages that are IPsec encrypted. After that I stopped receiving malicious requests in the log. (Have only tried for a while so will keep looking out).

Thanks for feedback btw
by mdadigital
Sun Mar 05, 2023 8:38 pm
Forum: General
Topic: Malicious L2TP requests in log
Replies: 5
Views: 2083

Re: Malicious L2TP requests in log

I really need help with this. I ran a security test and I got this

Image
by mdadigital
Thu Mar 02, 2023 9:48 pm
Forum: General
Topic: Malicious L2TP requests in log
Replies: 5
Views: 2083

Malicious L2TP requests in log

Like this
first L2TP UDP packet received from 154.89.5.115
Though I don't have any L2TP server configured. Is this just info that someone is trying to connect even though no server exists?

Image

Image
by mdadigital
Wed Mar 01, 2023 10:56 pm
Forum: General
Topic: Public-Mikrotik-Bandwidth-Test-Server(s)
Replies: 1058
Views: 1203216

Re: Public-Mikrotik-Bandwidth-Test-Server(s)

I still think this is a bit strange.

Image

Iperf3 with a bit lower bandwidth usage uses about 40% of a single core.

Speedtest.net uses about 20% of a single core while having a slightly higher bandwidth
by mdadigital
Wed Mar 01, 2023 10:45 pm
Forum: General
Topic: Public-Mikrotik-Bandwidth-Test-Server(s)
Replies: 1058
Views: 1203216

Re: Public-Mikrotik-Bandwidth-Test-Server(s)

Outside of MikroTik btest we also have speedtest.net, which you can run both from the router from a Docker container and from a client PC.
Also something that is useful is this list of public iperf3 servers

https://github.com/R0GGER/public-iperf3-servers
by mdadigital
Wed Mar 01, 2023 10:50 am
Forum: General
Topic: Public-Mikrotik-Bandwidth-Test-Server(s)
Replies: 1058
Views: 1203216

Re: Public-Mikrotik-Bandwidth-Test-Server(s)

Running speedtest is from a PC? Logical then that CPU is higher when running btest on the router itself. Except for packet handling, which it is designed for, the router does nothing in the former case. Btest can be pretty CPU intensive. As long as it does not reach 100 on a single core, I wouldn't...
by mdadigital
Wed Mar 01, 2023 10:36 am
Forum: General
Topic: Public-Mikrotik-Bandwidth-Test-Server(s)
Replies: 1058
Views: 1203216

Re: Public-Mikrotik-Bandwidth-Test-Server(s)

Are there any European servers that are up and working? I only get about 400 mbit to the US ones though my ISP is a gigabit fiber. I get about 900mbit using speedtest.net What's interesting though is that tools/profiling reports less CPU usage with speedtest.net at 900mbit than the local cpu stats ...
by mdadigital
Wed Mar 01, 2023 1:10 am
Forum: General
Topic: Public-Mikrotik-Bandwidth-Test-Server(s)
Replies: 1058
Views: 1203216

Re: Public-Mikrotik-Bandwidth-Test-Server(s)

Are there any European servers that are up and working? I only get about 400 mbit to the US ones though my ISP is a gigabit fiber. I get about 900mbit using speedtest.net What's interesting though is that tools/profiling reports less CPU usage with speedtest.net at 900mbit than the local cpu stats s...
by mdadigital
Sat Feb 25, 2023 4:54 pm
Forum: General
Topic: Getting this error: DNS_PROBE_FINISHED_NXDOMAIN [SOLVED]
Replies: 3
Views: 1989

Re: Getting this error: DNS_PROBE_FINISHED_NXDOMAIN [SOLVED]

no ideas without your config
Sorry, this might have been an ISP DNS problem that coincided with me switching out routers. After an ipconfig /flushdns it seems to work.
by mdadigital
Fri Feb 24, 2023 1:34 pm
Forum: General
Topic: Getting this error: DNS_PROBE_FINISHED_NXDOMAIN [SOLVED]
Replies: 3
Views: 1989

Getting this error: DNS_PROBE_FINISHED_NXDOMAIN [SOLVED]

Hi guys. I have a newly installed RB4011. Everything works. But I get a DNS_PROBE_FINISHED_NXDOMAIN for one specific website. I use the gateway as DNS on my computer. If I use 8.8.8.8 on my computer it works. But when I revert to gateway it does not work anymore.

Any ideas?
by mdadigital
Wed Feb 22, 2023 11:45 am
Forum: Beginner Basics
Topic: Computer name is not accessible from android phone
Replies: 0
Views: 302

Computer name is not accessible from android phone

Hi, I have a new RB4011. Everything works perfectly. From wired connections I can access my webserver on my LAN using the webserver's computer name, e.g. winserver:8080. It also worked on PC clients connected to my Ubiquiti AP. But it does not work for my Android phone connected to the same Ubiquiti AP. It works ...