Search found 66 matches

by minfrin
Mon Aug 19, 2024 11:42 am
Forum: RouterOS beta
Topic: Feature Request - NAT64/DNS64 CGN
Replies: 36
Views: 27639

Re: Feature Request - NAT64/DNS64 CGN

Would be great to have the IPv4 holdouts not hold the rest of us to ransom.

+1
by minfrin
Tue Oct 10, 2023 2:03 pm
Forum: RouterBOARD hardware
Topic: CRS328-24P-4S+RM: Which port is sfp-sfpplus2?
Replies: 2
Views: 2328

CRS328-24P-4S+RM: Which port is sfp-sfpplus2?

I have someone at a remote site verifying where cables are plugged in, we have a CRS328-24P-4S+RM. The manual contains no pictures of the device, and we need a clear and unambiguous description of which port is which. Is sfp-sfpplus2 the top left SFP+ socket, or the bottom left SFP+ socket? The labe...
by minfrin
Sat Oct 07, 2023 8:15 pm
Forum: General
Topic: Netinstall stuck at "Waiting for RouterBOARD..."
Replies: 2
Views: 1131

Re: Netinstall stuck at "Waiting for RouterBOARD..."

There are multiple ways for firewalls to break things. In the case of Rocky9 you need to disable the firewall like this:
[root@netinstall ~]# service firewalld stop
by minfrin
Sat Oct 07, 2023 7:26 pm
Forum: General
Topic: Netinstall stuck at "Waiting for RouterBOARD..."
Replies: 2
Views: 1131

Netinstall stuck at "Waiting for RouterBOARD..."

Been stuck trying to un-brick a CAP XL ac, and have not got netinstall to work. Most specifically, netinstall hangs having done this: [root@netinstall ~]# ./netinstall-cli -a 192.168.88.1 routeros-7.11.2-arm.npk Version: 7.12rc1(2023-10-05 06:32:41) Interface Mask: 255.255.255.0 Using Client IP: 192...
by minfrin
Fri Oct 06, 2023 8:03 pm
Forum: RouterBOARD hardware
Topic: RouterOS 7.11.2 bricks CAP ac after routine update
Replies: 3
Views: 3675

RouterOS 7.11.2 bricks CAP ac after routine update

Hi all, Routine upgrade of a CAP ac: [MikroTik console login banner]...
by minfrin
Sat Mar 04, 2023 12:16 pm
Forum: RouterBOARD hardware
Topic: RouterOS 7.8 bricked cAP XL ac
Replies: 14
Views: 6177

Re: RouterOS 7.8 bricked cAP XL ac

Tried a Rocky8 machine using a spare ethernet port, and a Latte Panda running Windows 10. My other options are an RPi and a Macbook Pro, neither will help. I am imagining that netinstall is something cobbled together in the past that only works under specialised circumstances. I see reports of peopl...
by minfrin
Sat Mar 04, 2023 11:21 am
Forum: RouterBOARD hardware
Topic: RouterOS 7.8 bricked cAP XL ac
Replies: 14
Views: 6177

Re: RouterOS 7.8 bricked cAP XL ac

Already tried downgrading netinstall to 7.7, no luck.

tcpdump shows that the device is making many bootp requests, but netinstall ignores these completely.

Just tried Windows, also no luck. Different switch, no luck.

I'm not entirely convinced that netinstall works properly.
by minfrin
Sat Mar 04, 2023 12:07 am
Forum: RouterBOARD hardware
Topic: RouterOS 7.8 bricked cAP XL ac
Replies: 14
Views: 6177

Re: RouterOS 7.8 bricked cAP XL ac

After the device starts, tcpdump immediately shows this: 21:03:17.598981 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 18:fd:74:3e:d7:b0 (oui Unknown), length 300 21:03:17.799113 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 18:fd:74:3e:d7:b0 (oui Unknow...
by minfrin
Fri Mar 03, 2023 6:44 pm
Forum: RouterBOARD hardware
Topic: RouterOS 7.8 bricked cAP XL ac
Replies: 14
Views: 6177

RouterOS 7.8 bricked cAP XL ac

Hi all,

Went through the standard update process for 7.7 to 7.8 on a cAP XL ac, and after a long time the device has not returned. Power and user lights on, E1 light flickering, not responding to mac-telnet.

Anyone encountered this before?

Regards,
Graham
--
by minfrin
Sat Oct 08, 2022 2:22 pm
Forum: RouterBOARD hardware
Topic: Numbering of SFP+ ports on the CRS328-24P-4S+RM - which one is sfp-sfpplus1?
Replies: 1
Views: 614

Numbering of SFP+ ports on the CRS328-24P-4S+RM - which one is sfp-sfpplus1?

Hi all, 10 0000 miles away from me right now is a CRS328-24P-4S+RM, reporting that sfp-sfpplus1 is connected and running to a downstream device. I also have a photo showing me that of the 4 SFP+ ports, the bottom left and bottom right ports are plugged into a cable. Alas the picture of the port numb...
by minfrin
Thu Sep 29, 2022 4:44 pm
Forum: General
Topic: LtAP and GPS: where is the date/time coming from when GPS has no signal?
Replies: 0
Views: 326

LtAP and GPS: where is the date/time coming from when GPS has no signal?

Hi all, I have an LtAP that has been incorrectly installed (a story for another day) with a GPS that reports no signal. This makes sense, as the device is sitting deep in a cupboard with no signal. However, despite reporting zero satellites, zero validity, the date-and-time is updated somehow and co...
by minfrin
Mon Aug 22, 2022 12:40 pm
Forum: General
Topic: LTE: how do I reply to a USSD message?
Replies: 0
Views: 420

LTE: how do I reply to a USSD message?

The manual at https://wiki.mikrotik.com/wiki/Manual:Tools/Sms#USSD_messages shows how to send a USSD message, and this works: /tool/sms/send lte1 phone-number="*136*1#" type=ussd I get a response inviting me to continue the conversation by sending "1". How do I send the "1"...
by minfrin
Sat Aug 20, 2022 10:51 am
Forum: General
Topic: LTE: How do you send a USSD message and receive a response?
Replies: 4
Views: 4190

Re: LTE: How do you send a USSD message and receive a response?

your lte1 is not registered (R) on gsm-only. Is supported from your modem and mobile operator? That cut and paste is between times while it was connected, it is back connected again. [minfrin@rescue] /interface/lte> print Flags: R - RUNNING Columns: NAME, MTU, NETWORK-MODE, APN-PROFILES # NAME MTU ...
by minfrin
Fri Aug 19, 2022 6:55 pm
Forum: General
Topic: LTE: How do you send a USSD message and receive a response?
Replies: 4
Views: 4190

Re: LTE: How do you send a USSD message and receive a response?

You must enable GSM or 3G, LTE only is not able to send USSD codes. Am I right in understanding that the following command enables GSM? [minfrin@rescue] /interface/lte> set lte1 network-mode=gsm [minfrin@rescue] /interface/lte> print Flags: R - RUNNING Columns: NAME, MTU, NETWORK-MODE, APN-PROFILES...
by minfrin
Fri Aug 19, 2022 5:24 pm
Forum: General
Topic: LTE: How do you send a USSD message and receive a response?
Replies: 4
Views: 4190

LTE: How do you send a USSD message and receive a response?

I have a Mikrotik LTAP RouterOS 7.4 with a R11e-LTE6_V034 firmware modem inside, with a simcard that I am trying to activate. Having read manuals and browsed forums I understand there are two mechanisms that can be used to send USSD messages, however there seems to be few details on where the respon...
by minfrin
Tue May 03, 2022 12:06 am
Forum: RouterBOARD hardware
Topic: CRS309-1G-8S+: Poor PPPoE performance
Replies: 8
Views: 4226

Re: CRS309-1G-8S+: Poor PPPoE performance

I'm confused - the Cloud ROUTER Switch is not a router - can you explain? An analysis of the router while loaded shows both CPUs on the device maxed out, so while CPU bound PPPoE does not appear to be single threaded. Do you have some kind of evidence to back up the claim that the RB4011, RB5009, et...
by minfrin
Sun May 01, 2022 1:10 pm
Forum: RouterBOARD hardware
Topic: CRS309-1G-8S+: Poor PPPoE performance
Replies: 8
Views: 4226

CRS309-1G-8S+: Poor PPPoE performance

Hi all, I have a CRS309-1G-8S+ that is routing a series of VLANs to the internet via a PPPoE connection provided by BT OpenReach. While the line is provisioned for a max download of 1000Mbps, the CRS309-1G-8S+ is maxing out both CPUs at around 400Mbps. Is there a way to get the CRS309-1G-8S+ to achi...
by minfrin
Sun Apr 10, 2022 11:46 pm
Forum: Beginner Basics
Topic: NTP stuck on Waiting....
Replies: 93
Views: 30139

Re: NTP stuck on Waiting....

Hi all, Posting my experience as it may help someone. Had same problem, NTP stuck in waiting. Eventually I discovered I could ping in one direction but not the other, odd. Turned out two interfaces on different VLANs were enabled for OSPFv3, and there was an asymmetrical route. As soon as OSPF was l...
by minfrin
Mon Mar 21, 2022 4:55 pm
Forum: RouterBOARD hardware
Topic: CRS305-1G-4S+IN with 1Gbps PPPoE - will it be fast enough?
Replies: 1
Views: 1245

CRS305-1G-4S+IN with 1Gbps PPPoE - will it be fast enough?

Hi all, I am considering a CRS305-1G-4S+IN to act as a router between a WAN port running PPPoE at 1Gbps, and the rest of the ports switched together. Will this router be fast enough to handle some modest routing, including IP masquerading and some basic filter rules at 1Gbps through the WAN port? Th...
by minfrin
Tue Mar 01, 2022 1:52 pm
Forum: General
Topic: Bug: /system routerboard usb excluded from export on LtAP
Replies: 0
Views: 194

Bug: /system routerboard usb excluded from export on LtAP

Hi all, Small bug I've found in RouterOS 7.1.3 on an LtAP. When the configuration is set as follows: /system routerboard usb> set type=mini-PCIe overriding the default value of type: USB-type-A This is excluded from the /export command. This breaks config backups, as the system routerboard usb setti...
by minfrin
Mon Feb 21, 2022 2:58 pm
Forum: General
Topic: Is my Serial Console enabled and switched on?
Replies: 2
Views: 520

Is my Serial Console enabled and switched on?

Hi all, I have a CRS328-24P-4S+RM, and have its serial console plugged in. The serial console does not respond. Other serial consoles work on other devices, so we know the client side works fine. We have tried different cables, introducing null modem cables, nothing works. The question is, given th...
by minfrin
Wed Jan 19, 2022 9:45 pm
Forum: General
Topic: download.mikrotik.com does not work via IPv6
Replies: 3
Views: 1296

Re: download.mikrotik.com does not work via IPv6

Seeing the same problem alas. Little-Net:routeros minfrin$ wget -c https://download.mikrotik.com/routeros/7.1.1/routeros-7.1.1-mipsbe.npk --2022-01-19 21:38:58-- https://download.mikrotik.com/routeros/7.1.1/routeros-7.1.1-mipsbe.npk SSL_INIT Resolving download.mikrotik.com (download.mikrotik.com)......
by minfrin
Fri May 29, 2020 8:26 pm
Forum: General
Topic: Collectd monitoring via SNMPv3 - Timeout (plaintext scopedPDU header type 00: s/b 30)
Replies: 1
Views: 2989

Re: Collectd monitoring via SNMP - Timeout (plaintext scopedPDU header type 00: s/b 30)

Turns out all routerboards default to the same engine-id by default. This confuses net-snmp, and in turn collectd-snmp, which use one engine definition for all unrelated connections. One router works, all other routers reject the packets, and trigger the timeouts. Workaround is to manually set a uni...
by minfrin
Fri May 29, 2020 7:14 pm
Forum: General
Topic: snmp,debug v3 err: 1 not in time window or incorrect engine boots
Replies: 1
Views: 2817

Re: snmp,debug v3 err: 1 not in time window or incorrect engine boots

What it means is that two or more hosts (in this case routerboards) have the same SNMPv3 engine ID, and net-snmp has mixed up the hosts it has been told to monitor, and is using the engine ID from one router to send requests to another. In this case you will see one router return SNMPv3 data as norm...
by minfrin
Thu May 28, 2020 5:18 pm
Forum: General
Topic: snmp,debug v3 err: 1 not in time window or incorrect engine boots
Replies: 1
Views: 2817

snmp,debug v3 err: 1 not in time window or incorrect engine boots

Hi,

I have a router that responds as follows to an SNMPv3 request:

snmp,debug v3 err: 1 not in time window or incorrect engine boots

What does it mean, and how do I fix it?

Regards,
Graham
--
by minfrin
Sun May 24, 2020 2:07 pm
Forum: General
Topic: Collectd monitoring via SNMPv3 - Timeout (plaintext scopedPDU header type 00: s/b 30)
Replies: 1
Views: 2989

Collectd monitoring via SNMPv3 - Timeout (plaintext scopedPDU header type 00: s/b 30)

Hi all, Trying to monitor various routerboards using collectd. Snmpwalk using SNMPv3 works great, I can connect to the routerboards no problem. In the case of collectd, I can connect to one big switch and get a response, or two small switches and get a response, and more than that and the attempts t...
by minfrin
Thu Apr 30, 2020 12:42 am
Forum: RouterBOARD hardware
Topic: hEX S + SFP+ in the near future?
Replies: 1
Views: 1499

hEX S + SFP+ in the near future?

Hi all,

Is there any chance of one of these with SFP+ on the roadmap?

https://mikrotik.com/product/hex_s

Regards,
Graham
--
by minfrin
Sun Feb 16, 2020 1:36 am
Forum: General
Topic: SCEP and https URLs: failure: Not a HTTP URL!
Replies: 1
Views: 2831

SCEP and https URLs: failure: Not a HTTP URL!

Hi all, When adding a SCEP server that is part of a wider SSL secured server, the following error occurs: [minfrin@router] /certificate> add-scep template=test-name scep-url=https://interop.redwax.eu/test/simple/scep failure: Not a HTTP URL! Are there plans to fix the SCEP client so that it can conn...
by minfrin
Sun Feb 16, 2020 1:11 am
Forum: General
Topic: Certificates and the Y2038 bug: invalid-after=jan/01/2038
Replies: 0
Views: 1860

Certificates and the Y2038 bug: invalid-after=jan/01/2038

Hi all, Testing some interoperability on routeros v6.46.3, and have picked up that a digital certificate cannot be valid past Jan 1 2038. The certificate in question is valid until Feb 6 16:38:56 2040. 1 T name="test-name_CA" issuer=CN=Redwax Interop Testing Root Certificate Authority 2040...
by minfrin
Mon Nov 19, 2018 12:18 pm
Forum: General
Topic: How do you use ssh agent forwarding on the routeros ssh client?
Replies: 9
Views: 5012

Re: How do you use ssh agent forwarding on the routeros ssh client?

Unfortunately port forwarding (whether using the command line or config) only allows you to jump one step past a mikrotik, and is therefore not useful in a secure environment.

Can you confirm when SSH agent forwarding will be supported?
by minfrin
Fri Nov 16, 2018 12:43 pm
Forum: General
Topic: How do you use ssh agent forwarding on the routeros ssh client?
Replies: 9
Views: 5012

Re: How do you use ssh agent forwarding on the routeros ssh client?

How do I get this supported by Mikrotik?

We have a strict no password policy, and the inability to forward keys make it difficult for us to enforce that policy.
by minfrin
Thu Nov 15, 2018 7:35 pm
Forum: General
Topic: How do you use ssh agent forwarding on the routeros ssh client?
Replies: 9
Views: 5012

How do you use ssh agent forwarding on the routeros ssh client?

Hi all, I have routerboard B, that I need to ssh to via routerboard A. All user accounts are protected by SSH keys. I am struggling to get ssh agent forwarding to work. When I log into routerboard A I can log into successfully, but when I log into routerboard B I am asked for a password, when I shou...
by minfrin
Wed Nov 14, 2018 11:36 pm
Forum: Beginner Basics
Topic: Need help - cannot enter admin page on CAP AC
Replies: 6
Views: 8063

Re: Need help - cannot enter admin page on CAP AC

I have exactly the same problem - brand new CAP ac, and it does not have an IP address on boot. No access to a PC, and therefore no ability to run winbox. Did you ever solve this? Edit: Moments later I stumbled on a post that recommended using /tool mac-telnet <MAC> from another mikrotik - this work...
by minfrin
Sat Oct 13, 2018 12:38 am
Forum: General
Topic: IKEv2 VPN and IPv6-tunneled-in-IPv6 - is this supported?
Replies: 2
Views: 1176

Re: IKEv2 VPN and IPv6-tunneled-in-IPv6 - is this supported?

Maybe you're looking for Cisco's ipv6 encapsulation with GRE header? You can add ipv6 in ipv6 by this method I think.
Will this work with a MacOS / iOS / Windows 10 VPN client?

Currently IPv4-in-IPv6 works with MacOS VPN IKEv2, looking for IPv6-in-IPv6.
by minfrin
Thu Oct 11, 2018 3:45 pm
Forum: General
Topic: IKEv2 VPN + Radius + EAP-TLS - why does the radius certificate have to be installed on the router?
Replies: 6
Views: 4780

Re: IKEv2 VPN + Radius + EAP-TLS - why does the radius certificate have to be installed on the router?

Wait. Depending on how the certificate of the RADIUS is generated (self-signed or signed by CA), the RADIUS server must provide the complete chain and the Mikrotik must either have that certificate itself (if it is self-signed) or the CA certificate (if it is signed by a CA) in its trusted certific...
by minfrin
Thu Oct 11, 2018 3:33 pm
Forum: General
Topic: IKEv2 VPN and IPv6-tunneled-in-IPv6 - is this supported?
Replies: 2
Views: 1176

IKEv2 VPN and IPv6-tunneled-in-IPv6 - is this supported?

I have successfully got an IPv4 tunnel running through an IPv6 connection, and this works successfully (for the record, the config is below). Does RouterOS support an IPv6 tunnel running through an IPv6 connection? If so, what must the policy look like to make this work? /ip ipsec mode-config add ad...
by minfrin
Fri Mar 02, 2018 3:41 pm
Forum: General
Topic: IKEv2 VPN + Radius + EAP-TLS - why does the radius certificate have to be installed on the router?
Replies: 6
Views: 4780

IKEv2 VPN + Radius + EAP-TLS - why does the radius certificate have to be installed on the router?

Hi all, I have successfully configured routeros to allow VPN clients to connect via IKEv2, backed with radius, and authenticating using EAP-TLS (no passwords). The config is below. What I discovered is that this configuration would only work if I took the private key and certificate of our radius se...
by minfrin
Fri Aug 07, 2015 3:52 am
Forum: General
Topic: IPv6 multicast - preventing the swamping of switch ports
Replies: 0
Views: 597

IPv6 multicast - preventing the swamping of switch ports

Hi all, I have an IPv6 multicast source that is providing a number of multicasted channels into a Mikrotik 750G on various multicast addresses. Other ports on the 750G are currently being swamped by the traffic, and I'm trying to find a way to cut this traffic down. I understand that Multicast Liste...
by minfrin
Thu Mar 05, 2015 7:38 pm
Forum: Wireless Networking
Topic: EAP-TLS, radius and Session-Timeout: timeout doesn't seem to have any effect
Replies: 0
Views: 1099

EAP-TLS, radius and Session-Timeout: timeout doesn't seem to have any effect

Hi all, I have an AP running a wifi network backed with radius and EAP-TLS, and this is working fine. What I'm struggling with is trying to convince the AP to re-authenticate the client with the radius server, just in case in the mean time, access has been revoked. I have configured the radius serve...
by minfrin
Tue Jun 11, 2013 7:46 pm
Forum: General
Topic: OpenVPN and IPv6
Replies: 11
Views: 6690

Re: OpenVPN and IPv6

I have managed to find references that say that IPv6 works with openvpn in ethernet mode (http://forum.mikrotik.com/viewtopic.php?f=13&t=38026#p187333), it would be good to get a definitive answer. What I have found is that the tunnel seems to be established without a problem, and IPv4 works. Th...
by minfrin
Tue Jun 11, 2013 3:31 pm
Forum: General
Topic: OpenVPN and IPv6
Replies: 11
Views: 6690

OpenVPN and IPv6

Hi all, I am trying to set up an openvpn server and a RouterOS ovpn client, and have successfully got this working for IPv4. I am now trying to set up openvpn to hand out an IPv6 address, and I am struggling, the openvpn side logs that an IPv6 address is offered to the RouterOS side, but the RouterO...
by minfrin
Mon Oct 08, 2012 1:57 pm
Forum: General
Topic: Feature request: SSL/TLS support for "/tool fetch" (https)
Replies: 4
Views: 2359

Feature request: SSL/TLS support for "/tool fetch" (https)

Hi all, Are there any plans to support https with /tool fetch? It turns out that /tool fetch is used to implement many of the dynamic DNS services, and because the password is revealed to the net in clear text, an attacker can take over the dynamic DNS account. I'd like a way to prevent this. Regard...
by minfrin
Sun Jun 17, 2012 6:26 pm
Forum: General
Topic: ipsec with remote-certificate: Invalid ID length in phase 1
Replies: 1
Views: 3657

Re: ipsec with remote-certificate: Invalid ID length in phas

Adding some more information, the message "Invalid ID length in phase 1" appears inside the racoon code, and means one of two things: - The DN of the certificate presented by server doesn't match the DN expected by the routerboard. - The user FQDN provided inside the subjectAltName doesn't...
by minfrin
Sat Jun 16, 2012 3:28 am
Forum: General
Topic: ipsec with remote-certificate: Invalid ID length in phase 1
Replies: 1
Views: 3657

ipsec with remote-certificate: Invalid ID length in phase 1

Hi all, I have configured a routerboard to establish an ipsec transport policy to an openswan peer, where both sides are authenticated with digital certificates, each one signed by a separate CA, one CA for (what will become) the concentrator, and a second CA for (what will become) the Mikrotik clie...
by minfrin
Tue Jan 10, 2012 6:25 pm
Forum: General
Topic: Wpa2-eap + radius Filter-Id - does this work?
Replies: 1
Views: 881

Wpa2-eap + radius Filter-Id - does this work?

Hi all, I have a wireless access point, configured to use wpa2-eap against a radius server to authenticate. So far, this works fine. I've configured the radius server to return the Filter-Id attribute in an effort to create a custom firewall rule for each person connected to the access point, but so...
by minfrin
Mon Jan 09, 2012 12:54 am
Forum: General
Topic: EAP and WISPr-Redirection-URL: redirecting users after login
Replies: 0
Views: 1258

EAP and WISPr-Redirection-URL: redirecting users after login

Hi all, I have an EAP-TLS secured network that allows people to authenticate using radius, and so far this is working fine. What I'd like to do, is for certain users, based on the radius response, I would like to redirect them to a given webpage on connection, like you would with a hotspot. I've tri...
by minfrin
Tue Dec 27, 2011 7:44 pm
Forum: Wireless Networking
Topic: iPhone4 to Mikrotik wpa2-eap - connection never completes
Replies: 3
Views: 2365

Re: iPhone4 to Mikrotik wpa2-eap - connection never complete

The message "dhcp2 offering lease ... without success" was the key in this case, I needed to add an entry beneath "/ip dhcp-server network" for that specific DHCP pool, which for some reason was missing.
by minfrin
Tue Dec 27, 2011 5:50 pm
Forum: Wireless Networking
Topic: iPhone4 to Mikrotik wpa2-eap - connection never completes
Replies: 3
Views: 2365

Re: iPhone4 to Mikrotik wpa2-eap - connection never complete

I had originally tried wpa2-eap, and the iOS v5.0.1 phone had failed with the same effect. I have now managed some more experimentation, a second iPhone4 running iOS v4.3.5 successfully connects, but for no clear reason the DHCP doesn't complete. If you attempt to renew the lease on the iOS v4.3.5 d...
by minfrin
Tue Dec 27, 2011 4:24 am
Forum: Wireless Networking
Topic: iPhone4 to Mikrotik wpa2-eap - connection never completes
Replies: 3
Views: 2365

iPhone4 to Mikrotik wpa2-eap - connection never completes

Hi all, I have configured a Mikrotik routerboard to have a wireless network that attempts to authenticate using EAP-TLS with a client certificate only, passed through to a radius server which verifies everything. So far, the radius server seems to be working correctly, and the user is accepted, but ...
by minfrin
Sat Jun 19, 2010 4:32 pm
Forum: General
Topic: After reboot, /ip dns changes revert to old settings
Replies: 1
Views: 902

After reboot, /ip dns changes revert to old settings

Hi all, I have a strange problem with /ip dns. I need to update the name of the DNS server in routerboard, and so use /ip dns to change the settings. I can view the new settings, and the routerboard's DNS now works, so far so good. I then reboot the routerboard, and the old dns settings have ...
by minfrin
Sat Jun 19, 2010 4:28 pm
Forum: General
Topic: Routeros v4 upgrade via ssh (ie without winbox)
Replies: 2
Views: 1762

Routeros v4 upgrade via ssh (ie without winbox)

Hi all, I have some routerboards that are embedded within a site, and getting an internet connected windows laptop running winbox up onto the sloped roof of a set of buildings so we can click on "upgrade key" is going to be a health and safety issue for us. Does a method exist to get our l...
by minfrin
Sun Apr 11, 2010 10:47 pm
Forum: General
Topic: Cannot communicate securely with peer: no common encryption
Replies: 2
Views: 3237

Re: Cannot communicate securely with peer: no common encrypt

The clock was wrong (ntp problems, which I'm battling with separately), but the clock wasn't related in this particular case. I managed to restore the hotspot by deleting the certificate from the routerboard, reimporting it, then setting the "ssl-certificate" parameter within the hotspot-p...
by minfrin
Sun Apr 11, 2010 10:07 pm
Forum: General
Topic: Cannot communicate securely with peer: no common encryption
Replies: 2
Views: 3237

Cannot communicate securely with peer: no common encryption

Hi all, I have a 433 routerboard / routeros v3.30 that a while ago had been successfully configured as a wireless hotspot, complete with an SSL certificate. This worked fine. Having just tried to connect to the hotspot after some time not using the hotspot, I suddenly receive the following erro...
by minfrin
Sun May 17, 2009 3:05 pm
Forum: Wireless Networking
Topic: Detail howto requested: separating traffic from a virtual AP
Replies: 2
Views: 1143

Re: Detail howto requested: separating traffic from a virtual AP

Linux is set up to handle VLAN tags, yes (the interface eth3.2 means "VLAN 2" on "interface 3"). Tcpdump is showing the tagged packets correctly, but ping didn't work.
by minfrin
Sun May 17, 2009 4:15 am
Forum: Beginner Basics
Topic: Setting the initial IP address - how?
Replies: 4
Views: 1403

Re: Setting the initial IP address - how?

This directly contradicts the advice given on the Mikrotik wiki here: http://wiki.mikrotik.com/wiki/Initial_MAC_Winbox_Connection Would it be possible to take this wiki page down, as it no longer seems accurate? I had no luck with a serial cable either, what eventually worked was to hard reset the ...
by minfrin
Sun May 17, 2009 2:50 am
Forum: General
Topic: IPsec secured L2TP tunnels - how?
Replies: 0
Views: 783

IPsec secured L2TP tunnels - how?

Hi all, According to the manual, underneath /ip ipsec peer, it is possible to have L2TP tunnels secured using ipsec: generate-policy (yes | no; default: no) - allow this peer to establish SA for non-existing policies. Such policies are created dynamically for the lifetime of SA. This way it is possi...
by minfrin
Wed May 13, 2009 1:21 am
Forum: Beginner Basics
Topic: Setting the initial IP address - how?
Replies: 4
Views: 1403

Re: Setting the initial IP address - how?

Some brief success with Darwine, the most recent development version (1.1.20) won't work, you need to use the latest stable version (1.0.1) for winbox to start. The success is short lived - winbox cannot find the routerboard, with one exception - if an attempt is made to leave the search window open...
by minfrin
Wed May 13, 2009 12:35 am
Forum: Beginner Basics
Topic: Setting the initial IP address - how?
Replies: 4
Views: 1403

Setting the initial IP address - how?

Hi all, I have a brand new routerboard, and I need to set its initial address. I tried to Google for details of what the default IP address might be, and came back with hits to say there isn't one (???). I found the page below, describing how I might run winbox.exe through the Darwine emulator for M...
by minfrin
Sun May 10, 2009 2:15 pm
Forum: General
Topic: ip dhcp-server: no such IP network on selected interface
Replies: 4
Views: 6879

Re: ip dhcp-server: no such IP network on selected interface

One thing I see: vlan-public and wlan-g-public have the same localnets. I would recommend changing one of them. That is probably the reason the wlan-g-public network assignment is messed up. It should look like this: 2 172.16.250.3/23 172.16.250.0 172.16.251.255 wlan-g-public but vlan-public has th...
by minfrin
Sun May 10, 2009 2:21 am
Forum: General
Topic: When an "invalid" flag appears, how do I find the reason?
Replies: 5
Views: 2193

Re: When an "invalid" flag appears, how do I find the reason?

What I am really trying to do is try set up a hotspot, it is not clear from the documentation whether you need to configure a dhcp server to be used by a hotspot, or whether the hotspot does this on its own. The attempt to create a hotspot using the hotspot setup wizard also results in a hotspot tha...
by minfrin
Sun May 10, 2009 1:05 am
Forum: General
Topic: ip dhcp-server: no such IP network on selected interface
Replies: 4
Views: 6879

Re: ip dhcp-server: no such IP network on selected interface

I continue on regardless, and I try to enter nothing as a DHCP relay, as I don't want to use a DHCP relay: dhcp relay: invalid value for argument relay Ok, so it wants a dhcp relay. So I try the default value: dhcp relay: 172.16.252.3 Select pool of ip addresses given out by DHCP server addresses to...
by minfrin
Sun May 10, 2009 1:00 am
Forum: General
Topic: ip dhcp-server: no such IP network on selected interface
Replies: 4
Views: 6879

ip dhcp-server: no such IP network on selected interface

Hi all, While using the setup tool in an attempt to configure dhcp, I am getting an error message that I do not understand. First off, my ip addresses look like this: # ADDRESS NETWORK BROADCAST INTERFACE 0 172.16.252.3/24 172.16.252.0 172.16.252.255 wlan-a-backbone 1 172.16.250.2/23 172.16.250.0 17...
by minfrin
Sun May 10, 2009 12:48 am
Forum: General
Topic: When an "invalid" flag appears, how do I find the reason?
Replies: 5
Views: 2193

Re: When an "invalid" flag appears, how do I find the reason?

Yes:

3 172.16.250.3/23 172.16.250.3 172.16.250.3 wlan-g-public

It doesn't answer why no reason is given for the error. Is there a way to get some kind of human readable error message out of this?
by minfrin
Sun May 10, 2009 12:13 am
Forum: General
Topic: When an "invalid" flag appears, how do I find the reason?
Replies: 5
Views: 2193

When an "invalid" flag appears, how do I find the reason?

Hi all, After making an attempt to add a dhcp-server on a wifi interface, as below, the dhcp-server is flagged as "invalid": Flags: X - disabled, I - invalid # NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP 0 I server1 ether3 dhcp-eth3 3d yes 1 I dhcp-public wlan-g-public public-pool...
by minfrin
Sat May 09, 2009 6:57 pm
Forum: Wireless Networking
Topic: Detail howto requested: separating traffic from a virtual AP
Replies: 2
Views: 1143

Detail howto requested: separating traffic from a virtual AP

Hi all, Does anyone have a detailed howto to solve the following problem: I have an access point, with a virtual AP configured inside it for public use. The main AP is protected WPA2, and works fine. The virtual AP is configured as an open system, and also works fine. What I am struggling to achieve...
by minfrin
Sat May 09, 2009 2:56 am
Forum: Wireless Networking
Topic: Public wifi, VLAN tagged, then connected to a Linux machine
Replies: 0
Views: 1191

Public wifi, VLAN tagged, then connected to a Linux machine

Hi all, I have a simple mikrotik wifi access point, which is plugged directly into a Linux router. I want to have two wireless LANs, one a private WLAN, which works fine, bridged to ether1, and a second public WLAN, bridged to VLAN-2, in turn attached to ether1. The first private WLAN works fine, th...