MikroTik

serafin

for the given problem 802,1x seems as the only viable solution. To configure it - you need to have radius server to feed MT with configuration details for clients. There is a few radius servers available, but you can start from FreeRADIUS (which is probably not the easiest one for configuration but ...

serafin

Hi, I faced the issue recently with SOME websites not opening via HTTPS protocol correctly. The behavior was: $ curl -i -v https://web.site * Trying 185.xx.xx.xx:443... * Connected to web.site (185.xx.xx.xx) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * CAfile: /etc/ssl/certs/ca-cert...

serafin

Hi, I have similar case - PV inverter from Huawei does not negotiate link with MT, neither CCR1009 nor CCR1072, but negotiate with Linux laptop. I enforced the same parameters on MT port as it was negotiated in Linux(auto-negotiation=no full-duplex=no speed=100Mbps) and all works like a charm. Leavi...

serafin

I did upgrade to 7.10.2 and after reboot:

:put [:resolve yyy.xxx.local]
192.168.8.3

weird...

Ser@fin

serafin

have you tried as below?

/ip ssh
set always-allow-password-login=yes

Ser@fin

serafin

Hi, I have a setup with forwarding DNS queries for specific domain to local DNS server: /ip dns static add address=192.168.8.7 name=ns.xxx ttl=1h add address=192.168.8.9 name=ns.xxx ttl=1h add forward-to=ns.xxx match-subdomain=yes name=xxx.local ttl=1h type=FWD when I query dns this way all works: :...

serafin

Hi, I have checked again today and cell-monitor shows more than one band :) sindy - your advice with power-cycle helped. I think the issue was related to short time I gave my modem to scan the network. After longer period it showed multiple bands and is automatically selecting other than initially b...

serafin

unfortunately behavior is still the same, only one band in cell-monitor output

serafin

Hi, I wonder how to UNSET band for the modem R11e-LTE. before enforcing band via set 0 band=X I could see multiple bands while running cell-monitor. after enforcing specific band I can see only single band in cell-monitor. This is not changing when I do unset 0 band any idea how to reset band setup ...

serafin

I don't recommend having this dirty trick - makes me lots of troubles trying to connect via SSH

serafin

Hi, I have CAPsMAN managing multiple cAPs with 3 SSIDs. Each SSID has separate security policy/password. Now I want to use UserManager to have unique passwords per user. I did so for single SSID where within access rules I query radius for access credentials in UserManager as described here: https:/...

serafin

Bingo! - adding switch-cpu in egress-vlan-tag rule solves the probelm.

with trunk & adding ports to the bridge - this is CRS125, here ports have to be in the bridge to trunk them...

serafin

Hi, I have CRS125-24G-1S device and can't reach it via IP address from one of the tagged VLANs received via trunk port. Let me describe my config - maybe somebody can spot where I made an error I have bridge defined as in all examples in the wiki: /interface bridge add name=bridge1 protocol-mode=non...

serafin

thanks for this post, it works for me as well this way.

Where to report gap in wiki?

S.

serafin

Issue described in here: viewtopic.php?f=10&t=142882

as well as solution - to add default profile before adding user

Ser@fin

serafin

Hi I'm trying to test config with one central router and a few antena managed with CAPsMAN. CAPsMAN stuff works well up to the moment when I start limiting access based on User Manager database. I have entry in /caps-man access-list: add action=query-radius interface=XXX-1-2 while I'm trying to esta...

serafin

It took me today quite a long time to found a solution to the issue with establishing VPN connectivity from Windows 7/10 to MikroTik router using L2TP/IPSEC protocol, so I'm sharing solution. Configuration description: - 2011 router with RouterOS v6.42.7 behind NAT & with DNAT set up for being a...

serafin

Hi

sorry for not replying earlier, just come across this old post. Do you still need help?

Ser@fin

serafin

Hello, I don't know if I'll give you the best option. To do a dynamically failover between two sites I would recommend you to set up GRE+IPSec tunnels. Using this you will be able to let the OSPF take care of your routes. But if you do not use OSPF, have you tried use "check-ping" option ...

serafin

after some investigation: re 2: still no success for DHCP snooping configuration but two options to address issues with malicious DHCP server in L2 segment: - Protocol Level Isolation described here: https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#Protocol_Level_Isolation -...

serafin

Hi,

does anybody know if/how it is possible to:

1. authorize MAC address of the connected computer based on RADIUS reply and then assign port to specific VLAN?

2. detect DHCP snooping on specific port and take an action based on that (ie disable port)

thanks in advance
Ser@fin

serafin

thanks for your reply - my situation is slightly different as I have FreeRADIUS with LDAP backend for AAA however your screenshots gave me a hint and now SSTP works like a charm. I had an issue with LDAP/MS-CHAP attributes translation which was actually not used in case of OpenVPN. I have working RA...

serafin

Hi, I have CCR1016-12G with recent 6.37.1 RouterOS. I have OpenVPN server configured there with Radius authentication - everything works perfectly well. Now I'd like to add SSTP vpn server and I'm getting: sstp,ppp,error : user <user> authentication failed . When I tried to define <user> in /ppp sec...

serafin

The biggest challenge to LDAP integration is writing your translations from LDAP-speak into RADIUS attributes. The best thing to do would be to configure your user groups in RADIUS as you see fit, and then use LDAP for password authentication and group membership. Basically, the RADIUS server retre...

serafin

Hi, I have CCR with RouterOS version 6.33.3 with radius server configured there for DHCP & PPP. Radius server has two different instances listening for those services, but everything is available on one server without any firewall. For PPP everything works perfectly well, I can login via various...

serafin

Hi

is thare any general changelog for all releases in version 6 available? I can't find it neither on website nor on wiki.
What I can find is changelog for one particular version only

for those who ask why - to asses what tests I need to do after upgrade from 6.12 to 6.23

thanks
Ser@fin

serafin

I haven't encountered any issues with SSTP after upgrade. I have constant VPN connection via SSTR from 9 RouterBoards and several from Windows 7.

In the matter of certificates - I still need to test it after upgrade

thanks
Ser@fin

serafin

Hi I have noticed strange behaviour while I made backup of my configuration with SSTP server and certificates. After restoring it on second device SSTP configuration was off and certificates were not migrated is it bug or maybe a feature? tested on two RB1200 with RouterOS 5.8 and 5.11 thanks Ser@fin

serafin

Can you please give some more detail ... I am stil having similar problems.. Log: radius,debug,packet Reply-Message = "no valid profile found" Any advice where to start debuging. I am trying to setup PPPoE server with radius.. I have created profile in User Manager and it solved the probl...

serafin

self response, for further reference

it appeared that I haven't configured profile for customer properly (/tools user-manager profiles), however it was not enough.
I tested version 5.11 and I was not able to assign profile for the user from command line, I needed do so via web interface.

Ser@fin

serafin

Hi I'm trying to prepare POC for DHCP management using User-Manager. I took Mikrotik v5.8 installed in VirtualBox and made the configuration as below: /tool user-manager profile add name=dhcp name-for-users="" override-shared-users=off price=0 starts-at=now validity=521w3d /tool user-manag...

serafin

I thought the answer was very simple...
thanks, it works

cheers

serafin

Hello I suspect that mangle in RouterOS version 5.8 have some features I don't know about, could you please help me? I have the following addresses assigned to my interfaces at RB1200: 0 213.xx.xxx.xxx/28 213.xx.xxx.xxx ether1 1 83.xx.xxx.xxx/29 83.xx.xxx.xxx ether2 2 10.8.4.254/24 10.8.4.0 ether9 t...

Search found 33 matches

Re: User Authentication

Re: cannot access https websites

Re: Troubleshooting MikroTik and Huawei?

Re: DNS forwarding

Re: SSH RSA Mikrotik to Mikrotik not working [SOLVED]

DNS forwarding

Re: modem R11e-LTE & band setup [SOLVED]

Re: modem R11e-LTE & band setup [SOLVED]

modem R11e-LTE & band setup [SOLVED]

Re: Windows 7/10 & L2TP connection issue

UserManager & multiple SSIDs

Re: CRS125 & managemenent interface in tagged vlan

CRS125 & managemenent interface in tagged vlan

Re: Wi-Fi mac auth produces no valid profile error

Re: no valid profile found for user for mac-authorization for CAPsMAN

no valid profile found for user for mac-authorization for CAPsMAN

Windows 7/10 & L2TP connection issue

Re: SSTP vpn & PPP authentication via radius

Re: HA with RB750

Re: CRS questions about MAC authorization and DHCP snooping

CRS questions about MAC authorization and DHCP spoofing

Re: SSTP vpn & PPP authentication via radius

SSTP vpn & PPP authentication via radius

Re: LDAP integration

DHCP + radius = connection timeout

changelog

Re: issues with SSTP backup

issues with SSTP backup

Re: no valid profile found for user <mac address>

Re: no valid profile found for user <mac address>

no valid profile found for user <mac address>

Re: why mangle rure doesn't process traffic?

why mangle rure doesn't process traffic?