MikroTik

sejtam

I needed to switch my daily backup upload from ftp to sftp as the new NAS does not allow pure FTP (TLS/SSL required) I am trying this, . the credentials work when used from a mac: > /tool fetch upload=yes url="sftp://192.168.0.10/ftp/test.rsc" user=koerberGW password="***correct***&qu...

sejtam

I am using openvpn to remotely connect into my LAN

is there an interface I could graph to show the usage of the OpenVPN
server? (http://192.168.0.1/graphs does not show that)

sejtam

So what the cause/is the solution?

sejtam

Also: can I define a scheduler which triggers on a UTC time rather than the local time?
(yes I know i coudl just run the script hourly and then in it test the date, but that seems wasteful)

sejtam

Is there any way to access the date in UTC (or the UNIX/epoch/time_t time (seconds since Jan 1 1970))
from a script?

sejtam

I am not so fluent in The ROS language. Could someone show an example
how to call this as a function?

I looked at

https://wiki.mikrotik.com/wiki/Use_Func ... CMD_Script

But that method is somewhat different?

thanks

sejtam

Has anyone found a way to build a port-knocking listener with cryptographic hash checking (to prevent sniffing/replay attacks) for RouterOs/Mikrotik? it would need to be something for which a client can be built on Linux/Mac and also Android and iOS clients. http://www.cipherdyne.org/fwknop/docs/SPA...

sejtam

Is there no-one who can provide help with this? RouterOS 6.27 on an RB2011 Unifi APAC SSID 1 SSID 2 -------------------\ SSID 3 - tag VLAN 3 ---------G2-----RB2011 I want to bridge the traffic from port G2 to bridge-local as usual. Traffic that comes in tagged as VLAN3 should be separated to a separ...

sejtam

http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features says: Vlan Table Vlan tables specifies certain forwarding rules for packets that have specific 802.1q tag. Those rules are of higher priority than switch groups configured using 'master-port' property. Basically the table contains entries tha...

sejtam

I have trouble getting the following set up 1. ether1 (renamed G1-World): Upstream port to internet 2. G2 - should accept a. unpacket packets and connect these directly to bridge-local b. VLAN 3 tagged packets and link them directly to bridge-V20 (and VLAN-20) 3. G3 accept untagged to bridge-local 4...

sejtam

Today for the first time since switching from an old Netgear E3200 running DDWRT to an RB2011 I used Gotomeeting to have a(mostly voice)
discussion, and the sound sucked. (Skype was much better).

Is there anything I should tune in the MT router to improve (prioritize) GTM traffic?

sejtam

+1 for mac-address-list in bridge filter/nat and mac-address-list along with ip firewall rule src-mac-address matcher

and f course add-src-mac-to-list and add dst-mac-to-list (and hopefully also remove-src/dst-mac-from-list...

sejtam

If i turn on safemode, RouterOS remembers the 'before state' and resets to that state if I log out/ get disconnected before turning safemode off. That's fine But is there a way I can get a diff of the point I got to in safe-mode before the rollback? Safe-mode in small increments may not be ideal. So...

sejtam

Nothing that complicated happening here. My MT is 192.168.0.1 and the gatway to the world, with nothing else. These seem to all be the final throes of a genuine connection that existed but is now dead. As can be seen some of these 'invalid' ACK/FIN' etc originate locally (presumably at the PC access...

sejtam

How about: /ip filter add chain=firward action=accept source-address=PCIP connection-state=established,related add chain=forward action=drop source-address=PCIP connection-state=new That should filter out all connections established from that PC, except the established one you create when connecting...

sejtam

see attachment. It looks as if the connection tracking forgets a connection on the first FIN and then all following packets are considered invalid? Notice hos this applies to ACK,FIN from internal to websites outside.. Is this normal? I don't think so, as a FIN can be unilateral, ie one side can clo...

sejtam

is there a way to make the graphs under Winbox's 'Graphing' function show some units (both X and Y axis)
with The 'legend' is rather useless as it only shows teh current values. (and yes, i discovered the crosshair, but
that's not useful when print a screenshot or such)

sejtam

It would be important to know if a firewall detection catches the same address twice.
In most cases it shoudl extend the entry time IMHO.

I also noticed that if the entry is untimed, it won't be changed to timed, ie untimed is effectively 'infinite'

sejtam

Yes, I think this would be useful for port-knocking, or when detecting that a system outside has successfully established a connection (logged in), it can be removed from the blacklist. I do think it can be worked aorund by instead adding the address to a whitelist (and then possibly having a script...

sejtam

Ok. just found out they are not terminal. Next question: Say I have an address already in a list A.B.C.D 1h and now the same address gets executed with Add-*-to*list address=A.B.C.D timeout=2h will this a) fail (and keep the original timeout b) extend the timeout to 2H c) add the timeouts to make 3h...

sejtam

Ok. yes. colour me confused... thanks

That said, if instead of the '!' it showed '0' (so: '0 Notifications') it might not have confused me.

(yes, I know the meaning of '!' obviously but don't expect that in a UI design that is not totally
built for geeks)

sejtam

I have defined the following in DHCP servers: /ip dhcp-server print detail Flags: X - disabled, I - invalid 0 X name="default" interface=bridge-local lease-time=10m address-pool=default-dhcp bootp-support=static authoritative=after-2sec-delay lease-script="" 1 X name="dhcp1&...

sejtam

I don'see that square. see screenshot

sejtam

There doesn't seme to be a 'Board issues' subforum.
Is anyone else seeing that Notifications for subscribed topics stay even if one has opened/read that
reply/topic?

I already tried deleting all board cokkies but the notifications stay anyway.

sejtam

I am mostly confused by this graphic from 'RouterOs by Example' (and the accompanying text), which indicates that an 'Invalid' packet inside a connection 'breaks' the connection so that it has to be estabklished again. 2015-02-09 01.37.06.jpg (sorry, it seems rotation info gets lost when attaching. ...

sejtam

Not sure whether this still qualifies as a beginner's question, but since I am new to all this.. I bought myself a combo of an RB2011 (no Wifi) and a UniFi AP-AC Got the following to work: Simple local network - interface G5 set to separate VLAN (vlan-id 30, separate DHCP network 192.168.30.0/24) Th...

sejtam

What exactly are 'invalid' connection states? I see a lot of these in my firewall log: 18:10:27 firewall,info dropINVALID forward: in:bridge-local out:G1-world, src-mac d8:bb:2c:b9:67:40, proto TCP (ACK,FIN), 192.168.0.106:65002->108.160.165.10:443, len 52 18:10:38 firewall,info dropINVALID forward:...

sejtam

ie, do they stop further processing of the chain?

I couldn't find that just now.

The 'mark packet' actions have a passthrough option, but the above don't .

sejtam

did you ever find a proper solution?
I got the same when setting the switch-cpu interface to vlan-mode=secure/strip. Everything just stops

sejtam

i cannit search for this as '*F' is not a vali search term :-( My bridge port print shows 4 I G1-world *F 0x80 10 none What does that "*F" mean?

sejtam

I'll have to try but it fits the OP's symptom of the clients not getting addresses

sejtam

I use a similar setup except there's a switch in between.

5. Input: Accept UDP port 53 (DNS) from vlan-guest

Don't you also have to allow DHCP (UDP port 67) from vlan-guest
to allow it to reachteh DHCP server?

sejtam

Are any version of RouterOS affected by this vulnerability?

https://cve.mitre.org/cgi-bin/cvename.c ... -2015-0235

The bug apparently goes back almost a decade?

sejtam

What would such a firewall rule look like? Am I understanding the issue correctly, this is about clients connecting to the hotspot interface but not logging in, yet being able to talk to other non-logged-in hotspot users directly on that interface/bridge? would (assuming the hotspot is on interface=...

sejtam

Ok. it seems there can only ever be one connection-mark and one routing mark. I tested like this: /ip firewall mangle> print chain=prerouting Flags: X - disabled, I - invalid, D - dynamic 0 chain=prerouting action=mark-connection new-connection-mark=CM1 passthrough=yes src-address=192.168.0.4 log=no...

sejtam

I am ivestigating queues right now. I have a subnet I want to lower the internet-access priorities of. So I set up a connection mark ('Learn ROuterOS' Dennis Burgess writes that this less CPU intensive as the mangle has to only match the new connection state and then all following packets belonging ...

sejtam

Ok. i worked this out. for a while I had two addreses in 192.168.0.0/24 bound to the bridge-local interface (192.168.0.233 and .234) Apparently the routing rememberd .234 as the preferred source, even after I removed that address (and only .233 was left). I had to remove the .233 address also and re...

sejtam

To be able to block clients from a hotspot (so they don't even get an Ip address) it would be useful to
have address-lists that store mac-addresses. Then one could set up a 3-stage set of lists like the SSH bruteforce recipe

sejtam

I am trying to upload a file fom my RB2011 to my Synology NAS /interface bridge> /tool fetch address=192.168.0.10 upload=yes src-path=current_config.rsc user=admin password=password dst-path=/tmp/c.rsc mode=ftp failure: cannot open FTP socket A packet capture on the synology shows no attempts of any...

sejtam

But there is already such forum: http://forum.mikrotik.com/viewforum.php?f=1. I do not understand why is here such discussion? Every one should search the forum first before writing anything. At least... I did, but that forum is named 'beta and <new version>' so I didn't realize it is for general f...

sejtam

I have [admin@koerberGW] /tool e-mail> /ip address print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK INTERFACE 0 A.B.C.D/24 103.247.134.0 G1-world 1 ;;; Loopback bridge 127.0.0.2/32 127.0.0.2 bridge-loopback 2 192.168.88.1/24 192.168.88.0 bridge-local 3 192.168.0.233/24 192.168.0...

sejtam

I am trying to set up a hotspot, but would like to block users (mac-addresses) who keep connecting and trying to log in. I knw I could set up a progessive set of adress-lists (like the ssh_blacklist example), but I need suggestins on how to add the users to the blacklists in the first place. one ide...

sejtam

when i try and set up a firewall rule to filter on traffic cming from my open-vpn server, I am offered in-interface=<ovpn-username> only, ie interfaces one per user. Is there no way to simply say in-interface=ovpn-server or in-interface=all-ovpn-server to to this once for all users?

sejtam

I have a script that runs fine from the commandline when logged in as 'admin' when run from the scheduler, it doesn't seem to work: 0 name="sched_backup_email" owner="admin" policy=read,sensitive last-started=jan/05/2015 13:21:32 run-count=9 source= /export file=current_config hi...

sejtam

I think those don't count as sensitive, because they're passwords to external services, whereas "hide-sensitive" is intended to hide local sensitive data - passwords that the router itself defines and authenticates others against. unfortunate, as currently I have only an outside SMTP serv...

sejtam

I found http://wiki.mikrotik.com/wiki/Manual:Scripting-examples#Allow_use_of_ntp.org_pool_service_for_NTP which looks useful. sadly however, most caching DNS servers implement a round-robin scheme, so that two consecutive queries for a name with multiple addresses return these in a different order: ...

sejtam

RB2011 with 6.24 I ran a backup /export file=c hide-sensitive however, several items of sensitive info were still left in the output file (somewhat mangled by me) add coa-port=1700 customer=admin disabled=no ip-address=127.0.0.2 log=\ auth-fail name=koerberGW shared-secret=myRadiusSecret use-coa=no ...

sejtam

There are several pages with sample script. eg like this: /system backup save name=email_backup /tool e-mail send file=email_backup.backup to="me@test.com" body="See attached file" \ subject="$[/system identity get name] $[/system clock get time] $[/system clock get date] Ba...

sejtam

Ok obvious next question.: action=mark* is then a terminal action right?

sejtam

Can one use mangle to set more than one packet-mark , connection-mark etc on a packet/connection?

If so, what is the limit?

Is there a way to print/log packets with all the marks they have (for testing)?

sejtam

Mangle is for mangling packets. It has an accept action but not drop or reject. You're right. So 'accept' here only means that it stops processing the 'mangle' table, but doesn't also skip the normal firewall tables (so there is still a chance to drop it? Or does that make it just accept the packet...

sejtam

http://en.wikipedia.org/wiki/Random_early_detection mentions some flaws in classical RED queues and two improvements
WRED and RIO as well as ARED and RRED

Which variant does RouterOS implement? (or is there even a choice)?

sejtam

Is there (if not, should there be?) a sub-board here to point out errors/omissions/suggestions for the Wiki Manual, which then can also be discussed? yes I know it's a Wiki, but if I'm not an expert in a topic I'd rather start a discussion than edit things myself (apart from the fact that the 'discu...

sejtam

two more: a) does connection-state=!established,related mean: !(established,related) (ie neither) or !established, but related? I hope the former as there is no way to say !established,!related either, but the doco is sketchy b) does connection-state=invalid equal: not new, not established and not r...

sejtam

A few firewall questions a) in 'mangle' I see also the accept/drop/reject actions. I though mangle is intended for marking traffic, not for making decisions on how to handle it? Or is the 'mangle' table just a normal firewall table that is just consulted first before the 'filter'? b) What is the 'ho...

sejtam

I have no console port, so that is out. Also, I'm MAC only and have not installed wine yet.
But just after I posted it, I got it working somehow. Dont'really know what I did differently though...

sejtam

I have the basic RB2011 model (just Ethernet, n console, wireless nor fibre) A stupid typo locked me out of the device (firewall action=drop src-adress-list=rfc1918, aciddentally hit enter before specifying the interface) So now I am trying to factory reset my router to get it back, but I cannot get...

sejtam

I am making some progress. I have now turned to Hotspot setup. I managed to make the hotspot work, but it also gets access to all other devices on the LAN. So I gather I will need to set up some firewall rules to allow only Internet access to hotspot users. While looking at that, I noticed that a) t...

sejtam

[something went wron with the previous attempt at posting this. Here is try #2]: I am trying to configure my RB2011 as a client to out HQ's Cisco VPN. We were given the following information for configuration (with samples fow both Win and Mac) Server IP address [A.B.C.D in my sample code below] use...

sejtam

Is there a place to send suggestions/RFE (requests for enhancement) to?

Maybe a separate sub-forum/board here would be useful?
(or something on getSatisfaction/userVoice)?

sejtam

I suspect I need to extract the tls-auth key from what HQ gave me, but i cannot find where to specify that in the ovpn-client settings.
Please don't tell me tls-auth is not supported..

sejtam

I'm trying to set up the script from http://wiki.mikrotik.com/wiki/Send_email_about_reboot However, it hangs, trying to get the NTP status: It seems that 'get status' doesn't return anything, even though a print shows the status as synchronized? [admin@koerberGW] /system ntp client> print enabled: y...

sejtam

yes, tapatalk also just scared me telling me I'm banned. no idea why.

sejtam

I am trying to connect to my HQ using my new RB2011 I have upgraded to the latest OS My HQ gave me OVPN configuration consisting of 1. a ca root cert 2. a ovpn config file 3. in.key and out.key for tls-auth The .ovpn file looks like this: client dev tap proto tcp remote VPNSERVER 1194 resolv-retry i...

sejtam

I just got my first RouterOS router (RB2011 series). I like to read documentation in full, rather than piecemeal as webpages. If there a full PDF for this? I tried 'download as PDF' from the Manual:TOC page and only got an error: Book rendering failed There was an error while attempting to render yo...

sejtam

Are any parts of RouterOS vulnerable to this?
thanks

sejtam

I am looking for a new router/wifi for my SOHO. I'd like to find out about a few issues. I started reading the documentation, but it's huge, so I may not find what I want easily. 1. with RouterOS, can you operate two (or more) Wifi SSIDs in parallel? 1.1 Can one be a hotspot and the others be treate...

Search found 67 matches