If a router system normally observes packets to a particular UCP port 443 that are accepted along with just a few that are dropped then firewall rules that have a drop at the end potentially even without a log might normally work well depending on requirements others may have I am not aware of. Howe...

"In most cases not significantly enough to warrant the loss of throughput by all the rules......... In other words throughput is directly affected by the number of firewall rules, so first things first, be LEAN."

Is that a straw man argument?

Does this belong in a !General area?

I get the concept you are bringing up and it is obviously more complicated than just the quick example you shared. However, /ip firewall filter add action=drop chain=forward in-interface=WAN protocol=tcp dst-port=80 dst-address=!<HTTP server for public access> AND then add action=accept chain=forwar...

This topic is to share some basic understandings I have to be corrected if wrong and to also bring up some ideas with a goal of optimizing RouterOS firewall rules in production environments. So, I am going to focus on a snippet from this page -> https://help.mikrotik.com/docs/spaces/ROS/pages/328513...

Can I get an explanation as to where the information after "query from", such as an IPv4 or IPv6 address, when the dns topic under logging is configured and on, and if it is potentially different with a UDP query versus a TCP query? An example from a log entry where "DNS" was add...

With the concern of not sharing private information along with not forgetting about allocations that are not the block large size; with a quick review, it appears the particular API you are using to get vendor information returns “IEEE Registration Authority” until it has a vendor match as long as i...

I have a CRS326-24G-2S+ unit that I recently noticed had an uptime not consistent with when I would have rebooted it. It does not appear to have lost power. There are also no indications in the log that it was rebooted such as the message "router rebooted" corresponding to the alleged upti...

Part of my confusion thus far was thinking a "speed=" setting was the same as the "advertise=" setting which appears if in a default mode is not exported and I thought it would be verbose showing all options..For example, on RB450G gigabit ports in the Winbox GUI if "Auto Ne...

Those are good questions. Try using different hardware and software versions and see what you are able to find out.

In the export tools there appears to be a bug in the Interfaces section. Some of the ports that were set for faster speeds than 100mbps get set to 100mbps. Is that something that has already been reported and is being looked into?

With bridge ports in RouterOS Mikrotik has three options labeled "unknown unicast flood", "unknown multicast flood" and "broadcast flood". I was using Torch recently and saw traffic that did not look like it was that kind of traffic but when I checked those options it w...

A long long time ago I added my support for the fact that RouterOS needs a database client. I think at that time suggestions were for MySQL but frankly any of a number of open source database servers would work. That didn't happen yet and is a much higher priority than a new ping tool in my opinion....

Just to summarize after these helpful responses. The built in Winbox tools do not support ICMP type 13 which could be used to track latency both ways but accurate synced clocks would be required. Other equipment on each end supporting tools that work with ICMP type 13 as long as the networks involve...

Does anyone know if there is a way with RouterOS to get it to report latency in microseconds instead of milliseconds and if it can report not just round trip latency but one way latency even breaking down the latency each way? Assumptions are that without adjustments the latency reported in RouterOS...

Consider not helping destroy evidence in evaluating suggestions.

It appears you have a need to manage devices beyond the demarcation point but are also providing traditional Internet services. I would suggest you work with your customers to create a way where a box you can still manage if they want hands off all the management traffic off to a patch panel be it c...

It's a little off topic but make sure with Tristar the different firmware/software versions they call A & B or something like that are up to date. That helped me with some similar issues also. Rarely I would have the Tristar's completely lock up on their NIC and/or http server engine, I can't ex...

Pretty sure there was a pretty bad bug in Winbox on earlier Router OS's or some combo of both that allowed sessions to be taken over which would normally be more risky from wan ports. Especially if you have an upstream provider even with an employee part of an organization that thinks it should be d...

Thank you. I must have missed that in the release notes. I'll give it a shot when I get a chance.

Questions like this are very difficult to answer because not only of security and best network practices outside of potential laws and regulations many don't consider but because of laws that often come into play with a lot of Mikrotik stuff that may be using say for example one or more of the ISM f...

Not without adding hardware but maybe someone else has ideas. If you ran the LACP into something like MT450G's on each end and then ran management cables back also to the Cisco switches I think you could make something work but that adds hardware on each end not in your diagram.

I have a an RB1100AHx2 that apparently came new with an internal 64mb drive. Logged in as admin looking at the file list through Winbox I see just a few files taking up about 2mb. However, I am seeing 56.4MiB of 64.0MiB used. At first I was concerned this box may be compromised and do still have con...

Some of the other solutions above may have worked. I can't remember if I tried them all or not. My memory is if anyone if still having trouble with this issue is that it was a chipset issues between the 493ah and the Tristar. Upgrading 493ah's to 493g's and I think also similarly the 450 series to t...

serjes, I haven't tried your suggestion but I expect it would work because I know if I use the 450g inbetween the 493ah and the Tristar it works. This doesn't solve my problem because there is no such thing as a cheap switch in my scenario. Another switch means typically at least 7 more watts of pow...

We have adopted both the 493ah's and the 450G's for much of our backbone. We purchased Tristar 60 MPPT charge controllers because they have built in ethernet interfaces for monitoring. With the 450G's we have had no problems communicating with the Tristar. However with the 493ah's we never can. We h...

To convert from 24V to 48V, try something like this...

http://www.altestore.com/store/Charge-C ... tor/p1257/