Normunds,
This is a bugfix release, solving issues related to upgrade from v5 to v6.14.
We have made some interesting new features, including the new "ip cloud" menu, and general release of CAPsMAN:
What's new in 6.15 (2014-Jun-12 12:25):
*) fixed upgrade from v5 - on first boot all the optional packages were disabled;
*) fixed problem where sntp server could not be specified in winbox & webfig;
*) metarouter - make openwrt work on ppc metarouter again;
If you already run some RouterOS v6.x version, simply click “Check for updates” in QuickSet, Webfig or Winbox packages menu.
Others: http://www.mikrotik.com/download
Thank you for the suggestion - we will think about those features.
I notice the CAPsMAN will cause all the connected APs not working when the CAPsMAN is down, is there anyway the CAPs will copy the CAPsMAN configuration and store on it self ?
and, when can be CAPsMAN able to let all CAPs running on same channel with no interference to others ???
I wait again the fix on 6.16... I'm waiting the fix from 6.10... http://forum.mikrotik.com/viewtopic.php ... 88#p416454
BUG SIGNALED FROM 6.10 AND STILL NOT FIXED???
Opened another ticket for that: [Ticket#2014041566000226] 6.12 UNFIXED BUG: user-manager profile limitation
netinstall 6.15
I just upgraded a remote 751 from 6.14. --> 6.15 and it never came back
Now what?
Leon
How did you do your remote upgrade? Did you copy the upgrade file to the file folder and do a reboot?
Good remote upgrade 6 devices to v6.15!
No. Upgrade from WinBox. System-Packages-Download&Upgrade...
How did you do your remote upgrade? Did you copy the upgrade file to the file folder and do a reboot?
Good remote upgrade 6 devices to v6.15!
This terribly CPU load 100%
v6.15
/export file=expo_6.15 ~25sec
supout_6.15.rif ~1min 53sec
v6.13
/export file=expo_6.13 ~11sec
supout_6.13.rif ~47sec
v5.26
/export file=expo_5.26 ~3sec
supout_5.26.rif ~36sec
Maybe the upgrade simply took longer than you expected? If it came back
looks like it came back about 20 min ago; log indicates reboot.
wish they would test things before releasing.
Thanks leon
Both forget to say RouterBoard model.
As mentioned by noyo the exports and supouts are really very slow in 6.15. What is the reason?
soa#1 (ccr1036)
Routing mark does not work again.
[admin@mikrotik] /ip firewall filter>
1 I ;;; Night Block (Work)
chain=forward action=drop src-address=192.168.1.10
time=3h-8h,mon,tue,wed,thu,fri
"I" doesn't mean illegal. It means it doesn't work at this moment. So it is completely normal, that out of time, it will be red. It simply means rule is not applied now.
RB/750G, RBOS: 6.13-6.15
1. Rule like this is illegal - marked by red color and didn't work. Rule for period 3h-19h is legal and work normally.
[admin@mikrotik] /ip firewall filter>
1 I ;;; Night Block (Work)
chain=forward action=drop src-address=192.168.1.10
time=3h-8h,mon,tue,wed,thu,fri
2. I suggest to make function in script language to detect a day of the week. It's already made in RBOS for above the mentioned ability. And it's more effectively than using of special script to do that.
Then it could be smart to assign a new status with other than red color to indicate correct record that is normally active (not gray) but actually inactive due to some condition not fulfilled.
"I" doesn't mean illegal. It means it doesn't work at this moment. So it is completely normal, that out of time, it will be red. It simply means rule is not applied now.
Netinstall is the only solution, in any case, you will have to drive to that location and do the Netinstall.
netinstall 6.15
I just upgraded a remote 751 from 6.14. --> 6.15 and it never came back
Now what?
Leon
You presume a lot rextended. Maybe these devices are on remote location?
ACK, same issue on x86. Downgrading didn't actually help, I had to restore the config, so beware.
Routing mark does not work again.
SSTP client does work for me from 6.15 to server 6.15, 6.14 or 6.13
Hi Normis
SSTP does not work at all on 6.15. (It also didn't work on 6.14?)
Do both devices have to be on 6.15 to work? If I downgrade to 5.26, it works fine. Upgrade to 6.15 it breaks, it's also enabled under PPP. Don't understand...
Hello Folks!
ACK, same issue on x86. Downgrading didn't actually help, I had to restore the config, so beware.
Routing mark does not work again.
What is wireless-fp package good for ?
I've done a few upgrades to both v6.14 and v6.15 over the air. Also enabled wireless-fp package, again over the air. No problems so far.
The biggest difference is the CAPsMan. Some people say it has better performance, but there is no changelog about that. I have seen improvement on 1, maybe 2 links that I upgraded and few more without any change.
What is wireless-fp package good for ?
Okey, then I guess it is nothing for us since we only use NV2 ptmp sectors and NV2 links in our infrastructure and have no wifi hotspots etc.
The biggest difference is the CAPsMan. Some people say it has better performance, but there is no changelog about that. I have seen improvement on 1, maybe 2 links that I upgraded and few more without any change.
What is wireless-fp package good for ?
Implement this ASAP, please. CAP must be able to work, even in case of lack of connectivity to CAPsMAN.
Thank you for the suggestion - we will think about those features.
I notice the CAPsMAN will cause all the connected APs not working when the CAPsMAN is down, is there anyway the CAPs will copy the CAPsMAN configuration and store on it self ?
Yes, since there are 2 different subnets, one static, one dynamic.
Dynamic and Static at the same time?
I think ahtoh is talking about that last entry ALONE. It has flags that say "DAS", as in "Dynamic, Active, Static".
Yes, since there are 2 different subnets, one static, one dynamic.
Dynamic and Static at the same time?
please tell us more information on this problem. How are you measuring that and on what wireless links it happens?
With CAPSMAN all links with degraded performance about 20%. Disable - all goes normal.
If you leave it empty the settings is auto. This is a new feature. You can try to check if it is working better compared with the static value.
I noticed that with wireless-fp package enabled for NV2 the field TDMA Period size can be empty. But if it is empty what does this mean ? Is it the minimal value or is it automatic. Do you advise leaving it empty or leaving the older configuration with set value ?
Why you complain about that? Only one fool upgrade/update one device 200Km away without be on place with another device ready to replace...
>>>Netinstall is the only solution, in any case, you will have to drive to that location and do the Netinstall.
Nice, 200km+ in one direction. It's a great bonus to a super upgrade. I've always wanted to do that.
Uldis,
If you leave it empty the settings is auto. This is a new feature. You can try to check if it is working better compared with the static value.
I noticed that with wireless-fp package enabled for NV2 the field TDMA Period size can be empty. But if it is empty what does this mean ? Is it the minimal value or is it automatic. Do you advise leaving it empty or leaving the older configuration with set value ?
that is for the tdma-period-size setting with regular wireless interface when you are using the wireless-fp package.
Uldis,
If you leave it empty the settings is auto. This is a new feature. You can try to check if it is working better compared with the static value.
I noticed that with wireless-fp package enabled for NV2 the field TDMA Period size can be empty. But if it is empty what does this mean ? Is it the minimal value or is it automatic. Do you advise leaving it empty or leaving the older configuration with set value ?
you mean the nv2 is supported now?
and, what about is the CAPs lost connection with CAPsMAN, will the CAPs still working?
So was this fixed or should I keep an eye on this and I just got lucky with the current release?
*) pptp,l2tp,pppoe - fixed problem where some of the static bindings
become dynamic interfaces;
Please clarify what makes you say this? In this thread, no serious problems have been reported that are specific to v6.15.
Could we perhaps have BETA stamped on this firmware again?
This is not the typical behavior or development path of "stable" firmware. At ALL.
Seriously, 15 revisions later, and we are not making any serious progress. One step forward, another step sideways and backwards.
I'm sick of being a beta tester, there is no reason to have STABLE marked on this firmware.
I tried it. I suspect that in my case (a PtMP outdoor network with 5 clients at distances up to 2.5 km), it chooses an interval of 1ms, at the time that I've seen the best performance (a 1.4x increase in upload speeds) with an interval of 2ms.
If you leave it empty the settings is auto. This is a new feature. You can try to check if it is working better compared with the static value.
I noticed that with wireless-fp package enabled for NV2 the field TDMA Period size can be empty. But if it is empty what does this mean ? Is it the minimal value or is it automatic. Do you advise leaving it empty or leaving the older configuration with set value ?
Maybe also a good idea to show the current period size in the registration info. The idea of allowing smaller cell radius is also good.
I tried it. I suspect that in my case (a PtMP outdoor network with 5 clients at distances up to 2.5 km), it chooses an interval of 1ms, at the time that I've seen the best performance (a 1.4x increase in upload speeds) with an interval of 2ms.
Could you also make it possible to decrease the cell radius below 10 km? As I see it, 10 km is more towards the upper distance limit of PtMP networks.
Sorry, I do not understand what you try to say...
AT LAST logs for PPPoE clients activity are complete
11:14:32 pppoe,info PPPoE connection established from xx:xx:xx:xx:6E:D0
11:14:33 pppoe,ppp,error <055e>: user xxxxx authentication failed
11:15:37 pppoe,info PPPoE connection established from xx:xx:xx:xx:6E:D0
11:15:38 pppoe,ppp,error <055f>: user xxxxx authentication failed
Routing marks were broken since RoS6.7 together with l2tp, we can grant access if we could agree a date and time, because we can not have production stopped for much more than 30-40 minutes in any routers.
Please clarify what makes you say this? In this thread, no serious problems have been reported that are specific to v6.15.
Could we perhaps have BETA stamped on this firmware again?
This is not the typical behavior or development path of "stable" firmware. At ALL.
Seriously, 15 revisions later, and we are not making any serious progress. One step forward, another step sideways and backwards.
I'm sick of being a beta tester, there is no reason to have STABLE marked on this firmware.
Routing-mark issue has been seen on very few customers for a long time now, it is not specific to this release, and does not affect significant amount of customers. We do need remote access to these machines to fix it.
Send a backup file with enabled admin user to support and specify on which routerboard we can restore this backup.
Routing marks were broken since RoS6.7 together with l2tp, we can grant access if we could agree a date and time, because we can not have production stopped for much more than 30-40 minutes in any routers.
It seems that something changed regarding route marks and route handling in 6.14 (and 6.15) - at least on my RB1100AHx2.
- Routes using routing marks show as inactive (and don't work)
- All RIP routes appear as inactive (and don't work)
Reverting to 6.13 fixes all the issues.
In my case routing marks start working after an additional reboot after upgrade 6.13->6.15.
This is of course a problem if that routing mark is needed to remotely reach the router and you can not request that reboot.
We also have problems with IPSEC-tunnels. The tunnels are not rekeying when the soft limit in phase2 is reached so the SPI:s will reach the hard limit. We have the problem on RB1100AHx2 and RB951Ui-2HnD and on 6.12 and 6.15, but not on 5.26.
v6.15 PPC platform can not negotiate IPSEC with MIPS devices, even if MIPS are v5.xx or v6.xx. Basically, v6 is still useless for 1100AHx2 if you need IPSec. Almost same problem I had with CCR. Thank goodness I didn't buy it.
In automatic mode the link is disconnecting after used by a period.
If you leave it empty the settings is auto. This is a new feature. You can try to check if it is working better compared with the static value.
I noticed that with wireless-fp package enabled for NV2 the field TDMA Period size can be empty. But if it is empty what does this mean ? Is it the minimal value or is it automatic. Do you advise leaving it empty or leaving the older configuration with set value ?
I don't have disconnects when using auto.
In automatic mode the link is disconnecting after used by a period.
About what version you are talking?
I can no longer setup an NTP client as unicast, did this feature get removed or moved to another area I am not seeing?
Sorry I expressed myself wrong.
I don't have disconnects when using auto.
In automatic mode the link is disconnecting after used by a period.
I already have signaled that problem, also for pppoe connection, but from 6.14 now is working again...
pptp and l2tp tunnels broke for winboxing into mikrotik at 6.10 and is still broken. if you create pptp or l2tp tunnel and then winbox into mikrotik through the tunnel it fails right away or disconnects. We have been having to create eoip tunnels to get around it. please fix.
Here:
I can no longer setup an NTP client as unicast, did this feature get removed or moved to another area I am not seeing?
What's new in 6.14 (2014-Jun-06 15:34):
*) sntp - 'mode' now is a read-only property, it is set to broadcast if no
server ip address is specified;
What's new in 6.15 (2014-Jun-09 15:26):
*) fixed problem where sntp server could not be specified in winbox & webfig;
And setting of the unicast server IP was fixed in 6.15...
Here:
I can no longer setup an NTP client as unicast, did this feature get removed or moved to another area I am not seeing?
What's new in 6.14 (2014-Jun-06 15:34):
*) sntp - 'mode' now is a read-only property, it is set to broadcast if no
server ip address is specified;
This is only test on table. But when you make it on remote wireless client, then is client disconnect because package wireless is disabled
I not understand why some users are fixed to uninstall unused packages...
on the second case, maybe you could make support output file when it happens and send it to support@mikrotik.com?
I tried to use AUTO in the tdma period size with 2 PtP link
- first case works perfectly
- second case the client disconnects the wireless and I lost connection on ethernet on the main AP and I need to redo the login, setting tdma period size to 2, it works.
Giuseppe
Use the field "max station count", it exist from RouterOS "1"...
...to have the NV2 protocol not leave slots for new stations to join the network when in Bridge mode rather than AP mode...
Try to disconnect the client, put it in scan mode, you should able to have access to the routerboard
Also set tdma-period to auto via console.
61 Km link with nv2 and wds-bridge.
Lost connection with board (RB911G-5HPnD). I am still able to access site via redundant link though.
Board non responsive. Driving out to go and power cycle.
Board is no longer visible under /ip neighbors. Ethernet connected to affected router still reports a link.
What fun...
Update:
On site and unit is constantly rebooting....
Will attempt reset...
[Ticket#2014062066000221]
on the second case, maybe you could make support output file when it happens and send it to support@mikrotik.com?
I tried to use AUTO in the tdma period size with 2 PtP link
- first case works perfectly
- second case the client disconnects the wireless and I lost connection on ethernet on the main AP and I need to redo the login, setting tdma period size to 2, it works.
Giuseppe
If you leave it empty the settings is auto. This is a new feature. You can try to check if it is working better compared with the static value.
I noticed that with wireless-fp package enabled for NV2 the field TDMA Period size can be empty. But if it is empty what does this mean ? Is it the minimal value or is it automatic. Do you advise leaving it empty or leaving the older configuration with set value ?
In 6.15 is bug with wireless-fp package. When is this wireless-fp package uninstalled
http://forum.mikrotik.com/download/file ... w&id=17337
then after reboot is wireless package disabled
http://forum.mikrotik.com/download/file ... w&id=17338
Not possible enabling wireless package. Only solution - downgrade and then enable wireless
See this: http://forum.mikrotik.com/viewtopic.php ... 50#p432232
Tested this too and this workaround worked for me with 433AH and 7115Hd: set wireless to enable and wireless-fp to disable, then reboot.
In fact, this sounds logical to me, because it's a user choice to enable/disable wireless package, whichever flavour it is. Mikrotik has no way to know if you want to disable "wireless-fp" to fully disable wireless interface or if you want to disable "wireless-fp" to enable "wireless" package...
In 6.15 is bug with wireless-fp package.
v6.15 ...fixed problem where sntp server could not be specified in winbox & webfig...
For anyone with sntp client issues take a look at the release notice for the version.
the arrow at the end of field....
I'm not seeing this "NV2 Latency Improvement" at all. And when I go to the NV2 tab, you can't leave it empty, and when I put 0 in for TDMA size, it turns red as invalid. Latency on my 300/300 rate link with no traffic, is 4-7ms solid. Almost seems worse. Help???
You must install the wireless-fp package to have that functionality.
Arrow at end of field???
have you activated wireless-fp package?
use netinstall 6.15
I have problem with 3 rb532 when reboot rb is hang, don't boot up. Any solution?
Have you traced your network traffic on LANs and check for traffic passing or not (e.g. using wireshark or similar) ? Maybe the devices there don't accept traffic from networks outside their IP/netmask (and src-nat actually fixes this issue).
Hi,
Looks like v6.15 has broke L2TP (without IPSEC) connection. I follow this guide. And I have to use SRCNAT between LAN. I cannot do routing only.
Any one has similar symptoms?
Use command at the base level
[admin@socit-mikrotik] > tool profile
NAME CPU USAGE
ovpn all 0%
pptp all 0%
firewall-mgmt all 0%
wireless all 12.5%
ethernet all 4%
console all 2%
ssh all 0%
dns all 0%
firewall all 17.5%
networking all 8%
winbox all 0%
logging all 0%
management all 3.5%
routing all 0%
idle all 36.5%
profiling all 0.5%
queuing all 7.5%
telnet all 0%
bridging all 3%
unclassified all 5%
-- [Q quit|D dump|C-z pause]
=)) when i read forum always i found ) you messages.... )))))) hello people!
STILL EXIST ON 6.15
I wait again the fix on 6.16... I'm waiting the fix from 6.10... http://forum.mikrotik.com/viewtopic.php ... 88#p416454
BUG SIGNALED FROM 6.10 AND STILL NOT FIXED???
Opened another ticket for that: [Ticket#2014041566000226] 6.12 UNFIXED BUG: user-manager profile limitation
netwatch ints not bug!!! use watchDOG...or maybe need start netwatch services after fullboot router???
When power off rb start. bug in 6.15?
On both ends?
I'm having an issues with 6.15.
One of my wireless clients on a PtMP link is not working.
The client is up on the registration table but traffic to the client just stops. If I ping it, there is no response, then I remove the client from the registration table and it re-associates then traffic starts to flow again. Is it possible to fix this?
edit:
Using nv2 and latest wireless-fp package
Have you call the speedtest hosting (SET 000) for ask how much bandwidth must be usable for make speed test?
we have a big problems!!!
now i have 100Mb uplink. when i test a speednet test - i have a 20 Mb\s MAX from NAT. on RB2011 it is NOT GOOD!!!!!!!!!!! IT VERY BAD!!!!!!!!!!!!
ALL RULES in FIREWALL - OFF.
and when I want to change a settings on port i have a problem:
[...]
after 10M all values not working.
i was changed queues...also not work....
Hi.
netwatch ints not bug!!! use watchDOG...or maybe need start netwatch services after fullboot router???
When power off rb start. bug in 6.15?
Have you call the speedtest hosting (SET 000) for ask how much bandwidth must be usable for make speed test?
Think if 10 users on the world want test on same server 100Mbps for each one...
The speed test over other isp are for dumb home users.
Call first the company involved on speed test for ask how much bandwidth they leave for speed testing...
Hmmm...
Have you call the speedtest hosting (SET 000) for ask how much bandwidth must be usable for make speed test?
Think if 10 users on the world want test on same server 100Mbps for each one...
The speed test over other isp are for dumb home users.
Call first the company involved on speed test for ask how much bandwidth they leave for speed testing...
people! of course ! i was first tested my speed... it is = 70 Mb\ sec.
something wrong.. or cpu 600 mhz is MAX speed for NAT is 20 MB\sec.
????
what is wrong? what is your tests by NAT??
What's your complaint?
Hmmm...
NAT + 64 rules, 100Mbit/s tariff rate. (Price 700 RUB month; 20,32 USD or 14.93 EUR)
I watched live speed in webfig at this time, it is the same as on the speedtest result +/- 2 Mbit/s.
CPU load 26-32% on 600 MHz.
What I doing wrong?! =)
What makes you think that I'm complaining? If i want see 100+ Mbit/s i connect to GPON from Rostelecom ISP. I just showed that in fact everything works fine with NAT and 64 firewall rules to man, who say "...something wrong.. or cpu 600 mhz is MAX speed for NAT is 20 MB\sec..."
What's your complaint?
You are almost at the max of your contract. Do you really want to see 100.0 Mbit up and down?
there is my settings......... maybe anybody can say anything? )
# jun/22/2014 23:52:50 by RouterOS 6.15
# software id = XRPPPPPPPPPPPPPPPPPHHH
#
/certificate
add common-name=xxxx country=RU days-valid=3650 key-usage=\
digital-signature,key-encipherment,tls-server locality=SPB name=cert_1 \
organization=xxxx state=LO subject-alt-name=email:xxxx@gmail.com \
trusted=yes unit=xxxx
add common-name=xxxx country=RU days-valid=3650 locality=SPB name=cert_2 \
organization=xxxx state=LO subject-alt-name=email:xxxx@gmail.com \
trusted=yes unit=xxxx
/interface bridge
add l2mtu=1594 name=bridge-free-wifi
add admin-mac=4C:5E:0C:2XXXXXX auto-mac=no l2mtu=1594 name=bridge-local-lan
add l2mtu=1594 name=marina-net
/interface ethernet
set [ find default-name=ether1 ] comment=\
"########################## wan #######################" \
name=ether1-gateway
set [ find default-name=ether2 ] comment=\
"--------------------- FREE BSD ---------------------" name=\
ether2-freebsd
set [ find default-name=ether5 ] comment=\
------------------------cisco------------------------ name=ether5-cisco
set [ find default-name=ether6 ] comment="================================= \
\_ ATS ==================================" name=ether6-ATS
set [ find default-name=ether7 ] comment="phone siemens" name=ether7-phone
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] comment="GUEST WIFI" name=ether9-guest-wifi
set [ find default-name=ether10 ] disabled=yes name=ether10-slave-local
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
band=2ghz-b/g/n disabled=no distance=indoors frequency=2452 \
hw-protection-mode=rts-cts l2mtu=2290 mode=ap-bridge multicast-helper=\
full periodic-calibration=enabled ssid=Mikros tx-power=18 tx-power-mode=\
all-rates-fixed
/ip neighbor discovery
set ether1-gateway comment=\
"########################## wan #######################" \
discover=no
set ether2-freebsd comment=\
"--------------------- FREE BSD ---------------------" discover=no
set ether3 discover=no
set ether4 discover=no
set ether5-cisco comment=\
------------------------cisco------------------------
set ether6-ATS comment="================================= ATS ==========\
========================" discover=no
set ether7-phone comment="phone siemens" discover=no
set ether8 discover=no
set ether9-guest-wifi comment="GUEST WIFI" discover=no
set ether10-slave-local discover=no
set sfp1 discover=no
set bridge-free-wifi discover=no
set marina-net discover=no
/interface vlan
add comment="local lan" interface=ether5-cisco l2mtu=1594 name=vlan1 vlan-id=\
44
add interface=ether5-cisco l2mtu=1594 name=vlan2-xxxx-net-server vlan-id=\
2001
add interface=ether5-cisco l2mtu=1594 name=vlan3-2002-local-net vlan-id=2002
/ip neighbor discovery
set vlan1 comment="local lan" discover=no
set vlan2-xxxx-net-server discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed name=none supplicant-identity=""
/interface wireless
add disabled=no l2mtu=2290 mac-address=4EFFFFFF master-interface=\
wlan1 name=wlan2 security-profile=none ssid=free-gorodok-net \
wds-cost-range=0 wds-default-cost=0
/ip neighbor discovery
set wlan2 discover=no
/ip firewall layer7-protocol
add name=vk regexp=\
"^.*(get|GET).+(vk.com|odnoklassniki.com|facebook.com|twitter.com).*\$"
/ip hotspot profile
add hotspot-address=192.168.11.1 login-by=http-chap,trial name=hsprof1 \
trial-uptime=1h/27m
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128-cbc pfs-group=none
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
add name=l2tp-pool ranges=192.168.254.2-192.168.254.62
add name=dhcp-ovpn ranges=5.5.5.10-5.5.5.100
add name=xxxx-net ranges=10.10.10.20-10.10.10.230
add name=hs-pool-16 ranges=192.168.11.12-192.168.11.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local-lan name=default
add address-pool=hs-pool-16 disabled=no interface=bridge-free-wifi name=\
hotspot-free-wifi
add address-pool=dhcp-ovpn interface=vlan1 name=vpn-dhcp
add address-pool=xxxx-net disabled=no interface=marina-net name=\
xxxx-net-serv-control
/ip hotspot
add address-pool=hs-pool-16 disabled=no interface=bridge-free-wifi name=\
hotspot1 profile=hsprof1
/ip hotspot user profile
set [ find default=yes ] address-pool=hs-pool-16 idle-timeout=none \
keepalive-timeout=2m mac-cookie-timeout=3d rate-limit=600k/1M \
shared-users=unlimited
/port
set 0 name=serial0
set 1 baud-rate=9600 data-bits=8 flow-control=none name=usb2 parity=none \
stop-bits=1
/ppp profile
add change-tcp-mss=yes local-address=192.168.254.1 name=l2tp remote-address=\
l2tp-pool
add dns-server=8.8.8.8 local-address=5.5.5.1 name=ovpn-server remote-address=\
dhcp-ovpn use-encryption=required
/queue type
add kind=pcq name=Inet-Download pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-limit=300 pcq-rate=100M \
pcq-src-address6-mask=64 pcq-total-limit=20000
add kind=pcq name=Inet-Upload pcq-classifier=src-address,dst-address \
pcq-dst-address6-mask=64 pcq-limit=100 pcq-rate=100M \
pcq-src-address6-mask=64 pcq-total-limit=70000
/queue tree
add name=DOWNLOAD parent=global queue=Inet-Download
add name=UPLOAD parent=global queue=Inet-Upload
add limit-at=2M max-limit=99M name=innnnn packet-mark=in-to-home-lan parent=\
DOWNLOAD queue=Inet-Download
add limit-at=2M max-limit=99M name=uppppp packet-mark=out-home-lan parent=\
UPLOAD queue=Inet-Upload
add limit-at=1M max-limit=5M name=radio packet-mark=radio parent=UPLOAD \
priority=7 queue=Inet-Upload
add limit-at=1M max-limit=70M name=openvpn-in packet-mark=openvpn-in parent=\
DOWNLOAD priority=6 queue=Inet-Download
add limit-at=1M max-limit=70M name=openvpn-out packet-mark=openvpn-out \
parent=UPLOAD priority=6 queue=Inet-Upload
add limit-at=1M max-limit=10M name=torrentsin packet-mark=\
torrentsin,torrentsinudp parent=DOWNLOAD priority=6 queue=Inet-Download
add limit-at=850k max-limit=5M name=rdp-prioritet packet-mark=rdp-traffic \
parent=DOWNLOAD priority=7 queue=Inet-Download
add limit-at=10M max-limit=70M name=http-traffic packet-mark=http-traffic \
parent=DOWNLOAD priority=2 queue=Inet-Download
/interface bridge port
add bridge=bridge-local-lan interface=ether2-freebsd
add bridge=bridge-local-lan disabled=yes interface=ether3
add bridge=bridge-local-lan disabled=yes interface=ether4
add bridge=bridge-local-lan interface=ether5-cisco
add bridge=bridge-local-lan interface=ether6-ATS
add bridge=bridge-local-lan disabled=yes interface=sfp1
add bridge=bridge-local-lan interface=wlan1
add bridge=bridge-free-wifi interface=ether9-guest-wifi
add bridge=bridge-local-lan disabled=yes interface=ether10-slave-local
add bridge=bridge-local-lan disabled=yes interface=ether8
add bridge=bridge-free-wifi interface=vlan1
add bridge=bridge-local-lan interface=ether7-phone
add bridge=marina-net interface=vlan2-xxxx-net-server
add bridge=bridge-local-lan interface=vlan3-2002-local-net
add bridge=bridge-free-wifi interface=wlan2
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp keepalive-timeout=15 max-mru=\
1418 max-mtu=1418
/interface ovpn-server server
set auth=md5 certificate=cert_1 cipher=blowfish128,aes128,aes192,aes256 \
default-profile=ovpn-server enabled=yes require-client-certificate=yes
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.1.1/24 interface=bridge-local-lan network=192.168.1.0
add address=10.10.10.11/24 interface=marina-net network=10.10.10.0
add address=192.168.11.1/24 comment="hotspot network" interface=\
bridge-free-wifi network=192.168.11.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
no interface=ether1-gateway
/ip dhcp-server lease
add address=10.10.10.10 client-id=1:0:ssssmac-address=\
00:1B:1dd:30:C7 server=xxxx-net-serv-control
add address=192.168.1.135 client-id=1:f4:bsssssssc mac-address=\
ddd01:08:BC server=default
/ip dhcp-server network
add address=5.5.5.0/24 gateway=5.5.5.1
add address=10.10.10.0/24 dns-server=10.10.10.11 gateway=10.10.10.11 \
ntp-server=10.10.10.11
add address=192.168.1.0/24 comment="default configuration" dns-server=\
192.168.1.1,8.8.8.8,10.0.0.50 gateway=192.168.1.1 netmask=24 ntp-server=\
192.168.1.1
add address=192.168.11.0/24 comment="hotspot network" dns-server=192.168.11.1 \
gateway=192.168.11.1
/ip dns
set allow-remote-requests=yes servers=192.168.11.1,7ccccc
/ip dns static
add address=192.168.1.1 name=z.lan
add address=192.168.88.1 name=tref.lan
add address=192.168.1.101 name=free.lan
add address=192.168.1.111 name=cisco.lan
add address=172.26.1.25 name=ds.lan
add address=172.26.1.1 name=m1.lan
add address=172.26.1.2 name=m2.lan
/ip firewall filter
add action=drop chain=forward dst-port=445 protocol=tcp src-address-list=\
Worm-Infected-p445
add action=drop chain=forward dst-port=445 protocol=tcp src-address-list=\
Worm-Infected-p445
add action=drop chain=virus comment="Blaster Worm" disabled=yes dst-port=\
135-139 protocol=tcp
add action=drop chain=virus comment="Messenger Worm" disabled=yes dst-port=\
135-139 protocol=udp
add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=tcp
add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment=MyDoom dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=\
tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=forward disabled=yes layer7-protocol=vk
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y dst-port=2283 protocol=tcp
add action=drop chain=virus comment=Beagle dst-port=2535 protocol=tcp
add action=drop chain=virus comment=Beagle.C-K dst-port=2745 protocol=tcp
add action=drop chain=virus comment=MyDoom dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Backdoor OptixPro" dst-port=3410 \
protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=udp
add action=drop chain=virus comment=Sasser dst-port=5554 protocol=tcp
add action=drop chain=virus comment=Beagle.B dst-port=8866 protocol=tcp
add action=drop chain=virus comment=Dabber.A-B dst-port=9898 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y dst-port=10000 protocol=tcp
add action=drop chain=virus comment=MyDoom.B dst-port=10080 protocol=tcp
add action=drop chain=virus comment=NetBus dst-port=12345 protocol=tcp
add action=drop chain=virus comment=Kuang2 dst-port=17300 protocol=tcp
add action=drop chain=virus comment=SubSeven dst-port=27374 protocol=tcp
add action=drop chain=virus comment="PhatBot, Agobot, Gaobot" dst-port=65506 \
protocol=tcp
add action=jump chain=forward comment="jump to the virus chain" jump-target=\
virus src-address=!192.168.1.101
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1 src-address=!192.168.1.0/24
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="ping port scanners" src-address=\
!192.168.1.0/24 src-address-list="port scanners"
add action=drop chain=input comment="ftp brute forcers" dst-port=21 protocol=\
tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
add action=drop chain=input comment="ssh brute forcers" disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=10m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=10m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp
add action=drop chain=forward comment="ssh brute downstream" disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=drop chain=input dst-port=53 in-interface=ether1-gateway protocol=\
udp
add action=drop chain=input dst-port=53 in-interface=ether1-gateway protocol=\
udp src-mac-address=00:1E:58:D8:1A:21
add action=drop chain=input dst-port=53 in-interface=ether1-gateway protocol=\
tcp
add action=drop chain=input comment=\
"TO BLOCK PROXY ACCESS PORT 8080 / ATTACK on WAN INTERFACE" dst-port=8080 \
in-interface=ether1-gateway protocol=tcp
add chain=input comment="L2TP VPN Server UDP 4500 (Nat-Traversal)" protocol=\
udp src-port=4500
add chain=input comment="L2TP VPN Server UDP " protocol=udp src-port=1701
add chain=input comment="Allow IKE" dst-port=500 protocol=udp
add chain=input comment="Allow IPSec-esp" protocol=ipsec-esp
add chain=input comment="Allow UDP" protocol=udp
add chain=input dst-port=1194 protocol=tcp
add chain=output dst-port=1194 protocol=tcp
add chain=input dst-port=1194 protocol=udp
add chain=output dst-port=1194 protocol=udp
add chain=input protocol=ipsec-esp
add chain=input protocol=ipsec-ah
add chain=input disabled=yes dst-port=1194 protocol=tcp
add chain=output disabled=yes dst-port=1194 protocol=tcp
add chain=input disabled=yes dst-port=1194 protocol=udp
add chain=input comment="ipsec upd 500" dst-port=500 protocol=udp
add chain=output comment="ipsec upd 500" dst-port=500 protocol=udp
add chain=input comment="all upd" protocol=udp
add action=drop chain=input disabled=yes dst-port=53 in-interface=\
ether1-gateway protocol=tcp
add action=drop chain=input disabled=yes dst-port=53 in-interface=\
ether1-gateway protocol=udp
add chain=input dst-port=1701 protocol=tcp
add chain=input comment=l2p dst-port=1701 protocol=udp
add chain=input dst-port=1194 protocol=udp
add chain=output dst-port=1701 protocol=tcp
add chain=input comment="VPN PPTP SERVER" dst-port=1723 protocol=tcp
add chain=input protocol=gre
add chain=input comment="default configuration" protocol=icmp
add chain=input dst-port=1194 protocol=tcp
add chain=input comment="default configuration" connection-state=related
add chain=input comment="default configuration" connection-state=established
add action=drop chain=input comment="default configuration" in-interface=\
ether1-gateway
add chain=forward comment="default configuration" connection-state=\
established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
/ip firewall mangle
add action=mark-packet chain=output new-packet-mark=openvpn-out \
out-interface=ether1-gateway protocol=tcp src-port=1194
add action=mark-packet chain=input dst-port=1194 in-interface=ether1-gateway \
new-packet-mark=openvpn-in protocol=tcp
add action=mark-connection chain=forward in-interface=ether1-gateway \
new-connection-mark=Incoming_Packets out-interface=bridge-local-lan
add action=mark-connection chain=forward in-interface=bridge-local-lan \
new-connection-mark=Outgoing_Packets out-interface=ether1-gateway
add action=mark-packet chain=forward connection-mark=Incoming_Packets \
dst-address=192.168.1.0/24 new-packet-mark=in-to-home-lan
add action=mark-packet chain=forward connection-mark=Outgoing_Packets \
new-packet-mark=out-home-lan src-address=192.168.1.0/24
add action=mark-packet chain=forward connection-mark=Outgoing_Packets \
new-packet-mark=radio protocol=tcp src-address=192.168.1.101 src-port=\
8000
add action=mark-packet chain=forward connection-bytes=0-2000000 \
connection-mark=Incoming_Packets new-packet-mark=http-traffic \
passthrough=no protocol=tcp src-port=80
add action=mark-packet chain=prerouting new-packet-mark=rdp-traffic protocol=\
tcp src-port=3389
add action=add-src-to-address-list address-list=Worm-Infected-p445 \
address-list-timeout=1h chain=prerouting connection-state=new dst-port=\
445 limit=5,10 protocol=tcp
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=netmap chain=dstnat dst-port=8000 in-interface=ether1-gateway \
protocol=tcp to-addresses=192.168.1.101
add action=netmap chain=dstnat dst-port=60017 in-interface=ether1-gateway \
protocol=tcp to-addresses=192.168.1.16
add action=netmap chain=dstnat dst-port=51413 in-interface=ether1-gateway \
protocol=udp to-addresses=192.168.1.101
add action=redirect chain=dstnat disabled=yes dst-port=80 protocol=tcp \
to-ports=8080
add action=netmap chain=dstnat dst-port=51413 in-interface=ether1-gateway \
protocol=tcp to-addresses=192.168.1.101
add action=netmap chain=dstnat dst-port=4444 in-interface=ether1-gateway \
protocol=tcp to-addresses=192.168.1.202
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=192.168.11.0/24
/ip hotspot ip-binding
add address=192.168.11.11 mac-address=44NNNN server=hotspot1
/ip hotspot user
add name=admin
/ip ipsec peer
add disabled=yes
add address=MMMMMMMM/32 dh-group=modp1536 disabled=yes enc-algorithm=\
3des exchange-mode=main-l2tp my-id-user-fqdn=mikrotik-xxxx policy-group=\
default
/ip ipsec policy
add disabled=yes dst-address=MMMMM/32 sa-dst-address=MMMMMM0.243 \
sa-src-address=xxx.xx.xx.130 src-address=10.38.192.131/32 tunnel=yes
add action=none disabled=yes dst-address=10.253.98.1/32 sa-dst-address=\
0.0.0.0 sa-src-address=0.0.0.0 src-address=192.168.1.1/32
/ip proxy
set cache-on-disk=yes
/ip route
add distance=1 dst-address=10.0.0.0/24 gateway=192.168.1.3
add distance=1 dst-address=72.16.4.0/24 gateway=5.5.5.10
add distance=1 dst-address=172.20.0.0/28 gateway=5.5.5.10
add distance=1 dst-address=172.26.1.0/24 gateway=5.5.5.11
add distance=1 dst-address=172.30.0.0/24 gateway=5.5.5.10
add distance=1 dst-address=192.168.88.0/24 gateway=5.5.5.10
/ip route rule
add action=unreachable dst-address=192.168.5.0/28 src-address=192.168.1.0/24
add action=unreachable dst-address=192.168.1.0/24 src-address=172.26.2.0/24
add action=unreachable dst-address=192.168.1.0/24 src-address=192.168.5.0/24
add action=unreachable disabled=yes dst-address=192.168.1.0/24 src-address=\
192.168.11.0/24
add action=unreachable dst-address=10.0.0.0/24 src-address=192.168.11.0/24
add action=unreachable dst-address=172.20.0.0/28 src-address=192.168.11.0/24
add action=unreachable dst-address=72.16.4.0/24 src-address=192.168.11.0/24
add action=unreachable dst-address=172.26.1.0/24 src-address=192.168.11.0/24
add action=unreachable dst-address=172.30.0.0/24 src-address=192.168.11.0/24
add action=unreachable dst-address=192.168.88.0/24 src-address=\
192.168.11.0/24
/ip service
set telnet address=192.168.1.0/24 disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24,192.168.88.0/24
set ssh address=192.168.1.0/24
set api address=192.168.1.0/24
set winbox address=192.168.1.0/24,172.26.1.0/24,192.168.88.0/24
set api-ssl address=192.168.1.0/24
/ip traffic-flow
set active-flow-timeout=1m enabled=yes
/ip traffic-flow target
add address=192.168.1.15:1234 version=5
add address=192.168.1.13:1234 version=5
add address=192.168.1.18:1234 version=5
add address=192.168.1.16:1234 version=5
add address=192.168.5.4:1234 version=5
add address=10.10.10.10:1235 version=5
/ip upnp interfaces
add interface=ether1-gateway type=external
add interface=bridge-local-lan type=internal
/lcd
set default-screen=stats-all
/lcd interface
set sfp1 disabled=yes interface=sfp1
set ether1-gateway interface=ether1-gateway
set ether2-freebsd interface=ether2-freebsd
set ether3 disabled=yes interface=ether3
set ether4 disabled=yes interface=ether4
set ether5-cisco disabled=yes interface=ether5-cisco
set ether6-ATS interface=ether6-ATS
set ether7-phone interface=ether7-phone
set ether8 disabled=yes interface=ether8
set ether9-guest-wifi disabled=yes interface=ether9-guest-wifi
set ether10-slave-local disabled=yes interface=ether10-slave-local
set wlan1 interface=wlan1
/ppp secret
add disabled=yes local-address=192.168.1.1 name=XXXXX profile=\
default-encryption remote-address=192.168.1.201 routes=192.168.1.1
add disabled=yes local-address=xxx.xx.xx.130 name=vpn remote-address=\
XXXXXXXXXX4
add disabled=yes name=client1 profile=l2tp service=l2tp
add disabled=yes name=XXXXX profile=l2tp service=l2tp
add name=19ph profile=ovpn-server remote-address=5.5.5.10 service=ovpn
add name=marina-baza profile=ovpn-server remote-address=5.5.5.11 service=ovpn
add local-address=192.168.1.1 name=esf profile=default-encryption \
remote-address=192.168.1.3 service=pptp
add disabled=yes local-address=5.5.5.20 name=marina-baza-net profile=\
ovpn-server remote-address=5.5.5.21 service=ovpn
/routing bgp network
add network=192.168.88.0/24 synchronize=no
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=xxxx-mikrotik
/system logging
add topics=e-mail
/system ntp client
set enabled=yes primary-ntp=89.109.251.21 secondary-ntp=89.109.251.24
/system ntp server
set broadcast=yes enabled=yes multicast=yes
/system scheduler
add interval=1d name=backup on-event="/system script run backup_to_email" \
policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-date=may/31/2014 start-time=00:20:00
add interval=10m name=flushDNS on-event="/system script run flushcache" \
policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-date=jun/17/2014 start-time=02:11:52
/system script
add name=backup_to_email policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source="{\r\
\n:log info \"Starting Backup Script...\";\r\
\n:local sysname [/system identity get name];\r\
\n:local sysver [/system package get system version];\r\
\n:log info \"Flushing DNS cache...\";\r\
\n/ip dns cache flush;\r\
\n:delay 2;\r\
\n:log info \"Deleting last Backups...\";\r\
\n:foreach i in=[/file find] do={:if ([:typeof [:find [/file get \$i name]\
\_\\\r\
\n\"\$sysname-backup-\"]]!=\"nil\") do={/file remove \$i}};\r\
\n:delay 2;\r\
\n:local smtpserv [:resolve \"cccrocc.ru\"];\r\
\n:local Eaccount \"aaa@aaaaa.ru\";\r\
\n:local pass \"aaaaaaa\";\r\
\n:local backupfile (\"\$sysname-backup-\" . \\\r\
\n[:pick [/system clock get date] 7 11] . [:pick [/system \\\r\
\nclock get date] 0 3] . [:pick [/system clock get date] 4 6] . \".backup\
\");\r\
\n:log info \"Creating new Full Backup file...\";\r\
\n/system backup save name=\$backupfile;\r\
\n:delay 2;\r\
\n:log info \"Sending Full Backup file via E-mail...\";\r\
\n/tool e-mail send from=\"<\$Eaccount>\" to=\$Eaccount server=\$smtpserv \
\\\r\
\nport=587 user=\$Eaccount password=\$pass start-tls=yes file=\$backupfile\
\_\\\r\
\nsubject=(\"\$sysname Full Backup (\" . [/system clock get date] . \")\")\
\_\\\r\
\nbody=(\"\$sysname full Backup file see in attachment.\\nRouterOS version\
: \\\r\
\n\$sysver\\nTime and Date stamp: \" . [/system clock get time] . \" \" . \
\\\r\
\n[/system clock get date]);\r\
\n:delay 5;\r\
\n:local exportfile (\"\$sysname-backup-\" . \\\r\
\n[:pick [/system clock get date] 7 11] . [:pick [/system \\\r\
\nclock get date] 0 3] . [:pick [/system clock get date] 4 6] . \".rsc\");\
\r\
\n:log info \"Creating new Setup Script file...\";\r\
\n/export verbose file=\$exportfile;\r\
\n:delay 2;\r\
\n:log info \"Sending Setup Script file via E-mail...\";\r\
\n/tool e-mail send from=\"<\$Eaccount>\" to=\$Eaccount server=\$smtpserv \
\\\r\
\nport=587 user=\$Eaccount password=\$pass start-tls=yes file=\$exportfile\
\_\\\r\
\nsubject=(\"\$sysname Setup Script Backup (\" . [/system clock get date] \
. \\\r\
\n\")\") body=(\"\$sysname Setup Script file see in attachment.\\nRouterOS\
\_\\\r\
\nversion: \$sysver\\nTime and Date stamp: \" . [/system clock get time] .\
\_\" \\\r\
\n\" . [/system clock get date]);\r\
\n:delay 5;\r\
\n:log info \"All System Backups emailed successfully.\\nBackuping complet\
ed.\";\r\
\n}"
add name=flushcache policy=ftp,reboot,read,write,policy,test,winbox,password \
source="/ip dns cache flush"
add name=tor-dc-NIGHT policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source="/queue tree set [find name=torrents] limit-at=2M max-limit=20M;\r\
\n/queue tree set [find name=mlnet] limit-at=2M max-limit=10M;"
add name=tor-dc-DAY policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source="/queue tree set [find name=torrents] limit-at=200k max-limit=1M;\r\
\n/queue tree set [find name=mlnet] limit-at=200k max-limit=1k;"
/system watchdog
set automatic-supout=no no-ping-delay=20m watchdog-timer=no
/tool e-mail
set last-status=succeeded
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-freebsd
add interface=ether3
add interface=ether4
add interface=ether5-cisco
add interface=ether6-ATS
add interface=ether7-phone
add interface=ether8
add interface=ether9-guest-wifi
add interface=sfp1
add interface=wlan1
add interface=bridge-local-lan
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-freebsd
add interface=ether3
add interface=ether4
add interface=ether5-cisco
add interface=ether6-ATS
add interface=ether7-phone
add interface=ether8
add interface=ether9-guest-wifi
add interface=sfp1
add interface=wlan1
add interface=bridge-local-lan
/tool netwatch
add down-script="/interface pptp-server remove <pptp-esf>" host=10.0.0.65 \
interval=10m
/tool sms
set port=usb2
This is YOUR problem, do not generalize.
The newsletter is here! Many new features!
- System rebooted because of kernel failure
- System rebooted because of kernel failure
- System rebooted because of kernel failure
- System rebooted because of kernel failure
- System rebooted because of kernel failure
- System rebooted because of kernel failure
Warning to everybody who uses 6.15: DO NOT activate wireless-fp package unless you want your routers to random reboot 10 times a day!
And no, you cannot switch between wireless packages once you activate wireless-fp, you have to downgrade.
unless I missed something, more than 48h passed.
Won't that only be until the DNS entry expires?
right
it would be better if within RouterOS you could control the DNS enablement and also the TTL directly on a per device basis.
I just noticed that my Multi WAN Routing Marks no longer working.
My path to make Routing Marks work.
6.14 -- work
6.14 to 6.15 -- NOT work
6.15 to 6.13 -- NOT work
6.13 to 6.14 -- NOT work
6.14 to 6.7 -- work
6.7 to 6.14 -- work
So weird
It's not a bug, it's your config.
Hello,
can you please fix the timestamps for the User Manager please ? I am on timezone GMT+2 and the logs for the Sessions and User Sessions are missing +2 hours.
user-manager-6.15-mipsbe.npk
Kind Regards
/tool user-manager customer
set [find] time-zone=+02:00
Are these the only 3 fixes, or is this changelog just the highlights?
What's new in 6.15 (2014-Jun-12 12:25):
*) fixed upgrade from v5 - on first boot all the optional packages were disabled;
*) fixed problem where sntp server could not be specified in winbox & webfig;
*) metarouter - make openwrt work on ppc metarouter again;
# name initializegps
/system gps set enabled=no
:delay 15;
/port set 0 baud-rate=4800 parity=odd
:delay 15;
/port set 0 baud-rate=4800 parity=odd
/system gps set enabled=yes set-system-time=no
# name initializegps
/system gps set enabled=no
:delay 15;
/port set 0 baud-rate=4800 parity=odd
:delay 15;
/port set 0 baud-rate=4800 parity=odd
/system gps set enabled=yes port=usb set-system-time=no
I updated every 6.15.
I saw the same between 6.13 and 6.15.
I understand that per RFC1997 that the community field is a 32 bit field, at the time with two byte AS numbers it was commonly used as 16 bits for the AS (before the colon) and 16 bits after for the community string.
need help support MK, because AS does not work with 6 digits? version 5.26 and 6.14
I just did a 10000 packets test. 0 packets lost. This is on a link with good signal and 100% ccq. I have some links which show minor packet loss on smokeping, but those links are not with good conditions so I think I had these losses before.
I liked the "Auto" NV2 timing with the new Wireless-FP package, latency hit 1ms sometimes! However, I got packet loss about every 100 or so pings, so had to revert back...
Use 23456,
ok need to use the prefix 262605 how do I? thanks.
In which version the GPS receiver was working?
My USGlobalSat Bu-353 receiver quit working when I upgraded my RB751 to RouterOS 6.15. Is there a fix for this?
Thanks,
donjames
ok need to use the prefix 262605 how do I? thanks.
Use 23456,
or one of the private prefixes,
or use another number
you could also try appending L to the end of the number, but I have not found any mikrotik documentation that says they support this signalling of 4-Byte AS Numbers.
Mikrotik may come back and change this or tell me I am wrong.
Also if you explain your use case then that could assist us in understanding other ways to do it.
Regards
Alexander
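The 16-bit limit described in the reply above, as an added example that is not part of the original thread: it packs and unpacks the 32-bit RFC 1997 community field and shows why AS 262605 cannot go before the colon. Function and class names are hypothetical; 23456 is AS_TRANS from RFC 6793 and 64512-65534 is the private 2-byte range from RFC 6996.

```python
# Added example: RFC 1997 community encoding with 2-byte and 4-byte ASNs.
# Function and class names are hypothetical, not RouterOS or MikroTik code.

AS_TRANS = 23456                      # RFC 6793 stand-in for a 4-byte ASN
PRIVATE_2BYTE = range(64512, 65535)   # RFC 6996 private-use ASNs 64512-65534
WELL_KNOWN = {                        # reserved values defined in RFC 1997
    0xFFFFFF01: "NO_EXPORT",
    0xFFFFFF02: "NO_ADVERTISE",
    0xFFFFFF03: "NO_EXPORT_SUBCONFED",
}


class CommunityError(ValueError):
    """Raised when a community does not fit the 32-bit field."""


def encode_community(text):
    """Pack 'ASN:value' into the 32-bit community attribute value."""
    try:
        asn_s, val_s = text.split(":")
        asn, val = int(asn_s), int(val_s)
    except ValueError:
        raise CommunityError(f"expected ASN:value, got {text!r}") from None
    if not 0 <= val <= 0xFFFF:
        raise CommunityError(f"value {val} does not fit in 16 bits")
    if not 0 <= asn <= 0xFFFF:
        # Masking instead of rejecting would silently tag routes with a
        # different AS: 262605 & 0xFFFF == 461.
        raise CommunityError(
            f"AS {asn} needs more than 16 bits; put {AS_TRANS} (AS_TRANS) "
            "or a private ASN before the colon"
        )
    return (asn << 16) | val


def decode_community(raw):
    """Turn a 32-bit community value back into its display form."""
    if not 0 <= raw <= 0xFFFFFFFF:
        raise CommunityError(f"{raw} is not a 32-bit value")
    if raw in WELL_KNOWN:
        return WELL_KNOWN[raw]
    return f"{raw >> 16}:{raw & 0xFFFF}"


def high_half_for(asn):
    """Pick the 16-bit number to place before the colon for a given ASN."""
    if 0 <= asn <= 0xFFFF:
        return asn
    if asn <= 0xFFFFFFFF:
        return AS_TRANS
    raise CommunityError(f"{asn} is not a valid AS number")


if __name__ == "__main__":
    # Constructed inputs: AS_TRANS, a private ASN, and the 4-byte ASN
    # from the thread.
    for sample in ("23456:100", "64512:100", "262605:100"):
        try:
            print(sample, "->", hex(encode_community(sample)))
        except CommunityError as err:
            print(sample, "rejected:", err)
```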
Please write EXACTLY how you have upgraded the two boards, without omitting anything,
Two different RB711 reboots because of kernel failure.
It happens after updating from ROS 6.13 with regular wireless package to 6.15 with wireless-FP package.
Routing marks worked without any issue for me for every ROS 6.xx release, even the latest 6.15. I'm using CCR1009 and RB2011UiAS for policy based routing.
We did not upgrade routers using policy based routing with routing marks (broke after 6.7) and vpn routers using l2tp (also broke after 6.7) and one Rb411 which is on 5.20 because if upgraded ethernet device stops working by some strange reason.
What problems do you have in this scenario ? RB with legacy card. I have a few boards with legacy cards which reboot themselves with 'kernel failure' message in log. Also just a few minutes ago one of these boards first rebooted a few times and then just crashed completely and needed a power cycle.
Hi!
Confirmed bug by MT in wireless-fp package if you have any legacy wireless card(non N-wireless capability)
installed on the RB
I'm now testing 6.16rc10 if they fixed it.
6.16rc10 seems to have a new SNMP bug though...
RGDS
SSTP is broken for me. I use it on x86, RB493G and CCR-1009, get disconnect on larger amount of traffic/bandwidth. CCR as VPN Concentrator? no way.
did sstp for win7 clients ever get fixed? or disconnects on pptp when logged into winbox? this all broke after 6.7? anyone not seeing these issues anymore?
after hw reset i see 6.15.
after upgrade from 5.25 to 6.15 on sxt5hnd, now i cannot access router, need netinstall,,but sxt is on rig..
Please tell us more about SNMP bug that is introduced in v6.16rc10
Hi!
I'm now testing 6.16rc10 if they fixed it.
6.16rc10 seems to have a new SNMP bug though...
RGDS
True.
I've noticed this thing with snmp in v6.15, I enabled it and it was not working, but then I went and changed the community from public to something else and it worked, no reboot needed.
In our case, we had about a dozen CCR1036-12G-4S units on 6.5 that were becoming completely non-responsive via MAC Telnet or IP until rebooted. The failures were occurring every 10-14 days of uptime. We upgraded to v6.13 and haven't had any incidents in 18 days.
We are having problems with the routing engine crashing on CC61036-12G-4S
We lose all routes and BGP peers. You reboot the router and it all comes back and works fine for a couple of days.
We are running 6.7 on our other datacentre CC61036-12G-4S and never had an issues with the routing engine crashing with 26 BGP peers connected.
Stewart
paste your SNMP verbose config here.
Please tell us more about SNMP bug that is introduced in v6.16rc10
Hi!
I'm now testing 6.16rc10 if they fixed it.
6.16rc10 seems to have a new SNMP bug though...
RGDS
Hi!
Seems to be working after 24hr -- CPU, Voltage etc did not get any data to DUDE - Maybe DUDE needed some time??
RGDS
/snmp export verbose
/system resource pr
uptime: 18m53s
version: 6.15
build-time: Jun/12/2014 12:25:29
free-memory: 107.9MiB
total-memory: 128.0MiB
cpu: MIPS 74Kc V4.12
cpu-count: 1
cpu-frequency: 600MHz
cpu-load: 11%
free-hdd-space: 109.6MiB
total-hdd-space: 128.0MiB
write-sect-since-reboot: 114
write-sect-total: 67294
bad-blocks: 0.1%
architecture-name: mipsbe
board-name: CRS125-24G-1S
platform: MikroTik
/tool profile
NAME CPU USAGE
firewall-mgmt all 0%
spi all 3%
ethernet all 1%
console all 0.5%
ssh all 0%
networking all 4%
management all 0.5%
idle all 87%
profiling all 0.5%
unclassified all 3.5%
is this on MIPS or some other arch?
The only bug I find on 6.16rc10 about SNMP if is SNMP are enabled AFTER the boot, you must REBOOT the device for make it effectively enabled.
secondary "bug" already present on 6.14 and 6.15 versions.
Thanks for reply, I have check this problem only on mipsbe devices:
is this on MIPS or some other arch?
The only bug I find on 6.16rc10 about SNMP if is SNMP are enabled AFTER the boot, you must REBOOT the device for make it effectively enabled.
secondary "bug" already present on 6.14 and 6.15 versions.
Is not a bug.
Bug on RB 2011UiAS with dynamic DNS rows. There was only 2 static DNS. The rows are too many. Example on picture.
/ip dhcp-client set [find] use-peer-dns=no
/interface pppoe-client set [find] use-peer-dns=no
/interface ppp-client set [find] use-peer-dns=no
I must use peer DNS. But this bug on RB 2011UiAS repeat the same DNS on every rows that write "Dynamic Servers".
Is not a bug.
Bug on RB 2011UiAS with dynamic DNS rows. There was only 2 static DNS. The rows are too many. Example on picture.
Paste this on your device:
/ip dhcp-client set [find] use-peer-dns=no
/interface pppoe-client set [find] use-peer-dns=no
/interface ppp-client set [find] use-peer-dns=no
we are working on the issue.
Thanks for reply, I have check this problem only on mipsbe devices:
netinstall 6.15 without keep previous config with netinstalled routeros-mipsbe-6.15.npk
All devices, after configured SNMP must be rebooted for SNMP to work, other things works flawlessly.
Other detail: i have configured SNMP simply paste this on new terminal, without using winbox GUI:
/snmp
set enabled=yes trap-community=public trap-target=0.0.0.0 trap-version=2
And again, is not a bug, check how many peer DNS your provider send to you.
Why I'm sure is not a bug?
Because I'm using 4 2011UiAS all with 6.15 (really one with 6.16rc10...) with dynamic dns, one with dhcp client, one with pppoe-client connected to mikrotik pppoe-server, one with pppoe-client by ADSL (the screenshot)
the 4th are at my home and I use ppp on 3G as backup.
And this bug never happen to me...
It's the normal behaviour, any scan of any type and tx stop completely.
Hi,
running /interface wireless spectral-history wlan1 or /interface wireless spectral-scan wlan1 on RB2011UAS-2HnD-IN 6.15 drops wireless connection and router stops broadcasting SSID until disabling and enabling wlan1 in winbox via ethernet connection.
http://forum.mikrotik.com/viewtopic.php ... 20#p434049
*) time - on routerboards, current time is saved in configuration on reboot
and on clock adjustment, and is used to set initial time after reboot;
SOLVED ON NEXT 6.16rc11
STILL EXIST ON 6.15
I wait again the fix on 6.16... I'm waiting the fix from 6.10...
http://forum.mikrotik.com/viewtopic.php ... 88#p416454
BUG SIGNALED FROM 6.10 AND STILL NOT FIXED???
Opened another ticket for that: [Ticket#2014041566000226] 6.12 UNFIXED BUG: user-manager profile limitation
yes!, Yes!, YES!
Is like someone on next RouterOS 6.16rc10 like my ideas...
http://forum.mikrotik.com/viewtopic.php ... 20#p434049
*) time - on routerboards, current time is saved in configuration on reboot
and on clock adjustment, and is used to set initial time after reboot;
Be patient... you can enable it (if you already have a version with wireless-fp) and then launch the update without rebooting.
The "wireless-fp" package seems stable.
When will you default include it as primary, in the standard update package?
I want to upgrade all my network without enable every station manually
We experienced this behavior from 6.0 through 6.5 where it was fixed for us. Have you tried rolling back a few releases to identify where it was introduced ?
Who else is having ospf problems? Many times all routes do not make it into the routing table, only into LSA. Is this the routing engine crashing? A reboot or three will finally make it work. I finally grabbed a supout and will put together a ticket if I can.
Rextended, if I got it correctly, you rebooted the 2011UiAS using system->reboot and it needed netinstall afterwards? Not even a power unplug/plug?
When I reboot using system/reboot my working 2011UiAS-2HnD netinstalled (netinstall 6.15) with 6.16rc11 it go to one loop with etherboot...
This problem for me is fixed with netinstalled (netinstall 6.15) 6.16rc12, never hang when rebooted.
"Timekeeping" work perfectly...
I've had some issues with 6.16rc11 on partitioned systems: stable system on part0 and test env on part1, boot my part1 (active), upgrade to 6.16rc11, reboot ..board start with part0 and part1 in unusable even if I try to activate it again. Problem seen on two board (CRS and 2011).
on 6.16rc11 I reboot the board 2011i2hpnd and the system not reboot, required netinstall for restore the system
I try again with 6.16rc12 ....
I have 4 RB1100AHx2 and I use it as pppoe-server, EVERY SINGLE DEVICE ON MY PRODUCTION NETWORK, EVERY 28 DAYS @04:00 AM AUTOMATICALLY REBOOT. Never had one single problem with 5.26/6.7/6.10/6.14+wireless-fp/6.15+wireless-fp
Rextended, if I got it correctly, you rebooted the 2011UiAS using system->reboot and it needed netinstall afterwards? Not even a power unplug/plug?
When I reboot using system/reboot my working 2011UiAS-2HnD netinstalled (netinstall 6.15) with 6.16rc11 it go to one loop with etherboot...
This problem for me is fixed with netinstalled (netinstall 6.15) 6.16rc12, never hang when rebooted.
"Timekeeping" work perfectly...
I had a strange issue lately with a RB1100AHx2 which sometimes requires a power unplug/plug after a scheduled reboot with a script (/system reboot). I wonder if there is an issue somewhere..
Use 23456,
ok need to use the prefix 262605 how do I? thanks.
or one of the private prefixes,
or use another number
you could also try appending L to the end of the number, but I have not found any mikrotik documentation that says they support this signalling of 4-Byte AS Numbers.
Mikrotik may come back and change this or tell me I am wrong.
Also if you explain your use case then that could assist us in understanding other ways to do it.
Regards
Alexander
I have some boards with these reboots. Upgraded a few of them with v6.16rc11 and the problem seems fixed. No reboots for a few days now.
Keep getting reboots from "Kernel Failure" on rb912's... dang!
simply change timezone and apply previous back (not with undo).
I just upgraded my CRS from 6.12 to 6.15
and it seems I got a time issue in the log: /system clock and the top bar show the correct date and time, BUT the log file shows the time 7 hours before.
this problem was never introduced on the previous version
it is a bug, isn't it?
Paul
IPsec is supported. Or please clarify what you mean?
PLEASE!!!!!!!!!!!!!!!!!!!!
ADD IPSEC INTERFACES!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
What do you need them for? Virtual interfaces coupled with classic (policy-based) IPsec seem to be rather confusing (since you generally can not pass arbitrary traffic through them, but only what's covered by the policy). What am I missing?
PLEASE!!!!!!!!!!!!!!!!!!!!
ADD IPSEC INTERFACES!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
He is meaning IPSEC Virtual Tunnel Interfaces.
IPsec is supported. Or please clarify what you mean?
PLEASE!!!!!!!!!!!!!!!!!!!!
ADD IPSEC INTERFACES!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Then the right thing to ask Mikrotik engineers for is to improve the performance of these standards-compliant combinations, rather than inventing something proprietary or trying to mimic some other vendor's proprietary solutions.
I do understand we can make this with IPIP+ipsec and GRE+ipsec. But the performance of those constructions is very bad.
Groups are to be used with policy templates, not policies.
IPSEC groups are not working. When assigning a group to a policy nothing happens, not even an error. In winbox the group is not even visible under policies. Has this ever worked in earlier versions?
Thanks, that works perfectly.
Groups are to be used with policy templates, not policies.
IPSEC groups are not working. When assigning a group to a policy nothing happens, not even an error. In winbox the group is not even visible under policies. Has this ever worked in earlier versions?
Works fine for me at least in 6.7, though there's no GUI support for these IPsec features in 6.7.
I have script that flushes sa's on both sides of the link when the connection breaks. It helps normally.
IPSEC still stops working randomly, a user that was able to connect a couple of days ago, can no longer connect using L2TP/IPSEC. Sometimes it helps Flushing SA:s. I experienced this myself today. I was connected on Friday for a short while without any problems, but today I was unable to connect, I tried several times, but when flushing the SA:s I was able to connect.
Can be interesting. Especially when used for eoip also. And for other types of tunnels if suitable.
What if you have something like (use-ipsec) in gre configuration and no additional ipsec config is required?
OK, so VTI is a fairly common feature. The implementations on Cisco, Juniper ScreenOS and JunOS, Fortinet, SonicWall, Sophos UTM (Astaro), Vyatta and Palo Alto Networks are all compatible with each other.
By looking at sonicwall links, where is the benefit of VTI in such configuration? You still need to set policies for that interface meaning additional configuration.
on mikrotik:
gre over ipsec would be true interface usable for routing firewall etc.
ipsec with subnet policies - the same as sonic wall provided example except that you do not need to configure virtual interface.
Can you point me to an RFC or similar document, please? I assume some doc should exist, if the feature is standard, as you say. I'd like to learn how it works on the protocol level.
- VTI is standard, and works across multiple vendors
http://www.isi.edu/div7/presentation_fi ... outing.pdf Very old document, but has a great outline on how VTI works at a protocol level. See Page 33...
Can you point me to an RFC or similar document, please? I assume some doc should exist, if the feature is standard, as you say. I'd like to learn how it works on the protocol level.
- VTI is standard, and works across multiple vendors
Thanks, we will look if there are any differences between strict and override that could affect your mentioned problem.
As I don't get any replies any more from Mikrotik on Ticket#2014061166000542, I can share an experience with those of you who have IPSEC problems. When upgrading from earlier versions, like 5.26 to 6.15, you will get: generate-policy=port-override instead of generate-policy=yes. Nothing strange with this, as this should be the most compatible setting according to Mikrotik. The problem is that it no longer works reliably. If you connect to a router running 6.15 that has generate-policy=port-override with an L2TP/IPSEC client like Windows XP, it will work. If you then disconnect and reconnect the client it will be unable to establish the IPSEC transport connection (reproducible every time for a client I have tested behind NAT). The only way to reconnect is by flushing the SAs.
Workaround: use the setting generate-policy=port-strict. This will stop what can appear as random connection problems, and it will let the clients reconnect immediately after disconnecting without flushing the SAs.
Agreed regarding the VTI. I have some extremely reliable mtk boxes that I might possibly have to junk now as we've moved away from a nix based quagga server to a fortinet and I absolutely need VTI.
How so? Fortinet VTIs interoperate perfectly with standard IPSec Site to Site implementations like Mikrotik or Cisco ASA.
You just need to understand that the Fortinet VTI itself is equivalent to Phase 1 (IPSec Peer configuration), and the Policies you can bind on the VTI are equivalent to Phase 2 (IPSec Policy configuration). You don't have an interface on your Mikrotik box, but most configuration can be adapted to work this way.
Copy whole package with winbox, reboot by scheduler at night.
Exact and detailed method used for upgrade the board?
What you described is not really a bug.
Has anyone tested the reported long term routing-mark issue in any of the v6.16 rc versions yet and is it perhaps fixed?
....
Exactly the same here, RB2011LS upgraded to v6.15, down to 6.10 and the mismatch persists:
How is this possible?
(read the cpu frequency reported by the two commands, on the same routerboard)
[admin@MikroTik] > /system resource print
uptime: 1h49m56s
version: 6.15
build-time: Jun/12/2014 12:25:29
free-memory: 8.4MiB
total-memory: 32.0MiB
cpu: MIPS 24Kc V7.4
cpu-count: 1
cpu-frequency: 300MHz
cpu-load: 1%
free-hdd-space: 50.1MiB
total-hdd-space: 63.8MiB
write-sect-since-reboot: 28602
write-sect-total: 206729
bad-blocks: 0.3%
architecture-name: mipsbe
board-name: RB951-2n
platform: MikroTik
[admin@MikroTik] > /system routerboard settings print
boot-device: nand-if-fail-then-ethernet
cpu-frequency: 360MHz
boot-protocol: bootp
force-backup-booter: no
silent-boot: no
This behaviour makes my monitoring software go crazy...
paste this:
/system routerboard settings set cpu-frequency=400MHz
paste this:
Exactly the same here, RB2011LS upgraded to v6.15, down to 6.10 and the mismatch persists:
sys re pr
uptime: 21h53m31s
version: 6.10
build-time: Feb/12/2014 13:46:18
free-memory: 30.3MiB
total-memory: 64.0MiB
cpu: MIPS 74Kc V4.12
cpu-count: 1
cpu-frequency: 600MHz
cpu-load: 36%
free-hdd-space: 101.9MiB
total-hdd-space: 128.0MiB
write-sect-since-reboot: 32647
write-sect-total: 504475
bad-blocks: 0%
architecture-name: mipsbe
board-name: RB2011LS
platform: MikroTik
/system routerboard settings print
boot-device: nand-if-fail-then-ethernet
cpu-frequency: 500MHz
boot-protocol: bootp
silent-boot: no
We suffer some random "kernel panic" + "out of memory"
Supout.rif sent to staff.
EDIT: This only happens in the RB2011 series; in the other MK upgraded to v6.15 everything is working fine.
/system routerboard settings set cpu-frequency=600MHz
It's the first thing I did (obviously), but it didn't work.
/system routerboard settings set cpu-frequency=400MHz
Being able to "zone" the interface and classify traffic going over it separately from the parent interface. Cisco, juniper, Palo Alto all support this and it hinders compatibility by not providing this functionality.
By looking at sonicwall links, where is the benefit of VTI in such configuration? You still need to set policies for that interface meaning additional configuration.
on mikrotik:
gre over ipsec would be true interface usable for routing firewall etc.
ipsec with subnet policies - the same as sonic wall provided example except that you do not need to configure virtual interface.
The file you download from the beta area is not the final version... on my lab RB2011 the (supposed) 6.16 final update (from 6.15) + firmware update (3.16->3.17) ..have needed a manual reboot. Display showed 'rebooting' but was stuck; pay attention if you have remote similar device/conditions..
I hope so @rextended, otherwise many mt guys will have to jump in their cars..
The file you download from the beta area is not the final version.
If you do not trust me, save the file somewhere and compare with the final public version when available.
well done!
Today's build of 6.16 has fixed the issue bajodel had above
How did support respond to your questions about this? Were they able to verify and test with you?
PLEASE FIX THIS BUG BEFORE THE LAST 6.16 COMES OUT...
THIS BUG, ALREADY SIGNALED ON 6.12, IS STILL PRESENT AND NOT SOLVED:
Primary BUG: Scripts or schedules created in Webfig do not have ftp, winbox, api rights, and it is impossible to set those rights in Webfig
Secondary BUG: Winbox does not have the possibility to change ftp, winbox, api rights on a script or schedule
VERSION AFFECTED: ALL VERSIONS OF ROUTEROS, including the last pre-release 6.16
When a script is created on Winbox or on CLI, the default rights applied are:
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
But when the script is created by webfig, the only rights that can be applied are:
reboot,read,write,policy,test,password,sniff,sensitive
MISSING ftp,winbox,api
Without the ftp right, some commands like "/export file=filename;" are not doable in a script / schedule created with WebFig.
Walkthrough: obviously using the CLI you can set the missing rights.
It is clear what the problem is, without any other investigation.
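An added example, not part of any post in this thread and not MikroTik code: a Python audit of /export text that flags IPsec peers still set to generate-policy=port-override (the upgrade behaviour reported earlier in the thread) and scripts or schedules whose policy list lacks rights from the Winbox/CLI default set quoted above. The sample export, the names in it and the /ip ipsec peer menu location are assumptions; entries exported without an explicit policy= are assumed to carry the defaults and are not flagged.

```python
import shlex

# Policy set the post lists for scripts created from Winbox or the CLI.
CLI_DEFAULT = set("ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api".split(","))

# Constructed sample of "/export" output; names and values are illustrative.
SAMPLE_EXPORT = r'''
/ip ipsec peer
add address=0.0.0.0/0 generate-policy=port-override \
    nat-traversal=yes secret=EXAMPLE
add address=192.0.2.10/32 generate-policy=port-strict secret=EXAMPLE
/system script
add name=nightly-export policy=\
    reboot,read,write,policy,test,password,sniff,sensitive source=\
    "/export file=filename;"
add name=cli-made policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source="/system reboot"
'''

def entries(export_text):
    """Yield (menu, {key: value}) for every 'add' line, joining '\\' continuations."""
    menu, pending = None, ""
    for raw in export_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # export wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):         # menu header, e.g. "/system script"
            menu = line
        elif line.startswith("add "):
            pairs = (tok.partition("=") for tok in shlex.split(line[4:]))
            yield menu, {k: v for k, _, v in pairs}

def audit(export_text):
    """Return (kind, identifier, reason) tuples for settings the thread reports as problematic."""
    findings = []
    for menu, item in entries(export_text):
        if menu == "/ip ipsec peer" and item.get("generate-policy") == "port-override":
            findings.append(("ipsec-peer", item.get("address"), "generate-policy=port-override"))
        # Assumption: a missing policy= means the export omitted default values.
        elif menu in ("/system script", "/system scheduler") and "policy" in item:
            missing = CLI_DEFAULT - set(item["policy"].split(","))
            if missing:
                findings.append(("script", item.get("name"), "missing " + ",".join(sorted(missing))))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(*finding, sep="  ")
```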