MikroTik - Search

cdiedrich

I haven't found any hint in the forums or manual pages yet and hope for clairification. I have a pair of routers, each running 3 vrrp interfaces. Identical config. I'm about to upgrade to 7.6 (from 6.49.6) soon to take advantage of synced connection tracking. Do I need to enable sync-connection-trac...

cdiedrich

Well, the "single drop rule" was just half of the story ;-) The # of "just allow rules on top of that single drop rule" would most likely be the same as my suggestion ;-) I'll get you some chocolate - once traveling and live events are possible again, I'd be happy to meet you for...

cdiedrich

My two cents: /ip neighbor discovery-settings set discover-interface-list= none Given that the largest volumes of data in the network should be the video streams, I'd assume there's rather some kind of packets the keyboard doesn't know how to handle, which may cause an overflow of some buffer despi...

cdiedrich

Man, I know - I'm working with NDI almost daily ;-) We made very good experience with UDP unicast (tcp tends to be laggy from time to time).Even two or three destinations work well in this setup. Unfortunately, I don't have any experience with MikroTik switching (using them as routers only), all our...

cdiedrich

Since your setup is really small - do you really need multicast? Looks like every NDI source connects to one destination only. Quickest way would be going unicast.
Apart from this, your config looks good to me.
-Chris

cdiedrich

You're talkinmg about clients - so I guess you provide Internet service? And your client-facing network is basically just a L2 domain and you want to totally block discovery within this domain? So not just making your Tik devices invisible to them but also theirs from one another? Then it depends on...

cdiedrich

I wish I was as smart as anav whom I appreciate and respect as a vivid forum member ever since - but I guess everyone has a bad day now and then. And yes, I totally missed the scale.\ How about this one - can be created by script and should basically do what is needed - still some lines per tenant: ...

cdiedrich

/ip firewall filter add chain=forward action=drop src-address=10.10.10.0/24 dst-address=10.10.11.0/24 comment="Drop A to B" add chain=forward action=drop src-address=10.10.11.0/24 dst-address=10.10.10.0/24 comment="Drop B to A"

Done.
-Chris

cdiedrich

Winbox is using your computer's DNS settings.
resolve command in terminal is using the router's DNS settings.
-Chris

cdiedrich

看起来像一个设备与私营MAC地址00:00:5e:00:01:6F (this belongs to a VRRP interface) is doing proxy-arp.
The reply from that MAC address with IP 192.168.2.3 points to a D-Link AP. I'd check its settings.
-Chris

cdiedrich

Didn't see anything that would point to a dhcp server problem. I guess you know your firewall is pretty wide open, don't you? Just out of curiosity: do your udp dst-nat rules include port 67 and/or 68? What's the actual mac address of your 1100's bridge? I see a duplicated mac address in your switch...

cdiedrich

Yes. This is the only possible answer to your question. Without knowing anything about your setup, nobody can help you. There's obviously no switch "make everything work perfectly" which is disabled by default.and has just to be turned on. So please share some information with us, the mini...

cdiedrich

That can really be misledaing.
So see the actual managed interfaces, you need to look at your caps manager.
output of the managed CAP is just an indication that you can't do anything there b/c it is managed by CAPsMAN.
-Chris

cdiedrich

Well, you said when turning off HT you other instances (vms?) suffer degraded performance - so my advice was for a scenario with HT still being enabled. CPU affinity is a good path to go to make sure the assigned vCPUs are not running on the same physical core in a HT environment. And just out of cu...

cdiedrich

Using Hyperthreading with CPU-intense workloads is far from being a good idea.
If not done yet, I'd check CPU affinity (make sure the vCPUs assigned to your CHR instance are not on the same physical cores) and probably add a CPU reservation for the vm at 125% of its average load.
Good luck,
-Chris

cdiedrich

Now this make so much sense...
Thanks for opening my eyes.
Now these commands are to be used in scripts run by the scheduler - will that be run with the account of the script owner?

Thanks!
-Chris

cdiedrich

a standard company-wide admin account

cdiedrich

Dang - and this happens to me :-) Exact same output on both devices: /user ssh-keys prin Flags: R - RSA, D - DSA # USER BITS KEY-OWNER 0 R remote 2048 user@computer /user ssh-keys priva prin Flags: R - RSA, D - DSA # USER BITS KEY-OWNER 0 R remote 2048 user@computer

cdiedrich

Morning all, My goal is to make two routers talk to each other in a script with ssh-exec. I created a user and keys according to this Wiki article . But when trying to fire a command from a remote router (with the exact same user and key config), I always receive an authentication error while the de...

cdiedrich

Your question is a bit ambigous. Do you have a problem that only ten users can connect concurrently and you want more users or do you want to limit the amount of concurrent vpn connectios to a total of ten? Either way, post an export of your config and we can see to find a way to accomplish the one ...

cdiedrich

Let's assume your servers are configured in a /24 subnet and .1 of this subnet is their default g/w, it'll be this:

/ip address add interface=ether3 address=192.168.2.1/24 disabled=no add interface=ether4 address=192.168.3.1/24 disabled=no

cdiedrich

the fetch tool has improved quite a lot since 5.25
Just looked at it on my 6.46.7 version and now there's header-field and http-method parametrs (like get, put, post, delete). Have look atthe manual entry
Probably it's just a routerOS upgrade you need.

-Chris

cdiedrich

Hmm..
Which versions are CCR, CHR and Winbox running?
Did you try "Legacy Mode" from The Tools menu to connect?

-Chris

cdiedrich

The information provided is too little to really help. Does your CHR have connectivity at all when checking from vm console? Does it do its job beside Winbox connectivity? Did I get it right that you can connect to the web interface but not through Winbox? How are you connecting though Winbox? via I...

cdiedrich

Web access to the dude is pretty limited, but possible.
Just log into webfig of your hEX and navigate to Dude.
It's totally OK to view network maps which already have been created - but not much more.

It might be a good idea to create a separate user for this together with a custom skin.

-Chris

cdiedrich

Check your subnetting. Your "external" router sees the src address of 73.65/27 as a local address b/c it's in the range of 73.0/24.
This would also not work with Cisco.
Try adding a static route to your "external" router for 73.64/24 with gw=73.3 then it should work.

-Chris

cdiedrich

I've had a similar problem with a client of mine quite a while back and the behavior was exactly the same. Try setting "group ciphers" to TKIP in your security profile and give it another try. And make sure you're using a clean 20MHz channel on the TP-Link, ideally on 1,6 or 11 as @erlinde...

cdiedrich

Simple solution:
Do not use the devices for testing (well, better: guessing) bandwidths. It's always a CPU bottleneck.
Get yourself two computers, connect them to the switches and run iPerf on them.
-Chris

cdiedrich

Now that is brilliant!
Will try this first thing tomorrow morning.
Thanks a lot - the easiest things rarely are that obvious.

-Chris

cdiedrich

Well, according to the LTAP mini datasheet, it draws a maximum power of 9W.
That represents 1800mA current at 5VDC. So a fully charged 6000mAh power bank should last about 3:20h under perfect conditions. You should be safe assuming 2:30...2:45h realistically.
-Chris

cdiedrich

Now that's by design, unfortunately. The most pragmatic way would be filtering by IP address.
-Chris

cdiedrich

First, you need to enable promiscuous mode on the vswitch port groups your routerOS vm is connected to. Since that impacts all other vms as well, I-d advise to create another port group just for this vm on the vSwitch (the one that has physical adapters and has the "VM Network" port group ...

cdiedrich

As long as the devices are on a map, you can multi-select the devices in question, right-click, settings and just update the password there. Do not touch any other fields.
-Chris

cdiedrich

Yes, that will definitely work.

cdiedrich

You'll need to update your system package as well. The Dude package can't be a different version than routerOS. The easiest way would be to go through the normal update process via System -> Packages -> Check for updates. This will update all necessary packages. And, of course, the platform has to m...

cdiedrich

First: You won't need any bridge for vpn access. Instead of poking into the dark, please post an export of your config and let us know what you exactly want to achieve. "Doesn't see anything in the subnet" is still too vague. Re-reading your initial post now makes me guess you want a site2...

cdiedrich

Nope.
Just create a dedicated IP pool seperate from your local subnet for vpn clients and let them use these addresses.
-Chris

cdiedrich

The problem is not UDP but that it's Multicast
Checkthis post by @donewareand the whole thread.
-Chris

cdiedrich

Well, it's not free actually but bound to the (disk on the) device and being paid for with the purchase of the device. As long as you see a running routerOS when it's booted, you're safe.There's no recurring cost.
-Chris

cdiedrich

Good afternoon all, I'm trying to create a custom probe with passing device_property("FirstAddress") into a ros_command by concatenating the string. I'm struggling to correctly escape double quotes into the concatenated result. Escaping with a leading \ I get a "parse error" as w...

cdiedrich

Haven’t tried it myself with winbox, but it might be worth a shot creating a scaling manifest file as describedhere in point 4.
-Chris

cdiedrich

Tools -> Zoom In

cdiedrich

Common practice is checking mac addresses - the last two bytes should be way enough to figure out on such a small NIC count.
other way would be hooking up a dumb switch to the empty NIC and see which one goes up in routerOS.

-Chris

cdiedrich

Hmm... I don't see any obvious misconfiguration in your setup. Just double-checked it with a bonding I have up and running here and the only differences I see is explicit LACP protocol assignment to the interfaces on the cisco side and plain layer2-hashing on the Tik side. Here's my working config (...

cdiedrich

Now that's simple.

execute this command on both ends, station side first:

/int w60g set [find] password=yoursafepassword

After they reconnect, traffic is encrypted.
-Chris

cdiedrich

The information provided is pretty little. In case it is just a transparent bridge, you can only encrypt the transport link. If your links are running 802.11, first step would be to encrypt the w/l traffic with WPA2-PSK. Create identical security profiles on each end of a link and use them in the wi...

cdiedrich

The problem is neither the physical switch nor the routerOS license level. It's in ESX. Link aggregation is only supported on distributed switches. These are only available from vSphere enterprise license level upwards. All standard vSwitches in ESXi balance the vm NICs between all uplinks of the vS...

cdiedrich

Yeah, it’s really sad. Due to the lack of standardized roaming features I replaced about 700 centrally managed APs in 20+ locations with Meraki just in the past two years...

cdiedrich

Hahahaha...
No.
:(

cdiedrich

I think the best start would be that you post an export of your config. Then we can take a deeper look.
-Chris

cdiedrich

That's pretty little information. I guess you already know that the ideal solution would be replacing your CCR with one that actually has SFP+ slots. You could distribute your ten addresses across multiple physical interfaces, no bridges. Then you can set routes for all interfaces to the same gatewa...

cdiedrich

I had exactly this issue a couple of weeks ago and contacted support about it (Ticket # SUP-16818)
They say there is no way around this and advise a fresh install :-(
Totally agree on being cumbersome. Where feasible, we're going back to basic x86 images.
-Chris

cdiedrich

I doubt that will ever work with both peers connected to the same AP. A 4k stream allocates a significant amount of bandwidth - and your AP will have to receive and transmit it at the same time. If there is absolutely no chance to have at least one end wired, the only chance I see is adding a dedica...

cdiedrich

The easiest way would be making the lease static. If not possible for whichever reason, you can retrieve the active IP by mac address with

/ip dhcp-server lease get [find mac-address=00:01:02:03:04:05] address

And use this to adjust the netwatch script.

cdiedrich

/tool netwatch add down-script="/int pppoe-client set pppoe-out10 disabled=yes \n:delay 3s\r\ \n/int pppoe-client set pppoe-out10 disabled=no\r\ \n" host=192.168.88.10

cdiedrich

I'd say it's about your double quotes - the "inner" double quotes need to be escaped.
try this:

[ros_command(":put ([interface ethernet monitor sfpplus1 once as-value]->\"sfp-vendor-part-number\")")]

cdiedrich

Totally with pe1chl. For the conditional forwarders I'd love to see having this possibility for reverse lookups as well. Like That is not different functionality. To have reverse working for subnet 172.16.16.0/24 you configure an NS record for 16.16.172.in-addr.arpa. (and the router should forward ...

cdiedrich

Totally with pe1chl. For the conditional forwarders I'd love to see having this possibility for reverse lookups as well. Like /ip dns add conditional-forwarders=10.20.30.40,10.20.31.40 domains=test.com,xyz.org subnets=10.20.30.0/23 add conditional-forwarders=172.16.16.16 subnets=172.16.16.0/24,192.1...

cdiedrich

首先,请把配置出口到代码块,makes it much easier to read. For your problem, this should fix it: ## make sure your dhcp sends out dns servers and correct gateways. A Gateway must be in the same subnet to be reachable. /ip dhcp-server network add address=192.168.10.0/24 gateway=...

cdiedrich

You can do this with the "Static Network Element".
Insert, right-click, select Appearance, select image (previously uploaded to the Dude), choose a proper scale for the image, select rectangle as shape and use white as color.
-Chris

cdiedrich

I've seen this a couple of times (count is easily three-digit) and it is really annoying. The interface list for discovery should only contain the bridge the lan-facing interface is bound to. No physical interfaces belonging to the same bridge. In 100% of my cases the issue only appeared on access p...

cdiedrich

With VRRP you already have everything you need. You can use any private network for VRRP, like 172.16.16.0/29. Then use .2/30 and .3/30 for the physical interface addresses and .1/32 for the VRRP address. Then add your public IP with correct subnet mask to that vrrp interface as well. It will follow...

cdiedrich

I have to chime in in not seeing a proper solution but I totally understand the demand. A dodgy solution with a noticeable admin overhead would be bridge horizon and static routes for all hosts in the same subnet via the default g/w. And this being set on each and every host. Far from nice, far from...

cdiedrich

Just for the first - the one in the same subnet you're using for vrrp.
other addresses can be any mask and will follow the vrrp status.

-Chris

cdiedrich

是的,工作。但vrrp地址必须是一个/32 no matter what the actual subnet size is.
-Chris

cdiedrich

可惜的是,操作系统没有能力process to handle multicast across bridge/vlans!

No, it's not.
The topic is about link-local multicast and that's the way it is supposed to work.
routerOS does in fact offer "real" multicast routing with PIM and multicast package.
-Chris

cdiedrich

There is a vpn client who need an IP address from the local address space. The only reason I can see for this being necessary is a service running in your LAN that only accepts connections from the local LAN. So it's not the client that needs the local range address but the service being accessed. ...

cdiedrich

Best and common practice is to have a dedicated subnet for vpn clients.
There's absolutely no reason for vpn clients being located in the same subnet as the local LAN.
-Chris

cdiedrich

A simple "Simple Queue" should do the trick. On each end of your tunnel, add a simple queue with the local subnet as target and the remote subnet as as "dst" and fill both "Max Limit" fields with your desired total b/w. like "60M". After reading your post agai...

cdiedrich

That should be fairly easy - of course it depends on the complexity of your setup. I'd strongly advise to schedule a downtime for doing this b/c you never know... I'd create a script that adjusts all necessary settings (i.e. IP address interface binding, firewall rules with in/out-interface matchers...

cdiedrich

You could try station-pseudobridge-clone with your cam's MAC address as station-bridge-clone-mac parameter.
Just to be 100% sure: your main router is not running routerOS, right?

-Chris

cdiedrich

That is great news.
Just thinking further - together with GPS it could become a really nice Master clock or even grand master...
And it could open the CRS range for use with AVB.

cdiedrich

That's unfortunately true. I have a set of scripts ready that push new new config to the backup capsman. First script exports the current /caps-man config into a file. Then I have another file ready that completely wipes the current /caps-man config. The wipe script is uploaded via ftp as wipecaps.a...

cdiedrich

I also voted for full user export with md5-hashed passwords. +1 for exporting certificates as they are a essential part of the config. And I´m totally with mada3k to have public keys exportable. Now for the import process, I´d love to see an option for error-handling, ideally per config section. Lik...

cdiedrich

Hmmm...
Turn on logging for topics e-mail,debug and trigger that command manually. Then you can see the whole smtp session in your log.
Maybe you find a hint on what's wrong there.
-Chris

cdiedrich

Did you configure /tool e-mail before?

Like:

/tool e-mail set address=mail.provider.com from=dhcpalerts@provider.com password=youremailpassword port=465 start-tls=tls-only user=dhcpalerts@provider.com

-Chris

cdiedrich

You could trigger /tool e-mail from your dhcp server's lease-script
-Chris

cdiedrich

So both networks are attached to the same router? If so and the config is default-ish, it should automatically route between the networks without any user action required. Your question was a bit ambigious, either a language barrier or typo - or not precisely put. I read your "won't" as &q...

cdiedrich

Your config looks good to me an first sight. There have been issues in throughput and packet loss on RB3011 with the LCD turned on. Try turning off the LCD screen and see if that helps. As for your plenty dst-nat rules, you can aggregate the ports comma-seperated into one rule for each protocol and ...

cdiedrich

Your mangle rule sets the routing mark no matter what the dst-address is. So add a route with the appropriate routing mark like this: /ip route add dst-address=192.168.138.0/24 gateway=ether1 routing-mark=your-routing-mark-eth3-wan add dst-address=192.168.138.0/24 gateway=ether1 routing-mark=your-ro...

cdiedrich

Totally understandable application. I'd say this would work: /interface list add name=nodhcpports /interface list member add interface=ether3 list=nodhcpports add interface=ether4 list=nodhcpports /interface bridge filter add action=log chain=input dst-port=67-68 in-bridge=bridge1 in-interface-list=...

cdiedrich

I've seen this before a couple of times when no ipsec policies and proposals were defined but the other end had some proposals defined already.
尝试添加sha1 auth-algorithms在你的你的ls.

-Chris

cdiedrich

Hmmm...
which networks are bound to which interfaces?
And what's the content of the "lan" address list?

You normally just need one masq rule for everything going out to WAN. with proper routing in place, you won't need any internal src-nating as your last rule implies.
-Chris

cdiedrich

+1
...and a Dude server with 64bit counters, please :-)

-Chris

cdiedrich

post an export of your core router's /ip firewall nat section.
Looks like your default (masquerade) rule is configured too loosely.

-Chris

cdiedrich

It's only a guess, but I wouldn't be surprised if the script file is locked during execution and can't be deleted because of that. I could imagine a workaround: in your config script, create a scheduler item that runs on startup and deletes that file. It then removes itself from scheduler with the s...

cdiedrich

Access lists will allow you to control what device connects to which AP but you have to manually decide. Perhaps you could do some OUI lookup to determine 5GHZ capable devices or deny access for a while and see if they connect to 5GHz and if not then allow 2GHz ? It would be a good trick if we coul...

cdiedrich

If the script is a file on the device, the last line of the script should be

/file remove yourscript.rsc

If the script is in the internal script repository, the last line should be

/system script remove where name=yourscriptname

-Chris

cdiedrich

In such scenarios I recommend to check these options: TX power: your w/l interface has a lot of power. Make sure you're running in regulatory-domain mode for your country. It's not unlikely that your router just saturates your client's RF interface. Adjust TX power downwards in 3dB steps if still ne...

cdiedrich

It depends. There´s basically nothing speaking against using the default range - but when it becomes likely that you interconnect with other networks that may be in the same subnet (i.e. deploy a MikroTik network for a friend of yours and set up tunnels between them and your network to service them)...

cdiedrich

vlan tags should be transparently carried through your unmanaged switch, it should work right away. The only drawback would be that every port of you witch will turn into a trunk port and that you can´t create access ports for the other lan on that switch. But looking at the scenario you described t...

cdiedrich

Yeah, in that case I´d recommend unbound as well.

cdiedrich

In your local CAP settings, remove discovery interface and add 127.0.0.1 as CAPsMAN address.
-Chris

cdiedrich

If the domains are foreseeable, I´d implement a basic conditional forwarder with L7 matcher and dst-nat. And in case the returned addresses are all in a foreseeable subnet, you can even add a term for reverse lookup: /ip firewall layer7-protocol add name=„fibusta“ regexp=„fibusta.lib|[0-9]+.195.10.1...

cdiedrich

Is getting the address from CCR1's dhcp server? If so, make the lease static, adjust the address and let CCR2 renew the lease. If it's static on CCR2, first add it to to correct interface (which then has .14 and .1), adjust all routes and peer settings in both routers accordingly, then remove .14 -C...

cdiedrich

Looking at your diagram I can only guess: 103.88.88.13/30 is the transport network between ccr1 and ccr2 ccr2 has a default route pointing to ccr1 103.88.88.1/29 is hosted on ccr2 and ccr1 should be able to talk to 103.88.88.1 Let's assume: ccr1 has 103.88.88.13/30 and ccr2 has 103.88.88.14/30 of th...

cdiedrich

Bummer.
没有就是没有EoIP场景。也没有vlan——vlan是L2-local as well.
Try setting the tunnel interface as gateway in your routes instead of the remote IP of the tunnel.
-Chris

cdiedrich

Routing looks correct.
I'd rather say that this is a Windoze Firewall problem which by default does not accept incoming connections from non-local subnets.

-Chris

cdiedrich

You can try MobaXterm. Log into all devices concurrently and then use Multi-Exec. Every character you type will be sent to all Sessions. Or create a .rsc script which contains all the changes and then upload it to all devices by FTP and name it .auto.rsc - it'll thenm be executed automag...

cdiedrich

思考这个问题一段时间后,这个might be a (part of a) solution: You say that you want to monitor your resident devices that might be shuffled around vlans, but do get an address in the vlan they've been moved to. And I read that the dude is running on the same machine as the dhcp ...

cdiedrich

I have to agree, pe1chl. But the density of devices with problems drops constantly. I build temporary wireless networks with tens of thousands of concurrent clients on a very regular basis - the last time I had problems with clients with k/r/v was in August 2017 (that was a Meru/Fortinet system). Cl...

cdiedrich

I asked Support mid-July if there are mid-term (i.e. within a year) plans to implement k/r/v roaming and band steering.
The reply was that there's 'no precise schedule'.
That being said, I'm currently replacing a couple of CAPsMAN sites with Meraki. Really a bummer.
-Chris

cdiedrich

Quick solution: create a vlan interface on the bridge interface. Assign an IP address to that vlan interface. Done. A colleague of mine had a similar problem with a D-Link switch. It seemed that LLDP neighbor discovery was causing the problem. Disable neighbor discovery (create a interface list with...

cdiedrich

WhatsApp uses end-to-end encryption, so you're basically safe. Even if an attacker captures your raw data stream of a conversation, they still have to decrypt it. I wouldn't say that it's impossible, but frankly not within reasonable amount of labor, time and skills. Assuming that your WiFi is alrea...

cdiedrich

Haven't found a real round function, but you may get lucky with thisdecimal calculation scriptand specify the decimal point place.
-Chris

cdiedrich

The config looks good so far. There's still a dhcp-client active on wlan1 - since you're using pppoe you won't need dhcp. I can only think of a polarization and/or alignment issue here - check your signal levels, the rx levels on both chains should be pretty close, an imbalance of 6 or more dB is a ...

cdiedrich

The answer to each of your questions is yes.
For testing/learing/evaluating, you should consider deploying a CHR instance via ova in your ESX environment. It doesn't have a 24h limit but is limited to 1MBps throughput in unlicensed state.
-Chris

cdiedrich

I'd say it's CDP messages to 01:00:0C:CC:CC:CC. Check your discovery settings and adjust your discovery interface list to just the interfaces really needed for discovery. -Chris Edit: After re-reading the post in terms of timing and looking at the amount of bridges (I now assume that there's a bridg...

cdiedrich

From first sight I'd say that it's bridge-related. You have two bridges on the same physical switch chip (which covers sfp and ether1-5). And hw-offload is only available for one bridge per switch chip. So I guess that your link-local traffic is going through the CPU. It looks that you don't really ...

cdiedrich

Pretty straight forward: /ip firewall address-list add list=wan.1 address=192.168.0.2 add list=wan.1 address=192.168.0.3 ... add list=wan.2 address=192.168.0.9 add list=wan.2 address=192.168.0.10 ...and so on /ip firewall nat add action=src-nat src-address-list=wan.1 to-address=add list=wan.1 addres...

cdiedrich

Copy that - what a bummer. Now it really gets tricky and I'm not sure if it's possible at all. It might be worth a try to assign all addresses of all subnets to the router, give the machines other private subnets and create netmap rules for each and every IP address... Together with hairpin nat... W...

cdiedrich

The best way would be to talk to your ISP and let him give you control over your subnets, these should then typically be routed through a /30 transport subnet - one end their router, the other end your CCR.
-Chris

cdiedrich

我能想到的几个场景:1。隔离the AP from the rest: Create a dedicated /30 transport network for this certain AP and make ARP on those two interfaces (ether on hEX, ether1 on AP) static. Configure seperate datapaths for all your WiFi networks for manager forwarding and apply the...

cdiedrich

If your router has a serial console, you might get lucky with access from there and probably a script logging you in and disabling your netwatch item. That shouldn't take longer than two seconds.
Good luck!
-Chris

cdiedrich

If you didn't touch the data rates, then it should be good.
-Chris

cdiedrich

Ooops... sorry, I was too quick reading your post. The error deals with dhcp client. That might be a heritage from the original config when ether1 was WAN.
It looks like you configured your device for bridging only or get WAN through SFP. So it should be safe just to remove that dhcp-client.
-Chris

cdiedrich

Put the dhcp server on the bridge and not on physical interfaces being member of a bridge.
-Chris

cdiedrich

Setting multicast-helper from 'default' or 'disabled' to 'full' should solve the issue.
Additionally, check if lower rates are disabled - I had this issue more than once when el-cheapo WiFi printers only worked reliably when lower rates were re-enabled.
-Chris

cdiedrich

Post an export of your config and we can have a look at it - everything else will be guessing.
-Chris

cdiedrich

I guess you add routing marks for this PC, correct? You'll need to add a route to this PC with its new routing mark to work. like: /ip route add dst-address=192.168.88.22 gateway=bridge routing-mark=myWan2-mark Edit: And probably (if even not more likely) a route to the vpn client with that routing ...

cdiedrich

You should be good to set src-address in your dst-nat rules matching the subnet of your specific vlan.
If you have more address spaces to cover, you might be better off with an address list.

And I think your post is better placed in General.

-Chris

cdiedrich

You might get lucky withthis log parser script.
If you have more than a handful of equipment, it might be worth considering collecting all logs centrally. We're running Graylog to collect the logs from ~200 devices and setting up alerts in Graylog is really easy.

-Chris

cdiedrich

...assigned by UniFi APs? So you have multiple dhcp servers in a single network?
First step is to disable those dhcp servers.
Second step is to check whether there's one or more devices with proxy-arp configured in your network. I could bet your lan-facing interface has proxy-arp enabled.
-Chris

cdiedrich

The definitely best solution is dot1x as @sebastia mentioned. When your switches support it as well you're close to 100% secure.
-Chris

cdiedrich

It pretty much looks like a private address - 172.22/16 is within 172.16/12 which is a private range.
And since the initial script is pulling the address from the interface, I'm sure you have a private address and your ISP is NATing your address.
-Chris

cdiedrich

Hi - when I try to use this, it appears that there is another private address between the my Mikrotik router and the internet. So it returns a private address. Any other way I can do this? You could get your Ip this way: /tool fetch mode=http http-method=get url=http://icanhazip.com/ dst-path=myip....

cdiedrich

I'd like to add the option of only using static dhcp leases with "add arp for lease" option and setting the arp mode of the lan-facing interface to reply-only.
That at least blocks rogue clients from accessing the internet.
-Chris

cdiedrich

I get your points and understand your problems - i am in the events industry as well and know the woes with guest productions sharing consoles :-) A possible solution could be HotSpot with IP-binding aka one-to-one-NAT aka "Universal client" - you can translate literally any IP address to ...

cdiedrich

I'd love to see the terminal object-oriented.

Please stop the off-topic messages, and please delete them if they are yours.
(I will delete this when that happens)

After re-reading my post I have to fully agree. Edited.
Thanks,
-Chris

cdiedrich

Perfect.
So a bonding with balance-rr should absolutely do the trick.
-Chris

cdiedrich

What device is the other end of that link?
Is it a switch? Or another MikroTik router?

You should be absolutely fine with bonding and balance-rr. Unfortunately, the fewest switches do this as well. And be aware that balance-rr can cause a lot of out-of-order packets.

-Chris

cdiedrich

[removed b/c off-topic]
Additionally to all the mentioned functions, I'd consider a basic set of IP calculations very helpful.

-Chris

cdiedrich

Sure.
Take a look at "lease-script" in thedhcp-server manual.
Add your matchers against the leaseActIP variable and then trigger an email.

-Chris

cdiedrich

Nope, a root bridge can't have a backup port. It's on the other bridges to turn ports into backup. I guess the 60GHz link is MikroTik? What is the 24GHz link? Is it an AirFiber? Is WDS enabled on it? Is any STP-flavor definitely disabled on the w/l links? I had some similar issues a while ago when S...

cdiedrich

You could run a discovery for the given subnets.
But that is a one-time run, either you repeat it every now and then or look for some other solution (NetXMS could deliver what you're looking for as it constantly scans the newtorks).
-Chris

cdiedrich

If the bridges are replicable on the other router is solely your realm. If so, it's absolutely possible to add a redundant CAPsMAN. Make the two a vrrp cluster and clone the CAPsMAN config over to the other. Make your APs connect to the vrid. Make sure you disable all L2 connectivity for APs and man...

cdiedrich

/ip firewall filter add action=accept chain=forward dst-address=172.16.11.0/24 src-address=172.16.10.0/24 add action=accept chain=forward connection-state=established,related dst-address=172.16.10.0/24 src-address=172.16.11.0/24 add action=drop chain=forward connection-state=invalid,new dst-address...

cdiedrich

I was looking into the same challenge recently. There's the Phihong POE370U which offers a network interface for managemengt (web interface) and snmp monitoring.
But looking at the pricing, a decent PoE switch might come in cheaper.

-Chris

cdiedrich

再保险move all firewall rules in filter and nat sections. Remove dhcp-client from ether1. Add ether1 to bridge-local. Remove ether1 from Interface-list "WAN". Add ether1 to interface-list "LAN". Done. Then you still have a dhcp server running on your device. Disable it if not needed....

cdiedrich

As you can see, we don‘t get any further.
Now is the point to post both your full configs.

/export compact hide-sensitive

-Chris

cdiedrich

This is not a full config export.
And are you sue about always-strip?

cdiedrich

Lookhere.
-Chris

cdiedrich

But if I remove an interface from the bridge, I loose connectivity to that interface. This is why I always add all interface to the default bridge.

You will have mpls connectivity on this interface.

cdiedrich

LDP interface configuration is invalid. Are those interfaces slaves? if yes then you need to add master. Yes, they are all slaves. I run version 6.42.11 and 6.43.9. All my interface all linked to the default bridge: /interface bridge port add bridge=bridge comment=defconf interface=ether2 So you an...

cdiedrich

and not to mention to have the user database in an export.

cdiedrich

So as said twice now, post your configs and we can get a grasp of what's going on.
-Chris

cdiedrich

dst-address is meant to be the WAN address of your router the server is located behind. I assume the 93. address is the remote location, correct? specifying a src-address surely adds some layer of security b/c the dst-nat will only happen when the connection is originated from this particular addres...

cdiedrich

As Anav said, we're fishing in the dark without actually seeing your configs.
I could imagine two more scenarios:

Is it possible that the PVIDs differ between the devices?
Can there be an additional link between them through an access port?

-Chris

cdiedrich

I bet it's your hardware. the 951 is MipsBE and this is far from ideal for encrypting IPsec traffic. You might want to try a 750Gr3, 3011, 4011 or CCR series - these offer hardware acceleration. I personally run a 750Gr3 in my remote office which talks to our main office (CCR1036) through IPsec and ...

cdiedrich

That is an excellent point!
-Chris

cdiedrich

(c) Do Mikrotik have any limitations? That truly is difficult to answer. I'm managing about 5000 individual devices (covering routers, switches, wireless devices and more from MikroTik, Fortinet, Cisco, Juniper, SilverPeak, PepLink, UBNT and many more) in any given year and I'd say that about 90% o...

cdiedrich

Try adding a static route to your DG as follows:
224.0.1.1 via 172.16.4.17

-Chris

cdiedrich

因为你说你使用CCR1009-8G-1S-1S+ it is important to know which interfaces you are using for your backhaul and LAN side. That one still has a switch chip which aggregates ether1-ether4 to a single 1G pipe to the CPU. If you have both interfaces in that port range, it might be a ...

cdiedrich

Keep your address space as it is. Then install and configure PIM your router: Add the DG-facing interface to PIM. Add the pptp clients to PIM with their interfaces (create pptp server bindings for each client, these can be added). Your DG should send the multicast traffic to your router (give it sta...

cdiedrich

I'd say /tool netwatch is your friend. It does exactly what you need, just fill in scripts for up/down that will fire on these events. But it might get tricky b/c the script is only fired once, not every time the target gets checked. So you might add another netwatch item which monitors your UPS. On...

cdiedrich

You shouldn't. That's reserved for IPv4 Multicast and will reliably mess things up in your router. I was asking if the Multicast you want to send to the clients is in that range. And if it is, chances are high that you will have success using PIM on your router. Here's an excellent presentation cove...

cdiedrich

BCP or any "true" layer2 tunnel (EoIP or vpls for example) will surely do. Is that Multicast link-local (224.0.0.0/24) or routable (everything from 224.0.1.0 upwards)? If the latter, you could surely try PIM on your concentrator and make the clients send a join request - this could easily ...

cdiedrich

I'm pretty sure it's related to your loose masquerade rule. Traffic from Sonicwall to your subnet works b/c traffic is NATed to your routers internal IP address which is known to your site. And I guess that traffic towards the Sonicwall is mostt likely NATed to your WAN IP address so that traffic wi...

cdiedrich

On first sight I see two issues: Your default masquerade rule is way too loose - it will masquerade everything from anywhere to anywhere. Add your local subnet as src-address and add your WAN-interface as out-interface. Move your NAT accept rules before your masquerade rule. and as a side note: Your...

cdiedrich

In case the pptp clients are routers and not raod-VPN computers, you could give it a try by using BCP.
-Chris

cdiedrich

The lease script is fired after the lease is bound.
Either way you approach it - you would need static leases to assign the right options to the right clients.
Once your lease is static, you can adjust all options or select predefined option sets.
-Chris

cdiedrich

I'm not sure if your ISP will allocate those reserved (and not changeable) MAC addresses of the VRRP interfaces, but it should be worth a try. If they don't, the next step towards madness is to use a bridge between the VRRP and the physical uplink interface and to set /interface bridge nat and /int...

cdiedrich

only way of getting more than one DHCP client on one interface is using VRRP interfaces. Add a VRRP interface to your WAN-port and add a dhcp client to this. You'll need some unused address space on the interfaces to make VRRP work. Like 192.168.171.2/30 on ethernet, .1/32 for vrrp1, vrid 2 192....

cdiedrich

Edit vm settings -> VM Options -> VMware Tools -> Time and uncheck "Synchronize guest time with host"

cdiedrich

I'm totally not into gaming but I'm almost certain that it has to do with your loose masquerade rule. This rule catches any traffic and NATs from anywhere to anywhere. Modify it to narrow down matches: /ip firewall nat add action=masquerade chain=srcnat src-address=your.lan.space/24 out-interface=wl...

cdiedrich

Proxy can be used to deny access to specific file types.

True, but only on http. Which is not the case on drive shares.
-Chris

cdiedrich

No, not in routerOS. First, operations in the local network usually don't pass the router. Second, there is no way to block transfers by file extension in routerOS, you'd need an advanced L7 firewall (that could even prevent that content from coming into your network). Best idea would be either bloc...

cdiedrich

It strongly depends on your organizational structure and what services your staff is supposed to use. Everything that syncs back to a cloud (Like Dropbox, iCloud, Google Drive, etc) is a good start to limit - especially as those syncs happen in background, nobody would really notice that the task is...

cdiedrich

No :-) Facebook traffic is not really high and not so bandwidth-consuming as it's a lot of GET requests with little transfer per request. I made the experience that limiting sites like this is more labor than you would gain out of it. Limiting sites with big transfers is much more suitable so that a...

cdiedrich

As a first guess without seeing your config, I'd say your default srcnat/masquerade rule is too loose (i.e. has no src-address and no out-interface specified) Further I can imagine that your NAT-accept rules for this traffic are below the default srcnat/masquerade rule. Post an export of your config...

cdiedrich

I agree it's another single point of failure but i guess there is less chances of a hardware firewall failure? That's a misconception. It's built from the same components: power supplies (failure #1), fans (failure #2), semiconductors, physical connectors, HDDs/SSDs, etc that are all subject to the...

cdiedrich

Verify your default routes if you have check-gateway=ping enabled. If not, interface link state is the only indicator for your router.
-Chris

cdiedrich

@cdiedrich, do you know how HA clusters/pairs of Fortigate and PA behave in this regard?

I do - absolutely seamless. All connections are always in sync. Dealing with those as my daily business...

cdiedrich

You are correct about the need of duplicating settings, but that counts for every setting, not only Firewall. And once created and proven good, I consider a firewall rather static... And with some scripting you could automate the replication to the other peer. When getting one firewall in front of t...

cdiedrich

Upstream - or, to be more precise: The server that holds the data for your 192.168.0.0 network.
-Chris

cdiedrich

Thanks for the hints.
I already considered the scripting way but was unsure if there was something more obvious that I might have missed.
-Chris

cdiedrich

It depends on your needs. Do you need stateful failover? Do you need DPI? Do you need address collection in the firewall to do further things with on the CCRs? Do you need application control? Is firewall latency an issue? Do you need advanced logging facilities? Do you want it cloud managed? Do you...

cdiedrich

Add a dns entry for your hAP.
-Chris

cdiedrich

It's absolutely possible.
First, add vlans to the bonding interface and then add vrrp interfaces to the vlans.
Or, if you want one vrrp interface being the master of the whole subsequent trunk port, add just one vrrp on the bonding interface and then add vlans to the vrrp interface.
Done.
-Chris

cdiedrich

All, I need to create a self-contained package for a client of ours who will tour with a recurring event. Their guest management system relies on a timing-critical database application running somewhere in a cloud. Due to recent bad experiences with venue internet and partially blocked ports, the pa...

cdiedrich

I'd strongly recommend not to use MikroTik wireless devices for high density applications. The lack of any 802.11 roaming, band steering and adjustable beacon interval renders them useless for such deployments. Better look into UBNT, Xirrus, Meraki, Fortinet/Meru, Everest Networks (in ascending budg...

cdiedrich

Does Site B have a route to 192.168.252.0/24 via Site A?
-Chris

cdiedrich

Multi-WAN with same gateway works as described inthis thread.
再保险garding the resulting bandwidth, you will have 700/700-ish with multiple flows while one flow cannot be greater than the WAN link it is assigned to.
Look at the examples inthis manual page.

-Chris

cdiedrich

You have the same IP range (10.20.0/24) in br-AP and vlan1002.
-Chris

cdiedrich

我可以打赌,hyper - v不相关configured for promiscous mode.
-Chris

cdiedrich

If I remember correctly, admin access is restricted to 192.168.88.0/24 in the default config, so access from 10.0.0.0/8 will be dropped and you're seeing the timeouts. Try adding your vlan100 range under IP -> Services in the "available from" field. To do so, either connect from a 192.168....

cdiedrich

Hey Ruben,

that would be great, thank you very much.
DM is not supported here in the forum - feel free to contact me on cdiedrich (at) clairglobal.com

Thanks again,
-Chris

cdiedrich

Hi all, It looks like using nested functions in probes don't work as expected. Runnind the Dude 6.44 in a x86 instance (not CHR). 6.44.1 shows the very same behaviour. These terms are working perfectly when being used individually in a function probe in the "available" line: if(device_prop...

cdiedrich

Update:
A colleague of mine is currently writing a Python script that remote controls chrome that then cycles through WebFig where we have access to all relevant device fields in the dude.
Will share the outcome once we have what we need.

-Chris

cdiedrich

What a bummer - thanks.
Time to get an apprentice working on updating ~2000 devices with three fields each...
-Chris

cdiedrich

Dear all,

is there a way (through script, API or whatsoever) to bulk-update device custom fields?
We have a map with thousands of devices and need to fill custom fields based on either MAC address, device name or IP address.

Any hint is highly appreciated.
Thanks,
-Chris

cdiedrich

Now that's a good start. All that's left is adding routes through the tunnel. Assuming 192.168.1.0/24 is on the tunnel local IP of 192.168.99.1 and 192.168.10.0/24 is on the tunnel local IP of 192.168.99.2 do this: #on router 1 /ip route add dst-address=192.168.1.0/24 gateway=192.168.99.1 distance=2...

cdiedrich

This Section of the IPsec manualis pretty comprehensive and should exactly do what you want to accomplish.

Since IPsec is a cpu-hog, I'd advise to use it on routers with h/w acceleration olnly (all CCR series, 1100AHx4, RG750Gr3, RB3011).

-Chris

cdiedrich

Hi all, we recently upgraded our infrastructure to Cisco Nexus 3548P and Catalyst 9300 switches. While updating the dude maps (Running 6.44.1 in a CHR) I realized that the link graphs don't scale correctly: I have a couple of links from 9300 TwoGigabit-Interfaces linking to other devices with a 1Gig...

cdiedrich

I'm facing strange issues powering wAP ac and wap60g devices from a Cisco Catalyst 9300. The devices don't turn on at all. They work well with Cisco 3560, UBNT Edge Switches and Netonix. Now the fix that made it work is really strange: I just insert a passive MTik Gigabit PoE injector on the AP side...

cdiedrich

You could add a mini-script at the end of the rsc file which resets all mac-addresses and sets the bridges to auto-mac. This goes into the scheduler, to be run at startup. The script will delete itself from scheduler once finished. Like this: /system scheduler add name=resetmac on-event=":forea...

cdiedrich

So you already created a vlan interface. Put this on the bridge, not on physical ports. Then add an appropriate ip address to that vlan interface. Or enable vlan filtering on your bridges, create all allowed vlans for these and their tagged port mappings for both physiical interfaces (ether and wlan...

cdiedrich

Looking at your first screen shot in your first post, I'd say that's a decent connection. You're connected at VHT MCS 7 with two spatial streams and short guard interval resulting in 650MBps connection rate at 80MHz. Keeping in mind that actual real-life throughput is roughly 50...65% of the w/l con...

cdiedrich

Do the Tiks have routes set?

like

#Site B /ip route add distance=20 dst-address=192.168.10.0/24 gateway=1.1.1.1 #Site A /ip route add distance=20 dst-address=192.168.1.0/24 gateway=1.1.1.2

cdiedrich

Did you specify a subnet mask?
If not, the address is a /32 and can't communicate anywhere.
So it should look like

/ip address add address=172.18.0.1/24 interface=vlan101

I guess your config looks like

/ip address add address=172.18.0.1 interface=vlan101

and won't work.
-Chris

Search found 997 matches