MikroTik - Search

ik3umt

Well...I'm actually starting from scratch with the lab routerboard ad two WANs When the first route fails I can use the failover one within few seconds (and few page refresh on various browser) , acceptable at all :shock: I came to ask this thread because I experienced systems in which was impossibl...

ik3umt

at this time ,better wait @ik3umt reply, assuming he answers.... Thanks for replies, Not sure what reply you're expecting from me..... :o Just as said, that failover technique works fine, connection on failover route is immediately available but (tcp,udp, etc) old connections are stuck on waiting/s...

ik3umt

Main 0.0.0.0/0 route points to a virtual GW checking (ping) recursively two internet hosts. Secondary 0.0.0.0/0 route (distance 2) becomes active when the first one fails, but active connections are still hung on primary route , preventing navigation. Of course manual connections flush does the tric...

ik3umt

i had to activate second factor auth in google account and then enable application password on google account

now i use that password for email tool on routeros

That’s what I’ve done….
But I get the shown error.

ik3umt

As we already know, Google has disabled these days the simple user-pass email authentication. Workaround with i.e. Outlook is to enable 2 factor authentication into google account and create a app-specific password. I tried the same with routerboard with no success : 18:02:02 e-mail,debug recv: 250-...

ik3umt

What about 3 rows in 1U?
https://www.youtube.com/watch?v=5kILCRsachk

Or at least 5 rows in 2U
120 ports are not bad for 2U
I suppose 19" can fits 30 ports on a single row (total 150 ports in 2U).

ik3umt

Noob question:

need to remove all files /myfolder/myfile*.* by script

what syntax ?

Thanks

ik3umt

CRS328-24P
Impossible to find anywhere here in Italy, what's the continental situation ?

ik3umt

Good explanations both, Thank you

ik3umt

Gurus are at knowledge level 100 Experienced are at level 50 Noobs are at level 5 Veterans (like me) can be honestly at level 20 as well at level 90 (I'm at 20 indeed :( ) It doesn't matter how long you're involved in... Your setup is not an easy one, it depends from WHICH point of view..... Elmers ...

ik3umt

Yes, you're correct. It's an issue I never dealt with, I thought it was straightforward I can tell 192.168.2.10 "route packets to 1.2.3.4 via 192.168.1.100" because you're able to reach 192.168.1.100 despite which routing path is used. On the other way, just for information, entering from ...

ik3umt

Scenario : https://ibin.co/6c2DQb7gHojT.jpg 192.168.1.1 and 192.168.2.1 are gateways for own subnets they are off-limits (third-party configuration). 192.168.2.10 linux device can reach the whole 192.168.1.0 network. Is there a way to make a static route into 192.168.2.10 to reach 1.2.3.4 via 192.16...

ik3umt

Thank you !

ik3umt

What does it mean out:(unknown 0) in logging ? There are multiple (a lot) lines like : input: in:ether10 out:(unknown 0), src-mac [isp_router_mac], proto UDP, 82.117.218.102:6889->[routerboard_wan_interface_address]:6889, len 129 Are the packets dropped by firewall filter rule ?? ( action=drop chain...

ik3umt

What's the difference between File=>new/open/save and Tools=>import/export in winbox window ?
Thanks

ik3umt

If reliability is needed other than write/read speed (not a must) I will go for industrial grade uSD.

ik3umt

Do you happen to use the .local domain for your static entries? I saw someone mentioned in another thread that Apple only uses mDNS (but not "regular" DNS) to resolve names ending in .local . Good catch ! My fault in not being specific (thinking .local was a private domain like any "...

ik3umt

My RB acts as DNS server for my LAN
It has few static entries like

/ip dns static
add address=192.168.1.100 name=myhost.mydomain

Name is resolvable by local machines but NOT by wifi-connected iPhones (that say DNS server is RB address)

Why is this ? Another Apple complication ? Any workaround ?

ik3umt

I have two bridges : bridge1 (ether1 and ether2) for data bridge2 (ether3 and ether4) for voice NO vlans I have to add a switch connected by a SINGLE ethernet cable and replicate distinct data and voice ethernet ports on it. On switch side it can be easily done with untagged vlans ethernets facing d...

ik3umt

The question is : does a dual band capable client performs better when it choose to use 2,4 GHz band (i.e. due to lack of 5GHz signal) ?
We know a poor RSSI-S/N on 5GHz leads to a drastic throughput drop.

The problem I experienced is the missed switch-back to 5GHz once signal reach better levels....

ik3umt

At last .... can be 2,4 GHz band considered deprecated with modern wifi devices nowaday ? I could keep the main SSID for 5GHz band and add a new i.e. "ssid-2_4" for customers complaining about no desired SSID shown (or with older 2.4GHz devices they would only see "ssid-2_4" wifi...

ik3umt

Well... that particular scenario is a hotel with single SSID using capsman managing wapACs I was doing a speed test , no more than 50/60 Mbps downstream (with a 200Mbps capable wan) , I quickly realized my smartphone was using 2,4GHz band and yes, probably due to signal strength, but once moved clos...

ik3umt

Using wap AC with same SSID , I find dual band capable clients using 2,4 or 5 GHz apparently with random behavior. What's the reason a device choose a band instead of the other one ? It would be preferable the 5GHz-AC would be used, and 2,4GHz one left for non-5GHz capable devices, which way can I a...

ik3umt

Despite script suggested by WeWiNet works fine enough, I found however some entries like youtube.com resolve in dns entries that once entered as blacklisted IP they affects negatively other services like google classroom, google meet etc. Is it possible that so different web services go to use same ...

ik3umt

Sob, do you mean that current socks isn't capable of ? Meanwhile, it's interesting to see how , with just three domains, filrewall list becomes populated with 180 items, mostly google.... Of course I need to run script frequently to hit new DNS cache entries. It's not perfect but not too bad.... The...

ik3umt

Thank you for script !

Yes, usually little local sites/services has one or very few subdomains, but there is the need to use gmail as well as google meet or other world-wide services , I'll try script as soon as possible .

ik3umt

You can screen by script DNS cache for "*.mydomain.com" and add all corresponding IP addresses to address list... Do you mean that, despite all hidden redirections, all the "anysubdomain.domain.com" entries (or CNAME entries resolutions) are enough for website services to be all...

ik3umt

Yes, unfortunately when you try to use a website or a service inside a website, you are hiddenly redirected to a lot of subdomains and different ip addresses . Address lists resolve dynamically just few entries related to that subdomain.... Looking at DNS cache then, many entries are associated to C...

ik3umt

How to allow all forward traffic to *.mydomain.com ?

As far as I know , I can't

/ip firewall address-list
add address=*.mydomain.comlist=allowed

Any other workaround ?

ik3umt

Thanks,
What about to simply enable the rule and disable it after x minutes ?

/ip firewall filter enable  delay 3600; /ip firewall filter disable

any issue in leaving script hung for a long time ?

ik3umt

How can I set a timer to trigger a firewall rule enabling and automatically disabling after X minutes ?
Not a scheduled rule (made by schedule or rule "time" option) , a "one shot" rule to be triggered when needed.

Thanks

ik3umt

Just seen......thank you.

ik3umt

How can I deny winbox access via MAC (also MAC telnet) in a defined ethernet port (enabled on other ethernets) ?

ik3umt

Question: If a whole /24 subnet on a dedicated interface is reserved for IP Phones, can I avoid use of packets marking / mangle rules and manage the voip traffic just using queue target ? Can just this work ? : /queue simple add name=Internet queue=default/default target="" add max-limit=1...

ik3umt

所以我可以添加多个虚拟无线接口s slave of master interface, then add them to the same pertinent bridge.....good What about master and slave wireless interface having the same mac address , but when adding a second virtual with the same mac address it says me "mac-address alre...

ik3umt

When I go to Wireless -> Setup Repeater it asks me for wlan, SSID and phassphrase,
If I repeat this procedure for a different SSID on the same wlan it overwrites the previous one (id doesn't create a further virtual wlan) that's why I'm asking if it is really possible...

ik3umt

Using AP in repeater mode , is Multi-SSID repeating allowed ?

ik3umt

I set two different /24 LAN subnets as target into a 50MB/s simple queue.

Those 50Mb are shared totally between all hosts of two subnets or 50Mb is the limit for each subnet (100Mb/s total) ??

ik3umt

Let's start from a fresh default config, forward chain ends with add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked" add chain=forward action=drop connection-state=invalid comment="defconf: drop invali...

ik3umt

Default filter rules include this one:

add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked

If placed before a forward "drop-all" rule, does it still allow two lan subnets to talk each other ??

ik3umt

I need just two ip addresses from /29 subnet to my wan interface, so I'll go for it and still use your src-nat rules with no proxy-arp , it seems to be more reliable than the ip route one ( that sometimes works and sometimes not...)
Thanks

ik3umt

Nice, so allow the desired addresses into the nat rule rather than drop it with filters.......

ik3umt

I have these forward filters as per default firewall config: add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=forward comment="drop invalid forward" connection-state=invalid add act...

ik3umt

I've tried

/ip firewall nat add chain=srcnat action=src-nat src-address-type=local dst-address=x.x.x.x to-addresses=y.y.y.y.

It doesn't work unless y.y.y.y is assigned to RB wan....

ik3umt

Ok , so the masquerade one could be considered the global one to be placed at the end, where other src-nat rules are not matched, as the masquerade cannot specify a "to-addresses" From what I undersood, if more LAN subnet have to be used , just the interested ones can match src-nat rules w...

ik3umt

And what about existing masquerade rule ?

ik3umt

Thank you for example,
This is for Lan forwarded packets , what if the routerboard itself need to use different wan address ?
Should I use an ip route for specific target, selecting the wan address by mean of “Pref.Source” field ?

ik3umt

Who is lying to whom?

Passive means it is without configuration interface, just plug in and use it. There is no GUI to control it, it just works.

I think the misunderstanding is because "Passive" is referred usually to a device that DOESN'T require power to be supplied....

ik3umt

The issue with not enough space has been fixed in newer versions, but to get to the new version, you will have to use Netinstall

Well, I love this clear answers !

So on-site trip is scheduled !
Thank you Normis.

ik3umt

Ok , tedious thread...
anyway, is it possible to erase config , and automatically restore config via script after reboot AND update has been done ?
but probably script takes disk space, so.....

ik3umt

22:16:20 system,info installed routeros-smips-6.45.6 22:16:20 system,error not enough space for upgrade 22:16:21 system,info router rebooted

ik3umt

I was able to update a pair of hap-lite by connecting to local remote desktop and run the save-clear-restore cfg tasks. There are a pair more that have no pc on their lan and worse, they are routers managing internet connection, so configuration cannot be erased. latest .npk file can be succesfully ...

ik3umt

Nick, any practical example of rule ?

i.e. :
192.168.1.0/24 (ether4) will use 10.20.30.1/29 on ether1
192.168.2.0/24 (ether5) will use 10.20.30.2/29 on ether1
and so on...

Still masquerade rule needed ?

Thank you

ik3umt

A /29 public addresses subnet is available to one RB ethernet port.
How can each single LAN subnet use a specific WAN IP address ?

ik3umt

One can set dhcp server options by specifying a dhcp option set into dhcp server settings as well as single options into dhcp networks settings
What is the difference ?

ik3umt

OK understood.
Meanwhile, I have it updated to latest 6.45.6.npk whithout space issues, fingers crossed.....

ik3umt

Please explain : should I disable (I cannot uninstall) all packages and copy only desired ones and reboot to have just the copied one filling hdd space ? What happens to old disabled ones ? Would they becomes available to uninstall ? Goal is obviously to have more free space (hdd not ram , this is a...

ik3umt

As main package is a bundled package, I cannot unnstall single unneeded package so kristsd solution #2 worked for me, but: cannot remove directly entire configuration as hap lite is connected via l2tp/ipsec tunnel generated by itself. I had to connect to a local PC winbox via teamviewer or similar, ...

ik3umt

Is there a way to update hAP lite (regular update failed because of known memory space issue) without on-site netinstall ?
Thanks.

ik3umt

Found flood ping increases quickly SFP+ Rx MAC and RX FCS errors counters on switch target devices are connected to.....
Opened a request @support.....

No one with CSS326 10Gbps issues ???

ik3umt

Further tests: a linux machine with ping -f to machines at the other switch ends gives : ping -f 192.168.1.253 PING 192.168.1.253 (192.168.1.253) 56(84) bytes of data. .......................................................................................................................................

ik3umt

still on 6.45.1 with few hAP lite

6.45.3 : *) smips - reduced RouterOS main package size (disabled LTE modem, dot1x and SwOS support);

Should I netinstall them anyway to fix failing updates (thus on-site operation) ?

ik3umt

UMarcus: are you sure Hap lite has been updated ??

I've tried also to update via /system packages and manually via file upload, it seems it still fails....

npk file is displayed on files section , winbox reports 16MB of16MB used, maybe no more space allowed for updating process....

ik3umt

Yes, testing deeper (for what my knowledge permits) I've found iphone looking for captive.apple.com once new wifi network has been connected, while windows10 machines trigger msftconnecttest.com/redirect, both probably http sites as they make hotspot login page to appear. Older devices/OS would prob...

ik3umt

For me it works this way: ...

ik3umt

Ok, it is something the user's browser should do, but we are not sure any device does , or does it the right way.
Do you mean they should already behave this way , or is it just a plan about the way all devices should work in future as a standard ?

ik3umt

RB3011---1G_eth----CSS326_1------10G_fiber------CSS326_2 from rb3011: /tool flood-ping sent: 500 received: 500 min-rtt: 0 avg-rtt: 0 max-rtt: 1 (it takes two seconds to finish operation) /tool flood-ping sent: 500 received: 467 min-rtt: 0 avg-rtt: 0 max-rtt: 2 (...

ik3umt

Not really sure about this "fetching random URLs over http" thing.... can you explain ?

ik3umt

Just tried https auth with an apple device, it warnings me twice (two web pages sequentially) before to access hotspot , then twice for hotspot authentication , a bit tedious... Will try to teach users to browse www.mysite.web (http) to gain access to login, at least for now... One could even ignore...

ik3umt

Thanks, pretty clearer now, it's really a browser (security) issue then... So what's our kindest solutions from user point of view, when he accesses our hotspot and something bans https sites from being visited ? It wouldn't be a great thing to teach them "please type this url in order to login...

ik3umt

So , we agree about kicking them off sometimes, to "refresh" all things.
然后有什么建议的组合值:Http Cookie Lifetime, Trial Uptime Limit, Trial Uptime Reset and eventually dhcp lease time for a "pseudo-no-time-limit" user ?

ik3umt

The user hitting hotspot for the first time with an https request will fail and receive the well known warning. Installing self-signed certificate , enabling www-ssl service and https login , redirection is possible with some warnings. When login by HTTP to an HTTP site is done without all the above...

ik3umt

CRS328 works perfectly as switch
But it has only 16MB storage

Any possible issue running in routerOS with next package updates if growing in size ?

ik3umt

That was enough, single queue with pcq definition,quite easy !
Searching in my place would be greatly appreciated, I did it myself for now....

ik3umt

New to queues...

From what I understood, putting my lan subnet into a simple queue target with 10M, it allows 10M total to be shared between N lan users (i.e. 5M each between 2 users)
How instead allow i.e. 1M each user of the whole subnet without to create 254 queue entries ?

ik3umt

I think MT has lost its train.......
Or it's not in their plans, maybe.

ik3umt

It would be pretty nice if someone explains where and why restoring a backup to same model unit fails...
Is definitely "backup" intended to be restored on the same piece of hardware from where it has been generated ?

ik3umt

I'll try local forwarding.... Question: I'm using the same datapath for two different SSIDs in two different capsman configurations, can I use localforwarding YES and NO for the same datapath ? /caps-man configuration datapath=Office_Bridge mode=ap name=OfficeCfg security=security1 ssid=OfficeWIFI d...

ik3umt

Just wondering why they don't hang while under ping from routerboard.....
something kept alive ? disconnect timing ?
why it doesn't happen when linked to a common AP wired to the switch ?

ik3umt

Samsung wifi tablets running RDP session to a microsoft server in local LAN by mean of capsman system. Capsman running in cap forwarding mode , chosen datapath is the same bridge LAN switch is connected to (thus MS server connected to same switch). I'm experiencing RDP session hangs (need to re-logi...

ik3umt

Imagine....if this wasn't the "Beginner Basics" section.......

ik3umt

In the meanwhile, I got it working with two separated routerboards each dst-natted from in-interface to the address of router behind it

It works totally transparent, but the goal is to use , if possible, a single routerboard in the middle....

ik3umt

Thank you for patience, Arp table of firewall (actually a RB) sees both and 10.10.10.10 with MT ether2 mac address Arp table of MT sees with on ether2 and with on ether1 If I ping

Search found 295 matches