MikroTik

nescafe2002

Doesn't CHR add a DHCP client automatically?

nescafe2002

Is there any way in 7.6 to cancel the power reset command or override it?

moutazsalem, nice example of how every change breaks someone's workflow :)

nescafe2002

volkirik , your issue is not related to 7.5beta. E.g. on 6.48.6: /system script add name=test policy=test source=":log info test" /system scheduler add interval=10s name=test on-event="test\r\n" policy=test Will not run, but /system script add name=test policy=test source="...

nescafe2002

ech1965, get architecture via /system resource print, download Extra packages, upload container-*.npk via ftp, scp or winbox and reboot to trigger the installation.
Container package is compatible with arm arm64 and x86 architectures.

nescafe2002

Can confirm, this is the CPU usage from a RB3011 upgraded from v6.48.6 to v7.4 on August 1, 20:20:

dude_4E5l0pdPpl.png

nescafe2002

*) dns - added "match-subdomain" option for static entries (CLI only); This is a nice addition! E.g. to delegate a domain + subnet without having to use regexp: /ip dns static add forward-to=192.168.89.2 match-subdomain=yes name=otherdomain.lan type=FWD add forward-to=192.168.89.2 match-su...

nescafe2002

Try disabling detect-internet

nescafe2002

Are there any hints in the log? Kernel panic? Watchdog reboot? Out of memory condition?

Did you submit autosupout.rif to support?

I am experiencing reboots on 7.2.3 on smaller devices and they are gone in 7.3rc2.. not sure why.

nescafe2002

eenpahlefi, have you tried checking oids .1.3.6.1.4.1.14988.1.1.19.1.1.9 and .1.3.6.1.4.1.14988.1.1.19.1.1.10 ?

nescafe2002

woodych, I suspect this has something to do with ND. Since you don't need ND for WireGuard, you can safely remove the global address from the WG interface and add a static route instead.

nescafe2002

Apparently agent "server" is the default.. so I have no clue, sorry.

nescafe2002

What is the RouterOS status of the agent device (server)?

nescafe2002

aoakeley, did you upgrade your agent (server) to 7.2 as well?

nescafe2002

If MT is your resolver, you can use the FWD records to forward the requests to another server.
This is introduced in 6.47 (June 2020).

/ip dns static
add forward-to=192.168.215.4 regexp="\\.domain\\.local\$" type=FWD

nescafe2002

Pun1sh3r: press F1 twice to display key bindings: F4 or Ctrl-X Toggle safe mode F7 Toggle hotlock mode Ctrl-D Terminate session (on empty prompt) And since Winbox is a MDI application, you can use CTRL-F4 to terminate session regardless of whether the prompt is empty or not.

nescafe2002

Wow normis, that is a lot of code for a simple api call :) TS, this works fine: /tool fetch url="https://api.telegram.org/bot123456789:abcdef/sendMessage?chat_id=123456789&text=testMsg" as-value output=user note that the ? between sendMessage and chat_id is missing in your example.

nescafe2002

Hi!! This mean if... it the IP if not reachable for 6 times (in my case, the MK reboot 6 times, the 7th no reboot, keep online)... the RB not reboot anymore (until poweroff or reboot?) and it can be accessed? I have the old backup with the netwatch "issue".... tomorrow I will check for si...

nescafe2002

Anyway, if you want to reboot the device when a host is unreachable, use the watchdog function: https://wiki.mikrotik.com/wiki/Manual:System/Watchdog watch-address (IP; Default: none) The system will reboot, in case 6 sequential pings to the given IP address will fail. If set to none this feature is...

nescafe2002

Or just disable the service and it won't be rediscovered.

I've noticed that printers can go crazy with the amount of snmp requests, so you could also try setting snmp to a no-snmp profile (snmp version: none).

nescafe2002

I have this same device with the same symptoms. Applying pressure to the chip (heat sink) solved the issue. Put a piece of foam or a folded paper between the heat sink and the case to 'solve' this issue.. or RMA the device. https://forum.mikrotik.com/viewtopic.php?f=7&t=138928 Video: https://you...

nescafe2002

Either src-path + mode or the url parameter. https://wiki.mikrotik.com/wiki/Manual:Tools/Fetch#Properties mode (ftp|http|tftp {!} https; Default: http) Choose the protocol of connection - http, https , ftp or tftp. src-path (string; Default: ) Title of the remote file you need to copy. url (string; ...

nescafe2002

Was that new for you?

Not new, but the problem has been acknowledged/reproduced on Jan 11th and "hopefully fixed in the next update" -- this is the next update :)

nescafe2002

Ipsec identities lost after upgrade from 7.2rc1 to 7.2rc2 and again after upgrade from 7.2rc2 to 7.2rc3 (SUP-60031).

nescafe2002

*) vxlan - allow unsetting "group" and "interface" properties; The "group" and "interface" properties are (unexpectedly) unset on upgrade from 7.2rc1 to 7.2rc2. Before upgrade: /interface vxlan add group=224.0.0.188 interface=bridge-lan name=vxlan-iot port=847...

nescafe2002

Thank you. Increasing the udp timeout fixes the issue. Looks like v7 does not detect properly udp streams.

nescafe2002

Regarding SUP-67833 download.mikrotik.com, 2a02:610:7501:4000::226 is actually unreachable from 20 endpoints. But that must just be dozens of ISPs

nescafe2002

Heh, I had SUP-67833 created for the poor IPv6 reachability (download.mikrotik.com in this case). Their response: Unfortunately, we do not provide network troubleshooting, please contact consultants. www.mikrotik.com/consultants Really? Really :) Closed the case, not my problem anymore. (Still: 2a02...

nescafe2002

'Closed ports' as in firewalled tcp and udp ports? As long as you haven't disabled the physical ports and you did not disable MAC WinBox server, you should be able to connect via MAC address. https://wiki.mikrotik.com/wiki/Manual:Winbox#Starting_Winbox To connect to the router enter MAC address of t...

nescafe2002

Probably worth debugging the issue a little more on your end. I'm willing to bet that this is Windows Auto-tuning going bananas. Turn this of on server level. We turn this of via policy as it do not work well over VPN. https://www.thewindowsclub.com/window-auto-tuning-in-windows-10 Thank you for yo...

nescafe2002

What's new in 7.1rc7 (2021-Nov-25 16:35): *) ipsec - fixed hardware acceleration support for ARM and ARM64 devices; Not sure what is fixed, but my RDP sessions to Windows 2012 R2-instances are still dropping out about every minute. RDCMan_DYG87BsyBf.png This has been the case since v7 with multiple...

nescafe2002

>>> /interface/pptp-client/monitor
>>> =.id=pptp-out1
>>> =once=
<<< !re
<<< =status=disconnected
<<< 
<<< !done
<<< 
>>> /quit
<<< !fatal
<<< session terminated on request
<<<

nescafe2002

Have you increased the dhcp lease time?

nescafe2002

I will finally be able to restore my full export.rsc without having to split it in two parts because of the historically missing address-pool default value. Hah, thank you for this. I think I'm responsible for this change log entry. It actually took two attempts to convince support: nov 2020 they d...

nescafe2002

I understand you Infabo. Everybody was happier when they did not release v7 for years. Oh wait... No that's not it. Software development takes time. Completing software takes more time. MikroTik decided to release early betas and rcs. You can choose to participate (voluntarily) or stick to the older...

nescafe2002

Options 31 and 56 are working for me.. Make sure you supply the adequate suboption (0x0001) and address length (0x0010) for each ntp server (when using option 56!). Also 2001:db8:case:: is an invalid IPv6 prefix therefore the addresses are interpreted as a string. I changed case:: into cafe:: for th...

nescafe2002

Can you reproduce the issue using the code example provided on the wiki?

Have you also considered using tik4net (https://github.com/danikf/tik4net)?

nescafe2002

Infabo, netinstall takes 15 minuten and you're up and running again. Reinstalling windows can take up half a day depending on the configuration. If you're sick of this, consider running long term. No one is forcing you to evaluate the beta.

nescafe2002

What unexpected results? Are there side-effects other than the obvious one, naming the interface *num?

[admin@MikroTik] /interface> set ether1 name=*A
[admin@MikroTik] /interface> disable *A
no such item (4)

nescafe2002

ROS, API and REST do support names as primary identifiers for master data: # ROS [admin@MikroTik] > /interface enable ether1 # API /interface/enable =.id=ether1 # REST curl -k -u api:api -X POST \ https://192.168.88.1/rest/interface/enable \ --data '{".id":"ether1"}' \ -H "c...

nescafe2002

Yes..

https://mikrotik.com/product/cap_xl_ac

Included parts:
- 24V 1.2A power adapter
- Ceiling mount
- Gigabit PoE injector
- K-81 fastening set

nescafe2002

You will need to find a IPv6 tunnel provider and configure the device accordingly. If your provider does not provide such service (6RD), you can sign up for a tunnel on https://tunnelbroker.net/ - they will provide you with configuration details which you can paste in terminal.

nescafe2002

RouterOS v7.1rc has masquerade support, so you can NAT your entire network to one (!) IPv6 address that is bound to the WAN interface. Not sure about dual wan using recursive routing, but you could automate that using scripting. Netmap which would be ideal (prefix translation), but it's not availabl...

nescafe2002

The command to execute is /user/group/print, but you would have got no such command if that was the problem. I had no luck reproducing the issue with the MK class in https://wiki.mikrotik.com/wiki/API_in_C_Sharp#Class (without SSL, new login procedure w/ plaintext password). Works as intended. Custo...

nescafe2002

Remove the remaining static neighbor discovery prefixes - dynamic entries should appear even with EUI64 disabled (try re-enabling the IPv6 address for reactivation).

nescafe2002

ROS doesn't support prefix-hint for ipv6 address yet, so it depends whether the assignment from comcast is dynamic, static or generally static (hardly changing). You can set the prefix per vlan to static by unsetting the 'From Pool' attribute in the IPv6 address.

nescafe2002

6to4 is a service to tunnel IPv6 over an IPv4 network and cannot be used to expose your IPv6 device over IPv4. You will need some other (VPN) service for that, providing a public reachable IPv4 address. Also, v6 routeros does not support ipv6 route rules, so multihoming IPv6 is not really going to w...

nescafe2002

Ok, sorry, I based my post on the 'no prefixes available' message earlier, not the duplicate addresses problem. Not sure what causes that.

Can you post a (anonymized) screenshot of the Used Prefixes tab of the IPv6 Pool?

nescafe2002

Set the Pool Prefix Length in your DHCPv6 client to 64.. it will not affect the acquired prefix length, but it will limit the pool assignments to /64. Note that MT will keep incrementing the prefix with from-pool setting on each configuration change, as soon as you assign multiple ip's from pool. Yo...

nescafe2002

To request options: /ip dhcp-client option # 01 = Subnet Mask, 03 = Router, 06 = Domain Server, d4 = OPTION_6RD add code=55 name=req_6rd value=0x010306d4 To process responses, I haven't been able to figure this further out.. I think DHCP option 212 deserves an actual implementation by MikroTik. /ip ...

nescafe2002

High CPU is a common issue, have you ruled out usual suspects e.g. NAT (masquerade) and connection tracking?

There are quite a few topics on this issue (search for pppoe cpu in forum).

nescafe2002

Looks like you have to add an ipv4 address to the ipipv6 interface and route to an ip within the ip subnet.

(E.g. ip 192.168.0.2/24 and route to 192.168.0.1)

Via forum search this topic popped up: viewtopic.php?p=724273#p724273

nescafe2002

You currently have two dynamic default routes, one from pppoe-client and one from dhcpv6-client. You may want to disable add-default-route on one of them. Sometimes adding a static route with dst-address=2000::/3 and gateway=pppoe-out1 could make it work (not sure why, but it worked for me). Remove ...

nescafe2002

anav, you're like a dog who marks every tree it walks by, but instead of trees you're marking forum topics :) not really necessary as sindy kind of adviced/requested the same thing.. Plugpulled, regardless of the actual cause of the issue, which should be fixed anyway, you can get auto reboot using ...

nescafe2002

I have examined logs and traces but could not find a cause for this issue.. unfortunately RDP is extremely sensitive and will initiate a TCP RST as soon as 'something' is off.. disconnecting after 5 to 15 seconds, leaving these unhelpful events in the log (Event Viewer/Application and Services Logs/...

nescafe2002

Partial configuration loss in 7.1rc4, after a few succesful reboots.. Same section got lost as 7.1rc3 => /ip ipsec identity SUP-60031 I have a higher MTU on the SFP, PPPoE won't go further than 1492. Could you tried creating a bridge-wan with a single port (sfp) and use this bridge in your configura...

nescafe2002

I think it would be better if the export for ip address followed the same rule as for bridge port: export interface ID instead of omitting interface attribute. [admin@MikroTik] > /interface bridge port export # sep/22/2021 09:00:35 by RouterOS 7.1rc4 /interface bridge port add bridge=docker interfac...

nescafe2002

svmk, the config disappearing problem has been fixed - this was probably the last time

Try restoring the config on rc4 and rebooting - should work properly now.

nescafe2002

w0lt, this is not unique to the CCR2004. v6 RouterOS devices cannot be downgraded below their factory version either.

nescafe2002

As I said earlier..The downloads page says CCR2004 for ROS 6.48.4. Not just certain model numbers. False advertising !! Actually not. The download pages states that CCR2004 models are ARM64 architecture. They do not state that all CCR2004 models do run all RouterOS versions. Also the product page f...

nescafe2002

ldkrjuger, probably the status is based on polling (internally), therefore the latest status (Downloaded, rebooting...) is sometimes not visible. Isn't the connection timing out? Perhaps you want more control over the update process.. therefore you could split the update process to make sure the dev...

nescafe2002

In label (appearance):
Firmware: [oid("iso.org.dod.internet.private.enterprises.mikrotik.mikrotikExperimentalModule.mtXRouterOs.mtxrSystem.mtxrFirmwareVersion.0")]

nescafe2002

It's stupid to advertise it. The fastest way to get infected. I checked, fortunately the two files: https://download.mikrotik.com/routeros/7.1beta6/all_packages-mmips-7.1beta6.zip https://download.mikrotik.com/routeros/7.1beta6/routeros-7.1beta6-mmips.npk and https://drivers.softpedia.com/get/Route...

nescafe2002

Good question. It works on a hAP ac³. It also works on a RB4011 if it's the single container. It doesn't work if you have multiple containers (start 1 actually runs iperf3) /container> print 0 file=iperf.tar name="2df45158-b892-4e06-af32-9ed00c0a1b9a" tag="" os="linux" ...

nescafe2002

Can you upload the container tar somewhere so I can rule that out?

Just uploaded here: http://www.filedropper.com/alpid

nescafe2002

I must say that I've had the same problem since upgrading my RB4011 to v7.1rc1.

Mostly connections to Windows 2012 R2 servers. They are probably really sensitive to interrupted data streams.

I am using direct RDP, TCP+UDP, over IPSEC.

nescafe2002

It works if you set the entrypoint to /usr/bin/id in the image. Dockerfile: FROM alpine:3.13@sha256:7bf024556a224584c0fff680d650b4be2ad560b17f6f627b11e0e2d5beb4b597 ENTRYPOINT /usr/bin/id Build on host: ~/alpid$ docker build -t alpid . ~/alpid$ docker save alpid > alpid.tar Transfer tar to device, t...

nescafe2002

Hello, please create a support file on the device (supout.rif) while it is not functioning properly and send the file with problem description to support.
You can also request a download link for the 7.0.4 package in the same ticket.

nescafe2002

Well - business users usually know how to follow instructions. Like, creating a supout.rif and sending it to support.

nescafe2002

Rfulton, what do you expect from us on the forum? Nobody here can help you - please create a supout.rif after the crash and send it to support.

nescafe2002

One big advantage of wildcart certificates is that your hostname is not leaked to the public via certificate transparency. I once generated a certificate on the synology.me domain, the host was then listed on crt.sh and the number of login attempts from all over the world exploded. If you create a w...

nescafe2002

You could enable fasttrack, it works for NAT as well. CCR should handle gigabit with ease without it, but may be worth trying out. /ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related add chain=forward action=accept connection-state=established,relat...

nescafe2002

No problem, was just replying to point out that the rule is safe to add.

nescafe2002

That rule is part of the default configuration:

/ip firewall
filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"

nescafe2002

denisun, can you advertise a lower mtu via ND settings?

nescafe2002

Okay I have no problems WinBox 3.29 connecting to 6.48.3, that's why I think it's related to v7.

nescafe2002

icsterm, is this happening on v7.1rc2 or at least v7? I have already reported this behavior (SUP-58300, Stalled entries in active Winbox session list & wrong session removed from session list on logout) - reproduced and will be fixed. Not only after crashes, after all disconnects.

nescafe2002

I'm having issues with 6to4 interface. IPv4 packets are somehow assembled (length 2922 bytes) and then rejected with ICMPv6 Packet Too Big. The tunnel throughput is starting at 900 Mbit and then dropping quickly to no more than 20 Mbps. It is dependent on the uplink (SFP) and fast path setting (when...

nescafe2002

What's new in 7.1rc1 (2021-Aug-19 13:06): !) added support for IPv6 NAT (CLI only); Currently action=netmap is not supported, which you'd expect for dual wan scenarios (to translate ULA prefix to ISP specific global prefix) E.g. this config is not supported: /ipv6 firewall nat add chain=srcnat acti...

nescafe2002

/int bri por is expanded to /interface bridge port-controller for some reason.. just don't abbreviate cli commands, they are suspected to change anyway. [admin@MikroTik] > /int bri por pri ;;; disabled switch: none control-ports: excluded-ports: [admin@MikroTik] > /int bri port pri Flags: I - INACTI...

nescafe2002

This works fine on ROSv7.1rc2 (ping request timed out):

/interface bridge filter
add action=drop chain=forward dst-mac-address=E4:8D:8C:B0:DE:37/FF:FF:FF:FF:FF:FF

Could you share a code example and your test setup?

nescafe2002

Or use bridge split horizon. /interface bridge add name=bridge1 /interface bridge port add bridge=bridge1 horizon=1 interface=ether1 add bridge=bridge1 horizon=1 interface=ether2 add bridge=bridge1 horizon=1 interface=ether3 add bridge=bridge1 horizon=1 interface=ether4 Ports ether1-ether4 are now i...

nescafe2002

Ok, afaik WireGuard is stateless, so no connect / disconnect occurs.

There is a last handshake property which you can use to detect activity, but since that would be based on a timeout - netwatch would be a better option.

nescafe2002

Since WireGuard uses fixed ip addresses anyway, could you just set up a netwatch entry for the remote host and implement the functionality in up/down scripts?

nescafe2002

Have you checked the firewall connection tracking table for any icmp entries when the issue occurs?

nescafe2002

var conn1 = tik4net.ConnectionFactory.OpenConnection(TikConnectionType.Api, "192.168.88.1", 8728, "admin", "password"); var conn2 = tik4net.ConnectionFactory.OpenConnection(TikConnectionType.Api, "192.168.88.2", 8728, "admin", "password");...

nescafe2002

I had the same issue. Sent to support. Note that the netinstall completes successfully. You just have to manually reboot the device.

Win10 netinstall/netinstall64 7.1rc1 RB2011.

nescafe2002

You can create multiple clients in a single program.

nescafe2002

But what if those addresses ever change? You'd have to check all your router's configuration!

The "check all your router's configuration" is not hard.. make an export of the configuration (text file) and search for the address in this file.

nescafe2002

But.. have you tried disabling keepalive?

nescafe2002

SUP-27251 [Winbox] Feature request: Add menu option "Window"

Time to delivery: Less than a year :)

Thanks!

nescafe2002

Tested on beta, seems that the GRE interface is not running when keepalive is active.

Disabling keepalive on the GRE interface enables the routes.

Note that ROSv7 is still in beta; 7.0.3 is a one-time-build for Chateau but can still contain bugs.

nescafe2002

Setting custom dns server in ND/RA is not possible until ROSv7. For ROSv6, use option 23 in dhcpv6 server and enable 'other configuration' in RA: /ipv6 dhcp-server option add code=23 name=dns value="'2001:db8::1''2001:db8::2'" /ipv6 dhcp-server add dhcp-option=dns interface=bridge name=def...

nescafe2002

Not sure why you want to update the local address, do you have a dual wan setup? If not, just unset local-address and it will pick your external address automatically: /interface 6to4 set [find] local-address=0.0.0.0 You could update the IPv4 endpoint on HE side by running a fetch command, e.g.: htt...

nescafe2002

In my case, support noticed a high queue drop count (/interface print stats, column "tx-queue-drops").

Setting larger queue size solved the problem:
/queue type set ethernet-default pfifo-limit=300
/queue interface set [find where queue!=no-queue] queue=ethernet-default

nescafe2002

They do not post the firmware publicly because it will brick non-chateau devices. Both times they posted a link, with warning, at least one user tried installing it on another model.

nescafe2002

What 'works on my machine' is: /interface pppoe-client add add-default-route=yes name=pppoe-client /ipv6 dhcp-client add add-default-route=no interface=pppoe-client request=prefix This will add a dynamic route to ::/0 via pppoe-client. And a default ipv4 route. The 2000::/3 is a testing route to fin...

nescafe2002

1) Well you have a polling timer at the moment at around 5-10", so to start with you could make that time range dynamic so we could set it to 1 year for example 2) You need to keep the settings(filtering the local forwarding ones) that are pulled locally to the cap so in case of reboot they ar...

nescafe2002

Note that the pppoe-client already adds a default route (based on ppp profile). So first try setting add-default-route=no in your dhcpv6 client to prevent the extra route to be added. Have you added bridgeLAN to the LAN interface list? For testing, you could add a route to a more specific public pre...

nescafe2002

mrz, SUP-45712 describes same issue, no LL address on bridge with admin-mac set. LL address doesn't change, it disappears on unrelated reconfigurations. I have provided steps to reproduce + supout.

Edit: Issue will be resolved in 7.1beta7.

nescafe2002

There is an earlier statement on this issue (well.. slightly related issue) from staff: https://forum.mikrotik.com/viewtopic.php?p=646067#p646067 DHCP client is required on CHR installations since most of cloud services provide only access through IP address and you do not have direct access to cons...

nescafe2002

Then try enabling DHCP Provisioning: Settings > Auto Provision > DHCP Active > On Then reset (reboot) phone. Is your endpoint password protected? From a working setup: /ip dhcp-server option add code=66 name=yealink value="'https://user:password@host.domain.tld:443/dms/yealink/'" /ip dhcp-...

nescafe2002

Have you enabled DHCP provisioning in the phone features? Or have you factory reset the phones to test?

(Yealink will only accept DHCP provisioning when enabled or after factory reset)

nescafe2002

Split your ip pools and use vendor class. /ip pool add name=lan next-pool=lan2 ranges=192.168.0.2-192.168.0.199 add name=lan2 ranges=192.168.0.221-192.168.0.254 add name=voip ranges=192.168.0.200-192.168.0.220 /ip dhcp-server vendor-class-id add address-pool=voip name=yealink server=default vid=yeal...

nescafe2002

Move the login logic out of the loop and keep the process running.

nescafe2002

https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Port_Settings Use split horizon bridging to prevent bridging loops. Set the same value for group of ports, to prevent them from sending data to ports with the same horizon value. Split horizon is a software feature that disables hardware offload...

nescafe2002

I'm assuming the 5 minute timeout is introduced by OP solely to prevent a boot loop, but if it's necessary to add a waiting period for all outages, you can alter the watchdog ping-timeout parameter. ping-timeout (time; Default: 60s) - Specifies the time interval in which the device will be pinged 6 ...

nescafe2002

Ok, ontopic, let me further explain my thoughts here. OP has created a 5-min reboot script which is triggered by a netwatch entry. This makes sense because netwatch fires directly after startup - restarting directly would create a boot loop. When there is a connection - OP wants to cancel the reboot...

nescafe2002

In a fair and sensible way, OP is free to take my advice or not.

But are you, rextended, accusing me of forum pollution? Really? Lol..

nescafe2002

Imo the XY problem is applicable here - OP already has created a reboot script which he wants to interrupt so he asks for a scripting solution; the watchdog module doesn't require scripting at all.

nescafe2002

Better use the watchdog feature https://wiki.mikrotik.com/wiki/Manual:System/Watchdog watch-address The system will reboot, in case 6 sequential pings to the given IP address will fail. If set to none this feature is disabled. By default router will reboot every 6 minutes if watch-address is set and...

nescafe2002

rextended , anav , please don't reply to these post as they are automatically crossposted (from reddit) with suspicious links. Just report the posts. Post #1: https://www.reddit.com/r/mikrotik/comments/jypr2q/routeros_v72_beta_and_routing_marks/ Post #2: https://www.reddit.com/r/mikrotik/comments/j...

nescafe2002

It might be a shot in the dark, but I've experienced similar issues with ipsec until today - dropping ipsec connections (active peer state message 2 sent). Rb3011 / 6.48.3 / 3 peers (2 ip & 1 ip cloud dns). Noticed an active peer entry with an ip address of peer_a and comment of identity of peer...

nescafe2002

Make sure you are connected to port 2-5.

nescafe2002

You can prevent port membership updates from affecting the bridge mac by hard setting the admin MAC instead of using auto MAC for the bridge.

Yes, but reconfiguring any bridge (e.g. bridge2) should not lead to loss of link local address of another bridge (e.g. bridge1).

nescafe2002

This has been reported but was unconfirmed by MikroTik support. SUP-45712 [7.1beta5] No link-local communication after bridge reconfiguration Quick solution is to briefly disable and enable IPv6; /ipv6/settings/set disable-ipv6=yes /ipv6/settings/set disable-ipv6=no The issue re-appears after a brid...

nescafe2002

and because you seem to approve of the beta rollout process probably can help me find the beta5 binaries so that I can downgrade from the latest UNTESTED beta Hello person who has been doing software development for decades; you can find the binaries of the previous untested beta release for your d...

nescafe2002

RB3011UiAS - Portflapping We just had a case of portflapping with 6.48.2 on a RB3011. I reported a case of port flapping on rb3011 6.48.1 earlier and got response: Please apply this command to prevent lockups between RB3011 switch chips and CPU: /interface ethernet switch set switch1,switch2 cpu-fl...

nescafe2002

tenner, check the log

nescafe2002

Use the in keyword for subnet matching.

E.g.

/ip route print where 172.17.0.0/16 in dst-address

nescafe2002

Why are you insisting on AD DHCP? Just use MT's DHCP server and you will be fine. Configure AD DNS in MT DHCP Network and you're done. Disabling MT's DHCP server shouldn't lead to the problems you are experiencing unless you configured the AD DHCP incorrectly. Also, create a backup AND an export of ...

nescafe2002

Since name is the primary identifier for the object, you can use .id=peer-A: using (var conn = tik4net.ConnectionFactory.OpenConnection(TikConnectionType.Api, "192.168.88.1", 8728, "admin", "password")) { conn.CreateCommandAndParameters("/ip/ipsec/peer/disable"...

nescafe2002

Never, ever, ever, use QuickSet on an already configured router. Not even with correct settings. You should only QuickSet a device with zero configuration on it. That being said, in default config the device should be discoverable on the internal net and reachable via web, winbox and/or mac telnet. ...

nescafe2002

Tried to assign a static ip in addresses but failed. Failed how? You couldn't open the IP Address menu? Couldn't access the console? Setting was not saved? Did you get an error message? If your device doesn't work properly, create a supout.rif and send it to support with problem description + steps...

nescafe2002

Netinstall lets you keep the configuration as an option.

nescafe2002

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/command/ipv6-cr-book/ipv6-i3.html#wp2583862361 To suppress IPv6 router advertisement transmissions on a LAN interface, use the ipv6 nd ra suppress command in interface configuration mode. Don't advertise your ips: /ipv6 address set [find where a...

nescafe2002

I have recently tested 7.1beta4 on my main router (RB4011) with a 6to4-tunnel but cannot reach speeds over 100 Mbps. There are a lock of dup acks and icmpv6 packet too big messages cluttering up the interface. Not sure if this is related to IPv6 in general or the 6to4 tunnel, but you may want to che...

nescafe2002

That's what betas are for :) Glad it will be fixed for stable release.

nescafe2002

Try send host-name "hostname" in dhclient.conf.

nescafe2002

MikroTik reads hostname (client option 12 ) from DHCP DISCOVER, some client devices provide host name in DHCP REQUEST.

nescafe2002

aronw95, did you check the log after the first attempt?

nescafe2002

/interface bridge port remove [ find bridge=bridgeLocal ]

nescafe2002

Not necessary, interface is member of WAN and there is already a masquerade rule for WAN. Just remove the general masquerade rule.

nescafe2002

https://wiki.mikrotik.com/wiki/Manual:S ... l_commands

beep :beep <freq> <length> beep built in speaker

You can supply length without unit (defaults to number of seconds) or with unit, e.g. 200ms.

nescafe2002

mskoric; yes, sniffer disables fast path. The issue is fixed in 6.49beta11. https://forum.mikrotik.com/viewtopic.php?f=21&t=172259&p=842156#p844958 The reported SIP phone issue is fixed with this change: *) fastpath - fixed IP packet receive on bridge and bonding interfaces when destination ...

nescafe2002

No scripting required.

What's new in 6.41 (2017-Dec-22 11:55):
*) ipsec - allow to specify "remote-peer" address as DNS name;

nescafe2002

What's the name of the file?

nescafe2002

Not really. It has been mentioned before on the forum. https://forum.mikrotik.com/viewtopic.php?f=2&t=103739&p=515485#p515505 I just confirmed that Winbox 3.0 still has the behavior where typing a hostname into "Ping To" will use the client's DNS resolver, and not the remote Mikrot...

nescafe2002

The host is resolved in Winbox on the client device..

Try this in Terminal:

[admin@MikroTik] > /ping [:resolve www.cnn.com] 
failure: dns server failure

nescafe2002

Please don't quote posts entirely - quote selectively and don't quote if you're replying to the most recent post. CAPsMAN will provision radios wlan1 and wlan2 based on provision rules based on mac address or hw mode (e.g. gn/ac). In the documented example provision is not filtered so both radios (2...

nescafe2002

Users are omitted on export, probably to prevent the creation of passwordless users on import. Also users can be kept on configuration reset.

Use /user export to export users.

nescafe2002

Please post your CAPsMAN configuration. If I remember correctly, devices in cap mode somehow only work if a CAPsMAN controller is available in the network. /caps-man export should look something like this: /caps-man configuration add country=latvia datapath.client-to-client-forwarding=yes datapath.l...

nescafe2002

Use watchdog timer with watch address instead of netwatch. https://wiki.mikrotik.com/wiki/Manual:System/Watchdog watch-address (IP; Default: none) The system will reboot, in case 6 sequential pings to the given IP address will fail. If set to none this feature is disabled. By default router will reb...

nescafe2002

Mail support.. the forum is no official support channel.

nescafe2002

Is there no relevant line in the firewall connection tracking table?

nescafe2002

Yep.. that should work.

nescafe2002

Sorry, I misguided you.. PBX should be set to gateway 192.168.1.254.

nescafe2002

PBX should have set 192.168.2.254 as gateway.
Not sure why you couldn't ping 192.168.2.254 from your existing lan.. could you post your config (/export hide-sensitive)?

nescafe2002

System > Packages > Check for upgrades => upgrade.mikrotik.com IP > Cloud > DDNS Enabled => cloud2.mikrotik.com Interfaces > Detect Internet => cloud.mikrotik.com These are all subdomains. Are you sure the device is actually resolving the domain name 'mikrotik.com' (without subdomain)? Are there cli...

nescafe2002

Nope, not really.

Perhaps you're trying to remote configure CPE's, then you could take a look at https://wiki.mikrotik.com/wiki/Manual:TR069-client

nescafe2002

Was Winbox designed to dock the child window to the main window (when maximized)? Or has this behavior changes in recent version?

Perhaps this is not a bug but rather a suggestion or feature request.. better contact support.

nescafe2002

You want to pass-through option 43 from dhcp-client to dhcp-server? That's gonna require some scripting. E.g. :if ($bound=1) do={ :local acs ($"lease-options"->"43"); :log info "DHCP Option 43: $acs"; /ip dhcp-server option set option-43 value="'$acs'"; } Or, ...

nescafe2002

Add ip address 192.168.2.x/24 to LAN interface (bridge) takes care of routing between two subnets on same interface. /ip address add address=192.168.2.254/24 interface=bridge network=192.168.2.0 Extend ip pool and add dhcp-network for this segment. /ip dhcp-server network add address=192.168.2.0/24 ...

nescafe2002

Option 55 is a dhcp client options (requested parameter list). If you want to request more than the standard options, you'll have to supply the complete request list including 1 (subnet mask), 3 (gateway) and 6 (dns). Note that the MT probably will ignore option 43, but maybe you could do something ...

nescafe2002

Will be there no further V6.48.XX versions?
From the doomed V6.48 straight to V6.49?

Check the version numbering schema: https://wiki.mikrotik.com/wiki/Manual:U ... _numbering

Changes (fixes) from 6.49beta/rc can be merged to 6.48.x.

nescafe2002

Perhaps the package is disabled. Check System > Packages.

nescafe2002

viewtopic.php?f=1&t=169992#p832375

Export problem is known, /routing menu export is the one that fails.

nescafe2002

Mail support.

nescafe2002

Which version of WinBox? Have you tried clearing Cache (via connection dialog)?

nescafe2002

Nope, but you are trying to tunnel via a bridged device.. should work nevertheless, but I have not tested that scenario.

nescafe2002

Yes, if 192.168.10.254 is the default gateway of the device, 192.168.10.21 will not be able to reach either the other subnet or the internet via site B. Set the default gateway to 192.168.10.1. Actually nske noticed this earlier: a) 192.168.10.21 would be using the local ipsec terminating router (19...

nescafe2002

For 192.168.10.21 initiated traffic no additional configuration (route, firewall, nat) is required in default configuration. https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS There is 'some' routing decision before ipsec policy matching, but routing is done twice, so the actual (out...

nescafe2002

It should work out of the box.. Are the PH2 states of the new policies established?

nescafe2002

This rule translates all connections with a destination port of 25, 465. add action=dst-nat chain=dstnat comment=email dst-port=25,465 protocol=tcp \ to-addresses=192.168.2.7 So, even outgoing connections will be rewritten to destination ip 192.168.2.7. If this is the desired behavior, you should al...

nescafe2002

No need for additional protocols or interfaces. This scenario will work in standard ipsec tunneling mode. On site A create an additional policy: /ip ipsec policy add dst-address=0.0.0.0/0 peer=siteB src-address=192.168.10.21/32 tunnel=yes On site B create an additional policy: /ip ipsec policy add d...

nescafe2002

No need to add another filter rule. Your nat rule is dstnatting both incoming and outgoing connections. Limit the nat rule instead (e.g. dst-address-type=local and dst-address=!192.168.0.0/16). Note that you already made this effort on the first nat rule (ssh) with src-address=!192.168.2.0/24. To pr...

nescafe2002

Connect via mac to bypass firewall.

nescafe2002

This has been discussed before: https://www.reddit.com/r/mikrotik/comments/6kgln8/anonymous_and_weak_ssl_ciphers_on_mikrotik/ Disabling/firewalling www-ssl and api-ssl should fix the issue. If you're concerned about security, you should learn to properly and securely configure (e.g. firewall) the de...

nescafe2002

Did you clean the connector or the optical side? And how?

nescafe2002

*.phillipcarroll.local is not a valid regex entry because the first * quantifier is not preceded by a character (sequence).

But since partial matching takes place, I choose to omit the subdomain (.*) in general.

So.. \.domain\.local$ is simpler than ^.*\.domain\.local$

nescafe2002

The wiki example is escaped for pasting in terminal, you pasted the terminal example in the winbox dns static entry window (not the terminal).

nescafe2002

Your tld is .local, not .local$. Don't escape the last $ in the regex. In fact you should unescape the CLI syntax, e.g. \\. => \. when pasting directly in Winbox. Omitting the slashes will make it match with other characters as well. E.g. philipcarrollBlocalWhateveryoulike would match. Better use th...

nescafe2002

You're welcome. Increasing dhcp lease time (from 15m to 2h) might also help.

nescafe2002

7.1beta has support for DNS in RA, until then use DHCPv6 option 23

nescafe2002

You can use 6to4 (6in4) to tunnel ipv6 traffic over ipv4. /interface 6to4 add !keepalive name=6to4-branch remote-address=branch.tld /ipv6 route add distance=1 dst-address=2001:db8:10:10::/64 gateway=6to4-branch /interface list member add interface=6to4-branch list=LAN /interface 6to4 add !keepalive ...

nescafe2002

User Cha0s has answered this question earlier on SO:

https://serverfault.com/questions/88496 ... tik-router

AFAIK you cannot disable this on MikroTik.

nescafe2002

not sure why it wasn't applied automatically.

Default configuration is not re-applied on module activation. Maybe it should (for firewall) but that's up to the product team.

nescafe2002

After enabling ipv6 package, the ipv6 firewall is in the default configuration. https://help.mikrotik.com/docs/display/ROS/Default+configurations /system default-configuration print You can copy/paste the /ipv6 firewall part from there (make sure your terminal window is wide enough for all contents ...

nescafe2002

Is the DHCP server service not active, or not listed? Those are two different concepts..

The IP Services list is list of services not specified elsewhere. E.g. IPSEC server, PPTP/L2TP server services are not listed under IP Services. So it is 'by design'.

nescafe2002

Correct, they serve the same purpose. I like to leave the default firewall alone, give the dummy route a higher distance and a comment regarding device initiated ipsec connections. Also for unenstablished dynamic policies, the dummy route prevents unencrypted packets from leaving through wan. But se...

nescafe2002

Running EoIP to link two sites and then deal with the undesired effects (broadcasts, same subnet) is.. not the best advice imo. Just plain ipsec tunneling should work fine. To start, get rid of all the custom proposal and profile and use static peer for tunneling. Default firewall needs no adjustmen...

nescafe2002

Please see below link what I want to elaborate you. https://aacable.wordpress.com/2018/03/27/separating-natting-from-routing-in-mikrotik/ Your link provides the correct information: "When using Masquarade, RouterOS has to do full connection tracking recalculation on EACH interface connect/disc...

nescafe2002

msatter understood your question and pointed you in the right direction. The linked post contains all you need to know to create a failover solution.

Next time, don't quite entire posts especially if it's the most recent post you are replying to.. thanks :)

nescafe2002

monitor.ExecuteAsync(re => responses.Add(re)); This does not give me nay responses. It does give a response in the error callback: monitor.ExecuteAsync( re => responses.Add(re), e => Console.WriteLine(e.ToString())); Error: ApiTrapSentence:.tag=1|message=unknown parameter You can use parameter .id ...

nescafe2002

https://wiki.mikrotik.com/wiki/Manual:Product_Naming

Compared to the RB2011UiAS-2HnD, the RB2011UAS-2HnD has no PoE (out).

Watch out for NAND wear (bad blocks) on older, used devices. Performance should be comparable between both (244 Mbps w/o fasttrack).

nescafe2002

Also note the 'S' flag in the cache table - it refers to Static

nescafe2002

Since this thread went offtopic anyway, if you could limit the amount of quotes in your posts, that whould be helpful for rss readers :-)

(Or use Post reply instead of Reply with quote)

nescafe2002

Also, system shutdown is not required before power off.

viewtopic.php?t=123124#p607056

Mikrotik devices are safe to loose power in normal operation mode. No need to shut down the system before the power outage.

nescafe2002

/ipv6 dhcp-server option add code=23 name="dns" value="'2001:db8::1''2001:db8::2'" add code=24 name="search" value="0x04'home'0x05'local'" /ipv6 dhcp-server add dhcp-option="dns,search" interface=bridge-lan name=default /ipv6 nd set [ find default=y...

nescafe2002

"Bad" programmer? Incomplete requirements or missed in QA; but actual the programmer did a fine job here. Input is properly validated and saved according to some spec. Be a "good" user and report your findings to support via mail (support@) or https://help.mikrotik.com/servicedes...

nescafe2002

Make dhcp entries static then assign dhcp option 6; they will override dhcp network setting. /ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.2,192.168.88.3 domain=home.local gateway=192.168.88.1 /ip dhcp-server option add code=6 name="alt-dns1" value="'192.16...

nescafe2002

I used to have a script in /system/schedule to change NAT address ip.

Why don't you add pppoe-client to WAN interface list to take advantage of masquerade rule in default configuration?

nescafe2002

Check the default forwarding property of your wireless interface, the forwarding property of your access list entry or the client-to-client forwarding property of your capsman (datapath) profile. Check the client isolation setting on your TP-Link device :) Disable this checkbox: AP Isolation: Selec...

nescafe2002

Check the DHCP client status tab to find out which device assigned the ip

nescafe2002

But...I could not come up with any combination of routing definitions or NAT that would allow me to reach 192.168.42.1 from the main router. When using plain ipsec tunnel mode (no gre/ipip/...), you'll have to make sure the router picks the correct local address to be matched with ipsec policy. Thi...

nescafe2002

valemal, if you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device.

nescafe2002

https://mikrotik.com/download/changelogs/stable-release-tree (Stable release tree) What's new in 6.47.3 (2020-Sep-01 05:24): *) dns - fixed multiple TXT string replies; (Testing release tree) What's new in 6.48beta35 (2020-Sep-02 07:50): *) dns - fixed multiple TXT string replies; Are you on long te...

nescafe2002

Hello,

This is a known issue. You can set the endpoint (IPv6 address with port) via terminal:

/interface/wireguard/peers
print
set 0 endpoint="[2001:0db8:85a3::8a2e:0370:7334]:12321"

nescafe2002

Thx.. It's mistake for typing, but I really can't download update. Are you sure download.mikrotik.com resolves to one of the following ip addresses? ~$ openssl s_client -connect [2a02:610:7501:1000::196]:443 | openssl x509 -noout -text | grep DNS: DNS:*.mikrotik.com, DNS:mikrotik.com ~$ openssl s_c...

nescafe2002

Try enabling logging for the invalid rule. I've had some problems with lan-to-lan connections which were flagged invalid.

nescafe2002

Enabling IP Cloud will not automatically allow access to the device. It is just a free ddns service provided by MikroTik along with time sync and a backup slot.

You can find the exact specifications in the wiki, https://wiki.mikrotik.com/wiki/Manual:IP/Cloud

Search found 889 matches