Mikrotik changes their firmware version numbering

While troubleshooting an issue this morning I went to upgrade the routerboard firmware on a CCR after bringing it up to 6.42.  The upgrade-firmware now appears to match with the router-os version.

/system routerboard print
routerboard: yes
model: CCR1016-12S-1S+
firmware-type: tilegx
factory-firmware: 3.22
current-firmware: 3.41
upgrade-firmware: 6.42

Now, if Mikrotik would just provide release notes on the routerboard firmware in a handy place.

IPV6 Firewall rules for Mikrotik

Some basic IPV6 Firewall Rules for Mikrotik. Replace in-interface=”” with your appropriate interface.

/ipv6 firewall filter
add chain=input protocol=icmpv6
add chain=input connection-state=established,related
add chain=input dst-port=546 in-interface=ether1-wan protocol=udp src-port=547
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new in-interface=ether1-wan
add chain=forward protocol=icmpv6
add chain=forward connection-state=established,related
add chain=forward connection-state=new in-interface=!ether1-wan
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-state=new in-interface=ether1-wan

Mikrotik and two unique subnets across an Ipsec Tunnel

Recently we had an issue with an IPsec tunnel on Mikrotik passing multiple subnets across a tunnel with multiple policies. The problem is Packet forwarding and encryption only works for one destination (the first matched IPSec Policy) and the other subnet, which has the second policy did not work.  In our case, we had two subnets 192.168.115.0/24 and 192.168.116.0/24 going across the tunnel.  We could reach things on 116, but not 115.  The following blog post was the fix for our issue.

Mikrotik IPSec VPNs with multiple destination Networks/Policies and SA(s) management.

Once the level was set to “unique” everything was good.

The importance of checking layer one and two

I had a simple network consisting of a Mikrotik hooked to an internet connection along with 3 APs behind it.  Nothing fancy,  The network was experiencing drop out in service.  The internet would just stop.  One of the most noticeable things would iPhones would drop the wireless link and revert back to LTE, or the internet would just stop working for them.  This was happening on a very regular basis.

Wireless testing was done, new APs were added, but no one thought to check the ports on the headend router.  Upon investigation of the logs this was found:

Normally this would be a slam dunk, however, there was nothing plugged in at all to ether4 to generate these areas.  No cable, no nothing.  If you disabled the port the errors would go away.  Re-enable the port and they would come back.  Upgrade and downgrade of the OS did not seem to fix the issue.  A new headend router was installed and everything was back to working normally.

Simple shut-off scripting

I had a client today who is doing some manual things as they are using Quickbooks for billing and such.  One thing they kind of struggle with is turning off people for non-payment and such.  Their current method is adding a que and throttling someone to a low-speed to make them call.  Their network is a routed network utilizing DHCP to the CPE at the customer.  Everything is in router mode and they control the addressing of the units via DHCP reservations.  So how do we make this better without adding radius and all kinds of stuff into the network?

First we set up a web-proxy

/ip proxy
set enabled=yes port=8089

/ip proxy access
add dst-host=mtin.net dst-port=80
add dst-host=*.mtin.net dst-port=80
add dst-port=53
add action=deny redirect-to=www.mtin.net

What the above code does is says anyone coming into the proxy is only allowed to go to mtin.net (used our domain as an example), use port 53 (DNS), and anything else gets redirected to www.mtin.net. We chose port 53 because they are in the process of cleaning up some of the radios and such which are using 8.8.8.8 and other DNS servers.

Next we set up a nat rule

/ip firewall nat
add action=redirect chain=dstnat dst-port=80 protocol=tcp src-address-list=\
SHUTOFF to-ports=8089

This nat rule says anyone making a port 80 request coming from our SHUTOFF address-list gets redirected to port 8089 (our proxy port setup earlier).

Our third step is to setup our address list. this is very straightforward.  Just modify and add users to this list when they are to be turned off.

/ip firewall address-list
add address=10.20.0.192 list=SHUTOFF

Lastly, we add a filter rule which denies the SHUTOFF folks from using anything except port 53 and port 80.  We do this because we can’t proxy port 443 and other SSL traffic. If folks go to a HTTPS site it simply fails.  This is a drawback of using a web-proxy.

/ip firewall filter
add action=drop chain=forward dst-port=!53,80 protocol=tcp src-address-list=\
SHUTOFF

If you have an SSL payment gateway you can modify your filter rules to allow traffic to it. This is just one quick and dirty way of letting customers know they have been turned off.

Mikrotik Router OS 6.36.2

To upgrade, click “Check for updates” at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

v6.36.2 forum topic discussion,
http://forum.mikrotik.com/viewtopic.php?f=21&t=111450

What’s new in 6.36.2 (2016-Aug-22 12:54):

*) arm – show cpu frequency under resources menu;
*) capsman – fixed upgrade policy;
*) ccr/crs – fixed SFP+ interface ddmi info reporting function. Info is now refreshed on regular intervals;
*) conntrack – fixed ipv6 timeout display;
*) conntrack – fixed removing icmpv6 connections;
*) dns – avoid unnecessary dynamic server address saving in storage;
*) dns – allow to set query-server-timeout and query-total-timeout only greater than 0s;
*) dns – fixed lockup when dynamic dns server address 0.0.0.0 was received;
*) export – updated default values in /system routerboard settings menu;
*) partitions – fixed crash on repartition when there is not enough free space;
*) sstp – fixed disconnects on transmit for multicore systems;
*) switch – fixed configuration reload on CRS switches;
*) winbox – make queue tree default queue type default-small;