This is specifically for the D-Link DGS-3526 and will block rogue DHCP servers: DHCP server replies (UDP source port 67) are permitted on ports 25-28 and denied on ports 1-24.
create access_profile ip udp src_port_mask 0xFFFF profile_id 10
config access_profile profile_id 10 add access_id 1 ip udp src_port 67 port 25-28 permit
config access_profile profile_id 10 add access_id 2 ip udp src_port 67 port 1-24 deny
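To show how the two access_ids above are evaluated (exact source-port match via the 0xFFFF mask, first match wins, and anything unmatched is forwarded), here is a small simulator of that access profile. It is an added example, not the switch's code or anything from the original post; the packets, port numbers and the default-permit behaviour of an unmatched packet are assumptions made for the illustration.

```python
# Added example (not from the original post): a small simulator of the
# DGS-3526 access profile above, to show why rule order and the port
# ranges matter. Packets and port numbers below are constructed.
from dataclasses import dataclass


@dataclass
class Packet:
    ingress_port: int   # physical switch port the frame arrived on
    proto: str          # "udp" or "tcp"
    src_port: int       # L4 source port


# profile_id 10 matches on the UDP source port with mask 0xFFFF (exact match).
SRC_PORT_MASK = 0xFFFF

# (access_id, udp src port, switch port range, action), in lookup order.
# Mirrors the three commands in the post: DHCP server traffic (src 67) is
# allowed from the uplink ports 25-28 and dropped from access ports 1-24.
ACCESS_PROFILE_10 = [
    (1, 67, range(25, 29), "permit"),
    (2, 67, range(1, 25), "deny"),
]


def evaluate(pkt: Packet, rules=ACCESS_PROFILE_10) -> str:
    """Return the action of the first matching access_id.

    A packet that matches no rule is forwarded ("permit"), which is the
    assumed default for a profile with no catch-all deny.
    """
    if pkt.proto != "udp":
        return "permit"
    for _access_id, src_port, ports, action in rules:
        if (pkt.src_port & SRC_PORT_MASK) == src_port and pkt.ingress_port in ports:
            return action
    return "permit"


def blocked_rogue_offers(packets):
    """Return the ingress ports whose DHCP server replies were dropped."""
    return sorted({p.ingress_port for p in packets if evaluate(p) == "deny"})


if __name__ == "__main__":
    sample = [
        Packet(26, "udp", 67),  # legitimate DHCP server behind an uplink port
        Packet(3, "udp", 67),   # rogue DHCP server plugged into an access port
        Packet(3, "udp", 68),   # normal client DISCOVER/REQUEST: untouched
        Packet(3, "tcp", 67),   # not UDP, so the profile does not apply
    ]
    for p in sample:
        print(p, "->", evaluate(p))
    print("ports with blocked DHCP replies:", blocked_rogue_offers(sample))
```

Note that client traffic (source port 68) never touches the profile, so the rules only ever affect whatever answers like a DHCP server on an access port.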
I’ve been working on connecting to our Bioscript readers…biometric entry devices. You can upload thumb templates one way…standing at the device with an RS232 cable…not ideal!
What I did was install some RS232 to IP converters. These guys are a little over eighty bucks each, but they are well worth the money. They map a virtual COM port over to a Windows or Linux machine. This allows us to administer the readers from anywhere! These guys will take up to 24 V DC, so you could use a standard PoE injector, but that’s not any fun!
What I did was to create a couple of special cables. One injects the 24 volts on the brown and blue wires of our Cat5 cable; the other stubby wire breaks them back out.

I’ve really had my head down lately. I just knocked out my MTCRE and scored better than an 80. What this means is that I’m able to train for this cert. What’s that you say…train? That’s right my peoples…I’ll be training. At the MUM in a few weeks I’ll be taking train the trainers. Once complete, I’ll be offering live, in-person classes! I…Can’t…WAIT!
I’ll be posting the URL to my new training site soon. I’ll also see if I can’t get my content going again. I’ve got a few things to wrap up, but afterwards things should get back to normal.
You guys know I love me some Cacti. I also enjoy The Dude. Cacti is especially great for long-term retention of graphs. If you don’t have a monitoring tool available, or you are simply in a pinch, then you can use the built-in Mikrotik graphing.
You can enable the graphs by going to Tools -> Graphing.
If you want to enable system graphing of CPU/Disk/Memory, then go to the Resource Rule tab and add which host or network should have access.

If you would like to enable interface monitoring, you can choose either all or individual interfaces. Specify which hosts or networks have access.

You can also graph simple queues following the same method.
Once you have allowed access, make sure you have your web service running under IP -> Services -> www.
Then navigate to http://Router-IP/graphs/.
Looks like they will be giving away the RB250GS that I reviewed here. At least they will to the first 200 users. Get in there and claim your switch.

wwwweeeeeeeeeeeeeeeeeeeee
I’m doing IPsec tunnels from a 6509 at a remote facility to an ASA. The tunnel would establish, traffic would send from the 6500 to the remote client, the remote client would answer, but it would never go back through the 6500…strange.
I noticed that the ASA said that the connection was using NAT traversal, which it shouldn’t…both of these devices were sitting on public address space. I also noticed the following message in my logs:
%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection
I tried many things, but the fix turned out to be disabling NAT-T on the 6500…apparently it is buggy. Issue the following command for happiness:
no crypto ipsec nat-transparency udp-encapsulation
I was thinking while running the other day: how could one monitor utility power at a POP (Point Of Presence) without forking over your standard $200 for a monitoring device? So this is what I came up with:
Supplies:
Cut your cable in half and then strip off a couple of inches of the jacket.

Then strip a little of the jacket from the remaining wires.

Wire the green/white to the common leg of relay #1 (or the first common if you are using a DPDT) and the orange/white to the normally open (NO) leg.
Then wire the green to the second common leg (DPDT) or to the common of the second relay, and the orange to the NO leg.


Then tie in your 12V transformer to the positive and negative poles on your relay(s). Throw everything into your plastic container and you are just about done.
At your POP, plug the router into the UPS and then plug the 12V adapter into the mains power outside of the UPS. Then plug the Ethernet cable into an available port on the MTK.
When power is live on the 12V transformer, the relay is actuated and the cable we wired up is now looped back. With the loopback active, the port on your router comes up and the script at the bottom of the page sends a message to you indicating that power is restored. When the power goes down, the UPS will keep the router up, but the relay will drop out and thus the loopback will fail. The router’s script will see the change in port status and send you an email saying the port is down.
This script was written by a clever guy named Manuel, and I’ve adapted it to work in other situations.
# Check the ether5 link status and send a notification only when it changes.
# "ether5-laststate" is global, so it persists between scheduled runs.
:global "ether5-state"
:global "ether5-laststate"
# Read the current link status of the port the loopback cable is plugged into.
/interface ethernet monitor ether5 once do={:set "ether5-state" $status}
# On the very first run laststate is empty, so one message is always sent.
:if ($"ether5-state" != $"ether5-laststate") do={
/tool e-mail send from="Power <monitoring@$[/system identity get name]>" to="powerdown@gregsowell.com" subject="$[/system identity get name]: power status changed" body=("$[/system clock get date] \nInterface ether5 - link status changed to:" . $"ether5-state")
:log info ("Interface ether5 - link status changed to: " . $"ether5-state")
:set "ether5-laststate" $"ether5-state"
}
Schedule the above script to run every 15 seconds or so.
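The script above reports every change it sees, so a chattering relay or a brief blip can produce a burst of e-mails at a 15-second poll interval. The following added example (not part of the original post or Manuel’s script) re-creates the same last-state comparison in Python and adds one safeguard: a new state is only reported after it has been seen on a configurable number of consecutive polls. The poll history and the message wording are constructed for the illustration.

```python
# Added example (not from the original post): the link-state change detection
# of the RouterOS script above, plus a debounce so a relay glitch does not
# generate an alert every poll. Poll results below are constructed.


def watch_link(polls, notify, debounce=2):
    """Feed a sequence of poll results ("link-ok" / "no-link") through the
    detector. notify(state) is called once per confirmed change.
    Returns the list of states that were reported."""
    last_state = None      # like $ether5-laststate before the first run
    candidate = None       # state seen but not yet confirmed
    seen = 0               # consecutive polls agreeing with candidate
    reported = []
    for status in polls:
        if status == candidate:
            seen += 1
        else:
            candidate, seen = status, 1
        # Only a state that has held for `debounce` polls counts as a change.
        if seen >= debounce and candidate != last_state:
            last_state = candidate
            notify(candidate)
            reported.append(candidate)
    return reported


def power_events(polls, debounce=2):
    """Translate confirmed link states into the power messages the post
    describes: loopback up = mains restored, loopback down = mains lost.
    As in the original script, the first confirmed state is always reported."""
    messages = []

    def notify(state):
        messages.append("power restored" if state == "link-ok"
                        else "power LOST, router on UPS")

    watch_link(polls, notify, debounce)
    return messages


if __name__ == "__main__":
    # Constructed 15-second poll history: stable, a one-poll glitch,
    # then a real outage and recovery.
    history = ["link-ok", "link-ok", "no-link", "link-ok", "link-ok",
               "no-link", "no-link", "no-link", "link-ok", "link-ok"]
    for message in power_events(history):
        print(message)
```

With debounce=2 the single-poll glitch is ignored and the history yields three messages; with debounce=1 (the behaviour of the original script) the same history yields five.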
If done correctly, you should be able to scrape all of this together for less than $15. If you spend $15 putting this together and it saves you a truck roll in the middle of the night, then it was well worth it!
Happy hacking my friends.