Statistics: Posted by mantouboji — Tue Apr 02, 2024 3:20 pm
Statistics: Posted by 3eff — Tue Apr 02, 2024 3:17 pm
Statistics: Posted by mkx — Tue Apr 02, 2024 3:17 pm
Statistics: Posted by infabo — Tue Apr 02, 2024 3:11 pm
I think he's talking about the multicast helper which is in the Wireless (and CAPSMAN) system which does multicast to unicast conversion at the radio interface. It's needed to make things like mDNS and DHCP more reliable and also allow for use of VLANs with wireless clients. I am surprised it doesn't exist in WifiWave2.
Search for it in https://help.mikrotik.com/docs/display/ ... +Interface
So yeah, FTOMs what's the go with multicast to unicast conversion in WifiWave2? Does it exist in some other form?
Statistics: Posted by mman1982 — Tue Apr 02, 2024 3:06 pm
Statistics: Posted by infabo — Tue Apr 02, 2024 3:02 pm
Statistics: Posted by pellerb — Tue Apr 02, 2024 2:55 pm
Statistics: Posted by anav — Tue Apr 02, 2024 2:42 pm
Are you sure your (R/M)STP works properly? Maybe you should check bridge port status for this port and check which bridge is indicated as root bridge. If root bridge is not detected properly there might be a need to tune STP priority for bridges...
I have an RB5009 where I've started noticing it randomly stop talking to devices on one of the ports. It takes a reboot to fix it. No amount of port-bouncing or bridge tinkering works. I suspect it's seeing occasional route loops or some other packet it doesn't like and it silently shuts down the port. It usually happens if I've been messing physically with a device directly connected or downstream of the failing port. Noticed it on 7.11.2, still happens (very rarely) on 7.13.5.
Statistics: Posted by sirbryan — Tue Apr 02, 2024 2:42 pm
Statistics: Posted by ygrecki — Tue Apr 02, 2024 2:42 pm
Except they did just this with VRFs and firewall rules. Existing firewall configs are now broken that reference L3 input interfaces attached to a VRF.
Mikrotik has "general rule" about not touching existing configs, except during major upgrades where a config update is necessary. Usually, changing connection tracking settings falls under that "not a major upgrade" category.
Statistics: Posted by sirbryan — Tue Apr 02, 2024 2:37 pm
Statistics: Posted by vovan700i — Tue Apr 02, 2024 2:32 pm
# apr/02/2024 10:53:30 by RouterOS 7.9.1
# software id =
#
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13299 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.10.100.1-10.10.100.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=192.168.216.135 endpoint-port=\
    13299 interface=wireguard1 public-key=\
    "sdfdsfsdfsd"
add allowed-address=0.0.0.0/0 endpoint-address=192.168.216.138 endpoint-port=\
    13299 interface=wireguard1 public-key=\
    "sdfdsfsdfsd="
add allowed-address=0.0.0.0/0 endpoint-address=192.168.216.136 endpoint-port=\
    13299 interface=wireguard1 public-key=\
    "sdfdsfsdfsd="
/ip address
add address=10.10.100.254/24 interface=bridge1 network=10.10.100.0
add address=172.16.0.100/24 interface=wireguard1 network=172.16.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.10.100.0/24 gateway=10.10.100.254
/ip firewall filter
add action=accept chain=input disabled=yes dst-port=13299 protocol=udp \
    src-port=""
/ip route
add comment="Connection to xy" disabled=no distance=1 dst-address=\
    10.20.100.0/24 gateway=wireguard1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="connection to zy" disabled=no distance=1 dst-address=\
    10.30.100.0/24 gateway=wireguard1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no dst-address=10.40.100.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
/system identity
set name="MT SPINE WG"
/system note
set show-at-login=no
# apr/02/2024 10:53:44 by RouterOS 7.9.1
# software id =
#
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13299 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.20.100.1-10.20.100.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=192.168.216.137 endpoint-port=\
    13299 interface=wireguard1 public-key=\
    "papapapaapa"
/ip address
add address=10.20.100.254/24 interface=bridge1 network=10.20.100.0
add address=172.16.0.200/24 interface=wireguard1 network=172.16.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.20.100.0/24 gateway=10.20.100.254
/ip firewall filter
add action=accept chain=input dst-port=13299 protocol=tcp
/ip route
add disabled=no distance=1 dst-address=10.10.100.0/24 gateway=wireguard1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/system identity
set name="MT Leaf1 WG"
/system note
set show-at-login=no
# apr/02/2024 10:53:56 by RouterOS 7.9.1
# software id =
#
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13299 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=10.30.100.1-10.30.100.253
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=10.10.100.254 endpoint-port=\
    13299 interface=wireguard1 public-key=\
    "bkakakakakaa"
/ip address
add address=10.30.100.254/24 interface=bridge1 network=10.30.100.0
add address=172.16.0.110/24 interface=wireguard1 network=172.16.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.30.100.0/24 gateway=10.30.100.254
/ip firewall filter
add action=accept chain=input dst-port=13299 protocol=udp
/ip route
add disabled=no dst-address=10.10.100.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
/system identity
set name="MT Leaf2 WG"
/system note
set show-at-login=no
Statistics: Posted by korg — Tue Apr 02, 2024 2:05 pm
Statistics: Posted by StupidProgrammer — Tue Apr 02, 2024 2:00 pm
Statistics: Posted by igorr29 — Tue Apr 02, 2024 1:56 pm
Statistics: Posted by quackyo — Tue Apr 02, 2024 1:48 pm
:foreach i in=[/interface/wireguard/peers/find where disabled=no endpoint-address~"[a-z]\$"] do={
    :local LastHandshake [/interface/wireguard/peers/get $i last-handshake]
    :if (([:tostr $LastHandshake] = "") or ($LastHandshake > [:totime "5m"])) do={
        :log info "WG-iface-restart script found WG peers with last handshake greater than 5 minutes; then reset the endpoint-address to reload dns of endpoint"
        /interface/wireguard/peers/set $i endpoint-address=[/interface/wireguard/peers/get $i endpoint-address]
        :local endpoint [/interface/wireguard/peers/get $i endpoint-address]
        :log info "WG-iface-restart script found WG peer with last handshake greater than 5 minutes; then reset the endpoint-address to reload dns of endpoint: $endpoint"
    }
}
Statistics: Posted by Josephny — Tue Apr 02, 2024 1:37 pm
Statistics: Posted by rpingar — Tue Apr 02, 2024 1:24 pm
Most important is the stuff in bold. If that is wrong or missing, stuff does not work.
script,info serial=75B70647AAAA MikroTik: .id=*5;activity=;blocked=false;bytes-down=0;bytes-up=0;disabled=false;dynamic=true;inactive=false;ip-address=192.168.10.241;limited=false;mac-address=D8:9E:CC:CC:CC:10;name=;rate-down=0;rate-up=0;script=kids;user=
Statistics: Posted by Jotne — Tue Apr 02, 2024 1:18 pm
Statistics: Posted by nz_monkey — Tue Apr 02, 2024 1:16 pm
Statistics: Posted by lodex — Tue Apr 02, 2024 12:55 pm
Statistics: Posted by nmt1900 — Tue Apr 02, 2024 12:52 pm
Statistics: Posted by godel0914 — Tue Apr 02, 2024 12:29 pm
Mikrotik has "general rule" about not touching existing configs, except during major upgrades where a config update is necessary. Usually, changing connection tracking settings falls under that "not a major upgrade" category.
Well, among other things I just found and fixed the UDP timeout (which is amazing, Mikrotik changing it for new setups but not changing it for existing installations where the user has not changed the default value - talk about breaking systems) which fixed SOME of the issues (RDP it seems).
Now I just read about some MTU trickery broken that "we are not going to fix because we plan to fix it in 7.15" which may well be it.
Given those I am really out of ideas. This is a setup that has been working flawlessly the last years, now I get significant issues down to PING not working over this one router to all machines (which change randomly after hours).
Statistics: Posted by Archous — Tue Apr 02, 2024 12:26 pm
Statistics: Posted by saktie — Tue Apr 02, 2024 12:10 pm
Indeed! As far as I compared, compressed sizes of NPK (main package, wifi-qcom-ac) are nearly comparable to 7.13.x again. Looks promising! Thanks Mikrotik for taking all issue reports on the space-topic seriously!
*) system - general work on optimizing the size of RouterOS packages;
Statistics: Posted by infabo — Tue Apr 02, 2024 12:08 pm
Statistics: Posted by kniksc — Tue Apr 02, 2024 12:08 pm
Statistics: Posted by godel0914 — Tue Apr 02, 2024 11:54 am
Statistics: Posted by EdPa — Tue Apr 02, 2024 11:46 am
Statistics: Posted by nz_monkey — Tue Apr 02, 2024 11:41 am
/ip dhcp-server lease add address=SOME_IP_HERE mac-address=SOME_MAC_HERE server=main
Statistics: Posted by kekraiser — Tue Apr 02, 2024 11:36 am
Statistics: Posted by normis — Tue Apr 02, 2024 11:22 am
Statistics: Posted by mkx — Tue Apr 02, 2024 11:20 am
Statistics: Posted by Shambler — Tue Apr 02, 2024 11:17 am
Statistics: Posted by kekraiser — Tue Apr 02, 2024 11:14 am
Statistics: Posted by mkx — Tue Apr 02, 2024 10:40 am
/interface/bridge/host/print where vid=<vlan id>
/interface/ethernet/switch/host/print where vlan-id=<vlan id>
Statistics: Posted by mkx — Tue Apr 02, 2024 10:35 am
Statistics: Posted by normis — Tue Apr 02, 2024 10:32 am
Statistics: Posted by andressis2k — Tue Apr 02, 2024 10:18 am
Statistics: Posted by BlackVS — Tue Apr 02, 2024 10:00 am
I am trying to look at the "Log" tool (for each AP), but there is nothing interesting, and no attempts at device connection. Is there any other wireless log present?
include the wireless logs when the device attempts connection
Statistics: Posted by kekraiser — Tue Apr 02, 2024 10:00 am
Statistics: Posted by patrikg — Tue Apr 02, 2024 9:55 am
Statistics: Posted by godel0914 — Tue Apr 02, 2024 9:50 am
Statistics: Posted by An5teifo — Tue Apr 02, 2024 9:42 am
Statistics: Posted by saktie — Tue Apr 02, 2024 9:38 am
Statistics: Posted by tangent — Tue Apr 02, 2024 9:37 am
That isn't a question..
Question 2. Fan connector in the front of fan... it is weird
Statistics: Posted by BlackVS — Tue Apr 02, 2024 9:33 am
Statistics: Posted by An5teifo — Tue Apr 02, 2024 9:33 am
Statistics: Posted by normis — Tue Apr 02, 2024 9:31 am
Statistics: Posted by mkx — Tue Apr 02, 2024 9:24 am
Statistics: Posted by mkx — Tue Apr 02, 2024 9:17 am
Statistics: Posted by An5teifo — Tue Apr 02, 2024 9:14 am
Statistics: Posted by normis — Tue Apr 02, 2024 9:14 am
Statistics: Posted by kekraiser — Tue Apr 02, 2024 9:11 am
:global MtmTools;:set ($MtmTools->"hashing") $s;
/system/script/environment/print
Statistics: Posted by merlinthemagic7 — Tue Apr 02, 2024 9:07 am
Statistics: Posted by mkx — Tue Apr 02, 2024 9:06 am
As I already wrote, you CANNOT connect a RB941 to a new AP using station-pseudobridge. That means you CANNOT put the WiFi in the bridge.
Thank you. When I changed mode on RB941 from B/G to B/G/N it connected to WiFi. Then I had a problem because RB941 didn't want to get IP from DHCP. Then it got IP but I didn't get IP on my laptop that was connected to RB941 even though I connected to ether port that was in the same bridge as WiFi.
You would need to buy at least a hAP ax2.
Maybe the solution is to buy some new HAPs?
Statistics: Posted by tookiehr — Tue Apr 02, 2024 8:49 am
Statistics: Posted by Amm0 — Tue Apr 02, 2024 8:47 am
Statistics: Posted by jacklandan — Tue Apr 02, 2024 8:29 am
/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
/ip firewall {
  filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
  filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
  filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
  filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
  filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
  filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
  filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
  filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
}
/ipv6 firewall {
  address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
  address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
  address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
  address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
  address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
  address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
  address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
  address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
  address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
  filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
  filter add chain=input action=accept protocol=udp dst-port=33434-33534 comment="defconf: accept UDP traceroute"
  filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
  filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
  filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
  filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
  filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
  filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
  filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
  filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
  filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
  filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
  filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
  filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
  filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
  filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
  filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
  filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
}
/interface list
add name=VLAN
/interface list member
add interface=VLAN10 list=VLAN
add interface=VLAN11 list=VLAN
/ip firewall filter
add action=drop chain=forward comment="block vlan to lan" in-interface-list=VLAN out-interface-list=LAN
/ipv6 firewall filter
add action=drop chain=forward comment="block vlan to lan" in-interface-list=VLAN out-interface-list=LAN
Statistics: Posted by CGGXANNX — Tue Apr 02, 2024 8:05 am
Statistics: Posted by nzlme — Tue Apr 02, 2024 6:53 am
Statistics: Posted by godel0914 — Tue Apr 02, 2024 6:14 am
Yes, the only issue puzzles me would be how come when I added WAN IP : 61.219.84.105 (interface sfp3) into address list,
Is everything else working... and the ONLY issue why QuickSet is showing wrong LAN?
/interface bridge set [find name=BridgeLAN] comment=defconf
/interface list member set [find list=LAN interface=BridgeLAN] comment=defconf
/ip address set [find address=192.168.88.1/24] comment=defconf
Statistics: Posted by Amm0 — Tue Apr 02, 2024 5:30 am
Statistics: Posted by CGGXANNX — Tue Apr 02, 2024 4:58 am
Statistics: Posted by godel0914 — Tue Apr 02, 2024 4:46 am
Statistics: Posted by anav — Tue Apr 02, 2024 4:43 am
Done, thanks for the guidance.
(1) Added back NAS on port 443 to the config.
Thanks again for finding out the unnecessary setting, it's inactive and removed.
add bridge=BridgeLAN ingress-filtering=no interface=LAN internal-path-cost=10 \
    path-cost=10
There is no such interface!! Removed.
There is an interface-list called LAN, but no interface! What goes under bridge ports are typically etherports and wifiports.
Thanks, I will check around.
(3) The Routing is set up such that sfp1 is the primary WAN. Thus we need not do anything special for:
a. all users, will thus always be routed out WAN1
b. Servers on LAN accessed via WAN1 will have traffic returned out WAN1 ( no mangling required )
c. Servers on LAN accessed via WAN2 will have traffic returned out WAN2.
Statistics: Posted by godel0914 — Tue Apr 02, 2024 4:33 am
Statistics: Posted by petardo — Tue Apr 02, 2024 4:08 am
Statistics: Posted by mantouboji — Tue Apr 02, 2024 3:57 am
Statistics: Posted by aruto77 — Tue Apr 02, 2024 3:44 am
Statistics: Posted by eypi39 — Tue Apr 02, 2024 3:41 am
Statistics: Posted by rudym88 — Tue Apr 02, 2024 2:21 am
Statistics: Posted by anav — Tue Apr 02, 2024 2:00 am
Statistics: Posted by msatter — Tue Apr 02, 2024 1:49 am
Statistics: Posted by gotsprings — Tue Apr 02, 2024 1:48 am