MikroTik

theprojectgroup

A few others have exactly the same issues: https://www.reddit.com/r/mikrotik/comme ... boot_loop/

Mate I have exactly the same problem after attempted upgrade 7.11.2

theprojectgroup

I tried various machines (even an old windows xp), switches in between, etc.
Can anyone test with a "working" chateau 5g if it boots netinstall at all?

theprojectgroup

I have the same issue and the linked tips won't work for me. Did you ever fix this unit? In my case I can see with wireshark: - bootp request from chateau 5g and reply from my machine (client ip is assigned) - tftp transfer for file vmlinux: CleanShot 2023-08-31 at 21.51.07@2x.png - tftp transfer co...

theprojectgroup

Switched to UniFi APs - Just works.

theprojectgroup

PeterXC

interface/detect-internet/print
    detect-interface-list: none
       lan-interface-list: none
       wan-interface-list: none
  internet-interface-list: none
  
   installed-version: 7.9rc2

theprojectgroup

You might get much better overall performance figures if running iperf3 with multiple parallel streams ("-P 8" or something). Your absolutely right and I often see higher rates when using parallel streams. But in my environment. With a single stream I can saturate my 300Mbit WAN line but ...

theprojectgroup

No, it was: name="ch-5ghz-march" frequency=5180,5260,5500 width=20/40/80mhz skip-dfs-channels=all I just tested with fully auto. Does it mean to leave everything empty? Seems to work but TCP is still very slow! Other none AX devices like 802.11ac don't show this behaviour... name="ch-...

theprojectgroup

+1. Please, still unsupported in 2023?

theprojectgroup

*) wifiwave2 - fixed issue which lead to VLAN-tagged wireless clients receiving tagged traffic from other VLANs;
viewtopic.php?t=194781
Could this explain the issues with a Windows VM running on a Wireless client?

theprojectgroup

v7.8 [stable] is released: https://forum.mikrotik.com/viewtopic.php?t=193986 - Update: - still the same issue - ~100Mbits/sec TCP download on client / 780 Mbits/sec upload - UDP is fine v7.9beta [testing] is released: https://forum.mikrotik.com/viewtopic.php?t=194781 - Update: - still the same issue...

theprojectgroup

Interesting, thanks!

theprojectgroup

Makes sense, thanks a lot.

theprojectgroup

The whole thing is (almost) never due to bugs in switches/bridges, so it's not clear why are we still discussing it in this forum? Maybe because people run into that issue, google it up, find this topic, and don't read my post #4 :D Hey Sindy. I hear you and thanks for the hint with drivers strippi...

theprojectgroup

Had the same issue and was suspecting my MikroTik as the culprit but I was very wrong. I found a few background infos about this topic: https://forum.mikrotik.com/viewtopic.php?p=988242#p988242 Basically It's default behaviour by Windows drivers which comply WHQL: https://docs.microsoft.com/en-us/wi...

theprojectgroup

viewtopic.php?p=988242#p988242

Is your client a Windows machine connect untagged to a port which also has tagged VLANs on it?
It looks like Windows just strips off the vlan tags and then gets the RAs which are in VLAN tagged packets.

theprojectgroup

I'm still seeing this issue in various deployments. Searching the net shows lots of people have similar issues only related to IPv6 RAs and it looks like only WindowscClients are affected... It looks like Windows just strips off the vlan tags and then gets the RAs which are in VLAN tagged packets. -...

theprojectgroup

Thanks a lot for the great work and building the container image!

I just wrote a little HowTo set this up: viewtopic.php?t=194185&hilit=mdns+repeater+container

Now I'm able to share Airprint and Airplay with my guest vlan / wlan.

theprojectgroup

I didn't find a howto on the forum so I wanted to share something back. Apple Airplay or Airprint clients use multicast DNS to discover speakers & printers on the network. mDNS uses the IP address 224.0.0.251, which is "administratively scoped" and does not leave the subnet. "mdns...

theprojectgroup

Nice manners, please.

theprojectgroup

you could set both interfaces (one for 2,4 and one for 5ghz) to the same ssid name.

theprojectgroup

Does this looks like a bridging + TCP + ether1 2.5GbE issue?
UDP works fine.

What is your range during tests?

60-100 cm

theprojectgroup

Oh yes - I am also interested.

theprojectgroup

@normis

Is there any overview available of possible frequencies?
https://help.mikrotik.com/docs/display/ ... properties

Can you please share your wireless and bridge settings?

theprojectgroup

yep, already did both!

theprojectgroup

I have similar issues described here and I don't think it's a platform issue. See my iperf3 results. It looks like it's an issue of bridging the 2.5GbE port (ether1) with wifi1 and TCP. https://forum.mikrotik.com/viewtopic.php?p=984769#p984769 - iperf3 TCP download via bridge & 2.5GbE is really ...

theprojectgroup

Does this looks like a bridging + TCP + ether1 2.5GbE issue? UDP works fine. Still had a chance to access an AX Windows machine but it looks like it's not a platform issue. Macbook Air M2 < wifi1 < bridge 1 < ether1 (2.5GbE) < Intel NUC8 with Thunderbolt 10 GbE TCP - iperf3 Up - Good iperf3 -c 192.1...

theprojectgroup

The issue doesn't exist when doing NAT, only when WLAN < Bridge > ethernert > server.

theprojectgroup

Will Try other Windows AX devices but I don't see why this is mac related.

If the traffic is bridged = bad
If the traffic is NATed = good
So this seems a bridging issue, right?

The AX Macbook Air M2 and MacBook Pro M1Max work great with UniFi AX APs btw.

theprojectgroup

Still the same issue on latest RC.

theprojectgroup

No, it's not.

I am very sorry, but it is.
hAP ax2 & 3 have major stability and performance issues since their release for at least a few people.

But I am very glad you seem to be not affected .

theprojectgroup

hAP ax3 wifi is very slow and unstable (but it's also on stable ROS):
viewtopic.php?p=980696&hilit=hap+ax3#p980696
Looks like it's bridge related. When routing and natting, throughput is stable in both directions.

theprojectgroup

Same here with hAP ax3. Client MacBook Air M2 (AX) iperf3 sending > WiFi1 (5G) + ether1 in one bridge > ether1 > nuc8 350-750 Mbit/s (quiet unstable...) Client MacBook Air M2 (AX) iperf3 receiving < WiFi1 (5G) + ether1 in one bridge < ether1 < nuc8 70-120 Mbit/s (quiet unstable...) Client MacBook Ai...

theprojectgroup

@jacobp posted here: https://forum.mikrotik.com/viewtopic.php?t=191635#p973040 The 7.7rc2 release has fixed my issue with the hAP ax2 radios. With the countries field now populated, the wifi radios start up and devices associate just fine. Thanks to the Mikrotik team for getting that taken care of! ...

theprojectgroup

... connect to AC3 with LAN cable via Winbox without sucess.

I don't think it's related. The hAP ax2 is accessible via LAN. It just stops broadcasting BSSID beacons and you can't connect anymore...

theprojectgroup

Same here. WiFi drops every night, only reboot helps. /interface/wifiwave2/export # dec/10/2022 23:40:36 by RouterOS 7.6 # software id = JAMW-UMX1 # # model = C52iG-5HaxD2HaxD /interface wifiwave2 set [ find default-name=wifi2 ] configuration.mode=ap .ssid=MyWiFi2G /interface wifiwave2 channel add f...

theprojectgroup

Can you please post your wifi config of hap ax2?
Thanks.

theprojectgroup

Hi, I noticed my snmp monitoring (LibreNMS) is missing wireless metrics like client count, etc. since I replaced a hAP ac2 with a hAP ax2 running routerOS 7.7beta4 and wifiwave2 package. hAP ac2 7.7beta4 CleanShot 2022-11-16 at 07.42.01@2x.png hAP ax 2 7.7beta4 CleanShot 2022-11-16 at 07.43.21@2x.pn...

theprojectgroup

Stupid question but how to proper earth these soho devices like hap ac, hap ac2?
Experiencing same issues here at home. The issue started when no one was at home during holidays and I got saw multiple random link downs in my monitoring.

theprojectgroup

Thank you all very much for explaining!

theprojectgroup

There is a manual https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-PortSwitching maybe it could put some light on the problem: Switch chips with a VLAN table support (QCA8337, Atheros8327 , Atheros8316, Atheros8227 and Atheros7240) can override the port isolation c...

theprojectgroup

Config Export /interface bridge add admin-mac=AA:BB:CC:DD:EE:C8 auto-mac=no comment=defconf name=bridge \ protocol-mode=stp /interface ethernet set [ find default-name=ether1 ] comment="connected to M-net FritzBox" name=\ ether1-wan speed=100Mbps set [ find default-name=ether2 ] comment=\ ...

theprojectgroup

No,
I am on current ROS 7 and I answered here because the topic perfectly matches my issue.

theprojectgroup

Hm. How is it possible that this is going over WiFi?
IIRC WLAN tags aren't sent over WiFi, right? But my Win-VM running on the mac (connected via WiFI) inside Parallels Hypervisor receives RAs so there must be some leak...

theprojectgroup

The still persists, even when I disable the particular VLANs on the switch:

CleanShot 2022-08-06 at 22.29.06@2x.png

CleanShot 2022-08-06 at 22.51.28@2x.png

CleanShot 2022-08-06 at 22.33.47@2x.png

theprojectgroup

I have exactly the same issue. I have a MT at my home office with: hAP AC2: - bridge (is default vlan1) without vlan filtering enabled - vlans configured on switch chip On my macbook connected via WLAN i have a windows VM running which gets IPv6 addresses from a few, sometimes all vlan interfaces wi...

theprojectgroup

Just got IPv6 on Chateau 5G with german Vodafone over 5G working…
Clients on bridge get IPv6: viewtopic.php?t=183382

theprojectgroup

Ahm... yes - what?
Just right after my post I checked the IP on my MacBook and I have IPv6.
IPv6/ND is set to bridge interface (ether1..5 and wlan interfaces).
Currently using Vodafone over 5G, will check with Telekom soon.

CleanShot 2022-05-05 at 22.36.22@2x.png

theprojectgroup

@Emil, can you confirm this is not supported?
Not sure if I remember correctly, but I had IPv6 LTE working with wAPr...

theprojectgroup

Hi, not sure if this even possible because I guess the user passwords are stored only as hashes, right? I'm wondering what the " show-sensitve " switch does in /user export in RouterOS 7.x I see no difference in the output of /user export with and without the parameter. Thank you in advanc...

theprojectgroup

Removing "Add Default Route" also worked for me with pppoe and german ISP M-net. Would it be more convenient if we could have these settings in the pppoe-client? Example: Add Default Route: IPv4: yes IPv6: yes < if this is set to yes, then untick for any DHCPv6-Client running on this inter...

theprojectgroup

How solved? I can`t see any hint;o). I have the similar problem too. Please describe your issue. It works fine for me: CleanShot 2021-12-29 at 21.00.37@2x.png CleanShot 2021-12-29 at 21.01.38@2x.png CleanShot 2021-12-29 at 21.02.26@2x.png Messages: CleanShot 2021-12-29 at 21.03.00@2x.png

theprojectgroup

I just found this and will walk through, could be helpful.

Multiple Road Warrior L2TP/IPsec clients behind NAT - solved:
viewtopic.php?t=132823

What I don't under stand yet: I only have one L2TP client which kills my wireguard clients...

theprojectgroup

Hey Forum I worked on this issue for hours and finally find the solution and want to share it. I have three client machines here in my home lan behind a NAT / Router. Then we have CCR1016-12G Router (routerOS v7.1) in the office which terminates these road warrior clients with l2tp/ipsec and Wiregua...

theprojectgroup

Turns out it is working, same for l2tp ppp dial-in - but only right after a fresh boot.
After a few minutes all tunnel die.

theprojectgroup

無題.png I am also seeing the same problem. In my environment, restarting CCR1009 did not improve the CPU usage. Same here, I disabled ipsec and some routing filters that were migrated over, and everything is OK for now. Before that a reboot would help for a little, but then the IPSec connection woul...

theprojectgroup

Same here + L2TP IPSEC Clients can't connect. CCR1016-12G L2TP Clients connects and fails with error "server did not respond" 14:12:59 ipsec,info respond new phase 1 (Identity Protection): 212.114.xx.xx[500]<=>80.187.82.203[500] 14:12:59 ipsec received Vendor ID: RFC 3947 14:12:59 ipsec re...

theprojectgroup

Happened to me six times now - all on "hEX S" units with routerOS 7.1beta6 It works fine for a few weeks, sometimes months and then due to a reboot the routers lost the whole config (no config at all = 0.0.0.0). Restored latest .backup > reboot > coming back without config! Restored from ....

theprojectgroup

Downgraded to 6.48.3, lost configuration (it did a full reset), restored config backup, ~930Mbit/s

theprojectgroup

Hi, I just upgraded my hAP AC from 6.48.3 to 7.1beta6 (including firmware). 6.48.3 - iperf3 single stream tcp - ~70% CPU - 930 MBit/s 7.beta6 - iperf3 single stream tcp - 100%CPU - ~330 Mbit/s CleanShot 2021-07-10 at 09.05.27.png CleanShot 2021-07-10 at 09.11.34.png CleanShot 2021-07-10 at 09.12.09....

theprojectgroup

Thx for clarification :-/
So I guess we need to return the batch or Chateaus
Best Regards.

theprojectgroup

Hey Forum

we wanto to get get the stock firmware / RouterOS 7.0. (no Beta) our new Chateau LTE 12 shipped with.
We updated to v7.1 Beta5 and want to go back to "stable" 😂.

I can't find any download links.

Thx a lot and best regards.

Flo.

theprojectgroup

Hey Forum, I have an issue with out cloud core router and IPv6. We have a few road warriors dialling in via L2TPG/IPSEC VPN. This just works fine if they use our WAN IPv4 address as the target VPN server! If the VPN client (Windows 10) connects to the routers WAN IPv6 address, it doesn't work and ti...

theprojectgroup

why complicate your life? /ipv6 dhcp-server option> add code=23 name=dnstest value="'fe80::ceff:e0ff:fabc:abcd'" /ipv6 dhcp-server option> print # NAME CODE VALUE RAW-VALUE [...] 4 dnstest 23 'fe80::ceff:e0ff:fabc:abcd' fe80000000000000ceffe0fffabcabcd Since which routerOS version is this...

theprojectgroup

Python3 Script to convert the IPv6 address of your DNS to HEX format in /ipv6 dhcp-server option Install ip address module https://docs.python.org/3/library/ipaddress.html #!/usr/bin/python3 # https://docs.python.org/3/library/ipaddress.html # ^^ pip3 install ipaddress import ipaddress ip = input('...

theprojectgroup

Yours also shows all 7. 5+2
Extended Key Usage: Client and server authentication. Same on mine.

When you sign the certificate on MT, you must select the existing CA. Otherwise you just get a self signed.

theprojectgroup

ahm, if you don't have a value in issuer field the cert is not signed by the CA? ca expiration date doesn't has to match client cert date... try to re-create that all from scratch. New ca on router, new certs on router, sing them with router's ca... match cn and dns (SAN) name of the cert could be a...

theprojectgroup

My certificates: Screenshot 2020-05-12 at 14.08.04.png I guess key usage must be at least tls-client for client and tls-server for server Screenshot 2020-05-12 at 14.09.50.png|200px Screenshot 2020-05-12 at 14.09.59.png|20% Screenshot 2020-05-12 at 14.10.07.png|20% Screenshot 2020-05-12 at 14.10.19....

theprojectgroup

Too bad. In my house I have a ZFS storage and a health-checker script which plays an alert song on all MikroTik devices if a disk or pool failes - https://forum.mikrotik.com/viewtopic.php?t=23976#p288920 # Play "Ozzy Osbourne - Crazy Train" using the /beep command on MikroTik in living roo...

theprojectgroup

We are looking into the communication issues with The Dude connecting through Agent. Other issues related with The Dude "std failure" message must be caused by old version on either The Dude server or RouterOS client. theprojectgroup , please enable SSH debug logs (/system logging add top...

theprojectgroup

Version 6.46.4 also fixes the issue with public key authentication. All fine now, thanks a lot! This is not fixed. We still have issues (#[SUP-10614]) with public key authentication. The router first advertises rsa-sha2-256 and then declines it: 14:59:56 ssh,debug host key algo: rsa-sha2-256,ssh-rs...

theprojectgroup

Big issues with SSH keys since this update (coming from 6.46.1). I use Royal TSX with its "Secure Gateway" feature which is basically a great way to use SSH tunnels in this awesome remote connection manager. I get this error: "An error occurred while opening a Tunnel: A public key cor...

theprojectgroup

Same here, can't use Royal TSX Secure Gateway with ssh keys anymore:
This is fixed with 6.46.4 stable, so I guess it will be ok with next beta.

I am on 6.46.4 stable. I came from 6.46.1. now i have the issue. I am on confused.

theprojectgroup

*) ssh - added support for RSA keys with SHA256 hash (RFC8332); Ha, that was fast. Thanks! Will give it a try now. Looks like this breaks public key authentication. If I remove ssh-rsa from host key algorithms I am prompted for a password. Password login succeeds (if always-allow-password-login is ...

theprojectgroup

Hey,
yes I generate the certs on MT and export (p12) to my mac, then I use apple configurator:
- add both certificates here:

Screenshot 2020-02-26 at 16.54.23.png

vpn_home.mobileconfig 2020-02-26 16-56-33.png

Screenshot 2020-02-26 at 16.55.15.png

Screenshot 2020-02-26 at 16.55.42.png

theprojectgroup

Thx for the tip.
The sources should be fine.
Already tried 10cm cables. Didn’t work.

theprojectgroup

Same here. The products description is horrible due to it's lack of disclaimers regarding function and compatibility. - USB Power not Working (at least LTE is missing, also WiFi is unstable) - GPS only with external antenna (I'm aware that the brochure now includes this but it hasn't a long time) An...

theprojectgroup

So now way to display except torch?
Is their any ETA?
Can’t recommend rOS for IPv6 deployments right now.
Many things like vpn, modeconfig, etc. is missing completely

theprojectgroup

Uff.
Do you guys know a way to display / show the current SLAAC IPv6 address?

theprojectgroup

Is this really still an issue?
Is MikroTik still not IPv6 ready?

theprojectgroup

What do the certificates look like?

theprojectgroup

I'm on the most current 6.45.7 this is my config: /ip ipsec profile add dh-group=modp2048 dpd-interval=1h enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h name=ikev2 /ip ipsec peer add exchange-mode=ike2 name=ikev2 passive=yes profile=ikev2 send-initial-contact=no /ip ipsec proposal add auth-...

theprojectgroup

no - except of changing to the new certificate

Did you change it?
Can you show screenshots of your certs?

Screenshot 2019-11-14 at 09.23.49.png

theprojectgroup

SOLVED: Thx to Emils Z. from support. He pointed out, that in iOS13 & macOS Catalina "Apple has added SAN certificate field verification and it fails in the new version because your certificates does not have any Subject Alt". I re-created both certificates for client & server wit...

theprojectgroup

Not yet - Emil from support suggested to check the certificate to include the subject alternative names of local and remote id which didn't help (i just tried it with the client certificate)

Screenshot 2019-10-23 at 17.52.16.png

theprojectgroup

Thx for the howto run winbox64 !

Make sure to backup "/Users/your-user-name/.wine/drive_c/users/flo/Application Data/Mikrotik" to later restore it to keep your connections...

theprojectgroup

https://forums.developer.apple.com/thread/121193

theprojectgroup

Just found the RFC wich mentions the truncate issue: https://tools.ietf.org/html/rfc8221 AUTH_HMAC_SHA2_256_128 was not mentioned in [RFC7321], as no SHA2-based authentication was mentioned. AUTH_HMAC_SHA2_256_128 MUST be implemented in order to replace AUTH_HMAC_SHA1_96. Note that due to a long sta...

theprojectgroup

I found and iPhone 12.4.2, released after 13. Last update. I am having the same issue. Can anyone confirm? UPDATE: My fault it works. I had to add the "Local ID" I am confused and can’t understand what you are saying. Please let us know what works and what not and how you probably fixed it.

theprojectgroup

confirmed, changing to different hash algorithm doesn't help.

theprojectgroup

Don't want to blame anyone... The tunnel seems to establish fine but iOS thinks it's an "User Authentication" error. Regarding to apple we need to "configure the server to truncate the output of the SHA-256 hash to 128 bits" on the MikroTik, but how? Emil is already on it (opened...

theprojectgroup

Hey People, since iO13 or macOS Catalina IKEv2 VPN isn't working anymore (client certificates). While trying to connect you get this error: "User authentication failed" From the MikroTik logs everything looks fine (client gets an IP assigned). MacOS Mojave and iOS12 are still working fine....

theprojectgroup

In my case my cable ISP doesn't allow bridge mode, so i must use the crappy modem/router of them. I use the mikrotik as vpn gateway, ssh server, etc. This is why I want it to have an ipv6 address.
Currently it's only reachable via ipv4 behind nat / dst-nat for ssh, ipsec, etc.

theprojectgroup

This is real ? Still an issue!

Why not just implement a second ping command called ping6?

theprojectgroup

If all you want is a IPv6 host address without PD to populate the pool, then you need to get rid of the pool configuration. That assumes that the cable modem/router is serving as the v6 dhcp server (which it appears to be based on the client screen shot). Hey, thx for the hint. I'm wondering how to...

theprojectgroup

Hey All, I can't get an IPv6 address on my MikroTik via DHCPv6 Client. My Setup at my home office is like this: Vodafone Germany Docsis 3.1 Cable ISP < > Arris Cable Modem/Router < SWITCH > Clients on LAN, WLAN, etc. and also the MikroTik is connected (Dual Stack, IPv4 and IPv6) Acts as normal Route...

theprojectgroup

Is there a recommended way to backup and restore config including certs & keys?

theprojectgroup

Same here, disabling doesn't help.

The strange thing is, it works on iOS fine, but the windows client doesn't. Current RouterOS from today on CCR

theprojectgroup

Any progress here @mrz? You mentioned some improvements in the future.
I have the same issue here with CCR and current routerOS on Windows and macOS/iOS clients.
They only use the first subnet defined in mode-config > split-include. The other subnets for the split tunnel are ignored.

theprojectgroup

What I can see from apple configurator default lifetime is 1440 minutes (24h, 1day). Setting peer & proposal doesn't help. What I found the connection stays longer connected when setting lifetime to 60 minutes in apple configurator vpn profile and also on the Mikrotik CCR-10161-12G. I will test ...

theprojectgroup

I have the same issue with IOS and MacOS (current build): 10:04:00 ipsec processing payload: KE (not found) 10:04:00 ipsec IPsec-SA established: IP_OF_CLIENT[4500]->IP_OF_VPN_Router[4500] spi=0xa37f177 10:04:00 ipsec IPsec-SA established: IP_OF_VPN_Router[4500]->IP_OF_CLIENT[4500] spi=0xb93a775 10:0...

theprojectgroup

Hey All, I have an issue with OpenVPN as long I use it on MT routers. It takes up to 20 seconds (until the client says it's connected) to establish a connection from a Mac (tunnelblick or viscosity) or Windows client. It doesn't make a difference which MT model I use, no matter if it's a hexLite or ...

theprojectgroup

Looking good here on CCR1016-12G, tested before and after the update

Site2Site IPIP Tunnel Spain (fibre 300mbits ISP: consumer) <-----------> Germany (fibre 100mbits ISP: m-net corp) with latency:60ms

SMB2 traffic:

speed.png

Search found 102 matches