MikroTik

olivier2831

If you manage to install the devices outside, then definitely choose 60 GHz. It's a cheap solution, actually gives 900+ Mbps and it is future-proof. I agree. The key is to have: a way to route a cable from the outside to the inside (an extra flat PoE compatible Ethernet cable ?) a mean to mount the...

olivier2831

Thank you very much for your reply.

I agree SXTsq Lite2 or SXTsq Lite5 seem to fit.

olivier2831

Hello, On a remote location, I need to set a temporary point-to-point wireless link between two buildings. The use is for Internet surfing and target throughput is 100Mb/s. The buildings are quite close to each other (<100m) with clear line of sight. I currently have no path between the building roo...

olivier2831

Unfortunately LLDP-MED is rarely used, at least for small and medium telephony installation, because the hardware does not always implement it. I think the main reason is small and medium installations do not use VLANs at all, either for telephony or for other applications. Anyway, with other vendo...

olivier2831

Thank you very much for starting this thread: the topic seems very important to me.

olivier2831

Check TR069 instead, will it work for you or not.

Does TR069 support VLAN configuration (ie not just for WAN port but for bridge or interface) ?

olivier2831

When using CLI to configure RouterOS, I had trouble to script idempotent operations such as "create VLAN 10 if it doesn't exist". I don't mean it's not possible to write idempotent scripts with CLI, I only mean I had trouble doing so. One expected benefit from using Ansible is to ease idem...

olivier2831

Hello, I'm quite used now to manage Debian hosts with Ansible. I would like to also manage Mikrotik RouterOS device with Ansible. The whole picture is: - using Flashfig to initialize the platform (management IP, firmware, certs, creds, management accounts, enabling/disabling protocols, ...) - using ...

olivier2831

Hello, How do you test NAT/firewalling perf of a given NAT/firewall router (could be a Mikrotik RouterOS device or not) ? If I'm not mistaken, some NAT/firewall operations are done when a new flow is detected while other are repeated afterwards. So do you need to often create new flows (ie changing ...

olivier2831

Agree with you, i think Mikrotik wireless became good, at least for home users, now i have same or even better experience with cap ax when compared to ubiquiti u6 lite. Signal is better for sure.

Do you have figures (dB, ...) echoing this ?
Were both AP ceiling mounted ?

olivier2831

A side note: latest Unifi 7.5.185 UNA finally supports PPSK !
Having PPSK on Mikrotik would be great !

olivier2831

Yes, I think this reply to my needs.
Thanks for replying.

If the log rule is strictly focused on the IP/port range I'm after, this won't produce too much log data.
Thanks again

olivier2831

Hello, I've got the following setup: Internet ---- RouterOS ----- Linux Host ---- PC The Linux Host implement do NAT on traffic from PC. I would like to check if this NAT is properly done. My first idea was to connect on RouterOS device and use Packet Sniffer but, if I'm not mistaken, on 6.48.5, it ...

olivier2831

Smart TVs perfectly show how difficult it can be to securely connect guest devices on a Wifi network. Some (most ?) smart TVs do no embed any browser so no portal. To my knowledge, none supports EAP. So basically, it only leaves three options: WPA Personal with a shared password, PPSK with device de...

olivier2831

Maybe trading RB5009's 5 Gigabit ports to 2 2.5Gb/s would cover such needs without involving too much dev effort.

olivier2831

The same as above but aid differently: There are hundred of devices types that can by powered by PoE, but by far, the most common ones are either IP phones, IP cams or WiFi APs. - To my knowledge, IP phones are still and only Gigabit devices. - For IP cams, maybe 2.5Gb/s will break trough given vide...

olivier2831

I am wondering if there are no other reasons such as power supply circuitry placement on the PCB (as close as possible to PoE circuitry and as far as possible from WiFi antennas) to avoid interference for instance... Maybe a large enough hole in the left mounting ear (as the power input plug is on ...

olivier2831

It is here: CRS310-8G+2S+IN

At last !

olivier2831

hEX PoE may fit.
I use them to remotely power AP and cameras

olivier2831

In the light of common practices in networking, it seems to me that jumping from 1G/s to to 10Gb/s is a too long jump as it introduces thermal or compatibility issues we didn't have to deal with in the past. Maybe going from 1Gb/s to 2.5Gb/s would be a smarter move allowing bandwidth increase withou...

olivier2831

Hello,

Is it possible to set several LLDP-MED policies on RouterOS 6.X or 7.Y device ?
I would like to set lldp-med-net-policy-vlan to 5 on interface-list LAN1 and lldp-med-net-policy-vlan to 10 on interface-list LAN2.
(of course LAN1 and LAN2 have no interface in common).
Is it possible ?

Regards

olivier2831

Thanks for including the image: it's much easier now to follow this thread. With a single DIN Rail accessory, you can position a whole device family on this uncovered market. To be complete, industrial switches sure have unique capabilities (temperature range, ...) but current r5009 also has its str...

olivier2831

On the above attachment, the U shaped thing at the right of the drawing is a DIN rail profile.

olivier2831

What I have in mind is something that can compete with :
https://www.fs.com/products/138513.html

Those devices can be wall mounted or DIN rail mounted without any rack and very easy to swap.
r5009-like devices are even more compact than those.

r5009 DIN.pdf

olivier2831

Hello, Current R5009 or L009 are very compact and silent rack-mountable devices. It could very interesting in hospitality or industry to have switches of the same form factor but with rail bracket allowing them to be vertically (or horizontally) side-by-sied, mounted on a wall through a DIN rail. In...

olivier2831

Yesterday, I discovered Freeradius 3.2 recently introduced a DPSK module (ie myPSK, PPSK, iPSK, ...). This new module comes with a warning from its devs saying this module may suffer from scaling issues as it needs brute force iteration to process messages. I wonder if a single SSID can both have re...

olivier2831

That was it: turning Hardware Offload to Off on one port forced my IP Firewall Filter rules to be run !

Thank you all very much for you help !

olivier2831

My setup is: PC1 ---- Switch1---- mAP ---- PC3 | PC2 --------- My test is ping PC3 from PC2 while PC1 is for configuring mAP. mAP's interface to PC3 is ether2 and mAP ether1 is connected is upstream Switch1. During my tests, PC2 could positively ping PC3. I was waiting this to fail due to my firewal...

olivier2831

I couldn't succeed yet, using a 6.49.6 powered mAP.

During my first testing, I wrote a couple of rules in IP/Firewall/Filter rules. Is it the correct tool to implement my rules ?
While searching, I also found potentially relevant forms in Bridge/Filters and Switch/Rules but I didn't use any of them.

olivier2831

Reading this not so old thread, have OP met success with RFC8910 since asking here ?
What about Win10 and Win11 clients ?

olivier2831

So I can leave both Ethernet interfaces (the LAN-facing and the printer-facing ones) belonging to the same single bridge ?

olivier2831

Hello, On a remote site, I've got the following setup (details omitted): Cloud server ---<Internet> ------ Router ----- <LAN> ---- Printer The printer receives printing jobs from a Cloud server over the Internet. This cloud server has a fixed public IP address. The router is provided by an ISP. It c...

olivier2831

Does RouterOS support the use of USB Ethernet adapters? If so, are there any caveats I should be aware of? This one should be officially supported (I never used it), at least on Mikrotik device with a USB A port. https://mikrotik.com/product/woobm An Ethernet alternative would be welcomed by sysadm...

olivier2831

I always use the small LC connectors,
...

Thank you very much for this very informative reply.

olivier2831

If you can pull cat6e (or cat7) UTP cables, then you could pull FO cables as well. I thought FO is harder to deploy than copper as: you can't easily pull a FO along its connector end within small conduits (20mm diameter or so) FO required minimum bend radius you can't pull the FO cable with the sam...

olivier2831

I was looking for alternative to S+RJ10 because that runs as hot as fusion reactor. IMHO, having on the market, a 30$/€ SFP or SFP+ module supporting 1Gb/s or 2.5Gb/s would be very interesting if it can avoid such heat issues. If my memory serves me right, reducing speed from 10Gb/s to 2.5 Gb/s is ...

olivier2831

Some PoE Injectors accept Ethernet and DC power source (from 9V and up) and deliver some kind of PoE (passive 24V PoE, 48V PoE).
One such reference is TP-DCDC-1224.

I use one of these to power both a Raspberry and a WiFi AP using a single PowerBank.

olivier2831

No AC. Ax please.

Some Gigabit PoE-powered devices (hex PoE) can provide several (1,2 or 4) Gigabit PoE source ports.
I've never seen such devices with 2.5Gb/s input.
This could be very convenient if you don't want to sacrify thoughput/speed when using a single cable for two devices.

olivier2831

MT support told me that all their 10G SFP+ modules will work if forced in 2,5G mode. With exception of S+RJ10 as that requires 10G internal link. About heat, i would assume it is same as in RB5009, and that one has dedicated 10G SFP+ port. So as L009 comes in the same case cooling should not be iss...

olivier2831

- L009 series - the perfect RB2011 upgrade;

One interesting thing is that L009 has a 2.5Gb/s capable SFP slot (not an SFP+).
What kind of SFP modules can take advantage of it ?
What about heat with such 2.5 Gb/s SFP modules ?

olivier2831

In principle, non-PoE NICs don't like 48V thrown at them (that kind of voltage can cause permanent damage to NICs). Therefore PoE power sourcing device (PSE) has to make sure that the other end is ready to accept the power. Not all PoE PSEs do the job correctly (and not all non-PoE devices react to...

olivier2831

Hello, My setup is: PoE Switch1 ----- PoE Switch2 ---- PoE Switch 3 where: Switch1 is a grid powered DLink DGS-1210-10P Switch 2 is an Hex PoE powered on ether1 by switch1 (with routerOS 6.48.6) Switch 3 is either: Switch 3A: a grid powered TP Link SG2428P Switch 3B: a grid powered Ubiquiti Edgeswit...

olivier2831

The simplest, cheapest option is to upgrade the USB-C port on the "lite" so that it will not only accept PD at a variety of voltage levels, it will act as a wired network interface. This will let you plug it into any USB-C laptop, with the router pulling power from it in exchange for prov...

olivier2831

I understood however for ISP purposes it might be better this way.

For curiosity's sake, why ?

olivier2831

My only beef with the size of the unit is that it's very large (228mm) for only a 2x2 MIMO. Unifi fit 4x4 MIMO into a smaller footprint (197mm). If "long range" is intended then the direct comparison would be the Unifi U6 LR which is 220mm across but it's 4x4 MIMO. So yes, I think this is...

olivier2831

I can also confirm that after moving to ROS 7.8 from latest 6.X version SIP was broken. Once I updated the UDP timeout to 20 seconds, from the 10 seconds, and killed the existing connections in the IP->Firewall->Connections tab, then SIP started working again. No need to enable the SIP Helper, just...

olivier2831

Works!

What do you mean by that ? hEX to Cyberpower or hEX to APC ?

olivier2831

After reading Flashfig feature, maybe I should spit the config process in two steps: 1. apply common configuration "on bare metal" with Flashfig/Netinstall (updating firmware, creating system users, changing IP services ports, defining some firewall address list, uploading SSH keys) 2. app...

olivier2831

Hello, How would you configure 50 hAP units spread over a building ? Which tools would you select ? Each unit should simply offer Internet access to WiFi users. Each unit a PoE uplink to a PoE switch. Each unit serves a personal SSID (users from room A connect to Room A's SSID , ...) without any roa...

olivier2831

2.4Ghz Wi-Fi only.

Datasheet touts an increase in speed of up to 90% within 2.4GHz.
How is that possible ? Using 40 MHz channels ? Which part of WiFi6 enables this ?

An other question: what is a "dual-chain antenna"

olivier2831

A public IP can help for LetsEncrypt cert generation and renewal though opening port 80 to the Internet is scaring.

olivier2831

During latest CES, I read one vendor unveiled two WiFi7 devices: one device with a single "10G PoE++" port, the other with two "10G PoE++" ! I never heard of so-called 10G PoE++ (10 Gb/s and PoE++ over copper, I suppose) nor bonding two of them while 2.5Gb/s with is still hard to...

olivier2831

A U6-lite vs U6-enterprise with the some output levels and the same series radio but 2x2 vs 4x4 and I'm able to get 100Mbps on the U6-Enterprise where I can't get the U6-lite to stay connected. On a side note, U6-Enterprise has one 2.5GbE RJ45 port (PoE in). A Mikrotik switch with 2.5 Gb/s and PoE ...

olivier2831

Disclaimer: I've worked as senior radio engineer for a major MNO for 15+ years. I was responsible for optimization of network coverage and performance of UMTS and LTE networks, so I believe I know sonething about antennae, MIMO, etc. Vast majority of simple WiFi devices (such as SOHO APs) have omni...

olivier2831

Who needs whole preceding post to be quoted to be answered? Use "Post Reply"

So I should still look for a wall mount accessory, allowing horizontal mount on a wall.

olivier2831

I eagerly await some 4x4 designs. I have almost 100 U6-lites out there right now, but I've even replaced some with the U6-Pro and U6-Enterprise, the difference between 2x2 and 4x4 in a busy environment is unbelievable. I often met the case where I couldn't cover four rooms in a building in 5GHz ban...

olivier2831

Please confirm if this will work at 2.5GbE speeds.

If my memory serves me right, selecting 2.5 Gb/s over 10 Gb/s was not so easy to set, due to autoneg issues.

olivier2831

Unfortunately, I can't use powerline nor coax on this location.
I ordered an OpenWRT-powered tri-radio router,(65 Euro without VAT) without detachable antenna, hoping its range would meet my requirements.
Audience would have been perfect except for its price.

olivier2831

Lay a network cable, the best solution

Yes, I fully agree

)
Still, I'm looking for a second best wireless solution.

olivier2831

Hello, I've got a remote location in which wired (Ubiquiti) AP supporting both 2.4 and 5 GHz bands are installed. I a couple of spots where I can't easily extend current cabling but have weak Wifi signal issues. I'm looking for Mikrotik device that will work as a repeater/extender/whatever, connecti...

olivier2831

I think you can search for CGNAT or deterministic NAT threads, within this list

olivier2831

Nice. This makes CSS610-8P one of rare MT devices (if not the only one) that actually do perform voltage (down)conversion internally. Which makes mentioning it in product page and user manuals even more important. CRS328-24P also provide "on demand 24 or 48V". I second datasheet could be ...

olivier2831

Have the very same PoE options with my CRS328-24P which I know for sure does passive. Very inclined to believe the CSS610-8P does as well.

Thank you all for you valuable inputs.
I hope I'll test a CSS610-8P soon.

olivier2831

Product page specifies power input as AC or 48-57 V DC . So where is the 24V for PoE out supposed to come in? CRS328-24P also has an integrated power supply. With it, you can select 24V or 48V PoE out on each interface. CRS328-24P datasheet is not explicit about this specific capability. If Mikroti...

olivier2831

Hello,

Do you know if a CSS610-8P-2S+IN can power 24V passive PoE devices ?
Datasheet does not specify this.

Best regards

olivier2831

My linux servers are configured to perform actual reboot if shutdown sequence was due to UPS battery depletion so if mains returns during shutdown sequence, they simply reboot. Can you elaborate as I'm thinking about how I should properly protect some Linux NUC servers. The main point is from previ...

olivier2831

I see no need to have customized sort keys, when people want fancy sorting they can do that themselves. But what I want is some sorting so that the output is always the same for the same configuration (i.e. addresses in a list, addresses on interfaces, etc) no matter how that configuration was cons...

olivier2831

I use this: https://sourceforge.net/projects/winmerge/ to visualy compare .rsc files Coincidence, I was about to open a new thread on a very similar topic. Lately I needed to compare two configs and spot differences using Meld (winmerge-like tool). Current and default export behaviour, IMHO, should...

olivier2831

RB5009 does not get the PoE power from the Netgear GSM4210P switch. The switch is PoE+ capable and supports all necessary standards (802.3at, 802.3af, passive POE, and compatible 802.3at). Different devices work perfectly, including Unifi APs and Raspberry PI. I also tried different Mikrotik device...

olivier2831

Hi, any Chance of having a smaller netpower with PoE af/at out in the near future? Netpower with 16 ports for an attic, barn or garage is a bit much. Maybe a Netpower with 8 Ports? I was also looking for such product to connect and power WiFi APs, up to 8 APs/per floor or so. For such use, having 2...

olivier2831

What kind of SFP/SFP+ module are you expecting, then ? Some GPON or similar ones ? Ethernet ones ? Others ? Actually it would be nice if MT could consider implementing EPON support directly in the products. Symmetric 10G/10G-EPON would look like the best choice for the future at this point. No spec...

olivier2831

Good afternoon. Do you know what's missing from this great product? SFP or SFP+ port! Many ISPs run optical cable in apartment buildings.

What kind of SFP/SFP+ module are you expecting, then ? Some GPON or similar ones ? Ethernet ones ? Others ?

olivier2831

No, the changelog just says that specifically in 7.3 there was a bug, which was fixed. 7.2.1 still works ok

OK thanks

olivier2831

Looking at 7.4-beta4, I read:

*) ssh - fixed host key generation (introduced in v7.3);

It seems to me that what I'm looking for requires 7.3 (or 7.4 beta4), right ?

olivier2831

Hello, I'd like to connect from a RouterOS device to a remote Linux host without entering any password. I've read [1] and tried the command bellow without success. Before entering this command from RouterOS 6.48.5 terminal, I uploaded on my RouterOS device, both id_rsa and id_rsa.pub files from my o...

olivier2831

Does anyone know of any Linux applications that allow you to do this?

nfdump itself allows for some filtering and aggregation.
I've not used those features, yet but would be very curious bto read about this.

olivier2831

For start, start just with: Daily backup on text format, not binary on any point, and full configuration, included ssh keys, certificates, user-manager and dude database. Some instruments to compare backup among various days for see the changes. Some instrument for push configuration (like change N...

olivier2831

I think issue today is the export/import isn't symmetrical, backup/restore is monolithic+binary, . What's missing is idempotent configuration file. And that's the first step to being able to monitor/apply a configuration in "controller software".

+1

olivier2831

Using Netflow/IPFix feature on Mikrotik devices, you can send 5 mins long reports to a configured data collector.
These reports can include NAT log data.
If your data collector is a Linux box, some Netflow/IPFix data collecting apps exist, nfdump being the one I tested.

olivier2831

Does any 2.5Gb/s Ethernet interface support HSGMII or vice versa or both ? In other words, beside 2.5Gb/s speed, what does an Ethernet interface need to support to fully implement HSGMII ? Nope, it has to be 2.5g+HSGMII compatible. A lot of 2.5g interfaces are not HSGMII compatible. @Florian: Thank...

olivier2831

Does any 2.5Gb/s Ethernet interface support HSGMII or vice versa or both ?
In other words, beside 2.5Gb/s speed, what does an Ethernet interface need to support to fully implement HSGMII ?

olivier2831

The mind boggles with all the potentional uses for the CRS504

Do Mikrotik QSFP28 modules exist ?

olivier2831

Hello, I've trying to set a NAT logging system up to comply with local regulation (copyright infringement and so on) in a RouterOS 6.48 environment. I'm completely new to NetFlow/IPFIX world. I intend (but I'm not 100% sure yet) to save NAT translation details and leave out outbound flows destinatio...

olivier2831

An unusual thing I can spot in your setup is that the gateway parameters of the routes towards the reference addresses are set to interface names rather than to IP addresses of the gateway devices; this is a possible setting but the gateway device must act as an ARP proxy, responding with its own M...

olivier2831

Thank you both for replying.
Now I think I understand why "proper" NTP is not installed by default.
Thanks again !

olivier2831

Hello, I'm preparing a couple of RouterOS CCR1009 with 6.49 that should be used as the main router to the Internet for 100 or 200 users. I always thought I would these routers as the single time source for all LAN devices (switches, AP, a Linux server, ...). To my surprise, it seems the only include...

olivier2831

These seem like minor things, but they are limiting where I can use the PowerBox and hEX PoE. For curiosity's sake, what do you use the PowerBox and hEX PoE, for ? For powering WiFi AP? IP phones ? As in WiFi AP, Nbase-T is a growing requirement, maybe, a PowerBox-like device with a small port coun...

olivier2831

https://www.servethehome.com/mikrotik-c ... pcie-card/

olivier2831

putting it into a Linux/BSD box instead of a 10G NIC or putting it into a server used for virtualization (Proxmox or just Debian).

How would a Linux host + CCR2004 card combo compare to a single server host with Open vSwitch ?

olivier2831

- option to have external power so it can run even when server is off (possibility for failsafe or doing ring networking that doesn't go down with server) Having a PoE-IN Gigabit port, instead of non-PoE one, would be awesome. It might even solve some booting issues and bring dual power sources (on...

olivier2831

Hello,

I've just discovered this new CCR2004-1G-2XS-PCIe.

Given its unusual form factor, which use case do you foresee for it ?
In which kind of host machine would you plus it in ?

Best regards

olivier2831

A quick google search:
viewtopic.php?t=116253

PS I have not tested it.

Thanks for replying.

I haven't tested the above linked solution, yet but it seems to fit.

olivier2831

I think this could be relevant
viewtopic.php?t=179294

olivier2831

Unless $GUESTIF is bridge1 , you assign connection-marks properly, but you do not translate connection-marks to routing-marks properly. That's why I was asking you to watch counters of all rules, not just the mark-connnection/per-connection-classifier ones. Yes, your are right: the rule that transl...

olivier2831

I should have written I ran latest tests with 6.49.2 box, not with 6.48.6 anymore.

olivier2831

What does /ip route print detail show? And what does /ip route rule export show? Also, disable the fasttrack rule, fasttracking bypasses mangle. What does /ip route print detail show? And what does /ip route rule export show? Also, disable the fasttrack rule, fasttracking bypasses mangle. [foo@Mikr...

olivier2831

I've just opened my very first ticket (SUP-74425) on this.

olivier2831

Does the order with which routes are entered matter ?
If positive, can you change it with WebFig ? In my testing, I couldn't move routes as I could move firewall routes.

olivier2831

The issue is as long as the hashing algo remains unknown as Sindy said, it's not easy to check if PCC is working at all ! Testing failover is easy, testing load balance is not, IMHO. /ip firewall mangle print stats will show you immediately whether the rules do something or not. Do you see any erro...

olivier2831

Hello,

I'm currently developing a script that starts with:
:global IP1 25.74.135.17
:global CIDR1 255.255.255.248
:global NET1 25.74.135.16
:global LEN1 29

As you may see, all four values could be computed from a single 25.74.135.17/29 value.
How can this done, efficiently on 6.4X ?

Best regards

olivier2831

It's easier to test with dst-address, you won't have to reconfigure anything, just select different target address for e.g. ping. To make sure it doesn't work because of some mistake elsewhere, enable logging for these PCC rules (log=yes log-prefix="PCC1"), and you'll see what they do, in...

olivier2831

May I add that classifier (src-address, both-addresses, ...) can be changed through Winbox64.
It works with CLI and Winbox.
It doesn't with WebFig.

olivier2831

Hello, I'm discovering PCC on CCR1009 with 6.48.6. At the moment, I'm focusing on src-address classifier as it look like the simplest classifier to check. My setup is: Webserver ------ WAN1 router ------ CCR1009 ------- My PC |----------------WAN2 router -------------| CCR1009 config includes: 7 ;;;...

olivier2831

Hello, Supposing whatever is shown with CLI is the Source Of Truth, on a CCR1009 powered with 6.48.6, I'm seeing the following issue. I can set a PCC rule to use src-address as with: set [ find comment=PCC1 ] per-connection-classifier=src-address:2/0 I can also set this rule to use both-addresses in...

olivier2831

resurecting. Setting negotiation rates still doesn't work on these. I'm wanting to use this to copper feed a netpower 16 on the roof in a router-on-a-stick kind of setup. I don't know if I'm going to get a reliable 10G error free and I got these specific modules thinking I would be able to set 2.5G...

olivier2831

Hello, I'm writing a script with which I want to set HTTPS service up. This script is copied to my 6.48 CCR1009 box through an scp command and then executed throuh a RouterOS /import. Everything seems to working fine except for the last two statements. These statements are: /certificate sign myrootc...

olivier2831

The rules in your mean, that traffic to the IP-address ranges 10.111.0.0/24 and 10.112.0.0/24 that enters the Router of the LAN-Interface will be accepted, so the following mangle rules did not affect the traffic (first match). If you do not use such rules it the PCC rules could route your traffic....

olivier2831

Hello, Looking at [1], there are the following rules : / ip firewall mangle add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=LAN add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=LAN Those are explained with With policy routing it is possible to force...

olivier2831

For the rb750gr3, if you're not using "the dude," is there any good use for an sd card? What else could it be used for, and is it worth it/useful?

For curiosity's sake, if you're using "the dude", what else these cards could be used for ?

olivier2831

It should work, just don't forget to enable it on RB:
Code: Select all
/ip ssh set forwarding-enabled=local

It works !
If I'm not mistaken, too bad WebFig doesn't show this option, but at least, forwarding-enabled can also be set to both.
Thanks !

olivier2831

I'm sorry if my questions seem obvious for many (most ?) but: Until MikroTik decides to properly document the feature (and give it a UI probably), Have anyone a pointer on this command within or outside (blogs, ...) Mikrotik documentation ? What are requirements to test this function in a lab ? Havi...

olivier2831

Most of the residential ISP's have a drop rule for port 22 so... .

What do you mean by that ?
The CPE the IPSs provide, forbids incoming connections from the Internet to port 22 ?

olivier2831

Hello, I was thinking about restricting WebFig to localhost and then access WebFig through SSH for the sake of having one less service open the world. I was thinking of using something like "ssh -f -N foo@1.2.3.4 -LXXX:127.0.0.1:80" but my attempts failed. How can you do that, from a Linux...

olivier2831

Hello, 1. Where can I read anything (example, doc, ...) regarding /system script parameters and options ? It is missing from [1], if I'm not mistaken. 2. Is there a reliable way to create a script from an existing file (either fetching or copying from disk or with HTTP) ? [1] https://help.mikrotik.c...

olivier2831

you can not put "reset" inside (re)config file
must be doed separately, waith the reboot, then apply the (new) config

Life is hard, anyway

)

olivier2831

I often get errors because I'm trying to add something that already exists. How can I solve this ? Is there anything like "delete ifexists" like in SQL scripts ? Any of the above approaches above can work to re-write an exported config, pick you poison. All have pro/cons: the issue with &...

olivier2831

Hello, I'm discovering RouterOS scripting. I often get errors because I'm trying to add something that already exists. For instance, if I run twice a script that includes the following lines, it would fail the second time. /interface vlan add interface=bridge1 name=vlan2 vlan-id=2 How can I solve th...

olivier2831

I don't this is even possible. While I never used it myself, from what I know Dot1x uses MAC address to authenticate clients. This means that your MT sees traffic from all clients connected to a port under a MAC of the dumb switch. The moment a single client behind that switch passes authentication...

olivier2831

One good thing for me is that it is super easy and quick to lookup and identify what customer is being referenced when I now get one of those copyright notices where some customer downloaded a copyrighted movie. These notices provide two pieces of information ( Live-IP-Address and the Port-Number )...

olivier2831

Be aware that only 63 concurrent DNS requests are possible, still. You might also want to aggressively time down your UDP timers in connection tracking, when using such a low amount of ports per user. Can you elaborate, both above points, please ? In the first one, are you implying DNS requests pas...

olivier2831

Limiting the ports per user does not mean there will be a hard limit of connections=ports. Mikrotik does port-overloading. This means it can re-use the same port for another destination.

But still, original and re-used ports are always binded to the very same private IP, right ?

olivier2831

Then make your life easy and forget about certificates and https. It's not that they are too difficult, but it is some extra work, and I don't see how they can add anything for your use case. Allow only ssh, and if someone wants WebFig, they can use ssh port forwarding to access it. Since ssh alrea...

olivier2831

Well - I think I finally got my NAT444 working I don't know if it's the appropriate place to ask, but what happens if a customer consumes too much TCP or UDP ports ? 1. Is this something that is logged ? 2. From end user perspective, does it trigger some 5XX HTTP error code ? 3. What are the networ...

olivier2831

I'm about to remotely deploy 30 RouterOS 6.4X devices. Some are Internet-facing while some are not. I would like to manage them with WebFig and HTTPS, if possible, along with SSH. Only a couple of Linux PCs (from sysadmin team) will ever need to access WebFig. May I add, that I'm not familiar with P...

olivier2831

I'm quite sure that there's no technical need, but most customers don't know and simply see: "Delta offers 8Gbit", "OpenFiber offers 1Gbit". Someone selling 10G/s shared among 100 users may even get more success than an other one sharing 1G/s among 5 ! That's the reason why I wo...

olivier2831

Hopeful MikroTik have 6E in their roadmap because its revolutionary .... Why revolutionary? The Great 6 GHz Invasion – Here Come the Wi-Fi 6E Clients! Key Takeaway But with all due respect to some of the Wi-Fi 6E naysayers, “you just don’t get it.” Wi-Fi 6E is not just another ho-hum technology upg...

olivier2831

We are hoping / wondering if a hAP AC2 successor is on the roadmap, with at least: - WiFi 6 support - nBase-T / 2.5G / 5G RJ45 port(s) It's not that the technology is currently unavailable or too expensive, brands like TP-Link offer WiFi 6 capable routers for < €40. Preferable in a semi robust tiny...

olivier2831

I'm not sure if Web-Fig is a web server or as a separate service, It could be a simple Web-Fig enable/disable functionality. I don't mine the port 80 if they cant use it to log in. +1 IMHO, the simplest solution would be to dedicate a port to cert renewal and WebFig out of it. I think LetsEncrypt m...

olivier2831

Resurrecting this old thread, I think having a Mikrotik device supporting OLT functions would make sense in hospitality (hotels, ...). Currently among others, Zyxel or Ubiquiti address these markets with GPON OLT/ONT devices. In a single hotel, you can easily have 100 ONT integrating Ethernet or/and...

olivier2831

I plugged my r5009 to an old DLink DES-1210-08P (Fast Ethernet only): no powering on. I left it connected while working on other things during at least 15 minutes, and I saw it powered on ! Looking at DHCP logs, if necessary, I think I can have an exact measure of elapsed time between cord plug and ...

olivier2831

Hello, In my lab I've got: a 7.0.5 powered r5009, a 6.48.6-powered hex PoE a 6.48.6-powered RB2011 and an old DLink DGS-1210-10P switch in my lab. When I plug an Ethernet patch cord between this DLink switch and the hex PoE, this later one powers up. When I plug it into the r5009, it remains powered...

olivier2831

Is anyone else seeing something similar, specifically with respect to SFP+ 10GbE transceivers? I am planning to introduce another 10GbE computer on one of the other SFP+ ports when its 10GbE NIC arrives and am weary about how the switch will behave. 10GbE over copper seems to come with a lot of hea...

olivier2831

This is just a small poll to see how people are configuring their RouterOS. I mostly configure RouterOS device using WebFig and I'm not satisfied doing so, as you may guess, when using a GUI, it is very easy to forget to configure something (ie changing SSH port, ...). I tried to configure using te...

olivier2831

I was absolutely blown away by my early testing of caps man. When I started applying the flexibility of routerOS to caps-man, I was really excited by all the things I could do with it. SSIDs that could shut down if a gateway was unreachable. Per device passwords. ACLs. Near instant feed back of eve...

olivier2831

... finally "nice to have" enhancements. My guess is that this one falls into the latter category.

Agreed

olivier2831

I agree. In order not to view al the open ports just in one place, would be very useful. I am opening ports now that I might change in the future, it would be useful to havd them all listed together. I don't think I currently need to reuse a Port List several times in the same config but I would su...

olivier2831

Is it possible that the seller/shop has installed some sort of branding on these devices? The vendors have the option to hide it from you, if they preconfigure the devices in some way I don't think the seller/shop ever customized these devices as: 1. I bought them from several different sources 2. ...

olivier2831

Hello,

On various 6.4X Mikrotik boxes, WebFig's left menu (the one with CAPSMAN, Wireless, Interfaces, ...IP, System, ...) is sometimes missing.

Where does it come from ?
What can I can do to have it back ?

Best regards

olivier2831

Hello, I'm trying to connect to a 6.48.6 powered CCR1009 through a serial/USB cable. I'm trying to connect through a: - a Linux-enabled laptop (some variant of Ubuntu) - a serial to USB cable - and CuteCom app. As I'm not familiar at all with serial/console connection, it's quite possible that I wou...

olivier2831

Question 2: SSH as being immune to timing issues ? I never had a Problem with Mikrotik and timing. Even when the Device think it`s still 1970 =) Question 3: Suggest using some other tools (Wireguard, OVPN, ...)? In the context of a Productive and/or Business Environment , i think it is "Best P...

olivier2831

- that all values within Rx Stats (Rx Unicast, Rx Broadcast, Rx Pause, ...) show 0 while Tx Stats values are non-zero

May I add that looking at the CCR2004 port to which this Netpower 16P is connected to, I see normal stats with non-zero values in both Rx and Tx Stats.

olivier2831

Hello, On a remote location I'm reading stats provided by a 6.48.4-powered NetPower 16P. This box has 2 SFP+ slots. One is populated with a Mikrotik RJ+10 module. Looking at this populated slot, I see: - that all values within Rx Stats (Rx Unicast, Rx Broadcast, Rx Pause, ...) show 0 while Tx Stats ...

olivier2831

What version are you running now? Because on v7.1 stable the problem still exists ..

Wasn't MLAG dedicated to a few Mkt devices (CRS3XX, if I'm not mistaken) ?

olivier2831

Hello, I'm thinking about using SSH or HTTPS (with self-signed cert) to remotely manage RouterOS devices. As it involves certificate, I always viewed HTTPS as being time sensitive in the sense that if, for any reason, a device has a bogus time and date, HTTPS cannot be used anymore. To my knowledge,...

olivier2831

You need to find what uses the port, there are not so many things on router that can do it. If it's not something in IP->Services, it could be VPN server (SSTP, OpenVPN), possibly few other things I don't remember just now. I'd try to export config and look for "443" in there. I exported ...

olivier2831

Hi, On a RB2011, I'm trying to enable www-ssl with my self-signed cert. I followed these steps [1]. It does work when setting ssl port to many value but 443, as if this 443 was already used for something else. Using webfig, after changing port value to 443 and clicking over Apply button, an "in...

olivier2831

What is the use case? Autonegotiation is mandatory in the standards for 1000BASE-T and 10GBASE-T (includes the lesser 2.5GBASE-T & 5GBASE-T rates). Over copper, 10Gb/s can generate a lot of heat. Forcing 2.5 or 5Gb/s may reduce this heat and give increased speed over 1Gb/s. I back this request ...

olivier2831

Not sure if all thunderbolt 10Gbps adapters are equally good. Found https://www.servethehome.com/usb-3-1-gen1-to-5gbe-network-adapter-guide/ for 5Gb/s adapters but no such comparison for 10Gb/s networking. Also found https://www.qnap.com/en/product/qna-t310g1s with Linux support, it seems. I would ...

olivier2831

However you could configure 2 access methods on the same AP (with a different SSID) and have most devices connected with username/password and reserve the other one for the few devices that cannot do it. Can you specify a VLAN in which each device with an individual PSK would be allocated into ? Th...

olivier2831

The more I use Mikrotik wireless... The more I love Ruckus.

Which Ruckus AP do you prefer within 100-150 Euros price range ?

olivier2831

I would disable "Auto-Negotiation" and play with the Speeds on the Mikrotik. My 2 cents: Lately, I had unsuccessful experiences trying to (remotely) control the speed/rate between 2 Mikrotik devices connected through an SFP+ 10Gb/s module over a 25m Cat6A copper wire. One of the two boxes...

olivier2831

Hello,

For compliance reasons, I need to log ARP entries from a 6.48-powered CCR1009.
I need entries such as :

<timestamp> <MAC> <private IP>

How can I do that ?
If necessary I've got a local Debian host I can push entries or files to.

Best regards

olivier2831

Hello, For compliance reasons, I need to log NAT translations occurring on a 6.48-powered CCR1009. I need to log entries such as: <timestamp> <proto> <private_src_ip> <private_src_port> <public_src_ip> <public_src_port> If necessary, I've got a Debian host close to the CCR1009 where I can push log e...

olivier2831

I m testing with this, but it has some problems with streams plataforms like netflix and microsoftstream.

Can you describe those problems ?

olivier2831

Looking at the picture you can make short ears and connectors by beaking off/out the parts. If you do that the long ears are destroyed.

I didn't notice this : thank you very much for pointing this !
This solves my first question !

Thanks again

olivier2831

Hello, I've just got a new RB5009 and its rackmount kit. 1. The rackmount kit I bought has K-79 reference on purchase order or billing documents. On its packaging RME5009 is printed. The kit content seems appropriate to mount a single or two RB5009 in a 19'' rack as it includes 2 long ears, 16 screw...

olivier2831

When I either ping 10.119.0.1 from ether3 or ether7, I've got no answer.

For an unknown reason, my config started to work, so I'm sorry for the noise.

Anyway, may I re-iterate that for reference, IMHO, adding details on the way addresses are set, should help.

olivier2831

Hi everyone, after days of reading how-tos (e.g. https://forum.mikrotik.com/viewtopic.php?t=143620 and many others) and struggling with the configuration I head to you and ask for help. Attached you can find a diagram of the network I want to achieve and an rsc file with the configuration my latest...

olivier2831

Google, FB and all the other are going to REMOVE LOGIN FROM INTERNAL WEBVIEW.
If this "notification" will not be "focused" nobody will ever be able to login using OAuth2 in a few months

Can you elaborate a bit ?
Any pointer to Google or FB intents on the matter ?

olivier2831

Hello, I need to deploy a new router on a remote site. This router must NAT and load balance traffic from for 3 internal LAN to two WAN uplinks (from the same ISP). Each uplink has 500 or 600 Mb/s download capacity. I've just got a brand new RB5009UG+S+IN (with 7.0.5 installed). I'm hesitant to use ...

olivier2831

Hello, After reading it several times, I still have some question on [1]. / ip firewall mangle add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=LAN add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=LAN With policy routing it is possible to force all t...

olivier2831

I want to power a cAP ac from another cAP ac with the included 24v power supply, but I noticed that its listed maximum power output on the second port is 500mA. A cAP ac takes up to 13w, which equates to 540mA with 24 volts. Is this power requirement close enough, or is it too risky? Note that the ...

olivier2831

Hello, Some times ago I configured a CRS328 that used 3 DSL lines to connect to the Internet. I followed [1] to edit the different rules. Months later, I changed my config when this CRS328 became connected to the Internet through a single FTTH line. Doing so, I mostly disabled existing rules. Now, t...

olivier2831

And I wonder if there is a reason that CRS328 were taken out of the assortment?

CRS328 is unavailable in France, these days.

olivier2831

Hi I have the following configuration: R1: CCR1072-1G-8S+ on 6.41 with SPF+ port 4 using the following SM Single Strand fibre SFP+ module S+23LC10D. At the other end of this link, across about 2.5km we have the following: R2: CCR1009-7G-1C-1S+ on 6.42.7 with SFP+ port using the following SM Single ...

olivier2831

We have seen CRS, RB4011 and RB5009 devices having auto neg issues with fibre and copper 1G SFP modules running in 10G SFP+ ports. Auto neg status never completes, depending on the device at the other end resulting link is reported as none, 100MB or 1GB and is prone to flaps. Connections to media c...

olivier2831

Hello, Doc [1] says: auto-negotiation (yes | no; Default: yes) When enabled, the interface "advertises" its maximum capabilities to achieve the best connection possible. Note1: Auto-negotiation should not be disabled on one end only, otherwise Ethernet Interfaces may not work properly. Not...

olivier2831

I was thinking about the following process:

- On central CCR2004,
check all Advertise boxes but 10G box
uncheck Auto-negociation
click OK or Apply

- On leaf (overheating) Netpower 16P
check all Advertise boxes but 10G box
uncheck Auto-negociation
click OK or Apply

Thoughts ?

olivier2831

Hello, On a remote site, I've got a central CCR2004 connected to two Netpower16P. All 3 devices includes S+RJ10 modules. On one Netpower 16P, I've just discovered an "auto disabled due to overheating" message. 1. What does "disabled" mean in this context as I needed the disabled/...

olivier2831

Thanks for replying !

olivier2831

Hello, In nftables or iptables language, what could be the equivalent of Mikrotik's connection-mark=no-mark ? Semantic: "if an un- marked packet is received in interface ISP_1, then add mark it with 17 mark" /ip firewall mangle MT implementation addchain=input connection-mark=no-mark in-in...

olivier2831

How do you exactly cover a building for inventory tracking ?
Do you deploy several Knot devices or do reuse some existing radio infra (WiFi AP with BLE capability) ?
What is the "radio range" of a TG-BT5-IN in a casual situation, with concrete walls, glass doors, ... ?

olivier2831

Hello, In 6.48.4 (or other versions), the Interfaces/Interface view shows columns such as: Actual MTU L2 MTU Tx Rx Tx Packets ... I would appreciate to read in this view things like PVID, PoE Priority or PoE out Current. Is it possible to add these columns or remove some existing ones ? Am I the one...

olivier2831

Hello,

When will MTP250-53V47-OD (power supply for Netpower 16P) be available in western Europe countries ?

Best regards

olivier2831

I love those 16P switches, I run 4 Core power cable up to it. Use 48V and 24V Meanwell redundancy modules so I have power from 2 different sources. One trough battery bank and one from mains. I wish it was able to put more power trough it on 48V as I can't power 16 devices on 48V with the draw we n...

olivier2831

My goal is to setup a hotel wireless network where guests can roam across any AP in the building but remain in their dedicated room assigned VLAN. I've got a very similar target with the following differences: - I'm planning to use a Freeradius server - I'm planning to use different APs. I've not s...

olivier2831

hello, I've got (quite urgent) need for help on setting up a CCRXXXX (currently a CCR2004 vith RouterOS 6.48.4) to act as a router between: - a DHCP-configured Ethernet uplink to the Internet with 1.2.3.4 address - a couple of trunk Ethernet interfaces to 3 other LAN switchs - on LAN switches, are c...

olivier2831

Hello, Reading about how to add a Letsencrypt certificate, I observed most used a DNS challenge. As all Mikrotik boxes are shipped with a pre-configured VPN that defines a specific 123456789abcd.sn.mynetname.net-like hostname, would it make sense if this hostname could be used to get an almost out-o...

olivier2831

viewtopic.php?t=169350

olivier2831

Is broken or on transport the internal patch form psu1 to board is off, try to open the case and reconnect the cable. Is not the first time than happen to us... After years those devices are still on without problem. Yes, that was exactly that: an internal plug not fully inserted ! Thank very much ...

olivier2831

Hello, I'm about to deploy my very first CCR2004-1G-12S+2XS in a remote location. Its mission is to NAT-route traffic to Internet for about 100 simultaneous LAN users (segregated into 3 VLANs). I don't plan to upgrade this box OS without any good reason (repeated failures, major vulnerability, ...)....

olivier2831

Hello,

I'm preparing a new CCR2004-1G-12S+2XS i received a couple of days.
It has 2 power supply plugs.
When plugging a power cord in Power1, nothing seems to happen.
When plugging the same cord in Power2, box is starting (lights turning, ...).

Is it a defect or nominal ?

Best regards

olivier2831

NetFlow is the answer here. It will export ("log") all the connection tracking statistics for you. Use NetFlow v9 as it provides a richer set of information, including full NAT details for each connection. Which NATing device did you use with NetFlow ? A Mikrotik device ? If positive, whi...

olivier2831

8P-2S+ would make sense in some ring-like scenarios. 4P-1S+ would just be ridiculous. I think a four 2.5Gb/s PoE ports with a single SFP+ uplink would also make sense but I only one device to select, I would pick the 8 ports one. 2.5Gb/s is also interesting in WiFi as WiFi bandwidth now theorically...

olivier2831

Yes, a router version of the CSS610 would be helpful. That and the lack of PoE is why it dropped off my list of options for the core switch pretty early on. However, the CSS610 would fit into the "leaf" role from my " holes at the low end of the CSR line " thread. (I'm posting m...

olivier2831

"wall warts" may fail, but anyone can replace them and the failure is easy to diagnose. When an internal power supply fails, it often means people will throw the whole device. Replacement PSU is often non-existent and even if it existed, not everyone will be able to open the device and re...

olivier2831

Syslog to log NAT/CGN-Nat translations I hope somebody knows to the answer to the question I am asking. Can I and how do I , log ( syslog and/or syslog to a remote syslog server ) all NAT translations ? Like many ISPs and WISPs , we get copyright notices which state somebody at an IP address downlo...

olivier2831

My ideal pick would be a 2 (or 4 ports) 2.5Gb ports with RB4011 processing power.
You can build one using SBCs like Hardkernel's H2+ but that is a very path ...

Thanks for all input

olivier2831

Hello, I'm looking for a Mikrotik device with: - equipped two 2.5 Gb/s Ethernet (either native or through a SFP+ slot) - able to route a 1 or 2 Gb/s flow applying NAT or firewall rules. I've looked at several product but: - RB4011 is fine but only host a single SFP+ slot, - hEX PoE has no SFP+ slot ...

olivier2831

*) poe - do not perform PoE firmware upgrade procedure on RB960 and OmniTik devices without PoE out;
Can you elaborate a bit ?
simpy do not try to upgrade poe firmware on device can not have poe...

That makes sense !
Thanks for this clarification !

olivier2831

*) poe - do not perform PoE firmware upgrade procedure on RB960 and OmniTik devices without PoE out; Can you elaborate a bit ? Could it be related to this? https://forum.mikrotik.com/viewtopic.php?f=21&t=169553&p=831920#p831920 Yes, it seems to match. Thanks for replying ! How could I rephr...

olivier2831

*) poe - do not perform PoE firmware upgrade procedure on RB960 and OmniTik devices without PoE out;

Can you elaborate a bit ?

olivier2831

Hello, I'm looking for a mean to prevent some people to unplug PoE powered devices (WiFi access points, cameras, ...) to connect rogue devices (laptop, ...) when physical access can't be denied (corridors, common rooms, ...). These PoE powered devices do not support 802.1X. I was thinking of monitor...

olivier2831

Hello, For PoE supplying devices (CRS328-24P, ...), you have: - a general view showing stats (Rx/Tx, MTU, Packets, ..) from all interfaces - a detailed view showing the same stats and more, specifically PoE power, voltage and current. 1. Is it possible to read somewhere the sum of all PoE powers ? 2...

olivier2831

+1, this is not an optional thing, it is required in most enterprise environements. Need LLDP-MED, even if it's just an installable package.

I felt LLDP features (without WebFig support) were introduced with 6.48.1 or so.
I don't know if it covered LLDP-MED (nor I didn't test it yet).

olivier2831

The original poster said that he has two CRS125 routers and two passive POE injectors running on 24 volts. My original and followup suggestions was to run both the routers and the POE injectors off the same 24 volt battery plant. How do you ideally split current between 4 devices (2xCRS, 2xPoE inje...

olivier2831

1) Hex with a SFP+ and 5 1Gb ports,

+1 or alternatively, CSS610-8P-2S+ which was announced in MUM 2019 Europe

mAP or mAP Lite with 5GHz radio

A 4-ports device with Ethernet bypass

olivier2831

Yes, that would be a very useful feature.

olivier2831

I powered a cAP AC with a PoE injector, then connected a Mitel handset to the POE-out port of the cAP AC and it worked fine. I wasn't necessarily expecting the phone to power up as the cAP AC spec says it's passive PoE out. How did you exactly power your cAP AC device ? Using a 48V power supply con...

olivier2831

Reading back mAP datasheet, I would appreciate if someone could confirm the following setup would work or not:

LAN <--- non-PoE ethernet or wifi ---> mAP with 48V power supply <--- 802.af ethernet ---> IP phone

Search found 308 matches