MikroTik

CTSsean

Good day, I have on location A - 192.168.0.0/24 on location B - 192.168.0.0/24 On site A, for example, I have a printer at 192.168.0.5 At site B, I have a server with an accounting system of 192.168.0.5 When I'm at location A and I want to connect to location B VPN - which has its own range - 10.10...

CTSsean

Had a request from a customer so I have been brainstorming and just wanted to get some input :) would like to know if what I'm thinking below will work for the purpose and if anyone has any thoughts on optimising. So I will be managing a router that will connect to the customer's LAN. That LAN will...

CTSsean

I have a couple of customers out in a community that is off the grid. They power their equipment through inverters and generals/solar panels. I've had two customers contact me after a storm both with equipment that burnt up. The one just had his router power supply fry. (burnt a hole right through ...

CTSsean

802.1Q Q-BRIDGE-MIB (RFC 2674) is a standard MIB for retrieving vlan information. Currently, LibreNMS and other network monitoring platforms require special agents / scripts to retrieve vlan information from RouterOS devices.

CTSsean

I'd personally love it if Mikrotik could make a centralized controller. Even if it was required to be its on VM appliance. Here are my reasons: A) when deploying capsman, only the the wifi radios are configured. The rest of the device isn't protected. B) It's difficult to have a standardized install...

CTSsean

Auto software upgrades is not recommended... on almost ANY platform.

While that's probably not killing your tiks, probably doesn't help. I'd verify that your power at the site is within expected range and is protected with either a UPS or other battery solution.

CTSsean

+1 on this... I'm not sure why this was available on CRS2x, but not CRS3x.

CTSsean

Yes it is for me for v7.10 .... And where and how are your VLANs defined ? Or is this a setup without VLANs ? That we all know works just fine. If you look at my config, it lists the vlan IDs My vlans are deployed at my router (which the CAP AX is connected at). /interface vlan add interface=LANBri...

CTSsean

No. Not without specifying the individual mac addresses. This has been tested over and over again, but not available yet.

CTSsean

Yes it is for me for v7.10 bof CAP AX ---------------------- /interface wifiwave2 # managed by CAPsMAN /interface wifiwave2 cap set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp slaves-static=yes /interface wifiwave2 datapath add bridge=bridgeLocal comment=defconf disabled=no na...

CTSsean

Plus 1 for this! WIFI multiple PSK ACL with wildcard MAC. Here Engenius description on that. Ruckus also have something similar and I think Meraki also do so... https://www.engeniustech.com/mypsk-a-network-access-solution-for-universities-multi-tenant-dwellings-and-large-corporations/ Here discussio...

CTSsean

Can the fix be posted publically? This will affect more than just 1 user.

CTSsean

Thanks @anav, luckily it was possible without getting physically to Location 1. Just learnt that Mikrotik router does not have ssh client but there were other devices to ssh further to Location 2 router.

exportTik.txt

what? All tik devices have ssh clients / servers.

CTSsean

You just make bonding only on other, client side and thats it. On AP you just put 60Ghz station interfaces in same bridge as 5Ghz interface. This wont make loopback with client side, thanks to active backup in that bonding. We are using this style of client backup for 4 months without any problems....

CTSsean

Today, I've been able to get IGMP Proxy working with Chromecast cross vlans. I'll get my documentation together and post a new thread so its easily findable. Thank you to Nate for provided the basis of this solution. I don't understand quite how it works as the IGMP Proxy doesn't show much under the...

CTSsean

Unless you are an advanced networking user or engineer, I agree. Using VLANs at home makes no sense for the added complexity and bullshit hacks required. With Mikrotik and CAPSMAN1 you can cordon off Wifi devices without using VLANs to their own bridge as long as you don't use local-forwarding for ...

CTSsean

It worked sooooooo!!!!

Ty. Keep it up

CTSsean

Reach out to MikroTik support. Give them the supout export file. This needs to be solved by them, not me.

Ok, I will reach out to Tik support and report back.

CTSsean

I did a PCAP on my end. So IPv4 (IGMP) does get queried by the proxy/MikroTik. But IPv6 (MLD) does not. And this could impact apps that explicitly rely only on IPv6 Multicast or prefer IPv6, so of course you're not going to see it working. The experts in this thread should demand for IPv6 MLD suppo...

CTSsean

tested ccast, torched vlan69 for port 1900. Saw a kids pc trying to connect to 239.255.255.250:1900

Guessing Chrome is always looking for ccast devices. Still no joy on IGMP Proxy. I'm open to suggestions. I don't mind reading some digestible information about it.

CTSsean

When I torch the vlan69, and test ccast, i do not see any traffic for port 5353. Doesn't Chromecast actually use SSDP? If so, same story, but 239.255.255.250 port 1900 is what you'd need to look at if it does use SSDP. Also, didn't study the config very carefully, maybe covered...but "ingress-...

CTSsean

Config looks fine. But possibly, I could've missed something. Run a torch/packet sniffer and perform analysis on what happens when you try Chromecast. Something, somewhere is dropping the packet. Multicast-querier should remain disabled on the bridges/HP switch. ok, is there something I can digest ...

CTSsean

Here is my config for following Nate's suggestion. Both Airplay and Chromecast still don't work. Topology R1 > LAG to 2 MLAG connected CRS3X SWITCHES > LAG to POE Switch > CAP AC I get it, I'm not skilled, experienced, smart as others that have done it all. I'm not afraid of being dumb. It allows me...

CTSsean

keep segmentation due to security reasons Just to then punch holes in those layers? And just ignoring the vendors advice (e.g. the "illusion of security") here, which be okay if you understood the underlying network protocols risks. But cut-and-paste other peoples configuration you don't ...

CTSsean

I liked this quote from Mikrotik: By the looks of it, L2 segregation for the mentioned above cases is an illusion of safety. But... Exactly. Give us a working example to get chromecast/airplay working using the IGMP Proxy and all of this noise goes away. So you want to cut-and-paste without underst...

CTSsean

why would someone need to have that? worse, why even relay such network noise? That's the existential question here. But [...] at the end it is Mikrotik's pure business decision [...] And... it sounds like this could be resolved by better docs on IGMP Proxy for those that want to go this route. An ...

CTSsean

Ever home user needs mDNS. Don't know why mikrotik keeps ignoring this. why would someone need to have that? worse, why even relay such network noise? IOT. This category of devices is now more prolific than every before. In homes, smb, and enterprises. We’re looking for tools to allow us to segrega...

CTSsean

For posters here........... Do not mind Darknate's lack of personal communication skills (probably why he has more dates with large networks than real people ;-) ) and of course the rampant narcissism. He has a lot of experience with many large networks that is invaluable to other large network use...

CTSsean

If you've gone done the road of subnetting your LAN, IGMP Proxy should not be a huge leap. And if it was, maybe you should re-think segmenting your network in the first place? VLANs + mDNS containers hacks takes like 10 minutes total for a noob. IGMP Proxy, takes 5 seconds to configure for all VLAN...

CTSsean

Use IGMP Proxy in simple VLAN segregated home networks and call it a day. iPhone in VLAN1 can talk to iPhone in VLAN2 for AirFuckKnowsWhat, no problem. Unicast DNS-SD defeats the whole purpose of multicast aka saving computing resources on L2 and L3. Doesn't work. Used your specific example, includ...

CTSsean

I've been using Tik products for a nearly a decade, and when Romon cameout, it was a dream. It was working fine for everything on v6. In v7, its hit or miss. Some devices work fine, some do not. Some people say its related to vlans, while others say thats not it. A most recent example. I have a camp...

CTSsean

aidanonym, I tried your recommendation when I check the log, I get this... /container /container add cmd=env envlist=ZTnetwork1 interface=veth1-ZT logging=yes start-on-boot=yes /container envs add key=NETWORK_ID name=ZTnetwork1 value=1234 /log/print 17:13:16 container,info,debug r=> Configuring netw...

CTSsean

Here's been my experience.... If I use a simple queue using the max limit in the simple queue itself, Cake / FQ_Codel seems to work well enough. If I use a simple queue using the limits inside the Cake type itself, during testing, after the download queue has been maxed out, when testing the upload ...

CTSsean

I'm looking to set up a routed PTMP network with failover. Eth1 and wireless would not be bridged together. In the wiki - it shows https://wiki.mikrotik.com/wiki/Manual:Interface/W60G#Point_to_Multi_Point_setup_example It shows adding both the eth1 and wlan1 interfaces to the bridge. If I don't add ...

CTSsean

The problem is there is no point separating trusted and untrusted vans when you allow the untrusted one inject an advertisement into the trusted one to get the trusted one to call into it not to mention allowing the untrusted one to see all that is advertised on the trusted one. Very helpful in its...

CTSsean

Yes, the question is, why separate the IoT, if you don't really need to separate ? Trust. The same reason is why you firewall your input chain from the world... You can't always trust that people won't do the right thing. This is the reason for a LOT of vlans. However with IoT, there are service ne...

CTSsean

Recently purchased a pair of PWR-Line APs and discovered the sync button refuses to sync two PWR-Line AP devices together. Followed the instructions, cleared all PLC settings, then used the hold for 2 seconds to start the sync process, and nothing. The two devices do not find each other and the keys...

CTSsean

I think the moral to this story is to avoid majors (6.48) and wait until the first minor (6.48.1) Moral of this story: 1. MKT was forced by sales department to release "new" (7b/6b) versions before christmas without testing 2. Never trust blindly and install anything on holiday season onl...

CTSsean

Still broken on my HAP AC2 on 7.1beta3.

CTSsean

I agree with everyone here Getting 'good' to 'great' performance with Mikrotik Wifi is a bear. Compared to say generic Comcast modem, where its instantly connects and has high throughput, I could play with Mikrotik for weeks and not get the same performance. I've been putting wifi networks together ...

CTSsean

Are there any plans to add any SIP ports to any switches or routers? The HAP ac with one would make an ideal home router with a SIP port added and remove the need for an extra box for VOIP.

SIP port? Do you mean ATA port as Mikrotik already supports SIP ALG just fine.

CTSsean

RouterOS 7 is here [removed link]! Finally!

CTSsean

We have near to 10k Mikrotik devices in our network, if every one of them needs to be updated. This is not something you do in a few hours .. or days. ... And the issue is, that it is not the first time, that Mikrotik has handled an issue this way. It is every single time. They only react, when iss...

CTSsean

To those having bad 5Ghz problems, do not choose auto. It may be that MikroTik is choosing a dFS channel and not all modern devices support DFS channels properly.

CTSsean

Same problem. not happy. Why include a USB power input if its not enough to actually power the LTE interface. It's bs.

CTSsean

My question is how did this get past QA? How did so many devices who cannot lock on to GPS without an external antenna get shipped? This is probably as paramount for a recall from Mikrotik as I've ever seen. A core feature which is advertised (STILL) on the device but doesn't state the external ante...

CTSsean

Just to clue other people in... its a matcher in the MT syslog that is the problem.

If you try to send critical,error,info, etc all at once. Only events that match all 3 topics will be sent. you have to send individual topics separately.

CTSsean

^^ Thank you for that!

CTSsean

Going to resurrect this as I found this during my runtime error handling testing. The syntax format has to be very specific to process the error handling properly. Example: :do {/interface bridge add name=loopback; } on-error={:put "loopback exists"} So its :do {whatever command you want t...

CTSsean

Another rant... Just discovered that when trying to use a variable within an array with keys, it does a comparison instead. example: :global "newAddressListArray" {$localserver="OnPremiseServer"} or example: :global "newAddressListArray" {"$localserver"="...

CTSsean

IMO, if RouterOS7 is vapor ware, OpenVPN UDP needs to be addressed.

CTSsean

###This Script will auto create vlans that are missing ###Add the vlans you need to have in the newVlanArray variable by using "vlanid"="vlanName" and the script will do the rest ###BOF### ##Initialize variables :global "physInterface" ether6; :global "newVlanArra...

CTSsean

Discovered today that if you send a function an argument, you can no longer use a global variable within the function. Once a argument is passed to the variable, the global variable is no longer referenced by the root, but only by the arguments that are passed in. Example: :global "physInterfac...

CTSsean

The array_keys() function is used to get all the keys or a subset of the keys of an array.
Here is syntax

array_keys(input_array, search_key_value, strict)

from my testing... this function doesn't exist within RouterOS. Can you give me a syntax example?

CTSsean

DNF was released in 2011, so ...

so 15 years from version to version. Nice... so we only have another 11 years.

CTSsean

- there can only be a single packet mark on a packet, so when you want to use packet-marks
both for routing decisions and for QoS, you need to apply the mark for QoS in post-routing

For routing decisions (and routing marks), wouldn't you do that pre-routing?

CTSsean

Why would one mangle pre-routing vs post-routing for QOS? I've seen it both ways but don't know why. I'm sure someone will post you a link of the packet flow diagram but it depends on that according to how you are routing the packets. Generally go for pre-routing although for a lot my applications ...

CTSsean

Why would one mangle pre-routing vs post-routing for QOS?

I've seen it both ways but don't know why.

CTSsean

first, Thank you IntrusDave for the script. If someone wouldn't mind explaining, why put the DSCP mangle on the post routing chain and not the pre-routing chain?

Also, why use the default queue tree and not say pcq?

CTSsean

Here are my FreeDNS script for updating a FreeDNS domain, when you have more than 1 FreeDNS domain. It also posts the start and stop of the script in the log. It was originally created by LESHIY_ODESSA, but I've improved it by adding some error checking and making this work when you have more than 1...

CTSsean

Your firewall rules are all kinds of messed up. action=drop chain=input comment="Rule to stop GuestLAN accessing OfficeLAN" dst-address=192.168.99.0/24 src-address=192.168.150.0/24 action=accept chain=input comment="Rule to allow GuestLAN traffic to Printer1" dst-address=192.168....

CTSsean

WAN1 and WAN2 are on seperate ethernet connections ether23 and ether24.

why is your gateway set for google?

CTSsean

How are you connecting WAN1 and WAN2?

Via a single interface or multiple?

Search found 63 matches