MikroTik

mozerd

Ended up getting a Netmetal ac2, should be in on Tuesday. Absolutely loving the Wireless Wire, highest ping to it was 5ms, usually 1-2ms. Incredible performance so far, powering it over PoE via CRS112 from my shed. @archerious very nice pics and good work .... Yes. the wireless wire is absolutely S...

mozerd

ALL of my MikroTik Router clients use MOAB to prevent External Attacks just like the one you describe.

If your MikroTik Router model qualifies for the MOAB service --- I provide a 10 day Free Trial of MOAB so that you can see for yourself.
If you are interested see my sig below:

mozerd

Hi Mozerd, Out of curiousity what is the load on the router in that gaming situation. More precisely does it burn up throughput so like instead of 50mpbs down, one gets 45Mbps down?? It all depends on the MikroTik Router Model .... in my prerequisites web page the following is stated: Performance H...

mozerd

BPWL. Now here... 2 cAP ACs will run about $140. The step to $240 is $100. How many phone calls and pissed of users does it take before you think... "Yeah... That's not a smart business decision... Trying to save $100 bucks." Reputation is everything .... ABSOLUTELY everything .... my business thri...

mozerd

One of my clients operates a gaming kiosk in Los Angeles that uses MOAB .... they have 26 gaming stations ..... The Router they use is a MikroTik PowerRouter732 .... the LA operation since using MOAB they have zero issues .... before MOAB they has many attacks .... they have been using MOAB now for ...

mozerd

That seems to be the product its built to compete with. Anyone done the comparisons yet? In the Mesh world and for busy home networks, based on my field experiences nobody beats Netgear RBKxx systems -- NOBODY period FULL Stop Ruckus --- The only manufacturer that has successfully exploited Spatial...

mozerd

I use SanDisk 32GB SD cards and 8GB Kingstone DataTraveler USB sticks and works nicely in many CCR1009xxxx
I have not tried large ones because I have no need for larger ones BUT I see no reason they would not work.

mozerd

Don't think so. That Wiki page states : This page was last edited on 18 October 2017 , at 10:37. As it says on the page : After RouterOS v4.0beta4, Lua support is removed until further notice My sincere apologies -- I did not see the part that After RouterOS v4.0beta4, Lua support is removed until ...

mozerd

According to the following Manual:Scripting-examples -- file size limitation has been removed Read and write large files Many users requested ability to work with files. Now you can do it without limitations Create and write to file: :global newContent "new file content\r\nanother line\r\n"; [/lua "...

mozerd

A ruckus R710 is a pretty dated unit. An R510 or R610 is newer and I would take a R610 over the R710 anyday. Now lets also skip the B--L$h!+. Ruckus has been on Promo for nearly 2 years. The $650 R510 is readily available on Amazon for ~$250. AND STOMPS ALL OVER THE AUDIENCE. There is ABSOLUTELY [w...

mozerd

But most importantly, Winbox is key software that helps you to get things done. As quickly as possible, in simple and efficient manner. With no animations or other design decisions taking your time. No "..." buttons you have to click to show "advanced" options, that you have to click all the time. ...

mozerd

Next steps are just useless until there is the ethernet connection.

@bpwl --- You do have the patience of Job ..... my deepest respect for your efforts.

mozerd

after research a lot I decided to buy three RBcAPGi-5acD2nD and get rid of my tp link deco p7. For some reasons I didn’t want to buy the fritz repeater 3000 nor the unifi Modells because I liked the Mikrotiks. After playing around on the weekend with different types of setups I am somehow sad. My s...

mozerd

....... I tested the router this morning and it is back online. I have checked its logs and the last thing I see is a reference to an improper shutdown. There does not appear to be anything else in the logs. What happened? I am guessing I pushed the router into net install mode or something else bu...

mozerd

This does not seems to be true. Changing to 20MHz on 2.4GHz improved the speed greatly. Yes the theoretical speed is halved, but in real world, I can get 5x better speeds on every device... If you have lots of competing wireless transmitters in close proximity to your venue ... that means lots of i...

mozerd

How does one relate to another? :) You can use 20MHz channel and still use MIMO. All those spatial streams operate in the same channel(s). I did not state that you could not use 20MHz channel with MIMO .... I did state that if you want PERFORMANCE you must use 40Mhz ... performance means speed........

mozerd

I for ONE am very impressed with @bpwl contribution .... certainly provides much to contemplate especially if YOU are a GEEK :-) I do not wish to rain on anyone's parade but wireless TODAY wireless is MIMO centric assuming that all devices are MIMO capable [N, AC, AX and 6E] ... so my contribution h...

mozerd

........................ .................... It's fantastic, literally plug and play, didn't have to change any settings on Tp-link switch. Removed all bridges on hex, and the speeds are honestly just 200-250mbps slower on upload than RB4011, the downstream is line rate. Never went past 35% cpu us...

mozerd

You're one very very smart Dude

The ACL's on the 3650 is very rich [granular] but for fire-walling I would use Untangle + this switch .... Check out Untangle .... very rich UTM

mozerd

Any other alternatives?

Cisco Catalyst 3650 Series Switches
This one will meet all of your security objectives plus it will route at wire speed plus do things that you have yet to imagine.

mozerd

@rkrisi Be a little patient and MikroTik will improve the wireless performance in your RB4011 .... it may take another 6 months ... patience is key My suggestion for you is to buy the Ubiquiti nanoHD access Point Connect that to your RB4011 and you will have superb performance beyond your wildest ex...

mozerd

make it more about proper implementation of existing features that needs to be fixed in hardware: SFP+ slot that's not picky and supports SFP/SFP+/passive DAC/GPON modules without any issues Switch chip that supports at least 8 ports at 0.01/0.1/1/2.5/5Gbit/s with hardware VLAN filtering and other ...

mozerd

I would doubt that the hex Routerboard can handle that many dynamic address list entries... MOAB for the hEX and the HAP AC2 currently has 7692 ipset entries ..... the performance hit on the hEX is close to 13% while the HAP AC2 the performance hit is 8%. For Your Information MOAB for the hEX and t...

mozerd

You create a VLAN for all Guest, then add the port for the guest to this VLAN, same with create a own guest Wifi.
Then you make filter rules.

I do not recommend at all mixing in Layer 2 firewall. Do a VLAN and stick til Layer 3 Routing/firewall. Make it simple.

@Jotne is 100% correct ....

mozerd

I offer a 10 free trial of my blacklist service .... check my sig for links

mozerd

Just bought your book on Amazon because I liked what I saw in the preview.

mozerd

Your internet allocated bandwidth will determine your capability on your local network. Having a 10G connection at the switch level will not help to level the load. The 10G connection is best suited for NAS, stuff you will do locally assuming you will have 10G network .... But your 2 switches provid...

mozerd

This is for performace reason, i need to connetc two switches (CRS326-24G-2S+RM) with 10Gbit fiber connection and the router would slow down my routing. MicroTik Switches are not Multi-Layer Switches so Inter-VLAN Routing will have a performance penalty when L3 is used .... Because the switches you...

mozerd

I am not a networking expert but cannot you not ensure that most traffic is contained within the switches?

VLAN Routing: 3 options

mozerd

What do you think about the webproxy stuff near the end: "Blocking Unwanted Websites", to block http traffic - outdated and not useful?? @anav ..... If one uses their TiK router as a webproxy THAT will mean a significant amount of Read-Write cycles will be made on the NAND memory .... not a good th...

mozerd

Is it only me or there's something wrong with double quotes?.. /user set 0 password="!={Ba3N!"40TуX+GvKBz?jTLIUcx/," The double quotes is OK but when quotes are used in the actual password as shown in your illustration that quote must be preceded with the escape character as follows: /user set 0 pa...

mozerd

Maybe I'm a Martian new on planet Earth :-) Update: newly discovered: the answer seems to lie exactly in this document: https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x To me [like YOU :-)] users are Joe users in a LAN w/o login permission to the router or switch they are connected --- that is...

mozerd

Let's say a user in the morning comes to his seat and turns his office computer on (it was ordinarily shut down the previous work day). So, what happens next? Does he need to login to the RADIUS server first (but how is this supposed to work as he does not have any network access yet, I imagine) be...

mozerd

Mikrotik have recently introduced port-based access control https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x although you need an external RADIUS server. Many other vendors support port-based access control in fully managed and the better smart/web managed switches, entry-level smart/web manag...

mozerd

by default block everything, explicitly define each protocol/port that shall be allowed/opened ." Ie. this is possibly a diametrically opposed method to what most people do. But to each his own, I've my own experience and view on these things and so my own practical requirements regarding network s...

mozerd

I would prefer Tailscale (wireguard SDWAN) over ZeroTier

100% correct

and 100% faster ..... KISS

https://tailscale.com/

mozerd

@mozerd, thanks for clarification and the links. I want to keep this device as is by default: a switch with RouterOS in Bridge Mode, but will need to use its firewall as well. Is this configuration/setup choice a good/acceptable one, or would there be a better configuration/setup in terms of securi...

mozerd

As said above, in my device there are no such default firewall entries present, as far as I can see; I hope I haven't overlooked anything. @mutluit Your switch CRS326-24G-2SplusRM does not have the same default Firewall rules like a Router would have. Your switch default CONFIGURATION is a switch n...

mozerd

Yes, Multi-layer-switches can route at wire speed - MLS .... A multi Layer switch is just a Switch with Layer 3 capabilities... And am sure their traffic passes the CPU before reaching the Switch... A MLS Switch has a dedicated cpu for routing and a dedicated ASIC for switching plus it has Flow Con...

mozerd

If you want to route at wire speed on the switch YOU will need to look at other brands. Route at wire speed on the Switch ? :? What is that supposed to mean? A switch is a switch, it does not route Traffic... The CPU takes part in the Routing Process... Yes, Multi-layer-switches can route at wire s...

mozerd

The MiktoTik switch/router CRS326-24G-2S+RM ( https://mikrotik.com/product/CRS326-24G-2SplusRM ) can use either SwOS or RouterOS. With RouterOS installed, can it be configured to have more than 1 WAN port for Load Balancing the WAN traffic? This switch is good if you want routing inside your LAN be...

mozerd

Lots of good adice for you here @anav :-) On the subnet [vlan] that your daughter's pc lives on -- are YOU 100% certain that there is not a rogue DHCP server doing its thing. So the question you have to ask yourself is .... which devices are running on that specific subnet --- you must confirm [trus...

mozerd

Wireguard is a design disaster in every aspect if used on a router. I'm going to name some: Yes WireGuard does VPN a little differently -- actually a LOT differently. There is the Old way and now the NEW WireGuard way. Yes, there is The Classic Solutions of Routing BUT now there is The New Namespac...

mozerd

And yes 80% of the rules had hitcounts! Throughput in the same broadcast domain is working with full gigabit speed. Very NICE Lab ..... I suspect that the RB3011 would work out well for your LAB. If you are going to keep the SG200-8 then do consider the RB4011 with its quad core CPU ... the combina...

mozerd

I have a small home test environment and use a HEX S (6.45.8) for routing and firewalling: Bridge VLAN filtering setup Vlan ~ 15 via Trunk on eth2 to a cisco sg200-08 IP Firewall Filter rules ~ 75 IP Mangle rules ~ 10 IP NAT rules ~ 10 I am truly impressed with this many rules ... WOW ... How may o...

mozerd

I recommend RouterOS and especially Winbox the GUI administration Tool. Anytime a security issue is discovered MikroTik makes the immediate effort to determine if that security issue is legitimate and fixes the problem if its real The following link is where you can find information on security issu...

mozerd

Right now we are on manufacturing process, as soon as we receive the first batch on our warehouse and be ready to sell and shipping we will notify you with all the details (Cost, Payment Methods, Specs, Shipping, etc,.) please send an email with your details to contacto@ carlitoxxpro.com to we can ...

mozerd

A FYI item:

Install illustration is now available online for Mother of all Blacklists:

The How-To for MikroTik Routers like the RB4011 and CHR
and
The How-To for all other MikroTik Routers having 1G or more of RAM with external file storage

mozerd

Rethinking VPN: Tailscale startup packages Wireguard with network security A whole bunch of tunnels': Mesh networking with per-node permissions and OAuth security ..... Tailscale's product includes several pieces. First, it's based on peer-to-peer VPNs rather than piping all VPN traffic through a si...

mozerd

And .. my subggestion should actually be /ipv6 address add address=::1 from-pool=rogers-ipv6 interface=bridge The address=::1 generated an error condition stating it must be a 64 The good news is that after Router Reboot the bridge unreachable condition became reachable. I switched to a hint ::/56 ...

mozerd

What happens if you set it like this: /ipv6 address=::1 add from-pool=rogers-ipv6 interface=bridge ... or something else instead of ::1 ? In addition, how big is address prefix, received from ISP? ( /ipv6 pool print ) i cannot /ipv6 pool print now as the unit is in another jurisdiction and I will r...

mozerd

ipv6 is configured on the hap ac2 and ether1 [WAN] gets an ipv6 address and the bridge gets an ipv6 address but the bridge is unreachable so non of the attached laptops are getting an ipv6 address. By looking at the config below can anyone please advise why the bridge is unreachable? Redacted Config...

mozerd

Man they should hire you Mozerd! You could bring some sweet stuff to the functionality and to the team some pure Canadian Maple Syrup too!! :-) I am only for hire based on the services I offer from my website ... :) Yep, the MikroTik Team would love Canadian Maple Syrup ... the very best .... even ...

mozerd

"Development" is a download category. There are actual download links. https://mikrotik.com/download You can install it on one of your important gateways and later report how ready you feel it is. Your opinion is valued. Thanks. Once MikroTik adds Wireguard Support and LUA System v4 or whatever ver...

mozerd

v7 is a public beta.

Do you think it's ready for a 7.0 stable release ?

I just checked and do not see v7 under testing, but I do see v7 under development.

So @normis we are far beyond April 1 [April Fools day] so I guess you have a lot more info?

mozerd

MikroTik should be aware of the following

https://www.theregister.co.uk/2020/03/0 ... ment_ipv6/

The site is currently down .... something wrong with the UK but it will be up soon

mozerd

Please include LUA system in v7 so that RouterOS users can make fetching address lists of any size a reality.

mozerd

@pe1chl provided YOU with very good direction and I would highly encourage you to follow .... very specifically the following is absolutely critical in your situation: However, you still will need to invest in some IT consultancy. It is not a good idea to setup such complex networks without knowledg...

mozerd

https://i.mt.lv/cdn/rb_files/1568200626Audience%20-%20qg.pdf Interesting devices. One 5ghz Chain just for audience to audience connectivity (but can be used for other purposes). A dedicated 5ghz Chain for the MESH is very desirable so that the mesh will work effectively. I 4 1 would not recommend d...

mozerd

Very Well Done and great example .... Thank You!

mozerd

User Manager is RADIUS server implementation in RouterOS which provides centralized user authentication and authorization to a certain service. Having a central user database allows better track of system users and customers. I have not loaded v7 Bx and will not until v7 RC is out -- but I wanted t...

mozerd

Just do the right thing: hire a brand/Product manager and staff who focus on the forums, documentation, and howtos. Make it fun to be a part of the MikroTik community.

@pcunite 100% AGREE
@screamingservers ... good post!

mozerd

it would be a dream because now i have a routerboard+raspberry(wireguard) for every single sites of my fullmesh vpn

Yes absolutely !!!
Dream along with me I am on the way to the STARS

mozerd

That IP address returns the following: person: Piotr Najduk address: Vectra S.A. address: Al. Zwyciestwa 253 address: 81-525 Gdynia address: POLAND phone: +48 58 6248352 e-mail: p.najduk@vectra.pl nic-hdl: PN3299-RIPE mnt-by: PN97052-MNT created: 2012-03-13T10:55:37Z last-modified: 2012-09-24T16:39:...

mozerd

Problem with SFTP server and WinSCP I use WinSCP to move files from my CCR1009 to my Network Server. According to WinSCP Developer RouterOS has a issue in it's SFTP server The SFTP server returns an error But when WinSCP queries the server for a target of those links, the server returns an error. I ...

mozerd

I would suggest that you seriously consider the MikroTik Audience ... especially if you exclusively dedicate one of the 5 GHz radios for the wireless backhaul assuming that you may need to add another Audience to provide FAR superior performance for the 100 hosts you want to service. Audience is a t...

mozerd

@mozerd, I understand that encryption using CPU will tax the CPU, but did not expect it to tax the Hap AC2 cpu by that much, i.e. from OP stats it was 10 fold, i.e. from 23Mb/s to 238Mb/s by disabling TKIP and these figures just did not add up for me. i.e. what did we get back in the day on device ...

mozerd

I understand that tkip is old technology and deprecated and fully anderstand that it can have a huge performance impact on devices like hap lite or even RB2011. Now the hap ac2 is not a beast, but this CPU runs circles around the 2011. So my question is why such a big performance hit on hap ac2? Ye...

mozerd

The situations where I have been forced to enable tkip for very old devices don't involve collaboration, so I may change architecture to a separate virtual AP using tkip that I can enable only if needed If you enable TKIP for a Virtual AP and have WPA/WPA2 on another Virtual AP that YOU are utilizi...

mozerd

Wouldn't the encryption CPU be burned ONLY if some connection was actually USING tkip? Does just making tkip available (for devices that may show up that can't connect over aes) immediately affect cpu even if no such devices actually show up? If TKIP is an available option BUT not being utilized [e...

mozerd

Does tkip slow down performance by its very existence enabled, or does a connection actually have to be using it?

Yes, TKIP will dramatically slow down performance when enabled because encryption/deception heavily relies on the CPU.

mozerd

Overall, I do not recommend this switch as a single-piece networking solution for a homelab - CRS317 is a much better (and cheaper) all-in-one option. For the CRS326-24Splus2QplusRM — IMO you are not reading the specs properly, that 100Mbps port is suggested for switch management https://i.mt.lv/cd...

mozerd

Goodness gracious great balls of Fire ...... if you do not tell us what model of MikroTik Router you have how can anyone help you?

mozerd

My suggestion for your situation is the RB3011 Router that will serve you very well ... combine that with your existing Apple Express in bridge mode and you will get very good WiFi .... I am assuming that you already have the Apple Express however if my assumption is wrong then I would recommend the...

mozerd

a simple alteration to the script the previous script sends an email when ever a new devices connected to router static or dynamic in my situation I need to know only dynamic ones because the static ones in known to me this modification sends only dynamic ip addresses :local recipient "someemail@se...

mozerd

I have router mikrotik rb2011uias-2hnd OS version 6.46.1 I'm asked by my manager 1 - how many clients can connect to WiFi simultaneously 2 - how many clients can connect to Ethernet simultaneously please guide me how I can give him a correct answer If you want a proper IT approach to these generic ...

mozerd

Buy why the TPLINK AP. My CapAC is a decent AP for the price and ubiquiti LR AP for those that want premium performance. For $20 more ==> Performance wise The TP-link AP IS VASTLY superior to the CapAC and to the Ubiquiti LR AP .... That is why. Wishing all a blessed Christmas and a happy, healthy ...

mozerd

@mozerd, I wonder why you fancy the RB3011 (over e.g. 4011) so much? @mkx The 3011 has superior switch chip, it has Support for USB 3 providing additional storage and the SFP cage actually works great on GPON networks; users who want to use MOAB love this router .... the only advantage the 4011 has...

mozerd

Looking for a router, previously was using a tp-link router with a single antenna. Problem reception issues, signals dropped significantly. Which one to go for? Need recommendations. I suggest the RB3011 as your Router/switch and for wireless I suggest the TP-Link EAP245 AC1750 Wireless MU-MIMO Gig...

mozerd

The MikroTik RB4011iGS+RM could be your choice
But it has a SFP+ cage that will not accommodate SFP GPON modules + no USB storage.

So if GPON is a needed capability the RB3011UiAS-RM is a good choice and it does have a USB3 interface for storage plus.

mozerd

Any solution ?

I have no experience using RouterOS with multicast ....

You should check the following link that may be of help to you since it shows some PIM EXAMPLES
https://wiki.mikrotik.com/wiki/Manual:M ... ed_example

mozerd

.
Being 4011 quadcore is not a remarkable difference to buy it?
If not, I will decide on 3011.

Yes 4011 quadcore is superior to the 3011 dualcore.

mozerd

To support@mikrotik.com Oks, Thanks If you can return the 2011 to the place you bought it from and get a refund Or exchange for a better model like the 3011 I suggest you do that ... if on the other hand you can no longer get a refund or exchange for a 3011 then good luck with all the hassles you w...

mozerd

How is one to measure if ones CPU is up to the task to handle Wireguard without HW acceleration and meet or beat performance of ipsec with hw acceleration.?? My experience with WireGuard is only on the Ubiquiti EdgeMax product line and I can categorically state that WireGuard runs faster that any o...

mozerd

Of course, I am only referring to RouterBOARD devices. if you have plenty of CPU power, you can make it fast. Normis, can you perhaps comment on comparing Wireguard to the Road Warrior VPN scenario? Does the hw accelerated MT device still have the edge? Normis cannot provide that analysis without r...

mozerd

The Mikrotik hAP ac² is better than my router? Is the best option for me? I thought a router was better option than wireless system. Actualy I have my ISP router as bridge and Mikrotik as router. The best option for YOU is the MikroTik RB3011UiAS-RM and Yes I agree that a dedicated Router - like th...

mozerd

To the OP: The number of Wireless concurrent users That can connect is not relevant .... what is relevant is understanding the activities [load] that these users will have on the network and in your case the wireless network. You can have 256 wireless users connect but if the load [activity like voi...

mozerd

but if streaming and real time activities is part of the equation Then absolutely NO and under those circumstances perhaps 20 concurrent wireless users It is obvious you do not know any of the device specs and obviously you have never used this model. It is a quad core 1.4Ghz with 1 GB of RAM that ...

mozerd

Good day, please I want to know if the Mikrotik Router rb4011igs+5hacq2hnd-in can handle 80 concurrent wireless users.... Thanks. It all depends on on the kind of activity your users are doing ... if it’s just email and browsing without streaming and no real time activities then 80 concurrent wirel...

mozerd

According to the following doc http://www.motorolacable.com/documents/MB8600-QuickStart-revE.pdf Your cable modem is strictly a modem only with no other capability so the following should work for you. 1. Reset the modem but make sure that neither your hEX S or pc is attached. Shut down the hEX S 2....

mozerd

Since you are using the Motorola MB8600 the first thing that you should do is to find out is if the Cable Modem is BRIDGEABLE ... if the answer is YES then put the 8600 in bridge mode and then your hEX S (RB760iGS) will work with the default configuration otherwise you will experience the problems y...

mozerd

The compatibility page is a red herring and an escape from the real issues: Another example .... Does the MikroTik hEX S SFP port have the same technical behavior as the SFP port provided in the RB2011? Why does the HUAWEI MA5671A SFP module WORK in the MikroTik RB2011 SFP port but does not work in ...

mozerd

Yes, but the USER forum needs to have a public response from MikroTik to my IMPORTANT questions because the SFP SFP+ issue is of vital importance especially for users of GPON networks in the USA and Canada.

mozerd

The silence is deafening. ..... shame!

mozerd

Your experience is more proof that Audience is not in any way ready for prime time. I have no Audience Mesh experience but I do have lots of Netgear Orbi Mesh experience and with Orbi [3 units] in 6,000 sq foot residence and close to 70 devices ... all 2 stream and 3 stream devices experience betwee...

mozerd

Let me ask the question another way: Why does SFP and/or SFP+ have different behaviors on MikroTik Routers that contain these ports? for example On RB4011 SFP+ does not behave the same way as it does on CCR1009 ... etc. Regardless of which MikroTik Router model should not all SFP and/or SFP+ modules...

mozerd

Can MikroTik please enumerate which industry standards are the SFP and SFP+ modules built to for all current Router models only.

mozerd

If I dont use winbox externally and I change the default port to something else, where is the risk from this latest vulnerability? If I was to use winbox externally via VPN ( IKEv2), where is the risk? @anav No need to change winbox default port when using winbox internally -- risk is only from com...

mozerd

RouterOS without WinBox is like car without seats, it still runs, but it's not enjoyable ride. But it's clear now that it's not good idea to let it be exposed to whole world. I though that it shouldn't be a problem anymore, that MikroTik surely fixed it, to require robust authentication first befor...

mozerd

As you know, a vulnerability is just a crossing of security boundaries. CVE-2019-15055 allows someone to elevate from an admin account to root shell. That seems like a security boundary to me. The POINT you make is exactly correct. ROOT SHELL is not permitted under RouterOS because it’s proprietary...

mozerd

It should be pointed out that this vulnerability is more severe than reseting passwords. An attacker can use this vulnerability to get a root shell on the router. Unfortunately, MITRE (the org that runs the CVE program) hasn't updated the description. Access to a root shell is pretty concerning. I ...

mozerd

It seems mozerd that they are not updating the blog. Good pickup!
(of course this assumes that 15055 is actually covered).

Yes 15055 is mentioned in the logs ... MikroTik needs to be much more proactive in making sure that the blog site is uptodate especially where security issues are concerned.

mozerd

Already fixed in 6.45.5 and others. So what?

Would be NICE IF it was mentioned in the following link

https://blog.mikrotik.com/

mozerd

Security issue

https://www.cvedetails.com/cve/CVE-2019-15055/

mozerd

This contrasts with regular hub-type networks, where a failure in a central router or switch could cut large parts of the network off from each other. Repeaters, on the other hand, do not increase a network's resilience. If the router or access point broadcasting the original wireless signal goes d...

mozerd

Audience does not use classic MESH with repeating...!
Its better than that...!

Classic Mesh does NOT use repeating period.

mozerd

In the following MikroTik Wiki MESH is described as Interface/HWMPplus
What would be very helpful from my perceptive is for MikroTik to illustrate Audience Mesh utilizing HWMPplus as part as parcel of the illustrations offered.

mozerd

I was never satisfied with how mesh works... Also because mesh involves repeating you have loss in bandwidth which is really bad... I would suggest you use a non mesh configuration that does not involve repeating... For example the new MikroTik Audience AP does mesh but without using any repeating....

mozerd

started using the CCR1009-7G-1C-1S+PC and from the description it seemed to me that combo port should be used as WAN from ISP, but I can't figure out how to set it up so that the connection from my ISP would come to that combo port so that I can use the remaining ethernet 1-7? You should be able to...

mozerd

Ccr1009 has atheros 8237 switch chip that according to the manual supports hw offload when dhcp snooping,igmp snooping,vlan filtering and mstp are off... so why i dont see hw offload enabled ?

The new generation of CCR Routers do not any switch chip ..... That is. FYI

mozerd

I will certainly try again, and report back. It is 3.10pm South African time now and I have been at it since early (no success so far), so my brain is jelly at the moment. It should not be as hard as you seem to be experiencing. Can you describe how the chain of gear you are using is connected? I.e...

mozerd

Information and capabilities for the Audience Mesh is very sparse .... specs looks interesting but not interesting enough for me to make a trial investment without much further usability information. MikroTik should show off some real world application to demonstrate Audience Mesh properly.

mozerd

In other words, what is the real concern you are attempting to articulate but being too vague about it?? Hi anav Audience TriBand Mesh is a brand new product so its too early for any concerns. I do not use MikroTik wireless for ANY of my clients --- I only use Ubiquiti wireless AP's for custom inst...

mozerd

Question is not clear. The Audience runs standard RouterOS. It supports ipv6 just like any other MikroTik device.

Can you please show some Winbox screen shots of Audience in action and RouterOS interaction with ipv6 enabled wireless clients.

mozerd

How does the Audience Tri-band mesh AP support ipv6?

mozerd

6.45.3

*) rb4011 - fixed SFP+ interface linking (introduced in v6.45.2);

Fixed? I do not believe its fixed based on the experience in the Following thread"
MikroTik RB4011 SFP+ GPON

How disappointing and unprofessional!

mozerd

By the way just because the word GURU is next to my name it doesn't mean I know jack sheite.

You may not know jack sheite BUT IMO you're one very smart hombre

mozerd

It will be another load of fun if we ever decide that we actually want direct communication. Because unless something changed, recommendation for default router config (home devices and such) was to block new incoming connections from internet. So you will have devices all with public addresses, bu...

mozerd

A long time ago, there was the sound of perfecting ipv6 modules in the forum. It has been nearly six or seven years in an instant, and many functions are still lacking. ipv6 nat, policy route, routing mark, and many other functions are completely absent. I tried opnsense, pfsense and vyos, edgeos, ...

mozerd

:

• PWR-LINE PRO

Download the newsletter here:
https://download2.mikrotik.com/news/news_90.pdf

Most Power-Line adapters made by the competition are sold in packages that contain 2 adapters.
Its not clear to me if the PWR-LINE PRO package contains 1 or 2 adapters --- please clarify.

mozerd

6.45.3

*) rb4011 - fixed SFP+ interface linking (introduced in v6.45.2);

Very strange that no official announcement on the Forum and when using Winbox "Check for updates" only 6.45.2 displays.

mozerd

But my bad luck at this time was not gone. After downgrading both firmware and RouterOS to the previous version my router still refused to obtain the ip-address from the ISP via DHCP. I got in touch with the ISP support and they checked that the switch port my RB is connected to is set properly (ne...

mozerd

TL;DR: There is a fault with the RB4011 supporting communication with some gigabit or gigabit-like SFPs (see forum comments about interface not working after upgrading firmware). Once resolved, the brochure page should more correctly say 'The RB4011 does not support Passive DAC modules or dumb SFP ...

mozerd

No. An interface is the module that you put into your SFP/SFP+ cage, not the cage itself. The specification of the cage itself is (almost) purely mechanical. And my understanding is that both host software and host hardware must be compatible with the type of transceiver you want to use. It appears...

mozerd

SFP/SFP+ are Network INTERFACES and these network interfaces should work much like any other network interface. THAT is the whole point . The small form-factor pluggable (SFP) is a compact, hot-pluggable network interface module used for both telecommunication and data communications applications. ....

mozerd

EPON SFP VS. GPON SFP
http://www.fiber-optic-components.com/e ... n-sfp.html

IMO, smarten up MikroTik!

mozerd

MORE Info on FTTH -- in Canada Bell uses GPON for FTTH and that means <<<< ---- >>>> point to multi point . Standard SFP/SFP+ modules are point to point. Plus there needs to be a processor in the GPON SFP to encapsulate the Ethernet frames into the GPON frames. The issue is that Standard modules don...

mozerd

@Error0x29A, thanK you —— so MikroTik used an ineffective chipset to drive the SFP+ cage .... I will no longer recommend this product and in fact I will discourage others from acquiring/using this POS.

mozerd

Same thread here .. https://forum.mikrotik.com/viewtopic.php?t=140806 The thread you linked to has some similarities BUT it is NOT the same. Its quite apparent that RouterOS and SFP[+] cages [interfaces] do not interact with consistency across all MikroTik routerboards --- and THAT is a real shame ...

mozerd

HUAWEI MA5671A SFP >>> This is a GPON SFP module

Why does the HUAWEI MA5671A SFP module WORK in the MikroTik RB2011 SFP port but does not work in the MikroTik RB4011 SFP+ port?

mozerd

SFP+ interface compatibility settings with SFP optical transceivers SFP+ interface compatibility settings with SFP optical transceivers For MikroTik devices with SFP+ interface that support both 10G and 1G link rate following settings are needed to be set on both linked devices for required interfa...

mozerd

Latvia is a small country in northern part of Europe. Latvia is part of the European Union, Eurozone, EEZ and Schengen. The Latvian language and culture is unique and share nothing in common with Russia. For a part of the 20th century, Latvia was forcefully occupied by the Soviet regime, but this m...

mozerd

(a) What is Mikrotik target group? Business or consumers. (b) What is making Mikrotik unique, why pick Mikrotik instead of Cicso? (c) Do Mikrotik have any limitations? If any, what can MicroTik do too improve? (a) tech savvy people (b) a superb value proposition that is -- so far -- unmatched by an...

mozerd

While Mikrotik has it's share of problems with proper operation of different SFP modules (even with basic things, such as reading diagnostic values like temperature, Tx & Rx power, ...) I don't think its the problem in hardware implementation of SFP ... SFP interface is well standardized. But then ...

mozerd

And such "intelligent" SFP modules need some support from router which router might not know how to provide. Due to this GPON by Bell might not work any better on Routerboards when they move to 10Gbps sync rate. Thanks @mkx ...... so what you're saying is that due to MikroTik's SFP[+] implementatio...

mozerd

You appear to be confusing Active vs. Passive optical networks with Active vs. Passive SFP+ modules: All optical SFP[+] modules themselves are active as they contain electronics to convert between optical and electrical signals. Only direct attach cables (DAC) can be active or passive - active cabl...

mozerd

So David, are you saying that in the near future we may be able to connect the RB4011 directly to the incoming fibre line from the street and bypass the ONT? I know the technician spent some time configuring the ONT to the account settings on their database (so they talk to each other). How would y...

mozerd

Something is definitely wrong with your RB4011 ... try one more process of running netinstall-6.45.1 .... this will eliminate any form of corruption in the NAND memory and reinstall ROS -- then proceed with your Copper SFP as WAN link to see if that works -- it should and if it does not then I would...

mozerd

My apologies I misunderstood. Is you Cable Gateway in Bridge mode? The power levels are excellent and your RoS code looks good to me. Confirm that your Ethernet cable is good.very strange that you’re not getting the throughput ..... perhaps a defective port, try another port. Also make sure to shutd...

mozerd

I ended having to swap the cisco device back in. Having tried every permutation of interfaces, MSS clamping, doing packet captures (shed loads of DUP ACKs)

If you sincerely want to be helped you need to answer some of the questions asked -- which questions you have chosen to avoid.

mozerd

Current: DOWNLOAD 12.09 Mbps UPLOAD 36.14 Mbps Virgin Media<->Vodafone IE Previous: DOWNLOAD 341.11 Mbps UPLOAD 35.96 Mbps Virgin Media<->IP Telecom router-pdn-export.rsc Some questions: I will assume that your WAN connection is Fiber from Virgin Media -- so is the Cisco GigE SFP module white-liste...

mozerd

This is what happens when you dont regulate industry and companies play these stupid games. Make a standard and follow it. The standards are there and they are being strictly enforced ... and I believe that MikroTik adhere to the standards .... the problem is how the PON providers choose to impleme...

mozerd

Has anyone tried to login into the SFP and using shell commands to change the rate to see if it connects to RB4011 at 1Gb? @Error0x29A, YES you make excellent points. I have not not tried to login into the SFP .... did not know that could be done because Root is locked on RoS ??? In Canada Bell pro...

mozerd

As I wrote in another post, Russian users have no problems using GPON modules with theirs RB4011. Perhaps not all GPON models are supported but GPON SFP Sticks from Zisa OP151S and D-Link DPN-100 are reported as working https://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Fforum.ru-bo...

mozerd

Strange. Users in Russia have no problems using SFP modules with RB4011 like D-Link DPN-100 or Zisa OP151S. They are sourced from T&W Shenzhen Electronics. Easily recognizable by firmware starting as TW2362H-CDxx In Canada, Bell company provides at least 2 Nokia and 1 Huawei to their customers. Are...

mozerd

Mozerd just to be clear with the SFP port and that is there is nothing wrong with using that port downstream on your network when matched/mated with the right components, not everybody or every situation assumes the sfp port is upstream to the provider??? the whole point of SFP [+] port is to conne...

mozerd

Services - PPPoE, SQM QoS cake?, ipv6 tunnelbroker, upnp and ability to add/ customize further. What to consider? Option 1: New router with built in wifi? Option 2: New router only + Tenda AC18 as wifi access point? Option 3: New router + new wifi access point? Some are suggesting the RB4011 and Ye...

mozerd

Hi all, i'm not very skilled in networking except that i know some basics. Anyway, i set FW rule to drop incoming connections from this IP 141.98.80.115 But everyday i see in the logs that this IP is trying to get access to my router. A FYI; MOAB has IP 141.98.80.115 listed as an attacker .... IP L...

mozerd

Similar networks can be already made by using our devices, as explained by Attila Bologh in MUM Hungary 2019
https://mum.mikrotik.com/presentations/ ... 506180.pdf

EXCELLENT presentation by Attila Bologh -- business opportunities galore --- very entrepreneurial.

mozerd

Yes, I also would like and official response regarding this subject as some of my clients are based in the US and subject to US Gov directives.

mozerd

But don't misrepresent the reason for your price doubling.

No misrepresentation ... my bandwidth costs have doubled so based on that I decided I would double the price for a subscription. Thanks for your interest in my business affairs .. to me you pe1chl sound like a Socialists/communist.

mozerd

(and I don't think you have many other costs, as the data sources you use are free and you are using this forum to get your advertising for free) 65% of my business for MOAB is derived from systems my organization builds for people and sold into my local marketplace and the USA .... 5% is derived f...

mozerd

What was the cost before the price hike? What is the percentage increase and why is the increase necessary? What was the cost before the price hike? US $60 per year What is the percentage increase and why is the increase necessary? percentage increase is 100% .... my bandwidth costs have doubled so...

mozerd

NOTICE of MOAB subscription price change:

For new users and effective June 1, 2019 annual subscription cost will now be USD $120 ....

Existing users will be subject to the price increase upon renewal of service.

mozerd

Celebrating 1 billion hits ON A DAILY BASIS >>>> based on 600 Tik Routers using MOAB. Thanks to all my users.

mozerd

Notice of CHANGE to subscription model. OLD method: Annual Subscription was based on your Mikrotik Serial number New method: Annual subscription will now be based on your WAN IP Address ... For organizations that have multiple TIKs --- serial number subscriptions will change to account number subscr...

mozerd

RB760iGS (hEX S) with the SFP being cooled.

@msatter pray tell how do you cool the SFP on your hEXs ... got a pic?

mozerd

Our trusty Putty has been updated to version 0.71. A time ago a vulnerability was discovered and through the EU-funded bounty program a few more were shared. The latest version can be downloaded from: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html Change log: https://www.chiark.gree...

mozerd

DID you KNOW that MOAB designed to protect YOUR network for amply provisioned MikroTik Routers AND for memory constrained MikroTik Routers include FireHOL-Level1 block list And within firehol_level1 among the 628 million ip addresses covered includes 100% of spamhaus_edrop and 100% of spamhaus_drop...

mozerd

You should enable DHCP VLAN on your phone: https://www.grandstream.com/sites/default/files/Resources/VLAN_Guide.pdf Or configure the VLAN manually. MikroTik does not currently support LLDP-MED which is necessary for communicating voice VLAN ID to phones. This normally isn't a huge problem since mos...

mozerd

Based on March 12, 2019 Check out Change History for FireHOL_Level2 level2changes.GIF Based on March 12, 2019 Check out Country Map Covered by FireHOL_Level2 countrymapl2.GIF MOAB includes firehol_level2 in its blacklist for MikroTik Routers having a minimum of 1 GB of RAM Did you know that MOAB inc...

mozerd

Don't ever go back to QuickSet. It's not meant to deal with advanced setups such as yours (which includes VLANs). AMEN ! amen and another AMEN. IMO QuickSet should NOT exist for Routers branded MikroTik .... for dummyTik yes or if QuickSet is used with a CAVEAT that ALL advanced functionality is no...

mozerd

Huge spike

fireHOL_level2.GIF

Notice the huge spike in attacks March 5 to TODAY

MOAB includes firehol_level2 in its blacklist for MikroTik Routers having a minimum of 1 GB of RAM

PREREQUISITES First

mozerd

voipBL protects against VoIP Fraud and minimizing abuse for network that have publicly accessible PBX's

If you spend the time to actually READ through link below you actually will see very interesting information.
Evolution of voipbl

voipTIK

PREREQUISITES First

mozerd

UPDATE Effective March 15, 2019 for memory constrained MikroTik routers like the hEX and hAPac2 wsiptik.rsc will now be integrated into mtiptik.rsc and that will eliminate approximately 550 duplicate ip addresses. for well provisioned MikroTik routers including the CHR and the x86 wsiptik.rsc is bei...

mozerd

The firewall was set up. What do you mean? Is there remote access to ports 80 and/or 8291 to your router? (the default firewall does not allow that, but maybe after your setup it does) In almost EVERY MikroTik Router I have been asked to remotely install MOAB the Firewall was reconfigured from defa...

mozerd

UPDATE I am in the process of creating a MikroTik specific blacklist for VoIP and specifically aimed to protect against VoIP Fraud and minimizing abuse for network that have publicly accessible PBX's I currently have one prospective client who is trialing this blacklist and providing me with very g...

mozerd

Mozerd, any country where devices are manufactured are suspect and anywhere along the distribution chain (incoming or outgoing from-to a country). I am not sure where MT devices are actually made (chips, CB, assembled etc) but I have my doubts that the Latvian govt has an NSA or Red Army equivalent...

mozerd

I don't mind if someone opens the lid and peaks inside, its a good way to find out if a. chips on board have nefarious firmware attached............ (That the vendor may not know about if bought abroad, notice I didnt say China). Why would any VENDOR including MikroTik trust anything involving comp...

mozerd

don't ever use VID=1 in any setup and always have frames tagged in LAN infrastructure ... untagged should only live on access points (wires outside active LAN infrastructure perimeter and wireless SSIDs). I'm sticking to these rules and I don't have any problems whatsoever (neither conceptual nor r...

mozerd

, if traffic doesnt match a rule I have (for a specific purpose), then off with its head!! Yes I AGREE :-) I for one do not fully comprehend under what circumstances I would want to use connection-state=new ::: I have never had a situation where I've needed to use that directive ... do I need more ...

mozerd

@pcunite
very NICE [excellent] work

Not sure if the following is a typo or otherwise

the rsc file called switch one comment line has:

Because weird, we "also" add the Bridge

So do you mean wired or actually weird

mozerd

I like the following:
https://creately.com/lp/network-diagram-software-online

and if you use Google Chrome for a browser the app is PERFECT IMO.

mozerd

Very glad that YOU found the .OOPSY. ... rock on !!!

mozerd

Mozerd, you are looking at the wrong user manual LOL. https://wiki.mikrotik.com/wiki/SwOS/CSS106 Is the correct one. Once you hae the correct UG in front of you, my elegant non-picture post will be much clearer (if you can write scripts, this is not complicated) By the way I did open up the Obi202,...

mozerd

Can you please post pictures of your SWOS TABS as follows:
1. VLAN menu
2. VLANs menu

Your response to my question is far too complicated for me

I like pictures better.
The following pictures is what I am after:

mozerd

Okay I reviewed all my settings. I now have trunk port1, port 2 is going to unmanaged switch, port 3 vlanxx going to vidcam hub, port4 vlanyy to voip modem, and port5 vlanzz going to NAS. I have configured ports 3,4,5 identically only difference being vlan number. Ports 3 and 5 work great but port ...

mozerd

Well, that's bad that simple things like VLANs relies on ISP. Or maybe it's ok and I just don't understand it well :D Anyway thank you very much! 99% of the general public do not have the ability to configure subnets [vlans are a form of subnets] ..... so most isp take the easy raod and jsut provid...

mozerd

Hum... why not deliver via BGP and on site do blackhole routes with routing filters? it would not rape the storages and cpu at all. you could account the bgp peers with the 60 bucks and secure it with vpn and just use ibgp. a client can secure its router by some deny rules. for example to net let y...

mozerd

Up until now most ISP’s that I am familure with will not provide a static ipv6 .... and if there are exceptions I am certainly not aware of those ISP. So for the time being check with your isp and find out if they will allocate more than one /64 ... tell them that you run 2 subnets they may accomade...

mozerd

My ISP Rogers dishes out multiple /64 plus other options like /56 although that may have changed recently. for a long time I was using /64 and assigning to each subnet or vlan. With Ubiguiti Routers its very easy to do that utilizing a commands like: set interfaces ethernet eth0 dhcpv6-pd pd 0 inter...

mozerd

Thank you! I'm getting /64 prefix via DHCP client.
I tried your config but second command gives me error "pool exhausted - no more addresses left". Why?

I have no idea why.

Who is your ISP?

Can you please post your Config
/export hide-sensitive file=spixxyconfig terse

mozerd

Following is my config for ipv6 based on my ISP proving me with a prefix /56 /ipv6 address add from-pool=rogers-ipv6 interface=vlan10 /ipv6 address add from-pool=rogers-ipv6 interface=vlan20 /ipv6 address add from-pool=rogers-ipv6 interface=vlan40 /ipv6 dhcp-client add add-default-route=yes comment=...

mozerd

Just a reminder in case the casual lurker is interested THAT MOAB blocks over 600 MILLION IP Addresses of known perpetrator's [ the Bad Guys ] … that's over SIX HUNDRED MILLION …. In other words, MOAB blocks more than 16% (SIXTEEN PERCENT!!!) of all ipv4 routable addresses :) @Chupaka To be precise...

mozerd

Just a reminder in case the casual lurker is interested THAT
MOAB blocks over 600 MILLION IP Addresses of known perpetrator's [the Bad Guys] … that's over SIX HUNDRED MILLION …. no other blacklist for MikroTik specific gear does that to the best of my knowledge.

PREREQUISITES First

mozerd

Mozerd can you clarify if this functionality is for providers or for the end users? I use VoIP at home and my service is never interrupted and thus was wondering??? aimed to protect against VoIP Fraud and minimizing abuse for network that have publicly accessible PBX's Primarily for providers who h...

mozerd

UPDATE I am in the process of creating a MikroTik specific blacklist for VoIP and specifically aimed to protect against VoIP Fraud and minimizing abuse for network that have publicly accessible PBX's I currently have one prospective client who is trialing this blacklist and providing me with very go...

mozerd

Deleted due to OP believes it to be unconstructive -- My Apologies.

mozerd

DELETED because OP believes its not constructive … My Apologies.

mozerd

UPDATE FYI Effective immediately I will no longer be providing MOAB for RB4011 devices. The RB4011 uses NAND memory == MOAB write/reads 4,300 times over a period of 365 days which may be deleterious to the RB4011 Router's life span MOAB will only be supported on MikroTik Routers that utilize USB me...

mozerd

The RB4011iGS+RM acting as your Router and the CRS328 acting as your Switch I believe would provide you with 1 Gbps symmetrical throughput. And Yes -- GPON SFP connecting directly to the fiber network would be the approach I definatly would recommend. You may need to do some reconfiguration of the R...

mozerd

죄송합니다.이 포럼은 영어로되어 있습니다. RouterOS v7이 개발 중에 있습니다. CHR에서 x86 버전의 현재 한계를 해결하기 위해 노력하는 것이 좋습니다.

나는 유창한 한국어를 할 줄도 몰랐다. 당신은 진정한 다재다능한 예술가입니다! :-디

Вавилонская башня

mozerd

@francoislepage Very nice report. ! for one do not believe that you can get to 1Gbps using your config with the CRS328 ... I believe that the CRS317 could do it using your config test bed. My overview is simply based on comparing the Test Results published by MikroTik for the respective devices.I do...

mozerd

Yea, check Overlaps of firehol_level1 with other IP
http://iplists.firehol.org

mozerd

Yeah, hope they plan to do something about it or create a more manageable/flexible solution in the future. How many lines (give or take) is the end result? I'm wondering since I'm interested to use the Spamhaus drop/edrop "real-time" lists. Will the total aggregate work on a CCR do you think? My CC...

mozerd

Any thoughts about a secure way to update the address list online that doesn't take forever ? The wipe and clean method is highly insecure because the lengthy import times that is direct related to the huge import volumes. Btw, what lists are you using from FireHOL ( iplists.firehol.org ) ? Untill ...

mozerd

Is there any way to use some kind of "dynamic" ip address lookup within the firewall (with eg DNSBL check) in the instead of using the build-in static address lists? The objective is to move out all the static address lists to a server since they've grown to big for RoS. Background to my question i...

mozerd

Sorry for Offtopic but I have to:

Welcome reiniss2!
And congrats on your first reply - it is perfect.
In the future, don't let random users annoy you. There are plenty of us, who truly appreciate great support!

+1
Yes 100% and Welcome reiniss2!

mozerd

UPDATE FYI Effective immediately I will no longer be providing MOAB for RB4011 devices. The RB4011 uses NAND memory == MOAB write/reads 4,300 times over a period of 365 days which may be deleterious to the RB4011 Router's life span MOAB will only be supported on MikroTik Routers that utilize USB mem...

mozerd

A little birdie whispered into my ear that March is a welcoming month full of surprises.

Search found 367 matches