MikroTik

Hominidae

yup, same here on two css610

Hominidae

What can i do to get the device working again?

...netinstall, as always.

Hominidae

...updated two hap ac^3 from 7.13.1 to 7.14.1....both devices are running wifi-qcom-ac, vlans for ssids in bridge filtering mode and booting in CAP mode The bridge/vlan config got messed up completely during upgrade although all of the wifi interfaces got provisioned by the capsman host in the corre...

Hominidae

Hello guys, i have one CSS610 and two CRS310 devices. Because i already have the CSS610 with SwitchOS i wanted to use the 310's with it too. Hahaha...for a moment you had me there...CSS610 is running SOS-lite, not SWOS. ...but wait, what is that?...witchcraft, but non quite so (from my CSS610 on SW...

Hominidae

I watched videos and changed drivers with wifi-qcom-ac and reconfigure capsman. but my download speed did not above 400-410mbps again. I tried different channels but result did not change. ...this is on a cap-ac, so the non xl version: https://forum.mikrotik.com/viewtopic.php?p=1038187#p1038187 I d...

Hominidae

Yes, I think I understand what the problem is in this case. I use pppoe in vlan on built backbone with vlans to transport L2 traffic /network/ with eoip on both ends - CCR2116 and cAP ACs. Yes, ppoe is not multi-thread in ROS, AFAIK...so this imposes a bottleneck. But then this problem should not b...

Hominidae

@JohnTRIVOLTA ...this is my cap-AC and ww2+capsman on a RB4011, client is a Samsung S20FE, 4 meters away:

Screenshot_20231118_215506_Chrome.jpg

...I think yours is a specific, local problem with your setup.

Hominidae

Trying to understand how 802.11ac CAP device interfaces should be configured now. Currently: I have capsman setup to create-dynamic-enabled, and a datapath config that enables vlan and set vlan IDs. In the future, vlan IDs won't be settable for 802.11ac chipsets, but instead they need to be manuall...

Hominidae

I tried that but it does not work. Even if I set CAPSMAN to “create enabled” to avoid having new interfaces popping up outside the bridge, I still couldn’t get the VLAN-s working by manually setting up bridge VLAN filtering and tagged / untagged traffic. Eventually I see devices removed from the VL...

Hominidae

For mixed CAPSMAN setups (qcom-ac and qcom), does it matter which package is installed on the CAPSMAN? For now I kept my RB4011 on 7.12/wifiwave2, but I cannot get VLAN-s working on hap ac2 and wap ac VLANs via CAPsMAN/datapath is not supported on qcom-ac models. Just use standard VLAN / Bridge fil...

Hominidae

Router 4011 reboots on 7.12
i have opened a support ticket: SUP-134808
Back to 7.11.2

Nope, not mine..must be unique to your setup/environment.

Hominidae

...doesn't make much sense to me, the way you are going to split services. When deploying a sense (why would you do that at all, when intentionally only going for DHCP, DNS?) use it as router/firewall + internet (+ vlans, DNS, DHCP, ...) and convert the hex to a simple switch/bridge setup, including...

Hominidae

I believe based on the Script by the user, that he also wants the subnet and wireguard associated subnet to go out wireguard regardless. Thus if WAN2 is not available, he wants wireguard to be established and go over WAN1. SHould not be a problem as the server site and probably doable. Thus I would...

Hominidae

Site A: WAN-1 - Static WANIP - Ether1 WAN-2 - LTE - Dynamic (carrier grade nat) Ether2 Site B WAN-1 - Static WANIP ...this is the way I am doing it: - for DHCP-Client on Site A, LTE: create a second routing table "WAN2" and add the default gateway for WAN2 to it (in addition to the standa...

Hominidae

thanks, updated my small zoo: RB4011 (SFP+: MT S+AO) hex Gr2 (Switch mode) CRS309 (SFP+: DACs from Aristo, Cisco, MT S+AO, fs.com 80m 10G-T) CRS326-24G-2S (SFP+: DACs from Aristo), running wifi capsman LHGG wAP-ac 2ndGen (CAP) 2x hap-ac^3 (WW2 APs) no ww2-capsman, container (Adguard-home) CHR ...VLA...

Hominidae

I am not using the RB5009 but when it comes to reliable USB / Flash storage, you'd normally go for (p)SLC based NANDs. On other occasions, where the reliability is key, i.e. because the flash drive / its S/N gets tied with a software license, I am using the ones from swissbit: https://www.swissbit.c...

Hominidae

Any ideas about the problem? Do you miss some important information in my post? ...are these WW2-ax or WW2-ac devices? I remember, that there is a bug with WW2-ac devices and VLAN assignment via CAPsMAN (Edit: see here https://help.mikrotik.com/docs/display/ROS/WifiWave2#WifiWave2-Datapathpropertie...

Hominidae

Now please suggest some MODERN looking alternative to Canvas, for those that do not like ProSilver ...can't say, that I really like the look&feel of Prosilver, BUT this appears to be much, much faster than the old one...so this is a Feature I'd like to be made Priority 1, with any alternative T...

Hominidae

I agree with you but a lot of devices (home lamps, chinese cheap devices for domotics works in WPA1 ... so I cannot drop completely WPA1. WPA3 still gave me a lot of issues ESP8266 based devices all support WPA2 (but no WPA3, as the underlying SDK from manufacturer espressif does not support it). E...

Hominidae

I try to purely get interVLAN routing working. Since I have NAT covered. So you have static routes on your clients sending the inter-VLAN traffic to the switch, separate from the default route to your OPNsense router? No, I thought the switch chip would register the destination... and then route th...

Hominidae

It's not only for airport radars.
Also weather radars.

...and with a growing number of car manufacturers, that offer speed/distance control for (assisted) driving, based on radar..it's a nuisance.

Hominidae

How would I apply a firewall rule for each VLAN? To allow/block traffic between a VLAN to itself . ...just a hunch, but enabling an "allow" (like all clients in the same VLAN can ping each other) would be against other port isolation rules you have set?, see: https://help.mikrotik.com/doc...

Hominidae

..deploying the correct VLAN config in your Switch alone will not suffice. What you want, in the end, is inter-VLAN traffic to work....this means you will have to configure the Routers/GWs on both sides to allow routing (forwarding) between the two networks. Edit: for the MT Router, using ROS, see: ...

Hominidae

....read this first, since your switch is a CRS model and you are already trying to use ROS, instead of SwOS: viewtopic.php?f=13&t=143620

Hominidae

In hap ac2 and Cap ac is IPQ4018 which does not support wave2.

...not so sure about that, based on: https://www.qualcomm.com/content/dam/qc ... tbrief.pdf

Hominidae

...at least there is hope, then. Thanks Normis, much appreciated!

Hominidae

...if capsman in a mixed wiFi+ww2 will not be made possible, I can only urge you to enable ww2 on the smaller devices somehow. ...maybe introduce a staged boot for capsman, where drivers can be fetched remotely, once a cap gets connected or something else. It is a shame letting these devices go to e...

Hominidae

Unfortunately, it's unlikely that it will change.

...this makes me feel sad :-(
For me, that means no new WiFi-Ax products from MT on the Xmas shopping list

Hominidae

*) wifiwave2 - added initial CAPsMAN support (only compatible with wifiwave2 interfaces) (CLI only);

...finally...can't wait for the Version wth Ui/winbox support
Will this capsman version support a mixed infrastructure (wifiwave2 and non-ww2 APs)?

Hominidae

Use case: I'm using a CRS112-8P-4S-IN as PoE Switch for a video surveillance system in a private house. Some cameras are indoor and should only be active, when nobody is home. ...next best hack, if this switch is soley used for this set of cameras: use a smart plug, i.e. with tasmota firmware and a...

Hominidae

yes, for single-mode modules, you'll need single mode fiber/cable. Check the specs, that the advertised wavelengths and desired distance/length match. Assuming you don't have experience with manufacturing the proper cable, the number of strands don't count into it, really. Fetch a pre-manufactured f...

Hominidae

2,4 GHz "Uplink" to wireless hotspot of mobile phone (LTE or 5G).

...did you consider to use USB Tethering on the Phone to connect/passthrough LTE/5G to MT device?
See example here: https://blog.ligos.net/2017-08-16/Mikro ... droid.html

Hominidae

...needle or pincer, precision toolset ?...pince/pull the SIM's edge to lodge it out of its holder. On my LHGG, there is not much force needed.

Hominidae

Well, I am looking for a truly small size router - RB4011 is way too big for my location...

...another option is RB450Gx4 ... case and PSU sold separately, though.

Hominidae

...if you get the separate PoE switch, just be aware that the RB450Gx4 also supports PoE-In with 802.3at/af standard...so only the RB + case and no PSU needed

Hominidae

Yes, using a PoE+ Switch plus "Router on a Stick" is an option...just mind you, that the Hex/Hex-S IMHO will not be good for Internet/Broadband WAN-lines above 400-500Mbps and the Hex-PoE will even be a bit worse in that respect, I think. For WAN speeds up to 1 Gbps, rather go for the RB45...

Hominidae

I've updated both my RB4011 and hap ac3(ww2). all seems fine except the hAPac3 is showing some strange lines each time that it boots: [me@AC3] > log/print 14:11:08 system,info router rebooted 14:11:08 interface,info Home_vlan link up 14:11:14 bridge,info "bridge" mac address changed to XX...

Hominidae

...Uhmm...the TL-SG1024 is a passive 24x1Gbps switch...and has no PoE capabilities, AFIK. What exactly is it that you want to achieve, when it comes to "PoE cascading"? Do you want the second switch to work as a PoE-Extender? If the existing Switch has enough LAN-Ports, but you want to dri...

Hominidae

...story of our life

Hominidae

...band support is limited by hardware radio capabilities...the future awaits us

Hominidae

@kriszos: thanks for a good piece of engineering, it's a keeper!

+1

Hominidae

its not routeros driver support the problem? what solarflare would do to me? its not the first CHR that i setup, everytime i passthrough the interface to CHR completely fot things to work as it should. my hypervisor sees the adapter before i passthrough to CHR. also my last intel card its configure...

Hominidae

Seems like you are directly forwarding IO to VM, instead of sharing it with CHR from Hypervisor as Virtio interface. The CHR doesn't have any drivers for hardware, ...not true, as I am using IOMMU/vt-d with real, Intel based NICs on my KVM based machines....CHR pics them up just fine. CHR / ROS v7 ...

Hominidae

No, is not the same bug, previous bug is (if you write it correctly)
no such item
this time is
bad command name wireless (line 979 column 25)

...ah, my bad...yes, you are right....thanks for the clarification.

Hominidae

Confirm, installed wifiwave2 on Audience, no other problems than the line in the log [...] This happen because get-custom-defconf is not maded for wifiwave2 only , and have internal references to /interface wireless that do not exist on wifiwave2 only devices. The problem happen also if is added la...

Hominidae

@Hominidae: Can you try what I wrote here? https://forum.mikrotik.com/viewtopic.php?p=890726#p890726 (the 2nd half of that post) Follow the netinstall procedure, and when the device is supposed to show up but it doesn't (after the initial tftp transfer which you can check with wireshark) close neti...

Hominidae

Using the reset-button procedure to recover a perfectly fit for use backup firmware DID NOT WORK (it did with my wAP-ac, I tested in parallel, which still has v6 as backup firmware). I think you have misunderstood this feature. Which is not surprising. "firmware" of a MikroTik router is n...

Hominidae

If you have the craving for instant updates you will not be "screwed" only with MikroTik... ....I am saying this again..... I am not blaming MT for broken features of ROS itself or for a broken release and myself testing it (early). I am blaming MT for breaking BOTH levels of recovery met...

Hominidae

I am really angry, as it took me literally 5-6 hours to setup and test...even with linux and dump switch in between did not work with netinstall I do not see why all is upset. Yes, its not good that software do breaks the router. I am not upset that the update did break the router....my decision, m...

Hominidae

So, I am the one who get bricked device (HAP ac3). Is it possible to bring it back to live? I've tried to download 7.3beta37 netinstall script and firmware, than connect lan1 port with Ethernet cable, on my PC I set 192.168.88.3 ip and default gateway (disabled systemd-networkd unit), started netin...

Hominidae

...thats the problem...it never does appear in netinstall...

Hominidae

...jep...and the hap-ac3 is now fully bricked, as netinstall (v7.2.1) does not seem to work either. According to this: https://help.mikrotik.com/docs/display/UM/hAP+ac3#heading-ButtonsandJumpers the LED should go off when entering netinstall mode, but it never does go off....it starts flashing green...

Hominidae

Bricked another ac3 with wifiwave2 That issue was fixed with 7.3b37. It should be mentioned this version 7.2.2 is not to be used for devices using ww2 ! This is NOT stable ... my view. bbbwuahhh...same here....coming from 7.2.1...WTF? Using backup Routerboot does not work....trying netinstall now.....

Hominidae

Well, I often change the interface names with a -purpose suffix, using only the dash (-) special character. like ether1-inet or ether2-pc or ether8-phone. Same here, but only because there is no capsman with wifiwave2 drivers. Since this is only reported upon reboot, once and everything is acting n...

Hominidae

...upgraded 2 devices, hap-ac^3 model, running as AP with wifwave2 packages, from v7.1.1 The log, after reboot states a critcal error: "error while running customized default configuration script: no such item" Does not go away after a reboot - scripts are not installed. ..looks like somet...

Hominidae

...maybe they changed the behaviour then or my experience was just different. They definitely would report a "rouge AP" even well after the AP with same SSID showing up after the unifi AP booted. But instability of the connection could as well have other reasons. Like I said, some firmware...

Hominidae

...don't know when this started, but I had it happen on two of mine (UAP-AC LR) when I had them running along with my MT setup. Seems natural, as unifi is managed, enterprise solution...simply not a mix&match catered for. The unifiAPs / the controller will basically sound/issue an alert...if cha...

Hominidae

You should disable the WiFi on your hap ac2 or at least use different SSIDs...unif APs will detect the other WiFi signal with same SSID as a "rogue AP" otherwise and will simply go offline.

Hominidae

What could be the cause of the sudden drop in signal? Is it likely to be a hardware issue of software issue? As a side note, there is another part of the infrastructure that could be accountable for your problems. Check if the provider tower is out of order or simply if it still does exists. I had ...

Hominidae

EDIT: got up after almost 10 minutes of waiting.

....standard for DFS channel search/wait on 5GHz band...has always been there (must be, as per country regulations).

Hominidae

I get 400+ before and after wifiwave2, maybe a tad more on the latter. So really not impressed :lol:

...then you are one of the lucky users, where standard wifi drivers worked good already (never had 300+ here). Maybe you should upgrade your clients to see a difference like I do ;-)

Hominidae

any hope to get a smaller wifiwave2 packages, i have an early cap ac / hap ac2 version with 256 meg of ram but with the small space, i would love to try it out I have it running on AC3. I am not that impressed as far 5Ghz is concerned. I get more or less the same speeds as the old drivers. ...reall...

Hominidae

...the point is, hence the reference to putting in on a shelve: if you already own one, then do use it. ...if you are looking for better performance but start with new hardware....go elsewhere or wait.

Hominidae

...better practice....try it out, go through the dungeons of configurations without the ability to use capsman....once you are there, keep it and never look back...maybe software will evolve over time. I would not trade my hap-ac3 units anymore...definitely, they are not on a shelve...my cap-ac and ...

Hominidae

meeeh..yes, the encryption segment is per default hidden in webfig and winbox...no wonder, I didn't see it with my old eyes...I am balding fast

Hominidae

Try to add gcmp and gcmp-256 to the encryption list.

I've added both gcmps [...]

...ehhrmm...how did you actually do that? I can only select one item out of the possible list in the group encryption entry under the security tab.

Hominidae

...ebay seller has some stock, while its own online shop only tells to wait for batch to arrive in june.
You should maybe call them and ask...
Otherwise, go for a WiFi model and add a RJ45/SFP media converter if you can't wait.

Hominidae

-> https://www.ebay.de/itm/153137660884?ep ... SweR9f4gjY

Hominidae

Thinking this over ... this changing of 'client-IP' should be dealt with automatically by the WG-protocol, as last resort should toggling of peer status do the same thing ? A reboot should not be needed. Agree with the reboot thing. But a Change of local WAN IP in my case does not toggle the conntr...

Hominidae

When I updated the remote hAp ac3 from 7.1.3 to 7.1.5, the wireguard tunnel never came up (waited -30 min to see if it would eventually come up, but it did not). I see the same, when my local IP. which is passed-trough from LTE (LHGG) changes. Resolution is to delete the existing conntrack entry to...

Hominidae

...I am not recommending the use of a CHR, it is just what I do use. You can of course do that with any VPS, running a linux OS and with iptables and wireguard installed. But since you do have a MT and know your ways there, why introduce another system type? A P1 license is not coming with a huge pr...

Hominidae

RouterBOARD 750G r3, Update from v7.1.3 it break routing table

same here for a RB4011, update from 7.1.1

Hominidae

In configuring the wireguard of the local Mikrotik, I put the public IP of the Mikrotik CHR is the endpoint peer. How about in the Mikrotik CHR, what is the endpoint IP I should put? ...not needed. The local MT will use the endpoint config to initiate the tunnel to the CHR. As it is behind CGNAT, t...

Hominidae

so that any rules or setup I'll practice with on my Mikrotik virtual divice would affect my external Browser internet access and navigation. ...isn't it "..so that any rules or setup I'll practice with on my Mikrotik virtual divice would *not* affect my external Browser internet access and nav...

Hominidae

I know that the better solution is to reset the router or netinstall new firmware but the problem is that im too far from the device (thousands of miles) and no one have access there. Could you please advise me what can I do in such case? +1 physically remove and replace/netinstall. Also, as it is ...

Hominidae

1. Internet acces is done by a Fritzbox 7490. 2. Behind the Fritzbox is the DMZ and then the Mikrotik router RB3011. ....there is no such thing as a DMZ with a Fritz, not even the concept of this available from AVM. With a Fritz you cannot disable its Firewall and NAT. The next best thing you could...

Hominidae

The local server still communicates to the internet but it uses the public IP of my mobile data network which is in CGNAT. I would like the local server to use the 10.200.200.1 network to communicate to the internet so that if I check its public IP, it will show the public IP of the VPS. Is this po...

Hominidae

I haven't got the option to set a bonding protocol on the SMC, I can only set a port to be a trunk and add up to 8 ports to that trunk.

Ah, from your previous posts, I'd actually understood that the other way around, sorry.
I only use ROS on CRS models, so cannot help any further, unfortunately.

Hominidae

...in this setup, there is no need for port-forwarding on the MT router. MT router will enable the link to VPS via its wg enpoint-configuration in the peer to VPS, hence overcoming the CGNAT limitation of the local MT WAN-Link. Once the tunnel is established, it will be fully bi-directional, even if...

Hominidae

I've tried static lag but, reading so many posts, I 'think' I understand that SwOS uses Balance-xor? I was only able to get the SMC swicth to work in static lag configuration using balance-rr ....I wonder if SwOS/CRS328 will get confused if you'd set balance-rr on the SMC only (so CRS will see the ...

Hominidae

Then the ping from Tik1 to the PC would not have succeed either, would it ?

...yes, but not necessarily so.
another thing might be a "mangled" config in the access-list of the wg peers.

let's wait for the OP to show more details of the config on both MTs.

Hominidae

I don't think CPU usage is a problem. As you said, the 5009 should do more and runs at a maximum of 39%. The CHR runs at 4x 4.0GHz with less than 10%. ...running a similar setup (RB4011 with 1G/55M I-Net and 1x3GHz/2M CHR,) I can confirm, that 450Mbps is max for traffic via the wg-link. As RB4011 a...

Hominidae

pings from 192.168.100.1 to 192.168.113.10 work. ...if this is true... The classic problem of Win PCs not responding... been fooled by that one too already multiple times. ...then this is not the cause of the problem, as the MT-CHR is on another subnet as well. ....feels like there is a problem wit...

Hominidae

...cool thing.
Were all of the supplied voltage inputs of the same level, like all 24V or all 48v?

Hominidae

...I see V033 is available...my unit is on V029...any info, if an upgrade would improve things?

Hominidae

but when I did one try before disconnecting dc power powered down 5009 and it went back later on poe but it was not uninterrupted action. As far as I understand, the different power options are for redundancy, not increased availability. Meaning if one source will fail, the unit will restart (re-po...

Hominidae

...no need to create a double post....pls stick to one thread, whichever you find appropriate of the two.

Hominidae

CHR costs money and if you want it free - you are limited to 1mbps only.

Your solution is *not* free, too.
....running one year of your linode VPS is as expensive as my VPS (1 year) + one, onetime P1 CHR licence...at least in my calc sheet, just sayin'

Hominidae

no, I don't think that there is a dependency. What I meant is, that the reset-procedure is sometimes flaky. After trying to reset and expecting the MT device to enter netinstall mode, it simply does not but starts up with routerOS, but "empty" with no IP config enabled. Hence IP based prot...

Hominidae

....I did the same thing, going back and forth between v6 and v7 ROS on my hAP-ac^3 devices several times without issues. Hence I cannot help with your problem, really. All I can say is, that the netinstall method worked OK for me on other MT devices. Sometimes, it felt that the devices seemed to ig...

Hominidae

maybe...a one-time licence, not a rented CHR on a VPS, is not what I call expensive. Actually I was able to save 1 buck a month by the ability to just use/migrate to a smaller VPS...just sayin'

Hominidae

Blaming the other devices look obvious, but in case of the Fritzbox I don't believe it. I definitely can blame it on the fritz for sure, as a FW-update to FritzOS FW v7.21 - which was the only thing changed in my infrastructure - caused exactly this behaviour. Before that, the setup ran for months ...

Hominidae

glad, that it worked out...you should also set a persistant keepalive in the peers to a number much lower than your FW-conntrack settings.

But why not use a CHR on the VPS?...could possibly same some ressources and easier to configure....

Hominidae

...whatever the proper name might be.
The question relates to the fact, that on wifiwave2 driver, the only modes available are "ap" or "station", no stadion-bridge or something that would indicate that a "wireless-backhaul" can be created with wifiwave2 drivers.

Hominidae

...same here, on two other KVM based VPS providers and ROS v7 (stable)

Hominidae

...I tend to believe that, when using wifiwave2 drivers. Based on my experience with hap-ac^3, this is a real performance boost. @normis: as Audience is wifiwave2 capable: is Audience 2nd 5Ghz band/device capable of running a "wireless wire" with wifiwave2 drivers (I understand that mesh i...

Hominidae

...yep, just use it in "bridge mode" only and do not add/enable any firewall rules.

Hominidae

How to connecting wireguard wireguard inside mikrotik router to wireguard on the vps. The mikrotik router that I use only gets a private ip from the ISP. ...once the tunnel is established, it is a bi-directional IP-Link. Just establish the tunnel from local MT to VPS. In local MT specify the VPS-pe...

Hominidae

...still there in 7.1.3....just got bitten by that, after setting up a new CHR instance ;-(

Hominidae

AFAIK this switch only uses SWOS-lite, not SWOS ... different firmware "products", although versions might make you think these are related. When the switch hit the market, it was shipped with a release candidate (v2.12rcX) of SWOS-lite, hence your thinking to go back to that version numbe...

Hominidae

no, using VLANs to separate traffic from individual SSIDs is an add-on on L2. It is common, for example for a Home- plus Guest-WiFi SSID. This way you can treat traffic individually in the firewall. Not related to your "problem". If your environment is crowded WiFi wise, this might be a ca...

Hominidae

...for the purpose of a "standard" AP, with multiple SSIDs separated in VLANs, v7.1.1 and wifiwave2 works much more reliable on a hAP-ac3 than with v6 and standard wifi drivers (plus better performance)...at least for myself, running 2 units in the house.

Hominidae

...for a hAP-ac3, without the need for capsman in a small setup -> use wifiwave2 drivers and you'd be amazed what the performance boost would look like.

Hominidae

...not quite sure what you are saying here, but virtio network (and disk) drivers should work out-of-the-box, hence no need to install them in CHR image separately.

Hominidae

My guess for the price point of this card would be more like $500... check the other CCR2004 devices. ...it's around a 180USD/170EUR...you can place pre-orders already for that price. But of course you can put in an SFP+ module or DAC. Although pinouts are matching, whether these will actually work...

Hominidae

If you are hacked when using any new appliance then the egg is on your face for having opened the router to the public before or while configuring. Actually you cannot help that with a CHR, can't you? AFAIR dhcp-client is active on ether1 by default and I personally had the bots in at some occasion...

Hominidae

...but there is a switch with SFP28 ports misssing in the asssembly/line-up, isn't it? No use buying, when the only switches available are non-MT :roll: If it is going to work well with Linux and Open/FreeBSD it would give us more flexibility and a lower price point than some Intel 10G! I don´t yet...

Hominidae

...currently using it as a switch down in the cellar, with PoE-in, in front of my EV-Wallbox and garden AP. But now I am sure I could even use it as a semi-hot spare (did that in the past with v6), should my RB4011 go down...it would limp along at 30-80Mbps on my 1G Internet, but still I'd get along...

Hominidae

Resurrected my first ever MT, a (now) old Hex (RB750G r2, factory FW 3.27) via upgrade channel 👌

Hominidae

2nd variant: ...get a VPS (KVM) that allows to install your own image (mine is approx 3USD/month, 1vCPU, 2GB RAM, 20GB SSD, 40TB traffic - but anything with 512MB+ RAM will do fine) and host/install a Mikrotik CHR on it.

Hominidae

I also wonder what price tag this will have

...you can place it on pre-order for roughly 2.4kUSD ... use your google.fu.

Hominidae

...but there is a switch with SFP28 ports misssing in the asssembly/line-up, isn't it?

No use buying, when the only switches available are non-MT

Hominidae

I've checked (in US) Hex-S I should take a look at, ty. Ah, sorry...different part of the world. -> seems legit, no?: https://www.ebay.com/itm/203557144467?_trkparms=ispr%3D1&hash=item2f64f38793:g:WF4AAOSwmDNhFBst&amdata=enc%3AAQAGAAACkPYe5NmHp%252B2JMhMi7yxGiTJkPrKr5t53CooMSQt2orsSjVt3vLKC...

Hominidae

...RB450Gx4 is available and should be capable of sustaining 1GBit WAN
Edit: ...and Hex-S is reported to be good for 400-500Mbps WAN, even over ppoe.

Hominidae

Didn't look at the size of the room so far. But indeed 3 units might be an improvement. I would not reduce TX power until really needed. The 3 units should work on different frequencies. If on the same freq all devices wait for each other whatever TXpower reduction is used. Totally agree. Placement...

Hominidae

... without capsman, there is no real use of ACL ... Why do you think so? ...because it is a distributed list....you need extra effort to manage it centrally, then deploy to each AP. Also in winbox, the "copy to ACL" button in wifiwave2 registration list panel is simply non existant (as i...

Hominidae

Our office is an open space area 30 X 18m large with few meeting rooms of glass in the corners. I'm running 2 CAP ACs on this floor. Packet loss starts unpredictably for different users Maybe you need to go for 3 units in more of a triangle arrangement, with reduced TX-power, then? Also, you should...

Hominidae

+1
thank you!

Hominidae

....as said, I also did not test this. If you really believe, that hw-offloading for the ethX ports is of essence, then use another switch with a proper switch chip in addition to the hap-ac3. Then with wifiwave2 use brige filtering with PVODs for VLN seperation and an ethX as trunk to that swicth. ...

Hominidae

N.B.: @Hominidae suggested "hybrid" approach of using both /interface/ethernet/switch config and /interface/bridge with vlan-filtering enabled. This kind of setup is not very common (and AFAIK is not supported by Mikrotik at all), is not very well tested and might cause some unexplicable ...

Hominidae

...maybe it is not a fix but the lack thereof ? Hoenstly, I configured everything in defaults and only set the regulatory domain....but how do I know that these things are being followed? IMHO we have seen a decrease in speed with standard wifi drivers over the years, as more and more regulatory res...

Hominidae

i'm added pvid vlan 10 on bridge port wifi2 (wifiwave) still didn't get ip from dhcp with configure vlan on switch menu As already said, you need to use vlan-filtering=yes for the wifi interfaces to work with VLANs...but only these. You maybe could combine things. Use one ethX as trunk for the wifi...

Hominidae

no, why...you could still add the wifi interfaces to the bridge, but configure the ethernet ports via the switch menu: https://help.mikrotik.com/docs/display/ ... switchchip
The wifi ports do not support hw-offloading anyway.

Hominidae

...but you cannot configure the WiFi/Wave2 Interfaces/SSIDs VLANs in the switch menu, can you?

Hominidae

...your ISP Router is already acting as a router, as it seems. In order for DLNA to be available, all devices accessing it need to be in the same IP segment as the DLNA server.. You curently have your MT in a second segment and acting as a router. So turn your mikrotik from router to Bridge/AP mode....

Hominidae

AP Device: U6LR (3 ssids: Vlan 20,30 and third under default 'LAN'{MGMT Vlan} ). Mikrotik: RBG450GX4 (eth1 -connected to internet, eth2 -connected to AP, eth3 connected to downstream switch that has Unifi controller connected,eth4,5 other devices ) The link I posted is for a switch. Your scenario i...

Hominidae

...you could tie/glue a RB450Gx4 and a hAP-ac^2 together, eh?

Hominidae

See: https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching#BasicVLANswitching-Otherdeviceswithabuilt-inswitchchip for use with the RB450Gx4 In General, see: https://forum.mikrotik.com/viewtopic.php?f=13&t=143620 should Unifi AP have atleast one of its SSIds with 'LAN' setup for managem...

Hominidae

All I want to do is use the little guy as a switch. I don't want it connected to the internet, nor do I need it as a router, without the need to adjust some settings, there even is nothing to do at all, isn't there? Switch it on and it will perform the function of a simple switch on all ports. In c...

Hominidae

..:Webfig in v7 seems far from complete or bug free....Routing Mark column is not there in v7.1.1 compared to v6.4x, indeed.
Also the current routing table is sometimes truncated as well

Hominidae

...all my 2.4GHz Smart-plugs and older gear works flawlessly with WPA2 + WPA3 enabled. What I am really pleased with is the Speed at 5GHz....at least double, compared to default wifi drivers. I am still in need to fine-tune, running on default ATM....as the range is also greatly increased, I notice ...

Hominidae

...I concur....this is what I did as well, but in current times, the other stuff went to unavailability by the seller. As I had my MT equipment still around, there was only a short 2nd thought about trying....meanwhile I had to cancel my order. With the current wave2 setup I now can wait until other...

Hominidae

Hi all, What's the best mikrotik unit that will support 500Mbps +/- via wifi. I currently have about 650Mbps from provider and would like to at least use 500+ of that through wifi. I bought a few ac2 which the spec sheet says they support 5ghz and 867Mbps, but I'm not seeing more than about 150Mbps...

Hominidae

I could access every device via vpn in my home. But if i traceroute the public ip from a public place the last hop is the first ip from my VPN-Server. So i think the way is the right but my VPN does not route the request over wireguard. So i rechecked if the ip route from 8.3.2.1 to wg0main and it ...

Hominidae

Hi Hominidae, thanks for the graphic! Like Sob, unfortunately I do not see how the IP gets to the home server. Or is the solution not good in terms of performace ? Is NAT transferring all traffic from online to offline in your solution? ...don't understand what you mean by online/offline. The forwa...

Hominidae

I don't see how it routes second public address to internal server, as OP wanted, it looks just like NAT. Yes, basically that's true in my case. However, OP stated, that the inbound route had been solved but still missing the outbound path. Maybe I misunderstood the term of forwarding a public IP i...

Hominidae

Do you mean that you have rented server space on the cloud and put CHR on it?? The mechanics of this escape me and does it have a public IP?? Yes, I have a CHR on a VPS Server....of course it has a public IP space. My use-case is a bit different than that of the OP. Both my local WANs have a dynami...

Hominidae

Do i understand you right ? Thanks for your Help! ...here is a picture of how my setup looks like: https://i.imgur.com/HBWyKTl.jpg ...basically, I do have my home-MT (RB4011) and my Cloud-MT (CHR) connected via wireguard link (actually I have dual link/dual WAN with switchover between cable and LTE...

Hominidae

Are you sure that the Public IP has to patch to the Interface on the public server ? Yes, I am sure. IPs are not a floating element, that you can take with you across the globe. The IP is manged by the Hosting Provider of your online server and only allocated, as a single IP to you/your online serv...

Hominidae

my 2 cents: why bother?...since 2016 a lot of other things came to life in the maker industry. You can easily get a DS1820 probe with an arduino/ESP8266, wired/ethernet or WiFi with even greater flexibility and scalability....waiting for the first person to host MQTT/mosquitto broker on a MT; now as...

Hominidae

...both MT will be easily up to that task and will save you a lot of energy (and noise). However, should you require some extras, like IDS/IPS...these addons are not available (but wireguard and zerotier support is there just now) on MT. I have a RB4011, with a 1000/55Gbps cable + 50/25 LTE WAN link...

Hominidae

...i'd actually doubt that a RB4011 will be capable of running/saturate a 10G WAN (incl. NAT) link...it can serve around 6+ Gbps, I think....maybe 7Gbps with overclocking the CPU a bit. Keep in mind, that on a fiber ISP connection, the link will often have to be established va ppoe in a tagged VLAN....

Hominidae

...as far as I know, you will need a dedicated transfer network for the ovpn connection, not just the same IPs from your local LAN for clients. See: https://help.mikrotik.com/docs/display/ROS/OpenVPN#OpenVPN-OVPNServer Also note the hint at the bottom of that page: Since RouterOS does not support ro...

Hominidae

...well, OK...but then you DID attach the IP to the online server ... the provider of that server will not allow/route that IP to a location outside of its infrastructure segment the online server sits in, Maybe I misinterpreted the way you described it. Seems like you are missing the route back to ...

Hominidae

WG connection is working but I've problem with local DNS.
At WG client local names are not resolved but when I ping IP (matched to the name) it's working.

configure/instruct roardwarrior clients to use the Cisco as DNS (assuming this is holding the resolver for local names).

Hominidae

The online server run Ubuntu 21.04 as wireguard server. Wireguard runs perfekt. I could access every device via vpn in my home. I ordered a second ip for my server but did not attached it to it. I route it over wireguard to my mikrotik router at home: ip route add 8.3.2.1/32 via 10.1.1.2 dev wg0mai...

Hominidae

...my way of using shelly devices is to flash them with tasmota first ... no probs with wifi as well, afterwards....but I am using my own "cloud" to integrate them.

Hominidae

So I bought a MikroTik RB2011UiAS-RM and I am so impressed but I now have a problem and have no idea how to solve it. My Unraid server is not accessible via the network so I lost all Dockers running like Plex and Jellyfin. ...so you did not use a pfsense before but unraid and Dockers on it had been...

Hominidae

...the RB2011 is not a managed switch, but a router and I gather you'd want it to be that way. Your problem has nothing to do with Mikrotik, pfsense or unraid....my best guess is, you messed up your IP-Network scheme when swapping a pfsense for the RB2011. Without knowing what your setup should look...

Hominidae

I mean, 20-30 mbps is more than enough for browsing, terminals, even video calls, etc. Higher speeds are great, but the reality is that most companies have relatively small uplinks. Do not get confused...Wireless speed and LAN/wired should be compared by a factor of 10. So this is a 60Mbps Lan/Wan ...

Hominidae

I am amater that you see such an improvement. Whats with capsman support for wave2? I am surprised myself...did not see that kind of performance with a v7rc last year. However, no capsman fpr wifiwave2 (yet?). I really hat bad experiences with latest v6 stable and v7 and standard wifi drivers (5G l...

Hominidae

...the performance of the cap ac, when mounted on a wall is definitely minor to its performance in ceiling mount. There is new cap ac XL model that promises improvement. Did you consider to build yourselves a "dummy" ceiling mount (like a simple L-shaped construction)? In general, the WiFi...

Hominidae

With rc3 Fastrack with bridge-vlan-filtering is working.
Almost half the CPU-Load with three times the troughput.

...good find and thanks for confirming!
I am just not prepared to run my main router on a RC-Version of ROS as of yet...using 7.1 stable path is dangerous enough

Hominidae

At the moment i have a hypervisor with a 10G-Trunk with 4 VLANS, and a VM in each VLAN with a router-on-stick RB5009 who does the routing between the vlans. For tests i have disabled all Firewall Rules. VM_VLAN10+VM_VLAN20-->vSwitch-->Trunk-to-CRS309-->Trunk-to-RB5009 But even then i just get the f...

Hominidae

If an item is sold out, this doesn't mean it's EOL. Mikrotik is pretty current in removing EOL +1 If you observe what is currently going on in the manufacturing and supply chain, there is no wonder that availability is not at a constant flow right now. You can find shops out there, stating that hun...

Hominidae

...is this on the 5GHz band? AFAIK, some PCs/laptops do have NICs that do not allow for certain/all frequencies/channels on that band (in your area of jurisdiction).
If your wlan interface is set to "auto" channel, this could easily happen.

Hominidae

for 1: YES for 2: don't know for 3: dead simple, licenses are "stored" and allocated to machines in the MT-cloud. You will need to get an account (its free) when purchasing the license and each CHR will "call home" with its ID. From there you can transfer these with 2 clicks betw...

Hominidae

I think the problem is the wifi has restricted access and it fails the Android "internet access" test. When Android thinks there is no internet access across wifi, it (sometimes but not always) sends the data over the mobile access. Hmpf...so you are not in your own, managed wifi zone but...

Hominidae

Basically the inter VLAN routing should be enabled per default. Hence, the "normal" way of doing what you want is not to enable forwarding but rather to actually restrict the inter-VLAN routing between VL10 and VL1 to traffic/connections originating from VL10 to the mqtt Broker (IP and por...

Hominidae

The problem is that Android will sometimes (but not always) use mobile broadband (which I have no knowledge or control of) instead of wifi. Using an address that is *only* reachable on wifi would solve the problem if I could handle the routing in the AP. This indicates that you might have a problem...

Hominidae

That change does not seem to have any effect on the behavior I’m observing. ..but then, what is actually the ID used for traffic? For example on the interface "bedroom"...is it vid=2 or vid/pvid=1 ? ... attach a dhcp-server with a different pool to each vid and see which one feeds IPs to ...

Hominidae

As you can see the bedroom-* interfaces have inline vlan-id=2 while iot-2.4 has vlan-id=99 through the "Matryoshka IoT 2.4Ghz" config. On CAP's `/interface bridge vlan print` only the iot-2.4 interface is recognized as tagged for vlan-id=99. The bedroom-* interfaces are untagged for the d...

Hominidae

...Aggree with you on the last part, as I thought you'd be using your setup in manager forwarding mode,So I've been referring to the second part of the guide. So, maybe you did not follow the guide entrirely? PVID=1 is the standard ID, system wide....so maybe you actually want that VLAN-ID on that i...

Hominidae

Am I doing something wrong or should I just manually set pvid on the interfaces? No to both parts of your question.. The Bridge in context is the Bridge at the Capsman-Router, not the Bridge at the CAP. I see where maybe this guide given in the link is somewhat "tricking" a reader into th...

Hominidae

...aggreed...just offered that, because I've been putting myself on that foolish side, too ....been there, done that

... lots of YT-videos do show that kind of stuff

.

Hominidae

Hi Everyone! I tried looking for this topic so sorry if it's been asked! I went ahead and upgraded my router to 7.1.1, created a Wireguard interface, peer, all that good stuff, on my phone as well, and got it working! So cool! I can access my NAS from my phone now without the need for "The Clo...

Hominidae

-> viewtopic.php?f=13&t=143620

Hominidae

...not up to the stable release, no. All WG entries currently lack a logging feature,
Also, there are no users, only peers...best would be to check their last handshake info (or change thereof) or find / check their IPs (which you could also keep in a Address-List)

Hominidae

If no route whatsoever (not even the default one) is available in the routing table requested by means of a routing-mark , RouterOS normally uses routing table main to route the packet. To prevent that, you have to explicitly state the following: [...] Or another possibility is to add a default rou...

Hominidae

Many thanks for your response. If your ISP tolerates that, you can attach two APN profiles to the same LTE interface, and you will get a separate address for each of them. So one of them can be a "normal" one used locally by the LHGG, whilst the second can be the passthrough one used by th...

Hominidae

Hi Folks, I have a LHGG deployed, with its LTE-Link on passthrough to a RB4011. The LHGG itself gets managed via VLAN-ID 02 over the same llink. What I want, is to have the LHGG to *only* use its "own" LTE WAN, when accessing the internet. This *includes* the use/update of its DDNS address...

Hominidae

About NAT I was referring to my case where I establish a VPN connection from SXT to CHR (on datacenter) to get around the CGNAT that I have on my LTE connection. Ah, yes..I now understand. I actually decided to trust the local endpoints of my wg tunnels, so I'd only open ports on the CHR but I've d...

Hominidae

Actually recursive route works in v7.1.1 (I'm using it on my router), but you need to make sure that target-scope is set with a value higher than scope. This is not taken care by the migration script, so initially the route is marked as invalid; then you can fix it by setting the target-scope (just...

Hominidae

If using a static route on RB4011 you could implement recursive route to define it, so that check-ping will check the end point at the destination side instead of the internal address between LTE router and 4011 and it will find whether one route is still working or not. ...I do that for the WAN de...

Hominidae

Well... OSPF as such also just prepares a backup route, same like the static routes. What makes the difference in the switchover time is the rate of link transparency checking. check-gateway=ping sends the test pings (or ARP requests) every 10 seconds and it cannot be affected, whereas the bfd send...

Hominidae

thank you so much for your response! Wireguard is a way of encapsulation, encryption, and NAT traversal all in one, whilst GRE is just a way of encapsulation. You may not need encryption so much as the traffic between the Asterisk and the remote server will go plaintext (or whatever application laye...

Hominidae

Hi Folks, I need your help in getting my head around the best practice for defining a stable, resilient route from my home DUAL-WAN setup to a CHR on a VPS, which I want to use as default GW for my VOIP server. Here is the thing, I depicted in my head so far. I need help defining the best way to go ...

Hominidae

Yes, capsman will not alter the config of the main router, but you need to have a firewall rule in place to enable capsman to talk to the local ip (input chain, action=accept, dst-ip=127.0.0.1). Check, as it should be there by default. To be honest, for a single WiFi AP, even with 2-4 SSIDs, capsman...

Hominidae

...not limited to forums...complete domain mikrotik.com wasn't available for me on sunday - including DDNS / Cloud Service. I am sitting in central Europe

Hominidae

...running a x86 Router with a WiFi Card is complete nonsense....my 2 cents.
To answer your question more directly: well. I don't know, but didn't you try it?

Hominidae

...updated several hap-ac3, wap-ac, cap-ac, one CRS326 and one RB4011. After a couple days, some WiFi users started complaining about I-Net speed degraded (WAN1 is a 1Gbps DOCSIS cable link). Rebooted the AP in their zone and performance was back to normal. After the same issue occurred today, I tes...

Hominidae

...a lot (at least all I know) of people have tried modules from ubiquiti (note, not ones from other vendors, that are marked generally compatible) and failed. These buggers are cheap...must be a reason behind that. Buy the next, marked generic from amazonia or the bay and go with it....or use the 8...

Hominidae

...all that info is already in here, somewhere: viewtopic.php?p=890592&hilit=crs326+fan#p890592

Hominidae

...it is said, that a picture is worth a thousand words..pls. draw us a pic: https://app.diagrams.net/ including all IPs used, routes deployed for all relevant components, that are to be connected/reached.

Hominidae

This is not working, as soon as I set route in zerotier I can not reach the HAP AC2, so something is going on, but I have to disable the route in Zerotier to be able login into ROS on HAP AC2 that respective chain for that connection is the input chain in the hap^2 firewall. Access to others is the...

Hominidae

I hope, I can trust this compatibility list... Anyway, I made a note about the alternative solution you proposed. Many thanks.

Yes, you can,
Actually when I bought my RB4011 the XS+DA0001 was not available in the market, only the S-DA0001, which would not work.
Sorry for the confusion.

Hominidae

Hi all. Thanks for opening my eyes... 8) Haven't had thought about using SFP+ connectivity between the CRSs & the RB4011 at all. According to https://wiki.mikrotik.com/wiki/MikroTik_wired_interface_compatibility all three devices should support https://mikrotik.com/product/xs_da0001 . I'll remo...

Hominidae

As the CRS326 and CRS112 both have at least 2 SFP+ ports, I'd also connect the CRS112 to the CRS326 using a 10G link, either fibre or DAC if the distance is very short.

IMHO CRS112 has 4xSFP, hence 1G, not 10G.

Hominidae

...I'd use Option 3+, using a 10G AOP/Fiber connection between CRS326 and RB4011 instead of a 2x1G bond. According to the block diagram of the RB4001, each Switch Chip is connected to CPU with a 2.5G Link.....SFP+ with 10G, with max-out because of CPU with approx 6-7Gbps. This would be the best of a...

Hominidae

Ehhmmm, that statement is totally different that the one you gave in your first post.
Unclear how your setup looks like, where the zt-clients are (rPi or MT-hap^2, phone/App) ...and what you want to achieve...pls create a diagram of your setup.

Hominidae

Before I used the Mikrotik (it's main purpose is the load balancing and failover between the 2 ISPs (with a Fritzbox each)), it was working without a problem. Each Fritzbox has its own dyndns and the respective dyndns with port 21 was forwarded to the FTP server. ...then, what stopps you from keepi...

Hominidae

...it is all about network routes and gateways. The concept you want to implement is that of using the zt-net as a transfer net between the two other sites A and B. We talk about L3 routing, not L2 switching, zt-central can populate the routes configured in zt.central to each client. The zt-IP of th...

Hominidae

...this not in any case MT related, isn't it?
zt is a SDN, so every device will be on the same ZT-LAN....that's the main purpose.
Should you desire to use zt as a transfer network, enable routing...on both sides of each connection...zt-central allows to configure routes

Hominidae

would there be any problems with dyndns configured in the fritzbox this way? stay away from myfritz, as this will enable some portforwarding "backdoors" to access the fritz. Yes it comes with dyndns as a by-product, but you either have a standard means to add dyndns to your fritz or even ...

Hominidae

....interface is only about what it is, interfaces...physical or logical devices...IP addresses are...guess where: /ip - address Edit: RouterOS is for a router, not a switch....if you do run a MT switch, it usually would also allow to boot into SwOS. However, I've never seen a Switch as such to give...

Hominidae

...a Fritz is a bitch...very unreliable and unpredictable sometimes...I finally stopped using these, after they introduced port flapping and a MT Router with their latest firmware, starting v7.21 The effects your seeing could be anything left in its config after you changed back and forth, even with...

Hominidae

...configure - in zt-central - the route to your LAN with GW being the zt-IP of your zt-client on MT (10.147.20.133, make this a static IP in zt-central).

Hominidae

...IMHO you can't really avoid Double NATing, as the Fritz will not allow to disable NAT in its firewall. You could disable NAT/masquerading on the CCR altogether, but would still need a port forward on the CCR for SCR 192.168.0.1 to DST 192.168.2.2 as the fritz will use the CCR as GW for the 2nd ne...

Hominidae

You will need a separate IP-net for the red channel and instruct the firewall on the tp-link to deny forwarded traffic between the two. What firmware is your TP-Link using? You could do all this with enabling Zones and/or VLANs, but I think you'll need to move to openWRT or dd-wrt for that kind of t...

Hominidae

...get rid of the ISP-DNS alltogether....as said, disable in DHCP-client to ISP and in MT DNS settings. In MT Router, for DHCP-Server to your local clients set DNS-Servers as A: Adguard-IP (...88.250) and B: MT-IP (...88.1) In MT DNS, set forwarded DNS to the same list (well, the plain IP based ones...

Search found 354 matches