MikroTik

Zacharias

If the question is whether you can connect the LAN side of Injector 1 to the LAN side of the Injector 2, yes.

Zacharias

With this i got some kind of success as the terminals CAN connect to the Wi-Fi but they instantly loose conection again. What does the log say about that on the WAP when you set /system/logging/add topics=wireless,debug action=memory and then you try to connect ? Also, check here https://wiki.mikro...

Zacharias

/ip address
add address=10.10.59.1/24 interface=ether2 network=10.10.59.0

Change it to

/ip address
add address=10.10.59.1/24 interface=bridge-local network=10.10.59.0

Zacharias

What do you mean by modern ?

CRS3xx line.

ok, indeed CRS3xx are very very good...

Zacharias

What are the network requirements ?
RB5009 is a good choice.. but there are other routers too https://mikrotik.com/products/group/ethernet-routers

One is enough, but in a more advanced scenrario, e.g. VRRP you could use two as well...

Zacharias

Why do you have both :

add address=192.168.0.0/24 gateway=192.168.0.1
add address=192.168.0.0/14 gateway=192.168.1.1

Zacharias

Looks good! And proof, that we need a short depth modern PoE switch.

What do you mean by modern ?

Zacharias

I agree with @mkx.
A VPN is suggested, or at least a port knocking mechanism...

Zacharias

I agree with @mkx... Also, i want to add that indeed CRS1xx does not support neither 802.3ad nor xor in hardware... According to the manual CRS3xx, CRS5xx series switches and CCR2116, CCR2216 support xor and 802.3ad bonding in hardware... https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2...

Zacharias

Not with atheros 8327
Read here https://help.mikrotik.com/docs/display/ ... Offloading

Zacharias

Looks like DS416play or alike.

Exactly...
It supports 802.3ad...

Zacharias

@winap, here is the changelog https://mikrotik.com/download/changelogs
You can see all the fixes and improvements that are made on V7 as far as the LTE is concerned... Its not always about performance only...

Zacharias

It is normal that it now asks to press the RESET button

Exactly, it was added on ROS v 6.49.1
*) routerboot - enabling "protected-routerboot" feature requires a press of a button;
https://mikrotik.com/download/changelogs

Zacharias

Personally i install ROS v7 on all the LTE devices i have in production since there are many improvements there...

Zacharias

IPsec does not create any interfaces. so you can not manually create any routes as you would do with GRE for example.

Zacharias

Remove ports ether1 and ether2 from the Bridge.
Then create the bonding interface with ports ether1 and ether2.
Finally, add the bonding interface to the Bridge.

As simple as that...

Zacharias

Also check Basebox (and the set of pigtail cables).

I like this suggestion.

Zacharias

Everything you need to know is here https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-Createedgeports Create Edge ports so that you restrict the port from sending BPDUs and ignore the received ones : /interface bridge add name=bridge1 /interface bridge port add b...

Zacharias

will sit hidden inside a grounded electrical cabinet -- which I can't imagine will result in good Wi-Fi experience.

What's the purpose of that ?
Managing another device ?

Zacharias

Does that VLAN interface exist ?

Zacharias

I think that is an indication of an unknown interface.
What did you set as target there? Maybe a dynamic interface ?

Zacharias

Maybe yes, maybe no...
What was the initial reason that led you to netInstall the device ?

Zacharias

The error message indicates you exactly what the problem is.
The port members of a bonding must not be slave interfaces of the Bridge itself. When you create the Bond interface, add that bond to the Bridge.

Also read here https://help.mikrotik.com/docs/display/ ... ng-Summary

Zacharias

Create static leases...

Zacharias

It looks like they have no IP addresses set

They don't.

Your management VLAN is 99 and not VLAN 10.
For testing, set the PVID on the port of PC1 to 99, and then check again.. Do the switches have an IP now ?

Zacharias

but wondering if I can assign static leases/ips outside the dhcp server pool? But those IPs you specify are not outside the main DHCP pool... You can assign static leases to those devices... Let the DHCP assign an address to them, and then make it static and assign the IP you wish... On the Lease r...

Zacharias

@rextended thanks for your answer...

Zacharias

The 4-MAC problem on Wi-Fi...

What does that mean ?

Zacharias

To be honest its the first time i see this.
Do you get the same result if you ping any other external host for example ?

Zacharias

What do you mean ?
You have loss of ping replies ?

Zacharias

The pppoe tunnel, should and will go up as long as the pppoe server responds to the discovery messages of the pppoe client and all the stages get completed successfully.
https://wiki.mikrotik.com/wiki/Manual:I ... _Operation

Zacharias

Or a CRS328 if you need more than 8 ports.

Zacharias

I have tried this and I keep losing access to my dlink device, the moment that I enable vlan mode secure on the port

Can we see an export of your Switch configuration ?

Zacharias

ROS v 7.2, setting connection tracking to off created the exact same Dynamic entries in the RAW table too...
Instantly or after reboot?

Instantly...

Zacharias

Correct, on Atheros8327 you can not offload your VLANs on the Switch Chip using Bridge VLAN Filtering. The only way to offload them is to use VLANs on the Switch chip. how would you move this config from bridge vlan to switch vlan? This is how you can configure your VLANs on the switch chip: https:/...

Zacharias

ROS v 7.2, setting connection tracking to off created the exact same Dynamic entries in the RAW table too...

Zacharias

our network is down help me please

How can actually someone help you with almost no valuable information provided ?
For example an export of your configurations with sensitive information removed and a more detailed analysis of what the problem is...

Zacharias

More info here https://wiki.mikrotik.com/wiki/Manual:I ... n_tracking
When set to no then connection tracking is disabled.
If set to auto then if you have a filter or Nat rule it will automatically get enabled.

Zacharias

CRS354 supports L3 hardware offload after ROS v7.1...
https://help.mikrotik.com/docs/display/ ... 2000Series

Zacharias

how to make the configuration to emit a wifi zone?

If by that you mean a seperate network, then you can use VLANs.

Zacharias

What is the device model you are using ?

Zacharias

Can you show a network diagram of your topology and point on the traffic that you assume it is blocked ?

Zacharias

Indeed...
I have not noticed that...

Zacharias

When ask something like that, remember to the user to remove sensitive data inside the posted config...

But isn't that what hide-sensitive does ?

Zacharias

I guess you could contact the support https://mikrotik.com/support

Zacharias

Here is another example too https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless
it consists of Wifi tagging and Bridge VLAN filtering, similar to what @mkx suggested i think.

Notice, though, i don't know if it has been mentioned, CRS1xx does not support bridge VLAN filtering in hardware.

Zacharias

Start here https://help.mikrotik.com/docs/display/ROS/NAT

Zacharias

From my personal experience, every time i opened a ticket i got a reply back if not the same day, the next one...
They are really helpful...

Zacharias

Well it could be better than that, or even 0 transfer time...
But ofcorse i can't be sure that it might be related to that...

Zacharias

Look for IGMP Proxy https://wiki.mikrotik.com/wiki/Manual:R ... IGMP-Proxy
and PIM-SM https://wiki.mikrotik.com/wiki/Manual:M ... ample#IGMP

Zacharias

@sob you are right, sorry.
I just missed that the reply will have nowhere to go because of the missing main Routing Table and that the Routing decision in Output chain is earlier than the Routing Adjustment.

Zacharias

What is the response/transfer time of the UPS and its voltage Output ?

Zacharias

@anav you are right on that.
However i thought the OP was trying to access 200.1 as you can see from my previous answer and not 200.2.
Anyways, the OP indicated that it works on some cases, so i am confused now, maybe the tests where made with firewall disabled ? who knows...

Zacharias

@sob i don't agree with you. Yes there are cases where not having a Main Routing Table can cause situations where the packets can't be routed and are dropped or are routed in a wrong way. But not in this case. The OP describes that can't reach from B corp the Router 200.1. The packet looking the Pac...

Zacharias

Much clearer now. Still some doubt about the reply-only ARP feature though.

The Router will only reply to its own MAC address.
Other than that, you have to manually add ARP entries in the ARP Table for the rest of the LAN devices you want to communicate with.

Zacharias

@rextended indeed is impressive.

How have you tested it ? It seems it can achieve those speeds but in larger packets, 1518 Bytes... https://mikrotik.com/product/rb5009ug_s ... estresults

Zacharias

Which Mikrotik router can handle more than that?

Many, check in the Ethernet Routers section https://mikrotik.com/products/group/ethernet-routers
The Test results page will help you see what each device can perform.

Zacharias

yes, I use it as a router.

You shouldn't ( since you expect better results )
It is a device with advanced switching capabilities.

Here you can see how the device performs as a Router https://mikrotik.com/product/CRS326-24G ... estresults

Zacharias

To add to what @sob said, Indeed the connection tracking Table keeps track of all the connections that are taking place to the Router. So it knows if a packet was Source Nated, Dst Nated etc... In that example, the router knows the packet was dst nated and it will un-nat that connection. The same ha...

Zacharias

Did you read here https://wiki.mikrotik.com/wiki/Manual:IP/ARP#Summary
Also, on proxy-arp the photo missing is this one here viewtopic.php?t=71721 might help you understand

Zacharias

Please draw a network diagram of the desired network topology and how it should work.
Also can you export the VLAN configuration you already have configured ?

Zacharias

I never change interface name of physical interfaces... ;)

I used to change the names in the past, but i don't do that anymore.
I use the default names too, even for WAN ports, and i add comments whenever needed...

Zacharias

How can the port be missing from /interface ethernet print ?
Shouldn't it be there even with another name ?

Zacharias

I think it can rollback up to about 20 commands

Only ?

Zacharias

Maybe you are using ether7 somewhere else in your config ? So it does not allow you to add it as a slave port on your Bridge ?

Zacharias

You could try to use Wireshark on the host to make a more detailed packet analysis...

Zacharias

What is your ROS version ? Did you update to latest 7.2.1 ?
Also a network diagram would help understand your network topology better.

Zacharias

As far as i know, simple queues use multiple processor cores...

Zacharias

It seems it is... and in V7 you can use the APN profile as well https://help.mikrotik.com/docs/display/ROS/Peripherals
But you will go from an LTE cat 6 modem to an LTE cat 4 ?

Zacharias

Indeed ros v7 has many fixes on the LTE. I recommend it too...

Zacharias

You could update to ROS v7 as well.
First backup your configuration in case something happens.

Zacharias

Any info on how you did that ?

Zacharias

Does anyone know, why my KNOT after upgraded to version 7.2 the LTE Interface is missing?

Then the lte interface was never there, it dit not dissapear after the update...

Zacharias

I've used passthrough on LTAP, on LHGG, on WAP R, on WAP R with LTE6 on WAP AC with success... Passthrough is a feature of the modem... Am not really sure why some chipsets do not support it and what is meant by that... If you take a look here https://help.mikrotik.com/docs/display/ROS/Peripherals y...

Zacharias

How else can I replace it in the way I can access my network remotely?

L2TP/IPsec, OVPN, Wireguard, IKEv2 are some of the protocols you can use for Road warriors but for Site to Site tunnels as well ...

Zacharias

Your RSRP, RSRQ and RSSI values are not bad...
They are not excellent either.. but they are good...

You could try updating to Ros v7, there are a lot of fixes for the LTE.
Also, what is your modem firmware version ?

Zacharias

Do not use PPTP, its not secure...

Zacharias

My EM12G has arrived, just awaiting myipex4 to sma cables. very good upgrade. EM12 is my favorite one. If you buy it with latest firmware then it's just work out-of-box at ros7 Nice, and its cat12 as i can see... How many carriers ( CAs ) does Cat12 use? any reference on that ? Can the firmware be ...

Zacharias

Or if you meant that it would be possible to drop dst-port and only keep ipsec-policy, then yes and no. Just for L2TP, yes, because created policies are for just this one port anyway. But in case you have some other IPSec tunnels, this rule could allow access to anything on router, which may not be...

Zacharias

Zacharias

/ip firewall filter
add chain=input protocol=tcp dst-port=1701 ipsec-policy=in,ipsec action=accept

@sob, do we actually need the dst-port=1701 here ?
Its UDP by the way, i guess you just missed that...

Zacharias

Release 6.49.1
*) routerboot - enabling "protected-routerboot" feature requires a press of a button;

https://mikrotik.com/download/changelog ... lease-tree

Zacharias

Downgrade to V6...
Is the interface back ?

You can always contact MikroTIK support... https://mikrotik.com/support

Zacharias

So a hybrid port only has one untagged vlan (and as many tagged vlans as required)

As long as they do not match.
In practice, it won't let you add the same port as tagged and untagged anyways...

Zacharias

An access port, for example, will strip the VLAN tag of the packet matching the VID of the port on egress.
So you can't have port etherX both Access Port for VLAN 10 and Tagged Port for VLAN10.

Zacharias

ok, you can use Bridge VLAN filtering.
Start from here viewtopic.php?t=143620
And here https://help.mikrotik.com/docs/display/ ... VLAN+Table

Zacharias

I would first give netinstall a try...
https://help.mikrotik.com/docs/display/ROS/Netinstall

Zacharias

It depends on the Switch model... So what device are you using ?

Zacharias

That is a Hybrid setup. You can have an access port on VLAN10 and at the same time the same port can be a Trunk Port for VLAN 11. Notice though, a trunk Port carries Tagged Traffic, so the port will tag the packets on egress ( the ones that do not belong on VLAN 10 ) with VLAN ID 11. That means your...

Zacharias

As i can see you have 7.1.5.. but the router shows firmware 7.2 So at some point you did upgraded the ROS and firmware to 7.2, then for some reason your downgraded to 7.1.5 and you left the firmware version as it was... I am missing details on why you downgraded, because the LTE was missing ? Person...

Zacharias

Updating an LTAP LTE6 from version 6.49.5 to 7.2.1, ROS upgrade was successful
After i upgraded the firmware, from 6.49.5 as well, the device upon boot had lost the LTE interface... A second reboot solved it...
Am not sure if that was supposed to happen or not ...

Zacharias

I'd also recommend trying 7.2. It has a lot of LTE fixes over any of the 7.1.x versions.

Updating an LTAP on 7.2.1, the ROS update was successful
When i updated the firmware, the device lost the lte interface, i had to reboot it a second time in order to find it...

Zacharias

If you press the reset button before applying power to the device then the backup bootloader will load...

Zacharias

You need a Hybrid VLAN configuration... Set the PVID on port 21 to PVID=14. So, port 21 will be using tagged traffic on VID 1720 and Untagged traffic on VID 14... But since reading on a previous post you say that this does not work ( it should ), maybe a wrong configuration on the VLAN side of the G...

Zacharias

How are the VLANs configured on your CRS112 ?

Zacharias

There is no even IP type ipv4ipv6

What do you mean ?
In the APN menu there is an IP type field where you can select both IPv4 and IPv6.
After that you enable the passthrough feature...
And ofcorse in the LTE general tab you should select the correct APN profile.

Zacharias

I would suggest an LTE6 modem device for better performance results ...

Zacharias

@mkx how can it be useless since it is used in the calculation of the RSRQ value ?
I think all the values ( RSRP, RSRQ, SINR and RSSI ) have their importance...

Is there any value you take into account the most ?

Zacharias

RSRP better than -86db

RSRP of -86db does not indicate on any way loss of connection...
You should take into account the RSRQ SINR and RSSI values too...
Also you don't mention what the ROS version is and what the modem firmware version is... ???

Zacharias

If you don't know the number and you just want to know what that is, perhaps sending an sms and then verifying the number would help...
https://wiki.mikrotik.com/wiki/Manual:Tools/Sms

Zacharias

Which means my fear may be valid - what if Hex negotiates too little power and / or voltage for the device it powers (via passive poe out)?

Why don't you just test it ?

Zacharias

My fear is simple - what if mikrotik negotiates voltage, that is too low for my unifi device

From a quick look to some of my production equipment a CAP AC and a wsAP for example, that are capable of af/at at POE in are fed with 52V from a CRS328...

Zacharias

I am a happy beginner who wants to learn more

Since you want to learn, take a look here viewtopic.php?t=143620
Also there are many Articles in the MikroTIK documentation to read...
Very important, is what device model you have... ?

Zacharias

@mkx there are devices such as CRS328 and CRS354 that do support voltage selection ( LOW, HIGH ) and do not need 2 PSUs...
Obviously they do have voltage regulators

Zacharias

Take a look here https://wiki.mikrotik.com/wiki/Manual:PoE-Out
and here https://help.mikrotik.com/docs/display/ROS/PoE-Out

Zacharias

An ISPs router can both act as a Router and at the same time having passthrough enabled...
Since you can reach the internet connected to your ISPs wifi obviously it acts as a router too...

Are you sure the IP address space assigned to you by your ISP belongs to the Public IP address space ?

Zacharias

Nice explanation of Hairpin NAT from @mkx
Not sure if this is hairpin nat?? In the sense that its redirecting wanips vice ensuring traffic gets back from server to originator on same LAN.

Well i think @mkx answered your question...
Same technique...

Zacharias

It's not switch - it is 5009

I am reffering to the device that gives power to the RB5009 through POE...

Zacharias

What is the configuration of the CRS112 ?
Is it configured as a switch connected to a router ?
Or is it configured as a router ?

If the second, then as stated on the previous post, CRS112 is a switch it has an advanced switch chip but limited CPU performance...

Zacharias

Nice explanation of Hairpin NAT from @mkx

Zacharias

I don't see what problems could this behaviour cause.
Can someone explain not in a video?

Personally i am not saying that it will cause any problems...
I am just saying that it seems its not because of the connection tracking...

Zacharias

Scenarios: A) Both sources connected at startup The 2-pin terminal takes charge and PoE is never delivered (confirmed with web-management switch portal). I think your problem is here... RB5009 should be able to negotiate and draw power through the POE in regardless that the 2pin terminal is connect...

Zacharias

I am trying to understand where the problem is... If you have a static IP block given to you by your ISP, a /27 as you said ( 32 available addresses from which the first is the network address and the last the broadcast address ) then you assign ( usually ) the second available host address to the e...

Zacharias

Also a nice article to read for Bridge VLAN filtering viewtopic.php?t=143620

Zacharias

It seems there is no reference on the wiki.

Zacharias

ctrl+- is for zoom out and ctrl+= is for zoom in

Zacharias

@Larsa, i think the OP ( i quickly viewed the video ) at some point of time disables connection tracking and tests again the add/remove firewall filter rule, and it seems there is still a delay, although connection tracking was disabled. So, if the connection tracking was causing the delay, then why...

Zacharias

So, if for example you add 10 rules in the firewall, and you remove a random one, you still get the same delay ?

Zacharias

@Buckeye i am surprised too since i clearly mention that support on Bridge VLAN filtering in hardware is added on Ros v7... So i totally do not understand your point... Also, if the switch chip itself has a VLAN table, but ROS does not use it ( on V6 for example ), this does not change the fact, tha...

Zacharias

Upon firmware upgrade procedure the LTE will show as not Running... If i remember right that is at the installing phase...
That is normal...

I would suggest you reset the device to defaults, uninstall any extra packages ( if added ) and retry to update the modem...

Zacharias

@chechito you are right, i just missed that Atheros 8227 has a VLAN table too, my mistake...

Zacharias

Yes you can... However if you follow the advice on the second post and go with Bridge VLAN Filtering, you will loose the hardware offload on your Bridge since Atheros 8327 ( the switch chip on first 5 ports of RB2011 ) does not support Bridge VLAN filtering in Hardware... However, it supports VLANs ...

Zacharias

When you run the command on terminal: /interface/lte/firmware-upgrade lte1 upgrade=yes The modem will download the firmware and upon installing the lte will drop and that is normal... You should not do anything until the terminal informs you that the installation is done... If for some reason it won...

Zacharias

You can also have a look here https://help.mikrotik.com/docs/display/ ... HairpinNAT

Zacharias

70% load is high, i don't think that neither your PPPoE nor your NAT are causing it...

Zacharias

Yes, it is a limitation of the CHR free license...
https://wiki.mikrotik.com/wiki/Manual:C ... al%20guest.

Zacharias

@anav, when someone wants a MikroTIK router/switch/AP and you suggest something different than that, obviously you are out off topic 100%... You can suggest whatever you want... Let the other engineers/users etc... make their own suggestions as well and have their own opinions, experience, preferenc...

Zacharias

I sent this bug to the mikrotik team 8 days ago. But no news yet.

I guess because it is not a bug...
As said earlier, do you plan on adding removing a single firewall rule in your setup ?

Zacharias

The manual is clear that MT7621 has no VLAN Table support...https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features Bridge HW offload on VLANs was added on ROS v7.1rc5 https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features Also the changelog https://mikrotik.com/download/changelogs has n...

Zacharias

Did you try connecting over IP instead of MAC?

It would be interesting if the behavior is different...

Zacharias

@anav, the OP can as well go to https://mikrotik.com/products the product page and check the Test results for any device... That way, he does not need neither my opinion nor yours... So, when someone asks for a recommendation , i guess he needs something more than what he can already find on the Pro...

Zacharias

Did you try to update to the latest 7.1.5 and see if anything changes ?
Or maybe to 7.2rc5 ?

Zacharias

The RB4011 and RB50009 have the port numbers but are easily good to well over 1Gig throughput up and down so a tad overkill. @anav, a Router should always be able to perform better than the actual requirements...At least that is they way i think it should be... Today the OP will use an ISP line of ...

Zacharias

But they need to be in the same bridge for that to work? Or not?

You will not Bridge the VLAN interfaces, but the ports...
The ports will be either Trunk Ports or Access Ports, depending on how you will configure them...

Zacharias

For a simple setup like this, i would suggest an RB4011 or RB5009, for a switch a CRS112 or in case you need something more advanced then a CRS326 or CRS328 in case you need POE and for wireless Access Points CAP AC.

Zacharias

VLAN Filtering on the bridge is disabled and when I enable it I lose all connection and have to restore to a previous config.

Wrong configuration...
Post your configuration as @anav suggested.
Next time let a port out of the Bridge or use console port for management.

Zacharias

From what version ( of ROS v6 ) did you upgrade ?

Zacharias

how do i setup the mikrotik router to use the static IP i have?

Here.

As @tangent already said, you configure a Public static IP the same way as you would configure any other IP...

Zacharias

Have you read this article ? https://forum.mikrotik.com/viewtopic.php?t=143620 Since you already have ROS v7 installed, you can use VLANs along with Bridge filtering enabled, that will be in hardware... Also you do not need all those Bridges... A trunk port with your ISP to receive the VLANs 832 and...

Zacharias

Only APC ups are supported ?
My CyberPower CST135UC works fine

Great...
I mostly use CyberPower too...
I will give it a try soon...

Zacharias

You do not say which VPN protocol you are trying, IPsec will not work as you are missing add action=accept chain=input comment="allow IPsec ESP" protocol=ipsec-esp It depends... If NAT-T is supported and used by both sides then ESP packet will be encapsulated inside UDP Port 4500 packet.....

Zacharias

Only APC ups are supported ?

Zacharias

RB4011 is indeed a good choice...
If it is a home Router, i would suggest you try V7 and Bridge Hardware Offloading...
If something does not work as expected you can always downgrade...

Zacharias

From a quick look i can't see anything wrong in the configuration... From what you describe in your first post, the devices get an IP address from the DHCP server successfully, but they can not reach the internet... I would suggest you change the default network to something else, lets say 192.168.1...

Zacharias

Please /export hide-sensitive the Router configuration...

Zacharias

Can you /export hide-sensitive the switch configuration ?

Zacharias

ether1 is not your WAN port... lte1 is your WAN port... So remove ether1 from the WAN list and add your lte interface... Also i see no masquerade rule for your LTE interface... ip firewall/nat/add chain=srcnat out-interface-list=WAN action=masquerade No IP address assignment on your Bridge and no DH...

Zacharias

Everyone has been so helpful and the config tips get me going however, defaulting and resetting and netinstalls all get me back to my same problem...

Can you please /export hide-sensitive the configuration you have after reset to no defaults was made ?

Zacharias

This message indicates that the switch received a message coming from a DHCP server ( probably a DHCP offer ) located to an untrusted port... If it is not the AP itself using a DHCP server then it is a client connected to that AP... This is just a warning message... Since snooping is enabled the swi...

Zacharias

Here https://help.mikrotik.com/docs/display/ROS/LTE#LTE-Quicksetupexample you can see the APN configuration... Then, in a simple Router setup, create a Bridge and add the ether1 and wlan interfaces as ports, set an IP address to the Bridge interface e.g. 192.168.1.1/24, create a DHCP server on the B...

Zacharias

@sindy i installed a LTAP LTE6 this week. I noticed nothing strange compared to other MikroTIK LTE devices i' ve used ( WAP, WAP LTE6, LHGG,) as far as the configuration is concerned . As @Amm0 wrote above, there is a difference between the default configuration script of an LtAP "LTE(6) kit&q...

Zacharias

I would suggest you to reset to defaults, then upgrade to 7.1.3 and test again... Look into the default configuration script of 7.1.3 as posted by @Amm0 in this post . It sets exactly what OP is getting. No point in spawning it over and over again, the result will be the same. @sindy i installed a ...

Zacharias

I would suggest you to reset to defaults, then upgrade to 7.1.3 and test again...

Zacharias

Though I'm not @gotsprings...local forwarding will not cause a high cpu load on the CAPsMAN.

I agree on that, but it is a users mistake if Capsman forwarding is used on a low performance CPU device...

Zacharias

@fevr just create a VLAN interface under /interfaces VLAN, use as interface the Interface the ISPs Router is connected and set as VID= the Vlan ID your ISP needs for communication ...
Then on your PPPoE connection use as Interface the one created under /interfaces VLAN...

Zacharias

Probably, i used a wrong diagram indeed...

Thanks @tdw and @mkx for answering...
I was more confused with the terminology Tagged and Untagged Ends the way they were used, but i think i got it...

Zacharias

MikroTIK itself has WoL implemented, you will find it under /tool/wol Devices to be waked through a WoL packet ( magic packet ) must be in the same Broadcast domain. Since you use VLANs, those broadcast domains are seperated... I don't know if there is a workaround on this... But you can try if you ...

Zacharias

oh my, now i did try to put CAP LITE in Home AP mode, Ive dissabled WPS and now Im getting 62,6Mbit over wifi, which is little improvement.....even upload is now 11,8Mbit, which is strange since my internet connection limit is 150/10Mbit :) As you can see the problem is not the CapsMAN. Don't expec...

Zacharias

The rule apparently works, since there are packets counting...
Are you sure the server is listening to the correct port ?
Or you don't block it through the Firewall ( the to-ports port )?

Zacharias

-I tried to use local forwarding, but it didnt have any impact on the wifi speed

So i guess it is not solved...

If you remove the CAP from the Capsman, do you see any improvement in the Speeds ?

Zacharias

The performance will decrease even with less than 30 Virtual SSIDs... To my personal opinion you should not exceed 10 Virtual SSIDs.. Also what plays significant role, is how many APs exist from neighbouring netwroks broadcasting on the same Channel. If for example you create less than 10 SSIDs, doe...

Zacharias

Thanks for answering.., My question is mostly related to what @mkx names as Tagged end and Untagged end... As far as i know, when you set an interface with a VID under /interface vlan then looking at the packet flow photo https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS#PacketFlowi...

Zacharias

My suggestion would be to use another VPN type if you want multiple Road warriors behind the same Public IP to connect to a specific VPN server...
That could be wireguard ( ROS v7 ) OVPN ( TCP on ROS v6 or TCP and UDP on ROS v7 ), IKEv2 etc. ...

Zacharias

Can you provide a network diagram with the Topology of your network, and a simple example of what you re trying to achieve ?

Zacharias

If you want to supply voltage to devices that accept Passive POE and also supply some other with af/at then there is a solution... Using a device that has selectable POE out Voltage... netPower 16P is an example https://mikrotik.com/product/netpower_16p#fndtn-gallery Since the device has no onboard ...

Zacharias

Hello how can we downgrade from the factory installed version 7.1.1

That is the version the device has installed right now...
But what is the Factory Firmware version under /system routerboard ?
What is the Factory Software version under /system resources ?

Zacharias

@gotsprings you prefer Local Forwarding mode instead of Capsman Forwarding ? If yes, may i ask why ?
Personally i use both modes but most of the time i use Capsman Forwarding...

Zacharias

@mkx, reading your post, i tried to visualize the Tagged and Untagged End...
If i understood correctly, you name Tagged end, the Interface used under /Interface VLAN ?
And Untagged End the IP address Interface ?

Zacharias

Can I use the one that mikrotik makes for a single rb5009?

I 've not yet used any RB5009 with a rack mount kit, but watching the Gallery photos https://mikrotik.com/product/rb5009_mou ... -downloads it seems that you can make any combination up to 4 RBs.

Zacharias

HAP AC3 has an Atheros 8327 switch chip that supports 92 Switch Rules...
So there would be no problem configuring MAC based VLAN...

Zacharias

Take a look at this post from @jotne viewtopic.php?t=179960
Personally i use Dude and also Zabbix to monitor my Networks...

Zacharias

Since Hap AC2 is already being used as an AP, then CAP must be configured as a Station-Bridge, the question is, do you need to still be using the CAP as an AP for other devices to connect on it wirelessly ? If yes, then you should create a Station-Bridge on the wireless interface of the CAP and then...

Zacharias

Looks like it works. I now have 2 set and all good

Thanks!!!

Great...
You can mark the post as solved...

What unique actually does, is it creates a unique SA for each particular policy...
https://help.mikrotik.com/docs/display/ROS/IPsec

Zacharias

Check here how Hairpin NAT works https://help.mikrotik.com/docs/display/ ... HairpinNAT

Zacharias

@tdw seems to be right...
I checked it too and its 100Mbit...

Zacharias

Maybe a diagram with your network topology and your configuration export with hide-sensitive parameter would help to understand better what the issue might be...

Zacharias

it does offer the option tho in the OS

Features and options depend on the hardware being used...

Zacharias

I guess there might be a problem with the SAs...
What if you set /ip ipsec policy level to unique for each policy ?

Zacharias

I 've seen cases where when using multiple polices for the same peer some might not show as Active, but as soon as traffic is initiated they do become active...
But that is something different...

It does work when you disable a specific policy ?

Zacharias

Did you try nat-traversal=yes ?

Zacharias

I am not sure i understand the question...

I 've used a couple of LTE products, like WAP R, WAP R AC, LHGG LTE and LTAP LTE...
ALL are using standard SIM cards like the ones we are using on Mobile Phones... Never had any problem with the SIM cards...

Zacharias

@Jotne i missed it, edited my previous post...

Also, in your case, the src-nat rule is not actually needed because you have a general masquerade rule... if you add it though, just place it before the masquerade one so that you can see it works ( packets counting )...

Zacharias

No, never...

Zacharias

I want the above rule to work so inside to outside nat and nat to the sever1.
Since server2 is a web server, I like the webserver to see the public source IP, so that logging of usage would be correct.

Nat rules in post #2 is what you re asking for...

Zacharias

You need src-nat and dst-nat rules... The first one, is used so that the server is src nated using the Public IP you want, and the later to dst-nat all the incoming traffic to that Public IP to the Server... /ip firewall nat add chain=srcnat src-address=x.y.z.w action=src-nat to-addresses=public_IP ...

Zacharias

Today i tried to upgrade again a WAP R with a R11e LTE6 modem card twice... Still i could not update, both times i was getting status failed when installing... I thought then that it might be due to some extra packages added consuming Ram and HDD resources... So i did remove them and left only the d...

Zacharias

Last time i remember, i could not upgrade for some reason...
I think that was on V27...

Zacharias

If it is fiber, also check if you use the correct SFP modules along with the Fiber type used...

Zacharias

There is a difference between the firmware version (what is written in that article) and the RouterOS version (what I described). E.g. my RB4011 has minimum firmware 6.47.9 but minimum RouterOS 6.44.6 The article is clearly talking about Downgrading the RouterOS version... It also describes the ste...

Zacharias

Agree with @pe1chl
https://help.mikrotik.com/docs/display/ ... g+RouterOS

Zacharias

How are those SFP ports connected ?
Using a DAC or AOC cable ?

Zacharias

Higher voltage has greater priority...
Read here viewtopic.php?t=153113#p756002
So i guess the same applies to RB5009...

Zacharias

Netinstall is for specific situations and problems...
Just because you did not see it in your neighbors does not suggest a Netinstall...
Disable all your network cards except the ethernet that the WAP is connected to, disable your Antivirus and test again, this will help to identify the problem...

Zacharias

WAP R as you can see here https://mikrotik.com/product/RBwAPR-2nD does not include a modem... It has a mini PCI e slot so that you can use a modem of your choice...
So that is why you could not see an LTE interface...

Zacharias

As i can see you do not use any specific MAC to apply that filter rule to... So obviously you need a Port based Traffic shaping. Can you instead try to apply a rate limit using /interface ethernet switch port menu ? Does it make any difference ? https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+C...

Zacharias

Yes, maybe...

Zacharias

The way you have it configured, you should be able to access the Switch using Tagged Traffic with VLAN id 99 coming from ether1... If you want to test it using Untagged Access, you can as well change a PVID of a port to 99 and check if through that port you can access the Switch through its Manageme...

Zacharias

Rate is 40Gbps. If rate is 40Gbps, then that's what interface can do ... not sure what you expect though ... Yes, but the question is why the physical interface is being shown as four different ones QSFP1-1,QSFP1-2,QSFP1-3 and QSFP1-4 ... Wouldn't it be more clear if it was shown as one single inte...

Zacharias

@jbl42, VLANs 0 and 4095 are reserved and VLAN with id 1 is the default VLAN used by MikroTik and should not be used...
It is explained here https://en.wikipedia.org/wiki/IEEE_802.1Q

Zacharias

I mentioned the Power supply check on post #3...

Search found 3327 matches