MikroTik

xvo

It seems, that you are right.

xvo

You might be right.

Ok. Another suggestion: putting vlan-mgmt into separate vrf will definitely make it unroutable, unless needed.

xvo

when i set slient-boot do i need rebootthe router?

I’m not sure: this setting is needed to prevent mikrotik from writing into console port on startup.
But I don’t know if it will be applied on first reboot or after it.

xvo

Never used it between mikrotik and cisco, only between two mikrotiks, so can't say about the needed baud rate.
But don't forget to disable serial console on mikrotik's serial port.
And also set silent-boot=yes in /system routerboard settings.

xvo

Where do you run your pi-hole?
Bare device, VM, docker container?
It looks like some misconfiguration in VM/docker networking.

Anyway, it most likely has nothing to do with mikrotik.

xvo

I believe there is even simpler way: /ip route rule add interface=vlan-mgmt action=drop With this approach, you are explicitly ending your set of rules using "drop everything else". That means you have to whitelist (allow/accept) every single separate type of traffic you want to allow. With this log...

xvo

And your question is?!
What exactly prevents you to configure what you describe?

xvo

https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering

xvo

IP -> DNS -> Static

Of course that will work only if mikrotik is used as DNS server for you network.

xvo

The second is the right one.
That's interesting to know if %interface can actually be used to "bind" ping check to this interface only.

xvo

Is ospf permitted by firewall on both sides?

xvo

Hi, Yes.
Attached known bug.
https://discourse.pi-hole.net/t/total-q ... er/31648/2

As already stated - It's not a bug, but a misinterpretation of router's config options.

xvo

I guess you entered pi-hole as DNS server in IP -> DNS?
You should additionally specify pi-hole as DNS server in IP -> DHCP -> Networks

xvo

And it works like a charm. Yes it does! And another great thing about that - the addresses doesn't have to be adjacent, so I have all my PTP links like 172.27.XXX.YYY - 172.27.YYY.XXX (where XXX is some unique identifier for this particular router). That is perfect for 1) ease of reading 2) the abi...

xvo

That should work.

xvo

I'm not sure if Mikrotik supports /31 but I thought I'd mention it.

It doesn't. You need to use pair of /32 addresses with network specified as the "opposite" one.

xvo

Hi, This is for Internet fail over. What's the best way in RouterOS to configure a route via a specific interface, so that if that interface is down it won't route via the default route (or any other less specific route)? I think I can do it by adding a route to Null for the same /32 but with worse...

xvo

Yes, that's exactly my point.

xvo

Performance-wise you're right. Configuration-wise, VLANs and centralized routing config is much simpler than distributed routing. Plus it would make a good basis for expansion (much easier to add another subnet or increase number of ports within subnet or replacement of RB760iGS with a proper manag...

xvo

that there are no additional GPIO pins

Have you seen this in the latest 6.48beta48?

*) m33g - added support for "/system gpio" menu (CLI only);

viewtopic.php?f=21&t=163308#p822721

xvo

including wiping the file storage...where I had stored a couple backup configs

Are you sure they were in /flash folder, not in the root directory that is mounted to RAM?

xvo

There are different approaches - you could route between subnets on mikrotik2-4 and have static routing rules on mikrotik1 so traffic is directed to the correct mikrotik, or you could use mikrotik2-4 as switches with VLANs and perform all of the routing/firewalling on mikrotik1 RB760iGS won't be go...

xvo

Firewall doesn't allow connections, it allows packets.
And different packets from that connection can be allowed by different rules.

xvo

This is an all wireless network with the AP's UN-tagging VLAN traffic. In this scenario, is there any advantage to tagging all the switch ports? Thanks again.

If all ports need to have the same set of tagged vlans, then there is no point really.

xvo

I've come to conclusion that the easiest way to wol a pc in remote network is running a small bash script that will connect to mikrotik by ssh and run a wol command. A special user can be used for that: only ssh and test permissions are needed. But anyway, ssh port open to outside network is not a g...

xvo

manual.jpg

That is from the very beginning of that page.
https://wiki.mikrotik.com/wiki/SwOS/CRS ... s_features

Unfortunately, it looks like RoS is the only option here.

xvo

Yes, there is 250 VLAN limit in SwOS:
https://wiki.mikrotik.com/wiki/SwOS/CRS3xx

xvo

In winbox you have to choose needed action first (in this case action=reject) and then options for this action will appear.

xvo

That is the expected behaviour - latest period of time is stored in max resolution, the next one - in lower (10 min), and so on (2 hours, 1 day).
You can change the exact time for each period in settings:

dude charts.jpg

xvo

First you have to decide: do you really need to "bridge" or to "route" will be enough? In first case you will have one subnet, only one of the routers will act as a DHCP server for both networks and so on. While in the second case you will have two completely independent networks, but yet they will ...

xvo

A load balancer would slightly complicate things, nothing terrible, but a couple rules like sindy suggested would be a much simpler solution in this case. These rules are what load balancer is mostly. And now meaning the "destination". The only thing that is lacking - taking the up/down status of t...

xvo

Now ping and ssh connection are working from management RPi to DEVs! Thanks xvo! Niiice! However that makes me wonder if the guy who wrote the article ever tried it himself in the exact way he wrote. I once built a test setup somehow using this article as a guidance, but the setup itself had some m...

xvo

Then check IP -> Services, System -> Users and IP -> Firewall -> Filter (input chain) sections to see if access is not restricted to some ip's (whether for this user only, or to device in general).

xvo

Yes, all ports are gigabit no matter if you use PoE or not. And yes, hap ac definitely can benefit from gigabit connection. Especially if you use 5Ghz wifi. On the other hand I am not completely sure what you want to do. If you want to daisy chain devices like: hEX S PoE-out --> 1st hAP ac PoE-in an...

xvo

Are both of PCs have the same winbox version?

xvo

I also found MikroTik RBGPOE power injectors, with these I think I should be able to use the power supply that comes with the ac²s to supply PoE. This way, all of my APs should be able to pull up to 0.8A*24V=19.2W in ideal conditions. Besides the extra wiring and cabling in the basement, that shoul...

xvo

You are misusing ECMP - it is meant to load balance routes, not the "destinations".

xvo

I have one idea. For returning packets you do this: /ip firewall mangle add action=mark-routing chain=prerouting dst-address=192.168.2.2 new-routing-mark=main Is this rule being hit at all? The idea is, dst-nat is performed after the prerouting chain, so probably the action reversing the src-nat too...

xvo

No, if the device is configured as a switch it doesn't forward any IP packets.
You can even disable IP forwarding in IP -> Settings.

xvo

I agree that it would be nice to have a bit of a buffer, but I can't seem to find that 28V 3.4A supply while browsing MikroTik products. I think it may be a one-off accessory for that specific switch. Do you happen to know if it is sold anywhere? I'm not finding similar products offered elsewhere e...

xvo

No attachments in case of hAP ac2 means no usb devices. The device itself consumes 16W which is 0.666A at 24V (not 0,5A). So 3 of them will give exactly 48W which is 2A at 24V. So theoretically this is as much as hEX PoE can provide. But that doesn't account for losses on the cables on one hand, and...

xvo

If you changed the IP for your LAN bridge you should change dhcp pool and dhcp-server network as well.

xvo

Why your vlan-interfaces are created on top of the bridge if you want ether5 to be a trunk port?
Move them to ether5. Also add all of them to interface-list=LAN.

And also move the address from ether2 to the bridge.
Despite the fact that it is in the default config it is wrong.

xvo

So, I did try that - I set a port on the bridge to untagged VLAN4 and then enabled vlan-filtering on the bridge. Plugging in a client to that port and I do not get an IP from the DHCP server on that VLAN. I may be missing something else here. Would I need to also add the VLAN interfaces to the brid...

xvo

Mikrotik uses Mode B (4,5 - 7,8) to supply power.
Most likely cameras support only Mode A (1,2 - 3,6) which is against the standard.

xvo

RB4011 doesn't support vlans on hardware.
So you should configure bridge vlan filtering (and lose hw-offloading).

xvo

Thanks for your reply, there are some default rule under the filter rules tab NAT tab or Mangle Which I am not able to delete.

If you are talking about "special dummy rules", the will be deleted on first reboot once you delete the fasttrack rule in filter forard chain.

xvo

How an untagged flow of traffic into a switch can then be turned into tagged traffic coming out other ports of the switch It will be tagged by a switch, I guess :))) Isn't that what is switch for after all: tagging, untagging and tagging again, just to fulfil the darkest of admin's designs?! You co...

xvo

Thanks for keep supporting. I know RoS has more configuration features than SwOS, but some features i didn't get in RoS what i see with SwOS such as port isolation, port forwarding, port locking, port mirroring, bandwidth limit etc. Thanks. All is there, in switch menu, with far more possibilities ...

xvo

Okay! i disappointed to know this as i thought all Mikrotik smart switches come with SwOS opeating system. Totally waste my money on this. Thanks. There are 3 families of Mikrotik switches: - CSS: that run SwOS - CRS1XX/2XX: that run RoS - CRS3XX: that allow dual-boot (you can choose what os to run...

xvo

No, you can't.

xvo

CRS1XX/2XX are RoS devices, not SwOS.

xvo

Adding an 8-port switch makes far more sense in your situation.

xvo

You don't need switch functionality if you want separate LAN on each of the ports.

xvo

Remove all firewall and NAT rules.

Or reset the device with no default configuration and configure only things you need.
Only be aware that after resetting with no config the router won't have any IP addresses, so it will be possible to connect to it only by mac-address using winbox.

xvo

It sounds like what I'm looking for is the Dual-concurrent label. Well, there are some examples (most likely the more newer ones) that don't have this said explicitly, and yet they are still dual-concurrent. To be sure, you can check the block diagram of the device, and for dual-concurrent you will...

xvo

All current dual-band Mikrotik routers from this section are dual-concurrent, meaning that they can work in 2.4Ghz and 5Ghz simultaneously: https://mikrotik.com/products/group/wireless-for-home-and-office And as an example of AP that can work either in 2.4Ghz or 5Ghz, but not at the same time: https...

xvo

PPP-profile-Scripts.jpg

xvo

Is Mikrotik RouterBoard RBD52G-5HacD2HnD-TC hAP ac2 up? This one will do? I meant up the product line. Starting from hAP ac2 and then to more powerful/expensive models. hAP ac2 will be ok for 1Gbit as long as traffic can be fasttracked (for example with the default config). If you need load balanci...

xvo

Could you please explain the sense behind this? I see no practical reason to distribute /32 routes. Each router can reach each router - but the hosts in the networks connected to the router cannot reach other hosts in network connected to other routers? It is suited fine for point-to-point links (t...

xvo

MT-Wikis says: Discovery on PTMP Subnets Point-to-MultiPoint treats the network as a collection of point-to-point links. Is this behaviour Mikrotik specific or is this "per design" of the PTMP network-type? It works exactly as stated in your quote - you end up with bunch of /32 addresses. For anyth...

xvo

Yes, you can remove jumpers on PoE-out side and then it won't pass PoE further.
But there is a note, that it won't work if 802.3af/at is used - the power source device won't power the GPeR alone.
https://i.mt.lv/cdn/product_files/GPeRqg_190928.pdf

xvo

But running the default configuration makes it impossible to connect to the router because of the firewall. What do you mean? From WAN interface? Yes, so? I don't really understand what your point is. Firewall won't prevent powering the device up :))) PoE input and "internet" schould not be on the ...

xvo

xvo, I tried your example in https://habr.com/ru/post/262091/, but it doesn't work as such. I used Raspberry PIs in ether3, ether4 and ether5 with identical addresses as yours. No connection available from 192.168.2.2 to 192.168.2.13 or 192.168.2.14. Is there something missing? You should have your...

xvo

I think this is where my knowledge on how to configure CRS1XX/2XX ends. I have only one of the line and it's in production, so I can't use it for testing purposes. I guess that port-profile is somehow messing with the vlan config, or at least with it's part that makes ether1 a trunk port. But I don'...

xvo

Why is the PoE input also the WAN interface by default? Because it is the port, that will definitely be used on a wifi router run with default config. So you don't need to reconfigure the device only to power it up from an injector. For cAP ac it is even more obvious, as it don't have separate powe...

xvo

That can't work even in theory.

xvo

May be but on the other hand it seems more cost effective just to buy a larger unit like for example CSS326-24G-2S+RM that is only a bit more expensive but is full 19" rack unit and gives you 24Gbps ports etc ... Sure, but the idea mainly is to combine two 8-port PoE switches, or one PoE and one no...

xvo

It would be really nice if for smaller devices like this CSS610-8G-2S+IN switch MikroTik bundles second ear for 10" racks mount that are increasingly popular ...

And also (as a separate item) a kit that will make possible to mount two units in one 19" space.

xvo

Right you are... shame on me for not checking for this. No shame here: too many devices to remember all their specs. And no distinctive pattern between names - generations - architecture. As for this particular case: wAP ac2 LTE would be a more proper name, clearly indicating, that this a new gener...

xvo

Think about some of the devices built around the IPQ-4018/9 SoC, such as hAP ac², wAP ac, or cAP ac.

Only wAP ac LTE is IPQ-4018.
wAP ac is mipsbe, and hence not a competitor to the above ones.

xvo

To get an access from trunk port you might need to specify the correct vlan id for management access (System tab, Allow from VLAN).

xvo

it is ok , i think i do not use https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack in full config above. Actually I don't see any firewall at all, which is not good, if the router is facing the internet, and there are public IPs on any of your Dlink DSL-modems. Last think please @xvo , for the 2 WA...

xvo

also , do you think i need chain=input rules ? because i use only prerouting and output chain's ? No, you don't. Prerouting covers both "input" and "forward" traffic. how can i check https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack is enabled ? Look at your firewall/filter's forward chain to see ...

xvo

or it is just a problem with per-connection-classifier=both-addresses:2/0 for WAN-09 and per-connection-classifier=both-addresses:2/1 for WAN-12 ? That is definitely a problem, and has to be corrected the way you figured out yourself. Also be sure that you don't have fasttrack enabled. Apart from t...

xvo

also , can i use both-addresses-and-ports rather than both-addresses ?

You can, but it might potentially break applications that rely on multiple parallel connections.

xvo

Antenna Gain doesn't show up on my settings

Search field on the forum too? :)

xvo

There is no such product.
So, just buy a decent 16-24 port switch and continue using 4011 as a router.

xvo

CCR 2004 is not longer listed in newsleter
and caralog ;) https://download2.mikrotik.com/catalog_2020.pdf
any idea why?

It is there, announced in May/2020:
https://mikrotikdownload.s3.eu-west-1.a ... ews_95.pdf
The catalogue most likely was created earlier.

xvo

Set MAX Limit for leaf queues a little lower than for the parent.

xvo

I assume the concern is throughput and CPU impact rather than function.

Yes, exactly.

xvo

It's a separate interface.
Keep in mind that it is connected directly to CPU not to a switch chip, so it's good to use it as an uplink from ISP, and not so good as a LAN port.

xvo

How would that rule look like? (Blue VLAN is on interface "BLUE_VLAN", vlan-id is 10 and subnet is 10.0.10.0/24. Port ether1 on each switch is connected to the router.) I guess something like this: /interface bridge filter add action=drop chain=forward in-interface=ether2 mac-protocol=vlan out-inte...

xvo

In that case it would be possible to isolate clients using split horizon (assuming each has own access port on one of CRSes). It would probably work nicely for clients of each CRS1xx, however isolation of clients connected to different CRS1xx would still be a challenge, which could be solved by usi...

xvo

https://wiki.mikrotik.com/wiki/Manual:C ... #Isolation

xvo

Does your hap lite have a public ip assigned to it, or is it behind some other router with some ports forwarded?

xvo

And the last steps to do are:
- create different configurations using different channels.
- and then provisioning rules for groups of caps, that will use their own configurations.

xvo

Dont know about proprietary crap but I use firewall rules to allow users on vlans to access a printer on another vlan. Firewall won't help you in case of discovery protocols that rely on broadcasts (and are supposed to work inside one broadcast domain), no matter if they are open or proprietary. On...

xvo

Can't see anything else in your config, that could interfere with it.
Apart from what @anav had already pointed out (address being assigned to the wrong interface).

xvo

/ip firewall nat add action=dst-nat chain=dstnat dst-address=your_public_IP to-addresses=192.168.1.60

And with it the hairpin rule:

/ip firewall nat add action=src-nat chain=srcnat dst-address=192.168.1.60 src-address=192.168.1.0/24 to-addresses=192.168.1.1

xvo

Yesterday i saw some posts about "hairpin nat" and tried to implement, but still doesn't work (currently are not implemented as you can see in the FW rules). How exactly did you try to implement hairpin nat? As your public IP is not assigned to your mikrotik but to the ISP router, you should add an...

xvo

but it fails on phase 2 i have double checked the policy's and they match

You mean proposals, right?

xvo

Search for "hairpin nat".

And as you are behind an ISP router, you should probably implement it there, not on mikrotik.

xvo

Yes, that sounds different indeed.
Still worth "digging" the forum.

xvo

If I recall correctly, the were some messages describing similar behaviour on 4011: one cpu core maxes out, cutting out access to the device itself.
Try searching the forum for last couple of month.

xvo

I do not want to achieve anything . this is a basic setup . but what kind of problems does having wan to the same bridge as lan create ? It would be the same as using a switch instead of a router - one device would probably get internet access, all others - won't. Probably no one will get internet ...

xvo

Tryed disabling both wlans, but when I did the config change to CAP

Just disable both wlan interfaces and don't change anything else in Home AP Dual setup.

xvo

Depending on what exactly you want to achieve by that, but in most usual situation when WAN port goes to your ISP and all other ports are for your LAN devices, that is not what you want to do.

xvo

but both office and home needs public ip address

Public IP at one side is enough.

xvo

Hi.
And what if I will plug ETH1 of RB260 to some PoE Switch with 802.3af / 802.3at? Because of passive PoE I am afraid auto-negotiation will fail to set proper voltage? Or it will work OK?

802.3af / 802.3at is 48V (actually can be between 36-57V), so it is too much for RB260.

xvo

Is there an official place where I could submit a ticket directly to Mikrotik for this? At least so they're aware of the issue, since this is a new, pretty powerful device. The official way to contact support is via email: support@mikrotik.com You can add a link to this thread to your message not t...

xvo

Such a shame, I would really love to test out the features The Dude has to offer... No other ideas cross your mind? Unfortunately - no. If the Dude tab does not appear, that means something is definitely wrong. You can try it on some other device, dedicated for the dude server only: for example on ...

xvo

Could the original installation of the wrong architecture screw things up, even after uninstallation? Could be. If it's a test environment - you can try to netinstall the device and try from scratch. But arm64 being a new architecture in mikrotik line, I'd rather think that it just doesn't work pro...

xvo

Nope, can connect with winbox but can't see the Dude tab on the left side panel.
Where do I need to set up the server settings on the router side?

In this "Dude" tab.

Try disabling/enabling the package (with reboots in between).
And removing/reinstalling, if the first doesn't help.

xvo

Having two bridges doesn't disable hardware offload for one of the bridges?

Not if there are two switch chips.

xvo

Do Dude menu appear in webfig/winbox?
Have you enabled server in settings there?

xvo

Add two additional routing tables with default routes for each of WAN connections. And then a couple of routing rules, that restrict usage of the tables depending on src IP: /ip route add distance=1 gateway=gw-ip-for-isp1 routing-mark=isp1 add distance=1 gateway=gw-ip-for-isp2 routing-mark=isp2 /ip ...

xvo

So it is not possible to distribute one TCP-Stream across all available Links?

No, it's not.

What are the alternatives, to archive full speed for these protocols?

Use multiple streams and balance-xor mode: it can use l3+l4 hash policy, so takes ports into account too.

xvo

What makes you think 30-30-30 should work for mikrotik?!

Here you can read about reset procedure:
https://i.mt.lv/cdn/product_files/hEXSqg_191001.pdf

If nothing works - try netinstall.

xvo

Only LACP and balance-XOR are hw-offloaded:
https://wiki.mikrotik.com/wiki/Manual:C ... es#Bonding

xvo

Nobody has rukus I've never seen anyway

Yeah, sure, things you've never seen, don't exist at all ;)

xvo

What if we leave target as blank though?

Should work the same way in this scenario.

xvo

Cheers! Glad to help :)

xvo

If it's on the wan bridge, isn't it bypassing mikrotik's NAT anyway?!
Or are you talking about traffic from local subnets to Cisco?

xvo

I guess you are missing local-address in your ppp-profile. I suggest you set it to 192.168.252.1 and change to /24 instead of /30 in the route on the modem and in ovpn-server settings. Can leave /30 in the pool though. And for sure no such route should be present: 2 A S 192.168.252.240/30 192.168.1....

xvo

Mikrotik has static IP from modem - 192.168.1.252 Ok, so in the modem all you need is a route to 192.168.252.0/24 via 192.168.1.252. That's all. I see, that you already have it. Modem range is 192.168.1.0/24 subnet 255.255.255.0 --DHCP scope 192.168.1.50-150 --should subnet be 255.255.0.0 if I want...

xvo

PPTP can't be "a good road warrior VPN solution" anyway.

As for the problem - try lowering MTU on the tunnel to smth like 1400.

xvo

When I connect to the VPN, my router assigns my laptop the same IP address I have when I'm normally connected locally on wifi. Local IPs work, but not the internet. Well, don't do it. What Ip does your hEX get from your modem? Specify the completely different subnet for vpn clients. And then two op...

xvo

Yes, xvo, you describe more accurately, what I mean... But suppose, this is bug... RP-filter or route with route mark can't be existed at one time. No, it is a limitation, but not a bug. All is working logically... so one just need to understand this logic to workaround this limitations. Thank you ...

xvo

Packets routes by route mark to vpn interface... Reply come from the other side, checked by RP-Filter, based on rules without route mark, and discarded. Yes, exactly! The way to overcome it: 1) copy routes pointing to local networks to tovpn routing table 2) and mark the returning packets to use it...

xvo

Thank you for patience, xvo I rebooted device and claimed, that this is RP-filter, which discard reply packed in strict mode. I don't understand why... Suppose routers must use only loose mode? So it was rp-filter after all?! I think that is what was happening: - the original packet was routed by t...

xvo

And yes, rp-filter=strict, but I changed it to "no" without any success...

Probably you should wait for route cache to expire.

Anyway, that was my last guess...

xvo

Do adding the ip directly to the list instead of domain name change anything?

And another suggestion - is rp-filter set in ip settings?

xvo

Does routing through vpn work if you make it the default route not only for marked traffic, but for all?

xvo

add action=mark-routing chain=prerouting connection-state=new dst-address-list=blocked new-routing-mark=tovpn passthrough=yes First of all: you can't use mark-routinng for only the first packet. Second: same thing about fasttrack - you can't use it for traffic, that has to be mangled and routed thr...

xvo

Bridge -> Ports, open ports in question and set the proper PVID=4 for them.

xvo

Ok.
I think I know what the problem is: you need to use address as a gateway, not interface.
It works for a /32 address, thinking that it's just another end of ptp-link, but won't work for destinations with wider mask.

xvo

That's hEX on the latest 6.46.7 (long-term).

As I have 300/800 + 600/600 as my Internet connection, I even tried to add something parallel to speedtest, to see if I can push it up to the full gigabit, but no luck there.
So I guess that's actually as much as it can do.

hex_wan.jpg

xvo

If you're extremely lucky.

No luck involved here.
As surprising as it is.
Regular config: NAT, firewall, fasttrack (obviously).
Even tested the case when WAN connection is L2TP couple of days ago - still good results (800/700mbit).

xvo

And what You say about HEX S? Better? Worse? (I do not need wifi antenna inside)

Not exactly worse. Just different.
Nevertheless - slower: will cap at 800-900 in real-life scenarios.

xvo

I prefer to put the distance higher for the non marked route as this allow to sort per distance and makes complex routing table more readable

Yeah, I kind of also sometimes use distance to sort the routes, for which the exact order has no difference.

xvo

Then have one route (the one you actually want) with higher distance and no routing mark on it... Distance is irrelevant in this case. For packets using the named table, route selection falls back to main table (if it is allowed) only after it failed to find a route in the named one. And if named t...

xvo

Dears,

I confirm that the 951g-2hnd is not able to carry more than 300-400 Mbps on 1Gbps link. In this case: which Mikrotik router do you recommend to fully use 1Gbps?

hAP ac2/RB450Gx4 and up.

xvo

Shouldn't we be seeing the changelog from 6.45.9 to 6.46.7 not from 6.46.6 ? Going up a major version in a long-term release should be looked over a bit more carefully before we take the plunge.

Yes, that would be logical.

xvo

Pin side UP is the right way.

xvo

I tried to follow wiki manual, still unifi AP is nto visible on trunk port ether5. Leaving aside the fact, that you've chosen the less desirable configuration approach, and keeping in mind the mistake, that bpwl already mentioned, I can't see anything wrong in your config at first glance. Recheck w...

xvo

You need to have: 1) Only one bridge 2) ether2 and ether5 added as bridge ports to that bridge 3) Two vlan-interfaces created on that bridge (created on, not added like the bridge ports) - one for each of the vid's. 4) Add IP configuration to vlan-interfaces 5a) Vlan filtering done in switch menu if...

xvo

I would try another router between ISP and CRS (use CRS like a switch only) to rule out the possibility, that the problem is on ISP side.

xvo

[moderated]
Sophisticacted poetry please.

xvo

Post your whole /ip firewall section.
And /ip route as well.

xvo

I concatenated two rules, dst-address and route-mark in one route, and it's ignore reply again :( I can't uderstand this situation and hope anybody help me to diagnose it... Having different distances means nothing in this case - these two rules are in the different routing tables. The fact that di...

xvo

Default firewall will block it, just as any other incoming traffic from the outside world.

xvo

Use forum search.
At least another two similar topics were created for the last week.

xvo

Have you checked the physical port status after the slow down?
Could be some problems on the line, that force renegotiating to 10mbit.

xvo

the question I have is, is the excess shared equally or goes to the first person accessing it??

If you use PCQ, then yes.
If all queues are configured manually, you can use priority to modify this behaviour in favour of some users.

xvo

They also offer endpoint as a cloud service which likely has high availability - so no issue with single point of failure. That's the key to effectively move from per-connection to per-packet. You can do the same (more or less) with Mikrotik: get a CHR in the cloud and multiple tunnels running to i...

xvo

So basically at the moment there's no better MikroTik device that will get me increased wireless speeds over what RB922 currently does.

As unsatisfying as it sounds, but yes.
At least not up to the point where what you gain will justify the money spent and overall hassle.

xvo

Ok, no errors, good.
But still can be a cabling issue.
Any chance to try different cable, or at least redo the connectors?

xvo

Sometimes I think Normis and 3-5 other guys are the entire Mikrotik workforce

Not 3-5 of course, but only ~300 employees total.

xvo

Which parts of the processing would you do with the virtual routing and forwarding (VRF) technology? The VLAN tag/untag and NATing has to be done in lower layers than L3 anyway, right? VLAN tagging/untagging don't really complicate anything, you'll just end with bunch of VLAN-interfaces on each of ...

xvo

other side is PowerBeam 5AC Gen2 --
what is strange if i setup manualy 1GB on MIkrotik -- there is no LINK with PowerBeam 5AC Gen2 -- must make Auto negotiation to work again :(

Are there any errors registered on the link (TX Stats/RX Stats)?

xvo

Copy MAC-address of 2011's WAN port somewhere, then change it to the one from ASUS's WAN port.
If that resolves the problem, that will indicate the ISP is using binding to MAC for authentication.
Then change the MAC back and call your ISP, and ask them how to rebind to the new address.

xvo

The clue is VRF.

xvo

what can be reason LINK DOWN? ? for 2-3 s

All ports or just the one?
What's on the other side of the link?

xvo

/queue simple add dst=pppoe-out1 max-limit=10M/10M name=queue1 queue=default/default target=eth1 Thanks a lot for the reply. Apart forbthe queues code, do i need to add anything else on the firewall or anywhere else? Nope, but I misread your original post a little, so the command should be: /queue ...

xvo

/queue simple add dst=pppoe-out1 max-limit=10M/10M name=queue1 queue=default/default target=eth1

xvo

Clients don't have a route to 192.168.102.0/24 and use the default one.

xvo

Yes, I think I understood. I'm okay with separate subnets.

Ok! :)

xvo

..... unless the gain was changed while in a previous release or by a restored or imported configuration (or set to zero due to the update) , and people unfamiliar with RouterOS are facing a rather puzzling fix (CLI only) with a non-trivial error message ..... Well, that's what this forum is for :)))

xvo

Thanks. That's a very useful explanation of VLANs. That doc also confirms what XVO said. The interfaces must be on separate subnets. I'm still not 100% sure that you got me right: both approaches are possible. If you want them to be in one subnet - then you need to bridge two ethernet interfaces to...

xvo

That makes sense. Thanks so much for your help! большое спасибо!

You are welcome! :)

xvo

Note that the vlan-aware bridge is less versatile than the general solution of putting vlan interfaces in a bridge. For example, it is not possible to have different tags on different ports (tag translation). True. But when talking about tag translation between two ports, the bridge will contain tw...

xvo

Put the VLAN interface in a bridge together with ether5 and put the IP config you now have on ether5 on that bridge instead. One should avoid bridging physical ports with vlan interfaces: https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#VLAN_in_bridge_with_a_physical_interface Creating...

xvo

Historically, setting antenna gain higher (and tricking the device so it will lower the TX power automatically) was (and still is) the easiest way to lower the TX power on devices that don't support tx-power-mode=card-rates (tx-power-mode=all-rates-fixed is not exactly that, and setting tx-power for...

xvo

Maybe a warning while using Quickset after initial config would make sense. I also noticed that it randomly removed me a couple of firewall rules for L2TP/IPsec server access Not being told what will happen, is not the "safest" design. sebus While there are some warnings in help web page for quicks...

xvo

Per your advice earlier, I got rid of the bridge. Now that there is no bridge, can I go ahead and assign same-subnet different-IPs to the VLAN and ethernet interface? That is not, what I meant: two ethernet ports should be bridged, not ethernet port and vlan. But if you don't want to go that way: y...

xvo

Do you know if it's possible to have the VLAN's interface set to 192.168.1.1, and the ethernet port's interface set to 192.168.1.2? Same subnet, same IP pool, but different IP addresses? Assigning an address to a slave interface (and ethernet interface will be a slave to a bridge in your config) is...

xvo

Thank you. By "do it properly" you mean bridge vlan filtering, correct? Depending on what exact Mikrotik device we are talking about. And are you saying that to have them on separate subnets will be a performance loss? Or that finding a workaround is not a good idea? Traffic between subnets will be...

xvo

Thanks. This is the man page, then? https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering Yes, that's it. But keep in mind that, despite the fact, that all mikrotik devices can be configured this way, in high-load scenarios this approach it the best option only for CRS3XX swi...

xvo

That is what I normally expect from the gear I work with. But well... Quickset is just a set of scripts, that apply different predefined configurations with some user-defined variables (like names, passwords, some checkbox-type options). There is absolutely no way someone could make such script che...

xvo

I created a bridge called "office," assigned it two ports (ether3 and VLAN11) That is not the correct way. Bridging VLAN interfaces with physical ports is a misconfiguration. You should add both ethernet ports to the same bridge and then setup a proper vlan filtering. Depending on the RB model, it ...

xvo

If you didn't disable it yourself, mikrotik won't do it for you, that's for sure. On the other hand, if talking about "bridge mode", you mean quickset, then I'm going to disappoint you: quickset is not meant to be used on the router, that has a non-default configuration. I mean at all. It can screw ...

xvo

radiating power has not changed also - only ROS thinks that the antenna has less gain. It is so? Yes and no. It thinks that antenna has different gain and adjusts the radiating power to fall into the allowed range. Antenna gain minimal value together with regulatory-domain setting is exactly what p...

xvo

Set proper antenna gain in terminal:

/interface wireless set 0 antenna-gain=2

xvo

you mean to create a seperate virtual ssid on the cap that will be connected with the station-bride?

Exactly.

xvo

As a matter of fact, I was wrong, capsman is the reason after all:
https://wiki.mikrotik.com/wiki/Manual:W ... tion_Modes

So the best thing to try is to create separate virtual interface not managed by capsman.

xvo

3. this option is necessary to enable communication between wireless clients inside their (with a capsmans acl) assigned vlans, so i have to enable it. Now I get it: it's not really a bridge, but rather ap - station, when the far end of the bridge is among some other "regular" clients. 1. because i...

xvo

First of all, why do you care if mode=station-bridge is supported by capsman, when capsman is not used to configure the station? Second, it is explicitly stated in wiki that for multicast-helper=full station has to be in mode=station-bridge. And the last, why do you need multicast-helper=full in the...

xvo

Log window is showing no entries.

xvo

Have you done the same on the other side?

Also you better change the addresses on the tunnel itself so they are not from your local subnet.

xvo

You can’t use interface as a gateway in this case. It has to be remote router’s tunnel address: 192.168.1.251

xvo

How do I create a route on the core side to the spoke subnet if there is no interface or IP to use? The interface is created dynamically when the spoke mikrotik connects. There are several options: 1) You can create L2TP Server Binding - which is a static interface. 2) You can specify the routes th...

xvo

It's kind of expected for non-fasttracked traffic with queues, and as much mangle rules.

xvo

Add this rule to your firewall and move it upper than the default drop rule in input chain:

/ip firewall filter add action=accept chain=input comment="allow dude to self" dst-address-type=local dst-port=8291 protocol=tcp src-address-type=local

xvo

For CRS317 it was added earlier.

xvo

I have a suggestion. Do you by any chance have a couple of switches, so both NASes are connected to 4011 via its own switch? Or instead you can configure your RB260 this way: ports 1 and 2 untagged members of one vlan, ports 3 and 4 - the other. And another suggestion, watch for errors on TX Stats a...

xvo

What ports do you use: belonging to one switch or different?

xvo

Well, you can certainly do that.
But your initial post was about DNS only, and about the easiest way to do it.
And so was my answer.

xvo

Create additional network(s) in DHCP Server --> Networks just for that address(es) with another DNS server setting.

xvo

Only CRS3XX devices can get hw-offloading when VLANs are configured in the bridge menu.
On all other devices (CRS1XX/CRS2XX as well) you still have to configure VLANs in switch menu, for traffic to be processed by switch chip, and not by CPU.

xvo

Is there anything else out there that's superior to PCC-type concept for load-balancing between two different ISPs without the use of proper bonding? I mean outside the world of MikroTik. Outside or inside Mikrotik, it is not an implementation question, but rather a question of concept, as you stat...

xvo

The benefit of "both addresses" is the increased chances of bandwidth aggregation. "both addresses and ports" would double or triple the chances of bandwidth aggregation. That is only true for small amount of client devices. When we are talking about 50, 100 and more active users, the load will be ...

xvo

Thanks all for the tips here. I am sure 3dfx can apply those to get wired speed as well :). He should disable STP as well and make sure there is no loops in his network as this protocol needs to be disabled in order to get wired speed on VLAN 1 I don't think lack of HW-offloading is a problem in hi...

xvo

Nah, you got it wrong. What the other guy tried telling is, when an app/service/site does multiple connections to multiple destination IPs. Hence the hash will never be the same for each pair of "source IP" and "destination IP" where the latter varies. Please, reread the thread: "the other guy" was...

xvo

No one has ever shown any hard evidence for "broken connections due to multiple source IPs".

How will using both-addresses end up with "multiple source IPs" in the first place?!
The hash will always be the same for a given pair of addresses - so the resulting WAN will be the same.

xvo

by default STP is enabled and as soon as I disable it I got HW offload enabled.

Bingo! :)

xvo

Something is configured on yours that disables HW offload.

Most likely STP.

xvo

If I log into routerOS is everything ok?

Login and navigate to System --> License to check the actual licence level.

xvo

1) Connection is marked on the first packet from LAN to VPN: 1st counter +1 2) The same packet is marked with packet mark by second rule (you have passthrough=yes on the first rule): 2nd counter +1 3) Returning packet is marked with packet mark (as it belongs to already marked connection): 2nd count...

xvo

No real point, but from your screenshot it is not disabled.

Search found 1048 matches