MikroTik

xvo

What you need is VRF.
Divide your ports into two separate VRF instances and each one will use it's own routing table.

xvo

You are welcome!

xvo

A 5-port switch chip kind of is a 6-port switch chip actually, with one of the ports leading to CPU. And the access to the router itself, router's wifi, another switch chip, possibly firewall (if needed) - all this is behind this port. In most of the cases if you need to send a packet from ethernet ...

xvo

Yes, I've read the document. Mikrotik's definitions of indoor/outdoor don't correlate with it (leaving the fact that they are weird by nature) - but overall frequency range is right. Which is the most important part, anyway. You can choose both standard and non-standard center frequencies. No surpri...

xvo

Actually 6425 is right: https://digital.gov.ru/ru/appeals/faq/366/

And for indoors/outdoors there is definitely some misunderstanding, not only for "russia4" region: either on mikrotik's side, or on how mikrotik treats the whole thing, so just use "any".

xvo

Depends on whether you expect vlan 99 packets reach the cpu tagged or tagless (this way they get there tagged): do you have a vlan interface, or the address is attached directly to the bridge? Also config of 8227 is also relevant (the one on the other side, not on 2011), for probably it’s the one th...

xvo

That doesn't look right to me: in case of 8227 default-vlan-id should be set for ether6 and ether10 too. However, for 8327 that would be the right way (except setting vlan-header to anything other than leave-as-is won't take effect). Also I see settings for switch2 cpu are missing, which also can't ...

xvo

@xvo from your last can i get conclusion that we can't play around with different switch chips. It must to be same, on both ends, and also how you mind differently? Nope. Of course there can be different switch chips. One device does't care what is other device's switch chip. It's just you don't co...

xvo

What about the latest "russia4"?

xvo

Surely not, but vlans on Atheros8327 and Atheros8227 are configured a little bit differently.

xvo

STM32F107xxx is not a switch chip it's the CPU.

xvo

Cheers!

xvo

this will have to involve NAT/Masquerading...a feature I was not able to gahther info, whether this will be hardware accelerated on MT (some or in general) devices or not. No it won't. All current mikrotik routers don't do NAT in HW. (Only some of mikrotik switches can do HW NAT in ROS7 now, but on...

xvo

You can create a scheduler script that will run at boot and disable interfaces in question (or do anything else you need).

xvo

1) You can create second l2tp-tunnel through the second wan connection the same way and revert to lookup-only-in-table for both of them: switching routes between two tunnels will be much faster than rebuilding the tunnel. Especially if OSFP + BFD can be used on top of that. 2) You need this address ...

xvo

You can try, if it's the only l2tp connection originated by the router.
Mangle output and srcnat chains are at your service.
But I don't see in what way is it simpler.

xvo

Two possibilities: 1) Create a loopback interface (empty bridge) and assign this random/unused address there. That should work. 2) Add a script to PPP profile used for PPPoE to update the address in l2tp-client and route rule any time it changes. Anyway, try to make it work with you current dynamiс ...

xvo

src-address :)

xvo

1) Fill the src-address field in l2tp-client.
2) Use /ip route rule (lookup-only-in-table) to force connections originated from this ip to desired routing table.

xvo

This approach would be so much easier to understand for idiots like me. I kept thinking that the Network Address was on top. Sure, but again, as already stated, it would require to specify both values. And with the current approach the only occasion when you need to specify network manually is when...

xvo

Can you confirm that this is the correct setting for a XXX.128/25 subnet?

Yes it is.
And you don't even need to specify the network - it will be automatically calculated from XXX.129/25 address/mask.

xvo

but for anything that starts with a 0/XX, the Network Address get set to 1/XX.

No it's not.
Your own screenshot:

network.jpg

xvo

This is how my router defines the Network Address out of the box, not as 0/24, but as 1/24. If I change it to 0/24, the subnet stops working. I am crazy at this point? Untitled.jpg At your screenshot it defines your router's address - 192.168.88.1, your network address - 192.168.88.0 and your subne...

xvo

At this point it feels like I'm talking to a wall. I REALIZE how it works, I'm saying that if you gave a monkey an example of XXX.XXX.XXX.0/25 Subnet >>> XXX.XXX.XXX.1/25 Network Address and told it to replace it on .128/25, it would make it like so: XXX.XXX.XXX.128/25 Subnet >>> XXX.XXX.XXX.129/25...

xvo

There are no exceptions here.

XXX.XXX.XXX.128/25 is not a valid address for a device, just as XXX.XXX.XXX.0/25

They are both reserved to be a network address.

Same for XXX.XXX.XXX.127/25 and XXX.XXX.XXX.255/25 which are broadcast addresses for these two networks.

xvo

1) Inter-VLAN traffic should be fasttracked on hEX (and you need to enable Fast Path in IP -> Settings for it to work). It is not powerful enough to route full gigabit without it. 2) As you are using one of the ports outside of the bridge for uplink, and SFP port as part of the bridge, the CPU <-> S...

xvo

Fastpath is not enabled, does this have to be working for fastrack to work correctly? Yes, it absolutely does. That should be the solution to your problem. I have VLAN filtering enabled on the router. From what i was reading if vlan filtering is enabled fastpath is disabled. Fastpath is used by dif...

xvo

I am fairly certain it catching and processing the packets through those rules as when i run my iperf test now i see a massive spike in bytes and packets on those to rules in Winbox only during the duration of the test. Something is definitely wrong, the fasttrack rule should be hitted only once pe...

xvo

While the chip seems to support up to 32 VLANs in hardware the functionality is not exposed in ROS. Most likely the switch chip vlan layer is used inside ROS to provide individual (non-switched) ports functionality. And as the switch chip can't do vlan stacking, there is simply no additional vlan l...

xvo

UAP-AC-HD needs more than 44V according to datasheet, so 48V power supply is needed anyway.
And no passive poe support is mentioned at all.
So no guarantee it will work from 4011 at all.
Better wait for someone who actually tried it to confirm.

xvo

Established/related etc are states between WAN - LAN etc. not from VLAN to VLAN. Why do you think VLAN to VLAN traffic if somehow special? For multiple connections the device should utilise more than one core. But still, this is the kind of traffic you should apply fasttrack to, in order to increas...

xvo

$user

xvo

There is a dedicated tab for that in ppp profile settings:

ppp-profile-scripts.jpg

xvo

If the static DNS records provided by the router are simple to distinguish, you can use matching of the queries to regular expressions listed under /ip firewall layer7-protocol to make the action=dst-nat rule selective: what needs to be answered by the external DNS server will be redirected (dst-na...

xvo

I changed the IP of the DNS server to 10.10.10.1 and then used that address in the NAT it forwarded the request to that DNS server, but the IP entering the DNS server is still the IP of the router rather than the client's actual ip That was the solution to make NAT work, not for your initial proble...

xvo

What if I changed the IP of the DNS Server to a different range?

Yes, that is the best solution.

xvo

why if I use a public DNS IP in DST-NAT everything returns to normal but when I use a local IP like 0.33 everything stops? Because the local server sends the reply directly to the client (and the router has no chance to do the reverse translation), while the client waits for the answer from the rou...

xvo

yes i think I'll just have to live with that, i tried using NAT dst-nat but that didn't work at all the requests wouldn't resolve. Dst-nat could help you to forward the request to the server, and let the server answer instead of mikrotik. But you can either forward the request to the server (needed...

xvo

I can't do that there are some specific static DNS entries available on the router, required to be available.

Either move these entries to your server at .33, or you have to live with what you have now.

xvo

yes, exactly I set the router's DNS as 192.168.0.33 and "allowed remote requests" but all the requests coming to the DNS Server 0.33 are from the client IP 0.1(the router) i need them to be the source IP address not masked with the router's address. Use 192.168.0.33 as DNS server on your ...

xvo

Probably RSTP is enabled on the bridge, and as a result hw-offloading is disabled.

xvo

Interestingly only 9 wired ports..

Probably 8-port switch + 10Gb combo-port.
Would be nice.

xvo

Oh, it was my impression that this figure is the max EIRP per chain on that specific frequency. So subtract the antenna gain and you get the max output power per chain. Total, not per chain. And with antenna gain already subtracted. So for ac you can set this as tx-power. For n - might need to subt...

xvo

bpwl is bailing, would someone please explain his parting words, to me? Please? Bottom line: no one even cares if quickset is buggy, because no one is using it. At least for scenarios more complex, then the home ap. Simply no point - you will need to redo most of the config anyway, so why not start...

xvo

You have "some" information in the status of the interface. Here 17dBm. That is shown only in tx-power-mode=regulatory-domain and that is simply maximum allowed tx-power. Don't even know if it is calculated from actual antenna gain, as you describe, or just hard-coded from the default ant...

xvo

Is this a bug, but I can't see 5GHz Current Tx Power? It is working fine and devices are connected, but just can't see anywhere the transmit power.
The tab is just empty. in 2.4GHz it's filled with numbers.

It has nothing to do with the ROS version, this was always the case for 5GHz ac cards.

xvo

What most people really want is to enter simple value that lowers the gain proportionally for all modulations by a specified number. If I want 5dBm weaker signal, I just enter "5" and I get 5dBm less signal over all modulations and modes. Irregardless of regulation domain settings, MIMO c...

xvo

ISSUE FIXED !!!

I'm now on MacOS 11.0.1 Big Sur.
But i assume the solution is the same on previous MacOS Versions

Nope.
Broadcom 4331 still needs kext modification on High Sierra.

So perhaps this is true only for some of wireless chips, or only for 11.0.1.

xvo

Even if you somehow disable ECMP, you will still have "unpredictable routing".
Only instead of having ECMP routes, which at least are easily seen in the routing table, you can end up with asymmetric routes.

xvo

If you don't care what path will be chosen between two points (which is the case, as you don't want to fine-tune the path costs), then why do you care if it is ECMP or not?

xvo

If I remember correctly higher channels are available via CLI only.

xvo

Or create a more specific dhcp-server network(s) with different dns-server specified.

xvo

Should i paid HALF of price?

Well, you kind of do...
Maybe even less, compared to other brands :)

xvo

Thanks, it is clear, what about the device - mAP 2nd is OK? Can I assign the same IP address on ehter1 and ether2, to avoid NAT, or there is some other trick? You don't need router for the task, any managed switch can do that. Or I think any unmanaged 100mbit one will do the trick too. And even if ...

xvo

port_speed.jpg

xvo

If the device can work only on 10 or 100 it will autonegotiate at 10 or 100.
If for some reason autonegotiation doesn't work you can set the speed manually.

xvo

I guess this is because netinstall is compiled for win32.

It is. Always forget about such limitations in newer macOS.
Using it myself on a machine that is still on High Sierra.

xvo

You can run Netinstall with Wine.

xvo

What exactly do you want to test? When testing by bandwidth test in ROS between two devices you are not really testing network performance, but rather CPU performance of the devices. To test bandwidth properly you should test through your devices, not between them. And you can do so for SwOS as well...

xvo

Shouldn't this speed happen between the 2 clients? If they are both on the same wireless? Of course not: each frame needs at least twice the airtime to be transmitted - from A to AP and then from AP to B. So maximum you can get is 1/2 of what you have, when only one client is on wireless, and in re...

xvo

Curious enough, when both tested with Speedtest, each of them achieves ~470/25 Mbps, my contract being 500/25. Why do you find it curious: 230mbit between two wireless clients on one radio is actually more or less the same as 470mbit from one of them to outside network. To have the idea of maximum ...

xvo

Not the wap ac LTE Kit (QCA9531).

Can't find any info on that one.
As I remember wAP ac LTE Kit was IPQ4018 from the start.

xvo

Looks like you missed that it is kind of special reverse-PoE switch.
For PoE-out there are different models.

xvo

I've been trying to login from winbox for Win, but no luck.

And you are sure that you tried to connect by MAC, not by IP?

xvo

As for hardware vlan issue, I see that now, but i cannot figure out how to do this without that. https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Management_access_configuration and for all your other vlan's: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#VLAN_Example_.231_.28Trunk_an...

xvo

Check, that you advertise 1000M:

ether1.jpg

xvo

Neither your hAP ac2, nor the device on either end is advertising 1Gbit.

xvo

I guess the easiest way if you disabled winbox and ssh as well is to try mac-winbox. It is controlled by different menu, so if you didn't have a chance to mess with it before proceeding to IP -> Services it should still be open from the LAN by default. Open winbox, go to the neighbours tab and wait ...

xvo

TP-link is probably using different pairs when in Passive-PoE mode.

xvo

hEX S doesn't support vlan filtering on switch chip.
Only on the bridge.

xvo

What makes access list an "enterprise solution" and why being "enterprise solution" is a "bad thing" in the first place?

xvo

One way to solve this problem is to use Static-only for the DHCP server. In this case, if users change their MAC address they will not be able to obtain an IP address. This will force them to disable the option in iOS settings. Also this will not work for all users, because some of them will set th...

xvo

I doubt the CAPsMAN rule ,,,,, possible ?

Try ading src-address=127.0.0.1 to this rule as well.

xvo

Ok. Short googling tells that you need forced reboot at the end of procedure, not the "regular" one:

echo 1 > /proc/sys/kernel/sysrq
echo b > /proc/sysrq-trigger

From here (in Russian).

xvo

Try of=/dev/vda
If I remember correctly that helped me with Aruba Cloud.

xvo

I don't think you need bridges at all: just vlan-interfaces on top of each of ethernet ports.
It's not that you will be switching between to ports with vlan tag in mind, but rather untagging - routing - then tagging again.

xvo

What's the difference between 4 and 6?
Just scale accordingly.

And if I recall correctly, you already posted the same question earlier?!

xvo

The sim slot is there to be used if you swap LoRa card for a 3G/4G modem card.
The kit is basically a wAP R device + LoRa card, so no modem included, and there is no way to use both (modem and LoRa) at the same time.

xvo

You can use any PoE-out port on any of Mikrotik devices (except for PoE injectors) to connect a non-PoE device without any risk. If you don't manually put such port to poe-out=forced-on , but leave it on auto-on or off the power won't be applied to it. And it's clearly mentioned in the manual: https...

xvo

I suggested OP (on the other forum) to add /ip route add dst-address=137.17.4.1/32 gateway=137.17.24.1 scope=10 And he already confirmed, that it resolved the issue. But per @Sob 's suggestion I would still add a lease script: to update this route instead, in case of gateway or network change (proba...

xvo

Set use-ip-firewall=yes on the bridge or use bridge filter if it's capabilities are sufficient for your task.

xvo

Ok...so i need to add the switch cpu port in the vlan Table for VLAN-ID 20. But this also enables access to device management. What is a good strategy to get around this problem? There are multiple options how to restrict unwanted access to device itself: IP -> Firewall and IP -> Services for L3 ac...

xvo

Unfortunately the SFP-Port is not available in switch config mode. So you don't think it is possible to use near wirespeed config with a sfp Port? You are right. No it's not possible for SFP <-> other ports. But it should be possible to maintain wirespeed between other ports. I guess that's the sam...

xvo

No problem,
but i'm curious. What are the benefits or downsides to each of those methods.
I could not find any definite answer on it in the mikrotik documentation.

Just answered the same question in a similar topic: viewtopic.php?f=2&t=168221&p=825432#p825432

xvo

You are mixing two configuration possibilities together: bridge vlan filtering (which is done in software on this device) and switch vlan filtering (which is done on the switch chip). No good can come out of it. You need to choose one depending on what better suit your needs: 1) Bridge vlan-filterin...

xvo

@mikrotik ... how to use VLANs correctly on CSS610-8G-2S+ ??

Why bother reading the thread two messages up from your own...
viewtopic.php?f=17&t=167049#p821159

xvo

@xvo's remark would make sense if you used 1.1.1.1 and 1.1.1.2 as GRE's local-address and remote-address; in your setup, you do need the tunnel=yes mode.

Indeed...

xvo

As you are wrapping gre in ipsec you need tunnel=no in ipsec policy.

xvo

If you use the same subnet for VPN and for your local bridge you need to set arp to proxy-arp on the bridge.

xvo

xvo

You need to disable serial console on serial port, that is used for connection to cisco.
Then setting silent-boot=yes should be enough.
If not - try enter-setup-on=delete-key too.

xvo

Ok, now I see that your initial post need some clarification: do you use CCR to control cisco or vice-versa?

xvo

/system routerboard settings set silent-boot=yes
and also
/system routerboard settings set enter-setup-on=delete-key

xvo

It seems, that you are right.

xvo

You might be right.

Ok. Another suggestion: putting vlan-mgmt into separate vrf will definitely make it unroutable, unless needed.

xvo

when i set slient-boot do i need rebootthe router?

I’m not sure: this setting is needed to prevent mikrotik from writing into console port on startup.
But I don’t know if it will be applied on first reboot or after it.

xvo

Never used it between mikrotik and cisco, only between two mikrotiks, so can't say about the needed baud rate.
But don't forget to disable serial console on mikrotik's serial port.
And also set silent-boot=yes in /system routerboard settings.

xvo

Where do you run your pi-hole?
Bare device, VM, docker container?
It looks like some misconfiguration in VM/docker networking.

Anyway, it most likely has nothing to do with mikrotik.

xvo

I believe there is even simpler way: /ip route rule add interface=vlan-mgmt action=drop With this approach, you are explicitly ending your set of rules using "drop everything else". That means you have to whitelist (allow/accept) every single separate type of traffic you want to allow. Wit...

xvo

And your question is?!
What exactly prevents you to configure what you describe?

xvo

https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering

xvo

IP -> DNS -> Static

Of course that will work only if mikrotik is used as DNS server for you network.

xvo

The second is the right one.
That's interesting to know if %interface can actually be used to "bind" ping check to this interface only.

xvo

Is ospf permitted by firewall on both sides?

xvo

Hi, Yes.
Attached known bug.
https://discourse.pi-hole.net/t/total-q ... er/31648/2

As already stated - It's not a bug, but a misinterpretation of router's config options.

xvo

I guess you entered pi-hole as DNS server in IP -> DNS?
You should additionally specify pi-hole as DNS server in IP -> DHCP -> Networks

xvo

And it works like a charm. Yes it does! And another great thing about that - the addresses doesn't have to be adjacent, so I have all my PTP links like 172.27.XXX.YYY - 172.27.YYY.XXX (where XXX is some unique identifier for this particular router). That is perfect for 1) ease of reading 2) the abi...

xvo

That should work.

xvo

I'm not sure if Mikrotik supports /31 but I thought I'd mention it.

It doesn't. You need to use pair of /32 addresses with network specified as the "opposite" one.

xvo

Hi, This is for Internet fail over. What's the best way in RouterOS to configure a route via a specific interface, so that if that interface is down it won't route via the default route (or any other less specific route)? I think I can do it by adding a route to Null for the same /32 but with worse...

xvo

Yes, that's exactly my point.

xvo

Performance-wise you're right. Configuration-wise, VLANs and centralized routing config is much simpler than distributed routing. Plus it would make a good basis for expansion (much easier to add another subnet or increase number of ports within subnet or replacement of RB760iGS with a proper manag...

xvo

that there are no additional GPIO pins

Have you seen this in the latest 6.48beta48?

*) m33g - added support for "/system gpio" menu (CLI only);

viewtopic.php?f=21&t=163308#p822721

xvo

including wiping the file storage...where I had stored a couple backup configs

Are you sure they were in /flash folder, not in the root directory that is mounted to RAM?

xvo

There are different approaches - you could route between subnets on mikrotik2-4 and have static routing rules on mikrotik1 so traffic is directed to the correct mikrotik, or you could use mikrotik2-4 as switches with VLANs and perform all of the routing/firewalling on mikrotik1 RB760iGS won't be go...

xvo

Firewall doesn't allow connections, it allows packets.
And different packets from that connection can be allowed by different rules.

xvo

This is an all wireless network with the AP's UN-tagging VLAN traffic. In this scenario, is there any advantage to tagging all the switch ports? Thanks again.

If all ports need to have the same set of tagged vlans, then there is no point really.

xvo

I've come to conclusion that the easiest way to wol a pc in remote network is running a small bash script that will connect to mikrotik by ssh and run a wol command. A special user can be used for that: only ssh and test permissions are needed. But anyway, ssh port open to outside network is not a g...

xvo

manual.jpg

That is from the very beginning of that page.
https://wiki.mikrotik.com/wiki/SwOS/CRS ... s_features

Unfortunately, it looks like RoS is the only option here.

xvo

Yes, there is 250 VLAN limit in SwOS:
https://wiki.mikrotik.com/wiki/SwOS/CRS3xx

xvo

In winbox you have to choose needed action first (in this case action=reject) and then options for this action will appear.

xvo

That is the expected behaviour - latest period of time is stored in max resolution, the next one - in lower (10 min), and so on (2 hours, 1 day).
You can change the exact time for each period in settings:

dude charts.jpg

xvo

First you have to decide: do you really need to "bridge" or to "route" will be enough? In first case you will have one subnet, only one of the routers will act as a DHCP server for both networks and so on. While in the second case you will have two completely independent networks...

xvo

A load balancer would slightly complicate things, nothing terrible, but a couple rules like sindy suggested would be a much simpler solution in this case. These rules are what load balancer is mostly. And now meaning the "destination". The only thing that is lacking - taking the up/down s...

xvo

Now ping and ssh connection are working from management RPi to DEVs! Thanks xvo! Niiice! However that makes me wonder if the guy who wrote the article ever tried it himself in the exact way he wrote. I once built a test setup somehow using this article as a guidance, but the setup itself had some m...

xvo

Then check IP -> Services, System -> Users and IP -> Firewall -> Filter (input chain) sections to see if access is not restricted to some ip's (whether for this user only, or to device in general).

xvo

Are both of PCs have the same winbox version?

xvo

I also found MikroTik RBGPOE power injectors, with these I think I should be able to use the power supply that comes with the ac²s to supply PoE. This way, all of my APs should be able to pull up to 0.8A*24V=19.2W in ideal conditions. Besides the extra wiring and cabling in the basement, that shoul...

xvo

You are misusing ECMP - it is meant to load balance routes, not the "destinations".

xvo

I have one idea. For returning packets you do this: /ip firewall mangle add action=mark-routing chain=prerouting dst-address=192.168.2.2 new-routing-mark=main Is this rule being hit at all? The idea is, dst-nat is performed after the prerouting chain, so probably the action reversing the src-nat too...

xvo

No, if the device is configured as a switch it doesn't forward any IP packets.
You can even disable IP forwarding in IP -> Settings.

xvo

I agree that it would be nice to have a bit of a buffer, but I can't seem to find that 28V 3.4A supply while browsing MikroTik products. I think it may be a one-off accessory for that specific switch. Do you happen to know if it is sold anywhere? I'm not finding similar products offered elsewhere e...

xvo

No attachments in case of hAP ac2 means no usb devices. The device itself consumes 16W which is 0.666A at 24V (not 0,5A). So 3 of them will give exactly 48W which is 2A at 24V. So theoretically this is as much as hEX PoE can provide. But that doesn't account for losses on the cables on one hand, and...

xvo

If you changed the IP for your LAN bridge you should change dhcp pool and dhcp-server network as well.

xvo

Why your vlan-interfaces are created on top of the bridge if you want ether5 to be a trunk port?
Move them to ether5. Also add all of them to interface-list=LAN.

And also move the address from ether2 to the bridge.
Despite the fact that it is in the default config it is wrong.

xvo

So, I did try that - I set a port on the bridge to untagged VLAN4 and then enabled vlan-filtering on the bridge. Plugging in a client to that port and I do not get an IP from the DHCP server on that VLAN. I may be missing something else here. Would I need to also add the VLAN interfaces to the brid...

xvo

Mikrotik uses Mode B (4,5 - 7,8) to supply power.
Most likely cameras support only Mode A (1,2 - 3,6) which is against the standard.

xvo

RB4011 doesn't support vlans on hardware.
So you should configure bridge vlan filtering (and lose hw-offloading).

xvo

Thanks for your reply, there are some default rule under the filter rules tab NAT tab or Mangle Which I am not able to delete.

If you are talking about "special dummy rules", the will be deleted on first reboot once you delete the fasttrack rule in filter forard chain.

xvo

How an untagged flow of traffic into a switch can then be turned into tagged traffic coming out other ports of the switch It will be tagged by a switch, I guess :))) Isn't that what is switch for after all: tagging, untagging and tagging again, just to fulfil the darkest of admin's designs?! You co...

xvo

Thanks for keep supporting. I know RoS has more configuration features than SwOS, but some features i didn't get in RoS what i see with SwOS such as port isolation, port forwarding, port locking, port mirroring, bandwidth limit etc. Thanks. All is there, in switch menu, with far more possibilities ...

xvo

Okay! i disappointed to know this as i thought all Mikrotik smart switches come with SwOS opeating system. Totally waste my money on this. Thanks. There are 3 families of Mikrotik switches: - CSS: that run SwOS - CRS1XX/2XX: that run RoS - CRS3XX: that allow dual-boot (you can choose what os to run...

xvo

No, you can't.

xvo

CRS1XX/2XX are RoS devices, not SwOS.

xvo

Adding an 8-port switch makes far more sense in your situation.

xvo

You don't need switch functionality if you want separate LAN on each of the ports.

xvo

Remove all firewall and NAT rules.

Or reset the device with no default configuration and configure only things you need.
Only be aware that after resetting with no config the router won't have any IP addresses, so it will be possible to connect to it only by mac-address using winbox.

xvo

It sounds like what I'm looking for is the Dual-concurrent label. Well, there are some examples (most likely the more newer ones) that don't have this said explicitly, and yet they are still dual-concurrent. To be sure, you can check the block diagram of the device, and for dual-concurrent you will...

xvo

All current dual-band Mikrotik routers from this section are dual-concurrent, meaning that they can work in 2.4Ghz and 5Ghz simultaneously: https://mikrotik.com/products/group/wireless-for-home-and-office And as an example of AP that can work either in 2.4Ghz or 5Ghz, but not at the same time: https...

xvo

PPP-profile-Scripts.jpg

xvo

Is Mikrotik RouterBoard RBD52G-5HacD2HnD-TC hAP ac2 up? This one will do? I meant up the product line. Starting from hAP ac2 and then to more powerful/expensive models. hAP ac2 will be ok for 1Gbit as long as traffic can be fasttracked (for example with the default config). If you need load balanci...

xvo

Could you please explain the sense behind this? I see no practical reason to distribute /32 routes. Each router can reach each router - but the hosts in the networks connected to the router cannot reach other hosts in network connected to other routers? It is suited fine for point-to-point links (t...

xvo

MT-Wikis says: Discovery on PTMP Subnets Point-to-MultiPoint treats the network as a collection of point-to-point links. Is this behaviour Mikrotik specific or is this "per design" of the PTMP network-type? It works exactly as stated in your quote - you end up with bunch of /32 addresses....

xvo

Yes, you can remove jumpers on PoE-out side and then it won't pass PoE further.
But there is a note, that it won't work if 802.3af/at is used - the power source device won't power the GPeR alone.
https://i.mt.lv/cdn/product_files/GPeRqg_190928.pdf

xvo

But running the default configuration makes it impossible to connect to the router because of the firewall. What do you mean? From WAN interface? Yes, so? I don't really understand what your point is. Firewall won't prevent powering the device up :))) PoE input and "internet" schould not ...

xvo

xvo, I tried your example in https://habr.com/ru/post/262091/, but it doesn't work as such. I used Raspberry PIs in ether3, ether4 and ether5 with identical addresses as yours. No connection available from 192.168.2.2 to 192.168.2.13 or 192.168.2.14. Is there something missing? You should have your...

xvo

I think this is where my knowledge on how to configure CRS1XX/2XX ends. I have only one of the line and it's in production, so I can't use it for testing purposes. I guess that port-profile is somehow messing with the vlan config, or at least with it's part that makes ether1 a trunk port. But I don'...

xvo

Why is the PoE input also the WAN interface by default? Because it is the port, that will definitely be used on a wifi router run with default config. So you don't need to reconfigure the device only to power it up from an injector. For cAP ac it is even more obvious, as it don't have separate powe...

xvo

That can't work even in theory.

xvo

May be but on the other hand it seems more cost effective just to buy a larger unit like for example CSS326-24G-2S+RM that is only a bit more expensive but is full 19" rack unit and gives you 24Gbps ports etc ... Sure, but the idea mainly is to combine two 8-port PoE switches, or one PoE and o...

xvo

It would be really nice if for smaller devices like this CSS610-8G-2S+IN switch MikroTik bundles second ear for 10" racks mount that are increasingly popular ...

And also (as a separate item) a kit that will make possible to mount two units in one 19" space.

xvo

Right you are... shame on me for not checking for this. No shame here: too many devices to remember all their specs. And no distinctive pattern between names - generations - architecture. As for this particular case: wAP ac2 LTE would be a more proper name, clearly indicating, that this a new gener...

xvo

Think about some of the devices built around the IPQ-4018/9 SoC, such as hAP ac², wAP ac, or cAP ac.

Only wAP ac LTE is IPQ-4018.
wAP ac is mipsbe, and hence not a competitor to the above ones.

xvo

To get an access from trunk port you might need to specify the correct vlan id for management access (System tab, Allow from VLAN).

xvo

it is ok , i think i do not use https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack in full config above. Actually I don't see any firewall at all, which is not good, if the router is facing the internet, and there are public IPs on any of your Dlink DSL-modems. Last think please @xvo , for the 2 WA...

xvo

also , do you think i need chain=input rules ? because i use only prerouting and output chain's ? No, you don't. Prerouting covers both "input" and "forward" traffic. how can i check https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack is enabled ? Look at your firewall/filter's f...

xvo

or it is just a problem with per-connection-classifier=both-addresses:2/0 for WAN-09 and per-connection-classifier=both-addresses:2/1 for WAN-12 ? That is definitely a problem, and has to be corrected the way you figured out yourself. Also be sure that you don't have fasttrack enabled. Apart from t...

xvo

also , can i use both-addresses-and-ports rather than both-addresses ?

You can, but it might potentially break applications that rely on multiple parallel connections.

xvo

Antenna Gain doesn't show up on my settings

Search field on the forum too? :)

xvo

There is no such product.
So, just buy a decent 16-24 port switch and continue using 4011 as a router.

xvo

CCR 2004 is not longer listed in newsleter
and caralog ;) https://download2.mikrotik.com/catalog_2020.pdf
any idea why?

It is there, announced in May/2020:
https://mikrotikdownload.s3.eu-west-1.a ... ews_95.pdf
The catalogue most likely was created earlier.

xvo

Set MAX Limit for leaf queues a little lower than for the parent.

xvo

I assume the concern is throughput and CPU impact rather than function.

Yes, exactly.

xvo

It's a separate interface.
Keep in mind that it is connected directly to CPU not to a switch chip, so it's good to use it as an uplink from ISP, and not so good as a LAN port.

xvo

How would that rule look like? (Blue VLAN is on interface "BLUE_VLAN", vlan-id is 10 and subnet is 10.0.10.0/24. Port ether1 on each switch is connected to the router.) I guess something like this: /interface bridge filter add action=drop chain=forward in-interface=ether2 mac-protocol=vla...

xvo

In that case it would be possible to isolate clients using split horizon (assuming each has own access port on one of CRSes). It would probably work nicely for clients of each CRS1xx, however isolation of clients connected to different CRS1xx would still be a challenge, which could be solved by usi...

xvo

https://wiki.mikrotik.com/wiki/Manual:C ... #Isolation

xvo

Does your hap lite have a public ip assigned to it, or is it behind some other router with some ports forwarded?

xvo

And the last steps to do are:
- create different configurations using different channels.
- and then provisioning rules for groups of caps, that will use their own configurations.

xvo

Dont know about proprietary crap but I use firewall rules to allow users on vlans to access a printer on another vlan. Firewall won't help you in case of discovery protocols that rely on broadcasts (and are supposed to work inside one broadcast domain), no matter if they are open or proprietary. On...

xvo

Can't see anything else in your config, that could interfere with it.
Apart from what @anav had already pointed out (address being assigned to the wrong interface).

xvo

/ip firewall nat add action=dst-nat chain=dstnat dst-address=your_public_IP to-addresses=192.168.1.60

And with it the hairpin rule:

/ip firewall nat add action=src-nat chain=srcnat dst-address=192.168.1.60 src-address=192.168.1.0/24 to-addresses=192.168.1.1

xvo

Yesterday i saw some posts about "hairpin nat" and tried to implement, but still doesn't work (currently are not implemented as you can see in the FW rules). How exactly did you try to implement hairpin nat? As your public IP is not assigned to your mikrotik but to the ISP router, you sho...

xvo

but it fails on phase 2 i have double checked the policy's and they match

You mean proposals, right?

xvo

Search for "hairpin nat".

And as you are behind an ISP router, you should probably implement it there, not on mikrotik.

xvo

Yes, that sounds different indeed.
Still worth "digging" the forum.

xvo

If I recall correctly, the were some messages describing similar behaviour on 4011: one cpu core maxes out, cutting out access to the device itself.
Try searching the forum for last couple of month.

xvo

I do not want to achieve anything . this is a basic setup . but what kind of problems does having wan to the same bridge as lan create ? It would be the same as using a switch instead of a router - one device would probably get internet access, all others - won't. Probably no one will get internet ...

xvo

Tryed disabling both wlans, but when I did the config change to CAP

Just disable both wlan interfaces and don't change anything else in Home AP Dual setup.

xvo

Depending on what exactly you want to achieve by that, but in most usual situation when WAN port goes to your ISP and all other ports are for your LAN devices, that is not what you want to do.

xvo

but both office and home needs public ip address

Public IP at one side is enough.

xvo

Hi.
And what if I will plug ETH1 of RB260 to some PoE Switch with 802.3af / 802.3at? Because of passive PoE I am afraid auto-negotiation will fail to set proper voltage? Or it will work OK?

802.3af / 802.3at is 48V (actually can be between 36-57V), so it is too much for RB260.

xvo

Is there an official place where I could submit a ticket directly to Mikrotik for this? At least so they're aware of the issue, since this is a new, pretty powerful device. The official way to contact support is via email: support@mikrotik.com You can add a link to this thread to your message not t...

xvo

Such a shame, I would really love to test out the features The Dude has to offer... No other ideas cross your mind? Unfortunately - no. If the Dude tab does not appear, that means something is definitely wrong. You can try it on some other device, dedicated for the dude server only: for example on ...

xvo

Could the original installation of the wrong architecture screw things up, even after uninstallation? Could be. If it's a test environment - you can try to netinstall the device and try from scratch. But arm64 being a new architecture in mikrotik line, I'd rather think that it just doesn't work pro...

xvo

Nope, can connect with winbox but can't see the Dude tab on the left side panel.
Where do I need to set up the server settings on the router side?

In this "Dude" tab.

Try disabling/enabling the package (with reboots in between).
And removing/reinstalling, if the first doesn't help.

xvo

Having two bridges doesn't disable hardware offload for one of the bridges?

Not if there are two switch chips.

xvo

Do Dude menu appear in webfig/winbox?
Have you enabled server in settings there?

xvo

Add two additional routing tables with default routes for each of WAN connections. And then a couple of routing rules, that restrict usage of the tables depending on src IP: /ip route add distance=1 gateway=gw-ip-for-isp1 routing-mark=isp1 add distance=1 gateway=gw-ip-for-isp2 routing-mark=isp2 /ip ...

xvo

So it is not possible to distribute one TCP-Stream across all available Links?

No, it's not.

What are the alternatives, to archive full speed for these protocols?

Use multiple streams and balance-xor mode: it can use l3+l4 hash policy, so takes ports into account too.

Search found 1140 matches