Community discussions

Search found 1152 matches

by xvo
Wed May 05, 2021 10:14 pm
Forum: RouterBOARD hardware
Topic: SFP+ between HEXS and CSS610-8G-2S+
Replies: 4
Views: 177

Re: SFP+ between HEXS and CSS610-8G-2S+

Passive (copper) DAC will not work if the two sides mismatch in speed.
Mikrotik's DAC works perfectly fine from CCR1009's SFP+ to CRS112's SFP if autoneg is disabled and speed set to 1gbit.
So even if it is not the case here, it is still not a universal rule.
by xvo
Tue Apr 13, 2021 8:55 am
Forum: Wireless Networking
Topic: Why is CAP AC wifi speed always lower than half of spec? [SOLVED]
Replies: 5
Views: 585

Re: Why is CAP AC wifi speed always lower than half of spec? [SOLVED]

What specs?

350-400mbit is actually very good performance as for cAP ac, as for PHY rate of 866Mbps in general.
by xvo
Mon Apr 12, 2021 10:02 am
Forum: RouterBOARD hardware
Topic: RB5011?
Replies: 19
Views: 1655

Re: RB5011?

The main problem is, If there is switch in CCR2004 people won't buy CRS309 or such devices. There is absolutely no need to combine router with the switch for devices of this grade. For routing you buy a router, for switching - a switch (or multiple ones). CCR2004 is capable of routing the network w...
by xvo
Fri Apr 09, 2021 7:11 pm
Forum: General
Topic: Slow speed for marked traffic through WAN2
Replies: 4
Views: 361

Re: Slow speed for marked traffic through WAN2

Fasttrack has to be disabled for traffic that needs to go through mangle - in your case it is enough to add condition routing-table=main to fasttrack rule. Or as the conditions you use in your mangle rules are as simple as a single src-address you could follow @anav's advice and replace mangle with r...
by xvo
Thu Apr 08, 2021 2:17 am
Forum: Beginner Basics
Topic: Mikrotik Switch - it is not a switch?
Replies: 30
Views: 1786

Re: Mikrotik Switch - it is not a switch?

If it's like most Mikrotik routers, with the default configuration, port 1 will be configured as the WAN port and everything else connected in a bridge.
CRS switches have a different default configuration.
All ports bridged, and, if I remember correctly, a static IP assigned to that bridge.
by xvo
Thu Apr 08, 2021 2:10 am
Forum: RouterBOARD hardware
Topic: What exactly is the "RJ11 passthrough" in wsAP?
Replies: 3
Views: 408

Re: What exactly is the "RJ11 passthrough" in wsAP?

It is exactly what it is named: a passthrough - one port on one side, and one on the other.
With no connection to the rest.
by xvo
Tue Apr 06, 2021 12:10 am
Forum: Wireless Networking
Topic: How to enable Bridge VLAN Filtering on a wireless access-list rule?
Replies: 9
Views: 458

Re: How to enable Bridge VLAN Filtering on a wireless access-list rule?

/interface bridge vlan
add bridge=bridge-local untagged=wlan1 vlan-ids=10
set bridge=bridge-local tagged=bridge-local [find vlan-ids=10]
/interface bridge port
set bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
These two parts ar...
by xvo
Mon Apr 05, 2021 9:41 pm
Forum: Wireless Networking
Topic: How to enable Bridge VLAN Filtering on a wireless access-list rule?
Replies: 9
Views: 458

Re: How to enable Bridge VLAN Filtering on a wireless access-list rule?

The question is how Bridge VLAN filtering works in such configuration, how can I enable it if needed?
Same as in any other situation.
In scenario you describe you should treat your wlan-interface as just another trunk port: tagged for all the needed vlans.
by xvo
Sun Apr 04, 2021 7:44 pm
Forum: General
Topic: Dude and winbox port
Replies: 6
Views: 410

Re: Dude and winbox port

It's a long known limitation and the only reason it is still not fixed is that at least for few years now mikrotik don't develop dude at all.
We all wait for it to change, but that's how it is at the moment.
by xvo
Sun Apr 04, 2021 6:56 pm
Forum: General
Topic: Dude and winbox port
Replies: 6
Views: 410

Re: Dude and winbox port

You can create shortcuts to run external applications from the dude map or device properties, but that won't help the dude itself to connect to the device.
by xvo
Sun Apr 04, 2021 6:29 pm
Forum: General
Topic: Dude and winbox port
Replies: 6
Views: 410

Re: Dude and winbox port

Use dstnat on the target device.
by xvo
Thu Apr 01, 2021 12:07 pm
Forum: General
Topic: 10Gbe DAC on CRS326-24G-2S+
Replies: 2
Views: 267

Re: 10Gbe DAC on CRS326-24G-2S+

Bandwidth test itself is a resource-intensive operation, while CRS326 is not very powerful CPU-wise - try testing through the devices, not from one to another.
by xvo
Wed Jan 20, 2021 1:31 pm
Forum: Beginner Basics
Topic: Dividing one routerboard making it two separate wan routers
Replies: 6
Views: 507

Re: Dividing one routerboard making it two separate wan routers

What you need is VRF.
Divide your ports into two separate VRF instances and each one will use its own routing table.
by xvo
Wed Jan 20, 2021 1:27 pm
Forum: General
Topic: ASK {switch chip}
Replies: 13
Views: 890

Re: ASK {switch chip}

You are welcome!
by xvo
Tue Jan 19, 2021 10:44 pm
Forum: General
Topic: ASK {switch chip}
Replies: 13
Views: 890

Re: ASK {switch chip}

A 5-port switch chip kind of is a 6-port switch chip actually, with one of the ports leading to CPU. And the access to the router itself, router's wifi, another switch chip, possibly firewall (if needed) - all this is behind this port. In most of the cases if you need to send a packet from ethernet ...
by xvo
Tue Jan 19, 2021 8:07 pm
Forum: Wireless Networking
Topic: Russia regulatory domain + UNII-3 channels
Replies: 6
Views: 666

Re: Russia regulatory domain + UNII-3 channels

Yes, I've read the document. Mikrotik's definitions of indoor/outdoor don't correlate with it (leaving the fact that they are weird by nature) - but overall frequency range is right. Which is the most important part, anyway. You can choose both standard and non-standard center frequencies. No surpri...
by xvo
Tue Jan 19, 2021 4:41 pm
Forum: Wireless Networking
Topic: Russia regulatory domain + UNII-3 channels
Replies: 6
Views: 666

Re: Russia regulatory domain + UNII-3 channels

Actually 6425 is right: https://digital.gov.ru/ru/appeals/faq/366/

And for indoors/outdoors there is definitely some misunderstanding, not only for "russia4" region: either on mikrotik's side, or on how mikrotik treats the whole thing, so just use "any".
by xvo
Tue Jan 19, 2021 12:24 pm
Forum: General
Topic: ASK {switch chip}
Replies: 13
Views: 890

Re: ASK {switch chip}

Depends on whether you expect vlan 99 packets reach the cpu tagged or tagless (this way they get there tagged): do you have a vlan interface, or the address is attached directly to the bridge? Also config of 8227 is also relevant (the one on the other side, not on 2011), for probably it’s the one th...
by xvo
Tue Jan 19, 2021 11:02 am
Forum: General
Topic: ASK {switch chip}
Replies: 13
Views: 890

Re: ASK {switch chip}

That doesn't look right to me: in case of 8227 default-vlan-id should be set for ether6 and ether10 too. However, for 8327 that would be the right way (except setting vlan-header to anything other than leave-as-is won't take effect). Also I see settings for switch2 cpu are missing, which also can't ...
by xvo
Tue Jan 19, 2021 10:30 am
Forum: General
Topic: ASK {switch chip}
Replies: 13
Views: 890

Re: ASK {switch chip}

@xvo from your last can i get conclusion that we can't play around with different switch chips. It must to be same, on both ends, and also how you mind differently? Nope. Of course there can be different switch chips. One device doesn't care what is other device's switch chip. It's just you don't co...
by xvo
Tue Jan 19, 2021 10:27 am
Forum: Wireless Networking
Topic: Russia regulatory domain + UNII-3 channels
Replies: 6
Views: 666

Re: Russia regulatory domain + UNII-3 channels

What about the latest "russia4"?
by xvo
Tue Jan 19, 2021 8:30 am
Forum: General
Topic: ASK {switch chip}
Replies: 13
Views: 890

Re: ASK {switch chip}

Surely not, but vlans on Atheros8327 and Atheros8227 are configured a little bit differently.
by xvo
Tue Jan 12, 2021 2:26 pm
Forum: SwOS
Topic: 260GSP vs. CSS106-1G-4P-1S
Replies: 12
Views: 6238

Re: 260GSP vs. CSS106-1G-4P-1S

STM32F107xxx is not a switch chip it's the CPU.
by xvo
Tue Dec 29, 2020 10:09 pm
Forum: General
Topic: Tis the Season
Replies: 9
Views: 881

Re: Tis the Season

Cheers!
by xvo
Sat Dec 26, 2020 11:21 am
Forum: RouterBOARD hardware
Topic: Which router with NAT/Masquerading Performance > 1Gbps
Replies: 9
Views: 1315

Re: Which router with NAT/Masquerading Performance > 1Gbps

this will have to involve NAT/Masquerading...a feature I was not able to gather info, whether this will be hardware accelerated on MT (some or in general) devices or not. No it won't. All current mikrotik routers don't do NAT in HW. (Only some of mikrotik switches can do HW NAT in ROS7 now, but on...
by xvo
Thu Dec 24, 2020 6:12 pm
Forum: Beginner Basics
Topic: Setting to NOT connect automatically on boot
Replies: 3
Views: 450

Re: Setting to NOT connect automatically on boot

You can create a scheduler script that will run at boot and disable interfaces in question (or do anything else you need).
by xvo
Thu Dec 24, 2020 11:03 am
Forum: Beginner Basics
Topic: Force LT2P (IPSec) tunnel over specific WAN interface [SOLVED]
Replies: 9
Views: 963

Re: Force LT2P (IPSec) tunnel over specific WAN interface [SOLVED]

1) You can create second l2tp-tunnel through the second wan connection the same way and revert to lookup-only-in-table for both of them: switching routes between two tunnels will be much faster than rebuilding the tunnel. Especially if OSPF + BFD can be used on top of that. 2) You need this address ...
by xvo
Wed Dec 23, 2020 10:17 pm
Forum: Beginner Basics
Topic: Force LT2P (IPSec) tunnel over specific WAN interface [SOLVED]
Replies: 9
Views: 963

Re: Force LT2P (IPSec) tunnel over specific WAN interface [SOLVED]

You can try, if it's the only l2tp connection originated by the router.
Mangle output and srcnat chains are at your service.
But I don't see in what way is it simpler.
by xvo
Wed Dec 23, 2020 8:41 pm
Forum: Beginner Basics
Topic: Force LT2P (IPSec) tunnel over specific WAN interface [SOLVED]
Replies: 9
Views: 963

Re: Force LT2P (IPSec) tunnel over specific WAN interface [SOLVED]

Two possibilities: 1) Create a loopback interface (empty bridge) and assign this random/unused address there. That should work. 2) Add a script to PPP profile used for PPPoE to update the address in l2tp-client and route rule any time it changes. Anyway, try to make it work with your current dynamic ...
by xvo
Wed Dec 23, 2020 6:51 pm
Forum: Beginner Basics
Topic: Force LT2P (IPSec) tunnel over specific WAN interface [SOLVED]
Replies: 9
Views: 963

Re: Force LT2P (IPSec) tunnel over specific WAN interface [SOLVED]

1) Fill the src-address field in l2tp-client.
2) Use /ip route rule (lookup-only-in-table) to force connections originated from this ip to desired routing table.
by xvo
Tue Dec 22, 2020 12:01 am
Forum: General
Topic: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]
Replies: 35
Views: 2835

Re: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]

This approach would be so much easier to understand for idiots like me. I kept thinking that the Network Address was on top. Sure, but again, as already stated, it would require to specify both values. And with the current approach the only occasion when you need to specify network manually is when...
by xvo
Mon Dec 21, 2020 11:48 pm
Forum: General
Topic: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]
Replies: 35
Views: 2835

Re: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]

Can you confirm that this is the correct setting for a XXX.128/25 subnet?
Yes it is.
And you don't even need to specify the network - it will be automatically calculated from XXX.129/25 address/mask.
by xvo
Mon Dec 21, 2020 11:40 pm
Forum: General
Topic: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]
Replies: 35
Views: 2835

Re: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]

but for anything that starts with a 0/XX, the Network Address get set to 1/XX.
No it's not.
Your own screenshot:
network.jpg
by xvo
Mon Dec 21, 2020 11:37 pm
Forum: General
Topic: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]
Replies: 35
Views: 2835

Re: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]

This is how my router defines the Network Address out of the box, not as 0/24, but as 1/24. If I change it to 0/24, the subnet stops working. I am crazy at this point? Untitled.jpg At your screenshot it defines your router's address - 192.168.88.1, your network address - 192.168.88.0 and your subne...
by xvo
Mon Dec 21, 2020 11:26 pm
Forum: General
Topic: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]
Replies: 35
Views: 2835

Re: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]

At this point it feels like I'm talking to a wall. I REALIZE how it works, I'm saying that if you gave a monkey an example of XXX.XXX.XXX.0/25 Subnet >>> XXX.XXX.XXX.1/25 Network Address and told it to replace it on .128/25, it would make it like so: XXX.XXX.XXX.128/25 Subnet >>> XXX.XXX.XXX.129/25...
by xvo
Mon Dec 21, 2020 3:30 pm
Forum: General
Topic: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]
Replies: 35
Views: 2835

Re: What is the difference between 192.168.88.1/24 and 192.168.88.0/24 address list? [SOLVED]

There are no exceptions here.

XXX.XXX.XXX.128/25 is not a valid address for a device, just as XXX.XXX.XXX.0/25

They are both reserved to be a network address.

Same for XXX.XXX.XXX.127/25 and XXX.XXX.XXX.255/25 which are broadcast addresses for these two networks.
by xvo
Sat Dec 19, 2020 4:55 pm
Forum: General
Topic: RB760iGS - Very Slow transfer speeds vlan to vlan and cpu usage is just 30%
Replies: 7
Views: 848

Re: RB760iGS - Very Slow transfer speeds vlan to vlan and cpu usage is just 30%

1) Inter-VLAN traffic should be fasttracked on hEX (and you need to enable Fast Path in IP -> Settings for it to work). It is not powerful enough to route full gigabit without it. 2) As you are using one of the ports outside of the bridge for uplink, and SFP port as part of the bridge, the CPU <-> S...
by xvo
Sat Dec 19, 2020 12:08 am
Forum: General
Topic: RB4011 Inter-VLAN routing performance
Replies: 12
Views: 1468

Re: RB4011 Inter-VLAN routing performance

Fastpath is not enabled, does this have to be working for fasttrack to work correctly? Yes, it absolutely does. That should be the solution to your problem. I have VLAN filtering enabled on the router. From what I was reading if vlan filtering is enabled fastpath is disabled. Fastpath is used by dif...
by xvo
Fri Dec 18, 2020 10:17 am
Forum: General
Topic: RB4011 Inter-VLAN routing performance
Replies: 12
Views: 1468

Re: RB4011 Inter-VLAN routing performance

I am fairly certain it is catching and processing the packets through those rules as when I run my iperf test now I see a massive spike in bytes and packets on those two rules in Winbox only during the duration of the test. Something is definitely wrong, the fasttrack rule should be hit only once pe...
by xvo
Fri Dec 18, 2020 10:00 am
Forum: RouterOS v7 BETA
Topic: Feature Request: Proper support for RTL8367
Replies: 5
Views: 1084

Re: Feature Request: Proper support for RTL8367

While the chip seems to support up to 32 VLANs in hardware the functionality is not exposed in ROS. Most likely the switch chip vlan layer is used inside ROS to provide individual (non-switched) ports functionality. And as the switch chip can't do vlan stacking, there is simply no additional vlan l...
by xvo
Thu Dec 17, 2020 11:46 am
Forum: RouterBOARD hardware
Topic: HELP: POE OUTPUT
Replies: 3
Views: 548

Re: HELP: POE OUTPUT

UAP-AC-HD needs more than 44V according to datasheet, so 48V power supply is needed anyway.
And no passive poe support is mentioned at all.
So no guarantee it will work from 4011 at all.
Better wait for someone who actually tried it to confirm.
by xvo
Thu Dec 17, 2020 9:57 am
Forum: General
Topic: RB4011 Inter-VLAN routing performance
Replies: 12
Views: 1468

Re: RB4011 Inter-VLAN routing performance

Established/related etc are states between WAN - LAN etc. not from VLAN to VLAN. Why do you think VLAN to VLAN traffic is somehow special? For multiple connections the device should utilise more than one core. But still, this is the kind of traffic you should apply fasttrack to, in order to increas...
by xvo
Mon Dec 14, 2020 5:58 pm
Forum: Scripting
Topic: VPN up/down scripts username variable [SOLVED]
Replies: 2
Views: 506

Re: VPN up/down scripts username variable [SOLVED]

$user
by xvo
Mon Dec 14, 2020 11:25 am
Forum: Scripting
Topic: WoL triggered by VPN client connection
Replies: 2
Views: 369

Re: WoL triggered by VPN client connection

There is a dedicated tab for that in ppp profile settings:
ppp-profile-scripts.jpg
by xvo
Sat Dec 12, 2020 1:30 pm
Forum: General
Topic: Ip addresses through Mikrotik takes the router's ip
Replies: 20
Views: 1605

Re: Ip addresses through Mikrotik takes the router's ip

If the static DNS records provided by the router are simple to distinguish, you can use matching of the queries to regular expressions listed under /ip firewall layer7-protocol to make the action=dst-nat rule selective: what needs to be answered by the external DNS server will be redirected (dst-na...
by xvo
Sat Dec 12, 2020 12:31 pm
Forum: General
Topic: Ip addresses through Mikrotik takes the router's ip
Replies: 20
Views: 1605

Re: Ip addresses through Mikrotik takes the router's ip

I changed the IP of the DNS server to 10.10.10.1 and then used that address in the NAT it forwarded the request to that DNS server, but the IP entering the DNS server is still the IP of the router rather than the client's actual ip That was the solution to make NAT work, not for your initial proble...
by xvo
Fri Dec 11, 2020 2:32 pm
Forum: General
Topic: Ip addresses through Mikrotik takes the router's ip
Replies: 20
Views: 1605

Re: Ip addresses through Mikrotik takes the router's ip

What if I changed the IP of the DNS Server to a different range?
Yes, that is the best solution.
by xvo
Fri Dec 11, 2020 2:27 pm
Forum: General
Topic: Ip addresses through Mikrotik takes the router's ip
Replies: 20
Views: 1605

Re: Ip addresses through Mikrotik takes the router's ip

why if I use a public DNS IP in DST-NAT everything returns to normal but when I use a local IP like 0.33 everything stops? Because the local server sends the reply directly to the client (and the router has no chance to do the reverse translation), while the client waits for the answer from the rou...
by xvo
Fri Dec 11, 2020 2:22 pm
Forum: General
Topic: Ip addresses through Mikrotik takes the router's ip
Replies: 20
Views: 1605

Re: Ip addresses through Mikrotik takes the router's ip

yes i think I'll just have to live with that, i tried using NAT dst-nat but that didn't work at all the requests wouldn't resolve. Dst-nat could help you to forward the request to the server, and let the server answer instead of mikrotik. But you can either forward the request to the server (needed...
by xvo
Fri Dec 11, 2020 1:32 pm
Forum: General
Topic: Ip addresses through Mikrotik takes the router's ip
Replies: 20
Views: 1605

Re: Ip addresses through Mikrotik takes the router's ip

I can't do that there are some specific static DNS entries available on the router, required to be available.
Either move these entries to your server at .33, or you have to live with what you have now.
by xvo
Fri Dec 11, 2020 1:24 pm
Forum: General
Topic: Ip addresses through Mikrotik takes the router's ip
Replies: 20
Views: 1605

Re: Ip addresses through Mikrotik takes the router's ip

yes, exactly I set the router's DNS as 192.168.0.33 and "allowed remote requests" but all the requests coming to the DNS Server 0.33 are from the client IP 0.1(the router) i need them to be the source IP address not masked with the router's address. Use 192.168.0.33 as DNS server on your ...
by xvo
Wed Dec 09, 2020 10:59 am
Forum: Beginner Basics
Topic: Slow LAN transfer speeds through RB4011. [SOLVED]
Replies: 5
Views: 518

Re: Slow LAN transfer speeds through RB4011. [SOLVED]

Probably RSTP is enabled on the bridge, and as a result hw-offloading is disabled.
by xvo
Sun Dec 06, 2020 11:33 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta3 [development] is released!
Replies: 262
Views: 45999

Re: v7.1beta3 [development] is released!

Interestingly only 9 wired ports..
Probably 8-port switch + 10Gb combo-port.
Would be nice.
by xvo
Sat Dec 05, 2020 9:44 pm
Forum: Announcements
Topic: v6.47.8 [stable] is released!
Replies: 56
Views: 14068

Re: v6.47.8 [stable] is released!

Oh, it was my impression that this figure is the max EIRP per chain on that specific frequency. So subtract the antenna gain and you get the max output power per chain. Total, not per chain. And with antenna gain already subtracted. So for ac you can set this as tx-power. For n - might need to subt...
by xvo
Sat Dec 05, 2020 9:10 pm
Forum: Beginner Basics
Topic: Issues with Mikrotik hAP AC2
Replies: 17
Views: 1678

Re: Issues with Mikrotik hAP AC2

bpwl is bailing, would someone please explain his parting words, to me? Please? Bottom line: no one even cares if quickset is buggy, because no one is using it. At least for scenarios more complex than the home ap. Simply no point - you will need to redo most of the config anyway, so why not start...
by xvo
Sat Dec 05, 2020 9:06 pm
Forum: Announcements
Topic: v6.47.8 [stable] is released!
Replies: 56
Views: 14068

Re: v6.47.8 [stable] is released!

You have "some" information in the status of the interface. Here 17dBm. That is shown only in tx-power-mode=regulatory-domain and that is simply maximum allowed tx-power. Don't even know if it is calculated from actual antenna gain, as you describe, or just hard-coded from the default ant...
by xvo
Sat Dec 05, 2020 5:00 pm
Forum: Announcements
Topic: v6.47.8 [stable] is released!
Replies: 56
Views: 14068

Re: v6.47.8 [stable] is released!

Is this a bug, but I can't see 5GHz Current Tx Power? It is working fine and devices are connected, but just can't see anywhere the transmit power.
The tab is just empty. in 2.4GHz it's filled with numbers.
It has nothing to do with the ROS version, this was always the case for 5GHz ac cards.
by xvo
Fri Dec 04, 2020 5:36 pm
Forum: General
Topic: "antenna gain" missing in 6.46.8?
Replies: 64
Views: 5928

Re: "antenna gain" missing in 6.46.8?

What most people really want is to enter simple value that lowers the gain proportionally for all modulations by a specified number. If I want 5dBm weaker signal, I just enter "5" and I get 5dBm less signal over all modulations and modes. Irregardless of regulation domain settings, MIMO c...
by xvo
Thu Dec 03, 2020 2:45 pm
Forum: Wireless Networking
Topic: Country Code [SOLVED]
Replies: 56
Views: 14792

Re: Country Code [SOLVED]

ISSUE FIXED !!!

I'm now on MacOS 11.0.1 Big Sur.
But I assume the solution is the same on previous MacOS Versions
Nope.
Broadcom 4331 still needs kext modification on High Sierra.

So perhaps this is true only for some of wireless chips, or only for 11.0.1.
by xvo
Tue Dec 01, 2020 10:47 am
Forum: Forwarding Protocols
Topic: Disable ECMP on OSPF?
Replies: 7
Views: 677

Re: Disable ECMP on OSPF?

Even if you somehow disable ECMP, you will still have "unpredictable routing".
Only instead of having ECMP routes, which at least are easily seen in the routing table, you can end up with asymmetric routes.
by xvo
Tue Dec 01, 2020 10:01 am
Forum: Forwarding Protocols
Topic: Disable ECMP on OSPF?
Replies: 7
Views: 677

Re: Disable ECMP on OSPF?

If you don't care what path will be chosen between two points (which is the case, as you don't want to fine-tune the path costs), then why do you care if it is ECMP or not?
by xvo
Fri Nov 27, 2020 12:43 pm
Forum: RouterBOARD hardware
Topic: new hardware Wireless Wire nRAY 60 ghz
Replies: 75
Views: 12600

Re: new hardware Wireless Wire nRAY 60 ghz

If I remember correctly higher channels are available via CLI only.
by xvo
Wed Nov 25, 2020 8:33 pm
Forum: Beginner Basics
Topic: Manual DNS for individual clients? [SOLVED]
Replies: 6
Views: 650

Re: Manual DNS for individual clients? [SOLVED]

Or create a more specific dhcp-server network(s) with different dns-server specified.
by xvo
Sun Nov 22, 2020 10:33 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 387
Views: 101327

Re: v7.1beta2 [development] is released!

Should i paid HALF of price?
Well, you kind of do...
Maybe even less, compared to other brands :)
by xvo
Sun Nov 22, 2020 4:05 pm
Forum: Beginner Basics
Topic: Network Speed Reduce
Replies: 6
Views: 424

Re: Network Speed Reduce

Thanks, it is clear, what about the device - mAP 2nd is OK? Can I assign the same IP address on ether1 and ether2, to avoid NAT, or there is some other trick? You don't need router for the task, any managed switch can do that. Or I think any unmanaged 100mbit one will do the trick too. And even if ...
by xvo
Sun Nov 22, 2020 1:29 pm
Forum: Beginner Basics
Topic: Network Speed Reduce
Replies: 6
Views: 424

Re: Network Speed Reduce

port_speed.jpg
by xvo
Sun Nov 22, 2020 10:30 am
Forum: Beginner Basics
Topic: Network Speed Reduce
Replies: 6
Views: 424

Re: Network Speed Reduce

If the device can work only on 10 or 100 it will autonegotiate at 10 or 100.
If for some reason autonegotiation doesn't work you can set the speed manually.
by xvo
Sat Nov 21, 2020 12:03 pm
Forum: Beginner Basics
Topic: CRS312-4C-8XG reboot loop & windows netinstall failure
Replies: 3
Views: 307

Re: CRS312-4C-8XG reboot loop & windows netinstall failure

I guess this is because netinstall is compiled for win32.
It is. Always forget about such limitations in newer macOS.
Using it myself on a machine that is still on High Sierra.
by xvo
Fri Nov 20, 2020 11:13 pm
Forum: Beginner Basics
Topic: CRS312-4C-8XG reboot loop & windows netinstall failure
Replies: 3
Views: 307

Re: CRS312-4C-8XG reboot loop & windows netinstall failure

You can run Netinstall with Wine.
by xvo
Thu Nov 19, 2020 11:24 pm
Forum: SwOS
Topic: CRS305 SFP+ connect speedtest
Replies: 2
Views: 617

Re: CRS305 SFP+ connect speedtest

What exactly do you want to test? When testing by bandwidth test in ROS between two devices you are not really testing network performance, but rather CPU performance of the devices. To test bandwidth properly you should test through your devices, not between them. And you can do so for SwOS as well...
by xvo
Thu Nov 19, 2020 12:40 am
Forum: Wireless Networking
Topic: Audience wireless speed
Replies: 14
Views: 985

Re: Audience wireless speed

Shouldn't this speed happen between the 2 clients? If they are both on the same wireless? Of course not: each frame needs at least twice the airtime to be transmitted - from A to AP and then from AP to B. So maximum you can get is 1/2 of what you have, when only one client is on wireless, and in re...
by xvo
Wed Nov 18, 2020 4:15 pm
Forum: Wireless Networking
Topic: Audience wireless speed
Replies: 14
Views: 985

Re: Audience wireless speed

Curious enough, when both tested with Speedtest, each of them achieves ~470/25 Mbps, my contract being 500/25. Why do you find it curious: 230mbit between two wireless clients on one radio is actually more or less the same as 470mbit from one of them to outside network. To have the idea of maximum ...
by xvo
Wed Nov 18, 2020 3:28 pm
Forum: Announcements
Topic: MikroTik newsletter November 2020 (#98)
Replies: 64
Views: 14817

Re: MikroTik newsletter November 2020 (#98)

Not the wap ac LTE Kit (QCA9531).
Can't find any info on that one.
As I remember wAP ac LTE Kit was IPQ4018 from the start.
by xvo
Tue Nov 17, 2020 3:32 pm
Forum: Wireless Networking
Topic: netPower Lite 7R - Reverse POE misunderstanding!
Replies: 6
Views: 691

Re: netPower Lite 7R - What a Disappointment?

Looks like you missed that it is kind of special reverse-PoE switch.
For PoE-out there are different models.
by xvo
Mon Nov 16, 2020 6:38 pm
Forum: General
Topic: Is there a way to log into admin panel if service on port 80 was accidentially turned off
Replies: 13
Views: 902

Re: Is there a way to log into admin panel if service on port 80 was accidentially turned off

I've been trying to login from winbox for Win, but no luck.
And you are sure that you tried to connect by MAC, not by IP?
by xvo
Mon Nov 16, 2020 6:30 pm
Forum: General
Topic: hEX S does not respond on MGMT interface
Replies: 4
Views: 288

Re: hEX S does not respond on MGMT interface

As for hardware vlan issue, I see that now, but i cannot figure out how to do this without that. https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Management_access_configuration and for all your other vlan's: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#VLAN_Example_.231_.28Trunk_an...
by xvo
Mon Nov 16, 2020 6:26 pm
Forum: General
Topic: MikroTik HAP AC2 fails to link 1Gbps
Replies: 17
Views: 1018

Re: MikroTik HAP AC2 fails to link 1Gbps

Check, that you advertise 1000M:
ether1.jpg
by xvo
Mon Nov 16, 2020 5:02 pm
Forum: General
Topic: MikroTik HAP AC2 fails to link 1Gbps
Replies: 17
Views: 1018

Re: MikroTik HAP AC2 fails to link 1Gbps

Neither your hAP ac2, nor the device on either end is advertising 1Gbit.
by xvo
Mon Nov 16, 2020 4:58 pm
Forum: General
Topic: Is there a way to log into admin panel if service on port 80 was accidentially turned off
Replies: 13
Views: 902

Re: Is there a way to log into admin panel if service on port 80 was accidentially turned off

I guess the easiest way if you disabled winbox and ssh as well is to try mac-winbox. It is controlled by different menu, so if you didn't have a chance to mess with it before proceeding to IP -> Services it should still be open from the LAN by default. Open winbox, go to the neighbours tab and wait ...
by xvo
Mon Nov 16, 2020 1:49 pm
Forum: RouterBOARD hardware
Topic: Question regarding Hex PoE (RB960PGS)
Replies: 3
Views: 452

Re: Question regarding Hex PoE (RB960PGS)

TP-link is probably using different pairs when in Passive-PoE mode.
by xvo
Mon Nov 16, 2020 1:39 pm
Forum: General
Topic: hEX S does not respond on MGMT interface
Replies: 4
Views: 288

Re: hEX S does not respond on MGMT interface

hEX S doesn't support vlan filtering on switch chip.
Only on the bridge.
by xvo
Mon Nov 09, 2020 9:54 pm
Forum: General
Topic: iOS14 "Use Private Address" Random MAC (Default) and Time Restrictions
Replies: 25
Views: 1642

Re: iOS14 "Use Private Address" Random MAC (Default) and Time Restrictions

What makes access list an "enterprise solution" and why being "enterprise solution" is a "bad thing" in the first place?
by xvo
Mon Nov 09, 2020 6:19 pm
Forum: General
Topic: iOS14 "Use Private Address" Random MAC (Default) and Time Restrictions
Replies: 25
Views: 1642

Re: iOS14 "Use Private Address" Random MAC (Default) and Time Restrictions

One way to solve this problem is to use Static-only for the DHCP server. In this case, if users change their MAC address they will not be able to obtain an IP address. This will force them to disable the option in iOS settings. Also this will not work for all users, because some of them will set th...
by xvo
Sun Nov 08, 2020 10:16 am
Forum: Beginner Basics
Topic: Mysterious "denied winbox/dude connect from 117.202.126.x" log
Replies: 7
Views: 2861

Re: Mysterious "denied winbox/dude connect from 117.202.126.x" log

I doubt the CAPsMAN rule ,,,,, possible ?
Try adding src-address=127.0.0.1 to this rule as well.
by xvo
Tue Nov 03, 2020 10:42 pm
Forum: Virtualization
Topic: Hetzner CHR issue
Replies: 9
Views: 1203

Re: Hetzner CHR issue

Ok. Short googling tells that you need forced reboot at the end of procedure, not the "regular" one:
echo 1 > /proc/sys/kernel/sysrq
echo b > /proc/sysrq-trigger
From here (in Russian).
by xvo
Tue Nov 03, 2020 7:58 pm
Forum: Virtualization
Topic: Hetzner CHR issue
Replies: 9
Views: 1203

Re: Hetzner CHR issue

Try of=/dev/vda
If I remember correctly that helped me with Aruba Cloud.
by xvo
Tue Nov 03, 2020 7:01 pm
Forum: Beginner Basics
Topic: NAT + Tag/Untag multiple identical devices
Replies: 17
Views: 1126

Re: NAT + Tag/Untag multiple identical devices

I don't think you need bridges at all: just vlan-interfaces on top of each of ethernet ports.
It's not that you will be switching between two ports with vlan tag in mind, but rather untagging - routing - then tagging again.
by xvo
Tue Nov 03, 2020 1:20 pm
Forum: General
Topic: Help to load balancing for more than 4 wan
Replies: 2
Views: 243

Re: Help to load balancing for more than 4 wan

What's the difference between 4 and 6?
Just scale accordingly.

And if I recall correctly, you already posted the same question earlier?!
by xvo
Tue Nov 03, 2020 11:44 am
Forum: RouterBOARD hardware
Topic: SIM slot on wAP LR8 (LoRa) kit
Replies: 4
Views: 581

Re: SIM slot on wAP LR8 (LoRa) kit

The sim slot is there to be used if you swap LoRa card for a 3G/4G modem card.
The kit is basically a wAP R device + LoRa card, so no modem included, and there is no way to use both (modem and LoRa) at the same time.
by xvo
Sat Oct 31, 2020 11:59 pm
Forum: RouterBOARD hardware
Topic: Connect non-PoE to Passive PoE output of cap ac?
Replies: 3
Views: 396

Re: Connect non-PoE to Passive PoE output of cap ac?

You can use any PoE-out port on any of Mikrotik devices (except for PoE injectors) to connect a non-PoE device without any risk. If you don't manually put such port to poe-out=forced-on , but leave it on auto-on or off the power won't be applied to it. And it's clearly mentioned in the manual: https...
by xvo
Fri Oct 30, 2020 9:03 am
Forum: Beginner Basics
Topic: Default route gateway is unreachable
Replies: 5
Views: 1312

Re: Default route gateway is unreachable

I suggested OP (on the other forum) to add /ip route add dst-address=137.17.4.1/32 gateway=137.17.24.1 scope=10 And he already confirmed, that it resolved the issue. But per @Sob 's suggestion I would still add a lease script: to update this route instead, in case of gateway or network change (proba...
by xvo
Thu Oct 29, 2020 1:38 pm
Forum: General
Topic: Ports bridged, how to ip firewall per port?
Replies: 2
Views: 212

Re: Ports bridged, how to ip firewall per port?

Set use-ip-firewall=yes on the bridge or use bridge filter if its capabilities are sufficient for your task.
by xvo
Wed Oct 28, 2020 11:05 pm
Forum: General
Topic: DHCP on VLAN [SOLVED]
Replies: 8
Views: 1558

Re: DHCP on VLAN [SOLVED]

Ok...so i need to add the switch cpu port in the vlan Table for VLAN-ID 20. But this also enables access to device management. What is a good strategy to get around this problem? There are multiple options how to restrict unwanted access to device itself: IP -> Firewall and IP -> Services for L3 ac...
by xvo
Wed Oct 28, 2020 9:27 pm
Forum: General
Topic: hAP AC VLAN Trunk with SFP
Replies: 7
Views: 581

Re: hAP AC VLAN Trunk with SFP

Unfortunately the SFP-Port is not available in switch config mode. So you don't think it is possible to use near wirespeed config with a sfp Port? You are right. No it's not possible for SFP <-> other ports. But it should be possible to maintain wirespeed between other ports. I guess that's the sam...
by xvo
Wed Oct 28, 2020 8:54 pm
Forum: General
Topic: DHCP on VLAN [SOLVED]
Replies: 8
Views: 1558

Re: DHCP on VLAN [SOLVED]

No problem,
but i'm curious. What are the benefits or downsides to each of those methods.
I could not find any definite answer on it in the mikrotik documentation.
Just answered the same question in a similar topic: viewtopic.php?f=2&t=168221&p=825432#p825432
by xvo
Wed Oct 28, 2020 8:52 pm
Forum: General
Topic: hAP AC VLAN Trunk with SFP
Replies: 7
Views: 581

Re: hAP AC VLAN Trunk with SFP

You are mixing two configuration possibilities together: bridge vlan filtering (which is done in software on this device) and switch vlan filtering (which is done on the switch chip). No good can come out of it. You need to choose one depending on what better suits your needs: 1) Bridge vlan-filterin...
by xvo
Wed Oct 28, 2020 5:36 pm
Forum: SwOS
Topic: CSS610-8G-2S+IN - SWOS 2.12rc2 Upgrade missing
Replies: 15
Views: 2878

Re: CSS610-8G-2S+IN - SWOS 2.12rc2 Upgrade missing

@mikrotik ... how to use VLANs correctly on CSS610-8G-2S+ ??
Why bother reading the thread two messages up from your own...
viewtopic.php?f=17&t=167049#p821159
by xvo
Wed Oct 28, 2020 12:10 am
Forum: General
Topic: IPSEC over GRE - SA installed - but gre interface is down [SOLVED]
Replies: 6
Views: 1653

Re: IPSEC over GRE - SA installed - but gre interface is down [SOLVED]

@xvo's remark would make sense if you used 1.1.1.1 and 1.1.1.2 as GRE's local-address and remote-address; in your setup, you do need the tunnel=yes mode.
Indeed...
by xvo
Tue Oct 27, 2020 10:21 pm
Forum: General
Topic: IPSEC over GRE - SA installed - but gre interface is down [SOLVED]
Replies: 6
Views: 1653

Re: IPSEC over GRE - SA installed - but gre interface is down [SOLVED]

As you are wrapping gre in ipsec you need tunnel=no in ipsec policy.
by xvo
Sun Oct 25, 2020 4:14 pm
Forum: Forwarding Protocols
Topic: How to merge VPN and existing network in one subnet?
Replies: 3
Views: 457

Re: How to merge VPN and existing network in one subnet?

If you use the same subnet for VPN and for your local bridge you need to set arp to proxy-arp on the bridge.
by xvo
Fri Oct 23, 2020 12:14 pm
Forum: General
Topic: Routerboot
Replies: 8
Views: 455

Re: Routerboot

Yes.
by xvo
Fri Oct 23, 2020 12:02 pm
Forum: General
Topic: Routerboot
Replies: 8
Views: 455

Re: Routerboot

You need to disable serial console on serial port, that is used for connection to cisco.
Then setting silent-boot=yes should be enough.
If not - try enter-setup-on=delete-key too.
by xvo
Fri Oct 23, 2020 11:44 am
Forum: General
Topic: Routerboot
Replies: 8
Views: 455

Re: Routerboot

Ok, now I see that your initial post needs some clarification: do you use CCR to control cisco or vice-versa?
by xvo
Fri Oct 23, 2020 11:38 am
Forum: General
Topic: Routerboot
Replies: 8
Views: 455

Re: Routerboot

/system routerboard settings set silent-boot=yes
and also
/system routerboard settings set enter-setup-on=delete-key
by xvo
Wed Oct 21, 2020 10:11 pm
Forum: Beginner Basics
Topic: Route via a Specific Interface Only
Replies: 11
Views: 659

Re: Route via a Specific Interface Only

It seems, that you are right.
by xvo
Wed Oct 21, 2020 2:55 pm
Forum: RouterOS v7 BETA
Topic: Feature Request : Non routable Management VLAN
Replies: 6
Views: 809

Re: Feature Request : Non routable Management VLAN

You might be right.

Ok. Another suggestion: putting vlan-mgmt into separate vrf will definitely make it unroutable, unless needed.
by xvo
Wed Oct 21, 2020 2:47 pm
Forum: General
Topic: Mikrotik CCR as Console server for cisco ?
Replies: 6
Views: 465

Re: Mikrotik CCR as Console server for cisco ?

when i set silent-boot do i need to reboot the router?
I’m not sure: this setting is needed to prevent mikrotik from writing into console port on startup.
But I don’t know if it will be applied on first reboot or after it.
by xvo
Wed Oct 21, 2020 1:03 pm
Forum: General
Topic: Mikrotik CCR as Console server for cisco ?
Replies: 6
Views: 465

Re: Mikrotik CCR as Console server for cisco ?

Never used it between mikrotik and cisco, only between two mikrotiks, so can't say about the needed baud rate.
But don't forget to disable serial console on mikrotik's serial port.
And also set silent-boot=yes in /system routerboard settings.
by xvo
Wed Oct 21, 2020 12:55 pm
Forum: Beginner Basics
Topic: Pi-Hole and Mikrotik - DNS - Pi-hole only show my router’s IP address
Replies: 12
Views: 1845

Re: Pi-Hole and Mikrotik - DNS - Pi-hole only show my router’s IP address

Where do you run your pi-hole?
Bare device, VM, docker container?
It looks like some misconfiguration in VM/docker networking.

Anyway, it most likely has nothing to do with mikrotik.
by xvo
Wed Oct 21, 2020 10:45 am
Forum: RouterOS v7 BETA
Topic: Feature Request : Non routable Management VLAN
Replies: 6
Views: 809

Re: Feature Request : Non routable Management VLAN

I believe there is even simpler way: /ip route rule add interface=vlan-mgmt action=drop With this approach, you are explicitly ending your set of rules using "drop everything else". That means you have to whitelist (allow/accept) every single separate type of traffic you want to allow. Wit...
by xvo
Wed Oct 21, 2020 7:39 am
Forum: RouterOS v7 BETA
Topic: Feature Request : Non routable Management VLAN
Replies: 6
Views: 809

Re: Feature Request : Non routable Management VLAN

And your question is?!
What exactly prevents you from configuring what you describe?
by xvo
Wed Oct 21, 2020 12:02 am
Forum: Beginner Basics
Topic: Mikrotik DNS resolver [SOLVED]
Replies: 2
Views: 314

Re: Mikrotik DNS resolver [SOLVED]

IP -> DNS -> Static

Of course that will work only if mikrotik is used as DNS server for your network.
by xvo
Wed Oct 21, 2020 12:01 am
Forum: Beginner Basics
Topic: Route via a Specific Interface Only
Replies: 11
Views: 659

Re: Route via a Specific Interface Only

The second is the right one.
That's interesting to know if %interface can actually be used to "bind" ping check to this interface only.
by xvo
Tue Oct 20, 2020 11:44 pm
Forum: Forwarding Protocols
Topic: 1-way OSPF between RB2011 and RB4011
Replies: 3
Views: 554

Re: 1-way OSPF between RB2011 and RB4011

Is ospf permitted by firewall on both sides?
by xvo
Mon Oct 19, 2020 8:02 pm
Forum: Beginner Basics
Topic: Pi-Hole and Mikrotik - DNS - Pi-hole only show my router’s IP address
Replies: 12
Views: 1845

Re: Pi-Hole and Mikrotik - DNS - Pi-hole only show my router’s IP address

As already stated - It's not a bug, but a misinterpretation of router's config options.
by xvo
Mon Oct 19, 2020 7:14 pm
Forum: Beginner Basics
Topic: Pi-Hole and Mikrotik - DNS - Pi-hole only show my router’s IP address
Replies: 12
Views: 1845

Re: Pi-Hole and Mikrotik - DNS - Pi-hole only show my router’s IP address

I guess you entered pi-hole as DNS server in IP -> DNS?
You should additionally specify pi-hole as DNS server in IP -> DHCP -> Networks
by xvo
Sun Oct 18, 2020 7:54 pm
Forum: Beginner Basics
Topic: Building LAN from scratch: 4 mikrotiks - 4 networks
Replies: 15
Views: 773

Re: Building LAN from scratch: 4 mikrotiks - 4 networks

And it works like a charm. Yes it does! And another great thing about that - the addresses don't have to be adjacent, so I have all my PTP links like 172.27.XXX.YYY - 172.27.YYY.XXX (where XXX is some unique identifier for this particular router). That is perfect for 1) ease of reading 2) the abi...
by xvo
Sun Oct 18, 2020 7:17 pm
Forum: Beginner Basics
Topic: Route via a Specific Interface Only
Replies: 11
Views: 659

Re: Route via a Specific Interface Only

That should work.
by xvo
Sun Oct 18, 2020 6:36 pm
Forum: Beginner Basics
Topic: Building LAN from scratch: 4 mikrotiks - 4 networks
Replies: 15
Views: 773

Re: Building LAN from scratch: 4 mikrotiks - 4 networks

I'm not sure if Mikrotik supports /31 but I thought I'd mention it.
It doesn't. You need to use pair of /32 addresses with network specified as the "opposite" one.
by xvo
Sun Oct 18, 2020 6:29 pm
Forum: Beginner Basics
Topic: Route via a Specific Interface Only
Replies: 11
Views: 659

Re: Route via a Specific Interface Only

Hi, This is for Internet fail over. What's the best way in RouterOS to configure a route via a specific interface, so that if that interface is down it won't route via the default route (or any other less specific route)? I think I can do it by adding a route to Null for the same /32 but with worse...
by xvo
Sun Oct 18, 2020 4:20 pm
Forum: Beginner Basics
Topic: Building LAN from scratch: 4 mikrotiks - 4 networks
Replies: 15
Views: 773

Re: Building LAN from scratch: 4 mikrotiks - 4 networks

Yes, that's exactly my point.
by xvo
Sun Oct 18, 2020 3:41 pm
Forum: Beginner Basics
Topic: Building LAN from scratch: 4 mikrotiks - 4 networks
Replies: 15
Views: 773

Re: Building LAN from scratch: 4 mikrotiks - 4 networks

Performance-wise you're right. Configuration-wise, VLANs and centralized routing config is much simpler than distributed routing. Plus it would make a good basis for expansion (much easier to add another subnet or increase number of ports within subnet or replacement of RB760iGS with a proper manag...
by xvo
Sun Oct 18, 2020 12:21 pm
Forum: RouterBOARD hardware
Topic: RBM33G Voltage Monitoring
Replies: 8
Views: 3872

Re: RBM33G Voltage Monitoring

that there are no additional GPIO pins
Have you seen this in the latest 6.48beta48?
*) m33g - added support for "/system gpio" menu (CLI only);
viewtopic.php?f=21&t=163308#p822721
by xvo
Fri Oct 16, 2020 11:35 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta2 [development] is released!
Replies: 387
Views: 101327

Re: v7.1beta2 [development] is released!

including wiping the file storage...where I had stored a couple backup configs
Are you sure they were in /flash folder, not in the root directory that is mounted to RAM?
by xvo
Fri Oct 16, 2020 11:32 pm
Forum: Beginner Basics
Topic: Building LAN from scratch: 4 mikrotiks - 4 networks
Replies: 15
Views: 773

Re: Building LAN from scratch: 4 mikrotiks - 4 networks

There are different approaches - you could route between subnets on mikrotik2-4 and have static routing rules on mikrotik1 so traffic is directed to the correct mikrotik, or you could use mikrotik2-4 as switches with VLANs and perform all of the routing/firewalling on mikrotik1 RB760iGS won't be go...
by xvo
Fri Oct 16, 2020 9:54 pm
Forum: General
Topic: Which rule is a connection matching
Replies: 3
Views: 387

Re: Which rule is a connection matching

Firewall doesn't allow connections, it allows packets.
And different packets from that connection can be allowed by different rules.
by xvo
Thu Oct 15, 2020 12:44 pm
Forum: SwOS
Topic: Number of SWOS VLANs
Replies: 7
Views: 826

Re: Number of SWOS VLANs

This is an all wireless network with the AP's UN-tagging VLAN traffic. In this scenario, is there any advantage to tagging all the switch ports? Thanks again.
If all ports need to have the same set of tagged vlans, then there is no point really.
by xvo
Thu Oct 15, 2020 1:32 am
Forum: Beginner Basics
Topic: WOL before RDP
Replies: 2
Views: 351

Re: WOL before RDP

I've come to conclusion that the easiest way to wol a pc in remote network is running a small bash script that will connect to mikrotik by ssh and run a wol command. A special user can be used for that: only ssh and test permissions are needed. But anyway, ssh port open to outside network is not a g...
by xvo
Tue Oct 13, 2020 6:26 pm
Forum: SwOS
Topic: Number of SWOS VLANs
Replies: 7
Views: 826

Re: Number of SWOS VLANs

manual.jpg
That is from the very beginning of that page.
https://wiki.mikrotik.com/wiki/SwOS/CRS ... s_features

Unfortunately, it looks like RoS is the only option here.
by xvo
Tue Oct 13, 2020 11:36 am
Forum: SwOS
Topic: Number of SWOS VLANs
Replies: 7
Views: 826

Re: Number of SWOS VLANs

Yes, there is 250 VLAN limit in SwOS:
https://wiki.mikrotik.com/wiki/SwOS/CRS3xx
by xvo
Sun Oct 11, 2020 2:51 pm
Forum: Beginner Basics
Topic: IPV6 Firewall [SOLVED]
Replies: 55
Views: 2780

Re: IPV6 Firewall [SOLVED]

In winbox you have to choose needed action first (in this case action=reject) and then options for this action will appear.
by xvo
Sat Oct 10, 2020 11:45 am
Forum: The Dude
Topic: Strange graphs plot [SOLVED]
Replies: 2
Views: 499

Re: Strange graphs plot [SOLVED]

That is the expected behaviour - latest period of time is stored in max resolution, the next one - in lower (10 min), and so on (2 hours, 1 day).
You can change the exact time for each period in settings:
dude charts.jpg
by xvo
Sat Oct 10, 2020 12:24 am
Forum: Forwarding Protocols
Topic: Routing Advices
Replies: 7
Views: 843

Re: Routing Advices

First you have to decide: do you really need to "bridge" or to "route" will be enough? In first case you will have one subnet, only one of the routers will act as a DHCP server for both networks and so on. While in the second case you will have two completely independent networks...
by xvo
Sat Oct 10, 2020 12:07 am
Forum: General
Topic: ECMP balancing sometimes breaks TCP connection
Replies: 9
Views: 693

Re: ECMP balancing sometimes breaks TCP connection

A load balancer would slightly complicate things, nothing terrible, but a couple rules like sindy suggested would be a much simpler solution in this case. These rules are what load balancer is mostly. And now meaning the "destination". The only thing that is lacking - taking the up/down s...
by xvo
Fri Oct 09, 2020 11:45 pm
Forum: Beginner Basics
Topic: NAT + Tag/Untag multiple identical devices
Replies: 17
Views: 1126

Re: NAT + Tag/Untag multiple identical devices

Now ping and ssh connection are working from management RPi to DEVs! Thanks xvo! Niiice! However that makes me wonder if the guy who wrote the article ever tried it himself in the exact way he wrote. I once built a test setup somehow using this article as a guidance, but the setup itself had some m...
by xvo
Fri Oct 09, 2020 10:45 am
Forum: Beginner Basics
Topic: Unable to Access [SOLVED]
Replies: 5
Views: 342

Re: Unable to Access [SOLVED]

Then check IP -> Services, System -> Users and IP -> Firewall -> Filter (input chain) sections to see if access is not restricted to some ip's (whether for this user only, or to device in general).
by xvo
Thu Oct 08, 2020 10:20 pm
Forum: Beginner Basics
Topic: Unable to Access [SOLVED]
Replies: 5
Views: 342

Re: Unable to Access [SOLVED]

Do both PCs have the same winbox version?
by xvo
Thu Oct 08, 2020 10:18 pm
Forum: Beginner Basics
Topic: Help validating PoE will work in my setup?
Replies: 5
Views: 374

Re: Help validating PoE will work in my setup?

I also found MikroTik RBGPOE power injectors, with these I think I should be able to use the power supply that comes with the ac²s to supply PoE. This way, all of my APs should be able to pull up to 0.8A*24V=19.2W in ideal conditions. Besides the extra wiring and cabling in the basement, that shoul...
by xvo
Thu Oct 08, 2020 10:10 pm
Forum: General
Topic: ECMP balancing sometimes breaks TCP connection
Replies: 9
Views: 693

Re: ECMP balancing sometimes breaks TCP connection

You are misusing ECMP - it is meant to load balance routes, not the "destinations".
by xvo
Thu Oct 08, 2020 10:08 pm
Forum: Beginner Basics
Topic: NAT + Tag/Untag multiple identical devices
Replies: 17
Views: 1126

Re: NAT + Tag/Untag multiple identical devices

I have one idea. For returning packets you do this: /ip firewall mangle add action=mark-routing chain=prerouting dst-address=192.168.2.2 new-routing-mark=main Is this rule being hit at all? The idea is, dst-nat is performed after the prerouting chain, so probably the action reversing the src-nat too...
by xvo
Thu Oct 08, 2020 4:48 pm
Forum: General
Topic: Firewall for ROS device used as internal switch? [SOLVED]
Replies: 2
Views: 338

Re: Firewall for ROS device used as internal switch? [SOLVED]

No, if the device is configured as a switch it doesn't forward any IP packets.
You can even disable IP forwarding in IP -> Settings.
by xvo
Thu Oct 08, 2020 10:01 am
Forum: Beginner Basics
Topic: Help validating PoE will work in my setup?
Replies: 5
Views: 374

Re: Help validating PoE will work in my setup?

I agree that it would be nice to have a bit of a buffer, but I can't seem to find that 28V 3.4A supply while browsing MikroTik products. I think it may be a one-off accessory for that specific switch. Do you happen to know if it is sold anywhere? I'm not finding similar products offered elsewhere e...
by xvo
Thu Oct 08, 2020 12:12 am
Forum: Beginner Basics
Topic: Help validating PoE will work in my setup?
Replies: 5
Views: 374

Re: Help validating PoE will work in my setup?

No attachments in case of hAP ac2 means no usb devices. The device itself consumes 16W which is 0.666A at 24V (not 0,5A). So 3 of them will give exactly 48W which is 2A at 24V. So theoretically this is as much as hEX PoE can provide. But that doesn't account for losses on the cables on one hand, and...
by xvo
Thu Oct 08, 2020 12:00 am
Forum: Beginner Basics
Topic: Help setting up new router - RB4011
Replies: 2
Views: 275

Re: Help setting up new router - RB4011

If you changed the IP for your LAN bridge you should change dhcp pool and dhcp-server network as well.
by xvo
Wed Oct 07, 2020 11:58 pm
Forum: Beginner Basics
Topic: Hex and VLAN trunk port Ether5
Replies: 1
Views: 190

Re: Hex and VLAN trunk port Ether5

Why are your vlan-interfaces created on top of the bridge if you want ether5 to be a trunk port?
Move them to ether5. Also add all of them to interface-list=LAN.

And also move the address from ether2 to the bridge.
Despite the fact that it is in the default config it is wrong.
by xvo
Wed Oct 07, 2020 5:15 pm
Forum: Beginner Basics
Topic: Hitting a brick wall with VLANs on RB4011 [SOLVED]
Replies: 4
Views: 512

Re: Hitting a brick wall with VLANs on RB4011 [SOLVED]

So, I did try that - I set a port on the bridge to untagged VLAN4 and then enabled vlan-filtering on the bridge. Plugging in a client to that port and I do not get an IP from the DHCP server on that VLAN. I may be missing something else here. Would I need to also add the VLAN interfaces to the brid...
by xvo
Wed Oct 07, 2020 5:08 pm
Forum: General
Topic: Help with POE at Powerbox Pro
Replies: 1
Views: 229

Re: Help with POE at Powerbox Pro

Mikrotik uses Mode B (4,5 - 7,8) to supply power.
Most likely cameras support only Mode A (1,2 - 3,6) which is against the standard.
by xvo
Wed Oct 07, 2020 4:57 pm
Forum: Beginner Basics
Topic: Hitting a brick wall with VLANs on RB4011 [SOLVED]
Replies: 4
Views: 512

Re: Hitting a brick wall with VLANs on RB4011 [SOLVED]

RB4011 doesn't support vlans on hardware.
So you should configure bridge vlan filtering (and lose hw-offloading).
by xvo
Wed Oct 07, 2020 11:48 am
Forum: General
Topic: Disable Firewall and NAT (Allow Traffic in both Directions
Replies: 3
Views: 309

Re: Disable Firewall and NAT (Allow Traffic in both Directions

Thanks for your reply, there are some default rule under the filter rules tab NAT tab or Mangle Which I am not able to delete.
If you are talking about "special dummy rules", they will be deleted on first reboot once you delete the fasttrack rule in filter forward chain.
by xvo
Tue Oct 06, 2020 10:49 pm
Forum: Beginner Basics
Topic: RB4011 VLAN + unifi [SOLVED]
Replies: 14
Views: 1031

Re: RB4011 VLAN + unifi [SOLVED]

How an untagged flow of traffic into a switch can then be turned into tagged traffic coming out other ports of the switch It will be tagged by a switch, I guess :))) Isn't that what is switch for after all: tagging, untagging and tagging again, just to fulfil the darkest of admin's designs?! You co...
by xvo
Tue Oct 06, 2020 7:42 pm
Forum: SwOS
Topic: Mikrotik SwOS for CRS112-8P-4S-IN
Replies: 8
Views: 805

Re: Mikrotik SwOS for CRS112-8P-4S-IN

Thanks for keep supporting. I know RoS has more configuration features than SwOS, but some features i didn't get in RoS what i see with SwOS such as port isolation, port forwarding, port locking, port mirroring, bandwidth limit etc. Thanks. All is there, in switch menu, with far more possibilities ...
by xvo
Tue Oct 06, 2020 7:13 pm
Forum: SwOS
Topic: Mikrotik SwOS for CRS112-8P-4S-IN
Replies: 8
Views: 805

Re: Mikrotik SwOS for CRS112-8P-4S-IN

Okay! i disappointed to know this as i thought all Mikrotik smart switches come with SwOS operating system. Totally waste my money on this. Thanks. There are 3 families of Mikrotik switches: - CSS: that run SwOS - CRS1XX/2XX: that run RoS - CRS3XX: that allow dual-boot (you can choose what os to run...
by xvo
Tue Oct 06, 2020 6:55 pm
Forum: SwOS
Topic: Mikrotik SwOS for CRS112-8P-4S-IN
Replies: 8
Views: 805

Re: Mikrotik SwOS for CRS112-8P-4S-IN

No, you can't.
by xvo
Tue Oct 06, 2020 6:39 pm
Forum: SwOS
Topic: Mikrotik SwOS for CRS112-8P-4S-IN
Replies: 8
Views: 805

Re: Mikrotik SwOS for CRS112-8P-4S-IN

CRS1XX/2XX are RoS devices, not SwOS.
by xvo
Tue Oct 06, 2020 1:04 pm
Forum: Beginner Basics
Topic: New Router Choice RB4011iGS+5HacQ2HnD-IN or what?
Replies: 1
Views: 251

Re: New Router Choice RB4011iGS+5HacQ2HnD-IN or what?

Adding an 8-port switch makes far more sense in your situation.
by xvo
Tue Oct 06, 2020 11:07 am
Forum: Beginner Basics
Topic: interVlan Routering with only routerBoard
Replies: 2
Views: 227

Re: interVlan Routering with only routerBoard

You don't need switch functionality if you want separate LAN on each of the ports.
by xvo
Tue Oct 06, 2020 11:04 am
Forum: General
Topic: Disable Firewall and NAT (Allow Traffic in both Directions
Replies: 3
Views: 309

Re: Disable Firewall and NAT (Allow Traffic in both Directions

Remove all firewall and NAT rules.

Or reset the device with no default configuration and configure only things you need.
Only be aware that after resetting with no config the router won't have any IP addresses, so it will be possible to connect to it only by mac-address using winbox.
by xvo
Tue Oct 06, 2020 12:02 am
Forum: RouterBOARD hardware
Topic: What's a good router that supports both 2.4 GHz and 5 GHz at the same time?
Replies: 4
Views: 502

Re: What's a good router that supports both 2.4 GHz and 5 GHz at the same time?

It sounds like what I'm looking for is the Dual-concurrent label. Well, there are some examples (most likely the newer ones) that don't have this said explicitly, and yet they are still dual-concurrent. To be sure, you can check the block diagram of the device, and for dual-concurrent you will...
by xvo
Mon Oct 05, 2020 11:42 pm
Forum: RouterBOARD hardware
Topic: What's a good router that supports both 2.4 GHz and 5 GHz at the same time?
Replies: 4
Views: 502

Re: What's a good router that supports both 2.4 GHz and 5 GHz at the same time?

All current dual-band Mikrotik routers from this section are dual-concurrent, meaning that they can work in 2.4Ghz and 5Ghz simultaneously: https://mikrotik.com/products/group/wireless-for-home-and-office And as an example of AP that can work either in 2.4Ghz or 5Ghz, but not at the same time: https...
by xvo
Mon Oct 05, 2020 10:57 pm
Forum: Scripting
Topic: notification on incoming and established vpn connection
Replies: 2
Views: 328

Re: notification on incoming and established vpn connection

PPP-profile-Scripts.jpg
by xvo
Mon Oct 05, 2020 7:11 pm
Forum: RouterBOARD hardware
Topic: 951G-2HnD too slow for 1Gbps connection?
Replies: 36
Views: 6607

Re: 951G-2HnD too slow for 1Gbps connection?

Is Mikrotik RouterBoard RBD52G-5HacD2HnD-TC hAP ac2 up? This one will do? I meant up the product line. Starting from hAP ac2 and then to more powerful/expensive models. hAP ac2 will be ok for 1Gbit as long as traffic can be fasttracked (for example with the default config). If you need load balanci...
by xvo
Sun Oct 04, 2020 12:43 pm
Forum: Forwarding Protocols
Topic: OSPF / PTMP no subnets
Replies: 5
Views: 647

Re: OSPF / PTMP no subnets

Could you please explain the sense behind this? I see no practical reason to distribute /32 routes. Each router can reach each router - but the hosts in the networks connected to the router cannot reach other hosts in network connected to other routers? It is suited fine for point-to-point links (t...
by xvo
Sun Oct 04, 2020 2:45 am
Forum: Forwarding Protocols
Topic: OSPF / PTMP no subnets
Replies: 5
Views: 647

Re: OSPF / PTMP no subnets

MT-Wikis says: Discovery on PTMP Subnets Point-to-MultiPoint treats the network as a collection of point-to-point links. Is this behaviour Mikrotik specific or is this "per design" of the PTMP network-type? It works exactly as stated in your quote - you end up with bunch of /32 addresses....
by xvo
Sun Oct 04, 2020 2:26 am
Forum: RouterBOARD hardware
Topic: GPeR
Replies: 2
Views: 320

Re: GPeR

Yes, you can remove jumpers on PoE-out side and then it won't pass PoE further.
But there is a note, that it won't work if 802.3af/at is used - the power source device won't power the GPeR alone.
https://i.mt.lv/cdn/product_files/GPeRqg_190928.pdf
by xvo
Sun Oct 04, 2020 2:03 am
Forum: RouterBOARD hardware
Topic: hAP ac2 vs. cAP ac, CAP only usage
Replies: 10
Views: 932

Re: hAP ac2 vs. cAP ac, CAP only usage

But running the default configuration makes it impossible to connect to the router because of the firewall. What do you mean? From WAN interface? Yes, so? I don't really understand what your point is. Firewall won't prevent powering the device up :))) PoE input and "internet" should not ...
by xvo
Fri Oct 02, 2020 11:18 pm
Forum: Beginner Basics
Topic: NAT + Tag/Untag multiple identical devices
Replies: 17
Views: 1126

Re: NAT + Tag/Untag multiple identical devices

xvo, I tried your example in https://habr.com/ru/post/262091/, but it doesn't work as such. I used Raspberry PIs in ether3, ether4 and ether5 with identical addresses as yours. No connection available from 192.168.2.2 to 192.168.2.13 or 192.168.2.14. Is there something missing? You should have your...
by xvo
Thu Oct 01, 2020 11:57 pm
Forum: Beginner Basics
Topic: VLAN Client Isolation
Replies: 10
Views: 1364

Re: VLAN Client Isolation

I think this is where my knowledge on how to configure CRS1XX/2XX ends. I have only one of the line and it's in production, so I can't use it for testing purposes. I guess that port-profile is somehow messing with the vlan config, or at least with its part that makes ether1 a trunk port. But I don'...
by xvo
Thu Oct 01, 2020 11:42 pm
Forum: RouterBOARD hardware
Topic: hAP ac2 vs. cAP ac, CAP only usage
Replies: 10
Views: 932

Re: hAP ac2 vs. cAP ac, CAP only usage

Why is the PoE input also the WAN interface by default? Because it is the port, that will definitely be used on a wifi router run with default config. So you don't need to reconfigure the device only to power it up from an injector. For cAP ac it is even more obvious, as it doesn't have separate powe...
by xvo
Wed Sep 30, 2020 12:52 am
Forum: Beginner Basics
Topic: NAT from a TCP port to a UDP port
Replies: 3
Views: 264

Re: NAT from a TCP port to a UDP port

That can't work even in theory.
by xvo
Wed Sep 30, 2020 12:48 am
Forum: Announcements
Topic: Newsletter 97 (September 2020)
Replies: 86
Views: 16658

Re: Newsletter 97 (September 2020)

May be but on the other hand it seems more cost effective just to buy a larger unit like for example CSS326-24G-2S+RM that is only a bit more expensive but is full 19" rack unit and gives you 24Gbps ports etc ... Sure, but the idea mainly is to combine two 8-port PoE switches, or one PoE and o...
by xvo
Mon Sep 28, 2020 2:10 pm
Forum: Announcements
Topic: Newsletter 97 (September 2020)
Replies: 86
Views: 16658

Re: Newsletter 97 (September 2020)

It would be really nice if for smaller devices like this CSS610-8G-2S+IN switch MikroTik bundles second ear for 10" racks mount that are increasingly popular ...
And also (as a separate item) a kit that will make possible to mount two units in one 19" space.
by xvo
Mon Sep 28, 2020 1:45 pm
Forum: General
Topic: Is there a router/switch to beat the 4011?
Replies: 21
Views: 2443

Re: Is there a router/switch to beat the 4011?

Right you are... shame on me for not checking for this. No shame here: too many devices to remember all their specs. And no distinctive pattern between names - generations - architecture. As for this particular case: wAP ac2 LTE would be a more proper name, clearly indicating, that this a new gener...
by xvo
Mon Sep 28, 2020 1:12 pm
Forum: General
Topic: Is there a router/switch to beat the 4011?
Replies: 21
Views: 2443

Re: Is there a router/switch to beat the 4011?

Think about some of the devices built around the IPQ-4018/9 SoC, such as hAP ac², wAP ac, or cAP ac.
Only wAP ac LTE is IPQ-4018.
wAP ac is mipsbe, and hence not a competitor to the above ones.
by xvo
Mon Sep 28, 2020 11:24 am
Forum: SwOS
Topic: Help me please, switch keeps briking on me
Replies: 3
Views: 529

Re: Help me please, switch keeps briking on me

To get an access from trunk port you might need to specify the correct vlan id for management access (System tab, Allow from VLAN).
by xvo
Mon Sep 28, 2020 12:27 am
Forum: Beginner Basics
Topic: [problem] high ping latency - MultiWAN
Replies: 14
Views: 1417

Re: [problem] high ping latency - MultiWAN

it is ok, i think i do not use https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack in full config above. Actually I don't see any firewall at all, which is not good, if the router is facing the internet, and there are public IPs on any of your Dlink DSL-modems. Last thing please @xvo, for the 2 WA...
by xvo
Mon Sep 28, 2020 12:02 am
Forum: Beginner Basics
Topic: [problem] high ping latency - MultiWAN
Replies: 14
Views: 1417

Re: [problem] high ping latency - MultiWAN

also , do you think i need chain=input rules ? because i use only prerouting and output chain's ? No, you don't. Prerouting covers both "input" and "forward" traffic. how can i check https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack is enabled ? Look at your firewall/filter's f...
by xvo
Sun Sep 27, 2020 11:42 pm
Forum: Beginner Basics
Topic: [problem] high ping latency - MultiWAN
Replies: 14
Views: 1417

Re: [problem] high ping latency - MultiWAN

or it is just a problem with per-connection-classifier=both-addresses:2/0 for WAN-09 and per-connection-classifier=both-addresses:2/1 for WAN-12 ? That is definitely a problem, and has to be corrected the way you figured out yourself. Also be sure that you don't have fasttrack enabled. Apart from t...
by xvo
Sun Sep 27, 2020 10:52 pm
Forum: Beginner Basics
Topic: [problem] high ping latency - MultiWAN
Replies: 14
Views: 1417

Re: [problem] high ping latency - MultiWAN

also , can i use both-addresses-and-ports rather than both-addresses ?
You can, but it might potentially break applications that rely on multiple parallel connections.
by xvo
Sun Sep 27, 2020 9:10 pm
Forum: Wireless Networking
Topic: Compare United States wireless country settings [SOLVED]
Replies: 11
Views: 5649

Re: Compare United States wireless country settings [SOLVED]

Antenna Gain doesn't show up on my settings
Search field on the forum too? :)
by xvo
Sun Sep 27, 2020 6:28 pm
Forum: General
Topic: Is there a router/switch to beat the 4011?
Replies: 21
Views: 2443

Re: Is there a router/switch to beat the 4011?

There is no such product.
So, just buy a decent 16-24 port switch and continue using 4011 as a router.
by xvo
Sun Sep 27, 2020 3:03 pm
Forum: Announcements
Topic: Newsletter 97 (September 2020)
Replies: 86
Views: 16658

Re: Newsletter 97 (September 2020)

CCR 2004 is no longer listed in newsletter
and catalog ;) https://download2.mikrotik.com/catalog_2020.pdf
any idea why?
It is there, announced in May/2020:
https://mikrotikdownload.s3.eu-west-1.a ... ews_95.pdf
The catalogue most likely was created earlier.
by xvo
Sun Sep 27, 2020 12:14 am
Forum: General
Topic: Share 2mbps equal on two user with different limit-at
Replies: 5
Views: 1816

Re: Share 2mbps equal on two user with different limit-at

Set MAX Limit for leaf queues a little lower than for the parent.
by xvo
Sat Sep 26, 2020 2:46 pm
Forum: Beginner Basics
Topic: HAP AC - SFP port [SOLVED]
Replies: 3
Views: 350

Re: HAP AC - SFP port [SOLVED]

I assume the concern is throughput and CPU impact rather than function.
Yes, exactly.
by xvo
Sat Sep 26, 2020 1:39 pm
Forum: Beginner Basics
Topic: HAP AC - SFP port [SOLVED]
Replies: 3
Views: 350

Re: HAP AC - SFP port [SOLVED]

It's a separate interface.
Keep in mind that it is connected directly to CPU not to a switch chip, so it's good to use it as an uplink from ISP, and not so good as a LAN port.
by xvo
Fri Sep 25, 2020 11:00 am
Forum: Beginner Basics
Topic: VLAN Client Isolation
Replies: 10
Views: 1364

Re: VLAN Client Isolation

How would that rule look like? (Blue VLAN is on interface "BLUE_VLAN", vlan-id is 10 and subnet is 10.0.10.0/24. Port ether1 on each switch is connected to the router.) I guess something like this: /interface bridge filter add action=drop chain=forward in-interface=ether2 mac-protocol=vla...
by xvo
Fri Sep 25, 2020 10:19 am
Forum: Beginner Basics
Topic: VLAN Client Isolation
Replies: 10
Views: 1364

Re: VLAN Client Isolation

In that case it would be possible to isolate clients using split horizon (assuming each has own access port on one of CRSes). It would probably work nicely for clients of each CRS1xx, however isolation of clients connected to different CRS1xx would still be a challenge, which could be solved by usi...
by xvo
Wed Sep 23, 2020 9:36 pm
Forum: Beginner Basics
Topic: VPN Works with PPTP but not with L2TP
Replies: 3
Views: 416

Re: VPN Works with PPTP but not with L2TP

Does your hap lite have a public ip assigned to it, or is it behind some other router with some ports forwarded?
by xvo
Wed Sep 23, 2020 10:03 am
Forum: Wireless Networking
Topic: CAPsMAN manual channel
Replies: 1
Views: 248

Re: CAPsMAN manual channel

And the last steps to do are:
- create different configurations using different channels.
- and then provisioning rules for groups of caps, that will use their own configurations.
by xvo
Wed Sep 23, 2020 9:52 am
Forum: Beginner Basics
Topic: AT&T FTTH, VLANs, CapsMAN Full Config
Replies: 18
Views: 2542

Re: AT&T FTTH, VLANs, CapsMAN Full Config

Dont know about proprietary crap but I use firewall rules to allow users on vlans to access a printer on another vlan. Firewall won't help you in case of discovery protocols that rely on broadcasts (and are supposed to work inside one broadcast domain), no matter if they are open or proprietary. On...
by xvo
Wed Sep 23, 2020 1:03 am
Forum: Beginner Basics
Topic: Can't access to my services with my public IP
Replies: 11
Views: 1134

Re: Can't access to my services with my public IP

Can't see anything else in your config, that could interfere with it.
Apart from what @anav had already pointed out (address being assigned to the wrong interface).
by xvo
Tue Sep 22, 2020 10:39 pm
Forum: Beginner Basics
Topic: Can't access to my services with my public IP
Replies: 11
Views: 1134

Re: Can't access to my services with my public IP

/ip firewall nat add action=dst-nat chain=dstnat dst-address=your_public_IP to-addresses=192.168.1.60

And with it the hairpin rule:

/ip firewall nat add action=src-nat chain=srcnat dst-address=192.168.1.60 src-address=192.168.1.0/24 to-addresses=192.168.1.1
by xvo
Tue Sep 22, 2020 2:39 pm
Forum: Beginner Basics
Topic: Can't access to my services with my public IP
Replies: 11
Views: 1134

Re: Can't access to my services with my public IP

Yesterday i saw some posts about "hairpin nat" and tried to implement, but still doesn't work (currently are not implemented as you can see in the FW rules). How exactly did you try to implement hairpin nat? As your public IP is not assigned to your mikrotik but to the ISP router, you sho...
by xvo
Tue Sep 22, 2020 12:51 pm
Forum: General
Topic: L2tp+bcp+ipsec not working
Replies: 7
Views: 720

Re: L2tp+bcp+ipsec not working

but it fails on phase 2 i have double checked the policy's and they match
You mean proposals, right?
by xvo
Tue Sep 22, 2020 12:30 pm
Forum: Beginner Basics
Topic: Can't access to my services with my public IP
Replies: 11
Views: 1134

Re: Can't access to my services with my public IP

Search for "hairpin nat".

And as you are behind an ISP router, you should probably implement it there, not on mikrotik.
by xvo
Mon Sep 21, 2020 11:56 pm
Forum: RouterBOARD hardware
Topic: RB4011 carrying traffic but access is lost
Replies: 4
Views: 498

Re: RB4011 carrying traffic but access is lost

Yes, that sounds different indeed.
Still worth "digging" the forum.
by xvo
Mon Sep 21, 2020 10:33 pm
Forum: RouterBOARD hardware
Topic: RB4011 carrying traffic but access is lost
Replies: 4
Views: 498

Re: RB4011 carrying traffic but access is lost

If I recall correctly, there were some messages describing similar behaviour on 4011: one cpu core maxes out, cutting out access to the device itself.
Try searching the forum for the last couple of months.
by xvo
Mon Sep 21, 2020 8:35 pm
Forum: Beginner Basics
Topic: Wan added on bridge [SOLVED]
Replies: 3
Views: 316

Re: Wan added on bridge [SOLVED]

I do not want to achieve anything . this is a basic setup . but what kind of problems does having wan to the same bridge as lan create ? It would be the same as using a switch instead of a router - one device would probably get internet access, all others - won't. Probably no one will get internet ...
by xvo
Mon Sep 21, 2020 8:21 pm
Forum: Beginner Basics
Topic: How to Setup hap ac2 are router w/o wifi
Replies: 3
Views: 294

Re: How to Setup hap ac2 are router w/o wifi

Tried disabling both wlans, but when I did the config change to CAP
Just disable both wlan interfaces and don't change anything else in Home AP Dual setup.
by xvo
Mon Sep 21, 2020 8:17 pm
Forum: Beginner Basics
Topic: Wan added on bridge [SOLVED]
Replies: 3
Views: 316

Re: Wan added on bridge [SOLVED]

Depending on what exactly you want to achieve by that, but in most usual situation when WAN port goes to your ISP and all other ports are for your LAN devices, that is not what you want to do.
by xvo
Mon Sep 21, 2020 7:01 pm
Forum: Beginner Basics
Topic: h AP Lite VPN
Replies: 4
Views: 419

Re: h AP Lite VPN

but both office and home needs public ip address
Public IP at one side is enough.
by xvo
Mon Sep 21, 2020 5:39 pm
Forum: SwOS
Topic: Powering RB260GS from PoE
Replies: 3
Views: 2662

Re: Powering RB260GS from PoE

Hi.
And what if I will plug ETH1 of RB260 to some PoE Switch with 802.3af / 802.3at? Because of passive PoE I am afraid auto-negotiation will fail to set proper voltage? Or it will work OK?
802.3af / 802.3at is 48V (actually can be between 36-57V), so it is too much for RB260.
by xvo
Mon Sep 21, 2020 3:14 pm
Forum: The Dude
Topic: The Dude installed & enabled but not working
Replies: 16
Views: 1462

Re: The Dude installed & enabled but not working

Is there an official place where I could submit a ticket directly to Mikrotik for this? At least so they're aware of the issue, since this is a new, pretty powerful device. The official way to contact support is via email: support@mikrotik.com You can add a link to this thread to your message not t...
by xvo
Mon Sep 21, 2020 2:39 pm
Forum: The Dude
Topic: The Dude installed & enabled but not working
Replies: 16
Views: 1462

Re: The Dude installed & enabled but not working

Such a shame, I would really love to test out the features The Dude has to offer... No other ideas cross your mind? Unfortunately - no. If the Dude tab does not appear, that means something is definitely wrong. You can try it on some other device, dedicated for the dude server only: for example on ...
by xvo
Mon Sep 21, 2020 2:27 pm
Forum: The Dude
Topic: The Dude installed & enabled but not working
Replies: 16
Views: 1462

Re: The Dude installed & enabled but not working

Could the original installation of the wrong architecture screw things up, even after uninstallation? Could be. If it's a test environment - you can try to netinstall the device and try from scratch. But arm64 being a new architecture in mikrotik line, I'd rather think that it just doesn't work pro...
by xvo
Mon Sep 21, 2020 1:06 pm
Forum: The Dude
Topic: The Dude installed & enabled but not working
Replies: 16
Views: 1462

Re: The Dude installed & enabled but not working

Nope, can connect with winbox but can't see the Dude tab on the left side panel.
Where do I need to set up the server settings on the router side?
In this "Dude" tab.

Try disabling/enabling the package (with reboots in between).
And removing/reinstalling, if the first doesn't help.
by xvo
Mon Sep 21, 2020 12:52 pm
Forum: General
Topic: Weird PING behavior on RouterOS
Replies: 10
Views: 853

Re: Weird PING behavior on RouterOS

Having two bridges doesn't disable hardware offload for one of the bridges?
Not if there are two switch chips.
by xvo
Mon Sep 21, 2020 12:33 pm
Forum: The Dude
Topic: The Dude installed & enabled but not working
Replies: 16
Views: 1462

Re: The Dude installed & enabled but not working

Does the Dude menu appear in webfig/winbox?
Have you enabled server in settings there?
by xvo
Mon Sep 21, 2020 1:20 am
Forum: Beginner Basics
Topic: Dual WAN Setup - how to get both public IPs reachable
Replies: 3
Views: 410

Re: Dual WAN Setup - how to get both public IPs reachable

Add two additional routing tables with default routes for each of WAN connections. And then a couple of routing rules, that restrict usage of the tables depending on src IP: /ip route add distance=1 gateway=gw-ip-for-isp1 routing-mark=isp1 add distance=1 gateway=gw-ip-for-isp2 routing-mark=isp2 /ip ...
by xvo
Mon Sep 21, 2020 1:13 am
Forum: RouterBOARD hardware
Topic: CRS326-24S+2Q+ // MTU 9000 // Bonding // Balance-RR // Hardware-Offloading
Replies: 3
Views: 504

Re: CRS326-24S+2Q+ // MTU 9000 // Bonding // Balance-RR // Hardware-Offloading

So it is not possible to distribute one TCP-Stream across all available Links?
No, it's not.
What are the alternatives, to achieve full speed for these protocols?
Use multiple streams and balance-xor mode: it can use l3+l4 hash policy, so takes ports into account too.
by xvo
Sun Sep 20, 2020 1:02 pm
Forum: Beginner Basics
Topic: Blocking internet
Replies: 36
Views: 1743

Re: Blocking internet

What makes you think 30-30-30 should work for mikrotik?!

Here you can read about reset procedure:
https://i.mt.lv/cdn/product_files/hEXSqg_191001.pdf

If nothing works - try netinstall.
by xvo
Sat Sep 19, 2020 11:00 pm
Forum: Wireless Networking
Topic: hAP ac3 recommended buy?
Replies: 50
Views: 6849

Re: hAP ac3 recommended buy?

Nobody has rukus I've never seen anyway
Yeah, sure, things you've never seen, don't exist at all ;)
by xvo
Sat Sep 19, 2020 10:50 pm
Forum: Beginner Basics
Topic: Set bandwidth limit on WAN [SOLVED]
Replies: 11
Views: 907

Re: Set bandwidth limit on WAN [SOLVED]

What if we leave target as blank though?
Should work the same way in this scenario.
by xvo
Thu Sep 17, 2020 1:17 pm
Forum: Beginner Basics
Topic: No NAT for a host
Replies: 1
Views: 374

Re: No NAT for a host

If it's on the wan bridge, isn't it bypassing mikrotik's NAT anyway?!
Or are you talking about traffic from local subnets to Cisco?
by xvo
Thu Sep 17, 2020 1:08 pm
Forum: Beginner Basics
Topic: Using hEX as VPN gateway only - almost working, sorta [SOLVED]
Replies: 7
Views: 512

Re: Using hEX as VPN gateway only - almost working, sorta [SOLVED]

I guess you are missing local-address in your ppp-profile. I suggest you set it to 192.168.252.1 and change to /24 instead of /30 in the route on the modem and in ovpn-server settings. Can leave /30 in the pool though. And for sure no such route should be present: 2 A S 192.168.252.240/30 192.168.1....
by xvo
Thu Sep 17, 2020 12:14 am
Forum: Beginner Basics
Topic: Using hEX as VPN gateway only - almost working, sorta [SOLVED]
Replies: 7
Views: 512

Re: Using hEX as VPN gateway only - almost working, sorta [SOLVED]

Mikrotik has static IP from modem - 192.168.1.252 Ok, so in the modem all you need is a route to 192.168.252.0/24 via 192.168.1.252. That's all. I see, that you already have it. Modem range is 192.168.1.0/24 subnet 255.255.255.0 --DHCP scope 192.168.1.50-150 --should subnet be 255.255.0.0 if I want...
by xvo
Wed Sep 16, 2020 7:50 pm
Forum: General
Topic: Very slow PPTP tunnel
Replies: 6
Views: 706

Re: Very slow PPTP tunnel

PPTP can't be "a good road warrior VPN solution" anyway.

As for the problem - try lowering MTU on the tunnel to smth like 1400.
by xvo
Wed Sep 16, 2020 11:19 am
Forum: Beginner Basics
Topic: Using hEX as VPN gateway only - almost working, sorta [SOLVED]
Replies: 7
Views: 512

Re: Using hEX as VPN gateway only - almost working, sorta [SOLVED]

When I connect to the VPN, my router assigns my laptop the same IP address I have when I'm normally connected locally on wifi. Local IPs work, but not the internet. Well, don't do it. What Ip does your hEX get from your modem? Specify the completely different subnet for vpn clients. And then two op...
by xvo
Tue Sep 15, 2020 5:10 pm
Forum: Beginner Basics
Topic: Routing mark bug?
Replies: 33
Views: 1868

Re: Routing mark bug?

Yes, xvo, you describe more accurately, what I mean... But suppose, this is bug... RP-filter or route with route mark can't be existed at one time. No, it is a limitation, but not a bug. All is working logically... so one just need to understand this logic to workaround this limitations. Thank you ...
by xvo
Tue Sep 15, 2020 4:54 pm
Forum: Beginner Basics
Topic: Routing mark bug?
Replies: 33
Views: 1868

Re: Routing mark bug?

Packets routes by route mark to vpn interface... Reply come from the other side, checked by RP-Filter, based on rules without route mark, and discarded. Yes, exactly! The way to overcome it: 1) copy routes pointing to local networks to tovpn routing table 2) and mark the returning packets to use it...
by xvo
Tue Sep 15, 2020 4:43 pm
Forum: Beginner Basics
Topic: Routing mark bug?
Replies: 33
Views: 1868

Re: Routing mark bug?

Thank you for patience, xvo I rebooted device and claimed, that this is RP-filter, which discard reply packed in strict mode. I don't understand why... Suppose routers must use only loose mode? So it was rp-filter after all?! I think that is what was happening: - the original packet was routed by t...
by xvo
Tue Sep 15, 2020 3:46 pm
Forum: Beginner Basics
Topic: Routing mark bug?
Replies: 33
Views: 1868

Re: Routing mark bug?

And yes, rp-filter=strict, but I changed it to "no" without any success...
Probably you should wait for route cache to expire.

Anyway, that was my last guess...
by xvo
Tue Sep 15, 2020 3:23 pm
Forum: Beginner Basics
Topic: Routing mark bug?
Replies: 33
Views: 1868

Re: Routing mark bug?

Does adding the ip directly to the list instead of domain name change anything?

And another suggestion - is rp-filter set in ip settings?
by xvo
Tue Sep 15, 2020 2:58 pm
Forum: Beginner Basics
Topic: Routing mark bug?
Replies: 33
Views: 1868

Re: Routing mark bug?

Does routing through vpn work if you make it the default route not only for marked traffic, but for all?
by xvo
Tue Sep 15, 2020 2:23 pm
Forum: Beginner Basics
Topic: Routing mark bug?
Replies: 33
Views: 1868

Re: Routing mark bug?

add action=mark-routing chain=prerouting connection-state=new dst-address-list=blocked new-routing-mark=tovpn passthrough=yes First of all: you can't use mark-routing for only the first packet. Second: same thing about fasttrack - you can't use it for traffic, that has to be mangled and routed thr...
by xvo
Tue Sep 15, 2020 12:52 pm
Forum: General
Topic: wrong vlan id on swith crs3xx/crs326-24G-2S+ [SOLVED]
Replies: 1
Views: 304

Re: wrong vlan id on swith crs3xx/crs326-24G-2S+ [SOLVED]

Bridge -> Ports, open ports in question and set the proper PVID=4 for them.
by xvo
Tue Sep 15, 2020 12:31 pm
Forum: Beginner Basics
Topic: Routing mark bug?
Replies: 33
Views: 1868

Re: Routing mark bug?

Ok.
I think I know what the problem is: you need to use address as a gateway, not interface.
It works for a /32 address, thinking that it's just another end of ptp-link, but won't work for destinations with wider mask.
by xvo
Tue Sep 15, 2020 12:19 pm
Forum: RouterBOARD hardware
Topic: 951G-2HnD too slow for 1Gbps connection?
Replies: 36
Views: 6607

Re: 951G-2HnD too slow for 1Gbps connection?

That's hEX on the latest 6.46.7 (long-term).

As I have 300/800 + 600/600 as my Internet connection, I even tried to add something parallel to speedtest, to see if I can push it up to the full gigabit, but no luck there.
So I guess that's actually as much as it can do.
by xvo
Tue Sep 15, 2020 11:32 am
Forum: RouterBOARD hardware
Topic: 951G-2HnD too slow for 1Gbps connection?
Replies: 36
Views: 6607

Re: 951G-2HnD too slow for 1Gbps connection?

If you're extremely lucky.
No luck involved here.
As surprising as it is.
Regular config: NAT, firewall, fasttrack (obviously).
Even tested the case when WAN connection is L2TP couple of days ago - still good results (800/700mbit).
by xvo
Tue Sep 15, 2020 12:39 am
Forum: RouterBOARD hardware
Topic: 951G-2HnD too slow for 1Gbps connection?
Replies: 36
Views: 6607

Re: 951G-2HnD too slow for 1Gbps connection?

And what You say about HEX S? Better? Worse? (I do not need wifi antenna inside)
Not exactly worse. Just different.
Nevertheless - slower: will cap at 800-900 in real-life scenarios.
by xvo
Mon Sep 14, 2020 8:27 pm
Forum: Forwarding Protocols
Topic: Adding routing mark weird behaviour.
Replies: 6
Views: 554

Re: Adding routing mark weird behaviour.

I prefer to put the distance higher for the non marked route as this allow to sort per distance and makes complex routing table more readable
Yeah, I kind of also sometimes use distance to sort the routes, for which the exact order has no difference.
by xvo
Mon Sep 14, 2020 6:58 pm
Forum: Forwarding Protocols
Topic: Adding routing mark weird behaviour.
Replies: 6
Views: 554

Re: Adding routing mark weird behaviour.

Then have one route (the one you actually want) with higher distance and no routing mark on it... Distance is irrelevant in this case. For packets using the named table, route selection falls back to main table (if it is allowed) only after it failed to find a route in the named one. And if named t...
by xvo
Mon Sep 14, 2020 12:54 pm
Forum: RouterBOARD hardware
Topic: 951G-2HnD too slow for 1Gbps connection?
Replies: 36
Views: 6607

Re: 951G-2HnD too slow for 1Gbps connection?

Dears,

I confirm that the 951g-2hnd is not able to carry more than 300-400 Mbps on 1Gbps link. In this case: which Mikrotik router do you recommend to fully use 1Gbps?
hAP ac2/RB450Gx4 and up.
by xvo
Mon Sep 14, 2020 11:10 am
Forum: Announcements
Topic: v6.46.7 [long-term] is released!
Replies: 45
Views: 12180

Re: v6.46.7 [long-term] is released!

Shouldn't we be seeing the changelog from 6.45.9 to 6.46.7 not from 6.46.6 ? Going up a major version in a long-term release should be looked over a bit more carefully before we take the plunge.
Yes, that would be logical.
by xvo
Mon Sep 14, 2020 8:59 am
Forum: RouterBOARD hardware
Topic: hEX RB750Gr3 micro SD not recognized
Replies: 8
Views: 940

Re: hEX RB750Gr3 micro SD not recognized

Pin side UP is the right way.
by xvo
Sun Sep 13, 2020 6:38 pm
Forum: Beginner Basics
Topic: VLAN bridge - tagged and untagged
Replies: 11
Views: 801

Re: VLAN bridge - tagged and untagged

I tried to follow wiki manual, still unifi AP is not visible on trunk port ether5. Leaving aside the fact, that you've chosen the less desirable configuration approach, and keeping in mind the mistake, that bpwl already mentioned, I can't see anything wrong in your config at first glance. Recheck w...
by xvo
Sun Sep 13, 2020 1:28 pm
Forum: Beginner Basics
Topic: VLAN bridge - tagged and untagged
Replies: 11
Views: 801

Re: VLAN bridge - tagged and untagged

You need to have:
1) Only one bridge
2) ether2 and ether5 added as bridge ports to that bridge
3) Two vlan-interfaces created on that bridge (created on, not added like the bridge ports) - one for each of the vid's.
4) Add IP configuration to vlan-interfaces
5a) Vlan filtering done in switch menu if...
by xvo
Sun Sep 13, 2020 9:54 am
Forum: General
Topic: Slow routing, fixed by reboot - how to troubleshoot?
Replies: 13
Views: 930

Re: Slow routing, fixed by reboot - how to troubleshoot?

I would try another router between ISP and CRS (use CRS like a switch only) to rule out the possibility, that the problem is on ISP side.
by xvo
Sat Sep 12, 2020 10:47 pm
Forum: General
Topic: A place for poetry
Replies: 46
Views: 201407

Re: A place for poetry

[moderated]
Sophisticated poetry please.
by xvo
Sat Sep 12, 2020 8:13 pm
Forum: Beginner Basics
Topic: Routing mark bug?
Replies: 33
Views: 1868

Re: Routing mark bug?

Post your whole /ip firewall section.
And /ip route as well.
by xvo
Sat Sep 12, 2020 7:11 pm
Forum: Beginner Basics
Topic: Routing mark bug?
Replies: 33
Views: 1868

Re: Routing mark bug?

I concatenated two rules, dst-address and route-mark in one route, and it's ignore reply again :( I can't understand this situation and hope anybody help me to diagnose it... Having different distances means nothing in this case - these two rules are in the different routing tables. The fact that di...
by xvo
Sat Sep 12, 2020 1:44 pm
Forum: General
Topic: Best Way to let L2TP server accessible only from Local IPs
Replies: 2
Views: 251

Re: Best Way to let L2TP server accessible only from Local IPs

Default firewall will block it, just as any other incoming traffic from the outside world.
by xvo
Thu Sep 10, 2020 11:19 pm
Forum: Wireless Networking
Topic: Antenna Gain 6.47.x Winbox error
Replies: 3
Views: 445

Re: Antenna Gain 6.47.x Winbox error

Use forum search.
At least another two similar topics were created for the last week.
by xvo
Thu Sep 10, 2020 8:34 pm
Forum: General
Topic: Slow routing, fixed by reboot - how to troubleshoot?
Replies: 13
Views: 930

Re: Slow routing, fixed by reboot - how to troubleshoot?

Have you checked the physical port status after the slow down?
Could be some problems on the line, that force renegotiating to 10mbit.
by xvo
Thu Sep 10, 2020 5:21 pm
Forum: Beginner Basics
Topic: Bandwidth limit on Mikrotik RB750Gr3 HEX Gigabit Router
Replies: 3
Views: 354

Re: Bandwidth limit on Mikrotik RB750Gr3 HEX Gigabit Router

the question I have is, is the excess shared equally or goes to the first person accessing it??
If you use PCQ, then yes.
If all queues are configured manually, you can use priority to modify this behaviour in favour of some users.
by xvo
Thu Sep 10, 2020 12:08 pm
Forum: General
Topic: Per Connection Classiefier (PCC) blocks incomming FaceTime calls
Replies: 34
Views: 3262

Re: Per Connection Classiefier (PCC) blocks incomming FaceTime calls

They also offer endpoint as a cloud service which likely has high availability - so no issue with single point of failure. That's the key to effectively move from per-connection to per-packet. You can do the same (more or less) with Mikrotik: get a CHR in the cloud and multiple tunnels running to i...