MikroTik

macsrwe

Ugh. Coincidentally, I tried reading this writeup several weeks ago just for continuing education purposes, got total brain cramp from it, and gave up. It looks like it was written to control two gateways into the same edge router, where routing marks are already in play to load-balance traffic. In ...

macsrwe

I have a wireless network serving an outdoor location, configured as a ring. There are two gateways (DSL), at opposite (geographical) ends of the ring. OSPF is set up in simple fashion to deliver traffic to the closest gateway, and to reroute all traffic to the working gateway if a gateway or interv...

macsrwe

Very strange that mikrotik don't plan to finally fix this issue once and for all for many years now.

MikroTik has never even acknowledged that this issue exists.

macsrwe

I have put UDP/123 log rule on top of INPUT chain before ACCEPT related,established,untracked. And I also made sure fasttrack was disabled.

Where it is is only half the question. What it is is the other half. Could you please export your firewall rules and post them here?

macsrwe

One very common reason for NTP replies to fail is that good administration practice requires you to block NTP requests coming from the WAN interfaces. However, if done Incorrectly, this will also block all replies to your own NTP client. The proper security blocking rule includes connection state in...

macsrwe

All ROS can run SNTP client.

To run NTP server you must include ntp package. Then if you also run client, you are running NTP client; which I believe is not the same code as SNTP client, which is unavailable when ntp package is present.

macsrwe

If you know for sure the BOGON address your ISP is going to present you, just put a FW rule ahead of the blocking one that jumps around the blocking one for traffic from that address. That lets you continue to decide what input and forarding traffic you are going to accept from the ISP connection, b...

macsrwe

Looks like Winbox needs an adequate beta test program. What it has now doesn't even pretend to qualify. This sort of thing should have been nipped in the bud prior to release. Now we can't get rid of it.

macsrwe

NTP DDoS is extremely low probability, since only one router model is reporting this issue so far (correct me if I am wrong). Also, to prevent DDoS, your firewall should be blocking "new connection" and "unrelated" NTP traffic from the WAN interface(s) (don't block all incoming traffic on the NTP po...

macsrwe

Actually, for illustration purposes, I probably should not have used the ROMON window, but the standard Winbox neighbors window: Screen Shot 2020-04-23 at 2.22.00 PM.jpg If a router has no IP address defined, the MAC address still shows up here, but the address is 0.0.0.0. You can still do a MAC log...

macsrwe

I just logged entirely out of Tapatalk and back in, and I'm still getting the "SQL error" message on the Mikrotik forum, though other forums continue to work.

macsrwe

ROS firewall fakes connection state for UDP connections. Might not be as accurate as for statefull protocols, but helps to make constructing firewall filter rules easier. Probably helps for performance as well.

Good to know, thanks. I've never had reason to block UDP.

macsrwe

The output of that print is completely empty (as expected - noone else has access to the router and I don't use the default config setup at all, I always do a reset to a blank no-config state and only configure the desired fuctionality from scratch). As do I, without fail, but not running the defau...

macsrwe

Mangle is the wrong tool for this job. Firewall can block connections with these parameters most straightforwardly. If you are rejecting or accepting traffic on connection-based protocols (e.g., not UDP), you should always use connection-state=new. This causes the firewall rule to be checked only on...

macsrwe

N rates table is not under "Data Rates," it is under "HT MCS."

macsrwe

Still is the issue with forum opening with Tapatalk? I have following error at iOS

Still broken. No action. Sigh.

macsrwe

If you're trying to enter over the WAN port, you will fail because default configuration blocks login. If you're trying to enter over the LAN port, and you have reset the unit, there is some other issue I can't definitively name.

macsrwe

If I were going to allow transferring a backup to another device (as the official docs do indeed mention) I don't guess that's a feature I would have included as default Backup was never designed as a migration method. The document concedes that it kinda sorta works with some limitations, but nobod...

macsrwe

Wine seems to work fine with Winbox on a Mac FWIW as long as the router is giving out an IP

Mac WInbox works surprisingly well even with MAC address connections...

macsrwe

Let me take a contrary tack... if the 5GHz frequencies work interunit, then fine; but you may discover that need to resort to the 2.4 instead to penetrate all those walls, especially the exterior walls. As far as naming the SSID's same or different, there are issues either way. If they are all the s...

macsrwe

Hi, I don't understand the following syntax. What does the 0 there represent? Is it a username or what? 1 https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router#Access_by_IP_address " Access by IP address Besides the fact that default firewall protects your router from unauthorized access from ...

macsrwe

You can if you name your queues with a first character that is a digit, otherwise you would have to do :find of a collation string. There's no function that returns the raw byte value of an arbitrary element.

macsrwe

Please help me . how i can identify that i have poe version or not , because on mikrotik website manual says omnitik is with poe output. Even easier is to examine ports 2-5 -- if they have a yellow border on the label, they provide POE, otherwise, they do not. True of all MT products.

macsrwe

Post your configuration.

/export hide-sensitive file=whatever.rsc

macsrwe

I think you're worrying needlessly. The ports in question would be on the forward chain, not the input chain, so they wouldn't expose the router itself to anything. They would only expose the gaming device, but no more than it is already exposed by attaching directly to the modem. If you're not worr...

macsrwe

Metal 52 runs 5 or 2.4, not both at the same time. So no dual.

macsrwe

I get the routers to show up in Netinstall and choose my packages but when I press Install it does nothing. The "Ready" will disappear for around 5 seconds then come back up.

This is the symptom of a very common netinstall problem with an easy solution in most cases.

macsrwe

The original problem is to take a very limited number of public IPs and serve a data center (many devices), only a few of which he wants to be directly accessible from the outside. That requires a NATted LAN. That requires /firewall ip nat entries.

macsrwe

Using this 2 simple steps I can crash it pretty much on demand with any ROS version up to 6.47Beta54 within less than 10 minutes.

Is this specific to hAP ac2, or is it reproducible on arbitrary models?

macsrwe

"Inner window size" problem not solved From posted change list, I inferred that they admitted in advance that this part of the problem was not yet solved. Baby steps, I guess. I wish things got broken only in baby steps. "Check for update" still does not admit availability of this version, though.

macsrwe

I think you can try this way:
Just have a try , i didn't test it.

Nothing in your example addresses his public IP issue.

macsrwe

You are using webfig or WInbox. These are handy tools, but do not provide complete information on your configuration.

Either use a Terminal window in Winbox, or ssh into your router to obtain a native terminal window.

macsrwe

The problem with expecting the MikroTik bandwidth test to show you an accurate wireless throughput is that most of the units dedicated to serious wireless don't have powerful CPUs, and the CPUs at the far end max out trying to run all the bandwidth test servers long before the wireless link is satur...

macsrwe

Although one might infer that a wAP is directional from its wall-mount design, it is in fact omnidirectional.

macsrwe

using the antenna that came in the box, both are 52ac so hoppfully they aren't the wrong ones from packing. So the OmniTIK would be better with its dual chain? then I thought of putting a mAP lite on each one for clients to connect too. Do you want an indoor or an outdoor machine? Because mAP lites...

macsrwe

Just remove usermanager unless you are using it?

I would have to assume that if he wasn't using it, it wouldn't be storing transactions on disk or logging error messages.

macsrwe

currently its floating around -71/-72 and they are on 50ft apart. That's extremely punk at 50'. Something is wrong. Sorry for the basic question, but what antenna do you have attached and are you sure it's rated for the frequency you chose? A couple years ago, I asked MikroTik a relevant question; ...

macsrwe

Assuming you means "cars" as in automobiles (i.e., as opposed to "AV carts"), I would expect you would like a weatherproof unit. My first choice would be one of the wAP models.

macsrwe

If I understand your request correctly, you have multiple public IPs available at your WAN port, you have several public servers on your LAN, and you want each of those servers to be accessible from and to use one and only one of those public IPs pemanently. If this is so, the configuration is mostl...

macsrwe

Check the casing on that bad boy before returning it to service. We've had consistent case failures on these units, unlike any other MT unit we use.

macsrwe

Tried exporting firewall filter and nothing came out for line 22 instead, a bunch of blocked IP came out for line 23. @macsrwe like you said its definitely not line 23. I will try exporting line 22 again tomorrow. But looks like either its already "deny all" so nothing came out or im doing somethin...

macsrwe

However, the default firewall rules in RouterOS do not have ALLOW for all the desired traffic but a DENY of all traffic NOT originating from LAN. So, when you add a DENY ALL rule at the end of that, without first adding some more ALLOW rules for management etc, you will have locked yourself out of ...

macsrwe

Curious... this is the opposite of the advice I have always heard, which is to craft firewall rules to explicitly allow the traffic you want to allow, then "deny all" at the end. Almost invariably for the input chain, and perhaps for the forward chain as well, depending on your application. (In my c...

macsrwe

For one thing, a separate Radius server allows you to use an online billing service other than the one or two that ROS supports.

macsrwe

Rule 23 is definitely not a "deny all" rule -- it only denies traffic that matches the specified source address list. Rule 22 "looks" like a deny all rule, but it's impossible to tell from a Winbox window whether or not there are additional conditions set in columns that are not selected. To tell fo...

macsrwe

Yes, i guess they sould implement some kind of a popup message informing the user of a success or failure... Not logical. They do report success. They cannot explicitly report failure due to an MT bug that aborts the process without intending to. To me it would be obvious that netinstall not succee...

macsrwe

Yes, i guess they sould implement some kind of a popup message informing the user of a success or failure...

Not logical. They do report success. They cannot explicitly report failure due to an MT bug that aborts the process without intending to.

macsrwe

had cases where i tried 4 different versions, isnt that obvious that i was closing and opening the program again ? So if that's the case as soon as i opened netinstall for second time, it should have worked... But it didn't... Also, tell me how do you explain that it does not work the first time bu...

macsrwe

The proccess is : ready -> formatting ->installing-> reboot I 've never seen a case where the above 4 steps completed one by one but netinstall did not actually happen.. So i guess the progress bar might went full but actually you never saw the words formatting and/or installing ... Usually what yo...

macsrwe

ctrl-c, ctrl-v everywhere... +1. I have never found a MikroTik user who found the current ^v "lock" feature useful. Conversely, I have assisted a number who were screaming "Jane! Stop this crazy thing!" after having activated it accidentally. Maybe it's time to bite the bullet, discontinue it (or m...

macsrwe

Launch Netinstall, quickly select "previous install" (it's always selected, by the way) and press "Install"? No, this not helps. Please don't suggest changing the version of Netinstall, changing the network adapter and other irrational things anymore. At first, I have alredy checked this and other ...

macsrwe

If even 6.45.7 is not a long-term solution to the problem, a workaround could be to permit access to public NTP servers (and nowhere else) to just one of those devices and let the other ones synchronize from it. I read this as: let some other device on your network run NTP server. That's great as l...

macsrwe

The interface menu retains total bytes/packets in/out for each interface. You can copy out the numbers on the first of each month than zero it for next month. If router is not rebooted for all month :) One nice thing I will never hesitate to say about using MT gear over the past 12 years is that gr...

macsrwe

System->auto-upgrade, still problem, from ftp source !! ehhhh.... I'm very unhappy with MikroTik's recent release performance. They are releasing new features while at the same time breaking old features, then never fixing the old features. System auto-upgrade hasn't worked for months, the Dude is ...

macsrwe

Thanks, but powering a Powerbox Pro is irrelevant to this thread, as the subject problem is present only in older Powerbox (not-Pro) and original Omnitik models, which use passive POE only. Our experience was that the issue showed itself over as short as an 8-meter cable, about the absolute minimum ...

macsrwe

No hard feelings, thanks for all your work.

macsrwe

Then why Dude does not crash the other 30 devices? It chose just to crash the 4011 ? The other 30 do not use ROS @macsrwe ? The Dude is executing only on the 4011, isn't it? Or did I misunderstand the original post? It's comparatively unlikely that the Dude would be crashing a machine other than th...

macsrwe

Color me dubious. I've upgraded netinstall dozens of times over the past 12 years, and since this problem started showing up about four years ago it has never changed.

macsrwe

If that happened, i do not know how, but lets say that dude does that, you wouldn't get "router was rebooted without proper shutdown" but just a "router rebooted"... The message you get means that the router neither was rebooted normally or shutdown through it's menu but that it lost power.... No, ...

macsrwe

I think you ought to report this as a bug. As I showed in the image, it's still possible for ROS to report a yes setting that was set some time ago, but if it no longer allows you to set a yes setting, I really believe that is a bug. These devices need that setting to run in almost all situations, w...

macsrwe

But as compared with the article, I don't see a progress bar, flashing process took 3-4 seconds and then router's status becomes "Ready".

I strongly suspect you have encountered a common netinstall problem where the install just doesn't happen. Fix is in the link.

macsrwe

My next suggestion was going to be for you to run /system default-configuration script print and peruse the output for matching strings, in case someone had established a non-standard default configuration on your router. But if mrz says this is a known bug, then it is. (I bet if you ran the command...

macsrwe

I don't know if this satisfies whatever requirement you envision for management, but the standard way to configure this is to make the two SXTs into an L2 bridge on a /29 or so, and just have the hosts at either end treat them as a stupid cable. (Don't try to run OSPF on the SXTs themselves, they wi...

macsrwe

I am trying to imagine Ethernet connectors that will fit into a standard jack, and yet are too wide to fit through a Groove cap with the rubber grommet removed, and also too long to fit into an SXT with the door closed. I think a model of "tool-less" CAT6 tips I once carried may fit this bill, but w...

macsrwe

So just to confirm theres nothing i can do to wirelessly bridge and mesh using the cap lite units? You can, but doesn't provide optimal signal coverage. Instead of putting an emitter right in the remote room where you need one, you have to locate the emitter halfway between there and your base unit...

macsrwe

wireless - added "U-NII-2" support for hAP ac2
ok, but where did U-NII-3 missing??
U-NII-2
what does that mean?

GIYF...

macsrwe

Freshly rebooted and I have these environment variables. Any ideas what they are? They look like scripts? And some are quite long. If I delete them, they'll remain deleted until the next reboot. They are global functions . From the behavior you describe, your router executes a script on startup tha...

macsrwe

I'm not an authority on roaming. From what I've gathered from some threads I've read, there are three networking standards that have to be implemented to achieve seamless roaming, and MikroTik has implemented (I think) part of two and none of the third. I would recommend you search this forum for th...

macsrwe

It's a bit of busywork, but you could create a tunnel interface (PPTP, L2TP, EOIP, etc.) between routers A and C and test through it.

macsrwe

Sometimes you can achieve adequate "near line of sight" connections with 2.4GHz, though spectrum is crowded. Better for NLOS is 900MHz, but it is even more crowded. 5GHz and higher, you need true line of sight. You can use Google Earth's "viewshed" feature to determine line of sight (modulo building...

macsrwe

Nobody is answering because the question doesn't make sense. From Wikipedia: A mesh refers to rich interconnection among devices or nodes. Wireless mesh networks often consist of mesh clients, mesh routers and gateways. Mobility of nodes is less frequent. If nodes constantly or frequently move, the ...

macsrwe

I ve used this command on a 6.44.2 Version that was Released on 2019-Apr-01 12:47 ... So, how sure are you that the above does not work ? This thread is a duplicate of this one . The command works (and is necessary almost always) on Powerboxes. It does not work (nor is it necessary) on Powerbox Pros.

macsrwe

There is no "in other words." In this post , you say, "I bought a Mikrotik PowerBox (didn't realize at the time there was a Pro version)." You have Powerbox, which is old model (although still sold) and uses only passive POE. ROS command shown is available on old model, and usually always needed. Po...

macsrwe

The interface menu retains total bytes/packets in/out for each interface. You can copy out the numbers on the first of each month than zero it for next month.

macsrwe

I have already told you the most straightforward way to pursue this issue. Let me know when you have performed it.

macsrwe

Your new figure contains nearly no IP address labels, so I can't follow your explanation. If you have determined that return routing of messages from 10.6.0.4 is failing with OSPF enabled, then run a traceroute from 10.6.0.4 to the original origin of the message, examine the results with OSPF disabl...

macsrwe

True... I only suggested it might do "what he actually wanted," not necessarily "the way he thought he wanted to do it."

macsrwe

Frankly, I'm flabbergasted to learn that anyone is deploying Discs indoors. Then again, with all units I have had with split casings, maybe that is the best place to deploy them.

macsrwe

No, they have not removed it -- it is just hidden well, as it always has been. See image, taken today on operating equipment. If you had followed the instructions in the 2014 document, you would have found it. Note that this parameter is only available for old models of outdoor POE-out units that do...

macsrwe

Best explanation of this entire issue is here: https://wiki.mikrotik.com/wiki/Manual:Wireless_Station_Modes Once you understand section about "limitations of L2 bridging," you will understand how all the other modes work the way they do, and that the proprietary extensions like "station-bridge" that...

macsrwe

MKT tends to restrict more and more the rules per regulatory domains, with every new release. In all fairness, MikroTik is being told by national governments to obey more and more restrictions to obtain certification to sell in that country. Gone are the days when the end-user engineer was responsi...

macsrwe

Check out the "kid protect" feature, it may do what you need.

macsrwe

You did not include the firewall rule, which is necessary for any rational attempt at analysis. Preferably, all firewall rules, so that applicable prior rules can be inspected as well. You will note that the number of packets is wildly different as well. Clearly the firewall rule isn't doing what yo...

macsrwe

The limitation of bandwidth-test is that the number of server processes it starts often saturate the CPU well before the communication channel. It is best performed to a powerful router beyond the router you want to test. Using the "both" mode doubles the number of server processes, which degrades c...

macsrwe

In smartphone app, tools / graphing / interface graphs has useful sliding bar that measures traffic volume at any time, but should also display the time/date, which is available nowhere, including x axis

macsrwe

You may be looking for the problem on the wrong unit. OSPF should be constructing reciprocal routes on the other unit, and those may be wrong. Torch the interface at 10.6.0.4 to see if your requests from 10.200.0.4 are arriving and departing. Torch the interface at 10.200.0.1 and I suspect you will ...

macsrwe

So putting the little ones in bridge mode should do the trick? In that event, do I exclude their ports (the ports they are connected to on the RB3011) from the bridge on the RB3011? No, put everything on the bridge. You need only one "router" for your house, at the ingress point. Everything else sh...

macsrwe

Maybe your ISP's router is miffy about talking to anything that hasn't gotten its address through their DHCP server.

macsrwe

Sorry, I misspoke. The function is :tostr, not :tochar.

https://wiki.mikrotik.com/wiki/Manual:S ... g#Commands

macsrwe

Suggest you send this directly to support@mikrotik.com to get manufacturer to address this.

macsrwe

Optimal procedure would be:

Take supout
Save supout
Reboot router
See if problem went away
If not, take second supout
Send supout(s) to support@mikrotik.com along with description of what happened.

macsrwe

The way I'm interpreting this question is: he has a custom default configuration he wants to impose with netinstall, and the script he created works when he invokes it by hand, but it doesn't work when invoked automatically at router reboot/reset-configuration time. If this isn't correct, apologies....

macsrwe

All I could think of is that in Winbox, wireless interface shows up in italics as inactive (which someone may mistake for disabled) when no one is registered to it. Either that, or this is incompetent commercial spam, following the sudden rash we have been experiencing on MT forum this week (see OP ...

macsrwe

Good day all, I am in South Africa and have a Mikrotik LTESXT kit with a Hikvision IP camera connected to Port 2 with POE. I can see the camera on IVMS 4200 if LAN cable is plugged into my PC,but as soon as i take it out i lose connection. Do you lose connection because Hikvision loses power? Widel...

macsrwe

You could try physically tilting the AP... but that might not solve your underlying problem anyway.

If your router is having problems penetrating to the floor above, your devices on the floor above are likely to have exactly the same problems penetrating to the router on the floor below.

macsrwe

This company still using mainframes with timesharing? "CP\CMS GOING DOWN IN 00:05"?

This is not a networking function OSI layer 1-3. They need to invest in some sort of groupware application OSI layers 5-7.

macsrwe

Common problem. Use [:tochar ] (correction) [:tostr ] to turn variable contents into a string instead of a numeric address.

macsrwe

I suspect you have discovered another user-interface pessimization caused by the new update mechanism introduced in 6.46.2. You can read much about it here, keep searching for posts containing the words "hidden" and "hide."

macsrwe

Lacking some terribly basic information, such as: what model equipment are you talking about?

macsrwe

Lots of reports of NTP package causing reboots in recent releases, this may be your only problem.

MikroTik is not guaranteed to be here. To assure MikroTik attention, email bug report to support@mikrotik.com.

macsrwe

ROS does not allow this. You would have to downgrade all of ROS to that version.

macsrwe

You would think so… but as I already said, those lines are no longer useful to clear any part of the memory log, assuming they ever were. Seriously, try them – they do nothing.

macsrwe

I believe you will find the answers to precisely these questions here.

macsrwe

Known deficiency in ROS that "auto" distance is often wildly overestimated on one side of a PTP link, while correct on the other. Efficiency improvement can be had by entering specific distance into wireless config parameters instead of "auto" default. This alone may improve your CCQ situation. You ...

macsrwe

Misunderstood your requirement. I did not understand you wanted to clear memory-resident log. I don't make much use of memory-resident logs because they are not persistent, and IMHO anything worth logging is worth having available after a crash. I have determined that not even the commands previousl...

macsrwe

You should at least have a default 0.0.0.0/0 route defined in /ip route, preferably also a small number of dependable static routes. One of your complaints was that you would lose some number of pings before establishing good traffic, that is a common symptom of having 100% dynamic routing. OSPF &c ...

macsrwe

I cannot seem to find any /ip route anywhere. That would be a major omission.

macsrwe

The default firewall in the default configuration protects the router if you connect to the internet via the default port (ether1). However, if you are playing with your own custom configurations or firewall rules, and hook up through an unprotected port, your router is visible to hackers who indeed...

macsrwe

It was on fiber, come to think of it, not copper.

macsrwe

Keep in mind that a posting in this forum is not guaranteed to be seen or responded to by MikroTik personnel. If you want to make sure MikroTik sees and responds to your issue, you should email it to support@mikrotik.com. Feel free to return back here and post the gist of their response for those wh...

macsrwe

If true, the standard is not uniformly obeyed. In my region, CenturyLink gateway feeds are routinely supplied that run 1G and refuse negotiation, and you can't connect with them unless you configure your interface as 1G non-negotiated. Something to watch out for.

macsrwe

It's quite possible you're not doing anything incorrectly. If your peripherals default to 100M in the absence of negotiation, and require negotiation to step up to 1G -- which is not unreasonable default operation -- all of the behavior you describe would occur. You don't specifically say, but I inf...

macsrwe

Without configuration, impossible to guess well. My first guess would be an ambiguous addressing setup or ARP issues.

/export hide-sensitive file=whatever

Post contents of whatever.rsc here.

macsrwe

I believe easiest way to think of this problem is to remember that firewall rules must be present that specifically enable fasttrack between designated pairs of interfaces. (Interface lists can muddle the underlying behavior, so pretend for the moment that they are not there to use.) Ensure your con...

macsrwe

This posting is short on specifics. Is the host containing/generating this image allowed in your set of walled garden hosts?

macsrwe

You don't say what version of ROS it was running... to be safest, you should netinstall unit entirely.

macsrwe

It depends how loosely you define "achieve." If the radio isn't staying there in production use, it's almost always because you wouldn't like the results if it stayed there. A higher modulation that craters your CCQ is no bargain.

macsrwe

As stated, this is a Windows peculiarity, not MikroTik limitation. Another option is that you can just invent your own local TLD (e.g., .icarus) and define all your local devices that way; then you would resolve "sqlserver.icarus" with no problems.

macsrwe

Again, you don't provide any useful description of what you did, so my answer can only be so helpful. You cannot make this change just in /ip address and expect the router to work. You must also potentially change /ip firewall nat, /ip dhcp-server, and possibly other places before everything will ta...

macsrwe

Change the channel on the hAP and see if that improves things. You could be "auto"ing to a channel your USB dongle doesn't work with.

macsrwe

Is there anything planned like a virtual mum /VMUM/ - like live streaming ?

Every attendee gets a free virtual router (CHR) and a virtual t-shirt (sunscreen not included).

macsrwe

...or just drag the window wider.

macsrwe

I'm not surprised it disappeared -- 0.0.0.0/0 is the default ("everywhere"). Your rule is in the input chain. That means that traffic to the router itself (not your network, just the router) will be accepted from those addresses. If you're trying to get your router to serve this traffic to some othe...

macsrwe

I suspect your problem is that 0.0.0.0 is not the same as 0.0.0.0/0 .

macsrwe

After changing some of the polling parameters, and saving historical data at less detail, it is still struggling, and often will lock up, forcing me to re-open the client. I am now under the impression that I must either downgrade the Dude, or offload polling to agents Yeah, I did the polling time ...

macsrwe

Speed limit of the device is here. If routing properly with fasttrack, you should be able to achieve gigabit with all reasonable packet sizes.

macsrwe

What wireless channels are being used on each device?

What speed do you get if you cable in to the Deco?

macsrwe

Stupid spam, too. He forgot to global-replace "Iran" with "Ireland" inside the spam.

macsrwe

+1. Nothing like having the freedom to plan out a good wired network before the walls are up.

And don't forget to pull a few to your roof as well, for later use for security cameras, wireless bridges to outbuildings, or whatever.

macsrwe

Trying to serve a large house wirelessly from a single central point, particularly if there are intervening walls, plumbing, appliances, or masonry, is a bad choice. It doesn't matter how strong your router signal is -- your PC, phone, and IOT device signals won't be strong enough to be seen reliabl...

macsrwe

I ran an RB951 for years and was happy with it; then replaced it with a hAP ac lite I got as checkin swag at a MUM, which added 5GHz. I'm equally happy with that. I ran both from a central location, wall-mounted, and fed with POE. Realize that if you have a large house or many intervening walls, run...

macsrwe

It's difficult to tell from your text precisely what your problem is. But from what I can gather, you have some routers showing API errors and some not showing them, yet all are on same RouterOS level. My first guess would be that some of your units were compromised by the rash of exploits that occu...

macsrwe

As far as I know the "old" version of the RB260GS was the RB250GS. I'm not aware of two RB260 versions.

macsrwe

I have found that very dirty power failures (where power fluctuates off/on several times close together at just the right delay) can scramble configurations of many devices, including MikroTiks, up to and including full factory reset.

macsrwe

we do this already, in 5 minute intervals if change is detected

I am curious... given the nearly nonexistent support of file contents availability in the command language, how do you detect a configuration change?

macsrwe

This is theoretically possible, except that you cannot exceed the output power budget on the single port on PowerBox 1 that runs PowerBox 2 and its attached devices. Unless you are running some very low power devices on PB2, you will have a hard time. You may do better installing a POE splitoff adap...

macsrwe

What's wrong with

/ip firewall filter add copy-from ... ?

macsrwe

Did you ever solve your problem?

macsrwe

You can do this with simple port forwarding, but for security purposes it is discouraged to leave WAN-facing ports open on a MikroTik.

macsrwe

It's been great for me - up until I expanded my map - added sub-maps. Now it barely runs with 200 devices. It freezes up on the client side frequently. The number 200 grabbed my attention. My own Dude layout began dropping stuff on the floor at this level. I discovered the host router (hEX) was spe...

macsrwe

Use the :pick function. You may also need to use :tostr and :tonum ("0x" . $whatever) appropriately, depending on what you need to have in hand for intermediate values.

macsrwe

use /tool profile to determine what flavor of process is eating your CPU.

macsrwe

My experience has been that you cannot disable a wireless data rate with MT HCS without unticking both sides. If you untick just one side, the data rate still gets used. It's not even as useful as to say that you can limit the transmit or the receive data rate alone by unticking one side, I have nev...

macsrwe

Recommend you test at full distance without hidden ID; only hide it after everything else works. Been there.

macsrwe

The window size should be stored in session file. Make sure you have autosave on or save the session before closing. Yes, outermost window size is saved with session file, but zoom level is not. Yes, I no longer have to drag the window larger before zooming it, but I still have to zoom it ^3 every ...

macsrwe

To secure the bridge SSID, define a profile under /interface wireless security, and then enter that profile name in /interface wireless for that interface. Be aware that if you hide the SSID you must "hardwire" that SSID in the main wireless settings on the station side; it will not work with a "con...

macsrwe

And layer7 matcher is practically obsolete, because everyone uses tunnels now. You are chasing a dragon here.

macsrwe

I don't know how geographically distributed your users are (e.g., especially if your ether cables go to wireless interfaces to remote places), but it appears to me that you are using a bridged architecture on a single bridge that encompasses all your users, and that bridge is using the default proto...

macsrwe

If you are running the units close together for testing and do not turn down the power, you will get garbage speed. Keep them at least on opposite sides of a normal room and turn the power down to absolute minimum until you deploy them outside. Even then, watch your power levels, keep the registrati...

macsrwe

Your question is ambiguous. "I have a router, and far away a device I want to connect to the network, so I believe the configuration desired is bridge" But you don't say whether you are locating the SXTsq at the router side or at the device side, so no one can answer you. You don't say whether this ...

macsrwe

There are currently no problems with schedules if they are built by SNMP. Ah, so you are saying that data collection is unimpaired, but data display by /tool graph (only) is faulty...? Specially after your question I translated the schedule from ROS to SNMP. As you can see, the same graph is displa...

macsrwe

There are currently no problems with schedules if they are built by SNMP.

Ah, so you are saying that data collection is unimpaired, but data display by /tool graph (only) is faulty...?

macsrwe

"Can you" if the physical object interference is negligible and the distance is not too great? Of course, that's what it's for. Are those conditions true in your particular house? Only you can best judge this, not someone on a forum. But you cannot just plug an antenna into it, you must use a third ...

macsrwe

Can you make an actual connection in mode=station to any one of the networks shown in the scan? If not, my suspicion is that the transmitter section is fried in the WiFi chip.

macsrwe

New problems with 6.46.4. All information that is removed through the ROS is distorted. For example, on graphs of loading of interfaces of jumping 2-3 times bigger than real. What is the % CPU usage on your DynaDish? This graph looks symptomatic of the metering process periodically missing interval...

macsrwe

In specific, the backup file size under V6.44.6 is about 1.1MB, but the size of backup file under V6.45.8 is just 640KB. Such difference maybe a proof of incomplete backup file generated in newer version which results in failure of restoration. Make sure you report this via email to support@mikroti...

macsrwe

It looks like this problem is being reported by many people . One post estimates a 1:4 failure rate for Hikvision units in powering up, and the same problem is reported with many models of POE gear. My only suggestion would be for you to power up other 802.3af units from the OmniTik port and satisfy...

macsrwe

Sorry for barging in like this but I have a question too, in similar manner: Why do I need to turn "Forced On" on Ominitk 5 PoE ac, to be able to power Hikvision camera ? Auto ON simply doesn't work. Both are 802.3af compatible and I have 48V PSU on Omnitik. Typically that's an indication that the ...

macsrwe

Is there any reason you can't just use a shifting spanner, fixed wrench or socket wrench? You sort of have to... but that's often not a very tower-friendly solution. Keep in mind that half the time, the nut is on the far side of the unit from you, where you can't see it. On some of these mounts, yo...

macsrwe

One point I overlooked: if you're trying to distribute a configuration as a backup file, it won't work. Backup files are specific to individual units. They don't work at all between different router models, and even if you try to load them on identical router models with identical firmware and ROS l...

macsrwe

Usually this indicates that there is a error (sometimes syntax, sometimes interface-specific, etc.) in the configuration file, and configuration was aborted ether before it started or when the error was encountered. The only direct way to debug this is to reset the router with no-default-configurati...

macsrwe

DynaDish mount also suffers from this shortcoming. Sometimes possible to use a ratcheting end wrench, but even so sometimes there is not enough room to swing it one ratchet step. We have had to do these much more than we would like using adjustable Crescent wrenches.

macsrwe

Maybe I'm missing something (because I cannot believe this would not have been noticed by now), but I think you've found a bug. Tools / btest-server allows you to select a set of ports other than the default 2000-2100, which would normally address your issue. However, I can find no provision to make...

macsrwe

I'll mention, just in case you might be unaware, that any queue priorities you assign traffic are entirely internal to the RouterBoard, and get discarded when the traffic exits an interface. So, if the problem is indeed at or in the modem, priorities won't solve it. Have you run a traceroute instead...

macsrwe

Totally wild guess: perhaps you are trained on a sidelobe instead of the main lobe?

macsrwe

Do you have a MikroTik as your gateway router? You can use the (free) proxy facility right in that router to do this. You will, however, need some website where you can store the message to the customer (it can be on your LAN if you have a server running 24/7). Here is the configuration I used to pr...

macsrwe

There are other threads about this same issue. It was introduced in an upgrade version within the past six months or so. It's pretty clearly a bug.

macsrwe

I don't understand your setup. Terms like "shooting bench side" and "camera side" don't mean much when you haven't diagrammed your setup. Especially since the way I am imagining such a setup, you have them backwards, but I can't be sure what you think you are trying to do.

macsrwe

What are the differences? They seem the same on paper, 2x2 802.11ac APs. Not so much performance, but environmental, connectivity, and decor. OmniTik line doesn't do 2.4GHz or wall-mounting, and offers multiple ports which can be had with POE-out; cAP AC is not an outdoor unit, and comes with two E...

macsrwe

Facing a problem, The system auto-upgrade broken since 6.46.1 Yup, and no announcement that a fix is in the works. And since then, they broke the Dude. I am absolutely not upgrading anything anywhere until these two regressions are fixed. Hope you have someone working on these high priority, MT.

macsrwe

Since OP is on limited budget, don't hesitate to use AirB&B...it could surprise you!

Agreed. Don't overlook VRBO/HomeAway as well. Have used them before in cases of "sold-out function hotel" with fine results.

macsrwe

That's pretty normal, but it's not going to show you an intermittent problem. I'd replace the power adapter right off, if possible, with one offering slightly more current.

Also, the 2011 has one POE-out port, and a real or illusory power draw on that port may be overtaxing the power adapter.

macsrwe

Was your "new device" by any chance an Apple device? Shortly after PPTP was deemed insecure, the propeller-heads at Apple unilaterally decided to remove all support for it from their OSes, so now you cannot access any networks that still offer only PPTP interfaces.

macsrwe

It just seems somehow wasteful to me to buy a switch with POE out and then not use it. If you power the cAP from the POE-out port, you gain the advantage of being able to power-cycle it remotely if you ever have to (e.g., if it stops talking to you). Plus, it gives you a spare injector for when a wa...

macsrwe

Maybe it would be worthwhile if you could describe a situation that would require a NAT rule to deactivate itself after a specific period, because my imagination is failing me.

macsrwe

It's a unique "router ID" for OSPF and MPLS. "The router ID is the highest IP address on the box—or, if a loopback exists, the loopback becomes the router ID. It is highly recommended that you define a loopback address so that it will be elected as a router ID. One good reason is that, if a link is ...

macsrwe

@Cameroon: yes there is no creation of energy out of nothing.

Cameroon is a spammer. He has been making worthless posts like this in many forums today, and they have all been removed.

macsrwe

I hope I understand your problem description correctly. There is a 260GS and a 260GSP. The first has no POE out, and the second does. Although you insist that you don't have one of each, I suspect you really do, because only the second model will show a POE menu or give you POE error messages. Look ...

macsrwe

And yet that rule DOES take a dst-address-list argument that has to be matched in order to invoke it... so put the router's own WAN address in an address list with an expiration time (in addition to a non-expiring bogus address, just to be safe) and the dst-nat will stop working when that entry expi...

macsrwe

If you were clever, and your specific requirement suited such a strategy, you could configure your rules to use address lists instead of addresses, and then populate those address lists with expiring entries. Otherwise, I can't think of anything short of scripting.

macsrwe

I reported above that the log window columns crop the data at the right side edge because the columns are too narrow in the zoomed view. They also lack headers to be able to manually resize them to the desired width.

Well, yes, but that's always been a deficiency in the log window.

macsrwe

I did have it time out once and go back into "ready" mode. I did nothing but close Netinsall, restart it and tried again - boom it simply worked. I see this same complaint so often, MikroTik should put it in the netinstall Wiki (if they're not going to fix the bug). If I can use "Previous install" ...

macsrwe

It looks like it does what you want, but I have to wonder why you think rebooting the router is the best (or even an effective) way to get the Internet back.

macsrwe

I would insert the following rule after 5: chain=forward action=passthrough dst-address=192.168.9.225 src-address-list=God_Mode log=yes log-prefix="666?" Then check the log for occurrences when you think you should be seeing a packet that 5 should have accepted, and see what the log says about the p...

macsrwe

Ah, well, then, clearly something in rule 5 is deficient and is not matching the packets. It could be something that doesn't show in the Winbox window because it's in a column you aren't showing, like perhaps the TCP flags or whatever. Use the CLI to do a /ip firewall filter print, and look for some...

macsrwe

First question: do you also see the counts for rule 5 or 6 increasing, or just 10? If not, something is wrong with your specification in 5 and 6.

macsrwe

macsrwe

They're never going to see those broadcasts. The mechanics of why have been previously posted. Bonjour will not work on remote access connections without active server assistance. If you absolutely need Bonjour to work, you'll have to obtain the avahi server, invest in a Linux device to run it, and ...

macsrwe

Give your devices names and preassigned DHCP reservations, then reference them by name instead of using Bonjour at all.

Yes, it's replacing a zero-configuration process with a configuration process. Sorry, but that's all there is.

macsrwe

It's not that you can use a DNS to make Bonjour work, it's that you can use a DNS as a next-best option to compensate for the fact that Bonjour doesn't work.

macsrwe

For God's shake! How many users or IT professionals are going to work seriously on a MikroTik from iPad?? - Definitely its not a simple task.

I have at times been forced to work on MikroTiks from my iPhone; at least on an iPad I wouldn't have to cross my eyes.

macsrwe

Normis, you just denied this man the benefit of a healthy 7 min brisk walk at least twice a day.
Watch out, you may get sued for denying an americans right to exercise

Not to worry, Normis promised me they were remembering to print the 3X-4X t-shirts this year.

macsrwe

Can't be done in RouterOS without MT creating an avahi server package, which they have no plans to do.

macsrwe

There's no requirement to do it in any order. You can install the Dude client on your PC any time you want, but until the server is enabled, it won't have anything to talk to.

macsrwe

Have I got the perfect deal for you!

macsrwe

Log window (only!) is totally unreadable because the top and bottom of every line is sheared off. a fix for log window is needed before this can be used in production. Furthermore, /log print in Terminal is also useless because scrolling back Terminal screen to anything before the final contents re...

macsrwe

OK... I've used the Discovery feature no more than three times in my life, and at least two of those were on the old incarnation of the Dude when the server was on your PC instead of being on the MT device. I don't remember links ever being automatically generated, but my memory could be lacking, or...

macsrwe

I don't know of one, maybe someone else does.

The Dude has a particularly elegant frequency monitor tool, but I suspect if you try to use it remotely on a CPE, you'll just get disconnected.

macsrwe

The answer is quite simple: there is no "save-file" option to frequency-monitor.

macsrwe

Grand Avenue Broadband in Wickenburg, Arizona USA, was until recently a 100% MikroTik WISP with >200 subscribers in three towns. In the past nine months, a number of the wireless units (some AP sectors and long PTP links) have been replaced with more effective competitive radio equipment, but the bu...

Search found 962 matches