Search found 145 matches

by squeeze
Thu Jun 20, 2019 2:09 pm
Forum: General
Topic: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Replies: 15
Views: 6564

Re: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

https://isc.sans.edu/forums/diary/What+You+Need+To+Know+About+TCP+SACK+Panic/25046/ You are vulnerable if you are using a current Linux system, have selective acknowledgments enabled (a common default) and are using a network card with TCP Segment Offload (again, a common default in modern servers)....
by squeeze
Tue Feb 12, 2019 3:18 pm
Forum: General
Topic: Tagging all traffic from port or interface with VLAN ID 0
Replies: 1
Views: 1517

Tagging all traffic from port or interface with VLAN ID 0

How could you tag all (egress) traffic from a port or interface with VLAN ID 0 in RouterOS? This is a general question, i.e. I am not trying to solve any specific problem. I am also aware this is non-standard. However, the reason I ask is because some manufacturers and service providers DO use VLAN ...
by squeeze
Tue Oct 23, 2018 4:30 pm
Forum: Beginner Basics
Topic: CAKE or other network algorithms to be used?
Replies: 4
Views: 3453

Re: CAKE or other network algorithms to be used?

Mikrotik RouterOS has no modern AQM (Active Queue Management), i.e. modern network queue scheduling algorithms support, unfortunately. RouterOS only supports ancient RED (Random Early Drop) which is magnitudes less effective than modern algorithms and also requires careful tuning to be of any real u...
by squeeze
Thu Aug 30, 2018 12:08 pm
Forum: Wireless Networking
Topic: hAP AC^2 - slow wifi
Replies: 8
Views: 3403

Re: hAP AC^2 - slow wifi

You are using an overlapping channel on 2GHz. 2442 MHz = Channel #7. There are only three non-overlapping channels: #1 (2412 MHz), #6 (2437 MHz), #11 (2462 MHz). Choose one after using a WiFi analyzer app to check neighboring channels, to ensure you do not use the same channel as the closest APs. Al...
by squeeze
Sat Aug 25, 2018 8:07 pm
Forum: Beginner Basics
Topic: hAP ac slow ethernet
Replies: 3
Views: 1344

Re: hAP ac slow ethernet

Try,

/interface bridge set bridge protocol-mode=none
by squeeze
Sun Aug 12, 2018 12:58 pm
Forum: General
Topic: Best VPN
Replies: 19
Views: 21275

Re: Best VPN

PureVPN is one of the worst possible VPNs you can choose if you care about security and privacy since they are infamous for logging and leaks. I do not understand why people simply do not google a potential new service or product they want to use and type "productservicename bad" / "p...
by squeeze
Sun Aug 05, 2018 2:55 pm
Forum: Wireless Networking
Topic: PMKID Attack - clientless WPA2/WPA PSK attack
Replies: 6
Views: 6608

PMKID Attack - clientless WPA2/WPA PSK attack

In the past 24h, there has been public information released in the Hashcat forums by one of their administrators of an improvement on brute force, offline dictionary attacks against WPA/WPA2 PSK (Pre-Shared Key) passwords. The specific improvement is that this can take place without the presence of ...
by squeeze
Thu Jul 19, 2018 8:44 pm
Forum: Wireless Networking
Topic: HAP-AC DFS channels
Replies: 1
Views: 1224

Re: HAP-AC DFS channels

There are no DFS channels available with the US versions of wireless Mikrotik products. It is hardware locked so I suspect even going out of your way to install other firmware like LEDE will not work. It is also explicitly stated in the product specifications on the Mikrotik website since they list t...
by squeeze
Fri Jul 13, 2018 12:34 pm
Forum: Wireless Networking
Topic: Cap AC, Hap AC2 or UniFi?
Replies: 38
Views: 29138

Re: Cap AC, Hap AC2 or UniFi?

Completely agree with Steve. There are far better (non-point to point) wireless options than Mikrotik.
by squeeze
Fri Jul 06, 2018 6:46 pm
Forum: Beginner Basics
Topic: Google Fiber + Mikrotik hEX
Replies: 3
Views: 1863

Re: Google Fiber + Mikrotik hEX

People are probably confused because with the default configuration, it should already just work. The default configuration on SOHO devices is plug and play. There should be a single bridge containing ports 2-5. The bridge should have a dhcp server for 192.168.88.x. The firewall should forward all t...
by squeeze
Tue Jul 03, 2018 2:55 pm
Forum: General
Topic: Untagged VLAN Access port on hEX
Replies: 7
Views: 4981

Re: Untagged VLAN Access port on hEX

/interface bridge vlan
add bridge=bridge untagged=bridge,ether5 vlan-ids=10
by squeeze
Mon Jul 02, 2018 5:38 pm
Forum: General
Topic: Full control of DHCP Options
Replies: 3
Views: 1200

Re: Full control of DHCP Options

Completely different options and order can be and are sent by different types of DHCP clients. So much so that they can be used for fingerprinting. If such behavior is described in an RFC, then it is a very loose one and therefore not relevant for control of these options.
by squeeze
Mon Jul 02, 2018 4:44 pm
Forum: General
Topic: Full control of DHCP Options
Replies: 3
Views: 1200

Full control of DHCP Options

https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Client States the following options are sent by the RouterOS DHCP Client: option 1 - SUBNET_MASK, option 3 - GATEWAY_LIST, option 6 - TAG_DNS_LIST, option 33 - STATIC_ROUTE, option 42 - NTP_LIST, option 121 - CLASSLESS_ROUTE, Can these be overridden, rem...
by squeeze
Sun Jul 01, 2018 1:35 pm
Forum: Beginner Basics
Topic: hEX and hAP ac with VLAN filtering - Integrating WLAN with VLAN tags
Replies: 10
Views: 2767

Re: hEX and hAP ac with VLAN filtering - Integrating WLAN with VLAN tags

hEX: Why are you using dhcp-relay? Do not add VLAN interfaces, which are logical interfaces, to bridge ports. They are meant only for physical interfaces. Do not add VLAN interfaces to bridge vlan interfaces ("untagged=VLAN140"). Again use physical interfaces only, except for the bridge inte...
by squeeze
Sat Jun 30, 2018 2:02 pm
Forum: Beginner Basics
Topic: hEX and hAP ac with VLAN filtering - Integrating WLAN with VLAN tags
Replies: 10
Views: 2767

Re: hEX and hAP ac with VLAN filtering - Integrating WLAN with VLAN tags

Why do you have a DHCP relay and why do you have DNS server (remote requests + cache) enabled on the AP? On the AP, try adding a DHCP Client with interface set to the bridge and add ether1 as a bridge port too since there is no routing. Remember to change the list member of ether1 from WAN to LAN too.
by squeeze
Thu Jun 28, 2018 4:36 pm
Forum: General
Topic: Memory (RAM) used per NAT connection under Connection Tracking
Replies: 0
Views: 752

Memory (RAM) used per NAT connection under Connection Tracking

When Connection Tracking is enabled, IPv4 only (IPv6 disabled), and assume there is at least one non-FastTrack'd firewall filter rule enabled, how much RAM does adding a single (srcnat/masqueraded) connection consume? Are there any other significant resources consumed that scale with connections and...
by squeeze
Wed Jun 27, 2018 11:34 pm
Forum: General
Topic: WPA3 on existing Mikrotik routers/APs [SOLVED]
Replies: 27
Views: 37471

Re: WPA3 on existing Mikrotik routers/APs [SOLVED]

Looks like very good news from upstream and others regarding WPA3, from customer perspective: https://www.snbforums.com/threads/better-news-about-wpa3-device-support.47434/ Quoting: The WPA3 Certification announced yesterday revealed that only one of the four mechanisms described when WPA3 was first...
by squeeze
Wed Jun 27, 2018 3:42 pm
Forum: General
Topic: WPA3 on existing Mikrotik routers/APs [SOLVED]
Replies: 27
Views: 37471

Re: WPA3 on existing Mikrotik routers/APs [SOLVED]

The big question is how long will it take Mikrotik to implement WPA3? We have no 802.11ac spectral scan, no 5 GHz TX power, no Wave2 support, no 802.11w support.. there are lots of other wireless protocol improvements that have been missing for a long time. I must be missing something: there's dual...
by squeeze
Wed Jun 27, 2018 3:03 am
Forum: General
Topic: WPA3 on existing Mikrotik routers/APs [SOLVED]
Replies: 27
Views: 37471

Re: WPA3 on existing Mikrotik routers/APs [SOLVED]

https://www.mathyvanhoef.com/2018/06/wpa3-missed-opportunity.html Well, that's disappointing. WPA3 Certification consists of a grand total of one change to existing handshake called Simultaneous Authentication of Equals (SAE) instead of what most people anticipated as a wholesale dramatic improvemen...
by squeeze
Thu Jun 21, 2018 1:09 am
Forum: General
Topic: getting ip from mikrotik VLAN for ubiquiti UAP
Replies: 7
Views: 2629

Re: getting ip from mikrotik VLAN for ubiquiti UAP

Does that mean, in general, if you only have one trunk line and no managed switch that you will need to have a Mikrotik device that supports hybrid ports (afaik only QCA8337, AR8327 switch chips) in order to setup a management VLAN interface on Ubiquiti Unifi access points (APs), assuming you may en...
by squeeze
Thu Jun 21, 2018 12:53 am
Forum: General
Topic: HAP ac ipsec HW acceleration
Replies: 2
Views: 2302

Re: HAP ac ipsec HW acceleration

What IPSEC hardware acceleration? There's no mention of that in either hAP ac product's Test Results or the QCA9558 datasheet.
by squeeze
Sun Jun 17, 2018 3:57 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 190
Views: 145535

Re: VPNfilter official statement

The recent large security redesigns flowed from the April 0-day. Normis even explicitly stated it, so you are discussing nothing new: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
by squeeze
Sun Jun 17, 2018 3:22 am
Forum: Announcements
Topic: VPNfilter official statement
Replies: 190
Views: 145535

Re: VPNfilter official statement

In other news, if I understand this correctly, ALL versions pre-6.43 (which is still in Release Candidate stage) are vulnerable to this 0-day WinBox exploit? What are you talking about? What 0-day? There hasn't been a public 0-day since Bugfix 6.40.8, Release 6.42.1, Release Candidate 6.43rc4, all ...
by squeeze
Mon Jun 11, 2018 10:00 pm
Forum: General
Topic: Need recommendations on a FAST mikrotik box (1Gb link)
Replies: 8
Views: 4105

Re: Need recommendations on a FAST mikrotik box (1Gb link)

Always good to know about others' experience. So hap-ac2 is comparable if not better with 3011 ?? So it should be better than HEX or HEXs ? Or is it quality vs price involved in your comparison ? You can see the Test Results yourself from each Mikrotik product page. Mikrotik are transparent that way...
by squeeze
Mon Jun 11, 2018 8:14 pm
Forum: General
Topic: Need recommendations on a FAST mikrotik box (1Gb link)
Replies: 8
Views: 4105

Re: Need recommendations on a FAST mikrotik box (1Gb link)

Squeeze, What about RB3011 in the list ? Too many bad issues in the past and does not represent as good value for performance as the others anyway. I am not sure why anyone would buy an RB3011 for Internet traffic when for most medium and lower packets outside of fastpath it cannot even compete wit...
by squeeze
Mon Jun 11, 2018 7:44 pm
Forum: General
Topic: Need recommendations on a FAST mikrotik box (1Gb link)
Replies: 8
Views: 4105

Re: Need recommendations on a FAST mikrotik box (1Gb link)

1. hAP ac2 or hEX (RB750Gr3) 2. RB1100AHx4 or Dx4 variant (Dude edition) 3. CCR1009 (CCR1009-7G-1C-1S+PC is passively cooled) Those are affordable Gigabit Ethernet WAN routing options depending on how aggressively you use your connection and the nature of the traffic. All but the RB1100 can be silen...
by squeeze
Mon Jun 11, 2018 7:01 pm
Forum: Beginner Basics
Topic: Basic firewall setup (going off wiki post)
Replies: 8
Views: 11089

Re: Basic firewall setup (going off wiki post)

These are the default firewall rules on SOHO Mikrotik devices. They are sufficient for all basic purposes: /ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input co...
by squeeze
Fri Jun 08, 2018 12:45 am
Forum: Announcements
Topic: VPNfilter official statement
Replies: 190
Views: 145535

Re: VPNfilter official statement

Once your device is compromised it can do anything. What actual value is there in changing user-level rules within a compromised router for what it can do? It has already been compromised, by no less than one of the most sophisticated state-level malwares seen to date ... The output chain is there f...
by squeeze
Wed Jun 06, 2018 6:01 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 190
Views: 145535

Re: VPNfilter official statement

Since the remote exploit targets previously known RouterOS vulnerabilities, then naturally it would have included all RouterOS devices anyway. These Affected Devices lists are more informational than containing any new warnings because they simply show what devices they are seeing being targeted in ...
by squeeze
Tue Jun 05, 2018 6:07 am
Forum: General
Topic: Test Results: mysterious "25 ip filter rules" and "25 simple queues" [SOLVED]
Replies: 4
Views: 3172

Re: Test Results: mysterious "25 ip filter rules" and "25 simple queues" [SOLVED]

I read the RFC, and it does give a clearer indication of the general process. But it says nothing about queues and also states:
   The exact filters configuration command lines used SHOULD be included
   with the report of the results.
by squeeze
Tue Jun 05, 2018 3:30 am
Forum: General
Topic: Test Results: mysterious "25 ip filter rules" and "25 simple queues" [SOLVED]
Replies: 4
Views: 3172

Test Results: mysterious "25 ip filter rules" and "25 simple queues" [SOLVED]

Am I missing something, what exactly are these "25 ip filter rules" and "25 simple queues" that cause such dramatic changes in Test Results of all Mikrotik routers? I can find no further information about them, yet at the same time we seem to be encouraged to perform similar perf...
by squeeze
Mon Jun 04, 2018 12:07 am
Forum: Announcements
Topic: VPNfilter official statement
Replies: 190
Views: 145535

Re: VPNfilter official statement

1. If you are running any open ports on your router, then you are unsecured and implicitly accepting ALL the associated risks of remote exploits. That is regardless of the manufacturer. The device and service you choose to run is irrelevant. 2. Scans against any ports, specific or otherwise, mean no...
by squeeze
Sun Jun 03, 2018 9:51 am
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 304
Views: 152627

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

After some weekend performance testing of Release build 6.42.3 wrt. Mikrotik hAP ac2, I found multiple significant improvements. TL;DR. Apart from a slight worsening in legacy 2.4 GHz @ 20 MHz wireless stability, I believe Mikrotik have largely solved the worst of the hAP ac2 wireless issues. Using ...
by squeeze
Thu May 31, 2018 3:43 pm
Forum: General
Topic: Hex PLUS
Replies: 15
Views: 3806

Re: Hex PLUS

Unless you are an ISP, it makes zero sense to use (large) permanent blacklists. So, this is anything but a common use case for a SOHO device, no matter who you get it from. However, you could get any Ubiquiti Edgerouter, including the similarly priced Edgerouter X. That has 256 MB NAND, full OpenVPN...
by squeeze
Wed May 30, 2018 12:02 am
Forum: Beginner Basics
Topic: Firewall Rule Concept
Replies: 10
Views: 2362

Re: Firewall Rule Concept

So if I can be permitted to Squeeze Sob ;-P, Then you are both saying the same thing. If no rules are matched in the SSH chain it is accepted, to the next rule after the initial JUMP rule in firewall filter list. In other words, the packet was not needed after all, in the jump chain, and should go ...
by squeeze
Tue May 29, 2018 8:38 pm
Forum: Beginner Basics
Topic: Firewall Rule Concept
Replies: 10
Views: 2362

Re: Firewall Rule Concept

If there's matching rule in ssh-in, processing ends there. In your case, #7 will match anything, so it will never return to original chain. If you didn't have #7 and nothing matched in ssh-in, it would return back to input and would be dropped by #3. Are you sure about that? In the wiki it says : W...
by squeeze
Fri May 25, 2018 4:53 pm
Forum: Virtualization
Topic: OpenWrt for ARM-based RB1100AHx4
Replies: 12
Views: 10984

Re: OpenWrt for ARM-based RB1100AHx4

If you get it working, we'd love to know! I'm looking closely at RB1100 devices as my next Mikrotik. Thanks.
by squeeze
Fri May 25, 2018 4:28 pm
Forum: Announcements
Topic: VPNfilter official statement
Replies: 190
Views: 145535

Re: VPNfilter official statement

The question in the next I was phoned by the cyberpolicy and said that my router is infected with a virus, that I need to reset my device and set it up which I do not really want to do. Will I have enough passwords and firmware updates? That's a fraud/fake call, google for that one that wants you t...
by squeeze
Thu May 24, 2018 4:54 am
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 557
Views: 221398

Re: v6.43rc [release candidate] is released!

Loving the priority on security improvements. Keep it coming!
by squeeze
Thu May 24, 2018 4:52 am
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 304
Views: 152627

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

*) wireless - increased stability on hAP ac^2 and cAP ac with legacy data rates;

I am going to wait until something as fundamental as logging in works, then I'll rerun the stability tests. How exciting, I didn't expect Mikrotik to update so fast on these ARM devices!
by squeeze
Sun May 20, 2018 10:24 pm
Forum: General
Topic: Wired connection was flaky with MikroTik hAP ac2.
Replies: 19
Views: 4139

Re: Wired connection was flaky with MikroTik hAP ac2.

Never had any issues with DHCP on hAP ac2 on 6.41.3. I suspect your issues have little to do with the router. We know for a fact that 6.42+ introduced new DHCP issues. So, that may not help you. However, you could either switch to firmware version Bugfix (used mainly by businesses) or latest Release...
by squeeze
Sat May 19, 2018 1:03 am
Forum: General
Topic: VLANs no switch chip
Replies: 10
Views: 2956

Re: VLANs no switch chip

OTOH it makes sense to use common bridge even without having switch chip.
Why?
by squeeze
Mon May 14, 2018 6:57 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 304
Views: 152627

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

Release candidates are not for production in any form of business environment. Nor are they intended as a substitute for basic troubleshooting. Since your posts have nothing whatsoever to do with the hAP ac2 (it is not even similar architecture, let alone radios), please refrain from bumping this top...
by squeeze
Mon May 14, 2018 2:05 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 304
Views: 152627

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

@startus With release candidate RouterOS software (6.43rc5+) the hAP ac2 WiFi is good enough for anything for a typical consumer - though I would not recommend its WiFi for low latency applications at the moment, e.g. gaming, but you should be using wired for that anyway in most situations. Since yo...
by squeeze
Fri May 11, 2018 8:06 pm
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 19790

Re: Access Control between VLANs

I cannot actually see any interface called "all-vlan" anywhere in Winbox nor in the online documentation. Would be very convenient if it did exist!
by squeeze
Fri May 11, 2018 7:02 pm
Forum: General
Topic: Netinstall + ubuntu 16.04 [SOLVED]
Replies: 6
Views: 12478

Re: Netinstall + ubuntu 16.04 [SOLVED]

Can you tell us the chipset of the on-board network card or the exact model of the laptop (preferably from a sticker somewhere), please? For the sake of other people in future, or even Mikrotik
by squeeze
Fri May 11, 2018 4:39 pm
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 19790

Re: Access Control between VLANs

I liked your idea Sob, and since I already had implemented Drop By Default on the more security-sensitive Input chain (only allowing DNS and ICMP Echo Request from LAN), I decided to implement it for VLAN interfaces on the Forward chain. Still, I was interested to see if another List method would wo...
by squeeze
Fri May 11, 2018 5:10 am
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 19790

Re: Access Control between VLANs

/ip firewall address-list add list=VLAN address=192.168.10.0/24 comment="VLAN: 10" add list=VLAN address=192.168.20.0/24 comment="VLAN: 20" add list=VLAN address=192.168.30.0/24 comment="VLAN: 30" /ip firewall filter add chain=forward action="drop" comment=&q...
by squeeze
Wed May 09, 2018 4:23 pm
Forum: General
Topic: 6.42.1, hap ac, time sync not working
Replies: 11
Views: 3188

Re: 6.42.1, hap ac, time sync not working

/ip cloud set update-time=no
/system ntp client set enabled=yes server-dns-names=0.ru.pool.ntp.org,ru.pool.ntp.org
by squeeze
Tue May 08, 2018 6:04 pm
Forum: Beginner Basics
Topic: Uh, can I think of the hAP ac as a wireless router?
Replies: 40
Views: 6207

Re: Uh, can I think of the hAP ac as a wireless router?

You cannot compare a hAP ac to a hEX. The latter will obliterate the former in Gigabit Ethernet routing and IPSEC. They are designed for different things. Anyway, to answer OP's question: the R7000 was the top ranked 3x3 consumer router for a long time and is still massively popular (how often do yo...
by squeeze
Sun May 06, 2018 10:45 pm
Forum: Beginner Basics
Topic: Preventing MySQL and MSSQL Bruteforce attacks
Replies: 7
Views: 3081

Re: Preventing MySQL and MSSQL Bruteforce attacks

Not clear why this is necessary. Either a professional or security conscious technical individual would only ever be either using network segments like VLANs (non-Internet) or a single firewall point of entry on a dedicated edge device (Internet). So, these types of attacks would be all but impossib...
by squeeze
Sun May 06, 2018 6:35 pm
Forum: Beginner Basics
Topic: Firewall Rules: Block ICMP from WAN (PPPOE connection) [SOLVED]
Replies: 22
Views: 9408

Re: Firewall Rules: Block ICMP from WAN (PPPOE connection) [SOLVED]

Rules 5 and 6 should not exist in your configuration, especially if your WAN is your Internet connection. Remove these entirely: 5 chain=input action=drop protocol=icmp in-interface=ether1 icmp-options=8:0 log=no log-prefix="" 6 chain=input action=accept protocol=icmp log=no log-prefix=&qu...
by squeeze
Sun May 06, 2018 5:22 pm
Forum: General
Topic: default-configuration and secure wifipassword
Replies: 2
Views: 1085

Re: default-configuration and secure wifipassword

Ask in the Scripting section. It should absolutely be possible. You may even be able to use cpu-load and clock time as entropy sources.
by squeeze
Sun May 06, 2018 2:58 am
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 304
Views: 152627

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

I decided to adapt morph1's low latency testing approach, but for best case scenario, relative stability tests. These were my results. TL;DR. Mikrotik hAP ac2 has a stability issue with 5 GHz band at 40 MHz channel width (visible also on morph1's results), but all other widths and bands performed we...
by squeeze
Fri May 04, 2018 7:10 pm
Forum: Beginner Basics
Topic: Differences between "Port based" and "bridge based" VLAN
Replies: 22
Views: 16449

Re: Differences between "Port based" and "bridge based" VLAN

I wanted to permit clients in vlan10 and 20 to see each other, and clients in vlan 10 and vlan20 should not see clients in the admin LAN (vlan1). You changed your requirements. First you say you wanted vlan10 and vlan20 to talk, then you say you don't. I was going by your original request and only ...
by squeeze
Fri May 04, 2018 1:01 am
Forum: Beginner Basics
Topic: Differences between "Port based" and "bridge based" VLAN
Replies: 22
Views: 16449

Re: Differences between "Port based" and "bridge based" VLAN

In RouterOS firewall the order of the rules matters. The CPU is going down the list starting from the top. RouterOS Firewall Filtering is Accept-based, i.e. if something does not match it is Accepted. That's why you should always have a Drop rule for any category of filtering, look at the default ru...
by squeeze
Wed May 02, 2018 6:50 pm
Forum: Beginner Basics
Topic: Differences between "Port based" and "bridge based" VLAN
Replies: 22
Views: 16449

Re: Differences between "Port based" and "bridge based" VLAN

I have several questions of my own. :) Am I missing something, what is your device? This is important because VLAN filtering can be different for different devices and setups like hybrid ports Which of these physical interfaces are trunks to other VLAN-aware switches or routers? Why do you have vlan...
by squeeze
Wed May 02, 2018 2:58 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 304
Views: 152627

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi [Not]

P.S.: still using the same settings/methods as in my previous post

Thanks for the tests. I don't understand the new bottom scale, compared to your previous ones. Is it still 10ms pings and 60k ping count?
by squeeze
Tue May 01, 2018 2:27 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 304
Views: 152627

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi [Not]

Listing 1: Download Test on 5G hAP ac^2 with v6.43rc5 RouterOS using CHUWI ac interface (Intel Dual-Band Wireless-AC 3165) [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.02 sec 28.9 MBytes 24.2 Mbits/sec 0 sender You get no "Retr" from your TCP reverse tests? Or are you not using the &...
by squeeze
Tue May 01, 2018 4:50 am
Forum: General
Topic: Should I choose switch or router for simple home VPN setup?
Replies: 3
Views: 1810

Re: Should I choose switch or router for simple home VPN setup?

Is this for IPSEC or OpenVPN? I would absolutely not recommend Mikrotik as an OpenVPN client. It is perfectly good for business VPN or site to site VPN that you control, but not for connection to consumer VPNs due to limited OpenVPN support. Since you have many Apple devices and Apple are discontinu...
by squeeze
Mon Apr 30, 2018 2:30 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 304
Views: 152627

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

@squeeze: Could you please explain to me how you, based on your test on distance of 1m, concluded that wireless part is good? On distance of 1m, I would use cable, this is not the type of test that is used for wireless. Put distance of 5m, then 10m, and even if you can 15m between devices. Then...
by squeeze
Mon Apr 30, 2018 6:21 am
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 304
Views: 152627

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

After some testing this weekend with a Realtek USB AC adapter and a single client device, I found the following trying to get the best I could from the router without heavy tweaking of the Wireless settings: 2.4 GHz: no significant performance difference from RouterOS 6.42.1 to 6.43rc5. Approx. 130 ...
by squeeze
Sun Apr 29, 2018 2:38 am
Forum: General
Topic: Windows Port Knock Application
Replies: 24
Views: 14469

Re: Windows Port Knock Application

The most secure method is VPS, because it does not expose anything directly on the Internet interface, is securely authenticated up front and not subject to replay.

Port knocking is ideally just another backup. Just like, for example, running a Tor Hidden Service ...
by squeeze
Sat Apr 28, 2018 10:05 pm
Forum: Beginner Basics
Topic: Differences between "Port based" and "bridge based" VLAN
Replies: 22
Views: 16449

Re: Differences between "Port based" and "bridge based" VLAN

https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Setup_Examples Note very carefully that in the above link they only use Switch commands when the device supports specific switch chips. If you don't know what you're doing, use VLANs on a single bridge and don't touch any Switch options. Def...
by squeeze
Fri Apr 27, 2018 7:10 pm
Forum: Announcements
Topic: v6.42.1 [current]
Replies: 272
Views: 98187

Re: v6.42.1 [current]

@Xymox I've spent the morning downgrading all my clients from 6.42.1 to 6.41.4.. Over the last few days I've seen a number of weird things on client systems that are previously reported on this thread. I do not consider 42.1 "stable"... The other BIG deciding factor to revert to 41.4 is Netw...
by squeeze
Fri Apr 27, 2018 6:47 pm
Forum: General
Topic: Feature request: disable LED lights on all SOHO devices
Replies: 1
Views: 1031

Feature request: disable LED lights on all SOHO devices

Feature request: the ability to disable all LED lights on all SOHO devices, especially popular ones like the Mikrotik hEX. By definition, SOHO devices are often in workplace environments in direct line of sight visible by all throughout the day or in home living rooms and bedrooms under all types of...
by squeeze
Fri Apr 27, 2018 5:04 pm
Forum: General
Topic: Windows Port Knock Application
Replies: 24
Views: 14469

Re: Windows Port Knock Application

Why not just use AutoIt itself for sending packets since that's what you're using already?
by squeeze
Fri Apr 27, 2018 5:09 am
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 304
Views: 152627

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

Can you stop bumping the thread about completely unrelated issues, please. Some people receive a lot of notifications, including via email. Keep it specific to the hAP ac2 WiFi issues.
by squeeze
Fri Apr 27, 2018 1:03 am
Forum: General
Topic: Urgent feature request: Bind IP services to a specific IP / Interface
Replies: 6
Views: 2756

Re: Urgent feature request: Bind IP services to a specific IP / Interface

Good request. Seems obvious in hindsight. Defense in Depth.
by squeeze
Fri Apr 27, 2018 12:33 am
Forum: General
Topic: How to prevent block providers' redirection?
Replies: 8
Views: 1802

Re: How to prevent block providers' redirection?

For example imagine self that ISP blocked your best VPN pool or tried to block any VPN services which works via secure protocols :\ What you can to do? I would try in order: Tor obfuscated Tor (Tor bridges) SSH tunnel via free unix shell account change VPN provider change ISP VPS machine and run ss...
by squeeze
Thu Apr 26, 2018 8:31 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 304
Views: 152627

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

morph1,

If you are still here, can you tell us the models of the competitors you were comparing to or at least whether they were routers or APs. APs can have quite different antenna design ...
by squeeze
Thu Apr 26, 2018 5:13 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 304
Views: 152627

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

Given you have now shown you are in a noisy setting for 2.4GHz It's for me? I tested AC 5GHz. When scanning hap ac ^ 2 did not find any transmitters 5 GHz near. Please note I was replying to yhfung, the OP, and talking exclusively about 2.4GHz. However, the current release candidate of rc5 could re...
by squeeze
Thu Apr 26, 2018 4:53 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 304
Views: 152627

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

Given you have now shown you are in a noisy setting for 2.4GHz and are effectively testing stability rather than peak performance, have you: disabled auto-channel selection and used a WiFi analyzer to pick from 1, 6, 11, (14) channels? used only 20MHz channel width? disabled a/b/g protocols? If so, then th...
by squeeze
Thu Apr 26, 2018 4:39 am
Forum: General
Topic: hardware offload for rb922 and hEX
Replies: 11
Views: 7990

Re: hardware offload for rb922 and hEX

I checked the default configuration of a hEX (gr3) today, after resetting it, and there's no indication of hw-offload being enabled with the default single bridge. I am not sure what to make of that.
by squeeze
Thu Apr 26, 2018 4:25 am
Forum: Beginner Basics
Topic: hAP AC restarting
Replies: 2
Views: 1097

Re: hAP AC restarting

If it was not happening before you upgraded the firmware, then downgrade and see if that fixes it. Alternatively, if it only happens when you are using the connection and how you are using it, then it could be a router configuration causing it. Commonly, it could also be a mains power issue. Try a d...
by squeeze
Thu Apr 26, 2018 2:14 am
Forum: General
Topic: hAP ac2: hardware offload decreases performance, vlan
Replies: 2
Views: 1519

Re: hAP ac2: hardware offload decreases performance, vlan

Why do you have two bridges? Only one of the bridges will benefit from hardware offloading.
by squeeze
Thu Apr 26, 2018 2:06 am
Forum: Wireless Networking
Topic: hAP ac^2 Problems - 5Ghz wireless network - irregular ping-response time and transmission lags
Replies: 9
Views: 3152

Re: hAP ac^2 Problems - 5Ghz wireless network - irregular ping-response time and transmission lags

How were you testing, as in what client in particular, and generating that graph?

Also, Mikrotik have confirmed to multiple customers with a closed/pre-release version of RouterOS that they may have very significantly improved the WiFi performance of the hAP ac^2.
by squeeze
Thu Apr 26, 2018 1:57 am
Forum: Wireless Networking
Topic: hAP lite ac Country, Frequency and Frequency mode
Replies: 13
Views: 7637

Re: hAP lite ac Country, Frequency and Frequency mode

Upgrade RouterOS and upgrade firmware/RouterBOOT (/system routerboard upgrade, then /system reboot).

Mikrotik only sell one international version and one US-locked version.
by squeeze
Thu Apr 26, 2018 1:30 am
Forum: General
Topic: Terminal History (Like UNIX shell)
Replies: 1
Views: 946

Re: Terminal History (Like UNIX shell)

I think many would kill for the command log equivalent of this, and for all changes not just Terminal ones.
by squeeze
Thu Apr 26, 2018 1:22 am
Forum: General
Topic: Ping Knock
Replies: 20
Views: 10410

Re: Ping Knock

Use a short period of one minute timeout to connect after knocking. Keep the connection by using established. This way any parallel hackers on the same source IP have less than a minute to do harm. After you disconnect established is over and you have to knock again to get in. Would that work reliabl...
by squeeze
Thu Apr 26, 2018 12:01 am
Forum: General
Topic: Ping Knock
Replies: 20
Views: 10410

Re: Ping Knock

Very client friendly concept. However, I don't understand why all the different "action=return" rules and the ordering in the knock section. I am new to this, but what is wrong with just this: /ip firewall filter # Place this rule early in the list. add chain=input action=jump comment=&quo...
by squeeze
Wed Apr 25, 2018 2:15 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 203
Views: 257989

Re: Advisory: Vulnerability exploiting the Winbox port

Can we get a straight answer for... THIS ROUTER OS UPDATE PREVENTS THIS EXPLOIT. AKA... one CAN NOT download the user file from router OS 6.42.1, using port 8291, without authenticating to the router first. If you cannot be bothered to read the manufacturer's changelog for code that you download an...
by squeeze
Wed Apr 25, 2018 3:41 am
Forum: General
Topic: Let's encrypt and Mikrotik
Replies: 13
Views: 19684

Re: Let's encrypt and Mikrotik

Unfortunately there is no http-to-https redirection in Mikrotik devices

Would this work for your purposes?
/ip firewall nat add chain=dstnat dst-port=80 action=redirect protocol=tcp to-port=443
by squeeze
Tue Apr 24, 2018 2:38 am
Forum: Beginner Basics
Topic: Management VLAN hAP AC Lite
Replies: 4
Views: 2369

Re: Management VLAN hAP AC Lite

I added an IP address of 10.10.10.60/24 (I'm not sure why you put 10.10.10.1 since that's my gateway EdgeRouter?) Now, if I add ether1 to the existing default bridge I can access any of the other devices on VLAN 10 (but not 10.10.10.60) e.g., 10.10.10.2 is a remote wireless AP 3 hops away I can get...
by squeeze
Mon Apr 23, 2018 8:00 pm
Forum: Beginner Basics
Topic: WiFi comparison between hAP ac2 and hAP ac
Replies: 12
Views: 19422

Re: WiFi comparison between hAP ac2 and hAP ac

To answer your question on initial price positioning it is simple: hAP ac = 3x3 router while hAP ac2 = 2x2 router. Also, whatever tests you have done do not appear to be particularly thorough. The hAP ac2 is suffering from serious stability and performance issues. The performance side is being very ...
by squeeze
Mon Apr 23, 2018 3:31 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 203
Views: 257989

Re: Advisory: Vulnerability exploiting the Winbox port

What is happening here is downloading files from a router without the password. Over a port that normally doesn't even allow downloading those files. I find it hard to believe that this is simply "a bug". There must be base functionality of downloading, and the bug is only that it can be ...
by squeeze
Mon Apr 23, 2018 2:22 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 203
Views: 257989

Re: Advisory: Vulnerability exploiting the Winbox port

If the Winbox server is the one doing the IP filtering, then an IP Services "Available From" restriction may not prevent the attacker from using the exploit against the Winbox server because the vulnerability is in the Winbox server ... To be safe for now, only put IP restrictions on the I...
by squeeze
Mon Apr 23, 2018 1:48 pm
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 203
Views: 257989

Re: Advisory: Vulnerability exploiting the Winbox port

So is this it https://www.securityweek.com/remotely-exploitable-vulnerability-discovered-mikrotiks-routeros ? As it's an over a month old post.. That is a completely different vulnerability that relates only to the SMB service, which by default is not even enabled (hence why you didn't hear much about th...
by squeeze
Mon Apr 23, 2018 1:25 am
Forum: General
Topic: winbox vulnerable! Unusual login to routers [SOLVED]
Replies: 44
Views: 27587

Re: winbox vulnerable! Unusual login to routers [SOLVED]

Do any of these affected routers have the UPnP service enabled at all, including on LAN?
by squeeze
Sun Apr 22, 2018 9:12 pm
Forum: Beginner Basics
Topic: Management VLAN hAP AC Lite
Replies: 4
Views: 2369

Re: Management VLAN hAP AC Lite

Use Quick Set profile to do all the basic configuration since you're doing a static IP, instead of the default DHCP WAN setup. I don't know what profiles are available on the Lite, but perhaps "Home AP Dual". # WAN: Identify VLAN and its ID to this router /interface vlan add interface=ethe...
by squeeze
Sat Apr 21, 2018 8:15 pm
Forum: Beginner Basics
Topic: Mikrotik vulnerability
Replies: 16
Views: 6150

Re: Mikrotik vulnerability

Winbox should not necessarily be a fixed port and I wondered why I don't have the opportunity to change it. My current router allows HTTPS from a non-standard port for example (of my choosing). You can trivially change port on the Winbox client just by adding the usual port number ending you see in ot...
by squeeze
Sat Apr 21, 2018 4:46 pm
Forum: Beginner Basics
Topic: Mikrotik vulnerability
Replies: 16
Views: 6150

Re: Mikrotik vulnerability

You should not allow login to your router from the internet! Fix your firewall configuration... What if I need ability to login to router from any random address (travelling admin)? Shouldn't non-standard username and super-strong password be secure enough? Disabling everything might be secure, but...
by squeeze
Sat Apr 21, 2018 12:45 am
Forum: General
Topic: winbox vulnerable! Unusual login to routers [SOLVED]
Replies: 44
Views: 27587

Re: winbox vulnerable! Unusual login to routers [SOLVED]

If true, this is a very serious vulnerability and you should report it directly to Mikrotik support so they can fix it ASAP. Btw, a basic security precaution is to remove or rename the "admin" user and use a different name entirely. There is nothing special about the "admin" nam...
by squeeze
Fri Apr 20, 2018 12:22 pm
Forum: General
Topic: hAP ac² LAN->WiFi 5GHz performance issue.
Replies: 23
Views: 11344

Re: hAP ac² LAN->WiFi 5GHz performance issue.

There might also be a problem in ROS, but it's unlikely, a lot of thousands of other users would experience the same as you. Except they do. The problems with hAP ac2 WiFi are already widely reported, acknowledged by Mikrotik themselves (who have been struggling to fix them with rapid successive firmw...
by squeeze
Thu Apr 19, 2018 5:57 pm
Forum: Beginner Basics
Topic: Bridge Vlan vs. Switch Vlan [SOLVED]
Replies: 5
Views: 22605

Re: Bridge Vlan vs. Switch Vlan [SOLVED]

Ah, yes, you're right "hw=yes" per port is true, but "H - hw-offload" is not.
by squeeze
Thu Apr 19, 2018 4:22 pm
Forum: Beginner Basics
Topic: Bridge Vlan vs. Switch Vlan [SOLVED]
Replies: 5
Views: 22605

Re: Bridge Vlan vs. Switch Vlan [SOLVED]

Other devices that have a built-in switch chip must also be configured under /interface ethernet switch. You must first create a bridge to switch desired ports together (/interface bridge) and then you can configure VLAN tagging and invalid VLAN filtering in /interface ethernet switch. This does no...
by squeeze
Tue Apr 17, 2018 2:44 pm
Forum: Announcements
Topic: v6.42 [current]
Replies: 147
Views: 76286

Re: v6.42 [current]

*) winbox - added 160 MHz "channel-width" to wireless settings;

What Mikrotik devices support 160 MHz channel WiFi?
by squeeze
Tue Apr 17, 2018 1:09 pm
Forum: General
Topic: OpenVPN SHA256 + UDP
Replies: 67
Views: 48067

Re: OpenVPN SHA256 + UDP

I'd consider switching to L2TP+ipsec or EoIP+ipsec(for mikrotik on both sides), both use UDP and encryption and should perform the same or better in performance. OpenVPN on UDP has been requested years ago and won't come too soon on Mikrotik, probably never. SHA256 is supported on the mentioned pro...
by squeeze
Mon Apr 16, 2018 5:27 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 304
Views: 152627

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

This is worthless advice from Mikrotik support, if they really are asking you to remove the default bridge configuration, even for testing.
by squeeze
Mon Apr 16, 2018 5:23 pm
Forum: General
Topic: hap AC Lan no Gigabit connection
Replies: 1
Views: 741

Re: hap AC Lan no Gigabit connection

Different cable.
by squeeze
Sat Apr 14, 2018 8:51 pm
Forum: General
Topic: Port Forwarding for Security Camera's
Replies: 7
Views: 4524

Re: Port Forwarding for Security Camera's

TCP port 80 is the default HTTP port. This is basic World Wide Web and TCP protocol knowledge. In other words, all web browsers implicitly understand http://example.com as http://example.com:80. If you actually need both of these services on this default (unsecured) web services port, then there is ...
by squeeze
Sat Apr 14, 2018 3:45 pm
Forum: Beginner Basics
Topic: CCR - Mikrotik Bridge usage with multiple Vlans
Replies: 6
Views: 2858

Re: Mikrotik Bridge usage with multiple Vlans

Unless you have a switch chip, it's a single bridge for all VLANs. Also, why are you explicitly disabling hardware offloading?

You may also need to add the bridge name itself to the "tagged=" list for trunks to other devices.
by squeeze
Fri Apr 13, 2018 9:49 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 304
Views: 152627

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

The IPQ4018 SoC supports beamforming (802.11ac TxBF), but that would require a phased antenna array design, which is highly unlikely. Basically, the chip is far more advanced than this specific device can fully support.
by squeeze
Fri Apr 13, 2018 3:34 am
Forum: Announcements
Topic: Winbox 3.13 released!
Replies: 59
Views: 42430

Re: Winbox 3.13 released!

Still no signature checking or HTTPS... man in the middle can easily compromise administrator's PC. https://i.imgur.com/TX7G9pq.gifv I was wondering what you meant. I did a Wireshark http monitor after pressing Check for Updates in Winbox: GET /routeros/winbox/LATEST.3 HTTP/1.1 HTTP/1.1 200 OK (app...
by squeeze
Thu Apr 12, 2018 3:55 pm
Forum: General
Topic: Interface or usb wifi for RB750Gr3? [SOLVED]
Replies: 1
Views: 1973

Re: Interface or usb wifi for RB750Gr3? [SOLVED]

No, return it and get a hAP AC or hAP AC lite. RB750Gr3 is a pure wired router.

Better yet, state your WiFi requirements for a more precise recommendation.
by squeeze
Thu Apr 12, 2018 12:46 pm
Forum: Beginner Basics
Topic: Batch set all LEDs [SOLVED]
Replies: 2
Views: 1747

Re: Batch set all LEDs [SOLVED]

/system leds set [find] type=off

worked for me. Thank you for the inspiration.
by squeeze
Thu Apr 12, 2018 11:44 am
Forum: General
Topic: Secure my DNS requests
Replies: 14
Views: 8710

Re: Secure my DNS requests

From their homepage: WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come. So one day it may become great and i...
by squeeze
Tue Apr 10, 2018 10:30 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 304
Views: 152627

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

Nope, pls check viewtopic.php?f=2&t=132576
I meant WLAN<->WAN (not Ethernet LAN<->WAN). Thank you for the clarification.
by squeeze
Tue Apr 10, 2018 2:02 pm
Forum: Beginner Basics
Topic: Batch set all LEDs [SOLVED]
Replies: 2
Views: 1747

Batch set all LEDs [SOLVED]

Is it possible to batch set the type of all LEDs in one line or command string?

Pseudo-example:
/system leds set [find where leds=XXX] type=off

Can the above work and what would XXX be to set all LEDs regardless of names?
by squeeze
Tue Apr 10, 2018 1:20 pm
Forum: Announcements
Topic: Winbox 3.13 released!
Replies: 59
Views: 42430

Re: Winbox 3.13 released!

winbox.exe is now signed executable;
Thank you.
by squeeze
Tue Apr 10, 2018 12:34 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 304
Views: 152627

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

Based on the above findings, the problem comes from the link between the data of APs and the routing block to the external interface WAN port. If the hAP ac^2 is configured as an AP, it should work very well. So, it is a LAN-WAN routing issue. Can I confirm with all on here who have posted data acr...
by squeeze
Tue Apr 10, 2018 3:15 am
Forum: General
Topic: Low Bandwidth / Firewall Rules
Replies: 2
Views: 917

Re: Low Bandwidth / Firewall Rules

IP has no source address validation - that is the reason why IP spoofing exists at all - therefore you cannot trust the source IP from unknown sources.
by squeeze
Tue Apr 10, 2018 2:06 am
Forum: Beginner Basics
Topic: I'm at a loss, any help is good help at this moment...
Replies: 22
Views: 4579

Re: I'm at a loss, any help is good help at this moment...

You've isolated the problem to RB2011 or all its clients and all their physical connections (except cable to issue PC). Isolate the problem much more to the PC or router, i.e. physically disconnect all other clients to the RB2011 ports or disable their Ethernet/WiFi interfaces on the router. If prob...
by squeeze
Tue Apr 10, 2018 12:36 am
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 304
Views: 152627

Re: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi

You can test as reliably as iperf3 (though without the range of options) using the Windows btest.exe application or Bandwidth Test on other router devices, as long as you run it from two devices through the router being tested. Btest actually has functionality iperf3 does not, though iperf2 has: you...
by squeeze
Mon Apr 09, 2018 3:18 pm
Forum: General
Topic: Secure my DNS requests
Replies: 14
Views: 8710

Re: Secure my DNS requests

Let's hope that Mikrotik is going to develop better support in router, for OpenVPN and IKE2 as client.
And Wireguard which trounces both of them for security, throughput, and latency.
by squeeze
Sun Apr 08, 2018 6:00 pm
Forum: Scripting
Topic: Best scripts for firewall and router protection [SOLVED]
Replies: 16
Views: 109432

Re: Best scripts for firewall and router protection [SOLVED]

Before anything else. I just want to clarify your initial post for other new people: The best additional protections for your new Mikrotik router are simply everything on " Manual:Securing Your Router " page before the "Firewall" section. Absolutely stop reading past this point :...
by squeeze
Sat Apr 07, 2018 7:48 pm
Forum: Scripting
Topic: Best scripts for firewall and router protection [SOLVED]
Replies: 16
Views: 109432

Re: Best scripts for firewall and router protection [SOLVED]

Either you, 1. Be very careful to understand what parts constitute every component of your firewall from the Default Configuration, then re-apply them to your customized setup, OR 2. Export your config, save the non-firewall parts that you changed from default, then factory reset the router and star...
by squeeze
Sat Apr 07, 2018 11:46 am
Forum: Beginner Basics
Topic: Need a little explanation about log entries...
Replies: 5
Views: 2460

Re: Need a little explanation about log entries...

IP by default has no source validation.

They are forging/spoofing their source IP to probe your MT weaknesses, i.e. one of which is the ND port.

Depending on what type of business you run, you can just ignore it if you're not some type of ISP, as far as I'm aware.
by squeeze
Thu Apr 05, 2018 5:28 am
Forum: General
Topic: Any plans to make cross-platform WinBox?
Replies: 33
Views: 8084

Re: Any plans to make cross-platform WinBox?

Web and SSH are already as cross-platform as it is possible to be. On top of that, Mikrotik's feature-complete CLI is much easier to use and learn than competitors, afaik. No one but some subset of power users would want anything more, and power users already have access to emulators and VMs, includ...
by squeeze
Wed Apr 04, 2018 2:09 pm
Forum: General
Topic: Log all console commands [SOLVED]
Replies: 31
Views: 19087

Re: Log all console commands [SOLVED]

Impressive six year thread for a feature that appears almost trivial for Mikrotik compared to direct competitors (*) and would instantly increase their popularity with businesses scaling up and larger enterprises ... How strange to ignore such an easy win when they have already done 90% of the leg w...
by squeeze
Wed Apr 04, 2018 1:17 pm
Forum: Wireless Networking
Topic: hAP ac 5GHz max speed
Replies: 52
Views: 25084

Re: hAP ac 5GHz max speed

Hi, I can confirm that the hAP AC connects with 3 chans to a newer MacBookPro on 1G+ Thruput tested with iperf3 from this MBP to a server on the wired part of my local network On 1GB wire I get approx 960Mbit/s On 5GHz wifi I get approx 530Mbit/s This 530Mbit/s seems about the max because the hAP A...
by squeeze
Wed Apr 04, 2018 7:06 am
Forum: General
Topic: WiFi with VLANS
Replies: 9
Views: 1562

Re: WiFi with VLANS

Make sure your trunk port is a tagged member of your management VLAN. Ideally, avoid the use of VLAN ID 1, which seems to correspond to the default VLAN ID of Mikrotik, therefore used for untagged traffic. Like some other devices, this common default VLAN ID either does not behave exactly like other...
by squeeze
Wed Apr 04, 2018 5:37 am
Forum: Wireless Networking
Topic: Wi-Fi speed issues on hAP AC Lite
Replies: 39
Views: 36802

Re: Wi-Fi speed issues on hAP AC Lite

Would be nice if people would not talk so loosely about wildly different WiFi models. After all this thread started specifically about the hAP AC Lite and an asymmetric download issue. Provide client and distance information. Are you using an AC client and what type, e.g. phone, tablet, laptop, MacB...
by squeeze
Mon Apr 02, 2018 11:11 am
Forum: Beginner Basics
Topic: slow internet after 1 or 2 hours ...
Replies: 9
Views: 4006

Re: slow internet after 1 or 2 hours ...

i reset the router still the same problem i removed torrent rules What does that mean? If you firmware or factory reset the router, how could you remove any "torrent rules". There should not be any. You need to test the router with a perfectly default configuration from a reset back to fi...
by squeeze
Mon Apr 02, 2018 12:40 am
Forum: Announcements
Topic: Urgent security advisory
Replies: 110
Views: 142099

Re: Urgent security advisory

TL;DR. Centralization in security information helps Mikrotik every bit as it does its existing customers, prospective customers and the broader community. Mikrotik need to be much more direct and centralized about even the very basics, like what specific vulnerabilities have been fixed and when (we...
by squeeze
Sun Apr 01, 2018 11:20 pm
Forum: Wireless Networking
Topic: hAP ac^2 Problems---Extremely Poor Performance found in 2.4G and 5G WiFi
Replies: 304
Views: 152627

Re: hAP ac^2---Extremely Poor Performance found in 2.4G and 5G WiFi

This is 5Ghz on my hAP AC2

http://www.speedtest.net/result/7188352780

We cannot see the image and your speed test information is useless without knowing the expected speed of the connection.
by squeeze
Sun Apr 01, 2018 8:01 am
Forum: General
Topic: Disabling wireless radios so that they use no power
Replies: 1
Views: 987

Disabling wireless radios so that they use no power

Is there a method in RouterOS or otherwise in Mikrotik routers to disable wireless radios, such as for WiFi, so that they consume no power? If not, what about minimum power consumption? Does simply disabling the RouterOS Wireless interfaces in the device user interface have any impact on power draws...
by squeeze
Sun Apr 01, 2018 7:48 am
Forum: General
Topic: hAP ac² noisy when using WiFi [SOLVED]
Replies: 21
Views: 7853

Re: hAP ac² noisy when using WiFi [SOLVED]

Do not interfere with it, just return it as faulty and describe the reason for useful feedback to all. This is clearly a hardware QA issue, i.e. probably not even an issue with the model at all. Also, why are you considering interfering with the faulty hardware of a brand new device, especially for ...
by squeeze
Sun Apr 01, 2018 1:16 am
Forum: Beginner Basics
Topic: HAP AC performance issues
Replies: 9
Views: 4116

Re: HAP AC performance issues

Out of interest, can you determine the make and model of the ISP's router?
by squeeze
Fri Mar 30, 2018 10:01 pm
Forum: General
Topic: Mikrotik for 900/100 Mbit WAN
Replies: 7
Views: 1920

Re: Mikrotik for 900/100 Mbit WAN

So I have bought hAP ac2 and it's amazing, on same settings as my RB951G cpu usage is only 2-3% when fully using 100 Mbit PPPoE, while on RB951G cpu usage was ~20% ( with fastpath, without it was double that ). Did you get 900/100 Mbit WAN connection speed with the hAP ac2, PPPoE and same IP firewal...
by squeeze
Fri Mar 30, 2018 2:34 am
Forum: General
Topic: hEX - missing usb hub support
Replies: 6
Views: 2181

Re: hEX - missing usb hub support

Thank you very much for the report and your careful research!

Do you or anyone else happen to know if the new hAP ac² (RBD52G-5HacD2HnD-TC (International), RBD52G-5HacD2HnD-TC-US (USA)) would also have similar issues with USB controllers?
by squeeze
Thu Mar 29, 2018 3:14 pm
Forum: General
Topic: Thank you for the great Cable Test feature!
Replies: 5
Views: 1808

Re: Thank you for the great Cable Test feature!

It is implemented in only few models unfortunately. Isn't port mirroring supported in almost all the switch chips ? Oh nevermind, you meant this about the cable test: This works on SXT-G, SXT Lite, RB711G, RB2011, RB750 series and other devices with the same switch chips, and also the Cloud Core se...
by squeeze
Thu Mar 29, 2018 6:49 am
Forum: General
Topic: Help me decide
Replies: 11
Views: 2505

Re: Help me decide

I would have loved to hear sindy's suggestions for an alternative. At this price point, you could consider building your own pfSense box or even get an RT-AC86U as an edge VPN router, if you care about OpenVPN performance at all. Both of those have fast enough CPUs with hardware acceleration (AES-NI...
by squeeze
Thu Mar 29, 2018 1:33 am
Forum: General
Topic: Router + switch + ap all in one solution
Replies: 15
Views: 3871

Re: Router + switch + ap all in one solution

There is no single device on the market that could guarantee all those features, especially at that price point. If you really want all those features, your time and money is likely better served researching separate devices, i.e. a router just for routing tech + NAT + (basic) VPN, connected to a sw...
by squeeze
Wed Mar 28, 2018 11:44 pm
Forum: Beginner Basics
Topic: DHCP Server Error
Replies: 4
Views: 4938

Re: DHCP Server Error

Router: /system logging topics=dhcp Process of elimination: MAC "lock": unlock whatever it is you did with the MAC. If it works, then you know it is this, or what do you mean? Device: test with a different device Connection logical type: check with another network or a different band (2.4G...
by squeeze
Wed Mar 28, 2018 2:29 pm
Forum: General
Topic: Why isn't WMM Support default?
Replies: 19
Views: 17206

Re: Why isn't WMM Support default?

Just been going through my Wireless settings: Why is WMM disabled by default in 802.11n/ac devices? This is already perverse because those standards are stated to require tools in WMM for HT (High Throughput) link rates, i.e. greater than 54Mbps (*) and is enabled by default for Wi-Fi Certified dev...
by squeeze
Wed Mar 28, 2018 6:44 am
Forum: Beginner Basics
Topic: Please add a wiki document on settings to maximize home user privacy. [SOLVED]
Replies: 4
Views: 2004

Re: Please add a wiki document on settings to maximize home user privacy. [SOLVED]

First, Mikrotik routers with the latest RouterOS and firmware appear already very private and have a high security potential. The default is nothing available on the WAN and no responses except to pings. Even penetration tools like nmap will find no WAN leaks with all conventional scans. If your rou...
by squeeze
Tue Mar 27, 2018 10:54 am
Forum: Beginner Basics
Topic: [RB750Gr3] DHCP failure on default/native VLAN (VLAN ID 1) of bridge [SOLVED]
Replies: 2
Views: 2870

Re: [RB750Gr3] DHCP failure on default/native VLAN (VLAN ID 1) of bridge [SOLVED]

I conducted a simple experiment and changed VLAN ID 1 everywhere to VLAN ID 4. DHCP on that subnet promptly started working on one of the "Default" VLAN ports of the router. That is, I did the equivalent of: /interface vlan set interface=bridge-vlan name=Default vlan-id=4 set interface=bri...
by squeeze
Tue Mar 27, 2018 1:24 am
Forum: Beginner Basics
Topic: [RB750Gr3] DHCP failure on default/native VLAN (VLAN ID 1) of bridge [SOLVED]
Replies: 2
Views: 2870

[RB750Gr3] DHCP failure on default/native VLAN (VLAN ID 1) of bridge [SOLVED]

Device: RB750Gr3 on RouterOS 6.41.3 Problem: DHCP clients are not receiving IPs from the default or native VLAN (VLAN ID 1). I tested both a default VLAN port on the router and a native VLAN port on a VLAN-aware switch attached to the trunk. Neither worked. DHCP works on all other ports. Context: a...
by squeeze
Fri Mar 23, 2018 7:22 pm
Forum: Beginner Basics
Topic: [RB750Gr3 (hEX)] - Simple VLAN and Management network
Replies: 1
Views: 6142

Re: [RB750Gr3 (hEX)] - Simple VLAN and Management network

Solution: The key was realizing that, despite the VLAN ID user interface to the NIC in Windows, my PC client was not VLAN-aware. So, having a tagged management port was preventing the router from talking to the PC above Layer 2. This occurred to me after the Wireshark software traffic analyzer coul...
by squeeze
Thu Mar 22, 2018 8:55 pm
Forum: Beginner Basics
Topic: [RB750Gr3 (hEX)] - Simple VLAN and Management network
Replies: 1
Views: 6142

[RB750Gr3 (hEX)] - Simple VLAN and Management network

FIRST POST I recently purchased an RB750Gr3 for home use. I am just trying to get a simple VLAN setup working, including a Management port on the Hex itself and a Management VLAN. Using typical VLAN membership tables I have seen on other routers, this is my intent: VLAN Ports 2 3 4 5 1 X U U U Segre...