MikroTik

whatever

Use multiple vlans to separate your stuff.

whatever

Yes, one capsman channel is actually more like a channel list and can have multiple frequencies.

whatever

Defining a channel in capsman does nothing until you refer to it in a configuration.

whatever

Your IP addresses are both assigned to ether2 which is part of the bridge, you probably meant to assign them to bride and ether5, like your dhcp servers.

Edit: 172.0.0.0/8 is not a private ip range!!! Don't use it on your LAN. Your configured netmask fucks up routing to any public 172.x.y.z IP.

whatever

I've tried enabling all rates, and I get the same result.

Expected result, i don't think you understand how basic rates are used.
Why do you want to use custom rates at all? Is there any issue with the default rateset?

PS: Try enabling only 12Mbps as basic rate.

whatever

You have disabled all basic rates!? I don't think that is a good idea.

whatever

This seems to be a common pattern, looks like it's pretty much impossible to achieve more than 250-300 Mbit/s real world single client throughput with Mikrotik ac WiFi.
In case you ever manage to break this limit please let me know how you did it

whatever

[Ticket#2019030922002071] CAP not correctly forwarding tagged vlan traffic towards wired network Glad it is not just me, I have the same issue effecting 1000's of units, if you disable the CAP and enable everything works again for a period of time and stops again. I have raised tickets with support...

whatever

New driver will be bundled with ROS 7

whatever

Is this "very important" way of tracking people legal in your country? As far as I know iOS devices as well as the latest Android versions already randomize their mac address when probing for wifi networks as countermeasure to this kind of privacy violation.

whatever

This might be related to viewtopic.php?f=7&t=148263 !?
At least it sounds similar.

whatever

I have the same issue, forcing channel reselect is enough to revive the 5GHz interface. I'm using a low channel reselect interval as workaround.

Edit: I'm running only hap ac2 units with local forwarding and one of them acting as capsman, no other hardware involved.

whatever

I think that's only possible without capsman.

whatever

You can only achieve that by setting password and vlan id per client MAC address. As you probably won't know all your guest's devices, you would have to set up an access rule for each of your private devices. I wouldn't recommend it, a second SSID is most likely the better solution.

whatever

So MIMO is broken in some way that prevent any speed gain from additional chains? Interesting observation, let's hope that this is reproducible and fixable by mikrotik.

whatever

Is it safe to downgrade from 6.44?
Edit: Did it, appears to work fine.

whatever

Once you start to change settings outside of quickset you should stop using quickset.

whatever

Are you 100% sure that your converter outputs standard Ethernet frames?

whatever

Personally, I get > 100Mbps using wAP AC + RB3011 running CAPsMAN, local forwarding.

But you shouldn't you expect > 500Mbps with three chains on 5GHz ac? I consider 100Mbps with that hardware pretty slow, that speed is already achievable with 2.4GHz dual chain n.

whatever

You really shouldn't try to use only local addresses and NAT with IPv6. If you want local addresses use them additionally to your public prefix. For public routable addresses enable IPv6 prefix delegation on your Fritz Box, add DHCPv6 client on your Fritz Box facing mikrotik interface to request pre...

whatever

Try local forwarding

whatever

How do you decide how fast your wireless speed is supposed to be? My hap ac2 802.11ac 2x2 speed with capsman and local forwarding is indeed about half of what you would expect from the standard under perfect conditions, until now I've been blaming it on cheap hardware and poor drivers. But consideri...

whatever

Are there still people dumb enough to expose winbox to anything but an isolated management vlan? Don't do it, the winbox protocol obviously is not designed to be secure.

whatever

Did you try to change your MAC address to something that doesn't look like mikrotik? Like use your phone mac and increment the last byte?

whatever

Local forwarding means the traffic is forwarded to a bridge on the cap itself, not on capsman. You can select the bridge in the cap settings on your cap.

whatever

In optimal conditions I get up to ~230 Mbit/s WiFi downstream with hap ac2 as AP on a 400 Mbit/s Internet Connection. 5 GHz, 80 Mhz channel (Ceee), dual chain, ac-only, 1-2m distance without any obstacles. It should be possible to achieve more than 400Mbit/s in this conditions (I maxed out 400 with ...

whatever

@Darman: if your device got infected you should reset it to factory defaults to ensure all the nasty stuff is removed.

whatever

You can raise the "antenna gain" setting on the 2.4GHz interface by some db, this will lower its tx power and cause most clients to prefer the now stronger 5GHz network.
However, this will also reduce your 2.4GHz signal range, so this "solution" isn't always feasible.

whatever

Afaik there is no way to change it. Other models like hap ac2 are similarly affected.

whatever

So do not make this big change in "long-term". This is not a bugfix, but a change in function....... I guess releasing a "new" version which doesn't respect country regulations might cause legal trouble. But a simple notice in the changelog wouldn't hurt either: "Make sure you are compliant with yo...

whatever

https://cxsecurity.com/issue/WLB-2018120151

Wow. Does every process in routeros run with unrestricted root privileges?

whatever

Thank you for that info, it's rather interesting that wifi is still usable with 36 sec update interval.
I really hope that the fix gets backported to long-term soon.

whatever

*) capsman - fixed "group-key-update" parameter not using correct units;

Can we get some details on this?
How was the parameter interpreted before this fix? Is the long-term release affected by the same bug? If yes: when can we expect a backport of this bugfix to long-term?

whatever

As already mentioned: You can only benefit from features which are supported by AP and client. If your client only supports 80 MHz with dual chain you will not benefit from all four chains which are available on the 4011.

whatever

It's highly unlikely that your dst-address=127.0.0.1 rule will match traffic to 192.168.0.1:5246. Try to use a dst-address-type=local src-address-type=local rule like documented at https://wiki.mikrotik.com/wiki/Manual:S ... in_CAPsMAN

whatever

RTSP or WDS is completely unrelated to your problem. I had some ARP issues that disappeared as soon as I set multicast-helper on the wireless interfaces to "full", you might try if that helps your usecase. In order to support your client devices in roaming you should rather lower the tx-power of you...

whatever

Didn't even know they were doing this, that's definitely something I'd like to turn off. +1

whatever

You dont!?
Nowadays the majority of websites uses https which is designed to be non-interceptable.

whatever

You don't. You can only toggle the QOS part, why do you want to disable it completely?

whatever

Shouldn't they have a WSUS server for centralized update management?

whatever

Changing identity to serial number via script should be possible.

whatever

That is not possible with the standard linux transmit hash policies for 802.3ad.
Thoughts: Why the hell would you want that???

whatever

Well, regex "79" does indeed match "179", etc., so the result you are experiencing is expected.
Try using "^" and "$" in your regexes to match beginning and end of your identity strings.

whatever

That's interesting, I guess the change happened with the switch to factory software 6.42+. I own several devices with factory software 6.40 and 6.41 and all of them have 233MB.

whatever

Has anyone ever received a unit with less than 230MB RAM?

whatever

While it's currently unavailable at all the large distributors, the smaller ones apparently have some stock left.

whatever

For local forwarding to work you got to setup your L2 network accordingly and configure the bridge to drop the traffic on the CAP.
Without local forwarding all your traffic will be tunneled (possibly encrypted) to the CapsMan, that's not a good idea on a device with low CPU power.

whatever

Try local forwarding

whatever

You have to set a different transmit hash policy on the Huawei router.

whatever

RSTP is enabled per default on the bridge. If you don't need it you may disable it in bridge settings.

whatever

RSTP
See https://wiki.mikrotik.com/wiki/Manual:S ... e_Protocol

whatever

My understanding is that per VLAN you need an associated bridge. You cannot have a single Bridge with multiple VLANs.

Your understanding is wrong, please read the manual.

whatever

If I remember correctly, the patch which dropped tile from the Linux Kernel explicitly stated, that nobody was using tile in current Kernels back then and that the vendors who are still shipping tile hardware had no interest in having it maintained for future Kernels. Therefore the chances that tile...

whatever

I think the device will always use the power input with the highest voltage. Having similar voltage on different inputs may cause flapping between them.

whatever

I think what you are asking for would negate any security benefits gained by using cap certificates in the first place.

whatever

Must have missed that, thank you for pointing it out.

whatever

How is it possible that I'm still able to login with my password after downgrading from 6.43.2 to 6.42.9? I thought 6.43 changed the authentication API in order to be able to save passwords as hashes and not as plaintext. However, the fact that I'm still able to login after downgrade to 6.42 clearly...

whatever

Try local forwarding (datapath) for even faster speed.

whatever

Agree its going to catch a few people out, but if you look at the link in my post 152 ( https://forum.mikrotik.com/viewtopic.php?p=688286#p687944 ) they are only €35 new, Are you using any of their products? They are offering 10GbE Multimode optics for 15€ while the competition is selling them for ...

whatever

Imho the lack of switch chip features could be neglected if you had the possibility to connect a "real" switch to the 10G port via a cheap cable. However, the lack of passive DAC support forces you to spend 100+€ for this connection instead of ~25€. Combining both these weaknesses into an otherwise ...

whatever

Footnote 4 says you can only use a SFP+ DAC at 10Gb

Doesn't it rather say that you cannot use passive SFP+ DAC at all? RB4011 seems to be the only Mikrotik SFP+ device which is incompatible with Mikrotik's own direct attach cables.

whatever

The only technical reason I can think of is, that the username is now part of the salt for the new password hashes. Otherwise it might just be a case of "not yet implemented".

whatever

Hi, do you know what wireless specs will this device have? How many chains on which bands?

2.4Ghz b/g/n, dual chain. See https://fccid.io/TV7PL64112ND

whatever

There's as slight bug in switch chip in IPQ4xxx which bit me and MT doesn't have a solution (yet).

What is the bug? Could you share some information?

whatever

One can argue about "router on a stick" SFP+ setup to lift possible limit to 15Gbps total, but i think those will not be numbers anyone is looking for.

Why not? That 15Gbps is exactly the number I'd expected to see as achievable benchmark limit for this block diagram.

whatever

https://forum.mikrotik.com/download/file.php?id=33451 Anybody else wondering why RB4011 CPU-throughput appears to be capped to 10Gbit/s? Assuming both Realtek GbE switchgroups are connected at 2.5Gbit/s each to the CPU (like RB1100AHx4), this leaves only 5Gbit/s possible thoughput for the 10GbE SFP...

whatever

1. Use physical security on your ports.
2. You cannot prevent anyone from using "your" SSID, but using WPA2+Radius authentification should prevent MITM.

whatever

Oh boy, it does look ugly with those rack-mount ears attached.

It's a pretty clever way of combining rack-mount capability and desktop case into the same product. Not exactly pretty, but very funktional; I like it.

whatever

No sensor.

whatever

It's the same as with every other 16 MB routeros device: The update is stored in RAM until installed. Just try it.

whatever

What happens if you try to upgrade?

whatever

You shouldn't use local passwords at all for this kind of deployment. Look into asymmetric crypto (ssh public keys) and/or centralized authentication (radius, etc).

whatever

Use system->resources->CPU and tools->profile to monitor CPU usage while running the speed test. Is any of the cores maxed out? If yes: find out what process causes the high cpu usage, try fasttrack, etc. If not: Check cables and interface speed. Are all the involved interfaces running at gigabit sp...

whatever

This has already been discussed here two weeks ago. The corresponding topics have been deleted/hidden, so it's probably not meant to be public yet.

whatever

Please stop calling ethernet over fibre "fibre channel", these are two different things.

whatever

It's rather a fcked up design than a bug, this is even documented in the wiki. Documentation suggests allowing "all" and forbidding every unwanted interface. This could easily be fixed by introducing an "allow local" setting. Link: https://wiki.mikrotik.com/wiki/Manual:Simple_CAPsMAN_setup#CAP_in_CA...

whatever

viewtopic.php?f=21&t=137572

whatever

But if I'm forced to connect a "real" switch anyway I can get all the ports i need from the switch. Want to connect three ISPs? Configure three ports on your switch on separate vlans and pass them through a "WAN" trunk to your router. Want multiple local networks? Separate them on your switch and pa...

whatever

Thank you for the confirmation. While I get that a router is expected to provide only limited switching features and has the necessary CPU power to perform certain things in software, I'm still confused by this decision. Why would I need 10+ ports on a router if it can't do proper vlan switching in ...

whatever

I'm looking for a way to do reverse path filtering for IPv6 in RouterOS. I request a dynamic pool via DHCPv6-PD on my WAN interface and use it to deploy separate /64 prefixes on local vlan interfaces. As far as I can tell, the only way to implement something like rp_filter for IPv6 would be a script...

whatever

You should really use the firewall to protect your management ports. Yes, there is a _very_ bad bug in old routeros versions, but it's only exploitable if you f*cked up your firewall rules. Only port accessible from the outside is the Winbox port and SSH custom port. But why are these accessible fr...

whatever

You should really use the firewall to protect your management ports. Yes, there is a _very_ bad bug in old routeros versions, but it's only exploitable if you f*cked up your firewall rules.

whatever

Imho you shouldn't be using telnet at all, not even in LAN. You shouldn't just firewall it but also disable the corresponding service.

whatever

According to https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features the Realtek switch chip used by RB1100AHx4 (and possibly also *future* RBs ;)) lacks a vlan table. Does that result in no way of doing vlan filtering in hardware on these devices? The idea, that a lot of the cheap low-end device...

whatever

Wouldn't it be much easier to delay the dhcp client execution on the rpi?

whatever

Try to disable hw-offload on your bridge ports. If the packets can be forwarded in hardware by the switch chip, they will never reach the cpu for filtering.

whatever

https://wiki.mikrotik.com/wiki/Manual:C ... figuration
Your datapath does not include local-forwarding=yes, therefore all your wifi traffic will be tunneled through capsman.

whatever

Edit: why no local forwarding?
I can easily max out 150 Mbit/s downstream with hap ac2 (no capsman) and iPhone 7.

whatever

Sounds like this: viewtopic.php?t=134538

whatever

Challenge-Response requires the device to have your password available in plain text, which is the reason why the latest winbox bug was able to leak your passwords, no matter how strong they were. The new login mechanisms allows the device to save only password hashes, even if an attacker manages to...

whatever

Did you disable fastpath/fasttrack? You should.

whatever

The Wiki (https://wiki.mikrotik.com/wiki/Manual:S ... in_CAPsMAN) suggests using

/ip firewall filter
add action=accept chain=input dst-address-type=local src-address-type=local

whatever

If you take a look at Google's IPv6 data , you will realize that IPv6 adoption in Latvia is negligible. Guess that's one of the reasons for its current state in RouterOS. On the other Hand, there are countries where Dual Stack (or DS-Lite) has become the default for most ISPs. Belguim is already at ...

whatever

Don't expose the mgmt interface to the internet? If you have to: use additional security features like port knocking and vpn.

whatever

Wow, thank you for the extensive reply and sorry for my late response. whatever - 1) Bridge VLAN filtering is not so easy to implement on these switch chips. ok, noted. 2) Which examples are missing vlan-header values? If you are talking about the hybrid port setup, then by default it is set to "lea...

whatever

Why don't you use a stateful firewall with connection tracking? The first packet of a TCP connection will always be "new", no need to reinvent the wheel by checking flags manually.

whatever

Current channel is beta only. If you don't like to participate in beta testing programme, stay in bugfix channel. My hAP ac² came preloaded with 6.41.3; am I really expected to downgrade to 6.40.8 if I wish to run non-beta software? I was under the impression, that "current" means stable, "bugfix o...

whatever

1. Switch Menu in Winbox is missing (hAP AC2 - 6.42.4).. Would be nice if someone else can confirm. 2. Configuring it via CLI works and HW offload is working Both confirmed. 3. New Bridge implementation is incomplete (at best) as documented in Wiki. As someone who just got a hAP ac² as his first Ro...

Search found 98 matches