MikroTik

whatever

Yep, show us your settings. Datapath should be something like

/caps-man datapath add client-to-client-forwarding=yes local-forwarding=yes name=xyz vlan-id=10 vlan-mode=use-tag

whatever

In local-forwarding mode you select the bridge on the cap itself in

/interface wireless cap
set bridge=...

.
I don't think you are able to select multiple bridges, use tagged vlans in datapath instead.

whatever

I agree, most clients should roam better without signal strength based access rules. Especially iPhones and newer Android devices have been optimized to do pretty good roaming decisions by themselves.

whatever

whatever

Yes. All ports in one bridge, configure vlan settings for bridge ports, enable bridge vlan filtering, create WAN interface as vlan interface with id 99 on top of the bridge itself.

whatever

That still leaves you 82% of CPU totally unused.

Well, it's a 4-core CPU. A single-threaded load can cause 100% usage on one of these cores and you will only see 25% global CPU usage.

whatever

Can a Windows PC get an IPv6 DNS server by SLAAC, RAVD?

Yes, Windows 10 supports this since version 1703.

whatever

ipv6 is dead https://www.google.de/ipv6/statistics.html One third of Google's users already use IPv6. Several minor countries like USA, India, Germany, France, etc. have already exceeded 40% adoption rate and are approaching 50%. So yes, IPv6 is very dead. We should ignore it and continue to use IP...

whatever

I ended replacing my hap ac² router with rb4011, so MikroTik's decision not to provide IPv6 Fasttrack even earned them some money this time. Should have switched vendors, but getting my existing config up and running within minutes was just too tempting... :( Now that I've already spent this money: ...

whatever

I'm currently using OpenWRT on my AC2 with ath10k ct smallbuffers driver

That is interesting. Did you perform some benchmarks to compare WiFi Speed between RouterOS and OpenWRT?
Is it possible to revert to RouterOS with included license?

whatever

32/64MB chips are very very cheap, but Mikrotik puts only 16MB. Why???

I guess because it's even cheaper.

whatever

You can use split horizon to isolate bridge ports. Be aware that this will disable hw acceleration on the bridge.
Why are you using local forwarding if you don't want to have local traffic?

whatever

just clear the rates= parameter in your capsman configurations

whatever

Why did you choose such an unconventional set of rates? Try the default rate-set instead.

whatever

You should always use different frequencies unless both APs are at least more than twice the signal range apart from each other.

whatever

I went from hAP ac² to RB4011iGS+RM in order to achieve gigabit speed IPv6 routing with stateful firewall, which isn't possible on hAP ac² due to the lack of IPv6 fasttrack. My workaround for the lack of hardware switching with vlan filtering is to use one of the switch groups with vlan filtering co...

whatever

*) arm - added support for automatic CPU frequency stepping for IPQ4018/IPQ4019 devices;

Is this comparable to "ondemand" scheduler from x86 linux? Any numbers on expected power savings when the device is idle?

whatever

Multicast-helper causes higher battery usage. If battery life is a concern you might want to disable it.

whatever

And I'm using CAPsMAN in order to optimize the roaming between devices, to avoid DHCP or negotiation during roaming. CAPSMAN does not optimize roaming on any way. It does not affect DHCP or any negotiations. 0 name="Rates" basic=24Mbps,36Mbps,48Mbps,54Mbps supported=24Mbps,36Mbps,48Mbps,54Mbps Why?...

whatever

How would you send out packets on this VLAN? Either you tag them, or you don't, it's mutually exclusive.

whatever

You are almost two years too late for that.

whatever

Is it possible for a Mikrotik router to receive a public IPv6 IP with SLAAC? I use SLAAC with the following settings that may be helpful for you: /ipv6 dhcp-client add add-default-route=yes comment="delgate ISP-assigned prefix" interface=\ ether1 pool-name=ipv6 prefix-hint=::/56 request=address,pre...

whatever

https://wiki.mikrotik.com/wiki/Manual:B ... _switching

whatever

in addidion to that what will be the max on 5Ghz for AC^2 ?

Expect about ~300 Mbps on a 2x2 client in the same room. Occasionally you may even see some peaks up to 400 Mbps.

whatever

Keep ubiquiti for Wi-Fi, replace USG with RB4011 for routing.
Mikrotik wifi will be considerably slower than ubiquiti, especially with capsman.
CRS devices are meant to be used as switches. They can do routing, but performance will be slow.

whatever

Same as the wireless interface setting without capsman: It allows you to add virtual interfaces to an existing physical wifi interface. Channel frequency etc. is inherited from master.
See https://wiki.mikrotik.com/wiki/Manual:I ... interfaces

whatever

I suggest using "/export terse" as it makes every line of the output executable on its own, without relying on previous lines.
(Of course, dependent objects still have to be created in the correct order.)

whatever

!) system kernel has been updated to version 5.6.3;

That is a really pleasant surprise. Never expected to see a 5.x kernel in ROS after TILE architecture has been removed from upstream Linux.

whatever

Put all three old IPs on the rb interface facing m and configure DNAT to the new IPs.

whatever

Add "connection-state=new".

whatever

That sounds like the right direction. Depending on the way you want to access your mgmt IP, you should include the bridge itself (=its CPU interface) into your vlan setup. If you put the IP directly on the bridge, you probably want to add it as untagged with pvid set. Another option is to create a v...

whatever

You have ether1 as bridge member, but still have vlan, IP and dhcp-client assigned to this single interface. That doesn't make sense, if you want ether1 as part of the bridge you should move any services assigned to it to the bridge itself. See https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switch...

whatever

Basic rates 12, 24 Supported rates 12 and up You should only do that, if your APs are very close to each other. My roaming experience has improved a lot after switching from basic 12,24 to basic 6,12,24: It allows the client to keep a stable connection to the old AP (at a low rate) while scanning f...

whatever

https://mikrotik.com/product/hex_s#fndtn-testresults Routing, 25 ip filter rules, 512 byte: 385.4 Mbps What did you expect? If you don't need the SFP Port and only use IPv4 you can get hap ac² , it will route gigabit with stateful IPv4 firewall and fasttrack enabled. If you need gigabit speed with I...

whatever

*) filesystem - fixed NAND memory going into read-only mode or becoming unstable over time;

Which previous versions are/were affected by this issue?

whatever

[...] but still would like to know what that maximum realistic throughput of these devices would be in an ideal situation. It think you already reached the maximum expectable single stream TCP throughput with mikrotik wifi. You might be able to get 10-20% improvements with careful tuning of paramet...

whatever

- i'm think that graph doesn't work properly cause it's empty

You have to enable resource graphing by adding a new rule under "Resource Rules" tab.

whatever

The CPU of your switch is too slow for capsman tunnel traffic. Try to enable local forwarding in datapath.

whatever

Why would CAPsMAN produce slower speeds?
Not sure, I suspect they are using 2048 in AMSDU, I got the exactly same speed by setting it to 2048 in wireless interface.

If that is really the reason, why doesn't mikrotik "fix" it?

whatever

For this usecase, you don't need to use bonding at all: On ESXi side assign both physical interfaces to same vSwitch, set 10G interface as active and 1G as standby. On your CRS just treat them as separate ports to the same networks, ESXi will handle failover on its own.

whatever

Hey, at least the 5 GHz interface is stable now, it used to be crashing regularly for more than a year. Another 1-2 years from now mikrotik wifi transfer speed might be up to what other vendors provide today. However, 200-300 Mbps wifi speed is already pretty ok in most situations. If you really nee...

whatever

Is that with or without capsman? What's your result with a single TCP stream?

whatever

Updated one of my hap ac² which is used as a switch and AP. No issues so far, I'm getting ~300 Mbps TCP download speed on a 5GHz 2x2 device while it used to be in the 200-250 Mbps range before (6.45.8 long-term). Still not as fast as the competition, but it looks like an improvement.

whatever

PS. And, by the way, band steering is an ugly hack, not a standard feature of any 802.11 standards.

Doesn't 802.11v allow band steering without hacks?

whatever

You cannot do VLAN filtering on the RTL8367 switch chip built into RB4011. It's a hardware limitation, see https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features . Either do it in software on the CPU (https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering) or use a separate...

whatever

The update-button will perform a reboot even if there is no update pending.

whatever

It would be really helpful, if the product page (https://mikrotik.com/product/) included IPv6 routing performance test results, to be able to estimate achievable IPv6 performance of a specific device before purchase.
Is it possible to provide this data, at least for the newer models?

whatever

RBGPOE does not require a switch!?

whatever

Disabling the firewall is not feasible in many situations. With firewall my hap ac2 can do about 940Mbps in IPv4 fasttrack but only close to 500 Mbps with IPv6. Even if I was willing to escape this limitation by switching to more powerful hardware: There are no official IPv6 routing performance benc...

whatever

See https://wiki.mikrotik.com/wiki/Manual:S ... in_CAPsMAN

whatever

I don't think anyone has ever been able to achieve more than 300Mbps single stream TCP throughput on 5GHz mikrotik ARM with capsman.

whatever

Can you achieve this speed with Capsman as well?

whatever

Maybe it's just a bug in RouterOS!?
To be honest, I never tried it without use-tag. I configured two SSIDs with different VLAN IDs and use-tag, hit ARP issues and found out I could make it work with multicast-helper.

whatever

Multicast helper is not about routing, it avoids wifi broadcast by translating any wifi bum traffic to unicast. I fixed my wifi ARP issues by enabling it and suggest that you at least give it a try.

whatever

Try setting multicast-helper to full on your WiFi interface.

whatever

The default was changed some versions ago from 100MBps to 1Gbps. Export lists every setting which differs from default, so every device which was initially configured with an old ROS Version will have the old default in export.
Just set it to 1G and it won't show up in export anymore.

whatever

If you don't want to use radius, you have to know the device's mac addresses.

whatever

I have been testing various LTE modems with v7 and was given access to debug some issues.

Is there any support for usb_modeswitch?

whatever

I don't readily have access to any other device that supports ext3 format or microSD cards. You don't have a PC? Unlikely. You don't have a microSD reader? There are very cheap USB devices. You don't use Linux on your PC? Boot a live Linux from USB stick. Once you have everything in place: Use dd t...

whatever

Why do you have your management ports exposed to the internet? Stop doing that.

whatever

I think 2.5G support from mikrotik is limited to 10G RJ45 hardware.

whatever

Mikrotik dhcpv6 server only supports prefix delegation, you cannot use it for managing IP addresses. Use SLAAC if possible.

whatever

My routing hap ac2 has cpu0 @ ~70% and cpu3 @ ~30% when running a single wget IPv6 download at 420 Mbit/s. I'm running latest long-term and would expect it to max out at 500-600 Mbit/s.

profile_ipv6-speedtest.png

whatever

I have successfully updated 4x hap ac², haven't noticed any issues yet. I'm curios to see if 5GHz wifi stability has really improved.

Edit: 5GHz is still crashing/disappearing, waiting for the latest beta changes to get backported.

whatever

*) wireless - improved IPQ4019, QCA9984, QCA9888 wireless interface stability;

Holy sh*t, I really hope that 5Ghz WiFi is stable now and we get this fix backported to long-term asap.

whatever

Your wifi signal might improve if you use the device in vertical orientation, it's always worth a try.

whatever

I think dual-concurrent implies that you can use both bands at the same time. In contrast, there are dual-band devices where you can only choose between either 2.4 ghz or 5ghz, but cannot use both in parallel.

whatever

Provided you will most likely build your network using dual-band APs what should happen for one network to go down while another to remain up? Unfortunately the 5GHz WiFi is unstable on devices like rb4011 or hap ac2 and the signal will crash/disappear from time to time. 2.4Ghz on the same devices ...

whatever

Are you using capsman? Do capsman interfaces honor ampdu settings on the cap?

whatever

Use multiple vlans to separate your stuff.

whatever

Yes, one capsman channel is actually more like a channel list and can have multiple frequencies.

whatever

Defining a channel in capsman does nothing until you refer to it in a configuration.

whatever

Your IP addresses are both assigned to ether2 which is part of the bridge, you probably meant to assign them to bride and ether5, like your dhcp servers.

Edit: 172.0.0.0/8 is not a private ip range!!! Don't use it on your LAN. Your configured netmask fucks up routing to any public 172.x.y.z IP.

whatever

I've tried enabling all rates, and I get the same result.

Expected result, i don't think you understand how basic rates are used.
Why do you want to use custom rates at all? Is there any issue with the default rateset?

PS: Try enabling only 12Mbps as basic rate.

whatever

You have disabled all basic rates!? I don't think that is a good idea.

whatever

This seems to be a common pattern, looks like it's pretty much impossible to achieve more than 250-300 Mbit/s real world single client throughput with Mikrotik ac WiFi.
In case you ever manage to break this limit please let me know how you did it

whatever

[Ticket#2019030922002071] CAP not correctly forwarding tagged vlan traffic towards wired network Glad it is not just me, I have the same issue effecting 1000's of units, if you disable the CAP and enable everything works again for a period of time and stops again. I have raised tickets with support...

whatever

New driver will be bundled with ROS 7

whatever

Is this "very important" way of tracking people legal in your country? As far as I know iOS devices as well as the latest Android versions already randomize their mac address when probing for wifi networks as countermeasure to this kind of privacy violation.

whatever

This might be related to viewtopic.php?f=7&t=148263 !?
At least it sounds similar.

whatever

I have the same issue, forcing channel reselect is enough to revive the 5GHz interface. I'm using a low channel reselect interval as workaround.

Edit: I'm running only hap ac2 units with local forwarding and one of them acting as capsman, no other hardware involved.

whatever

I think that's only possible without capsman.

whatever

You can only achieve that by setting password and vlan id per client MAC address. As you probably won't know all your guest's devices, you would have to set up an access rule for each of your private devices. I wouldn't recommend it, a second SSID is most likely the better solution.

whatever

So MIMO is broken in some way that prevent any speed gain from additional chains? Interesting observation, let's hope that this is reproducible and fixable by mikrotik.

whatever

Is it safe to downgrade from 6.44?
Edit: Did it, appears to work fine.

whatever

Once you start to change settings outside of quickset you should stop using quickset.

whatever

Are you 100% sure that your converter outputs standard Ethernet frames?

whatever

Personally, I get > 100Mbps using wAP AC + RB3011 running CAPsMAN, local forwarding.

But you shouldn't you expect > 500Mbps with three chains on 5GHz ac? I consider 100Mbps with that hardware pretty slow, that speed is already achievable with 2.4GHz dual chain n.

whatever

You really shouldn't try to use only local addresses and NAT with IPv6. If you want local addresses use them additionally to your public prefix. For public routable addresses enable IPv6 prefix delegation on your Fritz Box, add DHCPv6 client on your Fritz Box facing mikrotik interface to request pre...

whatever

Try local forwarding

whatever

How do you decide how fast your wireless speed is supposed to be? My hap ac2 802.11ac 2x2 speed with capsman and local forwarding is indeed about half of what you would expect from the standard under perfect conditions, until now I've been blaming it on cheap hardware and poor drivers. But consideri...

whatever

Are there still people dumb enough to expose winbox to anything but an isolated management vlan? Don't do it, the winbox protocol obviously is not designed to be secure.

whatever

Did you try to change your MAC address to something that doesn't look like mikrotik? Like use your phone mac and increment the last byte?

whatever

Local forwarding means the traffic is forwarded to a bridge on the cap itself, not on capsman. You can select the bridge in the cap settings on your cap.

whatever

In optimal conditions I get up to ~230 Mbit/s WiFi downstream with hap ac2 as AP on a 400 Mbit/s Internet Connection. 5 GHz, 80 Mhz channel (Ceee), dual chain, ac-only, 1-2m distance without any obstacles. It should be possible to achieve more than 400Mbit/s in this conditions (I maxed out 400 with ...

whatever

@Darman: if your device got infected you should reset it to factory defaults to ensure all the nasty stuff is removed.

whatever

You can raise the "antenna gain" setting on the 2.4GHz interface by some db, this will lower its tx power and cause most clients to prefer the now stronger 5GHz network.
However, this will also reduce your 2.4GHz signal range, so this "solution" isn't always feasible.

whatever

Afaik there is no way to change it. Other models like hap ac2 are similarly affected.

whatever

So do not make this big change in "long-term". This is not a bugfix, but a change in function....... I guess releasing a "new" version which doesn't respect country regulations might cause legal trouble. But a simple notice in the changelog wouldn't hurt either: "Make sure you are compliant with yo...

whatever

https://cxsecurity.com/issue/WLB-2018120151

Wow. Does every process in routeros run with unrestricted root privileges?

whatever

Thank you for that info, it's rather interesting that wifi is still usable with 36 sec update interval.
I really hope that the fix gets backported to long-term soon.

whatever

*) capsman - fixed "group-key-update" parameter not using correct units;

Can we get some details on this?
How was the parameter interpreted before this fix? Is the long-term release affected by the same bug? If yes: when can we expect a backport of this bugfix to long-term?

whatever

As already mentioned: You can only benefit from features which are supported by AP and client. If your client only supports 80 MHz with dual chain you will not benefit from all four chains which are available on the 4011.

whatever

It's highly unlikely that your dst-address=127.0.0.1 rule will match traffic to 192.168.0.1:5246. Try to use a dst-address-type=local src-address-type=local rule like documented at https://wiki.mikrotik.com/wiki/Manual:S ... in_CAPsMAN

whatever

RTSP or WDS is completely unrelated to your problem. I had some ARP issues that disappeared as soon as I set multicast-helper on the wireless interfaces to "full", you might try if that helps your usecase. In order to support your client devices in roaming you should rather lower the tx-power of you...

whatever

Didn't even know they were doing this, that's definitely something I'd like to turn off. +1

whatever

You dont!?
Nowadays the majority of websites uses https which is designed to be non-interceptable.

whatever

You don't. You can only toggle the QOS part, why do you want to disable it completely?

whatever

Shouldn't they have a WSUS server for centralized update management?

whatever

Changing identity to serial number via script should be possible.

whatever

That is not possible with the standard linux transmit hash policies for 802.3ad.
Thoughts: Why the hell would you want that???

whatever

Well, regex "79" does indeed match "179", etc., so the result you are experiencing is expected.
Try using "^" and "$" in your regexes to match beginning and end of your identity strings.

whatever

That's interesting, I guess the change happened with the switch to factory software 6.42+. I own several devices with factory software 6.40 and 6.41 and all of them have 233MB.

whatever

Has anyone ever received a unit with less than 230MB RAM?

whatever

While it's currently unavailable at all the large distributors, the smaller ones apparently have some stock left.

whatever

For local forwarding to work you got to setup your L2 network accordingly and configure the bridge to drop the traffic on the CAP.
Without local forwarding all your traffic will be tunneled (possibly encrypted) to the CapsMan, that's not a good idea on a device with low CPU power.

whatever

Try local forwarding

whatever

You have to set a different transmit hash policy on the Huawei router.

whatever

RSTP is enabled per default on the bridge. If you don't need it you may disable it in bridge settings.

whatever

RSTP
See https://wiki.mikrotik.com/wiki/Manual:S ... e_Protocol

whatever

My understanding is that per VLAN you need an associated bridge. You cannot have a single Bridge with multiple VLANs.

Your understanding is wrong, please read the manual.

whatever

If I remember correctly, the patch which dropped tile from the Linux Kernel explicitly stated, that nobody was using tile in current Kernels back then and that the vendors who are still shipping tile hardware had no interest in having it maintained for future Kernels. Therefore the chances that tile...

whatever

I think the device will always use the power input with the highest voltage. Having similar voltage on different inputs may cause flapping between them.

whatever

I think what you are asking for would negate any security benefits gained by using cap certificates in the first place.

whatever

Must have missed that, thank you for pointing it out.

whatever

How is it possible that I'm still able to login with my password after downgrading from 6.43.2 to 6.42.9? I thought 6.43 changed the authentication API in order to be able to save passwords as hashes and not as plaintext. However, the fact that I'm still able to login after downgrade to 6.42 clearly...

whatever

Try local forwarding (datapath) for even faster speed.

whatever

Agree its going to catch a few people out, but if you look at the link in my post 152 ( https://forum.mikrotik.com/viewtopic.php?p=688286#p687944 ) they are only €35 new, Are you using any of their products? They are offering 10GbE Multimode optics for 15€ while the competition is selling them for ...

whatever

Imho the lack of switch chip features could be neglected if you had the possibility to connect a "real" switch to the 10G port via a cheap cable. However, the lack of passive DAC support forces you to spend 100+€ for this connection instead of ~25€. Combining both these weaknesses into an otherwise ...

whatever

Footnote 4 says you can only use a SFP+ DAC at 10Gb

Doesn't it rather say that you cannot use passive SFP+ DAC at all? RB4011 seems to be the only Mikrotik SFP+ device which is incompatible with Mikrotik's own direct attach cables.

whatever

The only technical reason I can think of is, that the username is now part of the salt for the new password hashes. Otherwise it might just be a case of "not yet implemented".

whatever

Hi, do you know what wireless specs will this device have? How many chains on which bands?

2.4Ghz b/g/n, dual chain. See https://fccid.io/TV7PL64112ND

whatever

There's as slight bug in switch chip in IPQ4xxx which bit me and MT doesn't have a solution (yet).

What is the bug? Could you share some information?

whatever

One can argue about "router on a stick" SFP+ setup to lift possible limit to 15Gbps total, but i think those will not be numbers anyone is looking for.

Why not? That 15Gbps is exactly the number I'd expected to see as achievable benchmark limit for this block diagram.

whatever

https://forum.mikrotik.com/download/file.php?id=33451 Anybody else wondering why RB4011 CPU-throughput appears to be capped to 10Gbit/s? Assuming both Realtek GbE switchgroups are connected at 2.5Gbit/s each to the CPU (like RB1100AHx4), this leaves only 5Gbit/s possible thoughput for the 10GbE SFP...

whatever

1. Use physical security on your ports.
2. You cannot prevent anyone from using "your" SSID, but using WPA2+Radius authentification should prevent MITM.

whatever

Oh boy, it does look ugly with those rack-mount ears attached.

It's a pretty clever way of combining rack-mount capability and desktop case into the same product. Not exactly pretty, but very funktional; I like it.

whatever

No sensor.

whatever

It's the same as with every other 16 MB routeros device: The update is stored in RAM until installed. Just try it.

whatever

What happens if you try to upgrade?

whatever

You shouldn't use local passwords at all for this kind of deployment. Look into asymmetric crypto (ssh public keys) and/or centralized authentication (radius, etc).

whatever

Use system->resources->CPU and tools->profile to monitor CPU usage while running the speed test. Is any of the cores maxed out? If yes: find out what process causes the high cpu usage, try fasttrack, etc. If not: Check cables and interface speed. Are all the involved interfaces running at gigabit sp...

whatever

This has already been discussed here two weeks ago. The corresponding topics have been deleted/hidden, so it's probably not meant to be public yet.

whatever

Please stop calling ethernet over fibre "fibre channel", these are two different things.

whatever

It's rather a fcked up design than a bug, this is even documented in the wiki. Documentation suggests allowing "all" and forbidding every unwanted interface. This could easily be fixed by introducing an "allow local" setting. Link: https://wiki.mikrotik.com/wiki/Manual:Simple_CAPsMAN_setup#CAP_in_CA...

whatever

viewtopic.php?f=21&t=137572

whatever

But if I'm forced to connect a "real" switch anyway I can get all the ports i need from the switch. Want to connect three ISPs? Configure three ports on your switch on separate vlans and pass them through a "WAN" trunk to your router. Want multiple local networks? Separate them on your switch and pa...

whatever

Thank you for the confirmation. While I get that a router is expected to provide only limited switching features and has the necessary CPU power to perform certain things in software, I'm still confused by this decision. Why would I need 10+ ports on a router if it can't do proper vlan switching in ...

whatever

I'm looking for a way to do reverse path filtering for IPv6 in RouterOS. I request a dynamic pool via DHCPv6-PD on my WAN interface and use it to deploy separate /64 prefixes on local vlan interfaces. As far as I can tell, the only way to implement something like rp_filter for IPv6 would be a script...

whatever

You should really use the firewall to protect your management ports. Yes, there is a _very_ bad bug in old routeros versions, but it's only exploitable if you f*cked up your firewall rules. Only port accessible from the outside is the Winbox port and SSH custom port. But why are these accessible fr...

whatever

You should really use the firewall to protect your management ports. Yes, there is a _very_ bad bug in old routeros versions, but it's only exploitable if you f*cked up your firewall rules.

whatever

Imho you shouldn't be using telnet at all, not even in LAN. You shouldn't just firewall it but also disable the corresponding service.

whatever

According to https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features the Realtek switch chip used by RB1100AHx4 (and possibly also *future* RBs ;)) lacks a vlan table. Does that result in no way of doing vlan filtering in hardware on these devices? The idea, that a lot of the cheap low-end device...

whatever

Wouldn't it be much easier to delay the dhcp client execution on the rpi?

whatever

Try to disable hw-offload on your bridge ports. If the packets can be forwarded in hardware by the switch chip, they will never reach the cpu for filtering.

whatever

https://wiki.mikrotik.com/wiki/Manual:C ... figuration
Your datapath does not include local-forwarding=yes, therefore all your wifi traffic will be tunneled through capsman.

whatever

Edit: why no local forwarding?
I can easily max out 150 Mbit/s downstream with hap ac2 (no capsman) and iPhone 7.

whatever

Sounds like this: viewtopic.php?t=134538

whatever

Challenge-Response requires the device to have your password available in plain text, which is the reason why the latest winbox bug was able to leak your passwords, no matter how strong they were. The new login mechanisms allows the device to save only password hashes, even if an attacker manages to...

whatever

Did you disable fastpath/fasttrack? You should.

whatever

The Wiki (https://wiki.mikrotik.com/wiki/Manual:S ... in_CAPsMAN) suggests using

/ip firewall filter
add action=accept chain=input dst-address-type=local src-address-type=local

whatever

If you take a look at Google's IPv6 data , you will realize that IPv6 adoption in Latvia is negligible. Guess that's one of the reasons for its current state in RouterOS. On the other Hand, there are countries where Dual Stack (or DS-Lite) has become the default for most ISPs. Belguim is already at ...

whatever

Don't expose the mgmt interface to the internet? If you have to: use additional security features like port knocking and vpn.

whatever

Wow, thank you for the extensive reply and sorry for my late response. whatever - 1) Bridge VLAN filtering is not so easy to implement on these switch chips. ok, noted. 2) Which examples are missing vlan-header values? If you are talking about the hybrid port setup, then by default it is set to "lea...

whatever

Why don't you use a stateful firewall with connection tracking? The first packet of a TCP connection will always be "new", no need to reinvent the wheel by checking flags manually.

whatever

Current channel is beta only. If you don't like to participate in beta testing programme, stay in bugfix channel. My hAP ac² came preloaded with 6.41.3; am I really expected to downgrade to 6.40.8 if I wish to run non-beta software? I was under the impression, that "current" means stable, "bugfix o...

whatever

1. Switch Menu in Winbox is missing (hAP AC2 - 6.42.4).. Would be nice if someone else can confirm. 2. Configuring it via CLI works and HW offload is working Both confirmed. 3. New Bridge implementation is incomplete (at best) as documented in Wiki. As someone who just got a hAP ac² as his first Ro...

Search found 167 matches