MikroTik

joshhboss

This was exactly whaat I was looking for.. thanks for this !!

joshhboss

Yes you are right.. Ok so we are just waiting for an update? should still work ok right.. im using these guys everywhere with that firmware at the moment

joshhboss

I go to try and check if I can find what ports my APs are connected to, and it doesn't let me, I was wondering if anyone has seen this error before.. Im on firmware version 2.18

ERROR: SyntaxError: Unexpected token ')'. Expected either a closing ']' or a ',' following an array element.

joshhboss

SO I have my fail-over that is check on 1.1.1.1 and it is set to use the gateway address of ISP1.. but what im noticing is that is gateway for ISP1 is reachable from anywhere on the internet, so when that interface link went down.. it look like the net watch rule kept enabling and disabled, because ...

joshhboss

Wait I can use torch.. so that is pretty cool.. Sorry im almost to much of a newbie for such a heavy duty device like the 2116 lol

joshhboss

I got the same. My advice is; - search for specific subnet, (by using Y next to the comment), or - user terminal Well ok I was able to get some results with.. /ip firewall/connection/print where src-address~"10.130." but I was wondering if it were possible to sort them by the ones using t...

joshhboss

I got the same.
My advice is;
- search for specific subnet, (by using Y next to the comment), or
- user terminal

Im sorry could you maybe give me the exact command for that..

something like this maybe

/ip/firewall/connection> print where src-address~"10.130.0.0/22"

joshhboss

So this is the first event where I have put the entire load of the event on just one router. But it is the 2116 so I thought that it wouldn't be an issue. Have around 1900 clients connected and the network is running fine, but when I went to kind of check how many connections there were.. I get this...

joshhboss

No I think its pretty known that the CRS3X series with HW offload.. just dont do loop protect or storm control well.. But scripting kind of lets you do something about it yourself. I like that.. I mean the email come in like crazy but at an event I can react to the emails

joshhboss

Just bear in mind that the post you've quoted is more than 4 years old, so maybe RouterOS 7 has changed something about it. Not that I would give it too much chance. Im still on 6.49 but we are going into an event right now so im nervous to make the change but my next event isnt until Mid march so ...

joshhboss

Went a step beyond and added an email to it..

joshhboss

So since the CRS3XX series switches do not really do loop protect and ive tested the storm control feature and it does not work good at all. I thought of asking the Globally hated ChatGPT to check logs for a message with "probably a loop" and then act on that message and so far it seems to...

joshhboss

Just bear in mind that the post you've quoted is more than 4 years old, so maybe RouterOS 7 has changed something about it. Not that I would give it too much chance. I just tested this.. to check the logs and look for "probably a loop" and shut down the interface where it came from.. migh...

joshhboss

Ok this seems to be working for now.. lol.. I tried putting this on the Core switch and then testing on one of the switches out in the event.. the scheduler has it running every 30 seconds.. but I did get an email before anything went haywire.. but I did see on the CRS318 were I create the loop, rap...

joshhboss

So while testing here at an event where we provide wifi, I was tasked with handing out some internet on Untagged Access Ports, now what scares me at events like this sometimes.. is people like to bring their own stuff and when you leave they grab the cable you gave them and add a switch of some sort...

joshhboss

Just bear in mind that the post you've quoted is more than 4 years old, so maybe RouterOS 7 has changed something about it. Not that I would give it too much chance. Im still on 6.49 but we are going into an event right now so im nervous to make the change but my next event isnt until Mid march so ...

joshhboss

So if you can make sure that you use the same pvid on all Ethernet ports belonging to the same bridge, you are fine to use loop-protect on those Ethernet ports. If you need to use the same VLAN tagged on some ports of a bridge and tagless on other ports of the same bridge, the loop-protect mechanis...

joshhboss

I was hoping to get a little help with something.. Now I already know that spanning tree can get super complicated and should take a lot of consideration and planning. Now I know I dont know much but id like to get some real world experience giving the situation im in at the moment. And im will to t...

joshhboss

Try ingress ACL to apply the limits, i made some test with 7.6 on CRS 317 and looks like it worked Sorry I was kind of look for these specific commands to write the ACLs.. you did mentioned that you got them to work.. I didnt notice that in the post I created.. Sorry maybe im just barking up the wr...

joshhboss

i think currently there is no solution for that as stated on another related topic https://forum.mikrotik.com/viewtopic.php?t=193356#p982830 Maybe in some future when Hardware QoS be fully operative, currently appears to be a work in progress, as always there is no deadline defined for this develop...

joshhboss

For simple queues to work you have to disable HW offload on upstream interface (sfp-sfpplus16). But beware that this will severely load CRS's main CPU and will limit max throughput via that interface possibly to less than 1Gbps depending on traffic patterns (check test results of your device, you'r...

joshhboss

Try ingress ACL to apply the limits, i made some test with 7.6 on CRS 317 and looks like it worked Could you please show an example im having the same problem.. and handing off a port tomorrow for a client that is strictly a layer2 hand off.. So no router involved.. and I cant get the Ingress rate ...

joshhboss

Well done! Thanks for sharing solution!!

How exactly did you do this ? I try and do ingress/egress rates on the ports and they just preform horribly.. I mean the egress I ok.. but the ingress doesnt match at all.

joshhboss

I am having an issue.. I do events and at times we have to ration out internet at certain rates.. I was at first going to use the Router (CCR2116) to handle Queues.. But it turns out that im just going to Layer2 them one of the publics.. So now that is not an option.. I did try and Use the egress/in...

joshhboss

On some of the CRS326's I have I dont know if it's the revision, but the latest stable is 6.49. and I might be able to upgrade. but not being on stable scares me. I did try and switch the link negotiation and force it to 1gig to my router.. which matches the negotiation where I 1gig connected to the...

joshhboss

I know I keep writing on my own post.. but does this maybe have something to do with the 10 gig links and the 1gig wan. I think ive read somewhere that, those things could present issues sometimes. I dont I feel braindead

joshhboss

Yet these are my results? I dont get it..

SO the hell are these drops?!

joshhboss

Ive tried to post on this topic before .. this odd "Tx-DROP" counter on my CRS3X switches.. I see them all the time. Now in this case I do have a 1 gig internet connection that im Accepting on a NetFiber Crs310-in on the copper port, from what I understand it is connected to the switch chi...

joshhboss

the entire switch config.. incase that helps understand what I might being accidentally right or wrong. /interface bridge add comment=defconf dhcp-snooping=yes name=bridge vlan-filtering=yes /interface ethernet set [ find default-name=ether1 ] comment=defconf set [ find default-name=ether2 ] comment...

joshhboss

Sooo I ended up changing the access points to the VLANs and then setting ports to Admit-only-vlan-tagged.. but now they dont show up on /ip neighbor print. Did you adjust discover-interface-list (and/or interface list membership)? Under /ip/neighbor/discovery-settings/ ... So it has been set to &qu...

joshhboss

AFAIK adding bridge filters on CRS3xx drops L2 HW offload. On those switches one should be using ACLs under /interface ethernet switch rule . I'd go with VLANs though, makes adding devices (or moving them between switches) so much easier. Sooo I ended up changing the access points to the VLANs and ...

joshhboss

AFAIK adding bridge filters on CRS3xx drops L2 HW offload. On those switches one should be using ACLs under /interface ethernet switch rule . I'd go with VLANs though, makes adding devices (or moving them between switches) so much easier. Sooo I ended up changing the access points to the VLANs and ...

joshhboss

AFAIK adding bridge filters on CRS3xx drops L2 HW offload. On those switches one should be using ACLs under /interface ethernet switch rule . I'd go with VLANs though, makes adding devices (or moving them between switches) so much easier. lol that’s what I’ll do .. on the ubiquiti controller that w...

joshhboss

I was curious.. I have access points from ubiquiti that will be connecting to the network on a vlan but the vlan will be untagged on the ports.. so I was wondering if there were maybe bridge filter rules that would drop all over the devices that dont match like the first 3 sets of the Mac address of...

joshhboss

Devices can't be downgraded below factory version. Apparently new revision has some chip changes that can only work with v7 kernel. So there is nothing you can do to run v6. Can you still flashFig between different revision switches.. Ive been configuring a CRS326-24S+2Q+ and set the stable channel...

joshhboss

Backup script to send config to Gmail account. # # Created Jotne 2023 v1.6 # # 1.6 Fixed script for x86 devicews (Credit rextended) # 1.5 Fixed for router missing serial # 1.4 Added Router OS version # 1.3r Revised by rextended # 1.3 / 1.2 try to fix v6/v7 compability # 1.1 added "show-sensiti...

joshhboss

but would self heal after about 10 to 15 seconds (in the worse cases) Netwatch takes time to detect, that is somewhat controllable. But it also takes some time for the client to detect the problem, which is not controllable. Basically an app needs to timeout – just dropping the connection does not ...

joshhboss

Thank you!!

joshhboss

So using .ids will execute the commands faster ? and they wont change if the tables receive new routes ? If route is static and you only edit them, then .id is stable. Essentially the .id is assigned by the /ip/route/add — so if you remove it, and then add same again, only then will it get a new .i...

joshhboss

Also, if you have static routes for you WAN, you can use the .id (/ip/route/print show-ids) of the route instead of a /ip/route/find. i.e. /ip route enable [find where comment=WAN1-21] If you don't have a lot of routers, it's likely insignificant compared with TCP re-establishments. But find ain't ...

joshhboss

was wondering if doing this in any way breaks fast track before im using Mangle (even tho that particular network, I have rules above that are capturing those packets before fast track, but just kind want to know.) Going out a WAN is already going to "break" fasttrack (and not covered by ...

joshhboss

I have a failover working with netwatch rules and ive been trying to mess around with a way to break the connections tied to specific WANs so that when the failover happens I can swiftly break all the connections only tied to the WAN that failed I'll add my forward chain rules.. routes.. mangle and ...

joshhboss

I was working with my switch and was having trouble getting a link so I force negotiated and then it worked but, now since then.. On Auto-negotiate I can not get the link light on the physical switch to work but the link itself is ok ?>

Anyone ever had this issue.. ?

ROS - v6.48.6

joshhboss

I do not set the separator out of scope, it is you who did not copy the { }, if there are, there must be a reason. It is logical that it gives you error if you do not copy exactly. {... :if ($i = 0) do={ :set separator "," } ^--- this is a clue you did not put { at the beginning for add a...

joshhboss

Given the continued ingratitude of the forum's administrative staff, I will stop. Did it cost so much to admit that, even if in good faith, the moderator had been wrong? Someone will finally celebrate this event and be happy (is not one allusion for the administrative staff). I feel sorry for the o...

joshhboss

I use these in PTMP deployments as well, with OmniTik 5AC's as the 5GHz AP and its POE out powering a couple of wAP60's at half of my MikroTik-based sites. The rest are 60GHz-only to wAP60's. The bond on the CPE side is active/passive, with the 60GHz as primary, and all of the AP's (5GHz + 60GHz) i...

joshhboss

nooooooo... lol damn im really trying to get this 60 with 5ghz failover to work.. so what happened.. they would just reboot over and over throughout the day.. ?

joshhboss

Seemed OK on the test bench, although we know test bench != the real world. Yeah, about that.....now it's installed my CubeSA 60Pro ac has rebooted 7 times so far today, max uptime is 33 minutes. It seems like weak stations will cause repeated reboots. Going to try 7.10rc! How is this working out ,...

joshhboss

Now I did do my research !! and found this link here that kind of led me to what I feel is a working setup for these (3) 60G AC Cubes.. working as a 60ghz PTMP with 5gz FailOver.. https://forum.mikrotik.com/viewtopic.php?p=998884#p998884 I did have some issues getting things to work with the Master ...

joshhboss

DOnt know if I need to tick "Drop" or not but this rule is in place to not forward CDP or PVSTP Packets..

joshhboss

I need to turn this into a ACLs in SWOS and I feel a little confused /interface ethernet switch rule add comment=Cisco-PVSTP dst-mac-address=01:00:0C:CC:CC:CD/FF:FF:FF:FF:FF:FF new-dst-ports="" ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,eth...

joshhboss

Im seeing this and still dont understand why.
I think I found the same post on reddit that you posted.. I replied to that one as well

joshhboss

I was once told not to worry about the TX Drops, I will search this reply...

Find anything ?

joshhboss

Thank you.. I’ve been losing my mind over this ..

joshhboss

Im going to first like my original post.. https://forum.mikrotik.com/viewtopic.php?t=203237 But ummm I ended up just for the sake of it checking basically every CRS I have out in the wild.. and they span across 6.48.. 7.0.. 7.12.1... I mean everywhere lol.. and I have CRS317, CRS310, CRS328, the com...

joshhboss

would tx or rx flow control help ?

joshhboss

I am working an event and I wanted to link all my switches with 10gig off of my RB5009.. so I have 1 gig internet and im using the 10 gig SFP+ to connect to a CRS310 to connect to other switches. Now im using all the ports on the LAN side.. so all 4 SFP+ ports (@ 10gig) and all 5 1gig ports (@1gig)....

joshhboss

Sorry I feel like im rambling on my own post.. but I wonder.. what actually happens if/after the internet connection is actually down and now the internet failover taking place.. im going to need to lab this to see the behavior of all this once the internet fails and how the markings along with fail...

joshhboss

Tried this.. add address=10.0.0.0/8 list=LocalNetworks add address=172.16.0.0/12 list=LocalNetworks add address=192.168.0.0/16 list=LocalNetworks /ip firewall mangle add action=mark-connection chain=prerouting comment="Mark New Packets " connection-mark=no-mark connection-state=new \ dst-a...

joshhboss

I hope I can get some eyes on this to tell me more or less if it might work.. So I was just thinking about adding these mangles for each network and how I decide to split the WANs add action=mark-connection chain=prerouting comment="Mark New Packets " connection-mark=no-mark connection-sta...

joshhboss

Wow thank you completely understand the situation im in and have got me looking in a new direction..

Thank you so much

joshhboss

So I have these two netwatch rules designed to trigger failover for two different ISP that each get used for Primary WANs on different sets of routing rules /tool netwatch add comment="Internet Test 1.1.1.1" disabled=no down-script="/ip route disable [find where comment=WAN1]\r\ \n/ip...

joshhboss

Classic "Watts = Volts * Amps" problem. Both HEX-POE & Unifi-U6LR support up to 57V passive PoE. The HEX is limited to 450mA (e.g. 0.45 amp), and with 48V power supply, that mean each port has 21 watts max. (https://i.mt.lv/cdn/product_files/hEX__poe_190723.pdf) The spec for Ubiquiti ...

joshhboss

I'll note the HEX POE's bigger downside, IMO, is not the PoE output. It's a MIPSBE device. So no Container or ZeroTier & Mikrotik has focused more on ARM in V7. I wish I could budget in an RB5009 with POE.. Ive been using the L009 and its been pretty decent.. if it had some more POE flexibility...

joshhboss

I was hoping that 802.3at would be the same on both but I do admit it I dont feel comfortable

joshhboss

I am planning on installed a HEX POE for a client, but the client is pretty remote.. It'll be something simple just the HEXPOE and a ubiquiti Long Range Access point but it's a pretty hefty Access Point. I was hoping to just buy the Mikrotik 48V1.4AMP power supply to power it from the router itself....

joshhboss

I mainly got these switches because we do a lot of events in south Florida and we typically put the switches out side during these events.. we tried using other switches before but just always had over heating problems. I thought that this was going to be the solution. while I admit I can not be Sur...

joshhboss

But I noticed even with those rules enabled and the ports set to edge, when I click on the status page I see saw that it was checked on SENDING RTSP. Unfortunately, sending-rstp shows yes even on a port that is configured as edge=yes and sniffing shows that indeed no BPDUs are sent out via that por...

joshhboss

Until someone comes with a better solution, I recommend you to use bridge filter to drop packets with destination MAC address 01:80:C2:00:00:00 which come in through that physical interface. As the bridge filter permits filtering by specific STP fields, I deduce that the filter acts before the STP ...

joshhboss

I was curious, even tho ive never had a problem in the past.. I do festival and event wifi, and for years now ive always just handed down public dns servers to the clients so kind of relieve stress off the routers. I have been experimenting with other ideas to do DNS in house, but at the moment I do...

joshhboss

I think this sounds like something you could do with output mangle rules. something like.. /ip firewall mangle add action=mark-routing chain=output comment="Ping Through WAN2" \ new-routing-mark=useWAN2 passthrough=no protocol=icmp first creating routing table useWAN2 and in that table mak...

joshhboss

You didn't show what kind of sills you installed. It will be triggered when any threshold is reached. If you claim to have observed an average ping of 600ms, you can set such thresholds. Screenshot_31.jpg Then the main indicator will be 85% packet loss. If false alarms continue, increase the thresh...

joshhboss

I tried those values, thank you again for engaging, been battling this for a few weeks now, im already seeing a massive improvement. now I feel better on how I should play around with this more.

joshhboss

Now here is one that is a failure along with how the ping looks from the terminal, is ping from the terminal now a safe way to gauge how to configure netwatch ?

joshhboss

still triggering down and I have the thr. avg at 600.00 ms..

I dont understand

joshhboss

Thank you so much. What a critical piece of information that I did not know and I guess maybe I glossed over when trying to figure this out. I felt that it was triggered by any of the values that were declared. Now knowing it’s the “Avg” I can adapt to that. Really appreciate it. I’ll make the chang...

joshhboss

I can not get netwatch to work properly.. im using a starlink and a cellular netgear hotspot to a L009 on 7.11.12 and netwatch is just the most unreliable thing ive ever seen.. 1 ;;; Internet Test - WAN1 host=1.1.1.1 type=icmp interval=15s up-script=/ip route enable [find where comment=WAN1] down-sc...

joshhboss

Just wanted to add what im seeing..

The ping terminal shows no packet loss but the netwatch rules is reporting a drop.. WTH

joshhboss

So I have some bad experiences with recursive routes and an event I was working about 2 weeks ago. the internet worked but would constantly break any connections that ran for more than a few moments (so downloads would break after a few moments. but all new POS connections seemed to always work). I ...

joshhboss

https://forum.mikrotik.com/viewtopic.php?t=200521 Ok what I thought before was just some issue with the iperf testing looks like the connections are being killed really quickly when using the wan connection im currently using. But now when I started a longer download. it just kills it after it is r...

joshhboss

I have some ports that I noticed whenever we plugged in Access points that they would not come up and the port would then say Short Circuit, we troubleshoot the cable and its good.. then just moving the cable to a different port. Powers up perfect and it's a full gig connection. we are using the mk ...

joshhboss

With a 53V power supply, then we get these values: Per port: 53*0.6 = 31.8W Per group of 8 ports (1-8 and 9-16): 53*1.4 = 74.2W For the whole switch: 53*2.8 = 148.4W Because the whole switch limit is less than the power supply limit, the power supply will never be an limiting factor. Does this look ...

joshhboss

If im using the 53v Power supply from mikrotik,

MTP250-53V47-OD

What is the most I can get per port. and a total when referring to watts.

Sorry still working on understand electrical jargon.

joshhboss

I cleared the tracking table and now it seems to be fine, even with the recursive tables.. but so weird how it happened like that in the first place Edit.. Scratch that it keeps happening, Ive tried other speed test sites to run for longer times.. for about 120seconds at a time.. and it just stops a...

joshhboss

So I have 2 internet connections and I was trying to set up 2 tables to have a way to set some networks to use one wan and another to use another, all with tables that were using recursive routes.. I first noticed some weirdness when I tried to do some test with my iperf server in the cloud.. kept g...

joshhboss

I have used these SFPs with these switches before but I was always running on ROSv6.. Now after 7.11.2 somethings are weird. When I do a "show int trans detail" on my cisco switch that is connected to CRS328. It should me tx and rx power.. Link shows full duplex on both ends. Any idea guys...

joshhboss

(201|2[0-9][2-9]|290) = 201, 290, and all 2x2..2x9, so 200, 210, 211, 220, 221, ... , 280, 281, 291 are ignored, but also 292..299 are considered. from 201 to 290 = (20[1-9]|2[1-8][0-9]|290) ChatGPT = no further help. Tell me what you think of this.. I think it was pretty clever this approach to re...

joshhboss

Im trying to just basically remove a bulk of vlans from a single interface and ive been fighting with this command for hours already.. set [find where vlan-ids~"(201|2[0-9][2-9]|290)"] tagged=sfp1,sfp2,sfp3,sfp4,sfp5,sfp6,sfp7,sfp8,sfp9,sfp10,sfp11,sfp12,sfp13,sfp14,s fp15,sfp16,sfp17,sfp1...

joshhboss

Ok I think I got it.. GPT helped out.. Absolutely, let me break it down for you! /interface bridge vlan: This is the command that tells the router you're working with VLAN settings in the context of a bridge interface. set: This is a command used to modify or set parameters. In this case, you're abo...

joshhboss

...( from ) 25 to 50 ... mmm.... /interface bridge vlan set [find where vlan-ids~"(2[5-9]|[3-4][0-9]|50)"] tagged=ether1,ether2,ether3,ether4,ether5 Could you break that down.. im trying to do the similar thing where I have vlans on numbers 35 X bridge 400 36 X bridge 401 37 X bridge 600 ...

joshhboss

I did an update hoping to fix some weird things I was seeing on the route list that didnt match the CLI on 7.8.

But now the inactive routes are no longer red on inbox..

anyway to get that back? I still have the flags but the red was more better..

joshhboss

--- Again another concerned I had with NAT and port exhaustion. I can edit that. Ive honestly never even come close to having a problem but ive always had really strict connection tracking on all my setups.. I am up to trying PCC .. also on these circuits I should mention that on one circuit it'll b...

joshhboss

Why this rule??? what is the default...... what was recommended to me is 30 minutes. /ip firewall connection tracking set tcp-established-timeout=6m --- Again another concerned I had with NAT and port exhaustion. I can edit that. Ive honestly never even come close to having a problem but ive always...

joshhboss

Sounds like PCC is the way to go. A. do you have any external originating traffic heading to the router or the network ( aka to config the router, or to port forward to devices )? B. Will all the users/subnets on the router be subject to PCC, ( are there some subnets or users that have no option bu...

joshhboss

Sounds like PCC is the way to go. A. do you have any external originating traffic heading to the router or the network ( aka to config the router, or to port forward to devices )? B. Will all the users/subnets on the router be subject to PCC, ( are there some subnets or users that have no option bu...

joshhboss

Sounds like PCC is the way to go. A. do you have any external originating traffic heading to the router or the network ( aka to config the router, or to port forward to devices )? B. Will all the users/subnets on the router be subject to PCC, ( are there some subnets or users that have no option bu...

joshhboss

Not a a problem but why not use PCC then and the traffic will always be shared more or less equally between both ISPs, no monitoring or making changes on the fly necessary. Logic works, whimsy does not LOL. Knowing all the rules and/or limitations beforehand is essential to a good working config. F...

joshhboss

Not a a problem but why not use PCC then and the traffic will always be shared more or less equally between both ISPs, no monitoring or making changes on the fly necessary. Logic works, whimsy does not LOL. Knowing all the rules and/or limitations beforehand is essential to a good working config. F...

joshhboss

I understand Primary and Failover. The other requirements seem vague to me. Can you provide more clarification and without any config talk . a. identify user(s)/device(s) or groups of users/devices b. identify what traffic they need to accomplish. In a perfect world I want all clients on all networ...

joshhboss

with simple rules like this after setting ups address list

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=!PrivateIps new-routing-mark=WAN21 passthrough=yes src-address-list=130Production

joshhboss

Do you want a. primary and failover WANs b. PCC load balanced WANS c. FIxed Subnets to WANS setup I want a main routing table (pretty much carrying everything) ISP1 failover to ISP2 But I also want to have a routing table basically sitting dormant in the event that I just need to start using it for...

joshhboss

Also whats a little annoying is that the immediategw in WINBOX and the immediatgegw in the cli are not the same..

whats the deal with that?

joshhboss

Im preparing for an event in 3 weeks. At that event I'll have two totally different circuits for my internet handoff. So 2 different blocks of Public IPS. Since I have 2 publics on my office router but on the same block. What I was going for was to try and simulate the conditions of the internet ill...

joshhboss

When I use normal static routes ( not recursive) the src nat rules work just fine on the hex -- so the hex is setup fine.. it justs gets weird on the ccr2116 with the 2nd routing table (WAN21) where the immediate gateway just never choses the right routes..

joshhboss

Hi Josh, So I understand, you a hex that has two WANIP connections. --- YES YOu VLAN these WAN connections to the router that is going to use them the CR2116. --- YES to simulate 2 different routes to the internet.. Source nat rule will use vlan 1702 (ccr2116's WAN2) to go out my 2nd public In othe...

joshhboss

Here is how im try to lab it out.

joshhboss

I posted about this before today but maybe I just over explained and wrote it bad.. Let me try and do this in parts cause I think this could be a factor to my problem. I have 2nd routing table and its not going to the internet using the route I intended it too.. using my wan2 gateway to get to 9.9.9...

joshhboss

So I have a mikrotik router at my office that has 2 publics on it at the moment ANd im using it to practice on a 2116 below One office router I created 2 vlans that im using to throw down to a switch and then uplink the 2116 on 2 different ports with those two vlans 1701(wan1) and 1702(wan2) On the ...

joshhboss

Thank you !!

joshhboss

I mainly use wireguard for all my mikrotik devices.. but I just watched a Mikrotik Canada Video about the CCR2116, and it was mention that this router does not support traffic encryption? Can someone help me understand what they meant by that in the video ? I need the power of this router but I defi...

joshhboss

So I have been building a pretty beefy Festival Core Router network, firstly about 98% of my traffic is all destined for the internet, basically all of it is for POS networks of streaming networks, Office Production and Ticketing type stuff. If anything the devices on these networks that do need to ...

joshhboss

Version of the 13 May 2023, 01:50 # APPLY TO /ip dhcp-client add script= section. :global HealthCheckIP 8.8.8.8 ; # IP to use to check if ISP path is working. Use different IPs for each ISP. :global ISPPriority 1 ; # Which ISP path to use first. 1 is the highest priority. Each ISP needs a different...

joshhboss

65500 is about the maximum number of session per single NAT IP (in general your public IP). If you need to do more sessions, make shure you have more IP's to do NAT on. False, if you use RouterOS, you have only 32767 ports (for each tcp and udp), because the nat start at 32768 and end on 65534... P...

joshhboss

Looks like I need at least this one to get back over the tunnel..

4    ;;; AllowWireguard
      chain=input action=accept in-interface-list=Wireguard log=no 
      log-prefix=""

the tunnel forms without it but I cant into the network without that.

On the client mikrotik

joshhboss

its acting as a VPN server for some routers that I have that are behind NAT and networks that are not under my control. Small network in an office building for instance where we can not get a public but still have a lot of remote needs.. but I was just thinking.. Since the pFsense box is in the clou...

joshhboss

Ive set up a bunch of these routers with Wireguard all connecting to my wireguard server.. and for the most part it is all working great but I had a moment there where my router would not create a link and then messing around with the rules. a bunch of different ways I was able to get it to work but...

joshhboss

I have a switch that’s running router os 7.8 that I was hoping to export the config to a file and then use that file to flashfig the same switch but on 6.48 Would this cause a problem. Also a side question, Once you do a flashfig with Flash boot once and nand.: does that mean now the reset button wi...

joshhboss

:local cpes [/ip neighbor print detail as-value where interface~"ether" and identity~"AP"]; :foreach cpe in=$cpes do={ /interface set [/interface find name=[:pick ($cpe->"interface") 0 [:find ($cpe->"interface") "b"]]] comment=($cpe->"identity&...

joshhboss

Tried this..

add comment=CDP-Rule dst-mac-address=01:00:0C:CC:CC:CC/FF:FF:FF:FF:FF:FF new-dst-ports="" ports=combo1,combo2,combo3,combo4,sfp1,sfp2,sfp3,sfp4,sfp5,sfp6,sfp7,sfp8,sfp9,sfp10,sfp11,sfp12,sfp13,sfp14,sfp15,sfp16,sfp17,sfp18,sfp19,sfp20 switch=switch1

joshhboss

I was wondering if someone could help me write a switch rule to stop passing CDP packets.. In this post of mine. https://forum.mikrotik.com/viewtopic.php?t=194719 I have an issue with native vlan mismatch error happening with switches not directly connected to each other but both connected to the sa...

joshhboss

Is it picking gsm because there is no likely lte ? I’m working on this remotely so I’m worried I’ll lose connection and not get it back .. safe mode ??

joshhboss

Im trying to understand how to read these outputs from my LTE dish but I cant full understand what to make of it ..

the *1 on the interface also the readings when I monitor the interface.

I dont see RSSI. Is there enough info in these outputs for me to be able to position this antenna.

joshhboss

I am seeing something weird. I am getting my internet handed to me on a copper port to this switch that I was going to use just layer 2 the publics to the 2 routers im using. But Im getting these FCS errors and the Rate is unknown and it doesnt show that the port is connected at any rate.. When I as...

joshhboss

I wonder if this is something that this rule would also fix ??

interface ethernet switch rule
add dst-mac-address=01:00:0C:CC:CC:CD/FF:FF:FF:FF:FF:FF new-dst-ports="" ports=ether1 switch=switch

joshhboss

I’m going to try and explain this the best i can without a drawing, if I don’t make it clear enough i will be more then happy to add one. Just super early and thought i would take a shot at explaining what is happening.. Switches in the mix Sw1 - CRS328 Sw2 - Cisco 3750 Sw3 - Cisco 2960 So at my cor...

joshhboss

Did you ever get this going? I always had a problem with this setup using the spoke routers with the /24.. I ended up using separate /30 tunnels. setting the address as /32 for the wg interface wont allow it to work.. On Pfsense and Edge Routers its not a problem and It works fine..

joshhboss

Weird.. I got all excited cause they're like 60W per port.. but I have these Mikrotik point to points.. that work fine with the 3750X24/48P series but then the UPOE wont power them, they aren't high draw devices either.. but if I add a poe powered switch (repeater) and then add the mikrotik p2p afte...

joshhboss

Divide-and-conquer do not concentrate a labor on a single device, when you can is better to have multiple devices to distribute the load specially at the access layer This is kind of my approach right now.. I have a pretty hefty.. Pfsense router but its so expensive and Im just really getting sucke...

joshhboss

I’m curious to hear any results on this event? What’d you go with? I have a similar goal but with a smaller event.. shooting for 4K to 6k clients on a CCR2004-1G-12s+… all the same situations. Nat dhcp .. maybe a few different source nat rules.

joshhboss

Disabled Mange btw! Cause im keeping fasttrack and it's a small network, just wanted some sort of fail over.

joshhboss

And I’ve read how fast track causes problems with mangle just during the labs it looked like it was working,, didn’t know if the post I was reading was older or maybe something in ROS. Which made it possible even tho I didn’t see it in the change log.. ANYWAYS!! Since I wasn’t sure and don’t trust C...

joshhboss

So give up and not try? Don’t post and just pay someone else to do it ? Always amazes me the guys who never needed to learn and just spawned onto the earth and knew everything.. if only there were a place you could find a community of people who enjoy learning and helping others learn… Jeez.. Sorry ...

joshhboss

So im new to mikrotik.. but ive been kind of obsessing and spending all my free time trying to understand and improve.. what I was trying to practice here on a small hex.. because im providing internet to just one office for an event so I figured this would be a good exercise.. Should only have abou...

joshhboss

As far as I remember, the conntract table gets resized automatically when you are reaching its current size limit.
The real limit is the ammount of RAM on the router.

If you get problems with syn floods, enable syn cookie.

Does that work similar to PfSense 1kb per state/connection ?

joshhboss

Let me bother you with another question... Lets say I just go ahead and untagged the port and just use the PVID of the vlan that I need.. pvid=40.. and its an end device.. not a switch or anything like that.. what's the problem there lol with ingress filter=yes what's the big deal ? I know so many p...

joshhboss

I respect your wishes. But suggested change is not the best. IMO better solution would be adding sort capability to print command. It could work similarly to the filtering option (print where) ...

could you show me a quick example of the print where command ?

joshhboss

Ive just been struggling with making quick changes on the fly We do events mainly and Im slowly moving L2 to Mikrotik instead of Cisco. With Cisco I can go very quickly default int gig1/0/1-2 swithcport trunk encapsulation dot1q switchport trunk native vl 10 Switchport mode trunk and Bam I have a Tr...

joshhboss

I was wondering if in the CLI there is a way to add a new vlan and then be able to place it above another vlan.. Like if I have 10,30,40,50 1 bridge 10 sfp-sfpplus1 2 bridge 30 sfp-sfpplus1 3 bridge 40 sfp-sfpplus1 4 bridge 50 sfp-sfpplus1 5 bridge 60 sfp-sfpplus1 6 bridge 69 sfp-sfpplus1 If I wante...

joshhboss

I am trying to reserve resources on the router and keep as many states available as possible, do you think me going this route makes sense?

Still learning..

joshhboss

They are blocked in chain=input (because chain=input is used for traffic destined to router itself ... and broadcasts can target router, e.g. for DHCP discovery etc.) ... However they are not even hitting chain=forward because router will not pass them to another interface. I didnt even think about...

joshhboss

The "pseudo ROS" firewall rule won't do anything. Broadcasts are not routed between different router interfaces (which is where chain=forward works). I'm not fluent in edge-ish, but I guess you would like to disable connection tracking for certain traffic. You can achieve that by rule som...

joshhboss

I did this to try and log it and it looks like the broadcast connections are being blocked.

Does this look correct.. these rules are the first 2

add action=log chain=input dst-address=255.255.255.255
add action=drop chain=input dst-address=255.255.255.255

joshhboss

I use this command for my edge routers at times. I was wondering if it could be also used for Mikrotik? set system conntrack ignore rule 10 destination address 255.255.255.255 ive tried .. /ip firewall filter add action=drop chain=forward dst-address=255.255.255.255 But it doesn't seem to work.. Goa...

joshhboss

Instead of posting a photo it would have been more useful to describe your usage scenario and network layout. It looks like it is "providing internet at an event", e.g. via multiple WiFi APs or connections to other people's switches? In that case, make sure you wire things differently tha...

joshhboss

Sorry guys no I actually havent had an issue yet but im entering another event and just wanted to make sure I didnt have any issues..

joshhboss

Read this....... https://forum.mikrotik.com/viewtopic.php?p=956155#p956155 Did go over that link and very useful stuff, I kind of wanted to explain what I was trying to under stand.. So in my use cases when im out and about at these events.. from one moment to the next I will be asked to make a few...

joshhboss

The 16k hosts are per network segment, not for the entire network. By the time you get any close to that, you should long have divided the network into multiple segments with routing between them, rather than switching. Sorry coming back to get some more clarity lol .. does this mean.. 16k per vlan...

joshhboss

This worked for me after working with support. RouterOS supports the standardized M/R/STP protocols, and you can select which ports will not participate in the spanning tree using "edge=yes". So these ports will not send and ignore standardized BPDUs (01:80:C2:00:00:00). However, RouterOS...

joshhboss

This worked for me after working with support. RouterOS supports the standardized M/R/STP protocols, and you can select which ports will not participate in the spanning tree using "edge=yes". So these ports will not send and ignore standardized BPDUs (01:80:C2:00:00:00). However, RouterOS ...

joshhboss

This worked for me after working with support. RouterOS supports the standardized M/R/STP protocols, and you can select which ports will not participate in the spanning tree using "edge=yes". So these ports will not send and ignore standardized BPDUs (01:80:C2:00:00:00). However, RouterOS ...

joshhboss

OKKKK I was able to find get some success with this.. :local wgcheckip 10.X.X.X :local endpointip my.ddns.com #:log info "wg check-ip $wgcheckip " :if ([/ping 10.X.X.x interval=1 count=5] =0) do={ :log info "WG down $wgcheckip" /interface/wireguard/peers/disable [find endpoint-ad...

joshhboss

And now ive found this one but I dont know if I need to make any changes to it.. how to run it.. how to check if it is working.. how to set it to run every few minutes.. im lost.. but I am trying im going through forum posts and seeing what I can do.. any tips would be greatly appreciated. {; # Begi...

joshhboss

I did find this but I dont know really how to apply the script.. I tried messing with it but I dont know what im doing wrong.. {; # BeginOfScript # scripted by msatter # function: bring up stalled WireGuard interfaces after restart of the router :local timesRetried 15; # how many times WireGuard is ...

joshhboss

I have this script ive been using on my Ubiquiti Edge Routers and it has been amazing. Constantly solves a DNS weirdness that happens when a site might change its public address. I was hoping there was a way to create the same one here for Mikrotik because ive already had my HEX poe go offline and f...

joshhboss

What gear have you already purchased?

CRS326-24S+2QRM
and about 5 CRS317-1G-16S+
and for routing the
CCR2004-1G-12S+SXS

joshhboss

Is there anything I should take into consideration when doing something like this. This network will primarily be internet traffic as well. Not a whole lot of local traffic beyond management. but I was able to get my hands on some cool Mikrotik gear and im going to set up everything with 10 gig. But...

joshhboss

Hardware offload breaks edge=yes apparently ..

joshhboss

didn't work for me.. followed everything in the links

joshhboss

Still with this problem in 2022 heading into 2023.. Been looking everywhere to try and figure it out ..

joshhboss

Just disabled hardware off load on that port and it seems to work.. Does hardware offload disable edge=yes.. that would suck.. or what other functions of spanning tree configurations?

joshhboss

I did try the switch rules in the documentation and the bridge filter rules.. they did not help.. also I dont know if they would break hardware offloading, or just not working right if they aren't hitting the CPU.. either way this is rough.. all im trying to do is take a vlan untagged.. tag it and k...

joshhboss

Basically what is happening in this post.. that was never resolved is happening to me :( https://forum.mikrotik.com/viewtopic.php?t=102751 I have the internet comming from a Cisco 3750 and the port is just set as Switchport mode access Switchport access vl 170.. Now when I connect it to my switch.. ...

joshhboss

Did just look at the CCR2216.. and that looks more like it!! but I have the ccr2004 on the way lol..

joshhboss

i think CCR2004-1G-12S+2XS is a niche product aimed to replace another niche product, the CCR1016-12S-1S+ what niche? In a role that can be described like a Simple Distribution Router with all the interfaces in fiber in this context the CCR2004-1G-12S+2XS meet its main goal, which is to serve as an...

joshhboss

. Also, using the SFP28 ports for uplinks to the ISP and the SFP+ ports as downlinks to customers yielded the best CPU performance in my testing. Question .. in my case I’ll end up with (2) 1 gig hand offs and I’ll 10gig everything below the CCR.. should I enable flow control on any of the interfac...

joshhboss

2Gbps for 4K users? I guess you mentioned it's event work, so not the same as traditional home or business customers, where the average is 5-7Mbps per user. It sounds like the bandwidth comes into the CCR2004, then you'd distribute to up to a dozen switches around the facility, and from there to th...

joshhboss

How much throughput are you expecting? The CCR2004 maxes out at roughly 19-20Gbps on both routing and bridging. If you're only pushing around a gigabit or two through all the ports combined, you'll be fine and have no need for a separate switch. If you're doing straight-up routing (no firewalls, no...

joshhboss

Ill take that as a yes.. lol routed ports only to crs3X switch it is

joshhboss

I have just been getting into Mikrotik recently and i have for a long time I’ve always just used routers with having routed ports going into a switch and then handling the switch after that. But i was wondering if it would be doable to just add the ports on this router to the bridge and then connect...

joshhboss

THe only quirky thing is ubiquti that wants the managment vlan to reach the AP UNTAGGED............ Thats bizarro. That's true for adoption, and it is the default. But since UniFi controller 5.8.23 (released June 25, 2018), you have been able to set it to a tagged management vlan . But the initial ...

joshhboss

Add the jk lol.. incase anyone didnt get it...

joshhboss

Why would someone wait 17 years, wait, is your name Rip Van Joshhboss ???

I was joking,, just trying to learn... sorry I didnt make that clear.. jeez...
thanks

joshhboss

So I am moving away from the Ubiquiti Edge Routers since they havent release a new version or firmware in 17 years. How is anyone supposed to take anything you say seriously when you make statements like that, that are easily factually refuted? Ubiquiti released the first EdgeRouter in Sept 2012. r...

joshhboss

WAIT>. I think it was a poe issue from the Mikrotik to the AP.. After adding a POE injector is actually seems to work fine..

joshhboss

And the vlan settings in Unifi are correct. Just wanted to add that.

joshhboss

So I am moving away from the Ubiquiti Edge Routers since they havent release a new version or firmware in 17 years, lol jk. And I have been playing with the HEX routers and just ordered an rb5009 to handle my events that I mainly use the edge routers for. But just doing something as simple as connec...

joshhboss

Ive been using this rule for Guest networks on edge routers and I have been trying to recreate the same thing on the Mikrotik. Im trying to allow access from one network to the other but I dont want the second network to be able to initiate the communication. I dont know what im doing wrong but on e...

joshhboss

I don’t know if I should of done this but I updated my device to 7.6 but I did notice when I tried to do the auto upgrade it didn’t let me go past 6.46..

Should I of not updated ?? I just wanted to put WireGuard on it

joshhboss

I was messing around trying to understand recursive routes but after getting everything setup I can seem to get my vlans to work properly. The internet just goes in and out but for sure the internet connection is working well. I dont know if im missing something in the mangle rules or really where e...

joshhboss

Does anyone have any experience with this, maybe to help me go in the right direction. Im trying to get one of these and use it with either Verizon and Att. Just need a little help knowing more or less how its setup. I did watch a video, im hoping its just as easy. I didnt see anywhere what carriers...

joshhboss

I don't use recursive routing, but did you see this recent thread? recursive routing not wokring I was able to get this to work, Part of the problem was that in v7 it doesnt look like it actually displayed visually that recursive routes are actually happy ( routing to x recursively) like I v6 but t...

joshhboss

What port are you connecting the dhcp client to? Are you expecting to be connected vlan 1 or vlan 200? what is your dhcp client? Windows? If so what does ipconfig /all show ? Providing some of those details would be helpful, as well as letting us know what you were expecting and what you got, inclu...

joshhboss

Yes, above poster is right, v6 will only see critical security fixes. All development is concentrated on v7, this is why I ask, is there anything specific the OP would like help with I admit that I spent quite sometime about (2) years finally getting an understand and a level of conform with the ed...

joshhboss

Probably should of researched the answer to that question before you switched in the first place.

Ahh man thanks!! You are so helpful… kind of have a 14 year old wearing a headset playing Call of Duty energy going on..

Keep on bringing so much to the forum..

joshhboss

I have no idea what im missing but I can statically assign my computer to be on the proper subnet and ive untagged it and set PVID settings. But I can not for the life of me getting dhcp to work properly. I was hoping someone could look at my config and tell me what im missing. Thank you. [admin@Mik...

joshhboss

Im having a VERY hard time with Mikrotik as it is lol and ive been reading about how things aren't the same on v7. At least with regards to recursive routing. I know before I updated it, that it was actually working and now since the update its not. And im completely failing at getting support on fo...

joshhboss

and now all I did was upgrade the firmware and the recursive routes disappear.. I dont get it.. these Mikrotik are a missssssssssion..

joshhboss

Ok that worked.. I noticed that my pings would drop and not come back until I started a new session. I wondering if that is something that can be fixed.. wow there is just so much to learn. Im having sillier problem.. I tried to upgrade the firmware.. and dragged and dropped the file I download and ...

joshhboss

initially I did have the address obtained by dhcp but then set them to static

joshhboss

Ive watched a few videos trying to recreate this process so I can have an active failover if a directly connected Wan losing connection to the internet. Not just if lets say its power goes out.. I thought I followed the instructions pretty well but apparently I haven't been able to change the routes...

joshhboss

I ended up just taking the time and removing the tags on the access port.. being lazy can get you into trouble..

joshhboss

So I was wondering, I have been lately just always removing the tags off of the ports that I use as access ports. just on some configs I always catch myself forgetting to remove a tag here and there. I was wondering if the port is set to only accept untagged and priority tagged. Will that mean I sho...

joshhboss

Would this switch fall into CRS3X series of switches that support Bridge Hardware Offloading. I know the articles says CRS3XX series of switches but I didnt see it mentioned in the models section of that page.

joshhboss

I see the MTP250-53V47-OD but I wish I knew what the heck it connected to? lol it only shows the device itself. What do the ends of the cables look like and what do they need to be spliced to or connected to. Product page of netpower 16p has a few pictures, one of them is showing the connection sid...

joshhboss

The netPower 16p switch (CRS318-16P-2S+OUT) specifies a max power consumption of 316W. However, the two 48V power supplies (48POW, 48V2A96W) provided by Mikrotik only supply 70W or 96W. And even the MTP250-53V47-OD power supply only provides up to 250W, which is significantly lower than 316W. 48POW...

joshhboss

I was considering purchasing this.. to power the 16p. Mainly because it looks easier for me to install then the Mikrotik Device MTP250-53V47-OD. I posted a picture of the power adapter. Any insight would be greatly appreciated. I am only really considering putting at/af devices on it. For 24v ill us...

joshhboss

The switch has two power inputs, one for 18-30 V and one for 48-57 V. Recomended power supplies (MTP250-26V94-OD and MTP250-53V47-OD) can supply up to 250W each. Then it depends on powered devices what kind of supply voltage require. Most Mikrotik devices gladly accept the low voltage variant and m...

joshhboss

I was hoping to use this device for events. But how many Aps Would I actually be able to do with this? is 96Watts Enough. What if I wanted to actually use all 16 ports on this device. Is that possible. to Get 30Watts per port? or even 15?

joshhboss

Sorry I know this might be a bit of a open questions.. hopefully it turns into a longer forum where I learn a lot. lol.. But I just purchased the 60 WAP and (2) 60 cube acs. I was able to get them linked together but I was wondering if there were maybe some tips and tricks on things to look for when...

joshhboss

Can you set up the cubes as ptmp with out the Mikrotik wAP 60Gx3 AP?

Search found 274 matches