Search found 293 matches

by kleshki
Sun Nov 17, 2024 11:34 am
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

I'm at the same driver version but can't confirm this works on 7.16.x, not sure about beta
by kleshki
Sun Nov 17, 2024 6:08 am
Forum: General
Topic: Separate YouTube, Facebook, Instagram, and Netflix traffic or IPs (CDN of ISP)
Replies: 9
Views: 506

Re: Separate YouTube, Facebook, Instagram, and Netflix traffic or IPs (CDN of ISP)

You actually can, but this would be kinda tricky to do. Note that I don't guarantee that what I've described below will give you the desired results and maybe @anav is right, but I'll try to give Mikrotik a chance. In ROS7 there's a DNS record called FWD. What you can do is: 1. Inject MikroTik DNS i...
by kleshki
Sun Nov 17, 2024 12:41 am
Forum: General
Topic: RouterOS pxe boot
Replies: 0
Views: 214

RouterOS pxe boot

Is it possible to boot entire RouterOS from network for ARM/ARM64 devices? The RouterBOARD seems to support "try-ethernet", so I assume it is possible to extract the flash image and put it onto boot server.
by kleshki
Fri Nov 15, 2024 3:42 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

Looks like Intel new Wireless Bluetooth driver 23.90.0 and 7.17beta5 work fine for me. No more disconnects under load. I'm testing about 3 hours. Can anybody else confirm that?
What version is shown on the WiFi dongle itself in the device manager?
by kleshki
Thu Nov 14, 2024 11:49 pm
Forum: General
Topic: CapsMan - "slower" timeout before deprovisioning possible?
Replies: 2
Views: 231

Re: CapsMan - "slower" timeout before deprovisioning possible?

There's a checkbox Lock to CAPsMAN on AP itself - is it what you mean?
by kleshki
Thu Nov 14, 2024 7:54 pm
Forum: General
Topic: cannot remove directory
Replies: 12
Views: 14661

Re: cannot remove directory

The problem is same for me when I try to remove container directory from external drive. It removes around 100-300 files of container then fails. So I have to press delete for multiple ten times to actually remove it. FS is NTFS
by kleshki
Thu Nov 14, 2024 5:41 pm
Forum: General
Topic: Bonding 802.3ad
Replies: 8
Views: 522

Re: Bonding 802.3ad

L3+L4 is less common tho, but it should work good between two mikrotiks L3+L4 can spread traffic between one pair of devices to both bond links ... if devices use multiple connections in parallel. However, a single connection (e.g. single file transfer using SMB - windows file sharing) will still o...
by kleshki
Thu Nov 14, 2024 12:31 am
Forum: General
Topic: Bonding 802.3ad
Replies: 8
Views: 522

Re: Bonding 802.3ad

L2+L3 means IP is taken into consideration, so all traffic between two same hosts will go through single link. This will shine when you have multiple devices behind bonding
L3+L4 is less common tho, but it should work good between two mikrotiks
by kleshki
Wed Nov 13, 2024 5:45 pm
Forum: General
Topic: Routeros V7.15.3 randomly deleted users once a day.
Replies: 16
Views: 898

Re: Routeros V7.15.3 randomly deleted users once a day.

The same Routerboard Here. https://postimg.cc/qhy0q50j https://postimg.cc/qhy0q50j Oh wow! What is with this sector writes numbers? And most of it are since the last reboot? sector-writes.png That seems /system logging action set 0 memory-lines=5000 set 1 disk-lines-per-file=5000 so just pushing lo...
by kleshki
Tue Nov 12, 2024 11:45 pm
Forum: General
Topic: untagg multiple VLAN on ether port
Replies: 14
Views: 722

Re: untagg multiple VLAN on ether port

Nope I meant that traffic passes through dumb switch without any tags and reaches untagged to router at port where switch is connected. Then, if MAC address is found in bridge/host table, traffic gets tagged according to MAC->VID mapping and goes with tag through MT bridge. The return traffic gets u...
by kleshki
Tue Nov 12, 2024 7:55 pm
Forum: General
Topic: untagg multiple VLAN on ether port
Replies: 14
Views: 722

Re: untagg multiple VLAN on ether port

Concur, and is why in post #3 I presented clear feedback. It was not me that muddied the waters by saying oh what you're doing is possible sort of with caveats, oh yeah so clear !!!! ;-PP It's actually possible to have multiple untagged vlans per port. The setup can be like this: MikroTik -> dumb swi...
by kleshki
Tue Nov 12, 2024 7:40 pm
Forum: General
Topic: untagg multiple VLAN on ether port
Replies: 14
Views: 722

Re: untagg multiple VLAN on ether port

The OP seems to be confused about the terms, so don't make pointless arguments. Let's ask OP about network diagram: where VLANs 10 and 20 originate and where they should or should not go.
by kleshki
Tue Nov 12, 2024 6:17 pm
Forum: General
Topic: QnQ help
Replies: 10
Views: 677

Re: QnQ help

According to your description, here's what I think
/interface bridge
add name=bridge vlan-filtering=yes ether-type=0x88a8
/interface bridge port
add interface=sfpplus2 bridge=bridge pvid=100 tag-stacking=yes
add interface=sfpplus1 bridge=bridge
/interface bridge vlan
add bridge=bridge tagged=sfpplus...
by kleshki
Tue Nov 12, 2024 5:31 pm
Forum: General
Topic: Routeros V7.15.3 randomly deleted users once a day.
Replies: 16
Views: 898

Re: Routeros V7.15.3 randomly deleted users once a day.

1. Check your logs for any actions done (every configuration change in ROS7 is logged, and the user@source (local/winbox/ssh and so on) is described)
2. Post your /export file=config while omitting any sensitive data
3. Try backup -> netinstall -> restore
by kleshki
Tue Nov 12, 2024 5:12 pm
Forum: General
Topic: QnQ help
Replies: 10
Views: 677

Re: QnQ help

So, can you specify, you receive tagged 802.1Q traffic from sfpplus2 right? This would be trunk port with customer tags.
Then you apply additional tag and then push traffic to sfpplus1 with Q-in-Q?
Maybe a network diagram of desired setup would help more, if I got you wrong.
by kleshki
Tue Nov 12, 2024 3:07 pm
Forum: General
Topic: QnQ help
Replies: 10
Views: 677

Re: QnQ help

Looking at your config, to make it according to docs, this looks like it's something to be done from scratch almost:
1. Remove all VLANs from /interface bridge port
2. Add all physical ports to /interface bridge port and add appropriate PVID, check Tag stacking=yes where appropriate. Setup bridge ho...
by kleshki
Tue Nov 12, 2024 1:16 am
Forum: General
Topic: QnQ help
Replies: 10
Views: 677

Re: QnQ help

Hello.
I have read it but I really don't know how to do it.
Tomorrow I will export my current configuration and please can you suggest me doing it in the new way?
I am not able to make a working test. I really don't understand the way to do it.
Post the config and we'll see :)
by kleshki
Mon Nov 11, 2024 5:02 pm
Forum: General
Topic: Make LAN hosts available to via WAN
Replies: 5
Views: 356

Re: Make LAN hosts available to via WAN

Use VLANs to separate devices on a single bridge. Pretty sure you can manage all VLAN stuff on pfSense, which would be a nice centralized solution
by kleshki
Mon Nov 11, 2024 4:20 pm
Forum: General
Topic: Make LAN hosts available to via WAN
Replies: 5
Views: 356

Re: Make LAN hosts available to via WAN

My bad, meant wrong thing. The device should be accessible from another network, if it has gateway configured properly (i.e. 192.168.66.1 for all IoT stuff behind mAP). Another suggestion: why can't you just bridge ether1 and wlan1 to have all management on pfSense?
by kleshki
Mon Nov 11, 2024 3:24 pm
Forum: General
Topic: Make LAN hosts available to via WAN
Replies: 5
Views: 356

Re: Make LAN hosts available to via WAN

You should add the reverse route 10.9.4.0/24 via 192.168.66.1 on mAP. Then you don't need dstnat at all
by kleshki
Mon Nov 11, 2024 12:42 am
Forum: General
Topic: Periodic connectivity issues to external WinBox
Replies: 15
Views: 740

Re: Periodic connectivity issues to external WinBox

1 0.000000 laptop_ip server_ip TCP 70 52536 → 8291 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
2 0.000016 laptop_ip server_ip TCP 70 [TCP Retransmission] 52536 → 8291 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
3 0.000020 laptop_ip server_ip TCP 66 [TCP Retransmission] 52536 → 8...
by kleshki
Sun Nov 10, 2024 8:09 pm
Forum: General
Topic: Connect Failed
Replies: 6
Views: 352

Re: Connect Failed

I mean you can at least do first while second is not that fast. Other option is to setup Netwatch to ping something like 8.8.8.8 and restart interface on fail pings at some reasonable threshold - that would be more suitable if your disconnects don't fall to some "scheduled" time. This is...
by kleshki
Sun Nov 10, 2024 6:39 pm
Forum: General
Topic: Connect Failed
Replies: 6
Views: 352

Re: Connect Failed

Easy way is to make a scheduled script to restart interface each day.
Harder but maybe more proper way would be to diagnose the reason of this problem.
by kleshki
Sun Nov 10, 2024 3:46 pm
Forum: General
Topic: qinq
Replies: 5
Views: 408

Re: qinq

Thanks a lot for your help, I think I see what I've misunderstood; I wasn't thinking of qinq as an extension to the vlan, rather, I was considering it more like a vpn. Loosely put, the qinq is my feature in vlanning and not yours (if you are a client to me I can allow you to trunk). In my case, I am ...
by kleshki
Sun Nov 10, 2024 3:40 pm
Forum: General
Topic: ROS 7.17 SMB share - Not seen in Win 11 File Manager Network browser
Replies: 3
Views: 283

Re: ROS 7.17 SMB share - Not seen in Win 11 File Manager Network browser

Isn't that more convenient to just mount share as disk using its \\IP\path and forget?
by kleshki
Sun Nov 10, 2024 3:38 pm
Forum: General
Topic: Periodic connectivity issues to external WinBox
Replies: 15
Views: 740

Re: Periodic connectivity issues to external WinBox

My hosting provider recently reported troubles with their network adapter - I had losses about 5% over some specific connections only, so they migrated VM to some other host (I suppose LACP troubles on their side). Previous problems are gone after migration, so maybe this could be related. However i...
by kleshki
Sun Nov 10, 2024 12:08 am
Forum: General
Topic: Periodic connectivity issues to external WinBox
Replies: 15
Views: 740

Re: Periodic connectivity issues to external WinBox

1 0.000000 IPs Removed TCP 88 8291 → 55013 [PSH, ACK] Seq=1 Ack=1 Win=502 Len=34
2 0.000007 IPs Removed TCP 88 [TCP Retransmission] 8291 → 55013 [PSH, ACK] Seq=1 Ack=1 Win=502 Len=34
3 0.459990 IPs Removed TCP 70 55024 → 8291 [SYN] Seq=0 Win=64240 Len=0 MSS=1452 WS=256 SACK_PERM
4 0.459996 IPs Remo...
by kleshki
Sat Nov 09, 2024 10:42 pm
Forum: General
Topic: Periodic connectivity issues to external WinBox
Replies: 15
Views: 740

Re: Periodic connectivity issues to external WinBox

That's a cool idea, gonna do that next time connection lags. I'm not using any mangling on CHR side tho, haven't seen any issues with connections before
by kleshki
Sat Nov 09, 2024 10:18 pm
Forum: General
Topic: Periodic connectivity issues to external WinBox
Replies: 15
Views: 740

Re: Periodic connectivity issues to external WinBox

I've also checked in connection tracking now that when Winbox is stuck, the connection is shown as established, meanwhile changed to "fin wait" to close or straight to close. The latter is not consistent (may be just close or fin wait first from time to time), but the amount of bytes trans...
by kleshki
Sat Nov 09, 2024 9:42 pm
Forum: General
Topic: Periodic connectivity issues to external WinBox
Replies: 15
Views: 740

Re: Periodic connectivity issues to external WinBox

If that's MTU on multipath then it would be tricky as hell to figure out. CHR has 1500 default ether MTU and home router is 1492 (PPPoE) with mss-clamp mangle rule configured. I should also notice that I use same scheme with IPv6 (i.e. external access by whitelist) and while IPv4 connectivity is bro...
by kleshki
Sat Nov 09, 2024 9:25 pm
Forum: General
Topic: Periodic connectivity issues to external WinBox
Replies: 15
Views: 740

Re: Periodic connectivity issues to external WinBox

1. Never allow external access to config the router. The ONLY access path using winbox should be LOCALLY from an authorized LANIP or list of admin IPs, AND via VPN where the remote user has used VPN to access the router (and is now considered local or internal) and the config. 2. Telnet is anoth...
by kleshki
Sat Nov 09, 2024 8:47 pm
Forum: General
Topic: Periodic connectivity issues to external WinBox
Replies: 15
Views: 740

Periodic connectivity issues to external WinBox

Hello everyone. I have a CHR v. 7.16 configured with whitelist access to Winbox (chain=input action=accept dst-port=8291 src-address-list=Whitelist and in Whitelist I keep my Cloud address of home router). Everything worked fine and config was untouched for quite long time, but suddenly a periodic i...
by kleshki
Sat Nov 09, 2024 4:05 pm
Forum: General
Topic: QnQ help
Replies: 10
Views: 677

Re: QnQ help

https://help.mikrotik.com/docs/spaces/ROS/pages/28606465/Bridge+VLAN+Table check this out. Here you create L2 q-in-q, then just add /interface/vlan ontop of bridge (not bridge existing vlan interfaces as this is a described misconfiguration https://help.mikrotik.com/docs/spaces/ROS/pages/19136718/La...
by kleshki
Sat Nov 02, 2024 6:00 pm
Forum: General
Topic: changing login password
Replies: 1
Views: 221

Re: changing login password

Using centralized controllers for APs is the way to go (Capsman for MT, unifi for ubnt)
by kleshki
Thu Oct 31, 2024 2:43 pm
Forum: General
Topic: CCR2116 & L3HW NAT with absurd numbers of connections?
Replies: 2
Views: 335

Re: CCR2116 & L3HW NAT with absurd numbers of connections?

I think NAT is L3 and above cpu functionality and switch chip work/make changes only with L2 protocols, not IP for example.
Here's mentioned L3 hardware offloading described here. You talk about regular switch chips like on RB-devices, which are different.
by kleshki
Wed Oct 30, 2024 12:25 pm
Forum: General
Topic: Slow Device after upgrading from 6.x to 7.6, anything we can do to improve?
Replies: 6
Views: 1138

Re: Slow Device after upgrading from 6.x to 7.6, anything we can do to improve?

While posting config I would also check this:
1. /system/routerboard current firmware is equal to current ROS version installed, upgrade&reboot if not
2. /tool/profile to see what actually consumes CPU
by kleshki
Wed Oct 30, 2024 11:20 am
Forum: General
Topic: DHCP Relay and Redundant DHCP Servers, sync dynamic leases??
Replies: 3
Views: 309

Re: DHCP Relay and Redundant DHCP Servers, sync dynamic leases??

Microsoft DHCP Server can do what you ask, i.e. replication and lease sharing. You can learn more here With MT there's a thing called authoritative dhcp and delay dhcp, so you can have "active-backup" dhcp with mikrotiks kinda easily, but syncing configs and static leases is up to you, als...
by kleshki
Wed Oct 30, 2024 10:52 am
Forum: General
Topic: 10gb switch saturation problem [SOLVED]
Replies: 3
Views: 741

Re: 10gb switch saturation problem [SOLVED]

btest itself consumes CPU to generate traffic. Use iperf on devices connected to switch instead.
by kleshki
Tue Oct 29, 2024 2:41 am
Forum: General
Topic: Hairpin NAT not working
Replies: 11
Views: 932

Re: Hairpin NAT not working

TBH I've never seen hairpin NAT with masquerade, only with action=src-nat
But yeah, easily googleable
by kleshki
Mon Oct 28, 2024 4:14 pm
Forum: General
Topic: Mikrotik router should connect to Opnsense via WG.
Replies: 8
Views: 538

Re: Mikrotik router should connect to Opnsense via WG.

It's not clear for me, you posted a config where interface should have 10.90.200.4/32. Now you tell us it's 10.55.55.254/24. For the route, you should set gateway IP to the address of the peer, so if Opnsense peer is 10.55.55.253 - this is your gateway. Also you can consider using smaller networks f...
by kleshki
Mon Oct 28, 2024 3:56 pm
Forum: General
Topic: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]
Replies: 47
Views: 2483

Re: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]

Curious if drivers could be added to the image so easily, can MT do some kind of driver repository for CHR, instead of pushing it to the image itself
by kleshki
Mon Oct 28, 2024 3:09 pm
Forum: General
Topic: Mikrotik router should connect to Opnsense via WG.
Replies: 8
Views: 538

Re: Mikrotik router should connect to Opnsense via WG.

In peer config, set persistent keepalive to something like 20s and check if it works. Your Opnsense seems to be configured as responder and doesn't initiate connection on its own.
by kleshki
Sun Oct 27, 2024 9:14 pm
Forum: General
Topic: Mikrotik router should connect to Opnsense via WG.
Replies: 8
Views: 538

Re: Mikrotik router should connect to Opnsense via WG.

MikroTik can be WG peer (as there's no transparent server or client in WG terminology) to any other WG device. Check if you have
1. Correct keys on both sides
2. Assigned IP address to WG interface
3. WG port allowed in input firewall chain
If you still couldn't spot the issue, post your config with...
by kleshki
Sun Oct 27, 2024 9:05 pm
Forum: General
Topic: Change the routing table for OVPN connections dynamically on a MikroTik router
Replies: 4
Views: 796

Re: Change the routing table for OVPN connections dynamically on a MikroTik router

It's not a good practice to have same pool for LAN and VPN clients. What you can best do is to make a separate pool for OVPN clients and setup routing to both bridges. What you can do if you don't want solution above is to add route to another bridge to Table_ISP1 like dst-address=192.168.10.0/24 ga...
by kleshki
Sun Oct 27, 2024 2:19 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

What is in itself the problem of remaining at 7.14.3 (at least for the time being)?
Is there specific functionality missing that was introduced from 7.15 upwards?
7.15 patch notes include wifi-qcom driver update.
by kleshki
Sun Oct 27, 2024 2:55 am
Forum: General
Topic: Multiple Vlan for ISP router
Replies: 5
Views: 470

Re: Multiple Vlan for ISP router

Yeah, it purely depends on the unmanaged switch firmware, which could either ignore or drop VLAN tags, so you can either have expected behavior or no VLANs at all. Better find cheapest managed switch for this purpose. D-Link DGS1100 is very affordable, and you can find some vlan-aware stuff on aliex...
by kleshki
Sun Oct 27, 2024 2:53 am
Forum: General
Topic: RouterOS 7 WAN failover -- ARP?
Replies: 11
Views: 684

Re: RouterOS 7 WAN failover -- ARP?

Recursive has been the same for every sub version of version7, to my knowledge anyway. In early versions, IIRC, there was a bug where scope was auto-decremented, so you had to specify target-scope 21 instead of 20 or something to hit scope 20 (maybe I'm wrong in exact terms but the description wi...
by kleshki
Sun Oct 27, 2024 1:11 am
Forum: General
Topic: LACP fallback
Replies: 5
Views: 1655

Re: LACP fallback

Can't this be just a scheduled script that monitors link status and switches between 802.3ad and active-standby with primary interface? Not a single config line like Arista, but still may do the trick
by kleshki
Sat Oct 26, 2024 10:51 pm
Forum: General
Topic: RouterOS 7 WAN failover -- ARP?
Replies: 11
Views: 684

Re: RouterOS 7 WAN failover -- ARP?

When I tested extensively in 2022 the behaviour was inconsistent. In some cases default route's target scope needed to be 10 to find the gateway (scope 10), in other cases it needed to be 11. And some other inconsistencies. Hence trial and error to find the rule actually in effect for any specific ...
by kleshki
Sat Oct 26, 2024 5:30 pm
Forum: General
Topic: Suggestion for 1500+ VPN endpoints
Replies: 6
Views: 1143

Re: Suggestion for 1500+ VPN endpoints

As in the first post NVR mentioned, I think the use case is to have a centralized security camera monitoring, maybe at some small outlets. It is true about sufficient VPN server tho, even from abstract numbers, 1500 endpoints * 10Mbit is around 15Gbit/s of encrypted data which is a lot. There probab...
by kleshki
Sat Oct 26, 2024 4:11 pm
Forum: General
Topic: IPv6 Connection display bug
Replies: 2
Views: 277

Re: IPv6 Connection display bug

Seems to be webfig-only related, as Winbox shows v6 connections correctly for me
by kleshki
Sat Oct 26, 2024 3:30 pm
Forum: General
Topic: RouterOS 7 WAN failover -- ARP?
Replies: 11
Views: 684

Re: RouterOS 7 WAN failover -- ARP?

There's no need for trial and error. You set it like this:
0.0.0.0/0 via 8.8.8.8/32 scope=30 target-scope=20 check-gateway=ping
8.8.8.8/32 via whatever-gw-you-want scope=20 target-scope=10
so default route targets scope that a real route has. After that, you can check immediate gateway on default ...
by kleshki
Sat Oct 26, 2024 3:18 pm
Forum: General
Topic: Suggestion for 1500+ VPN endpoints
Replies: 6
Views: 1143

Re: Suggestion for 1500+ VPN endpoints

My suggestion would be something with RADIUS, like IKEv2, to manage authentication centrally. Even wireguard configuration generation can be scripted, there's still error-prone things here. With RADIUS, configurations are pushed through RADIUS-attributes, you only need to set equal config for each endp...
by kleshki
Sat Oct 26, 2024 4:43 am
Forum: General
Topic: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]
Replies: 47
Views: 2483

Re: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]

Is there a real reason to use passthrough instead of virtio driver or maybe try to use SR-IOV?
by kleshki
Sat Oct 26, 2024 1:29 am
Forum: General
Topic: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]
Replies: 47
Views: 2483

Re: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]

A quick google search I've found there's a way to boot on bhyve guide
Can't try myself, but there's a bunch of guides how to boot ROS7, maybe this could solve your problem
by kleshki
Sat Oct 26, 2024 1:10 am
Forum: General
Topic: No fasttrack on HAP AX2 ?
Replies: 10
Views: 639

Re: No fasttrack on HAP AX2 ?

@anav I expected to see a config with fasttrack enabled and checkbox disabled for the situation to be strange. Now I only see disabled fasttrack and disabled checkbox as a result. OP should try reboot. As for your question in n.1 add address=192.168.88.1 comment=defconf name=router.lan type=A is act...
by kleshki
Fri Oct 25, 2024 11:54 pm
Forum: General
Topic: No fasttrack on HAP AX2 ?
Replies: 10
Views: 639

Re: No fasttrack on HAP AX2 ?

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-mark=no-mark connection-state=established,related disabled=yes \
    hw-offload=yes
disabled=yes
by kleshki
Fri Oct 25, 2024 7:51 pm
Forum: General
Topic: MikroTik hAP lite - Internet is working, but not in the device itself.
Replies: 7
Views: 421

Re: MikroTik hAP lite - Internet is working, but not in the device itself.

You tell us you have your upstream router as port 4. Why do you put address on ether2 and route through ether2? Why do you bridge ports 2-4? Your WAN list has ether1 port only.
by kleshki
Fri Oct 25, 2024 7:11 pm
Forum: General
Topic: MikroTik hAP lite - Internet is working, but not in the device itself.
Replies: 7
Views: 421

Re: MikroTik hAP lite - Internet is working, but not in the device itself.

You have to specify DNS server under /ip/dns and not just in DHCP Network in order for MikroTik to be able to resolve update-server name - that's my suggestion. Otherwise, post config.
by kleshki
Fri Oct 25, 2024 12:49 am
Forum: General
Topic: Firewall for PublicIP on Vlan [SOLVED]
Replies: 2
Views: 334

Re: Firewall for PublicIP on Vlan [SOLVED]

IP firewall doesn't look into packets flowing inside bridge. You can either use /bridge/filter or enable IP Firewall for bridges. Chain is also wrong - should be forward not input. Another option is to use firewall inside VM.
by kleshki
Thu Oct 24, 2024 11:06 pm
Forum: General
Topic: Wireguard setup
Replies: 2
Views: 283

Re: Wireguard setup

Hello I am testing WireGuard, I got the basic site-to-site config to work. But I want to modify it a little bit. I would like to add secondary router that has its own public ip and route all internet traffic to there, but when I remove the 0.0.0.0/0 from my wireguard router then peers won't connect an...
by kleshki
Wed Oct 23, 2024 5:57 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

I'm on 7.16.1 for now, intel driver v. 23.70.2.3. I don't have time now to play games and so on, so it's hard for me to notice disconnects that I had before. But logs are filled with this:
19:08:39 wireless,info 0C:7A:15:F5:D2:AF@wifi-5ghz disconnected, connection lost, signal strength -70
19:08:39 ...
by kleshki
Wed Oct 23, 2024 1:11 am
Forum: General
Topic: Mikrotik support please have a look!
Replies: 4
Views: 436

Re: Mikrotik support please have a look!

ChatGPT v4 says my config is fine so it's your fault Mikrotik blah blah :D
by kleshki
Wed Oct 23, 2024 1:10 am
Forum: General
Topic: 1 Packet over Multiple Routs?
Replies: 14
Views: 1384

Re: 1 Packet over Multiple Routs?

Even if you could manage to implement duplicating packets through multiple interfaces, I doubt other side will accept it normally, since it would expect a packet flow from a single endpoint. Otherwise, how they should preserve packet sequence, especially with LTE delays.
by kleshki
Tue Oct 22, 2024 1:56 pm
Forum: General
Topic: Static Route
Replies: 6
Views: 429

Re: Static Route

What you ask is not a trivial task, it's not just a "youtube to WAN2 checkbox"
by kleshki
Tue Oct 22, 2024 12:41 am
Forum: General
Topic: Routing Mark problem after moving from RouterOS 6.49.17 to 7.15.3 [SOLVED]
Replies: 10
Views: 2493

Re: Routing Mark problem after moving from RouterOS 6.49.17 to 7.15.3 [SOLVED]

Hello guys, I'm trying to follow this tutorial https://www.youtube.com/watch?v=2pFcVRaoscE to add a VPN connection using Wireguard to warp Cloudflare. But when I try to add mangle rules, on action "mark routing", the 'new routing mark' doesn't show the routing tables that I already add. I...
by kleshki
Mon Oct 21, 2024 9:33 pm
Forum: General
Topic: Whats the point of this default FW rule?
Replies: 21
Views: 1600

Re: Whats the point of this default FW rule?

Is there a possibility that topic starter is just behind ISP NAT that's why no one hitting him? Because normally there's a lot stuff hitting router outside in input chain, but if your ISP doesn't care about security, you can be unprotected from L2 neighbors, so they can just route to private range t...
by kleshki
Fri Oct 18, 2024 5:02 pm
Forum: General
Topic: User Manager for 30K Subscribers [SOLVED]
Replies: 19
Views: 1137

Re: User Manager for 30K Subscribers [SOLVED]

User manager is just radius server, how can this be only solution?
by kleshki
Thu Oct 17, 2024 1:32 pm
Forum: General
Topic: RB4011iGS+5HacQ2HnD Password after Update.
Replies: 2
Views: 261

Re: RB4011iGS+5HacQ2HnD Password after Update.

Can you connect through console?
by kleshki
Tue Oct 15, 2024 11:03 am
Forum: General
Topic: Queue tree help needed, limit not applied on parent queue...
Replies: 5
Views: 515

Re: Queue tree help needed, limit not applied on parent queue...

If the problem costs you thousands dollars, hire a competent specialist to make it for you, this will be way cheaper. Otherwise, no need to babycry on a forum, where answering your questions is some kind of volunteering, and support also doesn't help with configuration, only when bug occurs to debug...
by kleshki
Tue Oct 15, 2024 10:49 am
Forum: General
Topic: Opening ports makes me lose connection
Replies: 5
Views: 353

Re: Opening ports makes me lose connection

Found the solution, I had to set the in interface. Now everything is working fine. By the way I’m opening all ports because my mikrotik is connected to another router where I have a firewall, so I don’t need to block any port on the mikrotik, I already handle it in my other router. That's weird any...
by kleshki
Tue Oct 15, 2024 10:46 am
Forum: General
Topic: Not enough permission to export config
Replies: 11
Views: 653

Re: Not enough permission to export config

It's not "probably", it is definitely compromised. This is now a common botnet thing, which creates System user and partially restricts you. It occurs almost instant via api on unprotected device. Reset your device or do netinstall, take care of default security measures before throwing it ...
by kleshki
Tue Oct 15, 2024 3:47 am
Forum: General
Topic: HTTP speed limit if going through Mikrotik [SOLVED]
Replies: 10
Views: 672

Re: HTTP speed limit if going through Mikrotik [SOLVED]

170 MB/s is slightly above 1.3Gbit/s which is only half of 2.5Gbit and slightly above of what you experience during HTTP download (1Gbit/s) with direct connection. At this point I doubt this is router problem
by kleshki
Tue Oct 15, 2024 1:42 am
Forum: General
Topic: HTTP speed limit if going through Mikrotik [SOLVED]
Replies: 10
Views: 672

Re: HTTP speed limit if going through Mikrotik [SOLVED]

May this be related to some tcp offloading on a laptop working improperly and network card can't handle buffers? When you did iperf test, you probably did udp. What if you try tcp instead and see what happens? Try to check laptop network adapter's settings, increase buffers, update driver and so on.
by kleshki
Mon Oct 14, 2024 11:43 pm
Forum: General
Topic: Opening ports makes me lose connection
Replies: 5
Views: 353

Re: Opening ports makes me lose connection

Except of strangeness of your action, what you're doing wrong is probably not specifying restrictions on dst-nat rule, so ports 443 and 80 for outbound also match it and are being forwarded.
by kleshki
Mon Oct 14, 2024 9:39 pm
Forum: General
Topic: MikroTik RouterOS Enterprise
Replies: 11
Views: 944

Re: MikroTik RouterOS Enterprise

I doubt a lot of resources are spent to make ROSE package. This could be just recompile of well-known linux packages and that's it, not that much resources wasted. Agree on ax troubles tho. 2 versions no fix.
by kleshki
Mon Oct 14, 2024 6:49 pm
Forum: General
Topic: How to maximize throughput on SSTP
Replies: 8
Views: 574

Re: How to maximize throughput on SSTP

No, SSTP uses AES and you can't just disable it, as it defeats the purpose of protocol, best you can do with that is use device with aes-hw-offload. Or use another protocol which has optimized software encryption, like wireguard.
by kleshki
Sun Oct 13, 2024 8:22 pm
Forum: General
Topic: Mac to comment idea
Replies: 2
Views: 363

Re: Mac to comment idea

I saw somewhere script that does lookup logs for ipsec errors to block undesired connection attempts. You can try and do the same - make a script that looks up for whatever you want, extract MAC from the message, look for dhcp-lease with corresponding MAC, :log info $MAC . $AP with the format you wa...
by kleshki
Sat Oct 12, 2024 7:20 pm
Forum: General
Topic: CHR v7.16.1 Hyper-V - No DHCP/broken connectivity on 3rd ethernet interface
Replies: 2
Views: 349

Re: CHR v7.16.1 Hyper-V - No DHCP/broken connectivity on 3rd ethernet interface

I think that's because a hypervisor (not only Hyper-V but others too) doesn't allow VM to advertise MAC address, that is different from assigned to a specific adapter. But RouterOS chooses one MAC for a bridge and announces it to all bridge ports. MAC is chosen from one of bridge ports, so it was ch...
by kleshki
Sat Oct 12, 2024 4:14 pm
Forum: General
Topic: Why do I (apparently) need to use vrrp interfaces in firewall?
Replies: 6
Views: 830

Re: Why do I (apparently) need to use vrrp interfaces in firewall?

You can try the reverse thing: create a single VRRP, create VLANs on top of VRRP. This should work, if it's ok that a single VRRP handles all VLANs at once.
by kleshki
Fri Oct 11, 2024 11:23 pm
Forum: General
Topic: How to maximize throughput on SSTP
Replies: 8
Views: 574

Re: How to maximize throughput on SSTP

I'm pretty sure it's bottlenecked by a single core of your routers. Since it's stream cipher, I doubt it can be multithreaded, as packet order should be preserved. HEX has two cores, so one of cores is fully loaded, that's why it's slightly above 50%. Ac3 has four cores, that's why it's slightly abo...
by kleshki
Fri Oct 11, 2024 9:40 pm
Forum: General
Topic: OSPF gateway when you have a local gateway
Replies: 5
Views: 478

Re: OSPF gateway when you have a local gateway

TBF your description is not clear (at least for me). By default, if you have, for example, 0.0.0.0/0 via ISP and 10.0.2.0/24 via vlan66, no matter the distance, 10.0.2.0/24 should go via vlan ignoring default gateway, as more "strict" routes have priority. Since it doesn't work for you as ...
by kleshki
Fri Oct 11, 2024 7:37 pm
Forum: General
Topic: How to maximize throughput on SSTP
Replies: 8
Views: 574

Re: How to maximize throughput on SSTP

I've managed to push 400 Mbit btest between gigabit single-core CHR VMs with SSTP and H flag on it. This could be more I suppose, because btest also takes CPU cycles to generate UDP traffic. Wireguard pushed around 850+ same channel, so you can compare the numbers. I have an ax3 with 300Mbit channel...
by kleshki
Fri Oct 11, 2024 6:53 pm
Forum: General
Topic: Problem with certificate on SSTP (doesn't work on Windows but all is ok)
Replies: 2
Views: 316

Re: Problem with certificate on SSTP (doesn't work on Windows but all is ok)

Different IPs on different routers? Certificate name should match SSTP server IP or FQDN
by kleshki
Fri Oct 11, 2024 5:49 pm
Forum: General
Topic: How to maximize throughput on SSTP
Replies: 8
Views: 574

Re: How to maximize throughput on SSTP

You can only improve your performance of SSTP with hardware encryption. IIRC, ac3 doesn't support that. Ax3 does, however.
That's the nature of SSTP protocol, which uses TCP, compared to Wireguard and UDP. And encryption algorithm also matters.
by kleshki
Mon Oct 07, 2024 12:13 am
Forum: General
Topic: Feature Request: Link "check-gateway" in routes to a netwatch item(s)
Replies: 11
Views: 2567

Re: Feature Request: Link "check-gateway" in routes to a netwatch item(s)

Still can't get from thread what's wrong with recursive routes? Just setup both recursive route and netwatch to same host to have both route failover and up/down scripts
by kleshki
Sun Oct 06, 2024 3:12 pm
Forum: General
Topic: Script or process for sanitizing exports?
Replies: 2
Views: 1151

Re: Script or process for sanitizing exports?

If you do /export hide-sensitive, secrets aren't exported that way. Dynamic entries aren't exported with /export too.
by kleshki
Sat Oct 05, 2024 6:43 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

I've recently heard an opinion that connected USB3 device may affect wireless (friends who have ax3 had problems with usb and didn't have without). I had problems before I attached USB disk, and now there isn't much transfers (only error logs by now). Maybe it will be useful if anyone who has proble...
by kleshki
Fri Oct 04, 2024 12:41 am
Forum: General
Topic: multiple devices whit one wireguard client
Replies: 6
Views: 655

Re: multiple devices whit one wireguard client

This is not possible, because wireguard uses public-key routing (or whatever they call that), so with same keys, server won't know where to route traffic. It's however possible to connect two wireguard clients from same subnet but with different keypairs (dunno why you want to have same keypairs) II...
by kleshki
Thu Oct 03, 2024 10:14 pm
Forum: General
Topic: Hotspot with automatic SSO Active DIrectory authentication [SOLVED]
Replies: 3
Views: 447

Re: Hotspot with automatic SSO Active DIrectory authentication [SOLVED]

Isn't 802.1x and GPO a better solution for that? (but you have to have clients connected to managed switch directly, not through some 5port dumb ones)
by kleshki
Thu Oct 03, 2024 1:31 pm
Forum: General
Topic: Bogon filtering with dynamic IP address list? [SOLVED]
Replies: 12
Views: 692

Re: Bogon filtering with dynamic IP address list? [SOLVED]

There was another separate article using this approach with list, however the drop rule was in input for some reason, I just moved it to prerouting. I see there's a similar chain, but the approach is different. Instead of parsing all bad traffic all time, you remember source of undesired traffic onc...
by kleshki
Wed Oct 02, 2024 10:47 pm
Forum: General
Topic: Bogon filtering with dynamic IP address list? [SOLVED]
Replies: 12
Views: 692

Re: Bogon filtering with dynamic IP address list? [SOLVED]

Could you link to that particular info please? I can't find the exact wiki page, as the link I've found is dead already. But I can post you my firewall export in case you're interested:
/ip firewall filter
add action=add-src-to-address-list address-list=Port-Scanners address-list-timeout=2w chain=inpu...
by kleshki
Wed Oct 02, 2024 7:57 pm
Forum: General
Topic: Wireguard on standalone server with mikrotik router
Replies: 2
Views: 304

Re: Wireguard on standalone server with mikrotik router

It's possible, but the traffic will flow out and in to the router anyway, and wireguard doesn't hurt performance much. So maybe you should consider telling what router/ROS version you using, what perfmon tells you under wireguard load and so on. if not, then you can just route traffic to a "box...
by kleshki
Wed Oct 02, 2024 1:59 pm
Forum: General
Topic: LACP doesn't work in CHR
Replies: 9
Views: 1483

Re: LACP doesn't work in CHR

Can you please elaborate more? I mean by default hypervisor host only expects VMs to connect to network using MAC-address given by host. But LACP may announce other MAC on links so host just blocks those frames. Feature is called "Allow MAC Spoofing" or similar and is located in VM setti...
by kleshki
Wed Oct 02, 2024 1:29 am
Forum: General
Topic: LACP doesn't work in CHR
Replies: 9
Views: 1483

Re: LACP doesn't work in CHR

Any chance Mac-spoofing enabling on vm helps with this?
by kleshki
Tue Oct 01, 2024 10:24 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

Ax3 is a single stand-alone device, so there's nowhere to roam. Sure there is: from 5 GHz to 2.4 and back when both radios have the same SSID. FT does apply in this case! I have 5GHz and 2.4GHz SSIDs separate as 5GHz covers area well enough, so I wanna make sure all devices use 5GHz all time
by kleshki
Tue Oct 01, 2024 9:57 pm
Forum: General
Topic: Bogon filtering with dynamic IP address list? [SOLVED]
Replies: 12
Views: 692

Re: Bogon filtering with dynamic IP address list? [SOLVED]

Thank you for the answers. I am still interested to learn about those other security measures. Could you elaborate? It depends on what you have and what you're protecting. For me it now seems that you're solving problems you aren't facing in reality. If you are facing DoS attack on your system, try...
by kleshki
Tue Oct 01, 2024 6:27 pm
Forum: General
Topic: Bogon filtering with dynamic IP address list? [SOLVED]
Replies: 12
Views: 692

Re: Bogon filtering with dynamic IP address list? [SOLVED]

2. The list isn't actually "long", it's only 1787 entries at the moment I've opened it. How can it be measured? Load it into your router and test RAM and CPU usage for blocking this (try raw prerouting for that). Wouldn't take noticeable performance on a good device. 3. In my opinion, appr...
by kleshki
Tue Oct 01, 2024 6:13 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

You getting any issues with that setup? Does your devices roam without ft=yes ft-over-ds=yes? Yes I had disconnects with Intel AX on that. Ax3 is a single stand-alone device, so there's nowhere to roam. Support told me that those options make no sense in my setup (but are enabled by default). In on...
by kleshki
Tue Oct 01, 2024 6:11 pm
Forum: General
Topic: Bogon filtering with dynamic IP address list? [SOLVED]
Replies: 12
Views: 692

Re: Bogon filtering with dynamic IP address list? [SOLVED]

Because you can open this list on your own and clearly see that it contains public IPs. Those IPs aren't issued yet to anyone but eventually will.
Bogons in a MT guide are IPs that are intended to use as private, loopback, multicast and so on. Those things are different.
by kleshki
Tue Oct 01, 2024 4:49 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

/interface wifi channel
add band=5ghz-ax disabled=no frequency=5220,5180-5320,5660-5845 name=5ghz skip-dfs-channels=10min-cac width=20/40/80mhz
/interface wifi security
add authentication-types=wpa2-psk disabled=no management-protection=disabled name=home-private
/interface wifi
set [ find default-...
by kleshki
Tue Oct 01, 2024 4:33 pm
Forum: General
Topic: Bogon filtering with dynamic IP address list? [SOLVED]
Replies: 12
Views: 692

Re: Bogon filtering with dynamic IP address list? [SOLVED]

Actual bogons are different from what you've linked - those are IPs from which malicious traffic was detected (port-scanning, brute-forcing etc.).
by kleshki
Tue Oct 01, 2024 3:00 am
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

Rather than name-call the others, I prefer to contribute positively, as with this article I've just written, presenting a working configuration for at least one person, me. How much broader does that go? I don't know, but it's objectively the case that everything isn't terrible for everyone. I didn...
by kleshki
Tue Oct 01, 2024 2:28 am
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

It happens with any kind of configuration, whether it's defconf or not, and support guy told me they replicated the problem with Intel AX in their lab. I haven't noticed any issues with 7.14.3. But any 7.15 onwards the disconnects are just waaaay too often. All stuff that we tried with support worked...
by kleshki
Mon Sep 30, 2024 9:29 pm
Forum: General
Topic: Our mikrotik hacked
Replies: 23
Views: 1602

Re: Our mikrotik hacked

Your device probably has reset jumpers, you may try it. Also, netinstall may help, if bootloader is not in protected mode, otherwise gg.
by kleshki
Mon Sep 30, 2024 6:16 pm
Forum: General
Topic: Route DNS traffic between multiple CHR based on source and destination
Replies: 0
Views: 234

Route DNS traffic between multiple CHR based on source and destination

Hi everyone! I have such scheme: Wireguard clients -> CHR1 -> CHR2/3/4 BGP peer with "set gw 127.0.0.2" routing filter on CHR1. So if CHR2 fails then CHR3 kicks in and so on. All works fine.
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=127.0.0.2/32 gateway=10.1.0.2%w...
by kleshki
Mon Sep 30, 2024 2:38 pm
Forum: General
Topic: Help please with guest wlan
Replies: 8
Views: 1040

Re: Help please with guest wlan

Yes, here it is
/interface bridge port
add bridge=bridge interface=wifi-5ghz
/interface bridge vlan
add bridge=bridge tagged=bridge,wifi-5ghz-guest vlan-ids=10
add bridge=bridge tagged=bridge,wifi-5ghz vlan-ids=100
add bridge=bridge tagged=bridge vlan-ids=50
/interface vlan
add arp=reply-only interf...
by kleshki
Mon Sep 30, 2024 2:06 pm
Forum: General
Topic: set DHCP option for VLAN
Replies: 2
Views: 247

Re: set DHCP option for VLAN

If you have only static leases and DHCP is on a bridge with vlan-filtering, you can use /int/bridge/host static entries for that and add devices per their MAC.
by kleshki
Mon Sep 30, 2024 2:48 am
Forum: General
Topic: Prevent L2TP server from creating dynamic interface
Replies: 1
Views: 205

Re: Prevent L2TP server from creating dynamic interface

Maybe "one session per host" tick may help you in L2TP server configuration.
by kleshki
Mon Sep 30, 2024 1:26 am
Forum: General
Topic: Wanted feature in logging or info about logging issue.
Replies: 3
Views: 577

Re: Wanted feature in logging or info about logging issue.

You may want to add custom info into your script flow. I.e.
:if (whatever) do={ :log info "script X failed on Y" }
by kleshki
Mon Sep 30, 2024 12:13 am
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

TLDR; The fix was to limit myself to only channels up to 124.
What's the ROS version you have where it works?
by kleshki
Sun Sep 29, 2024 3:54 pm
Forum: General
Topic: Wifi traffic prioritization on bridge [SOLVED]
Replies: 22
Views: 1336

Re: Wifi traffic prioritization on bridge [SOLVED]

Another XY problem. That's why it's good to
1. Post entire config
2. Ask right questions
by kleshki
Sun Sep 29, 2024 12:47 am
Forum: General
Topic: Wireguard peer traffic counters
Replies: 0
Views: 523

Wireguard peer traffic counters

Googled this thread viewtopic.php?t=196632 and then noticed it's in beta forum.
So, peer counters still reset after reaching 4096MB (ROS 7.16) any update on this, will there be a fix?
by kleshki
Sun Sep 29, 2024 12:00 am
Forum: General
Topic: Wifi traffic prioritization on bridge [SOLVED]
Replies: 22
Views: 1336

Re: Wifi traffic prioritization on bridge [SOLVED]

How is this a bottleneck if you don't have CPU pumping to 100% (or at least one core to 100%)? We also know now you have queues, they may be misconfigured, leading to problems you described Edit: you can't have switch-hw configuration as you don't have switch chip in hap ac. This is hardware not soft...
by kleshki
Sat Sep 28, 2024 11:24 pm
Forum: General
Topic: Wifi traffic prioritization on bridge [SOLVED]
Replies: 22
Views: 1336

Re: Wifi traffic prioritization on bridge [SOLVED]

Connect wired until you figure out
by kleshki
Sat Sep 28, 2024 10:38 pm
Forum: RouterOS beta
Topic: WireGuard: peer traffic counter 32bit
Replies: 14
Views: 5201

Re: WireGuard: peer traffic counter 32bit

Is there any progress on the issue? Year gone and peer counters still reset @32bit byte value
by kleshki
Sat Sep 28, 2024 10:22 pm
Forum: General
Topic: RouterOS Upgrade: Recommendations for hAP ac3 [SOLVED]
Replies: 12
Views: 1166

Re: RouterOS Upgrade: Recommendations for hAP ac3 [SOLVED]

He meant old wifi config won't help since in new versions there's new wifi package which differs in configuration, and you should do it from scratch
by kleshki
Sat Sep 28, 2024 10:06 pm
Forum: General
Topic: Wifi traffic prioritization on bridge [SOLVED]
Replies: 22
Views: 1336

Re: Wifi traffic prioritization on bridge [SOLVED]

I'm using ax3 device, which is a bit more powerful than ac2, but have no issues with pushing 600 Mbps speed over 5GHz ax using vlan filtering (tagged only bridge 3 vlans, ether and wlan2.4 and wlan5 bridged in a single bridge). It also doesn't have a built-in switch chip so I just use regular bridge...
by kleshki
Sat Sep 28, 2024 6:27 pm
Forum: General
Topic: Wireguard peer responder clarification
Replies: 15
Views: 1634

Re: Wireguard peer responder clarification

The first block should contain them. The problem is that current implementation is buggy and gonna be fixed in 7.17, so no more handshake failures in logs. Currently, if client doesn't handshake in a default 2min window, server tries to handshake on its own using discovered client endpoint, which sh...
by kleshki
Sat Sep 28, 2024 5:31 pm
Forum: General
Topic: Wireguard peer responder clarification
Replies: 15
Views: 1634

Re: Wireguard peer responder clarification

It's a server-side config "per-user", you can have multiple peers on a single interface, and for a reason want to be some as initiators, and others as responders. But that only means if server wish to start connection first or not, but doesn't affect "client wishes" in any way.
by kleshki
Sat Sep 28, 2024 5:13 pm
Forum: General
Topic: Wireguard peer responder clarification
Replies: 15
Views: 1634

Re: Wireguard peer responder clarification

Responder should be side that can have static connectivity and IP address (let's call it server, maybe? WG seem to not love this word), so dynamic devices can initiate connection to it, and responder, well, responds to them.
by kleshki
Sat Sep 28, 2024 4:07 pm
Forum: General
Topic: storage issues?
Replies: 2
Views: 461

Re: storage issues?

Maybe your router is insecure and compromised. "admin" is not a secure login and should be removed right after turning on your device and before letting it to Internet. My advice would be: 1. Inspect your config (maybe with help of a professional) for vulnerabilities or if it's compromised...
by kleshki
Sat Sep 28, 2024 4:03 pm
Forum: General
Topic: To limit one device from accessing another on the same subnet.
Replies: 4
Views: 648

Re: To limit one device from accessing another on the same subnet.

Firewall is always enabled but for L3. Enabling "Use IP Firewall" in /int/bridge section means firewall also starts processing L2 traffic. Yes, it will have a performance hit - but depends on your environment, if it will be noticeable or not. My suggestion would be to create a VLAN for eac...
by kleshki
Sat Sep 28, 2024 4:00 pm
Forum: Announcements
Topic: Question to our users about controllers
Replies: 71
Views: 47894

Re: Question to our users about controllers

a Java application deployable on some Java runtime container like Tomcat or JBoss
This should be a docker container or a self-contained app, not a java application. Unifi has its controller with java dependency and it's annoying af.
by kleshki
Sat Sep 28, 2024 1:12 am
Forum: General
Topic: Wifi traffic prioritization on bridge [SOLVED]
Replies: 22
Views: 1336

Re: Wifi traffic prioritization on bridge [SOLVED]

I doubt 50 Mbps is the amount hap ac can't handle. Check your router resource consumption under load. Maybe you have your firewall overloaded or something. Also what's the firmware version?
by kleshki
Fri Sep 27, 2024 11:21 pm
Forum: General
Topic: Wifi traffic prioritization on bridge [SOLVED]
Replies: 22
Views: 1336

Re: Wifi traffic prioritization on bridge [SOLVED]

What's your internet bandwidth, so just a package update breaks your streaming? If you have a good enough ISP link, you probably should investigate your wireless issues and fix them, rather than baking queues into where they're not needed at all
by kleshki
Fri Sep 27, 2024 3:40 pm
Forum: General
Topic: Any plan for Mikrotk to upgrade its travel router ?
Replies: 11
Views: 1335

Re: Any plan for Mikrotk to upgrade its travel router ?

5GHz would still be nice to see because of wireless interference in some places where you can come.
hap ax lite lte is nice with everything but 5GHz absence. If it's by design to make a more compact router, I'd personally prefer this to be with 5GHz-only.
by kleshki
Wed Sep 25, 2024 9:08 pm
Forum: General
Topic: lo-Interface loopback
Replies: 8
Views: 8671

Re: lo-Interface loopback

The advantage is you have one less interface in your configuration, which is already something :P
by kleshki
Wed Sep 25, 2024 12:02 pm
Forum: General
Topic: System login
Replies: 21
Views: 4818

Re: System login

Same stuff via api.
MikroTik please react! This is common
by kleshki
Wed Sep 25, 2024 1:06 am
Forum: General
Topic: Struggling with VLAN configuration (egress works but not ingress)
Replies: 16
Views: 1263

Re: Struggling with VLAN configuration (egress works but not ingress)

My assumption is that EoIP should be set as tagged in /bridge/vlan like regular port (someone should confirm this or you may try it out yourself) as I don't see any tagged traffic in torch output.
by kleshki
Tue Sep 24, 2024 11:26 pm
Forum: General
Topic: Device got hacked 1 min after connected to internet
Replies: 51
Views: 5376

Re: Device got hacked 1 min after connected to internet

Nah there are lots of hosts that are focused on scanning such things. I got caught by the same thing and ALSO with api but on a fresh CHR on VPS. It's actually your fault that you netinstall with WAN/modem link up, eject it until your config is reapplied and device is secure. P.S.: still propose MT ...
by kleshki
Tue Sep 24, 2024 11:22 pm
Forum: General
Topic: Help please with guest wlan
Replies: 8
Views: 1040

Re: Help please with guest wlan

There's not much of configuration related to VLANs in this setup. Bridge filter, two interfaces, move IP from bridge to lan vlan, appropriate datapath per wlan. Then what you said: firewall and so on.

Your solution works too tho, it's fine. It's just my opinion that it should be configured this way
by kleshki
Tue Sep 24, 2024 11:19 pm
Forum: General
Topic: Wishes for 7.17 beta
Replies: 12
Views: 1376

Re: Wishes for 7.17 beta

I guess this is not high priority since small companies barely need that, and big enterprises can implement it on their own without much effort. My bet is people having same request as yours can be counted on fingers.
by kleshki
Tue Sep 24, 2024 11:14 pm
Forum: General
Topic: Help please with guest wlan
Replies: 8
Views: 1040

Re: Help please with guest wlan

Implement separate VLAN for LAN and guest and assign DHCP servers per VLAN. Adjust firewall accordingly. This will fix your problems, including red dhcp (which is red because wlan interface is considered disabled until at least single client is connected, and dhcp on disabled interface is red indeed).
by kleshki
Tue Sep 24, 2024 11:08 pm
Forum: General
Topic: Struggling with VLAN configuration (egress works but not ingress)
Replies: 16
Views: 1263

Re: Struggling with VLAN configuration (egress works but not ingress)

Try to establish EoIP between RB and switch so traffic flows through tunnel. This way you will exclude AP problems or state that they're involved and go with this solution. If the problem persists, the problem is with either RB or switch (but I personally can't spot it for now). If not - either use ...
by kleshki
Tue Sep 24, 2024 10:42 pm
Forum: Announcements
Topic: Question to our users about controllers
Replies: 71
Views: 47894

Re: Question to our users about controllers

1. b 2. b and b (which seems to be "c"). Either CHR package or docker container. Would be nice to see native Windows service, not just *nix, since I use MikroTiks in Windows environments much. 3. -Active Directory integration for service itself (to split device configuration/monitoring per...
by kleshki
Tue Sep 24, 2024 7:35 pm
Forum: General
Topic: Wishes for 7.17 beta
Replies: 12
Views: 1376

Re: Wishes for 7.17 beta

On one side you are right, but on the other - if you're asking something for years for a really huge enterprise - why not just create your own log proxy to convert it to whatever you want?
by kleshki
Mon Sep 23, 2024 7:28 pm
Forum: General
Topic: Struggling with VLAN configuration (egress works but not ingress)
Replies: 16
Views: 1263

Re: Struggling with VLAN configuration (egress works but not ingress)

My bad I missed that connection point, need glasses LOL. in that case will only work if the APs are managed and can pass vlans. Happens, everyone can miss details :D Since topicstarter wants to save his APs, my proposal still remains - use wireless bridge as transport for EoIP or L2TPv3 tunnel or s...
by kleshki
Mon Sep 23, 2024 6:26 pm
Forum: General
Topic: Problems with a large number of users
Replies: 1
Views: 509

Re: Problems with a large number of users

You probably should setup queues to limit user bandwidth
by kleshki
Mon Sep 23, 2024 5:32 pm
Forum: General
Topic: Segregate an internal Wireguard server
Replies: 16
Views: 1113

Re: Segregate an internal Wireguard server

User can set whatever he wants, but wg traffic still doesn't bypass firewall. So if you tell in-interface=wg-users out-interface=whatever-allowed action accept and drop at the end, you are fine.
by kleshki
Mon Sep 23, 2024 5:16 pm
Forum: General
Topic: Struggling with VLAN configuration (egress works but not ingress)
Replies: 16
Views: 1263

Re: Struggling with VLAN configuration (egress works but not ingress)

I don't say it's impossible, I only say that scheme states there's WiFi 7 between APs, not wire. We can only guess if it's possible to wire them or not, until topic starter returns back with answers
by kleshki
Mon Sep 23, 2024 5:10 pm
Forum: General
Topic: Struggling with VLAN configuration (egress works but not ingress)
Replies: 16
Views: 1263

Re: Struggling with VLAN configuration (egress works but not ingress)

I guess the idea is that it's impossible to have wired connection between APs, since locations are called home and office, they are separate. And APs build a wireless bridge. In that case, it doesn't matter if APs are directly attached to CRS and RB, or through small smart switches and trunk ports.
by kleshki
Mon Sep 23, 2024 2:21 pm
Forum: General
Topic: Winbox 4
Replies: 4
Views: 833

Re: Winbox 4

No, admin privileges are not required to run winbox, it only may ask you to add to the firewall but that's automatic. You may have some kind of "custom image" of windows, where everything is cut for "performance" reasons. Those suck, but no one can guess what causes your problem...
by kleshki
Mon Sep 23, 2024 1:47 pm
Forum: General
Topic: Segregate an internal Wireguard server
Replies: 16
Views: 1113

Re: Segregate an internal Wireguard server

You can create multiple wireguard interfaces and connect to them separately.
by kleshki
Mon Sep 23, 2024 1:45 pm
Forum: General
Topic: Struggling with VLAN configuration (egress works but not ingress)
Replies: 16
Views: 1263

Re: Struggling with VLAN configuration (egress works but not ingress)

If you want to put VLAN-unaware devices to VLAN, you use untagged ports on your VLAN-aware switch and that's it. Won't that make all the devices connected via the switch part of the same VLAN? I want the segregation to happen also at the switch level, I want to have different ports associated with ...
by kleshki
Mon Sep 23, 2024 2:51 am
Forum: General
Topic: Struggling with VLAN configuration (egress works but not ingress)
Replies: 16
Views: 1263

Re: Struggling with VLAN configuration (egress works but not ingress)

If you want to put VLAN-unaware devices to VLAN, you use untagged ports on your VLAN-aware switch and that's it.
by kleshki
Sun Sep 22, 2024 2:38 am
Forum: General
Topic: Too many winboxes
Replies: 11
Views: 1277

Re: Too many winboxes

Do like this

Image
by kleshki
Sat Sep 21, 2024 11:57 pm
Forum: General
Topic: Pc not reachable [SOLVED]
Replies: 8
Views: 1423

Re: Pc not reachable [SOLVED]

You probably should just have correct gateway on your WS. If it's only at vlan10, you should specify default gateway of the corresponding vlan and the traffic will pass to it without any extra actions. It's also weird for me that you use 10.x.x.0/24 address for each vlan, this is not intended for us...
by kleshki
Sat Sep 21, 2024 9:05 pm
Forum: General
Topic: CHR dhcp-client in defconf
Replies: 4
Views: 817

Re: CHR dhcp-client in defconf

https://i.imgur.com/qPURAfr.png This is literally what happens when you follow official wiki guide to install CHR into ubuntu VPS (curl -> unzip -> dd) here. While you enter "admin" through VNC, kindly decline an offer to read full license agreement, type new password twice, a bot that s...
by kleshki
Sat Sep 21, 2024 8:20 pm
Forum: General
Topic: Too many winboxes
Replies: 11
Views: 1277

Re: Too many winboxes

Seems to be an XY problem. Ask what you wish, not about winboxes.
Very true noted above, if it's just for logs, you can log to remote.
by kleshki
Fri Sep 20, 2024 4:38 pm
Forum: General
Topic: endpoint-independent-nat 100% CPU
Replies: 2
Views: 1249

Re: endpoint-independent-nat 100% CPU

Didn't have a deal with e-i-n, but you can probably try to supout when CPU is already high but not 100% yet (around 95%+)
by kleshki
Fri Sep 20, 2024 12:19 pm
Forum: General
Topic: DNS handling on mikrotik - i'm confused
Replies: 1
Views: 669

Re: DNS handling on mikrotik - i'm confused

1) If DoH is configured, regular DNS is used to resolve DoH hostname only 2) It is on 7.16 already, you can try it out. On older versions, static entries are ignored when DoH is configured, so you may or may not disable it - doesn't matter 3) No way currently, only one DoH can be configured at once ...
by kleshki
Fri Sep 20, 2024 2:05 am
Forum: General
Topic: CHR dhcp-client in defconf
Replies: 4
Views: 817

Re: CHR dhcp-client in defconf

IIRC, it's pretty new that CHR has dhcp in defconf. And firewall stuff is usually extra-service for extra money, pretty unnecessary after you setup your own security. I think a good thing is to have all stuff like dhcp, L2 discovery, IP services and MAC-access stuff to be disabled by default, and pr...
by kleshki
Fri Sep 20, 2024 12:49 am
Forum: General
Topic: CHR dhcp-client in defconf
Replies: 4
Views: 817

CHR dhcp-client in defconf

What's the point of dhcp-client in default CHR configuration? If CHR is deployed on owned servers, it's no problem to setup address through console or even login through MAC. I got caught in a situation, where I did fresh CHR installation on a VPS using dd, and was literally too slow to login though...
by kleshki
Tue Sep 17, 2024 10:35 pm
Forum: General
Topic: [SOLVED] IPv6 - Advertise router as DNS - dynamic IPv6 prefix
Replies: 3
Views: 693

Re: IPv6 - Advertise router as DNS - dynamic IPv6 prefix

You can advertise LL address fe80::whateveritis/64 which is not dynamic
by kleshki
Tue Sep 17, 2024 1:07 am
Forum: General
Topic: Ubuntu proxy settings changed itself to all_proxy=socks://127.0.0.1:8888 while reading about socks on Mikrotik website
Replies: 9
Views: 1214

Re: Ubuntu proxy settings changed itself to all_proxy=socks://127.0.0.1:8888 while reading about socks on Mikrotik websi

Blaming MikroTik for setting proxy properties in your browser is another stage of weirdness. Check if your PC is compromised
by kleshki
Mon Sep 16, 2024 8:35 pm
Forum: General
Topic: May you recomend me an SSTP VPN service?
Replies: 9
Views: 1227

Re: May you recomend me an SSTP VPN service?

SSTP has decent speeds with CHR where VPS provider has correct passthrough of AES-hw encryption AND you specify AES256-GCM encoding (while AES256-SHA doesn't enable Hw.Crypto flag for some reason). I personally do not know what exactly means "correct passthrough" but I've seen around 50-70...
by kleshki
Sat Sep 14, 2024 6:43 pm
Forum: General
Topic: Suggest load balancing method for imbalance 4 PPPoE wan uplinks
Replies: 2
Views: 577

Re: Suggest load balancing method for imbalance 4 PPPoE wan uplinks

You can still use PCC but play with values, so more goes into WAN1
by kleshki
Sat Sep 14, 2024 1:26 pm
Forum: General
Topic: Suggestion to MikroTik - market verticals
Replies: 14
Views: 1264

Re: Suggestion to MikroTik - market verticals

I use hap ax3 at home, why would I lose functionality because someone bought wrong home device that "just don't work"? Those who did it accidentally can just return it back to shop. When you open MT shop cart, in literally every shop you can definitely see reviews like "it's HARD to s...
by kleshki
Sat Sep 14, 2024 12:14 am
Forum: General
Topic: RouterOS CHR limits bandwidth to ~400Mbit....
Replies: 25
Views: 1925

Re: RouterOS CHR limits bandwidth to ~400Mbit....

It's both 1Gb/s up and down simultaneously, so it's actually 2Gb/s speed according to your screen. You can try setting direction to send/receive and you probably see more. For P10 it seems to be a bug with license limitation, since P-unl works fine. Do you also monitor host resources state? Maybe in...
by kleshki
Fri Sep 13, 2024 9:48 pm
Forum: General
Topic: Suggestion to MikroTik - market verticals
Replies: 14
Views: 1264

Re: Suggestion to MikroTik - market verticals

Oddly enough - https://help.mikrotik.com/docs/display/ROS/Device-mode [admin@MikroTik] > system/device-mode/print mode: enterprise interesting. Perhaps MikroTik is already been thinking they need to segment in some manner. You can set mode manually, this is another thing, probably created to rent t...
by kleshki
Fri Sep 13, 2024 1:39 pm
Forum: General
Topic: RouterOS CHR limits bandwidth to ~400Mbit....
Replies: 25
Views: 1925

Re: RouterOS CHR limits bandwidth to ~400Mbit....

Yep, true.
I think the first thing that should be tested is P unlimited, so there's no internal limiting mechanism involved.
If the issue resolves, then it's a P1/P10 bug, if not - something else.
by kleshki
Fri Sep 13, 2024 1:23 pm
Forum: General
Topic: RouterOS CHR limits bandwidth to ~400Mbit....
Replies: 25
Views: 1925

Re: RouterOS CHR limits bandwidth to ~400Mbit....

I know this seems to be related to a license at first, but maybe not. It's interesting to see if the problem persists on another type of hypervisor, especially in Hyper-V since it doesn't use virtio drivers for switches. Also, what happens if you try to acquire different type of license for testing ...
by kleshki
Thu Sep 12, 2024 9:44 pm
Forum: General
Topic: 7.16rc memory leak probably related to OSPF
Replies: 2
Views: 834

Re: 7.16rc memory leak probably related to OSPF

I didn't open a separate ticket for that, but sent my supout in another ticket wifi-related (I've notified them that I can't test wifi further because of that crash), so they know I had this problem and received supout, but dunno how do they handle this. No response for ticket where I sent it.
by kleshki
Wed Sep 11, 2024 12:44 am
Forum: General
Topic: RouterOS CHR limits bandwidth to ~400Mbit....
Replies: 25
Views: 1925

Re: RouterOS CHR limits bandwidth to ~400Mbit....

No, in first post you stated that you run speedtest from container. Can you do the same but now watch perfmon
by kleshki
Tue Sep 10, 2024 11:15 pm
Forum: General
Topic: RouterOS CHR limits bandwidth to ~400Mbit....
Replies: 25
Views: 1925

Re: RouterOS CHR limits bandwidth to ~400Mbit....

What if you do profiling when you do iperf from internal source through CHR?
by kleshki
Tue Sep 10, 2024 3:20 pm
Forum: General
Topic: RouterOS CHR limits bandwidth to ~400Mbit....
Replies: 25
Views: 1925

Re: RouterOS CHR limits bandwidth to ~400Mbit....

With BTest your CPU is under 100% load, that may probably cause issues. Can you use Tools->Profile to see if your router handles your loads maybe?
by kleshki
Tue Sep 10, 2024 2:06 am
Forum: General
Topic: RouterOS CHR limits bandwidth to ~400Mbit....
Replies: 25
Views: 1925

Re: RouterOS CHR limits bandwidth to ~400Mbit....

Or just spin a CHR on the same prox host without any config just with BTest server, can't see a reason why it can take more than 2 minutes to do so
by kleshki
Mon Sep 09, 2024 11:56 pm
Forum: General
Topic: RouterOS CHR limits bandwidth to ~400Mbit....
Replies: 25
Views: 1925

Re: RouterOS CHR limits bandwidth to ~400Mbit....

You can try to spin iperf container inside CHR and test there (there are examples of successful setups)
by kleshki
Mon Sep 09, 2024 10:13 pm
Forum: Announcements
Topic: v7.16rc [testing] is released!
Replies: 362
Views: 117317

Re: v7.16rc [testing] is released!

I'm using same version 23.70.2.3 adapter is AX201
by kleshki
Mon Sep 09, 2024 9:35 pm
Forum: General
Topic: RouterOS CHR limits bandwidth to ~400Mbit....
Replies: 25
Views: 1925

Re: RouterOS CHR limits bandwidth to ~400Mbit....

What is your configuration? I.e. firewall rules and so on.
Have you run perftests from CHR directly to some local host?
What are resources of the CHR VM? How many vCPU and RAM
by kleshki
Mon Sep 09, 2024 7:48 pm
Forum: Announcements
Topic: v7.16rc [testing] is released!
Replies: 362
Views: 117317

Re: v7.16rc [testing] is released!

I am facing Wi-Fi connection issues with my hAP ax3, causing the laptop to disconnect during Zoom meetings. As you can see in the logs the laptop gets disconnected from AP despite having the strong signal. This happened in the recent stable version (7.15.3) and still happens in the latest rc versio...
by kleshki
Sun Sep 08, 2024 8:59 pm
Forum: General
Topic: SOLVED | RouterOS bridge blocking traffic but not SwOS [SOLVED]
Replies: 8
Views: 1739

Re: RouterOS bridge blocking traffic but not SwOS [SOLVED]

/summon mind-reader guys
without config export I doubt anyone can help you
by kleshki
Sat Sep 07, 2024 9:03 pm
Forum: General
Topic: Untagged VLAN1, tagged VLAN10 and untagged VLAN10 on the same bonding interface
Replies: 6
Views: 674

Re: Untagged VLAN1, tagged VLAN10 and untagged VLAN10 on the same bonding interface

Make a separate tagged wireless network for those several clients, create an appropriate L3 routing between "several-clients-vlan" and work vlan. Block in firewall when work access is not desired.
by kleshki
Fri Sep 06, 2024 9:16 pm
Forum: General
Topic: DHCP is offered but not bound to Brother printers only [SOLVED]
Replies: 36
Views: 3279

Re: DHCP is offered but not bound to Brother printers only [SOLVED]

Printers tend to be kinda dumb with wireless and can keep their address longer. If you can access printer's network stack through its physical panel, you can check out if maybe an address is stuck and should be reset, my suggestion is this now Everything connected smoothly! Thank you very much kles...
by kleshki
Fri Sep 06, 2024 7:29 pm
Forum: General
Topic: DHCP is offered but not bound to Brother printers only [SOLVED]
Replies: 36
Views: 3279

Re: DHCP is offered but not bound to Brother printers only [SOLVED]

Printers tend to be kinda dumb with wireless and can keep their address longer. If you can access printer's network stack through its physical panel, you can check out if maybe an address is stuck and should be reset, my suggestion is this now
by kleshki
Fri Sep 06, 2024 5:19 pm
Forum: General
Topic: DHCP is offered but not bound to Brother printers only [SOLVED]
Replies: 36
Views: 3279

Re: DHCP is offered but not bound to Brother printers only [SOLVED]

/interface wifi datapath
add bridge=bridge disabled=no name=home-private-datapath vlan-id=100
add bridge=bridge disabled=no name=home-guest-datapath vlan-id=10
add bridge=bridge disabled=no name=iot-datapath vlan-id=50
/interface bridge vlan
add bridge=bridge tagged=bridge,wifi-5ghz-guest vlan-ids=...
by kleshki
Fri Sep 06, 2024 2:06 pm
Forum: General
Topic: Question for firewall
Replies: 5
Views: 526

Re: Question for firewall

Are you trying to catch L2 traffic in firewall? This doesn't pass through it. If device is connected directly, you need to enable IP firewall for bridge (or better consider other options of doing what you want).
by kleshki
Fri Sep 06, 2024 2:03 pm
Forum: General
Topic: address-list for static DNS entries
Replies: 3
Views: 1041

Re: address-list for static DNS entries

This looks like a request loop, so request is forwarded to localhost and hits FWD record again. I've also tried to point FWD record to localhost (so it resolves further with upstream), but this didn't work. Try to specify external DNS server.
by kleshki
Fri Sep 06, 2024 12:35 pm
Forum: General
Topic: Translate ip range
Replies: 1
Views: 435

Re: Translate ip range

Hello and welcome to forum
You probably have to post your firewall rules, including filter ones, so we don't have to guess what you have already done and what can be wrong with it.
by kleshki
Fri Sep 06, 2024 12:31 pm
Forum: General
Topic: DHCP is offered but not bound to Brother printers only [SOLVED]
Replies: 36
Views: 3279

Re: DHCP is offered but not bound to Brother printers only [SOLVED]

Can you manually add wireless interfaces to the ;;;luogo vlan as Tagged?
After that, restart your wireless interfaces, so they are removed from untagged
by kleshki
Fri Sep 06, 2024 10:11 am
Forum: General
Topic: IPv6 for SSH Tunnel Server
Replies: 17
Views: 1799

Re: IPv6 for SSH Tunnel Server

Maybe you can try to ssh into router with IPv6?
by kleshki
Fri Sep 06, 2024 10:00 am
Forum: General
Topic: VRRP on Hyper-V instance ROS 7.15.3 not working (MAC Spoofing enabled)
Replies: 11
Views: 1556

Re: VRRP on Hyper-V instance ROS 7.15.3 not working (MAC Spoofing enabled)

There is a promiscuous mode in Hyper-V, however, it seems that just enabled spoofing and trunk mode on a virtual port is enough. At least this seems to work between two CHR instances on a single Windows 11 Hyper-V host - they failover correctly with just one packet lost. Will try it out with separate...
by kleshki
Fri Sep 06, 2024 12:47 am
Forum: General
Topic: TRACEROUTE - REVERSE DNS
Replies: 4
Views: 958

Re: TRACEROUTE - REVERSE DNS

In the Mikrotik DNS , add static entries for the MT devices.
It will create the corresponding reverse DNS (PTR) entries with the correct syntax for you.
Is it possible to do the same for IPv6 when prefix is dynamic? ::1/64 something like that AAAA record
by kleshki
Fri Sep 06, 2024 12:42 am
Forum: General
Topic: DHCP is offered but not bound to Brother printers only [SOLVED]
Replies: 36
Views: 3279

Re: DHCP is offered but not bound to Brother printers only [SOLVED]

I suggest you change admit frame type to "admit all" on wireless interfaces and try it out. I can't explain, but I remember I had issues with wifi and vlans on 7.x, but now I look at my own config and see that wifi interfaces are actually shown under "Current tagged" in /interfa...
by kleshki
Thu Sep 05, 2024 11:56 pm
Forum: General
Topic: DHCP is offered but not bound to Brother printers only [SOLVED]
Replies: 36
Views: 3279

Re: DHCP is offered but not bound to Brother printers only [SOLVED]

I suggest you change admit frame type to "admit all" on wireless interfaces and try it out. I can't explain, but I remember I had issues with wifi and vlans on 7.x, but now I look at my own config and see that wifi interfaces are actually shown under "Current tagged" in /interfac...
by kleshki
Thu Sep 05, 2024 8:19 pm
Forum: General
Topic: VRRP on Hyper-V instance ROS 7.15.3 not working (MAC Spoofing enabled)
Replies: 11
Views: 1556

Re: VRRP on Hyper-V instance ROS 7.15.3 not working (MAC Spoofing enabled)

Answering own question:
1. Set bridge port passed-through off vswitch frame types to admit tagged-only
2. Set bridge frame types to admit all, set PVID to the desired VLAN for VRRP packets
3. In bridge/vlans add desired VLAN to list, add bridge as untagged, port as tagged
by kleshki
Thu Sep 05, 2024 7:24 pm
Forum: General
Topic: DHCP is offered but not bound to Brother printers only [SOLVED]
Replies: 36
Views: 3279

Re: DHCP is offered but not bound to Brother printers only [SOLVED]

Can you post some kind of your connection scheme, like are those printers wireless or wired and what ports/networks do they use, is there a switch (managed or dumb) in-between and so on
by kleshki
Thu Sep 05, 2024 3:56 pm
Forum: General
Topic: VRRP on Hyper-V instance ROS 7.15.3 not working (MAC Spoofing enabled)
Replies: 11
Views: 1556

Re: VRRP on Hyper-V instance ROS 7.15.3 not working (MAC Spoofing enabled)

Ok, after some investigation I've found out that: Attempt 2: was a stupid misconfiguration by me, where I duplicated vlan20-vrrp IP and static IP of another device in subnet. Everything works. Attempt 1: I managed to get it working by: 1. Create a bridge. Add ether1 to bridge. Assign unused subnet I...
by kleshki
Thu Sep 05, 2024 2:30 pm
Forum: General
Topic: DHCP is offered but not bound to Brother printers only [SOLVED]
Replies: 36
Views: 3279

Re: DHCP is offered but not bound to Brother printers only [SOLVED]

Nothing.
/interface bridge
add admin-mac=48:A9:8A:XX:YY:ZZ auto-mac=no comment=defconf frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes
You can check it with either UI or by typing
/interface bridge export verbose
There is pvid=1 which is not exported since it's default value, but ...
by kleshki
Thu Sep 05, 2024 2:20 pm
Forum: General
Topic: DHCP is offered but not bound to Brother printers only [SOLVED]
Replies: 36
Views: 3279

Re: DHCP is offered but not bound to Brother printers only [SOLVED]

Once you set a port as trunk, default remains at 1, true, since the setting "Admit only VLAN tagged" obsoletes that anyhow. Access ports should be set to the pvid for the VLAN they are supposed to handle and "Only admit untagged ...". Nowhere else (besides trunk ports) I have pv...
by kleshki
Thu Sep 05, 2024 2:06 pm
Forum: General
Topic: DHCP is offered but not bound to Brother printers only [SOLVED]
Replies: 36
Views: 3279

Re: DHCP is offered but not bound to Brother printers only [SOLVED]

From The unofficial official VLAN bible: https://forum.mikrotik.com/viewtopic.php?t=143620 A word of caution if you are thinking of using VLAN 1 in your network design. Most vendors use VLAN 1 as the native VLAN for their hardware. MikroTik uses VLAN 0. If you try to create a VLAN 1 scenario with M...
by kleshki
Thu Sep 05, 2024 1:12 pm
Forum: General
Topic: lo iface in LAN list
Replies: 11
Views: 884

Re: lo iface in LAN list

5678 seems to be LLDP traffic
by kleshki
Thu Sep 05, 2024 12:53 pm
Forum: General
Topic: lo iface in LAN list
Replies: 11
Views: 884

Re: lo iface in LAN list

As already stated above, there's a defconf rule to accept input from loopback (commented for CAPsMAN) on some devices, so you probably already had the rule but accidentally removed it.
by kleshki
Thu Sep 05, 2024 12:40 pm
Forum: General
Topic: lo iface in LAN list
Replies: 11
Views: 884

Re: lo iface in LAN list

For me it doesn't look ok, because lo doesn't actually represent LAN. Eventually you could have some case when you have to have it separate. So my suggestion is to make an explicit accept rule for lo interface and place it before drop rule:
/ip firewall filter add action=accept in-interface=lo
by kleshki
Thu Sep 05, 2024 12:04 pm
Forum: General
Topic: DHCP is offered but not bound to Brother printers only [SOLVED]
Replies: 36
Views: 3279

Re: DHCP is offered but not bound to Brother printers only [SOLVED]

DHCP offer but not accepted I've usually seen with incorrect VLAN configuration (so traffic goes out but doesn't return back). Haven't checked the config yet, but maybe you will find it yourself, or probably there's a misconfigured switch in-between. Edit: my assumption is that you have pvid=10 on bot...
by kleshki
Thu Sep 05, 2024 12:00 pm
Forum: General
Topic: Potential RouterOS Bug: Slow Wireguard Performance over IPv6
Replies: 2
Views: 639

Re: Potential RouterOS Bug: Slow Wireguard Performance over IPv6

I have both IPv4 and IPv6 tunnels established (using separate interfaces and peers) and I have equal bandwidth on both protocol versions. Tunnels are between hap ax3 <-> CHR and CHR <-> CHR.
by kleshki
Thu Sep 05, 2024 11:58 am
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

This is not a (permanent) solution since reducing channel width also lowers throughput.
by kleshki
Wed Sep 04, 2024 4:41 pm
Forum: General
Topic: SFP+ inactive when in 802.3ad Bonding
Replies: 1
Views: 471

Re: SFP+ inactive when in 802.3ad Bonding

802.3ad requires you to have same interface speed to establish
by kleshki
Wed Sep 04, 2024 3:17 pm
Forum: General
Topic: 7.16rc memory leak probably related to OSPF
Replies: 2
Views: 834

7.16rc memory leak probably related to OSPF

Hello Using hap ax3 device, with 7.16rc4 firmware. Just established ospfv2+v3 sessions. After receiving routes, I had around 500mb free ram (as usual), but in a minute router rebooted. After returning back it tells that kernel failure happened with out of memory condition. After tunnel and session r...
by kleshki
Tue Sep 03, 2024 5:32 pm
Forum: General
Topic: CHR UEFI boot
Replies: 0
Views: 852

CHR UEFI boot

Why can CHR images still not boot in EFI mode natively? I've seen a bunch of topics that the image itself already contains all necessary files to do it, it's just formatted to ext2 and there are people who had success in running it. So, what is the reason not to fix it in all new VM images? One ...
by kleshki
Tue Sep 03, 2024 1:36 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

I've updated the driver with MT support from Intel site, at the moment of ticket opening it was v. 23.30.something release date 01.24 latest driver and there was no success. I've downloaded the one from your link and it shows v. 23.70.2.3 release date 24.07.2024 (AX201). It seems releases occur less...
by kleshki
Tue Sep 03, 2024 11:27 am
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

I'm not sure, does it make sense to share my ticket here? Can other people see my supouts and so on?
by kleshki
Mon Sep 02, 2024 10:48 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

I've sent a bunch of supouts already, the last advice is to set channel width to 20 MHz which is kinda weird for a 5 GHz network. They also stated that the issue only reproduces with Windows version of Intel drivers (Linux clients are stable) dunno if it is the case. It's also worth noting that windo...
by kleshki
Mon Sep 02, 2024 10:28 pm
Forum: General
Topic: VRRP on Hyper-V instance ROS 7.15.3 not working (MAC Spoofing enabled)
Replies: 11
Views: 1556

Re: VRRP on Hyper-V instance ROS 7.15.3 not working (MAC Spoofing enabled)

is there maybe anything which disallows or filters 00-00-5E-00-01-.. mac addresses? vrrp interfaces use those No such things. I had no success at all until I googled for esxi that mac spoofing should be enabled and found where to fix that for hyper-v. Now it's this. Gonna give it a try on a sr-iov ...
by kleshki
Mon Sep 02, 2024 7:54 am
Forum: General
Topic: VRRP on Hyper-V instance ROS 7.15.3 not working (MAC Spoofing enabled)
Replies: 11
Views: 1556

Re: VRRP on Hyper-V instance ROS 7.15.3 not working (MAC Spoofing enabled)

you should run VRRPs inside each VLAN if you are working with group-authority on one VRRP (and there only can be one if there are multiple VRRPs) the vrrp group-authority only works correct on the lowest VLAN ID (found that one out last week after about 2h of "wiresharking" and eliminatin...
by kleshki
Sat Aug 31, 2024 7:41 pm
Forum: General
Topic: executing script from winbox failed, please check it manually
Replies: 13
Views: 3601

Re: executing script from winbox failed, please check it manually

I think Mikrotik should implement a more verbose error info, since finding these errors is very time-consuming.
Or it's up to you to well-document things you do in your network, to decrease diagnostics time
by kleshki
Sat Aug 31, 2024 5:24 pm
Forum: General
Topic: IPv6 over SSTP [SOLVED]
Replies: 2
Views: 1574

Re: IPv6 over SSTP [SOLVED]

Thanks for explanation, now it's all clear for me!
by kleshki
Sat Aug 31, 2024 5:12 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

TL;DR: 7.16rc4 fixes all wifi related issues. I recently was trying to stream a remux to LG C2 via Plex and found out I was also running into the same problem. The Plex log was showing as device(WebOS tv) was constantly getting disconnected and reconnected which then continued the stream on tv. Aft...
by kleshki
Sat Aug 31, 2024 2:51 pm
Forum: General
Topic: IPv6 over SSTP [SOLVED]
Replies: 2
Views: 1574

IPv6 over SSTP [SOLVED]

Hello! Haven't found any related information, because all questions related are mostly about PD through tunnels, but mine is different. I have an SSTP tunnel between two MikroTiks. In PPP->Protocols there's an IPv6 option. When enabled, I have a LL-address on both sides of tunnel. They can be pinged f...
by kleshki
Thu Aug 29, 2024 2:13 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1527
Views: 366486

Re: 📣 WinBox 4 is here 📣

Huge release, nice one MikroTik!

Things I've noticed:
1. Log tab is not automatically scrolled to the end, so each time should scroll manually
2. New dropdown instead of tabs isn't very comfortable (2 actions to navigate instead of 1), probably should be a setting to switch
by kleshki
Wed Aug 28, 2024 4:34 pm
Forum: Announcements
Topic: v7.16rc [testing] is released!
Replies: 362
Views: 117317

Re: v7.16rc [testing] is released!

ppptran, this is your first comment in this topic. Have you reported your issue somewhere else? Mikrotik are no mind-reader. Well, I am well aware of the issue. I have searched the whole mikrotik forum and it came up with several fellas have the same issue. Basically: I'm using X86 and Compex WLE900VX...
by kleshki
Tue Aug 27, 2024 11:49 pm
Forum: General
Topic: VRRP on Hyper-V instance ROS 7.15.3 not working (MAC Spoofing enabled)
Replies: 11
Views: 1556

VRRP on Hyper-V instance ROS 7.15.3 not working (MAC Spoofing enabled)

Hello. I'm trying to setup redundancy with Hyper-V CHR instances. The desired configuration is ISP switch (single public IP) -> VLAN4000 -> My stackable switches -> LACP Bonding to server -> Windows Server with Intel X520-2 (both ports bound in LACP) -> vSwitch with SR-IOV enabled VMQ enabled -> CHR...
by kleshki
Fri Aug 23, 2024 5:05 pm
Forum: General
Topic: Firewall drop DHCP across EoIP
Replies: 27
Views: 2194

Re: Firewall drop DHCP across EoIP

Make an interface list for dhcp-enabled or dhcp-disabled interfaces and create an appropriate rule for the specified interface list (rule template above).
by kleshki
Thu Aug 22, 2024 2:25 pm
Forum: General
Topic: Winbox neighbors with EoIP
Replies: 2
Views: 772

Re: Winbox neighbors with EoIP

Should be doable if you enable neighbor discovery for eoip in IP->Neighbors and add your eoip to bridge
by kleshki
Sun Aug 18, 2024 1:24 am
Forum: Containers
Topic: TeamSpeak 5 docker
Replies: 0
Views: 4372

TeamSpeak 5 docker

Hello. Recently I've managed to get TeamSpeak 3 working in a ROS container, which involves installing mariadb and ts server itself (two containers) and a bunch of env's for them. Now I've found there's a beta of TS5 server here . It contains docker-compose file, but it looks way longer and requires ...
by kleshki
Tue Aug 13, 2024 7:28 pm
Forum: General
Topic: IPv6 troubles with multiple static addresses in CHR
Replies: 3
Views: 907

Re: IPv6 troubles with multiple static addresses in CHR

Is there anything I can do about this? Adding multiple IPv6 addresses works bad - some of them work flawless, some have packet loss and huge ping... Is this a thing to blame the provider or it's a fault in my configuration? In traceroute I can see, that previous hop before my host timeouts, is that ...
by kleshki
Sun Aug 11, 2024 11:06 pm
Forum: General
Topic: Mangling Wireguard handshakes through another tunnel
Replies: 20
Views: 2041

Re: Mangling Wireguard handshakes through another tunnel

https://forum.mikrotik.com/viewtopic.php?p=902082#p902082 Hope I've done this right, and you can get my email correctly: ...
by kleshki
Sun Aug 11, 2024 10:16 pm
Forum: General
Topic: Mangling Wireguard handshakes through another tunnel
Replies: 20
Views: 2041

Re: Mangling Wireguard handshakes through another tunnel

Are you sure you don't want to continue this discussion in private?
Yes, we can continue in private
by kleshki
Sun Aug 11, 2024 9:41 pm
Forum: General
Topic: Mangling Wireguard handshakes through another tunnel
Replies: 20
Views: 2041

Re: Mangling Wireguard handshakes through another tunnel

not a WG expert, so could be wrong Same here, but I can easily imagine the whole "responder" thing just means that if the session towards the peer is currently not established, an arrival of a payload packet that would normally trigger its establishing is ignored, but while a session exis...
by kleshki
Sun Aug 11, 2024 8:03 pm
Forum: General
Topic: Mangling Wireguard handshakes through another tunnel
Replies: 20
Views: 2041

Re: Mangling Wireguard handshakes through another tunnel

I do understand the purpose, I would just expect that you send the distinctive types of packets via SSTP in both directions, hence the reversed order would not obstruct the purpose...? Maybe this would be the only way, but ideally this should be one-way only, because if I attach just one additional...
by kleshki
Sun Aug 11, 2024 7:16 pm
Forum: General
Topic: Mangling Wireguard handshakes through another tunnel
Replies: 20
Views: 2041

Re: Mangling Wireguard handshakes through another tunnel

Yep, maybe I expressed myself wrong. Not strictly wrong, just ambiguously. It's dynamic, so may change after reboot and so on, but it's public. That's why the srcnat rule's action is masquerade but not src-nat Understood, but as the initial packet passes (or at least should pass) through the SSTP, y...
by kleshki
Sun Aug 11, 2024 7:04 pm
Forum: General
Topic: Mangling Wireguard handshakes through another tunnel
Replies: 20
Views: 2041

Re: Mangling Wireguard handshakes through another tunnel

In Wireshark I do filter by wg-specific packets (wg.type == 1 || wg.type == 2 || wg.keepalive) so I can detach them clearly from the data packets which are also sniffed by udp port. OK, I never dug that deep, given my prejudice against WG :) PPPoE external means the address that I can see in /ip ad...
by kleshki
Sun Aug 11, 2024 6:55 pm
Forum: General
Topic: Mangling Wireguard handshakes through another tunnel
Replies: 20
Views: 2041

Re: Mangling Wireguard handshakes through another tunnel

I've tried the /tool sniffer thing, but there's a ton of packets passing into it and they just fly, so I think using shark could be equal tool. Wireshark would be interesting if you were interested in the contents of the packets, but since they are encrypted anyway, there is not much point. After s...
by kleshki
Sun Aug 11, 2024 6:06 pm
Forum: General
Topic: Mangling Wireguard handshakes through another tunnel
Replies: 20
Views: 2041

Re: Mangling Wireguard handshakes through another tunnel

I think I've almost got what you mean. :D would change of language help? can do the trick, am I right? ... Edit: seems that not, tried that - mangle packet counter increases, srcnat rule stays at zero. The wireguard packets are sent by the router itself, so their source address is chosen in the firs...
by kleshki
Sun Aug 11, 2024 3:47 pm
Forum: General
Topic: Mangling Wireguard handshakes through another tunnel
Replies: 20
Views: 2041

Re: Mangling Wireguard handshakes through another tunnel

Your widespan action=masquerade rule is most likely causing the issues - the initial transport packet is a "handshake" one so you send it via SSTP, but as the masquerade rule is not selective, the reply-dst-address of the Wireguard connection becomes the one attached to the SSTP interface...
by kleshki
Sun Aug 11, 2024 2:22 pm
Forum: General
Topic: Mangling Wireguard handshakes through another tunnel
Replies: 20
Views: 2041

Re: Mangling Wireguard handshakes through another tunnel

Second config is in code tag too, but post looks weird, I dunno how to fix this also
by kleshki
Sun Aug 11, 2024 2:19 pm
Forum: General
Topic: Mangling Wireguard handshakes through another tunnel
Replies: 20
Views: 2041

Mangling Wireguard handshakes through another tunnel

Hello! I have a Wireguard both IPv4/v6 setup between CHR VPS (ROS 7.15) and hap ax3 (ROS 7.14.1) connected through PPPoE (but not behind NAT). Now I have a task to hide WG service packets, so I decided to raise SSTP tunnel. Then I discovered through Wireshark, that IPv4 handshake is 176 bytes, keepa...
by kleshki
Wed Aug 07, 2024 10:23 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

What I did to “fix” disconnections on my hAP AX3 was increasing the DHCP lease time from 30 minutes to 1 day on all the interfaces. My iPhone was disconnecting all the time before doing this change. I've also tried this, (un)fortunately I'm not an Apple user, so all my devices work regardless of DH...
by kleshki
Wed Aug 07, 2024 11:47 am
Forum: General
Topic: Connect with OVPN to the same subnet
Replies: 1
Views: 461

Re: Connect with OVPN to the same subnet

Setup OVPN in different subnet. Establish something like EoIP over OVPN, add EoIP interface to bridge on both sides
by kleshki
Tue Aug 06, 2024 3:54 pm
Forum: Announcements
Topic: v7.16rc [testing] is released!
Replies: 362
Views: 117317

Re: v7.16rc [testing] is released!

Any fixes for WiFi disconnects on ax devices? https://forum.mikrotik.com/viewtopic.php?t=208199 this is annoying bug, not allowing to use any of new firmwares released I replied to you in that thread - I have not noticed any problems with the operation of WiFi access points in AC/AX bands. I use CA...
by kleshki
Tue Aug 06, 2024 11:47 am
Forum: Announcements
Topic: v7.16rc [testing] is released!
Replies: 362
Views: 117317

Re: v7.16rc [testing] is released!

Any fixes for WiFi disconnects on ax devices?
viewtopic.php?t=208199 this is annoying bug, not allowing to use any of new firmwares released
by kleshki
Sun Aug 04, 2024 10:53 pm
Forum: General
Topic: IPv6 troubles with multiple static addresses in CHR
Replies: 3
Views: 907

IPv6 troubles with multiple static addresses in CHR

Hello! I'm trying to setup IPv6 in my VPS with CHR (v 7.15). VPS provider gave me a /64 prefix and fe80::1 as gateway. Here's config on my side (first 4 blocks of addresses are omitted):
/ipv6 address
add address=0000:0000:0000:0000:: advertise=no interface=ether1
add address=0000:0000:0000:0000:abc...
by kleshki
Fri Jul 26, 2024 10:54 am
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

Update 7.15.3 does not solve the problem
This seems to not happen until "wifi-qcom" note appears in a patch-note (which is not the case for 7.15.3 nor beta branch)
by kleshki
Sun Jul 21, 2024 12:52 am
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

Hi, Did you try changing security to WPA2-PSK only and Management Protection to disabled? I have had similar issues/inconsistencies and this seems to have helped (although it is certainly not an ideal solution). I am currently at 7.15.2, so I have yet to do more testing with newer ROS versions. Thi...
by kleshki
Mon Jul 08, 2024 8:02 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

7.15.2 out, seems still no fix. As I understand from reading through the pinned topic of 7.15 update, the issue is mostly related to ax devices. Has anyone tried beta branch, are there any changes?
by kleshki
Tue Jun 25, 2024 2:28 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

After contacting MikroTik support, they told me there's a bunch of feedback about 7.15 fw having disconnects, but they also told me there's some kind of problems reproducing this bug in their lab. So current solution for home devices is to revert back to latest 7.14.x, since in 7.15 there's qcom-dri...
by kleshki
Mon Jun 17, 2024 8:11 am
Forum: General
Topic: ROS 7.15 problems with slave guest wireless interface
Replies: 6
Views: 1188

Re: ROS 7.15 problems with slave guest wireless interface

/interface bridge vlan
add bridge=lan-bridge untagged=wifi-5ghz-guest vlan-ids=10
Is that all you have in vlan filtering settings? And where should your AP send tagged traffic then?
There's an interface in /interface/vlan it should go there, no?
by kleshki
Thu Jun 13, 2024 1:39 am
Forum: General
Topic: ROS 7.15 problems with slave guest wireless interface
Replies: 6
Views: 1188

Re: ROS 7.15 problems with slave guest wireless interface

Yes, I've added them statically. Here's current relevant configuration
/interface bridge
add name=lan-bridge vlan-filtering=yes
/interface vlan
add interface=lan-bridge name=guest vlan-id=10
add interface=lan-bridge name=lan vlan-id=100
/interface wifi configuration
add antenna-gain=0 country="...
by kleshki
Wed Jun 12, 2024 8:15 pm
Forum: General
Topic: ROS 7.15 problems with slave guest wireless interface
Replies: 6
Views: 1188

Re: ROS 7.15 problems with slave guest wireless interface

You have to make guest interfaces static and manually add them to bridge and filter them in vlan filtering. As such:
/interface wifi cap set discovery-interfaces=vlan241_mgmt enabled=yes slaves-static=yes
New ax devices are able to grab datapath from capsman and use vlan settings from capsman. Older de...
by kleshki
Wed Jun 12, 2024 4:46 pm
Forum: General
Topic: ROS 7.15 problems with slave guest wireless interface
Replies: 6
Views: 1188

ROS 7.15 problems with slave guest wireless interface

Hello! I'm trying to create a guest wlan in ROS7 (did that before in ROS6 with/without capsman, all good).
# 2024-06-12 18:37:07 by RouterOS 7.15.1
/interface bridge
add name=lan-bridge vlan-filtering=yes
/interface vlan
add interface=lan-bridge name=guest vlan-id=10
add interface=lan-bridge name=la...
by kleshki
Thu Jun 06, 2024 10:42 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

An optimistic update on the topic: I decided to roll back from 7.15 to factory firmware which is 7.14.1 and there seem to be no disconnects for some hours already. The bandwidth is still bad so there is a place for tweaks still. But at least it's stable now.
by kleshki
Thu Jun 06, 2024 6:04 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

And got another disconnect with above config.
20:01:47 wireless,info 0C:7A:15:F5:D2:AF@wifi-5ghz disconnected, connection lost, signal strength -75
20:01:47 wireless,debug 0C:7A:15:F5:D2:AF@wifi-5ghz disassociated, connection lost, signal strength -75
20:02:15 wireless,debug 0C:7A:15:F5:D2:AF@wifi-5...
by kleshki
Thu Jun 06, 2024 5:32 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

Here's my current configuration, now looks pretty simple.
/interface wifi channel
add band=5ghz-ax disabled=no frequency=5180,5220,5640-5730 name=5ghz skip-dfs-channels=all width=20/40/80mhz
/interface wifi configuration
add antenna-gain=5 country="United States" disabled=no name=home-priv...
by kleshki
Thu Jun 06, 2024 2:59 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

WiFi Analyzer tells this:
Channel 136 5680 GHz (I've added some channels after another connection drop)
Channel width 20 MHz
Protocol 802.11ax (metro UI still shows 802.11ac, was also ax with tp-link)
Dunno what to trust there now, reverting to old router shows ax proto in metro UI again
After setti...
by kleshki
Thu Jun 06, 2024 12:48 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

What exact wireless card is in the laptop?
Intel(R) Wi-Fi 6 AX201 160MHz
by kleshki
Thu Jun 06, 2024 12:24 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

The antenna gain is incorrect, it should be 5 or 6 (in the manual it shows 5.5). Don't know what the default is, at least it is not 0. Can't set it to decimal value, gonna try with 5 and respond back with results. Any ideas on why laptop is not recognizing ax protocol tho? Because Samsung shows "...
by kleshki
Thu Jun 06, 2024 11:49 am
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 139
Views: 16076

Re: hap ax3 random wireless disconnects

Hi @tangent and thanks for your detailed answer! Here's export of wifi section
int wifi export
# 2024-06-06 13:21:28 by RouterOS 7.15
# software id = **ELIDED**
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = **ELIDED**
/interface wifi channel
add band=5ghz-ax disabled=no frequency=5180,5220 name=...