MikroTik

Moba

You have multiple APs, that could be the first reason for coverage issues. Then, the walls and the materials inside them can also cause issues. I would check the coverage/signal power with the main unit (the L009) across the house and add the hAP's only where needed to reduce interference. Usually, ...

Moba

LOL @anav. I guess the OP had trouble finding a suitable name for /export file=anynameyouwish

Moba

Even high-end firewall devices can be overwhelmed without mitigation under attack once cores are loaded/buffers are full. The 5009 is a small wonder router, but it's still a low power ARM device. Basically, if it can't be done by the ASIC, it has to be done on the CPU. If you know how to run softwar...

Moba

I'm assuming the uplink is the WAN interface, then, yes, it works for traffic going through that port (ether1 by default). However, in this case, upload/download limits are reversed (only matters if the link is non-symmetrical). You can also limit the bridge or the LAN (192.168.88.0/24 or whatever l...

Moba

The 4011 can handle 940 Mbps up and down easily over WAN (max port speed minus overhead), even on newer firmwares with QoS. Something is wrong with your config or your Ethernet cables are really bad... - check your speed without the 4011 - use a default config - check your CPU usage per core on the ...

Moba

Your device is a switch by design - the CPU used is not designed for high bandwidth NAT. While FastTrack does lower the load, it's still not an optimal device to be used as a router. The RB5009 would be a more suitable device. https://mikrotik.com/product/crs310_8g_2s_in#fndtn-testresults https://mi...

Moba

@anav Your UK friend has the correct answer https://forum.mikrotik.com/viewtopic.php?t=148825#p733499 I don't believe it's that simple. If you prioritize the consoles by IP, they will hog the bandwidth when downloading games and updates, just like with the Asus. If you put the streaming clients abo...

Moba

Since posting in this thread, I have been surprised by the very good performance of the wave2 drivers under 7.12 with my aging RB4011 with default values (not much to tweak anyway). I am reaching 900 Mbps with an ac class device using ax clients and 550 Mbps with ac clients. I have almost no interfe...

Moba

For budgetary reasons I was planning to order the ax lite if its wireless performance is indeed better than my current router.

You should be happy with the lite. It will also receive updates for a few years...

Moba

@Moba
Not sure if it was 7.12, definitely in 7.13beta, I already tested it.
Check release notes.

Noted. There were complaints in the past about this feature being removed. I do not use it...

Moba

No problem, happy you got it working...

Moba

Like previously mentioned, it looks like a security protocol mismatch. Also, make sure you have the exact same SSID/password combination.

Moba

Still ... I can get 400Mbps with AX Lite. On 2.4GHz and when having a proper wifi6 client.

That is indeed very good. My ac clients barely get more than that on 5 GHz. I couldn't find Wi-Fi results yesterday, other than what was posted on YT by MT.

Moba

The ax lite will be enough for the bandwidth you described and 2.4 GHz offers better signal penetration than 5 GHz. The ax2 is the best price/performance purchase, but it is almost double the price. @holvoetn, how is the range on your ax lite unit ? Device's with external antennas usually give bette...

Moba

Without a complete config, it seems that you are only limiting traffic marked from LAN (with src address) going out to WAN in the prerouting chain. Please check pcunite's thread for the correct way to mark all traffic so downloads are also limited. You can also con mark by interface - it's less effi...

Moba

Without knowing the speed of your internet package, any model of the hAP ax series. The ax lite is a budget model that has only one 2.4 GHz radio and might be underpowered for more than 300 Mbps, but the ax2 and ax3 are solid models for up to 1 Gbps internet service. The current wave2 drivers on tho...

Moba

If the product was recommended by your vendor, I would return it. This model has been discontinued. MT does offer newer (current) low-cost solutions that should perform much better...

Moba

A simple and naive question: Why do I have a router with Gibit ports if he is not able to rout in GBits speed with a simple fasttrack rule? While mkx's explanation is valid, there is also marketing. The SoC manufacturers sell products with planned interconnects for various retail products with hype...

Moba

Isn't the new smaller wave2 driver in 7.13 available for this model ? I am not sure what was changed (maybe updates on the clients), but the package available in 7.12.1 has been exceptionally good on my 4011. I am getting a solid 900 Mbps on ax clients for the first time... Everything is automatic w...

Moba

I have no experience with this model, but I would expect better results with the default config (FastTrack). Almost everything you add thereafter will increase CPU load. Did you check the individual cores or just the average ? The average result under CPU can hide a single core at 100% which becomes...

Moba

The NSS driver is probably closed source, just like Broadcom's acceleration bits. Again, those drivers are surely for a specific kernel version and must be updated by the SoC manufacturer. So basically, MT can't update or use that driver - they rely on FastTrack for NAT and L3 HW offloading on the P...

Moba

There is no fix and there won't be. Routers, like any other embedded device, have a limited lifespan. They worked as described in 2015 and weren't lemons under v6. Why anyone would buy this model new at the end of 2023 is beyond reason. If these units are "hobbled" for your use case, then ...

Moba

There's a cost/performance balance that needs to be part of the discussion on purchasing a new device IMO. Where I live, there are absolutely not discounts to be had on older MT devices, so they are being sold at more or less the same price as newer devices. As 1 Gbps+ home packages are becoming mai...

Moba

You don't provide any scenario requiring monitoring, so this is a generic answer. As a low impact home solution, you can make a simple queue to monitor your gateway interface and reset it manually each month. You can make a queue for each user/client, and do the same thing. The problem with services...

Moba

The hEX is underpowered by today's standard. If you ever need QoS or extra firewall rules, it won't handle that speed. hAP ax models are more powerful and designed for ROS 7. You can turn off the radios.

Moba

No, I haven't, with any version. Have you tried to reset your config since you upgraded ? If you did, maybe Netinstall. I am testing 7.12.1 presently. I will update you in a few weeks.

Maybe check if there are differences between those 13 configs that could explain this behaviour.

Moba

Like previously said, 127.0.0.1 is a special address for the local computer connecting to itself, and !WAN means not from WAN. The default filter rules are solid and shouldn't be changed unless you know what the rules are doing.

Moba

I had time to waste and checked my theory - blocking the two ranges used by Discord at my location in raw, and no more Discord. Simple solution - the app loads with a blank screen. Using an address list (from content strings) doesn't block the app completely even if the addresses are part of those r...

Moba

Asking over and over won't change the facts. MT doesn't have DPI and ROS can't decrypt SSL. Everything else is easily circumvented at this point, because traffic is encrypted now, including DNS. Even very expensive enterprise proxy/firewall solutions aren't 100% effective these days (they do block m...

Moba

@mkx, I think you missed what I meant by without FastTrack . I never implied that FastTrack wasn't available in v7, but if you need queues, FT is more or less out. The performance loss on single uploads/downloads has been documented since the cache was removed in 3.6 (more than a decade ago !). Neti...

Moba

My RB4011 has cores at 100% at less than 1 Gbps without FastTrack on v7 - which is the reason I reverted to the previous branch where the cores reach 60% under the same conditions. You cannot compare it to the RB5009 with MT official numbers, since they didn't use the same kernel. The latter is a mu...

Moba

Why reply to a post after almost 3 months and claim that it is off-topic when you can't be bothered to read the question preceding said post ?

Moba

Do what every one else does, use steam to play online. I use switch when family comes over and we play mario cart etc......... @anav, Steam is just a portal - the port forwarding requirement for certain games has nothing to do with Valve - it's a developer decision. For example, Xbox port 3074 is a...

Moba

FastTrack is not bypassed, you just set it to a specific client's IP traffic (by default it processes all tcp/upd established connections), so it can use the reserved bandwidth if there is congestion. Your 40 Mbps connection might be over-provisioned (a WAN speed test will determine this) by 5 Mbps....

Moba

@mutluit, the main issue is that the hAP ac3 doesn't appear to be supported...

Many old supported routers can be purchased for almost nothing if one wants to try OpenWRT (all supported models are listed on the official site).

Moba

https://openwrt.org/toh/mikrotik/start
https://openwrt.org/toh/mikrotik/common

Moba

You need to change the subnet to match your network range and the client's static ip (from the DHCP server). You must also disable the default FastTrack rule in the firewall - otherwise the queue is bypassed. At the very least, the queue will provide fair sharing of the bandwidth, making sure you do...

Moba

I was actually surprised by my results because I had done my homework and tested multiple clients before settling on my settings. However, it's been my experience that even updating firmware can have a major negative impact on performance with various clients for no apparent reason. There are lots o...

Moba

You can lower the priority of large downloads with mangle rules. It would be for all downloads using the same protocol and the same port, however. This is explained in the QoS guide that you can find in the forums.

Moba

I played with my RB4011 5 GHz (WLAN drivers) and an old iPhone 11 to show how much little changes can make a huge difference without any bad tweaks that can make performance much worse: From 2 feet - avg 3 runs Default values --> no channel error - radio disabled 20 MHz + 5180 (best free available) ...

Moba

The 400-440 Mbps is internal network traffic or internet up and down? How do I measure the Wifi performance using MacOS? It's down from my ISPs speed test portal - so WAN and on a recent phone. My older Apple devices get 350-380 Mbps. It doesn't get better with these on LAN. Settings are: 20/40/80M...

Moba

You can FastTrack the gaming client (with a static address) and queue everything else as you wish, with a limit 20% lower than your max (the rest would be reserved for the gaming client to avoid queuing latency). A SFQ type simple queue can do that. You can FastTrack the game ports as well, if you p...

Moba

The hAP ac2 can route close to 1 Gbps with FastTrack. Over Wi-Fi, my units get around 400-440 Mbps from a few feet - throughput falls apart with distance and a few walls. The ax3 should get at least 50% more and have far better range. Something isn't right with your results...

Moba

You can prioritize packets only by queuing them, i.e. you delay or drop other packets... Otherwise, you can try adding the game ports to a FastTrack rule in the firewall and disable the default one, but then the CPU will take a big hit from NAT for all other traffic - unless you have a more powerful...

Moba

8 Mbps isn't enough for 4K and the lower limit for HD. Without knowing how your queue was implemented, if mangle is used and where you're streaming from, how can we help you ? If you're streaming online, do a trace route. Packets aren't queued if the limit isn't reached, so it has no effect on traff...

Moba

Routers have no control on cloud providers - you would need some creative mangle rules/queues to make downloads fail. Try another browser/file location.

Moba

Good to know you managed to get things working. Many vulnerabilities on MT concern people who leave WAN access to services and WinBox/Webfig. By changing the default admin account and restricting access to the input chain to your LAN only, you solve most of these potential issues. There are many tut...

Moba

@mikrotix I think there's a language barrier making dialogue difficult. I just tried to point out that marketing is a tool that may or may not reflect actual client experience - because you started a thread that seemed to claim that MT has bad marketing/they don't care about anyone because your own ...

Moba

Please do not take offence at the following... 1. Marketing is meant to put a product/service in a favourable light to sell more of them. Some advertisers will even mislead or lie to get more sales in order to achieve market growth. It's not wasted resources, it's how business works. MikroTik has yo...

Moba

Can I replace the memory in RB3011?

No you can’t. If you replace the chip, you lose your ROS license.

Moba

Once you have a diagram... 1. Set a new system/password 2. Set the WAN port and DHCP client 3. Create a bridge for LAN and bind the ports as required (including wlan on WiFi models) 4. Add your LAN range to ip/addresses 5. Configure the DHCP server - you can add static addresses - ping to verify 6. ...

Moba

I played with this a bit, and the major issue for me is the path switching between both routers. NAT is required by the gateway in IPv4, so obviously using two routers, even if you reverse the path, still incurs double NAT. I got failover working (following the MT guide) quite easily when the second...

Moba

Reposting the same question will probably get you the same answers. Still no budget...and buying older models at the same price as newer models seems counterproductive. AFAIK, MT doesn't discount older models, so a 4011 will cost the same as a newer 5009 (at least locally). @anav - clever new name -...

Moba

1. If you require more help, a network diagram will get you better guidance - and help you get things running correctly... 2. Building your own config from scratch will greatly improve your knowledge of ROS and help you understand how packets travel on your network. Make sure you add basic firewall ...

Moba

Welcome to the forums... Forgive me, but considering the length of your post, I will just give brief answers... - There are many ways to achieve QoS on ROS. However, the more you rely on mangle and queues, the more you risk latency and CPU load. If you regularly saturate your connection, you can pri...

Moba

What is the policy for warranty of Mikrotik devices bought from Amazon? The main advantage of Amazon purchases is fast/free delivery, and their 30 days return window on almost everything. You're basically at the mercy of the third party vendor or the manufacturer thereafter, at least according to A...

Moba

viewtopic.php?t=143620
https://help.mikrotik.com/docs/display/ROS/VLAN

Moba

There might be a way to direct NAT on the main router to router 2 and masquerade on that router then. I won't have time until Friday to test my theory, though - and I might not be knowledgeable enough to get it to work, since I always set NAT on the router connected to the gateway. In this sense, th...

Moba

The whole point of using an advanced LAN-WAN double router topology is to isolate one network from the other. But since both routers are on the same subnet, it must be a firewall issue. While this is becoming a common setup, I am not equipped to test it at home and my knowledge is limited in this re...

Moba

You can check the configuration of both routers - ideally, only the router connected to your internet gateway (WAN) should have NAT. /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" \ ipsec-policy=out,none out-interface-list=WAN This is often a subject of d...

Moba

Moba you have 150 useless comments so please be quite. Helping ourselves before insisting for help from others goes a very long way in getting what we need in life. No one here has to provide you anything. The question isn't the issue... As for my useless posts, they never ask for help here from an...

Moba

Is NAT provided only by the first router ?

Moba

Basic setup that insures connectivity, assuming that the main router is connected to the internet... Main router ip: 192.168.88.1 DHCP server range: 192.168.88.10-192.168.88.254 NAT enabled Gateway: set by ISP In LAN-WAN: Second router: 192.168.89.1 DHCP server range: 192.168.89.10-192.168.89.254 NA...

Moba

You have VLANs and 2 routers that seem to be in a cascade using LAN-WAN on two subnets - so probably a configuration issue and maybe double NAT as well. Are you using 2 DHCP servers ? From a blank config, add the new subnet ip address and DHCP server on that range, bridge the ports, set the radio, e...

Moba

could please anyone answer questions above? Why can't you search for them ? I honestly stopped reading after "get rid of password" and fail to see this as a major issue when you have one device. The workarounds were posted here already if you search for them, and the final answer is you c...

Moba

You're trying to run VPN encryption on a very weak embedded device. If you can't use Nord's client software (PCs, tablets and phones are much more powerful), you will need to purchase a more powerful router. You can also use some sort of low-cost security gateway or a firewall appliance as a drop in...

Moba

Many devices do not yet support WPA3. As a home user, you do not need to worry. There is nothing broken with WPA2, unlike WPA.

Moba

Logically, any data that needs to be saved during normal operation will have its process fail if no memory is available, which can cause major issues. These routers are nice, but they weren't designed for v7 and that branch has numerous issues yet unresolved. I understand your need for ZeroTier, but...

Moba

You can replace the default password to whatever you want. If you reset the device with Netinstall, the original password is restored, as it should be for obvious reasons. BTW, MikroTik was required to do this. If you don't like it, purchase an older device. A simple search would have given you that...

Moba

Planing to combine this 2 connections more or less 60 devices and 3 AP's Thanks in advance for the help My recommendation is based on the fact that I am not a fan of running containers, VPNs and USB drives on small routers when it can be avoided, simply because they use performance limited processo...

Moba

I got curious and searched around for information on these new Wi-Fi 7 routers. Broadcom just makes it ridiculously difficult to get any performance information for their SoCs...why would end-users want to make informed decisions based on tested numbers instead of marketing BS... Anyway, one manufac...

Moba

My primary objective is to optimize my network for gaming, and my current internet service provider offers a speed of 500Mbps. I've heard that VLANs can be a key component in achieving this. Welcome to the forums... VLANs have nothing to do with gaming performance. If you want the best latency for ...

Moba

So, lawyer ask is better.

Indeed, the best advice. Ironically, the film industry has lots of experience in taking legal action to protect their property online and in many parts of the world, even VPN providers have to comply with requests by local authorities in criminal investigations...

Moba

You'd be surprised how many organizations are still running XP !!

I wouldn't. I work for an organization that prefers to pay low level techs countless hours to fix unfixable issues instead of buying something new...

Moba

MikroTik is still only catching up with WiFi 6. There's not even an successor of wAP ac for outdoor weatherproof use. I do not work for MikroTik and 6e will be like Vista if Wi-Fi 7 delivers on only 50% of its promises. Objectively, a 5009 combined with some new Wi-Fi 7 APs (when available) will pr...

Moba

Quick answer is hex, but no wifi, best answers is hapax3 for best bang for buck providing wifi and routing up to 1 gig and will have a long future for you being a new model with arm64 processor and plenty of ram etc..... No offence, but residential service plans where I live have already surpassed ...

Moba

Fastracking in Firewall comes after Mangle, so Mangle has more influence.

You're right. It's the queues that are bypassed.

Moba

Wireless repeaters will always give you limited performance, and properly placed APs will usually perform better than a single AIO unit (some of those ugly spiders do perform very well over wireless, though). Meshed units are another solution. With Wi-Fi 7 around the corner, I would wait if possible...

Moba

Fasttrack works fine with mangle rules, it's the default rule that doesn't because it forces connections to bypass mangle because it's a firewall rule. The fasttrack no-mark/all other traffic in mangle is an efficient way around the issue, but you can also fasttrack any marked connection as well to ...

Moba

This is not going to be very helpful, but I have two of these and the only issues I have had (incl. a bricked 3rd unit years ago) have been with v7. They run hot, but they have been rock solid as APs for me. To be fair, I dot not need to push them, since I have another router doing all the NAT/VLAN ...

Moba

Hello, please tell me how you managed to solve the problem? I have a similar problem and I cannot fix this problem using the officially proposed solutions

I replied to your other thread. Netinstall should not be necessary in your case.

Moba

Last night I tried to change the local IP address from 192 168 88 1 to 192 168 1 using WinBox with windows10. That's not a valid local IP address, so WinBox wouldn't have saved it. When you launch WinBox, is the router listed in the "neighbors" tab (connect via MAC address)? There is more...

Moba

Finally, after a whole night of trials, reset button pressed and waitings, I unbricked the ATL with NetInstall. Thanks you all for your support! This is good news. For the future, aside from the excellent backup power advice already given, you absolutely DO NOT "have to download the latest fir...

Moba

Tell me, did you manage to solve this problem? It seems we have the same problem Netinstall is the only viable option. By erasing the chip or replacing it, you also lose the ROS licence assigned to the device at the factory. So unless you plan to use OpenWrt... I have 2 of these, and they work a lo...

Moba

The simple answer, probably not. While I believe Wave2 specs state 200+ users per radio, theoretical and real world are two different things because of interference between clients. At my workplace (not using MT), 2x2 APs (low-end enterprise AC i.e. not Meraki or Ruckus) are deployed to cover around...

Moba

I'm sorry, I forgot that this feature is missing on new ax models (I don't have any). Having to use 2 MT devices makes its use restrictive...

Moba

The underlying difference may be elsewhere. That Asus uses 4x4 MIMO on AC if I read the specs correctly. AX3 uses 2x2 AX So even if there is a difference between wifi5 (Asus) and Wifi6 (MT), the difference in MIMO-usage gives an advantage to Asus. Not an equal comparison then. MT wireless cannot be...

Moba

Unless the unit is defective (possible, but unlikely), there's surely a setting/firmware issue in a space with probably lots of interference. You should downgrade back to the factory firmware just in case. Even if I had an ax3, my results would be different from yours. Anyway, it would also be good ...

Moba

I'm guessing that what you are looking for is wireless repeater mode . With a clean config, from the wireless tab, there's an option to set up a wireless repeater - you simply enter your SSID and password. You should be able to create a bridge with all the ports afterwards if you require Ethernet fu...

Moba

The supported channel bonding is 20+20 as mentioned (and usually not recommended), so you'll need to use the other band to get the speed you require on that device.

Moba

That seems very low for an AX class device. However, the AC86 was known for its range - even newer ASUS routers have a hard time keeping up. The ASUS can also automatically change the band used (Smart Connect) as required by the client. 1. How was the performance with the previous firmware, and are ...

Moba

FWIW I don't know what "microCAKE" is.

It was a v6 config posted in pcunite's QoS thread that was meant to somewhat replicate CAKE before it became available with the kernel update in v7. It used SFQ type queues with a minimal amount of mangle rules.

Moba

At the end, it all depends on what do you expect from wifi, for me stability is more important then have great speeds. Definitely agree, my 4011 has been the most stable router I have ever owned. I have never kept anything computer related for more than 2 years in more than 3 decades - that says a ...

Moba

At the risk of starting another QoS debate thread... 1. Get the best Internet service you can afford (many latency issues occur on the WAN side, where you can't control anything). 2. You can't improve your base latency with QoS, because schedulers/traffic shapers always add latency and CPU time . On...

Moba

Sorry for the late reply, but as you probably found out by now, they are sadly not user replaceable. And probably not worth the risk, since any AP can be used from a LAN port.

Moba

Thermal management may be an issue, I agree. As for the enclosure itself being the blocking factor, that's remediated with an external antenna. It exists. L009 with wifi. Maybe someone from MT will reply. Looking at the monstrous size of most tri-band/quad-band consumer grade routers, also using up...

Moba

L009 ? Same form factor as RB5009 ( I think ?) and with wifi possible. ( ok, only 2.4GHz but wifi nonetheless) I will try to find the video...it was after the 5009 launch when a lot of users were asking for an updated RB4011 (probably linked here somewhere or on Reddit since I dot not speak Russian...

Moba

What flak? The only big problem of that model is that its 2.4GHz wireless chip is not supported by wifiwave2, otherwise it's a great device (even the two switch-chip oddity is survivable). People were complaining about the bad Wi-Fi performance with early firmware versions and many experienced long...

Moba

You already have a somewhat official statement, and nobody knows what MT will offer in the next 24 months with Wi-Fi 7 around the corner. However, it's been clear for a long time that a Wi-Fi RB5009 would not be offered - a video was available years ago online (in Russian I believe) explaining that ...

Moba

I haven't upgraded to MT AX yet at home, but I would expect the newer units to perform better with their native drivers (only option with them anyway).

Moba

I've seen many RB4011/RB5009 for sale on the second hand market in the last year. Some people upgraded, while others probably didn't want to suffer the learning curve. Worth a look...

Moba

Wow, you're trying way too hard. If you went through the Netinstall troubleshooting procedure to no avail (search for tips on the forums), it's probably gone.

Moba

Did you search the forums ? User bpwl has posted a trove of tips over the years for fixing such issues. Also, depending on the firmware branch, results may vary. I get much better throughput on the wave2 drivers, but range is better for me with the in-house MT drivers.

Moba

Firmware and Software is on 6.49.10 .. ist there a way back for both ? or is only a software rollback necessary ? (sorry, it is my first time for a potential rollback) :-) btw: it's also a RB4011iGS+5HacQ2HnD-IN ... but no errors RX or TX on the interfaces ?!? Did you upload the older firmware to t...

Moba

Not sure where you're going with this thread. Doubling clock speed doesn't double processing power because other factors impact performance and become the bottleneck in any computer system . ARM is designed for specific tasks and low power requirements. There's documentation online explaining the di...

Moba

Real world and specs were never on par in the past. However, WiFi 6 offers up to eight streams on 5 GHz with ridiculous theoretical throughput, but even 2x2 and 4x4 devices are reaching max theoretical speeds on 80 MHz according to trustworthy sources (obviously in ideal conditions). Hopefully, MT w...

Moba

You shouldn't just copy configs from someone else. "WAN" and "LAN" are just the names used for the corresponding interfaces. They appear in the parent queue as defined on your router's interface settings, i.e. you can name them whatever you wish. If your WAN uses the name "e...

Moba

Throwing money at your problem is not the smart way to fix your issues. I can easily get bad WiFi by not setting up my gear correctly and using auto. Plan your network and AP locations (even if it's one). Survey. Start again with other devices. Compare. Tweak. It's not an As**, defaults are not grea...

Moba

Do a search for posts by user bpwl. Lots of advice already provided to tweak Wifi on MikroTik. If you don't provide your settings and how you obtained those results, not much more can be done. Wifi scanning software should be used. BTW, did you turn off the Wifi on the ISP router before connecting t...

Moba

Tracert on different routers shows some variation on the third hop (modem to isp) on my end. Sadly, my bad rural connection shows a lot more than 2 ms - jitter is terrible with my provider. Router to modem is always 1 ms though, and my ping times/jitter to Google are more or less stable. Which ROS v...

Moba

They have made choices about resource allocation and maintaining older hardware. The number of users who have issues with v7 on aging hardware is testament to this (and the godly patience of the people who reply to them on a daily basis). To be fair, many manufacturers who have better Wifi numbers a...

Moba

The 4011 is a great router, but its performance is disappointing on v7 (CPU pegged on mine just downloading/routing, which never happened for me on v6). That, and it's a weak ARM chip in the grand scheme of things. The 5009 is a major ARM revision is this regard overall. Without offloading, a cheap ...

Moba

Thanks for the update. You are either very unlucky or there might be a batch issue. I have seen a few threads about similar symptoms. Usually, link speed problems in homes are caused by damaged cables or cheap uncertified cables from Amazon. Good to know that the ax3 is working well...

Moba

Noted. @anav use Lynk...

Moba

It's not Firefox. Works fine here...

Moba

AFAIK, there’s no known issue causing this. The suggestion you were provided with already is the proper troubleshooting procedure ... 1. Netinstall 6.48.6 (latest long term): https://wiki.mikrotik.com/wiki/Manual:Netinstall 2. Try another power supply (any MikroTik supplier should have some in stock...

Moba

No problem.

Moba

Reposting the same question will not get you better answers...you can simply edit your initial post.

Moba

Well, since I can now assume that you are selling vouchers with set limits, you should probably pay someone qualified to answer your question. My examples would work in a free access coffee shop scenario, where one would want to stop users from abusing the free service. User accounting and billing i...

Moba

The people you know sound boring. I leave rooms in my house open all the time so people I don't know can come in and do as they please...

Moba

There's something wrong if you tested over ethernet. This device can handle a lot more bandwidth with Fasttrack unless the CPU is pegged doing other things. Reset the device, connect a single computer over ethernet and monitor the CPU cores while testing. Anything that can't be handle by the switch ...

Moba

The Hotspot functionality anav linked to might work. Otherwise, you can use mangle to mark connections exceeding a set number of bytes and queue them so that the bandwidth limit available will discourage any heavy downloading. This method is detailed in the QoS thread - in reality, you can not only ...

Moba

Reset the device with the latest long term firmware/software. By default, both switches are linked with a bridge and communicate without problem. Unless a switch chip died...

Moba

With a default setup using Fasttrack, the hAP ac2 is capable of close to Gigabit internet speed with NAT. Without NAT, it will switch over LAN at its rated speed no problem (computer to computer). It's the WIFI that's a bit disappointing. I would reset the device with the latest long term firmware a...

Moba

Why revive a thread after 4 years as a first post ? And your understanding is mostly misleading and wrong. The current options in 2023 are the hAP ax2, hAP ax3 or RB5009 with an AP.

Moba

Router cascade in LAN-LAN should bypass NAT (LAN-WAN would have double NAT, but the second router would be isolated on its own subnet). DHCP must be disabled on the second router though and it would need its own IP to work (192.168.88.2). I'd have to test this on MikroTik to be sure. Too late tonigh...

Moba

Optimization or not, the SoC is from 2010. Kernel 2.x was used at the time. Expecting the same performance from kernel 5.x 12 years later is not understanding all the things that go into a kernel update. Furthermore, internet speeds have increased dramatically in that timeline. The route cache remov...

Moba

The Pi was my recommendation for the DNS sinkhole, not for torrents. However, that seems low bandwidth for a Pi 4 over USB, which is reported to reach around 500-600 MB/s. Maybe it's the adapter you're using - try another external drive if you have one ? Regardless, having dedicated devices is the w...

Moba

Use the AP mode, if available, on the TP-Link.

Moba

It's a router with a low power ARM SoC. Adding ram to use it to run multiple servers won't make it a better/more secure router. I really don't get why these posts keep appearing - a humble Pi can do this much more efficiently and without risking issues with a critical network component that most peo...

Moba

Minecraft requires both UDP and TCP - UDP is always the most important for gaming. Without any other info, inbound requests are blocked by default (firewall) and is expected behaviour on any home router, modem-router and Windows/macOS. So, you need to disable the modem-router firewall (bridge mode s...

Moba

Without more info, lots of issues could be causing this... - firmware/software version (v7 still has issues) - interfaces not set properly - interference from neighbouring devices on 2.4 GHz - Distance and walls (worse on 5 GHz) - Device not behaving as expected with the MikroTik radio - Bad configu...

Moba

Where did MikroTik promote the idea of using their routers for Dockers or Pi-hole ? The 5009 has a very good SoC for routing (in home router world), but in computing world, it's a very limited low power ARM based SoC. Hence, any similar SoC in a router or NAS will have lots of limitations. An Intel ...

Moba

I can't replicate your issue. Have you tried older firmwares or 7.6? I've had other issues with the 6.49 branch and downgraded. All ports work as they should on my unit i.e. ports go down if the client connected goes to sleep/loses power, but otherwise stays up forever according to the logs. My mode...

Moba

I would start over with default rules and only add the top parent queue until it works. Since 192.168.88.0/24 matches the local IP, it should catch both the bridge (LAN) and ether1 (WAN). The child queues you add below the parent queue need their DHCP leases set to static and, with minor exceptions,...

Moba

Is the default FastTrack rule enabled in the firewall?

Moba

Without an official statement or insider knowledge, your guess is as good as any regarding future availability. The chip shortage isn't over and is still causing problems for many very large manufacturers in every sector. There's also a war going on. Marvell isn't the largest player, but they are st...

Moba

If you send me the devices, I'll properly compare whatever you wish and even post the results you want... Seriously, the published numbers are provided to compare devices in MikroTik's catalog - those numbers may or may not represent actual performance in the field. The AX2/AX3 were clearly designed...

Moba

Indeed, doubling core speed generally never equals doubling the performance because of other hardware/architecture limitations. This is a small, low power ARM SoC networking platform by design.

Moba

"They" as in MikroTik? The interface queue type is shown in the appropriate tab and can be changed there without a Simple Queue or a Queue Tree added. Ethernet ports will show only-hardware-queue by default. Any non-default queue type created should be available there as well. queue interf...

Moba

Limit the interface that your internet is connected to with a simple queue...??

Moba

CPU usage doubled on my box with v7 when I tested it (YMMV). It's not a bug, but to be expected with the upgraded kernel...

Moba

The published numbers show that the performance of the upgraded SoC on v7 is on par with the AC2 on v6 i.e. routing performance should be very good with FastTrack considering the cost. However, I doubt that it will handle CAKE/CoDel or other queue types any better than the previous gen because the i...

Moba

ASUS has buggy firmware, and if I remember correctly, getting the Dual Wan failover feature to work requires manually setting the DHCP list. If you tried getting help to no avail where Merlin lives, then MT is a good solution. I agree with both previous posters, the entry level hEX and hAP ac2 will ...

Moba

Once you have isolated your server from the rest of the network, you might consider additional DDoS protection:

https://tcpshield.com/

Moba

There's this great and useful thing called WinBox. I didn't test it myself, but it's said that it works with Wine, so you don't need Windows to use it.

Yes, it does work with Wine without any issues.

Moba

I will try to answer this clearly... 1. It's not my script...but a simple way to avoid clients starving off others is fair queuing. SFQ allows packets from each flow with a round-robin scheduler. It doesn't prioritize anything, so it will delay high priority packets once the limit is reached. The MT...

Moba

Firewall Raw if it's a limited range - you can use the firewall connections tab to get the addresses. Alternatively, L7 and TLS Host methods can work to build an address list, but are easily bypassed. MT doesn't offer simple URL or keyword filtering like those found on consumer routers. With a DNS s...

Moba

To Moba: Nobody, but find good HW is very hard. I don't need router with wifi, so almost every router has wifi part. I wanted strong router, but also a good software on it. So I choosed mikrotik, but I don't know, how buggy is. I still hoping, it will be better... If I buy router around 200USD, I a...

Moba

Yes, OpenWrt is ok for this device and it's also for simple user and the function is good. This is problem on the both sides...TP-Link, Asus..cheap HW, but on SW sides is ok. TP-Link is dead after 2 years of using (HW problems).. Mikrotik has very good HW and the SW is buggy...Not open for open sou...

Moba

Do not use the mangle rules and the queue tree you had. Create a new SFQ queue type with a perturb time of 10. Then add a simple queue with your LAN as target, a max limit of 90M/45M and use the new SFQ queue type you created. This should stop any client from starving all others by sharing the bandw...

Moba

I could overwhelm my RB4011 easily with a 400M WAN link using VLANs and badly configured mangle rules/queues. CPU is relative. Anyway, to answer your question clearly: There is no best queue type. It's the word "best" that made me reply and hype in general annoys me. When someone has used ...

Moba

What marketing? How is code provided through sponsored research and included for years in Linux kernels marketed exactly? Searching where? The authors have a very complete website explaining the purpose of CAKE, how to use it and its limitations. Furthermore, there's many published papers comparing ...

Moba

well so how you can explane why the same wifi card in the laptop works great on Qnap router but not on RB4011 :shock: I didn't reply to diminish the issues you had. I replied because this thread makes the RB4011 look like a bad option for wireless when it has worked well for me and I assume many ot...

Moba

For what it's worth, the WIFI on my RB4011 works fine for my use (even in my yard) and I've only had bad performance on very old Intel cards, while the proper APs from another manufacturer I have at work are terrible all around because they were apparently never configured properly (we're still wait...

Moba

As already noted, you need to correctly assign limits to the traffic to and from your router. To control traffic congestion, those limits must be 5%-20% lower than what is allocated by your ISP because there's no free lunch for QoS: traffic is controlled by either dropping packets over a hard limit ...

Moba

5 Mbps up is barely enough for 2 users these days for streaming Netflix and videoconferencing at the same time. Add a single Apple device using iCloud and bye bye gaming. Thus, excess packet buffering (bufferbloat) is quite probable...especially if the ISP is throttling bandwidth during peak hours. ...

Moba

I believe I explained that opening ports would not magically make gaming packets move faster nor provide a better gaming experience unless listen servers were required. If you disable the firewall, does the problem go away? That is what port forwarding does for those ports by allowing inbound connec...

Moba

Ads have been around for over 20 years on the web, just like the methods to block them. As public reliance on the web has skyrocketed through free services, so has the need for monetization through ads to provide those services (do you work for free?). Hence, Google is working very hard to maintain ...

Moba

add action=accept chain=forward dst-address=192.168.88.xxx dst-port=xxxx in-interface=xxxxx protocol=xxx If you need to forward more than one port, you can add all of them to the same rule. The more you add rules, the more confusing your config gets and the more resources are required to process ev...

Moba

Why are LAN clients connecting to your game server from the WAN ip? If you forward ports, why are you using UPnP? By default, only outbound connections are allowed for all LAN clients in the firewall filter. NAT is setup both ways accordingly. Logically, for clients to connect from the WAN side to y...

Moba

AFAIK, you can create a simple pcq queue on the interface that covers the address pool or a queue tree for each package on the server. There's even a tutorial on YT on how to use a script to create a QoS tree for each pppoe user automatically (it polls for new clients at a set interval). All of thes...

Moba

Dynamic speed for each client? Schedulers and queues must have a limit somewhere that is smaller than the physical limit of the connection for QoS. If the connection is never congested (limitless bandwidth), then QoS is not required because any number of packets can be sent or received at the same t...

Moba

A limit must be set globally somewhere for congestion in the queue structure to have control on which packets are prioritized, which are delayed, which are dropped first and to minimize bufferbloat. It's a trade-off for effective traffic shaping. If you do not set a limit, your ISP decides how to ha...

Moba

ROS has no way to identify application data, other than the workarounds I mentioned. The problem is that those workarounds are processor intensive and fiddly to setup even with tutorials. So port based QoS is usually recommended as the easiest way to avoid congestion for critical applications. This ...

Moba

You're absolutely right mkx, I just didn't check in WinBox when I replied. Oddly, I can enter 06:00:00 to 00:00:00 in the firewall schedule parameter without an error.

Moba

24:00:00 isn't a valid time. 12 am is 00:00:00.

Moba

What is the problem you're having? All these apps use port 80, 443 and many other ports. Usually, it's the VoIP and video conferencing ports that need to be prioritized over UDP. DSCP is the easiest way to insure that time sensitive packets aren't delayed or dropped (if DSCP is respected). You can a...

Moba

These threads keep coming back and you can use search for lengthy explanations (and rants in my case) about solutions. Some simple advice: - Use a default config and only add rules that you really need to avoid issues. - You only need to forward UDP 3074 for COD if you must have an open NAT type (te...

Moba

I've never tested the ac3, but it doesn't use the same SoC as the ac2. I had disappointing speeds with my RB4011+ at first compared to some ac2's I had experience with. I had to start with a new default config and manually set each radio. After tweaks, the WiFi range and speeds are very good for a s...

Moba

There's is no simple solution because QoS is a complicated topic. People have been working on this for decades. Routers that promise easy one click solutions don't work that well, otherwise everyone would include magic solutions on their hardware. CoDel and Cake have improved things for ease of use ...

Moba

All three of us are privileged to be living in a country where social policies have steadily increased disposable income for families in the last 50 years. MT has a big presence in countries that are not so lucky and where tech in general is not as accessible. I have no practical need for all the ne...

Moba

To be fair, modern consoles are now more or less completely locked down for economic reasons. Gaming computers on the other hand are not. Any competitive game means cheats installed long before titles hit retail. Rogue code and UPnP is a winning combination on any network. Your business experience s...

Moba

Why do you need to isolate it if it's safe ? And while you may know how to limit gaming clients, most novice users don't. All those vulnerabilities security researchers found must have been fake news...

Moba

You're a patient person. I have few solutions when port forwarding magically speeds up packets on a router on the authority of a gaming company.

Moba

The wireless is a buggy mess on MikroTik in general. Just checking my wireless settings causes the interface to reset (not changing anything!). On my 4011+, the defaults don't even enable the 5 GHz radio at all (invalid range message). I need to change the channel width and play with the bands used ...

Moba

I'll add that using UPnP on a secure router defeats its purpose. Might as well use that crap from Best Buy, hence my recommendation.

Moba

Yes, a destination rule opening only udp port 3074 in the firewall's forward chain for the client's IP (obviously made static) and a corresponding destination NAT rule so the client can act like a server. Game state traffic in COD (and other latency sensitive games) only uses udp. That's the connect...

Moba

There isn't a better queue type for QoS: It all depends on what your QoS objectives are. A single SFQ queue can insure an adequate user experience by simply dividing the bandwidth among users evenly. PCQ goes further by allowing address based queuing, as explained in the Wiki. For more complex QoS s...

Moba

I am a bit confused by what you are asking... PCQ is a queue type used for QoS to implement a form of fair queuing as you said. However, I am not sure about the rest... Queuing occurs when a bandwidth threshold is reached regardless of the number of users. You cannot have a functional QoS strategy w...

Moba

I aways like to check things myself before giving a final answer... It is a simple two step process in ROS: one NAT rule for the client and one firewall rule for the client. Proof it works on my 4011: https://ibb.co/D8B5DVq And like I explained already, it does not reduce latency or change anything ...

Moba

When listen servers are used on clients, you may have issues connecting to other players, as they will to you, depending on your NAT type. So you could get lag or wait a long time to connect. It's possible that listen servers are still used on consoles for CW or MW - I don't have an Xbox to check. I...

Moba

I used to play UT long before consoles where a thing and I ran quite a few servers back then, including home servers for my kids and their friends. I was also around when the Xbox came out and they added listen servers for MW2 on PC. But what do I know...you should listen to the gaming community tha...

Moba

I don't have time to go through all the thread this morning, but you seem to be fixing issues you don't have. Opening ports doesn't speed up anything for games - it lets you host matches on your client and it isn't required to play (listen servers). That's what the NAT type says. Adding any unnecess...

Moba

The update killed the wireless speed on a RB4011+ down to less than 8M. I couldn't even log in with WinBox/WebFig. Wired, everything was OK. I don't use the default channel width, so maybe I need to reset everything to default and start over. Since I spent many hours testing various devices to get g...

Moba

COD shouldn't require opening port 3074 unless CW went back to using listen servers and you want to host games on your client. If they are using listen servers, the garbage about NAT types on Activision's site applies.

Moba

When you connect the switch, devices behind it get an ip address from the router's DHCP server. Make them static and add them to an address list, then limit the list with a queue. If it's a managed switch, limit its ip.

Moba

/interface bridge port print
/interface bridge port remove numbers=

You haven't told us what you are trying to do. You can limit a client connected to a port by its address or a few ports by creating a VLAN for them.

Moba

I just tested limiting ether1 on my router (which isn't part of the bridge) using a queue and it works as expected (1M up and down). If you limit the bridge, you limit all ports on the bridge AFAIK. I can also limit ether1 using a simple queue without marking. But you can't limit a port that is part...

Moba

Ronald, if you don't want to use OpenDNS, you can look into using Pi-Hole to block porn and ads (a local DNS server). L7 isn't the right tool for the job.

Moba

6.47 is buggy and you will have better feedback if you post your config with an explanation as to why you want to limit ports.

Moba

My own testing proved that it is possible to limit or block streaming sites with L7 over 443 when the connection is initiated (I have no merit - I used the work that others shared). There are issues if you use Google's DNS (when unencrypted DNS is used to block) and everything is bypassed using Tor ...

Moba

The short answer is yes, it is possible. The problem is making a regex that covers half the internet...

^..+\.(pornhub|porn).*$

You mark the tcp connections with L7 in mangle for the network or certain addresses and then reject or drop them in the firewall filter.

Edit: Regex fixed

Moba

Your pic doesn't let us see neither what's blocked nor why you have two drop rules in the forward chain.

Moba

You can change the in. interface in /ip firewall mangle or /ip firewall filter (clearly accessible in Winbox). You can also fasttrack the ports directly without marking the connections first - 1 step instead of 2, so it should save a little CPU - a dev would need to confirm if this is the case or not.

Moba

Your topic title is misleading...
In order to help you unblock YT (if that is what you're asking), I would need to know how it was blocked in the first place.

Moba

Netinstall.

Moba

You can connect to the router, so that's good. I'm not a fan of anything after 6.45.8 - too many bugs reported - so I would downgrade and reset the default config. Your modem is set to bridge mode with NAT disabled if it has a built-in router, right ? Use Quick Set Home AP in Winbox. With your WAN c...

Moba

It's a config issue - I use Office 365 for work and have no problems accessing my account through ROS.

Moba

Yes, I have no experience with such requirements. Plus I have been batting zero percent all day and why would I break my losing streak LOL. So I take it that there is no way to identify and thus control gaming traffic. Well faced with this impossibility, if I was the OP I would not hesitate to chan...

Search found 214 matches