Community discussions

Search found 1647 matches

by tangent
Sun Nov 03, 2024 10:58 am
Forum: Beginner Basics
Topic: Added 2nd rb5009 to my setup and lost internet connectivity.
Replies: 2
Views: 192

Re: Added 2nd rb5009 to my setup and lost internet connectivity.

The damage from having duplicate IPs can last ~10 minutes after disconnecting the offending device as the ARP caches time out.

When you try this again, you likely want to configure the second RB5009 as a smart switch, not as a router.
by tangent
Fri Nov 01, 2024 10:30 am
Forum: Beginner Basics
Topic: Connecting Two Remote Locations Without Public IP
Replies: 13
Views: 489

Re: Connecting Two Remote Locations Without Public IP

Those were two separate questions, port-forwarding and public IP. A good many ISP-supplied modems do give port-forwarding capabilities without needing a public IP. Alternately, a good many can be put into bridge mode, allowing your hEX to acquire the public IP from the ISP directly, easing VPN setup...
by tangent
Fri Nov 01, 2024 2:11 am
Forum: Beginner Basics
Topic: Connecting Two Remote Locations Without Public IP
Replies: 13
Views: 489

Re: Connecting Two Remote Locations Without Public IP

an old hEX, that can offload IPSec encryption, but that is IPSec singular benefit. Granted, no question. It’s just that after you factor your time in, it might net out cheaper to drop in a 2024 hEX. you forgot a loopback and GRE tunnel parts in your list ;). I am planning my next MikroTik Solutions...
by tangent
Thu Oct 31, 2024 11:56 pm
Forum: Beginner Basics
Topic: Connecting Two Remote Locations Without Public IP
Replies: 13
Views: 489

Re: Connecting Two Remote Locations Without Public IP

IKEv2 is a bit more complex to set up… A bit? Hah! More like 3-10× more complicated, depending. Let's see: Three ports you need to forward through the firewall, not one. The vastly over-engineered X.509 certificate system vs Base64 hex strings for keys. Working out how each third-party vendor has ma...
by tangent
Thu Oct 31, 2024 10:59 pm
Forum: Beginner Basics
Topic: The first microtick in my life. VPN [SOLVED]
Replies: 1
Views: 165

Re: The first microtick in my life. VPN [SOLVED]

As a MikroTik forum, this isn't the best place to get advice on third-party solutions. If your VPN tech of choice is not among those that ship in RouterOS — or at least offer a compatible interface allowing interoperability — then you're risking having your posts deleted as off-topic here. In partic...
by tangent
Thu Oct 31, 2024 10:51 pm
Forum: Beginner Basics
Topic: Connecting Two Remote Locations Without Public IP
Replies: 13
Views: 489

Re: Connecting Two Remote Locations Without Public IP

There are a bunch of different VPN technologies built into RouterOS, largely because there isn't a single definition for what "VPN" means or why you'd set one up. What's your purpose in having a VPN? Yes, you say you want two sites connected, but why? For what specific purpose? Knowing tha...
by tangent
Thu Oct 31, 2024 10:40 pm
Forum: Beginner Basics
Topic: Help with setting up my first Mikrotik
Replies: 5
Views: 271

Re: Help with setting up my first Mikrotik

Starting over from scratch is either a stunt, a proof of network engineer "manliness," or it is an expression of NIH syndrome. It is perfectly fine to start with the default configuration and work from there. This is the position of my article on the default configuration: don't replace ...
by tangent
Tue Oct 29, 2024 12:21 pm
Forum: Beginner Basics
Topic: Hairpin NAT in v7.10
Replies: 4
Views: 246

Re: Hairpin NAT [can't figure it out]

My Lan network is 172.168.10.0/24. May I ask which division of Microsoft's LAN you run for them, then? (Ahem…) I'm not able to get to this site from LAN with http://mywebsite:5000. The necessary configuration is documented. Show your work, then we can explain what you've missed. The simplest thi...
by tangent
Fri Oct 25, 2024 3:10 pm
Forum: Announcements
Topic: Newsletter #121 | October 2024
Replies: 50
Views: 4906

Re: Newsletter #121 | October 2024

Block Diagram is available Another strange PoE choice: the PoE-in port is off the switch, a sensible choice for a router-class device, but we then have to ask which ISP modems provide PoE input power? Stretching for a use case, I suppose you could use this to create semi-airgapped small LANs off a ...
by tangent
Fri Oct 25, 2024 2:39 pm
Forum: Beginner Basics
Topic: From old AirPort Express to cAP
Replies: 3
Views: 379

Re: From old AirPort Express to cAP

I do not want a subnet That's an incompatible wish given your prior requirement that it be a router and not a bridge. The IP schemes have to be different on each side for routing to do its thing. There is no this side/ that side distinction otherwise. The wifi would be used for unregistered devices...
by tangent
Fri Oct 25, 2024 1:14 pm
Forum: Announcements
Topic: Newsletter #121 | October 2024
Replies: 50
Views: 4906

Re: Newsletter #121 | October 2024

don't have block diagram too Other open questions: The capabilities of this new switch chip; a doc search for “EN7562CT” turns up nothing. Can it do bridge VLAN filtering, for instance? The “E” prefix isn’t documented in the naming guide. I’d want that explanation to cover the reason why the 2024 ...
by tangent
Fri Oct 25, 2024 12:47 pm
Forum: General
Topic: S-RJ01 installed in server motherboard - not working
Replies: 2
Views: 196

Re: S-RJ01 installed in server motherboard - not working

Try the command at the end of this article. I’ve never had the chance to use this specific variant, but we did use the copper version (X11SPM-TF) for a while, which had a possibly related behavior quirk: you could run them no slower than 1G. If you accidentally plugged them into a 100M port, it woul...
by tangent
Tue Oct 22, 2024 12:01 pm
Forum: Announcements
Topic: v7.17beta [testing] is released!
Replies: 574
Views: 95047

Re: v7.17beta [testing] is released!

Depending on what type of router you use

hAP ax³ for the moment, 128 MB.

configure partitioning

Solid plan. Thanks for reminding me of the option.

I set the fallback sequence up for part0 → part1 → Etherboot. Sane?
by tangent
Tue Oct 22, 2024 7:41 am
Forum: Announcements
Topic: v7.17beta [testing] is released!
Replies: 574
Views: 95047

Re: v7.17beta [testing] is released!

I just had to revert another device from 7.17beta4 to 7.16.1 owing to these DHCP changes. This latest beta utterly wrecked an existing configuration: Three independent devices stopped getting their lease renewals: an iPhone 14 running iOS 17.6.1, a cheap WiiM DAC, and an AlmaLinux VM bridged to the ...
by tangent
Sat Oct 19, 2024 10:23 am
Forum: General
Topic: fingerprinting
Replies: 2
Views: 243

Re: fingerprinting

EAP? One unique fingerprint per device. Yay!
by tangent
Fri Oct 18, 2024 7:11 pm
Forum: General
Topic: IPv6 distribution within the LAN [SOLVED]
Replies: 14
Views: 768

Re: IPv6 distribution within the LAN [SOLVED]

Quick update: the switch is still getting a globally-routable IPv6 address under 7.17beta4 with my variant of @tdw's config fix applied, but it continues to show the NDP multicast regression issue despite a claimed fix in the Changelog. It looks like we'll have to wait for the third beta for a prope...
by tangent
Fri Oct 18, 2024 6:45 pm
Forum: Announcements
Topic: v7.17beta [testing] is released!
Replies: 574
Views: 95047

Re: v7.17beta [testing] is released!

/interface/bridge/mdb/add bridge=bridge group=FF02::2 ports=[/interface/bridge/port/find where bridge=bridge] I get "input does not match any value of port" from that command. However, on inspecting the MDB, I do see an entry for that IPv6 multicast group on the CRS328's bridge and on the...
by tangent
Thu Oct 17, 2024 8:52 am
Forum: Beginner Basics
Topic: Cannot connect to Jellyfin (Plex) on LAN
Replies: 3
Views: 377

Re: Cannot connect to Jellyfin (Plex) on LAN

The /16 mask is iffy. That takes over one entire RFC1918 range as a single subnet. If you want a /16, use one of 172.16 thru 172.31.

Since I don’t see .13 in your static DHCP reservation list, I’m going to guess the Plex box is set for /24 (255.255.255.0). That will cause havoc.
by tangent
Wed Oct 16, 2024 10:37 pm
Forum: General
Topic: IPv6 distribution within the LAN [SOLVED]
Replies: 14
Views: 768

Re: IPv6 distribution within the LAN [SOLVED]

/ipv6 settings set accept-router-advertisements=yes-if-forwarding-disabled Aha! This leads me to one of the solutions I was seeking in my top post: /ipv6/settings/set accept-router-advertisements=yes Simpler and more direct for a near-defconf smart-switch config, don't you think? And yes, it does f...
by tangent
Wed Oct 16, 2024 8:19 pm
Forum: General
Topic: IPv6 distribution within the LAN [SOLVED]
Replies: 14
Views: 768

Re: IPv6 distribution within the LAN [SOLVED]

And all clients that are connected via cable are successfully getting IPv6 addresses. Can't we chalk that up to DHCPv6 vs NDP/SLAAC? DHCPv6 has a different role than DHCPv4. I'm running a DHCPv6 client on the border router purely in order to get a PD from my ISP, and I am not running a DHCPv6 serve...
by tangent
Wed Oct 16, 2024 7:45 pm
Forum: General
Topic: IPv6 distribution within the LAN [SOLVED]
Replies: 14
Views: 768

Re: IPv6 distribution within the LAN [SOLVED]

Here is my current home configuration Thanks for sharing! I don't want to use DHCPv6 inside the LAN, but I did try applying your shorter RA lifetimes to the border router which owns the PD, and it didn't help. I also tried disabling ND on the CRS328, per both your advice and @tdw, but that also did...
by tangent
Wed Oct 16, 2024 7:31 pm
Forum: Announcements
Topic: v7.17beta [testing] is released!
Replies: 574
Views: 95047

Re: v7.17beta [testing] is released!

This upgrade appears to be breaking IPv6 ND (a.k.a. NDP) to wired clients connected to RouterOS switches, when those switches sit between the client and the NDP source. Full saga here, but the tl;dr is that rolling back to 7.16.1 via netinstall fixed the symptom, and re-upgrading to 7.17beta2 broke...
by tangent
Wed Oct 16, 2024 7:25 pm
Forum: General
Topic: IPv6 distribution within the LAN [SOLVED]
Replies: 14
Views: 768

Re: IPv6 distribution within the LAN [SOLVED]

Some bridge settings broke multicast until very recent versions of 7.x which prevented IPv6 from working properly Well, it looks like they've broken it again. After rebuilding my configuration from text backups atop the 7.16.1 netinstall, the client continued to get its NDP messages, but then on up...
by tangent
Wed Oct 16, 2024 5:01 pm
Forum: General
Topic: IPv6 distribution within the LAN [SOLVED]
Replies: 14
Views: 768

Re: IPv6 distribution within the LAN [SOLVED]

Progress: I just netinstalled the switch with 7.16.1 and suddenly the same client machine called out above is getting a globally-routable IPv6 address from the gateway. Next steps: Find out why the CRS328 itself is still not getting one despite "/ipv6 nd prefix default autonomous=yes". Upg...
by tangent
Wed Oct 16, 2024 8:11 am
Forum: General
Topic: IPv6 distribution within the LAN [SOLVED]
Replies: 14
Views: 768

Re: IPv6 distribution within the LAN [SOLVED]

I have similar setup but a tplink switch instead but all mine work?? Are you telling me that your TPLink switch is getting a globally-routable IPv6 address from your gateway router, and that all of the wired-only clients behind it are, too? I just followed my ISP directions like this then rebooted...
by tangent
Wed Oct 16, 2024 5:10 am
Forum: General
Topic: IPv6 distribution within the LAN [SOLVED]
Replies: 14
Views: 768

IPv6 distribution within the LAN [SOLVED]

I have a working IPv6 configuration to my ISP. It gets a /64 prefix via DHCPv6 and assigns itself an address from that pool. WiFi clients can then connect to that hAP ax³ and get an IPv6 address within that pool. These clients then get successful results when visiting the usual IPv6 test sites. My p...
by tangent
Thu Oct 10, 2024 12:41 am
Forum: General
Topic: New Ubiquiti Multi-gig RJ45 NBASE-T Transceiver not working
Replies: 58
Views: 11533

Re: New Ubiquiti Multi-gig RJ45 NBASE-T Transceiver not working

In my experience coding the SFP(+) for different vendors is only done to get around vendor lock-in. The experience behind the post above is from accidentally ordering a Huawei-coded version of FS.com's SFP-10G-T-30I after being advised that this unit runs far cooler than MikroTik's S+RJ10, the clo...
by tangent
Wed Oct 09, 2024 11:05 pm
Forum: General
Topic: New Ubiquiti Multi-gig RJ45 NBASE-T Transceiver not working
Replies: 58
Views: 11533

Re: New Ubiquiti Multi-gig RJ45 NBASE-T Transceiver not working

It's SFP. It is an industry standard. You'd think. And you'd think wrong. Why else would FS.com ship a given module matching the rough specs of this thread's topic in 20 different versions plus "Generic," each with a different product ordering attribute? Why would their staff follow up a...
by tangent
Mon Oct 07, 2024 3:28 pm
Forum: Beginner Basics
Topic: Bridge: 100 Mb or 1 G?
Replies: 10
Views: 2756

Re: Bridge: 100 Mb or 1 G?

I'm also having the same issue That's presumptive. You might be having the same symptom but by a different cause. Atop that, you're already telling us that the above solutions didn't work for you, right? I mean, you did try everything listed above, yes? Therefore, how can your problem be "the...
by tangent
Mon Oct 07, 2024 3:03 pm
Forum: General
Topic: Looking for instrction to isolate guest wifi networks
Replies: 12
Views: 633

Re: Looking for instrction to isolate guest wifi networks

Can someone explain the missing part with “…” (two places)
To replace it with properties related to wifi slave configuration…

Also local details like country settings, SSID, PSK… Things I don’t want to reveal about my local config and cannot predict for yours. Fill in the blanks.
by tangent
Mon Oct 07, 2024 2:45 pm
Forum: General
Topic: Looking for instrction to isolate guest wifi networks
Replies: 12
Views: 633

Re: Looking for instrction to isolate guest wifi networks

5g guest network rejects WAN request, so smartphone could not connect to internet. Mikrotik hap AC^2, 7.15.3 That’s a documented feature of my scheme: guests do not get full-service WiFi. I have no desire to prototype an alternative that lifts that restriction for you, but it would involve creating...
by tangent
Wed Oct 02, 2024 5:30 pm
Forum: General
Topic: error DHCP
Replies: 4
Views: 266

Re: error DHCP

I don't know where the problem is

Short of more guessing, neither do we until you post your /export output, as requested.
by tangent
Wed Oct 02, 2024 3:15 pm
Forum: SwOS
Topic: Install SwOS on RouterOS [SOLVED]
Replies: 10
Views: 37144

Re: Install SwOS on RouterOS [SOLVED]

no need any advanced options

You might be surprised at some of the things you lose by booting into SwOS. It’s rarely worth it, IMO.
by tangent
Wed Oct 02, 2024 3:04 pm
Forum: Beginner Basics
Topic: Getting no internet on Hap AC Lite
Replies: 3
Views: 249

Re: Getting no internet on Hap AC Lite

We diagnosed this over on the Discord server. The tl;dr is that on the hAP ac lite, the Reset button has an extra optional capability to trigger the WPS server for a time, and the only thing separating the cases is how long you hold it. Too long, and your intended WPS trigger becomes a reset to defc...
by tangent
Wed Oct 02, 2024 2:51 pm
Forum: General
Topic: error DHCP
Replies: 4
Views: 266

Re: error DHCP

Your question is vague to the point of allowing guessing only. My guess? You need to put the DHCP server on the bridge instead.

If that’s not it, post your sanitized /export output here and explain in more detail what isn’t working.
by tangent
Tue Oct 01, 2024 10:14 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 126
Views: 13020

Re: hap ax3 random wireless disconnects

Ax3 is a single stand-alone device, so there's nowhere to roam.

Sure there is: from 5 GHz to 2.4 and back when both radios have the same SSID. FT does apply in this case!
by tangent
Tue Oct 01, 2024 10:11 pm
Forum: Announcements
Topic: Newsletter #120 | September 2024
Replies: 56
Views: 17987

Re: Newsletter #120 | September 2024

CRS304 (plastic)

Check the other pics: the plastic shell overlays a bottom-half heat sink.

The true distinction here is on price: the CRS304 retails for the cost of a CRS305 plus one copper 10GigE module. Add anything more and the 304 wins.
by tangent
Tue Oct 01, 2024 2:45 am
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 126
Views: 13020

Re: hap ax3 random wireless disconnects

…support guy told me they replicated the problem with Intel AX in their lab I was speaking of Apple devices, which as far as I know, do not include the affected Intel AX chipsets. Regardless, I am not attempting to gainsay the MT engineers on this one; if they say the chipset has a bug that affects...
by tangent
Tue Oct 01, 2024 2:01 am
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 126
Views: 13020

Re: hap ax3 random wireless disconnects

Apple recommends DTIM interval of 4. Where? Their current recommendations do not speak of DTIM at all. For what it's worth, I've gone back and documented my hAP ax³ WiFi configuration in more detail than my post #2 above, which continues to work nicely with several Apple devices, and has done sinc...
by tangent
Sun Sep 29, 2024 10:41 am
Forum: Beginner Basics
Topic: Challenges, Deficiencies, and Constraints in Developing Computer Network Practical Modules Using Mikrotik
Replies: 3
Views: 800

Re: Challenges, Deficiencies, and Constraints in Developing Computer Network Practical Modules Using Mikrotik

While the initial post smacks of "write my curriculum for me," I will repeat this common observation: the best way to learn how something works is to try to teach it to someone else. Therefore, begin writing. Each time you run into a wall, experiment, then write down what you have found ou...
by tangent
Sat Sep 28, 2024 11:56 am
Forum: Wireless Networking
Topic: radius authentication wifi with wifi-qcom-ac 7.13rc3
Replies: 15
Views: 5389

Re: radius authentication wifi with wifi-qcom-ac 7.13rc3

Is there any newby friendly guide I can follow to configure it? That's a big ask for a brand-new feature. Your best bet right now is the official docs. I have no idea how this integrates with the optional (!) on-device RADIUS server called User Manager, available as user-manager-*.npk in the extr...
by tangent
Sat Sep 28, 2024 11:04 am
Forum: Wireless Networking
Topic: radius authentication wifi with wifi-qcom-ac 7.13rc3
Replies: 15
Views: 5389

Re: radius authentication wifi with wifi-qcom-ac 7.13rc3

I want to have per MAC VLAN tagging using external RADIUS server. And this feature seems to be unsupported. Or do I miss something?

That feature was just added in 7.17beta2 as part of the new PPSK feature, but only for ax devices. Details here.
by tangent
Fri Sep 27, 2024 5:34 pm
Forum: Announcements
Topic: Newsletter #120 | September 2024
Replies: 56
Views: 17987

Re: Newsletter #120 | September 2024

Why is the CRS304 not called the CRS305? It has 5 wired interfaces, just like the existing CRS305 does. Management-only ports are excluded from the count, as they aren’t meant for general-purpose I/O. Prior art: CRS312, with 4× combo ports, 8× 10GigE, and a 100M management port. In both cases, the ...
by tangent
Fri Sep 27, 2024 6:09 am
Forum: Beginner Basics
Topic: HDHomeRun broadcast is blocked
Replies: 11
Views: 830

Re: HDHomeRun broadcast is blocked

It's easy to test @Ammo0's prediction: try hdhomerun_config's discovery command from the Cisco side of the network, on the PC shown on the PDF diagram. If that works, then it's the firewall to blame, as he says. Firewalls almost always block broadcasts. Separately, there's a lot that can be cleaned ...
by tangent
Thu Sep 26, 2024 6:30 am
Forum: Containers
Topic: Containers wont start on RB3011 UiAS Topic is solved
Replies: 29
Views: 2289

Re: Containers wont start on RB3011 UiAS Topic is solved

It's driving me crazy cause it doesn't even log anything...

Setting "logging=yes" isn't enough. You also have to enable the "container" topic:

/system/logging/set topics=container action=memory
by tangent
Wed Sep 25, 2024 9:35 am
Forum: Containers
Topic: Small Ookla Speedtest container
Replies: 16
Views: 10093

Re: Small Ookla Speedtest container

but then /container/start 0 16:58:30 container,info,debug execve: No such file or directory I don't get that error, but I do get a different one, owing to the fact that above, I was echoing "--json" from @toffifee's post above without having tested it. That flag is for a third-party speed...
by tangent
Tue Sep 24, 2024 5:24 am
Forum: Containers
Topic: Small Ookla Speedtest container
Replies: 16
Views: 10093

Re: Small Ookla Speedtest container

add remote-image seems to require to set a registry-url first. what would be the correct one? Quoting the container's README.md file, "Start by installing the container package per MikroTik’s docs…" That link gives you this command: /container/config/set registry-url=https://registry-1....
by tangent
Sun Sep 22, 2024 6:43 am
Forum: Beginner Basics
Topic: Can not Ping New Router
Replies: 3
Views: 806

Re: Can not Ping New Router

You've given a static IP to the WAN interface but no route to it. Add something like this:

/ip/route/add gateway=sfp-sfpplus1

You should also remove sfp-sfpplus1 from the bridge, not merely disable it.
by tangent
Sat Sep 21, 2024 10:53 am
Forum: General
Topic: [RB5009UG+S+] Wireguard slow speeds
Replies: 3
Views: 851

Re: [RB5009UG+S+] Wireguard slow speeds

What happens when you drop the -R from your test?

Why is the -P argument so high? In my testing, setting it higher than the server’s core count makes it slower, if anything.
by tangent
Sat Sep 21, 2024 6:58 am
Forum: Containers
Topic: Encountering Issues Installing PHP Through Containers
Replies: 1
Views: 772

Re: Encountering Issues Installing PHP Through Containers

No such thing.

You would do well to read the whole article before proceeding with container.npk, freeing you of the weight of your preconceptions dragging behind you.
by tangent
Mon Sep 16, 2024 7:39 am
Forum: General
Topic: Cannot ping from console VETH interface in containers bridge
Replies: 4
Views: 696

Re: Cannot ping from console VETH interface in containers bridge

it is a bug of 7.15.3 or some radical change of approach It sounds like you're describing a change coming in 7.16: *) container - clear VETH address on container exit and mark interface as running only when VETH is in use; It's an intentional answer to a few complaints from people about containers ...
by tangent
Fri Sep 13, 2024 7:03 pm
Forum: Containers
Topic: Container level RAM limit
Replies: 2
Views: 757

Re: Container level RAM limit

container/config/set ram-high= OP addressed that in the first paragraph; it sets a single aggregate limit for all containers. OP wants a per-container limit. It is one of many reasons calling container.npk “docker” misleads more than helps. The only path forward is to file a formal request for the ...
by tangent
Fri Sep 06, 2024 2:54 pm
Forum: General
Topic: Internet slow with Mikrotik router
Replies: 5
Views: 612

Re: Internet slow with Mikrotik router

It configured using vlan2 and vlan4. Is this a requirement from your ISP? That is, do you need to "join" these two VLANs from your ISP in order to get Internet access? If so, then you should only be using the VLAN virtual interfaces, not the physical interfaces. what I might have done wr...
by tangent
Wed Sep 04, 2024 4:11 pm
Forum: Useful user articles
Topic: Isolated Guest WiFi Sans VLANs
Replies: 15
Views: 5530

Re: Isolated Guest WiFi Sans VLANs

I was wondering if you had any updates, refinements, suggestions, or comments on this solution?

It's still working here, as originally presented.

Were you hoping for some change, or just confirming the article's published history, that nothing has changed in half a year?
by tangent
Sat Aug 31, 2024 4:15 pm
Forum: Beginner Basics
Topic: Default conf
Replies: 1
Views: 456

Re: Default conf

What's the difficulty? Change the 1 to a 2 in "ether1" and vice versa, like so.
by tangent
Tue Aug 27, 2024 9:30 pm
Forum: Beginner Basics
Topic: Troubleshooting Wireguard connection
Replies: 5
Views: 886

Re: Troubleshooting Wireguard connection

However if the OP wants to use the internet of the ISP router, that's a different story. It's not an "if". OP stated it explicitly, else I wouldn't have pointed him to my double-NAT WG guide. One would suspect that anything leaving the MT is going out the LANIP of the MT on the ISP router ...
by tangent
Tue Aug 27, 2024 12:42 pm
Forum: Beginner Basics
Topic: Troubleshooting Wireguard connection
Replies: 5
Views: 886

Re: Troubleshooting Wireguard connection

You're probably neglecting to NAT the reply traffic on its way back out of the network.

Try this guide.
by tangent
Tue Aug 27, 2024 12:39 pm
Forum: Beginner Basics
Topic: Hotspot User Expiry Date Not Displaying
Replies: 1
Views: 1723

Re: Hotspot User Expiry Date Not Displaying

I have another MikroTik router with the same configuration running on ARM architecture with RouterOS v7.9.2, and it displays the expiry date correctly. The RB4011 is running the default firmware version (v7.10), and unfortunately, I cannot downgrade it to v7.9.2. Quoting the 7.10 changelog entry: &...
by tangent
Wed Aug 21, 2024 2:15 am
Forum: RouterBOARD hardware
Topic: Default password Frustration
Replies: 101
Views: 12432

Re: Default password Frustration

If your point is that we cannot know how many of those 250k attack bots were set up using default or easily-guessed passwords, then yes, we indeed do not know that. But this is a side issue. The point is, we have data showing that a whole lot of historical RouterOS boxes have no password (the old de...
by tangent
Wed Aug 21, 2024 1:28 am
Forum: RouterBOARD hardware
Topic: Default password Frustration
Replies: 101
Views: 12432

Re: Default password Frustration

But, if I recall correctly, the 250,000 of Meris were connected to a router os bug/vulnerability, not to 250,000 compromised passwords. That's the 2018 attack. While many remained unpatched by the time of the 2021 attack, the first linked article says, "…compromised devices that…use the defaul...
by tangent
Wed Aug 21, 2024 12:35 am
Forum: RouterBOARD hardware
Topic: Default password Frustration
Replies: 101
Views: 12432

Re: Default password Frustration

Well, if some fella is sloppy… That's the thing: it isn't "some fella." There were around 250k compromised MT boxes in the 2021 Meris attack alone, creating enough traffic to nearly double Cloudflare's normal load. This isn't a problem for "some fella," it's a problem for ever...
by tangent
Tue Aug 20, 2024 10:19 pm
Forum: RouterBOARD hardware
Topic: Default password Frustration
Replies: 101
Views: 12432

Re: Default password Frustration

among all other tasks we now have to also keep a record of all RBs deployed “Also”? You weren’t already assigning random passwords to each RB and storing them in a password manager? If you were, then this change merely means you have two passwords to store per device: the one you generate locally a...
by tangent
Tue Aug 20, 2024 5:23 am
Forum: General
Topic: hap ac2 issue after not successful upgrade
Replies: 4
Views: 535

Re: hap ac2 issue after not successful upgrade

I've been trying to upgrade my router from routeros v6.4 up to 7.15 (stable). Please tell me you mean a recent 6.4x.yy, not literally 6.4 from 2013? It seems that I did download wrong package (https://download.mikrotik.com/routeros/7.15.3/routeros-7.15.3-arm.npk) and as an instruction said uploa...
by tangent
Tue Aug 20, 2024 5:05 am
Forum: General
Topic: Home Assistant container does not starts
Replies: 29
Views: 3037

Re: Home Assistant container does not starts

PS C:\Users\allan> docker save -o ha_arm64.tar Even if "ha_arm64.tar" wasn't bound as the option to the -o flag, making it unavailable to be interpreted as the "IMAGE" argument, it isn't an "IMAGE" in the context of that command at all. The -o flag names an OCI imag...
by tangent
Thu Aug 15, 2024 5:58 am
Forum: The Dude
Topic: Any RTSP probe via TCP port 554 available?
Replies: 1
Views: 833

Re: Any RTSP probe via TCP port 554 available?

RTSP isn’t “a” stream. It is a control protocol for negotiating other streams, at least one, often two. (Separate audio + video.) Atop that, RTSP is TCP, but the other streams are typically UDP. Dig into the RTSP negotiation, and then typically the SIP negotiation beneath that. Only then will you h...
by tangent
Wed Aug 14, 2024 9:29 pm
Forum: Beginner Basics
Topic: Does this setup makes sense?
Replies: 6
Views: 886

Re: Does this setup makes sense?

Yes, and if you find yourself needing to do any serious firewalling, you can bounce the packets up from the CRS328 to the RB5009 for a decision. This duplicates the I/O, but that shouldn't be a significant concern since it's a full-duplex connection. The RB5009 is capable of making these decisions a...
by tangent
Tue Aug 13, 2024 10:00 pm
Forum: Beginner Basics
Topic: Does this setup makes sense?
Replies: 6
Views: 886

Re: Does this setup makes sense?

what happens when vlanX needs to hit VLANY, is this somehow routed between subnets at wirespeed then??

Use some combination of hardware inter-VLAN routing and hardware VLAN filtering. This takes up precious ACL rule space, but 128 rules is enough for a home lab, no problem.
by tangent
Tue Aug 13, 2024 8:22 pm
Forum: Beginner Basics
Topic: Does this setup makes sense?
Replies: 6
Views: 886

Re: Does this setup makes sense?

That should perform admirably.

I wish more people would think to offload switching to a dedicated switch like that.
by tangent
Sun Aug 11, 2024 5:19 pm
Forum: Beginner Basics
Topic: Weird filtering issue on 7.15.3
Replies: 2
Views: 646

Re: Weird filtering issue on 7.15.3

"All LANs" implies VLANs are in use. Does your "LANS" interface list contain the raw interface names (e.g. "ether1") or the VLAN virtual interfaces (e.g. "vlan99")? Also, are you aware of — and happy with — the fact that this rule catches only traffic destined...
by tangent
Sun Aug 11, 2024 1:06 pm
Forum: Containers
Topic: Container usb3?
Replies: 15
Views: 4733

Re: Container usb3?

1024M - 256M + 128M = 640MB

🤦‍♂️

1024M - 256M + 128M = 896M
1024M - (256M + 128M) = 640M
1024M - 256M - 128M = 640M
by tangent
Sun Aug 11, 2024 12:33 pm
Forum: RouterBOARD hardware
Topic: hAP ax lite
Replies: 95
Views: 22183

Re: hAP ax lite

They should call it a Type-C port if they aren't going to support any of the USB protocols. I know of a pair of competing vendors in a section of the computing hardware world far outside of networking that use Type-C connectors for data transfer, but with a proprietary non-USB protocol. Both of them...
by tangent
Sat Aug 10, 2024 7:53 pm
Forum: Containers
Topic: Mounted folder gets cleared when removing Container
Replies: 15
Views: 6973

Re: Mounted folder gets cleared when removing Container

All I'm saying is that if you make it as simple as "copy from Jira, paste to CHR, then look here" the support people will have no cause to bounce the report back to you with a bogus won't-fix explanation or a second-guessing of your intent. They'll have no choice but to send it on to the d...
by tangent
Sat Aug 10, 2024 7:24 pm
Forum: Containers
Topic: Mounted folder gets cleared when removing Container
Replies: 15
Views: 6973

Re: Mounted folder gets cleared when removing Container

I would distill that even further before filing a bug with MikroTik. Your "/export" has both far more info than needed (e.g. ether1 config, dude, time zone…) and also not enough to replicate the symptom. The "/container add" line in particular doesn't show the remote image name. ...
by tangent
Sat Aug 10, 2024 5:50 pm
Forum: Containers
Topic: Mounted folder gets cleared when removing Container
Replies: 15
Views: 6973

Re: Mounted folder gets cleared when removing Container

I guess it will be the same for any container using mount pattern like that...

And if not, then you will have learned something interesting, possibly even important.
by tangent
Sat Aug 10, 2024 5:40 pm
Forum: Containers
Topic: non-root container and volume
Replies: 12
Views: 4618

Re: non-root container and volume

non-root user process write to mounted dir This is one of the many reasons I continue to castigate container.npk for being thinly-documented. The mechanism it uses for UID mapping is important to understand in cases like this, but the word "user" scarcely appears in the single-page docume...
by tangent
Sat Aug 10, 2024 5:33 pm
Forum: Containers
Topic: Mounted folder gets cleared when removing Container
Replies: 15
Views: 6973

Re: Mounted folder gets cleared when removing Container

it seems it is ROS bug. Boil it down to a simple example like I have above with Podman and Alpine, and you will have solid grounds for filing a bug report. The easier you make it to reproduce the symptom, the faster it will be fixed. Dragging Unbound into it complicates matters to no useful end. C...
by tangent
Sat Aug 10, 2024 5:26 pm
Forum: Containers
Topic: non-root container and volume
Replies: 12
Views: 4618

Re: non-root container and volume

I'm deploying a non-root container No such thing in RouterOS. (I suggest reading the whole article. This is only one area where thinking of container.npk as "Docker" will lead you into grief.) I need to write file as the container user (non-root) but the volume is always mounted as root....
by tangent
Sat Aug 10, 2024 4:28 pm
Forum: Containers
Topic: Mounted folder gets cleared when removing Container
Replies: 15
Views: 6973

Re: Mounted folder gets cleared when removing Container

/container/mounts> print ... 5 name="unbound_etc_unbound" src="/usb1/containers/mounts/unbound/etc/unbound" dst="/etc/unbound" 7 name="unbound_etc_unbound_zonefiles" src="/tmpfs1/containers/mounts/unbound/etc/unbound/zonefiles" This looks like a bug...
by tangent
Thu Aug 08, 2024 8:47 pm
Forum: RouterBOARD hardware
Topic: hAP ax lite
Replies: 95
Views: 22183

Re: hAP ax lite

adding two tiny resistors to the Ax lite is enough I will happily pay $0.02 more per ax Lite to get the freedom of carrying only one USB-C power supply with me on trips. While they're in there redesigning, I want a version that will plug into the laptop's second USB-C port and not only vampire powe...
by tangent
Mon Aug 05, 2024 9:09 pm
Forum: Beginner Basics
Topic: Wi-FI Connection issues
Replies: 11
Views: 1368

Re: Wi-FI Connection issues

What is strange is that the Mikrotik DHCP server assign leases (usually) starting from the highest address in the range ISC dhcpd did that. At the time I was last using it, it was the most popular FOSS DHCP server in the world. I don't remember what order dnsmasq assigns leases in, the most common ...
by tangent
Mon Aug 05, 2024 6:03 pm
Forum: Beginner Basics
Topic: Wi-FI Connection issues
Replies: 11
Views: 1368

Re: Wi-FI Connection issues

I decided to change the diapason… We borrowed that word into English, but it's used in reference to tuning forks and such, getting an orchestra into tune. What application does it have here, in this context? …everything started working! Why? You don't give enough details for more than speculation. ...
by tangent
Mon Aug 05, 2024 3:45 pm
Forum: Containers
Topic: how to install debian os on mikrotik container?
Replies: 3
Views: 4303

Re: how to install debian os on mikrotik container?

anyone here can help me with this. As the others have said, containers are not VMs. Atop that, you are also likely to run repeatedly into the several inherent limitations of container.npk, some of which may prevent it from working, others of which will merely make this scheme unsatisfactory.
by tangent
Sun Aug 04, 2024 2:24 pm
Forum: RouterBOARD hardware
Topic: How to intentionally make cable that will negotiate at 10 mbps?
Replies: 16
Views: 2067

Re: How to intentionally make cable that will negotiate at 10 mbps?

inserting a 10Mbps switch Sneaky plan: buy a box of bulk cable, pull a few meters out from each end, terminate them, and pass the assembly off to your students as “a really long cable, portably packaged.” But inside, there are two cables joined by a PoE-powered CSS106 tucked into one corner. (Fallb...
by tangent
Fri Aug 02, 2024 12:44 pm
Forum: RouterBOARD hardware
Topic: How to intentionally make cable that will negotiate at 10 mbps?
Replies: 16
Views: 2067

Re: How to intentionally make cable that will negotiate at 10 mbps?

I don't think that such a miniaturized low pass filter is something that can be done at home I would not reach for active filters or IC passives here unless you had to have something that worked every time, across all manufacturers and devices. The thing is, @jaclaz's ferrite bead idea is a DIYable...
by tangent
Fri Aug 02, 2024 11:23 am
Forum: Virtualization
Topic: Router Os 7.15.3 on Qnap Nas
Replies: 14
Views: 1724

Re: Router Os 7.15.3 on Qnap Nas

https://tangentsoft.com/mikrotik/wiki?name=Containers+Are+Not+VMs&p (section: CHR Complications) I thank you for thinking of my article, @holvoetn, but I think it's misapplied in the context of this thread. First, a nit: you'll want to remove the "&p" bit from the end of the bookm...
by tangent
Fri Aug 02, 2024 11:01 am
Forum: RouterBOARD hardware
Topic: How to intentionally make cable that will negotiate at 10 mbps?
Replies: 16
Views: 2067

Re: How to intentionally make cable that will negotiate at 10 mbps?

miswiring the cable (not the correct color sequence, but of course the same on both ends) will do it. I held off suggesting this because I have successfully run gigabit over "rainbow-wired" cables. (e.g. Orange, white-orange, green, green-white, blue, blue-white, brown, brown-white.) Purp...
by tangent
Fri Aug 02, 2024 9:01 am
Forum: Scripting
Topic: If the uptime was more than 1 minute
Replies: 14
Views: 1532

Re: If the uptime was more than 1 minute

You’re not reading @holvoetn’s post carefully. His scheme will cause the script to run one minute after boot, as you asked. If the system goes down before then, it will be “cancelled,” hard.

It’s both elegant and correct.
by tangent
Fri Aug 02, 2024 8:46 am
Forum: RouterBOARD hardware
Topic: How to intentionally make cable that will negotiate at 10 mbps?
Replies: 16
Views: 2067

Re: How to intentionally make cable that will negotiate at 10 mbps?

a little box on the cable Chokes and caps are bulky, but we aren’t building power supplies here. Properly engineered for the tiny currents involved, they might be surprisingly small. We live in a world where Thunderbolt cables look identical to USB-C cables despite one having a complicated IC embed...
by tangent
Thu Jul 25, 2024 9:23 am
Forum: General
Topic: no PTP for CRS320-8P-8B-4S+RM
Replies: 5
Views: 642

Re: no PTP for CRS320-8P-8B-4S+RM

I wonder what's your use case for CRS320 which asks for (explicit) PTP support? It's used in any area where distributed precision time matters. In addition to A/V cases exemplified by the OP's Dante use case, there are things like LXI that depend on it for accurate timing of measurements. The deskt...
by tangent
Thu Jul 25, 2024 9:18 am
Forum: General
Topic: PIM / one Client ends Multicast for other Clients?!
Replies: 2
Views: 343

Re: PIM / one Client ends Multicast for other Clients?!

Are the MDB tables populated properly on both sides of the PIM link? If not, there's no way for it to realize N-1 > 0 when N=2.
by tangent
Thu Jul 25, 2024 9:10 am
Forum: Announcements
Topic: WinBox v3.41 released!
Replies: 41
Views: 19256

Re: WinBox v3.41 released!

Why not use webfig Because you can't rearrange the windows into a dashboard, it can't MAC-WinBox into a RouterOS device that has no IP yet (or a broken IP), it doesn't do neighbor discovery, refreshing the browser logs you out… While I'm here, allow me to mention the option of Crossover, which for...
by tangent
Tue Jul 23, 2024 11:44 pm
Forum: Beginner Basics
Topic: NTP server configuration [SOLVED]
Replies: 9
Views: 3693

Re: NTP server configuration [SOLVED]

NTP hates step-changes. It is specifically engineered to slew slowly forward in time, only, always. If you start off far enough out of sync, it can indeed take days to get in sync.
by tangent
Mon Jul 22, 2024 11:38 pm
Forum: General
Topic: Please add basic portScan tool ( port scanner scan )
Replies: 92
Views: 55321

Re: Please add basic portScan tool ( port scanner scan )

just chuck in a linux container …or use one that's already there, as there's a high chance it either can already do this or can be extended on an ad hoc basis to do this. This feature idea has legs anywhere container.npk isn't installed, won't ever be installed, or cannot be installed. if your rea...
by tangent
Mon Jul 22, 2024 8:46 pm
Forum: General
Topic: Please add basic portScan tool ( port scanner scan )
Replies: 92
Views: 55321

Re: Please add basic portScan tool ( port scanner scan )

I expect you have the recent bandwidth test abuse in mind when you write that, @rextended, but if our goal is to make all RouterOS boxes useless to an intruder, we'd also have to remove nearly everything under /tools, including your favorite in scripting, /fetch. And also scripting, period. No; the...
by tangent
Mon Jul 22, 2024 8:07 pm
Forum: RouterBOARD hardware
Topic: Default password Frustration
Replies: 101
Views: 12432

Re: Default password Frustration

And people still arguing for empty admin password should really go to hell. That's like lobbying for cars without seatbelts...

Difference being, these MikroTik "cars" drive over global-scale highways and can "crash" into thousands of other "cars" per minute.
by tangent
Mon Jul 22, 2024 8:02 pm
Forum: Beginner Basics
Topic: NTP server configuration [SOLVED]
Replies: 9
Views: 3693

Re: NTP server configuration [SOLVED]

ntpdate -q Hmm, that does give better error messages: You've apparently got the minimalist "ntpsec" version of these tools installed. I had in mind the more mainstream ntp.org ones, which give more readable output. For reference, here is its output when run against my properly-functioni...
by tangent
Sun Jul 21, 2024 5:12 pm
Forum: Beginner Basics
Topic: I'm just ready to tear my hair out...
Replies: 21
Views: 1519

Re: I'm just ready to tear my hair out...

Cards on the table; show your config.
by tangent
Sun Jul 21, 2024 9:46 am
Forum: Wireless Networking
Topic: The most arduous access point ever: hAP ax³
Replies: 48
Views: 3305

Re: The most arduous access point ever: hAP ax³

So you'll be able to test if the config works on the US version then :wink: I've taken enough risks with my home IT core for one Saturday. Maybe tomorrow, but probably not, and definitely not during the week; I work from home. I also have a pet theory that some of these weird ax3s are coming from A...
by tangent
Sun Jul 21, 2024 8:57 am
Forum: Wireless Networking
Topic: The most arduous access point ever: hAP ax³
Replies: 48
Views: 3305

Re: The most arduous access point ever: hAP ax³

'monitor' command from cli. Thank you. My 5 GHz radio is on 5500/ax/Ceee at the moment, which according to the Freq. Scan tool in WinBox has 0% usage on all four of the 20 MHz sub-channels. I take that as validation that it did a good job choosing automatically even with a fair bit of competition a...
by tangent
Sun Jul 21, 2024 8:38 am
Forum: Wireless Networking
Topic: The most arduous access point ever: hAP ax³
Replies: 48
Views: 3305

Re: The most arduous access point ever: hAP ax³

I have the international version of the hAP ax3. Mine's the "-US" variant even though it came to me through Getic. It auto-chose frequency 5745 How do you make it admit that truth, please? All I can get is a long list of available channels, plus the "Scan" function, which doesn'...
by tangent
Sun Jul 21, 2024 8:19 am
Forum: Wireless Networking
Topic: The most arduous access point ever: hAP ax³
Replies: 48
Views: 3305

Re: The most arduous access point ever: hAP ax³

I had to dangle an RB1100 from an Ethernet cable Fun coincidence: my ax³ was dangling from its Ethernet cables at one point in the above testing, too, and it was due to a design error I'll happily lay at MT's feet: putting only one PoE port on it, and making it the same one for in and out. I power ...
by tangent
Sun Jul 21, 2024 6:33 am
Forum: Wireless Networking
Topic: The most arduous access point ever: hAP ax³
Replies: 48
Views: 3305

Re: The most arduous access point ever: hAP ax³

naming SSIDs …might hide the problem, by the means of clients learning to roam away from the slow 5GHz radio If that were happening here, I wouldn't be getting 656 Mbit/sec with iperf3. That's plain impossible on 2.4 GHz, particularly since I took the OP's implicit hint and switched off 40 MHz chan...
by tangent
Sun Jul 21, 2024 5:32 am
Forum: Wireless Networking
Topic: The most arduous access point ever: hAP ax³
Replies: 48
Views: 3305

Re: The most arduous access point ever: hAP ax³

Having 2.4 GHz and 5 GHz networks separate is a matter of preference. You're telling me that bridging the two wifi networks has no effect on the original problem statement, where one side works and the other doesn't? You don't think it's even worth trying to see if it suddenly starts working when y...
by tangent
Sun Jul 21, 2024 2:45 am
Forum: Wireless Networking
Topic: The most arduous access point ever: hAP ax³
Replies: 48
Views: 3305

Re: The most arduous access point ever: hAP ax³

Here you go Tangent: That isn't at all what I asked you for. It isn't… …the default configuration, but instead this heavily-changed AP bridge thing you're trying to set up. While it is highly useful to see what you're trying to do, I want you to realize that the reason I asked for the defconf was s...
by tangent
Sat Jul 20, 2024 9:00 am
Forum: Wireless Networking
Topic: The most arduous access point ever: hAP ax³
Replies: 48
Views: 3305

Re: The most arduous access point ever: hAP ax³

…my near 20 years of using Mikrotik products… …may be leading you astray, because these new ax routers' behavior differs in quite a number of ways from the old ones. If all you did was copy your RB4011 config over, it's no wonder you're having trouble. (Details: 1, 2) I literally want to take thi...
by tangent
Fri Jul 19, 2024 8:54 am
Forum: Beginner Basics
Topic: NTP server configuration [SOLVED]
Replies: 9
Views: 3693

Re: NTP server configuration [SOLVED]

It was more the NAT I was reacting to, but sure, we’re singing from the same hymn book, mkx.

But if I wanted input firewalling on a CRS305, I’d reach for bridge filters first, switch rules second, and the software IP firewall last.
by tangent
Fri Jul 19, 2024 7:35 am
Forum: Beginner Basics
Topic: I'm just ready to tear my hair out...
Replies: 21
Views: 1519

Re: I'm just ready to tear my hair out...

It isn't meant to be intuitive. It's meant to be powerful. Great power comes with great responsibility, including a willingness to learn the tool's capabilities lest you end up causing more damage than handicraft. As for the "Windows" thing, WinBox runs just fine under Wine. To be frank, t...
by tangent
Fri Jul 19, 2024 7:29 am
Forum: Beginner Basics
Topic: NTP server configuration [SOLVED]
Replies: 9
Views: 3693

Re: NTP server configuration [SOLVED]

123/tcp closed ntp NTP is a UDP protocol; nmap's default TCP port scan is correct to show it closed. While there is a UDP port-scanning option, I'd prefer a tool like ntpdate -q for testing availability. Your own choice of ntpq should also work, though lacking experience with it, I cannot reassure...
by tangent
Fri Jul 19, 2024 6:09 am
Forum: Beginner Basics
Topic: I'm just ready to tear my hair out...
Replies: 21
Views: 1519

Re: I'm just ready to tear my hair out...

I do NOT want the Microtik routers giving out 192.168.88.xxx address to devices So get its competing DHCP server out of the way, then. The fastest way is to give this CLI command: /ip/dhcp-server/disable 0 There's a GUI alternative, and if you want to be really thorough you will remove it entirely,...
by tangent
Wed Jul 17, 2024 5:17 pm
Forum: General
Topic: Wireguard and iOS [SOLVED]
Replies: 29
Views: 3586

Re: Wireguard and iOS [SOLVED]

get rid of the 128 too..... not sure why thats there It's a somewhat dirty trick to ensure that the WG tunnel becomes the default route of choice even when other default routes exist. 0.0.0.0/1 is the lower half of the IPv4 space, and 128.0.0.0/1 is the upper half. Together, they cover the same ran...
by tangent
Wed Jul 17, 2024 2:07 pm
Forum: General
Topic: Wireguard and iOS [SOLVED]
Replies: 29
Views: 3586

Re: Wireguard and iOS [SOLVED]

AllowedIPs = 0.0.0.0/1, 128.0.0.0/1 Have you tried 0.0.0.0/0? Yes, I'm aware of the longest-prefix /1 trick, but the question stands. Alternately, try checking the WG client's "Exclude private IPs" box, which will change this value to a long list that avoids tunneling access to RFC1918 ad...
by tangent
Wed Jul 17, 2024 8:08 am
Forum: Beginner Basics
Topic: Two MicroTik routers...
Replies: 4
Views: 846

Re: Two MicroTik routers...

Unlike other OSes — there's one from Redmond Washington I'm thinking of in particular — RouterOS doesn't make it any more difficult to add 50 addresses to an interface than to add one. Moreover, it doesn't care about the mix of dynamic and static addresses. Therefore, you can keep the defconf static...
by tangent
Fri Jul 12, 2024 7:57 am
Forum: General
Topic: Error when comment has a space when executing from ssh
Replies: 8
Views: 642

Re: Error when comment has a space when executing from ssh

This is an English speaking forum. So please write in English If you want help. Where is that rule written? I can't find it in either the registration agreement or the stock phpBB FAQ. While I do think it's moderately foolish to post in other languages since it limits the number of people who are l...
by tangent
Fri Jul 12, 2024 7:49 am
Forum: General
Topic: Error when comment has a space when executing from ssh
Replies: 8
Views: 642

Re: Error when comment has a space when executing from ssh

/usr/bin/ssh -i ~/.ssh/pass admin@100.255.255.205 ":put [/user-manager/user add name=pepe group=premium comment="jose perez mikrotik 2024"]" This isn't a RouterOS problem; it's a misunderstanding of how your OS's shell works. Simply put, if you try nesting quotes like that, your...
by tangent
Fri Jul 12, 2024 6:23 am
Forum: General
Topic: What changed with SSH on 6.49?
Replies: 6
Views: 611

Re: What changed with SSH on 6.49?

I would prefer to do it as this instead: Much easier if you combine those two steps into one: ssh username@router-address /export terse show-sensitive > backup.rsc Bonus 1: You don't add any wear to the device's flash. Bonus 2: It's immune to the terminal I/O strangeness that the OP's send/expect m...
by tangent
Fri Jul 12, 2024 12:41 am
Forum: Beginner Basics
Topic: MAAS PXE Boot with external Mikrotik DHCP Server.
Replies: 3
Views: 1084

Re: MAAS PXE Boot with external Mikrotik DHCP Server.

next-server=192.168.88.11

I've never set up PXE, but isn't next-server the TFTP server's address? Why is it inside your DHCP reservation range?
by tangent
Mon Jul 08, 2024 12:55 pm
Forum: General
Topic: Internet suddenly stopped working for inner network - [SOLVED]
Replies: 11
Views: 2743

Re: Internet suddenly stopped working for inner network - [SOLVED]

I hope that any DoS attacks will be prevented more by out of the box features of the router That's not any more likely than stopping yourself from asphyxiating when someone stuffs a firehose down your throat by begging time from your attacker to install a dental dam first. It'll do about as much go...
by tangent
Sun Jul 07, 2024 11:53 pm
Forum: General
Topic: Adding veth slows internet
Replies: 30
Views: 2954

Re: Adding veth slows internet

No WiFi. It's connected via the 2.5Gb ethernet port.

Then I'm stuck.

If the problem is as simple as you claim, why do I get 7 Gbit/sec to my iperf3 container when bridged to an RB4011?
by tangent
Sun Jul 07, 2024 9:46 pm
Forum: Beginner Basics
Topic: why does this rule interfere with my doing "apt update"?
Replies: 11
Views: 935

Re: why does this rule interfere with my doing "apt update"?

Thanks for that! Not so fast…I think it's me hallucinating now. Going back to your original post, there's this: /ip dhcp-server add address-pool=default-dhcp interface=bridge name=defconf I saw that in red here when diffing it against the fully-stock default configuration file I have here, meaning ...
by tangent
Sun Jul 07, 2024 9:29 pm
Forum: Forwarding Protocols
Topic: PIM-SM problem
Replies: 8
Views: 1987

Re: PIM-SM problem

Why are you trying to save IP addresses? RFC1918 sets aside tens of millions of them for your use in applications like this. Furthermore, PIM is designed to work in the presence of regular routing, not NAT. Therefore, make these senders 10.0.0.1 thru 10.0.0.3, and then configure PIM to forward their...
by tangent
Sun Jul 07, 2024 9:25 pm
Forum: Containers
Topic: Nextcloud / owncloud Container. is it a bad idea?
Replies: 1
Views: 4358

Re: Nextcloud / owncloud Container. is it a bad idea?

Bad idea? Yes. Can it work anyway? Maybe. Try it and let us know, okay? 🤓
by tangent
Sun Jul 07, 2024 9:09 pm
Forum: Beginner Basics
Topic: why does this rule interfere with my doing "apt update"?
Replies: 11
Views: 935

Re: why does this rule interfere with my doing "apt update"?

While we're nit-picking, this:

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1

…is useless now that you've removed the default DHCP server.
by tangent
Sun Jul 07, 2024 4:16 pm
Forum: General
Topic: Help me setup WiFi 6
Replies: 1
Views: 264

Re: Help me setup WiFi 6

My router model is LTE 18. No, it isn't. That's one non-unique fragment of the product name, and it refers to LTE user equipment category 18. There are at least three different MikroTik products with "LTE18" in their name. Fortunately, only one appears to also have WiFi in it. Are you sp...
by tangent
Sun Jul 07, 2024 2:35 pm
Forum: General
Topic: Adding veth slows internet
Replies: 30
Views: 2954

Re: Adding veth slows internet

otherwise I would see the same problem when I run the client on a different PC That's a detail you should have led with, not needed to have dragged out after days worth of back-and-forth. This thread's initial post implies that it affects all hosts on the network, and then you come along and claim ...
by tangent
Sun Jul 07, 2024 5:47 am
Forum: General
Topic: Adding veth slows internet
Replies: 30
Views: 2954

Re: Adding veth slows internet

I doubt there are many people in a position to "download from newsgroups" for you as a test, and even if there was one willing and able, that's not what I'd call a repeatable test. Which file, which group, which platform…? Here's what a repeatable test looks like: go to this page and downl...
by tangent
Sat Jul 06, 2024 7:57 pm
Forum: General
Topic: Adding veth slows internet
Replies: 30
Views: 2954

Re: Adding veth slows internet

If I add the veth to my single bridge, it completely tanks my download speeds, although speed tests are at full speed for some reason. That doesn't happen here, but then, you haven't told us how you're determining this slowdown in a repeatable manner. You can tell us it's repeatable where you are, ...
by tangent
Sat Jul 06, 2024 5:15 pm
Forum: General
Topic: Adding veth slows internet
Replies: 30
Views: 2954

Re: Adding veth slows internet

Is there an alternative way to use containers without resorting to a second bridge?

Yes.
by tangent
Fri Jul 05, 2024 3:12 pm
Forum: General
Topic: OCHcloud: When Core Routers Turn Evil
Replies: 12
Views: 1138

Re: OCHcloud: When Core Routers Turn Evil

an easily accessible repository with the "standard" (or "factory") configuration .rsc files, one for each model Here's a start. Consider this an open solicitation for more files. I'm willing to take: Descriptive diffs, e.g. "the RB5009 is like the RB4011 but with these few...
by tangent
Fri Jul 05, 2024 9:51 am
Forum: General
Topic: OCHcloud: When Core Routers Turn Evil
Replies: 12
Views: 1138

Re: OCHcloud: When Core Routers Turn Evil

Would have been nice with a better hardened default config out of the box. Such as…? If that includes a wish that the recent policy of random default passwords started much earlier, then I agree. But, go read all the threads here moaning about how terrible a burden it was when it finally did land. ...
by tangent
Fri Jul 05, 2024 12:49 am
Forum: General
Topic: import Address-list
Replies: 2
Views: 686

Re: import Address-list

I'd write a short sed/awk/perl/whatever command/script to recast your input data into the proper format:

/ip firewall address-list add address=192.168.88.1 list=MyListName

So, what does the input format look like?
by tangent
Fri Jul 05, 2024 12:37 am
Forum: General
Topic: Simulate a dummy interface with a bridge interface?
Replies: 1
Views: 253

Re: Simulate a dummy interface with a bridge interface?

In 7.14, they exposed the actual underlying network stack's "lo" interface.

Whether that's what you need or not, I can only speculate, since you haven't said why you want to have a dummy interface.
by tangent
Thu Jul 04, 2024 7:49 pm
Forum: General
Topic: Firewall routing help
Replies: 9
Views: 627

Re: Firewall routing help

A) Purchase MikroTik products only if you are an expert in TCP/IP …or mean to become one through experience, which is why I so often lead with links to relevant docs. If the poster shows evidence that they either won't read or won't attempt to understand and apply what they did read, then that fall...
by tangent
Thu Jul 04, 2024 6:46 pm
Forum: General
Topic: Firewall routing help
Replies: 9
Views: 627

Re: Firewall routing help

handled by Mikrotik They've explicitly ruled out this category in point 6, here: "Technical support does not include training on TCP/IP." I'll readily grant that this is a poor-quality question, but as the mod who approved it, I'll tell you why: rejecting it would not have helped the OP....
by tangent
Wed Jul 03, 2024 3:44 pm
Forum: General
Topic: Please add basic portScan tool ( port scanner scan )
Replies: 92
Views: 55321

Re: Please add basic portScan tool ( port scanner scan )

that works but i would say half. The "-t 10" bit in my command example overrides the default port scan timeout of 5 seconds (5000 ms) to just 10 ms, suitable for scanning fast hosts on a quiet LAN. Your next-hop may be more than 10 ms away, meaning it times out too fast to get any results.
by tangent
Wed Jul 03, 2024 7:31 am
Forum: General
Topic: Please add basic portScan tool ( port scanner scan )
Replies: 92
Views: 55321

Re: Please add basic portScan tool ( port scanner scan )

It would be incredibly useful to be able to scan for live devices and available ports (similar to a very basic NMAP) You mean like the pscan tool built into Busybox, thus into every Alpine Linux based container? 🤓 > /interface/veth > add address=192.168.88.3/24 gateway=192.168.88.1 > /interface/bri...
by tangent
Wed Jul 03, 2024 7:20 am
Forum: General
Topic: Socks5 client setup in Mikrotik
Replies: 1
Views: 569

Re: Socks5 client setup in Mikrotik

This feels like an XY problem. Tell us your end goal, in detail, not about your difficulties achieving the goal given the current contents of your mental toolbox. One or another of the various VPN features in RouterOS will probably do what you want. Realize also that "VPN" is a broader cl...
by tangent
Wed Jul 03, 2024 6:44 am
Forum: Forwarding Protocols
Topic: send udp packet with destination 255.255.255.255 to other subnet In router
Replies: 5
Views: 1204

Re: send udp packet with destination 255.255.255.255 to other subnet In router

I was using it for Wake on Lan. I have two different WoL clients here, and both support setting a directed broadcast address. At that point, your routing rules should transport the WoL packet across the boundary without any extra help. If it's being blocked, that's likely a firewall configuration l...
by tangent
Wed Jul 03, 2024 5:12 am
Forum: General
Topic: Is RouterOS Affected by CVE-2024-6387?
Replies: 9
Views: 2345

Re: Is RouterOS Affected by CVE-2024-6387?

Who uses SSH??? Approximately the entirety of The Cloud. How else do you suppose all those zillions of remote Linux boxes are managed? I mean SSH1 as that is what Open SSH was based on?? Completely incorrect, but off-topic, so I won't chase it further here. Instead, read this, then realize that R...
by tangent
Mon Jul 01, 2024 4:27 am
Forum: Beginner Basics
Topic: Need Help on the IP Firewall Filter
Replies: 4
Views: 708

Re: Need Help on the IP Firewall Filter

I moved and re-titled your post because the term scripting has an unrelated meaning to what you posted above. But as for that post, I'm not sure what type of "sorting" you're wanting. At a quick glance, it looks like nearly all of it can be sorted directly into the round file. There is ze...
by tangent
Sun Jun 30, 2024 1:51 pm
Forum: General
Topic: Load Balancing
Replies: 4
Views: 381

Re: Load Balancing

by tangent
Sat Jun 29, 2024 10:15 am
Forum: Useful user articles
Topic: IPv6 with Xfinity
Replies: 5
Views: 4694

Re: IPv6 with Xfinity

Kept telling me that there is no pool name ipv6. That pool is dynamically created by the first step in the article, "/ipv6 dhcp-client add …" Note that the command can be given on one line without the line breaks and the backslash, or it can be given on two lines, with "/ipv6 dhcp-cl...
by tangent
Sat Jun 29, 2024 9:59 am
Forum: Scripting
Topic: Update Cloudflare DNS with script
Replies: 4
Views: 1902

Re: Update Cloudflare DNS with script

Do you have an interface called “wan1”? If not, the script will of course fail. Either change the name to that of your actual WAN interface or rename it to wan1 to placate the script.
by tangent
Thu Jun 27, 2024 7:25 pm
Forum: Beginner Basics
Topic: Which dstnat rules?
Replies: 3
Views: 587

Re: Which dstnat rules?

The first is best, being straightforward, yet flexible. If the second succeeds, it is only by the accident that there is no service at port 1234 on the router itself. It would not work for port-forwarding external HTTP conns to your public IP while still allowing WebFig access from the LAN, for exam...
by tangent
Mon Jun 24, 2024 5:49 am
Forum: General
Topic: Regex Format in Conditional DNS forwarding
Replies: 24
Views: 1714

Re: Conditional DNS forwarding

/ip dns static add regexp="^(?![\\w]*[-][\\d]{2})(.*[\\.]?ad\\.localdomain)$"… failure: name or regexp required That isn't a "POSIX basic regular expression" (BRE) that this setting is documented as taking. It's vaguely PCRE style, though with odd variations like with the doubl...
by tangent
Sun Jun 23, 2024 2:42 am
Forum: Beginner Basics
Topic: Port forwarding [SOLVED]
Replies: 7
Views: 2543

Re: Local Server Firewall [SOLVED]

<moderator-hat> @denzkie1191, please don't post essentially the same thing in multiple forums. I merged my reply to the other thread into this one, below, then deleted the other one. I chose this one only because it has other replies. </moderator-hat> I just want to ask what firewall rules sho...
by tangent
Fri Jun 21, 2024 10:38 pm
Forum: RouterBOARD hardware
Topic: CRS520-4XS-16XQ-RM (NEW)
Replies: 20
Views: 3613

Re: CRS520-4XS-16XQ-RM (NEW)

Never mind…confused on the product naming…
by tangent
Fri Jun 21, 2024 10:29 pm
Forum: RouterBOARD hardware
Topic: [RB5009] "We will have several products in this series"
Replies: 13
Views: 3020

Re: [RB5009] "We will have several products in this series"

I can shop around for and purchase PCIe 4.0 x16 network cards that technically should be able to enable local area network (lan) connections up to 100 to 250 gigabits per second Have you tested whether putting a pair of those into your local computers lets you push 100-250 Gbit/sec between them con...
by tangent
Fri Jun 21, 2024 10:17 pm
Forum: Scripting
Topic: Temperature monitoring script stoped working after v7 upgrade
Replies: 10
Views: 1306

Re: Temperature monitoring script stoped working after v7 upgrade

<moderator hat on> Please don't cross-post, @mmdelhajj. I just deleted a duplicate of your post above in the linked thread. If you want this post merged into the other thread, you can ask and have the matter considered, but don't open the same topic in multiple locations. Also, in case you're wonder...
by tangent
Fri Jun 21, 2024 6:27 pm
Forum: Beginner Basics
Topic: NTP server not sync and showing status waiting
Replies: 3
Views: 993

Re: NTP server not sync and showing status waiting

Your NTP configuration relies on DNS working properly due to the use of address pools. What happens when you say… /tool/ping 0.asia.pool.ntp.org By the way, the whole point of NTP pools is that you don't have to list many addresses. I would pare your local NTP configuration back to a single pool add...
by tangent
Fri Jun 21, 2024 4:28 pm
Forum: Beginner Basics
Topic: NTP server not sync and showing status waiting
Replies: 3
Views: 993

Re: NTP server not sync and showing status waiting

Without the rest of the /export output, we're going to have to speculate somewhat. Your issue might have to do with "/ip/firewall/filter" rules, for instance.

Short of that, have you tried the several solutions given in this long thread?
by tangent
Fri Jun 21, 2024 3:09 pm
Forum: Virtualization
Topic: Increase CHR Free license limit to 10 Mbit/s
Replies: 33
Views: 3812

Re: Increase CHR Free license limit to 10 Mbit/s

it probably adds some overhead for Mikrotik You want to talk about overhead, let's talk about what it costs to keep "… more than 280 employees" coming back to the office day after day. You want production-grade software for free because…? Give me a better reason than "because I want...
by tangent
Tue Jun 18, 2024 7:06 pm
Forum: Containers
Topic: Start a container with the net_raw capability
Replies: 3
Views: 4595

Re: Start a container with the net_raw capability

Build a child container using the following Dockerfile, then install that:

FROM zabbix/zabbix-proxy-sqlite3:ol-7.0-latest
RUN setcap cap_net_raw=ep /usr/sbin/fping
by tangent
Mon Jun 10, 2024 5:53 am
Forum: RouterBOARD hardware
Topic: Power adapter for Audience
Replies: 1
Views: 1019

Re: Power adapter for Audience

The first one initially appears under-powered, but given the Audience's 27W max power draw spec, you come up with 1.125A at 24V, so 1.2A may work. The main worry here is that you're running the PSU right at its limits and thus may shorten its life. I don't have a good sense of how you would make th...
by tangent
Mon Jun 10, 2024 5:43 am
Forum: Beginner Basics
Topic: configuration wireless network not showing up after upgrade to 7.15 [SOLVED]
Replies: 2
Views: 4240

Re: configuration wireless network not showing up after upgrade to 7.15 [SOLVED]

I already reflashed the firmware via the netinstall method, using the -e and -r flags, but it did not change anything. Is there anything I'm missing? The thing you might be missing is that when netinstalling to a WiFi device, it's best to pass both the base "routeros" package and the one...
by tangent
Fri Jun 07, 2024 2:16 am
Forum: SwOS
Topic: Password length limit on SwOS? Seriously?
Replies: 20
Views: 2701

Re: Password length limit on SwOS? Seriously?

Not only does the same hardware run high-security crypto algorithms just fine (VPN, SSH, HTTPS…) the web login use case is on the order of one per hour. As long as the salt+hash computation completes in ~1 second, it’s fast enough.
by tangent
Thu Jun 06, 2024 2:01 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 126
Views: 13020

Re: hap ax3 random wireless disconnects

authentication types - they seem to be ignored from security config, leaving my network "open" This is the kind of thing I meant in my first reply: you're setting it from two different places, creating a conflict: /interface wifi configuration add antenna-gain=0 country="United State...
by tangent
Thu Jun 06, 2024 11:32 am
Forum: SwOS
Topic: Password length limit on SwOS? Seriously?
Replies: 20
Views: 2701

Re: Password length limit on SwOS? Seriously?

Please stop using passwords use ssh keys instead.

The thread is about SwOS, which doesn't support SSH.
by tangent
Thu Jun 06, 2024 11:32 am
Forum: SwOS
Topic: Password length limit on SwOS? Seriously?
Replies: 20
Views: 2701

Re: Password length limit on SwOS? Seriously?

BTW the link to the NIST document recommending 8 character passwords, that recommendation is from 2017. I find it hard to believe that anybody would consider that secure today. It depends on what type of rate-limiting is in place in front of it. That's why I bothered to set up fail2ban in front of R...
by tangent
Thu Jun 06, 2024 8:58 am
Forum: SwOS
Topic: Password length limit on SwOS? Seriously?
Replies: 20
Views: 2701

Re: Password length limit on SwOS? Seriously?

A sensible limit of that type will be based on a buffer size, as I indicated. 256 bytes is sensible. 1k is sensible. 64k is sensible. 18 smacks of a fixed-length plaintext field in a C structure stored as-is in the flash RAM; there are no common 144-bit hash functions. What they ought to use that sp...
by tangent
Thu Jun 06, 2024 5:18 am
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 126
Views: 13020

Re: hap ax3 random wireless disconnects

Here's my config It would be clearer if you posted the sanitized output of "/interface/wifi/export", not "print" because that includes sub-items like the configuration and security sections. One thing this can show more clearly is when you have redundant or conflicting items in ...
by tangent
Thu Jun 06, 2024 1:52 am
Forum: SwOS
Topic: Password length limit on SwOS? Seriously?
Replies: 20
Views: 2701

Re: Seriously?

I don't think that an 18 characters long password can be that much insecure I believe you're missing @mwiesenhaan's point. A length limit implies that they're storing the password in plaintext, thus that it can be retrieved and reused as-is. If they were salting and hashing the password as has been ...
by tangent
Wed Jun 05, 2024 10:34 am
Forum: Scripting
Topic: FTP configuration problems with CRS326
Replies: 2
Views: 809

Re: FTP configuration problems with CRS326

I’ve moved the topic. It beggars belief that the OP could have tried this and gotten that result on SwOS. The true issue must be something else.
by tangent
Tue Jun 04, 2024 8:40 am
Forum: Forwarding Protocols
Topic: PIM-SSM Support
Replies: 7
Views: 2551

Re: PIM-SSM Support

Would someone here please clarify if these German Telekom users want PIM-SM, or SSM, or SSM over a PIM-managed network, or…? It feels like an acronym mashup, but lacking experience with these foreign networks, I can’t disentangle it on my own. Both are features of IP multicast, but PIM Sparse Mode ≠...
by tangent
Tue Jun 04, 2024 8:26 am
Forum: General
Topic: Mikrotik hex S can't handle with 500Mbps - CPU 95%
Replies: 6
Views: 615

Re: Mikrotik hex S can't handle with 500Mbps - CPU 95%

What's the point than to "have" gigabit port?

@anav said it, but to clarify, traffic between wired interfaces in the default configuration’s “LAN” list will go at a full gigabit, being hardware-offloaded.
by tangent
Thu May 30, 2024 6:01 pm
Forum: Containers
Topic: Horrible container performance from 7.14 up to 7.15rc2
Replies: 29
Views: 7256

Re: Horrible container performance from 7.14 up to 7.15rc2

Maybe it's time to show your config ? That, or a minimal reproducible test case that is expected to show the same result everywhere. It's unreasonable to expect third-party testers to set up complex things like VictoriaMetrics, but if you instead give us something that can be tried in under a minut...
by tangent
Wed May 29, 2024 3:59 pm
Forum: Containers
Topic: Horrible container performance from 7.14 up to 7.15rc2
Replies: 29
Views: 7256

Re: Horrible container performance from 7.14 up to 7.15rc2

Are you using one of the official container images for this, or is it something you've built locally?
by tangent
Wed May 29, 2024 3:19 pm
Forum: General
Topic: ccr2116 nvme issue
Replies: 1
Views: 411

Re: ccr2116 nvme issue

I tried to find out what the heck a “J.ZAO QL SERIES” was, but I found little that was enlightening. The best of the bunch was this test result, where its ranking of around ¼ that of mainstream top products suggests it’s a cheap PoS at best.

What brand name did this thing come under?
by tangent
Tue May 28, 2024 10:11 pm
Forum: General
Topic: Same subnet but cannot access server HELP!
Replies: 1
Views: 350

Re: Same subnet but cannot access server HELP!

I created 1 network 10.0.0.1/22 and the dhcp gave me ip pool of 10.0.0.100-10.0.1.254. Was it your intention to assign only half the space to DHCP? A /22 subnet spans 10.0.0.1 to 10.0.3.255. Now, we have a linux server from another office in another location which has the ip of 172.16.10.254. What ...
by tangent
Tue May 28, 2024 10:06 pm
Forum: Beginner Basics
Topic: Port forward for Minecraft server 25565
Replies: 3
Views: 1012

Re: Port forward for Minecraft server 25565

Port mapping has nothing to do with this.

The second result for "port forward" in the docs is this: https://help.mikrotik.com/docs/display/ ... forwarding
by tangent
Mon May 27, 2024 8:55 pm
Forum: Forwarding Protocols
Topic: Need a helping hand with port forwarding [SOLVED]
Replies: 7
Views: 3218

Re: Need a helping hand with port forwarding [SOLVED]

/ip firewall filter add action=drop chain=input comment="WAN -> FW | Ping blockieren" \ in-interface=ether1 protocol=icmp This is a bad idea. add action=drop chain=forward comment="ALLG. | Alles andere verwerfen" \ connection-nat-state="" connection-state=""...
by tangent
Mon May 27, 2024 6:26 pm
Forum: Forwarding Protocols
Topic: Need a helping hand with port forwarding [SOLVED]
Replies: 7
Views: 3218

Re: Need a helping hand with port forwarding [SOLVED]

I don't see what the actual problem is, but this rule needs to go: add action=accept chain=forward comment="ALLG. | Port-Forwarding" connection-nat-state=dstnat in-interface-list=WAN As you can see from this packet flow diagram, it does you no good, the dst-nat chain being part of PREROUT...
by tangent
Sun May 26, 2024 6:16 pm
Forum: General
Topic: iperf3 in docker container not showing 10Gb/sec speed
Replies: 13
Views: 2115

Re: iperf3 in docker container not showing 10Gb/sec speed

to get ~10g routed traffic on my 2004 i have to turn the MTU up to around 8k Across the OP's CRS309, standard-sized Ethernet packets suffice, if we can go by my CRS328 tests here. I have yet to be able to justify jumbo packets with any test I've been able to devise here. That's not to say it isn't ...
by tangent
Sat May 25, 2024 3:12 am
Forum: Beginner Basics
Topic: wireGuard does not work for me on my mikrotik RB750r2
Replies: 15
Views: 2037

Re: wireGuard does not work for me on my mikrotik RB750r2

is rule number 8 well located there or do I have to lower it all the way down? It's as far down as it can get already. Rules apply within a given chain, so with no other "input" chain rules after it, that one is at the end already. Pushing it further down in the list shown by WinBox will ...
by tangent
Fri May 24, 2024 6:34 am
Forum: General
Topic: CRS328 mangle rules [SOLVED]
Replies: 3
Views: 970

Re: CRS328 mangle rules [SOLVED]

You should be looking at something like hardware queues instead. It’s a switch, not a router.
by tangent
Fri May 24, 2024 6:29 am
Forum: Beginner Basics
Topic: wireGuard does not work for me on my mikrotik RB750r2
Replies: 15
Views: 2037

Re: wireGuard does not work for me on my mikrotik RB750r2

This article shows a successful WG config with double NAT. Not ideal, but I ran that way for about a year before I was able to replace the border router with an ax³ and move WG service to it.
by tangent
Thu May 23, 2024 4:18 am
Forum: Wireless Networking
Topic: Apple Airplay not working
Replies: 11
Views: 2711

Re: Apple Airplay not working

.multicast-enhance=enabled
?
by tangent
Wed May 22, 2024 11:16 pm
Forum: Containers
Topic: Stopped containers respond to ping
Replies: 18
Views: 5392

Re: Stopped containers respond to ping

If something is little, it doesn’t automatically mean it should be treated as true and correct.

The more smarts you add, the bigger it gets. There isn’t room left even for something the size of crun on some ROS devices that support containers today, much less Podman scale or larger.

TANSTAAFL.
by tangent
Wed May 22, 2024 9:37 pm
Forum: Containers
Topic: Stopped containers respond to ping
Replies: 18
Views: 5392

Re: Stopped containers respond to ping

Part of your misapprehension is assuming there is a 1:1 correspondence between IPs and containers. There isn't, and there should not be. Thanks for contributing your time to this issue and writing such a long message. I appreciate your opinion. The part you quoted isn't an opinion. Consider a Kuber...
by tangent
Wed May 22, 2024 6:57 pm
Forum: Containers
Topic: Stopped containers respond to ping
Replies: 18
Views: 5392

Re: Stopped containers respond to ping

why should anybody want a VETH independent of any container? I don't think it's a matter of "want" but more a reflection of the bare-bones nature of RouterOS's container runtime. It has no equivalent of "podman network create" for example, much less the even more elaborate beh...
by tangent
Wed May 22, 2024 1:42 pm
Forum: Containers
Topic: Stopped containers respond to ping
Replies: 18
Views: 5392

Re: Stopped containers respond to ping

Community, if you use containers, do you think stopped containers should respond to pings? Your question is based on a misapprehension: that started containers respond to pings. They don't. It's the VETH that responds to pings, because it owns the IP you're pinging. Since the VETH lifetime is inde...
by tangent
Wed May 22, 2024 12:14 pm
Forum: Beginner Basics
Topic: [delete]
Replies: 23
Views: 1622

Re: CRS310-8G+S2 reality check on CPU use when using internet traffic

Are you sure ? Because my CRS by default works like a router. Are you sure? 🤓 Become sure by saying "/system/default-configuration/print without-paging" and then stripping away all the conditional logic, unrolling the "for" loops, etc. When I do that here on my CRS328 running 7....
by tangent
Mon May 20, 2024 6:57 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 164
Views: 15116

Re: [Discussion] MikroTik configuration abstraction complexity

Ubiquiti is absolutely horseshit. MikroTik should learn from VyOS developers Are you trying to get banned with all these unprofessional tirades? Bad language aside, UBNT's EdgeRouter series were based on a fork of VyOS. (Source) If VyOS is the fount of networking wisdom…? The mind boggles attempt...
by tangent
Sun May 19, 2024 5:30 pm
Forum: Beginner Basics
Topic: CRS310-8G+2S+IN - Low speed ISP [SOLVED]
Replies: 18
Views: 3514

Re: CRS310-8G+2S+IN - Low speed ISP [SOLVED]

I think you should keep the CRS310 and extend your existing network like this: https://tangentsoft.com/mikrotik/doc/trunk/images/crs310-rb5009.pikchr?popup The thick arrows represent an aggregation of multiple links, to contrast them with the single-link arrows. This leaves you with a single spare 1...
by tangent
Sun May 19, 2024 5:01 pm
Forum: Beginner Basics
Topic: CRS310-8G+2S+IN - Low speed ISP [SOLVED]
Replies: 18
Views: 3514

Re: CRS310-8G+2S+IN - Low speed ISP [SOLVED]

The overcompensation came because my network is 10G ready, and I don't want to waste money over years upgrading devices. So, I wanted to keep the 10G ready network. This is why I suggested segregating switching from routing, with 10G on the LAN side bottle-necking to 2.5G at the WAN link. Let's use...
by tangent
Sat May 18, 2024 6:18 pm
Forum: Beginner Basics
Topic: CRS310-8G+2S+IN - Low speed ISP [SOLVED]
Replies: 18
Views: 3514

Re: CRS310-8G+2S+IN - Low speed ISP [SOLVED]

Mikrotik, unfortunately, doesn't have competitive routers…Maybe the NETGEAR PR60X would be the best choice at the moment Either you have a strange definition of "competitive," or you're trolling. You offer a $700 NetGear router as an alternative to a $465 MT unit and call the latter non-c...
by tangent
Fri May 17, 2024 11:38 pm
Forum: Beginner Basics
Topic: CRS310-8G+2S+IN - Low speed ISP [SOLVED]
Replies: 18
Views: 3514

Re: CRS310-8G+2S+IN - Low speed ISP [SOLVED]

If the purpose of getting the CRS310 is to have more 10G ports than an RB5009 gets you, you can connect these two together with a short DAC cable. Separating switching from routing is an excellent way to get the best speed. It segregates the 10G LAN traffic from that going out to the Internet throug...
by tangent
Fri May 17, 2024 9:20 pm
Forum: Beginner Basics
Topic: CRS310-8G+2S+IN - Low speed ISP [SOLVED]
Replies: 18
Views: 3514

Re: CRS310-8G+2S+IN - Low speed ISP [SOLVED]

I upgrade the routerboard with CRS310-8G+2S+IN.

No, you downgraded from a router to a switch. Check the test results:


A proper ~2.5 Gbit/sec upgrade for a hEX class router is an RB5009. They've even got a PoE version now.
by tangent
Tue May 14, 2024 5:58 am
Forum: Beginner Basics
Topic: Internal clients DNS over HTTPS
Replies: 6
Views: 1351

Re: Internal clients DNS over HTTPS

Seriously? Encrypting DNS across the private LAN is a "huge miss in the entire market space"? That seems a rather niche requirement.

Encrypting over the Internet is the bulk of the market need, and for that, the current facilities suffice.
by tangent
Mon May 13, 2024 11:22 pm
Forum: Beginner Basics
Topic: Internal clients DNS over HTTPS
Replies: 6
Views: 1351

Re: Internal clients DNS over HTTPS

The internal hosts don’t use DoH themselves. They ask the router questions via plain old DNS, and it asks Cloudflare (in this case) questions via DoH on their behalf.
by tangent
Mon May 13, 2024 8:56 pm
Forum: Beginner Basics
Topic: Internal clients DNS over HTTPS
Replies: 6
Views: 1351

Re: Internal clients DNS over HTTPS

I don't know whether you're overthinking matters or overlooking something obvious, but there's no obscurity here at all. You set the router up to use DoH as documented, enable an externally-responding DNS server on same with your DoH as the upstream, then pass your router's IP out with DHCP requests...
by tangent
Fri May 10, 2024 1:50 pm
Forum: General
Topic: iperf3 in docker container not showing 10Gb/sec speed
Replies: 13
Views: 2115

Re: iperf3 in docker container not showing 10Gb/sec speed

server is 2012 era…Lenovo Thinkstation C 30 That looks like your problem to me. I wasn't in the 10G market in 2012, but I don't remember anything "workstation" grade coming with 10G NICs, not even the top-end Mac Pro. That didn't start happening until 2016-2017. PCI express lanes on my 20...
by tangent
Fri May 10, 2024 4:14 am
Forum: General
Topic: iperf3 in docker container not showing 10Gb/sec speed
Replies: 13
Views: 2115

Re: iperf3 in docker container not showing 10Gb/sec speed

I'm still only getting 3-4gbits/sec across the switch.. isn't that a bit weird? First rule of troubleshooting: test one thing at a time. You've got several unnecessary complexities in this setup: Two fiber links to the Home Server in the lower left corner of the network diagram. Unplug one to give ...
by tangent
Fri May 10, 2024 3:59 am
Forum: Beginner Basics
Topic: Can't access local web by IP address
Replies: 6
Views: 1165

Re: Can't access local web by IP address

listBridge is the exact name from there Yes, that's resulting in unnecessary confusion, for both of us. I reported this issue to MT support, and they've made a whole series of improvements to the First Time Configuration article, and not merely to standardize the article's naming choices relative t...
by tangent
Mon May 06, 2024 2:05 pm
Forum: Announcements
Topic: v7.15rc [testing] is released!
Replies: 343
Views: 117772

Re: v7.15rc [testing] is released!

Hmmm,...the alternative would be to declare those devices "End of Life" or "End of Support"... but would this be the better solution instead of supporting old devices with the newest ROS with concerns? One of the things that pushed me into the RouterOS world is the promise of 5 ...
by tangent
Mon May 06, 2024 3:33 am
Forum: Beginner Basics
Topic: Can't access local web by IP address
Replies: 6
Views: 1165

Re: Can't access local web by IP address

I went this way as it should give me better understanding of how things work In principle, over the long haul, sure, but as we’ve seen, you made a few serious mistakes already. The biggie is putting the WAN and LAN sides in the same interface list. It had no effect in your prior config, but it was ...
by tangent
Sun May 05, 2024 8:27 am
Forum: RouterBOARD hardware
Topic: L009UiGS-2HaxD-IN downgrade routeros v6
Replies: 3
Views: 1546

Re: L009UiGS-2HaxD-IN downgrade routeros v6

I can not migrate my config to L009UiGS-2HaxD-IN routeros v7. Apply the config in parts. Most things are unchanged. When you get to the part or parts that fail, you can look for advice in the Upgrading to v7 guide in the manual, or by comparing what doesn't work with what is currently documented el...
by tangent
Sun May 05, 2024 1:05 am
Forum: Beginner Basics
Topic: Can't access local web by IP address
Replies: 6
Views: 1165

Re: Can't access local web by IP address

listBridge is the exact name from there Yes, that's resulting in unnecessary confusion, for both of us. Me because I didn't recognize the alternate configuration and map it back to the defaults, you because this doc leads you to discarding the defaults and starting over from scratch, unnecessarily....
by tangent
Sat May 04, 2024 11:50 am
Forum: Beginner Basics
Topic: Can't access local web by IP address
Replies: 6
Views: 1165

Re: Can't access local web by IP address

/interface list add name=listBridge You shouldn't be renaming defaults before you fully understand them. The purpose of the "LAN" interface list isn't to alias the bridge or anything like that. It merely expresses the truth that in the default configuration there is only one "interfa...
by tangent
Fri May 03, 2024 12:17 am
Forum: Beginner Basics
Topic: Looking for clarification on how switch chips and bridging work
Replies: 1
Views: 428

Re: Looking for clarification on how switch chips and bridging work

how does AR8327 Switch know to have all of these ports and bridge port on the same broadcast domain? Because you configured RouterOS to tell it so. If you're asking how switch chips work internally, you might be able to dig up a bootleg copy of the IC manual without signing an NDA, but it'll be a s...
by tangent
Thu May 02, 2024 9:08 am
Forum: Beginner Basics
Topic: Multicast between subnets
Replies: 1
Views: 371

Re: Multicast between subnets

by tangent
Thu May 02, 2024 12:25 am
Forum: General
Topic: iperf3 in docker container not showing 10Gb/sec speed
Replies: 13
Views: 2115

Re: iperf3 in docker container not showing 10Gb/sec speed

a docker container May I ask, whose? Mine is capable of better than that with an RB4011, and an RB5009 should do a smidge better still. See the benchmark results at the bottom of the linked documentation. Partly that's the low-overhead nature of the setup, but also it's careful setup of the test. T...
by tangent
Wed May 01, 2024 8:23 pm
Forum: Beginner Basics
Topic: Low performance on RB5009 with machine behind NAT
Replies: 24
Views: 3229

Re: Low performance on RB5009 with machine behind NAT

MikroTik didn't expose jack. Where's EVPN? The Marvell ASICs on CCR2k supports it, where's the “exposé”? We're arguing two separate points. You're welcome to demand every single feature of the chip in RouterOS, but MT has finite resources, and their priorities likely differ from yours atop that. My...
by tangent
Wed May 01, 2024 6:39 pm
Forum: Beginner Basics
Topic: Low performance on RB5009 with machine behind NAT
Replies: 24
Views: 3229

Re: Low performance on RB5009 with machine behind NAT

That thread linked of mine isn't a Thesis I’m using that word in the “proposition stated as the basis of an argument to be proven” sense, not the “doctoral dissertation” sense. I do assume you are interested in reasoned argumentation over mere argumentativeness, yes? Linux bridge doesn't have good ...
by tangent
Tue Apr 30, 2024 12:13 am
Forum: Beginner Basics
Topic: Low performance on RB5009 with machine behind NAT
Replies: 24
Views: 3229

Re: Low performance on RB5009 with machine behind NAT

configuration abstraction complexity of MikroTik The way I summarize that thread's application to this one is that there is some RouterOS configuration change that would somehow cause the OP's application to proceed much faster, and the only reason it isn't being done is that there are too many pos...
by tangent
Sun Apr 28, 2024 12:12 am
Forum: General
Topic: Unsquashfs
Replies: 7
Views: 801

Re: Unsquashfs

Does "unsquashfs --help" list xz as an available decompressor?
by tangent
Sat Apr 27, 2024 11:17 pm
Forum: General
Topic: Unsquashfs
Replies: 7
Views: 801

Re: Unsquashfs

What's your version of unsquashfs?
by tangent
Fri Apr 26, 2024 5:37 pm
Forum: Scripting
Topic: Automating configuration of APs [SOLVED]
Replies: 2
Views: 4803

Re: script [SOLVED]

Install an OS designed to be scripted from the ground up, then use that to netinstall your routers. One of many possible expressions of this basic philosophy is this article. This is meant as inspiration, not prescription. No one here is going to design your automated deployment system for you and ...
by tangent
Thu Apr 25, 2024 1:02 am
Forum: Wireless Networking
Topic: hAP ax²: clients connection stability issue
Replies: 36
Views: 3941

Re: hAP ax²: clients connection stability issue

It should be "configuration.ssid" and "datapath.client-isolation=yes" instead.

The abbreviation is standard, emitted by RouterOS, not something the user did. You can see an example of it here, in MT's own docs.
by tangent
Wed Apr 24, 2024 6:05 pm
Forum: Beginner Basics
Topic: Pass through / Media Converter
Replies: 4
Views: 677

Re: Pass through / Media Converter

Do you suggest disabling flow control in the slow-to-fast direction?

I would expect it to have no effect either way, but how about you do the test and tell us?
by tangent
Wed Apr 24, 2024 5:32 pm
Forum: General
Topic: Why Mikrotik decided to get rid of their Power Lan devices
Replies: 11
Views: 1044

Re: Why Mikrotik decided to get rid of their Power Lan devices

Do you know why? If you're asking for end-user guesswork, I'd say it's because the entire product category sucks, and MT decided they didn't want to play in the mud any more. Does Mikrotik have a plan to bring back this line of devices? Ask MikroTik. This is a user-to-user forum, not a channel for...
by tangent
Wed Apr 24, 2024 5:26 pm
Forum: Beginner Basics
Topic: Pass through / Media Converter
Replies: 4
Views: 677

Re: Pass through / Media Converter

are there any improvements I can make? I don't see any. You've got the main thing there, being the Ethernet flow control, needed with the speed mismatch and protocols like UDP that don't have their own flow control, such as a WG tunnel out to a peer elsewhere on the Internet. Ethernet flow control ...
by tangent
Wed Apr 24, 2024 5:59 am
Forum: Beginner Basics
Topic: Cannot access Apache server from the internet, only get as far as the routeros www server.
Replies: 10
Views: 1082

Re: Cannot access Apache server from the internet, only get as far as the routeros www server.

any idea which is best? Mine, unconditionally, always. 😜 The only material difference is "in-interface=pppoe-out1" vs "in-interface-list=WAN". Since the WAN list has exactly one interface in it, pppoe-out1, the two rules mean the same thing. Which you choose is more a matter of ...
by tangent
Tue Apr 23, 2024 2:08 pm
Forum: Beginner Basics
Topic: Cannot access Apache server from the internet, only get as far as the routeros www server.
Replies: 10
Views: 1082

Re: Cannot access Apache server from the internet, only get as far as the routeros www server.

/ip firewall nat add action=dst-nat chain=dstnat dst-address=192.168.1.2 dst-port=80 \ in-interface=bridge-local protocol=tcp src-address=192.168.1.253 \ to-addresses=192.168.1.2 to-ports=80 Drop the src-address bit. It's simply wrong. The packets' source addresses will be unpredictable, being that...
by tangent
Mon Apr 22, 2024 3:48 pm
Forum: Announcements
Topic: v7.15rc [testing] is released!
Replies: 343
Views: 117772

Re: v7.15rc [testing] is released!

And what about the upgrade for devices with 15.3MB memory(hapac2) ?

"*) system - general work on optimizing the size of RouterOS packages;"
by tangent
Sun Apr 21, 2024 4:13 pm
Forum: Announcements
Topic: v7.15rc [testing] is released!
Replies: 343
Views: 117772

Re: v7.15rc [testing] is released!

Why force older configs to "short"/10 anyway if the default is "long"/20000? Answers at the top here; solution in the "Bridge Interface Path Costs" section near the end. As it says, this behavior change is two releases old now. Please keep this thread on-topic. EDIT: ...
by tangent
Sun Apr 21, 2024 4:09 pm
Forum: RouterBOARD hardware
Topic: CRS328-24P-4S+RM
Replies: 3
Views: 1412

Re: CRS328-24P-4S+RM

The RB5009UPr+S+IN meets that description, though I assume what you really want is a PoE version of the CRS310-8G+2S+IN. Yeah, me, too; been asking for it for nearly three years now, and I'm not alone.
by tangent
Sun Apr 21, 2024 12:40 pm
Forum: Beginner Basics
Topic: NAT port 443 breaks SSL on webserver [SOLVED]
Replies: 4
Views: 3369

Re: NAT port 443 breaks SSL on webserver [SOLVED]

all I get is 3 to 5 Gb on my 10G hardware You need to have everything dialed in to peg the meters on a 10G link with consumer-grade hardware. Disk, memory, packet sizes, drivers… everything. It's why it's taken so long for 10G to reach the consumer market; most PCs couldn't make decent use of it u...
by tangent
Sun Apr 21, 2024 6:18 am
Forum: General
Topic: Trouble with WireGuard.
Replies: 4
Views: 930

Re: Trouble with WireGuard.

What am I doing wrong? Let's start with the fact that you haven't posted a single relevant detail about your configuration. Post the output of "/interface/wireguard/export" and the Android-side config at minimum, stripped of all keys. (You could technically leave the public keys in, but s...
by tangent
Sun Apr 21, 2024 6:06 am
Forum: Beginner Basics
Topic: NAT port 443 breaks SSL on webserver [SOLVED]
Replies: 4
Views: 3369

Re: NAT port 443 breaks SSL on webserver [SOLVED]

NET:ERR_CERT_COMMON_NAME_INVALID That means the name you put into your browser's address bar doesn't match the CN field of the certificate. Use your browser's certificate inspection tools to cross-check this. This is my current conf (I've been trying random stuff for hours so may be a bit messy) Ye...
by tangent
Sat Apr 20, 2024 8:14 am
Forum: General
Topic: Severe port flapping on CRS328-24P-4S+ and CRS317-1G-16S+
Replies: 222
Views: 74685

Re: Severe port flapping on CRS328-24P-4S+ and CRS317-1G-16S+

…the same port flapping… What makes you believe our flapping is your flapping? I'm serious. The "severe" in this thread's title was correct, at the time, and it is now fixed. It was bad in the early 7.x days. Now it seems any time someone sees more than one flap, it's suddenly "sever...
by tangent
Tue Apr 16, 2024 3:29 pm
Forum: Beginner Basics
Topic: Low performance on RB5009 with machine behind NAT
Replies: 24
Views: 3229

Re: Low performance on RB5009 with machine behind NAT

What's up with this toxicity? That's not the intent. I'm reacting to a combination of things. You currently have a post count of five, and yet you are insisting that you know how RouterOS works internally. I believe my years of experience counts for something here, but at the same time, I've taken ...
by tangent
Tue Apr 16, 2024 9:36 am
Forum: Beginner Basics
Topic: Cannot create a guests Wi-Fi network.
Replies: 28
Views: 2372

Re: Cannot create a guests Wi-Fi network.

But the other ports are not connected physically to the network, does that matter?

There are control freaks here who think you should have to go into the router/switch configuration to explicitly enable the port when plugging a new device in. Me, I just bridge all the LAN-side ports and be done wit...
by tangent
Mon Apr 15, 2024 4:37 am
Forum: Beginner Basics
Topic: Low performance on RB5009 with machine behind NAT
Replies: 24
Views: 3229

Re: Low performance on RB5009 with machine behind NAT

It's not like each interface is dedicated to its own single CPU core

You’re presuming an implementation. I thought you came here to ask how RouterOS works, not tell us. We forum denizens are fellow end users for the most part, not RouterOS software engineering insiders, but one thing I can confide...
by tangent
Sun Apr 14, 2024 2:08 pm
Forum: Beginner Basics
Topic: Low performance on RB5009 with machine behind NAT
Replies: 24
Views: 3229

Re: Low performance on RB5009 with machine behind NAT

I created this post so somebody who has knowledge about Mikrotik hopefully can explain why the performance is so bad. You already got that, to a lesser extent from me, and then mkx, who's about as knowledgeable as it gets around here. The test seems to be using UDP. I guess that makes things quite ...
by tangent
Sun Apr 14, 2024 9:35 am
Forum: Beginner Basics
Topic: Low performance on RB5009 with machine behind NAT
Replies: 24
Views: 3229

Re: Low performance on RB5009 with machine behind NAT

I have firewalls upstream, so that would not give me the correct results.

So you're measuring the speed of the firewalls, not the speed of the network. Take a look at the RB5009 test results. Your application is the lower rightmost number in the first table, tiny packet sizes, so that almost nothi...
by tangent
Sun Apr 14, 2024 5:07 am
Forum: Beginner Basics
Topic: Low performance on RB5009 with machine behind NAT
Replies: 24
Views: 3229

Re: Low performance on RB5009 with machine behind NAT

I have a server behind NAT

Why isn't it bridged to the LAN it needs to examine instead?

Why is only 50 % of the packets showing up as FP

Because that decision can't be made until after the first SYN is seen, where the default firewall applies the fasttrack-connection flag. This is one of many cost...
by tangent
Sun Apr 14, 2024 4:59 am
Forum: Beginner Basics
Topic: netinstall for ax2
Replies: 7
Views: 765

Re: netinstall for ax2

It is the "Default Router Configuration Script" given immediately below the "-s reset.scr" bit that references it. If you don't like mine, write one that configures the router as you please.
by tangent
Sun Apr 14, 2024 4:45 am
Forum: General
Topic: Where can we see active multicast groups with bridge igmp snooping, external querier, hardware offloaded. CRS326
Replies: 3
Views: 1048

Re: Where can we see active multicast groups with bridge igmp snooping, external querier, hardware offloaded. CRS326

My suspicion is that the IGMP snooping happens with hardware offload and the OS isn't pulling all the info from the switch chip.

While it is true that IGMP snooping is a layer 2 function best offloaded to the switch chip, that doesn't mean you can only see the MDB on devices configured as the queri...
by tangent
Sun Apr 14, 2024 4:11 am
Forum: Beginner Basics
Topic: netinstall for ax2
Replies: 7
Views: 765

Re: netinstall for ax2

So hard..

It’s easier this way

If nothing else, reading that will give you insights into the necessary complexities in this process, as opposed to the unnecessary ones imposed by pressing a general-purpose Windows laptop into this role instead.
by tangent
Fri Apr 12, 2024 4:07 pm
Forum: Beginner Basics
Topic: Cannot create a guests Wi-Fi network.
Replies: 28
Views: 2372

Re: Cannot create a guests Wi-Fi network.

This one doesn't teach how to do it with CAPsMAN so it doesn't work for me.

One of the things that CAPsMAN does is create a single virtual bridge among all the WiFi routers under its control. I've never used CAPsMAN, but doesn't that mean the bridge filtering option at the end of that article would...
by tangent
Fri Apr 12, 2024 3:23 pm
Forum: Beginner Basics
Topic: Cannot create a guests Wi-Fi network.
Replies: 28
Views: 2372

Re: Cannot create a guests Wi-Fi network.

Please I need an answer guys I need you.🥺

The article I linked you to above gives two different solutions. What was wrong with them?
by tangent
Fri Apr 12, 2024 7:30 am
Forum: Beginner Basics
Topic: DHCP client stuck searching
Replies: 2
Views: 1078

Re: DHCP client stuck searching

I just got a Mikrotik CRS112-8G-4S-IN 8 port Gigabit Cloud Router Switch and I need to use it as a router.

Postel's ghost help you, then. That's a gigabit switch, not a gigabit router. Yes, it can route, but at tens of megabits per second with a likely configuration, low hundreds at best with a h...
by tangent
Wed Apr 10, 2024 3:00 pm
Forum: Beginner Basics
Topic: Cannot create a guests Wi-Fi network.
Replies: 28
Views: 2372

Re: Cannot create a guests Wi-Fi network.

If the OP was already using VLANs, putting the guest WiFi on another one would be perfectly justified.

Converting this configuration to VLANs for that single purpose, however, is not. You do not need VLANs to have an isolated guest WiFi network.
by tangent
Tue Apr 09, 2024 6:10 pm
Forum: General
Topic: xz Backdoor CVE-2024-3094 [SOLVED]
Replies: 23
Views: 51042

Re: xz Backdoor CVE-2024-3094 [SOLVED]

you can't put that new pest on a 16MB flash anyways :lol:

Turns out, you can, but that's about all you can get into that space:

$ rpm --queryformat='%6{SIZE:humaniec} %{NAME}\n' -q systemd
12M systemd

I realize you're joking, but the on-topic point here for this thread is, "No, there is no sys...
by tangent
Mon Apr 08, 2024 1:07 pm
Forum: General
Topic: UTF-8 representation problem?
Replies: 8
Views: 1203

Re: UTF-8 representation problem?

because I don't use Windows. So the winbox will be not an option for me.

WINE runs WinBox well.

But in fact the behaviour should be uniform. Either everything or nothing escaped.

It's not nearly that simple. The stupendous compound complications of human languages are collectively and imperfectly r...
by tangent
Mon Apr 08, 2024 12:48 pm
Forum: SwOS
Topic: CSS610 Multicast IGMP-Snooping parameters
Replies: 3
Views: 1846

Re: CSS610 Multicast IGMP-Snooping parameters

the css610 needs to be working with the ver2? anybody knows the details of the right values?

IGMPv3 simply adds features to v2, without breaking compatibility. However, the rules of the protocol are that any IGMPv3 device that sees a v2 packet is supposed to shift into v2 mode, using no v3 features...
by tangent
Mon Apr 08, 2024 4:33 am
Forum: General
Topic: Port Forward based on Destination Interface
Replies: 15
Views: 1322

Re: Port Forward based on Destination Interface

I get the error "outgoing interface matching not possible in input and prerouting chains" when I put out interface

That’s why you need the mangle rules and additional routing tables @pimmie initially suggested. Study that PCC doc I linked above. Once you understand it, you will understand...
by tangent
Sun Apr 07, 2024 12:13 am
Forum: General
Topic: vpn servers over wan1 and wifi clients over wan2
Replies: 8
Views: 732

Re: vpn servers over wan1 and wifi clients over wan2

There are a vast number of "cloud services," which is why I did not dare presume your meaning before, but I am now willing to dare a guess that you mean RouterOS's Cloud feature. If that's the case, you simply modify the route command I gave you before to direct packets to the documented ...
by tangent
Sat Apr 06, 2024 11:28 pm
Forum: General
Topic: vpn servers over wan1 and wifi clients over wan2
Replies: 8
Views: 732

Re: vpn servers over wan1 and wifi clients over wan2

I think the part I was missing is the direction of the VPN tunnel establishment. You did not state that, and so I presumed that you were allowing an external network to connect into your VPN server via that public IP you speak of, in which case you get the behavior I predicted. It sounds like the VP...
by tangent
Sat Apr 06, 2024 11:00 pm
Forum: Beginner Basics
Topic: Changing from bridge to router mode via Command Line?
Replies: 3
Views: 883

Re: Changing from bridge to router mode via Command Line?

I don't think it's possible to switch between Router and Bridge mode or do whatever Quickset configuration on the CLI

There's nothing QuickSet can do that you cannot do from the CLI. The only tricky bit is doing it in a single step without locking yourself out. For this, you have to rely on RouterO...
by tangent
Sat Apr 06, 2024 10:41 pm
Forum: General
Topic: Where can we see active multicast groups with bridge igmp snooping, external querier, hardware offloaded. CRS326
Replies: 3
Views: 1048

Re: Where can we see active multicast groups with bridge igmp snooping, external querier, hardware offloaded. CRS326

one port linked into another network where the igmp querier is configured.

By "another network" do you mean another subnet, putting it beyond a routing layer, inside another broadcast domain, or do you mean another segment of the same LAN? There needs to be one querier per subnet; no more...
by tangent
Sat Apr 06, 2024 9:48 pm
Forum: General
Topic: vpn servers over wan1 and wifi clients over wan2
Replies: 8
Views: 732

Re: vpn servers over wan1 and wifi clients over wan2

I’m not seeing that you need to do anything more clever than set the default route to WAN2. That sends local traffic out that direction, but inbound VPN traffic comes in on the public IP bound to WAN1, which means the outbound replies go back out the same direction. What am I missing that makes this...
by tangent
Sat Apr 06, 2024 11:38 am
Forum: General
Topic: Port Forward based on Destination Interface
Replies: 15
Views: 1322

Re: Port Forward based on Destination Interface

I think we’re getting caught up in a confusing use of “client” here. Study the diagram. OP refers to two business client hosts running servers on the same IP. The network clients are across the Internet, if I’m reading this correctly.
by tangent
Sat Apr 06, 2024 9:36 am
Forum: General
Topic: Port Forward based on Destination Interface
Replies: 15
Views: 1322

Re: Port Forward based on Destination Interface

Will have to research this one.

@pimmie is essentially proposing the inverse of a typical PCC load-balancing configuration. Instead of one LAN fed by two ISPs, you have two LANs accessed from the one-and-only Internet.

They also used default ports like port 80

If all Internet clients connect to po...
by tangent
Fri Apr 05, 2024 4:26 pm
Forum: General
Topic: Port Forward based on Destination Interface
Replies: 15
Views: 1322

Re: Port Forward based on Destination Interface

@pimmie, yes.

The only remaining question is how will they discriminate the incoming connections? Will it be acceptable to port-forward $PUBLIC_IP:8000 to Web Server 1 and :9000 to Server 2, or are they going to want some type of domain name-based routing?