MikroTik

It should be "configuration.ssid" and "datapath.client-isolation=yes" instead.

The abbreviation is standard, emitted by RouterOS, not something the user did. You can see an example of it here, in MT's own docs.

Do you suggest disabling flow control in the slow-to-fast direction?

I would expect it to have no effect either way, but how about you do the test and tell us?

Do you know why? If you're asking for end-user guesswork, I'd say it's because the entire product category sucks , and MT decided they didn't want to play in the mud any more. Does Mikrotik have a plan to bring back this line of devices? Ask MikroTik. This is a user-to-user forum, not a channel for...

are there any improvements I can make? I don't see any. You've got the main thing there, being the Ethernet flow control, needed with the speed mismatch and protocols like UDP that don't have their own flow control, such as a WG tunnel out to a peer elsewhere on the Internet. Ethernet flow control ...

any idea which is best? Mine, unconditionally, always. 😜 The only material difference is "in-interface=pppoe-out1" vs "in-interface-list=WAN". Since the WAN list has exactly one interface in it, pppoe-out1, the two rules mean the same thing. Which you choose is more a matter of ...

/ip firewall nat add action=dst-nat chain=dstnat dst-address=192.168.1.2 dst-port=80 \ in-interface=bridge-local protocol=tcp src-address=192.168.1.253 \ to-addresses=192.168.1.2 to-ports=80 Drop the src-address bit. It's simply wrong. The packets' source addresses will be unpredictable, being that...

And what about the upgrade for devices with 15.3MB memory(hapac2) ?

"*) system - general work on optimizing the size of RouterOS packages;"

Why force older configs to "short"/10 anyway if the default is "long"/20000? Answers at the top here ; solution in the "Bridge Interface Path Costs" section near the end. As it says, this behavior change is two releases old now. Please keep this thread on-topic. EDIT: ...

The RB5009UPr+S+IN meets that description, though I assume what you really want is a PoE version of the CRS310-8G+2S+IN. Yeah, me, too; been asking for it for nearly three years now, and I'm not alone.

all I get is 3 to 5 Gb on my 10G hardware You need to have everything dialed in to peg the meters on a 10G link with consumer-grade hardware. Disk, memory, packet sizes, drivers… everything . It's why it's taken so long for 10G to reach the consumer market; most PCs couldn't make decent use of it u...

What am I doing wrong? Let's start with the fact that you haven't posted a single relevant detail about your configuration. Post the output of "/interface/wireguard/export" and the Android-side config at minimum, stripped of all keys. (You could technically leave the public keys in, but s...

NET:ERR_CERT_COMMON_NAME_INVALID That means the name you put into your browser's address bar doesn't match the CN field of the certificate. Use your browser's certificate inspection tools to cross-check this. This is my current conf (i've been trying random stuff for hours so may be a bit messy) Ye...

…the same port flapping… What makes you believe our flapping is your flapping? I'm serious. The "severe" in this thread's title was correct, at the time, and it is now fixed. It was bad in the early 7.x days. Now it seems any time someone sees more than one flap, it's suddenly "sever...

What's up with this toxicity? That's not the intent. I'm reacting to a combination of things. You currently have a post count of five, and yet you are insisting that you know how RouterOS works internally. I believe my years of experience counts for something here, but at the same time, I've taken ...

But the other ports are not connected phisically to the network, does that matter? There are control freaks here who think you should have to go into the router/switch configuration to explicitly enable the port when plugging a new device in. Me, I just bridge all the LAN-side ports and be done wit...

It's not like each interface is dedicated to it's own single CPU core You’re presuming an implementation. I thought you came here to ask how RouterOS works, not tell us. We forum denizens are fellow end users for the most part, not RouterOS software engineering insiders, but one thing I can confide...

I created this post so somebody who has knowledge about Mikrotik hopefully can explain why the performance is so bad. You already got that, to a lesser extent from me, and then mkx, who's about as knowledgeable as it gets around here. The test seems to be using UDP. I guess that makes things quite ...

I have firewalls upstream, so that would not give me the correct results. So you're measuring the speed of the firewalls, not the speed of the network. Take a look at the RB5009 test results . Your application is the lower rightmost number in the first table, tiny packet sizes, so that almost nothi...

I have a server behind NAT Why isn't it bridged to the LAN it needs to examine instead? Why is only 50 % of the packets showing up as FP Because that decision can't be made until after the first SYN is seen, where the default firewall applies the fasttrack-connection flag . This is one of many cost...

It is the "Default Router Configuration Script" given immediately below the "-s reset.scr" bit that references it. If you don't like mine, write one that configures the router as you please.

My suspicion is that the IGMP snooping happens with hardware offload and the OS isn't pulling all the info from the switch chip. While it is true that IGMP snooping is a layer 2 function best offloaded to the switch chip, that doesn't mean you can only see the MDB on devices configured as the queri...

So hard..

It’s easier this way…

If nothing else, reading that will give you insights into the necessary complexities in this process, as opposed to the unnecessary ones imposed by pressing a general-purpose Windows laptop into this role instead.

This one doesn't teach how to do it with CAPsMAN so it doesn't work for me. One of the things that CAPsMAN does is create a single virtual bridge among all the WiFi routers under its control. I've never used CAPsMAN, but doesn't that mean the bridge filtering option at the end of that article would...

Pease I need an answer guys I need you.

The article I linked you to above gives two different solutions. What was wrong with them?

I just got a Mikrotik CRS112-8G-4S-IN 8 port Gigabit Cloud Router Switch and I need to use it as a router. Postel's ghost help you, then. That's a gigabit switch , not a gigabit router . Yes, it can route, but at tens of megabits per second with a likely configuration, low hundreds at best with a h...

If the OP was already using VLANs, putting the guest WiFi on another one would be perfectly justified.

Converting this configuration to VLANs for that single purpose, however, is not. You do not need VLANs to have an isolated guest WiFi network.

you can't put that new pest on a 16MB flash anyways :lol: Turns out, you can, but that's about all you can get into that space: $ rpm --queryformat='%6{SIZE:humaniec} %{NAME}\n' -q systemd 12M systemd I realize you're joking, but the on-topic point here for this thread is, "No, there is no sys...

because I don't use Windows. So the winbox will be not an option for me. WINE runs WinBox well. But in fact the behaviour should be uniform. Either everything or nothing escaped. It's not nearly that simple. The stupendous compound complications of human languages are collectively and imperfectly r...

the css610 needs to be working with the ver2? anybody knows the details of the right values? IGMPv3 simply adds features to v2, without breaking compatibility. However, the rules of the protocol are that any IGMPv3 device that sees a v2 packet is supposed to shift into v2 mode, using no v3 features...

I get the error "outgoing interface matching not possible in input and prerouting chains" when I put out interface That’s why you need the mangle rules and additional routing tables @pimmie initially suggested. Study that PCC doc I linked above. Once you understand it, you will understand...

There are a vast number of "cloud services," which is why I did not dare presume your meaning before, but I am now willing to dare a guess that you mean RouterOS's Cloud feature . If that's the case, you simply modify the route command I gave you before to direct packets to the documented ...

I think the part I was missing is the direction of the VPN tunnel establishment. You did not state that, and so I presumed that you were allowing an external network to connect into your VPN server via that public IP you speak of, in which case you get the behavior I predicted. It sounds like the VP...

I don't think it's possible to switch between Router and Bridge mode or do whatever Quickset configuration on the CLI There's nothing QuickSet can do that you cannot do from the CLI. The only tricky bit is doing it in a single step without locking yourself out. For this, you have to rely on RouterO...

one port linked into another network where the igmp querier is configured. By "another network" do you mean another subnet, putting it beyond a routing layer, inside another broadcast domain, or do you mean another segment of the same LAN? There needs to be one querier per subnet; no more...

I’m not seeing that you need to do anything more clever than set the default route to WAN2. That sends local traffic out that direction, but inbound VPN traffic comes in on the public IP bound to WAN1, which means the outbound replies go back out the same direction. What am I missing that makes this...

I think we’re getting caught up in a confusing use of “client” here. Study the diagram. OP refers to two business client hosts running servers on the same IP. The network clients are across the Internet, if I’m reading this correctly.

Will have to research this one. @pimmie is essentially proposing the inverse of a typical PCC load-balancing configuration . Instead of one LAN fed by two ISPs, you have two LANs accessed from the one-and-only Internet. They also used default ports like port 80 If all Internet clients connect to po...

@pimmie, yes.

The only remaining question is how will they discriminate the incoming connections? Will it be acceptable to port-forward $PUBLIC_IP:8000 to Web Server 1 and :9000 to Server 2, or are they going to want some type of domain name-based routing?

how did you fix this?

Post #4.

DHCP snooping is a feature that causes a RouterOS switch to drop DHCP service replies from ports that aren't authorized to send them, to prevent a malefactor from reconfiguring your network one host at a time. There is no "database" or "table" for this, only the per-port trusted ...

That “example” becomes obsolete in the presence of ECH . A better hope is to try and force all DNS to the router’s caching server, then selectively blackhole the unwanted domain names, but then you stumble on the problem of client-side DoH/DoT. Again, this has all been discussed to death here before...

You might need to adjust MTU/MSS then, per the PPPoE docs.

If that doesn't do it, try fixing the other things I mentioned before asking for help again. Ignoring given advice discourages further advice.

That hasn't worked since the Internet went HTTPS-everything and cloud-everything. There is no easy and reliable workaround short of middleboxes that dynamically forge TLS certificates.

Don't argue; search the forum. It's been discussed to death here several times before.

If you reset the switch, the password is now blank.

What likely happened before that is that you didn't read the near-microscopic 3dpi print on the password label properly, confusing 0 with O or something similar.

somes sites don't responde Try to be even more vague next time. We love nothing better than making wild, unsupported guesses here. 🙄 With nothing to go on but your /export, I'll give you a line-by-line critique, with zero expectation that any of this fixes your actual problem, being unstated and il...

It beggars belief that this exploit could even in principle affect RouterOS. It's a an attack on the liblzma2 underlying the xz utility, and it only affects the patched version of sshd on systemd-based OSes like Debian, where they integrate with its notification system. If any of that exists in Rout...

Those are plain-text dumps of the certificates, not the certs themselves. You want the PEM format versions, available here.

That info was removed from the doc under the comment “Formatting” in the most recent update. You have to roll back to the prior version or diff them to recover the info.

The most recent MT item I bought through Amazon came from Getic, one of MT’s primary distributors, possibly even #1.

As always, check your sources.

You're going to have to be a lot more specific about what it is you're trying to accomplish here if you want sensible advice. We can't even go on the thin information you've provided so far because it doesn't specify the goals. You say you are "…concerned about preventing any traffic…" but...

That sounds like the expiration of a DHCP lease to me. Updating the DNS addresses in DHCP doesn't apply them instantly throughout your network; each client keeps using the old information from their current lease until it expires. Moreover, if the client reappears and asks for the same lease before ...

You’re referring indirectly to guides from 2016 and 2018, which would be for RouterOS 6. Presuming you’re on 7, this page in the docs is likely to be on-point.

You aren’t using your routing marks in your three static routes at the end. Without them, the rules are redundant, so that only one takes effect.

Are there things…we cannot do in software on Mikrotik?

Go fast.

That's it, as far as I'm aware.

Fair question, @anav. The first rule on the page I linked to says "l3-hw-offloading=yes". Where's that in your config, @Dulcow?

The CRS317, can route up to about 400Mbps but thats it You're talking software routing. @mkx is talking L3HW routing , where everything gets offloaded to the switch chip. The CRS317 is one of the handful devices in MT's lineup that can do this well, but even then, it isn't capable of much of what y...

For power regulation, capacitor with larger voltage rating and larger capacitance usually work better, for example, to better smooth ripple. Sure, all else being equal, but all else is not equal, because you've got a fixed area of PCB space to install it in. Greater capacity and higher voltage tole...

which of the following "health" showing the temperature of the heatsink of the transistors?? I wrote "ballpark" for a reason. It's unreasonable to expect die temp readings on every transistor in the device, but it's equally unreasonable to suppose that the PSU is running at a wi...

i cannot assess how hot the nearby heatsink of the transistor can be, You work in an industrial setting and nobody around has a DMM with a thermocouple you can borrow? The internal health readings should get you into the ballpark, at least. It’s no accident that this menu is called “health,” by the...

@kevinds: +30% isn’t “much” in this context.

Junk grade is 1000 hours @ 85ºC. And yes, they really exist, even from top-tier name-brand suppliers like Panasonic.

the same 105 Celsius, 7,000 hours roughly equal to 291 days only. Only under a naive reading of the specs. First, those two specs are inextricably paired. If you drop the temp, the lifetime rises proportionately. The accepted rule of thumb is that lifetime is expected to double for every 10ºC drop ...

I split the topic because what you wrote was what's in this thread's title, "hap ax" not "cap ax". (I copy-pasted it without change.) I therefore considered it a distinct topic, not "the same problem" as is often claimed. Instead of bumping that topic again without addi...

There is no product called a "hap ax". What exists: hAP ax lite and its LTE sister ; hAP ax² ; and hAP ax³ Which one do you mean? I'm going to guess one of the two "lite" versions, because that gives a simple solution: there is no 5GHz radio inside them at all. Check the specs on...

Yes, this now I believe.

@dmconde, you might want to read my guide on the default configuration. It was that way on purpose. Dropping that rule was not a good idea.

Even if we posit an ISP modem/antenna/whatever uplink that gets powered by the ax³, do you really want that to be your lone 2.5 Gbit/sec link? If your ISP download rate is over a gigabit, none of your other ax³ clients can pull more than a gigabit with this arrangement. Until you get 2 of them actin...

The order of these two lines should be switched

No. Ordering is immaterial for rules in different chains.

That's sensible given that there is less clutter in a typical household at the ceiling or near-ceiling wall level. One must then ask, though, what happens if you use the wall mount included with the hAP ax³ to stick it up near ceiling level? I'm tempted to try it For Science! but not that tempted. I...

I'm no expert on VLANs, but as far as I can tell, RouterOS's veth mechanism has no awareness of VLANs. Indeed, we have a nearly-opposite statement in the first caution box in the MACVLAN section of the docs . I presume packets from a VETH arrive at the routing layer untagged, and you could then add ...

Maybe Xfinity follows different policies in different regions?

You don't change any single thing on a nation-scale network all at once. Can't be done.

Nevertheless, I've updated the article to recommend using RA to get the default route first, and only if that fails fall back to DHCPv6.

Put the VETH on the bridge.

I hear you, @mkx, but my guide reports what worked here on the same ISP as the OP's, and it doesn't work as you say it should. I tried it both ways.

If swapping these settings fixes it, it means part of Xfinity's network works the way you think it ought to and the rest doesn't!

You can try accept-router-advertisements=yes. That shouldn't be necessary (or even advisable) on networks where you get the default route from DHCP, so if it works, you'd set add-default-route=no in consequence. One or the other, never both.

No idea; it all looks sensible to me.

The only suggestion I have is to post the static configuration as well, being the output of "/ipv6/export".

It seems like the Bridge Filters also only work if Hardware Offload is turned off. I expect that to depend on the switch model . That table does remind us that there's also the option of switch chip rules . This is even lower-level, and some switch chips put a sharp limit on the number of active ru...

Replacing every switch was not planned. Port isolation isn't a proprietary MikroTik technology. Your existing switches may support it. as soon as i enable hardware offload on the Bridge-Ports the IP filter rules will not working anymore. Yes, which is why I referred you to the bridge packet filter ...

I'm not sure about "instead". The old v1 protocol's reservation remains "deprecated" in the IANA IPv6 Special-Purpose Address Registry , so if traffic arrives at my router using an address from that space, continuing to treat it as "bad_ipv6" sounds right to me. Given t...

I find a Linux VM helpful, as it simplifies the networking without needing you to reconfigure the host stack each time. I’ve posted detailed instructions for that, including a tip that might solve your current problem under Windows.

The last time I tried UPX in a container, I ran into compatibility errors when doing cross-CPU testing like running the ARM version on x86_64 under Docker, which uses QEMU under the hood. This container does the opposite, running x86_64 netinstall on ARM under QEMU, but is that double emulation when...

You didn’t install container.npk.

Port isolation works at the port level, as you should've been able to guess from the name, so no, a 9-port router isn't going to be able to isolate 100+ hosts. A cascade like this might work, though: https://tangentsoft.com/mikrotik/doc/trunk/images/crs-fanout.pikchr?popup If you enable port isolati...

On the "Mikrotik-Firewall" all Interfaces are in a Bridge…I want…Linux1 & Linux2 are not able to connect to each other. These two choices are in conflict. The primary and original point of bridging is to create a single broadcast domain, where all hosts can see each other. There are o...

But when I run the last step in "/interface bridge mlag" to create mlag it shows the message: "not hw offloaded". The answer is in the first caution box on the documentation page you linked to: "The MLAG is not compatible with L3 hardware offloading. When using MLAG, the L3...

I noticed strange behaviours adding a static entry for the veth on the ARP list (I then understood this is because after every reboot it changes the MAC), adding a static entry on the DNS for its IP If you want to keep static DHCP assignments of IPs for that switch, another option is to disable the...

Try this.

What you have now is likely the Quick Set version discussed at the end, but I have yet to be talked out of preferring my version, described in the bulk of the article's text.

The important thing to realize is that "bridge" in this context is another way of saying "Ethernet switch", and there's no reason for a host plugged into the walk-up ether3 port to see hosts down the ether2 leg, nor vice versa. Contrast the singular bridge in this configuration, ...

You might need to add a drawing to this thread, because one of us is confused, maybe both. There's nothing stopping you from putting multiple DHCP clients and servers on a CRS310. As best I can discern from your prose description, you can get everything you want by putting a DHCP client directly on ...

Exactly as in my post #4 above : leave them off the bridge (singular) entirely. The only reason to bridge them together at all is if the hosts visible thru ether2 and ether3 have to intercommunicate through this switch. If instead those hosts do nothing other than talk to the switch, they don't need...

/interface bridge add name=MGMT_BRIDGE add name=WAN_BRIDGE This risks a huge performance hit. The CRS310 is among the majority of devices that supports only one hardware-offloaded bridge per switch chip. By configuring two bridges, you're giving RouterOS freedom to offload the ether2+ether3 bridge ...

It's your most popular repo on Docker Hub, with 306 pulls. Those stats aren't unique users, but clearly someone cares about what you've produced.

For a single parameter: /container add remote-image=tangentsoft/speedtest-cli:latest \ interface=veth1 cmd="--json" logging=yes For multiple parameters, RouterOS' container feature won't break arguments up by spaces, and there is no shell inside to do the work for us, so you have to rebuil...

Then I see version 7.5 (netinstall version used for this container ?) Yup. The container hasn't been updated since September 2022 . One must wonder if @semaja2 is even among us any more. 07:07:26 container,info,debug /entrypoint.sh: line 8: [: /app/images/routeros-7.15beta6-mipsbe.npk: binary opera...

This is what I meant about there being no shell to premasticate the command line for you. For containers that don't pass CMD or ENTRYPOINT through a shell, this gets sent as a single string to the container's entrypoint. This container does happen to pass things through a shell, specifically via its...

Yes, I did inadvertently leave off the TCP qualifier. WebFig, WinBox, and SSH are all TCP-only protocols. If that's all that's listening on the router, that's all you need to block. But maybe you want something more generic like this: /interface bridge filter add action=drop chain=input in-interface...

Why do we add the <my_prefex>::1 IPv6 address on the bridge interface Without it, the only LAN-side IPv6 addresses you'd have are of the link-local sort, which aren't routable. If you list your interfaces' IPs, you'll find a bunch of fe80:: stuff ; that's fine for host-to-host comms on the LAN, but...

Yes, that's much cleaner now. The main thing I'd suggest after this is to get rid of the interface lists, which aren't carrying any weight in your new configuration: /interface bridge add igmp-snooping=yes name=bridge vlan-filtering=yes /interface bonding add comment="proxmox link aggregate eth...

It's probably best if someone — ideally, @semaja2; I have no desire to take over this container's maintenance — rebuilt this container along the glob pattern scheme I suggest, since ROS 7 does seem to be increasingly broken back up again. Of my several MT devices here at home, half run with at least...

Unlike Docker, RouterOS’ container feature doesn’t have a shell to preinterpret the command line, breaking it up by spaces, modulo quoting rules and such. You’re going to need to rebuild the container from source, which then lets you pass the list of NPKs as an array. Alternately, the container coul...

Is it possible to use ENV in mikrotik container solution to bypass parameters to the speedtest-call in your container. With ENV? No, but I don’t see any reason it has to be done that particular way. Note the split between ENTRYPOINT and CMD in the Dockerfile . That’s on purpose; it lets you keep EN...

Windows defaults to UTF-16 as its internal representation but has strong support for working with UTF-8 in addition to the legacy CP-1252 and similar encodings. All true, but irrelevant in this thread's context, where we're talking about file names, because they are always encoded as UTF-16 on NTFS...

Windows…utilize UTF-8 It's actually UTF-16 , but the real issue is that it has far more special characters than any other OS, primarily owing to its ancestry, its path scheme being a mongrel mashup of CP/M, Unix, and LAN Manager rules. Most POSIX flavors have only two special characters: slash and ...

Vim, too, for the last 3 years.

Instead of bridge filtering to keep the routers from chatting across the shared broadcast domain, port isolation might be a better plan: /interface ethernet switch port-isolation set ether4 forwarding-override=sfp-sfpplus1 set ether5 forwarding-override=sfp-sfpplus1 set ether6 forwarding-override=sf...

It's my first mikrotik (hAP ax3) and I'm a little saturated with so much information. And so you invite more input? 🫨 Metcalfe help you! I can't ping from PC to mobile Presuming you could before — it's common enough for "client" type devices/OSes to block pings — then I would guess it's b...

What you failed to point out to the OP is that ports 4-8 would entail 5 WANs and 5 routers You're missing the point of my configuration, then. It puts the fiber modem and the four downstream routers into a single broadcast domain on purpose . Each router broadcasts a DHCP request, the fiber modem f...

using basic math if you have four routers you need four ports 4,5,6,7 [ including port 8 would make 5 there tangent ;-) I have no idea what point you're trying to make, anav. I didn't use the word "four" in either of my replies above, and I don't see anything that can be counted to 4 but ...

This forum is a user-to-user channel. If you want a direct-to-MikroTik support channel, it's here.

"console" is RouterOS-speak for any command you can type at the CLI. This includes your backup commands, but also scripting, etc.

There aren't any hidden "modes" here. Every variable behavior in a RouterOS device is configurable. If your switch behaves like a router, it is because you told it to do that. I think you can get your expressed intent with as little as this: /interface bridge add admin-mac=[REMOVED] auto-m...

It's best to post your new configuration whole rather than simply report that it's "fixed" by some standard, so we don't have to mentally integrate my partially-mistargeted advice with your prior configuration. It lets us start from the same basis point again. In the meantime, I suggest th...

How does one cope with a failed unit…?

Like this.

You don't have to use my backup system to get practical use out of its documented advice. Take both text and binary backups, supplement the text backup as necessary, etc.

At some point, the switch is somehow changed from switch mode to router mode Magically? All by itself? No. The CRS310 is not a great router even within its limitations, and certainly not at the speeds implied by "fiber". It is, by far, best used as a smart switch. I think what you want is...

I'm just starting my journey with networking and also Mikrotik :) Welcome! /ip firewall mangle add action=mark-packet…passthrough=no I know next to nothing about load-balancing trickery, but that seems very wrong to me. Stopping the packet after marking it drops it on the floor. Surely you want it ...

Which router models are we talking about, specifically? There are no reported improvements to health monitoring on the 6.x line in the .9 and .10 releases you have yet to install, but there have been some in the 7.x line that would not necessarily have been backported. Are you concerned with the var...

I'm far from the best to help you with your stated HW offload and VLAN issues, but I have to post anyway about several problems in your configuration, on the basis that despite being unable to help with your immediate concerns, I can't help but wonder if clearing some of them up will incidentally im...

These guesses about ISP filtering are testable. The easiest is to check the clients behind the router to see if they’re also losing time synch when pointed at their default NTP pools, not the router as their sync point. On Linux, “ntpdate -q pool.ntp.org” tests that on a one-shot basis. The OP claim...

Sure, it will run, but it destroys the admin’s hand-assigned static reservations. If they’re wrong, they need to be fixed by hand, not destroyed.

That’s why I didn’t write an unqualified “[find]”.

Give this a try.

Posted via IPv6 over Xfinity thru a MikroTik router.

There are three IPv4 blocks set aside for examples.

I've heard of these Ethernet PHrY things. Yours appears to be based on SET technology…smoke-emitting transformer.

WiFi 6, lightweight, touchscreen, works well with linux, very long battery life, and cheap enough that I don't worry of it being stolen or damaged. Sounds like a mid-range Chromebook. Mine manages to push 180 Mbit/sec to the Internet through the ax³ from a few rooms away. It's a 2021 model, so one ...

/ip/dhcp-server/lease/remove [find where dynamic]

Bewm! Badness-be-gone.

One of the reasons I suggested using an /export command instead of /print is that it suppresses sensitive info like your WiFi password by default. I've edited that out of your postings above, but you can't count on us moderators to backstop you like that every single time. Other than local details l...

I repeat: show your configuration. At minimum, the output of: /interface/wifi/export For comparison, here's a boiled-down version of my ax³ config, which gets me near a gigabit right on top of the router with an ax client, and 200-300 Mbit/sec a few rooms away. /interface wifi configuration add chan...

Maybe the bad leases persisted through reboots? Sure; the RouterOS DHCP server does indeed remember what it assigned previously, so that persistent clients can keep getting the same assignments as long as they keep renewing their leases on time. I just didn't think it would reapply prior bad config...

I tried using 2.4 GHz Unlike ax, ac isn't defined for both 2.4 and 5GHz. You would have fallen down to "n" at best. If it fell down to "g" instead, that would explain your speeds. Assuming both radios are using the same SSID, I'd try turning on FT mode on them both, giving the l...

the current IP of ether1 What does that actually mean to you? In the standard RouterOS configurations, ether1 is often a WAN uplink, placed into the "WAN" interface list, giving you little need to specify a particular IP. Is there a good reason you can't simply say something like in-inter...

Berkeley Packet Filter…user-land network drivers and libraries. While BPF may have started out as a helper for tcpdump, it was to offload packet filtering to the kernel, to limit the number of transitions to userspace to only those packets deemed "interesting," determined by your tcpdump ...

While the Quick Set menu showed the system was properly updated, the terminal (/system routerboard print) did not.. There are two parts to the upgrade: OS and firmware. There’s a setting that auto-updates the firmware after a successful OS upgrade, but you must still do the second reboot manually.

It’s “set”, not “edit”.

It sounds like you’re running on the same stale DHCP config on the switch, from before you fixed things. Presuming you don’t want to wait out the bad DHCP lease, you can restart the switch.

It will work for the same reason your laptop now works.

/interface list add name=WAN You can drop that. Nothing refers to it. /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik You can get rid of that flotsam by upgrading to 7.13+. /ip dns set allow-remote-requests=yes You aren't running a DNS server on the switc...

So wrap the call to the Windows player GUI in a script that sends the SSH "wake" call to the router first. If you're worried about handing out SSH logins to allow this, you can put the call into a *.rsc file and set the dont-require-permissions flag on it, so read-only users can call it. M...

Okay, new solution: use Home Assistant to react to a TV "power-on" event and send the WoL packet/SSH call from there. How exactly you go about that depends on the type(s) of displays involved, what type of set-back boxes you've got running, whether there's an active CEC link you can tap in...

You might think that WoL is a unicast protocol given the MAC address, but it's not; it's based on a subnet-directed broadcast packet. It has to work that way because it can't rely on ARP mappings, the FDB, etc. That much is true inside network B, but even more so in network A, where it couldn't see ...

RS232 levels (which is 5V)

±3-15. The -3 to +3V band is invalid.

Right here.

hAP ax3, iPhone can connect to both 2.4ghz and 5ghz, but doesn't get any access to the internet.

My iPhone connects to the Internet through my ax³ just fine. Post your sanitized configuration /export in a "code" block. You've almost certainly got something configured improperly.

It works here, but only once I got DNS properly configured. You don't say which local DNS server you're using, but since the only on-topic one here would be RouterOS's built-in offering, the configuration needs to look like this: /ip dns static add address=10.10.64.7 name=switch00.mylocaldomain.com ...

I watched multiple videos on youtube, to include https://www.youtube.com/@mikrotik

The first search result for "CHR" from that page brings up this video, where Normunds speaks of the same limitation 30 seconds in.

WOW... sarcasm so soon. Read my reply again. Is it correct? Would you not have been sure of the answer had you properly skimmed the single most relevant documentation page to your problem? Yes, you would. Did my answer point you directly to the section you would have found had you done that? Yes, i...

I'm not sure If the Mikrotik VM is intentionally 'throttled'

You would be sure if you’d taken the time to skim the docs before posting. You’ve plainly got a “free” license installed. 128kByte = 1Mbit.

You’ve got enough to take to tech support now. All the due diligence done, all the diagnostic data needed taken.

Let us know what they say, will ya?

Do I need a separate piece of software to run this tool from cmd in windows? With the binaries having gone missing on Dropbox in the decade (!) since this thread was last active, you'd have to build this C# program from the sources on GitHub, or find someone to do it for you. Personally, I wouldn't...

As I said, it's supposed to slew, not jump instantaneously. If it jumps forward by a big amount, it's bad. If it jumps backward by any amount, it's extra-bad.

Yes, and the docs tell you that it repeats that lookup each time it tries to sync with SNTP on ROS v6 when you set it via server-dns-names. This is what allows it to be evergreen; as public NTP servers come and go, the round-robin results of a DNS lookup on that name change accordingly.

I think I did this right... I would have also removed the software ID and MAC addresses as potential PII, but opinions differ on how big a risk that is. /system ntp client set enabled=yes primary-ntp=96.43.63.9 secondary-ntp=129.6.15.32 Those servers time out for me, too. Why not use something like...

I'm wondering if I just don't have something configured correctly.

My visual configuration debugging skills work better than my psychic ones. Post the sanitized output of "/export hide-sensitive" into a "code" block.

That sounds like your ISP is dropping them. Ask. Maybe they have a nearby NTP server they'd prefer you use instead.

"/tool/traceroute" works for IPv6 as well. What do you get with a well-known address like "2606:4700:4700::1111"? (Cloudflare DNS.)

Also, be careful posting public IPs. Are you sure you want to publish the link between this forum account and your VPS's public address?

Why are we talking about "upgrading" to a version from April 2022? There were netwatch improvements in 7.13, 7.12, 7.11, 7.10, 7.9… That's where I gave up searching; there may be more. The broader point is, why are you complaining about an old version of a facility that has received so muc...

Are you certain the NTP server is open to your traffic? Old reliable servers stop providing service from time to time, some ISPs block NTP access to third-party servers to make you use their server instead, etc. Torch the WAN link on port 123 to find out; don't guess, don't assume. Even if you've go...

Two different srcnat rules is weird, and though not likely your immediate culprit, one of the two is unhelpful. Pick one. My bet for your actual problem is having both ether1 and pppoe-out1 in the WAN list, giving your router two paths to the Internet when only one works. Drop ether1 from this list....

/ipv6 address add address=ip::/64 inteface=ether1 advertise=yes Is "inteface" a typo here on the forum, there on the CHR, or both? Secondly, you don't speak of having a peer VPS on the same virtual network at your hosting provider, so who are you "advertising" to? If this virtua...

Since there's no NAT…

There needs to be.

Static IP aliasing works on WiFi interfaces, too.

And I repeat: nothing about this is RouterOS-specific. This is generic Windows networking. The same solution would work with any network equipment, from any vendor. You're off-topic here.

Right here.

I don't need to have DHCP set up on my PC. Then why did you bring it up above? So the best option is to always change ranges No, the best option is to multi-home your PC. Put one IP for each subnet into the computer, on the same interface. If you give it 10.10.10.2, 192.168.66.2, 192.168.64.2, and ...

So how to describe the name? Multihoming in general, IP aliasing when the multiple networks are on a single L2 interface, without something like VLANs or VPNs to split them up at L2. I need to connect using WIFI That has no relevance as long as the WiFi interfaces are on the same bridge as ether1. ...

I need to set multiple static IP for ether1. I doubt it, but without a network diagram, I'm relegated to a position of basing that on past experience with other related problems, not the complete particulars of your actual problem. I work with 4 computers in the network. So I have to constantly cha...

Yes, upgrade that, too.

Think of it like the difference between the OS and UEFI, except in this case, it’s best that they be upgraded in lockstep.

or you'll have to set IPv6 addresses on server-like devices manually.

If you use SLAAC/NDP on the LAN side, won’t these server-like devices get the same v6 address each time?

What's FT?

Fast Transitions, a recently added feature. Disabled by default. “FT” is the tab name in WinBox.

Sure, should work.

Put vlan1 into the WAN interface list.

Try it again; I've added that flag to the command line.

It doesn't demand that here, but perhaps it skips that when it doesn't detect that you are in the EU.

Personal remark: it was a bit hard to understand the password ... :lol: Although I do realize you're joking, I took it as a hint that the PSK example should be clearer that it is an example and not passphrase selection advice to be taken literally. It's there because I don't want the opposite misun...

you put too much emphasis on how much you loathe VLANs It's a few paragraphs in the "motivation" section. It answers the question, "but why don't you do it with VLANs instead?" Now you know why. Consider it a personality quirk, a matter of taste, if that helps you understand me....

But this is only because the wifi2g is a 'slave' interface to the bridge. It kept yelling at me about slave this and slave that, so I gave up and did as you saw. But, as ever when someone assures you the limitation isn't hard-and-fast, it gave me the encouragement I needed to go try again. I've got...

it very much depends on the rest of configuration of the wireless device itself and on overall topology of your network I thought I made it clear in the article that we're talking about a home Internet gateway. That puts it on the border between LAN and WAN, with the intent that traffic originating...

One of several reasons I have yet to replace my non-MikroTik gateway router until this weekend despite being the biggest RouterOS fanboy evar [/b] — like, totally! — is that every guide I've seen on setting up guest/IoT WiFi thus far relies on VLANs, and that's simply a non-starter here. Maybe one d...

I doesn't surprise me at all that my working configuration is contingent on local NAN-scale engineering decisions.

(NAN = nuke-area-network. Smaller than the Internet, bigger than a typical WAN.)

There's a lot of advice floating about the Internet on configuring IPv6 on Xfinity/Comcast networks, but none of it applied 100% to my local situation. I therefore wrote up what worked here with RouterOS 7.14. While I welcome advice from the IPv6 gurus here, do keep in mind that what you see in that...

I think you have to set both, with comma in between.

Indeed; thank you! I've updated the article.

As usual, there's new configuration flotsam in this release. Removal methods for the ones affecting this release begin here , but I'm stuck on one: /interface sstp-server server set ciphers=aes256-sha That can take only one other value, but setting it to aes256-gcm-sha384 doesn't make the line go aw...

used a static DNS entry for time.nist.gov and time.windows.com to point to my local NTP server. Hope that is the way to go

Ick. Set ntp-server in the DHCP server’s network configuration instead. Any reasonable network stack will obey that in preference to its default.

I just wanted to know if MT is willing to publish the *container.npk*, if not then there is no point in trying to do anything as was said in some posts before. I don't see a reason to be that black-and-white about it. All we need at this early stage is a pledge from MT that once someone produces a ...

TILE CPUs are no longer manufactured True, but your customers have bought them, and some number of them still work. I believe the motivation behind this thread is that some subset of these customers want to stretch their useful lifetimes by using them as container runners. (For what it's worth, I d...

AFAIK such tools does not exist I outlined all the details for this above. The QEMU emulator for tilegx exists, but is bitrotted; it could be resurrected. A port of Clang to tilegx exists and probably works fine as-is, once built. With those two, one could then cross-compile the Linux distro needed...

If the tools described above existed, you could cross-compile anything. Your own PiHole example, for starters. In case anyone is confused on this point, I'm in support of this idea in principle. My primary question is simply, who's going to do all the work needed to make it happen, given all of what...

As I said in the beginning.. Chicken-Egg... I don't buy that analogy. If that were the case, no one could ever bootstrap a new CPU architecture. Bootstrapping proceeds in small steps. It's a lot of work — enough that there have been entire companies founded on doing that type of work — but there is...

Without it there is no reason to put in the effort. The reasons are independent of the existence of a TILE build of container.npk. I predict that if you take your gadfly routine to the QEMU and Alpine project fora and try to get them to include TILE support, you'll get zero traction, regardless of ...

They could build container.npk for TILE today, and it would still not get you containers on TILE. Maybe, but without it, it CAN'T happen. The same argument applies to QEMU TILE support and the requisite base container image needed to bootstrap the first practical image. Why is MT to blame for not p...

I am still disappointed in the decision. What I am trying to get across to you is that it isn't MikroTik's decision . They could build container.npk for TILE today, and it would still not get you containers on TILE. Mikrotik pulled support for containers for the Tile architecture.. "Pulled?&qu...

No one is going to undertake that for that maybe eventually. Then this "no one" is going to get exactly what they deserve: nothing. MT's incentive to do all that work is zero. If you don't show MT that it can be done, they won't take the final step of building container.npk on TILE for yo...

Oh, and one more minor detail: you'd also need to provide at least one container base image for TILE, without which you wouldn't have the TILE compiler and library binaries for QEMU to run during the OCI image build steps. Note, for example, that Alpine — a very popular container runtime base — is n...

Why/what would I need to propose? You'd need to get TILE support into QEMU, then get the Linux kernel's binfmt feature to recognize TILE binaries and send them down to QEMU for CPU emulation. This is how cross-compilation works under both Docker's BuildKit and Red Hat's Podman, at the least. QEMU d...

I want to run Docker on my CCR1036 Correction: you want to run OCI containers on your CCR1xxx. The tooling produced by Docker, Inc can produce and consume OCI images, but OCI is not "Docker", and Docker isn't the only way to produce these OCI images. This is not a pointlessly niggly disti...

With no Tile systems being able to run docker Building OCI images does not require Docker Engine to run on the target CPU. BuildKit allows cross-compiling from any supported host, provided you've installed the CPU emulators using the instructions linked from my prior post. My point is, the set of a...

Do you have a TILE build chain to create the OCI images? If I would have it I would not ask the question, would I? You've missed the point of my Socratic hint. What I wanted you to think about and realize is that even had MikroTik waved a magic wand and caused container support to appear in the TIL...

The default configuration isn't a bad place to start. Links from there into the docs are there for a reason. (Hint.)

2.I tried with In. Interface making it pppoe3-out but nothing happens like literally no packets sent

Then the packets aren't coming in over the pppoe3-out interface. Stop focusing on this port forwarding side issue and debug the main issue.

wait wdym? I'm getting confused with the multiple configs posted here. It doesn't help that I was replying on a phone, making it difficult to tell which one is active at the moment. Sorry for adding more smoke than light. All I can figure now is that what I take to be the current version of the dst...

Do you have a TILE build chain to create the OCI images?

“to-addresses=192.168.88.24“ needs to reference your PPPoE address, not your internal LAN IP.

Or, reference the interface, not the IP.

You skipped the ACL tab, where you can set a broadcast rate limit.

Beware that if you’re using the auto-mac feature on that bridge, the container’s random MAC may get chosen when you do this. That in turn may break static DHCP assignment of the router’s IP, etc.

It sounds like you’ve got enough evidence to take to MT support.

I'm somewhat dismayed at your assumption that I wasn't trying when you had no idea. You're right, I assumed, but I did it out of protective reflex. There are scars backing it. It's based in a phenomenon often seen on technical forums (not just this one) where people throw out question after questio...

Both IGMP and PIM-SM are IP-based protocols, so yes, I do expect that having no IP on the second switch is a problem.

Search found 1436 matches