MikroTik

BrateloSlava

As far as I can see from the documentation:

Features not yet supported

echo mode

enabling BFD for ip route gateways

authentication

BrateloSlava

You, at least, wrote a model of the switch and drew some kind of diagram, of what you want to get.

BrateloSlava

Why not remove, for example, Mesh from the ROS for ARM?
Surely it will be possible to gain a little in the size of the image.

BrateloSlava

Perhaps, this will help you. Read about VRRP.
Links:

BrateloSlava

Good afternoon. Today, when trying to update one hAP ac2 from 7.13.5 to 7.14, I received this out of memory error. Screenshot_log_error.png After which I conducted two experiments with installing ROS via Netinstall. Two packages are installed on the router: - routeros-7.14-arm.npk - wifi-qcom-ac-7.1...

BrateloSlava

Try force closing the application and clearing its cache. ROS 7.11.2 has long been archived.

BrateloSlava

*) wifi-qcom - improved memory allocating process;

Is this update only for wifi-qcom or also for wifi-qcom-ac?

BrateloSlava

You would not need this kind of "complex queue tree" when using CAKE queue (with diffserv).

I confess honestly. All my attempts to adjust this CAKE queue - only resulted, that the speed test is dropping by half. Even in the same simple configuration (one WAN interface and local bridge).

BrateloSlava

pls not! this qos script is not meant for fqcodel/cake.

Are you sure about this? Because my version of this script works great. In 10 places exactly.

BrateloSlava

@vanadiel
Read this - FastTrack-Friendly QoS Script

BrateloSlava

1. I don’t have hAP ax3, so I’m copying the example settings from the only place, where one hAP ac3 is installed. The majority - have long switched to several WiFi points and CAPsMAN. Or for products from other manufacturers. 2. When you, like me in some places, have a very noisy airwaves (more than...

BrateloSlava

Explain: do devices disconnect from the 5 GHz network and connect to the 2.4 GHz network? Or are they completely disconnected from the WiFi network?

Show the logs, please.

BrateloSlava

I copied similar data from one of the routers. Try it by analogy. Currently 6 Apple devices (2 laptops and 4 phones) are connected to the network and are functioning normally. [admin@rt-oleg] > /interface/wifi/actual-configuration/print 0 name="wifi1" l2mtu=1560 mac-address=2C:C8:1B:XX:XX:...

BrateloSlava

About WiFi and Sonoff devices. I have 15 relays that control the heaters. For Sonoff I had to organize a separate WiFi network with a separate controller. In order to separate the “slow” Sonoff from other devices - laptops and phones. For Sonoff I use a controller on the "wireless" package...

BrateloSlava

I compared my settings on my working router with yours. Everything is set up the same way. The only thing is that I have one more line of settings:

/ipv6 settings set accept-router-advertisements=yes max-neighbor-entries=2048

And my firewall rules are different from yours.

BrateloSlava

@ abbio90 1. For firewall settings, use the recommendations in the official documentation . At least in the basic version. 2. Show the output of such a command from your main router. Do not specify any additional parameters in this command. ping 2606:4700:4700::1001 count=5 3. Show the output of suc...

BrateloSlava

good morning, today they are assigning me another subnet in order to avoid the overlap encountered. Question, but can I divide the /64 that I have as a pool to advertise towards the LAN into two /96 pools, one towards the LAN bridge and one towards an ether other than the bridge? Using a calculator...

BrateloSlava

To be honest, I have not seen configurations in which the WAN interface advertises addresses to the local network.

BrateloSlava

Error 1. Your messages indicate either different addresses or incorrect ones. 2. If you are given a pool 2a0d:b287:ec00:52b4::/64 , then the address for your interface that goes to the provider cannot be 2a0d:b287:ec00:52b4::1 Because this address already belongs to your pool. You can assign addres...

BrateloSlava

as already mentioned the address assigned by the provider is

If all the data is known, substitute it into the commands, that I wrote earlier.
And check.

BrateloSlava

In the meantime, thank you for your valuable response. I'm not an IPv6 expert. In any case, I was given an indication of the /64 assigned and which gateway it is. At this point the doubt remains as to which subnet to indicate in the IP address and whether I should take the address from the pool or ...

BrateloSlava

just curious, does "/ipv6/neighbor/print" show anything reachable?

To whom is your question addressed?

BrateloSlava

Where do you get this /48 prefix from? You were given a network with the /64 prefix. And to which interface are you trying to assign an address? Here is an example of the settings, how it was done for me where the range of addresses was given to me manually. WAN address and gateway /ipv6 address add...

BrateloSlava

@ abbio90 You are confusing something with the addresses. Network /48 is 2001:abcd:abcd::/48 The address range of this network is from 2001:abcd:abcd:0:0:0:0:0 to 2001:abcd:abcd:ffff:ffff:ffff:ffff:ffff The /48 network contains 65536 /64 networks When setting up a router, the WAN interface address i...

BrateloSlava

After full restart of all caps "busy" went away. All good for now.

Unfortunately, rebooting “fixes” the problem only partially - temporarily. And when she next appears is not clear.

BrateloSlava

A "busy" error occurs spontaneously when connecting wireless points to the controller. There is no dependence. I'm returning to beta1.

BrateloSlava

There is no WiFi network after the update. Screenshot from the controller.
Operation is restored after two reboots of the wireless points and the controller.

BrateloSlava

@iustin @Simonej
As already written earlier, VLAN support is only through bridge ports.

BrateloSlava

Trying to understand how 802.11ac CAP device interfaces should be configured now...

So far I have not encountered any problems with this (create-dynamic-enabled) configuration.

BrateloSlava

Thanks, but still no success! If we consider the configuration that Santi70 published, I would also change this for “old” devices: add band=2ghz-ax disabled=no frequency=2462 name=channel11x width=20mhz to add band=2ghz-n disabled=no frequency=2462 name=channel11x width=20mhz Because it uses exactl...

BrateloSlava

/interface wifi security add authentication-types=wpa2-psk,wpa3-psk disabled=no management-protection=allowed name=secWPA3 wps=disable Try to changed to /interface wifi security add authentication-types=wpa-psk,wpa2-psk disabled=no management-protection=allowed name=secWPA3 wps=disable to support y...

BrateloSlava

somehow sad and pathetic this has to be told to people (or even those who refer to themselfes as network engineers) We put together a test version and made a mistake. There are always two ways to solve a problem: simple and difficult. Difficult - we take everything back and take each device somewhe...

BrateloSlava

One day this will be resolved, but not in Winbox 3.x Currently, through the standard means of checking the firmware version in the selected update channel, it is only possible to “upgrade” the firmware version. For devices with a small amount of internal memory, for example hAP ac2, there is no opt...

BrateloSlava

We have managed to reproduce the memory leak introduced in beta2 release. We will fix it as soon as possible. It is caused by opened WinBox sessions. The memory leak on beta2 is not only due to connections via Winbox. Even simple monitoring through Dude also causes leaks. According to my observatio...

BrateloSlava

For mixed CAPSMAN setups (qcom-ac and qcom), does it matter which package is installed on the CAPSMAN? For now I kept my RB4011 on 7.12/wifiwave2, but I cannot get VLAN-s working on hap ac2 and wap ac and I can't even connect to the same SSID that works without problems on the hap ax2 with the same...

BrateloSlava

On the wireless→wifi (wave2) migration, did anyone write a guide? Or is the recommendation to rebuild from scratch, and look at all the settings? (I understand the limitations for ac devices/VLANs and datapath changes. I'm asking in general, what should one pay attention to when migrating.) Did you...

BrateloSlava

Good afternoon. I set up a test network at home on 7.13. The CAPsMAN controller was installed on RB750Gr3, access points - cAP ac, wAP ac. Configurations were exported using the command " export compact terse show-sensitive file " Access points: /interface wifi channel add band=2ghz-n disa...

BrateloSlava

Please, pay attention, for example, to this:
Clean old UPnP rules
How to remove all UPNP NAT rule using script?
UPnP NAT Entry Timeout?

BrateloSlava

As for me, the first option that comes to mind is to try to organize, for example, a separate Wi-Fi network for access to smart home devices. You buy a device that can be a Wi-Fi access point, connect it with a cable to the smart home network. Set up a Wi-Fi network on this device. Clients of this w...

BrateloSlava

It seems to me that this question does not belong to this forum. You should read this and ask similar questions here.

BrateloSlava

How this can be adjusted for 2 bridges - one for homelan and another one for guestlan? Especially for options when you have several WAN or LAN interfaces, or when you use a VLAN, I slightly modified the original script. For example, when using VLAN, it is necessary to mark packets on VLAN interface...

BrateloSlava

For my needs, I modified the script, which is posted in the first message. The new option adds the described rule to the firewall and allows multiple incoming and outgoing interfaces. Separate setting of speed limits is also possible. The work of the script with IPv6 is not changed and works, IMHO, ...

BrateloSlava

Quick question if i wanted to prioritize SIP and RTP packets, 5060,5061 udp and 10000-20000 udp up to prioity 1 what would be the best approach to this? For example, you can insert packet marking rules for the desired ports and place these rules before the ones, that this script sets. Screenshot_Ru...

BrateloSlava

Did you decide to reset because the router stopped booting normally? That is, after turning on the power, did the router blink its lights and reboot itself?

BrateloSlava

Please explain, what is the meaning of such a MTU replacement? The final (home) users will still be 1500. For example, to install 9000 on the server, NAS and switch, through which you will do backup, I still understand. And just change on all devices - I don’t understand what the point is.

BrateloSlava

I understand correctly, that all these devices have the same ROS and firmware version? You have almost a classic scheme for this switch. As in the example . It is not clear, why everything works fine for you with CRS112-8P-4S and does not work with CRS112-8G-4S. I have CRS112-8P-4S and it copes with...

BrateloSlava

Remove the link, its detected as a threat and shuts the browser down cold.

Link 2 - original source

BrateloSlava

It is possible, that this service is already known to the users of this forum. I found it by accident. Free and paid check of your DDOS protection. With free checks, my home router (hAP ax3) coped well. But, after several checks in a row, my ISP disconnected me for 20 minutes. "Protected" ...

BrateloSlava

It not blocks traffic based on invalid TCP, UDP, whatever - it blocks traffic from e.g. known bad hosts automatically. Also it does deep inspection and stops any malicous traffic which you in general would allow on a firewall level - e.g. TCP/443 for you webserver. If a bad bot would like to try so...

BrateloSlava

SELKS is an IDS/IPS while T-Pot is a Honeypot I still don't understand why this is necessary. How to block "extra" traffic with built-in tools is well done here - How to ***really*** block invalid ICMP, TCP, UDP packets and others + this . And no additional resources are needed for Debian...

BrateloSlava

And what are the differences from the already finished "set" - T-Pot

BrateloSlava

It turns out that this is not a "bug", but a "feature".

I chose the name, hop - and it itself changed to another.

BrateloSlava

I would like to continue this topic - Not Kiev, it's Kyiv . The topic was closed, but the issue has not been fully resolved. Set the "correct" time zone name before.png We perform the following sequence of actions: Uncheck "Time Zone Autodetect" Press "Apply" Check &quo...

BrateloSlava

9 cAP ac. Only two of them have 10% free space. The rest - from 5% to 8%. There are no user files in the memory of access points.
3 hAP ac2. Everyone has similar problems with free space.

On all devices, version 7.5 was installed via netinstall, then the usual update.

BrateloSlava

I have like this:

/ip dns static add forward-to=172.22.1.3 regexp=".*duos\\.loc" type=FWD
/ip dns static add forward-to=172.22.1.2 regexp=".*duos\\.loc" type=FWD

BrateloSlava

I have a couple dozen devices with 16MB of memory - cAP ac, wAP ac, hAP ac2. When I tried to upgrade from 7.6 to 7.7, I noticed that there was no free space. Example: system/resource/print uptime: 37m26s version: 7.6 (stable) build-time: Oct/17/2022 10:55:40 factory-software: 6.45.9 free-memory: 53....

BrateloSlava

Try reading this section. The question about the speed of the wireless network is on every page.

BrateloSlava

I understand correctly? Will the new wireless drivers (and the new capsman) only be compatible with the new wifi 6 hardware? And in the future there will be two "branches" of ROS - for wifi 6 devices and for the "rest of the old"?

BrateloSlava

If you dont matter the big antennas on hAP AX3 i think is a good idea

Given that the ax2 model may have problems with heat dissipation and because of this, the processor frequency in this model is reduced - I would recommend the ax3 model. which has no such problems.

BrateloSlava

If you have such an opportunity to create everything from scratch, I recommend abandoning the idea of using a router with built-in wifi. And use only wireless access points. And put the rest of the network equipment somewhere in a separate place. And, if possible, use another manufacturer as a sup...

BrateloSlava

I'd set that option to default (which is "add-arp=no") and see if it helps. Bingo! A completely unexpected result. Many thanks to @ mkx for the tip. I use "ARP reply-only" in some places, so I use the "Add ARP For Leases" setting in the DHCP server. This option has nev...

BrateloSlava

@ Ca6ko As I wrote earlier, in the case when all access points are connected to one router or one switch, there are no problems. The problem arises when there is a cascade of switches. Moreover, this chain of switches has branchings. And somewhere in these chains, access points are connected. A wire...

BrateloSlava

@ mkx I assembled a "small and simple network" at home according to scheme #3. Before that, everything worked for me according to scheme #1. The access points were directly connected to the router, and the rest of the devices worked through the CRS326 switch. hAP ac3 (172.22.99.254) as rou...

BrateloSlava

@ zett93 Show me, please, full text configuration of your AP. Without serial numbers and etc. With bridge and VLANs info. And a question along the way. When you enable "local forwarding" mode for access points, do wireless clients not get IP addresses from DHCP server? @ mkx Most likely I ...

BrateloSlava

As far as I know, such devices are VERY critical to the quality of the cable and its length.

H!fiber 10G SFP+ RJ45

BrateloSlava

There are several options for placing access points on the network.
Schematically, I displayed them in this figure.
In option #3, the "local forwarding" mode didn't work for me anywhere.

netdiag-lan-and-wifi-ap.png

An example of option #3 is a building with several floors.

BrateloSlava

Also write the model of the optical module you have installed.

BrateloSlava

Screenshot_lte.png

BrateloSlava

Have you tried making any changes that can be found through the search?

BrateloSlava

Firstly. Make a backup before making changes. Stop CAPsMAN. Remove all wireless interface names from existing bridges. On the router itself and on the access point. Further. The CAPsMAN configuration, that you have set up, does not have a description of the parameters for frequencies in the 2.4 and ...

BrateloSlava

Information about this scan

BrateloSlava

Show your current settings in text format. Export them and remove all confidential information from the resulting file. The task has a simple solution if you have two "white" IP addresses at home and on the remote side. In this case, organize two EOIP channels and combine them into boundin...

BrateloSlava

Read - AP Controller (CAPsMAN)

BrateloSlava

If you receive an address from the 192.168.100.0 subnet, is the global network available? Or rather, not even so. See, what gateway address your router is getting on the 192.168.100.0 network. I understand, that this address will be available only if there is no access to the global network. Therefo...

BrateloSlava

I can’t say how it is for anyone, but the use of "local forwarding" normally works for me only on "simple" network building schemes. In the case. when access points are "scattered" over the network and located behind several switches, everything works much easier, if th...

BrateloSlava

If you draw a diagram of your network, indicate which router interfaces are responsible for what, what subnets, vlans you have, etc. In this case, we can help you here. To study Cisco configuration - is not in this forum.

BrateloSlava

Take a look at the official documentation - Load Balancing

BrateloSlava

Manual:Simple CAPsMAN setup

For security reasons specify on which interfaces to listen to CAPs
Code: Select all
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge

BrateloSlava

Example for first router (ROS 6.x): /interface list add name=WAN /interface list add name=LAN /interface list member add interface=ether1 list=WAN /interface list member add interface=ether2 list=WAN /interface list member add interface=bridge1 list=LAN ### ISP1 /ip address add address=10.10.10.2/24...

BrateloSlava

It is not difficult for me to write a ready-made configuration for you. However, I suggest you try to figure it out. An example request for a search server - https://www.google.com/search?q=router+with+two+isp+connections+mikrotik&oq=router+with+two+isp+connections+mikrotik Or - https://www.goog...

BrateloSlava

The general rule for a firewall - at the beginning we describe allowing rules. And at the end - the rules for blocking all chains. There are a lot of extra rules that are associated with DNS traffic. You just need to block incoming traffic on the right ports from the WAN. It is necessary to try to ...

BrateloSlava

New User Pathway To Config Success

I think, that if you carefully read what is stated in this topic ... Many questions will disappear.

P.S.
As for me, I would solve your problem through traffic marking.

BrateloSlava

Quick follow up q before I look at this. This still doesn't explain the high CPU usage? What in the current config is so wrong that it causes this? And in what way is it wrong? I'm not sure exactly what you want to achieve from this switch. :lol: Low CPU load + maximum performance is only possible ...

BrateloSlava

If you need to route traffic from one network to another, then a switch is not the best choice. You just need a router. /interface list add name=LAN /interface list add name=WAN /interface vlan add comment="*** VLAN132 ***" interface=sfp-sfpplus24 name=vlan132 vlan-id=132 /ip address add a...

BrateloSlava

I looked at your configuration from the first post. It has errors. For example, you have enabled VLAN as a port in a bridge.

Draw a diagram of how you would like the network to work and how you would like to configure your switch.

BrateloSlava

I have 2 routers ...

Make an export of the current configuration. In text format. Remove all private information from there. And post it here.

BrateloSlava

But to enable the offloading in the current setup did not help.

Show

/interface/bridge/port/print

Look - Layer2 misconfiguration

Bridges on a single switch chip

BrateloSlava

is beeter to use a single bridge IMHO, one bridge is not the "best" solution. This is - the "only" solution. Only in single bridge mode will hardware offloading start working. This CPU has poor performance for such tasks, so the entire load must be handled by the switching chip....

BrateloSlava

IMHO, if the router reboots on its own - it is not in the correct (netinstall) mode. Perhaps - you need to hold down the reset button longer. https://help.mikrotik.com/docs/pages/viewpage.action?pageId=16351533#heading-Buttonsandjumpers Some topics: https://forum.mikrotik.com/viewtopic.php?t=168465 ...

BrateloSlava

"Messed up" the boot order on this (hAP ac2) router. Only Netinstall will help. Just yesterday I had a similar problem with hAP ac3, that arose due to a power failure. Try holding the reset button for 15 seconds until the indicator shows that the router is in netinstall mode. Then - reconn...

BrateloSlava

The problem has a completely normal solution. The load on the central processor did not exceed 25% with uTP traffic of 400 Mbps in one direction. Higher speeds could not be tested due to the limitations of the routers that I used. To test, I assembled the following kit: - Mikrotik hAP ac2 router (mt...

BrateloSlava

... 3) No mistake, the hAP ax2 is clocked lower than hAP ax3, due to better cooling in the larger case of hAP ax3

Thanks for the info

BrateloSlava

Screenshot_compare.png

Is this a mistake in the description or do both of these two routers support automatic CPU frequency change?

BrateloSlava

The question is whether it is worth the effort, i.e. whether management/monitoring of the device via IP is necessary or whether one-time configuration using the serial console is sufficient. @sindy It seems, that the answer to this question becomes fundamental in my problem. :) I'll do some more ex...

BrateloSlava

# sep/30/2022 10:06:24 by RouterOS 6.49.6 # software id = SZII-F003 # # model = CRS112-8P-4S /interface bridge add name=bridge1 protocol-mode=none /interface bridge port add bridge=bridge1 interface=sfp9 /interface bridge port add bridge=bridge1 interface=ether1 /interface bridge port add bridge=br...

BrateloSlava

@tangent Careful observation of the switch showed the fallacy of the solution that I wrote above. Everything works well, the load on the CPU is low. Until you start adding a separate port to manage the switch. That is, as long as I controlled the switch through the console port, everything worked p...

BrateloSlava

@BrateloSlava, what happens to CPU usage if you put that one "/ip firewall connection tracking..." rule back in? @tangent At the moment I have no way to check it. Only - next week. /ip firewall connection tracking set icmp-timeout=30s tcp-close-wait-timeout=1m tcp-established-timeout=1h t...

BrateloSlava

Solution is wrong: # Create new bridge /interface bridge add name=bridge1 protocol-mode=none /interface bridge port add bridge=bridge1 interface=sfp9 hw=yes /interface bridge port add bridge=bridge1 interface=ether1 hw=yes /interface bridge port add bridge=bridge1 interface=sfp10 hw=yes /interface ...

BrateloSlava

Currently, I have found CRS106-1C-5S - a certain analogue of my office switch (CRS112-8P-4S) and I am doing experiments on it. I make all settings through the console port. Some observations: I would like to note that, immediately after a "clean" installation of ROS via Netinstall, the CPU...

BrateloSlava

So maybe try the same first - disconnect the ISP-related ports and try to download an upgrade file using /tool fetch url=https://download.mikrotik.com/routeros/7.5/routeros-7.5-mipsbe.npk using the management bridge, watching the CPU load during the process. Some problem - free internal memory Scre...

BrateloSlava

... press the D key to take a snapshot. And then post three subsequent snapshots for each bridge. @sindy New rule /interface bridge filter add action=passthrough chain=input disabled=yes dst-mac-address=01:00:00:00:00:00/01:00:00:00:00:00 in-bridge=bridge-Maxnet add action=passthrough chain=input d...

BrateloSlava

@rextended
The documentation for this switch (CRS1xx/2xx series switches) has an ACL rules section. Is it possible that using these rules it is necessary to filter traffic between ports? Allow forwarding what you want and discard the rest.

BrateloSlava

@BrateloSlava , instead of running /tool sniffer , it is probably more useful to add the following bridge filter rules: interface bridge filter add chain=input in-bridge=bridge-name dst-mac-address=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff action=passthrough interface bridge filter add chain=input in-bri...

BrateloSlava

/interface ethernet switch port-isolation set ether1 forwarding-override=sfp9 set sfp9 forwarding-override=ether1 set ether2 forwarding-override=ether3,sfp10 set ether3 forwarding-override=ether2,sfp10 set sfp10 forwarding-override=ether2,ether3 The main idea is clear. Although these port isolation...

BrateloSlava

Why use two cable to connect same ISP on RB4011??? Probably the problem is also on other side that the cable are on loop.... Why another cable to connect back the RB4011??? 4 cable for do the work of two???... Two providers. The first - provides one IP address, the second - two. Two addresses - for...

BrateloSlava

The results of the experiments are negative. Note 1 : I strongly recommend, that you have a console cable for recovery at hand, when experimenting with setting up switch chips. Current (initial) configuration: 3 bridges. The first is provider 1 (2 ports), the second is provider 2 (3 ports), the thi...

BrateloSlava

Why not use wireguard

Most likely because, for many, it is easier to configure L2TP / SSTP

BrateloSlava

Why is the word EoIP in the title of the topic?
Make an export in text format settings. Remove private information from the file and post it here.

BrateloSlava

... What I don't like about the setup is that STP is permitted on the bridge - depending on how paranoid the ISP admins are, you may or may not break their own spanning tree topology by making your CRS a root bridge. So I'd rather disable it on the bridge(s) completely. The current config file look...

BrateloSlava

It's your device, it's your problem ... I'm not going to argue with you.

I didn't mean that your answer is a mistake. I meant that ROS 7.5 contains a bug.

BrateloSlava

Screenshot_HO.png

It is possible, that this is a mistake.

BrateloSlava

The connection diagram looks like this: two optical connections to two Internet providers are connected to the SFP9 and SFP10 ports of the CRS112-8P-4S switch CRS112-8P-4S has two bridges - SFP9+Ether1=Bridge-ISP1, SFP10+Ether2+Ether3=Bridge-ISP2 _Office.png That is, CRS112-8P-4S is used as a media ...

BrateloSlava

The solution looks very simple. Thank you so much.

BrateloSlava

There is a list of DNS names of routers, that are considered trusted. The list name is AllowedIP . The list is filled with DNS names because the provider allocates dynamic IP addresses. DNS names of this list = IP -> Cloud -> DNS Name. There is a dynamic list of IP addresses, that are temporarily bl...

BrateloSlava

*) capsman - added randomized range option for "reselect-interval" parameter (CLI only);

Example, please.

BrateloSlava

Is it possible to modify the script by adding a check, that the blocked IP address is not in the exclusion list? I will answer myself. It is enough to slightly change this line: :if ([:len [/ip fire addr find where list=IPSEC address=$logIp]] < 1) do={ To this: :if ([:len [/ip fire addr find where ...

BrateloSlava

In a highly simplified form, the network diagram looks like this: net-diag.jpg All routers have their own local networks. "Main" routers have 3 Internet connections. All routers build 2 VPN connections for redundancy. The third Internet connections of the "main" routers perform s...

BrateloSlava

Install a DHCP server. Create a range of IP addresses, that can access the Internet. Bind the IP address to the MAC of the device, that connects and receives the address.

BrateloSlava

You will be able to block something only, when you learn to distinguish between devices. For example, allocate a separate range of IP addresses for phones. And for this range already perform some kind of blocking. But you will not be able to determine in any way, which application from this device i...

BrateloSlava

Export the settings in the text format of your router. Delete all private information. Post it here on the forum. In code tags.

BrateloSlava

In the 7th version, the name of the interface most often does not need to be specified.
Do you have similar settings on both sides of the vpn tunnel?

BrateloSlava

Export the router settings in text format, delete all private information and put it here in code tags. Without this, no one can help you. Just in case, I'll show you how I did it. Until I understand, this is what you need or not. /ip dns set allow-remote-requests=yes cache-max-ttl=5m max-concurrent...

BrateloSlava

Changes in OSPF settings, that occurred during the transition from version 6 to version 7, have been discussed on the forum several times already. I recommend deleting your current settings and doing the following: /routing id add disabled=no id=172.22.99.254 name=id-slava select-dynamic-id="&q...

BrateloSlava

I recommend you take a look at this

BrateloSlava

Which vendor did u decide to go? Just curious

The equipment is a bit of a different price range. Producer - Ruckus Wireless.

BrateloSlava

There is no difference in settings for VLAN filtering at the bridge level. In your case, another switch chip model will not affect. The only thing is, that there is no Wi-Fi on the new router, so the settings will need to be changed a little.

BrateloSlava

Is it possible to modify the script by adding a check, that the blocked IP address is not in the exclusion list? There are several trusted routers, that are interconnected via IPIP(EOIP)+IpSec. Periodically, a situation arises, when the connections between these routers are interrupted and the proce...

BrateloSlava

I don't like default settings, so I would set it all up in a few steps. This is the base option. After verifying that everything is working as expected, you should optimize the WiFi channel selection and tweak the firewall rules a bit. Everything, that I wrote below, is given only as a general guide...

BrateloSlava

For a correct configuration, it is necessary to block the possibility of building a tunnel not from "your" interface. About route. Try to change, like this example: /ip route add check-gateway=ping disabled=no distance=50 dst-address=0.0.0.0/0 gateway=IP_of_GW1 routing-table=route-WAN-1 /i...

BrateloSlava

Am I understanding your settings correctly? 1. Office 1 has two internet connections. They are configured as a primary and a backup. Office 2 has one internet connection. 2. The main internet connection in Office 1 is not, for some reason, able to establish a VPN connection to Office 2. 3. You are t...

BrateloSlava

Question remains: will it work with capsman ? Given, that now the WAVE2 package is only for devices with 256 MB of RAM. Most likely some new version of CAPsMAN will appear. With support exclusively for new devices. For example - Wi-Fi 6 is only for devices with 1GB of RAM. And only for such devices...

BrateloSlava

I am waiting for wifi6 from MT, then will learn capsman.

It should have been a long time ago to write what you need.

hAP AX2 (WiFi 6)

BrateloSlava

I have discovered the problem, it will only communicate with gigabit ports on other devices ...

Apparently this module does not work with all devices. I tried to connect it to my old switch - Allied Telesis GS950/16. The result is negative. 1000X SFP Ports

BrateloSlava

About the use of VLAN in general. The implementation of VLAN on switch chips makes sense only on "real" switches. CRS type. Where hardware offloading really gives noticeable results. For home conditions, as well as for small offices - it makes no sense. Wi-Fi modules are not connected to s...

BrateloSlava

I also became interested. And I decided to turn it off.

Config:

[removed]

Where is the mistake?
Attempts to disable one at a time or all at once - the result is the same.

BrateloSlava

What does your question have to do with the problems of the devices of this manufacturer? Or to the difficulties with setting it up.

BrateloSlava

For example, Tesla is "very picky" about Wi-Fi in the parking space.

BrateloSlava

Yes, pure talker about nothing.

BrateloSlava

Is the router case sealed with a warranty seal or what?

BrateloSlava

If we already talk about performance, IMHO, you should solve the problem - VLAN via switch chips. I have significantly reduced the CPU load on the switches after such a transition. Currently, my device workflow is very similar to this - Manual:CRS1xx/2xx VLANs with Trunks . 2 gigabit channels to the...

BrateloSlava

https://www.youtube.com/watch?v=2etvgm8Yfjg

BrateloSlava

... So back to my prior point... "It doesn't matter what it costs, if it doesn't work!" ...

The story you describe is certainly interesting. Another supplier ... I asked you to answer - what other (not MT or UniF) supplier of Wi-Fi equipment do you specifically recommend.

BrateloSlava

Why would you pay that much more for the router board to run that crap you could put on a cloud key for less??? At this time, for most installations, I don't plan to purchase anything other, than the RB5009UG+S+IN. Therefore, why not try connecting a USB flash drive. And don't try run a container o...

BrateloSlava

I don't see a rule, that allows access to the INPUT chain from your Wireguard interface.

;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN

BrateloSlava

It's annoying they are adding features like docker containers while still not fixing wifi issues.

A very useful thing for me for a future project of a new network is a Unifi Controller in a container on MT router.

BrateloSlava

/interface bridge vlan
add bridge=bridge tagged="bridge,ether24_opnsense2,ether23_opnsense1,ether21_SynoBond1,sfp-sfpplus3_proxmox,sfp-sfpplus1_wifi" untagged=ether2_nosbox,\
ether3_IPMI-edgebox,ether1_edgebox vlan-ids=10

Some errors. ether21_SynoBond1 is a part of Syno_Bond

BrateloSlava

I have two "places" that have almost the same number of Wi-Fi points. In both "places" there are external and internal access points. Option from Ubiquiti - it's set up once and forgot. But the version from MT - is associated with a constant "struggle". IMHO.

BrateloSlava

Sometimes. a big problem is to deal with the settings that are made through QuickSet. I don't like, it when I don't understand how it works. Or how it doesn't work. So, let's look at the configuration file. /interface bridge name=bridge vlan-filtering=yes We have a bridge, on which filtering is per...

BrateloSlava

I don't think so...

Please, write the name of the interface (port in the switch), that connects this switch to the router. That is, which port is uplinked.

BrateloSlava

Maybe I'm wrong, but you may add "bridge" interface as "tagged". As example: /interface bridge vlan add bridge=bridge1 tagged=bridge1,ether1 untagged=ether2 vlan-ids=19 One more thing. As far as I understand, you connect some ports with MTU 9000. IMHO, you need to increase L2MTU ...

BrateloSlava

Does the ping command pass from the office network to the internal address of this server? Routing between local subnets of office and shop works? Let's assume, that the internal address of this server is 192.168.88.80. In this case, you need something like this on the router in the office: /ip fire...

BrateloSlava

But how to update it ?

https://wiki.mikrotik.com/wiki/Manual:I ... re_upgrade

BrateloSlava

It is unlikely, that anyone will be able to help you with anything, if you do not publish a backup copy of your switch settings in text form. By removing all non-public information from this backup.

BrateloSlava

Nope, I've tried this already. This example shows 3 tagged VLANs via ether2 and I would need both tagged and untagged traffic. Can't get this to work...

Apparently I don't understand something.

Isn't that what you need?

Screenshot_hybrid.png

BrateloSlava

This does not answer the question. Show me which link shows how to pass both untagged and tagged traffic?

Maybe this - https://wiki.mikrotik.com/wiki/Manual:S ... rid_Ports)

BrateloSlava

If everything works for you when connected by wire, then routes, etc. configured correctly. Check the operation of the radio part. 1. "Client isolation" is set to OFF on LTU Rocket? 2. Ping from MIkrotik "C" to LTU Rocket (from 192.168.1.252 to 192.168.1.254, as I understand) suc...

BrateloSlava

2. what is wrong with country, what is it correct to set? 3. What is superchannel, how to set correctly? :) 4. How do i find supported LTE channels? Try to set the settings like mine. Only in them you should change the country to "your own", etc. My mobile operator is Kyivstar. This is ho...

BrateloSlava

/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik This ( wpa-psk ) is probably not needed. My "basic" settings for WiFi on this AP is: /interface wireless set [ find default-name=wlan1 ] adap...

BrateloSlava

I haven't done performance testing of the OVPN since the addition of hardware acceleration in version 7.2. However, prior to the release of this version, OVPN showed very poor performance results. You can find the practical results for this router when using other VPN protocols in the topic WireGuar...

BrateloSlava

Ohh... I see something on that picture...

Yes, I confess...

I use it wherever I can. Therefore, I did not hide it, because there is an effect.

BrateloSlava

IMHO, any attempt at such port remapping is pointless. The new port number is determined very quickly and the penetration attempt continues. It is highly recommended to use VPN to access internal network resources.

BrateloSlava

Before do that, ask your provider if block already same IPs

On the routers, that I "look after", I definitely see the point in cutting off the excess.

Screenshot_RAW.png

BrateloSlava

@mkx, @chechito and @anav
Do I understand correctly, that you do not recommend using separate blocking rules for lists of IP addresses, which can be obtained, for example, here - https://github.com/firehol/blocklist-ipsets/.
For home routers.

BrateloSlava

Use RAW. Example:

/ip firewall raw add action=drop chain=prerouting in-interface-list=WAN src-address-list=blacklist

You can try reducing the list. https://tehnoblog.org/ip-tools/ip-address-aggregator/

As for me:

Screenshot_blacklisr_size.png

BrateloSlava

Please, show

/interface wireguard peers add allowed-address=

Server:
Allowed Address - here you should specify 0.0.0.0/0.
Client
AllowedIPs = 0.0.0.0/0

BrateloSlava

Please, post your latest config /export wihout any public IP and serial numbers, and passwords information.

BrateloSlava

Have you tried google searching for the phrase "mikrotik sstp site to site vpn"?

BrateloSlava

Do you want to get a ready-made configuration for the router? Without doing any work yourself?

BrateloSlava

@JoshDi It seems to me, that incoming and outgoing filters should be used only when fine-tuning is necessary. Therefore, in most cases, I refused this option: /routing filter rule add chain=ospf-out comment="redistribute default route - never, redistribute static routes - as type 1" disabl...

BrateloSlava

Very High Density 802.11ac Networks Validated Reference Design ...

A very expensive and very high performance solution to the problem of multiple WiFi connections.

BrateloSlava

As for me

/routing id add disabled=no id=172.22.1.254 name=id-tp select-dynamic-id=""
/routing ospf instance add disabled=no name=rt-tp originate-default=never redistribute=static router-id=id-tp

BrateloSlava

... If you have a 50m × 50m place it's not really that big, but 2000 users on 50m × 50m are too many...
Not even the best competitor can cover everything for 2000 users with a single device...

There is some kind of prison.

BrateloSlava

So how about IPSec? Have you tried that? From what I can see 2011 doesn't support hardware acceleration. Presumably it would be even worse for CPU usage than WireGuard.

2011 + IPSec

Screenshot-2011-ipsec-speed-10-12_mbit-cpu-83-percent.png

BrateloSlava

... It somewhat works if you stick with ROS6 + fasttrack, but that's about it.

It copes well with the switch + access point function in the 2.4 range.

BrateloSlava

I will say right away - 2011 and WireGuard = a big problem even with constant traffic of 10-15 Mbps. CPU usage is high. Screenshot_2011-wireguard.png Screenshot_2011-ipip-no-ipsec.png "Gradually" I'm changing the "outdated" 2011 to 4011, hAP ac2 and hAP ac3 in the offices. All of...

BrateloSlava

can you provide me with an example please? Example: /ip route add check-gateway=arp disabled=no distance=80 dst-address=0.0.0.0/0 gateway=1.1.1.254 /ip route add check-gateway=arp disabled=no distance=80 dst-address=0.0.0.0/0 gateway=2.2.2.254 /ip route add check-gateway=arp disabled=no distance=80...

BrateloSlava

The problem is that there are not enough access points for even coverage... Thanks for the answer. It looks like, you and I live in the same city. :lol: About my problems with WiFi, office and voice calls via messenger. As I wrote earlier - problems are exclusively with audio calls through instant ...

BrateloSlava

At home I have 2 access points:cAP AC and wAP AC LTE6 Kit. And there are no noticeable problems. The signal strength of 2.4 GHz is 5 points lower than that of 5 GHz. Problems are observed in the office. The configuration of the rooms does not allow optimal placement of access points there. Employees...

BrateloSlava

I'm wondering... Will the thread starter try to achieve 100+ Mbps under ideal conditions? No walls between rooms, etc.?

BrateloSlava

To be honest, it is useless to fight with the means of ROS against attempts to penetrate through redirected ports. IMHO, of course. I forced everyone to use VPN via L2TP / SSTP / ... Otherwise, all the protection work turned into hell. After connecting to a VPN, users, depending on their VPN profile...

BrateloSlava

It's really simple... Thank you.

BrateloSlava

I'm curious.. How does it "break" ospf? Does adjacency drop? Or just all OSPF routes disappear?

Special for you.

Before.png

After.png

BrateloSlava

There are several networks, that are connected via L2TP/SSTP/IPIP/etc. OSPF configured. ROS 7.3.1 Everything is fine. Some routers redistribute their static routes. Question : how can I set up filtering of these advertised routes on some routers? For example: there is a router R1 that redistributes ...

BrateloSlava

Not needed, IMO

Screenshot_hEX.png

BrateloSlava

I used the instructions L3 Hardware Offloading for my CRS326-24G-2S+. ROS 7.3.1 After saving the configuration data in text form ( /export compact terse show-sensitive file=xxx ) , there is no information in the file about l3hw on all switch ports. Only data about switch: /interface ethernet switch ...

BrateloSlava

Today I updated my CRS326-24G-2S+ to 7.3.1. Something wrong?

Info from site:

Screenshot_site.png

Info from WinBox:

Screenshot_winbox.png

BrateloSlava

Dude has the ability to specify a "parent" for the current device. With centralized management, it is necessary to check the entire chain of "parents" before rebooting during an update. So, that there is no situation, when the "parent" has already downloaded the update ...

BrateloSlava

Good afternoon!
Just now I noticed, that the display of the CPU frequency is "lost" after update.

Screenshot_4011.png

BrateloSlava

How I upgraded my devices , which have 16 MB of internal memory , from version 6 to version 7. For example, cAP ac, hAP ac2 and etc. Made a backup. Text and binary. Disabled/stopped WiFi interfaces. Removed ALL packages from the device except these: dhcp, security and system. Updated to version 7 in...

BrateloSlava

However, one problem remained. Host A (172.22.31.254, ROS 6.49.5). Host B (172.22.99.254, ROS 7.1.5). Ping from A to B - working. But ping from B to A - not. I will answer myself . :D Given, that on devices with version 6.49.5, I use the PTMP type - changing for devices with version 7.1.5 to PTMP B...

BrateloSlava

"redistribute=..." overrides filter decision now so try to unset that. Working. Thanks. However, one problem remained. Host A (172.22.31.254, ROS 6.49.5). Host B (172.22.99.254, ROS 7.1.5). Ping from A to B - working. But ping from B to A - not. I repeat, that everything worked before upd...

BrateloSlava

In my opinion, something broke in this (7.1.5) update. In version 7.1.3 this configuration worked correctly for me. /routing id add disabled=no id=172.22.99.254 name=id-slava select-dynamic-id="" /routing ospf instance add name=rt-slava out-filter-chain=ospf-out redistribute=connected rout...

BrateloSlava

OSPF stopped working after upgrading from 7.1.3 to 7.1.5 By analyzing the text configuration, it was found that one line was "lost" on update. Like this. /routing id add disabled=no id=172.22.99.254 name=id-slava select-dynamic-id="" Therefore, the required parameter (router-id) ...

BrateloSlava

Does the computer from which the attempts are made have any configured vpn connections?

BrateloSlava

RB951Ui-2HnD
Strange problem. I'm try to disable some service ports.

Screenshot_udplite.png

Screenshot_sctp.png

Screenshot_dccp.png

BrateloSlava

strods

BrateloSlava - What do you mean by "CPU speed"? Do you refer to CPU usage under SYstem/Resources menu?

I talk about this: System->RouterBOARD->Settings->CPU freq (missing on 4011, after update)

BrateloSlava

RB4011iGS+. Cpu speed not showing after update from 7.1.2 to 7.1.3.
Other my device:

RBD53iG-5HacD2HnD (hAP ac3)

RB951G-2HnD

RB2011UiAS

RB2011UiAS-2HnD

RBcAPGi-5acD2nD (cAP ac)

RBD52G-5HacD2HnD (hAP ac2)

RB951Ui-2HnD

RB750Gr3 (hEX)

CCR1016-12G

RB3011UiAS-RM

look good after update

BrateloSlava

The tests are interesting. But how to set up those who have CAPsMAN?

BrateloSlava

Today employees brought me two RB2011UiAS-2HnD-INs from branches, which do not boot after updating to 6.49. Moreover, the packages update itself was successful, and the firmware update led to a crash. Previous version - 6.47.9. Recovery attempts were unsuccessful. The router is determined by the net...

BrateloSlava

I decided to experiment and created several rules for the indicators. How can I delete them now?
From GUI - not work, from command line - not work.

Search found 203 matches