MikroTik

woland

Hi! Using a single CAP AX here, no CAPSMAN. 2 SSIDs on both radios into different VLANs. Upgraded from 7.12.2 directly to 7.14.2. Which went surprisingly well (previous attempt to 7.14.0 resulted in netinstall to 7.12.2). Performance is great, now even the farthest corner of my flat is perfectly cov...

woland

What's new in 7.15beta6 (2024-Mar-08 08:23):
*) sfp - improved system stability for CR2004-1G-2XS-PCIe (introduced in v7.14);

woland

Hi! I was experimenting with such a card, but my plan was to use it with FreeBSD, which has never worked. I did test however after my failed attempts with Proxmox, but that was sthg like a year ago, so with maybe ROS 7.4-7.8. It worked on Proxmox without any issue, however I did not really needed in...

woland

Yeah, if it works, it´s easy. But sometimes it just doesn´t.
The issue is: I don´t know exactly why it does not work sometimes. I have to play around and waste time. That is frustrating.

woland

Same experience here: some chinese SFP 10GT just don´t work, but some others are much better& cheaper than the MT SFP 10GTs. I would add, that wherever I can I use DACs or optical MM 10G interfaces. They are cheaper , use less power and make less troubles than 10G-T. I have the same combo CRS305...

woland

Hi, maybe this: https://www.servethehome.com/the-everything-fanless-home-server-firewall-router-and-nas-appliance-qotom-qnap-teamgroup/ I did not test any however! Thanks to Chinese manufacturers, there are many more, you can find good reviews on STH. Especially the N305 CPU based ones look interest...

woland

I agree, it´s not. But this is not my problem. I did many netinstalls and most have worked. What I don´t like is: why isn´t netinstall always working? Why did my windows netinstall start only partially ? (I have seen the process and when I tried to start it again, it told me, that there is an instan...

woland

It really takes too long....

woland

Hi! It was a netinstall issue after all. Yesterday I tried to netinstall the CRS305 via 3 different PCs. 2 of them Linux, one Windows. I have no clue why netinstall-cli or netinstall with Wine did not work on Linux, it has worked many times previously. Yesterday after starting netinstall on Windows,...

woland

Hi, after upgrading my beloved CRS305 from 7.13.3 to 7.14 I can´t connect to it any more. There were no additional packages on the switch and the config was also quite simple (just a few VLANS & basic management access) -When powering on, the sequence is: -The power led is on, then all interface...

woland

I have an CRS309-1G-8S+ and I also have some 10Gtek 10G DACs and some other random 10GBaseT modules. I have never experienced this issue, but I was always running ROS and not SwOS. This switch has so many great features and a relatively powerful CPU, you should give ROS a try.

woland

A heads up @moodnasser and others: Besides the voltage, temperature, capacitance there is the tan(delta) also called Dissipation Factor, which is often not (never?) specified in the descriptions on Aliexpress. This factor shows is an indicator of the losses on the capacitance. This is especially imp...

woland

Sorry, off topic, but in support of @Rextended and @Anav: they have invested incredible amounts of time and energy into this forum. Yes their tone is sometimes harsh, but the value they have created for MT should be very much appreciated by MT! The reason why I havent given up on MT devices is these...

woland

I am using HEXPoE for a bunch of Omada EAP670 APs and an OC200 controller. Of course I had to replace the original PSU by the 48V PSU. (MT 48POW) The devices are 802.3at and not af, but af support should work. So no, the HEXPoe is a great piece of HW. Of course the datasheet must be considered: Max ...

woland

I am. Therefore your statement is false.
Me too. 😁

I do OSPF on my router for fun, at home, but I still dont have anything except a static default route on my CAPs...
And I believe statistics with 99.9% still isn´t wrong if we include you both.

woland

Agree, it should be possible to store packages on any external storage, BUT this is not enough as it does not help for WAPacs or CAPacs, which have no SD slots/USB. On my WAPac r3 with 7.14b7 only ~400 KiB are left from 15.3MB. :( So still need some more modularization. For example: probably 99.9% o...

woland

https://www.virustotal.com/gui/ip-addre ... /community
Known, reported for scanning and trying a Zyxel exploit... There are millions of similar compromised IPs scanning.
Enjoy: https://cybermap.kaspersky.com/

woland

Hi! I hope someone from MT is aware of this issue. I´d like to add, that my WAPac (ARM Version, RBwAPG-5HacD2HnD, r3) is also affected. After upgrading to 7.14b4 516 KiB are left from 15.3MB . Only routeros and wifi-qcom-ac are installed. Everything is working until now, but I don´t know for how lon...

woland

Yeah, I was all high hopes about the 7.13, and it worked, but it simply did not like my sons laptop. Still considering to maybe try 7.14b4, I just have read the relnotes. Only after downloading the backup! :) Anyway I have a working WIFI now and my sons will be back soon, so I might wait with the ne...

woland

I have downloaded the PCAP from br0, and opened it with Wireshark, but of course there is nothing special in there. I guess my only two options are to open a ticket with MT support or to wait for the next 7.13.1/7.14rc28 release then. Special thanks to @holvoethn responses to my extensive posts! Sti...

woland

Here comes some more fun: The uplink trunk interface on the CAPax does not see the ICMP replies until around rule No. 79, where I disable the 5G interface! With no 5GHz Wifi, pings are answered. /tool sniffer set file-limit=10000KiB file-name=capax filter-interface=e1uplink \ filter-ip-protocol=icmp...

woland

Thanks! Yes, actually my rb5009 is doing all the filtering and hangs on a 10G Trunk as a router on a stick. Well all the firewalling on the CAPax is just additional security measures, as I read on the forums a few years ago. (I guess I just worked in IT for too long.) But that should not be the culp...

woland

Hi,
many thanks!
Here it goes:

capax.rsc

Peter

woland

I still prefer to make sure MAC addresses are unique. OK, I see your point, but I can´t find how to set the bridge mac different from the vlan mac? If I change the bridge MAC , the vl9 MAC changes too: 6 R br0 bridge 1500 1568 48:A9:8A:BA:1F:CA 7 R vl9 vlan 1500 1564 48:A9:8A:BA:1F:CA I suppose her...

woland

Thanks @holvoetn! I have set the unique MACs now, also changed the admin MAC of the bridge: [admin@kk-ap1] /interface> print brief Flags: R - RUNNING; S - SLAVE Columns: NAME, TYPE, ACTUAL-MTU, L2MTU, MAX-L2MTU, MAC-ADDRESS # NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS 0 RS e1 ether 1500 1568 9...

woland

Since you have an explicit forward accept rule for list "lfwd" followed by drop on forward, possibly this part ? The missing interfaces ? Thanks, Holvoetn! I don´t think it's relevant, as that list is just used in the IP firewall. The packets are not routed, but only bridged to their VLAN...

woland

this is a mission critical network
[...]
Of course I have no backup of the config.
*cough*

Unfortunately you are right, Sir!

woland

I'm running a similar setup (RB5009+CAPax). I love the RB5009, but don´t expect to run 2,5G Internet + 10G to your NAS. 4-5G throughput is more realistic with some useful firewall, QoS etc, Also if you are considering MT WIFI: it is currently improving, but you have to expect to spend many hours tin...

woland

Hi! Just replaced my old AP by a CAPax and it ran for a few months flawlessly, until I tried an update to 7.13. The wifi had issues with some devices (mainly some cheap Windows laptops with some RTL wifi chipsets) so I decided to roll back to 7.12.1, as this is a mission critical network beeing in t...

woland

I suggest not ignoring this textbox, so that you don´t waste as much time as I did with my Hex PoE first :): https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching#:~:text=On%C2%A0QCA8337,is%20assigned%20to. "On QCA8337 and Atheros8327 switch chips, a default vlan-header=leave-as-is pr...

woland

On one side it will make sure current owners of wap AC have no real incentive anymore to move towards AX. Potential missed sales. On the other hand, since wAP AX is not yet available, it does bridge a gap until the new device is available (are they buying time, perhaps ?). Hi! Partly agree, but as ...

woland

Hi, yes you can, with switch port isolation, there is even a PVLAN chapter in the MT Wiki: https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#:~:text=overcome%20this%20limitation.-,Private%20VLAN,-In%20some%20scenarios But PVLAN is a dirty hack, do yourself a favor, use separate vlans a...

woland

https://mikrotik.com/product/s_ao0005

Thats an AOC. A DAC is Copper.
I also frequently make this error. :)

woland

"Default VLAN ID to assign to client devices connecting to this interface (only relevant to interfaces in AP mode). When a client is assigned a VLAN ID, traffic coming from the client is automatically tagged with the ID and only packets tagged with with this ID are forwarded to the client. Defa...

woland

+1 makes life easier + other vendors have it already

woland

Hmmm, I did not read every post in that thread, but after a quick look: THAT thread is about the benefits of ISIS and there the network engineers do discuss benefits of implementing ISIS. I still never said anything about OSPF being better or ISIS being inferior. In this thread the goal is to discus...

woland

OSPF is a PITA. is-is isn't. OSPF requires operational and configuration overhead when you have 1000 layer 3 devices in a network, to maintain the configuration automation template etc, across IPv4 and IPv6. I did not say, that OSPF is in any way better than ISIS. It is still a fact, that in enterp...

woland

[What makes you think MikroTik listens to customer demand from enterprise? They care more about SOHO market like storage features, bring the home/IoT type features etc. Sorry sir: strictly home user of Mikrotik here! I had my share of enterprise networks, but none of that had anything to do with MT...

woland

If XDP/DPDK is used then x86 is the best choice. XDP does not depend on any special HW: https://www.iovisor.org/technology/xdp All new routerboards have ARM. (OK, there is maybe something I miss, but most of them have ARM.) DPDK: Designed to run on Arm, PowerPC and x86 processors, DPDK runs mostly ...

woland

It says here there is stateful filtering for VPP: https://s3-docs.fd.io/vpp/23.10/usecases/acls.html I don´t know what the general preference is, but what I've experenced is the successor of pfSense: TNSR, which is a damn powerful firewall and it´s based on VPP: https://www.netgate.com/resources/art...

woland

@DarkNate: Replace XDP by VPP and keep DPDK, please! Or use all of them!

)

VyOs just transitioned from XDP to VPP and many other projects use it, to support >10G speeds.
https://wiki.fd.io/view/VPP/What_is_VPP%3F

Still, something should have already be done by MT about IPv6 performance!

woland

I think you should really consider an Omada for great WiFi, but I would say there is no need for a >600$ one like the AXE11000. Omada EAP670 is only AX5400, but that is more than sufficient for a home setup and costs around 150$. It has 2.5G PoE LAN. You can save some bucks with a EAP610 for AX1800,...

woland

I am using multimode 10G and 1G as well with MT equipment with different cheap or old transceivers. It works perfectly with most SFPs. That would eliminate any potential difference (grunding) issues. Though I would try the newest stable or beta ROS or another DAC cable. Don´t forget to update Router...

woland

@mkx No I don´t mean it´s incomprehensible, I mean it´s a lot to process, lot of exceptions. So creating some more recepies and overviews saves time and frustration. Also expands the userbase in the direction of John Does or in the direction of people who generaly don´t want to spend too much time o...

woland

What is wrong with people? MikroTik has a clear, up-to-date, concise documentation piece on basic VLAN configuration for ALL their hardware, how the hell do you get confused with this? https://help.mikrotik.com/docs/display/ ... +switching Let me cite you some sentences with warning signs from the ...

woland

I think MT products are great, but oh boy did I struggle with VLANs on my different MT HW Boxes! It´s no big science, but it is easy to get confused: on your HEX PoE you need completely different config than on your CRS309. Then I have some CAP ACs which again have slightly different needs. My netwo...

woland

Thanks for correcting me ca6ko! Looks like I shouldnt assume something by just looking at it. However, why would connecting to it an external antenna be such a bad idea? If you connect the external antenna by a proper connector, the switch disconnects the internal antenna. As long as you have a prop...

woland

Sorry but actually DSL technology is obsolete. It certainly is not the future, but it is in heavy use in many parts of the world. Not obsolete at all in the EU! :) for my part: I had to go back half a year ago from coax to dsl at home, cause fiber is not available and cable is too overcrowded dsl_c...

woland

https://en.wikipedia.org/wiki/Hirose_U.FL

woland

In my view, the biggest selling point for a new mAP should be a single USB-C connection, which serves as power supply and which is also showing up as a network interface on my laptop. As I use my current mAPlites mainly as mobile devices, capable of extending the range of bad WLAN networks. LTE is n...

woland

I totally agree in one point: using heavily shielded cable makes your life hard. I did not realize it for quite long, but it´s mostly unnecessary at home and you can pull and terminate unshielded cable so much more easily. For corrosion caused by currents: yes that´s a common problem. Epecially for ...

woland

I always thought shielding was to minimize interference sind those copper wires are basically just long antennas.

The real world is mostly more complicated, than we would think at first...
Still shielding is used mainly to minimize interference.

woland

Not really! :) For a direct lightning hit, forget it (also your Cat8 cable will just explode and your AP will burn nicely as well) . In case you have proper lightning protection and potential equalization in your home and the lightning did not hit your AP directly, shielding helps to _some_ extent e...

woland

My main switch at home is a CRS309, but I also use a CRS305 my startegy is to always try to avoid 10G RJ45 ports. First choice is a DAC cable (cheap, low power, but short runs only), second choice is using MM SFPs with fibre. (bit more expensive, but not much, less power than RJ 45 SFP+) . I only us...

woland

yeah well, I've just switched back to a Fortigate 60F from my RB5009 and I'm not looking back.

eur
Yeah, that´s a nice device, but that would cost any end user around 1k EUR with just the basic license.
The RB5009 comes for 25% of that price! Also the 60F has only 1 Gbps ports.

woland

It is exotic in the market for MikroTik devices. Ok, maybe not so much now as it was a couple of years ago, but still most MikroTik users demand OpenVPN or Wireguard, not IPsec. Well, apologies, OpenWRT again :) : https://openwrt.org/docs/guide-user/services/vpn/strongswan/site2site#route-based_vpn...

woland

Openwrt is a free OS, which you may install on many devices produced by many vendors. No one earns money selling it, so it can´t compete with ROS. https://openwrt.org/license Also it´s target userbase is quite different from the ROS users. Apart from all that: I don´t really see any harm for MT in d...

woland

Hi, don´t know exactly why, but the same happens to me if I want Dude to use the admin user.
I read on this forum somewhere to use another user.
I have added another user and the log entries disappeared.

woland

@Larsa: sry, I did not try it yet, I have seen the strange terminology and it made me curious. I think it is the same as the thing called in RFCs EIM NAT (Endpoint-Independent Mapping). AFAIK this is relevant for UDP NAT Traversal (STUN) for SIP (RTP, voice calls). Here is more info: https://wiki.un...

woland

@Larsa: Endpoint-Independent NAT: https://help.mikrotik.com/docs/pages/vi ... pendentNAT

woland

Thanks holvoetn, I have upgraded the firmware every time & I have already done a full reset with no default config- I will do 2 more things: -try running the device on PoE and on the current ROS7 -a netinstall to ros 6 again Then I get my multimeter and soldering iron... If still no success, onl...

woland

Thanks anyway RyanNet! My HAPac3 was tested with 7.9,7.10.2,7.11, but still not throwing it away yet...

woland

Hi! Unfortunately doesn´t seem like a PSU Problem. HAPac3 has shown the same issue with a different PSU.

I will try with the PoE as soon as I get my hands on a PoE adapter or PoE capable device.

woland

Hi, don´t think Metarouter is a good idea today. Latest info I could find: https://wiki.mikrotik.com/wiki/Manual:Metarouter It doesn´t even mention ARM devices, and MT went rather for containers. I tried Metarouter on ROS6 on MIPSBE (HEXpoe), but it was never stable. A somewhat relevant recent threa...

woland

Failing power supplies may test bad without load, ... Thanks Tangent, good idea! I will load the PS for testing. I had in fact already had a bad PSU from MT, which gave the correct voltage w/o the load, but voltage dropped dramatically when loaded. The MT supplied PSUs seem to be quite good, though...

woland

will do! thanks!

woland

thanks! The power supply is the correct one, that´s sure. But I will check the output or I might find another similar one& report back, if that helped. (I wish it will!)

woland

Hi! I got a HAPac3 which stayed unused for more than a year, but it was working OK on ROS 6.x. I got it out from my cupboard a few weeks ago and netinstalled it with ROS 7.9. No config on it, apart from a management IP on a port. It rebooted itself every 3-5mins with a message about kernel failure i...

woland

I have a few HEXs boxes (2 pieces :D), and they are great and versatile and they use very low power. I love them, but they don´t have the performance to be used as the primary router on my 400/200 Mbit Internet connection with CAKE queuing and with a lots of firewall rules. Also they are missing co...

woland

Hi,

no I don´t think that would be enough, try at least a HAP ax2 but rather ax3.

Sorry, looks like I'm in need of new glasses, we are discussing 100Mbps and not 1G.
Forget all I wrote! (except the missing features, but those were mentioned by others)

woland

I am thinking Mikrotik is moving forward to "detach" true L3HW from (software) fasttrack. That's what happened with IPv6. Whatever the benefits once provided, fasttrack sounds like a massive kernel hack... which would not be easy to maintain forever for every device/RouterOS release/kerne...

woland

My Knot came with a DIN Rail mount accessory, I guess it would be easy for MT to provide something like that for some switches. But to cable those ports, would be a nightmare. The ports are on the "wrong" surface!

woland

Hi, I have just started experimenting with a Knot LR8 and I belive that it needs 2 separate Antennas. At least I haven´t found any clues, why would it not be the case. Btw. if using Lora for a larger area, I would suggest replacing one of the HGO-LTE-Ws by a "868_Omni_antenna" instead. Act...

woland

Sorry, but I have just lost the not working USB Stick. I could not find out what the reason was .
I have tried 2 more USB3 Sticks, one being 16G and another one being 64G and both worked with 7.9rc5.
There seems to be no general issue with USB on HAPac3.

Regards

woland

Mi folyik itt Gyöngyösön?!

Hát a Gyöngyös-patak!

woland

bought 15 CSS610-8G-2S+IN without noticing the swos lite thingy ( never heard of it anyway ) and now im forced to use them as dummy switches cuz they dont belong elsewhere Don´t agree: -you might just have read the docs before buying it -the SwOS is minimalistic, but still enables me to use vlans a...

woland

That was MS. Now Google tried it too, without too much success.

woland

Thank you very much @normis!

Looks like MT listens to it´s customers, which I highly appreciate!

woland

Hi, I got my first device with a default psw set: a HAP ax lite. I must say, the default psw is a pain in the a... It´s printed with maybe 2,5mm character height? I had to take a photo and enlarge it to have any chance reading. I am no WISP and don´t have to install hundreds of devices, but MT pleas...

woland

Hi, here are my 2cents: the ETSI regulations are not the (only) reason, they are more about IoT. I think it´s rather the GDPR (Data Protection), which is manadatory in the EU. https://op.europa.eu/en/web/eu-law-in-force/bibliographic-details/-/elif-publication/3e485e15-11bd-11e6-ba9a-01aa75ed71a1 Th...

woland

@optio: thanks!
I don´t think it should be necessary after repartitioning and reformatting (except ROS FS/disk support has some strange bug), but I´ll give it a try if nothing else helps

woland

@mkx: thanks, nice tipp! I will check this, as soon as I get my hands on those devices again (at least a week) , and post here if I can figure out something.

woland

On Linux everything works fine. On ROS, whatever I do with these sticks, they are seen, but they can´t be formatted and don´t appear as a subfolder in the File browser. (I am quite certain I did everything correctly, as the 8G stick did format on ROS and is in use now in the HAP) I bought a bunch of...

woland

thanks optio! So it´s at least not the size, good to know! It´s also not the MBR, as I have tried removing that.
Maybe there is just some peculiarity with this vendor or this particular product.

woland

Hi, are there any known specific requirements, which USB sticks can be used for external storage? I have not found anything in the documentation. I have tried in my HAPac3 some 8G USB3 Sticks, and all worked. Then I tried a couple of 32G USB3 Sticks (all the same model) and none of them were working...

woland

Hi, thanks, mkx! I always kept myself to the general guidance. So I have always left out one SFP+ slot, between the 10GCu SFPs.
Even then my modules got hot enough to have warning messages about overheating SFPs in the logs.
So I did not wait for the summer to come...

woland

Hi, I had up to >90C° SFP+ temperatures in my CRS309-1G-8S+ on different 10G Cu modules. The worst culprits were the MT S+RJ10 modules. I have mostly replaced them by cheap DAC cables, which produce no noticeable heat. The ones I still need, I have equipped with small heatsinks from 3 sides. Between...

woland

Those PWRLine EU devices were great in combination with mAPs for quickly and temporarily solving connection problems. I can take two mAPs on travels, connecting one as a client on a spot with good WIFI access and the other one to somewhere else as an AP. I am still using this setup on the go, to ext...

woland

Hi! I have a CCR2004-1G-2XS-PCIe connected to a Mellanox ConnextX-3 by a cheap 2m DAC cable and that works fine. However I wouldn´t use the 1G to connect to a trunk. While you can perfectly do that and that would work without any restrictions, it´s nice to have a dedicated port. So you don´t cut you...

woland

Surely ikev2 configuration is not using IPSec hardware acceleration. I don´t think that´s right, as IKEv2 is just used for the key exchange. So only the asymmetric part could be affected, but there is no acceleration for that anyway. For AES CBC 256 there is HW acceleration regardless if IKEv1 or I...

woland

Look at the IPSec results:
https://mikrotik.com/product/hex_s#fndtn-testresults

You are also doing some filtering and you on the box, so I think this is what you can get out of a HEXs.

woland

Sorry, but the last netinstall was 7.4, or 7.5 (I can´t remember...) and it can´t be the way to netinstall every new stable version, to eliminate problems we didn´t have with the previous version. Unfortunately I even had to netinstall my RB5009, which is ROS7 only, after upgrading from ROS7.6 to R...

woland

Hi, MS supports certificate auth for p2s connections and the docs are great: https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-cert-linux OP means p2s and not for s2s. Anyway unfortunately I don´t see the reason why OPs config would not work. Probably something about the c...

woland

Thanks for clarifying this, mkx! In my experience, the HExs is capable of wirespeed bridging from the SFP to other ports on the switch. On ROS6 I have tested that, of course there was some CPU load and it did not do anything else like routing or filtering. I have no experience with the same setup on...

woland

Hi, in my (relatively short, but intense :) )experience HEX S & HEX PoE are great for switching. Every installation of me has a HEX PoE as the uplink+power for my APs. Both the HEXs and HEXpoe can reach almost wirespeed on the SFP port as well if I am only doing bridging. With ROS 6.4x they can ...

woland

Just guessing, but I think they had a limited number of ICs, so they have decided to put those they had into the bigger box.

woland

I am not aware of any update/plans. This card is not compatible with BSD unforunately.
BR

woland

Actually the reason was CoVID: the IC could not be sourced any more and the design of the PCB could not be changed. (PCBs take long to get them maufactured, so they can´t be easily replaced to accomodate another IC.) That was probably the reason according to what I read in the forums and what I hear...

woland

I put my WOOBM already away, but I know I have installed the file: woobmfw_211105.bin
That file is still on my laptop...

woland

Do not work on v7, see other topic about that. Thanks, there might be issues, but on my HAPac2 it does work well with v7, just tested it, could connect via WOOBM: [admin@ut-r1] /system/routerboard> print routerboard: yes board-name: hAP ac^2 model: RBD52G-5HacD2HnD serial-number: E5780F4848A2 firmw...

woland

Sure, there is the WOOBM:
https://www.youtube.com/watch?v=2yWrUQ_woKQ

woland

That is not something a generic router can do. You need to buy a special box that has a maintenance contract to provide you with the dynamic information required for that. :) And yet most of ASRs & ISRs of the biggest router vendor support it... search for "SD-WAN Application Intelligence ...

woland

despite being OT but SDWAN does not have anything to do with application detection. Of course it has! The selling point of SDWAN: it can replace great quality leased lines / MPLS by redundant cheap Internet uplinks. To achieve this you want to measure the quality of your cheap links and send import...

woland

I have recently netinstalled my HAPac2 (maybe around the release of 7.4). I have 1,7MB free after the upgrade to 7.8. So a netinstall probably wont help much.

woland

This is a disappointing release as 7.8, should have been 7.7.1. When are we going to see Mikrotik address those critical route/switch features that most enterprises use. Specifically: Yep, couldn´t agree more, I am disappointed by 7.8 as well: people are not waiting for ROS to have perfect storage ...

woland

I used the HAPac2, HAPac3 and also the HEXs and I was able to reach full line speed for normal sized packets like copying files. But that was ROS6 and I have taken care to use fast track, having an efficient ruleset and using the switching chip (not doing software bridging in parallel). For ROS7 I o...

woland

Here you may find the tests: https://mikrotik.com/product/crs305_1g_4s_in#fndtn-testresults For 25 firewall rules with 512k packets, it says ~270Mbps. This value could be considered as real life performance. You might squeeze out more, but only by avoiding features like queuing, not using ipv6, etc....

woland

It´s an article for simple users, who don´t write any scripts, but expect IPv6 to work out of box. In Germany (which is also true for Austrisa and most of Hungary) the major providers will reassign you a new IPv6 prefix at least every night. Don´t know the exact reason why they are doing this, but p...

woland

Same situation here as well. Please don´t ignore BSD compatibility, Mikrotik!
Thanks for the update @herger!

woland

Yeah thanks, I have seen that remark. Also I have seen this: https://help.mikrotik.com/docs/display/ROS/Routing+Protocol+Overview Here in the table ou can see that the line on BFD support is not colored red for v7.7, like for 7.6. I´m not sure if that means anything. Making some noise here on BFD is...

woland

I think a BFD implementation with that functionality can be coded "in a friday afternoon" and I cannot understand why it is a "work in progress" for well over a year now. I can only imagine, there might be some issues with strict timing requirements, but otherwise, it must be qu...

woland

That´s OFF, sorry. Some actually useful posts for Macbook users trying Ubuntu : https://discussions.apple.com/search?q=ubuntu 8) EDIT: @rextended: had to turn my display upside down, before I noticed your "upside down answer", but I agree, ROS 7 has issues. As I am a home scale user of MT ...

woland

Hmmm, The otherwise extremely helpful Anav having a bad day? :) This is a user forum for not only ROS, but for MT devices in general. My opinion about OpenWRT is, that even if MT does not support it, it´s great to have an alternative. Even if I buy an MT for OpenWRT I still bought an MT and that´s g...

woland

i think pe1chl is exactly right here. a BFD implementation in general should be deployed between 2 direct peers to monitor that particular link overall, i don't see a practical use-case for a multihop BFD? https://www.rfc-editor.org/rfc/rfc5880 BFD can provide failure detection on any kind of path ...

woland

Always worked for me. Maybe try a different browser/disable ad blocking/DNS filtering.
BR

woland

... I cannot understand why Cisco had to invent the new nonstandard VTI protocol for something that was already covered (and implemented by them!) before as IPIP over IPsec transport mode (or GRE over IPsec transport mode). The main reason was a few extra byte of MTU, I guess. Also: reduced complex...

woland

I fixed that by exporting the config (remember show-sensitive option), installing the router using netinstall with no config, then connecting via MAC address and uploading and importing the config again.export terse show-sensitive At that time it was also required to re-arrange the config export a ...

woland

@pe1chl: thanks for sharing this, this is really useful to know! As my device got shipped with ROS 7.0.5 I did not do a netinstall yet. But I will give it a try. Given the many bugs resolved since that release, there could have been some issues regarding the config... It's not a flash chip related i...

woland

Hi, I am not entirely sure if I just have some amnesia or doing some sleepwalking, but I have apparently lost some of my config items after upgrading from 7.7rc3 to 7.7rc4. I had a config export script and a GRE tunnel config, which both have worked yesterday. Today those were missing from the confi...

woland

You are right! It´s an omnidirectional antenna.

Anyway, it seems to be much better than the built in ones and it certainly helped in my case.

woland

Hi, I am using the mAnt-LTE-5o, but not for speed boost. In normal weather I can reach the same speeds (limited by subscription at 100MBps) with or without the antenna. For more reliability in bad weather conditions. I had issues with my wAP ac LTE6 kit dropping Internet connection with just the the...

woland

I did see a need to hack a case, becuase my usecase is that of a remote location ("spoke" - meaning the flat of my family) equipped with an X86 OpenSense box, which should have been prepared for 10G interfaces. At the time of the purchase of the MT card it was no big additional cost to pur...

woland

It seems to me, for that case the cards are perfect. You don´t need a host for the cards and you could probably get multi PCIe riser boards in higher quality. Besides I´m sure you could just use any server case, powering the whole thing with a beefy standard server PSU. The missing drivers are not n...

woland

I´m not sure if that was my PicoPSU or the riser. I have measured the outputs of that PicoPSU after the fuse was blown and they were OK. So I rather tend to say, that the riser had issues and the capacitor exploded on it, so I can´t test that any more. I would not use a plastic case, but something o...

woland

I wouldn´t! Here it is how I tried and fried and also repaired it:
viewtopic.php?t=189441

Besides there are no proper cases available.

woland

Hi, I am running at home 2x CAPac (ap2+ap3), daisy chained like this: PC--firewall---switch---hEXpoe--ap2--ap3 There is a hEXs hanging on the switch and running CAPSman, ap2+ap3 are configured with local forwarding. Everything is running ROS 6.49.7. The frequency of the CPUs of the APs is configured...

woland

Hi, Between CSS610, CRS306,CRS309, CCR2004, RB5009 I was using cheap 10G Chinese cables from 10GTek and H!Fibre, from 25cm to 4m. They all worked flawlessly. I used different (recent 6.49>, 7.2>, SWOS2.14) RoS and SWOS versions. Reading the reports about SFP+ issues make me wonder if that was only p...

woland

I hope you do not understand it correctly!

I obviously don´t know this but I would love to have a mix of ax and ac devices configured the same way soon and using just one single CapsMAN.
Everything else would be a mess and I'm afraid in the end it will turn out to be a mess...

woland

Hi, In my world, mostly a HEXpoe (MIPSBE) powers a few CAPs and it is also running the Capsman. It might not make much sense for hundreds of APs, but for small home/small business installations, it does. Of course those setups use local forwarding and HEXpoe is just used as a switch to forward to so...

woland

Hi, I have installations of CapsMAN currently running on MIPS (HEX, HEXs, HEXpoe). In some of those networks, the only ARM devices are the CAPs themselves. It would be a problem to replace the CAPacs by the next generation CAP ax devices with the new Capsman not capable of running on the existing HE...

woland

cap ac xl: I am using a bunch of cap acs, they work for me and their speed is OK for everything I commonly do (you need to invest a lot of time into learning how to set them up correctly), apart from the hap ax2, there is nothing available from MT with ax support, but availability is a big topic for...

woland

Indeed: use Suricata instead, that supports multithreading. BUT: I am running suricata on an Intel desktop CPU 6 cores @3,8 GHz for a cable uplink link with 160MBps. The box has 16G RAM. (That replaced an older 4 core Intel box, which was too slow.) I admit, that runs a lot of other stuff as well, b...

woland

This is the best solution, but it involves a lot of cabling.

woland

Hi, before you buy a hap ac lite: don´t! It only has 100Mb ports, so if you connect it, you will have a bottleneck between the cap ac and the central router. Maybe you could instead go with a hap ax2 instead of the switches and the access points. It has more decent wifi than the cap ac and also 1G p...

woland

Hi! I did not notice the change until reading this post, but on my CRS305, now running 7.7beta4, I have 2 cores as well. This looks similar like on IBM mainframes, more cores can be enabled by SW. Except: IBM will ask you something in reverse.... OR maybe this is the remedy for the unavailable RB500...

woland

@holvoetn nice to know, after the issues with my hap mini on ROS 7 I did not put any efforts in upgrading any other lower end device, but it seems I should have. I love the fact that we could gather some useful info on these not so popular low end devices. I sincerely hope that MT will continue this...

woland

Hi, @pe1chl : thanks for the explanation, I have never noticed these issues, but then, I used these devices for low bw, non real time only (sensors and occasional web surfing). @hecate : good point, I forgot already, but I also did the FW upgrade on every powerline plug I used, that was necessary fo...

woland

https://www.ip-sa.com.pl/advanced_search_result.php?keywords=rb5009&osCsid=3b5d4127946e7e2cbf8d4f3aea3cfee8&x=0&y=0 RB5009UG+S+IN RB5009UG+S+IN Router CPU 4 core 1,4GHz, 1GB RAM, 7x GigE, 1x2,5G Eth, USB, RouterOS L5 pcs/carton: 20 169.43 EUR 1 Buy Now Out of stock Est. delivery: 2022-1...

woland

Thanks jbl42!

woland

Thanks jbl42! ROS 7 is out of question. If it´s not the tx power limit (which afaik can be overridden by the cli anyhow), then what could it be? I think I have to rephrase my question: what´s better in 6.47.9 wifiwise than with 6.49.7 ? pe1chl wrote it, that there was some bug or weakness introduced...

woland

The big difference is that they have only 32MB of RAM, and hence no space for a RAMdisk. Thanks, this explains the issues with the upgrades I had. So that´s one more reason not to go with v7. I was using the latest 6.48.x-6.49.x without any issues, but only for short range, low speed. I have read t...

woland

Well I am not using them as toys, but as low speed and very low power devices, with powerline support. The physical size is unbeatable. Should they get stolen, well I wouldn´t be happy, but I definitely wouldn´t loose any tears. If you netinstall them with the packetized ROS6 and remove unneeded pac...

woland

I am still using 6.49.x in most of my MT devices except on devices, which don´t support 6.x. It´s more stable and it gives you more performance. I also don´t need anything from the newer 7.x features. I have tried 7.x (maybe 7.3) once wth one of my HAP minis and it got very unstable, and also less r...

woland

The plugs do work well enough and stable (no problems for years, except with the ones with the manufacturing defects) for some situations, just don´t expect huge throughput. I have been using them since maybe 2 years for temporary or low traffic connections if no cabling present and it is not worth ...

woland

Hi, I have used a bunch of MT PL7400 (PWR-LINE EU) plugs with HAP mini and MAP lite. I guess HAP lite will work the same. I have use 6.48.x and 6.49.x ROS, they all worked stable on the software side. Beware however out of the 6 PWR-LINE EU plugs I have used, 3 are constantly going down and up. That...

woland

hi markonen! That is unfortunately true. I have proven it by blowing the fuse for the 12V supply... On standby of the host PC, ROS does not run. Even a reboot of the Linux on the PC resets my card and it stays down for a minute so (it boots fast). Maybe you could just use a small and cheap external ...

woland

Hi herger!
Thanks for the info! MT did not respond to my ticket either.
Let´s just say: there is room for some improvement ont the SW side of MT.

W

woland

Hi, if someone is still interested: after a month I again tried to get this strange card running on Opnsense. This time in another machine with a fresh install of Opnsense 22.7.6 and ROS 7.6 on the card itself. No success, but one new piece of the puzzle: the install procedure of the Opnsense hung a...

woland

Hi,
I'm hereby reporting my success in reviving the CCR2004-1G-2XS PCIe card.

After replacing only the fuse which has blown, all is back to normal.
It's hard to get a replacement fuse, except from China, but that meant almost a month of delivery delay.

W

woland

I They know exactly what this means in regards of VLANs. Its not MTs fault, its Apple fault to use mDNS. 1. Yes, mDNS is an "rfc thing" https://www.rfc-editor.org/rfc/rfc6762 (since 2013!) 2. every big vendor has some implementation 3. many people use it and it will probably get more and ...

woland

I hope you know, that like me, most people are just simple MT users here, you (and your friends) should be probably trying to contact MT directly.
Sorry if my suggestions didn´t help much, that´s all I got.
W

woland

Hi, just a few ideas: - I don´t think you should wait for MT support for Shadowsocks, but there are alternatives - you could try also OpenVPN over TCP443, but SSTP might be better - if you have ROS7 on a recent ARM MT device with enough resources, then you can have containers and then you can have a...

woland

I think an RB5009 is a pretty good device for routing 10G. At least I plan to use it for that purpose. According to the tests from MT it´s CPU is even stronger than a CCR2004. CCR2004 only has a higher throughput, because the rb5009 is limited by it´s single 10G port. Look for the 25 rules 1500k pac...

woland

I don´t know if there is someone who bought this as a 25G NIC. I did buy it for playing with an Opnsense+ROS or a Proxmox+ROS combination.
Honestly I am not sure if it works with anything else then Linux properly.

woland

Hi, I think you mean a HX Lite (rb750r2). In such cases OpenWRT is your best source of info: https://openwrt.org/toh/mikrotik/rb750_r2 This is the important bit (part of the Notes section): the bootloader is not initializing the serial PINs so the serial console wont work (until bootloader reflash) ...

woland

Hi, @masterteif: no worries, but thanks! I hold a degree in electrical engineering, so I hopefully should be able to replace that fuse by myself, even if I haven´t done electronics for the last 25 years. :) Also I bought that card basicaly to experiment with it and OpenBSD, which did not work out as...

woland

Hi, thanks for your answers! I have measured the fuse and it gives a very high (around 120kOhm) reading. The FU1 Fuse gives me a Zero reading as a not yet blown one should. I have also measured the 12V Rail (on the inside of the fuse FU2) to COM, there I have almost a MegOhm. I think that's OK, give...

woland

Hi, got a CCR2004-1G-2XS-PCIe with a blown Fuse FU2: mtCRS-PCI-blown-fuse.jpg 2 Could someone help me identify the type of the SMD fuse I need to replace ? The things I know about it: -it's marked with a P, which stands for 3Amps -approx dimensions: 3,4x1,8x0,77 mm (lengthXwidthXheight, I don´t have...

woland

Hi! Good & very bad news! It works in standalone mode and I was able to upgrade the CCR to 7.6beta8 without any issues. Setup: external 12V PSU connected to a PicoPSU 12V 80W, which again connects with a molex 4pin to a PCIe 1X to 16X adapter. The PicoPSU also connects to an ATX breakout board. ...

woland

Hi! No, not yet, the delivery of the PCI Extender was delayed and I "meet" my CCR PCI card only weekends. This extender board has DC-DC downconverters, so it needs only 12V, I can directly cable an external 12V supply. I got some old PSUs, but the reliability is key here. I dont want to le...

woland

Hi, Another way to have PoE: I wanted to have a surge protector, I already had a non PoE switch and found this: https://www.getic.com/product/axon-multi-net-protector-4 That gave me passive PoE, which works like a charm with 3x CAPac + 1x WAPac. The downside is, that you don´t get a power supply, so...

woland

Hi, I happen to have such a card, which I'm unable to use in my Opnsense box (!@!!#). I like the idea using it stand alone. So much so, that I have just purchased a PCIe Riser for Bitcoin mining . :) (There was no PCIe backplane available on Amazon and this is also really cheap for 14EUR.) If it arr...

woland

Hi, I do think, they were confusing NIPS with FIPS... Btw. both NIST releases lots of different standards and FIPS has many different parts. To complicate it: NIST has been working on FIPS. Some vendors comply to FIPS standards, more specifically: https://en.wikipedia.org/wiki/FIPS_140-3 NIST is rat...

woland

Of course you don´t get support from MT for OpenWRT. If that´s an issue, then don´t install OpenWRT.
OpenWRT is a nice alternative for some cases (eg. if you don´t get along well with RoS but have 10 years of Linux experience or something is missing from RoS which you desperately need).

woland

Hi!
ToH (Table of HW) for Openwrt compatible Mikrotik devices:

https://openwrt.org/toh/start?dataflt%5 ... D=Mikrotik

There are 73 devices on this list and lost of them are ARM or MIPS ....

W

Sorry couldn´t stand it...

woland

Do not quote preceding post - use "Post Reply" instead.

Hi! Thanks for the update! So at least there is _some_ hope that in the future something might change.
My ticket SUP-90362 (with Supout and detailed Infos) was successfully ignored.

W

woland

Hi, as a last measure before you throw out your CRS and after you have tried Netinstall: 1. There is a way to save & successfully reinstall your license key. This procedure works for some RB models, and it was documented as a way of going back from an OpenWRT install to ROS. It might work for yo...

woland

Thanks @shaw627 ! Unfortunately I don´t have currently acces to that device, but in a few weeeks I will try and consider your input. Interestingly as I remeber, I have fasttrack enabled and still have great (measured, it´s not just the gut feeling) results with the config above. Anyway I don´t have ...

woland

Hi, those are not bands, but WIFI standards, therefore the confusion. If you are on 2.4GHz, you can have devices operating accoding to G or N standard. https://en.wikipedia.org/wiki/Wi-Fi https://en.wikipedia.org/wiki/IEEE_802.11n-2009 I think it´ll be easier to get an answer asking: what should we ...

woland

Hi, that´s for 1518byte packets, for 512bytes (it´s not the "truth", but probably a more realistic measure) you have now: hAP ax2 912.9 hAP ac2 986.3 Still ac2 wins if you just want a router, at least with ROS6. And yes, also because of the USB and the lower price. The tests for the ax as ...

woland

Hi,

which version are you using? I have experienced the same issue with ROS 7.5beta8. My 2.5G port was connected to my provider modem 1G port.
I don´t have access currently to my rb5009 so I can´t test it with the latest RC.

W

woland

So while your, single, coherent complaint might seem like a drop in the bucket, a futile waste of time, I've been at this for 12 years now, and there are now billions and billions of machines that are behaving better for all of us, sticking at it, and sticking it to the man. "There is no try, ...

woland

Hi! *) rb5009 - fixed ether1 status reporting after system reboot; My rb5009 connected to the cable modem lost connection several times a day if the 2.G port was used (last tested in 7.5beta8). It´s state was reported correctly (1G FDX). I have moved the uplink connection to ether3 and the problem w...

woland

Hi, I think I have found something interesting here, a QoS script compatibel w Fasttrack: https://forum.mikrotik.com/viewtopic.php?t=113308 I tried it, by adding a new dedicated Internet bridge, but failed.... Time is over for my experiments, but I will try again next time. Edit: I tried adding a so...

woland

Hi,

I opened a ticket at MT with some additional infos, I hope to get some help or at least some statement about BSD support. Let's see.
W

woland

My 10 cents would be: MM will stay as it is cheaper and it is already there in every DC. Corning, which company knows a bit about fiber, has made some predictions in favor of MM as well: https://www.corning.com/data-center/worldwide/en/home/knowledge-center/40-100G-multimode-fiber-connectivity-data-...

woland

Hi, thanks a lot ultratoto14 ! Ooops, yes you are right. :shock: Now with the correct values fq_codel works. It gives me somewhat more jitter, than cake. Cake however seems to have significantly higher CPU usage. I am still not very sure, what else should I configure or if my settings are correct. I...

woland

Hi, I have just started to try out the queuing options on RoS 7.5b11 on an RB5009, which is currently my uplink to a DL300/UL20 Mbps cable connection over the e3inet interface. This is my current config (not the full config, just the relevant parts, I can post it if needed): /queue type add cake-dif...

woland

Hi, I agree, most providers understandably just act along their financial interests. If there is no push from the governments (in form of creating regulations which go into enough technical details), they won´t give private households fixed IPs. Even with IPv6 rolled out you only get a /64 , so that...

woland

Hi, I got to test my card again, albeit for a short period of time only. ROS 7.5b8, FreeBSD 13.1. SFP+ 10G Direct attach between an CSS610 and sfp1 on the card. It sets the state of alc0 correctly up and down. If I send something into the port while set into the passthrough mode I see the traffic vi...

woland

You can always buy a faster router. Or live with the situation that you cannot saturate the 1Gbps line. The user won't notice it in normal usage. Buying a faster router is not a great solution for the power efficiency. Regarding the users who won´t notice anyhow: "There is no reason for any in...

woland

A MT is in other words a blank linux. Nope, sorry Guscht, but did you ever build a Linux firewall from a general purpose Linux distro? There are worlds in between. An MT ROS is based on Linux, but it is very abstracted, it gives you a GUI a completely different CLI , lots of HW specific and SW patc...

woland

Hi I love the versatility of the MT devices so +1 for USB. More interesting is the test results page, which appeared on the product page: 25 ip filter rules, 512 byte packages, 544Mbps That's lower than a HAP ac2 with 986 MBps. I hope that´s going to get better with newer, more optimized releases! T...

woland

I have searched for the changes regarding the alc driver, but there have been none since the commit of Konstantin Belousov. Does not seem, like too much going on. The commit was already introduced into FreeBSD 12.3. https://www.bsdforen.de/threads/freebsd-12-3-erschienen.36360/ Also that guy Konstan...

woland

Hi! I managed to do a short test yesterday, and not surprisingly I can confirm: on Opnsense 22.7 (OpenBSD 13.1) the 4 alcX interfaces show up, link is detected at 1G. I was using an SFP+ 10G direct attach cable. Had no time for more... I did not check which ROS did it have. I will check next time wi...

woland

Is there really nothing one can do to determine wether it´s a CapsMan or a Dude issue or maybe something else? (Apart from removing one of them)
I know of /routing/stats/process, but I could not find anything useful for other kinds of processes.

woland

Hello! I seem to have an issue with a HEXs on ROS7.5beta, which I am using for Capsman and The Dude only. It has two bonded interfaces connected to a switch, but it is not doing any routing or anything else like DHCP, DNS, VPN currently. Apart from turning on debug logs & generating supout for t...

woland

I´m not entirely sure what your problem is. I am not that often configuring my MT devices, but without a guarantee I guess, it might be the following: /interface ethernet switch port set 0 default-vlan-id=3 vlan-header=add-if-missing vlan-mode=secure set 1 default-vlan-id=110 vlan-header=always-stri...

woland

Largely agree, however if you want to have an open source firewall or NAS distribution, the Linux variants are nowhere near the BSD ones (the Linux ones are getting better and better over time). I have both my NAS and my Firewalls on BSD and the getting compatible new (old) hardware part was always ...

woland

Where do you see any instructions regarding FreeBSD in there?

Nowhere, but Proxmox will be my solution to still run BSD if it can´t run on bare metal. Did you read my post?

I did not find much info on BSD support, but there is a howto for Proxmox in German:

W

woland

What's new in 7.4 (2022-Jul-19 14:25):
*) wifiwave2 - added initial support for roaming (802.11r) between local AP interfaces;

Ps. sry, "dequoted"

!

woland

Hi! I have got mine delivered last week and I´m planning to put it into my Opnsense box, probably this week. This has FreeBSD 13.1, I will report about my progress, when I get so far. So no you are not alone. :) If it won´t work with BSD, I will use it with Proxmox and virtualize the Opnsense runnin...

woland

About the use of VLAN in general. The implementation of VLAN on switch chips makes sense only on "real" switches. CRS type. Where hardware offloading really gives noticeable results. For home conditions, as well as for small offices - it makes no sense. Wi-Fi modules are not connected to ...

woland

Easy dont use capsman. I dont and dont regret it all. I have not lost one nanosecond of my life and when I see the gazillion of threads, with hair pulled out, teeth gnashing and the like, I just have to smile, knowing what I avoided. Very radical opinion as always from anav. I still have kept some ...

woland

I think about every single other wireless controller i've used and how ridiculously illogical CAPSMAN is in its config/provisioning in comparison, its rubbish Every other controller manages to be immensely more user friendly and logically set up Yes and no. I've had short stint with OpenWRT: DISAST...

woland

Is telnet enabled by default ? I´m not sure but you could give it a try as well for http(Webfig). RoMon & MacTelenet are also possible from another MT device. Also you might have to consider a default firewall ruleset (don´t use the WAN port,but try LAN1). I don´t know the defaults on hEX, that...

woland

Well, if you have only ssh with public key allowed, then there is none. Otherwise you could use a WOOBM stick or telnet or Winbox...

woland

Hi,
you forgot to mention, which version of ROS you have, but I have just read this in 7.5beta4 relesae notes :

*) ssh - fixed importing of public keys;

Regards
W

woland

Thanks holvoetn! I went straight back to 6.49.6. W I'm unable to recreate this on my hAP Lite that's a simple wireless bridge/repeater Thanks! I will try later with netinstall to have a clean 7.4rc2 installation. What I can see already: on 6.49.6 I have up to 5% CPU as well, so considering v7 is no...

woland

Does it make sense to open a ticket, or should I just go back straight to 6.49.6? Thanks & regards W OSPF: I've seen that on previous ROS 7 installs coming from ROS6. Probably you will not see that if you use netinstall on that device. CPU: Some (older) devices are not really suited for ROS7. Y...

Search found 301 matches