MikroTik

ConradPino

Iis vlan-filtering=no still in effect?
Remember Safe Mode before make change.

/interface/bridge/set bridge vlan-filtering=yes

ConradPino

@sirbryan my hero! Thank you!!

ConradPino

Showing what you tried is useful even if it fails.

ConradPino

+1 @phascogale same here but thankfully not often.

ConradPino

Other forum posts say MikroTik Forum is targeted by DDOS attacks from time to time.
I often see web proxy report site temporarily unavailable, sometimes repeatedly after refreshing.
Consider possibility main page succeeds but some assets fail such as fonts, images, or JavaScript files.

ConradPino

Thank you! I would appreciate seeing any module information you may have:

/interface/ethernet/monitor sfp-sfpplusN once without-paging

ConradPino

+1 @sirbryan Thank you!!

ConradPino

IMO @loloski suggestion is simpler than SSH tunnel which require setup to at least one known IP address on either side. Another idea is a firewall destination NAT rule that specifies dst-port but omits dst-address to match any IP address on the router. Combine the above firewall adjustments with dyn...

ConradPino

I suggest every upstream DNS zone thas reasonable minimum TTL: dig www.not-existing.google.com google.com. 60 IN SOA ns1.google.com. dns-admin.google.com. 738736615 900 900 1800 60 dig www.not-existing-site.com com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1742534562 1800 900 604800 90...

ConradPino

I'm sad to see it go but I want you to know I found it useful and am grateful it was there.
Is there anything the user community could offer that might warrant a reconsideration?

ConradPino

@jaclaz, yes the price difference and is 1.8 W enough margin? @cstarritt, agreed heatsink should help but how much help? When ambient hits 78F recently, S+RJ10 shutdown at 95C standard limit. When ambient hits 96F as happens several days yearly I need to be up. I pray a proven solution with temperat...

ConradPino

@Normis I believe @Larsa makes some good points. I believe MikroTik strengths are: hardware design and manufacturing at excellent pricing value points prior history delivering reliable and stable networking software but recentl RouterOS 7 development has unmasked incompetance managing software devel...

ConradPino

I found claims Broadcom BCM84891L devices are low power like: Built-in Broadcom Chip, Max. Power Consumption 1.8W but at $140.00, more than FTC11XG option which is safest temperature risk. 2.7 Watts for S+RJ10 which idles at 90C at ambient 75F versus 1.8 Watts for new designs leaves me with some roo...

ConradPino

New ISP provides 10G fiber service but ONT is 10GBase-T (RJ45 copper) only. Despite MikroTik S-RJ10 general guidance I tried and also confirmed S+RJ10 is not reliable outside climate controlled environment. While FTC11XG looks viable but has a weatherproof price, I want to exhaust other possibilitie...

ConradPino

The ROSE-storage package supports network mounts potentially useful for container storage. Just a suggestion that I haven't tried myself.

ConradPino

Is anyone else's mind blown with the surrealism and irony going on with this thread? I started it to (1) vent and (2) beg for help due to the massive cognitive-pain being caused by VLANs. Now, this thread has evolved to a discussion/argument about minutae I did not know existed. Part of me loves it...

ConradPino

So it's very unlikely (but not impossible) to actually see fast-forward in action. Not in context of this thread. Yes, it's quite unlikely indeed but we build VLAN Filtering one command at a time and setting vlan-filtering=yes should occur after defining bridge port and bridge vlan steps otherwise ...

ConradPino

For this topic, where VLAN Filtering is the goal, Fast Forward's status is irrelevant, it would be inactive anyway.

When omitted from

/interface bridge

the

fast-forward

value defaults to

yes

so adding

fast-forward=no

is at least prudent and sometimes necessary.

ConradPino

disables ARP? really? haven't seen that ever after and i have setup a lot of bridges... old and new fashioned way arp always working so far with fast-forward set to "yes" Bridging and Switching § Fast Forward says, Fast Forward disables MAC learning, this is by design to achieve faster pa...

ConradPino

Consider Policy Routing based on source address.
https://help.mikrotik.com/docs/spaces/R ... cy+Routing

ConradPino

Agreed with @mkx that IPv4 and IPv6 have independent routing paths but only if both are native implementations. IPv6 encapsulated in IPv4 or IPv4 encapsulated in IPv6 are exceptions and both have larger MTU penalty. While 1.1.1.1 and 2606:4700:4700::1111 have a common PTR value " one.one.one.on...

ConradPino

1) Create a bridge (this is a layer 2 and operates on ethernet, also known as MAC address level; this bridge can be conceptualized as a switch within a device such as a router) -- let's name it bridge=TESTBRIDGE Useful MikroTik Help and Forum links: Bridging and Switching § Bridge Interface Setup B...

ConradPino

If I understand correctly, what you're saying is that a key to understanding this is to learn it in this specific order: 1) Add a bridge 2) Add bridge ports 3) Add bridge vlans 4) Add interface vlans Correct? Nothing works without (1) the bridge. I put interface vlan last because while they can be ...

ConradPino

Make sure firewall allows required traffic despite routing changes DHCP client makes as connections go up and down.

ConradPino

OK, let's do this in correct order and one step at a time. Correct order:

/interface bridge add
/interface bridge port add
/interface bridge vlan add
/interface vlan add

Do we agree on this?

ConradPino

Look at how routing table changes as LTE goes up and down.

ConradPino

Are we having too much fun?

ConradPino

Adding cable and module part numbers may improve feedback on this topic.
MikroTik is clear their RJ45 module has limits S-RJ10 general guidance

ConradPino

What did you provision in AWS VPC Security Groups?

ConradPino

Yeah, that also means Winbox 4 won't run on anything older than Windows 10 (ie, no XP, Vista or Win 7/8).

Another strike against Winbox!

ConradPino

@infabo makes an excellent point.
Complete and diligent CVE follow through is critical for maintaining confidence in MikroTik security management process.

ConradPino

I'm holding at 7.16.2 until a consensus emerges that 7.17 or 7.18 are safe for production environments. I can't say I read the RouterOS v7 release topics deeply but I survey all forum topics broadly at least daily. IMO time spent making Webfig look like another application is a sad time waste for no...

ConradPino

An issue may appear in multiple topics; a resolution may not be posted in every topic where issue was posted so vigilance across the multiple topics may pay off.

ConradPino

Take a look here: viewtopic.php?t=213941&start=300#p1121760

ConradPino

I hope that my point of view is clear to you.

I try to pay attention but find that alone doesn't guarantee me success.
I commend your participation and see you as another steady helping hand here.
I find diverse perspectives creative, educational, and frequently useful in shaping mine.

ConradPino

I hope you don't mean block what you need to block, but allow everything at the end ... I do mean "block then allow" versus "permit then drop" designs. Where is the objective evidence for this statement? (compare straight to inverted?) You're suggesting opinions require a founda...

ConradPino

Where is the default firewall flawed for a very simple standard connection between WAN and LAN?

It's fine for what it does for it's intended network model.
It's weakness is novices break it more readily than an inverted design.

ConradPino

@pe1chl IMO repeating suggestions from time to time is worthwhile to demonstrate continued interest and need to MikroTik along with educating new and old forum users which may lead to community consensus formation with more voices advocating their common interests.

ConradPino

I don't have a solution but noted Proxmox was popping up in topics recently while 7.17 added bugs and features. If your situation and time permits, downgrading RouterOS may or may not help isolate the issue. Polling others for downgrade advice may be worthwhile before experimenting. A forum topic ha...

ConradPino

@Cha0s LOL

ConradPino

Well, at least I am able to express my ideas without attacking or offending other people. :) You don't have enough new users to shout at today? :?: Sooner or later somebody will come by and take offense to something. Sooner or later everybody will have a bad day and lets it spill out. Welcome to th...

ConradPino

Wikipedia says, non-uniform memory access (NUMA) is a computer memory design used in multiprocessing, where the memory access time depends on the memory location relative to the processor. Under NUMA, a processor can access its own local memory faster than non-local memory (memory local to another p...

ConradPino

In most of the software world, there is a clear distinction between breaking changes (incompatible), bug fixes, and new features. However, we have to be fair - MikroTik still uses terms like alpha, beta, and stable, which feels somewhat outdated in modern software development. Let's help MikriTik g...

ConradPino

What's going on? So many questions coming out of this Why is one better than the default that comes with Mikrotik? Or more accurately, why is there a lack of understanding in the firewall mechanism? Do people not trust the firewall and temptations to modify and all hell breaks lose when something g...

ConradPino

TL;DR Great diversity in networking designs produces a great diversity of related advice. MikroTik provided router default firewall is well designed for it's intended use case: WAN DHCP client public IPv4 address LAN DHCP server private IPv4 subnet Firewall LAN to WAN includes NAT Firewall LAN to W...

ConradPino

Proxmox and RouterOS 7.17 may have issues:
viewtopic.php?t=214786
viewtopic.php?t=214782
viewtopic.php?t=213941&hilit=Proxmox&start=300#p1125309

ConradPino

Proxmox and RouterOS 7.17 may have issues:
viewtopic.php?t=214784
viewtopic.php?t=214782
viewtopic.php?t=213941&hilit=Proxmox&start=300#p1125309

ConradPino

All current and historical releases
https://mikrotik.com/download/archive

ConradPino

Swap is not for the host system. Please read the manual about it before complaining: https://help.mikrotik.com/docs/spaces/R ... -Swapspace

@normis, thank you and please thank Druvis Timma for making that update Feb 07, 2025 10:17. IMO a super addition.

ConradPino

@strods, thank you and well said. When MikroTik staff can make a forum appearance, many may find it reassuring much as I do.
More information is always better and deft words now and then deflate the speculation space which has typically calming effects.

ConradPino

Hahaha okay, I will catch a ride the next time the orange drag president flys by in his sleigh......

Fun image, thanks!
IMO "orange president" has clear meaning. How does "orange drag president" alter such?

ConradPino

Recommended procedure for posting configuration includes: Remove serial number comment Remove software license comment Replace sensitive comments language Replace usernames with unique generic names Replace passwords and secret keys with generic descriptions Replace IP address with generic numbers k...

ConradPino

IMO OP introduced themselves as one professional meeting another in a professional setting and effectively presenting their business card.

ConradPino

IMO time spent making Webfig look like a desktop or mobile GUI application is wasted time producing bloatware. IMO maintaining parallel menus and functional operations between Webfig and GUI applications is worthwhile. IMO keeping Webfig HTML and CSS simple best uses limited space on storage constra...

ConradPino

I started with RouterOS v6 Webfig then CLI and never caught the Winbox or Dude diseases.
If cancelling or postponing Winbox accelerates RouterOS v7 development then I vote so.

ConradPino

I started with RouterOS v6 Webfig then CLI and never caught the Winbox or Dude diseases. I prefer a tiered Webfig: Basic level for local device management on every device model. Advanced Private level optional package to manage an isolated network. Advanced Cloud level optional package to manage Int...

ConradPino

I am big Webfig and Let's Encrypt fan. IMO MikroTik did very nice thing adding Let's Encrypt support so I'm biased preferring best HTTPS security as default for new users.

ConradPino

I did not know ROS uses squashfs. But good to know. But still one observation remains valid: webfig assets are served uncompressed.

Serving compressed assets over HTTPS is the BREACH security vulnerability.
https://en.wikipedia.org/wiki/BREACH

ConradPino

Sip, mmmmm ... Cafe is wonderful. Over the weekend I made some progress reading configurations which raised questions best left for later. In the mean time, RB5009 is another bridge switch chip in play and where the root bridge moves when devices go down is critical considerations in what interconne...

ConradPino

@normis, it's so good to see you here! Thank you!! LTS is just a name. If we rename 7.15.1 to long-term, will it become more stable? No, without MikroTik support, of course it won't. IMO this topic arises from inadverantly unmanged expectations that arose prior to RouterOS v7 effort. Over time bug r...

ConradPino

A rush project landed on my desk this morning; I will be short on personal time but will add to specific topics as time permits.

ConradPino

Accidental double post redacted.

ConradPino

... I just now changed it to static so that should take care of any quirks. Thanks! You're welcome. IPv6 routing with single provider works with just the main routing table. If ISP deploys IPv6 and keeping Hurricane Electric is wanted, 2nd routing table for policy routing works. I use VLAN segmente...

ConradPino

@mbrad thank you. My confusion is why @TrevinLC1997 is using pool when it doesn't provide level of control wanted and static assignment does.

ConradPino

Sip, mmmmm ... Cafe I'm bring up Spanning Tree Protocol to make clear MikroTik default enables RSTP on all software bridges and switch chips. The switching loops in the current connection topology will not produce broadcast storms while RSTP remains enabled. Spanning Tree Protocol § Summary excerpt:...

ConradPino

Ahh that's unfortunate, hopefully one day Mikrotik will give us the ability to manually configure subnets or at the very least allow the option for a automatically assigned static subnet. Just color me confused; I manage my Hurricane Electric /48 tunnel with static commands and without an address p...

ConradPino

Please interpret, "May I suggest ..." as an introduction to further discussion and NOT necessarily a call to action. Thank you for an outstanding reply which I will address in part now as I must attend to my work and will return later to reply in depth. EDIT: VLAN10 has been migrated to VL...

ConradPino

It's a small homelab network, not hundreds of machines that have a high amount of packets flowing all the time. Thank you, that's helpful. Can you enumerate how many ports are free and used on current CCR2004, CRS317, and CRS326? @anav suggested firewall and configuration improvements which receive...

ConradPino

Yes, it's important and requires an entry for every MAC address a given switch sees. I have about 125-ish devices on the network (though this can sometimes reach 150 when some of my friends come over). I doubt that would be big enough to cause any issues with the CRS309's smaller Unicast FDB? The C...

ConradPino

I don't know if the "Unicast FDB" is an important thing?

Unicast FDB (Forwarding Database) is mentioned here: CRS3xx, CRS5xx, CCR2116, CCR2216 switch chip features § Features
Yes, it's important and requires an entry for every MAC address a given switch sees.

ConradPino

Device management occurs on VLAN 1. Examine which ports on both devices allow VLAN 1 traffic.

ConradPino

Double posting is considered poor form and both lack device configurations.
viewtopic.php?t=214573

ConradPino

Double posting is considered poor form and both lack device configurations.
posting.php?t=214574

ConradPino

Accelerating RouterOS boot to complete before host OS startup would be *very nice*.

ConradPino

@arainbow, excellent work. Thank you!

ConradPino

Above table apples to L3 HW Offloading and is irrelevant to Stateless Hardware Firewall and Switch Rules (ACL) whose limits are shown in ACL Rules column: Model SwChip CPU Cores SFP+ ACL Rules Unicast FDB Jumbo Frame CRS310 98DX226S 1 800MHz 4 128 16,000 10218 CRS309 98DX8208 2 800MHz 8 1024 32,000 ...

ConradPino

Ok so, viewing from the WAN side (incoming from ISP): ISP CCR2004 CRS317 CRS309* + CRS326 I misread diagram device CRS326 as CRS310 and apologize. My suggestion was: ISP CCR2004 CRS317 CRS326 which presumes CRS317 has enough free ports to downstream the CRS326 which I don't know at this time. If no...

ConradPino

Model SwChip ROS IPv4 Pre IPv4 Host IPv6 Pre IPv4 Host Nexthop Fasttrack NAT VXLAN CRS310 98DX226S 7.1 13312 3328 4K CRS309 98DX8208 7.1 16K-6K 16K 4K-6K 8K 8K 4.5K 3.9K + CRS317 98DX8216 7.1 120K-240K 64K 30K-40K 32K 8K 4.5K 4K + Source: L3 Hardware Offloading § L3HW Device Support

ConradPino

Oops, I'm late in reading existing device details. Please note CRS317 is more capable than CRS309 which is more capable than CRS310,

Consider moving CRS310 to CCR2004 connections downstream of the CRS317 and deploy L3 HW routing with a Stateless Hardware Firewall on CRS317.

ConradPino

FastTrack Thank you. Agreed, per CRS3xx: Switch DX3000 and DX2000 Series CRS310 does not hardware offload Fasttrack nor NAT whereas CRS309 per CRS3xx, CRS5xx: Switch DX8000 and DX4000 Series can hardware offloat Fasttrack and NAT but that is not a recommendation as all devices there are TCAM constr...

ConradPino

Seems like the CRS310 I proposed doesn't support FT offloading, so it seems that that won't do then? Am I correct?

Define FT please.

ConradPino

OK, I see enough to draft a CRS309 configuration; that could be a further discussion starting point. But it occurred to me CRS309 has L3HW Offload idiosyncrasies that must be kept front and center for best results. We can work on improving current configurations prior to diving into the future. Do ...

ConradPino

OK, I see enough to draft a CRS309 configuration; that could be a further discussion starting point. But it occurred to me CRS309 has L3HW Offload idiosyncrasies that must be kept front and center for best results. We can work on improving current configurations prior to diving into the future. Do y...

ConradPino

Definite progress, thank you. By now you've seen this forum is doesn't handle code blocks consistently. Please edit last post to add a blank line or two above code block begin and below code block close. All exports start with comment lines, first is device model (not sensitive) and third is serial ...

ConradPino

The quality of software development and/or a more thoughtful featureset placing into devices might be more helpful for the vendor as for customers also. The problem is when the management/development shifting to the sandboxer side, when more feature comes into new releases than bugs fixed. My grave...

ConradPino

All devices upgraded from versions <7.17 will be put in the Enterprise/Advanced device-mode, with only traffic-gen, container, install-any-version, partitions and routerboard (minus auto-upgrade) disabled. No physical access needed unless you want to enable one of those specific features. Have you ...

ConradPino

RouterOS documentation Spanning Tree Protocol has multiple flavors. I really mean export the entire CCR2004 configuration (redact only security sensitive items). Failing to fully disclose creates protracted dialogues leading to annoyance and destroying motivation to help. Your choice do you make it ...

ConradPino

Just another taste of blissfully ignorant youth!

ConradPino

Consider carefully changes in RouterOS 7.17 and 7.18 producing substantial push back which you'll see in respective Announcement topics.

ConradPino

Consider posting CCR2004 config after removing sensitive information (serial number, IP addresses, user credentials, etc). /export terse file=ccr2004-FinlayDaG33k.rsc CRS309 can do the job at Layer 2 alone, Layer 3 routing not required but that won't have the LAN independence from CCR2004 downtime y...

ConradPino

https://forum.mikrotik.com/viewtopic.php?t=180398 MikriTik forum Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN https://github.com/Fluent-networks/tailscale-mikrotik GitHub project Tailscale for Mikrotik Container Nothing above is a recommendation; just adding TailScale informati...

ConradPino

I can sense the idea that someone from some agency whispered in mikrotiks ears "fix it or be regulated" and they came up with this complete overkill bazooka "solution" to shoot their customer's foots with at least they can point and claim that *someone is doing *something But th...

ConradPino

i understand your discomfort/annoyance with the situation,but i think This situation has other facets, Mikrotik has periodically been targeted by the media in a somewhat exaggerated way, about compromised devices being used in attacks by malicious actors, that put a heavy pressure on MikroTik to ta...

ConradPino

RouterOS kernel may panic and reboot during which all links are down. Follow logs and serial port output for unexpected reboots.

ConradPino

Consider carefully recent RouterOS 7.17 and 7.18 changes before deploying to locations where physical device access has high labor, time, or travel cost.

ConradPino

I completely agree with you.

Well said and thank you!

ConradPino

Let’s go through the device-mode changes one by one. The following features are now turned off by default: - traffic-gen: I don’t think most small business MikroTik professionals need traffic generation tools often. But there might be some use-cases in (automated) big deployments. - repartition: Wh...

ConradPino

... Please make it possible to upgrade while keeping all features enabled as it was before the upgrade.

Thank you! Please come back and continue stressing what makes MirkoTik products useful.

ConradPino

... But now it is here to stay I guess. IMO that's giving up too easily. Let's be clear; MikroTik meets customer's needs or MikroTik loses customers. Like it or not, in a free market, the customer always prevails. The only real question is how much pain does MikroTik inflict on users and in turn ex...

ConradPino

No need to warn them in 2025...

The innocent newcomer will be with us forever and they too deserve our best efforts.

ConradPino

Disappointment with recent RouterOS updates is now common place but still merits open discussion to help MikroTik improve.
At this time 7.17.x has unpopular changes not yet addressed in 7.18.x; expect risk averse users to hold at 7.16.x for sometime.

ConradPino

Suggested MikroTik reading: https://help.mikrotik.com/docs/spaces/ROS/pages/30474317/CRS3xx+CRS5xx+CCR2116+CCR2216+switch+chip+features#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Models CRS3xx, CRS5xx, CCR2116, CCR2216 switch chip features https://help.mikrotik.com/docs/spaces/ROS/pages/6239031...

ConradPino

CRS3xx products have broad range of features depending on CPU and switch chip in specific model. Please enumerate actual part numbers for consideration.

ConradPino

1 Watt = 1 Joule / second = 3.41 BTU / hour i.e. energy per unit time.
Can we say, 1 BTU per hour per cubic feet = 10 ° F increase in temperature per hour?

ConradPino

Like I said, I (or MikroTik) would not have deleted it. It was a volunteer mod. IMO @normis is on the best path. What matters most is confidence and trust in the forum process. Forum moderation suggestions: do not delete bad posts; quote bad information in new post with correct information leave ba...

ConradPino

And it doesn't look promising when topics like this quickly gets deleted https://forum.mikrotik.com/viewtopic.php?t=214285 Still indexed by Google https://www.google.com/search?q=%22RouterOS+7.17+Firmware+Vulnerabilities%22 Well, in fairness, they do publish a "responsible disclosure policy&qu...

ConradPino

CALEA is United States law, FCC and Wikipedia links follow, 3rd link is recent scope change. https://www.fcc.gov/calea https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act https://www.lermansenter.com/fcc-expands-scope-of-calea-obligations/ Lawful Interception is a global ...

ConradPino

You could go to the EU Parliament and propose a law requiring all manufacturers to make their devices fully accessible for open-source operating systems, including the publication of specifications and all relevant documentation. I respect everyone's right to petition their governing authority for ...

ConradPino

We only make changes that improve security of the users, none of those changes are to actively deny 3rd party OSes

@normis! So good to see you out and about. I find your reassurances both credible and compelling. Thank you,

ConradPino

IMO "locking out" is deliberate and active act, "not publishing" can only be called "negligence" towards 3rd parties and is completely normal in normal (i.e. not "free as speach") corporate environments. ... So IMO ROS is MT's strength and they should focus o...

ConradPino

Not publishing bootloader specs is effectively the same thing as locking out, for as long as somebody from 3rd parties hacks and reverse engineer it at least...

MikroTik has the choice to make it 3rd party software easy with full hardware disclosure or hard by doing nothing.

ConradPino

While I may not agree with every CALEA provision, I do say the law and it's provisions are not secret. Anybody paying attention knows everybody is subject to traffic analysis and occasionally content inspection. The implication is those that aren't aware they are vulnerable are just not paying atten...

ConradPino

CRS326 can show their uptime since last restart and they log startup events so consider logging setup to remote syslog to overcome limits of default limited memory log. CRS326 has real serial port so keeping device connected to watch CRS326 console activity is another way to observer device restarts...

ConradPino

See IEEE 802.1ad on Wikipedia

ConradPino

@OptiTech IMO while RouterOS CLI is powerful, it is not at all obvious even to experienced shell users; the where clause in particular.
https://help.mikrotik.com/docs/spaces/R ... alCommands

ConradPino

Thank for you answer , apparently there is no way to do that.

IMO QinQ to any level is supported provided bridge ether-type 0x88a8 (Service VLAN ID) is used.

ConradPino

Suggested RouterOS reading:
https://help.mikrotik.com/docs/spaces/R ... ling(QinQ)
https://help.mikrotik.com/docs/spaces/R ... LAN-Q-in-Q

ConradPino

... As I see there are two type of MTik users. Ones likes playing with new features and the others would likes to serve customers with existing features in a stable environment. Not so easy to make happy both types of users. IMO volume sales are with users needing easy to manage reliable network pe...

ConradPino

What would make Mikrotik "special" in any use-worthy way if you would run other software on it? IMO MikroTik has market share by undercutting both enterprise and consumer devices. There is a forever market as the hardware performance value provider. RouterOS v7 changed development model u...

ConradPino

What does Profiler show?

ConradPino

Thanks for your input! Yeah ip arp is one option but I cannot search based on mac. Anyway my question was a bit off to begin with because routers don't generally build mac tables (ccr1072 doesn't even have a switch chip). /ip/arp/print where mac-address=xx:xx:xx:xx:xx:xx Switch chips have internal ...

ConradPino

... I am already looking for other vendors unfortunately, after 16 years of Mikrotik use.

@normis this is what the start of MikroTik business failure looks like.
Bug fix RouterOS before everything else is the best hope.
Alternative is allow third party software on MT hardware.

ConradPino

/system logging print
/system logging remove 4

ConradPino

@normis, please set this aside and get the RouterOS 7.17+ firestorm under control first.

ConradPino

IMO @rextended gives good advice; I recently bought RB5009 for router on a stick deployment. CRS305-1G-4S+IN $149.00 CRS326-24G-2S+IN $199.00 RB5009UG+S+IN $219.00 CRS309-1G-8S+IN $269.00 CRS3xx devices support L3 Hardware Offloading which can route and firewall at wire speed for some cases; the lea...

ConradPino

When reliable hardware starts misbehaving, verify cooling is working; check health (CPU temperature, fans speeds), visually verify fans.

ConradPino

When using any tunnel protocol, consider making MTU changes to take tunnel overhead into account for preventing packet fragmentation.

ConradPino

IPv4 and IPv6 firewalls are distinct (already split). Every firewall rule counts the bytes and packets it matches. The GUI interfaces have graphs.

ConradPino

Thanks... But for what??? 🤷‍♂️

Helping @evilsabc, a generous and substantial commitment IMO.

ConradPino

@rextended Thank you, and well done!

ConradPino

/interface/ethernet/reset [find] mtu=

Runs with no complaints and chooses 1500 as default with RouterOS 7.16.2.

ConradPino

Excerpt from RouterOS documenation: https://help.mikrotik.com/docs/spaces/R ... CPv6Server
RouterOS DHCPv6 server can only delegate IPv6 prefixes, not addresses.
I can't say I fully understand but it does raise concerns here.

ConradPino

/interface/ethernet/set [find] mtu=1500

ConradPino

Set priority1 and priority2 based upon what is known of device clock behavior to bias elections towards best known device clock.

ConradPino

I have a /60 delegation from Comcast: [admin@c53uig] > /ipv6/pool/print detail without-paging Flags: D - dynamic 0 D name="Comcast" prefix=2601:642:xxxx:xxx0::/60 prefix-length=64 expires-after=3d13h41m4s Assign a /64 to four (4) VLAN: /ipv6/address/add interface=vlan20 address=::1/64 from...

ConradPino

Sonic Internet is installing 10G FTTH; their ONT is RJ45 only. *sigh* I learned at 2.5G with CRS326 module shuts down above 87 F ambient; CRS326 CRS309 stacked on solid shelf in still air. I have since come to love SolidRack 10 with 1U separation above and below all networking devices plus external ...

ConradPino

My PTP reading suggests any PTP enabled device coming online does peer discovery on enabled ports, and if discovered and depending on topology, boundary clocks are chosen if needed, and a grandmaster is found or elected as needed. Which devices become boundary clocks and grandmaster depend on priori...

ConradPino

Lurker888 knows his stuff! Kudos to him!

Thank you for showing your appreciation; IMO Lurker and others add so much here the acknowledgment is well deserved.

ConradPino

Default is leave firmware (RouterBOOT) as is. RouterBOOT upgrades usually not critical; RoutBOOT does hardware initialization and some changes require firmware upgrade. See https://help.mikrotik.com/docs/spaces/ROS/pages/40992878/RouterBOARD for "auto-upgrade" setting which automates a bit...

ConradPino

Searching for "boundary clock" finds the term here:
https://help.mikrotik.com/docs/spaces/R ... e+Protocol
https://help.mikrotik.com/docs/spaces/R ... p+features

ConradPino

Some "monitor" output follows: [admin@mtrb5009a] > /interface/bridge/monitor [find] once without-paging state: enabled current-mac-address: F4:1E:57:32:23:BD root-bridge: no root-bridge-id: 0x2000.D4:01:C3:99:D9:8E regional-root-bridge-id: 0x2000.D4:01:C3:99:D9:8E root-path-cost: 0 root-po...

ConradPino

I see STP events only when interface changes state; unplug and replug same follows. [admin@mtrb5009a] /> /system/logging/export terse # 2025-01-21 17:32:30 by RouterOS 7.16.2 # software id = KWPA-GEH1 # # model = RB5009UG+S+ # serial number = XXXXXXXXXXX /system logging action add name=mempage targe...

ConradPino

viewtopic.php?t=204158

ConradPino

Serve The Homes does nice job showing the insides:
https://www.servethehome.com/mikrotik-c ... -switch/2/

ConradPino

2) If I get a prefix e.g. "fd3d:3e86:540f::/48" from my ISP via a DHCPv6 client, I can't create my own IPv6 pool e.g. "fd3d:3e86:540f:ffff::/64" - it prints an error "prefix of two pools cannot overlap!". How can this be solved? Thank you PD creates a dynamic pool that...

ConradPino

Can't say I've done so but based on reading and my single IPv6 PD experience, I would bet yes.
VLAN interface has dual IPv6 setup, one from each PD with RA enabled; clients see MikroTik as gateway.
Use different DHCP6 client gateway metric / priority setting to prefer a WAN.

ConradPino

Here's some advice then, to everybody who complains every time there's a new release, from someone who's been doing this for 20+ years: Don't put brand new releases on your devices unless there's a feature or fix you specifically need, and even then, be prepared for other things to break. With Rout...

ConradPino

Maybe you are willing to participate in the beta and rc cycles to identify more bugs, before it gets "stable" like I do? :-) Most users like myself can't afford to duplicate their network. IMO MikroTik is making two (2) mistakes, (A) sub-standard software testing (too many regressions) co...

ConradPino

Searching forum topic titles for "sale" finds few; most viewed don't get much interest.
MikroTik staff Normis did comment here: viewtopic.php?t=49186&hilit=sale#p249842

ConradPino

Thank you, very useful to confirm Xfinity service 500/20 plan: 1 minute average was 24.2 Mbps/604.5 Mbps

ConradPino

Just curious, what makes CHR RouterOS attractive at AWS that VPC Security Groups and ACL don't cover?

ConradPino

GPL source code is public, not sure what you are talking about. Last time was when, in 1998?

This is the latest v7 GPL archive: https://box.mikrotik.com/d/81912835977544a291c9/
Given to anyone who needs it.

@normis the link shows Last Update 3 years ago. Has that code changed since then?

ConradPino

https://cdn.mikrotik.com/web-assets/product_files/CCR2004-16G-2S_240151.png Switch Chip 88E6191X times 2 with 8 ports per switch, supports Bridge VLAN Filtering. No L3 Hardware Offloading. https://help.mikrotik.com/docs/spaces/ROS/pages/15302988/Switch+Chip+Features https://help.mikrotik.com/docs/sp...

ConradPino

IMO your topic is acceptable here. Consider trying here:
https://www.ebay.ie/sch/i.html?_nkw=Mik ... &_osacat=0

ConradPino

https://en.wikipedia.org/wiki/Physical_layer#PHY
https://www.servethehome.com/mikrotik-c ... -switch/2/

ConradPino

/ipv6/neighbor/print detail without-paging where mac-address=<MAC>

https://help.mikrotik.com/docs/spaces/R ... ghborsList

ConradPino

https://help.mikrotik.com/docs/spaces/R ... Offloading
Is Bridge Hardware Offloading enabled?
Swutch Chip model 88E6393X

ConradPino

The documentation: https://help.mikrotik.com/docs/spaces/R ... geFirewall

ConradPino

Cosnider Active Directory, Domain Master Browser service.
https://en.wikipedia.org/wiki/Domain_Master_Browser

ConradPino

I like your contribution. Thank you!

ConradPino

@wuspmikrotik And yet, it seems that MikroTik is expected to know every possible scenario and real-world setup and perform functional tests to ensure that absolutely no one experiences any problems in their specific environment. MT should be using enterprise software development practices which inc...

ConradPino

I believe there’s been a misunderstanding. I’m not looking to be a beta tester, as I use RouterOS in a private capacity and don’t have the inclination to take on that additional work. Good to know we are commonly situated. However, in a professional environment with dedicated network administrators...

ConradPino

Unless operating in SAFE mode, configuration commands are persisted and viewable with export command. Command I supplied is incomplete; and may require "chain=forward" amongst other parameters; I'm just drawing attention to the capability that is there despite the absent documentation. My ...

ConradPino

You're welcome. Besides limiting the topics, the distinct action is an isolated view.

ConradPino

https://help.mikrotik.com/docs/spaces/R ... properties

ConradPino

/system logging action add memory-lines=36 name=mempage target=memory
/system logging add action=mempage topics=stp

ConradPino

The command line parser accepts this:

/interface bridge filter add action=drop mac-protocol=!arp,ip,0x888E

Enter that line fragment followed by TAB key to see what else you can add.

ConradPino

Yeah and some random guy here dreamed *THIS* will be a long-term, because it took so long... LOL This is a typical MT point-zero release, 3 steps forward and 5 back... The long-term is as far away as with the v7.0 release. This is because many people wait for the final release to pull the trigger: ...

ConradPino

Stay with single bridge as switch chip hardware offload is limited to single bridge; added bridges are CPU only. Understand switch chip features: https://help.mikrotik.com/docs/spaces/ROS/pages/15302988/Switch+Chip+Features Use Bridge VLAN Filtering: https://help.mikrotik.com/docs/spaces/ROS/pages/3...

ConradPino

Due to a chip issue which reports board temperature MikroTik decided to remove this parameter from health.

The questions was "WHY?" What is the chip doing to cause this decision?

ConradPino

You haven't posted your configuration (redact security sensitive values and serial number); don't expect much until you do.

ConradPino

Well, now I know disabling every firewall rule has no effect.

ConradPino

Bah, humbug! Works when after adding default gateway IP address (hAP ax3 running NTP server). Good enough to move forward.
You know, I should disable the firewall since I just presumed it was not in play. Thanks for the reply, helps the mind work here.

ConradPino

No complaints; just want to help.

ConradPino

Nginx showing 403 Forbidden for any user:
memberlist.php?mode=viewprofile&u=5

ConradPino

Assumption: When running Bridge VLAN setups, the bridge must be a tagged port on the VLAN for Layer 3 services to function through the network.

Assumption is false; make all bridge VLAN untagged. Make exceptions with:

/interface vlan add interface=bridge name=vlan40 vlan-id=40

ConradPino

You don't need rose package.

Agrees; my bad.

ConradPino

I'm adding RB5009U to hAP ax3 and CRS3xx fleet. Bridge VLAN Filtering for multiple VLAN/subnets is working; no switching issues IPv4/IPv6 routing and firewall are working; RouterOS package upgrades work. hAP ax3 has WAN interface; all RB5009U ports are on default bridge. All RB5009U interfaces are i...

ConradPino

Add ROSE-storage package and reboot then create SMB disk:

/disk add type=smb ...

ConradPino

There seems to be many ways to configure the RouterOS and your answer seems a bit "my way is best" and misses the question completely. You misunderstand, @anav was polite whereas I will say "your way is worse and you've killed your performance", see Layer2 misconfiguration - Bri...

ConradPino

You have switching loops in your broadcast domain: unmanaged switch and MikroTik bridge interface. The Spanning Tree Protocol may block ports.
Placing insecure and secure subnets on same switch is bad practice; just plug modem directly into MT WAN port for security and reliability.

ConradPino

How about Rate Limiting with Nginx? Works well for a customer's Java web application to restrain the crawler bots.

ConradPino

For high ambient temperature, CRS309 needs good air flow; assure 1U clearance above and below each unit; consider temperature controlled fan to vent the cabinet. 10G-Base-T modules get quite hot, be prepared to 3D print side fan mount for 120mm x 32mm centrifugal blower to move air sideways through ...

ConradPino

Multilink Solutions Inc. has the product as two (2) models:
https://multilink.us/mikrotik-chateau-p ... haxq2haxq/
https://multilink.us/mikrotik-chateau-p ... q2haxq-us/

ConradPino

/ipv6 address add from-pool=test-ipv6 address=::1/64 interface=WIRED_VLAN0 advertise=yes no-dad=yes /ipv6 address add from-pool=test-ipv6 address=::1/64 interface=WIRED_VLAN1 advertise=yes no-dad=yes /ipv6 address add from-pool=test-ipv6 address=::1/64 interface=WIRED_VLAN2 advertise=yes no-dad=yes...

ConradPino

CLI is only built-in script friendly configuration mechanism
WebFig and Winbox are both script hostile GUI tools
WebFig is built-in and sufficiently useful
Winbox is not built-in and superfluous

Winbox has an audience but it's not universal.

ConradPino

Example from hAP ax3 core router deployment:

/ipv6 firewall raw
add action=drop chain=prerouting icmp-options=134:0-255 in-interface=vlanIX protocol=icmpv6

Neighbor Discovery packets received from upstream router are dropped.

ConradPino

Try these ping tests between the following devices:

wlan1 192.168.0.10 and PC 192.168.0.2
wlan1 192.168.0.10 and Mobile Phone 192.168.0.n

If wlan1 is reachable from those Clients (PC & Mobile) then adding routes to Client routing tables makes IoT and RP reachable from Clients.

ConradPino

Never infringe the original poster's right to be stupid!

ConradPino

What are the distance values for all routes?
Try a larger distance value for backup route.

ConradPino

@maxspeed this is a classic XY Problem I have better uses for my time.
Disabling Spanning Tree Protocol is an issue; VLAN aware MSTP is best choice.
Parting thought: Layer2 misconfiguration § Bridges on a single switch chip

ConradPino

Use one bridge on the CCR2116, not two separate ones, and configure the /interface bridge vlan membership accordingly on the two trunks. General agreement but I suggest holding off on big changes until requirements are completely known. You do not need /interface vlan and /ip address entries for ev...

ConradPino

OSPF operates over IP / layer 3, VLANs operate over ethernet /layer 2 - they are completely unrelated to each other. Technically correct. The block on the diagram "OSPF link with 8 subnet with1 Trunk inside of ccr2116 - 8 vlans id:100-107" makes absolutely no sense. One broadcast domain (...

ConradPino

Suggested documentation answers questions posed but the experience to recognize them as such suggests appears absent and coming here can help fill that gap. It's not uncommon for users to share a problem and leave with working solution developed from a dialogue between original poster (OP) and forum...

ConradPino

Webfig and Winbox are very similar, but Winbox is more user friendly, it has side by side windows and such features. It was an honest question. If one thing has something you need, why keep using the other thing ... Winbox is an extra download an extra installation an extra learning curve an extra ...

ConradPino

I only used CLI to export/import large sections of configuration

Welcome brother, sorry you hear your escape attempt failed.

ConradPino

Getting the most out of this forum by normis, MikroTik Support

ConradPino

could you just explain your idea please, i try to figure the way

No, a short explanation is not possible. The solution is Bridge VLAN Filtering.
Start reading here: https://help.mikrotik.com/docs/display/ ... NFiltering

ConradPino

What I am doing wrong?

IMO probably nothing. I concluded that function "needs substantial improvement".

ConradPino

I would like to know if it's possible to join several VLANs from 2 differents switches to only one Bridge with another switch? Question : is it possible to do that or do you have a better solution TL;DR Yes, IMO it's possible. However a VLAN specification for EVERY PORT on EVERY SWITCH is needed to...

Search found 533 matches