MikroTik

jaclaz

However... if you take a pristine 7.18.2 and go [admin@xxx] > /ip firewall nat add chain= <<TAB>> dstnat input output srcnat they're there. I sometimes (very-very rarely) use these chains, and I have verified that they are fully functional and correctly available. Very good :).. The quick table I p...

jaclaz

As requested: 1. #8 chain=input 2. #10 chain=dstnat 3. #20 chain=output 4. #25 chain=srcnat For all the boxes: #2 chain=prerouting #4 chain=prerouting #6 chain=input #7 chain=input #8 chain=input #10 chain=dstnat (*) #13 chain=forward #14 chain=forward #17 chain=output #19 chain=output #20 chain=ou...

jaclaz

Thank you for the suggestion for the wAP AX.

I can't find its radiation pattern, is it unidirectional?

It is 180°. Front side.

Using very wide degrees, in more commonly used ones it is more like 90-120°:
viewtopic.php?t=212255#p1107142

jaclaz

I will try again. 1. In which chain= should 8 go? 2. In which chain= should 10 go? 3. In which chain= should 20 go? 4. In which chain= should 25 go? I am asking 4 (four) questions, numbered 1 to 4. I expect 4 (four) answers, numbered 1 to 4. Any other answer - particularly if partial - only confuses...

jaclaz

The problem stems from the fact that Mikrotik renamed "nat PREROUTING" to "/ip firewall nat add chain= dstnat " and "nat POSTROUTING" to "/ip firewall nat add chain= srcnat ". This is not terrible naming, btw. And yes, they renamed just these two, in the othe...

jaclaz

@jaclaz: I'm sorry to notice this only at this late stage, but logically reading your diagram (I mean the horizontal and vertical arrows at the left and top) it's not easy to deduce that no. 10 would be used in Mikrotik as "nat add chain=dstnat" (not chain=postrounting), and similarly wit...

jaclaz

In the next release, I will add something *like* this.
Hopefully giving the impression of "a bunch of stuff floating inside the router".

Mt_services.JPG

jaclaz

6. detect internet

You must be joking

, that is Rule #5 of the Mikrotik Club:
viewtopic.php?t=215004
no way it will be mentioned on the flowchart as people might believe that it actually does something (useful).

jaclaz

This post does self-destruct within 5 seconds, doesn't it ?

Naah, it uses Mikrotik v 6 date/time format, but runs on v 7 so it will self-destruct at a random instant between last week and next year.

jaclaz

Why exactly do you think that the example has three dots last? :) I could even change those to "etc." :wink: Your mission, should you accept it, is to list a number (no less than 6, no more than 12) of the most commonly used *things*, those that can be considered exemplary for the concept ...

jaclaz

I was referring to something very much like yours, with the gray circle. My suggestion was to basically just have the gray circle, and give the things that are now rounded rectangley less focus. Simply because it's pointless to write "to local process", when we have a box labeled "lo...

jaclaz

Let's see if I can help. This is not strictly Mikrotik specific, in *most* scripting language something like this: [/ip hotspot cookie get [find where user = "test" ] mac-address ] loosely means: in the context of current place (/ip hotspot cookie) get the value of the field mac-address of...

jaclaz

Added some semi-random graphics in the middle.

It seems to me like better representing the idea that there is some mechanism inside the router that will take some decision.

Flowchart_beta_02_cogs.svg.png

jaclaz

When you want to practice RouterOS configuration you can download a CHR version of RouterOS and run it in a virtualization program. But CHR has not *anything* wireless AFAIK, so while testing in - say GNS3[1] - is extremely useful for routing, firewall, etc. it is not for anything wireless related....

jaclaz

I don't think that's necessary (something describing the "link" between #9 & #15), because for a packet destined for the router, its lifetime ended at #9. The "flow" of that packet has finished there. Let's say we add something explaining the fact that after a packet has rea...

jaclaz

Well, not exactly. 1->9 is the flow for the initial packet client->router; 15->27 is for the response packet router->client. They are different packets - that the ssh server (daemon) produced the second packet in direct response to the first is not a firewall question. E.g. a DNS request may trigge...

jaclaz

You can try Winbox 4, that though still in the works, should work fine for normal settings of a router and can run on Mac.

jaclaz

And what do you call [1] the people working at FCC managing the technical part of the norms, attending technical committees and similar, if not electrical engineers? [1] not what you actually like to call them or what you would like to call them :roll: , their official title or what they usually ans...

jaclaz

A basic accessory whenever doing connections Is to have a set of suitable adapters/converters: https://store.rokland.com/en-de/blogs/news/connectors-101-rp-sma-vs-sma and rest assured that this kind of mess Is created by electrical engineers (and their committees) exactly to make consumers go crazy....

jaclaz

The first thing to do when encountering issues is to stop digging! ;-P There is still a few guys in the pic without name. You can add some comments and one will be named anav :D anav could be the one top left, depressed/frustrated as in this thread he cannot suggest VLANs nor "drop all else&qu...

jaclaz

There will always be something cosmetic left to do, but that's what I would call basically (almost) done. Thanks for the not insignificant effort! For me at least the latest 100% opaque is shown as 100% transparent :-) Is there this much difference between browsers? Can the page's css interact with...

jaclaz

Yep, I'll fix the /ip firewall filter. The fun thing is that I didn't use (AFAIK) a gradient, anyway it is far more dark *everywhere* than I would have expected. Maybe the 50% opacity is too transparent for your darkmode I'll check the gradient (if any) and try with 70% opacity EDIT: files in post #...

jaclaz

OK.
Let's see how it goes with this version (directly as svg).
Background set to 2.5% Grey (in practice a non-brilliant white) with Opacity 50% 70% (in a .zip file as the board does not allow .svg extension).
Added inline the png version.

EDIT: files removed

jaclaz

Why not publish plain svg?

Sure

, that's entirely possible.

jaclaz

If unit is kept inside, I'm lost at how that much water could start to leak...although I guess the RB5009 does get hot, so if you have a lot of humidity perhaps... but thermodynamics is not my speciality so IDK. Not really thermodynamics, more like chemistry. Anyway when humid air encounters a cold...

jaclaz

Very minor, but eventually, if you use GIF with Alpha channel that might allow better support for dark-mode, to avoid the hideous sand color background. I think that png is better in resizing/adapting to various resolutions, and it supports Alpha channel just fine. The question is what colour (and ...

jaclaz

* On the background color. I think that at least for the default png version legibility should be primary (come on, we all know that will be the one that's going to be viewed the most - people are lazy) For me the current color works in this regard, but I'm sure someone with more experience can com...

jaclaz

Yep, and it will be a two step at least update.
You need to first get to 7.12.1, and only once you are at that version you can update again.
https://help.mikrotik.com/docs/spaces/R ... ding+to+v7

jaclaz

CRS means Cloud Router Switch (I usually write it as Cloud Router Switch it is a switch with marginal routing capabilities, the leading Cloud has been added by the marketing department for no apparent - probably they had to justify their salaries - reason). RB means Router Board so, clearly :? it is...

jaclaz

before purchasing the equipment i wanted to know if anyonew has anything particular to say about this device?

... speak now or forever hold your peace ...

Ahem...
cough, cough,
RB5009 is 110 bucks less ...
cough, cough.

jaclaz

@Paternot
The item you hover the mouse on is unning, what's the problem?

jaclaz

Have people had problems upgrading from 6 to 7? I mean in a simple set up like mine? I don't think you will have issues in the upgrading, in a basic configuration, and on a device without wi-fi the changes (if any) should be minimal. Take into account that 7 is a bit slower, some say by 15%, some s...

jaclaz

OK, another version. New numbers/text: 1 Incoming Packet 2 raw PREROUTING 3 Connection (state) tracking 4 mangle PREROUTING 5 src addr=self? (loopback) 6 mangle INPUT 7 filter INPUT 8 nat (srcnat) INPUT 9 to router's internal process 10 nat (dstnat) Prerouting 11 Routing Lookup 12 dst addr=self? (lo...

jaclaz

I have to think about the symbol/shape for "loopback (lo)", instinctively It should be different as It Is "pass-through". Strictly speaking the wavy rectangle Is not standard flowchart the symbols for "begin" and "end" Is the rectangle with rounded ends, same ...

jaclaz

I think this latter can be solved, I could add a "loopback" box (between 9 and 26) and from it feed it back to 2. That would be something that I would understand much more than either the current go to Outgoing Packet or "direct re-feeding to #2". What about the exact text for th...

jaclaz

Power loss consideration has also crossed my mind. RBM will be powered by about 12m of cat6a, so given 28V power supply and your figures for power loss I'm looking at ~13-13.5 watts of disposable power. Looks borderline sufficient , too bad RBM33G doesn't expose any power/voltage readings to look a...

jaclaz

I don't know. I am only trying to make the IPTABLES flowchart lurker888 posted a link to at the same time more suited to Mikrotik while keeping it readable by IPTABLES experts AND make it understandable to the "masses" AND attempt to organize it visually in such a way that WHERE the settin...

jaclaz

Good that it is solved :) . Very likely you (or the script) deleted the WAN interface list (why?) and the net result is: /ip firewall filter ... add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-li...

jaclaz

Besides the configuration script, post the actual configuration export after you have run that script.

jaclaz

Yep, though usually the power consumption declared by Mikrotik is a bit "abundant", there are several reports about real life measured power consumptions, most report this to be 2/3 to 3/4 what Mikrotik states in specs. I would be concerned also by the type and length of cable between the ...

jaclaz

I fear i have totally deleted the os on the router Naah, don't worry :) , it is nearly impossible to delete the RoS (if not via hardware). Normally you can reset the device and it will (should) be exactly in the same condition you received it. The reset procedure is easy enough, though you might ne...

jaclaz

I´ve dug up an old-ish MT DISC Lite5 ac point-to-point antenna that I will use for sending IP network via wireless cable. Yep, but you (IMHO) need two such devices, one on the island, the other one at the cabin, for PtP links like these having the same device on both ends (when possible) will elimi...

jaclaz

No prob, here it is in .pdf (which I doubt will be useful in dark mode)

and in .xls (zipped).

and in png with a beige background.

EDIT: removed files, see below for new version.

jaclaz

Sure

, noone ever said that /32 (or /31) are not valid address schemes.

BUT since the /32 doesn't work in the OP setup, then it is not appropriate in the specific case.

jaclaz

2nd (actually 3rd) attempt. Items re-numbered as follows: 1 Incoming Packet 2 raw PREROUTING 3 Connection (state) tracking 4 mangle PREROUTING 5 Is src addr router's own? 6 mangle INPUT 7 filter INPUT 8 nat (srcnat) INPUT 9 to router's internal process 10 nat (dstnat) Prerouting 11 Routing Lookup 12...

jaclaz

I think I can re-add them (12 and 19) in an added column between "chain=input" and "chain=forward" keeping all the rest of the new layout unchanged. The triangle Is the standard symbol in flowchart that means "merge", I could remove the filling if that helps in visualiz...

jaclaz

You can Copy and Paste the configuration. Importing an export Is NEVER a good idea, particularly when the two devices are not the same, but - more generally - usually the destination device has some minimal configuration and importing the export from the old device could create conflicts. A suitable...

jaclaz

How many addresses are available in a /32 network?

Hints:
in a /24 there are 256 addresses of which 254 usabile;
in a /30 there are 4 of which 2 usable.

jaclaz

The connector on the board in the image is not ufl, it is mmcx, see: https://forum.mikrotik.com/viewtopic.php?t=178743 https://forum.mikrotik.com/viewtopic.php?f=3&t=173681 Mikrotik sells a pigtail (for Basebox) that should do (but it has to be checked, maybe it is too long: https://mikrotik.com...

jaclaz

Well, you are perfectly right, but you forget the "my switch (or wi-fi) is faster than yours" factor, that often drives customers shopping choices.

jaclaz

@xsentinel
Yep, sorry for the hijacking

.

@lurker888
Let's move the discussion here

:
viewtopic.php?t=217270

jaclaz

Previous steps (how this idea was born) on another thread, starting from here: https://forum.mikrotik.com/viewtopic.php?t=217249#p1146842 ... working on it ... EDIT: Attached a tentative version. I tried to align boxes along a grid where rows are Mikrotik configuration sections and columns are Mikro...

jaclaz

<placeholder post for the final version - once ready>

I am in the habit of taking pictures to document the progression of works, so here it is (9 June 2025 8:00 Zulu):

photo1.jpg

jaclaz

Yep, but (to me) It makes little sense to use a DHCP server (that at this point needs to be on the ISP router to dynamically provide a single IP to the Ax3 that (I have to assume) is never disconnected and moved around, or connected differently. I may be (actually am) old fashion, but any device tha...

jaclaz

It shows you skippped drawing class for years ... :wink: :lol: therefore I guess I would need to take the interface 2 off of the bridge to configure as a second backup failover WAN? Yep. can the WAN IP's be dynamic DHCP clients? DHCP clients to which DHCP server(s)? It depends on how (EXACTLY) the r...

jaclaz

Yep, forgot last arrow. I like the initial and final routing lookup (#20 and #25), it makes sense to the reader and keeps the distinction between the two otherwise identical boxes. Do we need an attribute for #7? Like "preliminary"? So #15 can be simply removed, right? Or maybe visually mo...

jaclaz

Start by getting some ideas on this thread:
viewtopic.php?t=206680

jaclaz

People watch those "tech youtubers" ... Like - you know - the Mikrotik videos that Mikrotik likes so much to produce ( instead of proper documentation/articles/blog entries). Personally (and this probably shows how old I am getting), youtube is for this or that fun videos (lolcats) and fo...

jaclaz

@lurker888 Attached a re-working of the IP tables diagram (only removed the yellow security-related boxes). In .png and .svg (inkscape) formats. Boxes are numbered from 1 to 27. Tell me, with a list 1 to 27, which text should go in each box (and please find a synonym for the "Decision" in ...

jaclaz

@jaclaz: You're too kind to assign me my own faction. I was under the impression that there are no factions and the usual posters around here (including me) are saying the same thing: * the default firewall is actually a good... well... default - so if you don't have a good idea of what you're doin...

jaclaz

@lurker888 You are complicating my view on firewalling factions, I thought one had to decide which gang to join, the rextenders or the anavites, it seems like there is a third one now, the lurkerans, right in the middle of the two. It Is difficult to define that position, it seems like they could be...

jaclaz

Around 500m distance, on approx same elevation. Well, you would need a directional antenna (actually two of them if using the netmetal) to get the signal at 500 m, point is that directional antennas are directional (i.e. you will cover an area the size of a coin or of a dish. If I get right now you...

jaclaz

My recommendation to try to understand EVERYTHING in the default firewall BEFORE trying to create your own. There is a LOT of subtle things going on there...

And it is also Rule #8 of the Mikrotik Club:
viewtopic.php?t=215004

jaclaz

Only as a side note the (nicely looking and colourful) flowchart posted by chechito and linked to by anav is seemingly wrong/incomplete. The rhombus/diamond shape (purple in the mentioned diagram) is a "decision" so it MUST have two exits. In the diagram the top left "Routing decision...

jaclaz

I mean Normis has to eat!!

Sure

the point is on which diet.
Would crackers and water (ramen and tea and one beer on sundays) be enough or caviar, lobster and champagne?

jaclaz

So traffic coming in goes though the rules as they are laid out in order on my screen right? Regardless of "chain"? In other words since my input rules are listed first then traffic would go through input rules first and then to the forward chain rules next right? And so on until it reach...

jaclaz

The ATL 5G R16 has seemingly only one port, so your topology with two connections to it cannot be done. The Netmetal Ax has also only one port, so you will need to connect both devices to the "solar switch". BTW that Ubiquity thingy has 10/100 Mb ports, whilst both the ATL and Netmetal hav...

jaclaz

Only as an idea (not necessarily a good one, and not necessarily applicable to Mikrotik) I have a license for a completely unrelated local (Italian) accounting software with what I find an interesting licensing formula, basically: a) you pay the license only once (lifetime license) b) each year you ...

jaclaz

The Wap LTE kit is discontinued: https://mikrotik.com/product/wap_lte_kit The successor is the 2024 version: https://mikrotik.com/product/wap_lte_kit_2024 which however still has 16 Mb of storage (that has been found as "tight" for Ros 7.x) For the same money, and depending on what other f...

jaclaz

It is not due to "latest firmware". That happened to people that updated the bootloader with a specific "universal" bootloader update (that later came out as being "not-so-universal"). That particular file never was part of the "normal" update/upgrade. If you ...

jaclaz

Good.

jaclaz

Try uninstalling the other packages on you current version and try downgrading to 7.14.3 or list the installed packages you have now and add ALL the corresponding packages, besides the main one, of 7.14.3 before rebooting.

jaclaz

viewtopic.php?t=176408

jaclaz

7.7 Is rather old. When upgrading there was a paradigm shift on 7.12.1, (different packages) so you needed to first upgrade to 7.12.1 and only from that version you could upgrade further. Probably something similar Is needed when downgrading crossing this 7.12.1-7.13 border. BUT if the issue is with...

jaclaz

Here starts the fun part. In almost any other router you would find somewhere a drop down list with numbers 1 to 11. But It Is too simple for Mikrotik, here you need to find the channel corresponding frequency. https://en.m.wikipedia.org/wiki/List_of_WLAN_channels Example for channel 11 -> 2462 MHz....

jaclaz

Each time pull out power cord will result in abnormal power off, risk to lose data. So will do any blackout (if you are not running an UPS, in which case it will be a UPS failure :wink: ) or limiter switch on that line triggered by *anything*, or someone tripping on the power cord . While it is not...

jaclaz

Plan to make pass-through holes at the angle, and then simply adhere them in place with UV stable silicone/eurethane. Well, you still IMHO need something co-planar to tighten correctly the nuts of the pigtails, so maybe you can get away with pouring something that hardens enough (fiberglass, fiber ...

jaclaz

Hello, I didn't understand, thanks Have you handy an Android smartphone? If yes, get this: https://www.wifianalyzer.info/ scan your environment for wi-fi signals on the 2.4GHz band. Try to set the Ax lite to a channel that doesn't overlap with other, if the channel width of the channel you choose o...

jaclaz

On the 50cm distance - is that best measured at the bottom of the antenna where it passes through the mount tube? (I might as well be precise, since I can cut that to any length) No :shock: , the 50 cm need to be measured exactly (+/- 0.1 mm) on the center of radio gravity of each HGO antenna. Just...

jaclaz

AFAIK the default for EU is to apply GDPR protection but usually one can opt out, examples https://www.pairdomains.com/kb/10-what-is-whois-privacy/?from=pairnic https://support.dnsimple.com/articles/domain-privacy-after-gdpr/ the exact procedure will vary as each registrar will have their own one, b...

jaclaz

@mkx Yep, actually there are three kinds of them: 1) the cheaper ones (transmitter+receiver) which allow no switch (only direct cable) they are not "over IP" they are "over Cat5/6 cable" 2) the mid-range (also transmitter+receiver) ones (like the ones talked about, tesmart, Av-ac...

jaclaz

ok seems clear now!! but then i would effectively need the pc in the kitchen as you had already mentioned.. my Idea was to put the monitor on the kichen wall and a mouse so my mom can turn it on or off when the NVR buzzer sounds and check if it's my cat in the yard and wants to get fed, through the...

jaclaz

Just entered "tiktube" on google and found this: https://www.trustpilot.com/review/tiktube.com Just entered infabo in google and got this: https://www.facebook.com/infabostore/ The one that is on the trustpilot page you found is one of the many scams around, JFYI: https://www.androidb.com...

jaclaz

Good to know about that "true" settings. :) The "mode" button is only on some devices, it is a programmable button to which you can "attach" a script or however an action/command that will be normally executed when pressed. A very simple/basic example here: https://foru...

jaclaz

Ok :) , the Mikrotik list completed with device name and model and (cleverly?) coloured (how it should have been made). The LTAP mini and the KNOT don't have an evident way to check the modem model or it is not present in Mikroptik's original table, if anyone know, please post the info and I will up...

jaclaz

Also, check if the behaviour is the same in Winbox (i.e. is the issue something not generating the data or is it something connected to the way it is rendered in the Webfig UI?)

jaclaz

... I recently changed the default queue type to fq-codel and updated into v7.19.1 stable. One of the common recommendations (not limited to Mikrotik devices and Ros) is to never change two things at the same time, particularly in production. If I were you I would first try changing back the queue ...

jaclaz

i see that they are effectively 69 Euros on Amazon, i can get two of these, and connect as per my diagram? No, not really, it doesn't work that way. The device is a self-standing (mini/micro) computer with these functions: 1) receive (input) the local HDMI signal from a PC (or similar device) and t...

jaclaz

The Ax lite is a single band (2.4 GHz) and Ax600 (574 rounded up to 600). Mikrotik dual band AX devices marked Wi-Fi 6 (like the Ax2) are Ax1800 which should mean (574 rounded to 600+1200=1800): at 2.4 GHz 574 Mbit/s at 5 Ghz 1200 Mbit/s so the 5 GHz is in theory double the speed of 2.4 GHz (reach/c...

jaclaz

Not that I understand much of the VLANs and mangle and firewall filter rules you have, but generally speaking, it seems that your configuration (from 18-05-2025) is what I would call "a bloody mess of inconsistent and illogical names/comments, capable of confusing *any* reader, including you&qu...

jaclaz

... and in my kitchen I was going to place the device on the kitchen wall with velcro :-) Well, don't. :shock: Use instead a "better" velcro, the plastic pegs one (usually made by 3M, "dual lock"), , since you are italian, the kind used to fix the telepass to the windshield, *li...

jaclaz

Doesn't cover the OP's request at all... Well, the OP request was some 5 years ago by now he will have found a solution or learned to live with the issue happily. The thread was revived re-stating the question in much more general terms, and Josephny's suggestion does cover one of the possible even...

jaclaz

On tha packaging of the eSIM physical cards, it is written: TelcoVillage GmbH, Hennigsdorfer Str. 126, 13503 Berlin, Germany I assume this is the vendor (the brand) of the cards. I think it is the actual company behind the esim.me "brand", esim.me is listed among their "products"...

jaclaz

Well, if you have a Netpower Lite it should have VLAN support (even if it runs SwOS Lite). Going through non-managed switch(es) may (or may not) work, it depends on the specific switch make/model behaviour, some let VLANs "pass through" without changes and work just fine, some may strip th...

jaclaz

I confirm I was able to save the eSIM to the physical card without using the mobile app of esim.me. This is huge advantage because esim.me have some fees that confused me. Very good news. :) If you still have the device handy, can you try the commands that were cited earlier and confirm (or deny) t...

jaclaz

Confirmed reboot the router will make the change work. The temperature finally goes down, thanks for all the help. Good. :) It is not at all clear (and actually not even the first reboot is often documented) which particular commands/changes actually need a reboot to be effective (most don't of cou...

jaclaz

What happens with:

{:local "curIP" 10
:put ($"curIP"+1)}

?

jaclaz

Yep. If you get similar antennas but with a joint, you could mount them directly and orient them at 45 degrees diverging, set aside the weatherproofing issues they may work. The hgo-out are "normal" antennas, I don't think they are better or worse than other similar ones, if set apart enou...

jaclaz

The two antennas separated Is good ( the suggested two hgo-out are nonsense, too near each other to work correctly and they cannot be inclined) but not too far apart, the ideal distance is some multiple of the wavelength usually 3x of the 2.4GHz i.e. around 37 cm that Is roughly 6x the 5GHz waveleng...

jaclaz

Ok, with a bit of fiddling, it is actually possible to have a simple compare sheet that needs not to be re-synchronized when inserting or removing cells. Stand-alone, so it can be used by itself or added to the Config_Parser workbook. Attached Config_Compare. (Alpha1, but hopefully there can't be mu...

jaclaz

Yep, but that configuration is from 18-05-2025, thought you had changed something in the meantime.

jaclaz

Hmmm.

Check also in terminal, should be:
https://wiki.mikrotik.com/Manual:System/Resource

/system resource print

And try rebooting again, it might be an artifact of Winbox UI.

jaclaz

I always write down the default setting before I change any setting in case I need to set it back to default ... except this time I forgot. Can someone please tell me what the default setting for IP-> Pool-> dhcp is please? Thank you Just in case tangent keeps a repository with the default configur...

jaclaz

the NVR LAN is well hidden behind that Fortinet firewall and therefore network wise is on a different subnet Not on the drawing you posted. In that drawing there is a connection from the NVR to the Mikrotik switch A, and the firewall is connected to the Mikrotik switch A, not to the NVR. But since ...

jaclaz

But of course your external AP needs to have a free ethernet port to connect the Starlink, the wap AC has only one, so you need a switch or anyway a managed device (better if inside) to connect the Cat6 cable from the hex to the AP and to the Starlink. If you need to put it outdoors, the PowerBox Pr...

jaclaz

Any solution yet, or any workaround? If not allowed by device mode (6), in what mode i can change the CPU speed? Are you asking how to set device mode to allow the CPU speed change or are you asking how to workaround the device mode? If the first: https://help.mikrotik.com/docs/spaces/ROS/pages/937...

jaclaz

A single device is 60 €, either Rx or Tx, but you need two of them, one Receiver and one Transmitter. (and the transmitter is out of stock at the moment). The new version is 77 € so 144 € for the pair. And the kit with the pair is seemingly unavailable on the EU shop) But available on the US one: ht...

jaclaz

Start by posting the EXACT make/models of those KVM extenders. I have used some pairs of them a couple times, and needed not anything IGMP, so maybe you are overthinking it? Last time I used them it was a matter of plugging one device to the network near the controlled PC and the other one to the ne...

jaclaz

Is anyone @Mikrotik looking into this issue? Can I open a case for this issue? Not until you open a ticket at support, while the Mikrotik guys do from time to time use the forum, cases like yours are request for bug fix/new feature (like a setting for - say - RFC1035-max-bytes=512|unlimited) and ha...

jaclaz

To sebastia's joking point -- should we all start waiting a year before buying new release device, so they can fix initial busted designs?? Well, once upon a time it was common advice to not buy a first version of a new car, but wait one year or so for the second version. Running on the edge of lat...

jaclaz

Here: https://mikrotik.com/software Other x86: Netinstall will write RouterOS to any secondary drive you have attached to your Windows PC. Move the drive to your Router PC and boot it it says that netinstall can be used on another PC to install on a hard disk that can later be moved back to the mini...

jaclaz

Yep, still, from what I understand from the OP physical layout: Router A (normally Master in VRRP) has a direct connection ONLY to ISP1 Router B (normally Slave in VRRP) has a direct connection ONLY to ISP2 So when both the routers are working, everything goes through Router A that can well have a p...

jaclaz

That's where a certain number of helium filled balloons may come handy... :) Naah, the Netmetal Ax is not very new, maybe it is just out of stock. But you would need an external 2x2 omnidirectional antenna, which may actually be more difficult to procure, or a couple of simple external ones. The alt...

jaclaz

Ooops, my bad :oops: (though there may be similar issues on the x86 version) Netinstall is said to be able to install the x86 on a hard disk temporarily attached to another PC, maybe you can try that way. Or you can try Pxe booting your minipc to netinstall. Anyway the official instructions suggest ...

jaclaz

The wAP ax has a 180° radiation pattern, ...

Unless you use very narrow

degrees, more like 90-120°.

jaclaz

Yeah, I wondered about that too. Miktotik's product page says "The cAP ac is a very capable and powerful wireless access point that looks beautiful on both walls and ceilings"... Beauty is in the eye of the beholder, but looking beautiful doesn't mean it works properly in whatever orienta...

jaclaz

Yep, but any line beginning with / is not a command, it is a section (or path), normally you issue that line and "change directory" to it and then issue one or more commands all belonging to that same section (the prompt changes telling you "where" you are). In terse this / line ...

jaclaz

2. Normally the wireguard interface is added to /interface list member (as either LAN or WAN, or in some cases even BOTH :shock: , usually LAN ): https://forum.mikrotik.com/viewtopic.php?t=212219 , as there may be other default configuration firewall filter rules blocking the connection. You should ...

jaclaz

Alpha4 attached.

What's new in Alpha 4:
*) the_core - fixed a formula to add compatibility with pasted data with blank lines
*) *_check -added a conditional WARNING message for non existing sections
*) terse - fixed something else somewhere affecting lines after comments losing prefix/section

jaclaz

I still find it odd, ...

You probably mean weird

.

jaclaz

therfore I need to use a phone & remove the SIM card to change the eSIM in use But the actual advantage of having an e-sim Is the possibility to not having to, i.e. avoid climbing up a pole or up a ladder, or having to walk on a roof, etc. Unless some of these physical e-sims are FULLY supporte...

jaclaz

Also open to any replies that say "you're an idiot, you need to turn on X"... ;-) I am pretty sure that you can have that, too, and for free! :lol: The WapAx is an exception, it is rather directional, the W stays for Wall, so in the back there is little radiation, the most is projected fo...

jaclaz

One thing to note is that when you give the command "system/device-mode/update routerboard=yes", the CRS must be powered down for the update to take eeffect. upon reboot you can now reset the OS to SWOS. Yep, the good Mikrotik guys are seemingly all subject to special training to make the...

jaclaz

Oh! The single line is exclusive of the top level and command ("/ip address" in this case). Got it -- thanks. Not really, any looong configuration line that gets split by export is multi-line. Another example, here BOTH settings are multi-line: /interface wifi set [ find default-name=wifi...

jaclaz

The CHR image is usually not validly partitioned for UEFI (wrong filesystem and another couple of issues).

Try with the FAT modified image from here:
viewtopic.php?t=184254
https://github.com/tikoci/fat-chr/releases

jaclaz

so, the next question is....How on earth do I get the CRS into SWOS? I assume device mode must be disabled. Well, you cannot disable it, but you could try setting the update routerboard to yes: https://forum.mikrotik.com/viewtopic.php?t=214402 https://help.mikrotik.com/docs/spaces/ROS/pages/3047431...

jaclaz

Example. The first entry here is multi-line: /ip address add address=192.168.88.1/24 comment=defconf \ interface=br-main network=192.168.88.0 add address=10.0.254.1 interface=P8-MGMT network=255.255.255.0 Translated to single-lines: /ip address add address=192.168.88.1/24 comment=defconf interface=b...

jaclaz

I hate this deja-vu feeling I have...

No, wait

:
viewtopic.php?t=213043

Repetita iuvant ...
https://en.wikipedia.org/wiki/List_of_Latin_phrases_(R)

jaclaz

Anything is better than printed labels, that will get lost and damaged

Not *anything*.
Only as an example papyrus self-destruct messages:

would have been much worse:

jaclaz

Just buy 9esim.
You can see all profiles and switch between them in winbox.

You should add this piece of info (possibly expanding on it) on the same thread where you stated that 9esim doesn't work or doesn't fully work:
viewtopic.php?p=1137223

jaclaz

1) This will take an exported config and provide the Export in both single line (which appears to be multi-line) and "terse" formats; 2) It pulls out (i.e., makes a separate worksheet) for /ip/firewall/filter, other /ip, /interface, Yep, that is the idea. The "single line" is ac...

jaclaz

Remember isn't Mikrotiks idea, it's the idiots in the EU Parlament. Not really-really. The "idiots in the EU parliament" [1] wrote vaguely something about increasing security to protect EU citizens. Mikrotik decided to implement it in this particular way (other manufacturers still use &qu...

jaclaz

@Amm0 Your nice suggestion/request may be a tad bit too ambitious for Mikrotik. It could represent "stage 2" of e-sim compatibility. In "stage 1" Mikrotik could invest: 1) esim.me $35 2) esim.5ber.com $25 3) sysmocom.de $24 4) .9esim.com $24 5) one or two days of engineer work Al...

jaclaz

Version Alpha 3 attached. Now it is (should be) compatible with all three common forms of exported config: 1) actual .rsc file/text file 2) posted config on board (within CODE tags) 3) NEW! posted config on board (direct on post or within QUOTE tags)[1] What's new in Alpha 3: *) Config_Input - edite...

jaclaz

Well, you are running 7.19 something, a couple of versions ago the good Mikrotik guys decided that to make life easier safer for their user they had to implement device mode.
Check:
https://help.mikrotik.com/docs/spaces/R ... evice-mode

jaclaz

The speed declared Is exactly the same for the hex refresh and for the new hex S. (same chips and block diagram) For ten bucks more you get a SFP cage and 802.3af/at compatibility. Even if the real throughput of the SFP is only 1 GB, It still is one port more than the plain hex (refresh). Of course ...

jaclaz

If you want something flatter, you can replace the pipe with a short piece of plate or a small round bar with two holes for the plain anchors, all you need is a couple washers to keep it enough away from the wall to allow the clamp to pass behind the plate/rod. *like*: https://nautos-usa.com/product...

jaclaz

Very good :) . The possible issue with your script as is, is that if the rx-packets are low for ANOTHER reason (let's say a flaky cable/connector or the power to the cameras is off, or whatever) the power-cycle on ether2 will change nothing, so you will have the interface being powered cycled again ...

jaclaz

Visual explanation, the unplugger

:
https://www.youtube.com/watch?v=ApRllnOHxOg

jaclaz

Thus in everything Ive read its not clear if VRRP is simply for hardware failure only or if the unavailability of the ISP connection also comes into play. It is simply for hardware failure AFAICU (because as said the *whatever* triggers the master/slave status is ARP based), that is the point, in t...

jaclaz

I meant the installation in a 19" network rack, not in an electrical rack on the DIN rail. That way I can attach the switch with a wire to an internal pole. I see, now :) . I think the idea is to sell the faster (but almost double the price) CRS328-24P-4S+RM: https://mikrotik.com/product/crs32...

jaclaz

The device is already intended for pole/post mount (via a normal tie/clamp[1]), so I don't understand the second part of your question. If you want to remain in Mikrotik's "solutions", you can get one of these: https://mikrotik.com/product/QMP https://mikrotik.com/product/QME Both simply &...

jaclaz

Hmmm. I don't think that recursive has any consequences on VRRP setup. I.e. a master with failed connection will remain master, as the status/detection is ARP based from what I understand. It is more probable that a netwatch script triggering the status will be needed, *like*: https://forum.mikrotik...

jaclaz

I haven't seen many reports about Mikrowizard "not working" (reports are more this is missing or this >particular thing> doesn't work as I expect): https://forum.mikrotik.com/viewtopic.php?t=209925 yours may well be the one exception to the rule, but I would try again and in case try troub...

jaclaz

Why isn't there a rack mountable version of netPower 16P?

Because it is easy to make one yourself if needed?
JFYI:
viewtopic.php?t=216995

jaclaz

For what is worth, find attached a spreadsheet with a quick comparisons of the specifications of the two "plain" Hex's and of the two Hex_S's. The new Hex S (2025) seemingly has exactly the same architecture/block diagram as the Hex refresh (with the added SFP, of course). If/when the know...

jaclaz

Surprised to not have heard anything back on this. This is resolved as noted above. Mikrotik as still continued not to respond at all to my support request any further for weeks now. -Steve It is not unheard of that in some cases they take a lot of time to reply (while in some other cases they are ...

jaclaz

Given the frequency with which the 3011 Is reported developing this issue, after having worked just fine as PoE PSE for months or years, my bet would be on the switching transistors or mosfets either aging prematurely or however failing.

jaclaz

Personally I can only dream about a 300/300 internet connection, but going with the good ol' rule of thumb of 512 bytes packets with 25 firewall rule, I would look at the hex (RB750GR3): Routing 25 ip filter rules 265.2 and would judge it as "too weak" (though we have seen that in real wor...

jaclaz

Check:
viewtopic.php?t=210031

https://blog.linitx.com/mikrotik-lte-ho ... pn-issues/

jaclaz

I don't even know what these settings are, Essentially cellular LTE connection revolves around this thing called APN, Access Point Name. A given provider may set this automatically or require It to be entered manually. In some cases, even if the provider attempts to set It automatically, the device...

jaclaz

I would read the message as:
1) contact Mikrotik support
2) send to them the supout file OR if you cannot generate one, tell them so

jaclaz

Obligatory xkcd, workflow

:
https://xkcd.com/1172/

jaclaz

Try Winbox 4. It should work, besides with the crappy Windows we (good?) ol' time dinosaurs use (Windows XP, and SP2 while we are at it, in my case, and yes, I know) also with (hard core) Linux and (hipster) Mac, though being still in the works it has still some corners that needs be rounded. Winbox...

jaclaz

Worth noting that I have yet to fully understand the scope/target scope mechanism. Which makes two (an even, round number) of us. :) Hence the simplified approach, quoting myself: 10. Both routes must have scope=10 11. The "narrow" (/32) route to the canary must have target-scope=11 12. T...

jaclaz

Also, seen in my (newish, experimental

) parser (shameless plug

) :
viewtopic.php?t=217063
it seems like you have some empty fields in routes settings.

jaclaz

At first sight, your configuration is very neat and ordered (good :) ) but I believe you have not correct scope/target-scope on the routes. See starting from here: https://forum.mikrotik.com/viewtopic.php?t=216395&hilit=target+scope#p1140238 The simplified approach: https://forum.mikrotik.com/vi...

jaclaz

You haven't got any
*) ... fixed ... (introduced in Alpha 1)
lines.

Yep

, since Alpha1 is the first release it would have been redundant, rest assured that if needed the "introduced in" formula will be used in next release.

jaclaz

Do check the cable-test, see links here: https://forum.mikrotik.com/viewtopic.php?t=215553#p1144605 From my very limited testing (only on a single old device) it looks like it is not particularly reliable/accurate, since likely the short (or resistance) checking mechanism uses the same methods, mayb...

jaclaz

Updated to version Alpha2. Alpha1 removed. What's new in Alpha 2: *) Config_Input - added note to input to increase compatibility with pasted data *) the_core - fixed a formula to increase compatibility with partial configurations *) *_check - fixed a typo, coumns to columns *) *_check - fixed a typ...

jaclaz

I think that it is wrong or at least useless to analyze this accident attempting to put the blame on this or that forum user or this or that line of text or its (mis-) interpretation. Accidents often happen because of multiple concurrent causes or because the preventive measures and appropriate proc...

jaclaz

I thought there were more info, according to the wiki: https://wiki.mikrotik.com/Manual:PoE-Out maybe the 3011 misses them i.e. it has an injector and not a controller. The 3011 is reknown for having this issue, see: https://forum.mikrotik.com/viewtopic.php?t=121974 but two out of two is really toug...

jaclaz

In any case, discussion about the (not so much) "UNIVERSAL" update should go on the dedicated thread (where in the meantime user felixca posted a nice recovery guide for such bricked RB5009s: https://forum.mikrotik.com/viewtopic.php?t=216738 https://forum.mikrotik.com/viewtopic.php?t=21673...

jaclaz

Not an article, but possibly useful. Very often, when reviewing the export of the full configuration some forum users post for review or check, I find extremely difficult to read it, particularly when it is not posted enclosed in "code" tags. Even when the proper formatting is used, I have...

jaclaz

What do you see on the RB3011 with:

/interface ethernet poe monitor [find]

?
Post the output.

jaclaz

FIrst thing, a forced reboot is not a very good idea (you lose log), and it should be used as last-last solution if everything else fails. So you should try if the connection resumes after performing some "softer" actions (enable/disable the LTE interface or the USB bus, or *something else...

jaclaz

Yes, you need to find out first WHAT caused the issue before replacing the chip. That kind of "chip explosion" is actually quite rare, usually they just show some sign of over-heating, as lurker888 stated it is likely that it is the effect of an excessive current going through it (I rememb...

jaclaz

I think it may depend on the RoS version, but there can be a few (sanity) checks performed on the line even when it is poe-out=forced-on. I.e. "forced-on" does not really mean "forced-on", but rather " forced-on IF I can measure a resistance between 3kOhm and 26.5 kOhm AND N...

jaclaz

Here's my guide for recovering the device: https://github.com/kaechele/rb5009-unbrick Very good work! :D Besides the good engineering work, the Latvian proverb is a touch of genius. :lol: If I may make a suggestion, you should put some better reference here (possibly with a link to the forum thread...

jaclaz

I still might make use of a sticker. Q.E.D. :) ... and has potential of dammaging your retina because failing to see LED's activity increases probability of looking directly into it. Sure, lots of people became blind by staring at surveillance cameras at night and trying to visually check if their ...

jaclaz

As is written above: The bricking issue is not related to the 7.19 release but to having upgraded your protected RouterBOOT environment which you shouldn't have done on a RB5009.

You have an appropriate avatar

, Bork, bork, bork!

jaclaz

Out of curiosity, and of course only if you are willing to take the time to test it and report, it would be interesting to see what the built-in utility of the Mikrotik (cable test) sees on that cable. Some reference: https://forum.mikrotik.com/viewtopic.php?t=214457 https://forum.mikrotik.com/viewt...

jaclaz

Ok, there is no other possibility then putting a sticker in top? Strange.... You can solder a pull-down resistor to the led to dim it, or replace the led with an infrared one :shock: (it sounds stupid, I know :) , but usually you can see infrared led activity through your smartphone camera, so you ...

jaclaz

I just have to ask. I have a RB5009 with 7.18.2, Factory firmware 7.6, current firmware 7.16. I never uploaded anything else than official packages on it. Can i update to 7.19 safely or not. It's my main route to the net, so it would be good if it doesn't get bricked. The issue is not with the new ...

jaclaz

Or ( common PVC insulation tape adhesive tends to smear over time), dedicated stickers (hopefully with more stable adhesive) do exist, google for "LED Light Blocking Stickers" or "LED Light Dimming Stickers"

jaclaz

I follow you in the first part of your post, but I have difficulties in following you in the second. :? The resistance of 100 m of one of the the wires inside a Cat 5 or better cable (AWG 22/23/24) should be in the order of magnitude of "a few" Ohms (5-10): https://en.wikipedia.org/wiki/Am...

jaclaz

If you write to support, providing the router serial, they should be able to verify if It Is still under warranty.

jaclaz

Yep :) , thank goodness netinstall has some mechanisms to identify the hardware/architecture and only shows update files (.npk) that are suitable for the connected device. Probably an added warning *like* "Netinstall cannot find any suitable update file, check the architecture of this device an...

jaclaz

( besides 10.20.20.1=wg0 , well sort of )

Yep

, but since the examples on the help page:
https://help.mikrotik.com/docs/spaces/R ... /WireGuard
use the wireguard interface (and not the IP on the other side of it) I would expect to start from there.

jaclaz

What is this funny business with the webfig mikrotik_logo.svg?

m for measles ?

jaclaz

I would try adding a route with gateway set to the wireguard interface.

/ip route
add dst-address=0.0.0.0/0 gateway=wg0 routing-table=main

jaclaz

Not that It necessarily applies to Wi-Fi radios, but in the (good?) all times, as a kid, I did fry a few radios (think of CB radios with 1970's discrete components electronics). Those radios never failed "gracefully", one moment they worked nicely, the next they didn't anymore, sometimes e...

jaclaz

Post the output of:

/ip route print

thrice, once when everything is working as it is supposed to, once when you have the false positive (should be the same as the first), and once when the secondary link is down.

jaclaz

169.254.x.y are APIPA or local-link addresses: https://en.wikipedia.org/wiki/Link-local_address basically a device running a dhcp-client that for *whatever* reasons does not receive "fast enough" a "proper" IP address from the dhcp-server *may* self-assign an APIPA address to hav...

jaclaz

https://mikrotik.com/product/RBwAPG-5HacT2HnD

Product code RBwAPG-5HacT2HnD
Architecture MIPSBE

BUT:

I downloaded the routeros-7.19-arm.npk package (also tried with 6.x versions).

I would try with the routeros-7.19-mipsbe.npk package.

jaclaz

A simple sign *like* this would have probably helped

.

But the base issue remains, it is the software that should check and NOT run unless ALL the conditions are met.

jaclaz

(The manual has been clarified).

Which implies that before it was not clear enough...

jaclaz

The package is 3.1 Kg: https://www.mikrotik-store.eu/en/mikrotik-crs318-16p-2sout-netpower-16p so yes, 3 Kg is roughly correct. The problem with DIN rail mounting of such a large device is not weight (provided that the rail is properly fixed to the wall and that the clips are not fixed too off from ...

jaclaz

@normis If you want to believe that you are right, that your customers are demented and do silly things for no reason, you are welcome, but this time (and as often happens with Mikrotik help) the message was - to say the least - ambiguous. blunt for blunt: You can cry and stamp your feet as much as ...

jaclaz

I don't understand how your setup works, anyway I believe you can run via scheduler a script every - say - 1 minute - and check rx-bytes on the interface, like here: https://forum.mikrotik.com/viewtopic.php?t=208977#p1086419 In a nutshell: /interface {:put [get ether2 rx-bytes]} then, after a short ...

jaclaz

Yep, on most if not all Mikrotik routers (the SoHo ones, including Ax3) the default configuration is with ether1 as WAN and all other ports into a bridge as LAN. Some devices even have (had) ether1 marked as "internet" on the case. Even if on a switch it makes no real difference, It makes ...

jaclaz

Not that it changes anything, but if you decide that the emergency management port is ether1, you should have ether1 as mgmt also on the router. The "usual" convention in Mikrotik is the opposite (the reserved emergency management port is the last one and ether1 or SFP1 is the one "to...

jaclaz

You are welcome :) , happy you found a way out. Only thinking aloud, but I would try to change the distance of the routes (as opposed to disabling them). This way you would have another matcher (the distance). In the down-script you would change the distance from 1 to 10 (or from 5 to 50), and in th...

jaclaz

I don't think that there is that much choice, when the eSIM support was announced: https://forum.mikrotik.com/viewtopic.php?t=214977 it seemed that there were only two eSIM provider in EU: https://forum.mikrotik.com/viewtopic.php?t=214977#p1130907 to which you can add 9esim https://www.9esim.com/ (t...

jaclaz

I have no experience actually using a fusion splicer, when I needed some splices I called an electrician I knew and he made the four fusions for 100 € (with the fiber and pigtails I provided) but I believe that it is not too difficult, we have this nice report of someone documenting a DIY job: https...

jaclaz

Yep, being locked out Is one of the common mistakes when starting with Mikrotik devices, it is part of the learning experience.
But there should not be the need of doing a netinstall, a simpler reset should be enough.

jaclaz

Winbox3 or Winbox4?
(the latter has been reported as having sometimes issues with MAC connections)
IP access ( if available) should be more reliable.

Time to get familiar with the rules of the Mikrotik Club?
viewtopic.php?t=215004
Namely #7.

jaclaz

Assuming that you have already tried both bootloaders (one with reset button pressed/shorted before applying power, the other with reset button pressed/shorted immediately after applying power), there is not much else you can try if not attempting a complete reset and then netinstall. Should be 300 ...

jaclaz

A Camera is connected to ether2 and sometimes, for some obscure reasons stops video streaming. What happens in the "other" direction? I.e. does the camera: 1) respond to pings when it is working 2) stops responding to pings when it stops streaming If both the above are true, you can use a...

jaclaz

Yep, now what is happening is clear, how to change this behaviour is another thing. Pairing the routes in /ip route export with those in /ip route print (simplified) and matching them with the netwatch script lines (see the attached image) it seems to me clear that each time the down-script is run t...

Search found 3125 matches