MikroTik

jaclaz

But then, you have a switch connected to ether3 ( in order to connect more than one device to it)? And on the "other" side (WAN, ether1) you have only the modem/router? I am struggling to understand if the Mikrotik role should be that of a router or that of a switch ( or maybe a mix of the...

jaclaz

Hmmm, I see. :( In hindsight it is obvious :oops: , my bad, ether3 is not "connected" to anything, and when you add an address to it, a new route is created that goes in ECMP with the one already created by the connection on ether1, so it is essentially mixing up LAN with WAN. Maybe making...

jaclaz

Maybe you can follow this path: https://forum.mikrotik.com/viewtopic.php?p=998884#p1074217 First make a PTP, test it one pair at the time, then change the AP to the mode supporting more clients (stations). Otherwise there is a full configuration posted here: https://forum.mikrotik.com/viewtopic.php?...

jaclaz

The Chateau LTE 18 Ax : https://mikrotik.com/product/chateaulte18_ax Size of RAM 1 GB Storage size 128 MB The Chateau 5G Ax: https://mikrotik.com/product/chateau_5g_ax Size of RAM 1 GB Storage size 128 MB The Chateau LTE12: https://mikrotik.com/product/chateau_lte12 Size of RAM 256 MB Storage size 1...

jaclaz

The error message should be telling what the issue is: # No IP address on interface Try adding a static IP address to the ether3 interface, in the same range as the "parent" DHCP server, i.e. 192.168.3.0/24 but outside of its pool (usually a DHCP server excludes a number of addresses besid...

jaclaz

The SXT6 has only one port? https://mikrotik.com/product/rbsxtg_6hpnd Ahh, wait, maybe you mean a SXT LTE6, this one: https://mikrotik.com/product/sxt_lte6_kit It has passive only PoE (both In and out) in a very wide range of voltage, 12-57V , it depends at which voltage you power it (through its Po...

jaclaz

Generally speaking the issue with the LTE modem inside and the external antenna is the distance between them. The loss on the cable between the two is very relevant, so if you can stay within a short length of cable (5 m are already a lot, possibly 3 m or less, the shorter the better) it might be OK...

jaclaz

I think you need to allow/accept explicitly in input chain UDP traffic for 224.0.0.251 and port 5353 for mDNS, see:
viewtopic.php?t=208937#p1098656

jaclaz

There is no need of a second bridge, as a matter of fact it is usually advised to have a single bridge, you can take ether3 interface out of bridge "bridge" and use it "self-standing", without adding a bridge. What probably caused the no ping and no internet is the firewall, it i...

jaclaz

<r>Also, keep an eye on this:<br/> <URL url="https://forum.mikrotik.com/viewtopic.php?t=214795"><LINK_TEXT text="viewtopic.php?t=214795">https://forum.mikrotik.com/viewtopic.php?t=214795</LINK_TEXT></URL><br/> <br/> If it works it seems to me like a nice way to double check and exclude false alarms ...

jaclaz

I don't think that it can ever fit in a 1U, unless you remove the heatsinks (replacing them with something else somewhere else, flat heat pipes to a new external heatsink on the back?[1]) the device is "as is" 78 mm but even if you cut away other parts of the case or make your own one, the...

jaclaz

All I said was factual. I have not heard anyone else state drop all else is a problem. In your arrogance (or senseless hostility, or both) you missed the essence of my post, in my opinion the issue is not the "drop all else" rule in itself, it is the way some people (particularly you) adv...

jaclaz

You're right ... need to investigate more .... Yes, as from log both, or at least the second, http-resp-time (and http-status-code) happen once event down happened, which makes little sense. The second set appears almost a second later, that seems to me too much to be a delay of the OS, You need to...

jaclaz

Drop all else is only a problem in your mind, and because you dont follow a methodical use case and requirements based process in your thinking.

Well, at least I am able to express my ideas without attacking or offending other people.

You don't have enough new users to shout at today?

jaclaz

In your log the http-resp-time has once 3.092ms and once 2.788ms, so they don't seem the same remained sticky".

jaclaz

The issue with the "drop all else" is that it drops all else . :shock: Anything that is allowed in any of the previous rules won't ever get to the drop all else one (as well, anything that has been dropped in any of the previous rules, of course). So in itself the "drop all else"...

jaclaz

Under a bridge, the first one is in WAN1 and the second is in WAN2, and after connecting the two lines, the second line is shown red on the slave interface. I don't know how to do it. I will try again. WAN1 (ether1) should NOT be part of a bridge. WAN2 (ether2) should NOT be part of a bridge. Even ...

jaclaz

You should post your full configuration, the issue may (or may not ) be in the firewall.

jaclaz

I wonder if it would be possible to take the NetPower 16P out of the outdoor enclosure completely, and then make something custom, possibly even mountable in K-79 bracket, so that it doesn't look like a hack job. Though for how much it costs I'd rather not accidentally damage it while doing that. A...

jaclaz

They are simply two different approaches, one believing that the default firewall rules in Mikrotik Soho devices configuration is "good enough" (and they seemingly are in most cases). The other one believes that that it is more "accurate" or more "safe" to explicitly al...

jaclaz

In terms of the question................. answered.

JFYI, in Tuscany "Che cosa?" would be more probably "Icchè?'" or "icchè t'ha detto?".

jaclaz

Create a LAG (Bonding) on Device1 and on Device2 -> thats all

Which one is device1 and which one is device2? (among the devices OP listed)

jaclaz

No, whenever possible only one bridge is advised. Typicallly you have: 1. ether1 as WAN1 2. ether2 as Wan2 3. a single bridge with all other interfaces as LAN bridge 4. some configuration that load balances the two WAN connections in a given ratio or "semi-randomly". The above is the essen...

jaclaz

The Wap Ax (which is reported as being a very good device and is a recent addition to Mikrotik range) is rather directional (being a Wall AP) in the 90° to 120° angle, so it is not a direct replacement for the Groove, which is omnidirectional. So it depends on the size/shape of your home and outside...

jaclaz

* Change IPv4 Multipath Hash Policy under IP -> Settings to L4. That is the setting that I didn't know about, thanks. :) If I get it right (from this post by Amm0): https://forum.mikrotik.com/viewtopic.php?t=210016#p1090803 it helps the ECMP algorithm used to divide the traffic between the two rout...

jaclaz

Right now I have nothing connected to the Mikrotik device eth1. It is connected only using a cable to eth3. To handle only the DHCP part, is the above connection correct? Yes, why not? (assuming you are using a Soho Mikrotik router with its default configuration that normally sets ether1 as WAN and...

jaclaz

aha, so you suggest to try the plain x86 release? I will release as soon I have possibility to have some downtime. Thank you, I didnt think to use the x86 on CHR to downgrade. They aren't two versions/releases. On the "current" page the same file is listed/linked twice: 1. RouterOs v7 -> ...

jaclaz

Yep, but we can go step by step. there is always time to replace the current TP-Link with a faster switch. At the moment the questions are more or less (as I see the matter): 1. Can I connect two (LAN) 1Gb ports on the ISP router to two (1Gb) ports of the RB5009 and get more speed than a single conn...

jaclaz

Yes, if you stay on the /20 network it will work :) . I was thinking that it would be cleaner to have different subnets and multiple IP addresses on the gateway port (this can be done on Mikrotiks, it has to be seen if it is possible on your current gateway). Or you could have two Mikrotik routers i...

jaclaz

Well the Netpower 16p (CRS318) is actually narrower (212 mm wide) and it is 78 mm thick (i.e. less than 44x2=88 mm), so if you cut away the door and the corresponding lower protrusion it would fit (but in 2U). If it fits, I sits: https://www.boredpanda.com/blog/wp-content/uploads/2014/02/funny-cats-...

jaclaz

No mercy.

Poor misdirected packets

.

jaclaz

I don't understand your diagram. If the server has a network address 10.0.84.20 and the ISP router has (LAN side) 10.0.84.10 they will "talk" to each other, OK. But the Mikrotik router has ALSO 10.0.84.20 (on the WAN side) and since it is also connected to the same ISP router, there will b...

jaclaz

Rules of the Mikrotik Club: 1. You do not use VLAN1 2. You DO NOT use VLAN1 3. You remove default user admin and set a strong password before connecting to the internet. 4. You do not use Quickset. 5. You do not use detect internet. 6. You keep routerboard firmware upgraded to the same release as Ro...

jaclaz

Are you familiar with Winbox and its terminal? This is an example of a basic setup that can be used in a simple environment, it is half CLI commands and half description on what to do in Winbox. https://github.com/misterkrittin/Scripts-MikroTik/blob/main/PCC%20Load%20Balancing%20(DHCP%202%20WAN).txt...

jaclaz

The technology is fine, it is the implementation and (lack of clear) documentation that create the issues.
I love standards, there are so many of them ...

Classic XKCD:
https://xkcd.com/927/

jaclaz

You asked about recursive backup (actually failover).

But there are other ways, I would suggest you to use netwatch instead, see:
viewtopic.php?t=198999
viewtopic.php?t=198999#p1102129
the above is as simple as it can be.

jaclaz

Only as a side note: 1) it is IMHO not a very good idea to have the DHCP server set to serve the whole subnet, I would keep a few addresses of each subnet not assigned i.e. 192.168.12.1 0 -192.168.14.254 2) You seem to have ignored this note by Sindy: Many devices are unable to handle a gateway outs...

jaclaz

It depends a lot on the specific ISP, many (most if not all) will provide a device (ONT or Optical network terminal) that may come in the forn of a "black box" with the fiber IN and an ethernet port for you to connect to, other may provide their SFP module (that you can use in your own rou...

jaclaz

My MSP provider suggested 254.254.240.0 That should handle 192.168.0.1 till 192.168.15.254 You mean 255.255.240.0 i.e. /20 that covers that range: https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=20&cip=192.168.0.1&ctype=ipv4&x=Calculate it is a very large add...

jaclaz

Something like the new CSS318-16G-2S+IN, but can fit in the K-79 bracket, taking the space of two x009 devices. PoE+ would also be nice. I am not sure, but very likely (with some adapted ears/connectors/whatever) a CSS318-16G-2S+IN would fit besides 1 (or 2) RB5009's in a 19" rack. The CSS318 ...

jaclaz

Maybe I am a bit tough :shock: , but I fail to perceive the severity of the vulnerability in practice. IF you have Winbox access , then: If you try to log in with a wrong username, you get a reply 35 bytes long. If you try to log in with a right username, you get a 51 bytes long one. So this allows ...

jaclaz

Beyond the firewall everything else is LAN

Well, that depends on which side of the wall you are

, I like to think that "this side" is LAN (safe) and the other one is WAN (hic sunt leones

) .

jaclaz

Thanks for the answer, but yesterday my boss and I already realized this in the office when we connected the power supply from the AC2 router. If I understand correctly, then there is no voltage control in the main router, and if I want to connect something via POE, should I use an adapter with the...

jaclaz

... when people do web searches for "do I really need 1Gbps?" and the like...

People do not do those web searches, they just want moooore speed and power.

jaclaz

Screenshots say very little, particularly without context.
Follow the instructions here:
viewtopic.php?t=203686#p1051720
and post your configuration, some members may be able to spot where the issue(s) may lie.

jaclaz

There Is seemingly not any provision in the script to create the table, so It must be created before and outside the script.

/routing table add name=WAN1 fib

jaclaz

Any suggestions as to what we are missing? The default settings in /ip firewall filter should prevent connections from WAN (internet). And - generally speaking - it is not a good idea to have the device open to the internet, usually a tunnel (often Wireguard) is used to remotely access a Mikrotik r...

jaclaz

It is so old that I cannot find its specs on Mikrotik site, but they are here: https://www.cloudrouterswitches.com/RB750.asp I am attaching the .pdf just in case it disappears. 32 MB Ram 64 MB flash 400 MHz, yes, it sounds like it would run much better with v 6.x. But in a 10/100 network can still I...

jaclaz

... which is a more powerful and newer model than the first one. Or, in other words, a VERY different model (possibly also running a more recent version of Ros than the device on which the backup was made). You are more or less in case #4 of my PC analogy, or - if you are lucky - in #3. You can try...

jaclaz

Yep :) , if you prefer the default rules that Mikrotik sets on SOHO devices were written by someone who knows a lot about firewall rules and till now they weren't proved by anyone to be particularly inadequate or defective, so they - UNmodified - are very likely much better than anything we can come...

jaclaz

PoE power has little to do with link up/down. You need to provide more details. Ac2 accepts DC in 12-30 V and PoE in (passive) 18-28V (please read as 24V). Chateau Pro Ax accept (DC in) 18-57V and can output on ether5 PoE out (passive) 18-57V (please read as 48V) AND it comes with a power supply tha...

jaclaz

Adding a DHCP client on the AC2 bridge would probably help for having the AC2 get a dynamic address from the Ax3. :wink: I would also (probably not connected to the issue you are having) change this: /interface detect-internet set detect-interface-list=all to: /interface detect-internet set detect-i...

jaclaz

Since the issue likely revolves around IP addresses and networks, even if your privacy needs to be respected, replacing everything with xxxx doesn't really help in troubleshooting the problem. Idea: replace 1:1 your real IP's and network in use (LAN) with arbitrary addresses in the 10.0.0.0/8. As an...

jaclaz

It costs nothing for you to test. Just add the drop all rule after the last one you have. add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ connection-state=new in-interface-list=WAN add action=drop chain=forward comment="...

jaclaz

@ConradPino Yep :) , but this is (good) advice for when you need to post (on the forum) your configuration. But the doubts are about the contents of the supout.rif, which cannot (and should not) be modified before sending it to Mikrotik support. @mkx Don't forget the lesson we learned form Doctor Ho...

jaclaz

I would first thing try a traceroute from PC1 to PC2 and from PC2 to PC1 and from router1 to router2 and viceversa.
Results should tell you where the connection is broken.

jaclaz

You didn't do anything wrong, is what you did not do (downgrading to the wanted version).

jaclaz

Very good

, another (little) piece of electronics saved from going to the trash.

jaclaz

The route for 1.1.1.1/32 is Xs, like if it was manually disabled? When you actually disconnect the cable It should not becomes X, only s. Anyway in this case the "narrow" route to 1.1.1.1 doesn't exist (it is disabled) and the router tries to reach 1.1.1.1 via the route it finds that is Ac...

jaclaz

/ means "start from root" or "start from top level" and look there for the following path
interface is the path where to execute the following command
find is the command

jaclaz

If you use a DHCP client,besides the configuration you need to post also the output of commands: /ip address print and /ip route print so that we can see also the Dynamic part of the configuration. What you posted till now seems fine, with the exception of the firewall, I would advise you to start f...

jaclaz

If I get your configuration right, the groove is set up as a bridge between the wlan and an ether interface, then the hap is set up as a "normal" router between the thus bridged WAN and the local LAN (i.e. with ether1 as WAN and all the other ports in a bridge as LAN and a nat masquerade r...

jaclaz

Try calling Master (Bridge) and slave (Station-Bridge) as Access Point (Bridge) and Client (Station-Bridge).

The Access Point transmits at a given frequency, the Client wants to connect to it, so it cannot but use the same frequency (decided by the Access Point).

jaclaz

The terminology - as often happens - is misleading. What is called a backup in Mikrotik corresponds (loosely) to what in the (windows) PC world is usually called cloning, you make an image of a system and when you deploy this image to: 1. the same PC, in order to recover from - say - a failed hard d...

jaclaz

The original should be one of these:
https://it.aliexpress.com/item/1005005531615480.html?

probably #5 or #6.

jaclaz

If 7.17.2 doesn't change anything, follow these instructions and post your config:
viewtopic.php?t=203686#p1051720
and post also the log (a few lines before and after when the diisconnection happens will be enough)

jaclaz

Also, unless you did it on purpose, you set /32 addresses. Normally those would be /24 (a network of 256 addresses of which 254 are usable, netmask 255.255.255.0 in the "other" notation, these networks have the last number as 0) /ip address add address=192.168.88.1/24 comment=defconf inter...

jaclaz

I think that an exact replacement Is not easy to find, usually smd push buttons are horizontal, the vertical ones tend to be with pins/through the hole (as they are more robust). And finding one with the right pins/pitch may be even worse. See also here: https://forum.mikrotik.com/viewtopic.php?t=19...

jaclaz

Only as a curiosity, and only if you wish to share this information, what "role" will have the RB5009?
In your network layout that place seems more suitable for a switch than for a router.

jaclaz

10.1.10. 0 ? :? In /24 networks .0 and .255 are not usable, valid are .1 to .254. In smaller networks, the first and last one should as well not be usable. It should be a usable host address only on larger than/24 networks i.e. /23, but the /23 Is 10.1.8.0/23 (that ends before 10.1.10.0) or 10.1.10....

jaclaz

With all the devices you have in play, a splitter, which is essentially passive has (IMHO) very low probabilities of being a point of failure, and - even if it fails - it is the least expensive item to replace. Even if the original Mikrotik Is 8$ list price, similar "no-name" ones can be f...

jaclaz

Check these (you don't likely have a carrier as professional photographer :wink: but on the PCB there should be even a sketch of the contacts where the push-button should be) it is quite common that these are pressed too hard and are simply detached from their soldering points: https://forum.mikroti...

jaclaz

PoE (active, 803.3af/at, two pairs) has power limits. the max power a PSE can provide: af=15.40 W at=30 W and current: af=350 mA per pair at=600 mA per pair This means for the higher spec at that 30 W / 57 V= 526 mA max The Mikrotik reduces this (on PoE out ports) to 440mA. These same PoE out ports ...

jaclaz

@Josephny
If you remove the double quote from the end of this line:

/interface wireguard add disabled=no listen-port=51880 mtu=1420 name=wireguard1 private-key=XXXXXUdzhtaQWe9tDnPmv94g/QtGM="

the board parser will render better your config.

jaclaz

You don't have /system gps menu?:
https://help.mikrotik.com/docs/spaces/R ... 901890/GPS

jaclaz

Leave me the time to check and finish the post...

You are not as fast as you used to be ...

jaclaz

I'll start by saying that ...

... and how are you going to conclude ?

jaclaz

Wondering how this could help, you mean reinstall ROS from the scratch? The theory (not only in this case) is that when doing a normal upgrade *something* in the configuration (invisible or however very difficult to be found) can remain "sticky" and create the problem. Starting from fresh...

jaclaz

If i get it right - there is discussions about poe in + dc. My case is dc + dc. yes and no. This is Poe+dc: https://forum.mikrotik.com/viewtopic.php?t=187711 and as said doesn't apply to your case, but if you read it attentively this post by mkx, it is "general": https://forum.mikrotik.co...

jaclaz

Interface lists are vital if you use the default firewall and nat rules, as they make use of them. /ip firewall filter add action=accept chain=input connection-state=established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid add act...

jaclaz

You'd be surprised how many PCs still run XP ... that was ended (extended support) in 2014. Well, I am posting right now from an XP originally installed in 2008 (and Service Pack2, with a few tricks to make some apps that *need* SP3 believe it is Service Pack 3), but I don't think it is common nowa...

jaclaz

Try with print without the where condition.
It should "refresh" the list and re-number the items.

Or maybe it has changed in the whatever (recent) version of Ros you are running?

jaclaz

So basically you want a "main" WAN and a "failover" one. The simplest method is (IMHO) this one: https://forum.mikrotik.com/viewtopic.php?t=198999 further simplified in this post: https://forum.mikrotik.com/viewtopic.php?t=198999#p1102129 If you have difficulties in following it,...

jaclaz

All Mikrotik devices with multiple power inputs accept voltage on all of them, the one that "wins" and powers the board is the one with the higher voltage. When the one in use fails/is disconnected, the next one will be used. https://forum.mikrotik.com/viewtopic.php?t=101159 There is no re...

jaclaz

Yes, the problem must be somewhere else.

I don't understand the bridgexx's they all seem empty (with no real interfaces added to them), all interfaces but ether1 are added to the bridge "bridge".

jaclaz

Yes, you are right, one needs a print, the loop must be #2 and #3:
1. /ip/firewall/mangle

2. remove 0
3. print

jaclaz

I am not sure to understand the questions. The RB5009UPr+S+IN accepts (per specs) 18-57 V so 57 V is OK. The Mode A vs. Mode B is one of the mysteries of Mikrotik, generally and specifically for this device. Specs are: "PoE-in: 802.3af/at (ether1), Mode B (ether2-ether8)" which - translate...

jaclaz

I would add that issuing "enough":
/ip/firewall/mangle remove 0
until you get an error like "no such item" you effectively make the the mangle list empty.

EDIT: not really, see following posts

jaclaz

Yes, if you just put the IP without the /xx as netmask, it will assume /32, but this implies that the entry has been typed/added, and if you didn't do that, it remains strange that the upgrade process created it.

jaclaz

But the issue that you do not get the internet is your masquerade rule. It is set to Out-Interface-List=WAN, but you have a DHCP client set on ether1, but you do not have ether1 under WAN interface list. But there is an entry alright :? : /interface list member add comment=vejaconf interface=bridge...

jaclaz

the default setting specification is confusing: thr-tcp-conn-time (Default: 00:05...00:30) Fail threshold for tcp-connect-time, the configuration uses microseconds, if the time unit is not specified (s/m/h), log and status pages display the same value in milliseconds. You probably have it set to 8s ...

jaclaz

And this is another way using netwatch: https://forum.mikrotik.com/viewtopic.php?t=198999 the further simplified method here: https://forum.mikrotik.com/viewtopic.php?t=198999#p1102129 has been tested and it is working, but is intended for static addresses/routes, if you *need* to use the DHCP on th...

jaclaz

The first one is "wrong".
address=10.1.10.0/32 with netmask=24 makes no sense, but it is strange that it is the result of an upgrade, or, if it is, there may well be other things you have not noticed.

jaclaz

But mine is different that what I see as RB750 here on forum . . .

There are several versions of that board, yours seems like this one:
viewtopic.php?t=86366
(so it exists)

jaclaz

... and, plugs with key (port lock)

https://it.aliexpress.com/item/1005007003324168.html?

jaclaz

Instructions from Mikrotik (for hap lite, but case is the same).

jaclaz

That contact is the same as the (possibly defective) reset button, use a cross (Philips) screwdriver to make the short. https://forum.mikrotik.com/viewtopic.php?t=45590 Check the behaviour of your device against this: https://forum.mikrotik.com/viewtopic.php?t=137663 https://forum.mikrotik.com/viewt...

jaclaz

Some more details on the meaning and some horror stories (about needing to delete the routing rule and recreate it to really emove the min-prefix if needed) are here:
viewtopic.php?t=212420#p1108833

jaclaz

Before anything else, search in your configuration for "*" (asterisk). Entries like this: /ip route add check-gateway=ping disabled=no distance=5 dst-address=0.0.0.0/0 gateway=x.x.213.193 routing-table=*1 suppress-hw-offload=no add check-gateway=ping disabled=no distance=15 dst-address=0.0...

jaclaz

The Mac address of port1 different from that of port2 is normal, usually ether1 is WAN and the other ports are LAN (in a bridge), and it is entirely possible that ether3 and ether4 have been disabled, if the thingy was used to "convert" a connection to IPTV only, but that might mean that y...

jaclaz

Maybe also turning off/on (disabling and re-enabling) the ethernet port on the Mikrotik and might do to "reset" the NIC.

jaclaz

It's not a couple of degrees, so first thing Is checking whether those readings are real. There are reports of devices that have false temperature readings because of failed/defective components. Ideally you should use a contactless thermometer, but as a first approximation you can feel them with yo...

jaclaz

What happens with :global content [/file get wol.txt]; :put $content local on command line needs to have the whole stuff enclosed in curly brackets. { :local content [/file get wol.txt contents]; :put $content } should do. This said, if you control the web server you could probably have it send a di...

jaclaz

The way I read the route you posted is:
to reach the IP address 10.1.10.106/32 you have to go through gateway x.y.z.1
But 10.1.10.106 is assigned to ether2?

jaclaz

Try again with netinstall.
Your settings seem correct, but there are reports that putting a (dumb) switch between the PC and the Routerboard can help in detecting the device (timing problems or whatever).
I would add that for such an old board I would try a 10/100 switch, just in case.

jaclaz

This is an invalid entry:

/interface list member
...
...
add interface=*9 list=WAN
...

and it should be removed, but I doubt it is connected to the issue you are having.

jaclaz

Try one of the common credentials for digi, maybe - just maybe - they are the same:
https://19216811.uno/digi-router-login/
https://www.digi.com/support/knowledge- ... -passwords

jaclaz

The other day cable-test features of Mikrotik/Ros happened to be mentioned here: https://forum.mikrotik.com/viewtopic.php?t=214457 and I remained with the curiosity about what each cable pair line/entry meant (the order they are shown could be either by wire colour/twisted pair or couple of pins on ...

jaclaz

Something I said? Something I didn't say?

Cannot say!

jaclaz

Time to post your config:
viewtopic.php?t=203686#p1051720

jaclaz

3.0 RC6 Is from 2015, so maybe still too new?
Can you try to connect with v2.x via MAC? (of course It cannot connect via IP to 0.0.0.0)

jaclaz

If you hover over the data in the column with the little flag It should tell you what the letters mean. DAC means Dynamic Active Connected, these routes are automatically (dynamically) created the moment an interface has an IP address, and they are only for the network of the interface IP and networ...

jaclaz

Maybe you need an older (possibly very old) version of Winbox?

viewtopic.php?t=141809

jaclaz

Maybe the S in IOT does not stand for Security, but for Stability.

jaclaz

viewtopic.php?p=1114928#p1114928

Yes, I'm sure (again)

... where it came out that the Wap Ax runs just fine on 24 V, but that the L009 doesn't negotiate correctly the auto on and you need forced on to power the Wap AX.

jaclaz

Meh, this shows how old (and grumpy) I am getting , personally I don't feel particularly excited, the whole stuff appears to be at the moment more wishful thinking than anything else, and anyway it all sounds to me like, to make the usual automotive comparison: "Hey! We added round wheels, an e...

jaclaz

But installing 16MB instead of 128MB flash in millions of devices must have made them so much money that it was all worth it. Well IMHO, 32MB would have been enough with a BOM cost difference so small that I presume *any* customer would have happily paid for with whatever premium surcharge MIkrotik...

jaclaz

If the "matching condition" for the mark/routing table is in-interface and/or src-address, maybe using a routing rule instead of mangle is simpler?

https://help.mikrotik.com/docs/spaces/R ... cy+Routing

jaclaz

My personal, not necessarily good, approach Is to add to a script all policies. Then, IF the script runs, start removing them one by one until It fails to run. Then re-add last removed policy and test removing next one ...

jaclaz

You could maybe get away with proxy-arp and separate interfaces/bridges, something similar to:
https://gregsowell.com/?p=5236
viewtopic.php?t=191652
but YMMGV.

jaclaz

Said another way, pasting a full RSC should be done to a device with no config set up. Even partial RSC, the risk of duplication of items Is always there. Simple math: Empty+full=full :D Empty+partial=partial :) then: Partial+full= Full+partial= Full+full= partial+partial= A POSSIBLE MESS :shock:

jaclaz

Everyone has his/her own requisites and approaches, but if you remained for so long on an old version, not even latest 6.x version, It should mean that there is not that much need to update to 7.x. The fact Is that 7.x needs more resources than 6.x, or if you prefer It Is usually slower on limited r...

jaclaz

Well, you cannot anyway go straight to recent v7 releases.. You need to go through 7.12.1. https://help.mikrotik.com/docs/spaces/ROS/pages/115736772/Upgrading+to+v7 But BEFORE anything else, check the devices you are using, if there are any with 16 Mb storage, MAKE SURE that you have enough space fo...

jaclaz

This app has a mode called "Prioritization Engine" or something similar. This must've been working ok at the beginning but at some point it must've fucked up, because as soon as I turned it off (per the post instructions) it worked like a charm! Likely you have to thank Windows Update for...

jaclaz

A possible approach :-? in twelve (easy? :?: ) steps: 1. reset a router 2. run default configuration AND DO NOT modify anything 3. export the configuration as .rsc file 4. export the configuration of an identical, already configured, router 5. open a new spreadsheet (excel, libreoffice calc or simil...

jaclaz

Your setup seens almost, but not quite, completely unlike the one specifically recommended for the 2011, here: https://help.mikrotik.com/docs/spaces/ROS/pages/103841826/Basic+VLAN+switching in the part titled: Other devices with a built-in switch chip Maybe you should start from that example (and/or...

jaclaz

Hard to say anything without knowing your settings. semi-random questions: Could it be the browser or the OS? Could it be a https vs. http problem? Could it be www. prefix missing or included in DNS name? Could it be that two different DNS servers are queried when logged in vs. logged out? If you wa...

jaclaz

The RB2011 has also a particular internal setup: https://cdn.mikrotik.com/web-assets/product_files/Block-RB2011UAS-2HnD_130546.pdf with two separate bridge chips, one for the Gb ports and one for the 10/100 ones, mixing them in a single bridge may be part of the issue, it is usually advised to bridg...

jaclaz

To explain, there are two "sets of drivers", which one to use depends on the specific device model/processor, some devices only have the old drivers, some can use both, new devices only have the new one. To make things simple the good Mikrotik guys managed to call the menues for them in di...

jaclaz

In such situations when I want physically "block" port I put an unclamped RJ45 connector into it :) You like wasting resources, don't you? :shock: Being cheap , I used already clamped connectors cut out from defective cables. :wink: :lol: BUT, while buying something on aliexpress I needed...

jaclaz

Yep, once It Is taken out of the bridge, what happens in ether3 stays in ether3

.

jaclaz

Generally speaking, in a simple configuration like yours, a (wrong) mangle rule is the only thing that may slow down something, other issues in configuration tend to be on/off, packets either go/through or they don't, interface Is either natted or It Is not, routes are either active or they are not....

jaclaz

Yep, sure. The original issue in this thread Is about having to recover a corrupted device. The only way out in these cases, if a reset is not enough, Is to netinstall, that is only possible on the only etherboot port, i.e. ether1. If that specific port doesn't work it is game over (unless directly ...

jaclaz

You made a new interface list, called it WAN2 and added to it ether3. This only adds an entry to a new list (that you don't want and don't need). You only want the (default) LAN and WAN lists as they are referenced to in other parts of the configuration (firewall) and without changes this may preven...

jaclaz

Which mangle rules?
I mean, the two that are both disabled=yes?

jaclaz

I guess that part of PoE-in, there are capacitors on each line between PoE-in power "ejector" and ethernet transformers. And broken capacitor (not shorted but burned) would effectively isolate that particular line. Or maybe a diode, to make PoE in one way only :? . The problem should howe...

jaclaz

Thanks for the hint, now we are getting somewhere. Yes, but unfortunately not where we wanted to go. :( It is not particularly clear how the pairs are called/to which pin they correspond, I have to assume that: 1st pair=1,2 2nd pair=3,6 3rd pair: 4,5 4th pair: 7,8 mkx's theory, that makes a lot of ...

jaclaz

And what happens connecting to that port a (say) 2 m cable with nothing connected at the other end?

Then, if you "force" 1 Gb on that port, you should have no link

even with the other device connected, what does the cable test pairs show then?

jaclaz

Yep, that is exactly the kind of mess I was talking about, the specs: PoE in 802.3af/at PoE in input Voltage 18-57 V say first 802.3af/at, but anything below 37 or 44V is not 802.3af/at, and the 18-57 V below means that it can also use the "old" 24V PoE. The drawback (unlikely in your case...

jaclaz

Dont' worry. :) The cap Ax itself uses 11W: Max power consumption without attachments 11 W that is the absolute max, in real world you will see more like 6-7 W. But you can daisy chain to it another device (i.e. using the PoE out of the cap Ax), this device can be roughly another 20 W, and this make...

jaclaz

1 Watt = 1 Joule / second = 3.41 BTU / hour i.e. energy per unit time. Can we say, 1 BTU per hour per cubic feet = 10 ° F increase in temperature per hour? Yep, it's a very approximate the rule of thumb, the 1 to 1.5 is a range that depends on the characteristics of the "envelope", often ...

jaclaz

Usually the max power stated by Mikrotik (without attachments) is more than twice the actual average one, if a device like a PC, a router or a switch runs at 100% all the time it means that it is the wrong device (too underpowered). A 4 feet by 4 feet (and I presume 10 feet of height) is 160 cubic f...

jaclaz

Essentially, set aside the accidental blackouts, you are saying that if you remove power from those switches and re-apply it, on only one of them the SFP doesn't get connection correctly. The need to power off again that switch, and keep It off for some ten minutes could be due to two different issu...

jaclaz

You have one excess space (you were tricked by the font used on the device), it is a RB2011: https://mikrotik.com/product/RB2011UiAS-2HnD-IN#fndtn-specifications Configuring it needs some minimal knowledge of RouterOS. That particular device has besides the SFP, 5 Gigabit/1000 ports and 5 100mbit on...

jaclaz

I see this whole stuff more as "damned if I do it, damned if I don't". In my understanding: 1. auto-mac=yes <- can cause issues when adding other interfaces to bridge and probably in a number of other "advanced" setups 2. auto-mac-no AND MAC duplicated from first ether port on th...

jaclaz

So it would be a bad thing to plop an antenna like this on my roof, attach it to ANT2 and call it a day? https://www.pctel.com/antenna-product/wlq-4g-directional-cellular-antenna-2g-3g-4g-5g-nb-iot-m2m-smart-city-smart-metering-sma/ Because the receiver hardware expects a certain signal from the bu...

jaclaz

The "generic/theoretical" issue (by - stupid BTW - design) is that the nano is slightly less thick than the micro, 0.67 instead of 0.76 mm. The multi mini/micro/nano SIMs may be either thickness, I believe (even if they shouldn't) A socket "properly" made should not have these is...

jaclaz

You can save the log to file:
/log print file=myfile

You can narrow with something like:
/log print where topics=<topics> && message=<message> file=myfile

jaclaz

@Josephny I didn't mean anything, I only repeated what EdPA wrote here: https://forum.mikrotik.com/viewtopic.php?t=190747#p966670 This is the reason why we recommend setting bridge MAC manually, and all default configurations with bridge involved come out with the "admin-mac" set. It means...

jaclaz

Could it be protected routerboot set?
viewtopic.php?t=187742

jaclaz

Is it really that bad to just allow the device to pick/assign it's own mac address? Yet another thing to setup and remember is another thing to go wrong. Of course it isn't, until it becomes so and bites you. Resistentialism is a thing when dealing with Mikrotik: https://en.wikipedia.org/wiki/Resis...

jaclaz

Would you mind explaining what this rule means? Or point me to a thread that explains is. https://forum.mikrotik.com/viewtopic.php?t=214219 https://forum.mikrotik.com/viewtopic.php?t=209850 https://forum.mikrotik.com/viewtopic.php?t=190747 The only possible issue of carving the MAC in stone is that...

jaclaz

Do you remember if it was a "proper sized" SIM or a smaller one with an adapter? There are reports (not only on Mikrotik hardware) of issues with the latter, see: https://forum.mikrotik.com/viewtopic.php?t=211182&hilit=sim#p1099231 https://forum.mikrotik.com/viewtopic.php?t=211182&...

jaclaz

... and it is not so casually Rule #4 of the (unofficial) Mikrotik Club Rules: Rules of the Mikrotik Club: You do not use VLAN1 You DO NOT use VLAN1 You remove default user admin and set a strong password before connecting to the internet. You do not use Quickset. You do not use detect internet. You...

jaclaz

Feb 3 11:42:56 mikrotik1 v4_drop_4r437_fwdlast forward : in:ether1_gw out:bridge1, connection-state:new,dnat src-mac 20:83:f8:a2:74:f2, proto UDP, 204.76.203.80:2842->192.168.241.190:123, NAT 204.76.203.80:2842->(x.y.z.a:123->192.168.241.190:123), len 36 Feb 3 11:43:03 mikrotik1 v4_drop_4r409_in_TC...

jaclaz

No, they are different.
JFYI, on this forum:
https://confusedbird.com/thread-280.html
there is a link to a google drive with some photos of the internals of the LTE18:
https://drive.google.com/drive/folders/ ... drive_link

jaclaz

Are you sure that when booted in SwOS you actually can use CLI to issue the command system/device-mode/update routerboard=no?
AFAIK SwOS is GUI only, maybe there is a checkbox somewhere for that.

jaclaz

Maybe it is just a coincidence, and unrelated to temperature. The -6.6° C are the outside environment or the inside of your enclosures? Which kind of enclosures? If it is sealed, how is the heat dissipated? Which other devices are inside the same enclosure? The CCR2004 is a 35W device, it is hard to...

jaclaz

You posted (by mistake) twice the same speedtest.

jaclaz

I am not understanding. :? The photo you posted is of another device, RBD53G-5HacD2HnD is the Chateau LTE12 , the LTE18 AX should be S53UG+5HaxD2HaxD. The image, coming from this site: https://mikrotikon.pl/mikrotik-chateau-pierwsze-urzadzenie-z-lte12-i-routeros-v7/ is even called MikroTik-Caterau- ...

jaclaz

I don't know, but the math sounds similar to the way some of the enterprise SSD's or HD's drives are made (many of these are formatted with 520 or 528 bytes instead of the usual 512). The actual "cell" (or sector group) size on the device should be anyway 4096 bytes or a multiple, and thes...

jaclaz

So, there are two "layers".
1024+16=1040
63*1040=65520
65520+16=65536
Interesting.
It would make sense to have these extra 16 bytes at the end of a group of "sectors" to "get even" to a multiple of 1024, 64*1024=65536.

jaclaz

If the 1 Gb is on the horizon but not too near I would go for the hex refresh, you will find other ways to re-use it or however it will likely be easy to resell. If nothing more than 1 Gb is expected maybe you could consider an Ax3 as "main router" (whether you use or not its wi-fi as one ...

jaclaz

I don't think that there will be issues (but you never know). Of the two the reset might be (in theory) more prone to failure if a blackout occurs while doing it (because of possible write errors on the flash chip). The netinstall essentially is telling the Ros bootloader to boot from an external se...

jaclaz

Reality check: https://mikrotik.com/product/RB3011UiAS-RM#fndtn-testresults Routing 25 Filter rules 107.6 1306.7 110.5 452.6 I think it is simply time to get a faster router, capable of managing 1 Gb internet, even if you get your 3011 work as best as it can, it won't probably go over 500 Mb. And ye...

jaclaz

IS there a way to place netinstall files on USB drive (FAT I assume), plug into hAP AC Lite and then set it to default install from there (I have no communication to issue any commands as yet).

No.

jaclaz

The idea of a 100m (300') roll fo black pipe is very nice indeed. I assume some type of rigid snake would be use to feed a pull wire through? They use AFAIK a "normal" (of course long/stiff) glass fibre cable puller directly, *like* (example): https://www.batna24.com/en/p/extralink-pilot-...

jaclaz

The default configuration for these devices is essentially: 1) ether1 out of the bridge and classified as WAN, with a dhcp client running on it 2) ether2-4 (or 2-5) and wlan into the bridge and classified as LAN 3) mac winbox allowed on LAN 4) firewall rule preventing access from anything different ...

jaclaz

@tdw Yes, that sounds like the only possible explanation As mentioned in the other thread the RBFTC11 comes with the RBGPOE: https://mikrotik.com/product/RBGPOE which is declared as mode B (4,5+ and 7,8-). A crossover cable would not cross 4,5 and 7,8, only 1,2 and 3,6 so it can convert only from &q...

jaclaz

I actually have large and small equipment to dig trenches (and move dirt) and have been wondering about playing with some fiber. I don't have experience with terminating it, and I have no idea if fiber can be put direclty in soil, and if there is an issue with freezing (and the resulting heaving) o...

jaclaz

Yep, the most likely cause is that the new chip has something different from the original one, only a guess, but if the original one has a "unique ID", at every boot this ID is the same and the license sticks, while IF the new chip has not such unique ID, a new one is somehow generated at ...

jaclaz

Rethinking about it, it would make more sense to use a toggle/latch relay. The mechanical ones are not suitable because they remember the last state they were on when power goes out (battery broken or exhausted), but I believe that electronic ones that default to either on or off at boot do exist. E...

jaclaz

Possibly of interest:
viewtopic.php?t=174182
The chip seems like having a unique ID, so no way to replace one without re-generating the soft ID or licence.

jaclaz

The hap lite has only 4 ports :? : https://mikrotik.com/product/RB941-2nD So, maybe it is a hap ac lite? https://mikrotik.com/product/RB952Ui-5ac2nD Not that it changes much. The Err:Connection refused is normally the firewall not allowing MAC Winbox connection from the port. I saw hAP saying it had...

jaclaz

Try simplifying things first. Disconnect the old hap lite from your network. Connect to it (try ports 2-4) directly connected to your computer, disable the wifi on your computer . Still same MAC connection error? Try with a dumb switch between the hap lite and your computer. Your old router will be ...

jaclaz

No idea, but from what you posted it seems that in one case, just after reading at 0x57a1e4: squashfs: read_bytes: reading from position 0x57a1e4, bytes 8 it "skips" to : squashfs: read_bytes: reading from position 0xffffffffffffffff, bytes 2 so the issue is probably in the 8 bytes @0x57a1...

jaclaz

Well, that is definitely "too much" power, not that it will make any problem, but a 2.75 A / 90 W power supply will run mostly at 22/90=24.5% which is outside the usual optimization range for efficiency (in other words you will consume slightly more electricity than needed). How much more ...

jaclaz

Sure :) , I don't think that you are running with 100% CPU on the three devices, of course It should be measured in total, but I would not be surprised if your real power needs are around 50-60% of the max specced. So 20-24W, below the 28.8W of the Power supply. From your screenshot, the two ax2's u...

jaclaz

Valid remark. But maybe not really that much of a problem with mipsbe version of wap ac ? You can't use wave2 drivers. Wouldn't the 5 GHz radios be capable of saturating the 100 Mbit cable connection? :? In any case the injector should be RBGPOE, so that the devices can be updated. It would also be...

jaclaz

@JhnMtrx
The ax2 power supply is 24V 1.2 A, so 28.8 W.

RB5009UPr+S+IN 16 W
Ax2 12 W
Ax2 12 W
that makes a round 40W.

Even if devices in reality use much less power than specs, it doesn't sound like a safe setup.
you want a 24V 2A power supply. or at least a 24V 1.5A one.

jaclaz

Values need to be corrected, but final result doesn't change. The wAP ac : https://mikrotik.com/product/RBwAPG-5HacT2HnD has 12W max power. They will work just fine with passive poE at 24V (the device accepts range 11-57V , Mikrotik devices do work with passive PoE, when their specs indicate 802.3af...

jaclaz

Define the exact models you intend to use, hAP or wAP? The hex poe lite can output up to 1 A per Port ( but max 2 A on all four PoE out ports), so you can have as much as 24W per device using 24V Power adapter. The hAP Is 5 W. The wAP Is (was) 4 W. The hex poe lite itself Is 3 W. So you have plenty ...

jaclaz

So, all in all we can have a power supply ( or a splitter/converter) that does not actually deliver the current on the label but that can power a device just fine because the device actually needs less than expected. Yes, we are saying the same things, numbers in these matters are in the best cases ...

jaclaz

Yep, but in this particular case it could be that a correcting opposite factor exists. TP-Link doesn't state the actual power consumption for this EX230V things, it says that it ships with a power supply 12V 1.5A. If you check (say) the Mikrotik hex lite, It has a stated power consumption of 2W, the...

jaclaz

Only as a side note, anav's suggestion (if you really can use some existing coaxial cables) is for MOCA adapters (search for MOCA 2.5), there is a new, faster 3.0 standard, but seemingly not (yet) consumer level devices available, avoid MOCA 2.0 devices: https://en.wikipedia.org/wiki/Multimedia_over...

jaclaz

JFYl, there are el-cheapo splitters around with 802.3af/at that include a step down converter, the voltage on the ethernet cable is the 38-57 V, that is split and then converted down to 12V. They are common to power non-Poe devices, typically security cameras. So the more common ones are 12 V 1 or 1...

jaclaz

I wouldn't count too much on Mikrotik changing the behaviour of the boot sequence. You can probably get around with a more sophisticated circuit, or, simpler, use a "time delay" relay. I have seen el-cheapo ones (low power, but you don't need that much current) on sale on Aliexpress for a ...

jaclaz

Don't misunderstand me, functions are fine, but GOTO's while ugly are not the root of all evil as many people seem to like to say on the internet.

jaclaz

Yep, but we are talking of RouterOS scripting, not of the next-generation, real-time, object-oriented, mega-fanta-para-efficient language.

jaclaz

Only as a side note, you seem like attempting to access that hap lite via IP (possibly using your browser to access its web interface aka webfig). If you are not using It, now It Is the right moment to start using Winbox. The old 3.x version Is Windows only ( but can run in Linux under wine), the ne...

jaclaz

GoTo is obsolete way of taking parts of code for reusability or skipping parts of commands for execution, inherited from assembly jump ( jmp ) instruction, much less readable and most modern languages doesn't have support for it because it is just not needed on higher level of coding. Now I know wh...

jaclaz

My brain farted im sorry, can we speak in terms of noob level? *_* You want a plumber comparison? :?: Imagine that in your house there are 9 bathrooms :shock: , a kitchen, an outdoor tap in the garden and one in the garage. That makes roughly 30 taps, each 1/2". If you want to have all of them...

jaclaz

So you are using the NC contacts of the relay on the (connected to mains) power supply to power the mAP. Then, when you set the device on "forced on", you open the contact and power to the mAP comes from the battery (in parallel or enabled from the NO contact?). When the voltage becomes to...

jaclaz

The "key" is IMHO your ISP connection speed more than anything else. If it is below 1 Gb speed, you can get a hex refresh (or even a hap ax lite) as a first device on the cheap (with 5 or 4 ports) around 60$. If it is 1 Gb the "right" device is the hap Ax3 (5 ports) 140$. If it i...

jaclaz

... and I think I have Rule #7: Rules of the Mikrotik Club: You do not use VLAN1 You DO NOT use VLAN1 You remove default user admin and set a strong password before connecting to the internet. You do not use Quickset. You do not use detect internet. You keep routerboard firmware upgraded to the same...

jaclaz

And what is the output of:

/ip hotspot print

Compare with the one in the Wiki:
https://wiki.mikrotik.com/Manual:IP/Hot ... Spot_Setup

jaclaz

Only to keep things as together as possible:
viewtopic.php?t=194596

It seems like "cross" translated from Mikrotikish means crossover (maybe).

jaclaz

Yes, it remains not clear at all.
Only to keep things as much together as possible:
viewtopic.php?t=214021

jaclaz

3. get a perforated tray and put the L009 on it, this way you can move It back and front as much as you like, and if needed fix It with ties or similar or screws, example:
https://www.thomann.de/it/flyht_pro_rac ... _mount.htm

jaclaz

Oh, that is the frame of the picture on the wall. Cable is white and running along door frame

Then, mission accomplished

.

Search found 2374 matches