MikroTik

jaclaz

jaclaz

Curiosity of the day :) (only for the record and for future memory). After quite a few tests, it seems that a good way to (momentarily) switch off the user led and have it back on is the following (completely crazy IMHO BTW): 1) set the pwr-line1 interface to disabled (so that there is no risk whate...

jaclaz

A RB5009 is around 220 $. If the built in storage wears out, you need - besides the cost of replacing the chip, some 40-45 $ for a new licence, all in all 100 $, not counting the costs effects of the downtime.. A small USB stick of re-known/reliable brand is what? 5$ or so. Even if you have less tha...

jaclaz

You used webcams (plural). Mikrotik devices tend to have very low PoE output (Amperes are limited), so determining the needed power budget Is anyway important. Powering: 1 webcam, OK. 2 webcams, maybe. 3 webcams, improbabile. This said, you might want to explore the possibility of using a multi-port...

jaclaz

You are welcome. :) I an attaching an Excel file with my comments. The idea is: 1st device is AP with a single bridge, bridge2, with both ether1 and wlan1 interfaces in it, with a static IP of 192.168.20.245/24 2nd device is Station with a single bridge, bridge1, with both ether1 and wlan1 interface...

jaclaz

Just an out of the box idea

https://www.printables.com/model/896841 ... ule-cooler

90-100 €/$ difference between a 2.7 W one and a 1.8 W might be a good investment, but sure it is hard on the budget.

jaclaz

Yep.

jaclaz

You put the grommet on the antenna and you fold It upside down (or in/out). You put a thin layer of vaseline grease on the exterior (thread) of the connector. You screw in the antenna over the connector. You apply normally the self-sealing tape around the connection, wrapping It from the base upward...

jaclaz

Well, just in case: https://i.imgflip.com/68y3a1.jpg If you still insist on doing that, you should IMHO: 1) use some good auto-bonding tape around the connectors 2) put a thin layer of vaseline grease (yes really) on the tape 3) cover the whole stuff with a grommet/gasket like these: https://barbier...

jaclaz

What Is borderline with fraud :shock: for a newcomer Is that a "template" Is a sort of .ini or definition file, basically a few parameters for the virtual environment where the "payload" will run. For Mikrotik the payload is always and only a CHR image. You can make a copy of (sa...

jaclaz

GNS3 is a PITA to configure and install. (but if you succeed it is handy and "fun"). Yes, you need either Virtualbox or VMWare (but for the latter the player would do), but if you have the GNS3 server running, you surely have one of the two installed and running. Virtualbox has been more o...

jaclaz

.... and replaced by The Dude AI with the prompting "start by assuming the user is wrong, and go from there".

The particular model trained exclusively on anav's posts?

jaclaz

No, I don't know.
I just know that's the command for getting the license file from the device.
And that file can be used with netinstall-cli to flash the device.

... but seemingly only the same device, with the same flash chip (and same unique ID) ....

jaclaz

I ordered the CCR2004-1G-12S+2XS. If it arrives this week I'll take a day or two off to learn and configure it.

I can't wait .

You are an optimist (which is good)

.

But unless you are part of the Matrix and can upload "Mikrotik fu" those will likely be very looooooong days.

jaclaz

Has anybody else upgraded the flash storage on any of RouterBOARD devices? Were there any problems (in addition to the cost of a new license)?

viewtopic.php?t=214381

@patrikg
Are you sure sure that it works if the chip (and its "unique" ID) is changed?

jaclaz

@Amm0
"purported" employees?

Is there the risk that all these years those people (Normis, mrz, etc.) tricked everyone impersonating Mikrotik employees?

jaclaz

I see, ok, then it is settled, using HPBW it is almost exactly 90°.

(maybe even a little less)

jaclaz

What doesn't apply? Take maximum power (in wAP ax diagram that's upward direction), draw a circle with 3dBi less power and see where it intersects power diagram. I'm not drawing the circle, but it is somewhere between +-30° and +-45°. The circle you've drawn is the maximum value ... make circle of ...

jaclaz

It still (IMHO) remains debatable. Try applying the 0.5 circle on that pattern image, and you will see that (according to the half power definition) it is apparently an omnidirectional (which it isn't). https://www.test-and-measurement-world.com/.netlify/images?url=_astro%2FAntenna-FNBW-HPBW.BiKib9_...

jaclaz

The w stands for wall. The conclusions were already made. The antenna pattern of the wap Ax is toward the front of the device. It is debatable whether is 90° or more like 120*. And you know, or did anything new radically subverted the contents of this? :?: : https://forum.mikrotik.com/viewtopic.php?...

jaclaz

Good news. Mikrotik released software with eSIM. Just open winbox and go interfaces-->LTE and you can see there eSIM option. Soft. release 18.2

JFYI:
viewtopic.php?t=214977

jaclaz

Points #17and #18:
viewtopic.php?t=215018

jaclaz

well, there's since been 3 revision updates, now at 7.18.2. still see about 6% loss, but improved on the 7.16 10% average seen. downgrading to the suggested 7.14 tree got me down to 0.0167% loss over 5500 pings. I'll accept that and move along with my life. Thank you for the help Yep, it seems that...

jaclaz

@Josephny Anyway, since you mentioned home assistant, I'll give you a few hints. I am - generally speaking - cheap/thrifty, and I cannot resist some things. I was looking for a single smallish 2.4 GHz access point, and thought that a hap lite (price new some €22+9.99 shipping) would have done nicely...

jaclaz

Yes, the two set can stay on a same line (after all they are part of the same set of commands), but something like this: /system leds find [ :if ($leds=[:toarray "user-led"]) do={ set $".id" type="on" disabled=(!$disabled) <insert here another command> <insert here anot...

jaclaz

(no space between do= and {) Fixed. :) I think this suffice... on same set you can set more... ;) I know, but with one set per line it seems to me more readable. I am always thinking about the future me finding an old script and struggling to understand what (the heck) it was intended to do. /syste...

jaclaz

Ok, so this should be it

:

/system leds
find [:if ($leds=[:toarray "user-led"]) do={
[:if ($"disabled".$"type" !=trueon) do={
set $".id" disabled=yes
set $".id" type=on}]
set $".id" disabled=(!$disabled)}]

jaclaz

Karnaugh

The English translation of Carnèade (Chi era costui?)

Seriously, I always thought that Karnaugh started at 4 variables and a 2x2 was simply a "truth table":
https://en.wikipedia.org/wiki/Truth_tab ... _operators

jaclaz

I need some time to digest this new approach, it may become useful also for something else, no idea what yet. If we limit the type to either on or off, we have four possible setting combos leading to the two possible states, but with ratio 1:3: 1. (disabled=no)+(type=on)=LED ON 2. (disabled=yes)+(ty...

jaclaz

Nice.

Anyway I don't see it as a race, or, maybe better, it is a boat race, and we are in the same boat, we'd better start rowing.

jaclaz

yes like hypotetical if is true/false "set $uledid ![get $uledid type]" Exactly :). in your case you do 3 separate searches. To be picky, 2 :wink: as there is the else, but I get the point, generally speaking is better to limit the number of searches and use a variable as reference. In th...

jaclaz

Good.

Sometimes it is useful to open the script in the terminal editor as it includes a syntax parser that may (or may not) highlight inconsistencies.

jaclaz

Thanks rextended. The essence is the same :) , bummer :( , I hoped there was a clever way to invert the status of a boolean *somehow* without needing to check the current one with if, something loosely *like* (pseudocode): set [find where leds="user-led"] type= NOT $currtype The add leds w...

jaclaz

Maybe you can lower the timeout, but 90 minutes should already be not the default (should be 24 hours), see:
viewtopic.php?t=19729
or (more complex, and only if the dst addresses remain the same):
viewtopic.php?t=134089

jaclaz

Bump #1.

jaclaz

It is TI 54 1 60, AKA TPS54160, aka TPS54160DGQ: https://www.ti.com/product/TPS54160 it is a fairly common voltage regulator/converter. The 6B is irrelevant, it is the production date code, seems 2006-November (or maybe 2016-November?) You can find them on professional sources like RS, Digikey or Mo...

jaclaz

Maybe you can log the returned http code, but have you checked the log ? (fetch commands should create an entry in it) But it depends also on how logging is configured: https://forum.mikrotik.com/viewtopic.php?t=211270 And it becomes a "more advanced" scripting topic, see:: https://forum.m...

jaclaz

You need to use the fetch RoS command, likely with a GET (which is default) request, see:
viewtopic.php?t=129644

jaclaz

Thank you very much, very good reference to study.

jaclaz

Most of our towers house equipment in 18x18x6 sealed boxes, 18*18*6 inches? In first approximation should need a 30W or so heater to have a 10° C difference: https://www.calculator.net/btu-calculator.html?roomwidth=0.46&roomwidthunit=meters&roomlength=0.15&roomlengthunit=meters&ceil...

jaclaz

Regarding pppoe, it's not a must, but would be a nice addition for when I add security cameras. You are intending to use strange cameras :shock: , maybe you mean PoE :? (pppoe is another thing).. What other models would you recommend? I'm open to new ideas :) Right now there are basically only the ...

jaclaz

Yes I'm an engineer and capable of configuring any router, but I would like to not work for the router. Not a full job, but maybe part time? :wink: :lol: RB5009 is reported as being a very good device, SFP issues, generally speaking, depend on the SFP, in the sense that Mikrotik is picky with SFP's...

jaclaz

The HGO antenna is a common antenna, definitely OMNIdirectional.
The idea is that you put the Netmetal on top of a pole in the middle of an area and you cover that area with a circle.

For a PtP link you want directional antennas, the more directional (narrow) they are, the better.

jaclaz

Hi dears! im new to this forum, i hope your doing well. im currently working in an ICT as IT and in need to lock the reset button of mikrotik devices, is there any way you would know? The reset button cannot be really-really locked, but you can make it EXTREMELY difficult to activate it by using pr...

jaclaz

@CGGXANNX Very interesting. :) Can you post the text export of the relevant settings for your VLAN 312, both the "bridge" and the "switch" settings, so that I can maybe understand how the "normal" bridge ones are translated into the switch ones? I am trying to help a us...

jaclaz

Check this:
https://confusedbird.com/thread-119.html

The Chateau Ax Is also talked about and there are actual photos.
The external antennas are needed, there is also a yellow sticker to that effect.

jaclaz

Mac Winbox connection sometimes Is "strange" I have seen something like you describe in the Winbox VM in GNS3, but not always, It may depend on the IP4 coming out as 0.0.0.0, but I am not really sure, It could be connected to the APIPA address you are getting (169.254.x.y). Just assign a s...

jaclaz

Yes, it seems fine (in the sense that it does what it should do). Ether 1 is WAN, ok, and on VLAN3, so it is connected to ISP-LAN. Ether2 and ether4 are LAN, ok, (because they "belong" to AC2-LAN) and VLAN 88 and PC connected to them get an IP from the Mikrotik internal DHCP server 192.168...

jaclaz

Yep, I understand :) but a Mikrotik configuration, generally and a VLAN based one more specifically, depends on a zillion settings spread around as if they were shot by a shotgun, you cannot expect anything to partially work with partial settings. See the attached, in RED are the differences that mu...

jaclaz

Post your whole export, there may be something else somewhere else interfering.
Your settings (minus wlans) should be substantially identical to the .rsc I posted.

jaclaz

** my office room has 2 ethernet ports on the wall 1 is for my computer and second one is for my wife's computer. my computer adapter settings shows " Link Speed (Recieve/Transmit): 1000/1000 (Mbps) but my Wifes computer adapter shows " Link Speed (Recieve/Transmit): 100/100 (Mbps) "...

jaclaz

Which means it needs to be regulated 100%

Yep

, so we can tax it

:
https://www.marriedtothesea.com/040709/ ... dillos.gif

jaclaz

I am testing this on a hap lite running Ros 6.49.17. The idea is to have something that can flip/toggle the status of the user led (the ONLY programmable led on hap lite) at each run. For the moment I am using it as the script connected to Mode button, so at each press of the mode button the user le...

jaclaz

@optio It would be nice if you could post the exact complete set of command lines used/needed. I still do not understand how the route setup works. The routing rule sends all traffic to the nordvpn table (since it is based on src-address filtering, ALL traffic, ipsec or non-ipsec), OK. The nordvpn t...

jaclaz

Yep, it is a problem as old as the computer, now MIkrotik is said to have changed something, both in font and in excluding easily confused characters, but there are no reports that I could find about this new approach having been implemented and how effective it is. The 0/O is actually IMHO the leas...

jaclaz

LAST time I ask you to do this test and report: To test the Nat, It would be easier in GUI, open in Winbox a ip firewall nat Window and a ip ipsec peer Window, arrange them so that you can see both and try enabling/disabling the peer and watch what happens in the Nat Window (if nothing changes try ...

jaclaz

N.10.

jaclaz

So the issue Is that some (all) SFP's from Mikrotik do not "fit" or do not "lock" properly on other manufacturers sockets or plugs?

jaclaz

Which standard?

(I love standards, there are so many of them)

jaclaz

Re-read - slowly - optio's post, I guess that below fasttrack rule (what he suggested) is not the same as above fasttrack rule (where you put It).
Try placing It EXACTLY where It was suggested.

jaclaz

Check also this seemingly unrelated thread (in a nutshell, it is not exact science):
viewtopic.php?t=215337

jaclaz

Small correction:

add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=pppoe-out1

jaclaz

Now back to your question - sounds like those rules allow the IPsec communication. Are you trying to tell me, that I should insert the new firewall rule AFTER these two rules ? I will give that a try as soon as I can... Exactly. :) Actually this is what optio originally advised and that I tried to ...

jaclaz

No they are beasts!! .... and should they be too d@mn fast for internet :shock: , you can still use the 1Gb (intended for management) ethernet port as WAN :lol: . Of course CGGXANNX is very correct in the analysis of the real world performance, but with those two beasts of routers it is unlikely th...

jaclaz

I was trying to say something slightly different and generic :oops: . On low power devices such as the L009 settings need to be optimized to reach higher speeds in routing than what is represented in the 512 byte test result. On beasts like the CCR2216 the throughput, even in the worst possible cond...

jaclaz

/ip firewall filter add chain=forward action=drop in-interface-list=LAN out-interface-list=WAN place-before=0 Maybe it is placed a bit too early in the firewall? What optio posted: /ip/firewall/filter/add chain=forward in-interface-list=LAN out-interface-list=WAN action=drop Place it below fastrack...

jaclaz

Anyway the L009 specs have: https://mikrotik.com/product/l009uigs_rm#fndtn-testresults 323.6 Mbps as routing speed for 512 bytes with 25 filter rules (this is the value that happens to be the most similar to real world usage). I believe that at the most, maybe, in a lucky day, with no or very little...

jaclaz

You have It in the config you posted: /ip ipsec peer add address=xx999.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN NordVPN It Is easier in the Winbox GUI selecting the entry and click on disabled (the Red cross). Or - alternatively - you can issue: /ip ipsec peer print And then disab...

jaclaz

To test the Nat, It would be easier in GUI, open in Winbox a ip firewall nat Window and a ip ipsec peer Window, arrange them so that you can see both and try enabling/disabling the peer and watch what happens in the Nat Window (if nothing changes try closing the Nat Window and re-,open It, usually t...

jaclaz

Since you changed the network 192.168.3.x (which in the example was connected to VLAN 3) DO NOT be tempted, now that you have 192.168.1.x to use VLAN 1 (use any other number BUT 1), in case of doubt, check the first few Rules of the Mikrotik Club :wink: : https://forum.mikrotik.com/viewtopic.php?t=2...

jaclaz

Never mind, wrong post.

jaclaz

That copilot syntax is for version 6, Ros7 is slighty different, but converting to it is easy. The first I can understand, the last two ones I cannot, it seems to me like it will block any communication from Lan to Wan (but it is entirely possible that IPsec/IkeV2/whatever does automatic/dynamic rep...

jaclaz

Only a word of warning (if needed).
Using a USB-C connector does not necessarily mean that a device is USB-C compatible (in the sense of capable to draw all available USB-C power), see:
viewtopic.php?t=203231

jaclaz

All leds off may or may not be supported by a given board model. I found that (for wireless devices, hap lite in my case) to be handy setting the usr-led to "wireless status" on wlan1, the led will start blinking when the radio is on/has a connection, then disable temporarily that radio to...

jaclaz

The address must go on the bridge, but all the bridge/port config is obsolete. /ip address add address=192.168.1.1/24 interface=ether01-master-local-vince network=192.168.1.0 You assigned an IP address to an ether interface (ether01-master-local-vince), but then you included it in a bridge: /interf...

jaclaz

we need a load balancing router for a IT SME company with 2 ISP leased lines Good to know. :) What was the question (if any)? :?: Any Mikrotik router can do load balancing, but without knowing the amount of expected traffic/number of connections, ISP connection speed and type, etc., it is hard to g...

jaclaz

1. and 2. All ports can be whatever you want them to be, It Is a limitation ( by design) of Quickset. The Quickset covers one or more "common" configurations, It Is intended as a Quick set :wink: , and It should not be used for anything but those basic configurations, in any case only once...

jaclaz

Is creating a firewall rule the canonical way to turn off internet detection? How do I do this? I’m not familiar how to stutter a firewall rule. No, you just set the interfaces to none: /interface detect-internet set detect-interface-list=none internet-interface-list=none lan-interface-list=\ none ...

jaclaz

Well I am pretty sure that if you can report/explain the principles on how It Is done in OpenWrt, some members will be able to translate It in Mikrotikish. On second thought, I would try anyway to disable the current /ip firewall nat rule and see what happens, no idea if it is true that the new dyna...

jaclaz

I think VLAN 1 is the default LAN for most routers supporting VLAN's. Besides, if I try not to use it (as in not assigb any bridges to VLAN1), I get locked out.

Well, you can do whatever you see fit, as long as you don't lock yourself out and your router or switch configuration works.

jaclaz

Not that I really know what I am talking about, but from what (the little that) I understand the Ikev2 (or IPsec or whatever) creates a dynamic nat rule. Right now you have a generic (default) nat rule: /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec...

jaclaz

I could also open a new thread with that question, if you advise me to do so. Thanks! Naah, this thread has already your export and the context around your configuration, it is fine to continue here, you might want to change the title of the thread to something more meaningful *like* "First ti...

jaclaz

That is the PoE version, is it needed?
It is some 80-100€ more expensive. than the normal one.
But also getic spain seemingly has either in stock.

jaclaz

...but VLAN1 is usually the main LAN. VLAN1=LAN without presence of other VLAN's. Not using it means MikroTik requires at least one other VLAN, which is silly... Sure, it is the Mikrotik default, MIkrotik (not you) made those settings, you leave them alone, do not make any new settings involving VL...

jaclaz

The referenced thread (and the other linked to from it) has seemingly a different scope. In that thread it is about: 1. marking traffic to a given IP (through mangle) so that it uses a second table 2. add a second table with a "narrow" rule to that IP 3. add a routing rule to force (actual...

jaclaz

If I tried to translate it into English it would be "Come on, I don't believe it!" Yep, but it all depends on the tones, and how they can be rendered with punctuation, that would probably be: Maremma cinghiala ? your: Maremma cinghiala ... sounded to me more like "o tempora o mores&q...

jaclaz

No worries, it was gibberish, I didnt understand the meaning of the Italian translation either '=) That's ok, also many Italians not born in Tuscany would have troubles understanding It, they would of course understand the words, but not fully appreciate the meanings (that sentence can have more th...

jaclaz

The "issue" may be the Dam route to the whole internet, 0.0.0.0/0. But It has distance 2, so you can insert a blackhole rule with a lower distance that will prevail, but It has to be seen (cannot really help you on this as I have no experienced with IPsec) what other "narrow" rou...

jaclaz

Well, another confirmation that at least the first two rules are to be followed:
viewtopic.php?t=215004

jaclaz

Yep . You have no added (by DHCP) address and the only router you have Is DAC, created by the static address you have on the bridge, everything Is LAN side. But this is with the SIM not inserted, the address and route print should change once It Is inserted and LTE interface Is Active. If this gener...

jaclaz

A Sandisk USB Stick by any chance?
viewtopic.php?t=203217

jaclaz

configuration=script Not really, configuration = tiny subset of scripting language (without variables, conditional execution, etc.). It even misses (it would be IMHO very useful) the equivalent of a REM statement, or - if you prefer - a way to keep # lines in a section/directory and make item/line ...

jaclaz

Take this info with a grain of salt, but there is this reader: https://www.estk.me/product/estkme-red/ and this howto, both for Windows and Linux: https://docs.estk.me/manual/quickstart/pc/index.html But, even if that approach works, it doesn't solve the actual problem that e-sim should solve. I per...

jaclaz

It must be the outcome of some confused science fiction/meme nightmare after too much Riga Black Balsam

.
We are CAPS, you will be assimilated, resistance is futile. All your access point are belong to us.

jaclaz

All future products will have the eSIM chip integrated. ... 3rd party modems should also be supported as we have implemented a generic low level sim access interface to manage the eSIM. Most of these modules have multiple SIM slots, and the eSIm card is not the default slot. This slot can be change...

jaclaz

Only to show how old I am, something very similar to this AI thingy was once called an "expert system". You feed the system with correct data, and then it can make every kind of cheatsheets, digests and provide correct answers to correct questions. The approach works just fine. Most of the...

jaclaz

Follow this:
viewtopic.php?t=203686#p1051720
and post your configuration, so that It can be checked.

You will need to post also the output of:
/ip address print
and of:
/ip route print
so that also Dynamic entries (coming from the LTE DHCP) can be checked.

jaclaz

No, there Is something else. Once you will have regained access to the device via Winbox, open a new terminal, issue only: /interface bridge port [ENTER] the above will only change the current path of the CLI, the prompt should now include that path. Then issue just the command: export [ENTER] Then ...

jaclaz

No, meaning yes, but it won't be the re-netinstalling that will trigger it, unless you do it on the same device, on a continuous loop, for weeks, months or years. The storage installed (of course it depends on devices) is typically a Hinix or Samsung or WInbond nand flash chip, very similar if not t...

jaclaz

@anav
v6,x -> v7.x
routing-mark -> routing-table

jaclaz

4. Can I upgrade the RouterOS version to 7.18 for hAP ac lite ? Yes. Should you? It is debatable, the issue is that the hap ac lite has a very little amount of storage space, only 16 Mbyte, and it will be almost completely used by the RoS 7.18. With simple configurations, no or few scripts, etc. th...

jaclaz

Maybe a general explanation is needed. "Professional" Mikrotik devices come with no configuration at all. "Soho" Mikrotik devices come with a default configuration (the relative settings are usually commented as "defconf") This default configuration is (slightly) differ...

jaclaz

The AP neds to be cleaned, you have two bridges (and one is unused) in it. Bridge2 is used (it has ether1 and wlan1 inside it), bridge1 can be deleted. You should also disable or delete the dhcp client, it is not running because it is attached to an interface that is now slave to the bridge, in any ...

jaclaz

It seems to me like there is the usual confusion with terminology. What you asked for is more commonly referred to as Wi-Fi repeater, possibly a special one since it uses two distinct radios/bands, one as access point and one as station. You are asking for soemthing similar to these, right?: https:/...

jaclaz

People have different experiences. Yep, and - as I see it - that is actually the base problem, in a perfect world everyone should have exactly the same experience (whether good or bad doesn't matter). We are talking of a mass-produced device, with (set apart some crazy configuration) a fairly basic...

jaclaz

That .rsc is "huge" (it is usually a handful of Kb). Your next attempt is to reset the router, but then you will need to re-import the configuration. And unless the issue was caused by a (rare but possible) hiccup in the update process that does not repeat when you re-apply that configurat...

jaclaz

or mark II or e-sim edition or whatever name the marketing department of Mikrotik will come out with in order to better confuse customers Ohh harsh but probably true :-) Not that Mikrotik is alone is confusing rebrands. I came across an entire website dedicated to the Microsoft's renaming of the M3...

jaclaz

why do you think it is necessary a different subnet ? I've different IP addresses for router and Ont. Usually a router routes between different subnets. DIfferent IP for router and ONT 192.168.1.2 and 192.168.1.1, but both seem like being in the same subnet, from your description it seems like the ...

jaclaz

Support for e-sim is in the works, but it will only work on the new hardware with an added dedicated chip, see: https://forum.mikrotik.com/viewtopic.php?t=214977 So, maybe there will be a hap Ax lite LTEx refresh (or mark II or e-sim edition or whatever name the marketing department of Mikrotik will...

jaclaz

Besides adding the fib tables manually, in v7, these in /ip route add distance=1 gateway=192.168.6.1 routing-mark=ISP2-IP add distance=1 gateway=pppoe-Fiber routing-mark=ISP1-Fiber should be: add distance=1 gateway=192.168.6.1 routing-table=ISP2-IP add distance=1 gateway=pppoe-Fiber routing-table=IS...

jaclaz

Well, about the doubling the cables, since you are anyway using a 100 connection, you are using only 4 wires, so you can use the other 4 for a second connection, far from being "perfect" but it works. From the scheme you posted I still believe that there is no VLAN involved at the moment, ...

jaclaz

There are quite a lot of reports related to Ax (devices or drivers) but they are mostly about issue with dropped connection or failure to roam properly, I don't remember any about packets dropped. There are also a few issues about updating the Ros slightly changing *something* in configuration when ...

jaclaz

Not at all a network expert (let alone wi-fi), but in a nutshell your config is just this: /interface wifi set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5260-5720 .secondary-frequency=disabled .width=20/40/80mhz configuration.chains="" .country="United States" ....

jaclaz

Would the first address leased by a Mikrotik device be the same when using the "superpool" and the "next-pool" approach? We know that normally, with a normal pool like 192.168.88.2 - 192.168.88.254 (the default Mikrotik one) the first leased address is from the bottom, i.e. 192.1...

jaclaz

While the phrase "Mikrotik MAC signature" (MMS) is new to me, the idea and usefullness of it stood out from near first-encouter. That is, I like the ease of identifying MT devices. Perhaps, then, the question is comparing (1) the real-world usefulness of the MMS with (2) the real-world di...

jaclaz

Seeing as I qualify on all (and not just any 1 of those conditions, which would be sufficient), and do not fully understand the above MAC address discussion, then this topic or rule should not be included in the RoMC (Rules of Mikrotik Club). :D Well, it seems to me like - notwithstanding your othe...

jaclaz

Yep, but loosely at the end you want to have both interfaces in a bridge, (configured as station, yours is now in ap-bridge), i.e. something like: /interface wireless set [ find default-name=wlan1 ] band=2ghz-b country=japan disabled=no \ frequency=auto installation=outdoor mode= station-pseudobridg...

jaclaz

From what I understand of your reported setup, right now you are connecting the Mikrotik as a router (to have wi-fi work) and as a switch (to have IPTV working) and it has no VLANs set. In the first case the ether1 is (relative to Mikrotik) a WAN port, it has a DHCP client running on it (on ether1) ...

jaclaz

A network definition like:
src-address=192.168.90.0/24

has the same meaning as:

src-address=192.168.90.0-192.168.90.255

See, using address lists it is even automatically translated:
https://wiki.mikrotik.com/Manual:IP/Fir ... dress_list

jaclaz

You have: /interface list add comment=defconf name=WAN add comment=defconf name=LAN and: /interface list member add interface=ether1 list=WAN add interface=wlan1 list=LAN and: /tool mac-server set allowed-interface-list=LAN /tool mac-server mac-winbox set allowed-interface-list=LAN i.e. you have two...

jaclaz

[11] You don't behave as a jerk on the forum. "Google is your friend: search before posting." "Use code tags around configuration and commands." "Mark a topic as 'solved' when the original question has been answered." ... "If you ask LLM for help then be consisten...

jaclaz

In the context of a /23 subnet, specifically 10.0.0.0/23. the two addresses 10.0.0.255 and 10.0.1.0 are valid and not in any way different from any other of the 510 usable addresses in that subnet: https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=23&cip=10.0.0.0&ct...

jaclaz

I know AI it not looked upon favorably, but so, sometimes, is asking basic and/or stupid questions. So I asked claude.ai and here is what he said: he? :shock: Let's not antropomorphize too much what essentially remains a (very large) number of bits juggled in some kind of (very fast) machine. The p...

jaclaz

Checklist: #1 # to download: /tool/fetch url=https://tikoci.github.io/scripts/lsbridge.rsc #2 # to install as script /system/script/add name=lsbridge source=[/file/get lsbridge.rsc contents] #3 # to load script into CLI /system/script/run lsbridge #4 # to run just use: $lsbridge #1 check #2 check #3...

jaclaz

Maybe you need to install the appropriate "external" package wifi-qcom-ac wireless package.
Starting from 7.13.x it is a separate package:
viewtopic.php?t=202578
viewtopic.php?t=202423

EDIT: post corrected.

jaclaz

As rextended explained in the given thread, in this post: https://forum.mikrotik.com/viewtopic.php?t=186204#p937427 Some devices/OS might interpreter the 10.0.0.255 and the 10.0.1.0 as non-valid addresses (believing that a .0 is always network address a and .255 is always broadcast, which they are n...

jaclaz

Yes, this is as old as fans, is it better to blow air or suck it? :?: And the answer - as often happens - is "it depends" (but it costs nothing or very little to try the fan flipped over). If the fan is in contact or very near to the surface to be cooled, sucking should be in theory more e...

jaclaz

You'll need two pools, as some devices won't like the two "border" addresses (that are correct in theory), the last .255 of the first /24 and the first .0 of the second /24, or you will need to assign them statically to dummy MAC's, see:
viewtopic.php?t=186204

jaclaz

A known recommendation when setting up a Mikrotik device is to NOT have the bridge(s) configured with auto-mac=yes, but rather assigning manually a MAC and set auto-mac=no. The "default-default" (i.e. no configuration like after a reset or netinstall and on devices that have not a default ...

jaclaz

I do understand this is a user forum. And I appreciate the help greatly. I do not understand why I am being accused of not making an effort or not being able to learn. I have gone from zero knowledge of ROS to being able to set up and maintain almost 20 devices. Not with the level of excellence of ...

jaclaz

Thanks for pointing this out - it will be fixed.

Good.

jaclaz

@BartoszP #6 There are a few posts by mkx and rextended that go rather deep on the matter, I'll see if I can understand the written or non-written implications and produce something easy to understand and replicate. https://forum.mikrotik.com/viewtopic.php?t=209850 https://forum.mikrotik.com/viewtop...

jaclaz

Yes. Once a port is part of a bridge It doesn't really "exist" anymore, it Ioses some of its dignity and so adding ether2 to either LAN or WAN has little effect (actually none). Same goes for ether1 the actual interface is either the pppoe one or the vlan one. And while we are at it, you m...

jaclaz

The include=all in /interface list Iooks strange to me.
You should have only two simple lists, LAN and WAN, and two interface list members in them, bridge and pppoe respectively.

jaclaz

Depends how lucky attacker is, just mentioned as possible edge case, from 7.18 without possibility of user enumeration it is even lesser probability for brute force. A lucky attacker should play the lottery, much more to gain in case of success... Surely 1/(∞-1) is bigger than 1/∞, but not much, an...

jaclaz

The Comtrend PG-9182 PoE have explicit VLAN support:
https://us.comtrend.com/pg-9182poe/
https://us.comtrend.com/wp-content/uplo ... M_A1.0.pdf

jaclaz

1. you need a plan

... it gives a lot of satisfaction when a plan comes together ...

jaclaz

... when admin user is compromised, after performing API request with its credentials which only admin user can perform and API fails, it mark admin user as invalid and can continue with brute force users detection. ... but when that will happen, around year 2047, the unit will probably have been r...

jaclaz

This topic leads nowhere. It's disccusion on "sparkling water vs. still water".

Allow me to disagree, strictly speaking it seems to me more like a discussion on the "best technique to cork sparkling water bottles (containing still water) to avoid thiefs stealing all the CO2".

jaclaz

If you are paranoid, to always assign 192.168.88.1/30 to the MGMT port, labeling it or using always the higher port number is introducing a vulnerability anyway by artificially limiting the range of possible connections. Using a random number generator for the /30 subnet in the 10.0.0.0/8 much large...

jaclaz

Added, including a note about restoring binary backup on different models.

jaclaz

I have found a report that Devolo models 8254 and 8504 (of the newer 2400 Magic 2 series) do let VLAN's pass through: https://forums.overclockers.co.uk/threads/psa-devolo-magic-2-next-does-not-pass-tagged-vlan-traffic.18908918/ but it has to be checked, maybe it is not a "by design" featur...

jaclaz

Added/included in corollary #18, thanks

.

jaclaz

For a mere 16 bucks

you can have 50 of these:
https://www.amazon.com/RJ45-Cover-Label ... B071GW537F

(or you can make something very similar reusing old, defective patch cables)

jaclaz

There won't be any rule 0, 13, 14 or 15, the twelve rules are 12, numbered from 1 to 12.

GP and CSA list items #17 and #18, JFYI:
viewtopic.php?t=215018

jaclaz

I'd add a distinct point on that as corollary #7 suggest "safe mode" beeing strongly linked with rule #7 what is IMHO not good as it should be a general advice. However it's your list so you decide :) I am a bit dubious on this one, the present Rules are (in my perverted mind) recommendat...

jaclaz

That device can be booted in both RouterOS and in SwitchOS (you can decide which one to use). RouterOS is (essentially) command line (but there is Winbox and the webfig http interface, both are GUI "overlays"). SwitchOS is GUI only (and overall more similar on how you would configure other...

jaclaz

You should draw a plan of the hotel or procure one from the architects. Then use a wifi planner (there are a few from some other maker that are free) to make a rough estimation of where to place the AP's. Examples: https://tools.dlink.com/wifiplanner/ https://design.ui.com/ https://wfd.cloud.xirrus....

jaclaz

I just found a 0

that probably fell down from anav's post

, the suggested link should be:
viewtopic.php?t=143620

jaclaz

Why? Very good question :D , several possible answers come to my mind :wink: , OP may: 1) have a setup working too well and reliably (boring) and wants to introduce some variations. 2) like to be woken in the middle of the night or early in the morning to cries of "there is no internet!" ...

jaclaz

From specs 1.5A max: https://mikrotik.com/product/rb5009ug_s_in USB slot type USB 3.0 type A Max USB current (A) 1.5 5V*1.5A=7.5W If you need more (and you don't need to switch it on and off programmatically) you may want to use a Y cable on the power supply line (and a buck converter for lowering t...

jaclaz

Preamble and disclaimer: The following is a numbered list of what is usually considered good practice or common sense advice when choosing, using, setting up or maintaining a Mikrotik router. It is my personal take on the matter, and in no way approved, endorsed or recommended, officially or unoffi...

jaclaz

OMG ... there is no rule:

Nth. Remember that "Safe mode" is your all time & forever friend. Use it.

[Nth] There is no CISCO-like running and stored configuration. Changes are applied and stored immediately that is why [7] happens.

Added in corollary to #7.

jaclaz

Disconnect/block internet/untrusted network to the router when performing netinstall until proper firewall rules are created (if netinstall is done without config) and admin user strong password is set or admin replaced with other user. For LTE routers disconnect means remove SIM or netinstall with...

jaclaz

Very likely it is one of the cases listed here: https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/cannot-access-shared-folder-file-explorer https://www.qnap.com/en/how-to/faq/article/what-cant-i-access-nas-shared-folders-with-windows-file-explorer-smb These kind of issues are ...

jaclaz

Still waiting for the solution jackaz proposed. The idea has been posted, including its GNS3 CHR test configuration. So you are waiting for something else, whatever it is. The OP problem has been solved :) with the "right" added route solution, if I were you I wouldn't wait for something ...

jaclaz

Amended corollary to Rule #7 including mac-winbox settings. Whether buying or not 16 Mb devices is out of the scope of the basic rules, though it is a generic good advice. That when an entry commented as "defconf" is changed also the comment should be changed is also extremely good advice,...

jaclaz

Preamble and disclaimer: The following is a set of Rules that are intended as advice useful to avoid the most common errors observed in configuration posted on this forum. It is my personal take on the matter, and in no way approved, endorsed or recommended, officially or unofficially, by Mikrotik ...

jaclaz

From the little I know on the matter, IPTV is tricky. There is more than a single way the service can be provided by your ISP, you should first thing see if there is some (official or unofficial) documentation on how the service is provided. Generally speaking if it is using a VLAN, it will only wor...

jaclaz

Hmmm. It seems to me like you have exhausted all "normal" ways. From the error you get it sounds like the board is not sending the *whatever* allows netinstall to select the "appropriate" boot image. Semi-random thought (and YMMGV) could it be that it is possible to "force&q...

jaclaz

Since you are trying to install 7.9.1, I would try with the same release of netinstall: https://download.mikrotik.com/routeros/7.9.1/netinstall-7.9.1.tar.gz (it might not change anything, still it is worth a try). Why is the packet you are trying to install called "enp6s0 routeros-7.9.1-mipsbe....

jaclaz

Only to keep things as together as possible, I tested in GNS3 the solution suggested by anav, adapted to a similar situation and it seemingly works:
viewtopic.php?t=214817
viewtopic.php?t=214817#p1127037

jaclaz

Very likely there are more than two ways, I understand how the one(s) you suggest is/are the right one(s) and any other one not proposed by you is wrong, by definition. Only as an example, likely the solution you provided here (making use of VLANs) could be adapted as well: https://forum.mikrotik.co...

jaclaz

I would expect the same way it knows about the existence of 192.168.1.134.

I don't know how the OP network is configured in detail, but there must be a LAN (192.168.1.0/24) where ethernet ports and wi-fi are bridged.

jaclaz

Happy you succeeded

jaclaz

The WAN port of the Mikrotik has BOTH the IP address 192.168.1.134 AND the 192.168.1.252. Being on the same network the device with 192.168.1.116 can connect to 192.168.1.252 just fine, no routing involved, everything remains on the LAN side of the ISP router. A connection with destination 192.168.1...

jaclaz

As in the referenced thread, the "real" target gets a sort of "alias" in the "main" network. But it all depends on the rest of configuration, in a "normal" setup of the Mikrotik the 192.168.1.0 would probably be WAN and the 192.168.88.0 the LAN, so likely ther...

jaclaz

@Amm0 The qr-code decodes into two values, SM-DP+ Address and Activation Code (plus in some cases a Confirmation code): https://www.esim.net/helpdesk/knowledge-base/how-do-i-enter-esim-dp-and-activation-code-manually/ https://forums.quectel.com/t/esim-at-command-set/13313 The leading LPA:1$ is a pre...

jaclaz

I am not looking at this in a "negative" way, rather in a factual way, it seems like the direct opposite of Tesla Autopilot (the hardware is already on the car, the software will come soon), it is mocking/teasing customers about something that doesn't (yet) exists.

jaclaz

Isn't this a case where one can use netmap or dst-nat to remap the 192.168.88.252 to (say) 192.168.1.252?

Loosely like done here:
viewtopic.php?t=213056

jaclaz

But it does. Simply that nobody except internal Mikrotik has HW to use it on (yet). How do you know? :shock: Unless you are internal Mikrotik, that is. For all we know it could be (another) anticipated 1st April joke/empty teaser. :lol: It makes no sense to have released (and documented) a command ...

jaclaz

it is compatible, there is "tube" attachment included https://cdn.mikrotik.com/web-assets/rb_images/1445_hi_res.png Which is not listed in the brochure, let alone on the dimensions drawing ... https://cdn.mikrotik.com/web-assets/product_files/quickMount_pro_190516.pdf https://cdn.mikrotik...

jaclaz

Support told me that mikrotik doesn't has any device with e-sim chip yet, so the esim feature is only for testing

Wow, so we have lots of undocumented or mis-documented commands that do something somehow , and now also at least one fully documented command that does nothing.

jaclaz

I think VPN-Remote (or more generally "this side" of a wireguard tunnel) should be LAN, otherwise there might be some issue with firewall, but of course it depends on firewall rules.

Happy it is now workiing

.

jaclaz

Not that I know anything about this new command, but in the string the separator(s) seem to be the dollar sign: LPA:1$sm-v4-009-pla-gtm.pr.go-esim.com$O001-someNumbersAndLetters$$1 So it seems it has to be parsed as: LPA:1 <-unuesed/prefix $ <-separator sm-v4-009-pla-gtm.pr.go-esim.com <- sm-dp-plus...

jaclaz

For omnidirectional you probably want a single dual band antenna with two connectors. Hard to suggest a make/model, being a simple dual band omni I don't think that there is so much difference between one and the other, I would look for something *like* (examples only): https://www.wlan-shop24.de/qu...

jaclaz

I meant: /interface list member add comment=defconf interface=bridge list=LAN add interface=PPPoE list=WAN add interface=sfp1 list=WAN add interface=VPN-Local list=LAN Ok :) , but what is VPN-Remote, LAN, WAN or something else? :?: Then, in IP route, you have only two routes with VPN-Remote as gatew...

jaclaz

add address=10.184.203.4 interface=VPN-Remote network=10.184.203. 4 [/i] <--- this is not really an ip address It surely looks strange, it is very likely intended as /32 address and in the print output it shows that ros sees it as such, but in the export should be: add address=10.184.203.4 /32 inte...

jaclaz

So it is these two mangle rules: add action=mark-connection chain=prerouting connection-state=new \ new-connection-mark=remote-vpn-traffic-mark src-mac-address=\ [mac_address_of_target_device] add action=mark-routing chain=prerouting connection-mark=\ remote-vpn-traffic-mark dst-address-type=!local ...

jaclaz

Dear Senior Consultant / senior IT specialist, a good idea could be sending this letter to the appropriate recipients, namely sales@mikrotik.com and/or support@mikrotik.com (as opposed to posting it on a users forum). Best regards, jaclaz SAFR, TUROM, RKSP [1] [1] Self Appointed Forum Responder, Tot...

jaclaz

Yep, now you have the DHCP server (actually two of them) on the CRS326. I would rethink this: /ip dhcp-server add address-pool=dhcp_pool0 disabled=no interface=GUEST name=dhcp1 add address-pool=dhcp_pool2 disabled=no interface=LOCAL name=dhcp2 /ip pool add name=dhcp_pool0 ranges=10.0.0.2-10.0.0.254 ...

jaclaz

Post also the output of : /ip route print and of /ip address print Review your configuration, look for "*" (asterisk), whenever you find one, like here: add address=10.184.203.4/24 interface=*D network=10.184.203.0 it means that *something* was deleted/removed/renamed and ROS left a paceho...

jaclaz

@anav Doesn't a Starlink provide anyway something in the 100 to 200 Mb range? The CRS326 should be capable of routing those (if used as router, but right now it seems like all interfaces are into a bridge). @Startmoon Your configuration is not the typical home setup, 14 Access Points, your house mus...

jaclaz

are you telling me that if I have the TCP/IP reachability of the remote ltap I can configure it and reach it with this software that creates a virtual serial interface that communicates in TCP/IP with ltap without using the socket? I can find the DE311 for 25 euros, I have already heard of moxa and...

jaclaz

Did you find any solutions for this? I have the same need/problem. Which problem? SSH in a script? SSH is in itself interactive, you need ssh-exec for use in scripts: https://help.mikrotik.com/docs/spaces/ROS/pages/132350014/SSH but if you don't ask the exact question you need an answer to, it is i...

jaclaz

OK, so the idea is: 1) have an 8-port router (let's say a RB5009) 2) have ether1 and ether 2 as WAN, each connected to a different ISP 3) have ether 8 (advised) as a standalone port (LAN and/or TRUSTED) for emergency local access (normally unused/unconnected) 4) have ether 3-7 as LAN (or a subset of...

jaclaz

Typically those devices are mounted externally, on poles. Two antennas are also mounted higher on the pole and they are connected with a (short) coaxial cable that is inserted on the connectors and then makes a small loop downwards, sitting in the sort of grooves/gaps in the cover. See: https://foru...

jaclaz

Besides the usual advice that you will get about how on most devices it is better to have a single bridge, I don' t understand what is the use of a bridge that has only one port in it. :-? If we assume that a bridge is something that connects two or more roads, your bridges connected on one side onl...

jaclaz

I think it depends on the actual requirements, a SCADA system may want or need thousands of readings per second, keeping an eye on a solar panel system should be not very demanding and one might do on the (Windows) PC side with a software solution: https://www.hw-group.com/software/hw-vsp3-virtual-s...

jaclaz

7 checkboxes for "usable channels": U-NII-1 5160-5240 (32-48) U-NII-2A 5260-5340 (52-68) U-NII-2C 5480-5700 (96-140) U-NII-2C/3 5720 (144) U-NII-3 5745-5825 (149-165) U-NII-3/4 5845 (169) U-NII-4 5865-5885 (173-177) +1: all of them and a note *like*: U-NII-1 up to U-NII-2C/3 are compatible...

jaclaz

Only for the record, jaclaz has no idea about "why" it works :shock: , my logic has only been that it didn't seem possible to me that the only way to reference a script would have been enumerating it with print as such mechanism would have been too prone to possible errors (think of a comp...

jaclaz

As always I may be wrong, but adding firewall rules just because they look cool

is not a good habit.
I would run the setup with the rule for some time, then check the counter/log for that rule, if it is not hit, it is better to remove it, as it just clutters the firewall.

jaclaz

.id?
https://gist.github.com/elico/9110bc2a7 ... 1b3e4f8c69

{".id": "ScriptName"}
should work

jaclaz

Here:
viewtopic.php?t=214751
viewtopic.php?t=214751#p1127084

jaclaz

I am not sure to understand the problem. From the CHR point of view, ether1 and 192.168.88.0/24 is WAN, ether2 and 192.168.20.0/24 is LAN. You can (probably you already have) set a 0.0.0.0/0 route with gateway 192.168.88.1 and then add in /ip firewall nat a masquerade rule with out-interface ether1....

jaclaz

... or more simply some really bad coffee?

jaclaz

The default configuration of an Ax3 (and most other Mikrotik Soho devices) has 1st port (ether1) as WAN and all other ethernet and wanports in a bridge as LAN So a wlan interface (either wlan1 or wlan2) should have exactly the same behaviour of ether 2-5. Can you describe exactly the connection erro...

jaclaz

Ok, so I managed to get the setup suggested by anav :) on the other thread working (on a CHR in GNS3), there were a couple typos and a missing setting (the vlan filtering enabled on the bridge, obvious, but it took me a lot of time to find it :oops: ), and it is now adapted to the present thread add...

jaclaz

Well, you did not state whether your switch is using 24V or 48V as output PoE. Loosely (and empirically) the max power stated in specs for Mikrotik devices is much more than needed, you can approximately consider that real world power needed is 60-70% of the specs, but there can be peaks of 30-40% d...

jaclaz

There is this thread here that seems very similar to your intended setup: https://forum.mikrotik.com/viewtopic.php?t=208072 but the proposed solution has not been tested (and it uses VLANs[1]) and it should anyway be modified because of the switch chip of your device. Using two bridges. let's say br...

Search found 2575 matches