MikroTik

jaclaz

Not that it changes anything, but if you decide that the emergency management port is ether1, you should have ether1 as mgmt also on the router. The "usual" convention in Mikrotik is the opposite (the reserved emergency management port is the last one and ether1 or SFP1 is the one "to...

jaclaz

You are welcome :) , happy you found a way out. Only thinking aloud, but I would try to change the distance of the routes (as opposed to disabling them). This way you would have another matcher (the distance). In the down-script you would change the distance from 1 to 10 (or from 5 to 50), and in th...

jaclaz

I don't think that there is that much choice, when the eSIM support was announced: https://forum.mikrotik.com/viewtopic.php?t=214977 it seemed that there were only two eSIM provider in EU: https://forum.mikrotik.com/viewtopic.php?t=214977#p1130907 to which you can add 9esim https://www.9esim.com/ (t...

jaclaz

I have no experience actually using a fusion splicer, when I needed some splices I called an electrician I knew and he made the four fusions for 100 € (with the fiber and pigtails I provided) but I believe that it is not too difficult, we have this nice report of someone documenting a DIY job: https...

jaclaz

Yep, being locked out Is one of the common mistakes when starting with Mikrotik devices, it is part of the learning experience.
But there should not be the need of doing a netinstall, a simpler reset should be enough.

jaclaz

Winbox3 or Winbox4?
(the latter has been reported as having sometimes issues with MAC connections)
IP access ( if available) should be more reliable.

Time to get familiar with the rules of the Mikrotik Club?
viewtopic.php?t=215004
Namely #7.

jaclaz

Assuming that you have already tried both bootloaders (one with reset button pressed/shorted before applying power, the other with reset button pressed/shorted immediately after applying power), there is not much else you can try if not attempting a complete reset and then netinstall. Should be 300 ...

jaclaz

A Camera is connected to ether2 and sometimes, for some obscure reasons stops video streaming. What happens in the "other" direction? I.e. does the camera: 1) respond to pings when it is working 2) stops responding to pings when it stops streaming If both the above are true, you can use a...

jaclaz

Yep, now what is happening is clear, how to change this behaviour is another thing. Pairing the routes in /ip route export with those in /ip route print (simplified) and matching them with the netwatch script lines (see the attached image) it seems to me clear that each time the down-script is run t...

jaclaz

Well, you should post the output of "/ip route print where static" (without the disabled=no) TWO times. Once after the up-script has run and once after the down-script has run. Post also the plain: /ip route export Set aside the change of address, the script disables and enables (should di...

jaclaz

Gibbs' Rule #39: There is no such thing as coincidence.

It seems like a serious bug, both of you should ASAP open a ticket with support.

jaclaz

65° is what I would call "crazy hot" if it was any other electronic device, but SFP's do run very, very hot. Fiber ones run cooler than copper ones, I would say some 10-15° less, but it is not rare to have copper SFP's at 80° or even more. (the operational limit for "standard" gr...

jaclaz

The word picked from the dictionary for today is " complete ". adjective 1. having all the necessary or appropriate parts. 2. (often used for emphasis) to the greatest extent or degree; total. The configuration in post #19 has only ether1 port :shock: , and additional routing tables and ma...

jaclaz

I don't think (but I may well be wrong) that two different ISP connections are actually *needed* for VRRP. :? From what I understand the whole stuff revolves around the concept of redundancy and transparent or almost transparent transition from the normally "master" router to the normally ...

jaclaz

yes the sim card was tested using a smartphone

There is a known issue (actually a non-issue if you know about it) about the settings for network APN, they are somewhat counterintuitive, check
viewtopic.php?t=210031#p1090732

jaclaz

I’m sorry to say I don’t understand the ‘recursive next hop search’ approach, but I hope that’s something I’ll learn in time. No need to be sorry, the matter is a bit complex and not really well explained in an accessible language, the usual given reference is this: https://forum.mikrotik.com/viewt...

jaclaz

@BartoszP With all due respect :) , if you confuse J with 1 or I :shock: , you should be visited by an optometrist or - better - an ophthalmologist. This said, I often use XKCD random generator :wink: : https://imgs.xkcd.com/comics/random_number.png Noone will ever guess my 44444444 password! :lol:

jaclaz

Only seemingly unrelated, many years ago I learned from an electrician who had worked for a long time in Switzerland (which at the time had more advanced safety standards, that were actually followed) that when working on an electrical plants you: 1) first switch mains off 2) then put a (mechanical)...

jaclaz

To be picky, more than "a bad habit" having not a proper firewall on a router directly connected to the internet is what we highly specialized technicians

call "a recipe for disaster"

, Rule #8:
viewtopic.php?t=215004

jaclaz

Sure you cannot short the bottom right side pad in your photo (as it isn't there anymore) but you should be able to understand to what the now missing pad was connected. On the Ac2 it seems like the contacts are the 1 and 2 in the picture here (and you miss the 1): https://forum.mikrotik.com/viewtop...

jaclaz

Are you sure of this:

/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=Lan
set [ find default-name=ether1 ] disable-running-check=no name=Wan

It seems like ether1 is BOTH LAN and WAN?

jaclaz

Please be aware that a Cap device (intended for Ceiling mount, but that can also mounted on a wall) has a shape of the emissions that can be imagined as a spherical cap (when mounted on a ceiling omnidirectional in the horizontal plane and downwards only in the vertical plane, see: https://forum.mik...

jaclaz

Wouldn't that be a VRRP setup?

https://help.mikrotik.com/docs/spaces/R ... 62945/VRRP

jaclaz

Check:
viewtopic.php?t=207577
viewtopic.php?t=207318
Different devices but most reset buttons work the same way.

jaclaz

Which speed do you expect from the LTE connection? And which kind of reliability does the primary connection you have? As always I may be wrong, but It seems to me like you are a bit overthinking it. I mean, it is not like your two connections are equivalent, if we (for the sake of the example) say ...

jaclaz

Well, you have to imagine the second AX2 as a "concentrator of clients". Simplified you have (say) 10 clients (phone, tablet, PC's, etc.) all in the range of the old AX2, each *draws* 10 Mbytes, total 100 Mbytes. Then you move 5 devices out of the range of the old AX2 and connect them to t...

jaclaz

Side note, unrelated to firewall, and unlikely to cause any issue, but you have a *B interface, point #21 here:
viewtopic.php?t=215018

jaclaz

... cause I checked all what is possible :( Surely you did, but sometimes a teeny-tiny mis-configuration escapes anyway. You should start a new thread, describing your setup and posting the configuration of the devices involved, from what you write the issue appears to be on the cAP, so start by po...

jaclaz

I don't think that a device in the configuration you want/need can be managed via c AP sman, the radio of the Ax lite won't be an AP (as seen by the main router Ax2), it will need to be configured as station (please read as "client") to connect to your current Ax2, then a slave interface w...

jaclaz

If you don't really *need* the tiny size and portability of the Map (standard or lite) you'd better get a device using the same kind of wi-fi as your Ax2, which in this case would mean an Ax Lite, a little more expensive than Maps, but this way you will have (besides a much faster transmission and m...

jaclaz

There's also a native Linux version of Winbox

Yep

, but still, since it may be derived by source code that may have been stored in the same folder directory where the Windows files were, it may have been contaminated.

jaclaz

Sorry, I have to ask, as I don't understand.

If you have "normal" Winbox/terminal access, why did you choose to go for ssh RoS update?

jaclaz

It depends on the actual hardware involved but I suspect more the configuration.
To allow some of the more expert members to comment on the issue, you should post your complete configuration, follow these instructions:
viewtopic.php?t=203686#p1051720

jaclaz

My apologies. I wasn't aware of that. But that wasn't my point, the rest still stands.

Sure

, no need to apologize.

jaclaz

I see, we were lucky then here in Italy, up to 1960's or so we had external electric cables, then for a short period in the 1970's plants like yours were common, afterwards they were all made with conduits, though often using very small diameter tubes (very difficult to refit/replace cables) by the ...

jaclaz

Yep, I have the same doubts about the possibility of duplication, expressed and discussed here, JFYI:

viewtopic.php?t=215082
but there isn't yet a definite answer/recommendation.

jaclaz

The WAPs (It may depend on the exact model) are rather different from "generic" AP's, they tend to be rather directional with signal projected mainly in a sector 60 to 90 degrees as opposed to the omni-directional (360 degrees) emissions of the internals antennas of most AP's and of the st...

jaclaz

... some testing done by some random person on another forum.

To be fair, SiB is a well known and esteemed member here on Mikrotik forums, so not so random.

jaclaz

Besides the ( BTW surely interesting and useful) discussione on the details of a VLAN and OSPF (complex) configuration It seems to me that you are (seriously) over-estimating the capabilities of a single access point for the wi-fi part. There Is no way an Ax3 in the basement will cover anything besi...

jaclaz

I see :) , though Cat6 is a relatively recent product, the standard should be early 2000's, but AFAICR it took a few years before coming in common use, it is strange that it was not "properly" passed in conduits. I did not understand that it was connecting different buildings, make sure th...

jaclaz

There are basically three "groups" of people on Mikotik forum with diverging opinions regarding firewall rules, let's see if I can explain how I see the situation. The first one, that we will call for simplicity "the rextenders" :wink: believe that the default firewall rules that...

jaclaz

So, most of the issue is the cable, which then can be demoted from "slightly questionable" to "definitely bad". Only for the record, many, many years ago, Jerry Pournelle had a column on Byte (the magazine) where he tested lots of new hardware that at the time was at the edge of ...

jaclaz

Well, if you have (or can have) direct line of sight, and you don't need particular speed in the connection, you could get away even with a (good ol') mAP: https://mikrotik.com/product/RBmAP2nD it is really tiny, so very portable. There is also the map Lite: https://mikrotik.com/product/RBmAPL-2nD t...

jaclaz

solved...! ( how to close this thread?) You should have, top right of posts an icon *like* a green check mark. If you hover over it you will see "accept this answer". Click on the check mark of the post by rextended that put you on the right track. That post will get a green border and th...

jaclaz

SFP's (copper) become VERY hot, 52° is like "warming up", there are reports of people running SFP's in the 80°-90° range, while there may be issues with the SFP, it is not overheating.

jaclaz

What's the length of Cat6 cable connecting both switches? Though length is still unknown, the cable has been described on the other thread "slightly questionable quality cable": https://forum.mikrotik.com/viewtopic.php?t=216643 @ Luk5566 Cat6 cable at 10 Gb speed is usually considered via...

jaclaz

Can you give me an example? I tried to drop packets from 192.168.20.0/24 to 192.168.10.0/24, but without success.

Try blocking by interface list, instead of by IP:
viewtopic.php?t=207289#p1073188

jaclaz

/ip firewall nat add action=masquerade chain=srcnat Usually a masquerade in src-nat is configured for a given interface or interface-list, i.e. either: /ip firewall nat add action=masquerade chain=srcnat out-interface=ether1 or: /ip firewall nat add action=masquerade chain=srcnat out-interface-list...

jaclaz

Interesting. I cannot confirm this behavior on my RB5009 (RouterOS 7.18.2, auto-mac=yes). When the Ethernet interface that provides the bridge MAC address goes down, the bridge MAC address does not change. The Mikrotik documentation does not mention the behavior you describe either. On what hardwar...

jaclaz

Not that I am really sure about this, but from what I understand there are three "modes" in which an AP can be configured: 1) stand-alone 2) pure CAP under external Capsman 3) a mix of the two above I believe that Capsman at the end of the day commands only the wi-fi part or little more. E...

jaclaz

You have a couple *'s (asterisks) in your configuration /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf interface=Stadtwerke list=WAN add interface=ether2 list=LAN add interface=*10 list=LAN and: /interface wireguard peers add allowed-address=192.168.10.5/24 ...

jaclaz

Your link for code tags isn't valid anymore...

Well, it works from here.

Anyway, edit your previous post.
Add before the configuration this:
[ code ]
without the spaces
and after the configuration this:
[ / code ]
again without the spaces.

jaclaz

here it is: Perfect. (and PLEASE, learn to enclose it in "code" tags, see the instructions here: https://forum.mikrotik.com/viewtopic.php?t=203686#p1051720 ) (configuration posted in code tags are easier to scroll and the board parser does a good work in colorizing the text so that comman...

jaclaz

On a properly configured device detect-internet either: a) does nothing or b) may - in some cases - create isssues on a configuration like yours it may actually do something useful (i.e. allow connection from the outside, this is actually the reason why the good Mikrotik guys made it) but at the sam...

jaclaz

Per documentation, to use station-wds both ends of the connection should be Mikrotik: https://help.mikrotik.com/docs/spaces/ROS/pages/122388518/Wireless+Station+Modes So, it is not surprising that you are having issues with it, I thought that it wouldn't work at all, not that it works until you add ...

jaclaz

so correct logic in mikrotik v6 you must remove then re add the port ... *LoL gonna try your example script tomorrow... thanks rextended and jaclaz Yep, but it is not specific to v6, it is the "add" command that assumes that you cannot (re-) add something that already exists.. Conversely,...

jaclaz

If these interfaces are ALREADY in the bridge, you will get an error even if you try to add one manually. I.e. what happens if you run on terminal just: /interface bridge port add bridge=ether2.br1.switch interface=ether2.br1.79.0/24 You should remove all those interfaces before running your script ...

jaclaz

How many devices do you have under capsman? You could have the (new) Wap (AC) LTE set self-standing, or am I missing something? BTW, I presume you want/need both the 2.4GHz and the 5GHz, so your new device would be a WAP AC LTE kit which is not-so-cheap at $169 (for a device with only 16 Mb storage ...

jaclaz

ok i can downgrade the main router also to 7.18.2 if that's make sense. Naah, it is unlikely that the problem is related to the OS version, wait for some more qualified assistance, but in order to get it you should: 1) post the full configuration of your RB760 following instructions here: https://f...

jaclaz

Typo?

:local lrttavg ($"rtt-avg" / 100)

:

should be:

:local lrttavg ($"rtt-avg" / 1000)

jaclaz

None of pictures from previous post are visible to me. OP used the "img" tag for links to images on ibb.co, the urls are visble when you quote the message: https://ibb.co/b5qNMYfQ https://ibb.co/QvGrJRdC Not that they tell much. However the rb760 is running 7.19 beta 8 :shock: and the oth...

jaclaz

Just thinking aloud, but the "risk" (in a lmited number of cases) is that one might not be able to easily find the culprit of a "down" if caused by these "-avg" or -stdev" thresholds. I mean, let's say that the thr-avg is left as default to 100 ms. <- so this setti...

jaclaz

Well, at $21,500.00, it better puncture preambles, postambles and possibly the space-time continuum: https://www.wavonline.com/Tarana-Wireless-35-0171-001

To be fair, that is the base, the remote node is only $1,062.00:
https://www.wavonline.com/Tarana-Wireless-35-0128-001B

jaclaz

/interface detect-internet set detect-interface-list=all Rule #5: https://forum.mikrotik.com/viewtopic.php?t=215004 A couple related threads: https://forum.mikrotik.com/viewtopic.php?t=167850 https://forum.mikrotik.com/viewtopic.php?t=167850 /interface bridge add dhcp-snooping=yes name=Loopback por...

jaclaz

Yep, almost all correct :) , to be picky you forgot here the deciimal separator (dot if we use the English notation): 5) Concatenate the whole unit variable ("integer") , the decimal separator and the 3 character variable ("decimal") to form the rtt-avg shown is xx.xxx ms but thi...

jaclaz

But do check that the power supply is working as it should, ideally testing the device with another surely working power supply. This is not Mikrotik specific, any device power supply may fail "completely" (no power at all or evidently too low voltage output, easy to check) but also "...

jaclaz

@xsentinel
You'll have to take some time to go through this loooong thread:
viewtopic.php?t=214608
to better understand the two different usual approaches in firewall.

jaclaz

Check this script by jotne (you might need/want to adapt It to your specific requirements, but It Is a solid base):
viewtopic.php?t=147251

jaclaz

A practical (though doing very little) example here:
viewtopic.php?t=215401

jaclaz

Yes, there are several devices that would do in your case, selecting a pair of them depends on several factors: 1) which connection speed you have form ISP at work 2) which connection speed do you *need* at home 3) how much money are you willing to spend for the Mikrotik hardware 4) if there are any...

jaclaz

If you are going to fiddle with the firewall, remember that rules are applied in the order they come within the same chain , so it is a good habit to keep firewall rules by chain, usually first input, last forward (a standard firewall has only input and forward chains) so that the settings are more ...

jaclaz

And no, you cannot use v6. I guess you haven't bought a MikroTik product since the first CCR2004, for which you could apparently accept a downgrade in functionality (ie v7) for it to just work without crashing every two minutes. In that sense if you squint your eyes enough, v7 maybe superior to som...

jaclaz

Isn't this issue the same of this (old) one?
viewtopic.php?t=130547

The workaround of putting ether1 into a bridge (by itself) should still be working.

jaclaz

And, to add some context, these are the default firewall rules (for Soho devcices): https://forum.mikrotik.com/viewtopic.php?p=856824#p856824 This one: add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN" uses the ! to select as in-interface AL...

jaclaz

If you do a math operation in RoS, you are using integer math. The result is the same as you would use INT in a spreadsheet. Or the same (with other limits) as you can have in Windows command line/batch. The examples rextended posted (set apart some little typos with 21565 that is not changed in a f...

jaclaz

1. interface list Is a categorization, you are telling that (say) ether1 belongs to "group" WAN and that bridge belongs to LAN. These interface lists are used - as an example - in /ip firewall filter and /ip firewall nat to apply the same rule/commands to all members of the list (or "...

jaclaz

I believe that the 500 or so speed in routing (25 firewall rules 512 bytes packet) had been confirmed to be reflective of real world usage also for this device.
But maybe the hex refresh Is an exception also in this.

jaclaz

Very likely unrelated to the issue at hand but there are a couple of possible problems in your Ax2 configuration. 1. don't use vlan 1 unless you really know what you are doing https://forum.mikrotik.com/viewtopic.php?t=215004 2. you have a few places where *something* has been replaced by an * (aste...

jaclaz

Then the mode A vs. Mode B would explain everything. The camera very likely is: 1) PoE 802.3af 2) with an ethernet port 10/100 Mb By definition in 802.3af/at a PD (the camera in this case) MUST accept PoE power BOTH as Mode A (pairs 1.2 and 3,6) AND Mode B (pairs 4,5 and 7,8). Still by definition in...

jaclaz

So the effect of having VLANs makes it 1-363/498=almost 30% slower than routing with 25 ip filter rules?

jaclaz

Ethernet cables (actually their plugs RJ-45) don't work as you might think. In theory they are all the same, in practice it is common enough that a plug works in a socket but doesn't in another. So you haven't (yet) proved much. It is also not clear in your last post/report WHICH device is providing...

jaclaz

Of course I may be wrong, but it seems to me like this "but ether1 is different" - while something to take into consideration - won't have that much an effect in practice when used as a switch port. The test results are seemingly not very different between bridging and routing (fast path):...

jaclaz

Ok, there are three branches or lines from the PowerBox Pro: 1. 40 m long CAM1-5m-box1-30m-box2-5m-Powerbox 2. 1 m long CAM2-1m-Powerbox 3. 9 m long NVR-1m -box3-8m-Powerbox #1 doesn't work #2 works just fine #3 works just fine What was working yesterday, or even one minute ago is not that much rele...

jaclaz

Ah, ok thanks.
Then it Is my fault, the rtt-min (wrong thr-min) wasn't there, I must have derived It from your status screenshot and the discussione about those parameters.

jaclaz

Sure, you can set the DHCP server to always assign a given IP to a certain MAC, or you can assign those IP's to non existing MAC's and set the device to a static IP. See: https://forum.mikrotik.com/viewtopic.php?t=179909 Or you could make holes in the IP pool, by setting non contiguous ranges, leavi...

jaclaz

The curiosity Is not that the page has been edited, It Is that an item has been removed from the list/table, while keeping the other parameters with the wrong names. It Is not like they did not touch that list/table (as if they had forgotten it). I seem to remember you had some ways to link to the ...

jaclaz

Since It Is an average, it is possible that for *some reason* they are using 1/1000 precision in the math operations used to calculate this average, but it makes little sense, since the corresponding thr-avg is set in "whole" milliseconds. Curiosity of the day: The netwatch help page has b...

jaclaz

Well, before I was thinking that I wasn't capable of understanding your cabling setup, now I am definitely sure that you simply cannot describe It, It seems like It Is a moving target.
Post a meaningful sketch of the layout if you need suggestions, this way It Is only lost time.

jaclaz

And, the rtt-avg of 24516 actually means 24.516ms.

Hmmm.

That would imply that inside the router there Is a clock (or some other high precision technology marvel ) capable of 1 millionth second (microsecond) resolution.

jaclaz

I would have expected an error of 5-10% or so, maybe 15% in the distance, 48/35 is more like 40%. Maybe that 30 MT cable is one of those newish thinner ones that probably is characterized by a slightly higher resistance. You can still test from the cam side the stretch 5m+box1+30m up to box2 (discon...

jaclaz

Unfortunately I cannot see how your cables are arranged, but if you try with another (tempoorary) cable and it works, then it is the cable. Since the cable test (even if as said it is not a precise instrument) can be run with just a device on one side, you can move the device at the other end of the...

jaclaz

Well, you don't have extremely long cables, 40 m max? You can try the built -in RoS cable checker, cannot say if it is available on the powerbox[1], though it is not an exact measure instrument it may point out the issue and the distance from the port. /interface ethernet cable-test ether2 https://h...

jaclaz

I don't understand your layout. It seems like the fortigate is a LAN device like any other (with IP 3.3.3.254, belonging to the 3.3.3.0/24 network) that is "fed" from the mikrotik via a public IP 2.2.2.66 (but is it the fortigate ip or the mikrotik one?) the whole thing seems a loop, I had...

jaclaz

:foreach i in=[/user-manager session find where active=no] do { /user-manager session remove $i; }

This remove only inactive sessions

While the one previously posted by rextended, which is much simpler :

/user-manager session remove [find where active=no]

did something different?

jaclaz

Well, if you also have an Ax3, the Hex refresh will use the same OS, if you can manage VLANs on the AX3, you can also on the Hex.
SwOs has less control (but is easier to configure) but can do VLANs just fine.

jaclaz

Wrong as in "it won't work and I should not do it" or "it's not the best way to do it"? Wrong as in "if I didn't say that they would be trying to convince me on how good VLANs are instead of trying to convince you ". :roll: More seriously, I don't think that it won't w...

jaclaz

Yep, much better now. Using two bridges is the logical (and simple) solution, though making the two bridges not talk to each other might be more complex than you would expect. BUT it is the "wrong" approach. Anav (and all the other members that actually know how to configure VLANs) will ex...

jaclaz

I thought that by this time we had established that the thing that surely doesn't work is :local myhost $host rextended BTW just explained that host is anyway not a good selector as there could be more than one netwatch instances aimed to a same host. Since netwatch has a "name" property, ...

jaclaz

@buckeye I am not sure to understand the math that leads to 7. Op wants to have 4 devices on that switch +1 uplink to existing network=5. Of course there must be a free port on the other side of the uplink on the existing network. Of the 4 added devices: 1. Ethernet security camera (5 MP) 2. Raspber...

jaclaz

Good :) , so you have a DAd route (Dynamic Active dhcp) towards the internet, this one comes from the DHCP server on your network gateway and three DAc routes (Dynamic Active connected), these three are made automatically by the router when you assign IP addresses to interfaces, of the three address...

jaclaz

I may be old fashioned, but before learning to script better there is IMHO the needed step of learning to script. As I see it (non-working) scripts should be divided between those that do not work because they are "wrong" (conceptually) and those that do not work just because of some mista...

jaclaz

Open terminal in Winbox.
In It issue:

/ip route print

and:

/ip address print

and post their output.

jaclaz

I would try seeing what happens changing this:
:local mystatus [get [find where host=$myhost] status]
to:

:local mystatus [get [find where host=8.8.8
8] status]

(8.8.8.8 or whatever host Is your netwatch for)

jaclaz

Imagine a common (old) router. Typically it has: 1 port (usually Blue) that is WAN (or outside/internet/danger) 4 ports (usually Yellow) that are LAN (or inside/safer) these 4 ports are assembled together in a switch or bridge. Between the two above there Is a separation, i.e. Nat and firewall. The ...

jaclaz

Yep, "in the script" does not mean "in terminal". Curly brackets are needed (in terminal). @Amm0 It's not like I have more patience, more simply you are way more experienced and knowledgeable than I am in Mikrotik scripts, so you automatically give for reknown basic things that a...

jaclaz

So, in the script, if you replace
:local myhost $host
with
:local myhost 8.8.8.8
(or whatever host you are using in the netwatch)
what happens?

jaclaz

If there is no output, I would suspect that $myhost is empty/not defined or not found.

Simple test:

{
:local myhost Pippo
:put $myhost
}

and/or:

/tool netwatch 
:local mystatus [get [find where host=] status]

does it give the same or a different error?

jaclaz

On the product page it is referring to this "SFP compatibility list": https://help.mikrotik.com/docs/spaces/ROS/pages/220233794/MikroTik+wired+interface+compatibility Which contains 4 tables, titled: 1G SFP 10G SFP+/25G SFP28 40G QSFP+ 100G QSFP28 So you have to search for Netmetal ax and...

jaclaz

Can you just post the output of:

{
:local myhost $host
:put $myhost
}

jaclaz

Is actually

:local myhost $host

working?

or, what happens with:

{
:local myhost $host
:put $myhost
}

jaclaz

Yep, by "it" I meant the generic "RB3011 device", sorry for the confusion/misunderstanding. There is *something* in the first RB3011 device that makes it behave differently from the second RB3011 device. This *something* is seemingly the 3.27 bootloader, but as you say the way it...

jaclaz

Yep, but was using dark mode prescribed by your doctor?

Seriously, that may well be a feature request, that you should ask Mikrotik support:

https://mikrotik.com/support

not here on the forum.

jaclaz

Well, I have no different way to write "the issue is not about updating RoS".
And you have a strange way of disagreeing, by stating:

Not correct. The issue is not with updating ROS.

jaclaz

... we can't provide a public administration or government with equipment that doesn't work.

Sure, devices used in productive environments should be absolutely reliable.

jaclaz

Is this accurate? Yes , it seems accurate to me , in the sense of accurate representation of how we have understood it works, not necessarily accurate in an absolute way. What is missing is (very likely irrelevant in practice, still ...) is the actual time the ping takes, while it is likely a very,...

jaclaz

Still, even with a high conversion rate of 95%, it would be 3.3*2.5/0.95=8.7W so 8.7/5= 1.74 A.definitely more than 1A at 5V.

jaclaz

If I got paid a nickel every time you typed that.......................... Well, it doesn't work that way, I write the posts, I get the pennies. :lol: One day you too will see the light of a sandbox for new users.................... Maybe one day ... https://c.tenor.com/AkV47FRnjHIAAAAd/tenor.gif

jaclaz

I have just tried setting my home wireguard client peer to 53 and and nothing happend, not even connection to winbox broke and all works fine.

Did you actually check that port UDP 53 is used BOTH by DNS and Wireguard?

jaclaz

@mkx As I see it, the issue is not about updating the Ros (which has been solved with the tested workarounds), it is about updating it in such a way that the device after the update behaves like the other one If you prefer OP has two devices, belonging to two series/batches that behave differently B...

jaclaz

Yep :) , not so casually the main setting to experiment with in the table of the provided spreadsheet is "interval". I imagine the values for interval that are actually useful as a Bell curve, with values that range from 0 :shock: to 120 or so, hence the 60 seems to me a good value to star...

jaclaz

Right now the 2pin voltage from the battery bank is at 27.0V and the jack voltage is at 24.3V. There hasn't been a time in the last few months that the 2pin battery bank voltage would be anywhere close to 24V as the overnight voltage generally won't dip below even 25V this time of year at least ......

jaclaz

Yep, VLAN 0 would be an issue. Also avoid using VLAN 1. Some devices treat VLAN 1 as something special - often with unpredictable results.

Just in case, the first two of the twelve rules of the Mikrotik Club are relevant

:
viewtopic.php?t=215004

jaclaz

Maybe there is a ISP device converting from fiber to ehernet, as ethernet cable is mentioned. If this is the case, the procedure is the same, only instead of sfp you make sure that ether1 is out of the bridge, categorized as WAN and has a DHCP client running. Anyway it would be much better/easier if...

jaclaz

But what does actually happen if the "randomizer" comes out with (say) port 53 (that is already in use by DNS? This can be manually tested setting intentionally the Wireguard port to 53. Either: 1) Wireguard will take possess of the port or: 2) the pre-existing DNS wins If the latter, then...

jaclaz

I would first try with a suitable powered USB hub between the devices. If the issue is power, it should work. 1.8A or 2.5A is however a lot, cannot say if USB hubs capable of putting out that amount of current are easily found. Maybe using a USB Y cable (the kind was sometimes used in the (good?) ol...

jaclaz

It's almost like the EAP was stuck in some kind of abnormal PoE state out of the box, which caused it to not play nicely with the RB5009, but connecting it to a different PoE source somehow reset something, and now everything is working perfectly. It's bizarre! Some sort of breaking in? :shock: Or ...

jaclaz

And now, for no apparent reason

, a spreadsheet with a (nice?) table of values to play with.
I am attaching also a screenshot so that one can preview the thingy.

jaclaz

OK doesn't really mean "correct", it is more like "NOT WRONG". :wink: I am still not convinced of the default (or of yours) settings, a machine that goes ping: https://www.youtube.com/watch?v=VQPIdZvoV4g should do so at regular intervals. The graph would be something *like*: |___...

jaclaz

Maybe related, maybe not, /31 support has been added only recently in 7.18.2:
viewtopic.php?t=215048
so its implementation has not been widely tested.

jaclaz

If it is a recurring (periodical) event, I would try to (temporarily, until the actual problem is found and hopefully solved) put up a scheduler script to run every night at (say) 3:00 AM to disable and re-enable the interface unconditionally. If it is an office, you can maybe have it run twice dail...

jaclaz

A.2 Right now you have your SFP added to bridge. If you want to set it as WAN you have first to remove it from bridge (thus making it self-standing). /interface bridge port add bridge=bridge comment=defconf interface=ether2 add bridge=bridge comment=defconf interface=ether3 add bridge=bridge comment...

jaclaz

As I read it, your last settings have these three relevant parameters: 1) interval=2m 2) packet-count=400 3) packet-interval=200ms #1 means that the probe will run every two minutes (or 120 seconds) #2 means that at each run 400 packets will be sent #3 means that the packets will be sent one after t...

jaclaz

It would be easier if you could post your full configuration, following this:
viewtopic.php?t=203686#p1051720
The output of /ip firewall print, and/or of /interface ethernet print besides being partial is less readable than the output of /export.

jaclaz

To me it still looks like hammering. :shock: 400 packets sent at 200 ms interval every 2 minutes? The defaults end up being 6 runs per minute x 10 packets/run=60 packets/minute (which already seem to me a lot). Your last settings come up as 1/2 run per minute x 400 packets/run=200 packets/minute.

jaclaz

Today i tried another POE splitter from TP-Link(TL-POE10R) and it was success. AX3 works with 12V 1A output from the TL-POE10R. Good, so the problem is solved :) , though 12V 1A are (in theory) not enough to power an Ax3, the device is rated for 15W, and though those will likely rarely be needed (i...

jaclaz

The failover configuration looks good to me, and it is coherent with the pic you previously posted of the route list. The ether2 route is only S (static) whilst the "good" ones via pppoe-out1 and 8.8.8.8 are AS (Active Static). The result of speednet must be an artifact (or could it be bro...

jaclaz

The Chateau LTE 12 is among the devices with only 16MB of storage. Usually troubles with updating the RoS on these devices is connected with not enough available space. It may be possible to free enough storage, or it may not, it depends on how big your configuration is and if you have files on it t...

jaclaz

Configuration i have posted before. But then you reported changing some settings, so the posted configuration is not the one currently running (or you lied :shock: when you said you changed it :wink: ) , anav wants to see the current one. There is always the concrete possibility that EITHER: 1) the...

jaclaz

Teams does not eat much bandwidth, and 300-400 Mbps are anyway a lot, it is good to find someone that uses cables when needed and can live happily with a good enough wifi, in these times of wifi 6 and 7 crazyness.

jaclaz

Hi! Based on the description, the problem could be in several places.

Not really, as already explained the L009 is NOT providing PoE out if powered by PoE in, by design.
The general troubleshooting steps you listed which would otherwise be good ones are in this specific case unneeded.

jaclaz

Which kind of internet connection (speed/bandwidth) do you have? And which kind of devices (clients) do you have? The RB4011 is a quite powerful/fast device while the Ax lite is 2.4Ghz only, so not a very fast wireless access point, it has to be checked if they can represent ( now or in the near fut...

jaclaz

But I would never have figured out with your help ...

Talking of double negations .. I presume there Is an "out" that slipped from your fingers ... (I would try putting It after the "with").

jaclaz

Yep, then it is normal, as the pppoe-out1 is "standing on the shoulders" of ether1, if you disable ether1 you disable also pppoe-out1, so that devices loses the connection to the DHCP server (and the DHCP client on the Mikrotik waits forever). What is connected physically to eher1 ? A fibe...

jaclaz

Yep, but you managed to choose like the second worst antenna in the world :shock: (seriously, that one is for interior use only). If the netmetal goes outdoors (as it should), you want outdoor antenna(s). Devices that go outside must be weather/waterproof as much as possible. In a perfect world anyt...

jaclaz

I am sure noted, I doubt the understood.

You chose ... poorly

, those are like the worst possible antennas to mount (if the device is to be put outdoors, but a Netmetal indoors makes little sense), try reading again the given links.

jaclaz

Yes, you NEED antennas, powering the device without antennas connected might result in damage to the device, the transmitter needs a given minimum impedance on the connector, if you want to fiddle with the device without antennas, you need to use either common wi-fi antennas or terminators on the an...

jaclaz

Hard to say with just the routes. Post your whole configuration, instructions here: https://forum.mikrotik.com/viewtopic.php?t=203686#p1051720 and also twice (once when ISP1 is used and once when it has failed over to ISP2) the output of: /ip address print How exactly are you simulating the loss of ...

jaclaz

Nice finding about the rtt- prefix instead of the thr- one, now it starts making sense. (and confirms that proofreading is a lost art), but Amm0, with all due respect :) , you need to use more linear English if you want to explain something (or maybe you also got the Latvian virus that make affected...

jaclaz

Yes and no. In the sense that the way Mikrotik sets the MAC of the bridge is during the running of the default configuration script, and it does so by assigning to the bridge (and setting auto-mac=no) the MAC of the first interface it finds among the ports in bridge. So, since: 1) the default config...

jaclaz

Yes. One of the actual issues with backup (not export and manually restored in snippets like you did) is that it "brings over" the old MAC and sometimes this is not advised because it can create conflicts, but in your case you are replacing the device and you never have the two devices con...

jaclaz

Still it is not at all clear (to me :oops: ) the difference between the previously listed ICMP probe options and the ICMP properties: sent-count ICMP packets sent out response-count Matching/valid ICMP packet responses received thr-loss-count number of lost packets thr-loss-percent number of lost pa...

jaclaz

Converter is 802.3af/at PoE-in, so it implies IMHO 802.3af/at PoE-out therefore L009 is properly powered but AX3 gets wrong type of PoE-in Not really. it may or may not imply anything, but surely not PoE 802.3af/at as it CANNOT be 24V, only 48V (or so). Min voltage for 802.3af is 37V (range 37.0–57...

jaclaz

The way I read the docs, it is a "or", i.e. there are 6 different thresholds: thr-max (Default: 1s) Fail threshold for round trip time-max (a value above thr-max is a probe fail) thr-avg (Default: 100ms) Fail threshold for round trip time-avg thr-stdev (Default: 250ms) Fail threshold for r...

jaclaz

Are you sure that the 24V/1A are there "no question asked"? (the device may do some controls. like resistance check before providing the 24 V out) In theory it should work, but you never know. You can try using an injector/splitter and a male-male jack cable to power the Ax3 taking the pow...

jaclaz

You night want to post your whole configuration, there may be some misconfiguration elsewhere, but why do you have check-gateway on those two routes?
I believe you can use check-gateway only if the gateway is an IP, not when it is an interface.

jaclaz

Vlan 1 and Fritzbox ?

The origin of the twelve rules:
viewtopic.php?t=208061

The twelve rules of the Mikrotik Club:
viewtopic.php?t=215004

jaclaz

Great minds think alike.

jaclaz

Is there an obviousness scale?
Maybe:
1) 12:34:56:78:90:AB
2) aa:bb:cc:dd:ee:ff
3) FF:FF:FF:FF:FF:FF
4) ...

jaclaz

That route seems like D (i.e. Dynamic) besides A (Active), other flags, if any, are not visibile in the screenshot you posted, likely It Is also C (Connect). Dynamic routes cannot be deleted. If It Is C, It Is generated automatically when you add an address in the 192.168.89.0/24 subnet to the bridg...

jaclaz

You are short of a reboot: /system routerboard settings # Firmware upgraded successfully, please reboot for changes to take effect! but that should only be relative to firmware. I don't understand what you mean by alias, you have: /ip address add address=192.168.88.1/24 comment=defconf interface=bri...

jaclaz

I see

.
Undoubtedly v7.x with interface list is easier and much more intuitive, thanks.

jaclaz

@rextended
While you are at it, and of course only if you feel like it, could you also post a v7.x approach?

I have seen here and there references to vrf's in 7.x having the possibility to use interface lists, but have not seen any practical example on how exactly to implement and manage them.

jaclaz

I have a configuration as shown below. Not really-really. You have a configuration of which you posted a tiny snippet believing that it is the only relevant part that could cause the issue. That may (or may not) be enough, as there may be many other places where a wrong setting may cause the issue....

jaclaz

Well, if the frequency this is happening is months, and if the USB power reset works, it would be easier (even if not "proper" or "elegant") to put on scheduler a script that resets it every day at (say) 5:00 ( rebooting daily the router could be "too much" and be not s...

jaclaz

Doesn't /system/watchdog do the same thing? From what I understand watchdog has less tweakable options, the number of failed pings that trigger the function is fixed as 6, while you can set ping-delay (i.e. the time interval in which the check is run) and the ping-timeout (i.e. the global time for ...

jaclaz

For next time, the code block sometimes is not rendered correctly because it is too "near" to a preceding one, in these cases, add a return or two after the previous block code. To keep thing as together as possible, the thread, containing some very relevant info and the post by Sob, that ...

jaclaz

Interestingly, 7.13 came out before 7.12.2 did, but 7.13 does not work.

So not only device naming

:
viewtopic.php?p=1140598#p1140598
also numbering of versions is the third worst in the universe.

jaclaz

Well, I can well take the blame, no problem, for omitting the need for double quotes if non-letter and non-number characters are used for variable names. BTW coming from the (good?) ol' times where variables could only be called A, B, C, D, etc., the RoS limitations (while completely absurd in these...

jaclaz

Do the cameras move? Does the NVR move? Does the Power box Pro move? If not, they are static. As such using static addresses on them Is appropriate. DHCP and more generally Dynamic ip address is appropriate for mobiles and laptops, not only wifi. Once upon a time when desktops (or workstations), ser...

jaclaz

Only for the record, I never said "all jumbled", I said "scattered" which (at least in my perverted mind) is slightly different, it was intended with the meaning of dispersed or spread.

jaclaz

If you think an export of the config would help you I'm happy to do it. Yep, likely it is the only way to check holistically everything. The way RoS settings are organized is extremely (to my eyes) scattered all over the config, and it takes a lot of time to create mental models on how to parse the...

jaclaz

Seriously, which parameters lead to 19s620ms?
interval=10s packet-count=50 packet-interval=380ms

And timeout=1s, OK.

(interval is not used in the formula, it is just the reference).

jaclaz

Try rebooting. If you are still stuck at 3.27 it should mean that that particular device belongs to a series or batch that cannot be upgraded this way. You might then try asking support if there is another method/file/whatever to bring that particular machine to a "better" firmware, otherw...

jaclaz

@Amm0 I guess that writing that formula in the documentation was just too much work? :shock: Seriously, which parameters lead to 19s620ms? @Josepny Using in scripts variables with the same name of ROS parameters/values/commands/etc. is usually not a good idea. point #16 here: https://forum.mikrotik....

jaclaz

Here's all the relevant configs I can think of. Yep, but the issue may lie in the irrelevant (according to you) parts of the configurations, this is why generally the whole configurations should be posted. Only as a side-side note, it is good practice to keep chains in firewall rules separated, i.e...

jaclaz

Yep, but the idea is just something more like a mnemonic:
Minus times minus is plus The reason for this we need not discuss

jaclaz

The goal for me here, BTW, is to not wake up to a screen full of notifications about down hosts when the ISP does some 1 minute flapping in the middle of the night.

That is rather easy, suggested "down" script contents:

#DO NOTHING

jaclaz

It did not accept some of the set commands: syntax error. I entered these one at a time, did not paste the whole set. [admin@MikroTik] /system/routerboard/settings> set preboot-etherboot=disabled expected end of command (line 1 column 5) [admin@MikroTik] /system/routerboard/settings> set preboot-et...

jaclaz

Okay - two nights later, we found the problem (bug?) in the RouterOS WebGIU: /ip neighbor discovery-settings set discover-interface-list=all lldp-med-net-policy-vlan=1 lldp-med-net-policy-vlan must be " disabled ". But if you go to the WebGUI, it always set the value to "1", eve...

jaclaz

Yep :) , since what probably 99% of people need is one recursive route (or maybe two), one can simply bypass the extensive, but complex, explanation on how it works and why it works and just remember three steps with 10, 11 and 12 and implement them as an act of faith: I.e., easily condensed in a 12...

jaclaz

is it normal that the port led on the power box is red?? If you are using PoE out, the red should mean that PoE out is ON. https://help.mikrotik.com/docs/spaces/ROS/pages/19136769/PoE-Out PoE-Out notifications PoE-Out LEDs Models with dependant voltage output PoE-Out LED behavior can differ between...

jaclaz

Well, it's a typo, I wrote it quickly. It's clear to a fool that : instead of $. What's the difference? Why find fault with this? The principle and solution are shown. Yep, if it is a typo, now that it has been noticed, please correct it, this way there won't be any doubt. In this particular case u...

jaclaz

Not that I understand much of what you (and rextended and optio) posted

, but let's disambiguate this not-so-trifling detail, it is
EITHER:
if ([$len $0]!=0) do={ }
OR:
if ([:len $0]!=0) do={ }

tertium non datur https://en.wiktionary.org/wiki/tertium_non_datur

jaclaz

I have no idea whether there is problem in my configuration (entered over cli) or something else in hex..

We also have not any idea until you post your configuration, after, maybe.

jaclaz

How exact?
Should be 1 m, but I believe that different batches of devices come with slightly different power adapters so this may be not necessarily true for all of them.

jaclaz

Ok, so very likely the issue is connected to: factory-firmware: 3.27 (bad) vs: factory-firmware: 3.41 (good) Now the question is whether the bad router will take the factory frmware upgrade (after having been downgraded to 7.6, following the instructions by rextended): https://forum.mikrotik.com/vie...

jaclaz

Do I need to try updating the factory firmware using that .npk file that was posted? Can we start over from this point? yes, yes. Start from this post: https://forum.mikrotik.com/viewtopic.php?t=216303#p1140332 Post again that info as it is now. Then try updating the factory firmware and post again...

jaclaz

Well, if the device is connected to the internet and has no firewall properly set, it might soon become a problem if it is not already. You shouldn't even THINK of connecting a Mikrotik device to the internet without a firewall configured. But the default configuration of Mikrotik SoHo devices, such...

jaclaz

Yep, but which different ones? There must be a pattern of some kind. :? From your device: 8.8.4.4 is hop #7 and ttl 1 to 6 work BUT NOT 4 1.1.1.1 is hop #10 and ttl 1 to ? work BUT NOT ? 8.8.8.8 is hop #? and ttl 1 to ? work BUT NOT ? .... Maybe one could have a script to traceroute to the destinati...

jaclaz

If you want 802.1x (dot1x) then the most affordable MikroTik device is the old hEX RB750Gr3. It can act as a fully L2 (with Bridge VLAN Filtering) hardware offloaded 5-port wire speed switch and is better as a switch than the hEX refresh (which has only 4 hardware offloaded ports). Well, but for th...

jaclaz

Yep - just to give you some context - Sandisk is one of the few (only?) USB stick manufacturer that uses "own, proprietary" USB controller chips (which are actually very good), most (if not all) the other manufacturer use chips manufactured by third parties ( Phison, Alcor, SMI, USBest, et...

jaclaz

What reallly confuses me is that upon every reboot, the disk I created on the USB stick changes between "usb1" and "usb2" so I have to change the settings ... Why isn't the name persistent? That issue may be connected to the USB storage device you are using, as an example some S...

jaclaz

Take a look at the block diagram, to see that the eth1 uses it's own port. Yep, but it should have 1 Gb capability, not 1/14 of that (and in one direction, while in the other it is fine). The configuration Hiutale posted seems like a very "normal" default one, so where is the bottleneck (...

jaclaz

Yep, if you want to stay all Mikrotik (though SwOS) I also think that the rb260g is the cheapest suitable device with 1 Gbit ports. But there are cheaper alternatives of fast enough 5 port managed switches, Tp-link or Zyxel, the Zyxel GS1200-5 should be around 20-25 $/€, it is "limited" to...

jaclaz

What not using the old way with pre-made templates? A good half or possibly 3/4 of these kind of websites are anyway more or less a copycat of the other, and it is not like there is that much content in them, if you link to a booking portal like Airbnb, the houses/apartments/whatever are pretty much...

jaclaz

Gibbs' Rule #18?

jaclaz

I didnt get past the first para where your world has apparently ended, but ... Hopefully in the several months (roughly 8 ) since the OP started venting, the issue has been either solved or forgotten. :roll: I wouldn't count too much on the OP ever going to update the thread, post relevant info or ...

jaclaz

@ benibilme2 What real world speed do you get from the powerline adapters? Older generation devices with only 10/100 ports like - say - the hap lite used (or even new at 20-25 $ each) would maybe come out as fast enough. Maybe even a hap mini would do, I have seen them from time to time on e-bay for...

jaclaz

Try looking here:
https://fcc.report/FCC-ID/TV7SXTSQ2ND/
sometimes in the FCC documentation there are results of tests and diagrams.

jaclaz

Called (fantasy must not be one of the good Latvian guys point of strength) "The Dude", so that it can be more easily confused with the Mikrotik management software. The good thing is that at least on paper rectius screen it is - unlike many other AI bots - quite modest: Hi there! 👋 I'm a ...

Search found 2934 matches