MikroTik

mrmut

Thanks for re. We use 4 channes, as we have two additional ones (EU). I checked some papers on the issue, and there should be no significant overlap. The APs are spaced relatively far apart (at least 15 meters), and I have turned the power down significantly. - I have it set to 4-6 db on capsman TX ...

mrmut

/interface wireless registration-table print stats ... and extract the value with script and put it in the log /interface wireless registration-table print oid .... use OID to collect information with SNMP. (I use DUDE as SNMP collector and history recorder and graph presentation) Thanks. The corre...

mrmut

Sounds like your clients are somehow locked to an AP (through channel and/or MAC) once they've successfully established a connection with it. As the Mikrotik access lists generally work as expected, can you change the clients' config? What are your clients, anyhow? Clients are handheld devices with...

mrmut

I am trying to pinpoint signal level issues in a warehouse, as I am getting a lot of "disconnected, extensive data loss" messages. Is there way I could make log show the signal level before the client dropped? Or maybe a way to log client signal strengths constantly + time and pinpoint dro...

mrmut

I have a very annoying issue with clients not switching from AP to AP in a warehouse. We have 12 APs with hand-set frequencies (1,5,9 and 13) and the clients are constantly remaining logged onto the AP they catch up during night when they are recharged. They force that poor AP and don't want to swit...

mrmut

Thank you. I thought SSTP will be slower, but not that much. With several users online that will feel quite slow. Heh. I should probably implement L2TP/IPSec too. :-) The only thing about SSTP is that it works really well and everywhere. Haven't heard before about Soft-Ether. Will take alook into it...

mrmut

I am just implementing a VPN for some 20-30 users to work from home. I decided for SSTP as it is standard in Windows and very secure. L2TP/IPsec with PSK is also great, but can have some issues and is often blocked by mobile providers, etc. I am wondering is there a practical speed difference betwee...

mrmut

I also tested CAP AC. It has much more sensitive radio in it, which allows for better transfer speeds with weaker signal.

mrmut

I did some testing on all three devices. When I took them apart, it was obvious that cAP and cAP lite are virtually the same. However, cAP seemed faster when I worked on it, and it had *much* better antennas. On paper all looks similar, but when you try to test it the difference is dramatic. I got 5...

mrmut

I wanted to recheck if I turned off B/G modes on CAPsMAN 2.4 ghz network. First I tried enabling 2ghz-onlyn in profile, but I noticed g/n in the status on CAP, and I also noticed Current rate and Basic rates have OFDM turned on. Then I tried turning off G rates (B were turned off allready) and OFDM ...

mrmut

Testing with the built in tools should not be used a true measure of performance as it uses the cpu for both the test and connectivity. Only use iperf (or similar) between 2 capable PCs as a true measure of performance. Connect the 2 PCs directly and test first to see what they are capable of. Than...

mrmut

Hello,

hac anyone compiled BTEST for MAC OSX?

Thanx

Hi,

HERE is the original btest.exe packed as MAC APP with WineSkin , works fine to me... To use is only unpack the zip file and run...

BR

Mauricio

Would you happen to have the new version?

mrmut

Testing with the built in tools should not be used a true measure of performance as it uses the cpu for both the test and connectivity. Only use iperf (or similar) between 2 capable PCs as a true measure of performance. Connect the 2 PCs directly and test first to see what they are capable of. I am...

mrmut

You can use the iperf tool on two PCs attached to your router/switch and then do some calcs.... If you have 2 MikroTik devices then you could use other methods, like: https://wiki.mikrotik.com/wiki/Manual:Tools/Bandwidth_Test https://wiki.mikrotik.com/wiki/Manual:Tools/Traffic_Generator https://wik...

mrmut

Is there a way to measure and track performance from MikroTik AP to a Mac computer?

I need to do some surveying; it would be great if there is a tool on mac to utilize Speed Test that is native from mac?

Thanks!

mrmut

I ordered all three CAPs yesterday. Will open them up and test them later on to see how they perform in real life. Can't say I am overly happy about MikroTik not being very clear about differences... Here is comparison (didn't know I could do that) between the three: https://mikrotik.com/products/co...

mrmut

Working of an antenna has reciprocity. The antenna gain works in both directions: send and receive. But 0.5dBi is indeed small, not to say negligible (12%) Differences? 1Gbps ethernet versus 100 Mbps. Dimensions of the unit. If I compare the specs. Thanks. I am not concerned very much about antenna...

mrmut

Could someone please clarify the difference between cAP lite and cAP? It is RBcAPL-2nD and RBcAP L -2nD links: https://mikrotik.com/product/RBcAP2nD https://mikrotik.com/product/RBcAPL-2nD-307 If I understood correctly, the devices are essentially the same, it is only that cAP has better power manag...

mrmut

As aI really shouldn't break stuff remotely, I am testing this on my home router. Will post back if all worked.

Thanks for help!

mrmut

If you masquerade then basically you perform NAT and the packet that leaves the Bridge has the Address of the Bridge interface... So the SSTP client will be seeing the routers Bridge Address and not the Client's who is behind the Router... All depends on your whole config... Since it didnt work bef...

mrmut

You should add a route on the VPN client for the local subnet... I tried, but that didn't help (or I did it wrong). Then I tried adding a masq and everythign worked: /ip firewall nat add action=masquerade chain=srcnat comment="MASKA ZA VPN" out-interface=bridge Is this the right way to do...

mrmut

I have a Mikrotik device for local WiFi. As we have Coronacrap now, I tried to configure VPN. I made server and root certificates, configured SSTP, and forwarded the port 443 to the MikroTik. Users can connect, but I they don't see local network and can't connect to NAS over IP. I tried turning off ...

mrmut

I would appreciate if someone could clarify what exactly Tx and Rx relate to in CAPsMan registration table. I am not sure for what "side" is this relevant? Is Tx transmit to client from CAP, or reception from client to CAP? Analogous: is Rx receive from client to CAP or receive on the side...

mrmut

I did some practical measurements to see how will signal fall with Antenna Gain setting. I tested these for implementation in a CAPsMan network using RB2011 that I had on hand and WiFi Signal application 4.2.2. There was essentially no noise around and the AP vas close measuring computer. The idea w...

mrmut

I suppose the problem here is that the current copper cabling infrastructure is so old and causing lots and lots of problems. To make that worse, the copper cabling theft here is huge, Telkom or the electricity companies will replace a cable, and a week later, it will be stolen again This is probab...

mrmut

So they are choosing wireless pollution and high latency?

Latency on 5G and NV2 is trivial. As for pollution, it is what it is. We need speed.

mrmut

It could be the PPPoE.

Nop. I netinstalled the router, killed eveything off, literally no setting in, except few likes to enable basic functionality. The router was literally naked.

EDIT:

I just got 147 MBit on mu 5Ghz WiFi on the modem.

mrmut

I just tested the barebones router: Direct connectio to DSL model: 147 mbit Naked router in bridge mode: 147 mbit Naked router in routing mode with fastpath: 139 mbit Naked router in routing mode without fastpath: 132 mbit Maybe it is limited by performance. But in that case what about all those guy...

mrmut

The RB2011 is an old and slow router. It will have no problem with switching 1Gbit/s between interfaces, but when routing you will quickly hit limits when not everything is configured in a minimalist way. E.g. those shaping queues can have some effect even when they are not actually throttling traf...

mrmut

Have you tried with:

/interface bridge settings
set use-ip-firewall=no

Just tried it = 12MBit difference.

Did you try deactivating fasttrack, as illogical as it may sound?

Just tried it. Without Fasstrack CPU load is up to 65% and speed is about 22 MBit lower.

mrmut

Are you sure that you have 1000Mbit link on ETH1 (and on the port you connect your speedtest-running PC on) ? Your configuration sets port 1-5 (the gigabit ports) to SPEED=100M . The other ports (ETH6-10) is 100Mbit only on the RB2011. 100% sure about link, also for PC. 100mbit is weird a bit, but ...

mrmut

Are you sure that you have 1000Mbit link on ETH1 (and on the port you connect your speedtest-running PC on) ? Your configuration sets port 1-5 (the gigabit ports) to SPEED=100M . The other ports (ETH6-10) is 100Mbit only on the RB2011. 100% sure about link, also for PC. 100mbit is weird a bit, but ...

mrmut

When you test what is the status of the CPU? I see you have a few mangle rules. Did you create those and can you disable those for a test? I just have disable Mangle. The measurements are consistently 10-15MBit slower than direct link. Ping is about the same. CPU peaks at about 30-40%, but is usual...

mrmut

Did you update the firmware too?

Yes. Both current and upgrade firmware.

mrmut

@Vortex Here: ip settings print ip-forward: yes send-redirects: yes accept-source-route: no accept-redirects: no secure-redirects: yes rp-filter: no tcp-syncookies: no max-neighbor-entries: 8192 arp-timeout: 30s icmp-rate-limit: 10 icmp-rate-mask: 0x1818 route-cache: yes allow-fast-path: yes ipv4-fa...

mrmut

This network is mostly trivial. I use it for home office, and there are only a few hosts connected. After tweaking the rotuer a bit, I got the speeds up to 130 MBit, but there is still about 10 MBit of loss, which is completely unacceptable. As for firewall rules there are only a few general ones. H...

mrmut

The gigabit switch has a gigabit connection to the CPU, it is normal to have to avoid software. The fast switch might be similar. Don't bridge between switches or the WAN. This means some hosts may need to be connected to the same half. I read the article, but I am not sure if it applies, mainly be...

mrmut

I Will try, but I still don't get this. - If a CPU is powerful enough, and it is and I have tested that practically both by throttling and by using NAS with full 1GBit speeds, there should be no need for hardware switching.

mrmut

Use hardware bridge.

How and where??

Thanks!

mrmut

I have a RB2011UiAS-2HnD-IN in my home. There is a N WiFi LAN, a Mac and NAS connected to it. Nothing much, yet the router looses 40 MBits ! :-( I just tested direct connection with the same cable to my DSL modem and the speed was 146 MBit. When I connect to the MikroTik the speed is 106. What can I...

mrmut

Thanks!

mrmut

You want them to put their CPE router in bridge mode. No idea whether your ISP supports that; not all do. Another possibility is replacing their router with your own and terminating the link directly yourself, but even fewer ISPs will let you do that (mine happens to). Telephony is on their router,...

mrmut

My assumption is they want to configure what they call these day "DMZ", i.e. forward all ports to the private IP of your router (In my view, term DMZ in this config is not the correct terminology) That is what it seems to me too. What should I tell them (not sure about terminology)? I jus...

mrmut

I have a router behind the ISP router that provides internet over DHCP to the router. I wanted to take up the public address so I wouldn't have to ask them for port forwarding, so I asked them to provide me with IP/network and gateway so I can enter that in IP/Address and Routes. They replied asking...

mrmut

I need to create a WiFi network with an distinct SSID, on which all request should return one website (ie.google) on which users can normally surf. Any other website or request should go back to one destination site. No issues on creating the network, but I don't know how to do redirection part. Not...

mrmut

0.5DB better gain is what, 15% better? That doesn't seem warranted for the price hike.

Did anyone actually compared the two, are there photographs of boards themselves somewhere? I worked extensively with cAP lite and those little things are powerful.

mrmut

What is the practical difference between cAP lite and cAP?

Specifically:

RBcAPL-2nD vs RBcAP2nD

https://mikrotik.com/product/RBcAPL-2nD-307

https://mikrotik.com/product/RBcAP2nD

I can see no practical difference between the two??

mrmut

I know one example then person go to his ISP to change SIM card... and 3G start working. Strange but this happens ones. maybe this is the last way of hope. Hm. This is a new one. Another telecom offered a trial on their own service 3G/LTE so we will probably try that, but before we have to test eve...

mrmut

Maybe there is some kind of incompatibility with some of the base stations. I have these issues for a while, but I opened a thread only after I tested this carefully.

mrmut

I just did. Thanks.

mrmut

OK I had to test this myself as I know I have both LTE and 3G coverage where the router is located and I cannot connect to 3G. Now I have not waited for a long time but in the logs I can see it connect then I get this error: 09:03:35 lte,debug I_WAN: network access technology: 3G HSDPS & HSUPA ...

mrmut

@Kindis https://forum.mikrotik.com/viewtopic.php?t=146857 Please post at this thread. Be sure your have firmware v13 /interface lte firmware-upgrade lte1 @mrmut Similar situation to SXT LTE 3-7 who have simply bad signal. Please check the modem firmware to be latest and try ROS v6.46 (from 6.44.6 i...

mrmut

Here is the config and test data! # dec/19/2019 09:26:31 by RouterOS 6.44.6 # software id = NLIW-GDHR # # model = RBwAPR-2nD /interface lte apn set [ find default=yes ] add-default-route=yes apn=internet default-route-distance=2 name=default use-peer-dns=yes /interface lte set [ find ] apn-profiles=...

mrmut

I have a wAP LTE with the same modem. My modem is running "MikroTik_CP_2.160.000_v013" as the modem firmware and ROS is 6.46.1 I have a option under LTE and Network Mode. There I can select GSM, 3G or LTE. Now I do not have a issues with LTE where this device is placed so I have never tes...

mrmut

I have some issues with LTE signal on premises, and was told to switch to 3G. WhenI do that 3G doesn't seem to work? The model is wAP R / RBwAPR-2nD. I am not sure if it has 3G or not. https://mikrotik.com/product/RBwAPR-2nD If it doesn't have 3G option, what modem would be the best option for an up...

mrmut

Is you setup using capsman forwarding or local ? What is your config on the capsman and the cap ? CAPSMAN: Ros version ? Forwarding is on capsman. Router OS is: 6.44.5 LT CAPSMAN: /caps-man channel add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled frequency=2412,2437,2462 n...

mrmut

I have a weird situation: when I enable CAP mode on WiFi card on 951Ui-2HnD, it connects and then the Capsman server (also a router) reports: https://i.ibb.co/R0WHHm4/Screenshot-2019-12-05-at-10-41-53.png I don't have a clue how that happens. I checked MAC addresses, and they are different on ether3...

mrmut

Thank you very much, the guide is excellent.

mrmut

Good thinking. Are there any screenshorts of WInbox to see?

mrmut

Did you do any updates to these scripts recently?

Any changes in a year or so, due to ROS changes?

Thanks

mrmut

What is the reasonable SSTP key size? Given that SSTP uses certificates for connections, I was wondering do I need to set the key to very large, or make it relatively simple, say: "laughingmonkey69"? Currently I have sausages like this: 3vnG1d!aoZ!o10Jw78i4G9XS9I4r8MWGfNZWEjz8yonkDI0U1NyNt...

mrmut

Cap lite has a 1.5 dbi antenna... if you set it to 16 dbi then you increased the Gain and as a result the Tx power was decreased... Exactly. The more signal there is, the more interference occurred, so I decided to kick the signal down to the bare minimum. It worked. But I am still getting some iss...

mrmut

I had to reduce signal gain significantly to make things work, tho. I ended up with gain set to 16db.

mrmut

I have no trouble creating additional SSID, but was considering the simplest solution for the actual guest. I ban guest SSID from accessing anything local, or each other. I was thinking something in the line of maybe enabling them to be connected only for a specified amount of time, or maybe kicking...

mrmut

I would appreciate some guidelines on the best approach how to enable guest WiFi. We have Capsman isntallation with some 5-6 APs and two wlan networks for internal use. I was thinking that GUESTS link would be nice, but don't really like open networks (which are the easiest to use for actual guests)...

mrmut

I think it is less than that. Also, it counts special chars as more than 1.

mrmut

I confirm issues with BW testing server; TCP test doesn't connect at all, and UDP connects, but doesn't show let anything through.

mrmut

No biggie. Altho I spent four full days on this issue, I doubt I would be able to fix this so fast. I presume I would be still testing there if weren't for that document, so I wanted to help someone else practically. I would appreciate if you can ping me back when you solve your issue. I am really i...

mrmut

I have had this several times. Usually fixed by restarting CAPsMan.

Don't know what causes it.

mrmut

As erlinden said, cut down the Rx power as much as yuou can. I think you can safely reduce it to 21-22. As for channels, the 1, 6 and 11 is definitely the only way to go. I had channels set to automatic in my installation, and the situation wasn't good at all. Just create three channel values one be...

mrmut

OK, so I have managed to solve my issue. This document is probably the most helpful practical document on specific issues that I have ever read. That said, this is what I have done to fix my issue; I have made rates profile and set basic rate to 12mbps, and supported rates from 12-54 I have created ...

mrmut

Thanks, this looks fantastic. I just played a bit with my local wifi, and throughput actually improved immediately by fiddling settings.

What issue did you have?

mrmut

Hope someone could shed some light and point me in the right direction! I have a working CAPsMan installation which controls about 15 units. WiFi generally works very well, but I came to the wall in a large storage area. I have a situation where devices seem to have very high signal levels, yer fall...

mrmut

Thanks. To set CAP details (which override all) I would have to set CAP manually? Mine are all dynamic, and locked out from setting them.

mrmut

Indeed, you will find useful to configure the specific settings as the work like "profiles" you can override under interface tab. I usually create all the settings separately (channels, datapaths, security, rates, and all together into configuration), then I set the interfaces. If I want ...

mrmut

I have a CAPsMan installation, and multiple settings confuse me. For example n CAPs Configuration I have Channel main tab where I can set channel, and then underneath Channel selector I have the common Frequency, Secondary Frequency, Control Channel Width, etc. Am I supposed to set the channel in ch...

mrmut

Hi all; I have a CAPsMAN server on RB3011 and all works great. As I have another RB3011 as interconnection router, I was wandering if I could employ it to be a backup CAPsMAN router? The issue I see is that CAPsMAN is configured on the main router where the bridges are defined over which wlan traffi...

mrmut

Thank you very much!
Altho this kind of programming practice seems logical, most log files written by programs are infinite.

mrmut

I'd say nothing from you list requires extra flash space, perhaps except graphing. But even graphing does not usually occupy too much of a disk space. So, if a particular router model satisfies you requirements otherwise, flash size should not really be an issue. Thanks, that's what I presumed. Do ...

mrmut

What kind of configuration would eat out memory?

mrmut

I was wondering if 16MB onboard flash is enough for normal router functioning?

I generally use the usual set, dns, dhcp, routing, etc + CAPsMan and usage graphing.

Thanks

mrmut

I apologize for not responding, the notify by mail is not automatically set, so I missed this one completely.
Please close/delete this post, I can not remember what it was about.
Again, sorry.

mrmut

Wow, what an in-depth knowledge. Thanks for taking the time to help. :-) Will also block talk between WiFi networks in firewall, thanks for a tip. It is actually logical what happens, but I will have to admit that I never thought about it. My primary concern was to protect LAN, however phones are no...

mrmut

Well... as this response silently admits that you were running the machine on a public IP for a while with remote access to management ports open, I would strongly recommend to do a complete export of the configuration (without hide-sensitive) into a file, download that file to your PC, and then ne...

mrmut

I read what I could for MikroTik, but as this is not my primary focus it is hard to grasp it all. Mikrotik or networking as a whole? Well I guess both? I read several books on MikroTik and networking, and did a lot of pondering thru the system. I probably (certainly) was not very clear I to je to z...

mrmut

Thank you very much for you help. I read what I could for MikroTik, but as this is not my primary focus it is hard to grasp it all. I probably (certainly) was not very clear; I have CAPsMAN that is routing WiFi to the internet on separate bridges (two of them), and I wanted to filter them out. If I ...

mrmut

I am using specific bridges for MikroTik CAPsMan WiFi and LAN, and the idea is to block traffic between the two. I tried /interface bridge filter add action=drop chain=forward in-bridge=WiFi out-bridge=LAN And nothing. I the rule doesn't see any traffic thru the bridge, while I can clearly see traff...

mrmut

Heh.. I am not sure I have anything with that one. It is not my router, just checked the public IP??
Might be ISP? But the rule does look like a problem with something blocking.

Any way I could probe this somehow?

mrmut

I am getting error when I try to connect to SMB server through VPN; my mac says server doesn't exist or is unavailable, and wyhen I try to ping IP in local lan I get: 36 bytes from 188.252.172.1: Communication prohibited by filter Vr HL TOS Len ID Flg off TTL Pro cks Src Dst 4 5 00 5400 bcff 0 0000 ...

mrmut

I am truly amazed by MikroTik. These two are fantastic devices! Thanks! OT; The other day I was thinking about MikroTik approach, and it was always interesting to me that their devices are white, in comparison to generally black for all other. The other thing is the ease with which one can learn to ...

mrmut

Thanks. Maybe it is a stupid Q, but is there a way to do the same on normal Mac ethernet port (in macOS)?

Other soltuion is to cary a small ROS device with me to check - are there any battery powered?

mrmut

It is easy to scan for anything on the same subnet, but is there any way to see if there is *any* lan device connected to the interface? I am generally thinking about small LAN environments, where I sometimes can have weird or rogue devices for which it would be nice to know they exist.

mrmut

Is there a way to make mikrotik report to me when I have another smartass DHCP on the LAN?? Yes, see the documentation (and the rightmost tab on the DHCP server panel) Alert section. I presume I need to add bridge MAC as a valid server? Than with script I do something? I found this: ###############...

mrmut

I literally thought I will go crazy. Apparently, the old DHCP got reactivated on restart even if it was disabled, so the two concurrently provided addresses. Luckily good part of the pointers were the same, but that still made me completely bamboozled because DNS and actual IP topology differed (I h...

mrmut

I have a situation where I am offered to log in into SwOS over ip/browser, but in actuality the RouterOS is active for management. Is normal? I have this happen on CSS-1G-4P-1S I have also seen logging in into SwOS, but when I click update, I suddenly see RouterOS web interface. Thi occurs on CRS328...

mrmut

I have a very weird situation, where I have several of routers having a same address. I don't know how that happened, and looking at the DHCP server, everything is OK. 3011 gives out addresses. How is it possible that I have MicroTik devices occur with same IP as others devices on the LAN? And how t...

mrmut

Thanks. Seems like a good value, tho I must say that the guy's mannerism on his site is unneededly brash.
It can be but I have chatted with him through email and he is very sincere and patient.

That is nice to hear. Will probably give it a try to test.

Thanks for help!

mrmut

Thanks. Seems like a good value, tho I must say that the guy's mannerism on his site is unneededly brash.

mrmut

Yes the axiom scripts ran just fine on my small hex and on my more powerful RB450gx4. You should also check out MOAB it does probably everything axiom does minus layer 7 rules but is far far more cost effective. Im glad to see you understand the logic. I too also understand there may be cultural no...

mrmut

I understand your logic. What I am trying to do is make the issue not possible to happen, and usually the simplest approaches are the best. (Also, I really don't want to have to report anyone.) Currently there is browsing content filtering in place, and that works nice. You wouldn't believe this, bu...

mrmut

If people are using p2p on your network (it is not forbidden), then put that person on the VLAN with only access to the internet. Also by putting them on vlan you can schedule them such that they are limited by number of sessions during the work period. Well, that is the thing - this is a company, ...

mrmut

some of mentioned ports are known to be used for hacking purposes by infected devices. For example: - port 22 (SSH) can be misused for reverse tunneling . - port 80 is very common for DDoS because nobody filters it. I recently saw an issue where home user had infected device, which was opening thou...

mrmut

Here is what I have as for now: 80 8080 443 22 53 5930 (teamviewer) 993 465 I also have some special ports for services, etc., would include that too. NTP is local, as are other sercvices. General idea is to allow general internet access to needed services, but prevent special local servers fro talk...

mrmut

Hope if someone could point me to a list of commonly used outgoing ports for internet access. I intend to block everything else.

What I mean is allow normal traffic, but block everything outside of it to reduce possible attack surface from inside.

Thanks!

mrmut

I hope someone could provide clarification on somethign I read here: https://mum.mikrotik.com/presentations/AU18/presentation_5299_1526854099.pdf It says; Maintain layer 3 address. Changing on layer 3 address (ex. renew dhcp-client ip address) will make disconnection time longer. ● Can use flat laye...

mrmut

OK, managed to solve this.

Created "capsman" directory using filezilla SFTP connecting with admin privileges, and passed the config to CAPs. All seem to have updated correctly!

mrmut

I would like to update CAPs with CAPsMan. I set suggest same version in manager settings, and understand I would need to set the src for file? As I can't create directory, can I add "/" as a source, and just upload "routeros-mipsbe-6.42.12.npk" to root? The router is arm, I suppo...

mrmut

The culprit is probably Firewall. I set the rules to protect the INPUT from non-LAN ip range, however that also blocks some services the devices need. The issue is probably with DNS requests.

So, the real question is how to configure INPUT firewall blocks for wireless CAPSMAN server?

mrmut

CAP: set [ find default-name=wlan1 ] ssid=MikroTik /interface list add name=LAN /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik /interface bridge port add bridge=bridge1 interface=ether1 /interface list member add interface=ether1 list=LAN /interface wirel...

mrmut

The problem is on 2.4 GHz, but not on all setups. I have one setup where WiFi links directly into the wired network, where DNS server is Windows Server. There everything works swell. However, on three other WiFi networks which are isolated (own bridges and ranges), it sometimes work, and sometimes d...

mrmut

Thanks!

mrmut

I have one switch with a device constantly generating Tx traffic. How can I see what device (IP) is connected to that port?

Thanks

mrmut

I have a very weird issue of choppy WiFi performance in some cases. I have 6 APs done with CapsMan, and when set everything works nicely. However, when I restart one of the CAPs, and when it reboots, the WiFi performance goes out of the window. It is plain terrible, I get internet connection in patc...

mrmut

UPDATE: I tested hAP ac with my Mac, and there is indeed a speed increase. In that router I get 14-15 MB/s normally, with some jumps to 19 MB/s. I get 120 Mbit/s, transfer speeds, which is in line with one additional chain (80 to 120). Is it worth it? I am not sure, but less waiting is always good. ...

mrmut

I am having issues setting identity of RB260GS. I wanted to set:
LOCATION - OFFICE - DEVICEn

However, I get cut out, and SwOS version is added after the name. Is this normal, or a bug? Or maybe a browser thing? Tried to the switch, but it didn't work.

mrmut

Apple notebooks usually have great WiFi capabilities. Mine has three chains, and hAP ac is also three chain device. As per mikrotik site on 2.4 Ghz 2011 gives 300 Mbits hAP ac give 450 Mbits I get some 80 Mbit/s now, so with another chain I would bump that to 120, which seems reasonable, and is also...

mrmut

Yes, it is 10-11 megabytes per sec :-) I was thinking that I could increase that for about 30-40 with hAP AC, as it has three chains vs 2 on RB2011. I am not sure if I should turn on 5GHz - did you measure that option reliably increase speed? From whatever I read, I will loose range with 5GHz. EDIT:...

mrmut

Thanks!

mrmut

Just to check; I use RB2011 in N mode 2.4 ghz for home networking, and get about 10-11 MBps on my N mac. Is that OK speed?
Is there Mtik router that can provide higher speed on N band?

mrmut

Thanks a lot, I appreciate it!

I have 3011 as a router, and a number of CRS 24p RB switches with RB active. (Cant recall exact model, maybe 326).

As currently is, I am inclined to remain at current config, exactly because it is simple.

Would you mind pointing me to some documentation on the issue?

mrmut

Thanks guys. If I understand well, generally, if I add more interconnections I get more bandwidth? I have two site single subnet LAN. The network is bottlenecked by 1gbps interconnection between two routers, and I have 3 switches on each location that are connected directly into the server. Looking ...

mrmut

I have one 3011 router and need to connect it to three switches. How to do it best?

Currently I have connected each switch to the router directly.

Thanks

mrmut

Interesting that filtering is done on HW support, and not on other factors. I expected more filtering on function than on actual hardware.

Also, you specify GN protocols - do I really need to have G enabled at all? That is ages old now.

Thanks.

mrmut

I have exactly this problem on 6.42.11 on live network. Did anyone got to the bottom of this?

mrmut

Just to check; I make two configurations with same settings, one for 2Ghz and one for 5GHz?
(Maybe it is a stupid Q, but should I apply those manually, or it will work automatically?)

mrmut

How can I have mixed WiFi protocols on on the same CapsMan profile?

I have several APs with 2 Ghz N standard, but would need to add one access point with 5Ghz for one connection. How to do that? I see I can select only one channel per configuration, and no way to select one for mixed AP network.

mrmut

Apparently, no. Whatever is defined within MikroTik own DHCP server, seems to integrate well with the ROS, NTP server and Capsman included.

mrmut

Do I have to configure NTP client manually, if I define the address over DHCP and have a local server?
I see that it is associated and added correctly in client, however I can not remove the addresses.

Thanks

mrmut

Well, I did, but it is rather big.

mrmut

Decided for NetSpot in the end. Worked well.

mrmut

That is perfect, thanks.

mrmut

When I configure Country in CAPsMAN CAPs configuration, does that also turn on regulatory domain on transmit power?

There is a a significant drop in signal quality when I do that on my 2011 (about 10 db signal drop), so would really want to avoid that if at all possible.

mrmut

Thanks. Do I have to cancel the command afterwards?

mrmut

I have some PoE APs, and I don't really know which one is which - is there a way to make a RB device blink all of its LED lights, so I can recognize it?

Thanks

mrmut

Thank you; I really haven't find the free version before, tho I did online. I haven't been sure about it, thus I asked.

mrmut

Is there some kind of trial? I don't have a clue what to expect from it? Any tips?

mrmut

I would need to measure and create WiFi coverage heat-map for an area with multiple APs. - What software would be best for doing that on a Mac or Windows notebook?
I prefer Mac, but can use wither PC laptop or VM for testing.

Thanks

mrmut

Will do!

Thanks a lot Pea, I really appreciate the help.

mrmut

OK, I got it, it works on auto

What about WiFi standard? To leave it on BGN? Or select just N only? I am not sure how WiFi behaves when connectivity start to deteriorate - does it persist in, say, N, or reduces standard?

mrmut

Maybe a stupid Q, but do I have to lock to a specific channel when I use WDS, or I can select auto?

mrmut

Thanks a lot Pea!

What about security? I presume I can use normal WiFi security (psk2, etc)?

I am just going to power up everything and first update and prepare everything before trying this.

mrmut

I have some printers in the hall that I need to connect over WiFi, so they would appear they are connected to the local wired lan.

I got RB2011UiAS-2HnD-IN and three cAP lite, but I don't know what to do now; I only have a general idea how to do this.

Any points appreciated!! Thanks!

mrmut

I think we would all love it. Quick setup is like a doom button in a ROS box.

Would have loved a WinBox solution also. Oh well.

mrmut

What would be the best naming pattern for network devices? I am having issues with my forrest of stuff. Homer, Marge and such are OK for a server or two, but not very useful for large LAN.

Thanks!

mrmut

I would agree with this. Quick set is practical, but can be quite dangerous. Maybe instigate autobackup on config change and/or double "Are you sure". Ok that is indeed nice and I did not know that! However it is not what I meant. On the QuickSet screen for a wireless device there is a tab...

mrmut

I had to google VRF to see what it is, so I guess the current implementation is just fine by me

mrmut

Thank you very much for the updated script! It looks great, and is exactly what I needed. It seems that the message on update was some kind of glitch. I updated all other routers, and everything was OK. It might be that I erroneously left the router on wrong channel. command /system package update c...

mrmut

So you should look at how to mass upgrade on commando, not auto upgrade. Read carefully all release notes. Wait some days after a new OS is released and see if some gets into trouble. The do the upgrade. Thanks. In the end, I set up all the routers with auto upgrade scripts on schedule, but disable...

mrmut

Thank you very much.

mrmut

Maybe they will release v13 out of joke.

Numbering doesn't matter, I am happy with them as it is.

mrmut

I am configuring some WiFi APs in CAP mode, and I wonder what happens when I configure bigger ROS devices in that mode? For example, RB2011UiAS-2HnD-IN that has excellent reception, but is also a great router - is CapsMan exclusive to WiFi functionality, or it takes entire router hostage? (Maybe it ...

mrmut

Thanks.
What happens when there is discrepancy between two sources, given they both work? It takes first as authoritative?

mrmut

I am setting up NTP Server/Client environment - how should I configure the local client ROS devices? ROS requires 2nd NTP server in client settings, so I was thinking to just enter 1st local client, and 2nd one external client. (Or should I simply just forget about this, and configure all to update ...

mrmut

Thanks!

mrmut

I am logging everything, but from I understand the logs are essentially truncated after a day/week/month, up to a year. That means that entire database might be measured in few hundred kilobytes (that is at least my estimate). The OS is not open source, so I can't check, thus I ask.

mrmut

Thank you very much for a nice write up, I was confused with documentation on this.

EDIT: This forum is a real saver. I spent hours reading stuff about this.

mrmut

I don't understand Switch chip functionality well, or more precisely - how to turn it on.

Is it, by any chance, turned on by default now? I am just configuring some CR326 switches in ROS mode, and would very much like to get maximum switching speed from them.

mrmut

I am setting up graphing on my ROS devices; what kind of disk usage I can count on? Can I just set everything up leave it be?

Thanks

mrmut

I think subset of packages above is ideal for what I need! Thanks!

mrmut

I am building a network of about 20 Mikrotik devices, so was thinking that setting up auto upgrade is prudent. However, I would like to skip regular versions, and have the system update only to long term versions of ROS. I found this upgrade script here: https://wiki.mikrotik.com/wiki/Manual:Upgradi...

mrmut

Thansk. I currently have:
adv-tools
dhcp
security
system

Do I understand well that security is needed? (Regarding tools, I like to have those.)

mrmut

I have 8 CRS326 for LAN I am building, and took them as they have ROS on them for easier management. Currently I am working on them to trim them down a bit, so I am turning off some packages. I have disabled the following as of now: hotspot ppp wireless What else can I turn off? The switch will serv...

mrmut

I need to install 8 CRS326-24G-2S+RM, and they come with RuterOS. That makes them quite nice for management, but I thought it would be practical to turn off services that are not needed. Can anyone provide a nice list of stuff I should turn off and/or block? Thanks!

mrmut

I think anav defined this well; I understand the options now. Thanks!

mrmut

I was able to access one mikrotik device over two such bridged and firewalled networks (wifi and local, main mikrotik router from wifi).

mrmut

I have 4 cAP lite APs, how far away should I put them in one line for the WiFi coverage in office (mainly empty) to be good?

Thanks!

mrmut

What is the best way to separate two networks on the same router? What I did before is make two separate bridges and use IP Firewall to block stuff, but works only for IP, not MAC stuff as it seems. Other option is to create separate subnet and block subnet to subnet only. But that is the same like ...

mrmut

Out of curiosity, how did you configure the fan? Is it automatic? Over the router?
What are the internal temperatures of the router itself?

mrmut

No issues, no drops nothing, the 2011 is a little workhorse

Thanks for answers, I appreciate it.

mrmut

Thanks. Did you notice any issues re reliability? Drops in WiFi performance or DNS issues, etc.?

mrmut

I have RB2011UiAS-2HnD-IN WiFi router for home network in a closed. It is not actively ventilated, but it does have grilles on bottom and on top. Now, the system seems to work fine, but from experience I know there might be some problems if temperatures are consistently high. The temperature on the ...

mrmut

OK, so I put some elbow grease in it, and reworked the rules. The ipsec/l2tp rules are from: https://github.com/Onoro/Mikrotik/ (However I don't use the bruteforce scripting, only ruleset. I had issues witht he scripts, they are too rigid, especially when normal connections start triggering the brut...

mrmut

I needed some time to digest all answers, thanks all I appreciate it. In essence, what 2frogs says in his first post seems OK. However, from other comments it seems that I do bulk of things wrong, regardless if they work or not. I will try to rework the rules, and post back to see if I finally got i...

mrmut

Thanks! Appreciated!

mrmut

I have a very weird situation in which 3389 port goes through the routers, even if not forwarded / enabled. I have had to make a specific firewall rule to block the port! Can you please take a look what I did wrong? add action=accept chain=input comment="defconf: accept established,related,untr...

mrmut

How would I proceed to block all traffic towards internet from a specific IP, bar several ports? From what I understand, I should select forward chain, src address (local PC IP address) and set the rule to block? I also have two TCP ports that I need to work, so I should set the allow rule to forwar...

mrmut

I have been asked to implement some kind of way to see what users visit what websites while at work. (The management is worried by Facebook, but don't want me to block it completely, only that it is used in moderation.) So I was wandering can I implement something like that on appropriate Mikrotik d...

mrmut

It's in the "wireless" menu

Dude...

thanks

mrmut

I am trying to set up CAPsMAN with two 2011UiAS devices, but I stumbled into a strange issue - I don't have all options in the menu. I have set up one of the routers as manager (found a guide), but I can't find CAP button on either router (both the manager and the managed one). Here: Screen Shot 201...

mrmut

I'm not sure about the user password; as for the shared secret, a 128-byte random string (i.e. 256 hexadecimal characters) is the best one you can have.

Tested it, and it works. 128 bit key, Aa#.

Also tested user password; 128 bit key Aa# works.

mrmut

I set up a L2TP/IPsec VPN for remote users.

What is the max length / preferred length for IPsec secret?

(Also, what is the user password length I should aim for?)

Thanks

mrmut

I figured it out. I made a mistake that I put the local address in PPP profile to wrong subnet. I fixed it by putting both local and remote to VPN IP pool.

mrmut

I know this is a Q asked many times, but I am stupefied, thus asking for help. I have enabled a VPN server, with several protocols (PPTP, OpenVPN and L2TP/IPsec) all working OK (more or less, OpenVPN is a handful). When I connect with PPTP or L2TP I am given out an address from a pool. I've defined ...

mrmut

PPTP is very unsecure, use other more secure tunnels, for example sstp, ipsec.

I enabled OpenVPN and L2TP/IPsec. Second one seems more practical for use, as it is simpler to set up and both Mac and Windows have client built in. OpenVPN seems like a hassle to use.

Am I OK using L2TP/IPsec?

mrmut

I am about to implement PPTP for a few users, so have a few Q; 1. the users will connect to their network, so they could work from home. Is there any reason I would need to look away from PPTP? 2. how would I firewall brute force login tries? I know there is a way to count tries, but it is easier if...

mrmut

Thanks!

mrmut

ip firewall filter add chain=forward src-address=XXX.XXX.XXX.XXX/X dst-address=YYY.YYY.YYY.YYY/Y action=drop ip firewall filter add chain=forward src-address=YYY.YYY.YYY.YYY/Y dst-address=XXX.XXX.XXX.XXX/X action=drop XXX.XXX.XXX.XXX/X - Bridge1 Subnet example 192.168.1.0/24 YYY.YYY.YYY.YYY/Y - Bri...

mrmut

Thank you guys.

mrmut

I have a network with several WiFi access points. They are in bridge mode, which is fine currently, but I am thinking of making WiFi users completely isolated from rest of the network. What is the best way to do it? My idea is to set some kind of Firewall rule that will allow communication only betw...

mrmut

Hello all, I am puzzled currently; the configuration is as follows: eth1 - wan eth2-6 bridge1 eth9-10 bridge2 Each bridge has different IP and there are two DHCP servers working on each bridge. Everyone gets to internet, and DHCP works, etc. I have default Firewall rules. What gets me is that device...

mrmut

Thank you!

mrmut

I need to put an old 2003 Terminal Server behind a Mikrotik router. The idea is to enable VPN in, thus securing the old server.

What I would like to do is to enable clients to use RDP protocol over VPN, so they don't leach on my rather weak 20MBPS link.

Any ideas what should I do? Thanks!

mrmut

I have a wired lan in a building, and I need to put several MikroTik APs there. Currently I have put all of the APs in the bridged mode, so they just serve as an WiFi Ap with direct tap in to the local network. I was wandering there a better, more secure, robust? way to configure the APs? Currently ...

mrmut

I have the following setup: aDSL modem that connects to the internet and has a Fwall. aDSL modem is configured to let 3389 from outside to inside. MikroTik is configured to have [eth1-public (92.168.20.20) / bridge / eth-private (192.168.10.1)]. The server is 192.168.10.2 I can connect to the intern...

mrmut

Hello everyone,

can someone please instruct me how to reset configuration settings on MikroTik router to factory default settings, and is there a way to print out complete configuration settings on one screen? - This would be very practical for me, as I sometimes get lost around.

Thanks!

mrmut

Thanks a lot guys, I've maged my MikroTik.

I do like it features, tho it is very hard to dive in at first, + I still don't know much about it, but it works.

I would say that learning MikroTik has a lot to do with learning how TCP/IP standards work.

mrmut

I usually don't say that, but a compliment "You are the bast!" came to my mind. Thank you for your effort Hilton.

I am finally digging in some solutions after considerable amount of wandering through the wastes.

Will post success/failure/questions.

mrmut

Thanks a lot,
I still haven't figured it out, will get back to this thread with more specific questions.

mrmut

Hi people, a friend suggested Mikrotik 493 for a small network I am building, and I've got it, tho configuration seems a bit complicated. Could you please point me what to do? Here is what I would like to do: 1. ETHER1 -> PPPoE dialing connection to the internet over DSL modem and DynDNS static host...

Search found 199 matches