MikroTik

carl0s

The only purpose for the 5ghz is A) Marketing wank to sell more units B) Management traffic backup B can be ever so slightly useful if the 60ghz link goes down and you need to mac-telnet in etc. But don't for a second believe its actually useful for actual traffic failure, its total rubbish and not...

carl0s

In the examples they give, they are configuring the VLAN on the CAPsMAN datapath - but on the cap they are configuring the datapath without. Doesn't make sense to me. https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-WiFiCAPsMAN I believe this functionality came later, to pass along the VLAN id ...

carl0s

Yes there is no tunneled mode anymore in v2. For adding slaves to bridge at CAP, I think you need to create a datapath on each CAP, pointing to whichever bridge, and then under WiFi -> CAP, set 'slaves datapath' to that datapath. Then the slaves will be added to that bridge. I think so anyway.. I am...

carl0s

You don't have to use VLANs for a guest network. Here is an example configuration that I put together today on a hAP ax2. This box is added to an existing network with Draytek router, and acts as WiFi access point for private network, a switch for till in coffee shop, and guest-wifi that is firewall...

carl0s

I am trying to create an export of a working hap AX capsman/wifi2 setup.

even with 'verbose', the /export does not include:
configuration.manager
for the wifi interfaces.

Any idea why?

version 7.14.1

carl0s

It's a big one. Thank you. I've been waiting for 7.14 to release. I think I am ready to spend some time on wifi-qcom and wifi-qcomac now with capsman

carl0s

I have approx 34 Yealink SIP-T31P phones here, connecting to a hosted VoIP provider in the UK. The provider is running the SIP over TCP. I am more familiar with SIP over UDP but nonetheless this is what they use. Router in office is a CCR2004-16G-2S+ and it is being 'router on a stick' for the LAN/V...

carl0s

Is there any chance that the Cube 60Pro AC might get to use WiFi-qcom just for the wifi side of it, and leaving whatever is needed to keep the 60G working?
Since it is ARM.
and might be nice to have wave2 performance on the backup ac-wifi.

carl0s

Sorry if dumb question. I have multiple CAP AC devices. Before this would run with capsman, multiple SSIDs with each SSID on their own vlan. Practically different datapaths, security, etc configured in capsman. So far i've just managed cap AX devices individually, and kept cap AC devices under caps...

carl0s

I'm not too sure about this though. With another vendor's gear, I found that some clients do not want to roam from ax to ac device (a client side issue of course). So i'm not sure mixing is a good idea. I'll try it soon anyway, maybe when Mikrotik release a wAP or a cAP that isn't the size of a fri...

carl0s

Though, this release is great. WifiWave2 (renamed to WiFi) was brought to 802.11ac devices (ARM only). It allows people to upgrade/expand old network and keep everything under one (new) CAPsMAN. True and I agree, very excited to upgrade the many cap AC and AC XL that I have installed for customers ...

carl0s

I have a pair of these that I am intending to put up. I have two buildings just about 10 meters apart - opposites sides of the road, yet they are linked through leased-lines and VPN through the internet :shock: Anyway, I did do my usual Mikrotik research (search forums..) and I think the Clients Fla...

carl0s

What I don't really understand is why I have to add the lan-bridge itself into the list of vlan tagged interfaces. I would have thought I would just need the ethernet interfaces, and then the virtual vlan interfaces that the DHCP server and IP address is bound to. but that doesn't work. This works: ...

carl0s

Hmm, I got it working. Seems that on the CAP, you have to make sure you create the datapath and add it to bridge, but without specifying VLAN. Create another datapath for slave config for other vlan/guest wifi, add to the same bridge, again no need to specify actual VLAN ID Turn off vlan filtering o...

carl0s

I can't make this work :-( Am I supposed to do the VLAN ID in the datapath on the cap itself? And set up Bridge VLANs on the cap itself and add the wifi interfaces into the bridge on the cap itself? Shouldn't capsman take care of the full Cap configuration? What about on the Capsman though. Do I add...

carl0s

7.11.2 on hap ax2 capsman and cap ax cap. I've spent 2 hours on this. caps were connected to capsman, but interfaces disabled and no activity when Provision button was pressed. I did the usual 'radio mac = 00:00:00:00:00:00' which is how you specified 'all' in capsman previously. I also tried leavin...

carl0s

It's so bloody small.
I took a photo and zoomed in with my phone to read it.

Could you consider making the font bigger in future?

carl0s

Pretty cool. I do still buy Hex (RB 750gr3) though. They're good spec, dual core, SD slot, IPsec acceleration, so feels like they should not be left behind. I'm not sure there is a direct replacement for that model? Maybe hap ax2 is close but they have different uses Maybe something like hAP ac2, i...

carl0s

Pretty cool.

I do still buy Hex (RB 750gr3) though. They're good spec, dual core, SD slot, IPsec acceleration, so feels like they should not be left behind. I'm not sure there is a direct replacement for that model? Maybe hap ax2 is close but they have different uses

carl0s

For follow up, the 3x AX2s that I have bought and installed at different companies, are all on 7.8 now. The problem stopped as soon as it was downgraded to 7.8. I see in the 7.11 beta thread that the issue still isn't fixed, so I won't be buying any more for now, and will just check back every few m...

carl0s

I have a pair of Cube 60 Pros that I will use to connect two buildings that face each other across a road. At a guess, it's probably about a 50 - 60 meter link. One of the buildings is metal-clad. Do you think it would be sensible to put them at offset angles? It is an industrial estate so I can eit...

carl0s

Thanks for the help Normis ! All 3 units upgraded and I can confirm that they working properly with 7.10b5. Update, I stand corrected. Same thing is happening with 7.10beta (maybe in lesser extent). What helped (and is helping) is daily reboot. yeah, same.. https://forum.mikrotik.com/viewtopic.php?...

carl0s

I bought 3, I can't remember where the third one was installed, but they all have an automatic firmware updater script running, so that one will be on 7.9.2 as well and probably having the same problems. I have cap lites sat around everywhere, don't tend to use them much, but it was all I had on ha...

carl0s

Oh, I am very well aware but that specific problem about password not being accepted anymore, was effectively fixed in 7.10 chain. And yes, not yet stable version. So either one goes back to 7.8 (with other problems) or sit things out on 7.9 (and accept the problems) or move to 7.10 (yes, rc3, I kn...

carl0s

Well, how about this. I installed another hap ax2 the other week. it upgraded to 7.9.2. I was just trying to get a Cap lite running 6.47.10 to connect to it, and I had exactly the same problem! I think that should be pretty easy for you Mikrotik guys to test out. and at the same time, my laptop (win...

carl0s

That's not very reassuring.

I had hoped it was an acknowledged problem.

carl0s

There are dozens of examples throughout the forum, even on other occasions, where posting the configuration made the difference. There are dozens of examples throughout the forum, even on other occasions, where the user who doesn't care to collaborate, especially after certain replies, is ignored. ...

carl0s

There is no interesting config to post. Just basic interfaces in bridge to act as an access point, as well as standard NAT routing. WiFi works, until an hour later, then get all the key-exchange timeouts like in the reddit screenshot. Sat there for an hour messing around turning off WPA3-PSK, PMKID,...

carl0s

This should be pulled as a release. What a friggin' joke. I have just been burned badly by this. Set up AX2, updated to latest 'stable', wifi seemed good. Left site to sort other bits remotely. This morning find no users can connect - exactly like in the reddit post. Eventually gave in and rebooted ...

carl0s

For last 4 months I am battling whit WiFi stability issues in our school...cap acs, hap ac2s, wap acs + other cool switching stuff. Firstly, I appreciate you taking the time to document this, since it's worthwhile getting more visibility on some of these issues. I too have been having a challenging...

carl0s

I see now, it's slimmer, flatter. Apologies. I'll get a few from Getic when they get stock.

carl0s

cAP XL and cAP AX have completely different enclosures, carl0s

Oh. I will keep quiet until I've bought one then

carl0s

Seems lazy, and a missed opportunity, using that same crappy housing. I felt uncomfortable installing cap ac XL all the time. I was always apologising and explaining the big ugly smoke alarm thing. Shouldn't have to do that. Had no problem with the original cap ac. Thankfully these were only under t...

carl0s

There is a reason why this was called the "cap ac XL"

So this must be the "cap ax XL"

Give me a nudge when the regular cap ax is released. Or the "cap ax mini" if it has to be.

I got my hands on some hap ax² finally today. Feels and looks nice. Compact and solid.

carl0s

I would have waited for wifiwave2 kit before putting in the Mikrotik stuff. I have been reluctantly putting in Mikrotik Wi-Fi in coffee shops and some offices over the last few years, but for the bigger job (multiple industrial units / factory / offices over an industrial estate), I have delayed and...

carl0s

I think I may have made a mistake... hex gr3 doesn't have POE out... should have been hex poe (not lite). Also, the PoE 'out' is never 802.3af/at, so that would not work anyway. The PoE out is always 'passive poe', which is sometimes all that they support on PoE-in as well (some devices support 're...

carl0s

I apologise for starting the fire. It is quite an ugly device though, compared to pretty much every competitor device.

carl0s

So are these safe to buy now?

(when stock available !)

carl0s

That you are one of those who believe that distance and sensitivity are only made by the power of the radio? Cant' be slimmer for cooling inside, and can't have smaller diameter because "the free space" are reflectors for antennas. I'm just asking if they are really needed, if the end res...

carl0s

Do we need 5.9dBi antenna since the tx power is reduced with them?

carl0s

https://i.mt.lv/cdn/rb_images/1161_hi_res.png These comments about the size are ridiculous. You want one dual ax device with 2x2 5.9dBi antenna gain to the same size of the mAP lite??? No we want it slimmer and ideally a smaller diameter. The option of a square housing again would be nice too, like...

carl0s

It just looks like a "DIY project box" rather than a professional product.

carl0s

It's a shame about the design - I am not sure my wife will allow that on the ceiling here, and that is where I would be testing my first one. The original CAP AC, with the optional square housing, is tidy (both with round and square housing) The "big ugly smoke alarm thing" as I call it to...

carl0s

Just to let you know, if anyone else has had a similar situation, I discovered the cause of the problem quite by accident, it's the "fasttrack-connection" firewall rule. After I disabled this rule, the 5GHz upload speed "skyrocketed". Even if I disable the "fasttrack-connec...

carl0s

Field termination? It's not too difficult to field-terminate MM with anaerobic adhesive and polishing. I haven't tried SM, but I understand it's harder, and best not done in the field. Which only really leaves fusion splicing or pre-terminated cables.

carl0s

CAPsMAN is being worked on. By the time we have cAP ax, we will also have CAPsMAN.

Excellent. Looking forward to this. Thanks :-)

carl0s

So, as well as the CRS354 being firmly on the avoid list, the CCR2004 is as well?

Is there any high end Mikrotik kit that is safe to buy? I would like a high end router with at least two SFP+ 10G ports (I had to go elsewhere for the switches

)

carl0s

Short answer Yes, you can. I have capsman setup with 5ghz out of the controller so I can use it for my own purposes :lol: But as indicated by erlinden, why use capsman ? For only 2 APs ? And yes, Audience allows usage of wifiwave2, so another reason not to use capsman. Because... He doesn't know ho...

carl0s

I know Normis only released a wifi6 version so that I would have to learn capsman! Why would you assume it is supported in Caps-Man? It has WAVE2 drivers and AX. What about that says Caps-Man to you? Plus the video claims that Nomis is using it as a router... In the YouTube comments, Mikrotik said ...

carl0s

Yes I use the RB750gr3 Hex as a router and capsman controller in a few places, for Mikrotik APs. I like it because it's quite fast. Also it has the SD slot for routeros images for capsman upgrade policy.

carl0s

I use cAP lite with normal PoE switch, no problem. I had 1 out of ~15 faulty/dead, and another had dodgy ethernet. Apart from that they worked OK.

carl0s

Is it certain that there is a problem indeed ? That is not fixed on recent ROS releases ?
Anyone made a support ticket ?

I read every post in this thread, and it looks like the only working solution is to use SwOS.

carl0s

This is terrible. Why is there no response from Mikrotik or acknowledgement to this problem and the switch is still for sale?
I am researching switch choices for a large network and thought I had better search the forums here before deciding.

carl0s

Yes there is.

You need to change your provisioning profile and remove 'dynamic'.
So change it from 'create dynamic enabled', to just 'create enabled'.
Then remove the interfaces and re-provision.

Now you can edit anything you want on the interfaces after they are created.

carl0s

Still not fixed. Setting Channel Width on WLAN3 to 20/40/80/160MHz XXXXXXXX and it selects Channel 5500/20-Ceeeeeee/ac/DP(23dBm) after waiting 10 minutes of listening for radar.

that is 160MHz isn't it? 8 x 20MHz channels

carl0s

I'm playing around with CapsMan in my lab. One question I have is how to differentiate between the different APs? Suppose I have an exsting setup with a CapsMan and 2x CapXLs. When I connect a third CapXL (in CapsMAN mode), how do I differentiate between the old and new APs other than already knowi...

carl0s

>Just a shame the WiFi drivers are outdated Hence the interest in RouterOS 7 because I assume the drivers/kernel have been updated? Yes, wifiwave2-driver support for more devices (existing hardware), and support for capsman, is what I am waiting for. Right now you can move to rOS v7, but you can't ...

carl0s

etc. But then again, that might be actually easier than CAPsMAN - don't you have to start assigning configurations by radio MAC? No. What you need to do, is make sure your provisioning conf is not set to Dynamic. Change it from create dynamic enabled, to just create enabled. Then you can tinker wit...

carl0s

I still love the fact that CAPsMAN can run on an any existing equipment - no extra controller hardware required. It can run on a router, or you can run it on one of your two or three APs.
If possible, please keep that functionality, hopefully with the new wifi drivers.

carl0s

Yes I also won't/can't look at wifiwave2 package until capsman supports it.

carl0s

Well anyway, the point was, the OP's question was about the rOS v7 alternate-wifi driver packaged named 'Wifiwave2'. Simples.

carl0s

Had to reduce the WiFi channel to 20MHz,

You should only be using 20MHz anyway, on 2.4GHz band.

Do not use 40MHz on 2.4GHz. There is already not enough space in normal circumstances - never mind in your apartment blocks. Don't try to use twice as much channel space as normal.

carl0s

I've had / installed about 20 cAP AC XLs. Yes they are out of stock now, but they were available..
Certainly not 'advertised before being available'.

carl0s

5160 is in the full channel list and is allowed (https://en.wikipedia.org/wiki/List_of_WLAN_channels) but it does not show up in the drop down list of ROS And cannot be used in ETSI regulatory domains. Maybe some other countries can use it. Klembord-2.jpg It's strange. IR 2030 lists Nominal Centre ...

carl0s

5160 is in the full channel list and is allowed (https://en.wikipedia.org/wiki/List_of_WLAN_channels) but it does not show up in the drop down list of ROS And cannot be used in ETSI regulatory domains. Maybe some other countries can use it. That's interesting, and it's possible that it was 5180 tha...

carl0s

>I did find that both of my APs were put on 5160 until I told capsman to reselect channel mind you.. probably easier to choose channels manually. The CAPsMAN interface is a little clunky isn't it around setting up multiple channels. The debate about "auto" is an interesting one. In the UB...

carl0s

Hi Rob. If you are happy with ~20mbps then maybe try using 20MHz wide (no extension channel) on 5GHz and only putting in the non dfs channels as options. 5160, 5180, 5200, 5220. Set up one channel configuration with all those listed in the same conf (you can add multiple rows in the conf). This setu...

carl0s

what made no sense though is that querying the Mikrotik showed the same spurious dns responses. The cache was not caching. Oh well.

carl0s

What an absolute idiot I am.

I restored a backup of a previous site's config to the draytek.
I forgot to update the broadband DSL username.

I had both routers logging in to the same ISP account (fighting over the same public internet IP).

carl0s

You know, I think the problem may just be Google's DNS throttling the requests.
using the Mikrotik as a cache to the ISP's DNS seems to be OK.

carl0s

Here is the config: /caps-man channel add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled name=2GHz-20mhz /caps-man channel add band=5ghz-onlyac extension-channel=Ce name=5GHz-40MHz /interface bridge add name=Private_wifi /interface bridge add name=Guest_wifi /interface bridge a...

carl0s

It is double-nat, of course.

capsman AP is doing NAT out of of lan_bridge, and the Draytek does NAT to the internet

carl0s

I have a cAP AC XL which is doing capsman (for itself and a cap lite), two separate datapaths and bridges (public and private wifi). It is doing NAT to its ether_bridge which comes from a Draytek router (VDSL / PPPoE). I am seeing slow dns responses with nslookup from a client (windows), and it is t...

carl0s

No capsman, therefore. To get CAPsMAN running you need: One Routboard device acting as CAPsMAN One or more Routboards acting as CAP Up till now it's a bit fuzzy wether you have both. And please read the replies of @sindy and me. AP can also be its own CAPsMAN. I set up CAP AC as AP with itself as C...

carl0s

As soon as I try to use btest with this server on ipv4 (23.162.144.120) the test starts, then just sits 'running' but with no numbers coming through, and then it looks like I am firewalled - I no longer receive ICMP ping replies. Have tried from two different routers at different locations / IP addr...

carl0s

If you do not install the wave2 package, capsman will work just like before.
Wave2 package is optional and only for a few devices.

Excellent thank you Normis.

carl0s

Can I upgrade cAP AC boxes to 7.1 and wifi and capsman and everything will still work? It's only wave2 package that doesn't work with <256Mb, and doesn't work with CAPsMAN ?

So I could still upgrade them to 7.1, and benefit from cake queueing on my speed-restricted guest-WiFi and stuff maybe?

carl0s

Anyone?

carl0s

Note that by not specifying a queue type, the queue was set as a pfifo queue of 10 packets. Could that cause what I was describing? I am just exploring reasons why throughput was intermittently very bad (~0.9mbps). I could be the queue, or it could have been radio interference. I have now changed th...

carl0s

I have a configuration where the router is doing guest WiFi and Office WiFi. It is CAPsMAN, but that doesn't matter. The guest wifi and office wifi are different subnets. I have a simple queue targetting the guest WiFI's subnet/24 with just a max-limit=12M/60M This appears to work fine for what I wa...

carl0s

I haven't been able to do the cAP AC vs cAP AC XL comparison yet because we had storms and power outage last weekend.
Maybe next weekend

carl0s

Exciting.
It's a shame wifiwave2 is not ready to be default on all devices yet though. I have wap AC and cAP AC and cAPAC XL everywhere, and I use cAPSMAN as well.

carl0s

Very sorry that it is still not be fixed. I bought a new mikrotik router and my family android phones don't work with it in the 5 GHz band. At the same time, there is no such problem with the Huawei LTE modem router.

Is country set correctly? Also, allow ~5 mins for radar scan sometimes.

carl0s

Somebody on YouTube made a comparison and found much weaker coverage with the XL I am not sure, if he tried to test both APs with the same channel at the same time. It's true, there are some doubts over his testing. I will do my own comparison this weekend and post the results. I also have a wareho...

carl0s

I still use Mikrotik because of capsman and because, for now, none of my customers expect to see >200mbps over Wi-Fi because none of them have >200mbps Internet connections. But they are coming - more FTTP and more leased lines. Wave2 needs to come soon. I have used Ubiquiti recently for the first t...

carl0s

I'm not sure about the XL. I just installed them in some coffee shops. 1 per shop in the till / counter area. Very close to this area (about 5 meters from the AP, other side of the till area), I saw a surprisingly weak signal on 5GHz (~-65 - -68dBm if I recall) The power output is reduced from 20dBm...

carl0s

To keep it simple... It's ROUTEROS. The wifi in long-term, current, and development routerOS uses wifi 5 ACv1 drivers. Wifi5 V2 is just PARTIALLY supported in the development branch. Only on some devices. Only on standalone. And multiple features are still not implemented... On Wifi5 V2... A 2016 p...

carl0s

There is no "button that somebody could press to gain access to the network". I simply want to click "WPS Accept" in Winbox when I configure the printer, simple as that. Also I do not want to debate the merits/lac of merits of WPS. This is a simple feature request for something t...

carl0s

Please implement "WPS Accept" on capsman. It's a royal pain in the arse connecting wifi printers at the moment. especially remotely when the only option is to remove a wifi interface from capsman, set up manually, do wps accept, then put back under capsman control. This is difficult when y...

carl0s

seems like it might work if sntp client is used instead of cloud-time ? Sounds like a bug?

carl0s

I have firewall rule with extra-> time/day. problem is the clock isn't set until after bootup (ip -> cloud -> update time) the firewall rule is not realising that the clock has changed. shouldn't it check maybe every minute to see what the time really is? I can disable and then enable the firewall r...

carl0s

LACP Partner: No - LACP is enabled on the switch, but either LACP is not enabled or the link has not been detected on the opposite device. On the linux host cat /proc/net/bonding/bond0 may shed some light on what's going on. Having distinct IP addresses on the members of the bond is not a usual set...

carl0s

I'm not actually sure the 802.3ad between Linux and the HPE 2810 switch is working.
The switch says 'LACP Partner: No' for the 4 ports that are connected to Linux.
Yet it is happily creating a dynamic configuration for the 4 ports linking both switches, and also the 4 ports that go to Windows.

carl0s

HPE 'dynamic trunk' is dynamic LACP / 802.3ad. There are limitations as detailed in the documentation, 'static LACP' or 'trunk' are the other options. NIC Teaming has several MAC address use methods and caveats as detailed in the Microsoft documentation. Inconsistent use of MAC addresses can lead t...

carl0s

Not without /export hide-sensitive and a sketch of the network connections. I will get some more info, but I think it is resolved now. Some things I noticed and changed There are two switches - [1] a Procurve V1910-48G and [2] a HP Procurve 2810-48G. They are linked with 4x1GbE 'dynamic trunk', wha...

carl0s

Even despite turning off that CAPs interface, 1hr22 into running the backup again, the network grinds to a halt and I see 100mbps on eth1-LAN for 192.168.1.34 -> 192.168.1.50. Arghh. Any ideas folks?

RouterOS 6.48.4

carl0s

This is very weird. There is a Panasonic smart TV in the boardroom, which, when connected to WiFi (the Boardroom CAP has been turned off for the last year during lockdown, until last week), seems to be doing some sort of broadcasting. I guess this has something to do with device discovery on Windows...

carl0s

OK, I can see that one of the CAPS interfaces is being blasted with all the data. The CAPS interfaces are part of a bridge with LAN1. hmm

carl0s

The bond was down because the interface names had changed after the quad-port NIC was moved to a different PCIe slot some time ago, meaning the network-scripts had incorrect interface names in them enp4s0f0 instead of enp2s0f0 Still don't understand why this pushes all the packets through the router...

carl0s

I think I see the problem.

bond0 is not 'running'

yet the machine is accessible via 192.168.1.50, and has been being used via that IP address for... months and months. oops.

What do you all think?

carl0s

Hi. Strange problem this morning. Remote working users complained everything is slow. Early this morning I had a new backup running. It is Veeam on the LAN which takes data from another server, and stores to a Linux SMB server. The backup was very long-running and slow, but I left it going anyway. T...

carl0s

upgraded my mAP2n, hAP lite, hEX 750gr3, capAC, and mANTBox 2 12s (RB911G) no problem. Nice to see some wifi attention :)

carl0s

No, do not want cloud managed. Happy with capsman and controller running within routers, even controlling itself sometimes.

Do want reliable and good performance though.

carl0s

If you want to power this device from 802.3af/at, you can use GPON-CON:
https://mikrotik.com/product/rbgpoe_con_hp

Thank you Elans. That will work nicely.

carl0s

How many pennies did that save off the manufacturing cost? Mikrotik only gives you what you need, but if you need 802.3af/at then get the mANTbox 52 15s which has the 12s and 15s combined into one thing with all the good features you want. No, the mANTBox 2 12s is 120 degree beam width.. The 52 15s...

carl0s

Just wanted to come here to say how lame it is that the mANTBOx 12s only supports passive PoE. For this sort of application, seems stupid. How many pennies did that save off the manufacturing cost?

carl0s

No mention of this fixing the SIP / IP Neighbor problem from 6.48 ? The issues can be frustrating, and 6.48 looks to have been abominable. I heard people refer to it as a bad release, but I only just read about each individual new problem. I have been fighing with SIP registration issues on a Gigase...

carl0s

of course, the slash is escaping the dot so that it doesn't mean what a dot usually means in a regular expression (any char, any number of preceeding chars, whatever it is).
Makes sense now.

carl0s

I bought a book specifically about regular expressions. I found it rather too difficult to absorb by about page 5!

carl0s

Better use these two for philipcarroll.local and *.(*.(*.(...))).philipcarroll.local:

^philipcarroll\.local$
\.philipcarroll\.local$

That's a good point. With Active Directory there are many hierarchies in the DNS.. I missed that with my *.phillipcarroll.local

carl0s

Your tld is .local, not .local$. Don't escape the last $ in the regex. In fact you should unescape the CLI syntax, e.g. \\. => \. when pasting directly in Winbox. Omitting the slashes will make it match with other characters as well. E.g. philipcarrollBlocalWhateveryoulike would match. Better use t...

carl0s

Your tld is .local, not .local$. Don't escape the last $ in the regex. In fact you should unescape the CLI syntax, e.g. \\. => \. when pasting directly in Winbox. Why does the Wiki say: It is also possible to forward specific DNS requests to a different server using FWD type. This will fordward all...

carl0s

I got it to work :) I have no idea what the regexp stuff is about in the Wiki, but that would not work for me. a simple *.domain.local was enough then another one for the domain itself. I needed to fix the routers outbound traffic over the IPSec link (pref-source on a routing table entry). There's n...

carl0s

Although, it could be the IPSec tunnel. The router itself has no routing table to it, and there's no src-address= for the DNS FWD record. hmm.

carl0s

it doesn't bloody work at all!

That is exactly like the wiki example!

carl0s

I just connect to the device via default wifi. Open winbox. Select system Reset-configuration Skip backup Caps-mode I will try that way when I return to fit the second AP in the next week. Usually the first thing I would do is upgrade the firmware. Maybe that's where I'm going wrong. I don't know w...

carl0s

It seems like I did need to count to 11 instead. I was getting very frustrated. It was midnight and I already said I was leaving to come home 1 hour earlier. But.. Both the '11 second' reset (yes, I know, it's just my bad timing of seconds), and the QuickSet 'caps' mode did not work. It looks like t...

carl0s

So frustrating

the 10 second reset doesn't put it into cap mode.

choosing CAP from the QuickSet doesn't either, although it does leave the wifi not active and still eth1 firewalled so you have to go and physically reset.

6.47.8

carl0s

How about hackRF with sweep mode and gr-fosphor ? It's a while since I did it, but even my old Thinkpad X1 Carbon with 5th-gen Intel-core could do the 'realtime spectrum analyzer' style stuff thanks to the basic OpenCL in the GPU of this old laptop. I had been hoping to put an LimeSDR or XTRX into a...

carl0s

OH.MY.GOD.

carl0s

In 2 weeks, the SIP and RDP honeypot has captured 1336 addresses. I think it would be nice to have some tool or script that runs through the list and consolidates anything that can be consolidated into a CIDR notation, to make the list smaller. Any ideas ? I have a similar SIP & RDP honeypot set...

carl0s

Other is you need to connect using start->settings->VPN->the VPN you want to connect and click on connect there

Yes I agree it is this. Common Windows 10 problem. Usually after connecting once this long-winded way, you can connect again via the network connections popup in the corner.

carl0s

Anybody see this before? I have a ~5200 entries in address lists (sip and rdp honeypots), and I don't check CPU usage very often, but I don't think these large lists have been a problem before. Also, I just disabled the firewall rule that utilised those address lists, and it made no difference. http...

carl0s

please allow 'failed authentication' -> 'add to address list' it could cover SSTP, PPTP, Winbox, Telnet, etc. We could choose what to do with the address lists, the expiry, whether to put them to a stage-2 address list or something. But please it's an important missing feature from all of the Mikrot...

carl0s

well no, they work just fine for many many years...
I'm up to my third now in the past few months :-/

All from the same batch though, maybe I got unlucky.
Or something burns it...

I guess... maybe. I'm using the supplied PSU with the wapAc though.

carl0s

well no, they work just fine for many many years...

I'm up to my third now in the past few months :-/

All from the same batch though, maybe I got unlucky.

carl0s

I have about 35 wapAc boxes at Coffee shops.

I seem to be getting frequent failures of the RBGPOE poe injectors now that they have been in service for a year or more.

Anybody else getting similar?

carl0s

anyone?

carl0s

Hi. Using Capsman. I've noticed this before, but just wanted to ask.. when the internet is being used, and the Tx for the WiFi (virtual i/f from capsman v2) is showing 10Mbps to a laptop, and the PPPoE Internet on eth1-gateway is Rx for the same connection @10Mbps, then why does the bridge, which co...

carl0s

I'm sorry, I just noticed in the release notes for 6.44.1 there is a fix!

carl0s

Hi. I have set up email with a FROM: inside winbox. I have tried both an email address, and <an email address>, and have enabled debugging. I have set it to alert me of Account actions, so that I get a notification if somebody logs in. This seems like a good idea! but always, routeros is sending MAI...

carl0s

Does this have anything to do with the weird DNS problem I had on a wapAC during this period? It would not resolve a .net domain name, but would resolve a .co.uk that is on the same public DNS servers (ns.123-reg.co.uk) I had to put a static entry into the DNS on the routerboard, because the hostnam...

carl0s

Like I said, did anyone reported these problems to support? Only now, with this thread to you. Hopefully you can put it on the agenda 😊 Write to support, specify what configuration you had on the router when you created backup (preferably generate supout file) then restore backup and generate anoth...

carl0s

Regardless of whatever the official stance is from Mikrotik, some sort of useful backup/restore which doesn't require a plain-text config export, and/or have vital pieces missing, would be a very useful feature to help in disaster recovery. Instead, it seems like the best option is to keep a pre-con...

carl0s

No? Still No, Mikrotik??

FFS it would be able 3 lines of code for your developers

carl0s

Like I said, did anyone reported these problems to support?

Only now, with this thread to you. Hopefully you can put it on the agenda

carl0s

Another important check is:

check if you have static entrien on IP/DNS/Static

i found DNS A Record and CNAME to fake mikrotik download site

maybe for download an altered version of routeros

That's a really interesting one. I hadn't thought to check that!

carl0s

Just check in System -> Schedule. There will be a schedule to run a script every minute that continues to allow the hackers in. Remove the script from System -> scripts too. SOCKS proxy has probably been enabled. turn that off. check there are no new users added under System -> users change the pass...

carl0s

Define "same type of device"? Backup was never intended to work between different HW models. You can restore backup reliably only on exactly the same HW model. I've used the word 'identical' a few times here. I even ensured the routerOS was the same version too. Identical model hardware -...

carl0s

But when old HW is broken, fired or drowned in water problem is more complicated. Exactly. I starting taking backups of my customer's Mikrotik boxes some time ago. I was also hit with the RB450G capacitor failures ~5 or 7 years ago.. but.. these backups are basically useless aren't they. If the res...

carl0s

Define "same type of device"? Backup was never intended to work between different HW models. You can restore backup reliably only on exactly the same HW model. wAPac to wAPac. They look the same to me but who knows what goes on inside! I guess the backup has the interface configs tied to ...

carl0s

this is turning into a really bad day for me now :( I restore the config - from same type of device running same firmware. It has hotspot enabled. when the new device boots, wlan is down, and ethernet I guess is blocking everything. I know it has an IP from my other router, but I can't get into it. ...

carl0s

I have lots of hotspots to set up on wAPac Why does backup/restore never work :( They are both on the same version, I have even put an 'accept all' at the top of the configuration before doing the backup. I guess it's because interfaces don't match up, but that's really bad :( last time I had to do ...

carl0s

Actually this would put the mikrotik in the middleman role. It has to be considered as unsafe. I understand that some people do not care about it, but I rather build my own management network instead of rely on services that I cannot control and that can do whatever I do not know what above what th...

carl0s

Received the EdgeRouter ER-X today. It's a tidy little box :-) the O/S looks nice. Quite a lot less power than Mikrotik / Winbox. However, there's the added flexibility of a full Linux bash shell! I have resisted 'the other side' even though everywhere I see a point-to-point wan (wireless ISP in the...

carl0s

Yes, some low end chinese phones have such issues. I suggest for now to use better phones, since we can't solve this issue quickly. These phones are known to have issues. We have checked this issue, and there is incompatibility with these chips and the RouterOS driver. We can't easily solve it, it ...

carl0s

I have had this problem a lot too. It seems like the communication doesn't happen. Never used to happen, but happened to me frequently in the past year when setting them up. You can see "Managed by capsman", but you will see no channel selected or any configuration settings retrieved. I th...

carl0s

Really? Isn't it just a fancy sounding putting of cloud word everywhere? Nothing against, just asking what is it above a vpn? Yeah I don't get this either. SDR I get - software defined radio. And it makes sense too. Very powerful and useful. Sofware Defined WAN ? Well of course, it's always softwar...

carl0s

I have an ER-X. The GUI is definitely more "whiz bangy" and you use the web gui (or cli of course), not something like Winbox. MikroTik seems to do a lot more for your money software wise, but hey, if it doesn't support something that this one does, get it. It's a nice little machine. It'...

carl0s

The above is an Intel 8260 card in my Thinkpad x1. My phone (Lg G5) was Ok. I altered some driver settings on my laptop (enabled U-APSD support, and enabled Throughput Booster, which were both disabled before), and now everything is back to normal. The thing is though, i'm not sure if they have real...

carl0s

Any ideas what's going on here? When I did my surveying and testing yesterday everything was great. Now today, no matter what I do, selecting channels, bandwidths manually (including superchannel for testing), I can not get tx rate above 54mbps. So my maximum bandwidth from internet is ~24mbps :( tx...

carl0s

It does do hw crypto offload for ~400mbps IPsec, and DNS conditional forwarders. That's all I need. They do udo openvpn but it's slow (25mbps) and I've never actually used openvpn anyway so that's not of interest to me. I just need IPsec and conditional DNS forwarder for the remote active-directory ...

carl0s

It looks like this will do what I need (with a simple dnsmasq cli option). I think it'll do openvpn UDP if you want too. It looks like an rb750gr3 with a different operating system. That hardware has AES acceleration. Not sure if this non-mikrotik o/s supports it yet though. https://www.eurodk.com/e...

carl0s

You probably know this thread . With its 10th anniversary drawing near, it would be nice present from MikroTik, if they finally implemented it. Otherwise I'll probably start losing hope. And no, you can't make your own packages. There are some tools to unpack .npk files, but not to create them. The...

carl0s

Mikrotik: can I build my own package and install that on RouterOS? I need conditional DNS forwarders.

carl0s

You also need to exclude the IPSec subnets from the masquerade natting rule. there's a few articles about that. in my instance here, I have just set !192.168.88.0.24 in the destination address of my standard internet-masquerade src-nat rule. The preferred way though is to add an entry into the Firew...

carl0s

Thank you carl0s, I see, so I don't have to worry if I don't see a route to that network in the routing table. I have one more thing that I can try to fix the issue. At the moments my ping to the dst-net time out. If you are pinging from the Mikrotik itself, make sure you set src-address so that it...

carl0s

With the Mikrotik, IPSec does not create a virtual interface (many people requested it, but have to use IP in IP, L2TP, PPTP, etc instead), and you don't need to add any routes.

The packets head for the default route, but the IPSec policy matches the source/dst subnets, and does what it needs to do.

carl0s

I'm completely bemused why there's no support (after many requests) for this: You enter a domain name in the DNS configuration, and then enter the ip address(es) of DNS servers to forward the requests for that domain to. The Mikrotik can cache it. What's the problem? Surely this could be coded in an...

carl0s

I am experimenting with throttling the UK side, where we have 100mbps Internet and where the SMB server is located. I am trying to throttle it back to the ~5mbps that the far end can usually receive. i.e. packet pacing. What I am seeing is that Server 2016 is barely unusable, Server 2008 is OK but s...

carl0s

Hi. We have 220ms R.T.T. between Malaysia and England. Any tips for VPN passing SMB? We're using pure IPSec (no l2tp or other tunnel). It's working, but on SMB in particular, it seems to transfer, then stall, then pick up again, then stall. Never getting more than ~3mbps out of a 10mbps line (in Mal...

carl0s

actually, now it is all working..

but I don't think I have changed anything

carl0s

weird.. yes it works from the Mikrotik itself! [admin@MikroTik] > /tool traceroute 192.168.1.1 src-address=192.168 # ADDRESS LOSS SENT LAST AVG BE 1 100% 10 timeout 2 192.168.1.1 0% 9 255.4ms 244.4 215

carl0s

If you run traceroute from router itself, make sure you specify correct source-address. Otherwise in most cases trace is not matched by policy and sent via WAN interface with public src-address Thank you yes I was just going to say, the policy will only match LAN. It's strange that this has been wo...

carl0s

Thanks I will look further. The trace route is from the Mikrotik itself though. Does this make a difference?

carl0s

For additional clarification.. We have: Malaysia: [LAN] 192.168.88.0/24 Malaysia [WAN] 1.2.3.4/29, gateway 1.2.3.1 (provided by building manager) UK [LAN] 192.168.1.0/24 UK [WAN] x.x.x.x.x (our own subnet) if I try to ping 192.168.1.x from the Malaysia LAN, nothing works.. does not go through. Mikro...

carl0s

Hi. Strange one. i sent a Hexgr3 over to Malaysia and we have a nicely working IKEv2 IPSec vpn between there and here in the UK. Over the weekend, it looks like the Internet provider (actually the business centre) in Malaysia, has added a class-C 192.168.1.0/24 network onto the upstream router that ...

carl0s

I think I see the same problem...

I thought it was a bridge problem, but disabling that fasttrack rule makes it start working again.

I've been here ages.. arrgh.

carl0s

from 6.39 changelog: *) ipsec - enable aes-ni on i386 and x64 for cbc, ctr and gcm modes; So yes, CHR will have increased AES performance if v6.39 is installed, but this only works with IPSec, not SSTP. It would be super cool if you guys would work on rebuilding the SSTP stuff to use the hardware c...

carl0s

Hi. I know the Omnitik 5 (poe) AC has only a single radio - QCA9892 I read somewhere that this chip can do simultaneous 5GHz and 2.4GHz. Is this supported in the Omnitik 5 AC ? I am looking for a good AP for the middle of a building. This looks to have better antenna gain than the hAP AC, and same s...

carl0s

Yes I did wonder the same. The hardware does encryption and usually with VPN types you can specify the encryption type, so long as we find one that is common between SSTP and what the hardware offers.. Anyway, yes, the Future... lots of things take a long time around here don't they :-) It's just th...

carl0s

Hi. The new affordable routers with 'IPSec hardware encryption acceleration' (RB750Gr3).

.. can the hardware acceleration work for SSTP as well? or only IPSec?

carl0s

What does 'distance' actually change anyway?
ACK

Thanks.

carl0s

Oh look, the 5GHz has almost the same weird setting! it says 255Km!!

I think the firmware upgrade has done this ?

What does 'distance' actually change anyway?

Screenshot from 2016-11-24 22-52-48.png

carl0s

OK I found the problem, but I don't know how it happened.

'distance' was set to 250Km.

I changed it to indoors, and all is well.

Any idea how this would change? chrome auto-fill cockup while using webmin? a bug during upgrade to -rc ?

carl0s

Hi. I seem to be having terrible trouble with 20MHz 802.11 "only N" from my hAP AC. It's like there is extreme interference, but I am using a HackRF to look at the spectrum, and I don't think there is any interference, although I am quite new to it so some of the peaks I am seeing may inde...

carl0s

I have tried mAP2n-lite now as well. This is dual-chain or whatever (300mbps on 802.11n).
It also finally supports proper PoE.
It's also tiny.

I have some issues with compatibility but I think I need to experiement with channel setup. I'm using CAPsMANv2.

carl0s

The new hAP AC doesn't support 802.3af? Are you sure?

I know Mikrotik only usually works with passive PoE, but I have the new mAP2n-lite, and this does indeed support proper 802.3af PoE, so I was thinking this might finally be the norm for Mikrotik? About time if so.

carl0s

Thanks for the info.

2 chain means it will do 300mbps 802.11n ?

I may wait for HAP AC. I know the "lite" is available now, as an International version or something, but I can wait longer.

carl0s

I managed to get the Broadcom a/b/g to connect at 40MHz as well now, and it works good.

Here are the settings (in the attached image) - I had already changed the first one, but didn't see the second option until later.

broadcom 40MHz.png

carl0s

actually, my other laptop with Intel wifi, does connect at 40Mhz, 135mbps, and is a lot better.
but the Broadcom in my Dell XPS 13 2015 doesn't.

carl0s

I love CAPsMAN, but I wish it was clearer that the map2n is only single chain 2.4ghz, and won't give more than 44mbps throughput (65mbps link). I'm not mistaken am I? It doesn't work with "40mhz" (is this the same as 20mhz with an extension channel? which would require another chain.. or a...

carl0s

Hi.

USB Huawei E392 from EE/Orange in the UK.

RouterOS 6.1 on rb751 series.

Is detected as a USB device, but there is no USB serial ports showing up.

Any way to make this work? Have tried reboots, power down, etc.

Thanks,
Carl

carl0s

could you try to unplug the usb device, shutdown the routerboard and remove the power. Then plug the usb device back and only then plug the power back to the board. Then check again. WOW!!!! I downgrade ruter back to 5.23 and today I make upgrade to 5.24... In first it did not work as usual, but, t...

carl0s

I had the same problem on an RB2011 today. I put a 5 port switch in between, but this isn't ideal for various reasons.

carl0s

For an update: This has nothing to do with the Mikrotik. After returned to previous equipment / broadband, the problem remains. Its an ITSP or PBX problem.

carl0s

pref. source is still ignored on static routes!! This has been going on for years, and Mikrotik staff never respond. Workaround might be src-nat, but why?? It's not good enough. I have a pppoe interface which receives a dynamic WAN IP. My ISP gives me a subnet (/29) which is routed through this dyna...

carl0s

Have you turned off the SIP alg? (ip -> firewall -> service ports). You should.

carl0s

Hi. I'm not sure if this problem is caused by the BT connection, or what. It's a new BT DSL line (16mb down, 1.1mb up), and to use this line I decided to try an RB450G with a Draytek Vigor 120 PPPoE modem. I started with a single WAN IP, and performing NAT. I tried with and without SIP helper, and I...

carl0s

Same question! I need src_mac and dst_mac. Any ideas? I see these fields: Template (Id = 256, Count = 16) Template Id: 256 Field Count: 16 Field (1/16) Type: LAST_SWITCHED (21) Length: 4 Field (2/16) Type: FIRST_SWITCHED (22) Length: 4 Field (3/16) Type: PKTS (2) Length: 4 Field (4/16) Type: BYTES (...

carl0s

I agree. It's a pain.
I will need to find a half-bridge, or 1:1 NAT capable router in order to use a routerBOARD for a customer I have in mind.
+1 for xDSL interface modules, or integrated routers.

carl0s

Same problem on two green capacitors of RB450G bought about a year ago from Lin-ITX.

Search found 192 matches