MikroTik

vasilaos

yes, back up now. Lasted about 1 hour.

yes it was back up and its down again now

vasilaos

same problem here

vasilaos

I tried in 7.2rc3 and was not fixed yet but in 7.2rc4 it is working. Port is showing correctly after connected to usb on first try and ups is connected.

vasilaos

I bought a RB5009 and I have to address some problems with RouterOS 7 1. There is no routin-table parameter in the ping option (scripts for monitoring wan's depend on that in order to monitor same host's with different routing mark and in order to make a nice working script) 2. Packet marks in mangl...

vasilaos

I have redeployed the old device since ros 7 is still far from being stable. Ups package was not the only problem. It would have been perfect if was able to downgrade to ros 6 at this moment but for now RB5009 is waiting into the shelves.

vasilaos

It is wise to make a backup before the upgrade

vasilaos

I need ups package also. I got a new RB5009 today that can't be downgraded. I avoided getting RB4011 for this case because didn't have usb interface. After getting RB5009 i noticed that the new stable version of ros 7.1.1 didn't have ups package at all in extra packages.

vasilaos

If you configure something in the dns entry on the dhcp network settings then will force clients to get those dns servers No, clients will get what configured in dhcp network. Router can have any other dns server configured for it self queries and also the option allow incoming requests its not nec...

vasilaos

Yes in firewall a rule in input chain from WAN interfaces to drop everything on port 53 TCP/UDP is necessary if a general default rules are removed. If default rules are present no additional rules are necessary because those that are not accepted by an accept rule are droped by default. To force tr...

vasilaos

I am using multiple site-to-site and road warrior setup with x-auth on the same. Since some sites are over dynamic ip or behind nat i have configured a main branch site with real ip address in passive mode. Sites aren't connected only to the main branch but also with other sites when possible in a m...

vasilaos

Setting your dns servers in the dns settings will tell RouterOS to resolve anything that it needs to those servers. If no entry configured in dhcp network settings the dhcp client will get the router ip as dns server if allow incoming requests is enabled or will get the dns server adresses you confi...

vasilaos

I would suggest RB4011iGS+RM for long term solution. Compared to hex poe i think hex S is a better option but have to consider that will have 5MB of free space with clear configuration out of the box. Definitively space is an issue on these devices. You could load images and other large files or scr...

vasilaos

In the case of IKE2 tunnels no routes are generated and no nat rules are necessary. Instead traffic directed to the remote network follows the default route or 0.0.0.0/0 with the default gateway. Ipsec policy tells to ecrypt the data and send it over the tunnel. When you configure a static route to ...

vasilaos

I cant tell for sure about L2TP/IPsec but i have achieved 600-800Mbps over IPsec IKE2 tunnels with cheaper router capable of hardware encryption. Is your bandwidth up/down symmetric or you have slower upload? Check your cores utilization while doing bandwidth tests. Is one core going at 100% ?

vasilaos

You can't. Queue tree isn't meant to put each target ip separately as a child in a queue tree. You could rather put a queue tree child for an ip range with a limited pcq-rate and put clients on separate ranges manually or by radius authentication.

vasilaos

Have you done netinstall previously with another device or is the first time? I would suggest to retry netinstall with each step carefully https://wiki.mikrotik.com/wiki/Manual:Netinstall Deactivate any windows firewall and directly attach an ethernet cable from ethernet 1 to your pc instead of 30-3...

vasilaos

You should select station-bridge on the cpe and enable bridge mode on the ap if not enabled. If you want to use station mode you have to set an eoip tunnel from the cpe to the concentrator, leave wireless interface out of the bridge with client ip on wireless interface in order to establish the tunn...

vasilaos

Agree totally with @bpwl and also add the only method to bridge transparently is with wds that is compatible with different vebndors if the device supports it. Other methods usually fall into compatibility issues. These devices will use the same chip to recieve and transmit data to the client and wi...

vasilaos

The router should aquire real ip address in order to be reachable from the internet. Ip cloud net name will translate to public ip address

vasilaos

A workaround that you can do is to kick automatically active peers that have responder status by script to avoid manually until you find the root of the problem

vasilaos

Apart from the initial dhcp negotiation the router will not involve in the internal communication of the hosts that are directly connected with each other if you use local ip address. If you use domain name that is translated to some ip address public or local then there may be something related to ...

vasilaos

If you try to reach the rdp server by local ip and still experience latency it is not something related to the above configuration. Since the client and server pc are on the same broadcast domain /24 their ip are directly connected and the router is not involved in the communication. I notice that y...

vasilaos

If you rdp with the local address rather than the domain name do you experience latency?

vasilaos

yes since you don't specify an in-interface or dst-address or some other specifier it should kick from outside networks also

vasilaos

I am not very sure but i have noticed mikrotik will respond anyway if the other peer will try to reestablish the connection so the setting should be set on the remote peer to as Passive only maybe. Why do You have to delete the entry after connection is reestablished? You shouldn't loose connectivit...

vasilaos

L2 bridge is difficult to accomplish since it needs interoperability form the provider and must be the same provider. PPC is the best and obvious way to go and RB4011 is good choice. It doesn't matter in this case if interfaces are pppoe clients or ethernet interfaces. Usually you should group wan a...

vasilaos

There may be various reasons behind this. You can start to look wich services eat more resources. It can be masquerade or mangling or something other. Hopefully you can find clues in this video wich is one of my prefered ones https://youtu.be/3LmQYIQ5RoA?t=13m53s

vasilaos

You could exclude some destinations from the mangle rule with address lists

vasilaos

I don't remember exactly default configuration on cAP ac but ether1 may be filtered by the default rules in firewall because it may be considered as external interface. Usually that is the default configuration on devices with more than one ethernet port, try connecting with ethernet port 2 temporal...

vasilaos

There is a script approach of what you describe to want to accomplish: :do { :local dns1 "8.8.8.8"; :local dns2 "8.8.4.4"; :do { [:resolve dns.google server=$dns1]; :if ([/ip dns get server] != $dns1) do={ /ip dns set server=$dns1 } } on-error={ :if ([/ip dns get server] != $dns2...

vasilaos

Use crontab

vasilaos

Add an ip address to the bridge interface and use the DHCP setup instead. Probably you are missing some steps while adding the dhcp configuration manually

vasilaos

There are a some reasons why high load of cpu on pppoe server can happen. Use tool profile to see wich process is eating cpu resources first.

vasilaos

There are many things to take in consideration. The info supplied is not enaugh. Take a look at system resources of each device to see if there is high cpu usage for example.

vasilaos

This setup and wds might have various problems. One is the network self interference because aps must be in same channel for wds to operate. The other is wds itself having problems. Also sending and receiving from the same wireless interface will drop performace. The other is that bridging the netwo...

vasilaos

What I do is set up mangle rules to mark packets and do the routing decision. I use per connection classifier. A script monitors each isp by pinging 3 different hosts on the Internet and if 2 of them fails then disable respective mangle rules. Not real quality test but quite effective. Also traffic ...

vasilaos

The router R1 will distribute all routes learned from routers of the same area by default. That is what OSPF is about. The redistribute-other-ospf=no is if you want to distribute or not routes of other areas. So you have to specify ospf-out filter to discart those routes in R1 in order to not distri...

vasilaos

Sxt's maybe missconfigured. Post export configuration of both sxt's

vasilaos

Post result of /ip dns print

vasilaos

Attach Meraki MX to CRS and forward all to incoming traffic from public ip to meraki to save time with confoguration. Or even better get a real ip adress pool from the isp and distribute real ip to each device behind the CRS

vasilaos

Is your uplink used at 100% at peak hours or at majority part of the time? Is your device cpu high at peak hours? Whats the physical datalink of pppoe clients? How much users are getting served? What is the device that is running the pppoe server? To answer to your question first need to know if you...

vasilaos

I had this problem after i upgraded to some newer version. Netwatch scripts and all subscripts are run from system user and not from admin user. When you run the script manually you create the global variable from the admin user wich is loged in at the moment but the variable is not visible for the ...

vasilaos

I would connect all sites to a central location so there is no need to forward ports for all sites. Usually i do a vpn connection from a remote site to my office that has public ip temporarily or permanently.

vasilaos

https://wiki.mikrotik.com/wiki/Manual:C ... ng_Hotspot

You have (link-orig)

vasilaos

There is not an exact definition of leased line in mikrotik. Depend on how you plan to provide leased line. It can be with pppoe also. Most depends on the physical data link that is capable provide bidirectional or symmetric speeds. In case you want to provide static ip entry you need to make a simp...

vasilaos

You can create different ppp profiles with your desidered limitation. When user is loged in a dynamic simple queue is created with the rate set in ppp profiles you have to asociate the ppp secrets with the desidered profile. In case you use radius for authentication you can set limitation on the rad...

vasilaos

Ok 1k/1k is too low or equivalent of not having connection at all but that may not be your problem. In case of dsl pppoe connection is encapsulatedand you cant send full size packets without fragmentation. Some dynamic rules in firewall mangle should be created automatically based on the configurati...

vasilaos

Yes its possible to create 1 connection mark for all connection and then create different packet marks based on destination source address protocol port etc. In fact you can create new packet marks without having connectin marks at all but you have to be careful where using pasthrough and where not ...

vasilaos

Are you using certificate? If so i ncase of non local forward it will encrypt passing data also that will affect performance. With local forward it will encrypt only managment data. Try setting certificate to none and see if that makes a difference

vasilaos

Just an idea because i never tried. Try lowering keep-alive-timeout. If more sessions are created try rising.

vasilaos

Try login in with telnet or ssh or web and first take a look in system resources for high cpu usage. Then upgrade to a newer version of routeros and retry to login with winbox. Sound is not a feature that all routerboards have. Two beeps mean that system has booted. Along with the beeps simultaneous...

vasilaos

(I set the max-limit to 1k/1k on a queue that my PC was not in and lost all connectivity

What this mean

vasilaos

Reset configuration to default and use ethernet 1 for upstream. If u use ethernet 2 you risk to have 2 dhcp servers in same physical layer. One from the upstream connection and one from the MikroTik hAP lite and devices will get ip from a random one dhcp server. If your device has been compromised y...

vasilaos

First you have to set different pool for vpn and different local adress. Vpn adresses are virtual and can not be part of the local level 2 broadcast domain. pptp is considered unsecure. I can't see your /ip route configuration also. There maybe other wrongs in your config but that was what i noticed...

vasilaos

Without local forwarding a tunnel between the cap and capsman is created. Maybe there is limmited connectivity between the cap and capsman devices that is causing low speeds. Whats your network topology? Port speeds etc.

vasilaos

My radius dosent fail due to many users trying to login at same time. Thats not normal. Authentication should be done without a porblem for more than 1 user at same time and alredy autheticated users shouldnt be affected. Maybe you are kicking autheticated users too at same time. My script looks lik...

vasilaos

You can apply this rule to the hotspot bridge depending on how your network is designed. you may need to apply this rule to any hotspot point or to the core router where all interface are bridged depending on your design. this way the mac adress range will not have not any communication with the rou...

vasilaos

/system scheduler add name=TelnetON start-time=startup on-event="/ip neighbor discovery-settings set discover-interface-list=all \
    \n\r\
    \n/tool mac-server set allowed-interface-list=none"

vasilaos

Have you thought of using ping to monitor if the device is active or not? Also if the device is directly connected to an interface of mikrotik you can check with a script if the interface on witch the device is attached is running or not with the command: /interface ethernet get "interface_name...

vasilaos

Using wildcard entries for MAC addresses is not possible. Adding many entries with a script is possible but other problems may happen like blocking wrong mac addresses and it may not be a solution at all because MAC addresses can be spoofed to another range anyway. Explain what the unwanted user is ...

vasilaos

You haven't explained how you are trying to map ports yet. The IP addresses on your wan interfaces are private ip adresses and are not routable throught internet so you must be behind another router. Are you mapping ports on the edge router that has a real ip address reachable from the internet?

vasilaos

Along with TCP port 1723 that allow PPTP tunnel maintenance traffic you also need to o allow PPTP tunneled data to pass through router so you need open Protocol ID 47 (GRE) but consider that PPTP is no longer considered secure

vasilaos

a solution is to run scripts this way

/system script run "script_name1"

/system script run "script_name2"

vasilaos

I guess you can't turn off a security profile but you can set mode to none if that is what you mean. Please provide more information on your wireless security profile configuration. Have you selected both wpa psk & wpa2 psk. Have u specified tkip or aes ccm chipers or both or none of them. Try s...

vasilaos

Make max udp packet size 4096

vasilaos

You may not want to masquerade traffic form your connected subnets. In order to do that best approach is to add an accept rule between your connected subnets above the main masquerade rule in firewall nat like: MT1 /ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.0/...

vasilaos

To me it looks like you are running into mtu issues. Depending on the encapsulation of your internet connection you may add a rule to clamp to pmtu via mangle

vasilaos

Hello guys. Today i started a traffic generator on a remote location with quick start and i lost connection with the remote location. I can't stop the traffic generator my self now at the moment. I wanted to know if there is any default duration of the test?

vasilaos

i refer to this https://wiki.mikrotik.com/wiki/Manual:Interface/Ethernet disable-running-check (yes | no; Default: yes) Disable running check. If this value is set to 'no', the router automatically detects whether the NIC is connected with a device in the network or not. Default value is 'yes' becau...

vasilaos

Hi guys! where is the disable running check in latest RouterOS?

vasilaos

i will do this later but i can not guarantee it will work 100% with simple queues since i use queue tree for marked packets and simple queues in a few cases

vasilaos

traffick mark i mean mark packet

vasilaos

yes sorry you have specified in title now that i see. it isn't that easy task you have to be familiar with Layer7 Protocol, Filter rules, Mangle, Queue Types. the right direction to this is to: 1. create a Layer 7 protocol to detect facebook.com traffic regexp: ^.+(facebook.com).*$ 2. create a filte...

vasilaos

do you use simple queues or queue tree?

vasilaos

only fcb?

vasilaos

i think is up to FWBuilder developers but what is the real advantage of this?

vasilaos

i done same configuration on a mt device to test and the file showed just immediately. idk what you are missing exactly. try a

/system logging print

also and post it here again please.

vasilaos

it is the masquerade rule because will masquerade everything from the selected range and the replying machine will reply to your mikrotik address instead of your pc Your out interface of masquerade rule in mt includes your other local subnet because out interface is bridge1. if you want to keep the ...

vasilaos

/file print

or if u use winbox go to files use drag and drop file to desktop

vasilaos

Disable masquerade.

vasilaos

file should be created automatically under mikrotik files and you shouldn't see it work on system log. probably log action has not been created successfully and and you are logging to memory instead. see if logging action have been created by print command /system logging action print and if logging...

vasilaos

Yes it is possible. As i understand you want to save connections log to disk file inside your mikrotik device. This is not that much recommended scenario because it may use a lot of memory and processing depending on how many connections there are. there are some limits for the created file like num...

vasilaos

G/N option is available in newer versions of routeros

vasilaos

Yes you should know the all the dns names or hosts the site uses to connect and upload first. you can not use *.hubic.com. Then with a script resolve dns names to ip addresses and add them to an address list for later use. Also I'd like to upload from multiple PCs so marking/routing tcp/443 connecti...

vasilaos

take a look https://youtu.be/3LmQYIQ5RoA?t=13m55s

vasilaos

you can bock something by knowing the protocol or port it uses to connect or you can block everything and allow only some ports like port 80 http or 443 https etc.

vasilaos

what u can do is forward ports from public ip to local ip with dst nat

vasilaos

But anyway, I suppose mikrotik should anyway rotate the queries to all dns-servers and get the answer from some of them? At least when the query-server-timeout is like 1s and query-total-timeout 10s, it should have time to ask from 10 dns-servers before timeout. There is no timeout but instead an i...

vasilaos

mikrotik reach the dns based on routes in routing table. if you have default route active primary isp then will query the dns of the second isp through the active route that might be your primary isp. add routes to the dns ip manually to select proper path. /ip route add dst-address=192.19.223.230 g...

vasilaos

So I set the address 217.153.XXX.13 on the computer with the gate 217.153.XXX.12 to move through the microtic.

what subnet have you set for the computer? can u do a tracert from the computer to see if you are being routed from 217.153.XXX.12?

vasilaos

if u have dual wan link and one of them fails then you are querying the dns server from the other link. usually isp dns servers are not public. you can query them only from inner network. what is happening in your case is that you can still ping the server from outside isp network so their status is...

vasilaos

Well would be even more awesome if a device can send and receive simultaneously to more than 1 physical ap considering it a single ap. something like synced ap placed in different locations working as 1

vasilaos

lol. Simpler way would be to enter the key into the right field

vasilaos

you can block communication to wan interface for example if your wan inteface is ether1 then: /ip firewall filter add action=drop in-interface=ether4 out-interface=ether1 or you can block traffc other than your lan network for example if your lan network is 192.168.0.0/24 then: /ip firewall filter a...

vasilaos

I am not very familiar with OpenVPN but i think you can make a tunnel directly from your CCR1036. There is another post explaining how to: https://forum.mikrotik.com/viewtopic.php?t=92546 then route traffic with connection mark through the tunnel otherwise you can connect the wan of your R7000 to a ...

vasilaos

You should be able to connect to any WPA2 secured network by configuring the profile correctly otherwise the UniFi is using some proprietary protocol u cant connect to it. But if you can connect with other devices like smartphone or laptop then you should be able to connect with mikrotik too. First ...

vasilaos

Hello! Idk if i understand what u want to achieve but first WPA2 is not a connection but an authentication method for secured wireless.

My question is u want to connect to any unsecured 2.4ghz around or to a specific secured network using WPA2. If is the second option then i assume u have the key.

vasilaos

i think your problem is your route for route mark OpenVPN. 0.0.0.0/24 dosent make any sense. should be 0.0.0.0/0 and you need to add 192.168.5.1 gateway for that route with no interface selected for that route. router os will select interface based on gateway. like this: /ip route add dst-address=0....

vasilaos

Thanks Elliot. 1. There are no obstacles but a lot of interference i guess since it is urban area. I think there might be a problem with noise detection on routeros or on wlan chipset itself since noise floor threshold is showing always around -116 and i dont think mine is a perfect environment for ...

vasilaos

Elliot can i ask you why use nstreme (exact size - 3600+). what is the purpose to it? i was thinking what could fix the disconnecting issue

vasilaos

I switched already another ap to nstreme with some tweaking and is working a lot better. even though other antennas connected to it disconnect sometimes, throughput is a lot better compared to nv2. nv2 seem to be a disaster on point to multi point maybe in noisy environments.

vasilaos

Yes i just tried now with station bridge and its the same result.

vasilaos

I am experiencing low bandwidth test from a single tcp connection over nv2 protocol. This problem is not present over nstream protocol. since nstream has some disconnecting problems i have preferred using nv2. Or should i not use nv2 and nstream at all? i seen many posts in the past about this but n...

vasilaos

I know how to set up a hotspot. what hotspot configuratin has to do with my question?

vasilaos

What would you like to achieve by this? Why cannot users put in a one time password?

No, users can not put in a one time password. Actually i don't have to know the costumers. I just want to provide free wireless access on a secured wireless connection.

vasilaos

Is it possible to set a Wireless Access Point open for anyone to connect without having to input a pass key and at the same time have the wireless connection encrypted over the air?

vasilaos

can i use elif statement in mirkotik scripts?

vasilaos

Nv2 should give you better speed. Nstreme in some cases could have better latency.

nv2 does not give better speed in my case and nstreme is disconnecting because of pool timeout.

vasilaos

I have set Frequency Mode to manual-txpower not to regulatory domain. on the other side those with the long distance are SEXTANT G 5HPnD. those far away have better throughput with nstreme protocol but when i change the protocol another cpe that is located close keeps disconnecting and associating.

vasilaos

I have the same problem with 2011UAS-2HnD-IN. i do not buy them anymore

vasilaos

I am having some problems with one of my omnitiks. One of my problems is that working withi higher frequencies i get lower signal. Is this normal? 3 of my client cpe-s that are 5km distance away from the omnitik does not connect because of low signal when i use higher frequencies. Is it possible tha...

vasilaos

yes its RB951Ui-2HnD sorry routeros is 6.10 firmware is 3.12 what is poe firmware? the power supply is the original supplied with this device. 24v 0.8A regular shaped if i cant power a sxt lite 5 with this port whats the purpose mikrotik made it for? i had to make a jumper to power my sxt in this ca...

vasilaos

I am having problems with poe out feature. i have connected a sxt lite5 to a RB951G-2HnD and it randomly restarts most with traffic. how can i fix this?

vasilaos

can you add some usb ethernet drivers to. I have some USB To LAN i can not connect. Also some cheap usb wifi device would be great. i can use only TP-Link TL-WN722N for the moment but the price is relatively hi compared to some other adapters. i can give more information if you want. i need the othe...

vasilaos

Hello IP>>HotSpot>>Active Users>> Users Tx Rate , is not active on this Version. It was not active on RC11 also. Any suggestion ? Regards Do you use Bridge ? I had this problem in v6rc11. i was waiting for this fix. It seem has not been fixed http://forum.mikrotik.com/viewtopic.php?f=2&t=70207

vasilaos

did RouterOS v6rc12 resolve this?

vasilaos

i downgraded to v6rc9 and works fine now. So it was related to the v6rc11. but now the router restarts randomly and i don't understand why. waiting for v6rc12

vasilaos

Omnitik has a great performance and i like the dual polarization very effective. I like to modify this ap with some diodes to give power to the other ports so i can connect an 2.4 ghz ap and other ptp links. 2.4 ghz variant would be a great solution for me since i am very satisfied with Omnitik 5.8 ...

vasilaos

after updated to RouterOS v6rc9 then to RouterOS v6rc11 i see in the hotspot hosts and active clients that there is no tx traffic and the radius server is not getting information about the tx traffic. http://www.ozoone.net/share/txrate.jpg what is this related to? have i to downgrade to the previous...

vasilaos

hello! i have a simple question. I want to reset the user counters. there is a reset all counters button. even when i open a single hotspot user the button says reset all counters. i have clicked by mistake this button twice loosing all the user counters. i need to know how can i reset a single user...

vasilaos

I have a RB600A with 3 wireless adapters R52H. now i want to replace a the main TrendNet access point with this one and connect to it some TrendNet access points acting as client/repeater. the problem is that wen TrendNet tew-453apb acting as client/repeater try to connect the first time it does not...

Search found 121 matches