MikroTik

Guscht

Is the color-change implemnted? If you change a value, the line turns blue in WB3.
Biggest missing feature in WB4!!

Guscht

After upgrade to 7.19.1 (from 7.19) one PC in LAN could not connect to my Reolink camera via RTSP (VLC shows 0 video frames). Disbaled Win-Firewall, reset VLC to defaults, rebooted Win, rebooted Cam, disabled/enabled RTSP service in cam... nothing! All other PCs in LAN or WLAN were able to connect. ...

Guscht

This could be possible, "published" is a "flavour" of proxy-arp not local-proxy-arp and therefore it looks for the queried IP against the source-IP somehow... Thank you! My intension was to reduce broadcast traffic, Win should use unicast (IMHO) if it has a MAC resolved. Silent i...

Guscht

Hi, I have my LAN (VLAN101) and in this VLAN is my PC and my printer. The printer is usually offline, which results in permanent ARP queries from Windows, because it tries to connect and retrieve data from the printer (SNMP, toner, etc...) My idea was to add an ARP entry with the IP of the printer, ...

Guscht

Nothing new? Last version was from 2025-Apr-04 13:24.
I got mails weeks ago for my reported bugs, that a new version will show up soon.

The doomed 7.18.2 has f*cked up a lot LTE-devices. Not even a RC...

Guscht

So many moves on Bridging, Switching, ARP, and other very fundamental layers. I think(I hope) this can be happening for a good reason! Compared to other vendors and even to the standards, the bridge implementations, the nomenclature, and etc, were so weird! I dont think so. The names are almost ide...

Guscht

Thank you guys! This SSH remote/local tunneling stuff seems to me quite complicated and not really good controlable. In a sense "which SSH-user is allowed to reach which server in my LAN" and I think I cannot control this via firewall/filter either. I will let it disabled, seems safest to ...

Guscht

Hi, can someone clarify what is the difference between: IP -> SSH -> Forwarding and the normal IP -> Filter -> NAT DNAT-forwarding? Also the MT does not help: forwarding-enabled (both | local | no | remote; Default: no) Allows to control which SSH forwarding method to allow: no - SSH forwarding is d...

Guscht

Why do you guys make this so overcomplicated?! That's a Layer2 issue, not Layer3 (routing/IP...) issue.

Create a LAG (Bonding) on Device1 and on Device2 -> thats all

Forget that nonsense with .2 and .3 IP, the IP-Interface is tied to the LAG.

Guscht

Can't help, but a notice:
It's 2025, IPsec is an old, outdated overcomplicated, error-prone dinosaur.
If possible, use a modern technology like Wireguard.

Guscht

Still no colour change for edited fields (4.beta17).
Still useless software!!

Guscht

In firewall -> filter (forward-chain): create new rule: in interface "G4", source ip: 172.16.24.8, destination ip: 172.16.23.4, destination port: 3493 (I assume tcp, but could be udp as well). action: accept place this rule logically above any rule, that would prevent this connection. The ...

Guscht

Hi, I tried to export my managed devices out of Winbox via: File -> Save as... (stored as "Addresses.CDB" on my Desktop, Win11 (24H2)). Winbox is v3.41 Now I wanted to delete this file, but the next time I start Winbox, the file is re-created. How can I disable this permantely? I thought &...

Guscht

Upgarded one of our core-router, a CCR1072 and it got stuck in "rebooting" (LCD). The only option was to go on-site, remove power, re-power and it booted up (after reboot still with the old version 6.49.17). After another Upgrade-attempt, it rebooted normally and had 6.49.18. Another reboo...

Guscht

Still no color-change for changed values...
Winbox4 is useless without this feature!

Screenshot 2025-01-31 203614.jpg

This is a edit, how I wish changed values would show up:

edited.png

Guscht

Hi, with ROS v7.17 MT enforced a strict device-mode regime: !) device-mode - after upgrade, mode "enterprise" is renamed to "advanced" and traffic-gen, partition (command "repartition"), routerboard and install-any-version features will be disabled; In my opinion, there...

Guscht

I miss a LOT, that the name of a value I changed does not change color!

For example, if I rename a bridge, the value "Name" got blue the moment I changed something.
This is such an important feature:

color.png

no_color.jpg

Guscht

What is:

*) route - added /ip/route/check tool;

Guscht

Arggg it seems like there are too many bugs in this version ...

Yeah and some random guy here dreamed *THIS* will be a long-term, because it took so long... LOL
This is a typical MT point-zero release, 3 steps forward and 5 back... The long-term is as far away as with the v7.0 release.

Guscht

What is this field (Netwatch)?

Screenshot 2025-01-17 173006.jpg

Screenshot 2025-01-17 173021.jpg

Guscht

Due to a chip issue which reports board temperature MikroTik decided to remove this parameter from health.

Sad - it gave me good, plausible and reliable reading.
Opened a ticket (SUP-176683), because I can not relate.

Guscht

Smol homenet updated: Zwischenablage_01-17-2025_02.jpg Works good so far :) QUESTIONS: *) firewall - added support for random external port allocation; What means this? A bugfix or something we can configure? What is "random" now and what works now what has not worked before? *) snmp - add...

Guscht

I was not happy to have a "all-in-one" ROSv7 package.
Because it is a long proven best practice to disable unused features. And with ROSv7 everything is installed/enabled by default.

+1 for a separation in different packages

Guscht

Thank you sukram! I wonder why it is to hard for MT to write the fundamental things clear in their help-documentation... For me 2 things were no set: Firewall -> Filter -> Input-Chain TCP Port: 5246-5247 UDP Port: 5246-5247 Why are such fundamental things not mentioned in their help-documentation: h...

Guscht

Hi, I would like to provision my cAPs via the Address (I assume IP-Address?). But the Address-Field is empty and therefore any provisioning-rule does not match. How can I get the cAPs IP to the CAPSMAN? Screenshot 2025-01-03 204217.jpg Screenshot 2025-01-03 204303.jpg In the documentaion it is not s...

Guscht

Hi, I have a CRS328 as my "main" switch in my home(lab). On port has an orange (top) PoE-LED. But orange is not mentioned in the manual: Triangle LEDs (top row) indicate PoE out status. Green LED indicates that the respective port uses low voltage, a red LED indicates high voltage. Flashin...

Guscht

Hi, I wonder why the (new) wAP ax has a directional antenna? It comes with a desktop stand and it suggest it's an omni. Any real-world experience how the wAP ax perfroms in regards with the desktop-stand and 360°? Compared to the cAP ax? cAP ax (wtih semi-omni): https://fccid.io/TV7CPG52X/Test-Repor...

Guscht

I tested and it works! :D I cut off the end of the RBGPOE (https://mikrotik.com/product/RBGPOE) and connected to DC2 as shown here: https://www.reddit.com/r/mikrotik/comments/x8edes/rb5009_poein_to_poeout_hack/?rdt=51148 The "barrel DC-input" is empty, only because I had no male-male-gende...

Guscht

I will let you know

How was the Reddit-guy able to do this:

...it sucessfully powers RB5009 + hAP AX² + hAP AX² + cAP AX

Thats even more I would need.

Guscht

Hi, I have seen the RB5009 (https://mikrotik.com/product/rb5009upr_s_in) has PoE-IN and PoE-OUT but not at the same time :/ If you’re using PoE-out to power other devices, the board will choose the source with the highest voltage (DC jack or the 2-pin connector) to power those. They say DC jack, 2-p...

Guscht

Thank you, unfortunately is the Switch/Mirror-thing to stupid to do this correctly... You can mirror frames, but only on one port and I use LAGs with at least 2 ports. LAGs are not under the switch menu visible. Worked not good/predictable for me :/ I have 2 VLANs: LAN = VLAN101 (main MGMT for MT de...

Guscht

Hi Mikrotik, I wanted to say I bought the L009 because I needed the 8 ports. Previous device was a hexS. I powered the hexS via my central CRS328 and the hexS powered my cAPax. Worked great and everything was supplied via my central UPS. I hoped the same for the L009... But unfortunately the L009 do...

Guscht

Hi, due to MTs outage of mynetname, I want to update my Cloudflare DNS-records alternatively. But how can if find via scripting the current WAN-IP? I have multiple 0.0.0.0/0 routes (distance, 1, 2, 3...) and they failover via a recursive-lookup which works good. But how can I get the IP of the curre...

Guscht

Can the router itself ping outside? Maybe also a Telekom issue... Edit: /ip route add disabled=no distance=1 dst-address=192.168.176.0/24 gateway=ether2 routing-table=main scope=30 suppress-hw-offload=no \ target-scope=10 add disabled=no distance=1 dst-address=192.168.178.0/24 gateway=192.168.176.1 ...

Guscht

Hi, I have a LAN (VLAN11) and a WLAN (VLAN12). All MT devices are in the LAN (VLAN11) for management. But it would be handy, if I could see the MNDP-frames in VLAN12 (WLAN), Winbox, too. Of course, I could create on each device an addition VLAN12-interface, but this is inconvenient. A smol reflector...

Guscht

If I understand you correctly, you want to intercept DNS-requests and redirect them to another DNS-server? This can be don with a DNAT-rule under: IP > Firewall > NAT > DSTNAT-chain Edit: With Mangling you could intercept DNS-traffic and place this client in another routing-table (routing-mark). 1. ...

Guscht

It's time..
7.16.2 -> long-term
7.17 -> stable

I think you had to much Pizza and Vino :D
V7 is stil sooooo far away from a "long-term" aka production-ready!!

Guscht

smol home-net upgraded to v7.16.2, everything works for me:

Zwischenablage_11-27-2024_01.jpg

Guscht

Wireguard is a service which runs on "all" interfaces. You can't "bind" it to a specific VLAN. You have to filter it via the Firewall/Filter/INPUT-chain and allow Wireguard only on your desired VLAN(s). Have you configured the return-routes on the endpoints? Your Wondows/Android ...

Guscht

I just wanted to say I really hope MT

is planning to release a Christmas-Speical on their YT-channel

I missed this video in 2023 a lot and I was really sad and disappointed

Guscht

It's still unclear to me, on which side and in which peer-definition I set responder=yes? Let's assume I have a central router with a static-IP (which should act as the server "responder"). And we have a few "road warriors", who have dynamic-IPs and must initiate the connection. ...

Guscht

Hi,
I powered my hexS with its supplied PSU. Now I changed it to PoE from another switch and saw it got +20°C hotter:

chart.png

Is this a normal behaviour? The hexS is powered by PoE now, it does not power other devices!

Guscht

Hi, what does this checkbox? Screenshot 2024-09-28 223330.jpg If on or not, the Interface shows up with the comment "added by vlan on bridge": Screenshot 2024-09-28 223459.jpg The documentation reads: mvrp (yes | no; Default: no) Specifies whether this VLAN should declare its attributes th...

Guscht

RB912R-2nD is not showing Identity and Board anymore (3rd from top)...

Edit: After another reboot, it shows up correctly...

Zwischenablage_09-24-2024_01.jpg

Guscht

@MT, I was using Winbox4 now for a few days and I can give the follwoing feedback: BRING BACK TABS!!! This little drop-down list is terrible in it's useablility. Tabs are maybe not as beautiful, but in the end Winbox is only a TOOL and it has to useable. I will revert back to Winbox3 for now. And th...

Guscht

Like it. Just for my taste, important things should not be in a list. Like "Filter Rules" and if I want "Mangle" i have to open a smol drop-down list/window. And enable / disable / remove should also be on top with the status line. Thats stuff at the bottom is just weird. But aft...

Guscht

And please, create the Long-Term chain on v7 also. I had to use PIM in a v7-device, it is so stable as a house of cards. Every few days a "autosupout.rif" is generated, because something crashed internally. The Multi-WAN Wireguard-route-selection was fixed only in last 7.15.3. For easy se...

Guscht

Is the training material still on 6.49.x ?

I hope so, v7 is still far away from a production-ready replacement.

Guscht

IPsec is outdated, EOIP is Layer2 over VPN.
Modern and todays standard is Wireguard.

Everything else is simple IP-Routing.
Establish VPN form sites to center (if sites have dynamic/public IPs). Or use a dynamically updated DNS-A-Record.

Guscht

I tested it now, DSL has distance 1, LTE has distance 2.

During normal operation (DSL), I connected via LTE to the Wireguard-server. From there I can reach my network. This was not possible in earlier versions.

Guscht

Hi, I have seen, if I stream Multicast over WLAN, it works good via the old CAPsMAN-CAPs and "Multicast Helper = full". With clients connected to CAPs on the new CAPsMAN, Multicast over WLAN works awful with "Multicast Enahnce = enabled". Its not possible to watch the stream, eve...

Guscht

I am using 7.15.3, I cannot install an "Alpha-Version" on my Edge-Router.

Guscht

Got response: Hello, Thank you for contacting MikroTik Support. There is alpha74 version in this download link, https://box.mikrotik.com/d/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx/ Please use it on your device and see if the behavior of Wireguard is different. Let us know your findings. Best regards, I testet ...

Guscht

As an advise, don't use Mikrotik WLAN! It's completely screwed with their Wireless, WiFi, CAPsMAN old, CAPsMAN new. This feature works only with that on this hardware, with this package, that feature works only on that hardware but with this, this, this limitation... It's a completely mess, never se...

Guscht

Digged a bit more, this happens only with "PIM SM", not with "IGMP Proxy". Client1 sends a "Leave Group" message when stopping VLC and in this second the stream-traffic stops flowing to Client2 (seen via Wireshark). In my opinion this is a bug or a not fully implemented...

Guscht

Hi, I have the following setup, Sender is a VLC-Player streaming to a Multicast-Group: VLAN2/Multicast-Sender <-> ROSv7/PIM <-> VLAN1/Multicast-Client1 and VLAN1/Multicast-Client2 Client 1 and 2 use VLC to show the stream. If I end VLC on Client1, the stream stops for Client2 too. Is this the normal...

Guscht

remove the loop

Guscht

That is because the "ip routes" display is effectively a "filter" showing only the IPv4 routes out of all routes (including IPv6). Holy fck... Winbox/Mikrotik/ROS is still surprising me after almost 20 years... IP/Routes is only a "Filter"... Next mental breakdown is c...

Guscht

Disappointed not to see a router fix for wireguard coming in on WAN2 when WAN2 is secondary WAN and mangling this traffic does not work.

Me too, me too....

Guscht

Found the problem, "password" in this case refers to the LOCAL "ssh"-user-account. My session is not made under the ssh-user. But with the option "Always Allow Password Login" disabled (= default setting), MT prevents here to enter the password they demand itself... Adv...

Guscht

Hi, I want to connect via R1 to R2 (ROSv7.14.3 to ROSv7.14.3). After watching this video: https://www.youtube.com/watch?v=8tt7fSvdFRM I did the follwoing: R1: - created user ssh - gave user ssh "full" rights - IP->SSH->Export Host Key - System->Users->SSH Private Keys->imported the ssh_rsa...

Guscht

Opened a case with SUP-152005 describing this issue.

MT answer was:

Thank you for contacting MikroTik Support.
We will see how to improve this.

I hope they fix it, "Routing Rule" has nasty side effects!

Guscht

Same problem here, Dual-WAN and the Mangling isnt marking the answerk from WG correctly. SSTP works as intended.

With a Routing-Rule, it works, but the WAN-connection is DHCP and I would need to script here something that the Routing-Rule is always up-to-date.

Guscht

Hi, I want to do the following: CCR = Main Router, connected via PPPoE/DSL as main line LtAP = LTE-backup How can I implement that: - the the CCR checks if DSL is offline and switches over to LtAP automatically - the LtAP itself should be a normal client and go out via CCR (DSL) unless DSL fails Is ...

Guscht

Any good reasons to increase from 10 to 30 seconds: *) firewall - increased default "udp-timeout" value from 10s to 30s; All deployed devices - v6 and v7 - are configured for 10 seconds. But I'd like to stay consistent with new deployments. What are the thoughts/background about this step?...

Guscht

Maybe it would be even possible to create a "RouterOS Package Builder" I liked the ROSv6 way, when you were able to deselect different modules. In my opinion it's also a security risk to have "everything" enabled by default. If you don't do dynamic routing, why BGP, OSPF, RIP......

Guscht

The keepalive configuration was the "trigger". Removing that keepalive stopped the messages. I dont have a Keepalive configured, but a Gateway-Check "Ping" under routes for a few Wireguard-Peers. Was never a problem till now... Log is flooded with SA Query timeouts. Clients have...

Guscht

7.14 runs good, but WUS DIS????
Endless log-spam

wireguard.jpg

Guscht

Thanky you! I know the concepts behind it. But I still dont understand, why is the Router the bottleneck? Why can it push UDP with 850 Mbps, but TCP with only 280 Mbps? Yes, TCP ACKs everything, but we are FDX, why is the way in affecting the way out here? And it is the Router, not the clients, they...

Guscht

Hi, after my issue with the 287 Mbps TCP (single stream) throughput (CCR1072) was clear to my: https://forum.mikrotik.com/viewtopic.php?t=204905 I testet with UDP (single stream) and it reached almost 850-900 Mbps throughput. The questiosn is - and what I want to understand -, why has TCP vs. UDP su...

Guscht

I understand, 15552 Mbps / 16 cores = 972 Mbps vs. 287 Mbps.
That would be excellent! I personally consider the 287 Mbps of the 1072 in the mentioned complex confiuration quite good too, I dont complain. But I had no reference, thank you!

Guscht

On the CCRs single stream = single core. And the TILE cores aren't very fast; the CCR1072 just has a lot of them. Dividing the 20691 Mbps by 72 gets you 287 Mbps per core, matching your result. If you want better single stream performance, get something with beefier cores, like a CCR2xxx. Thats a g...

Guscht

Hi, I am sitting in front of a CCR1072 (1000MHz clocked), running on ROS 6.49.13 which is used a company edge-router. With around 120 firewall-rules (in different chains), 50 NAT-rules, 130 Mangle-rules, 220 routes, 200 Simple-Queues and 1 Bridge with 40 VLANs. But I would say one third of everythin...

Guscht

1. No
2. own: my perfectly arranged and opened windows appear / none: default
3. never used, no glue
4. Google "mikrotik winbox session" finds nothing useful -> too lazy to fiddle in help and/or wiki -> dont know
5. what?!

Guscht

Hi,

I surfed YT today and was seeking the yearly Christmas-Video... but NOTHING?!

No cookie recipes, no swamp-stories, no Latvian customs.

Guscht

I have not tried it myself, but I think there have been user reports that you need a dedicated CA for each CAPsMAN to make them co-exist. Is that true for you? I run "old" CAPsMAN for my cAP-ac with VLAN config and the "new" CAPsMAN for my cAP-ax with VLAN config in one CCR. Bot...

Guscht

Tell me please, what are the advantages of a "exposed lo" interface over the old way?

Guscht

Any news regarding this issue? Fired up my cAPax after ROS 7.13 came up, works for a random time really good. Than the game with "connected" / "disconnected" every few seconds came up. Only whit my Samsung S22, a old Samsung S8 works fine... After a reboot it works again. Should ...

Guscht

It's not useless, it can be used as Capsman to manage devices using new wifi driver.

Like on 1 out of 100 devices its useful and on 99 useless? Useless codestuff imho...

Guscht

To my understanding:
1- yes.
2- correct, consequence from having (wave2) wifi in base package now.
3- yes. See also 2.

Thanks!

Guscht

@Mikrotik, please update the Menu-Name from WiFi Menu to WiFi NOT Wireless!!!!!!!
This is totally confusing o_O

Screenshot 2023-12-15 140941.jpg

Guscht

Works so far: Screenshot 2023-12-15 134327.jpg But for clarification regarding "Wireless" and "WiFi": Can I uninstall the old "Wireless" package on devices without WLAN-interface (like Switches), or will this break something (like CAPsMAN-management traffic or something...

Guscht

AFAIK a key element in ROSv7 is/was the ability to update kernels.
They said in ROSv6 this is not possible due to endless constraints but in ROSv7 it should be possible.

Guscht

You need an IGMP-Querier (to discover the Multicast-Groups). If you enable IGMP-Snooping but have no Querier, nothing works. IGMP-Snooping disabled is like Multicast behaves like Broadcast. Only the combination IGMP-Snooping enabled with a Querier works.

Guscht

Why you guys always write in such a confusing way...

Like 8.8.8.8 to 1.2.3.1:8080 > 192.168.1.10:80 works?
But 1.2.3.10 to 1.2.3.1:8080 > 192.168.1.10:80 doesnt works?

Firewall rule allowing this DNAT action?
Has 192.168.1.10 a route to 1.2.3.0/??, it wont go back via the router?

Guscht

Regarding MLAG: MT is an excellent Router vendor, but they make lousy Switches. Use another vendor (like FS, D-Link...) for device-overlapping aggregation-groups. MT screwed that in such an overcomplicated way up, it seems they (itself) are unabled to fix it. Same with the "Loopback Detection&q...

Guscht

Thats the normal IEEE 802.1Q behaviour. For your goal, you need to enable "Ingress Filtering" on every port you want (not just the bridge's interface itself). With that enabled, an ingressing frame is checked against its VID and if the port is member of this VID. If no tag is there, the PV...

Guscht

Question about this totally messed up VLAN-thing: I am right, if I have both, cAP-ac and cAP-ax and I have to configure SSIDs/VLANs in a centralised way, I have to run both CAPsMANs? CAPsMAN-old "Wireless" for VLANing with cAP-ac and CAPsMAN-new "WiFi" for VLANing with cAP-ax?? T...

Guscht

What about routerboard upgrades, i always need to log into cap and turn automatic routerboard upgrades on reboot I have automated this step via a smol script. Shame on MT for not offering this as an option for decades... And shame on MT for making everything so incredible overcomplicated. Every ven...

Guscht

I would read it this way: /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=eth11-WAN-A1 new-connection-mark=MARK-WAN-A1 passthrough=yes /ip firewall mangle add action=mark-routing chain=prerouting connection-mark=MARK-WAN-A1 new-routing-mark=WAN-A1...

Guscht

Without a "meshed" network or a total messed up network, Id suggest to disabled STP completely.
Sometimes this settings breaks someting else. I always wonder why MT has enabled this by default...

Guscht

Just to clarify:

I am using a CCR as CAPSMAN-device and have a bunch of cAPac-devices - no wifiwave2 stuff.
If I upgrade to 7.13, I am able to use cAPax-devices under the same CAPSMAN, on the same CCR?

Guscht

*) firewall - added "nat-pmp" support;

oh god no!! I am still recovering from nat-ein, which gave me severe depression and life-crisis...

Guscht

AFAIK MLAG was never working in a predictable and reliable way. A typically overcomplicated MT nonsenese-feature. If you need to bound hardware-devices as a "big logical device", MT is definitely not your vendor. MT is good in routing, but switching - OH GOD NO (unless you want a severe de...

Guscht

my smol homenet works fine, but Im doin not DoH and BGP, OSPF stuff...

Screenshot 2023-11-10 152316.jpg

Guscht

7.12 not working with CCR2004-1G-12S+2XS and RJ45 SFP-GB-GE-T , very sad thing, you fix one thing and break another.

Yeah true, BUT never install a .0-version from MT in production ;)
They call it "stable" but in real words its more a "public beta".

Guscht

Please explain this, Mikrotik: !) ethernet - changed "advertise" and "speed" arguments, and removed "half-duplex" setting under "/interface ethernet" menu; I read this, you remove half-duplex capabilities?! And if yes, WHY on earth do you do this? AFAIK HDX is...

Guscht

I have never seen "Private VLAN" in any organsation.

Guscht

I can understand the TO, I have spend more than 15 years with Mikrotik. And the first years gave me a permanent mix of frustration and depression. But at some point I was able to understand (at least a tiny bit) of the sense behind it. Its hard, really, but its worth, not because of MT, but because ...

Guscht

You can always do the "manual" way, configure one port untagged egressing with old VLAN and another port untagged ingressing (PVID) with the new VLAN. Connect with a patch-cable both pirts.

Guscht

How to stop?

Script:

/tool traffic-generator quick stream=UDP1,UDP2,UDP3 pps=1
:delay 1s
/quit

The "quit" is not executed

Same with:

/tool traffic-generator quick stream=UDP1,UDP2,UDP3 pps=1
:delay 1s
/tool traffic-generator stop

Guscht

Hi, I built a small traver-router which connects to my home-router via multiple VPNs. Works great! But I dont know the public (source) IPs of the Hotels I am in. So, I could create random-ports for the VPNs (and hope no bad guy is doing a full port-scan) or I could use my (already implemented and wo...

Guscht

You cannot have 2 PVIDs for a single port. The PVID classifies packets without VLAN-tag to the set VID. The IEEE 802.1q mentions a PPVID, but most vendors do not implement the PPVID cocept. This would allow to define a single PVID + multiple PPVIDs (per protocol). But I have never seen that on MT ha...

Guscht

The first thing I heard in my MTCNA was "long-term is stable, stable is beta"! Unfortunately I have to say thats so 100% true. ROSv7 is sooooooooooooooo far away from a production-ready stable. Its like they fix 2 bugs and introduce 10 new bugs with each release. A real nasty thing is, the...

Guscht

Updated da smol homenet to 7.11.2, today as well "Little Butterfly" 🦋❤️ (I call the mAP-lite so) - no issues:

Screenshot 2023-09-01 185429.jpg

Guscht

Da smol homenet was updated - no issues :)

Screenshot 2023-08-31 221451.jpg

Guscht

Hi, Id like to implement to send the Voice-VLAN via DHCP to the Unify phones (OpenStage 40). This is described here: https://wiki.unify.com/images/e/e1/Administration_Manual_OpenStage_Asterisk.pdf Page page 26 to 28. Example dhcpd.conf # General configuration for all clients in the subnet subnet 192...

Guscht

Please use only and ever CRS3xx as switches! ROS is a ROUTING-OS, not a Switching-OS (their SWOS is unfortunately like a bad/old/buggy netgear OS). I have spend hours over hours over hours configuring RB and CRS1xx devices as switches (in ROS). After reading hundreds of posts and endless long wiki/h...

Guscht

Well Normunds, thats a bit vague: [...]or manually add/edit the api.json file to have the above contents, for Hotspot detection to work. Wehre do I have to place the file? Anywhere, a special location or folder? Which filename is used? Which DHCP-Option "a special DHCP option will be sent"...

Guscht

PIM is non-functional on RouterOS v7.

Is this sill the case? I did a lot PIM-routing stuff around 2018/2019 with ROSv6 and it worked really good.
Cant believe they still werent able to fix an alredy good working (in v6) feature...

Guscht

Yes, possible, I'd use the CRS317 and run it with ROS. Do it as described here: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#VLAN_Example_#3_(InterVLAN_Routing_by_Bridge) BTW: 192.0.1.0/24 is NO RFC1918 compliant private network. I think you maybe meant 192.168.1.0/24 192.168.4.200/24 will...

Guscht

everything that comes from 10.10.10.10 and goes to 192.168.35.10 translate it to 192.168.1.10

Thats a simple DNAT-rule.

Source IP: 10.10.10.10
Desination IP: 192.168.30.10
Action: 192.168.1.10

Guscht

*) firewall - added "ein-snat" and "ein-dnat" connection NAT state matchers for filter and mangle rules; @Mikrotik, will be there a dedicated Flag in the Connection-Tracking for EIN-Flows too? At the moment I see for the outgoing flow(s) Cs and for incoming flow(s) Cd . If there...

Guscht

I tested now with "Packet Sender" and Wireshark. I can conclude it works that way (using the two rules provided in the MT-Help): If I send a UDP packet (from my LAN) to a random IP on the WAN, like 8.8.8.8:12345 the Source-Port of this packet (eg. a random Highport like 54321) is now open ...

Guscht

I see "Full Cone" even if I have no EIN rules created (also with a ROS v6 tested too), if pressing the button twice within a few seconds.
Which leads me to a point, that this software is maybe not as good?!

Guscht

*) bridge - prevent bridging the VLAN interface created on the same bridge;

Even after reading this a few times, I dont know what this means?

Guscht

Very nice upgrade, *) netwatch - added "src-address" property; Please add the option to be able the ping IP for failover in route. example: check gateway ping 1.1.1.1 that would help +1 this would solve the whole brainfck with the recursive route lookup target-scope-with-undocumented-incr...

Guscht

Just da smol home-network:

smol-net-1.jpg

Found no issues.

Guscht

You give no real details, are the VPN seen as to the Router to does the Router connect to some other server? Its hard to build your network (given by the less details and a config-file) in the imagination. So, my only advice is, exclude all VPN-traffic from LB or force all VPN-traffic to some dedica...

Guscht

@Mikrotik: Could you please describe IN DETAIL how the EIM-Implementation works? I wonder how: - For outgoing connections, always the same SOURCE PORT is used for the same internal IP:Port-combination to an external host? Or Iam wrong? - What if 2 (or more) internal hosts connect to the same externa...

Guscht

Strangest release I have ever seen, just to fix someting on the RB4011.
Normally all they say is "downgrade or wait"... never seen such a "intermediate" release...

Guscht

Hi,

as the title says, are custom chains considered as forward or input chains?
Or how is it determined?

Thanks

Guscht

Ask that in the topic about "Full-Cone NAT"... those people seem to have a use for it.

I remember that topic, this was a very specific use-case.
I was unaware that "Full-Cone" is a synonyme for "endpoint-independent-nat"...

Guscht

Hi, what is the gain of the new "endpoint-independent-nat" from the practical point of view? And does "endpoint-independent- nat " means mapping or filtering ?! I know the definition of the mappings: Endpoint-independent mapping: The NAT uses the same IP address and port mapping ...

Guscht · Re: v7.9.1 [stable] is released! workx Screenshot 2023-05-22 184826.jpg

workx

Screenshot 2023-05-22 184826.jpg

Guscht

write such stuff to support@mikrotik.com

Guscht

Hi, a few questions regarding Wifiwave2 I couldnt figure out. I run a few cAPac as default-installed CAPs with a default-CAPSMAN. Now I want to replace the cAPac step-by-step with cAPax. My CAPSMAN runs on a CCR2004 with ARM64. This sentence is not clear to me: Builds for x86, ppc, mmips and tile ar...

Guscht

simply works :)

Screenshot 2023-05-02 172026.jpg

Guscht

Normally you use both, prerouting (for everthying the router routes) and output for traffic the router itself produces. With 2 rules (prerouting and output) you catch everything. If you want to route traffic from the router itself (eg. DNS requests from the routers DNS-Clinet) you qould need the out...

Guscht

Move the 2nd rule in your 3rd code-snippet to the prerouting-chain.

The output-chain is for traffic the router itself produces. You cant conn-mark in prerouting and route-mark this in the output-chain. There is simply nothing which will match, which correlates with your observation

Guscht

If the counter doesnt increase, simply nothing matches agianst your rule.

But why do you frst the routing-mark and then the conncection-mark?
Id set it up, match the connection and then use the connection-mark as a matcher for the routing mark.

Guscht

You wrote a lot but missed imporatant information! Simple solution, put the device (your HUNAHUNA-stuff) in another VLAN - problem solved, because cleint und server are in different VLANs. More Complex solution: chain=dstnat action=dst-nat to-addresses=192.168.1.122 to-ports=38888 protocol=tcp dst-a...

Guscht

I tested this in my lab and it worked as (you) expected.
Maybe your "general" SNAT rule is simply above your custom-SNAT-rules?

Guscht

Is this limitation (master = ap bridge) not running solved? I tried to configure a travel router and in default config (no default configuration), the salve connects without the master running: Screenshot 2023-04-27 121650.jpg In this setup I can connect via my phone to the wlan1 (ap bridge) interfa...

Guscht

Oh come on, the worldwide "USB port-shortage" hits us :/ Mikrotik, oh Mikrotik, Your CCR2004-16G-2S+ now ships without the USB port trick. USB ports are scarce as they can be, But that doesn't stop you, still a king in the industry. The world may be without enough USB ports, But your route...

Guscht

Hi, is it possible to use the Packet Sniffer with an CRS112-8P-4S? I receiver no traffic, I assume I have to deselect "Hardware Offloading" under Bridge -> Ports. But by doing this, the switch stops switching between the - now - Hardware Offloaded deselected ports. I will receive a few fra...

Guscht

Ok, now I am completely lost :D I want to configure through Winbox a connection via TLS - no STARTTLS-carp. Which options is this? For my undestanding, Winbox says "Start TLS" (which is ambiguous, does "Start TLS" refer to STARTTLS or Start [implicit] TLS): yes = do the STARTTLS-...

Guscht

Hi, in the Wiki is stated: tls (no|yes|starttls; Default: no) Whether to use TLS encryption: yes - sends STARTTLS and continue without TLS if a server responds that TLS is not available; no - do not send STARTTLS; starttls - sends STARTTLS and drops the session if TLS is not available on the server....

Guscht

just my smooll home-network, no issues so far :) Screenshot 2023-02-27 182517.jpg Chat-GPT did this for you <3 Oh Mikrotik, we sing your praise For the gift of ROS v7.8 released today Your routers and switches, they work so well With your firmware updates, they'll never fail Your powerful features a...

Guscht

Hi, I implemented a L7 filter to drop all DNS AAAA-queries (since I dont use IPv6 and they are about 1/4 of all DNS traffic). The Regex is: ^.?.?.?.?.?.?.?.?.?.?.?.?([\x01-\?][a-z0-9\-_]+)+\.?\x1c\.?\x01 It seems this is too complex for ROS, the log says in blue: layer7 match failed, regexp too comp...

Guscht

AFAIK you can use a transpranten IDS/IPS. Eg. put a Sonicwall in as a "transparent" Layer2-Bridge in front of the Mikrotik. Like: WAN <-> Sonicwall <-> Mikrotik <-> LAN https://www.sonicwall.com/support/knowledge-base/comparison-of-l2-bridge-mode-to-transparent-mode/170504277832289/ But I ...

Guscht

I want to understand whats is the difference between MTs NAT implenation and the "Full Cone" Implentation? From here: https://www.networkacademy.io/ccie-enterprise/sdwan/tlocs-and-nat A full-cone is one where all packets from the same internal IP address are mapped to the same NAT IP addre...

Guscht

Thanks!

Guscht

Hi,

does anybody know on what kind of event the DHCP "Last seen" value is triggered?
Any packet from that IP which traverses the router or only DHCP-realted packets?

Thanks

Guscht

We get things like a disk manager, instead of some long awaited fixes in the basic functionality of a router.

Thats is a development I dont really like. There are TONS of bug in basic stuff and they come up with docker and some kind of strogae manager.

Guscht

Hi, if I specifiy a MAC-Address in the Access-List with Action=Accept, will this override the WPA2-Authentication and a Client can connection without further authentication (only with the MAC specified)? I found nothing clear in the documentation, but if thats true, I assume this is a big security r...

Guscht

Hi, I tried with ROS 7.7 to create multiple SSIDs, separated with VLANs as decribed here: https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless Here is stated: Note: It is important to set wlan1,wlan2 vlan-mode to "use-tag". And: /interface bridge add fast-forward=no name=bridge1 vlan-fi...

Guscht

PoE is there

Screenshot 2023-01-17 182227.jpg

Guscht

because I find such rules unnecessary cosmetics

I agree with you! Unfortunately we use other routing-vendors too and they behave this way (and they cant changed).
So we prefer a consistent behaviour throughout all vendor-hardware.

Guscht

Hi, is it possible to restrict pings to the router, so that only the the interface respondes to which the clients belongs? Example: Router: VLAN1: 192.168.1.1/24 VLAN2: 192.168.2.1/24 A client from VLAN1 should not be able to ping 192.168.2.1 (VLAN2-Interface). How can I achieve this in a setup with...

Guscht · Re: v7.7 [stable] is released! Works: Screenshot 2023-01-12 174409.jpg

Works:

Screenshot 2023-01-12 174409.jpg

Guscht

Thank you sindy!
Sometimes its hard to find a confirmation for the assumptions which arise to some topic... And a lot wiki/help/man-pages left a lot room for interpretation.

Guscht

Hi, played today with NAT. Are my assumptions correct: - NAT-Rules match only against connection-state New packets? Thats maybe the reason there is no connection-state matcher within NAT-rules? - user-defined NAT-Rules are applied only on the initial way to the destination, not on the returing packe...

Guscht

A question which is still not clarified for me.
We need IP/Firewall/Filter, NAT, Mangle, RAW + Bridge/Filter, NAT + Simple Queues. I assume from what I have read so far, L3 HW-Offload ist not achievable with this needs?

Guscht

Hi, is there a way to get the ARP-Publish feature (which works like a selective Proxy-ARP) to work in the local subnet? In other words, is there a way the router responds to an ARP-request for a specific IP in the same subnet. Example: Router: 192.168.0.1/24 Client: 192.168.0.11/24 ARP-Request: 192....

Guscht

We use another vendor which supports r/k/v but we had to disable this whole "seamless" stuff, because a lot end-devices were unable to connect. In opinion, dont use it, it sounds good, but only in a 100% controlled enviroment, like a company network where only tested deviced are connected ...

Guscht

Id recommend to create a DMZ with VLANs. So you can connect to a device in the DMZ and the answer coming to from the DMZ to the LAN (belonging to the LAN to DMZ connection) is allowed. But no new connection form the DMZ to the LAN is allowed.

Guscht

yes its down, maybe Swamptaclause pulled the plug

Guscht

So I still think you misled us. From the technical perspective it doesnt matter, a VLAN or a LAN. Both are a single Layer2-Broadcast domains. But you are right, my drawing is in this way misleading (a bit ;) ) @sindy, thats exactly the point! 🙏🙏 From your answer I assume L2-Broadcasts are being for...

Guscht

And, BTW, having VLANs ... your topology is far from "flat", so the title of this thread misleads us :wink: You missed this part :) : VLAN2 = the "home-network" VLAN2 is not a special "WAN-transfer-VLAN". Everytihng is in this VLAN, printer, PCs, Laptops... and the DSL...

Guscht

I meant such a topology, the Router (PPPoE-Client) is not in the same room where the DSL-Modem is located: Zeichnung1.jpg VLAN2 = the "home-network" Will Layer2-Brodcasts "leak" via the Modem to the ISP? Remeber these Broadcasts are normal stuff (like ARP...) without a PPP-Header...

Guscht

Hi, I am thinking about the following situation. In a flat topology (no VLANs, a simple home-network), will LAN-Broadcasts (and Multicasts/Unknown Unicasts) "leak" to the WAN if the client is via PPPoE connected? I think they will, because the regualr PPPoE/PADI is a L2-Broadcast too and w...

Guscht

AFAIK, the "single bridge method" is the preferred way of setting up VLANs with ROS. For simpler settings, you can create a VLAN-interface and "bind" this to a physical interface. Via this interface you can communicate ingress/egress with this VLAN-Tag. But your are not able to d...

Guscht

Who is that idiot who fed bad data or badly programmed the AI? Just for example: /interface wireless set [ find default-name=wlan1 ] mode= ap-hotspot I scolded AI: It looks like the issue you are experiencing is that the "mode" property of the wireless interface is set to "ap-hotspot...

Guscht

I think you have "extended" someones lifespan, and the cat remains with 9 lives. May AI leave us alone a bit longer. For you, what the AI says: To our dear anav, We are pleased to present you with this MTUNA certificate in recognition of your dedication and contributions to the Mikrotik-F...

Guscht

AI? Say: "write a mikrotik-script to convert IPv4 address to binary value"... # Set the IPv4 address to be converted :local ipv4Address "192.168.0.1" # Split the IPv4 address into its octets :local octets [:toarray $ipv4Address] # Initialize the binary string :local binaryString...

Guscht

Thats new to me... I said: wirte a fancy mikrotik-script, so i can impress the guys in the mikrtoik-forum! AI said: Sure, here's a fancy script that demonstrates some advanced features of MikroTik RouterOS scripting: It came up with this stuff :lol: :lol: :lol: :lol: (dont know if it works) # This s...

Guscht

I have realized WiFI-Setups up to 2500 End-Devices. This seems not problematic, a CCR1036/1072, a Captive Portal (like MTs build-in or another vendor, like HSNM), a well structured building wiring with switches on each floor, a good internet-connection and you are good to go. But I dont like your &q...

Guscht

... create a new CRS with the following specs: 8-10 RJ45 1GBit-Ports 4 SFP-Cages with at least 2 of them SFP+ (10GBit) PoE af/at Out on all RJ45-Ports fanless Desk-Housing ROS So to say a new version of the CRS112-8P-4S-IN with at least 2 SFP+ (10GBit) ports - and please as CRS 3 xx - the CRS1xx are...

Guscht

IMO there is ZERO need for VLAN with routers, especially not in home environment as well not in a corporate LAN. VLAN might be maybe good for carriers, ie. ISPs with L2 switches only... VLANs are an integral, fundamental component of any network, in which a segregation between layer2 domains is nec...

Guscht

Not the way I see it. Its OK, you see it worng, but "a man's mind is his kingdom". For all other, thats exactly the behaviour without a SNAT rule: Screenshot 2022-11-25 215211.jpg Outbonud: 10.88.10.1 -> 8.8.8.8 Inbound: 10.88.30.21 -> 10.88.10.1 The answer form 10.88.30.21 is invald, bec...

Guscht

I disagree, one only needs the dst-nat rules, what IS NEEDED that should be noted is firewall forward chain rules. Assuming the client tries to contact 8.8.8.8, the DNAT-rule catches the frame and forwards it to 192.168.10.4. The DNS-server will process the request and ... what will happen, my dear...

Guscht

[...]there should be no need for your extra sourcenat rules!

Without the SNAT-rules, the whole concept wont work (assuming the DNS-Server is in the same (V)LAN as the DNS-Client)!!

Guscht

Have you set the routes to the internal-network in the end-device (to go via the VPN)? Du musst im VPN-Client/Betriebssystem des Endgeräts die Netzprefixe des Firmennetzes eintragen, die über das VPN geroutet werden sollen. Oder du legst gleiche ein Defaultroute an, dann geht alles, auch Internettra...

Guscht

Seems 100% correct to me!

The only thinkable way they are no using the rules (are the counters going up?) is, they are not using this router for DNS. At least not for DPort 53 (do they use some DoH stuff)?

Guscht

Try adding: /interface bridge add ... mtu=1500 to your bridges and see if it works. Reducing the MTU too much results in fragmentet packets. Each part of the connection has to know it have to send smaller packets, thats signalled via ICMP. If ICMP is somewhere blocked/droped, at least one side of th...

Guscht

It sounds to me like a MTU issue. This random "this website works, this not..." is typically for that kind error.

Guscht

Hi, I played a bit with the "redirect" rule. If I configure a redirect rule for DNS and shoot from a Windows-PC a nslookup abc.om 8.8.8.8 I see a correct answer coming from 8.8.8.8 (it comes from the MT, not from Google-DNS). The source IP is 8.8.8.8 but I comes form the MT, so a source-NA...

Guscht

We now are in the situation where many routers cannot be upgraded from v6 to v7 and that is not good, neither for the customer nor for MikroTik. Why would you want to update an in-production router to V7? V6 is perfectly stable, there is absolutely no reason to do this step. V7 is still a (more or ...

Guscht

Any examples how this works with VLAN-Interfaces and Bonding-Interfaces? Lets say we have a Bonding eth1+eth2 as LAG0 and a 100 VLANs. Is all we have to create 2 MACsec Inteface (eth1 and eth2) and thats it? Or do we have it the cascading way: create MACsec-Interfaces -> create the Bond with the MAC...

Guscht

where can I find macsec settings in winbox?

A "tab" under Interfcaes:

Screenshot 2022-10-18 175142.jpg

Guscht

Those two changelog entries don't mention anything about WinBox, from which you provided the screenshots. Look for them in CLI. Normally, they write "CLI only" if so, and if not, its referred to Winbox and CLI?! So far is my understanding of their changelog-nomenclature. Like in: *) dns -...

Guscht

Findings: *) ethernet - added "5Gbps" option for speed setting; NOPE: Screenshot 2022-10-18 153547.jpg -------------------- *) l3hw - added "l3hw-settings" sub menu under the switch menu; NOPE again: Screenshot 2022-10-18 154011.jpg -------------------- *) sfp - improved QSFP/SFP...

Guscht

So far, no issues with 7.6:

Screenshot 2022-10-18 132051.jpg

Guscht

OK, no one, which means such a tool is not available within ROS.
Then MT, see this as a feature request

Guscht

Works good on all our routers in the production networks.
But to be honest, its a sad upgrade, no extra thread and not even the new NetWatch was implemented.

Thats by far the saddest upgrade I have ever seen.

Guscht

Hi, is there a tool like the "diag network-path" avialable in Mikrotik? Example (other vendor): > diag network-path 1.2.3.4 1.2.3.4 is located on the X3 It is reached through the router at 192.168.0.5 It is reached through Ethernet address fe:01:00:00:00:01 A handy tool. How can I see this...

Guscht

Good point, the other RBs are not ROSv7.5!

Guscht

Hi, I tested my Woobm with a bunch of hexS. Via PoE or direct power. The Woobm flashes in random order and show up sometimes as AP, sometimes not. A successful connection was not able. Reset was done -> no effect. The Woobm works with my other RBs as intended. Is there problem a with the combination...

Guscht

It do not say they have to ROUTE (IP-Routing at Layer3). IANA says: Multicast routers should not forward any multicast datagram with destination addresses in this range, regardless of its TTL. MT is a Multicast-Router, so MT will never FORWARD mDNS. This applies to "Proxy" or "Reflect...

Guscht

My 2 cent: Stop asking MT to do a non-RFC thing. MT will most likely not implement such a tool. MT as a router manufacturer will always obey RFCs, and your wish is to forward/feflect/proxy local frames. mDNS uses the follwing multicast address: 224.0.0.251 mDNS IPv4 Multicast Address Space Registry ...

Guscht

Run your VPN over an unblocked port, like 443. If they block 443, the have blocked almost everything. In such cases, use starlink. I assume they do not deep-packet-inspect the traffic from a whole country. Maybe China does such sutff, but not Iran. To wait for your requested feature is inappropriate...

Guscht

Hi, does anybody know how ROS handels overbooked guaranteed speeds (limit-at) in Simple Queues? Example: - Parent Queue: 10/50M -- Child1: limit-at 10/50M -- Child2: limit-at 10/50M AFAIK both "childs" have now a guaranteed bandwith of 50M download - 100M in total. But the parent and the p...

Guscht

After watching: https://www.youtube.com/watch?v=-hdLsXd9OgE there are more questions then answers. Why is there something like a VRF? I see no real difference to Routing Tables? Can someone point out what are the differences? What are the benefits of VRF over Routing Tables? When not to use VRF? In ...

Guscht

Hi, I am trying now for 2 hours to understand the MSTP wiki: https://wiki.mikrotik.com/wiki/Manual:Spanning_Tree_Protocol Can somebody please explain the follwing: In this case for VLAN 10,20 to reach the third device from the first device it would choose between ether1 and ether2, one port will be ...

Guscht

I would assume a IVL/SVL change would result in a complete flush of the FDB.

Guscht

If the ports are not bridged together, the ports are isolated by itself. If you do NOT have the requiremnt to tag the frames with an IEEE802.1Q-tag (or if ingressing to understand tagged-frames), there is no need to create a VLAN-Interface. All you need is to block the inter-network communication by...

Guscht

Either you use capsman and then this is the consequence. Or you do not use capsman. There is no option to keep the devices in operation, unlike every other vendors WAPs? OK, thats a point, I would advise every customer againts Mikrotik regarding WAPs. But on the other hand, that stuff is really CHE...

Guscht

Hi, is there an option, which keeps my cAP's working, if they loose the connection to the CAPSMAN server for a short time? They are configured for a local breakout ("Local Forwarding"), they do NOT send everything to the CAPSMAN. But if they loose the connection the CAPSMAN for a few secon...

Guscht

Without incident my homenetwork:

Screenshot 2022-08-31 235114.jpg

Search found 374 matches