Search found 316 matches

by Guscht
Thu May 30, 2024 4:40 pm
Forum: Announcements
Topic: v7.15.1 [stable] is released!
Replies: 345
Views: 78764

Re: v7.15 [stable] is released!

Disappointed not to see a router fix for wireguard coming in on WAN2 when WAN2 is secondary WAN and mangling this traffic does not work.
Me too, me too....
by Guscht
Sun May 19, 2024 1:39 pm
Forum: General
Topic: SSH - what I am doing wrong?
Replies: 2
Views: 415

Re: SSH - what I am doing wrong?

Found the problem, "password" in this case refers to the LOCAL "ssh"-user-account. My session is not made under the ssh-user. But with the option "Always Allow Password Login" disabled (= default setting), MT prevents here to enter the password they demand itself... Adv...
by Guscht
Sun May 19, 2024 12:34 pm
Forum: General
Topic: SSH - what I am doing wrong?
Replies: 2
Views: 415

SSH - what I am doing wrong?

Hi, I want to connect via R1 to R2 (ROSv7.14.3 to ROSv7.14.3). After watching this video: https://www.youtube.com/watch?v=8tt7fSvdFRM I did the following: R1: - created user ssh - gave user ssh "full" rights - IP->SSH->Export Host Key - System->Users->SSH Private Keys->imported the ssh_rsa...
by Guscht
Wed May 15, 2024 12:03 pm
Forum: General
Topic: Output route selection - Wireguard
Replies: 21
Views: 4097

Re: Output route selection - Wireguard

Opened a case with SUP-152005 describing this issue.

MT answer was:
Thank you for contacting MikroTik Support.
We will see how to improve this.

I hope they fix it, "Routing Rule" has nasty side effects!
by Guscht
Sun May 05, 2024 1:42 am
Forum: General
Topic: Output route selection - Wireguard
Replies: 21
Views: 4097

Re: Output route selection - Wireguard

Same problem here, Dual-WAN and the Mangling isn't marking the answer from WG correctly. SSTP works as intended.

With a Routing-Rule, it works, but the WAN-connection is DHCP and I would need to script here something that the Routing-Rule is always up-to-date.
by Guscht
Thu May 02, 2024 1:36 pm
Forum: General
Topic: CCR + LtAP LTE as backup
Replies: 1
Views: 286

CCR + LtAP LTE as backup

Hi, I want to do the following: CCR = Main Router, connected via PPPoE/DSL as main line LtAP = LTE-backup How can I implement that: - the CCR checks if DSL is offline and switches over to LtAP automatically - the LtAP itself should be a normal client and go out via CCR (DSL) unless DSL fails Is ...
by Guscht
Tue Mar 12, 2024 10:10 am
Forum: Announcements
Topic: v7.14.3 [stable] is released!
Replies: 671
Views: 210799

Re: v7.14.1 [stable] is released!

Any good reasons to increase from 10 to 30 seconds: *) firewall - increased default "udp-timeout" value from 10s to 30s; All deployed devices - v6 and v7 - are configured for 10 seconds. But I'd like to stay consistent with new deployments. What are the thoughts/background about this step?...
by Guscht
Wed Mar 06, 2024 12:56 am
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 503
Views: 133268

Re: v7.15beta [testing] is released!

Maybe it would be even possible to create a "RouterOS Package Builder" I liked the ROSv6 way, when you were able to deselect different modules. In my opinion it's also a security risk to have "everything" enabled by default. If you don't do dynamic routing, why BGP, OSPF, RIP......
by Guscht
Sat Mar 02, 2024 10:13 am
Forum: Announcements
Topic: v7.14.3 [stable] is released!
Replies: 671
Views: 210799

Re: v7.14 [stable] is released!

The keepalive configuration was the "trigger". Removing that keepalive stopped the messages. I don't have a Keepalive configured, but a Gateway-Check "Ping" under routes for a few Wireguard-Peers. Was never a problem till now... Log is flooded with SA Query timeouts. Clients have...
by Guscht
Fri Mar 01, 2024 3:10 pm
Forum: Announcements
Topic: v7.14.3 [stable] is released!
Replies: 671
Views: 210799

Re: v7.14 [stable] is released!

7.14 runs good, but WUS DIS????
Endless log-spam

wireguard.jpg
by Guscht
Fri Feb 23, 2024 1:03 pm
Forum: General
Topic: UDP faster than TCP - why?
Replies: 4
Views: 801

Re: UDP faster than TCP - why?

Thank you! I know the concepts behind it. But I still don't understand, why is the Router the bottleneck? Why can it push UDP with 850 Mbps, but TCP with only 280 Mbps? Yes, TCP ACKs everything, but we are FDX, why is the way in affecting the way out here? And it is the Router, not the clients, they...
by Guscht
Fri Feb 23, 2024 12:12 pm
Forum: General
Topic: UDP faster than TCP - why?
Replies: 4
Views: 801

UDP faster than TCP - why?

Hi, after my issue with the 287 Mbps TCP (single stream) throughput (CCR1072) was clear to me: https://forum.mikrotik.com/viewtopic.php?t=204905 I tested with UDP (single stream) and it reached almost 850-900 Mbps throughput. The question is - and what I want to understand -, why has TCP vs. UDP su...
by Guscht
Thu Feb 22, 2024 2:21 pm
Forum: General
Topic: CCR1072 - ROSv6 - TCP single-stream performance
Replies: 5
Views: 531

Re: CCR1072 - ROSv6 - TCP single-stream performance

I understand, 15552 Mbps / 16 cores = 972 Mbps vs. 287 Mbps.
That would be excellent! I personally consider the 287 Mbps of the 1072 in the mentioned complex configuration quite good too, I don't complain. But I had no reference, thank you!
by Guscht
Thu Feb 22, 2024 1:38 pm
Forum: General
Topic: CCR1072 - ROSv6 - TCP single-stream performance
Replies: 5
Views: 531

Re: CCR1072 - ROSv6 - TCP single-stream performance

On the CCRs single stream = single core. And the TILE cores aren't very fast; the CCR1072 just has a lot of them. Dividing the 20691 Mbps by 72 gets you 287 Mbps per core, matching your result. If you want better single stream performance, get something with beefier cores, like a CCR2xxx. That's a g...
by Guscht
Thu Feb 22, 2024 10:58 am
Forum: General
Topic: CCR1072 - ROSv6 - TCP single-stream performance
Replies: 5
Views: 531

CCR1072 - ROSv6 - TCP single-stream performance

Hi, I am sitting in front of a CCR1072 (1000MHz clocked), running on ROS 6.49.13 which is used as a company edge-router. With around 120 firewall-rules (in different chains), 50 NAT-rules, 130 Mangle-rules, 220 routes, 200 Simple-Queues and 1 Bridge with 40 VLANs. But I would say one third of everythin...
by Guscht
Thu Jan 18, 2024 11:59 am
Forum: General
Topic: User poll about using Winbox
Replies: 107
Views: 100989

Re: User poll about using Winbox

1. No
2. own: my perfectly arranged and opened windows appear / none: default
3. never used, no glue
4. Google "mikrotik winbox session" finds nothing useful -> too lazy to fiddle in help and/or wiki -> don't know
5. what?!
by Guscht
Wed Dec 27, 2023 1:59 pm
Forum: General
Topic: No Christmas video from MT?
Replies: 4
Views: 765

No Christmas video from MT?

Hi,

I surfed YT today and was seeking the yearly Christmas-Video... but NOTHING?! :shock: :shock: :shock: :shock:

No cookie recipes, no swamp-stories, no Latvian customs. :cry: :cry: :cry:
by Guscht
Fri Dec 22, 2023 10:42 am
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 276323

Re: v7.13 [stable] is released!

I have not tried it myself, but I think there have been user reports that you need a dedicated CA for each CAPsMAN to make them co-exist. Is that true for you? I run "old" CAPsMAN for my cAP-ac with VLAN config and the "new" CAPsMAN for my cAP-ax with VLAN config in one CCR. Bot...
by Guscht
Thu Dec 21, 2023 9:30 am
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 159347

Re: v7.14beta [testing] is released!

Tell me please, what are the advantages of a "exposed lo" interface over the old way?
by Guscht
Sat Dec 16, 2023 8:51 pm
Forum: Wireless Networking
Topic: Persistent Wi-Fi Disconnection Issues with Mikrotik ax2
Replies: 62
Views: 16393

Re: Persistent Wi-Fi Disconnection Issues with Mikrotik ax2

Any news regarding this issue? Fired up my cAPax after ROS 7.13 came up, works for a random time really good. Then the game with "connected" / "disconnected" every few seconds came up. Only with my Samsung S22, an old Samsung S8 works fine... After a reboot it works again. Should ...
by Guscht
Fri Dec 15, 2023 3:30 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 276323

Re: v7.13 [stable] is released!

It's not useless, it can be used as Capsman to manage devices using new wifi driver.
Like on 1 out of 100 devices its useful and on 99 useless? Useless codestuff imho...
by Guscht
Fri Dec 15, 2023 3:14 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 276323

Re: v7.13 [stable] is released!

To my understanding:
1- yes.
2- correct, consequence from having (wave2) wifi in base package now.
3- yes. See also 2.
Thanks!
by Guscht
Fri Dec 15, 2023 3:13 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 276323

Re: v7.13 [stable] is released!

@Mikrotik, please update the Menu-Name from WiFi Menu to WiFi NOT Wireless!!!!!!!
This is totally confusing o_O

Screenshot 2023-12-15 140941.jpg
by Guscht
Fri Dec 15, 2023 2:52 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 276323

Re: v7.13 [stable] is released!

Works so far: Screenshot 2023-12-15 134327.jpg But for clarification regarding "Wireless" and "WiFi": Can I uninstall the old "Wireless" package on devices without WLAN-interface (like Switches), or will this break something (like CAPsMAN-management traffic or something...
by Guscht
Wed Dec 13, 2023 10:00 am
Forum: Announcements
Topic: v7.13rc [testing] is released!
Replies: 178
Views: 53856

Re: v7.13rc [testing] is released!

AFAIK a key element in ROSv7 is/was the ability to update kernels.
They said in ROSv6 this is not possible due to endless constraints but in ROSv7 it should be possible.
by Guscht
Fri Dec 08, 2023 3:34 pm
Forum: General
Topic: Multicast not working for ISP TV BOX (Vodafone)
Replies: 17
Views: 4249

Re: Multicast not working for ISP TV BOX (Vodafone)

You need an IGMP-Querier (to discover the Multicast-Groups). If you enable IGMP-Snooping but have no Querier, nothing works. IGMP-Snooping disabled is like Multicast behaves like Broadcast. Only the combination IGMP-Snooping enabled with a Querier works.
by Guscht
Fri Dec 08, 2023 3:12 pm
Forum: General
Topic: How to setup NAT in this case
Replies: 3
Views: 1596

Re: How to setup NAT in this case

Why you guys always write in such a confusing way... :D

Like 8.8.8.8 to 1.2.3.1:8080 > 192.168.1.10:80 works?
But 1.2.3.10 to 1.2.3.1:8080 > 192.168.1.10:80 doesn't work?

Firewall rule allowing this DNAT action?
Has 192.168.1.10 a route to 1.2.3.0/??, it won't go back via the router?
by Guscht
Thu Dec 07, 2023 1:15 pm
Forum: Announcements
Topic: v7.13rc [testing] is released!
Replies: 178
Views: 53856

Re: v7.13rc [testing] is released!

Regarding MLAG: MT is an excellent Router vendor, but they make lousy Switches. Use another vendor (like FS, D-Link...) for device-overlapping aggregation-groups. MT screwed that in such an overcomplicated way up, it seems they (itself) are unable to fix it. Same with the "Loopback Detection"...
by Guscht
Thu Nov 30, 2023 2:23 pm
Forum: Beginner Basics
Topic: CRS106-1C-5S: Vlan is forwarded, but no VLAN is configured
Replies: 9
Views: 1627

Re: CS108: Vlan is forwarded, but no VLAN is configured

That's the normal IEEE 802.1Q behaviour. For your goal, you need to enable "Ingress Filtering" on every port you want (not just the bridge's interface itself). With that enabled, an ingressing frame is checked against its VID and if the port is member of this VID. If no tag is there, the PV...
by Guscht
Thu Nov 30, 2023 2:05 pm
Forum: Announcements
Topic: v7.13beta [testing] is released!
Replies: 467
Views: 96686

Re: v7.13beta [testing] is released!

Question about this totally messed up VLAN-thing: I am right, if I have both, cAP-ac and cAP-ax and I have to configure SSIDs/VLANs in a centralised way, I have to run both CAPsMANs? CAPsMAN-old "Wireless" for VLANing with cAP-ac and CAPsMAN-new "WiFi" for VLANing with cAP-ax?? T...
by Guscht
Thu Nov 23, 2023 7:40 pm
Forum: Announcements
Topic: v7.13beta [testing] is released!
Replies: 467
Views: 96686

Re: v7.13beta [testing] is released!

What about routerboard upgrades, i always need to log into cap and turn automatic routerboard upgrades on reboot I have automated this step via a smol script. Shame on MT for not offering this as an option for decades... And shame on MT for making everything so incredibly overcomplicated. Every ven...
by Guscht
Sat Nov 18, 2023 11:56 am
Forum: General
Topic: Problems with mangle-rules on RouterOS 7.12
Replies: 15
Views: 2362

Re: Problems with mangle-rules on RouterOS 7.12

I would read it this way: /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=eth11-WAN-A1 new-connection-mark=MARK-WAN-A1 passthrough=yes /ip firewall mangle add action=mark-routing chain=prerouting connection-mark=MARK-WAN-A1 new-routing-mark=WAN-A1...
by Guscht
Sat Nov 18, 2023 11:44 am
Forum: Beginner Basics
Topic: Long identyfing network in Win
Replies: 11
Views: 2353

Re: Long identyfing network in Win

Without a "meshed" network or a total messed up network, I'd suggest to disable STP completely.
Sometimes this setting breaks something else. I always wonder why MT has enabled this by default...
by Guscht
Tue Nov 14, 2023 9:41 am
Forum: Announcements
Topic: v7.13beta [testing] is released!
Replies: 467
Views: 96686

Re: v7.13beta [testing] is released!

Just to clarify:

I am using a CCR as CAPSMAN-device and have a bunch of cAPac-devices - no wifiwave2 stuff.
If I upgrade to 7.13, I am able to use cAPax-devices under the same CAPSMAN, on the same CCR?
by Guscht
Mon Nov 13, 2023 9:04 pm
Forum: Announcements
Topic: v7.13beta [testing] is released!
Replies: 467
Views: 96686

Re: v7.13beta [testing] is released!

*) firewall - added "nat-pmp" support;
oh god no!! I am still recovering from nat-ein, which gave me severe depression and life-crisis...
by Guscht
Sun Nov 12, 2023 2:20 pm
Forum: General
Topic: VRRP + MLAG
Replies: 7
Views: 1801

Re: VRRP + MLAG

AFAIK MLAG was never working in a predictable and reliable way. A typically overcomplicated MT nonsense-feature. If you need to bound hardware-devices as a "big logical device", MT is definitely not your vendor. MT is good in routing, but switching - OH GOD NO (unless you want a severe de...
by Guscht
Fri Nov 10, 2023 4:25 pm
Forum: Announcements
Topic: v7.12.1 [stable] is released!
Replies: 252
Views: 99065

Re: v7.12 [stable] is released!

my smol homenet works fine, but Im doin not DoH and BGP, OSPF stuff...

Screenshot 2023-11-10 152316.jpg
by Guscht
Fri Nov 10, 2023 9:25 am
Forum: Announcements
Topic: v7.12.1 [stable] is released!
Replies: 252
Views: 99065

Re: v7.12 [stable] is released!

7.12 not working with CCR2004-1G-12S+2XS and RJ45 SFP-GB-GE-T , very sad thing, you fix one thing and break another.

Yeah true, BUT never install a .0-version from MT in production ;)
They call it "stable" but in real words it's more a "public beta".
by Guscht
Sun Oct 08, 2023 1:12 pm
Forum: Announcements
Topic: v7.12rc is released!
Replies: 225
Views: 95735

Re: v7.12rc is released!

Please explain this, Mikrotik: !) ethernet - changed "advertise" and "speed" arguments, and removed "half-duplex" setting under "/interface ethernet" menu; I read this, you remove half-duplex capabilities?! And if yes, WHY on earth do you do this? AFAIK HDX is...
by Guscht
Fri Sep 29, 2023 1:36 pm
Forum: Beginner Basics
Topic: Is client isolation worth it? How much does it increase security?
Replies: 3
Views: 1322

Re: Is client isolation worth it? How much does it increase security?

I have never seen "Private VLAN" in any organisation.
by Guscht
Sun Sep 17, 2023 6:03 pm
Forum: General
Topic: Mikrotik SUCKS
Replies: 89
Views: 15765

Re: Mikrotik SUCKS

I can understand the TO, I have spent more than 15 years with Mikrotik. And the first years gave me a permanent mix of frustration and depression. But at some point I was able to understand (at least a tiny bit) of the sense behind it. It's hard, really, but it's worth, not because of MT, but because ...
by Guscht
Sat Sep 16, 2023 3:18 pm
Forum: SwOS
Topic: CSS 610 swOS Lite VLAN Translation
Replies: 3
Views: 3067

Re: CSS 610 swOS Lite VLAN Translation

You can always do the "manual" way, configure one port untagged egressing with old VLAN and another port untagged ingressing (PVID) with the new VLAN. Connect with a patch-cable both ports.
by Guscht
Sun Sep 10, 2023 10:30 am
Forum: Scripting
Topic: Traffic-Generator not stopping
Replies: 1
Views: 1801

Traffic-Generator not stopping

How to stop?

Script:
/tool traffic-generator quick stream=UDP1,UDP2,UDP3 pps=1
:delay 1s
/quit
The "quit" is not executed :(

Same with:
/tool traffic-generator quick stream=UDP1,UDP2,UDP3 pps=1
:delay 1s
/tool traffic-generator stop
by Guscht
Sat Sep 09, 2023 10:18 pm
Forum: General
Topic: Port-Knocking initiated by ROS
Replies: 2
Views: 962

Port-Knocking initiated by ROS

Hi, I built a small travel-router which connects to my home-router via multiple VPNs. Works great! But I don't know the public (source) IPs of the Hotels I am in. So, I could create random-ports for the VPNs (and hope no bad guy is doing a full port-scan) or I could use my (already implemented and wo...
by Guscht
Wed Sep 06, 2023 7:31 pm
Forum: General
Topic: Bridge Ethernet1 Port can set 2 pvid
Replies: 6
Views: 1385

Re: Bridge Ethernet1 Port can set 2 pvid

You cannot have 2 PVIDs for a single port. The PVID classifies packets without VLAN-tag to the set VID. The IEEE 802.1q mentions a PPVID, but most vendors do not implement the PPVID concept. This would allow to define a single PVID + multiple PPVIDs (per protocol). But I have never seen that on MT ha...
by Guscht
Sat Sep 02, 2023 5:16 pm
Forum: Announcements
Topic: v7.11.2 [stable] is released!
Replies: 348
Views: 168790

Re: v7.11, 7.11.1 and more [stable] are released!

The first thing I heard in my MTCNA was "long-term is stable, stable is beta"! Unfortunately I have to say that's so 100% true. ROSv7 is sooooooooooooooo far away from a production-ready stable. It's like they fix 2 bugs and introduce 10 new bugs with each release. A real nasty thing is, the...
by Guscht
Fri Sep 01, 2023 7:55 pm
Forum: Announcements
Topic: v7.11.2 [stable] is released!
Replies: 348
Views: 168790

Re: v7.11, 7.11.1 and more [stable] are released!

Updated da smol homenet to 7.11.2, today as well "Little Butterfly" 🦋❤️ (I call the mAP-lite so) - no issues:

Screenshot 2023-09-01 185429.jpg
by Guscht
Thu Aug 31, 2023 11:15 pm
Forum: Announcements
Topic: v7.11.2 [stable] is released!
Replies: 348
Views: 168790

Re: v7.11 and 7.11.1 [stable] are released!

Da smol homenet was updated - no issues :)

Screenshot 2023-08-31 221451.jpg
by Guscht
Sat Aug 26, 2023 1:25 am
Forum: General
Topic: DHCP Option Set (Unify)
Replies: 1
Views: 2146

DHCP Option Set (Unify)

Hi, I'd like to implement to send the Voice-VLAN via DHCP to the Unify phones (OpenStage 40). This is described here: https://wiki.unify.com/images/e/e1/Administration_Manual_OpenStage_Asterisk.pdf Page 26 to 28. Example dhcpd.conf # General configuration for all clients in the subnet subnet 192...
by Guscht
Fri Aug 25, 2023 9:26 am
Forum: Beginner Basics
Topic: VLAN not working with hw=yes
Replies: 22
Views: 4043

Re: VLAN not working with hw=yes

Please use only and ever CRS3xx as switches! ROS is a ROUTING-OS, not a Switching-OS (their SWOS is unfortunately like a bad/old/buggy netgear OS). I have spent hours over hours over hours configuring RB and CRS1xx devices as switches (in ROS). After reading hundreds of posts and endless long wiki/h...
by Guscht
Tue Aug 22, 2023 4:06 pm
Forum: General
Topic: RFC8910 Captive Portal
Replies: 20
Views: 6902

Re: RFC8910 Captive Portal

Well Normunds, that's a bit vague: [...]or manually add/edit the api.json file to have the above contents, for Hotspot detection to work. Where do I have to place the file? Anywhere, a special location or folder? Which filename is used? Which DHCP-Option "a special DHCP option will be sent"...
by Guscht
Tue Aug 22, 2023 3:57 pm
Forum: Beginner Basics
Topic: Cross VLAN Multicast / PIM Config
Replies: 30
Views: 8869

Re: Cross VLAN Multicast / PIM Config

PIM is non-functional on RouterOS v7.
Is this still the case? I did a lot PIM-routing stuff around 2018/2019 with ROSv6 and it worked really good.
Can't believe they still weren't able to fix an already good working (in v6) feature...
by Guscht
Tue Aug 22, 2023 3:46 pm
Forum: Beginner Basics
Topic: Configuring VLANs and Routing on CRS317, CRS106 and CRS260GS - Technical Support [SOLVED]
Replies: 4
Views: 2362

Re: Configuring VLANs and Routing on CRS317, CRS106 and CRS260GS - Technical Support [SOLVED]

Yes, possible, I'd use the CRS317 and run it with ROS. Do it as described here: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#VLAN_Example_#3_(InterVLAN_Routing_by_Bridge) BTW: 192.0.1.0/24 is NO RFC1918 compliant private network. I think you maybe meant 192.168.1.0/24 192.168.4.200/24 will...
by Guscht
Sun Aug 20, 2023 2:23 pm
Forum: General
Topic: IPSEC NETWORK NAT
Replies: 2
Views: 1189

Re: IPSEC NETWORK NAT

everything that comes from 10.10.10.10 and goes to 192.168.35.10 translate it to 192.168.1.10
That's a simple DNAT-rule.

Source IP: 10.10.10.10
Destination IP: 192.168.30.10
Action: 192.168.1.10
by Guscht
Fri Aug 18, 2023 7:56 pm
Forum: Announcements
Topic: v7.12beta [testing] is released!
Replies: 263
Views: 128158

Re: v7.12beta [testing] is released!

*) firewall - added "ein-snat" and "ein-dnat" connection NAT state matchers for filter and mangle rules; @Mikrotik, will be there a dedicated Flag in the Connection-Tracking for EIN-Flows too? At the moment I see for the outgoing flow(s) Cs and for incoming flow(s) Cd . If there...
by Guscht
Thu Aug 17, 2023 9:26 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 44511

Re: FEATURE REQUEST: full cone NAT

I tested now with "Packet Sender" and Wireshark. I can conclude it works that way (using the two rules provided in the MT-Help): If I send a UDP packet (from my LAN) to a random IP on the WAN, like 8.8.8.8:12345 the Source-Port of this packet (eg. a random Highport like 54321) is now open ...
by Guscht
Thu Aug 17, 2023 5:37 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 44511

Re: FEATURE REQUEST: full cone NAT

I see "Full Cone" even if I have no EIN rules created (also with a ROS v6 tested too), if pressing the button twice within a few seconds.
Which leads me to a point, that this software is maybe not as good?!
by Guscht
Wed Aug 16, 2023 2:52 pm
Forum: Announcements
Topic: v7.11.2 [stable] is released!
Replies: 348
Views: 168790

Re: v7.11 [stable] is released!

*) bridge - prevent bridging the VLAN interface created on the same bridge;
Even after reading this a few times, I don't know what this means?
by Guscht
Tue Aug 15, 2023 9:06 pm
Forum: Announcements
Topic: v7.11.2 [stable] is released!
Replies: 348
Views: 168790

Re: v7.11 [stable] is released!

Very nice upgrade, *) netwatch - added "src-address" property; Please add the option to be able the ping IP for failover in route. example: check gateway ping 1.1.1.1 that would help +1 this would solve the whole brainfck with the recursive route lookup target-scope-with-undocumented-incr...
by Guscht
Tue Aug 15, 2023 7:55 pm
Forum: Announcements
Topic: v7.11.2 [stable] is released!
Replies: 348
Views: 168790

Re: v7.11 [stable] is released!

Just da smol home-network:

smol-net-1.jpg
Found no issues.
by Guscht
Sun Aug 13, 2023 8:35 pm
Forum: Beginner Basics
Topic: Multi WAN Recursive route issue with VPNs
Replies: 4
Views: 1276

Re: Multi WAN Recursive route issue with VPNs

You give no real details, are the VPN seen as to the Router to does the Router connect to some other server? It's hard to build your network (given by the less details and a config-file) in the imagination. So, my only advice is, exclude all VPN-traffic from LB or force all VPN-traffic to some dedica...
by Guscht
Thu Jun 29, 2023 1:37 am
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 44511

Re: FEATURE REQUEST: full cone NAT

@Mikrotik: Could you please describe IN DETAIL how the EIM-Implementation works? I wonder how: - For outgoing connections, always the same SOURCE PORT is used for the same internal IP:Port-combination to an external host? Or I am wrong? - What if 2 (or more) internal hosts connect to the same externa...
by Guscht
Sun Jun 04, 2023 7:40 pm
Forum: Announcements
Topic: v7.9.2 [stable] is released!
Replies: 72
Views: 27062

Re: v7.9.2 [stable] is released!

Strangest release I have ever seen, just to fix something on the RB4011.
Normally all they say is "downgrade or wait"... never seen such an "intermediate" release...
by Guscht
Wed May 31, 2023 12:42 pm
Forum: General
Topic: Custom Chains - Forward or Input?
Replies: 2
Views: 452

Custom Chains - Forward or Input?

Hi,

as the title says, are custom chains considered as forward or input chains?
Or how is it determined?

Thanks
by Guscht
Tue May 30, 2023 5:25 pm
Forum: Announcements
Topic: v7.10rc is released!
Replies: 183
Views: 55419

Re: v7.10rc is released!

Ask that in the topic about "Full-Cone NAT"... those people seem to have a use for it.
I remember that topic, this was a very specific use-case.
I was unaware that "Full-Cone" is a synonym for "endpoint-independent-nat"...
by Guscht
Tue May 30, 2023 12:13 am
Forum: Announcements
Topic: v7.10rc is released!
Replies: 183
Views: 55419

Re: v7.10rc is released!

Hi, what is the gain of the new "endpoint-independent-nat" from the practical point of view? And does "endpoint-independent-nat" means mapping or filtering?! I know the definition of the mappings: Endpoint-independent mapping: The NAT uses the same IP address and port mapping ...
by Guscht
Mon May 22, 2023 7:49 pm
Forum: Announcements
Topic: v7.9.1 [stable] is released!
Replies: 59
Views: 19090

Re: v7.9.1 [stable] is released!

workx

Screenshot 2023-05-22 184826.jpg
by Guscht
Sat May 06, 2023 11:21 pm
Forum: RouterOS beta
Topic: Update Timezone Iran
Replies: 7
Views: 2753

Re: Update Timezone Iran

write such stuff to support@mikrotik.com
by Guscht
Wed May 03, 2023 12:08 am
Forum: Wireless Networking
Topic: WifiWave2 - questions
Replies: 1
Views: 1087

WifiWave2 - questions

Hi, a few questions regarding Wifiwave2 I couldn't figure out. I run a few cAPac as default-installed CAPs with a default-CAPSMAN. Now I want to replace the cAPac step-by-step with cAPax. My CAPSMAN runs on a CCR2004 with ARM64. This sentence is not clear to me: Builds for x86, ppc, mmips and tile ar...
by Guscht
Tue May 02, 2023 6:24 pm
Forum: Announcements
Topic: v7.9 [stable] is released!
Replies: 242
Views: 56808

Re: v7.9 [stable] is released!

simply works :)

Screenshot 2023-05-02 172026.jpg
by Guscht
Sun Apr 30, 2023 7:00 pm
Forum: Beginner Basics
Topic: Firewall Mangle: mark conn/routing not working as expected [SOLVED]
Replies: 13
Views: 1778

Re: Firewall Mangle: mark conn/routing not working as expected [SOLVED]

Normally you use both, prerouting (for everything the router routes) and output for traffic the router itself produces. With 2 rules (prerouting and output) you catch everything. If you want to route traffic from the router itself (eg. DNS requests from the routers DNS-Client) you would need the out...
by Guscht
Sun Apr 30, 2023 6:27 pm
Forum: Beginner Basics
Topic: Firewall Mangle: mark conn/routing not working as expected [SOLVED]
Replies: 13
Views: 1778

Re: Firewall Mangle: mark conn/routing not working as expected [SOLVED]

Move the 2nd rule in your 3rd code-snippet to the prerouting-chain.

The output-chain is for traffic the router itself produces. You can't conn-mark in prerouting and route-mark this in the output-chain. There is simply nothing which will match, which correlates with your observation :D
by Guscht
Sun Apr 30, 2023 6:19 pm
Forum: Beginner Basics
Topic: Firewall Mangle: mark conn/routing not working as expected [SOLVED]
Replies: 13
Views: 1778

Re: Firewall Mangle: mark conn/routing not working as expected [SOLVED]

If the counter doesn't increase, simply nothing matches against your rule.

But why do you first the routing-mark and then the connection-mark?
I'd set it up, match the connection and then use the connection-mark as a matcher for the routing mark.
by Guscht
Sun Apr 30, 2023 6:01 pm
Forum: Beginner Basics
Topic: Endpoint-Independent NAT when applying Hairpin NAT
Replies: 16
Views: 2277

Re: Endpoint-Independent NAT when applying Hairpin NAT

You wrote a lot but missed important information! Simple solution, put the device (your HUNAHUNA-stuff) in another VLAN - problem solved, because client and server are in different VLANs. More Complex solution: chain=dstnat action=dst-nat to-addresses=192.168.1.122 to-ports=38888 protocol=tcp dst-a...
by Guscht
Sun Apr 30, 2023 11:45 am
Forum: General
Topic: NAT rules to and from
Replies: 2
Views: 380

Re: NAT rules to and from

I tested this in my lab and it worked as (you) expected.
Maybe your "general" SNAT rule is simply above your custom-SNAT-rules?
by Guscht
Thu Apr 27, 2023 1:30 pm
Forum: Beginner Basics
Topic: travel router
Replies: 20
Views: 8506

Re: travel router

Is this limitation (master = ap bridge) not running solved? I tried to configure a travel router and in default config (no default configuration), the slave connects without the master running: Screenshot 2023-04-27 121650.jpg In this setup I can connect via my phone to the wlan1 (ap bridge) interfa...
by Guscht
Wed Apr 05, 2023 9:44 pm
Forum: Announcements
Topic: Newsletter #112 | April 2023
Replies: 66
Views: 12693

Re: Newsletter #112 | April 2023

Oh come on, the worldwide "USB port-shortage" hits us :/ Mikrotik, oh Mikrotik, Your CCR2004-16G-2S+ now ships without the USB port trick. USB ports are scarce as they can be, But that doesn't stop you, still a king in the industry. The world may be without enough USB ports, But your route...
by Guscht
Wed Mar 22, 2023 12:12 am
Forum: General
Topic: CRS112-8P-4S with Packet Sniffer
Replies: 1
Views: 337

CRS112-8P-4S with Packet Sniffer

Hi, is it possible to use the Packet Sniffer with an CRS112-8P-4S? I receive no traffic, I assume I have to deselect "Hardware Offloading" under Bridge -> Ports. But by doing this, the switch stops switching between the - now - Hardware Offloaded deselected ports. I will receive a few fra...
by Guscht
Wed Mar 01, 2023 7:02 pm
Forum: General
Topic: E-Mail / STARTTLS option not there?
Replies: 5
Views: 1250

Re: E-Mail / STARTTLS option not there?

Ok, now I am completely lost :D I want to configure through Winbox a connection via TLS - no STARTTLS-carp. Which options is this? For my understanding, Winbox says "Start TLS" (which is ambiguous, does "Start TLS" refer to STARTTLS or Start [implicit] TLS): yes = do the STARTTLS-...
by Guscht
Wed Mar 01, 2023 1:48 pm
Forum: General
Topic: E-Mail / STARTTLS option not there?
Replies: 5
Views: 1250

E-Mail / STARTTLS option not there?

Hi, in the Wiki is stated: tls (no|yes|starttls; Default: no) Whether to use TLS encryption: yes - sends STARTTLS and continue without TLS if a server responds that TLS is not available; no - do not send STARTTLS; starttls - sends STARTTLS and drops the session if TLS is not available on the server....
by Guscht
Mon Feb 27, 2023 7:25 pm
Forum: Announcements
Topic: v7.8 [stable] is released!
Replies: 425
Views: 143492

Re: v7.8 [stable] is released!

just my smooll home-network, no issues so far :) Screenshot 2023-02-27 182517.jpg Chat-GPT did this for you <3 Oh Mikrotik, we sing your praise For the gift of ROS v7.8 released today Your routers and switches, they work so well With your firmware updates, they'll never fail Your powerful features a...
by Guscht
Sat Feb 18, 2023 11:38 pm
Forum: General
Topic: layer7 match failed, regexp too complex
Replies: 10
Views: 1571

layer7 match failed, regexp too complex

Hi, I implemented a L7 filter to drop all DNS AAAA-queries (since I dont use IPv6 and they are about 1/4 of all DNS traffic). The Regex is: ^.?.?.?.?.?.?.?.?.?.?.?.?([\x01-\?][a-z0-9\-_]+)+\.?\x1c\.?\x01 It seems this is too complex for ROS, the log says in blue: layer7 match failed, regexp too comp...
by Guscht
Thu Feb 16, 2023 10:26 pm
Forum: RouterOS beta
Topic: IDS / IPS Package
Replies: 4
Views: 18724

Re: IDS / IPS Package

AFAIK you can use a transparent IDS/IPS. E.g. put a Sonicwall in as a "transparent" Layer2-Bridge in front of the Mikrotik. Like: WAN <-> Sonicwall <-> Mikrotik <-> LAN https://www.sonicwall.com/support/knowledge-base/comparison-of-l2-bridge-mode-to-transparent-mode/170504277832289/ But I ...
by Guscht
Tue Feb 14, 2023 10:20 am
Forum: RouterOS beta
Topic: FEATURE REQUEST: full cone NAT
Replies: 293
Views: 44511

Re: FEATURE REQUEST: full cone NAT

I want to understand what is the difference between MT's NAT implementation and the "Full Cone" implementation? From here: https://www.networkacademy.io/ccie-enterprise/sdwan/tlocs-and-nat A full-cone is one where all packets from the same internal IP address are mapped to the same NAT IP addre...
by Guscht
Mon Feb 13, 2023 11:50 pm
Forum: General
Topic: DHCP "Last seen" based on what?
Replies: 2
Views: 468

Re: DHCP "Last seen" based on what?

Thanks!
by Guscht
Mon Feb 13, 2023 4:53 pm
Forum: General
Topic: DHCP "Last seen" based on what?
Replies: 2
Views: 468

DHCP "Last seen" based on what?

Hi,

does anybody know on what kind of event the DHCP "Last seen" value is triggered?
Any packet from that IP which traverses the router or only DHCP-related packets?

Thanks
by Guscht
Tue Jan 24, 2023 3:17 pm
Forum: Announcements
Topic: v7.8beta [testing] is released!
Replies: 307
Views: 78971

Re: v7.8beta [testing] is released!

We get things like a disk manager, instead of some long awaited fixes in the basic functionality of a router.

That is a development I don't really like. There are TONS of bugs in basic stuff and they come up with docker and some kind of storage manager.
by Guscht
Mon Jan 23, 2023 7:21 pm
Forum: Wireless Networking
Topic: CAPsMAN - Access-List -> Accept = Override Authentication?
Replies: 0
Views: 530

CAPsMAN - Access-List -> Accept = Override Authentication?

Hi, if I specify a MAC-Address in the Access-List with Action=Accept, will this override the WPA2-Authentication and a Client can connect without further authentication (only with the MAC specified)? I found nothing clear in the documentation, but if that's true, I assume this is a big security r...
by Guscht
Thu Jan 19, 2023 8:35 pm
Forum: Wireless Networking
Topic: VLAN-Filtering enabled + use-tag -> no connection
Replies: 2
Views: 698

VLAN-Filtering enabled + use-tag -> no connection

Hi, I tried with ROS 7.7 to create multiple SSIDs, separated with VLANs as described here: https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless Here is stated: Note: It is important to set wlan1,wlan2 vlan-mode to "use-tag". And: /interface bridge add fast-forward=no name=bridge1 vlan-fi...
by Guscht
Tue Jan 17, 2023 7:23 pm
Forum: RouterOS beta
Topic: Anyone else missing POE on v7.7? [SOLVED]
Replies: 3
Views: 7279

Re: Anyone else missing POE on v7.7? [SOLVED]

PoE is there
Screenshot 2023-01-17 182227.jpg
by Guscht
Mon Jan 16, 2023 7:59 pm
Forum: General
Topic: Ping: Router from different VLAN -> drop
Replies: 3
Views: 635

Re: Ping: Router from different VLAN -> drop

because I find such rules unnecessary cosmetics

I agree with you! Unfortunately we use other routing-vendors too and they behave this way (and they can't be changed).
So we prefer a consistent behaviour throughout all vendor-hardware.
by Guscht
Mon Jan 16, 2023 11:27 am
Forum: General
Topic: Ping: Router from different VLAN -> drop
Replies: 3
Views: 635

Ping: Router from different VLAN -> drop

Hi, is it possible to restrict pings to the router, so that only the interface responds to which the client belongs? Example: Router: VLAN1: 192.168.1.1/24 VLAN2: 192.168.2.1/24 A client from VLAN1 should not be able to ping 192.168.2.1 (VLAN2-Interface). How can I achieve this in a setup with...
by Guscht
Thu Jan 12, 2023 8:55 pm
Forum: Announcements
Topic: v7.7 [stable] is released!
Replies: 357
Views: 116593

Re: v7.7 [stable] is released!

Works:
Screenshot 2023-01-12 174409.jpg
by Guscht
Sun Jan 08, 2023 11:48 pm
Forum: General
Topic: Assumptions about NAT correct?
Replies: 4
Views: 559

Re: Assumptions about NAT correct?

Thank you sindy!
Sometimes it's hard to find a confirmation for the assumptions which arise to some topic... And a lot of wiki/help/man-pages left a lot of room for interpretation.
by Guscht
Sun Jan 08, 2023 6:45 pm
Forum: General
Topic: Assumptions about NAT correct?
Replies: 4
Views: 559

Assumptions about NAT correct?

Hi, played today with NAT. Are my assumptions correct: - NAT-Rules match only against connection-state New packets? That's maybe the reason there is no connection-state matcher within NAT-rules? - user-defined NAT-Rules are applied only on the initial way to the destination, not on the returning packe...
by Guscht
Fri Jan 06, 2023 5:22 pm
Forum: General
Topic: how does L3HW actually works?
Replies: 128
Views: 34299

Re: how does L3HW actually works?

A question which is still not clarified for me.
We need IP/Firewall/Filter, NAT, Mangle, RAW + Bridge/Filter, NAT + Simple Queues. I assume from what I have read so far, L3 HW-Offload is not achievable with these needs?
by Guscht
Tue Jan 03, 2023 9:15 pm
Forum: General
Topic: "mimic" ARP-Publish as local-proxy-arp?
Replies: 0
Views: 339

"mimic" ARP-Publish as local-proxy-arp?

Hi, is there a way to get the ARP-Publish feature (which works like a selective Proxy-ARP) to work in the local subnet? In other words, is there a way the router responds to an ARP-request for a specific IP in the same subnet. Example: Router: 192.168.0.1/24 Client: 192.168.0.11/24 ARP-Request: 192....
by Guscht
Tue Jan 03, 2023 8:25 pm
Forum: Wireless Networking
Topic: Seamless roaming
Replies: 13
Views: 6686

Re: Seamless roaming

We use another vendor which supports r/k/v but we had to disable this whole "seamless" stuff, because a lot of end-devices were unable to connect. In my opinion, don't use it, it sounds good, but only in a 100% controlled environment, like a company network where only tested devices are connected ...
by Guscht
Fri Dec 30, 2022 8:51 pm
Forum: Beginner Basics
Topic: Mikrotik port isolation [SOLVED]
Replies: 2
Views: 971

Re: Mikrotik port isolation [SOLVED]

I'd recommend to create a DMZ with VLANs. So you can connect to a device in the DMZ and the answer coming from the DMZ to the LAN (belonging to the LAN to DMZ connection) is allowed. But no new connection from the DMZ to the LAN is allowed.
by Guscht
Thu Dec 29, 2022 10:53 pm
Forum: General
Topic: Documentation site down?
Replies: 1
Views: 362

Re: Documentation site down?

yes its down, maybe Swamptaclause pulled the plug :lol:
by Guscht
Thu Dec 29, 2022 4:40 pm
Forum: General
Topic: Flat Topology / Broadcasts leak to WAN (PPPoE)
Replies: 14
Views: 1156

Re: Flat Topology / Broadcasts leak to WAN (PPPoE)

So I still think you misled us. From the technical perspective it doesn't matter, a VLAN or a LAN. Both are a single Layer2-Broadcast domains. But you are right, my drawing is in this way misleading (a bit ;) ) @sindy, that's exactly the point! 🙏🙏 From your answer I assume L2-Broadcasts are being for...
by Guscht
Thu Dec 29, 2022 1:53 pm
Forum: General
Topic: Flat Topology / Broadcasts leak to WAN (PPPoE)
Replies: 14
Views: 1156

Re: Flat Topology / Broadcasts leak to WAN (PPPoE)

And, BTW, having VLANs ... your topology is far from "flat", so the title of this thread misleads us :wink: You missed this part :) : VLAN2 = the "home-network" VLAN2 is not a special "WAN-transfer-VLAN". Everything is in this VLAN, printer, PCs, Laptops... and the DSL...
by Guscht
Thu Dec 29, 2022 1:34 pm
Forum: General
Topic: Flat Topology / Broadcasts leak to WAN (PPPoE)
Replies: 14
Views: 1156

Re: Flat Topology / Broadcasts leak to WAN (PPPoE)

I meant such a topology, the Router (PPPoE-Client) is not in the same room where the DSL-Modem is located: Zeichnung1.jpg VLAN2 = the "home-network" Will Layer2-Broadcasts "leak" via the Modem to the ISP? Remember these Broadcasts are normal stuff (like ARP...) without a PPP-Header...
by Guscht
Wed Dec 28, 2022 11:59 pm
Forum: General
Topic: Flat Topology / Broadcasts leak to WAN (PPPoE)
Replies: 14
Views: 1156

Flat Topology / Broadcasts leak to WAN (PPPoE)

Hi, I am thinking about the following situation. In a flat topology (no VLANs, a simple home-network), will LAN-Broadcasts (and Multicasts/Unknown Unicasts) "leak" to the WAN if the client is connected via PPPoE? I think they will, because the regular PPPoE/PADI is a L2-Broadcast too and w...
by Guscht
Wed Dec 28, 2022 2:45 am
Forum: Beginner Basics
Topic: VLAN Configuration without Bridge
Replies: 3
Views: 1856

Re: VLAN Configuration without Bridge

AFAIK, the "single bridge method" is the preferred way of setting up VLANs with ROS. For simpler settings, you can create a VLAN-interface and "bind" this to a physical interface. Via this interface you can communicate ingress/egress with this VLAN-Tag. But you are not able to d...
by Guscht
Thu Dec 22, 2022 10:18 am
Forum: General
Topic: NO WAY?! AI writes Mikrotik-Scripts...
Replies: 23
Views: 3716

Re: NO WAY?! AI writes Mikrotik-Scripts...

Who is that idiot who fed bad data or badly programmed the AI? Just for example: /interface wireless set [ find default-name=wlan1 ] mode= ap-hotspot I scolded AI: It looks like the issue you are experiencing is that the "mode" property of the wireless interface is set to "ap-hotspot...
by Guscht
Thu Dec 22, 2022 10:12 am
Forum: General
Topic: NO WAY?! AI writes Mikrotik-Scripts...
Replies: 23
Views: 3716

Re: NO WAY?! AI writes Mikrotik-Scripts...

I think you have "extended" someones lifespan, and the cat remains with 9 lives. May AI leave us alone a bit longer. For you, what the AI says: To our dear anav, We are pleased to present you with this MTUNA certificate in recognition of your dedication and contributions to the Mikrotik-F...
by Guscht
Thu Dec 22, 2022 10:06 am
Forum: General
Topic: NO WAY?! AI writes Mikrotik-Scripts...
Replies: 23
Views: 3716

Re: NO WAY?! AI writes Mikrotik-Scripts...

AI? Say: "write a mikrotik-script to convert IPv4 address to binary value"... # Set the IPv4 address to be converted :local ipv4Address "192.168.0.1" # Split the IPv4 address into its octets :local octets [:toarray $ipv4Address] # Initialize the binary string :local binaryString...
by Guscht
Wed Dec 21, 2022 11:28 pm
Forum: General
Topic: NO WAY?! AI writes Mikrotik-Scripts...
Replies: 23
Views: 3716

NO WAY?! AI writes Mikrotik-Scripts...

Thats new to me... I said: wirte a fancy mikrotik-script, so i can impress the guys in the mikrtoik-forum! AI said: Sure, here's a fancy script that demonstrates some advanced features of MikroTik RouterOS scripting: It came up with this stuff :lol: :lol: :lol: :lol: (dont know if it works) # This s...
by Guscht
Mon Dec 19, 2022 8:50 pm
Forum: Wireless Networking
Topic: 20 floors hotel WiFi scenario
Replies: 18
Views: 2588

Re: 20 floors hotel WiFi scenario

I have realized WiFI-Setups up to 2500 End-Devices. This seems not problematic, a CCR1036/1072, a Captive Portal (like MT's built-in or another vendor, like HSNM), a well structured building wiring with switches on each floor, a good internet-connection and you are good to go. But I don't like your &q...
by Guscht
Thu Dec 15, 2022 1:16 pm
Forum: General
Topic: Mikrotik, clould you please...
Replies: 1
Views: 443

Mikrotik, clould you please...

... create a new CRS with the following specs: 8-10 RJ45 1GBit-Ports 4 SFP-Cages with at least 2 of them SFP+ (10GBit) PoE af/at Out on all RJ45-Ports fanless Desk-Housing ROS So to say a new version of the CRS112-8P-4S-IN with at least 2 SFP+ (10GBit) ports - and please as CRS 3 xx - the CRS1xx are...
by Guscht
Mon Nov 28, 2022 9:28 pm
Forum: Beginner Basics
Topic: DNS not resolving domain names
Replies: 11
Views: 12447

Re: DNS not resolving domain names

IMO there is ZERO need for VLAN with routers, especially not in home environment as well not in a corporate LAN. VLAN might be maybe good for carriers, ie. ISPs with L2 switches only... VLANs are an integral, fundamental component of any network, in which a segregation between layer2 domains is nec...
by Guscht
Fri Nov 25, 2022 10:57 pm
Forum: Beginner Basics
Topic: Force all devices to use local Adguard DNS
Replies: 23
Views: 11435

Re: Force all devices to use local Adguard DNS

Not the way I see it. It's OK, you see it wrong, but "a man's mind is his kingdom". For all others, that's exactly the behaviour without a SNAT rule: Screenshot 2022-11-25 215211.jpg Outbound: 10.88.10.1 -> 8.8.8.8 Inbound: 10.88.30.21 -> 10.88.10.1 The answer from 10.88.30.21 is invalid, bec...
by Guscht
Fri Nov 25, 2022 7:19 pm
Forum: Beginner Basics
Topic: Force all devices to use local Adguard DNS
Replies: 23
Views: 11435

Re: Force all devices to use local Adguard DNS

I disagree, one only needs the dst-nat rules, what IS NEEDED that should be noted is firewall forward chain rules. Assuming the client tries to contact 8.8.8.8, the DNAT-rule catches the frame and forwards it to 192.168.10.4. The DNS-server will process the request and ... what will happen, my dear...
by Guscht
Fri Nov 25, 2022 2:25 pm
Forum: Beginner Basics
Topic: Force all devices to use local Adguard DNS
Replies: 23
Views: 11435

Re: Force all devices to use local Adguard DNS

[...]there should be no need for your extra sourcenat rules!
Without the SNAT-rules, the whole concept won't work (assuming the DNS-Server is in the same (V)LAN as the DNS-Client)!!
by Guscht
Fri Nov 25, 2022 12:05 am
Forum: Beginner Basics
Topic: Can't access the internal network with SSTP VPN road-warrior connection
Replies: 8
Views: 2381

Re: Can't access the internal network with SSTP VPN road-warrior connection

Have you set the routes to the internal-network in the end-device (to go via the VPN)? In the VPN client/operating system of the end device, you have to enter the network prefixes of the company network that should be routed via the VPN. Or you just create a default route, then everything goes, including Internet tra...
by Guscht
Wed Nov 23, 2022 2:42 pm
Forum: Beginner Basics
Topic: Force all devices to use local Adguard DNS
Replies: 23
Views: 11435

Re: Force all devices to use local Adguard DNS

Seems 100% correct to me!

The only thinkable way they are not using the rules (are the counters going up?) is, they are not using this router for DNS. At least not for DPort 53 (do they use some DoH stuff)?
by Guscht
Wed Nov 23, 2022 2:20 pm
Forum: Beginner Basics
Topic: WireGuard Router not all Websites Work
Replies: 9
Views: 2958

Re: WireGuard Router not all Websites Work

Try adding: /interface bridge add ... mtu=1500 to your bridges and see if it works. Reducing the MTU too much results in fragmented packets. Each part of the connection has to know it has to send smaller packets, that's signalled via ICMP. If ICMP is somewhere blocked/dropped, at least one side of th...
by Guscht
Wed Nov 23, 2022 1:49 pm
Forum: Beginner Basics
Topic: WireGuard Router not all Websites Work
Replies: 9
Views: 2958

Re: WireGuard Router not all Websites Work

It sounds to me like an MTU issue. This random "this website works, this not..." is typical for that kind of error.
by Guscht
Sun Nov 13, 2022 6:14 pm
Forum: General
Topic: DNAT Redirect-Rule / Source-IP
Replies: 2
Views: 411

DNAT Redirect-Rule / Source-IP

Hi, I played a bit with the "redirect" rule. If I configure a redirect rule for DNS and shoot from a Windows-PC a nslookup abc.om 8.8.8.8 I see a correct answer coming from 8.8.8.8 (it comes from the MT, not from Google-DNS). The source IP is 8.8.8.8 but it comes from the MT, so a source-NA...
by Guscht
Sat Nov 05, 2022 12:41 am
Forum: Announcements
Topic: v7.7beta [testing] is released!
Replies: 322
Views: 126671

Re: v7.7beta [testing] is released!

We now are in the situation where many routers cannot be upgraded from v6 to v7 and that is not good, neither for the customer nor for MikroTik. Why would you want to update an in-production router to V7? V6 is perfectly stable, there is absolutely no reason to do this step. V7 is still a (more or ...
by Guscht
Tue Oct 18, 2022 7:08 pm
Forum: RouterOS beta
Topic: 802.1AE MACsec Progress or Examples ?
Replies: 46
Views: 20487

Re: 802.1AE MACsec Progress or Examples ?

Any examples how this works with VLAN-Interfaces and Bonding-Interfaces? Let's say we have a Bonding eth1+eth2 as LAG0 and a 100 VLANs. Is all we have to create 2 MACsec Interfaces (eth1 and eth2) and that's it? Or do we have it the cascading way: create MACsec-Interfaces -> create the Bond with the MAC...
by Guscht
Tue Oct 18, 2022 6:52 pm
Forum: Announcements
Topic: v7.6 [stable] is released!
Replies: 279
Views: 144830

Re: v7.6 [stable] is released!

where can I find macsec settings in winbox?

A "tab" under Interfaces:
Screenshot 2022-10-18 175142.jpg
by Guscht
Tue Oct 18, 2022 4:58 pm
Forum: Announcements
Topic: v7.6 [stable] is released!
Replies: 279
Views: 144830

Re: v7.6 [stable] is released!

Those two changelog entries don't mention anything about WinBox, from which you provided the screenshots. Look for them in CLI. Normally, they write "CLI only" if so, and if not, its referred to Winbox and CLI?! So far is my understanding of their changelog-nomenclature. Like in: *) dns -...
by Guscht
Tue Oct 18, 2022 4:44 pm
Forum: Announcements
Topic: v7.6 [stable] is released!
Replies: 279
Views: 144830

Re: v7.6 [stable] is released!

Findings: *) ethernet - added "5Gbps" option for speed setting; NOPE: Screenshot 2022-10-18 153547.jpg -------------------- *) l3hw - added "l3hw-settings" sub menu under the switch menu; NOPE again: Screenshot 2022-10-18 154011.jpg -------------------- *) sfp - improved QSFP/SFP...
by Guscht
Tue Oct 18, 2022 2:22 pm
Forum: Announcements
Topic: v7.6 [stable] is released!
Replies: 279
Views: 144830

Re: v7.6 [stable] is released!

So far, no issues with 7.6:
Screenshot 2022-10-18 132051.jpg
by Guscht
Thu Oct 13, 2022 11:28 pm
Forum: General
Topic: "diag network-path" tool in MT?
Replies: 1
Views: 402

Re: "diag network-path" tool in MT?

OK, no one, which means such a tool is not available within ROS.
Then MT, see this as a feature request 😅
by Guscht
Thu Oct 13, 2022 11:25 pm
Forum: Announcements
Topic: v6.49.6 [stable] is released!
Replies: 56
Views: 86469

Re: v6.49.6 [stable] is released!

Works good on all our routers in the production networks.
But to be honest, it's a sad upgrade, no extra thread and not even the new NetWatch was implemented.

That's by far the saddest upgrade I have ever seen.
by Guscht
Thu Oct 13, 2022 2:12 pm
Forum: General
Topic: "diag network-path" tool in MT?
Replies: 1
Views: 402

"diag network-path" tool in MT?

Hi, is there a tool like the "diag network-path" available in Mikrotik? Example (other vendor): > diag network-path 1.2.3.4 1.2.3.4 is located on the X3 It is reached through the router at 192.168.0.5 It is reached through Ethernet address fe:01:00:00:00:01 A handy tool. How can I see this...
by Guscht
Tue Oct 11, 2022 3:25 pm
Forum: General
Topic: Woobm does not work with hexS
Replies: 5
Views: 1162

Re: Woobm does not work with hexS

Good point, the other RBs are not ROSv7.5!
by Guscht
Tue Oct 11, 2022 2:45 pm
Forum: General
Topic: Woobm does not work with hexS
Replies: 5
Views: 1162

Woobm does not work with hexS

Hi, I tested my Woobm with a bunch of hexS. Via PoE or direct power. The Woobm flashes in random order and shows up sometimes as AP, sometimes not. A successful connection was not possible. Reset was done -> no effect. The Woobm works with my other RBs as intended. Is there a problem with the combination...
by Guscht
Tue Oct 11, 2022 2:15 pm
Forum: RouterOS beta
Topic: mDNS repeater feature
Replies: 330
Views: 104907

Re: mDNS repeater feature

It does not say they have to ROUTE (IP-Routing at Layer3). IANA says: Multicast routers should not forward any multicast datagram with destination addresses in this range, regardless of its TTL. MT is a Multicast-Router, so MT will never FORWARD mDNS. This applies to "Proxy" or "Reflect...
by Guscht
Tue Oct 11, 2022 12:05 pm
Forum: RouterOS beta
Topic: mDNS repeater feature
Replies: 330
Views: 104907

Re: mDNS repeater feature

My 2 cents: Stop asking MT to do a non-RFC thing. MT will most likely not implement such a tool. MT as a router manufacturer will always obey RFCs, and your wish is to forward/reflect/proxy local frames. mDNS uses the following multicast address: 224.0.0.251 mDNS IPv4 Multicast Address Space Registry ...
by Guscht
Wed Oct 05, 2022 1:11 pm
Forum: General
Topic: urgent help
Replies: 49
Views: 13821

Re: urgent help

Run your VPN over an unblocked port, like 443. If they block 443, they have blocked almost everything. In such cases, use starlink. I assume they do not deep-packet-inspect the traffic from a whole country. Maybe China does such stuff, but not Iran. To wait for your requested feature is inappropriate...
by Guscht
Wed Oct 05, 2022 12:20 am
Forum: General
Topic: How handles ROS overbooked guaranteed speed (limt-at)?
Replies: 0
Views: 413

How handles ROS overbooked guaranteed speed (limt-at)?

Hi, does anybody know how ROS handles overbooked guaranteed speeds (limit-at) in Simple Queues? Example: - Parent Queue: 10/50M -- Child1: limit-at 10/50M -- Child2: limit-at 10/50M AFAIK both "childs" have now a guaranteed bandwidth of 50M download - 100M in total. But the parent and the p...
by Guscht
Mon Oct 03, 2022 11:43 pm
Forum: General
Topic: VRF vs Routing-Tables
Replies: 2
Views: 1274

VRF vs Routing-Tables

After watching: https://www.youtube.com/watch?v=-hdLsXd9OgE there are more questions than answers. Why is there something like a VRF? I see no real difference to Routing Tables? Can someone point out what are the differences? What are the benefits of VRF over Routing Tables? When not to use VRF? In ...
by Guscht
Tue Sep 06, 2022 11:55 pm
Forum: General
Topic: MSTP - Wiki confuses me
Replies: 0
Views: 454

MSTP - Wiki confuses me

Hi, I am trying now for 2 hours to understand the MSTP wiki: https://wiki.mikrotik.com/wiki/Manual:Spanning_Tree_Protocol Can somebody please explain the following: In this case for VLAN 10,20 to reach the third device from the first device it would choose between ether1 and ether2, one port will be ...
by Guscht
Tue Sep 06, 2022 4:01 pm
Forum: SwOS
Topic: IVL - Independent VLAN Lookup [SOLVED]
Replies: 22
Views: 10287

Re: IVL - Independent VLAN Lookup [SOLVED]

I would assume a IVL/SVL change would result in a complete flush of the FDB.
by Guscht
Tue Sep 06, 2022 3:35 pm
Forum: General
Topic: Question about VLAN in Ros [SOLVED]
Replies: 4
Views: 1207

Re: Question about VLAN in Ros [SOLVED]

If the ports are not bridged together, the ports are isolated by themselves. If you do NOT have the requirement to tag the frames with an IEEE802.1Q-tag (or if ingressing to understand tagged-frames), there is no need to create a VLAN-Interface. All you need is to block the inter-network communication by...
by Guscht
Sun Sep 04, 2022 2:14 am
Forum: Wireless Networking
Topic: if cAP loosing connection to CAPSMAN - they stop working
Replies: 10
Views: 2149

Re: if cAP loosing connection to CAPSMAN - they stop working

Either you use capsman and then this is the consequence. Or you do not use capsman. There is no option to keep the devices in operation, unlike every other vendor's WAPs? OK, that's a point, I would advise every customer against Mikrotik regarding WAPs. But on the other hand, that stuff is really CHE...
by Guscht
Fri Sep 02, 2022 7:44 pm
Forum: Wireless Networking
Topic: if cAP loosing connection to CAPSMAN - they stop working
Replies: 10
Views: 2149

if cAP loosing connection to CAPSMAN - they stop working

Hi, is there an option, which keeps my cAP's working, if they lose the connection to the CAPSMAN server for a short time? They are configured for a local breakout ("Local Forwarding"), they do NOT send everything to the CAPSMAN. But if they lose the connection to the CAPSMAN for a few secon...
by Guscht
Thu Sep 01, 2022 12:52 am
Forum: Announcements
Topic: v7.5 [stable] is released!
Replies: 219
Views: 71114

Re: v7.5 [stable] is released!

Without incident my homenetwork:
Screenshot 2022-08-31 235114.jpg
by Guscht
Sun Aug 28, 2022 3:03 pm
Forum: General
Topic: SIP-ALG / RTP-streams RELATED?
Replies: 3
Views: 1371

Re: SIP-ALG / RTP-streams RELATED?

I never bothered to check that because switching SIP helper off is one of the first settings I do on every new router. But you have to do then the DNAT stuff manually? UDP/TCP 5060, the RTP-Range...? I am using the SIP-ALG only in my homenetwork and it worked out of the box. I found it quite ni...
by Guscht
Sun Aug 28, 2022 12:35 pm
Forum: General
Topic: pptp client is connected but we cannot ping remote ip [SOLVED]
Replies: 8
Views: 2166

Re: pptp client is connected but we cannot ping remote ip [SOLVED]

we have a pptp server that has public ip address...
PPTP and public-IP - enough information, simply don't do this!!
Don't invest your time in such a "solution".
by Guscht
Sun Aug 28, 2022 12:24 pm
Forum: General
Topic: SIP-ALG / RTP-streams RELATED?
Replies: 3
Views: 1371

SIP-ALG / RTP-streams RELATED?

Hi, one question, if Mikrotik's SIP-ALG (SIP Helper) is enabled, I don't have to create a DNAT-Rule to open the RTP-Port-Range of my PBX. I assume: 1) the ALG will catch this information (RTP-Ports) from the SIP-packets and will create "hidden" DNAT-rules or 2) the RTP-streams are RELATED (...
by Guscht
Fri Aug 12, 2022 9:59 am
Forum: Beginner Basics
Topic: Is MikroTik a good start for a complete noob?
Replies: 10
Views: 2588

Re: Is MikroTik a good start for a complete noob?

Is MikroTik a good start for a complete noob? To answer this part, it depends! If you want to dive deep(!!) into networking, then yes - it's one of the best starting points. If you want a very flexible setup, without the constraints of most of the other vendors, then yes! But if you want a fast + eas...
by Guscht
Mon Aug 08, 2022 11:48 pm
Forum: Announcements
Topic: Re: v7.4.1 [stable] is released!
Replies: 99
Views: 33073

Re: v7.4.1 [stable] is released!

All updated from 7.4 without issues:

Zwischenablage01.jpg
by Guscht
Sun Aug 07, 2022 1:14 am
Forum: RouterBOARD hardware
Topic: Number of CPU cores on CRS3xx
Replies: 13
Views: 5782

Re: Number of CPU cores on CRS3xx

Interesting, same CPU (98DX3236) https://wifimag.ro/pdf/Prestera_98DX3336_pb.pdf
same ROS, different cores...

CRS326
326-1.jpg
326-2.jpg

CRS328
328-1.jpg
328-2.jpg
by Guscht
Sat Aug 06, 2022 1:36 pm
Forum: General
Topic: CRS328 / high CPU-Lod SPI
Replies: 7
Views: 1548

Re: CRS328 / high CPU-Lod SPI

The question is, what is SPI at first? MT does not clarify? https://wiki.mikrotik.com/wiki/Manual:Tools/Profiler Normally SPI stands for "Stateful Packet Inspection" but this device is configured as a simple switch, no NAT, no filter, no mangle... So SPI must be something different. Maybe...
by Guscht
Sat Aug 06, 2022 10:32 am
Forum: General
Topic: CRS328 / high CPU-Lod SPI
Replies: 7
Views: 1548

CRS328 / high CPU-Lod SPI

Hi,

does anyone know why the process "SPI" creates such a high CPU-Load? Sometimes it goes up to 100%
I have read this is LED related, but the CRS328 does not have a LED screen.

The config is 1:1 the same as on a replaced CRS326, this never showed SPI.

Zwischenablage01.jpg
by Guscht
Fri Aug 05, 2022 5:44 pm
Forum: General
Topic: Block MNDP via a Firewall-Rule
Replies: 3
Views: 731

Re: Block MNDP via a Firewall-Rule

My need is to block outgoing MNDP traffic via a Firewall-Rule. To be more specific, I want to drop all MNDP traffic except if a pre-defined IP-Network is the source IP of the frame. Only if an IP out of this net is the source IP of the MNDP-frame, it should pass. The MNDP-frame must be dropped if th...
by Guscht
Fri Aug 05, 2022 5:12 pm
Forum: General
Topic: Block MNDP via a Firewall-Rule
Replies: 3
Views: 731

Block MNDP via a Firewall-Rule

Hi, I want to block MNDP via a Firewall-Rule. The following does NOT work (for testing purposes action = passthrough): /interface bridge filter add action=passthrough chain=output dst-port=5678 ip-protocol=udp mac-protocol=ip nor /ip firewall filter add action=passthrough chain=output dst-port=5678 pr...
by Guscht
Fri Aug 05, 2022 4:24 pm
Forum: Wireless Networking
Topic: mAP lite / no connection when virtual
Replies: 5
Views: 1201

Re: mAP lite / no connection when virtual

Awesome, it works! :D

Sidenote, I tested with my homenetwork which has a hidden SSID. Connection-List does not apply to hidden-SSIDs.
by Guscht
Fri Aug 05, 2022 3:10 pm
Forum: Wireless Networking
Topic: mAP lite / no connection when virtual
Replies: 5
Views: 1201

Re: mAP lite / no connection when virtual

Interesting approach! I will check it.
by Guscht
Thu Aug 04, 2022 8:47 am
Forum: Wireless Networking
Topic: mAP lite / no connection when virtual
Replies: 5
Views: 1201

mAP lite / no connection when virtual

Hi, I am trying to do the following with my mAP, to create a simple extender, e.g. in hotel rooms: wlan1 = ap-bridge (for the management of the device) wlan2 (virtual) = station-pseudobridge (for connecting to the hotel-network as WLAN-client) wlan3 (virtual) = ap-bridge (for connecting my enddevice ...
by Guscht
Wed Jul 27, 2022 5:29 pm
Forum: Announcements
Topic: v7.5beta [testing] is released!
Replies: 138
Views: 48138

Re: v7.5beta [testing] is released!

*) dns - added "match-subdomain" option for static entries (CLI only); Please explain this function! Do I understand it correct w/o this, test.com will match only, but site1.test.com not. If I enable this all under "test.com" will match. Like: site1.test.com, site2.test.com. abc...
by Guscht
Mon Jul 25, 2022 10:14 pm
Forum: Announcements
Topic: WinBox v3.37 released!
Replies: 110
Views: 143822

Re: WinBox v3.37 released!

The built-in updater fails...
Screenshot 2022-07-25 211025.jpg
Screenshot 2022-07-25 211422.jpg
by Guscht
Fri Jul 22, 2022 8:07 am
Forum: Announcements
Topic: v7.4 [stable] is released!
Replies: 224
Views: 57281

Re: v7.4 [stable] is released!

Never had to do with that MPLS, BGP stuff. So, no clue what VPN4 is nor if it works.
by Guscht
Thu Jul 21, 2022 10:54 pm
Forum: Announcements
Topic: v7.4 [stable] is released!
Replies: 224
Views: 57281

Re: v7.4 [stable] is released!

Updated without incident the following router:

Screenshot 2022-07-21 215330.jpg
by Guscht
Thu Jun 09, 2022 7:19 pm
Forum: Beginner Basics
Topic: Is MikroTik good for home use?
Replies: 28
Views: 9012

Re: Is MikroTik good for home use?

It depends, but I'd say for 99% of all home users ROS is way too complex and will frustrate the end-user. For the classy home-setup without VLANs, DMZ, multi-WAN, multi-SSID, a cheapo 50 to 100 Euro router with a colourful and nice GUI is much better. Most of these devices provide much more than MT, li...
by Guscht
Thu Jun 09, 2022 3:23 pm
Forum: Announcements
Topic: v7.3 and v7.3.1 [stable] is released!
Replies: 269
Views: 83189

Re: v7.3 [stable] is released!

@MT, have you worked on the PIM-Routing? I see nothing in the changelog. In a random Wireshark-Scan, I see the IGMP-Querier is working (from the ROS7.3 device) and sending IGMP Membership Queries. This happened also with <=ROSv7.2.x but after a few minutes it totally hung up... Have not tested yet i...
by Guscht
Wed Jun 08, 2022 9:56 am
Forum: Announcements
Topic: v7.3 and v7.3.1 [stable] is released!
Replies: 269
Views: 83189

Re: v7.3 [stable] is released!

Two questions, *) dhcpv4-server - added "age" parameter for dynamic leases; What will I be able to do now that I was not able to before?? *) profile - added "wireguard" process classificator; Same what does this provide? "Age" shows me (in a quick test lab) the time ho...
by Guscht
Tue Jun 07, 2022 11:40 pm
Forum: Announcements
Topic: v7.3 and v7.3.1 [stable] is released!
Replies: 269
Views: 83189

Re: v7.3 [stable] is released!

Screenshot 2022-06-07 223630.jpg

One CRS326 hung up on the second boot (Firmware-boot). The LEDs were lit but no blinky-blinky. After a physical power-reset (unplug/plug), it came back.
So far no issues here, but that's my home network, no real fancy stuff configured.
by Guscht
Sun Jun 05, 2022 12:56 pm
Forum: General
Topic: Serial to USB - Problem
Replies: 5
Views: 1126

Serial to USB - Problem

Hi, I bought a Serial (RS232 to USB) cable: https://cdn.shopifycdn.net/s/files/1/0592/1521/6811/files/PL2303-Chipset-_-CD0477_CD0478_CD0479_CD0488_CD0489_CD0490_CD0491_CD0493_CD0739_CD0740_CD0741.pdf?v=1639401799 Under System -> Resources -> USB it shows up under Ports -> nothing. Screenshot 2022-06...
by Guscht
Tue May 31, 2022 12:01 am
Forum: Announcements
Topic: MikroTik Devices Controller
Replies: 353
Views: 246193

Re: MikroTik Devices Controller

I like the idea, but I use Ansible for such stuff already. And a note to MT: Why not solve unfinished things, like Queueing >4,3GBit is still not possible (because that's a limit for 32Bit). Why is PIM-Routing still broken up to this day in your "stable" V7? Why is the ROSv7 documentation...
by Guscht
Thu May 26, 2022 1:36 pm
Forum: Scripting
Topic: edit netwatch up-script
Replies: 3
Views: 861

Re: edit netwatch up-script

Thanks!
by Guscht
Thu May 26, 2022 12:20 pm
Forum: Scripting
Topic: edit netwatch up-script
Replies: 3
Views: 861

edit netwatch up-script

Hi,

I need to change (clear) the up-script of a Netwatch-Action by scheduler.

I tried this:
/tool netwatch edit [/tool netwatch find comment~"DNS1"] up-script=""

But this does not work:
expected end of command (line 1 column 70)
Any suggestions?
by Guscht
Sun May 08, 2022 8:37 pm
Forum: General
Topic: Connection State New vs. Invalid
Replies: 4
Views: 3933

Re: Connection State New vs. Invalid

That's interesting! Is this written somewhere? Even in the iptables manpage, it is described very vaguely. Your argumentation makes sense to me. I tried the following, Router pings 8.8.8.8, in the RAW/Output-Chain, I set ICMP to action=notrack. So the outgoing ICMP echo request is not tracked. The return...
by Guscht
Sun May 08, 2022 7:50 pm
Forum: General
Topic: Connection State New vs. Invalid
Replies: 4
Views: 3933

Connection State New vs. Invalid

Hi, can someone please explain the difference between the two connection states? MT states: NEW - The NEW state tells us that the packet is the first packet that we see. This means that the first packet that the conntrack module sees, within a specific connection, will be matched. For example, if we...
by Guscht
Sun May 08, 2022 7:30 pm
Forum: General
Topic: Nth vs PCC
Replies: 7
Views: 3978

Re: Nth vs PCC

This makes sense!

With Nth a second connection for the same session could go through ISPb, even when connection1 goes through ISPa. So a matcher which takes into account the SRC-IP is needed (afaik Nth cannot do this).
by Guscht
Sat May 07, 2022 12:56 am
Forum: General
Topic: Set SSTP through a different gateway
Replies: 1
Views: 474

Re: Set SSTP through a different gateway

We did a similar set-up but for End2Site devices.

You need mangling (routing-mark), where you specify which ISP is used for SSTP LAN2WAN (output-chain). And don't forget to specify in mangling, if something from the WAN enters through ISP1, it will go back through ISP1 too (not ISP2).
by Guscht
Sat May 07, 2022 12:41 am
Forum: General
Topic: Nth vs PCC
Replies: 7
Views: 3978

Nth vs PCC

Hi, can someone please explain to me the difference between Nth and PCC in regards of using the two? For a Multi-WAN Load-Balancing scenario I can say Nth, every 1st packet (connection-state new) matches with a connection-mark. And in the next rule, translating this connection-mark to a routing-mark....
by Guscht
Wed May 04, 2022 10:13 pm
Forum: Announcements
Topic: v7.2.2 [stable] and v7.2.3 [stable] are released!
Replies: 401
Views: 83787

Re: v7.2.2 [stable] and v7.2.3 [stable] are released!

My main reason for going to v7 was wireguard and udp-openvpn! At home, I run everything v7. No problems so far, but I am not doing fancy stuff as @ work, like PIM-Routing. @ work, we run everything v6, *except* 1 device with v7 for WireGuard. In my opinion, you could have easily best of both worlds...
by Guscht
Sun Apr 24, 2022 8:43 pm
Forum: General
Topic: when to use "pref-src"?
Replies: 3
Views: 6634

when to use "pref-src"?

Hi, I have read a lot about the pref-src (preferred source) field under IP -> Routes. But what are reasons I should set it? I still don't know? My only thinkable use-case was which IP should NAT -> SNAT -> Masquerading use (in a multi-WAN-IP scenario)? But this does exactly NOT use the pref-src. The M...
by Guscht
Fri Apr 22, 2022 12:18 am
Forum: General
Topic: Bonding useless on Mikrotik CCR2004-1G-12S+2XS?
Replies: 6
Views: 1468

Re: Bonding useless on Mikrotik CCR2004-1G-12S+2XS?

This CCR2004 has no hardware-switch chip, so all L2-Features have to be CPU-emulated. It seems this is the best the CPUs can do. In the test-results (https://mikrotik.com/product/ccr2004_1g_12s_2xs#fndtn-testresults), 25 Firewall-Filter-Rules will also decrease the throughput to ~4,5GBit. But as of t...
by Guscht
Thu Apr 21, 2022 5:19 pm
Forum: General
Topic: Traffic Flow - which Interface is what?
Replies: 1
Views: 528

Re: Traffic Flow - which Interface is what?

I tried interface print: Screenshot 2022-04-21 160953.jpg No luck, Interface 39 does not show up. It ends at 38. Next, I did an SNMP-walk for OID 1.3.6.1.2.1.2.2.1.2 : .1.3.6.1.2.1.2.2.1.2.1 = STRING: "ether1" .1.3.6.1.2.1.2.2.1.2.2 = STRING: "sfp-sfpplus1" .1.3.6.1.2.1.2.2.1.2.3...
by Guscht
Thu Apr 21, 2022 1:35 am
Forum: General
Topic: Traffic Flow - which Interface is what?
Replies: 1
Views: 528

Traffic Flow - which Interface is what?

Hi,

I am using Grafolean for Traffic Flow-Monitoring.
Unfortunately MT sends an Interface-Number (instead of the name):

Screenshot 2022-04-21 003314.jpg

Any chance to get the relation: Interface-Number <--> Interface-Name??
by Guscht
Tue Apr 19, 2022 10:24 pm
Forum: Announcements
Topic: v7.3rc [testing] is released!
Replies: 452
Views: 106335

Re: v7.3beta [testing] is released!

You missed this in the documentation I think: lacp-user-key: Specifies the upper 10 bits of the port key. The lower 6 bits are automatically assigned based on individual port link speed and duplex. So what you are seeing is correct and is the expected behavior. The lower 6 bits getting automaticall...
by Guscht
Mon Apr 18, 2022 11:49 pm
Forum: Announcements
Topic: v6.49.6 [stable] is released!
Replies: 56
Views: 86469

Re: v6.49.6 [stable] is released!

Updated soft- and firmware on these models without any issues:
CCR2004-1G-12S+2XS
Did you do a downgrade beyond the factory-firmware?
Our CCR2004's came with a pre-installed V7...
by Guscht
Mon Apr 18, 2022 11:33 pm
Forum: Announcements
Topic: v7.3rc [testing] is released!
Replies: 452
Views: 106335

Re: v7.3beta [testing] is released!

It is perfectly fine to use the same key for multiple LACPs. We received a feature request asking for this option, I guess it was up to their network policy to use unique keys for each LACP. It was fairly easy to implement it in RouterOS, so here you go. :wink: Sure this works? I entered 5: Screens...
by Guscht
Wed Apr 13, 2022 10:13 pm
Forum: Wireless Networking
Topic: BGP over WLAN?
Replies: 0
Views: 637

BGP over WLAN?

Hi,

I found this question and wonder why BGP is not possible?
It uses TCP/163...

why-bgp.jpg

A and B are OK, F, G, H, well OK too...
USB and Firewire is crap, but BGP, why not BGP?
by Guscht
Mon Mar 28, 2022 9:00 pm
Forum: General
Topic: DMZ in mikrotik router
Replies: 9
Views: 7242

Re: DMZ in mikrotik router

A DMZ is basically an isolated VLAN. It's easy to build this...
by Guscht
Sat Mar 26, 2022 6:21 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 294
Views: 446043

Re: Using RouterOS to VLAN your network

Not an engineer or IT trained but I like rule of thumbs and I thought it was ---> use RTSP for MT devices, & use MTSP when using mixed devices??? MSTP is a highly complex protocol with a lot of traps if you do not fully understand it. I'd say, avoid it if you can! RSTP is good and fast w/o the c...
by Guscht
Tue Mar 22, 2022 11:54 pm
Forum: Announcements
Topic: v7.1.4 and v7.1.5 is released!
Replies: 202
Views: 41169

Re: v7.1.4 and v7.1.5 is released!

CRS326 -> took long -> no problems
CRS309 -> took even longer -> 1 came back online, 1 was dead, after 2 power-off/on it came finally back, but forgot its IP...
hexS -> no problems
mAP lite -> no problems
cAPac -> no problems

in the end, one CRS309 has cost me almost an hour...
by Guscht
Sun Mar 06, 2022 7:08 pm
Forum: General
Topic: WOL + Bonding / force Frame to Interface?
Replies: 2
Views: 682

Re: WOL + Bonding / force Frame to Interface?

Hi there, I found the solution myself. I added this to Netwatch: /tool netwatch add down-script="/interface disable ether2" host=10.0.0.11 \ interval=30s up-script="/interface enable ether2" This checks if the QNAP is alive (pinging 10.0.0.11 every 30 seconds) and if it's down, it ...
by Guscht
Sat Mar 05, 2022 11:51 pm
Forum: General
Topic: WOL + Bonding / force Frame to Interface?
Replies: 2
Views: 682

WOL + Bonding / force Frame to Interface?

Hi, I am using a QNAP-NAS which I start via WOL. I recently created a Bond in the QNAP and ROS (2x 1Gig, XOR via Hash L3+4). Everything works as expected, the only problem is, if I want now to start the QNAP via WOL (via my AVM-Router), it doesn't work... After debugging, I found out the Mikrotik sen...
by Guscht
Sun Feb 27, 2022 5:43 pm
Forum: General
Topic: Bridge Filtering / In-Interface - why has the Out-Interface to be HW-Offload-disabled?
Replies: 0
Views: 372

Bridge Filtering / In-Interface - why has the Out-Interface to be HW-Offload-disabled?

Hi, I am trying to filter 0x88E1 Ether-Type, this stuff is ingressing via ether4. My hexS does unfortunately not support Switch-rules... Screenshot 2022-02-27 163103.jpg My idea was to configure a Bridge/Filter-Rule with action DROP: Screenshot 2022-02-27 163200.jpg I know, we have to disable HW-Off...
by Guscht
Sun Feb 27, 2022 12:05 am
Forum: RouterOS beta
Topic: Does PIM work AT ALL on 7.1?
Replies: 12
Views: 6902

Re: Does PIM work AT ALL on 7.1?

Have they fixed it?
by Guscht
Sat Feb 26, 2022 2:47 am
Forum: Wireless Networking
Topic: CAPsMAN / Local Forwarding + VLAN-Filtering + dynamically created VLANs
Replies: 3
Views: 979

CAPsMAN / Local Forwarding + VLAN-Filtering + dynamically created VLANs

Hi, I set up a CAPsMAN (CAPac) with Local Forwarding and VLAN-Filtering. For my VLANs, dynamic entries are created, which map to the corresponding virtual-wlan-interfaces (SSIDs): Screenshot 2022-02-26 014144.jpg But the wired ether-interface (vlan-trunk) will not get inserted as tagged which p...
by Guscht
Wed Feb 16, 2022 12:27 am
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 86
Views: 29312

Re: RouterOS bridge mysteries explained

@Guscht, the "CPU port" is an oversimplification, based on an assumption that CPU is equivalent to the router process and that the bridge process runs somewhere else than on the CPU. If this simplification helps you understand the concept, stick with it, but actually the "port of the...
by Guscht
Sat Jan 08, 2022 4:52 pm
Forum: General
Topic: Recursive Routes in RoS 7.x
Replies: 35
Views: 19333

Re: Recursive Routes in RoS 7.x

In ROSv6, everything was easy and logical: Screenshot 2022-01-08 153040.jpg Now, MT came up with V7 and made everything overly complicated... The same config doesn't work anymore: Screenshot 2022-01-08 153109.jpg That's because they invented a hidden +1 for each recursive route, you can see this under ...
by Guscht
Wed Jan 05, 2022 9:35 pm
Forum: General
Topic: Bridging different VLANs and apply filtering rules
Replies: 11
Views: 3335

Re: Bridging different VLANs and apply filtering rules

Actually no: This is the traditional way of doing so, before vlan-aware bridges were introduced into the linux kernel (which was indeed looong ago already). I still don't get the point of creating two VLANs and bridging both together with some kind of ACLs... This is from the point of a modern network-...
by Guscht
Tue Jan 04, 2022 10:21 pm
Forum: General
Topic: Bridging different VLANs and apply filtering rules
Replies: 11
Views: 3335

Re: Bridging different VLANs and apply filtering rules

Honestly, I don't get what you are trying to accomplish... You have 2 VLANs and you are trying to "bridge" both VLANs together? Like connecting two switches together with an ethernet cable? Why bridging and not routing? But OK... I see the following: /interface vlan add interface=ether1 name...
by Guscht
Sun Jan 02, 2022 10:48 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 86
Views: 29312

Re: RouterOS bridge mysteries explained

AFAIU the CPU-Port is called the same as the bridge. This is very confusing, MT should have named this "CPU-Port" or something. Short explanation: - If the CPU-Port is set untagged, this is the only way to communicate with the Bridge Interface (itself) and services "behind", like...
by Guscht
Sun Jan 02, 2022 4:09 pm
Forum: General
Topic: Q-in-Q / no S-Tag strip required?
Replies: 3
Views: 1120

Re: Q-in-Q / no S-Tag strip required?

OK, that makes sense, but leads to another question. Let's assume SW-3 sends out an ARP-request (DST-MAC: FF:FF:FF:FF:FF:FF). This gets S-tagged with VID400 at CRS-3 and will arrive at CRS-1. How does CRS-1 "know" how to forward this frame to SW-1? The only reference SVID400 <-> CVID200/eth1...
by Guscht
Sun Jan 02, 2022 3:47 pm
Forum: General
Topic: Q-in-Q / no S-Tag strip required?
Replies: 3
Views: 1120

Q-in-Q / no S-Tag strip required?

Hi, I am reading this article (section "VLAN Tunneling (Q-in-Q)"): https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#VLAN_Tunneling_.28Q-in-Q.29 As far as I understand, it is described how the customer frames (C-Tag) get an S-Tag: 1. /interface ethernet switch ingre...
by Guscht
Sat Jan 01, 2022 7:02 pm
Forum: RouterOS beta
Topic: VXLAN / MT-Help wrong...
Replies: 3
Views: 3973

VXLAN / MT-Help wrong...

Hi, according to: https://help.mikrotik.com/docs/display/ROS/VXLAN The commands for a simple VXLAN-setup are: /interface vxlan add name=vxlan1 port=8472 vni=10 # Router1 /interface vxlan vteps add interface=vxlan1 remote-ip=192.168.10.10 # Router2 /interface vxlan vteps add interface=vxlan1 remote-i...
by Guscht
Fri Dec 31, 2021 11:25 am
Forum: General
Topic: Display Filter - "or" possible?
Replies: 1
Views: 808

Display Filter - "or" possible?

Hi, can I create a display filter with an "or" argument? Like show me all DHCP-leases from DHCP-Server 223 or 224: No: Screenshot 2021-12-31 102207.jpg nope: Screenshot 2021-12-31 102240.jpg nope as well: Screenshot 2021-12-31 102253.jpg come on MT... Screenshot 2021-12-31 102309.jpg njet:...
by Guscht
Thu Dec 30, 2021 11:02 pm
Forum: RouterOS beta
Topic: PIM SM / Querier stops working...
Replies: 0
Views: 3843

PIM SM / Querier stops working...

Hi, when enabling the PIM SM Module (Instance + Interface) for a given VLAN (or ETH-interface), the IGMP Querier works a few times and then disappears simply from the "Interface" tab: Screenshot 2021-12-30 215854.jpg Screenshot 2021-12-30 215920.jpg Screenshot 2021-12-30 220058.jpg I found...
by Guscht
Thu Dec 30, 2021 11:16 am
Forum: General
Topic: Routing Filter / holy crap...
Replies: 1
Views: 973

Routing Filter / holy crap...

v6 Routing Filters: Screenshot 2021-12-30 101307.jpg v7: Screenshot 2021-12-30 101318.jpg What's that? Why do we now have to fiddle with this syntax thing?! Come on MT, why do you make everything so complicated on v7... I mean, are you serious: https://help.mikrotik.com/docs/pages/viewpage.action?pageId=74...
by Guscht
Thu Dec 30, 2021 11:09 am
Forum: General
Topic: v6 PIM / v7 PIM SM - everything gone
Replies: 2
Views: 2741

v6 PIM / v7 PIM SM - everything gone

Hi,

why is everything gone?

V6
Screenshot 2021-12-30 100706.jpg

V7 (nothing converted, where to start???)
Screenshot 2021-12-30 100723.jpg

There is even no documentation: https://help.mikrotik.com/docs/pages/vi ... d=61767728
by Guscht
Wed Dec 29, 2021 10:25 pm
Forum: RouterOS beta
Topic: ROSv7.1.1 - STP wrong Port Priority with default-value (0x80)
Replies: 1
Views: 2338

ROSv7.1.1 - STP wrong Port Priority with default-value (0x80)

Hi, with ROSv7.1.1 and with the default Port-Priority of 0x80, the port-priority is transmitted as "00" instead of "80": Screenshot 2021-12-29 212120.jpg Screenshot 2021-12-29 212142.jpg Non-Standard (other than 0x80 values) priorities show up correctly. See the 0x40 for my primar...
by Guscht
Wed Dec 29, 2021 7:53 pm
Forum: General
Topic: Connection-State: established
Replies: 5
Views: 3870

Re: Connection-State: established

connection oriented or connectionless protocols have nothing to do with this, this only comes in between the two end devices. This is only relevant to firewalls, connection tracking uses both src and dst addresses with the src and dst ports to decide if it is a new connection, established, etc Plea...
by Guscht
Wed Dec 29, 2021 7:38 pm
Forum: General
Topic: Connection-State: established
Replies: 5
Views: 3870

Re: Connection-State: established

But does: When ROS sees first packet, it creates connection tracking entry with state new. Means the "C" confirmed-flag is set in Connection Tracking? And further: When it sees first packet from B to A [**], it updates "connection" state to established. Does this mean the "S...
by Guscht
Wed Dec 29, 2021 7:27 pm
Forum: Announcements
Topic: v7.1.1 is released!
Replies: 443
Views: 227949

Re: v7.1.1 is released!

Please explain what: backup - added "force-v6-to-v7-configuration-upgrade" option on backup load to clear RouterOS v7 configuration and trigger reimport of RouterOS v6 route configuration (CLI only); means? You write v6-to-v7 and in the explanation you write something v7 to v6... unclear w...
by Guscht
Wed Dec 29, 2021 6:09 pm
Forum: RouterOS beta
Topic: Disable Unused Packages
Replies: 14
Views: 9887

Re: Disable Unused Packages

IPv6 can be disabled from /ipv6 settings menu. MPLS, DHCP, hotspot, and dynamic routing protocols must be explicitly configured to make them work. None of these features work by default. It is considered "best practice" to uninstall/disable unused features. This is even stated by the German ...
by Guscht
Wed Dec 29, 2021 1:47 pm
Forum: General
Topic: Connection-State: established
Replies: 5
Views: 3870

Connection-State: established

Hi, it's unclear to me what connection-state "established" means exactly? It's very confusing to me, because there is a TCP-Connection State "established" but not everything is TCP... I can create Firewall-Filter-Rules: UDP + Connection State = established -> Action Passthrough ICM...
by Guscht
Tue Dec 07, 2021 7:52 pm
Forum: RouterOS beta
Topic: v7.1 "STABLE" Cosmetic Bug - MNDP - Neighbor Version Hardcoded - Forgotten [SOLVED]
Replies: 14
Views: 6975

Re: v7.1 "STABLE" Cosmetic Bug - MNDP - Neighbor Version Hardcoded - Forgotten [SOLVED]

Hi, ROS v7.1 is released as "stable" but it shows itself as "testing"... And even this sounds not really "production-ready" stable: [...]note that RouterOS v7 is still actively being developed in most parts and is not a direct replacement for RouterOS v6 yet.[...] Id no...
by Guscht
Fri Dec 03, 2021 11:21 pm
Forum: RouterOS beta
Topic: Recursive Routes
Replies: 16
Views: 17376

Re: Recursive Routes

Could you explain the "logic" behind? Why do I have to enter a Target Scope of 12? As far as I understand it goes this way (from top to down): Dst.Address: 0.0.0.0/0 -> GTWY: 10.0.0.1 -> Target-Scope: 12 Dst.Address: 10.0.0.1 -> GTWY: 8.8.8.8 -> Target-Scope: 11 [at this point happens the ...
by Guscht
Thu Dec 02, 2021 11:56 pm
Forum: RouterOS beta
Topic: Recursive Routes
Replies: 16
Views: 17376

Re: Recursive Routes

I can't express my feelings how much I hate Mikrotik for doing such stuff, which makes everything so overly complicated!! For everyone who wants/needs to cheat, this works: Single WAN-Check: single-check.jpg Multiple WAN-Check: multiple-check.jpg Still missing a notification "recursive via..."...
by Guscht
Tue Nov 30, 2021 10:08 pm
Forum: General
Topic: Confused about DHCP server
Replies: 15
Views: 2360

Re: Confused about DHCP server

With MT one never knows what is or isn't connected,.........well Sindy and Sob know, but I don't. :-) MT (ROS in particular) is comparable to women in general. If you think you understand them, they will show you, your knowledge about them is - maybe - 5%... The MT Switch -> VLAN menu (in particular ...
by Guscht
Tue Nov 30, 2021 4:13 pm
Forum: General
Topic: Confused about DHCP server
Replies: 15
Views: 2360

Re: Confused about DHCP server

Please make sure, you haven't somewhere in your network a cable, bridging your both LANs together.
It could be the case, because the "wrong" DHCP answers sometimes faster than the right DHCP...
by Guscht
Sun Nov 28, 2021 11:18 am
Forum: General
Topic: Mesh + CAPsMAN
Replies: 0
Views: 1234

Mesh + CAPsMAN

Hi, I created a CAPsMAN-Network, which works great. Now I'd have to add another CAP to which I unfortunately can't run a cable. Is it possible to run a Mesh together with CAPsMAN? In CAPsMAN I can choose as mode only "AP": Set operational mode. Only ap currently supported. But I think I'd nee...
by Guscht
Tue Nov 23, 2021 7:02 pm
Forum: Announcements
Topic: v6.49.1 [stable] is released!
Replies: 138
Views: 82060

Re: v6.49.1 [stable] is released!

Is there an OID for the "flagged" status? I'd love to monitor it... It's still unclear to me what triggers a flagged state and how I can resolve the situation. The only thing I understand, If the device gets flagged some things won't work. And I would say an OID to monitor the flagged state is...
by Guscht
Tue Nov 23, 2021 6:40 pm
Forum: General
Topic: netinstall not compatible with Windows 11?
Replies: 3
Views: 2985

netinstall not compatible with Windows 11?

Hi, I had to do a netinstall (6.49.1) via a Laptop with Windows 11 (21H2). When opening the netinstall-program, nothing appears under "Routers/Drives". Normally you see at least the drives (c, d...). But with Win11 nothing, no drives no PXE-Client!! win11.jpg I opened Wireshark and saw ...
by Guscht
Mon Nov 22, 2021 6:43 pm
Forum: General
Topic: CRS326 stops responding
Replies: 6
Views: 1896

Re: CRS326 stops responding

Hi, just for information, I found the root issue. My backbone consists of a 1Gig and a 10Gig link. I block the 1Gig via RSTP, so it will come up only if the 10Gig link fails. Unfortunately, you can't configure in ROS which ports are sending out (R)STP BPDUs. Mikrotik recommends a Bridge -> Filter rul...
by Guscht
Mon Nov 22, 2021 6:13 pm
Forum: General
Topic: Bridge port egress stop STP/BPDU
Replies: 11
Views: 7373

Re: Bridge port egress stop STP/BPDU

I have found instead the following filter does the trick: /interface bridge filter add 802.3-sap=0x42 action=drop chain=output comment="Filter STP" mac-protocol=length out-interface=sfp-sfpplus1 The keys there are mac-protocol=length which means an 802.3 frame where the bytes that normall...
by Guscht
Sun Nov 21, 2021 9:08 pm
Forum: General
Topic: CRS326 stops responding
Replies: 6
Views: 1896

Re: CRS326 stops responding

Nope, as Switch but with ROS, because it has more features. I'd say the config is not special in any way... /interface bridge add admin-mac=11:22:33:44:55:66 auto-mac=no frame-types=\ admit-only-vlan-tagged ingress-filtering=yes name=BR0 priority=0x4000 \ vlan-filtering=yes /interface ethernet set [ ...
by Guscht
Sun Nov 21, 2021 7:06 pm
Forum: General
Topic: CRS326 stops responding
Replies: 6
Views: 1896

CRS326 stops responding

Hi, my CRS326 sometimes stops responding to Winbox and http. After a few hours or a day, I can't connect anymore. Sometimes I can ping it, sometimes not. After a reboot (power disconnected), it will work for a few hours (or minutes), then the same happens. I have now created a scheduled task to reboo...
by Guscht
Sat Nov 20, 2021 2:02 am
Forum: Announcements
Topic: v6.49.1 [stable] is released!
Replies: 138
Views: 82060

Re: v6.49.1 [stable] is released!

Will MIPSBE devices continue to randomly die on routerboot upgrade with this release? Have CCR long boot issues been fixed? Hi, for the CCR and long boot issue: I can confirm the issue is gone!! I was the first one reporting this after 6.49 came out, I had a long discussion with MT regarding this i...
by Guscht
Sun Nov 14, 2021 5:44 pm
Forum: General
Topic: MSTP / Port Override / Priority not working as expected
Replies: 2
Views: 874

Re: MSTP / Port Override / Priority not working as expected

And it's getting better, the behaviour is different after a reboot: PRIOR to the reboot: 0x80 is configured: Screenshot 2021-11-14 163919.jpg Transmits 0x0 instead of 0x1000.0000: Screenshot 2021-11-14 164015.jpg NOW we reboot the device... Same config: Screenshot 2021-11-14 163919.jpg But now 0x40 (0b0100...
by Guscht
Sun Nov 14, 2021 5:33 pm
Forum: General
Topic: MSTP / Port Override / Priority not working as expected
Replies: 2
Views: 874

Re: MSTP / Port Override / Priority not working as expected

Is this a bug in ROS or in my head?? The Wireshark-Output is from the slave-bridge (NOT the root-bridge), the received frames are FROM the root-bridge. ROS always transmits the sequence: 0b 0100 .0000 0b0100 = 0x4 = 0b0100.0000 = 0x40 Screenshot 2021-11-14 162055.jpg Regardless of what is configured...
by Guscht
Sun Nov 14, 2021 2:18 pm
Forum: General
Topic: MSTP / Port Override / Priority not working as expected
Replies: 2
Views: 874

MSTP / Port Override / Priority not working as expected

Hi, I try to setup a simple MSTP and it does not work as expected. I have set-up two routers with the same VLANs (11 and 21) and created a MSTP instance. Root: root_1.jpg root_2.jpg The slave bridge behaves as expected: salve_1.jpg slave_2.jpg So far everything works as expected, VLAN 11 and 21 go throug...
by Guscht
Sat Nov 06, 2021 3:02 pm
Forum: General
Topic: Switch ACL - ingress or egress?
Replies: 0
Views: 888

Switch ACL - ingress or egress?

Hi,

to which direction do Switch ACLs apply on CRS3xx devices? Ingress or egress of a packet?
Screenshot 2021-11-06 135903.jpg

On CRS1xx-devices I can choose:
Screenshot 2021-11-06 135921.jpg
by Guscht
Fri Nov 05, 2021 4:02 pm
Forum: Announcements
Topic: v6.49 [stable] is released!
Replies: 219
Views: 98525

Re: v6.49 [stable] is released!

Is there anyone with long boot delay issue on CCR1036 (or any other Tile)? After flashing firmware 6.49 (RouterOS 6.49) we have very long boot time with our router. Check installation is OK. Router boots but it takes about 8minutes or so. Same here, all our CCR 1036 and 1072 (Tile) Routers are affe...
by Guscht
Sun Oct 17, 2021 12:45 pm
Forum: General
Topic: System -> Profile -> SPI?
Replies: 0
Views: 960

System -> Profile -> SPI?

Hi, does anyone know what "spi" under profile means? Referring ROS is a routing operating system and in the context of routing "SPI" stands for "stateful packet inspection". But this device has no (zero, 0 , null) firewall rules and the Firewall -> Connection table empt...
by Guscht
Tue Oct 12, 2021 5:06 pm
Forum: General
Topic: Is 6.49 buggy? [SOLVED]
Replies: 7
Views: 2966

Re: Is 6.49 buggy? [SOLVED]

A downgrade from 6.49 to 6.48.4 performs without issues.
Make sure you will lose connectivity for a short period and the router has to re-establish the connection by itself.
by Guscht
Tue Oct 12, 2021 1:59 pm
Forum: Announcements
Topic: v6.49 [stable] is released!
Replies: 219
Views: 98525

Re: v6.49 [stable] is released!

I saw the same issue with my 1072 and came here to see. Going to downgrade until the next version I guess...Thanks for doing the testing for us! Thanks for reporting! I hope Mikrotik will react, if more users report this problem. User fedorovic spent 7 hours to isolate the problem and he found,...
by Guscht
Mon Oct 11, 2021 12:25 am
Forum: Announcements
Topic: v6.49 [stable] is released!
Replies: 219
Views: 98525

Re: v6.49 [stable] is released!

The problem with rebooting is connected with Queues. Spent 7 hours with that! :-( Simple rules are broken and causing problems. Tested on CCR1036 r1. Does this refer to "my" problem with the long reboot sequence? My next step for the coming week was to do a full reset and then - step by s...
by Guscht
Sun Oct 10, 2021 7:45 pm
Forum: General
Topic: SFP / Rate Select?
Replies: 5
Views: 9453

SFP / Rate Select?

Hello, can somebody please explain what the selector under Interfaces -> Ethernet -> SFP -> Rate Select -> high/low does? A Google search was not successful and - as usual - the MT Wiki was a fail too: sfp-rate-select (high | low; Default: high) Allows to control rate select pin for SFP ports. It ha...
by Guscht
Fri Oct 08, 2021 1:49 am
Forum: Announcements
Topic: v6.49 [stable] is released!
Replies: 219
Views: 98525

Re: v6.49 [stable] is released!

Did further investigation regarding the long-boot issue. ROS 6.48.4 + Firmware 6.48.4 -> no issue -> booting takes around 1:30 minutes ROS 6.49 + Firmware 6.48.4 -> no issue -> booting takes around 1:30 minutes ROS 6.49 + Firmware 6.49 -> issue -> booting takes around 10 minutes! I have done now a f...
by Guscht
Thu Oct 07, 2021 10:57 pm
Forum: Announcements
Topic: v6.49 [stable] is released!
Replies: 219
Views: 98525

Re: v6.49 [stable] is released!

What version is your routerboot(firmware) at?
ROS 6.49
Firmware: 6.49

Reproducible on all CCR1072 and CCR1036 devices...
by Guscht
Thu Oct 07, 2021 10:18 pm
Forum: Announcements
Topic: v6.49 [stable] is released!
Replies: 219
Views: 98525

Re: v6.49 [stable] is released!

FCK MIKROTIK!!!!
by Guscht
Sat Sep 25, 2021 1:12 pm
Forum: General
Topic: CRS and wire-speed?
Replies: 2
Views: 855

Re: CRS and wire-speed?

Thanks for clarification!
by Guscht
Fri Sep 24, 2021 9:14 am
Forum: General
Topic: CRS and wire-speed?
Replies: 2
Views: 855

CRS and wire-speed?

Hi,

just a small question, I plan to use a CRS 326-24G-2S+RM, when using ROS and creating a Bridge (adding all Ports to the Bridge), will I get Wire-Speed between the ports (the small "H" is present)?

Thanks
by Guscht
Fri Aug 27, 2021 5:08 pm
Forum: Announcements
Topic: WinBox v3.29 released!
Replies: 113
Views: 36594

Re: WinBox v3.29 released!

WHAT THE F*CK MIKROTIK?!?!?!?!

HOW CAN ANYONE BE SADISTIC IN SUCH A WAY?? START -> CLOSE
I CLICKED "CLOSE" NOW 1000000000 TIMES INSTEAD OF STOP.

ping.png
by Guscht
Tue Aug 24, 2021 11:31 pm
Forum: General
Topic: How to configure a CCRXXXX as router with VLAN trunk ports ?
Replies: 3
Views: 2066

Re: How to configure a CCRXXXX as router with VLAN trunk ports ?

How to configure a CCRXXXX as router You don't have to configure a router as a router. It will route, like a switch will switch ;) If it knows the routes (destination networks), it will work. VLAN trunk ports ? Do you refer to "Trunk" as a Link Aggregation? That's called "Bonding" i...
by Guscht
Tue Aug 24, 2021 1:16 pm
Forum: Announcements
Topic: WinBox v3.29 released!
Replies: 113
Views: 36594

Re: WinBox v3.29 released!

Still transparent Menus, if filtering is enabled and you scroll, as reported here.

Zwischenablage01.jpg
by Guscht
Tue Aug 24, 2021 10:22 am
Forum: Announcements
Topic: v6.48.4 [stable] is released!
Replies: 68
Views: 73848

Re: v6.48.4 [stable] is released!

Wrong voltage in our CCR1036 (the drop shortly after 08:30, after the update):
Zwischenablage01.jpg

No problems with our CCR1072.
by Guscht
Sat Jul 31, 2021 1:29 pm
Forum: General
Topic: NAT: Masquerade can leak private IP, why&how?
Replies: 25
Views: 5747

Re: NAT: Masquerade can leak private IP, why&how?

One thing about the Mikrotik Wiki:
/ip firewall nat add chain=srcnat src-address=10.0.0.0/24 action=masquerade out-interface=WAN
Every time when interface disconnects and/or its IP address changes, the router will clear all masqueraded connection tracking entries related to the interface, this way i...
by Guscht
Sat Jul 31, 2021 12:26 pm
Forum: General
Topic: NAT: Masquerade can leak private IP, why&how?
Replies: 25
Views: 5747

Re: NAT: Masquerade can leak private IP, why&how?

Hi, just a few thoughts.... What would be the effect of simply setting multiple masquerading rules, like:
Out-I/F ETH1 (Main-WAN); Action: Masq
Out-I/F ETH2 (Backup-WAN); Action: Masq
In this case the masquerading is interface specific and should not stop on ETH2 if ETH1 comes back...? And is this r...
by Guscht
Sat Jul 24, 2021 1:23 pm
Forum: General
Topic: iPhone not resolving static dns entries [SOLVED]
Replies: 10
Views: 3810

Re: iPhone not resolving static dns entries [SOLVED]

Is there a special DNS configured for ad-protection or something?
I could imagine, Apple does here their own thing...
by Guscht
Tue Jul 20, 2021 11:02 am
Forum: General
Topic: RouterOS Rule tester?
Replies: 18
Views: 2582

Re: RouterOS Rule tester?

+1!!

I wished there would be such a report-like tool for years.
Including Filter, NAT, Mangle...
by Guscht
Sun Jul 18, 2021 2:17 pm
Forum: General
Topic: Simple Queue - Total?
Replies: 3
Views: 1902

Re: Simple Queue - Total?

Hi, thanks, yes I played with it, but it's not clear to me. MT writes (in their wiki) about the total-stuff: And corresponding options for global-total HTB queue : I know, the global queue stuff is related with Queue Trees - not Simple Queues. This is stated here too: Zwischenablage01.jpg and: Zwisch...
by Guscht
Sun Jul 18, 2021 1:58 am
Forum: General
Topic: Simple Queue - Total?
Replies: 3
Views: 1902

Simple Queue - Total?

Hi, does anyone know what the "Total" tab under a Simple Queue does exactly? Zwischenablage01.jpg I can set limits here as well. But to what does the "Total" refer? And I can set this for each simple Queue - "multiple totals" seem strange to me... MT wiki is not clear: ...
by Guscht
Mon Jul 05, 2021 12:56 am
Forum: General
Topic: BOOTP servers
Replies: 1
Views: 1080

Re: BOOTP servers

The BootP-Server is specified in the "Next Server" field (under DHCP -> Networks)
by Guscht
Mon Jul 05, 2021 12:47 am
Forum: General
Topic: Resetting a "branded" board
Replies: 15
Views: 3997

Re: Resetting a "branded" board

I asked MT the same question, their answer was as well "do a netinstall". But I think, you could create a "Mikrotik.dpk" too. All you need is their Logo, their ASCII-Logo, their URL and their manual URL... Still wondering, why they do not have a "default-option" for the...
by Guscht
Mon Jul 05, 2021 12:43 am
Forum: General
Topic: 2 VLANs and DHCP only for 1
Replies: 2
Views: 651

Re: 2 VLANs and DHCP only for 1

1. Set-up the ISP as the gateway for your router
1a. create a bridge, create the VLANs, create VLAN interfaces and bind these to your bridge
2. create a VLAN for your home-LAN, including a DHCP which points the clients to your router (as their gateway).
3. create on your bridge (step 1a) another VLA...
by Guscht
Mon Jul 05, 2021 12:17 am
Forum: General
Topic: NAT, masquerading, src, dst? Confused (picture) [SOLVED]
Replies: 5
Views: 1656

Re: NAT, masquerading, src, dst? Confused (picture) [SOLVED]

Home Assistant: Request to 192.168.20.100:502 (mAP Lite)
mAP Lite does:
DNAT: 192.168.20.100:502 to 192.168.200.1:502
SNAT: 192.168.20.194 to 192.168.200.2
Assuming:
192.168.20.100 = mAP Lite in your .20 LAN
192.168.200.2 = mAP Lite in the Inverter-LAN
The Inverter will see a packet: Source: 192.168...
by Guscht
Mon Jun 21, 2021 10:36 pm
Forum: General
Topic: IPFIX stopped working
Replies: 0
Views: 821

IPFIX stopped working

Hi, today at 5am, both IPFIX-sensors of our monitoring system (PRTG) stopped showing data. We figured out that the timestamps, transmitted from the routers, were wrong (offset was around 16 hours). After a reboot of both routers, both sensors showed the data again - the timestamps were correctly tr...