MikroTik

docmarius

Actually, the CCR1009-7G-1C series supports 100M fiber links on the combo port. But I think these are the only MT devices doing so.

docmarius

It seems there is an issue with multicast routing in the the last 2 releases of ROS (on a CCR-1009). PIM, after working for ages with my multicast setup (upstream on a vlan, clients on a regular bridge) stopped working in 6.47. IGMP proxy was still working ok and I switched to it. But after upgradin...

docmarius

Yes, it is possible, and there is a compileable user space daemon available. But for the "best" solution you have possible other options, depending on your use case. For internal use, in a secure network, you can use other simple tunelling protocols, like IPIP (if you only need IPv4 traffic) and GRE...

docmarius

An export - delete configuration - import (in pieces) did the trick. But I still think this is an actual bug and should be addressed.

docmarius

I have a strange issue: I had some HE IPv6 addresses used in the past, which worked as expected. I added them to several pools and assigned them to different interfaces. Now I deleted those assignments and pools. Everything is fine, just after a reboot, the old addresses appear again, this time with...

docmarius

It seems the inability to get a full Dude installation comes from the fact that 'dude/files/default' is hidden (and is automatically hidden by the dude process).

docmarius

Wow, that's an interesting topic... Some questions: - Do you really need EOIP (L2 level connectivity) or would a TCP/IP tunneling also do? - Do you need a secured/encrypted connection or could a regular firewall do the job? Because, depending on the answer on these questions, there could other solut...

docmarius

I needed to reboot my CCR1009-7G-1C-1S+ with the card plugged, before the microSD was properly recognized. No issues since, running the dude on it.

docmarius

Sorry, that was a bad wording... I meant the interface by which the connection was made through...

docmarius

I'm pretty sure it means the parent device' setting if there is one, otherwise yes.

docmarius

... i don't really understand however, why they have this on a P2P unit. you can easily have TDD media access on a P2P just by using wireless synchronisation. the GPS based stuff only excels in multipoint scenarios... GPS sells. It is one of the "magic bullets". And maybe they are planning a P2MP s...

docmarius

What you want is security through obscurity. This is a bad idea, giving you a false sense of added safety, which is not the case. Probing and exploiting a vulnerability is fast, and doesn't rely on those details to select a target. You should set up your network in such a way that it should not matt...

docmarius

Probably some experimental stuff. AA55 is binary 1010101001010101 - so this is used to get alternating 1/0 bits which makes development/testing even more probable...
But as r00t has written, if it doesn't bother anyone...

docmarius

And your "useful user article" is where?

This is a place to publish your articles. Please put question in the appropriate sections.

docmarius

The bug preventing multicast RIP announcements over IPIP tunnels in 6.45.3 is solved. Not in the changelog, but anyway, tnx...

docmarius

I can not receive RIP multicast announcements via ipip tunnels anymore on 6.45.3.
The UPD port 520 packets via tunnel don't even hit the firewall.

Downgrading to 6.45.2 restores full functionality (no configuration change).

Hw iis tile RB1009

docmarius

I have a basebox 2. While other brands of PCIe modems work as expected, I neve managed to get it started with a RB11e-LTE International version. It never passes reading the serial number on the modem. Support has no solution, so that information is correct. In a RBM33, the modem works perfectly.

docmarius

Those are only comments in your export and will be ignored... There are some default template entries in IPsec which the system probably expects NOT to be missing (e.g. the default policy template, default proposal, default group, default profile, default mode-profile), and can not be normally delet...

docmarius

How exactly did you try to filter the RIP messages? RIP uses the 'Prefix Lists' for incoming/outgoing messages, not the 'Filters'. Note that filtering is done in order of the filters (sort by #). Also take care, the prefix length needs to be matched, too. e.g. to filter everything from 10.1.1.0/24, ...

docmarius

Riccochet did that in the late 1990's and early 2000's somehow successfully.
But at some point you hit a speed limit due to internal interference and multiple hop latency. Think of something like 1/8'th of a P2P link.

docmarius

Between physical ports you can not exceed 1Gbps/port and direction, because the ports are 1Gbps :-). The CPU ports have a total forwarding capability of 2 Gbps in each direction... So, cross the switch groups you could get somewhere between 1Gbps with no other load and 400Mbps on full switch load (a...

docmarius

Hmmm, after about one day, on my CCR1009, all static routes configured for connected PPtP and SSTP clients (I have no other types to check) disappeared, and connectivity to the client's subnets was lost. Disconnecting the clients and allowing them to reconnect restored the routes... As if those rout...

docmarius

*) discovery - detect proper slave interface on bounded interfaces; If this means reporting the neighbor on each interface of the bond, then it works as expected. It is just not correct, since the neighbor should appear only once because it is a single logical interface. And some of them show the I...

docmarius

That has a perfect good reason: DST-NAT is a prerouting feature, which is located on the ingress path of the router (because the redirected packets need to be properly routed to the correct destinations). It is impossible to apply it on an an output, postrouting or forward chain, which have their ro...

docmarius

Updated my RBM33G with a RB11E-LTE.
- Modem firmware update - OK
- New LTE additions like cell info - OK
Everything working as expected.

docmarius

Or replace the hap ac lite with something supporting 802.3af/at, which is cheaper than buying a $400 switch, and throw out an existing $250 one? The AF adapter solution comes with a price tag at around 30$. A RBPOE adapter costs $5 and allows, if needed, POE for the hAP, from a separate power supply...

docmarius

That means that either one, or both devices don't play according to standards. But there could be a workaround: place a passive POE injector at the hap end, without powering it, or even power the hap via that injector. It has a separating transformer inside, that will prevent DC to flow between the ...

docmarius

You can not downgrade below the ROS factory version, in this case 6.39. Unless MT has some workaround.

docmarius

I assume you refer to 802.3af/at as POE+. In this case, the power supplied by a POE+ switch is negotiated, meaning that it will not supply power to devices which are not able to negotiate it according to that standard (like the hap lite). So it is safe to assume that you can connect your hap lite to...

docmarius

2 PPPoE connection work happily together. To force a specific interface for L2TP connection, you could use routing marks. In your main table you have one default gateway, on your secondary (marked) routing table, the other gateway. Mark your L2TP outgoing traffic in the output chain as needed and it...

docmarius

There are no untagged "vlans" on an interface, only THE untagged vlan (singular, only one, assimilated to vlan 1). For a packet to make use of vlans, it has to have vlan info in it, and that info is called a tag. A port could be virtually associated to a vlan by the router or switch, so that its tra...

docmarius

I think there is a confusion going on here. On one hand, it does not report the discovered info to an interface. It reports it to RouterOS, and you need to use Winbox/Webfig/API to read that information. So, unless your users have access to your router, they can not see the list. On the other hand, ...

docmarius

dB readings work the other way around. The bigger the number, the weaker the signal (37 dB is more than 2 times stronger than 41 dB).
Try to lower the power on the AP to get the client around 50 dB...

docmarius

I converted a network to static routing for similar reasons... Everything worked fine from minutes to days (rarely, but yes), and then it just stopped. Disabling an enabling a OSPF instance resurrects the whole stuff for some time. One thing I noticed was the following: One of my subnets was fragmen...

docmarius

That's what happens when you put restrictions on people: Le Chatelier's principle. The system changes to escape the constrain.
I would look for the "hacker" on the inside. But if they are your employees, this could rather trigger personnel fluctuations instead of increased productivity.

docmarius

Yes, you are right. It has nothing to do with ROS. As Sob said, it's probably a preparation for later actions. Sorry for the bump in.
But an actual PE release for Winbox could be a nice step

docmarius

What are you talking about? What are USB U3 programs? Please stop posting such posts. U3 is a portable execution medium developed some years ago, and pushed by Sandisk. It allows the installation of a PE (Portable executable) on an USB stick which creates an automatic launch environment in Windows,...

docmarius

I have a UFiber UF-SM-1G-S pair between a CCR1009-7G-1C-1S+ and a 260GS (CSS106-5G-1S). It work as expected.

docmarius

True, I wanted to learn it, and I keep the complicated things for my job :-). So running a few streams is easier to follow, like one streamed transponder, and it should scale knowledge wise. But I think the topic here was a home setup, not IGMP snooping, which is quite new in the MTK world (since 6....

docmarius

Please don't test IGMP snooping still doesn't work. ... Believe me, I read the forums, since 4.17, that's some 8 years... But you ask "don't test IGMP snooping". That's what I am talking about. What is the logic behind this? If YOU don't want to test, that's your own problem. If someone else does, ...

docmarius

Still no joy for RG11e-LTE with RB912UAG

docmarius

ITs possible to force a device to specific power level. But remember - in noisy environment - You will also amplify the noice. Now this needs a little explanation since it makes no sense. IMHO the noise gets amplified on supplemental Rx amplification, not on Tx, where only the S/N ratio gets booste...

docmarius

Maybe instead of bragging, you could inform Mikrotik about the issue so it could be solved?
Write a mail to support, open a ticket, describe the issue in detail, provide hacking means, methods and descriptions to them. This is not solvable in an user forum.

docmarius

Are you talking about client or server connections? It's problematic to give you an advice without detailed information.
If you are the client, first ask your ISP about this.

docmarius

If everyone would adhere to the principle "block all and allow only what you need", which is considered best practice, none of these discussions would be necessary. Start with: - allow all from (management) LAN - allow established/related - drop all and work your way up from there on an "as needed" ...

docmarius

You can freeze the torch window content by pressing "Stop", at least in winbox.
But that "copy" is needed.
And the same goes for the log.

docmarius

I think the easiest way is to describe bridges as software switches, allowing you to "switch" between its assigned ports (interfaces). Some could be ethernet interfaces and SFP ports, which allow the help of a real hardware switch chip if available (and this is named hardware offload), others could ...

docmarius

If you have different subnets for your computers, browsing via SMB is not possible across those subnets, because broadcasts packets are not forwarded.
To achieve this, you need a WINS server and register all clients to it.

docmarius

... As a comparison the ubnt edgeswitches, even the older rough models do provide 24/48 options being set manually. Now this is new. On my Edgeswitches I only have POE+ (802.11af/at) and 24V passive. No 48V passive option. Maybe you mean the defunct ToughSwitch Pro, which only supported passive PoE...

docmarius

AFAIk, You need to use RA for address hand-out. The ROS DHCPv6 only hands out prefixes for PD, not individual addresses.
https://wiki.mikrotik.com/wiki/Setting_up_DHCPv6

docmarius

192.168.0.255 is the broadcast address of network 192.168.0.0/24...
Disabling neighbor discovery is easy: on newer than 6.41 ROS go to IP->Neighbors, click "Discovery Settings" and select "none" from the dropdown box.

docmarius

From your description, you only placed a SIM card in its slot. What LTE modem did you put into the miniPCI express slot?

docmarius

Can't you just use 2x1G SFP (not SFP+) MM fiber transceivers for this task?
SFP fiber transceivers are usually cheaper than RJ45 modules., SFP+ slots also accept SFP devices.

docmarius

The 260gs is a switch, running SwOS, the 1100 is a router running ROS. So there is no way to migrate your config: - the switch has only a single IP for administrative purposes, not multiple interface with individual IPs - the switch ca not run dhcp servers - the switch can not do NAT (masquerade) - ...

docmarius

...Please advise when will the iOS one be available for use?

You mean the Apple or the Cisco IOS?

docmarius

Except the fact that it would break the standard restricting a broadcast domain to its own subnet, this could be a useful feature.
It would enable e.g. workgroup/SMB browsing across subnets without using a WINS server. But this tends to become kind of obsolete.

docmarius

@Muhammadilyasmunir: Don't you think you should open another topic because your problem is not related to the one discussed here?

docmarius

According to CEPT it is ok for indoor use.

http://www.erodocdb.dk/Docs/doc98/offic ... 1483EU.pdf

Check points 74/75 in the annex.

docmarius

What do the counters on these rules say? action=accept chain=forward out-interface=LAN src-address=10.1.0.0/24 action=accept chain=forward dst-address=10.1.0.0/24 in-interface=LAN Any traffic going on? Optionally try add action=accept chain=forward protocol=icmp so all icmp is allowed for the beginn...

docmarius

Only a few, but that is not the issue. The issue is you asking us not to test a feature because it does not work for you. How do you expect to raise feedback if we do not test it? Just wait for someone at MT to fix something they do not know is broken? The idea is to test it as much as we can, and s...

docmarius

Exactly. In the ports section there is this remote access option that allows you to create a virtual serial port over TCP/IP on a remote machine and attach your router's local serial port to it. AFAIK, drivers exist for Windows (3-rd party) and Linux (socat is your friend )... (check RFC2217) You ca...

docmarius

Good point. You need the proper routes on the client machine, or use the VPN as the default gateway.

docmarius

There is also an option to create a virtual serial port over TCP/IP (Ports->Remote Access). You could send the raw NMEA stream to a remote machine for processing.

docmarius

A basebox2 offers you a similar board, L4 license , outdoor housing, mount, power supply and PoE injector at a decent price, and a potential upgrade later because of the mini PCIe slot (e.g. a second Wifi interface or a LTE/3G modem). All you need is 2 of the presented antennas. Wouldn't this be a b...

docmarius

A pair of cheap pair of 3km single fiber transceivers and a fiber should do a better job at a lower price.

docmarius

NAT/Masquerade 10.0.0.x users to your 192.168.1.x interface address.
Most desktop machine firewalls (especially Windows) expect all others to be on the same LAN to access their services.
And make sure to have forward rules in both directions between the two networks.

docmarius

Please don't test IGMP snooping still doesn't work.

Why not test it? Just because it does not work on your setup?
I have it enabled on a hex and seems to do its job as expected.

docmarius

Tnx Normis. I did. I have issues with it on a RB912 Basebox2 board and a brand new R11e, that's why I asked. [Ticket#2018041522001201]

docmarius

Upgraded also the Firmware of the R11e-LTE from v007 to v008...

Some details on how you got/did that update?

docmarius

For 3rd party uses of the R11e-LTE, could you at least provide the AT commands disabling the unsolicited status/progress messages?
These may be interfering with chatscript. e.g. after a AT+CFUN=1 the modem puts out a lot of responses, including some of them after the "OK" response.

docmarius

[support ticket sent Ticket#2018041522001201] Rant: It is lovely to sell a device that does not work with your own products, and sell it without providing a user manual, and here I mean a documented AT command set. So that at leas we can use these LTE modems in other devices, because we payed money ...

docmarius

Because unifi switches drop some BPDUs. On the EdgeSwitch, this can be disabled. Can not tell if this is possible on unifi (aparently not).
This thread discusses exactly this issue:
https://community.ubnt.com/t5/EdgeSwitc ... -p/1313979

docmarius

If you use the interface number, that's faster. But then this number changes if the interface goes down and up again, depending on the system.
If it stays the same, you can use something like 3:public@192.168.1.1: (you need to find it via a snmp walk...)

docmarius

Adapt fields to yout needs... Interface name (ppoe_interface in the example), IP's(interface is assumed on 192.168.1.1), speeds. localhost_11 is just a label and needs to be unique in the config. Target[localhost_11]: #pppoe_interface:public@192.168.1.1: SetEnv[localhost_11]: MRTG_INT_IP="192.168.1....

docmarius

Same thing on this side, too (RB11e-LTE, non-US): Couldn't start - modem is not configured yet (6) In interface/status I get: http://www.yo2loj.ro/files/LTE_failed.jpg RB is 912UAG-2HPnD (BaseBox 2) Tried on ROS 6.40.7 and 6.41.4 Installed the extra LTE package. No change. I tried to set "ignore dir...

docmarius

And there is another option: You can run a virtual AP on an interface while doing a WDS connection at the same time... The downside is it has to be on the same channel.

docmarius

All variants based on the RB9x2 boards (NetMetal, BaseBox) can be upgraded to 2 WLANS by adding a second mini PCIe wlan card.
You can also order the board itself (RB912, RB922, RB953, maybe even RB433 - depending on your needs) and build your own custom design...

docmarius

I provision a Nortel phone via TFTP from the router. Works flawless.

docmarius

There are unsolved issues with the DHCP server on VLANs and bridges in 6.41.x.
Downgrade to the bugfix version (6.40.7) and everything will probably work flawless.

docmarius

The assigned mask is actually correct. The network mask tells your network interface which IPs are DIRECTLY connected to that interface. Since a VPN has only 2 directly connected endpoints, this gets shown by 1 endpoint getting a IP/32, the other endpoint being its gateway IP. If you put that IP int...

docmarius

There is also 6.40.6 - The old paradigm but with bugsfixes. This should work 1:1.

docmarius

The reason i said that is doe to the fact that, at the moment, any stored configuration is static, with a few exceptions in the address lists. That means that variables names are resolved to their values when set (and not on use). e.g. for a route using a dns name for its gateway, that will be resol...

docmarius

Yes, you are right. Maybe that should be changed

e.g. to have the ability to place some $GLOBAL_VARIABLE_NAME as command parameters.
It works in CLI as a one time substitution, but it would be nice to have it dynamic. Unfortunately this seems IMHO to need a radical core redesign...

docmarius

Have a script initializing the needed variables on startup is not enough?
This would give you a solution to your problem and leave Ros uncluttered for users not needing that.

docmarius

Where is it written that you should have 256M of RAM? You got a 233Mb chip, live with it

docmarius

docmarius - Are you referring to one of the fixes in 6.42rc version or some other problem which you have resolved/reported to support? I had issues with the DHCP server not handing out addresses after some time of proper functioning in 6.41.2 if the interface is a bridge. This was reported by some ...

docmarius

Any fix for the DHCP server stopping on bridge after some time?

docmarius

On my CCR1009 this version is unstable. After an unpredictable time, the DHCP server stops responding, and routing seems to go amok (routes are there, but it is like connection tracking is not working). A reboot restores functionality for a time (from minutes up to a day). Downgrading to 6.40.6 "cur...

docmarius

Since IoT is a big topic at the moment, maybe a look on LTE CAT M1/NB1 is interesting (U-Blox has some nice modules like the Sara R410M with promises for global band coverage...). And regarding 2G/3G, please be aware that while the US drops 3G, the general deployment of LTE in the EU has been postpo...

docmarius

...
Current Tx Power 2GHz - empty
...

FYI: 0 dBm does not mean "empty"/zero power. It is a valid value and means 1 mW. Still odd though, if it changed by itself.

docmarius

Ok. That makes sense. So actually key remove on user delete is a valid option. Tnx.

docmarius

There is a bug in the DHCP lease list in the RouterOS device setting tabs. All DHCP leases are grayed out and show an X (disabled) in front of them, even though they are up and running on the devices. Dude is 6.41.2 running on a CCR1009-7G-1C-1S+ (Can not check earlier versions since i just found it...

docmarius

Let me just put some questions: - Since you added the keys in a separate step, how do you expect you the router to guess you want to remove them or not together with the user? Just because you assigned them to a user at a later time? What if you want some key shared between multiple users? - What if...

docmarius

I can confirm the DHCP behavior described by Splash. Having a DHCP server on a (SW only - CCR1009) bridge interface stops the DHCP server from handing out leases, with all just in the waiting state. Adding accept firewall rules for UDP port 67 on the input chain for the needed interfaces gets it up ...

docmarius

https://tools.ietf.org/html/rfc5340

docmarius

For ROS to install a RIP route via multicast, the source address of the RIP packets need to be inside the subnet of the interface they are received on. e.g. Interface: 192.168.1.0/24 from 192.168.1.5: 10.1.2.0/255.255.255.0 will install the route but from 192.168.2.5: 10.1.2.0/255.255.255.0 will not...

docmarius

After the conversion on my CCR1009, the DHCP server failed to work if connected to a bridge interface (it worked dough on a single vlan interface). For static IP hosts, everything seemed running normal. I traced this back to the fact that STP/RSTP was not enabled. After enabling, it worked as expect...

docmarius

Found a first anomaly:
Neighbor discovery does not work with the generated 'discover', 'mac-winbox' or 'mactel' interface lists. Other lists seem to work.
After list deletion and recreation by hand, it works.

docmarius

It is not that simple. First, you can ONLY substitute an GPON ONT, not someting else like a GEPON ONT or regular fiber connections. Second, your provider needs to register your module to his OLT (central equipment) instead of the one provided to you. They will probably refuse it. Third, you will loo...

docmarius

Exactly. Only the media interfaces are grouped by the fact that they use octal interface chips. The actual switching is done in the central switch chip and the hole thing works at wirespeed and there is no data shortcut inside those PHYs. Everything still flows through the MII buses to the switch ch...

docmarius

I think you misread those diagrams. It is not a controller for each port group. It is a octal PHY (physical interface transceivers to MII converters, 8x1Gb eth to 2x4Gb MII in this case) for each group, and it has no user relevance unless one gets blown out and knocks out the whole group. The contro...

docmarius

In addition to the IP address problem, you have 2 supplemental issues. 1. NAT is wrong, you need only do nat for the WAN interface: /ip firewall nat add action=masquerade chain=srcnat out-interface=ether1 2. You need a default route for your uplink using an ip address not an interface name (IF names...

docmarius

If texmeshtexas already has the 100m SM fiber in place, that could be a problem, since the module you mentioned is MM. I have SM modules running on short MM OM4 fibers (10 m), but never tried the other way around (and this could be a problem because of the much smaller aperture on the SM fiber and t...

docmarius

You just need to add a firewall filter rule on chain input, incoming port WAN (use the proper name from you system), protocol 6 (tcp) port 8291. /ip firewall filter add action=drop chain=input comment="Winbox on WAN" in-interface=WAN dst-port=8291 protocol=tcp But the best approach on the WAN would ...

docmarius

There are attenuators on the market.
Just an example:
https://www.fs.com/c/optical-attenuator ... ors#matrix

docmarius

You should assume any connection on any open port possible on your system, because you can not control what people do on the internet. Actually you should expect them to do it and there is nothing you can do except secure your equipment (e.g. closing ports you don't need, restricting access to certa...

docmarius

... First time powered up just know. No changes made to configuration. Winbox - Hit "OK" when powered up & MAC connected. New Terminal - typed in "tool bandwidth-test direction=transmit interval=00:00:05 protocol=udp user=admin address=127.0.0.1 duration=20" ... Tom, It's not ok at all. You are hit...

docmarius

I can confirm, RDS needs the service name to be empty.

docmarius

A CCR, e.g. CCR1009-7G-1C-1S+ would also do if you need less than 9 copper Gb interfaces. A big boost and you get a nice LCD, too.

docmarius

I have not seen the new model for real, but the old cAP looks like a fire sensor. And sorry, but this one looks at first glance like an air intake of a ventilator with all those holes or dots. But anyway, much better than the old ones

.

.

docmarius

I've chosen Unifi APs (first LR and then later AC Pro) primary for their looks when mounted on the wall. cAPs and wAPs are just ugly.
And sadly, MT has nothing to offer on the PoE switch side that comes near to ES and US (yet, I hope)...

docmarius

... The "R" in CRS326-24G-2S+ stands for "Router" ... Tom, I think that's not entirely correct and out of context: CRS stands for Cloud Router Switch, meaning a switch for the "cloud router". It si not "cloud router and switch". The routing capabilities are just a side effect of ROS as a unified OS...

docmarius

I have exactly the same use case: I want to use a HE provided gateway with a server, and a native dynamic IPv6 subnet from my ISP for the actual LAN. A no go for the moment due to missing routing tables for IPv6 (marks are there, but of no use).

docmarius

Tnx. Cyril for the explanation. Now I got it, and have to support your suggestion.
But I think that has also to be implemented for ROS DNS lookup functions, not only for the cache.

+1

docmarius

Now i got really curious about this :-) So what you are saying is that MT's DNS is actually case sensitive when it should not? Let's get an example. Let's say we have: Test.com A 1.2.3.4 Mail.Test.com A 1.2.3.4 1.2.3.4 IN PTR Mail.Test.com Test.com MX 10 Mail.Test.com 1 - a DNS request for Test.com ...

docmarius

This same src/dest MAC request I assume it is done to update MAC tables and switching tables in potential switches on the network. Or some other more obscure reason on devices which do ARP sniffing...

docmarius

It depends only on your needs. GRE actually can transport whatever you want. And EoIP is also GRE, with the addition of 2 bytes in the header defining a tunnel ID, so one can run more than one tunnel between 2 endpoints, and it transports ethernet frames only. The actual overhead for GRE is 22 to 26...

docmarius

Have you tried going to System->Routerboard->USB and select "Mini PCIe" instead of "USB Type A"?

docmarius

Yes, right. I actually forgot about MX checks.
But then again, shouldn't the mail system be case insensitive on the MX check?
Of course, if the DNS returns the MX as written in the zone, this would be great.

docmarius

Domain name lookups according to RFC4343 are case insensitive, and in DNS replies the capitalization MAY be kept but must be ignored by the client. https://tools.ietf.org/html/rfc4343 Since this affects reverse DNS and CNAMES only (address resolution responses being in dotted quad format), I would a...

docmarius

Have you rebooted the router after setting that forward? Or deleted the connection list? Because of connection tracking, a NAT rule doesn't kick in immediately if there is an existing tracked connection on that port, from a previous connection attempt, until that initial it times out (which sometime...

docmarius

If you use a different subnet on your tunnel and your PBX there could be an issue. For added security, it is possible that the PBX does not accept management connections from hosts outside its LAN. In this case you need to set up some src-nat/masquerading on the LAN port, so that the PBX sees your c...

docmarius

Doesn't a classic
/ip route add gateway=<pptp interface name>
work?

docmarius

AFAIK all the routing is classless in ROS, since you are free to use whatever netmask you like on any IP. The same goes for the implemented routing protocols except RIP v1.
Anyway, not implementing classless routes on any modern router makes it completely obsolete and a joke, not a router

docmarius

Switching always happens at wire speed, so you can count on the 1000mbps no matter what.

docmarius

For official Mikrotik support you need to contact support@mikrotik.com.
Although MT people mingle with the crowds on this forum and support us, it is not the official channel.

docmarius

... In menu Interfaces -> VLAN vlan2-> VLAN ID:2 -> Interface:bridge2 ... You need to add vlan2 to interface eth4, not to the bridge! The interfaces hierarchy: eth1 - untagged/no vlan eth2 - untagged/no vlan eth3 - untagged/no vlan eth4 - untagged/no vlan | -- vlan2 tagged/vlan id 2 the bridges: br...

docmarius

@Naglya Put a diode on the wire, so that there is only current flowing from the batteries:

mUPS --------|<------- battery

docmarius

Maybe it is to simple :-) - add a VLAN interface with VLAN ID 2 to eth4, call it vlan2 - create 2 bridges - add ports eth2 and eth4 to bridge1 - add ports eth3 and vlan2 to bridge2 done. To allow routing, treat each bridge as your actual inside interfaces: - configure eth1 to your liking (dhcp) - as...

docmarius

For this to happen, you will need to run some kind of proxy. Since there is no such thing available on MT, you need a machine on your network to do it (even a Pi would work, using e.g. haproxy). I use such a setup to give IPv6 access to IPv4/TCP only services without issues. BTW, a port of haproxy w...

docmarius

Hurricane Electric, he.net.
DNS is free for a reasonable amount of domains, has an easy management and setup interface, and it even provides the update scripts for Mikrotik.
And you could also get an IPv6 tunnel for free.

docmarius

The constant streaming idea is referring to stream once the receiving device subscribed to a multicast group. Before that, the stream has no meaning for it and is just consuming bandwidth on that network segment. And of course the multicast source needs to be capable to deliver a constant stream to ...

docmarius

But there is a switch menu on the LHG 5, which has only a single ethernet port and no switch chip

I assume it is a glitch. Anyway, I understand that the functionalities of the switch menu will be migrated into the bridge part starting with 6.41.

docmarius

On the newer 16M flash devices, if you do not write your files into the flash folder, they will be erased on reboot, since the file root is a ram drive.
You can do this in winbox after doing the backup in the file window, by drag and drop of the file onto the flash folder.

docmarius

Default untagged VLAN is 1, not 0. VLAN 0 is an invalid VLAN ID. VLAN identifier (VID): a 12-bit field specifying the VLAN to which the frame belongs. The hexadecimal values of 0x000 and 0xFFF are reserved. All other values may be used as VLAN identifiers, allowing up to 4,094 VLANs. The reserved va...

docmarius

deleted.

docmarius

Why wireless package is inserted into main, when device dont support wireless? its funny.

Because you might want to use CAPsMAN on the device? So it is actually not that funny.

docmarius

Marking packets and connections is an router internal feature and have no consequences "on the wire".
IPv4 TOS/DSCP fields on the other hand could be used. But for this to happen, I think the Phone itself needs to be able to set the TOS/DSCP field, since it is a L3 feature, while switches work at L2.

docmarius

To trace the tunnel hops and to be visible to the tunnel traffic, this would mean that ALL routers along the way need to support EoIP, unpack the packet inside, decrease its TTL, repack it and send it to the destination. To expect something like this is hilarious at best, and totally inefficient. If...

docmarius

There is a question bothering me with all this BGP single core issue. So it takes a longer time to get full BGP tables because of this single core. But after that, where comes this single core issue into play since there are only updates beyond that point which I assume do not saturate that core? Af...

docmarius

Also my report:
CCR1009-1C-7G-1S-1S+ including Dude on SD, 922UAGS-5HPacD (NetMetal5) + R11e-5Hnd, LHG5, 960PGS (hEX POE), OmniTIK UPA-5HnD, 921GS-5HPacD r2 (mANTBox), 951G-2HnD, 450G, 750GL and 911G-5HPnD (QRT5)
all upgraded from 6.40.4 without incidents.

docmarius

Your requested file name and real file name is not 'yes' as shown in your tftp configuration.
So in order to get "tftp 192.168.102.1 GET Drums1.raw" working, you need:

/ip tftp
add real-filename=disk1/Drums1.raw req-filename=Drums1.raw

docmarius

According to the product description yes, it can. Assuming your TV supports DLNA, of course.
The router doesn't need to support anything. Just put the TV together with the NAS on your local LAN. No need for routing between them (actually DLNA UPNP discovery will not work if you do routing).

docmarius

And of course, all of you realize that not every torrent download is illegal. It is just a protocol, nothing more. Even some software distributions and updates are offered as torrents (e.g. Debian). The content may be illegal, but so is the content of any download. So IMHO, while blocking an offendi...

docmarius

That actually depends on your TV. You could get some small Linux board supporting e.g. SATA (Cubieboards are an example), or at least USB (Raspberry) and share the content either via some network file system (NFS, SAMBA - your TV needs to support this), or put some DLNA server on this device (e.g. T...

docmarius

The only conclusion I draw from that table is that MT equipment his NOT involved. At least this is what those "-" signs suggest. The mere fact that it appears in that table just shows that MT is important enough to be mentioned, not that it is vulnerable.

docmarius

The GPON system is meant to connect multiple clients to a central provider using a single optical connection and passive splitters. It uses a time division approach to multiplex the user traffic to achieve this. You need to have a central equipment (called OLT) providing the central management syste...

docmarius

Also remember that multicast are sent at 6Mbps if multicast helper is not set to full.

docmarius

Maybe no one has a solution? Or maybe the firewall solution which does not need pppoe still works and you could use it? Pppoe was only one solution out of 3. On the other hand, you insist 2 times in the only 2 posts of yours on getting a quick answer and how important "sharing knowledge" is. Maybe n...

docmarius

Eoip also uses GRE, just with an additional 2 byte addon in the header (the tunnel ID). This allows multiple eoip tunnels between the same hosts, while there is only a single GRE tunnel possible between them.

docmarius

You can run a CHR ROS image in a virtual machine. It supports the Dude server and will not interfere (unless configured to do so

).

docmarius

Except the loss of the user name in one pptp server binding on tile (out of 10), everything went smooth on NetMetal, LHGs, hEX POE and Omnitik and others.

docmarius

If SBC should mean Single Board Computer, then yes, according to the pictures it is built on a single board.
If you actually mean SoC (System on a Chip), then no, the QorIQ P2020 has external RAM and Flash, with a dual core e500v2 architecture on chip.

Why is this relevant?

docmarius

docmarius

Actually, the answer is right in the product description: It is just a SWITCH.

docmarius

There certainly is no 35LC20D with a 850nm laser, so you probably have either a wrong identification, or a defective part... Best direct this issue to support.

docmarius

No, you can not. Both fiber modules need to use the same optical wave length and the same fiber type. So if you choose a 85/05 SFP, it uses 850nm laser on a multimode fiber (OM3 or OM4) and uses 2 fiber strands (dual LC connector) for a 500m distance. The 35LC is a single mode transceiver that works...

docmarius

The device is a switch already out of the box. Ports 2-5 are switched. Just plug your cables into ports 2-5 and it will work as a switch. thanks for the reply, i've plugged in the ISP cable on ether1 and the tenda on ether5 ( i haven't configured anything my self, all were default settings came wit...

docmarius

I would expect the reverse situation: ROS will provide full functionality, with additional SW supported functions, while SWOS will be a kind of "light" OS providing more basic HW supported switching-only functions, with a more easy to use management interface.

docmarius

You have to understand that radio waves are not selectively addressed and can be received by anyone in the range of that AP, and there is no way around this. Everyone can sniff an AP's full traffic, no matter what (and some time the client's traffic, too, but this is not relevant in this discussion)...

docmarius

the question here is why should it must be that easy to discover the clients mac addresses by hackers so that they can copy them ???????? there must be away that we could hide them from everybody That's how an open system is supposed to work: Open. And there is no way to hide them as long the syste...

docmarius

Please define "powerful". Usually devices having switch chips inside run at wire speed. You can not get more switching power than that. It depends on what features you need in your particular case. Hybrid devices provide some additional switching and routing functions, too. But don't expect miracles...

docmarius

Another issue (CCR1009):
After the update from 6.39.2, one of my PPTP server binding entries lost the user name set for it.
Correction by hand solved it. All other similar entries where fine.

docmarius

Yes, add a src-nat rule on the internal interface with the matching you like. Take care that after dst-nat, the dst address is not the original one anymore, it is the one you set in dst-nat. So if you have e.g. public IP 1.2.3.4, incoming connection from 2.3.4.5 and a dst-nat to 192.168.1.2, on the ...

docmarius

You can always do a src-nat on the outgoing interface (in your case the internal interface) on a specific packet, which happens as the last step before sending it out to the network. How you decide on which one, depends on what you want. You could use ip matching, connection or packet marks, your im...

docmarius

Or a better fix, maybe adding setting where if the physical reset button on the router is held for 15 or 20 seconds during power up, then the RB resets to /sys reset-config no-defaults=yes (ie longer than the standard 5s press which resets to def. config) - this is something we as admins can easily...

docmarius

Don't you think that the need to keep not so proficient users safe from possible security breaches outweighs your need for commodity on device deployment? On the other hand, the need to do a preliminary bench pre-configuration before deployment to the customer (a simple reset without default config ...

docmarius

But why? It is a user forum, as you always say, not a dedicated RB1100AHx4 Dude Edition advertisement site for that page to be the home page.
And we already have MT hardware, and are informed about it, so we are no target for those advertisements anyway.

docmarius

I think there could be a misunderstanding here. By local server you mean a machime on your local network or a way to run a webserver on the router? While a local machine on the network can be reached by using simple dst-nat (a.k.a. port forwarding), seting up a web server with php on the router itse...

docmarius

And then again, in our case one could unsolder the flash chips, scrape the top layes and do a destructive reading cell by cell :D But seriously,, movig data between devices usually involves a read/write/delete operation, not moving the device itself. I know its just semantics but it dazzled me when ...

docmarius

That is if you want to physical move the data.

Physically move the disk, not the data....

docmarius

fat32 if you need to move data between the router and a PC. What's the logic behind this? The router has to read the file into RAM and send it, and the other way around on writing. And this has nothig to do with the undelying file system. So unless you want to move that SSD physically to a Windows ...

docmarius

If you run your DHCP server on a bridge, try to disable STP/RSTP on that bridge...

docmarius

The switch will work flawless with your 2011. And of course you will be able to upgrade to 10Gbps later. The only issue is that you will need 1Gbps SFPs for a start, since the 2011 doesn't support 10G modules (assuming you want to use the SFP port for the link. If not, a copper link will do fine unt...

docmarius

Delete all your connections in /ip firewall connections or restart your router.

docmarius

If you need official information on a specific topic you should mail support@mikrotik.com. Maybe they have an answer for you. But somehow I suspect the data ports are still there in a possible non-dude version since a M2 SSD or SATA device could serve other purposes, too, so its only the M2 card tha...

docmarius

You can actually disable/uninstall the dude on the "dude version" and optional plug out the SSD, you know?
Good luck with the new Edge Pro 4 if that's what you like better. Since this is a user forum nobody is holding a grunge at you but isn't impressed either.

docmarius

i doubt consumers would have that option to run mikrotik alongside a PC running linux. That's true, but on the other hand, I doubt consumers need all those full services. They actually need minimal but sufficient service support for regular tasks. Advanced services are out of the "consumer" scope. ...

docmarius

i know, but when i say important i mean you wouldnt be able to function without it. You dont need DNS for routing to work but you cant live without it either. You can't live without it on your network, but you certainly can live without it on your router. And this is an important distinction, meani...

docmarius

Ok, now it's clear. The issue I am pointing out is the fact that TDMA implementations solve the hidden client problem and give a better throughput, under the condition to have a clean channel. If 2 different wireless protocols are co-located on a channel, they will just interfere and there's nothing...

docmarius

Even if I agree on your points, I have to ask: who is "we" and "all Google users" ? I am a Google user an no one asked for my opinion. And I don't remember electing a representative to speak for me, as a Google user, in this forum. Probably the same goes for the other some 1 billion Google users. So...

docmarius

Really, could you please stop changing the forum "Home" link to something else than the forum home? That link is exactly for that, to reach the forum's home, and is used for that specific goal in virtual any phpBB forum on this planet. To be substituted with the 1100AHx4 specs, which probably everyo...

docmarius

It might be an inductor (3.9 uH) but if the noise is the only problem I wouldn't be worrying much about it. https://www.eevblog.com/forum/projects/hissing-inductor-cores/ After seeing the picture, it is certainly a 3.9 uH inductor, and that module looks like a switching DC/DC converter... Check on ...

docmarius

They probably will be released together with ROS 7

docmarius

From the notation, that is a 3.9 Ohm resistor.

docmarius

If I understand correctly, this board features POE in. If this is on eth1 and is blown so that there is a current leak through the POE circuitry on that port, connecting a cable to peripherals that create a short circuit between the POE pins will get the power supply to overload and the router to sh...

docmarius

How to Preference IPv4 over IPv6 on Dual stack ... That you have to set in your client machine. The router will serve both IPv4 and IPv6 if asked for it, with no discrimination. There is no such thing as a protocol "preference" concept in a router. The client decides what to ask for, not the router.

docmarius

since in vanilla linux nothing like this exists Yes it does. Have you ever issued a command like "ip route list table local" ? You will find a /32 host route for each network, interface and broadcast address of all the IPs assigned to your interfaces. Just that /32 routes in Linux don't have the /3...

docmarius

This is someone trying to access a FTP directory, non-existent or without permissions using your web proxy.

docmarius

I have UF-SM-1G-S (3km BiDi) working flawless on my CCR1009-7G-1C-1S+ in the combo port connected to an old gen. RB260GSP.
It does NOT work in the SFP+ slot though (module is recognized, but no link).

docmarius

Make router racks great again

docmarius

Those lists are the result of filtering the interface list.
So the 8 is your total number of interfaces, of which 0 are ppp.

docmarius

Is the 24 port CRS with PoE not enough for you guys?

What is the aversion to running in 2 CRS226's and sticking an SFP+ direct cable between them?

Where's the PoE out in the CRS226?

Anyway, MT announced the CRS328-24P-4S+RM at the MUM, with 802.3af/at. Time will tell.

docmarius

Exactly. It accepts 802.3af and puts out passive PoE.

docmarius

Having a web server, isn't it easier to set up virtual hosts on it and proxy www2.example.com to the destination you want by the web server? Even a page that just redirects to port 3000 would do. Then you only need to forward port 3000 to server:3000 on your router using simple port forward. Your cl...

docmarius

Hmmm, you are right, since there is no outgoing interface matching. I think I just had a bad idea :? but something like this could work: if1 (10.0.0.1) ------- server1 (10.0.0.2) - virtual (192.168.2.1) if2 (10.0.1.1) ------- server2 (10.0.1.2) - virtual (192.168.2.1) Check gateway by ping on 10.0.0...

docmarius

LE: Disregard the text below. Bad idea/it won't work. You can put your servers on a separate link with different subnet and assign 2 IPs to each, so you will need to reach e.g. 192.168.2.1 via 10.0.0.1. 192.168.3.1 via 10.0.0.2. In this case you would need to add a static route, which has the optio...

docmarius

It is not only an voltage and power issue. With 802.2af/at, the device negotiates its power level, following a specific protocol. With passive PoE, it just gets power over the pairs 4-5 and 7-8 (24V in most of the MT and UBNT devices). Because the device does not do power negotiation, your switch wi...

docmarius

Your switch provides 802.3at/af PoE, the hAP expects passive PoE, so it will no work. One option would be to use https://routerboard.com/RBGPOE-CON-HP. Or return your switch if possible and get one that supports 24V passive PoE like the ES-24. If 5 ports are enough, you can use the RB260GSP. Mikroti...

docmarius

Take the untagged port out of the switch, and put it in a bridge with the VLAN port. (In your example let's say VLAN10 hanging on ether4 and ether6 itself). On receive, you need to see a VLAN interface as a filter, extracting tagged traffic from the parent interface (the VLAN traffic will not be see...

Search found 1225 matches