MikroTik

Kindis

Anyone has issues with VRRP and connection sync? After upgrade to 7.17.x this no longer works for me. In a VRRP setup between a 3011 and 4011 I cannot get the sync to work anymore. It states Connections Tracking Inactive and I have to go to firewall > Connection and change tracking from Auto to Yes ...

Kindis

Finally, ordered mine via SHL in Sweden. What is SHL, a webshop? I can't find any distributor that has the device available for order. Waiting mainly for the Getic to have it in stock, since they also carry the mtik mugs, broke my previous mug and want to order the mug at the same time with the wAP...

Kindis

I have 3 cAP AX and I have very little to zero issues with them. The issues with SA Query timeout went away (I have no Intel card connected). So what is the issues mentioned here?

Kindis

Finally, ordered mine via SHL in Sweden.

Kindis

Looks very nice I must say. First thing however is that under interfaces the VRRP interfaces does not indicate if they are running master or backup. This means you have to open the interface to see the status, but this is a very very small complaint :-)

Kindis

Do you use capsman or run config on each ap?
also any reason why you have set G and not N for the 2 Ghz network.

Kindis

I use NextDNS for all this. Means I do not have to manage the dns and it's setting myself.
So I point all Dhcp to NextDNS and also perform dstnat on any port 53 traffik that is not going to NextDNS so that goes to NextDNS.
Work very well for my setup at least.

Kindis

Are your hap ac moving or why I'd this needed? Genuinely interested in the use case.

Kindis

So in the start in the switch to vendor supplied drivers vlan tagging did not work with new CapsMAN. So you could not enable vlan filtering on the bridge because then it did not work. For example dynamic interfaces did not get the assigned vlan in the bridge config. This was corrected in, I think, 7...

Kindis

Aha so the group-key-update changed when moving from Wireless to Wifi. So 5 min apply for "old" wireless" and 24 hours is default for "new wifi".

Kindis

Why did you use "group-key-update=1h" instead of the 24h default? Default for group-key-update if you leave it empty is 5 min. This for me breaks a few IoT devices as they do not have the process power to calculate the key before it needs to be recalculated. I set mine to 60 min as well. ...

Kindis

*) wifi-qcom - updated driver;

Is there a why to find out what this does? New version from the vendor and if so what does it fix/add/break?

Kindis

Now I'm no expert here but 200+ on a single AP sound like trouble if you ask me.

Where is this to be used? large room or outside? Regardless of this having so many users on one (or in this case two radios) is a lot I would claim.

Kindis

Yes, I have several cAP AX and also wAP AC (arm) and for ax devices I select AX and for ac devices I select 5GHz-AC.
This mean you have to build different configuration and provision based on MAC address.

Kindis

Well I would love to help but need to see the config to do so.
I also think there is something strange in config but as you have devices that work I do not know. Want to look into the config as some things you can do should not be passable with manager at to capsman.

Kindis

Late to the party here but can you do a full export of interface/wifi both on capsman and cap (both a hap ax2 and cap ax) I have 3 cAP AX and I do not have this issue at all. One thing that I wonder is you say that you can configure each wifi interface on the cap and that is the only way to get it t...

Kindis

Did you download the X86 version and tried to upgrade?
you should use arm 64 for cap ax.

Kindis

Build different configurations for AC and AX devices. Set AC on the AC and AX on the AX.

Kindis

VLAN do work but you need to configure them manually on the bridge on each CAP.
Check this thread out: viewtopic.php?t=202565

Kindis

I have a Pixel 7 Pro and it work with roming well. Roaming between different ap's (cap ax) that are capsman controlled means I now can have a Teams call and walk in the building without having the call cut and reconnected once phone switched ap. Works great on my iPhone as well. For AC interfaces th...

Kindis

I have asked support and answer I get is "It is currently not supported"
My guess is that not enough AC interfaces where running the wave2 package with capsman (too few complained) but 7.13 will change that so i hope it will be fixed.

Kindis

Great new!! I also hope they will fix this VLAN and AC interface issue. I have asked multiple time and the response I get is "This currently does not work" Does this mean they will fix it? I do not know but I think it has not been a priority as not that many has used AC interfaces with new...

Kindis

I leave the datapath empty on CapsMAN configuration. You then add the correct VLAN on the CAP to the correct PVID in bridge settings. As the Slave interfaces becomes static you just add them as ports in bridge and provide the PVID to the correct VLAN you need. So more or less you push config for all...

Kindis

On the cAP AC enable Static Slave (/interface/wifi/cap> set slaves-static=yes) This means each interface will stay permanent and you can add them to the bridge as ports and set PVID. I have this on a wAP AC and it works like a charm. Edit: Should also say I do not have any VLAN config in datapath fo...

Kindis

That is true but you cannot set the interface to capsman like you could before. So you cannot run it via capsman but use same config but manually and locally controlled.

Kindis

New CapsMAN and qcom-ac do not support VLAN set under datapath for AC interfaces so this will affect hAP AC3 as well. I asked support what I should do the the reply was to on the CAP set Static Slave = True and assign each interface to the bridge and give correct PVID. The static Slave means the int...

Kindis

I have Create Dynamic set on CapsMAN so the interfaces goes away on the CapsMAN machine but the interfaces stays on the CAP. I then add each wifi interface, both real and slave, as a bridge port and give the PVID that it should be on and then VLAN works for me. So far I have updated the CAP and rest...

Kindis

@glet On each CAP you need to set slaves-static: yes. If you do this each slave interfaces will be permanent and not dynamic so you can configure them. This is what support told me and I did so and it works. It is good? No I would not say so but this means slave interfaces does work and can survive ...

Kindis

@glat I have always used the bridge to manage VLAN so this was not a problem for me but I do need to add each WIFI interface, main or slave, as a port in the bridge. I agree if we want to migrate in large scale I think getting it to works like the AX interfaces would be great. Not sure this will hel...

Kindis

I have a wAP AC running 7.13rc2 and I have no issues but I do use bridge with VLAN filtering on and have made the dynamic interfaces static on the wAP AC so I could add them to the bridge and they do not disappear every time I reboot the device. Works like a charm. All this under new CapsMAN working...

Kindis

@sp670 I do not think the MIPSBE chipset supports wave2 as this is needed.

Kindis

This I would love to know as well. The vlan.id is till in the wiki for wifi (new) and in old for wifiwave2 but I wonder now that a hell of a lot more devices can run new CapsMAN if this will not be fixed especially as forwarding is no longer present and vlan is needed. I have emailed and asked and h...

Kindis

So they issue that AC interfaces do not get VLAN assigned on the bridge is still present in this release? If so is there a plan to fix this?

Kindis

Yes only ARM devices will get it no MIPSBE

Kindis

this is not true. -ac in this case is legacy (old) compatibility package. we don't plan to make -be packages, it will always be wifi only Well I do not think this is a hill to die on I agree with previous statement. My understanding is that management software ie. CapsMAN, is built into the bundle ...

Kindis

As there is no forward mode anymore in V2, which I used before, I had to change my setup. Before all VLAN management was done in CapsMAN and the APs only had an access port without any tagging etc. This has changed now so I need to have VLAN on each AP, I hope this change in the future, and for this...

Kindis

I do not get your config either and do not understand the untagged thing nor the VLAN interface you have but as I started I do not fully understand what you are trying to do either. I have 3 cAP AX and untagged on them is the management VLAN to which they access the CapsMAN server and, and there are...

Kindis

Why do you have a VLAN interface under the Bridge? In my setup they all report as tagged into the Bridge which is what I want. Then the bridge has a trunk port to the switches to manage the VLAN so it finds it's way back to the firewall/router to be processed. I can be wrong here but if they where u...

Kindis

@Kaldek, I moved all my Cap AX to be managed by CapsMAN a few weeks ago and have no issues. Running 7.11.2 right now and all interfaces, both main and slaves are added to bridge and correct VLAN, even if there is a bug that add PVID 1 right now, fixed in 7.12, everything works great and I LOVE that ...

Kindis

Test to change the group key update to 30 min or perhaps even 60 min. IoT devices like cannot calculate the group key in time when set to 5 min like default is here.
I suggest you set it to 60 min and test without a password. If this works add password and see.

Kindis

I know I have complained in the past about how security updates have been announced. In this case it have been flawless. Many thanks for this!

Kindis

Updated 3 cAP AX running without CapsMAN but with VLAN. Killed the dataflow for all VLAN tagged networks. Had to remove all the wireless interfaces in the bridge so the dynamic interfaces could be created for the VLAN to start running again (tagged). Apart from this no issues. With bridge ports now ...

Kindis

No but banks have something I do not, a crapton of money

Kindis

... as I avoid exposing VPN to internet. This comment I do not understand ? The whole point of VPN is to be completely safeguarded from whatever intermediate step there is. But no internet = no VPN. Or do you mean something else ? The more service exposed to internet the more can break or be hacked...

Kindis

I disagree! I would love to have it in the same tool to be part of the Winbox. So you can check have it perform the portknock while connecting. For me this makes sense so avoid different tool this feature would not have to be used if you do not to. Would solve this issue of making sure to have the s...

Kindis

Perhaps not relevant to your setup but this is in changelog for release 7.5
*) vrrp - added "sync-connection-tracking" compatibility with preemption-mode;

So now they should work together. I have not tested this however.

Kindis

Is this over a VPN tunnel?

Kindis

Can we add this on a HTTPS link as well so I can download it. Work do not allow PDF download over HTTP.

Kindis

I have a netatmo weather station as well and I do not have this issue. I wonder if this is related to changes in IP at the service level? Do they all stop working at the same time? Have you tested to send 1.1.1.1 as secondary DNS server via Dhcp so they can go external in case of inte internal issue...

Kindis

Do you use the services in any way provided by the web server? If do not then disable it. If you only use it for admin purpose then make sure it is only accessible from specific networks or hosts where the scanner is not part of that. Then ask for a rescan and problem should be solved from a report ...

Kindis

At this point I would do a full export of the config, review it in full so you don't have any bad stuff in there. Then netinstall to the same version you have, secure the router and import the same config. My guess at this point it will be quicker and hopefully works if there are issues with the ins...

Kindis

I assume that this only happens during high traffic over the pptp connection? I maintain the idea that this is they way pptp works. The interface will only run over one CPU core and that is the effect you see now. I can be wrong but think this is the way it work. So not a bug but by design. Still t...

Kindis

There are no changes since rc2. How can you not test the RB3011 SFP bug before releasing this into " stable "? Very fun downgrading routers at remote sites today! How can I go from 6.x to 7.2.x? If I set channel=upgrade it will chose 7.3 as of now. Should I just manually upload 7.2.x NPK ...

Kindis

All you do is useless, nowaday (near) all sites use HTTPS and http(not S) web proxy can't do anything.

True for MT perhaps but not universal. If you break TLS inspection can be done. We do this with squid which works great.

Kindis

I assume that this only happens during high traffic over the pptp connection? I maintain the idea that this is they way pptp works. The interface will only run over one CPU core and that is the effect you see now. I can be wrong but think this is the way it work. So not a bug but by design. Still th...

Kindis

I may be wrong here but does pptp spread over cores or is it only one core for all traffic?

Kindis

What device do you have?
It is a big step to jump but should be fine I think.
If you can partition your device then rollback will be simple.

Kindis

hola amigos del grupo, a alguno le a pasado que han actualizado una RouterBOARD 750G r3 a la versión 6.49.6 y deja de guardar configuraciones, es decir cuando se apaga o reinicia vuelve atrás los últimos cambios después de la actualización..Por favor alguna solución??? NY guess is out of storage. H...

Kindis

Well my guess is there that somehow hardware offload is not active on a port somehow. If you run the following: /interface bridge port print Do you then get an H marked before all ports? My guess is that some port is not and for this reason traffic hits the CPU. Bonding and LACP should provide hardw...

Kindis

Great news and on a Friday as well

Kindis

Must be the switches I assume. What brand are they?

Kindis

Post your firewall config on both routers. If both go into RM it means they cannot see Vrrp traffic between each other.
Do you approve Vrrp in firewall to input?

Kindis

Holly Molly what a changelog. Great work but I need a day just to ingest the changelog :-)

Kindis

Ok so I have upgraded two 3011 now. One acting as redundancy unit for WAN and the second one as a redundancy LAN router, so totally different config between them. All went well. Both ROS upgrade and firmware upgrade. Upgraded from 7.1.1 (both ROS and firmware). So it is possible to upgrade a 3011 wi...

Kindis

Kindis, eworm, timnis - currently we have not managed to reproduce such an issue, however, we are trying to gather information in order to find a root cause of the problem. Most likely the issue is related to the version from which the router is upgraded, not the version to which it is upgraded; Ar...

Kindis

@strods: Many thanks! I run 7.1.1 and will try to upgrade tonight to see what happens. I will create supout files before just in case I need to create a case.

Kindis

So the issues with 3011 that was reported on the forum (bootloop etc) for 7.1.2 is that a confirmed issue that has been solved here? Looked to be more related to firmware then ROS.

Kindis

Hello, - HAP AC - update OK 7.1.2 from 6.49.3 - CAP AC - update OK 7.1.2 from 6.49.3 - CAP AC XL - update OK 7.1.2 from 6.49.3 - WAP AC - update OK 7.1.2 from 6.49.3 - RB951G-2HnD - update OK 7.1.2 from 6.49.2 (routerboard firmware 6.47) - RB3011UiAS on friday dead after update to 7.1.2 from 6.49.3...

Kindis

Just a bit worrying that more then one said their 3011 dies after upgrade and specifically firmware (router boot).
I just did not feel like netinstalling today so if someone know that 7.1.2 with same firmware do not cause a issue I might try this out this weekend.

Kindis

A bit worried about 3011 reports here. Anyone who have updated a 3011 including the firmware as well without issues?

Kindis

Post your config on both devices.
What does the 1 node say in the logs during these issues?

Kindis

Fits the model of only seeing 2 GB perfect and I'm not sure modern systems activate or support this. Have seen this before, on Linux, where have had appliances where we cannot see the full 4 GB but that have always been done to PAE not enabled in the Linux as part of the appliance software. If the h...

Kindis

Now that we have 64 Bit systems we have forgotten how it use to be :) The 2 GB limit is a real limit for systems running 32 Bit as is a limitation from the 32 Bit address space. https://en.wikipedia.org/wiki/2_GB_limit So my assumption here is that PAE is not used thus limiting the memory to 2 GB ht...

Kindis

If you have check everything, including that CAPMan is turned on I suggest you do a upgrade, create supout files and create a case with MT.
I had issues with OSPF not working and got rather quick reply to solve my issue.

Kindis

Normis wrote the following on Reddit yesterday about this issue:

Power related issues have caused a chain of events in our internal server system, we are working on it.

https://www.reddit.com/r/mikrotik/comme ... &context=3

Kindis

I got back info from MT. It was a MTU issue. Now I use default which results in 1422 on both sides but OSPF claimed to get MTU of 1432 so something is strange. I still claim that something is wrong but in this case more related to MTU of GRE and L2TP tunnels. Regardless setting MTU to 1400 solved th...

Kindis

Me to but I get this on some GRE and L2TP interfaces. Not on all just some. Cannot find anything different with config so I suspect a bug somewhere.
I'm the LAN it works like a charm.

Kindis

Are you stuck at ExStart on the state? I had this issue and did a rollback to get it working again. Created supout and reported it today.
I think OSPF still needs some love to get to a good state.

Kindis

So after some testa I had to do a rollback to V6 due to issues with OSPF. It gets stuck in ExStart state on some links. Had the same issue on two diffrent routers. Same config but had diffrent results. Also interfaces that run over a L2TP (or anything PPP) do not convert over to a Interface Template...

Kindis

What's new in 7.1rc7 (2021-Nov-25 16:35): *) ipsec - fixed hardware acceleration support for ARM and ARM64 devices; Not sure what is fixed, but my RDP sessions to Windows 2012 R2-instances are still dropping out about every minute. RDCMan_DYG87BsyBf.png This has been the case since v7 with multiple...

Kindis

So how about a new strategy? Buy NextDNS and point all DNS, Dot and Doh to them and your config. I use to do something similar but worked like crap. In NextDNS I can do DNS rewrite and I have added the things I want a internal resolve for. By doing this I moved the issue to someone else who support ...

Kindis

I agree with what is written above. I have no routers that are flagged but if I did what should I do? And how do I see it is flagged? Do I need to run a command every time to see it?
Great Idea but more info would be good.

Kindis

I still this the issue apply even for you. In this case you ask for the domain aaa.exmaple.com and that does not exist in public DNS. Now I cannot be sure but the issue I see is that the question I send for a CNAME is not managed within the device but is sent to the external DNS resolved you have. D...

Kindis

Adding CNAME to ROS does not work as it should. I have a case with MT where they have confirmed this issue. What I see is that a CNAME I add does not work at all. Now I use network.local as the suffix for the CNAME Key but a "real" FQDN as value. This only works if I resolve the value firs...

Kindis

RouterOS version 7.1rc4 has been released in public "development" channel! What's new in 7.1rc4 (2021-Sep-20 13:18): *) improved filesystem and configuration storage stability; *) show "expired password" prompt for users with blank password; *) other fixes and improvements; All ...

Kindis

Lost access to a CHR after reboot. Turned out that the CHR had lost all config including users so I needed to login with admin and blank password.
So losing config is still an issue. I will see if I can reproduce the problem again but this happens after it had been running for a few days.

Kindis

A big battery with a solar power should work for the router as they do not draw much power but the camera is a big unknown. There must be ready made battery and solar cells for use in off grid areas that should work. If memory serves me right you live in Canada and there should definitely be somethi...

Kindis

No issues here currently. I can connect using *,.sn.mynetname.net names.

Kindis

I have a similar issue with the addition of Window button. This added button messes with my musclememory so when I want to start a new Winbox I now click Exit instead.
Can we not move the Exit button further down?

Kindis

The problem I have is that if I add a CNAME that does not exist externally, for example test.example.local, and then add the value to a URL that does esist, for example www.google.com. This does not work. I get a domain does not exist and the reason is that the DNS resolver sends this CNAME question...

Kindis

I have given up on static entries in the DNS. CNAME does not work at all for me. I see that all CNAME's I have are resolved externally and as they do not exist publicly, only internally, it does not work. As I pay for NextDNS and they have a static DNS entry I have added all my DNS entries there. Wo...

Kindis

I think the bug described by pe1ch is dependent on large updates in the GUI. I cannot replicate the issue either but I use fasttrack meaning GUI does not update that much. However if I do a large address list import I can sort of experience the issue but not with the same outcome.

Kindis

@pe1chl: I cannot replicate this per say but I think the key here is traffic volume. As I use Fasttrack and do not have crazy number of session I do not see that much updates in the GUI. But I tested to reload a blocklist I have with over 80 000 entries which removes them and then reloads them and w...

Kindis

@pe1chl can you describe the issue in more detail as I want to test as well. I have not sizing issues of columns but I might not use the functions as you.
I know you wrong once here but I do not understand what the bug is.

Kindis

*) added "Windows" menu for list of all currently opened windows
*) allow changing column order by using drag and drop

Love this. Many thanks!

Kindis

I agree the filter should be in the head but tell that to the 99 year old IT manager of a government branch that still wonder why his fax is not used more

But in this case having this solved in a product on the client / linked to the client is the best option.

Kindis

This should mean you control the client's. I would look at a service like Cisco umbrella or zScaler. That will fix this for you + provide extra security + move the blocking from the network.

Kindis

So this is a hard one. You can buy a DNS service, I use NextDNS, where you can force the clients to use it and block other service via blocking the DNS name. For example blocking dns.google.com meaning it will not resolve and will not work. But this will be a constant struggle to maintain. What is t...

Kindis

Do an /export hide-sensitive and post here (remember to clean out stuff you don't want on internet.

Kindis

What you can read above but here is a link to the wiki for this.
https://wiki.mikrotik.com/wiki/Manual:C ... s_switches

Kindis

DNS won't work right either unless you control the config of the connected clients. Reason is DNS over HTTPS. It is more or less default on now and that means that the client will only one unencrypted question and that is to the DoH service unless you use cloud flare which is based on IP. If you als...

Kindis

I'm also very interested in what is going on with V7 but more from a wireless perspective and how this may or may not affect me.
Perhaps V7 is left out to have it's own announcement #wishfulthinking

Kindis

Do a /export hide-sensitive and post here.
If you plan to use it as a switch, not a router, this should not be a problem.

Kindis

Do you use FastTrack?
If so once a connection is marked is does not pass the firewall filter again. Turn off FastTrack, and restart and see of the issue is still present.
I also think you can create a rule in raw as I think fast tracked connections do hit raw so you should be able to block it there.

Kindis

If you use DoH uncheck Verify DoH Certificate. This should solve the issue until MT fixes the issue.

Kindis

Nope did not solve the CNAME issue I have (and have a case for at MT).

Kindis

Perhaps that is related to the fact that type=FWD does not work if DoH is enabled... I hope Mikrotik will look into this and fix this/both issues. I wonder if this is part of CNAME issues I have. If you add a CNAME with a public A record it does not resolve. When you query the CNAME it does not loo...

Kindis

So I have a similar setup using NextDNS. I have added a few static DNS records that end in network.lan so I can assess network assets by name instead of IP. Clients can ONLY use MT or NextDNS as DNS resolver. Everything else is blocked. So I did a quick look in the NetxDNS GUI and found nothing. I h...

Kindis

Looks like one core is running at 100%. The RB750Gr3 have 2 cores and 4 threads. Guess this is single threaded so it would explain the drops. Also verify that you run hardware offload. CCR and RB750Gr3 does not support all the same things for hardware offload. https://wiki.mikrotik.com/wiki/Manual:I...

Kindis

Now I can be wrong here but I had a simular issue with GRE tunnels. The issue is most likely that the endpoint that did not restart have not understood that the router rebooted and this flushed all the SA. Test to lower the timeout value of the tunnel and also retries so that the tunnel goes down if...

Kindis

Silently removed 66960 Mhz channel support. Why?
No info in the changelog just nothing :-(

Have a look at this: viewtopic.php?f=7&t=176086

Kindis

It has been rock solid and only started with newest build. Solved by adding external resolution to clients as well.

Kindis

I had a strange issue tonight. All DNS resolving stopped. The log said Doh time issues and if I removed Doh did not solve the issue. The DNS cache was empty and I could not resolve anything. Only after a restart did things start to work again. Funny thing is that every unit had the same issue at the...

Kindis

meensb could you please check your CAPsMAN logs if cAP ac joined it after the upgrade to 6.48.3? If anyone else has experienced an issue with cAP ac not booting after the update to 6.48.3 please write to support. https://mikrotik.com/support You are referencing RBcAPGi-5acD2nD here? I am running tr...

Kindis

I'm not good at explaining, English is not my mother language. What I wanted to explain is that these so-called vulnerabilities are nonsense in comparison to other past and actual problems. (Non-RouterOS related) Here we are in full agreement. The issues are not that bad at all, especially the desi...

Kindis

Kindis, what is missing from the blog? All serious security issues are in there. We will add Frag, but in my opinion, it is not serious at all. It's like discovering that your front door can be opened in a few minutes with the right lockpick, or it's like putting a security door in the main entranc...

Kindis

Kindis, what is missing from the blog? All serious security issues are in there. We will add Frag, but in my opinion, it is not serious at all. Well it is up to you but I follow many vendors and I do not really care if the risk is low to high but I would like an update to see if a security update h...

Kindis

Also also please please please update the blog you have with new details about Security
or
Shut it down as you clearly are not using it they way you presented it.

Kindis

This means you also have the implementation issues and not only the design flaws.
Many thanks for quick reply

Kindis

---------------------- !) wireless - fixed all affecting 'FragAttacks' vulnerabilities (CVE-2020-24587, CVE-2020-24588, CVE-2020-26144, CVE-2020-26146, CVE-2020-26147); ---------------------- Does this have an expected performance hit? In the tests conducted so far, no meaningful differences in CPU...

Kindis

---------------------- !) wireless - fixed all affecting 'FragAttacks' vulnerabilities (CVE-2020-24587, CVE-2020-24588, CVE-2020-26144, CVE-2020-26146, CVE-2020-26147); ---------------------- Does this have an expected performance hit? In the tests conducted so far, no meaningful differences in CPU...

Kindis

I know you can probably not answer this but I'm gonna ask any way :-)

Do you have a release timeline for Stable and Long-Term? Can we expect anything this week or is most targeted further ahead?

Kindis

You should remove this file from here and send to support@mikrotik.com.
This file contains passwords etc so you should not post it in the forum here.

Kindis

Interesting, changed to next dns (downloaded cert and enabled verification) New https://45.90.28.0/dns-query Old https://1.1.1.1/dns-query Will in some hour see if memory goes up. So here is a difference and now my perhaps poor skills of DoH will popup. But if you use the IP in the HTTPS how can th...

Kindis

Yes: SUP-47171 That is great! I did however activate DoH certificate verification on my 4011 (main resolver) and interestingly I do not have the same issue. So I have been running with this enabled a few days and I do not have the same trend your routers display. I followed the guide of NextDNS and...

Kindis

I always restart my equipment twice after a upgrade. First ROS then firmware. I think that in many cases a second restart solves many issues. So perhaps the reboot solved the issue?

Kindis

What's new in 6.49beta38 (2021-Apr-23 10:31): Changes in this release: *) system - improved resource allocation (improves several service stability e.g. HTTPS, PPPoE, VPN); If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be ...

Kindis

When I read stuff like this I get a little mad with myself. Why oooo why did I not think of this! I will implement this on the main resolver at once. That will just be like pee in the pants to get worm. Short term solution. You do not know what other stuff may go wrong due to the memory leakage. I ...

Kindis

At the end the graph jumps down. Is that just disabling verification or a reboot? So would a scheduled disable and enable work around the issue?

When I read stuff like this I get a little mad with myself. Why oooo why did I not think of this! I will implement this on the main resolver at once.

Kindis

The new update fix the RB3011's port flapping?

No not this one but the previous one 6.48.1 fixed that issue if we are talking about issues that where added into 6.48 release.

Kindis

How's it going with the doh? I'm also waiting for a leak fix to drag this function to the router. Does not look to good. It may be to short, but as seen below DoH enabled around 12:00 and sine then it has raised around 1%. Will report back after some days. Before I added DoH the memory was around 2...

Kindis

Upgraded an RB3011 to 6.48.2 and log started filling up with OSPF errors and no OSPF routes were being distributed. Ignoring Link State Acknowledgment packet: wrong peer state state=2-Way Other OSPF routers distributing routes on the same backbone include 3 CHRs and an RB750Gr3. I wasn't planning t...

Kindis

So I just moved my DNS queries to my MT units and use DoH to NextDNS and I do not have a issue resolving this. > ssl.gstatic.com Server: UnKnown Address: x.x.x.x Non-authoritative answer: Name: ssl.gstatic.com Addresses: 2a00:1450:400f:804::2003 142.250.74.131 But I'm not using Google DNS service to...

Kindis

Now I do not know this for a fact but my understanding is that the switch does not have a transformer so it cannot step the voltage up or down. It can just relay what it get from the power supply.

Kindis

Many thanks for quick reply.

Kindis

Hello, I'm just curios if CVE-2021-3450 has any impact on ROS? Thinking primarily for SSTP and so on but I guess it is not a major issue regardless but would like to know if ROS is affected and in that case I guess we can expect a release to fix this as well. Edit: Forgot the link https://www.openss...

Kindis

Wow interesting. What happens if you log everything for a min. Is it all different IPs?

Kindis

Have you seen last 6.49Beta?

What's new in 6.49beta22 (2021-Mar-08 09:07):

Changes in this release:

*) crs3xx - improved 1Gbps Ethernet port group traffic forwarding for CRS354 devices;

Do not know if this is related but might be?

Kindis

So VRRP the dead minimum is 3 IP's and they need to be on the same network and they use broadcast. So I would say no this will not work. With that said perhaps you can use scripts etc to move the IP between devices. For example if you create a VRRP on the internal network you can add UP and Down scr...

Kindis

We need more info. I run my connection over (500/500) and I have no issues working from home with other family members using internet at the same time. I also have a 4011 (none wireless).

How are you connected? If wireless I bet that is the problem.

Kindis

Upgraded the following units from 6.47.8
Two 3011
One RB750Gr3
One cAP AC

No issues and full production has been moved to these units. Will see during the weekend how all looks.

Kindis

What about RB3011 port flapping re-introduced in 6.48?

It's this one

) switch - fixed interface toggling for devices with multiple QCA8337, Atheros8327 or RTL8367 switch chips (introduced in v6.48);

Kindis

Will be there no further V6.48.XX versions?
From the doomed V6.48 straight to V6.49?

I would guess we will get a 6.48.1 today.

Kindis

Haha. Many thanks for this.

Kindis

Also please MT update the Security blog
https://blog.mikrotik.com/security/

*) hotspot - fixed special character parsing in "target" variable (CVE-2021-3014);

Either keep this blog up to date (which is not what is happening now) or shut it down.

Kindis

Great news but is there a fix for the interface issues with 3011 in here but 3011 is not just mentioned in the changelog?

Edit: I'm just blind. It is this one!

*) switch - fixed interface toggling for devices with multiple QCA8337, Atheros8327 or RTL8367 switch chips (introduced in v6.48);

Kindis

roadblock Does the developer Team fell into wintersleep? I'm wondering if perhaps they do not intend to release a 6.49 (moving to v7 instead as the next stable release after 6.48) and their existing build process is forcing them to release a 6.49 beta X in order to add the fixes to 6.48, like they ...

Kindis

I will be honest and say I had not thought about Add and Set but I guess Add is adding and Set is changing something already added. I however do most of this via Winbox as I lile the visual presentation and think that it makes for easier understanding of the configuration. So I would have used Winbo...

Kindis

So having a quick look while between meetings :) I can see that SFP1 is currently specified as a Tragged only port add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp1 You need to change this to add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingr...

Kindis

So in first part of post spf1 is under tagged for vlan 1005 but in later output it is under untagged. It should be under untagged and PVID for the port is correct.
Can you do a full export under interface bridge?

Kindis

3011 and port flapping is a known issue on 6.48 and MT said next release will fix this.

Kindis

If you need anything MORE stable - go to Zyxel with their zyfwp. but keep in mind that you share your admin account with anyone on the internet https://nakedsecurity.sophos.com/2021/01/06/zyxel-hardcoded-admin-password-found-patch-now/ zyfwp is the hard coded account so I think a joke was made here 😁

Kindis

What version are you running of ROS?

Kindis

Ok so this might be a stupid question but have you tested other speed testing sites? I mean just because you get crap speed on one speed test site/connection does not mean you connection is bad. If you download a ISO file or something else that is big can you get the proper speed then? I use to have...

Kindis

Export config and we can see but I had a simular issue when I started using CapsMAN. I use local forwarding so the AP do not tunnel the traffic to the router. What solved my issue was that I had forgotten to add the Bridge in CAP config on the AP. Once I added the bridge in the config on the ap it a...

Kindis

Read in this thread about SIP and workaround.. All is written here.

Kindis

So you have 2 Bridges. One named Bridge and one named VLAN2. Hardware offload only works for one bridge. You have to move the config from VLAN to bridge to the Bridge named Bridge (This became confusing :)) to get this to work. Then delete other Bridge Read more here https://wiki.mikrotik.com/wiki/M...

Kindis

It's not the Mikrotik's fault.
The Marvell chip manufacturer is responsible for this.

So it may be but we are not marwell customers but Mikrotik customers so we are affected how MT handle this.

Kindis

So you have bought a switch and not a router, but a switch that can act as a router (Cloud Router Switch, stupid name I know) So you should only use these for switching and perhaps light routing tasks so primarily L2. Read more here on how to make sure you use correct config in ROS. https://wiki.mik...

Kindis

Ethernet test results I think is routing not switching.
Switching result with 1500 bytes is as you write 43,427.8 Mbit which is around 40 Gbit. So there should be no issue as long as it is correctly configured for hardware offload.

Kindis

Really hope they fix the RB3011 finally. Mine has been flapping for years, I have 2 years of logs to prove it. Some updates ware better some worse, but none fixed it truly. set X cpu-flow-control=no name="Switch x" does help a bit, but never really went away, just went from many flaps a d...

Kindis

To someone having problems with SIP phones: Could you please check log of the router with ROS 6.48, whether there are unexpected flapping events (link down/up) or not? Since the linkdowns last between 1 and 2 seconds (as observed in my lab), it could cause "Lagged" state in Asterisk when ...

Kindis

They are and this you should be able to do. Never done this so cannot help there but they operate independently of each other.

Kindis

Great. As wiki states doing this removed hardware offload which explains the CPU Use split horizon bridging to prevent bridging loops. Set the same value for group of ports, to prevent them from sending data to ports with the same horizon value. Split horizon is a software feature that disables hard...

Kindis

Export your config with hide-sensitive option and post your output here.
Also have a look at tools>profile to see what process consumes the CPU.
And finally verify hardware offload is active on the ports

Kindis

I have an RB1100AHx4 running on 6.47 for about 185 days now, which is when that version was released. I'm currently not experiencing any issues, bugs or any other problems yet. I checked change logs and there doesn't seem to be any security fixes since then. Should I leave it as is or upgrade? Rout...

Kindis

Almost every device out there based on ipq4018/4019 has atleast 256MB of RAM. With a few exceptions, like RT-AC58U which struggles to not throw errors because of the very limited memory available out of the 128MB total. So I wouldn't keep my hopes up to see it running in the future on lower require...

Kindis

So in this case I agree and disagree at the same time. If I compare this to other routers I meet at work like Cisco or Juniper a upgrade of the version thus upgrade both OS and firmware at the same time, even if the upgrade process is way way worse sometimes. The way I see this is that ROS is a OS r...

Kindis

So if you have 2 * 8 cores I think you have to provide a Max of 8 cores per virtual socket.

Kindis

This does not make sense to me. I mean if you use VPN Disney+ should not see your original IP address but only your VPN address. So how did they get your IP?
What VPN service was used?

Kindis

What happen if you put a Gbit switch between? Just to see if the switch can get at 1 Gbit link. So I tested with a gigabit switch, and it didn't work. (some cheap tp link) I also set 2 bridge ports on the IPS router (the one they gave to me), and used it as a gigabit switch - the HAP links at 1gbps...

Kindis

What happen if you put a Gbit switch between?
Just to see if the switch can get at 1 Gbit link.

Kindis

I would remove the above file as this contains a little bit more then I would suggest you share. Run /export hide-sensitive instead and post the output here. However I have a all Mikrotik core at home and run 6.47.7 on all routers and do not have this issue. I also reside in Sweden and all my units ...

Kindis

So each socket has 64 cores and each CPU is it's on NUMA node if my memory is correct. So if you want to use more then 64 cores you have to use more then one socket.

How have you configured CPU on the VM the CHR is running on?

Kindis

Updated one wAP R and one CRS326-24G-2S+RM all without issues.

Kindis

Is the company going to correct this error? Did you write to support with that problem? This is not a problem of a single device but a stable branch 6.47.X At 6.46.X works correctly 951Ui-2HnD models - cyclic reboot SUP-32199 RB2011UiAS-2HnD - show "ether boot" on LCD Regardless you shoul...

Kindis

The defconf issue is already resolved. Fix will be included in the next RouterOS release. It has been resolved before! I would hope that when such mistakes are made, they are added to the regression testing done before releasing a new version, especially in [stable]. Yes I agree how does this not g...

Kindis

If the issue is THAT specific I agree with You, but after all said above, I'm guessing that the Support team is aware what it is and working on fix, but not successful obviously. At least for now. As I stated I do not think there is one issue I think there are multiple. The more cases we pile on to...

Kindis

I know it has been said before here but I also think that there is not 1 issue here but several. Might be hardware for some and software for some users. So to fix I think it is important to generate a supout file during the issue and email support@mikrotik.com to get your own case for your issues. O...

Kindis

I think you are misunderstanding IP on the bridge. This is the vlan that the bridge itself is on. So when you add a IP to the bridge you put that IP on that vlan. View this as the MGMT VLAN. Now according to the example the last thing you do is to set a rule for vlan 1 that is tagged for Bridge but ...

Kindis

As you see the router can you connect using MAC address instead?

Kindis

https://wiki.mikrotik.com/wiki/Manual:IP/Settings

From the Wiki: Disable or enable Linux route cache. Note that by disabling route cache, it will also disable fast path.

Kindis

I said this in DM but I noticed that UPnP is disabled. So test to enable it would be a good start.
Also agreed ports are confusing as hell but hopefully UPnP would solve this.

Kindis

If you run the code in CLI the rules will be placed last and below the drop rules so they will not work. You have to move them so they are above the drop rules which are last.

Kindis

Hello, So the NAT rules should be like this: /ip firewall nat add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=tcp to-addresses=192.168.88.246 add action=dst-nat chain=dstnat dst-port=88,500,3074,3544,4500,5730-5731,5739 in-interface=ether1 protocol=udp to-addresses=192.168...

Kindis

Ok so you can forward and open these port or use UPnP. Now I'm no fan of UPnP but in this case it might be the best option for you. Can you do a export hide-sensitive and paste the output. Could be UPnP that needs tweaking. If not we can help with NAT rules as we can se interface names and so on th...

Kindis

Ok so you can forward and open these port or use UPnP. Now I'm no fan of UPnP but in this case it might be the best option for you. Can you do a export hide-sensitive and paste the output. Could be UPnP that needs tweaking. If not we can help with NAT rules as we can se interface names and so on tha...

Kindis

Thanks all. I have managed to have a sort out and so should be able to fit the IN version in the cabinet. Just one more quick question, would there be a noticeable improvement in general performance leaving the 4011 for routing duties only and adding the separate switch? I have 2 4011 (acting as LA...

Kindis

When I said that this is outrageous and miktotik did a horrible job, all users told me I am a troll and mikrotik is the best.... This is more than a 5 months old issue and still no fix. CRS354 sucks big time and mikrotik doesnt give a sh*t about it ! We should ask for refund for this garbage hardwa...

Kindis

Run this and post the output (and remove public IP addresses if you use those

/export hide-sensitive

Also explain from which port to which port are you copying. If Bridge is correctly configured you should get wire speed.

Kindis

I upgraded a new 328-24P-4S+ to this release. When setting a bridge VLAN in Winbox the new window shows a VLAN ID of 4294967295 and 'VLAN IDs' is red (since number is invalid). I change it to the VLAN ID I want and it seems to be fine. It shows this each time I add a new VLAN. I confirmed this happ...

Kindis

So I do not perhaps understand the question fully but if we compare AMD Epyc and Intel I9 I would say that Intel is better depending on workload. AMD still have more CPU latency due to their architecture and that is most lightly a benefit in network operation but that is also down to load and what y...

Kindis

Upgraded my home hAP ac^2 and I had a problem that I saw for the first time. It seems like router only preserved 200-something address list entries, and many were gone completely or only partially preserved, breaking access to the router itself and internet access (because I use those as NAT out ad...

Kindis

Currently only the long-term version channel (v6.46.7) has all the necessary fixes for this CVE. We are working on getting them published in stable and testing channels as well. Sorry for any inconvenience.

Thanks for the clarification.

Kindis

So what has be stumped here is what is vulnerable and what is not. The Github repro says this: Affected Versions(tested) 6.41.3 (long term release) 6.45.8 (long term release) 6.45.9 (long term release) 6.46.4 (stable release) 6.47.2 (stable) 6.47.3 (stable) 7.0beta5 (beta) 7.1beta2 and below So if t...

Kindis

I've Winbox 3.27 on Wine (ubuntu) and I can't log in to any device after upgrading them to 6.47.3. It stays at "Logging in" and nothing is happening. Of course, devices are accessible by in.ex. SSH but winbox is missing. From windows I still can log in. Trying older winbox didn't work. St...

Kindis

Thanks for the hears up but what should I do on my lunch and afternoon break now? ;)

Kindis

I have CRS354-48G-4S+2Q+ switch and no traffic problem on ports 1-8. You must add each port to Marvell chip so add "hw=yes" Now I do not have this switch, I have different models, but from what I read this is traffic based. Those that report issues must have hw=yes otherwise they could ne...

Kindis

You had the same issues with 6.47.2 if I remember correctly? I wonder if this is more for you setup. I have a couple of these switches and I do not have this problem but I run them on Long-Term. I keep all my switches on this release to not have to patch as often. @Kindis If you read my post proper...

Kindis

Switch CRS326-24G-2S+ Software upgrade successful from v6.47.2 TO v6.47.3 but after upgrade no longer able to login using Winbox to upgrade the firmware -- showing the following error message: ERROR could not connect to 192.168.10.88 When using Mac Address to login returns error message: ERROR coul...

Search found 516 matches