MikroTik

*) ipsec - added SHA384 hash algorithm support for phase 1 (CLI only); Strange effects when attempting to edit ip ipsec profile created with sha384 hash in Winbox 3.27 - the hash is shown as MD5. That "CLI only" remark means setting this up is not currently supported in either WinBox or W...

I am sure that 16MB flash nonsense is not so much about money as it is about technology. I've recently posted my thoughts about it here . Now I just wanted to add that the reason all Mikrotik devices with SPI flash chips are limited to 16MB might be the relatively old kernel in v6. Though should it ...

This is clearly off-topic gone wild, but let me add my 2¢ anyways. :) That 16MB flash thing is not only economical, but also technical. If you take a close look on the different RotuerBOARDs you'll notice that all those 16MB flash devices use SPI Flash chips, whereas devices with a larger amount of ...

Sounds like the DFS (radar detection) in action to me. Search the forum, there is plenty of information about it here.

The reset button is a multi-function thing and needs to be operated properly. You can read about it here:
* Wiki page: https://wiki.mikrotik.com/wiki/Manual:R ... set_button
* Device-specific quick-start guide: https://i.mt.lv/cdn/product_files/rb301 ... 190656.pdf

5ghz backup is useless because:

When the first 60G devices were introduced there were a lot of folks asking for a combined devices with 5G backup. Now that the first such device is introduced there are other guys saying the opposite...

Screenshots are useless. Post full configuration export instead.

But in general, what I wrote in the previous post still applies. Make sure those two requirements are satisfied, and then everything you described should just work.

Would help of course, if ARM was officially supported.

I think they just forgot to update the wiki page. Partitioning works just fine on ARM devices with enough storage.

What is it?

It should be as simple as satisfying the following two requirements:

1. Make sure you do not block traffic between Stream and LAN subnets.
2. Make sure computers on Stream subnet only use your ADCs as DNS servers.

I saw a similar behavior with broken IPsec configuration recently. My issue appears to be partially resolved in 6.48beta48. So one thing you can try doing is upgrade to that beta check if your IPsec configuration can be accessed/exported again in case it can remove everything from /ip ipsec and then...

Do you know that an export command exists on RouterOS?
Check this page out: https://wiki.mikrotik.com/wiki/Manual:C ... figuration

This is already supported, see this: https://wiki.mikrotik.com/wiki/Manual:Partitions

The AP mode is not allowed on my device.

You should use bridge mode instead. For more details please check this page out.

What nonsense.
why do they put USB in it at all.

Guess, 3G/LTE dongles, serial communication, etc. Mikrotik produces routers, not NAS devices, after all, so SMB/FTP/etc functions are purely supplementary (firmware update, backup download/upload, hotspot customization, etc.).

Have a look at RoMON.

Only the reception of the access point may improve, not the signal strength. I was thinking about this lately. I believe better reception (higher rx sensitivity) also means higher sensitivity to the interference. So you are getting better coverage, but can only enjoy it in quiet areas, whereas in t...

Is this the best place to report bugs?

Nope. This is NOT a place to report bugs at all. Bug reports should go to https://mikrotik.com/support.

Do not mix up the antenna gain and the signal strength. When using a high gain antenna your router has to reduce tx power to stay withing the legal boundaries, so the max signal strength you get is the same. However the effective coverage is usually better, thanks to a better sensitivity on reception.

I noticed the PM is now disabled again. Was it that bad being enabled?

Are you sure this is a 7.1beta specific problem? I.e. can you confirm there's no such problem with v6? Also please check you cables. From my own experience, these old HP 2810 series switches are very sensitive to even slight cabling problems, and fallback to 10M half-duplex (or does not work at all ...

If it's just 3 month old, is RMA an option?

When a packet with destination 10.10.10.0/24 gets in the mikrotik router, ECMP computes a hash based on Source Address, Destination Address, Protocol, Source Port, Destination Port, and that decides whether the packet is sent to gateway 10.20.20.2 or 10.20.20.3, right? Not quite. According to this ...

Certificate is OK

Wrong certificate, erlinden was asking about the certificate from download.mikrotik.com, i.e. the one from the page giving the error.

P.S. This is getting pretty off-topic, I'm going to move this whole conversation into a separate thread... Done!

@Delsey Downloads work fine for me. I specifically tried the link from your screenshots, it works as expected, no certificate errors whatsoever.

This may be either a CDN problem in your region, or a sing of an ongoing attack (like MITM, DNS poisoning, etc).

OpenWRT on Mikrotik as a MetaRouter

Metarouter is not supported on hEX S (as well as any other model with SPI flash).

mikrotik.com/dowload

Perhaps because you missed N in dowNload?

Are you asking about Chateau LTE12? Beware that it is only compatible with RouterOS7, which is still beta (and will likely remain in beta for quite some time). Otherwise, I cannot think of any major drawbacks.

I assume you are asking about hEX S (RB760iGS). That is a full-featured router running RouterOS. You can read more about the software here and here. It is pretty powerful and will likely cover most (if not all) your needs.

Is there any difficulties to implement an external link and provide access to a routerOS through API? Nothing too fancy. The API description is here . At the bottom of that page there is a list of third party clients in different languages. You should enable the API first in the /ip service menu, s...

And to your original question. Have you seen the Customizing Hotspot page on the wiki? Specifically, the "External authentication" section may be of interest to you. And if you don't feel like passing a (temporary) username/password pair in a redirect back to the router, you can consider d...

I tried to open the link in Yandex with a VPN - eventually it's been opened. Well, Ukraine blocks a range of Russian's IP addresses who knows it might be the reason. Just checked, works fine for me. Tried opening that page via several ISPs here in Kharkiv, no problems at all. It's probably the brow...

Please check the /system package menu, the package may be installed, but disabled.

The Block Diagram for this device says the switch chip is QCA8327.

1. routing
2. firewall
3. NAT
4. IPSec policy

This is a pretty incomplete sequence. Please see the packet flow diagrams

All I am saying is, that those who have enough switches that will benefit from a single management plane, will almost certainly need HA features to go with it. My friends have an office here with 200+ client ports, with all cable runs going into a single rack with five 48-port access switches (some...

And once you do anything outside of QuickSet never attempt to use QuickSet again- that has a great potential of ruining your running configuration.

As far as I understand packets belonging to a single TCP stream are always bound to a single CPU core, no matter if it's routing or bridging. This is done to avoid packet reordering (which used to be a huge problem when CCR series devices were first introduced several years ago).

Screenshots are (almost) useless, please post configuration export (run /export hide-sensitive from the command line) instead.

btest itself is very heavy on CPU, this is a well known issue, which has nothing to do with the actual routing performance of your devices. Search the forum again, this has been discussed tons of times.

What do I use then to get traffic data from each client that I do use in Splunk for MikroTik?

NetFlow is an obvious choice for that kind of data.

Sounds like a DFS (radar detection) in action. Check your logs to check if that is the case.

This will be a deal-breaker for MANY people, I'd go so far as to say for the majority of people. Not sure about the majority, we successfully use CAPsMAN in the office, where 24x7 is not a requirement, so that's not a deal breaker for us at all. But you are right, in some cases (like hotel installa...

Please read carefully https://forum.mikrotik.com/viewtopic.php?f=7&t=161563&p=796943#p796661 Right, I've read it again. Please find my comments on it below. So its either Beamforming or Spatial Multiplexing .... normally part of the wireless driver packaging Well... Yes, spatial multiplexin...

Nowhere did I state that Spatial Multiplexing is Beamforming .... grrrr

Then what was your reference to 802.11 and MIMO about?

Beamforming began to appear in routers back in 2008, with the advent of the 802.11n Wi-Fi standard. 802.11n was the first version of Wi-Fi to support multiple-input multiple-output, or MIMO, technology, which beamforming needs in order to send out multiple overlapping signals. Nope. Spatial multipl...

OP was asking specifically about 60G devices, where beamforming IS available (at least on some devices like wAP 60G).

On a broader term, MIMO neither implies nor requires beamforming. Only MU-MIMO does. And none of the Mikrotik devices currently support MU-MIMO, that is a well-known fact.

I am running winbox (32-bit) under wine on a Debian system.
Maybe it behaves differently on a native Windows system?

Sounds plausible. I run Winbox (64-bit) natively on Win10. And (simply out of curiosity) I have just tested 32-bit version, which also works fine for me.

open a window like "IP firewall filters" in a router that is in active use, and make sure the hit-counts of firewall rules are being displayed (and changing all the time). Now, position the mouse over a header separator and keep mouse button pressed to attempt to move the separator to set...

Au contraire. MK has a superior QC department. They created the "obsessive compulsive TRAP".
Looks like it found a victim already.

I like these a lot! Please keep posting!

Interesting!!! I have to dig deeper in this WMM. WMM priority when received over WLAN how is it marked? DSCP (TOS) or MKT priority? Have you seen this article on the wiki: https://wiki.mikrotik.com/wiki/Manual:WMM ? If the priority is maintained in the MKT, then with the default config only priorit...

I struggled to find a Support section or separate Support forum

This is a community forum, for support please look here: https://mikrotik.com/support.

Connection was plug-and-play, 10Gbit link speed is up, however winbox bandwidth test shows speeds lower than gigabit (500-750mbps). Your device is a switch. It can work as a router, but that router is pretty weak. Basically, while switch hardware is powerful enough to forward L2 traffic between all...

With Log window opened, minimize WinBox, then Restore. Log is always reverted to the beginning. Anyone else seeing this? Yes, the same here Just tried it on several routers, but only see this behavior on a single device. A differentiating factor appears to be the number of records kept in the log. ...

30 minutes sound like failed rekeying.

OP says phase 2 SA lifetime is 8h. Why would it rekey after just 30 minutes at all?

No, you should not ignore them. They most likely indicate a problem, but the reason is elsewhere.

What's in the log?

What you want is not possible. In CAPsMAN it is manager that always handles client authentication, no matter what forwarding mode is in use. That's by design.

I found something on the second devide. On that bridge and ether1 got the same MAC-Adress.

That is normal, as expected, and is not the cause of your problem.

I need access to Linux for running own code written in C/C++ to implement the low-level part for an own high-performing advanced central firewall on switch devices (not router).

Good luck!..

just 7 days uptime, free memory down from 80Mb to 65Mb

That is not an indication of memory leak on its own. Does the memory usage keep growing? How does it look over time? Do you have a graph to show?

I don't know if it is possible to strip the priority tags on your switch, but am very curious why do you need to do that at all?

Provided I understood what you mean by "remotely" correctly, you cannot in general do that. Addressing any device by its MAC address is only possible within its own broadcast domain (i.e. "local network"). Having said that, if you have another RouterOS powered device in the same ...

However I suppose that my question still stands though, about why adding a bogus default gateway to main routing table, corrects the timeouts? Sorry, what I wrote above describes rp-filter=strict , not loose . I have just edited my message to correct this. For loose to pass packet it is only necess...

Ok, it's pretty clear what's going on now. Your routing works as expected. It is not your outgoing ICMP echo-request packets (pings) that are being mis-routed and/or discarded, but rather incoming ICMP echo-reply packets get rejected by your rp-filter . The rp-filter=strict works by checking if the ...

I would like an official answer from the mikrotik support This is a community forum, please write to support@ directly if you need an "official answer". From the product description it would seem a simple passtrought of the power supply, therefore the conversion does not take place and it...

I have no time or interest dog this dead horse (my Cap AC) at the moment, but I'll keep monitoring this forum, as maybe some posts their helpful findings Yes, just keep monitoring. Your other message (now removed) has been reported as a personal assault, and I find that report legitimate. So now yo...

1. Package upgrade and install on all SPI-flash devices is always done in RAM. You should always upload all .npk files to the root directory, not /flash. 2. What's the point in installing The Dude server on your switch? It has only 16MB flash and no options for external storage (like USB port or SD ...

Please reset your wlan2 interface to defaults with /interface wireless reset-configuration wlan2 , then change just two parameters- set country to the proper value and frequency to 5180 (due to DFS requirements, when frequency is set tot 5260 or higher you will have to wait for at least 1 minute [an...

Almost any Chinese device cost less then Mikrotik and performs better.

Please, please, please, go buy one and stop complaining here! It is cheaper and works better for you, so what's the point in doing what you are doing?

I'm wondering are these success stories false or why in this forum and also other forums contain more problems than praises? You do understand that happy users do not generally spend their time writing to forums how satisfied they are, don't you? They just use their devices. Unhappy ones come here ...

I'd use log-prefix as a differentiator, then do the actual filtering of the messages on the syslog server.

Since the model of my Metal is missing the 2 (5SHPn and not a 52SHP-n) can I safely assume it is not capable of 2.4Ghz?

Yes, that's correct. Your device is 5GHz only.
More product specs here: https://mikrotik.com/product/RBMetal5SHPn

What's in the log after reboot?
Also are you installing The Dude client or The Dude server?

Players on the same Wi-Fi can always see each other.

Can you elaborate on this "same Wi-Fi" thing please? Do you mean associated with the same CAP in your CAPsMAN?

Did you happen to disable the default-forwarding property on your wireless interface? Or forwarding property for a particular client via access list? Just guessing...

What are your speed requirements? The easiest way to configure what you want is to use two bridges, but you device can only have one hardware-accelerated bridge. If your WAN is relatively slow I'd say go this way, with LAN bridge with hardware acceleration and WAN bridge in software. Another way wou...

There are plenty of other devices (including pretty powerful ones) with a small 16M flash. The problems with upgrading hAP lite are due to its RAM size, not flash.

Those are general routing and firewall facilities, not really related to wireless. In case you are satisfied with the (wired) routing performance, I don't think tweaking those will make any difference for you. But you can try, of course, and see/decide for yourself.

This seems work in some conditions only, at least for me the 20/40 Ce gives better speed than 20 only.

You wrote in another thread, that you don't have neighbors nearby and that the spectrum is free from other networks at your place. So, of course if does!

I did not state that you could not use 20MHz channel with MIMO .... You did, actually. Let me cite you: To get performance the MIMO client and MIMO server must talk MIMO and that means at minimum 2 x 2 streams .... not 1x2 or 1x1 ... but 2x2 .... in MikroTik speak streams = chains. so if you want b...

so my contribution here is to state that 2.4Ghz 20Mhz channel width is absolutely wrong WRONG wrong from a performance perspective and from a MIMO perspective. How does one relate to another? :) You can use 20MHz channel and still use MIMO. All those spatial streams operate in the same channel(s).

Lastly, are you able to upgrade firmware on your wAP ac normally.

Absolutely. Upgraded RouterOS on all 8 units from CAPsMAN, and once they all came back online rebooted once again to upgrade RouterBOOT (they all have /system routerboard settings set auto-upgrade=yes). All went smoothly.

MTeeker That must be something specific to your particular unit. We have 8 wAP ac units here also running as CAPs, successfully upgraded all of them to 6.45.9 from 6.45.8 two days ago (both RouterOS and RouterBOOT), no problems so far. You wrote "Back down to Stable V6.46.6", so I guess y...

CRS305-1G-4S+IN ?

Looking at the registration table, which client should I look at? At the one you use for testing. For example my phone which is quite far away from the router has: -60dbm Signal Strength and RX rate 585Mbps Tx rate 351Mbps, but still speedtest shows around 150Mbps speed. - Analyze the whole TX/RX-r...

It reappeared later on after a reboot and then disappeared again.

Sounds like a DFS (radar detection) in action. What's the interface status?

What's your client device? It is possible that the speed is limited by the capabilities of your client, not the AP.
Can you show what's in the registration table (/interface wireless registration-table print stats) during the test?

Or does it re-send every broadcast/multicast packet to every connected client? Yes, it does. I thought that the "convert multicast to unicast" thing that some other manufacturers do will only handle multicast in conjunction with the IGMP snooping that they do As far as I know, Mikrotik im...

How much traffic (including inter-VLAN communication) are you going to route?

The only thing that I would add to what pe1chl already said is that broadcast traffic in wireless networks is always sent using the basic data rate (i.e. the slowest allowed data rate for the given network), so sending a lot of broadcast traffic will significantly degrade the performance of the whol...

In my cause my country Not Found with list, So i selected the Installation "indoor" Those two (country and installation type) are complementary, meaning that installation type does not work at all without country being specified. I guess when running your AP without CAPsMAN your obvious c...

You don't need to put anything in there, the max allowed is used by default.

Just a couple of messages above you said you are not an expert in wireless and complained that WiFi does not work as expected out of the box. And now you complain about advanced configuration options no being available. Are you just trolling? Edit: PS. And, by the way, band steering is an ugly hack,...

*) chr - fixed graceful shutdown execution on Hyper-V (introduced in v6.46);

How comes 6.45.9 contains a fix for something introduced in 6.46? In case the bug was "backported" from 6.46 it would be good to know what 6.45.x versions are affected.

Check your cables.

Anyone know why gigabit ethernet would not work with auto-negotiate disabled? My understanding is that for 1G (and faster) copper links it is not only connection speed that needs to be negotiated, but also the line needs to be tested and some other TX/RX parameters then needs to be negotiated and/o...

IIRC, VLAN tagging is a software-based operation.

Not necessarily. Lots of switches out there do in hardware.

These devices don't have switch chips.

Which devices?

The rules defining the simple queues are matched like firewall rules, one by one from the top until first match, for every single packet, so it may slow down the packet processing significantly. It used to be the case in RouterOS v5, but since early v6 it is not the case anymore. Simple queues are ...

2. The only Winbox facility on the MikroTik webpage I downloaded was software

What software? WinBox itself? WinBox is just a configuration tool for RouterOS powered devices. You cannot use it for anything else.

I believe it is normal. I've just check a CCR1009-8G-1S-1S+-PC of mine, it is also reported to be CCR1009-8G-1S-1S+ in RouterOS.

When searching for the network, make sure you are using wlan2 interface on you hAP ac².

Faulty unit, perhaps.
I have two, tested one (see results above), works as expected. My environment is moderately crowded.

but link is free, and I'm the only user.

It's wireless. I.e. it uses shared medium and is pretty susceptible to interference. So, you never know when it is really free...

@miloxdan, You do not configure wireless interfaces on either of your devices. You first configure CAPsMAN (the manager) on one of them, then enable CAP mode for all wireless interfaces on both. SSID, security profile, channels, etc. - everything is configured in a single place (on the manager). Hav...

so how do seamless roaming work

SCA (Single Channel Architecture). Basically the whole network "pretends" to be a single AP, so there's no roaming from the wireless client point of view at all.
And it has nothing to do with "enterprise wifi networks".

Is that possible to Access Webfig with HTTPS Get yourself a certificate for your domain, import it on your Mikrotik device, then enable "www-ssl" service with the following command: /ip service set [ find name="www-ssl" ] disabled=no certificate="<cert_name>" You may a...

that is, the access list to delete? I also have a delay of 3-5 seconds without an access list. Roaming is always a client's responsibility. If your client devices are old and cannot roam nicely there's nothing you can do on the AP side to improve that (except, possibly, switching to another brand t...

in your setup, probably worth trying to setup access list on the APs, so it actively disconnect the client , instead of waiting for the client device to disconnect This is the worst ever advice, but people still keep suggesting it over and over again... When you forcibly disconnect a client you are...

I can put the config up here if the problem is not obvious.

Please, do it.

That pic is pretty useless, as it hides too many of the essential bits of configuration. If you want/need to share your configuration you should post the output of the /export hide-sensitive command instead.

If anyone is still interested, I had some free time today, so I got one of my cAP ac s off the shelf and did some tests. The device was updated to 6.46.6, configuration was reset, then I configured it as an AP (not router) and ran some tests. I am consistently getting about 90/90 on my mobile and ab...

This is really confusing b/c my device is in Bridge Mode (all interfaces in same one bridge), and I have the said use-ip-firewall setting not enabled, and I have placed my firewall stuff under "/ip firewall filter", but the firewall is still functioning (!), (although not that perfect, or...

You have two bridges, and currently only a single bridge can be hardware-offloaded on CRS3xx series devices. This is clearly documented here.

Why do you need two separate bridges?

Andriys i've tried your advice but it doesn't anything.

Please confirm you placed your new policy before/above the old one. The order of policies is important.

The source and destination networks in your IPsec policy overlap. That does not look good to me, and also explains why you cannot ping gateway. The easiest solution will be to exclude your local network from the tunnel with the following command (make sure this new policy is placed above your existi...

My telepath is not available right now, sorry.

Please post your current configuration (/ip ipsec export hide-sensitive), otherwise nobody will be able to help you.

@andriys, you have got the terminology of client wrong No, I have not. You were talking about RADIUS client . That has nothing to do with supplicant and other IEEE 802.1X stuff. Strictly speaking, RADIUS is not even a requirement for 802.1X, any other protocol capable of encapsulating EAP can theor...

The authentication procedure changed significantly in 6.43. That change affects everything, including MAC-server. I am not aware of any third-party MAC-telnet clients that are compatible with the new versions of RouterOS.

i'm not that expert on this "low level" networking stuff as i'm not doing it for a living. it's quite complicated. Well, you insisted on something that's impossible in reality being "the core operation mode for wifi". I tried to explain why that assertion is not true. in the mea...

You are getting it wrong. RADIUS is just a protocol, RADIUS server is (to a great extent) just a special credentials database. Is it possible with RADIUS to authenticate with these 2 or 3 credentials: MAC and/or IP plus a password for the device/interface itself, but without involving/managing/using...

is this some new limitation with new ac devices? No, it is a fundamental limitation of the whole set of 802.11 protocol suite. it's the core operation mode for wifi equipment. No, it is not. of course we can bridge interfaces, and use wifi in station mode. Bridging is essentially a way to forward t...

That's why i tryed to delete tho whole Thread. Obviously without any luck.

Would you like me to delete it for you?

We haven't seen the actual configuration that OP uses, so the following is just a wild guess. Some packets are still going slow path even for fasttracked connections, that's why documentation says that an explicit "accept" rule for otherwise fasttracked connections is a requirement. Potent...

Do you use certificates in your CAPsMAN and VPN configuration? Certificates are not part of the exportable configuration and should be copied separately.

What you want is already possible via both WinBox and CLI. I'm a bit surprise you cannot do that in WebFig. As a workaround, I'd suggest you switching to a Terminal view in WebFig and adding your IPsec profiles and proposals from there.

Have you tried connecting by MAC?
Can you see your device on the "Neighbors" tab on Login dialog in WinBox?

This does not change the fact that the DHCP Client should get an IP address without problems... Have a look at the screenshots posted- DHCP client is on the bridge interface, so (provided DHCP server is only accessible over wireless) there's no way it will work. As for the station-pseudobridge, sho...

it's station mode
...
all interfaces are in bridge.

You cannot bridge wireless interface in station mode. You can configure that, obviously, but it won't work. Try using station-pseudobridge (or station-pseudobridge-clone), but beware of the limitations.

On the Audience in the united states3 country setting, the only available frequencies for WLAN3 are 5745-5825. Audience has two separate 5G radios. One can only operate in 5180-5320, whereas the other can only operate in 5500-5825. You cannot use 160MHz on wlan3, but you may have better luck on wla...

Same behaviour observed in CCR1072 and a few dozen IPsec tunnels in a road warrior configuration Your case is apparently different. The original problem reported here was about GRE+IPsec combination (and it was even mentioned later that EoIP+IPsec is unaffected). Yours is road-warrior case, and so ...

but the catch was CPU would hit 40% and sometime higher on my RB4011.

What's the problem with that?

Hey, man, don't you have nothing else interesting to do but "nerving" people with such IMO childish nitpickings? :-) You posted to this thread cross-referencing your other thread. They have similar topics, but otherwise are completely unrelated. Before posting here you even failed to noti...

+10dBm means 10x more (and -10dBm means 10x less).
That's logarithmic scale, so +3dBm approx means twice as much (-3dBm approx twice as little).
Conversion tables and online calculators can be googled easily.

Check the "Wireless specifications" table on the product page out. You are asking about the values in the "Transmit" column (27dBm == 500mW).

1) I am unable to ping device from a terminal session on the Mikrotik, I am unable to work out what the profess of routing packets from within the Mikrotik to have then directed to the VPN. I have created a NAT run to accept the packets as routed and thus not NAT them. But I am getting nowhere. IPs...

This is not Mikrotik-specific stuff, you could have just google before asking. Even wikipedia knows what RADIUS interim updates are. And it is not applicable to authorization, by the way, it is purely accounting-related.

However, the fetch command does not wait for "OK".

It does. You don't see it in console because the result goes to file by default. RTFM here, please: Tools/Fetch.
As to checking what was returned, read this section specifically: Return value to a variable.

Please have a look at this thread: https://forum.mikrotik.com/viewtopic.php?f=2&t=159475. I believe that should be a good starting point in understanding the basics. For your situation, however, it is going to be more like a traditional road-warrior, not lan-to-lan VPN. So in comparison to what'...

The p2p matcher is no longer supported. It had not been really working for a long time and was finally completely removed in RouterOS 6.39 (almost 3 years ago).

Also have look at IP Accounting.

Don't try to change network, instead you should change your address to 192.168.88.1/24 (note /24 instead of /8 at the end).

Faulty unit, perhaps. You wrote previously that it's firmware had previously "gone belly up". That incident and the unit's current slowness may as well have common roots.

Any quick easy set up guide for a generic IKEv1 setup? Good luck finding one! IKEv1 is so versatile it's impossible to write a guide that would cover all and every case possible. Once you know how IPsec works, it becomes pretty straightforward to configure an arbitrary tunnel. But you need to spent ...

Hey Mikrotik guys, where are you?

This is user forum. Support replies in some topics occasionally, but there's not guarantee they reply to your particular message. If you are looking for an official reply you should contact support@ and/or you supplier/distributor directly.

RB260GS ?

Well, there cannot be other way how it works. For proper bridging to work your AP and your station bridge should exchange frames with 4 MAC addresses (source, destination, sender, receiver), whereas the standard frame for station to AP communication contains only 3 MACs (because source and sender ar...

So, what would it be the Mikrotik equivalent? Station-bridge mode? No. Your ISP router is not a RouterOS-powered devices, as far I understand, so station-bridge won't work for you as expected. The only viable option is station-pseudobridge. I'm sure DD-WRT does the same, unless it talks to another ...

Have a look at the following two threads, you may find answers to your question there:
viewtopic.php?f=1&t=152314
viewtopic.php?f=1&t=154149

https://www.linksysinfo.org/index.php?threads/diffrence-between-client-and-client-bridge-mode.13563/ It seems that a DD-WRT router can do what a Mikrotik can't. Really? Your link talks about wireless in "client" mode vs wireless in "client-transparent-bridge" mode on DD-WRT. And...

Ofcorse you can add a wireless interface in Station mode inside your Bridge in case lets say you want to assign the address to the Bridge and not to just your wireless interface...

Why would one need to do that? What's the point?

You cannot bridge wireless interface in station mode. You can, however, do that if you change the mode to station-bridge or station-pseudobridge . Please be aware, though, that these modes have their own limitation. You can read more about various wireless station modes on the wiki here: Wireless St...

Is that all? Yep, that should be it. The new IPsec Policies - Status SA Src. Address: 0.0.0.0 Not to pay attention ? For a newly create policy that's normal. It should be changed to the real address once an SA for that policy is established (and that won't happen until the first packet matching tha...

Does your PBX write logs? Is there anything interesting in the logs?
What is the indicated termination cause for the dropped calls in question?

[*]Unable to see skip DFS. Looked in wireless but where is it hiding? It is available in command line only, no support in WinBox nor WebFig yet. And next time you post something, would mind reading the whole thread to check if you question has already been answered , please? [*]At least on 5.8, whe...

NAT Traversal do not need to set? Is the dynamic IP on your Mikrotik routeable (i.e. "real")? In case it is NAT traversal is not needed. It stood for 5 minutes and earned. Now I'm trying to understand why. Probably was waiting for the first outgoing ESP packet from your Mikrotik. Check yo...

It seems to me that the NO NAT rules on Mikrotik are missing. Yep, that's what I meant when I wrote "make sure you have NAT-exempt rules in place". In terminal run the following: /ip firewall nat add place-before=0 chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=192.168...

I don’t know how to change the level of detail through WinBox. I turn it on. On command line it would be /system logging add topics=ipsec,!packet,!debug action=remote . Should not be difficult to figure out how to do that in WinBox. host(send ping) - mikrotik ==== inet==== asa - host (answer ping) ...

In my country, in Ukraine, the U-NII-3 range is allowed, but there is no U-NII-3 range in the frequency list

It seems to be marked for outdoor use only here. Please change installation parameter to outdoor or any and see if those frequencies reappear.

Log attachments. ASA log looks good. Mikrotik log looks weird. First, please turn ipsec debug logging off, it's too noisy to be useful. Second, I noticed timestamps differ dramatically in ASA and Mikrotik logs. Why is that? IPsec Policy Status PH2 State: established Looks good. Ping to a remote net...

Well, that explains. That "software connections" dynamic-map entry does not have "match address" specified, so it matches everything. And it is of higher priority because of a lower sequence. So your ASA picks this dynamic map and expects ESP-3DES-SHA to be proposed, which does n...

Have you checked what's in the logs? Mind sharing it here?

Yes, I have other lan-to-lan tunnels to different static addresses and I can see how they get through. It seems to me that there is a search for subnets 192.168.x.0 192.168.88.0. But why not see: I'd interpret your ASA logs as "I see you have a matching dynamic map, but none of the proposals c...

The question still remains the same: is HAP Lite (or HAP ac Lite) worth the while for my needs? And, mostly, will this small devices handle with no hassle my connections? With some rather basic configuration hAP lite will cope with your 100M connection without problem (and the number of users does ...

I looked at both HAP Lite and HAP ac (which prices just double of HAP Lite). Double? It is actually about 6x more expensive. Are you sure you wrote the model names correctly? Anyways, in case you are looking for the cheapest device then hAP lite (or hAP lite TC ) should be fine. Otherwise I'd sugge...

Is something like this going to go?

Yep

Repeater mode is not supported for 60G, I believe.

Simply block port 25/tcp for all customers, only whitelist it for specific customers upon request. Nobody needs it nowadays, except a few people still running mail servers on premises.

How does your RADIUS server stores the accounting information? Is there an option to store it in a relational DB? You would then be able to use simple SQL queries for aggregation and reporting.

I would use RADIUS accounting to collect such statistics.

Thanks, you may be right. But I'd be glad if @support will comment on this too...

Well, you should write to support then.
This is a user forum, consider yourself lucky if you get a response from them here on the forum.

Yes, correct.

Please post the full /ip firewall filter export output. The order of the rules is important. The traffic you are watching may match another rule that is placed earlier than the one you are watching.

Can I do without it? I thought that NAT was necessary to separate my LAN (192.168.4.0/24) from ISP router's (192.168.0.0/24) Yes, you can. But you need to add a static route on your ISP router so it knows where to forward traffic destined to your 192.168.4.0/24 network to. Can I bridge the wireless...

So, if I have more than one client, station mode is the only reliable way to go in my case. Did I get it right? Yes, you got it right. What if I want just one client being connected to the ISP router via WIFI? In this case station-pseudobridge or station-pseudobridge-clone will work for you just fi...

Provided you have more then one client behind your Mikrotik router, you cannot really do that, unless your ISP router is also a Mikrotik product (in which case station-bridge mode is what you are looking for). Well, the station-pseudobridge mode may appear to work for you, but I doubt that MAC addre...

What would you like to achieve in the end?

The easiest thing you can do is to configure Watchdog to reboot your device when ping to a specific host stops working. Depending on what IP you choose to ping, however, that has a potential disadvantage of producing a lot of false positives. A somewhat more sophisticated way is to use Netwatch inst...

In short- you cannot.

Thats what a good source has told me... Am i wrong? Yes, you are. Release 6.35 wireless-rep - initial support for station roaming for station mode in 802.11 protocol; That has nothing to do with 802.11r. That was just the initial implementation of the ordinary roaming for mode=station. Before that ...

Mikrotik does support IEEE 802.11r-2008, fast Roaming, since 6.35 or something...

Really?

Can I do some additional tweaks/config or this is the expected bandwidth for this device?

This is kinda expected for a repeater, no matter what kind of device you are using.

Shared passwords (group passwords) are used for both L2L and RA IPsec VPNs (unless you are using certificate-base authentication for IKE, which you are not). On Mikrotik that's secret under /ip ipsec identity . Group name goes to my-id under the same menu. If you are configuring this from WinBox the...

Please learn how to use search on the forum. Your question has been asked and answered multiple times already.

I understand that you must use the mode Aggressive on Mikrotik. <snip> Therefore, the tunnel initiator can only be Mikrotik. This mode is called Aggressive. Well, yes, yes and no. You are right in that that Aggressive mode is a requirement and that your Mikrotik box should always be initiator. Howe...

This is wrong: tunnel-group MT type ipsec-l2l For tunnel group of type ipsec-l2l the group name must be the peer's IP address. Check ASA's command reference for details. As I said in my previous message, since your another endpoint has dynamic IP address you have to use a road-warrior-like tunnel co...

Yep, the default mode is "station", see here.

I need Combined Two Speed , I Read about that but all solutions just load balancing. That's because load-balancing is the only thing you can do with your 2 channels, really... I mean you cannot use your two channels as a single "fat" channel, the only thing you can do is to distribute you...

Auto-negotiation is mandatory in 1000BASE-T, various weird things are expected to happen if you try to turn it off.

isakmp policy is just half of the phase1 configuration, please show your cryptopmap configuration from ASA as well. Also please post the output of /ip ipsec export hide-sensitive from your Mikrotik. On a general note, since IP address on one side of you channel is dynamic (may change) you will have ...

I can hardly read your Runglish... Try using proper Russian without any traces of slang before feeding it to Google translate (or whatever else you are using). Anyways. You wrote the firmware is current, however your screenshot says you are running RouterOS version 6.30.4. That is very far from bein...

I don't wanna to see that message again.

Try blocking those connections using firewall filter rules instead.

Your screenshot says connections were denied. So what's the problem?

I need guide how to configure this and where (in bridge section, in swich)

For your device this will be in both bridge and switch menus. Check out examples here: https://wiki.mikrotik.com/wiki/Manual:B ... witch_chip.

If you only need to connect your two units together, then use bridge mode instead of ap-bridge . The former is limited to a single associated client, but they are the same otherwise (read more here ). In case you need to connect more than one client, however, you should buy proper hardware. The cost...

Or maybe, why is the legacy mode insecure? In legacy mode server identity validation is not implemented, thus making MITM attacks possible even if "Secure Mode" is enabled. The current implementation of the WinBox protocol was reported to use a flavor of SRP, so identity validation is now...

All major web servers support TLS 1.3 already. Browsers too. It is NOT in the future. It's already being rolled out. It has started since 2018. You keep talking about TLS 1.3 whereas you really mean ESNI. TLS 1.3 is a requirement for ESNI, but not the other way round. Enabling ESNI for a particular...

@ErfanDL, it looks like you still need a "conventional" DNS server for bootstrapping...

emils What's new in v3.22: *) added Legacy Mode (disabled by default) to allow using older, less secure connections to RouterOS older than v6.43; I still must run WinBox 6.4 for manage old ROS v5.26 who cannot be upgraded to v6.x family. What is WinBox 6.4? Anyways, RouterOS 5 requires WinBox DLLs ...

HAP AC2 with 802.3af poe-input support (as cap ac does)

And at least one pass-through poe-out port please.

cAP ac? Almost the same hardware (well, without USB and with only 2 Ethernet ports), but with 802.3af/at and PoE pass-through. And has already been available for a while...

Search found 1376 matches