MikroTik

Moved to "General" as "RouterOS v7 BETA" section is only for problem reporting.
See viewtopic.php?f=1&t=152006.

https://wiki.mikrotik.com/wiki/Manual:W ... d_Channels

@scampbell, Wireless Advanced Channels feature has a rather limited applicability, meaning just a small number of (mostly outdated) boards support it. Just check this out: Wireless hardware table.

I installed some of these CRS328's on a site that already had wAPACs. They OVERHEATED and crashed a lot on 802.3af/at I have 4 wAP ac units powered by CRS328-24P-4S+RM which have been running just fine for months already. As of this writing the uptime of all the units is over 82 days, and the switc...

If I read the documentation correctly, the DNS servers that are statically configured under /ip dns are never used by DHCP server, however dynamic ones (i.e. those set by DHCP client, PPPoE client, etc) are. And this behavior can also be suppressed by setting dns-none option for a particular /ip dhc...

CRS3xx series devices differ a lot from the rest of CRS series devices. Here are some references to read:

Bridge Hardware Offloading
CRS3xx series switches manual

@Zacharias, station-bridge does not work with CAPsMAN controlled APs, that's the main problem OP is facing here. @genesispro, When the CAPsMAN was first introduced several years ago, I do remember multiple people asking about support of WDS, station-bridge, etc. here on the forum. If I understood th...

/export the existing configuration to a file, edit it if needed, then apply it to the new device. Read this: RouterOS Configuration Management . PS. If you have anything configured in the /switch menu on CRS125, you will not be able to transfer that to CRS326 automatically. Instead, you will have t...

What you described is indeed how station-pseudobridge works. These limitations are fundamental for the underlying wireless protocol stack. The station-bridge mode, on the other hand, should not have such limitations, however it only work when AP also runs Mikrotik RouterOS, and is not compatible wit...

Isn't this what you are looking for: Wireless / VLAN tagging?

Post you current configuration. Also check what /tool profile shows at the time you test the speed.

where it says "and priority tagged", what does that means?

That means a packet with 802.1Q header that has VLAN ID field set to 0 (a reserved value that means VLAN ID is unspecified); however PCP and DEI fields are still in effect specifying priority, hence the name of the option.

Well, the error message clearly says that it's license that prevents the upgrade. And the only license preventing the upgrade is the expired trial. I'd suggest checking the license status and then writing to support@.

after installing the latest beta to a RBM33G the RB is stuck in a reboot loop.

Such reports are kinda useless, unless you also specify what RouterOS version you were using before the upgrade.

The error message says it all. Once your trial period is over you can no longer upgrade your instance. You should have bought a suitable license (or switched to the free license, in case you are fine with its limitations) before the trial ends. See CHR Licensing.

I'm almost certain it's not possible. Certainly not possible with passive adapters.

TrafficFlow does not produce anything human-readable. You need a separate specialized software, usually called NetFlow Collector or NetFlow Analyzer, to collect, aggregate and display traffic flow data.

As a much simpler alternative, you can also consider using /ip accounting.

I usually monitor the Announcements section of this forum for information about new releases. This is one of the first places the announcements are posted to most of the time. Another reason to monitor the forum for release announcements is it is usually a good idea to wait for possible regression r...

An obvious alternative is some kind of tunneling protocol (like GRE) over IPsec.
But I still usually prefer to use pure policy-based IPsec whenever possible. What kind of software/hardware do your clients use?

Renamed and moved to "General" as "RouterOS v7 BETA" section is only for problem reporting.
See viewtopic.php?f=1&t=152006.

AFAIK, it is not possible when using built-in authentication, however should be possible with some external RADIUS servers.

cAP ac has only 16MB of flash, and has no means to extend the storage (there are no USB, SD or M.2 slots). So while technically you should be able to install and run the Dude server on cAP ac, you will not have enough space for even a minimal Dude DB, and so it will be effectively useless.

You are not listening. Caching HTTPS traffic is not possible. Period.

most complex router and overall the most crappy designed user interface that I have encountered. It is complex. But it is also very versatile/flexible. And the interface is actully pretty well-thought, though everything beyond QuickSet is primarily meant to be used by network pros, or at least peop...

Superchannel won't work unless you have country set to no_country_set.

If you Reed my answer Then you See i die test From Wap.60G and not from the Omnitik

mistry7, If you were careful enough, you would see I was replying to mfr476, and not you. And looking at his/her screenshots I'd rather suggest he/she runs btest straight on the device being tested.

Not sure I understand your last question about "signal tuning".

The very first thing you should do is to stop using built-in btest tool (bandwidth test). It is known to be CPU hungry on its own. When testing bandwidth, always do it through device you test, and never to/from that device. Disclaimer: I am just pointing to an obvious mistake here. I'm not in any wa...

I'd do in at least several step, making sure none of the steps introduces more than one major change like wireless packages consolidation, master-port removal, etc.

OK, I see, makes sense. We are mostly using wAP acs in CAPsMAN setups, and those work great for us, so I didn't even considered a case with 5GHz radios failing on their own.

There is no "one solution suits all" approach possible here. I personally do what you basically described as option1: use the same SSID with reduced power. The only difference is I use reduced power for both 2GHz and 5GHz bands- coupled with a reasonable overlap between neighboring APs this gives us...

So I was wondering if CONSOLE port is same like serial port and can be used for talking to APC UPS ....

Yes, it is the same. Not sure if it can be safely used for talking to UPS though.

Moved to "General" as "RouterOS v7 BETA" section is only for problem reporting.
See viewtopic.php?f=1&t=152006.

2.8.9? Really? Why don't you upgrade?

MQS looks interesting. Newsletter says the following:

Power it with a USB power bank and it will power your CPE over PoE, while you configure it

The question is, when MQS is power with a USB power bank only, what voltage can be expected on PoE output?

I am new to networking and I’ve learned on the field ... is mikrotik is a good choice ... ? I'd say it is, but that's pretty subjective. :) where learn everything I need ? Official documentation may be a good starting point. Also, I was wondering if the GUI is complete or if I’ll need to get my han...

You don't need to do anything about it. Just make sure you do not blindly block the ICMP traffic so PMTUD over your tunnels works.

Fasttrack works for firewall with connection tracking enabled. Which is pretty much default for routed traffic and it doesn't care about underlying interface types. As far as I understand FastTrack is built on top of FastPath and requires that the underlying interface supports it. And I guess FastP...

Should the Bridge Local also include the eth1 port?

No, it should not. Everything else looks correct.

Strange decision from Mikrotik to bundle 24V with PoE router, but ...

It is not surprising at all. I expect most people to be using this device to power other Mikrotik devices, and those are fine being powered by 24V Passive PoE.

Read here: CHR Licensing.

Yes, I guess it is to be expected. Dude appears to be a heavy and resource-demanding service.

Create a new bridge, add Ethernet ports 1 and 24 do this bridge. At his point your STB should already start working. Now change the configuration to use newly added bridge as your WAN interace instead of ether1 (this should be changed literally everywhere- IP address assignment, if any, DHCP client,...

2 months??? wAP ACs took nearly a year to get stable numbers. In that specific case, a special situation is presented, which was the incorporation of a new ipq4xxx platform and a massive support for the ARM architecture Are you sure you are talking about wAP ac and not cAP ac ? The wAP ac is MIPSBE...

Just finished converting a setup with 2x HAP AC with latest stable firmware from Switch VLAN setup to new bridge VLAN setup. Why did you do that? HW accelerated bridge VLAN filtering is only supported on CRS3xx series switches. For the rest of the the routerboards you should keep using the /switch ...

No, with the more expensive systems that do "seamless roaming" it is the AP/controller that decides where the client is served. What you are referring to here is technically not a roaming, because in this case clients do not really roam, but are rather constantly talking to a single huge AP with sp...

Is this device even able to switch VLANs?

It is (see this page in the wiki). However the Bridge VLAN Filtering is currently only supported on CRS3xx series devices, and on hAP ac you are limited to Basic VLAN switching.

I am looking for what is essentially meant to be a powerful 2.4 and 5ghz router for a somewhat large-ish home, the materials of which don't let wifi signals through very well. I'm ok working with repeaters if I have to, but would rather explore single-device solutions first. Based on this descripti...

Depends on your client device. Roaming is always a function of client. AP may assist, but it always up to the client to do the switchover.

WDS over ethernet ?

Huh?

Or just the same SSID on a different channel ?

Go this way. There's absolutely no need to do anything more complicated than this in your case.

EOIP is based on the GRE protocol, and there were some GRE-related firewall fixes in 6.45. As a result (1) an invalid firewall config that used to work before the upgrade will no longer work; and (2) a new bug was introduced that incorrectly classifies GRE connection state as invalid in some cases (...

I have it in auto.
I believe it tried to find a free channel and it was delayed.

In this case the delay is most certainly caused by DFS (radar detection). When a DFS-enforced channel is selected, a delay (before you see your SSID on air) of at least 10 minutes is always to be expected.

The proper way to deal with the PMTUD issues is not to change MTU on either side, but rather to make sure you do not drop (block) ICMP messages that should not be dropped. A rather widespread workaround is to use TCP MSS clamping on the router (which some people consider an ugly hack- and for a reas...

I didn't see the 5GHz wireless.
Now work perfect, without any changes.

What channel do you use? Perhaps, "now" means "once radar detection is complete"? Just guessing.

Feels like a potential PMTUD issue.

As far as I know WAN and LAN interface lists are meant to be used by the Detect internet feature. Which is supposed to be interface type agnostic.

I always assumed it inherits it from the packet being encapsulated. Not sure this assumption is correct, though.

I will assume you are using a Mikrotik router (otherwise why would you post here). In case your router was compromised, the only reliable way to recover is to reinstall the RouterOS using netinstall.

Yes it is capable of running routers but the main functionalities of a manageable switch are lost

This is plain wrong. Can you name at least one switch feature that is available in SwOS but not RouterOS?

The 'ad' in the name may refer to the "real 802.11ad", not the proprietary protocol stuff like the current 60GHz product line. Hence the wall-mountable (indoor) AP form-factor with limited power. Just guessing.

Or we need one wAP 60G AP in Remote Location 1,
and two wAP 60G in other 2 locations?

That's correct. In general for PtMP you need to use a device with license level 4+ as an AP (CPEs can be on license level 3). This is also true for 60G.

How I can make sure that my firewall restrictions is applied even when user use VPN client

You cannot do that in general. At least not when the corresponding traffic has already entered the VPN tunnel.

One question I asked myself multiple times is why MikroTik doesn't use the drivers from chipset vendors.

I believe the main reason was the ability to implement protocols like nstream and nv2.

Did you happen to get Protected RouterBOOT enabled?

Both your devices are rated for the ambient temperature up to +60°C.

On the diagram, the queues are under the (1) [Interface HTB] - Queue Tree with parent=some_interface_queue (2) [HTB Global] - Queue Tree with parent=global (3) [Simple Queues] - Simple Queues The (2) and (3) are in [POSTROUTING] and in [INPUT]. When bridging, packets only hit [POSTROUTING] if use-ip...

Mikrotik does not currently support VTI style of IPsec tunnels. And GRE over IPsec is not VTI compatible either. If you can reconfigure you ASA then you can of course build GRE over IPsec tunnel. Another option is to use classic policy-based IPsec tunnel (ASA does support multiple policies per peer ...

Simple queues are perfectly usable on cAP ac , but for them to work you need to actually route traffic, i.e. to use your cAP ac as a router, not just AP. Alternatively, you may try enabling use-ip-firewall option on the bridge (see the manual ). Again, please consult the packet flow diagram (followi...

So you are saying you are just bridging interfaces together... I do not think you can use Simple Queues in this case. And if you decide to try Queue Trees instead, make sure you specify one of the interface queues (not global!) as a parent to your queues. For a better understanding, please take a lo...

You should disable Fasttrack for any traffic you want to queue.

Talking about the bandwidth and the number of users virtually any device from the current Mikrotik product line should fit (even the cheapest one). However 55 users also means you may need more than one device to cover the area where these 55 users reside. If a device says it has 3 chains, does that...

But as I keep saying, I want some actual information on this. Not just 'it should work' HOW does it work? I would like information on how all devices detect hotspot in the first place. This question has nothing to do with Mikrotik, all vendors do it in their own unique way (and also change those wa...

Now here's another question, i'm not typing https://www.google.com I'm simply typing www.google.com or google.com and it fails. Why? Google uses HSTS . Once you visited an HSTS enabled site your browser will force you into using HTTPS any time you access that domain. HSTS expiration period for goog...

That does not mean it is correct. Older devices (or older RouterOS versions) may have just silently ignore the invalid settings, that's why it worked (I'm just guessing here). Anyways, no client is supposed to be able to register to an AP if it cannot negotiate a supported set of basic rates. Disabl...

af/at requires at least 48V to function correctly, so you need to buy a proper PSU separately. The standard 24V PSU is only suitable for Passive PoE. More info in the official product brochure: https://i.mt.lv/cdn/rb_files/hEX__poe-190722120922.pdf.

I think "Multi-PSK" is what you want to be available on a MikroTik device, see page 44-47 from https://zivindico.uni-muenster.de/event/7/attachments/4/4/Hochschulen-NRW_Rahmenvertrag-Kick_Off_Day-Aruba_Overview_compressed.pdf It says it bounds MAC address to PSK. You can easily do the same on Mikro...

None exists for your hardware.

Well, your question is about QuickSet... The usual advice from any experienced community member is "don't use QuickSet, ever". And I'd rather second that advice. So... Do not expect anyone to answer your question, unless someone from the actual Mikrotik staff looks here in the topic. Simply because ...

Your device does not support dual boot and can only be used with RouterOS.

Well, on Mikrotik this has been possible like for ages now. It could be done either via wireless access list or RADIUS MAC authentication. This is supported for both regular AP and CAPsMAN setups.

Yep, the required voltage to power hAP ac² via PoE-in is 18-28V, so a passive PoE injector with 24V PSU should work just fine. When in doubt, the product page is your best friend: https://mikrotik.com/product/hap_ac2. Edit: You can actually get yourself just a proper injector, as you should be able ...

hAP ac² only supports Passive PoE, so it's not compatible with the type of injector you've bought.

Yes, it should be possible. But since you are running 5.x you will have to do that manually: https://wiki.mikrotik.com/wiki/Manual:U ... g_RouterOS.

Well, we have a small CAPsMAN setup here in the office (12 access points 8 out of which are wAP ac). I did a small test and observed ~45% load on CPU of wAP ac at about 100Mbps transfer speed (one or two TCP streams, local file transfer; in our case the speed was limited by the client- we didn't hav...

I would rather expect the manager to be more CPU critical rather then individual CAPs... Have you tried looking at /tool profile (on both your CAP and manager boxes) while doing your tests? Also how exactly did you test (i.e. what tools did you use- simple file transfer, iperf, btest, something else...

Yes, it will only work if CAPsMAN manager forwarding is used. Why do you think 5G speed will suffer?

I would do it this way: Create a dedicated (physical) network for all your CAPs. Connect all your CAPs to this network only. Do not assign any IP addresses to any device here. Make sure MAC-winbox, MAC-telnet, etc. are not accessible from this network. Obviously, CAPsMAN will be using L2 transport, ...

PWR-LINE PRO looks interesting. However I'd love to see a version that is mountable in place of a standard power socket (in a case similar to wsAP ac lite). Possibly even with the power pass-through.

No such product exists. There are no Mikrotik devices with wireless and more then 1 PoE-out capable port at the same time. And even the wireless devices with a single PoE-out capable port only support Passive PoE-out, which almost guaranteed is not compatible with you cameras.

Yes, you can. No problem at all.

and again mostly fixes for bugs introduced in previous STABLE releases. excuse my harsh criticism but are you kindergarden business or do you want to be known as a serious software development company...? That is actually expected to work exactly like this. The "stable" release channel used to be c...

hEX S has MT7621 switch chip onboard. And according to Mikrotik's wiki it does not support VLAN table in hardware. Check this page out.

Well, take it this way. Mikrotik is marketing this as "passive" since they are trying to compete with various passive optical solutions here. The whole GPEN product line is just about that. But technically, none of the products in this line are really passive, IMO.

i've run the bandwidth test (Tools > Bandwidth Test) and used the details from the Bandwidth test forum, and turns out the unit caps at 30 mbps (2.7MB/sec) This tool is pretty old, and is known to be able to saturate CPU on its own. If you want to test the routing performance never test from/to dev...

SFP/SFP+ are Network INTERFACES and these network interfaces should work much like any other network interface. THAT is the whole point . No. An interface is the module that you put into your SFP/SFP+ cage, not the cage itself. The specification of the cage itself is (almost) purely mechanical. And...

1) at what OSI layer this device work? at L1 like hub, or at L2 like switch? Does that really matter for a two-port device? 3) why distance is limited to 1500 m? That's because of the power drop. Check the official brochure for the details. You can build a link up to 3000m long if you provide power...

Is it ok to have 7,4 MB available out of 16 total ? On 16M flash devices upgrade happens in RAM, so that should be fine. But you may occasionally need to reboot your device right before the upgrade to free some RAM. Also switching from bundle to individual packages should not be required, unless yo...

You should be able to apply a backup from one VM to another VM, provided the VM's configurations match. Regular backups, however, contain device/instance specific stuff (like interface MAC addresses), so this is not the best option in general. You'd better consider configuration export instead.

Try this:

:if ([/ip route get [find <your_search_criteria_goes_here>] distance] = 5) do={
    ...
}

I'd say nothing from you list requires extra flash space, perhaps except graphing. But even graphing does not usually occupy too much of a disk space. So, if a particular router model satisfies you requirements otherwise, flash size should not really be an issue.

@andriys. Sorry but I don't saw the official strods post answering a lot of posts of this threads with the info about GRE.

It was in a (rather long) post here.
And then a followup here.

I will try the temporal fix later when users are not working. Temporary? Please read the topic once again, carefully . This version fixes a bug that allowed GRE to work even when your device was configured improperly . So you do not need to apply a temporary fix, but rather permanently fix your con...

*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods;

Will it also work for "rsa-signature-hybrid"?

SJB, please start a new thread and keep this one strictly for the 6.44.3 version related discussions.

doesn't work renaming the admin user 0 again.

Renaming users is not supported since 6.43 and Mikrotik clearly said that's not gonna be fixed.
From now on you should create a new user then delete the old one instead.

As soon as you attempt to create a new identity (on the 'identities' tab) with the 'Auth. Method' set to "rsa signature hybrid", the CPU spikes to 100% and the device becomes almost completely unresponsive! Only solution is a Configuration Reset (but as soon as I attempt to create the IPsec identit...

Tryed to downgrade from 6.44 stable to this release, but after reboot still show me 6.44 stable.. Seems like its not posible to downgrade to this longterm version.

What's in the log? What is the factory firmware version?

... and I want something that can distribute the signal through these container walls.

Sounds like you are trying to fight the laws of physics. You'd better consider putting an inexpensive AP in each container.

We use superchannel.

The country setting now has priority, so your superchannel won't work unless you have country set to no_country_set. The forum is full of discussions about this change...

What is actual dependency behind this?

Security package implements IKEv2 (among other things), which may now require DHCP in some configurations. Check this entry in ChangeLog:

*) ike2 - send split networks over DHCP (option 249) to Windows initiators if DHCP Inform is received;

Well, we are getting a bit off-topic here... To be clear, I'm not saying that the documentation as it is now is perfect. You are right in that it may and should be improved in lots of rather reasonable ways. However complaining about the fasttrack page not telling about "lags when mangle activated" ...

This article doesn't have any mentions about lags when mangle activated. Should it? What you call "lags" are symptoms, not the problem itself. The main thing that article tells you is the following: Warning: Queues (except Queue Trees parented to interfaces), firewall filter and mangle rules will n...

Please read the documentation.
ok. where?

Here: https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack

Disabling fasttrack helps.Hope Mikrotik fix it soon

This is not a bug and cannot be fixed. This is how fasttrack works. Please read the documentation.

i4ko, EIRP is not so much about the power as about the density of radiation, so for directional antennas the gain may easily be much higher than 1.

This is normal ? It is. Absolutely. You have simply added a rule to a custom (user-defined) chain named 'perouting' that you can now jump to using 'action=jump' rules. And, by the say, this is in no way version-specific, so in the future please refrain from posting such questions to version-specifi...

Darman, how do you think an update will know what socks entries are legitimate and what are not?

Mutator , in a previous post you wrote yourself that the problem is also reproducible on an earlier versions of RouterOS (6.42.x), so it is NOT a 6.43.8 specific regression. The release topics are meant for version-specific issues only. Also you have already reported the problem in another thread, ...

why dont have WinBox + MAC WinBox button?

That's probably because WinBox has neighbor discovery capability builtin.

doush Nobody except you complains, which means it's either faulty hardware or a configuration specific issue. A couple of posts ago you said you are not willing to supply support@ with the info they asked you for. Being software developer myself, I can assure you this is a road to nowhere...

pranoy1083, the problem is likely in the queues themselves and not specific to this particular version. Please start a new topic for this and/or (better yet) report it to support@.

It would be useful if the matrix contains some information about the hardware-accelerated encryption support.

I get that. But the webfig torch NEVER shows more than the two lines to be seen in the screenshot, no matter what traffic is to be seen via winbox. Just tried it myself. Right after opening the Torch screen I can see the same two lines as shown on your screenshots, but after clicking on the "Start"...

roughly the same time.

I guess this likely is the point. Torch is a "right now" tool, not a "historical data" tool.

Just wondering why two versions have been skipped? Never seen that before

It has become a rather common situation lately.
The obvious reason might be the skipped releases not passing the QA.

When I set comment for PPTP client, it reconnect ! New feature ? It has always been like that. Changing comment on any interface brings that interface down and then back up. PS. The next time you post to a release topic please make sure you are reporting a problems that is specific to (was introduc...

Any chance of 6.42.10 with the IP Traffic Flow NAT fixes ?

Can you provide more details (or a link) of what's broken, please?

This IPsec bug still not fixed https://forum.mikrotik.com/viewtopic.php?f=2&t=136445 What is the purpose of writing this in all version-specific topics? This is clearly not a regression since the previous version, so please stop. Have you written to support, by the way? In case you have, did they a...

Ah, nice suggestion but, all my laptops are Pro type and I have real serial ports on them :-) The key here is that TTL serial and RS232 are somewhat different beasts- they differ at least in the voltage levels (while on the protocol level they must be compatible). You can easily damage TTL serial p...

I really hope that the new iPhone Xs/XsMax 5GHz AC problem is resolved before the 6.44 production release. https://forum.mikrotik.com/viewtopic.php?f=7&t=139608&sid=c812125039cd5699bb02c1cae5c96b71 Reading through the topic you've linked to makes me think it is an iPhone's problem, not Mikrotik's o...

After upgrading to 6.43.2 from 6.42.7 you can no longer have multiple IPsec peers to the same destination IP but with different source addresses. This regression is said to be fixed in 6.44beta14. Please check the change log in the post here . And I'd expect this kind fix to be merged to 6.42.x lat...

... that the plaintext password file was not replaced/deleted ... Sure it was not. Do you read the release notes? What's new in 6.43 (2018-Sep-06 12:44): ... *) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades) ;

The ROS is changing the actual MTU if I change the method, ... , but If a Mikrotik document doesnt write other (please link it for me if exists), It should work, but it doesnt. The IPIP wiki page says the default is 1500. Nothing is said about MTU being automatically/dynamically adjusted, so I assu...

It seems that bridge gets it's MAC automatically from the first port connected to it - dynamically changing this whenever the config change is made....

This is actually a documented behavior...

If I change the keying method from SHA1 to SHA256, the IPIPv6 reconnect and after thet the new TCP connections are broken, but ping works. What next now? Check if the MTU settings on your tunnel interfaces are correct. In case you rely on RouterOS to calculate it automatically try setting it to the...

Rather then doing MSS clamping you'd better fix your firewall to allow PMTUD to function properly across your tunnel...

Can you provide link to the documentation

Look at the very bottom of this wiki page (in the "Winbox" section).

Current TX Power = 0dBm

Current TX power readings are not supported for 802.11ac-capable wireless cards. That's a known (and documented!) limitation that has always been there.

ssbaksa, what is in /tool profile?

bugfix-only/long-term named 'stable' instead?

I have a theory that they may want to support 6.40.x line (the last release branch before the bridge overhaul) for an extended period of time, hence the "long-term". This does not justify, however, renaming "current" to "stable".

Perhaps "current" really was the correct name.

Indeed!

No it does not, unless you scheduled automatic restarts. It's getting a bit off-topic, but still. The default behavior of Windows 10 is to always install updates automatically as soon as they become available, and then force automatic reboot somewhen outside of a (somewhat) configurable "activity p...

Even your "beloved" Microsoft does not force reboots.

In Windows 10 it does, actually.

Where is bugreport page or bugtracker?

Write an email to support@mikrotik.com

!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);

Two questions:

Can this cloud backup be encrypted?
Since Mikrotik cloud services are bound to the device's serial number, is there any way to retrieve a backup when the original device is lost?

I want to confirm if Mikrotik has enabled in the RouterOS to leverage the HW encryption / decryption for AES algorithm used in IPSec Acceleration also applied to OpenVPN Acceleration (aside the issue that only TCP is supported and is slower). What's the point in asking the same question again and a...

I'll bet their market share in the WISP industry today is much smaller then it was 10 years ago.

There are lots of other markets other then WISP...

Hardware Acceleration for AES (OpenVPN protocol)?

As I understand, RouterOS only supports in-kernel HW crypto acceleration, which means it works for IPsec phase2 only. OpenVPN is currently out of luck no matter what board you have.

I have been using these switches

What switches? Please specify exact model(s).
Some small switches (like the RB260 series) are known to have a rather weak CPU which can easily be maxed out when being constantly monitored via ICMP.

What are you talking about?
v6.40.8 includes patches to fix known vulnerabilities including latest winbox port vulnerability.

We are talking about this: viewtopic.php?t=121039#p595087

No, it is not.

Even if you are right with this one it is still vulnerability which is known and is not applied in current/bugfix. Well, the fact that the previous versions of WinBox (even in secure mode) were susceptible to MITM attacks was well-known for years. Many users were concerned and raised questions here...

But that was done because there were bugs that allowed the retrieval of the unencrypted passwords (and thus the quick retrieval of valid user/password combinations as shown) That's correct. And I must admit this change had to be implemented years ago without waiting for bugs like this one to pop up...

in 6.43rc17, something was changed in winbox service (thats why every RC since then has to use Winbox 3.14) to prevent MITM attack. No. And the purpose of this change has been explained here on the forum somewhere, and it has nothing with preventing MITM attacks. RouterOS used to store local user c...

I decided to buy another cloud core and it continues with the same problem says:

Have you tried writing to support@ ? Just curious.

Why the router tries to connect to ip 224.0.0.22?

This is a multicast address that has something to do with IGMPv3. May be related to IGMP proxy or UPnP.

Ive been doing RCs for 8+ years. For 7+ years the RCs were as stable as the stable version. You are exaggerating "a bit". Mikrotik started releasing public RCs since mid-2015 (since v6.32 or 6.31, but definitely not earlier), which means you could not have been using RCs for more then 3 years. And ...

Do you respond to requests from the forum or bugfix create a new bug ?

This is a user forum. Mikrotik staff responds on forum occasionally, but in general all (potential) bugs should be reported to support@ via email.

msatter , another solution to your task would be introducing a separate custom chain for your dynamic rules, then jumping to this custom chain at the point where you currently insert your dynamic rules. In the script you then simply add your dynamic rules to the top of your custom chain not worryin...

Let's see how many client we can hook up.

Please note that it is currently limited to only 8 clients at a time. See page 16 of the 60G presentation from the MUM in Berlin.

Any official answer? I'm a bit tired repeating this again and again, but... This is a user forum. Period. Mikrotik staff may occasionally answer some questions here, but they do not have to. If you need an "official answer" you should write you question to support@. I'm afraid that's the only "offi...

As for scrolling with the mouse/trackpad within managed routers list - we can not reproduce such problem locally.

As Chupaka mentioned above

In Windows 10, the problem appears with disabled "Settings -> Devices -> Mouse -> Scroll inactive windows when I hover over them".

I, personally, find focus jumping to the Password field very handy.
Also I've just checked, scrolling works for me just fine with both mouse scroll-wheel and two-finger scrolling on touchpad no matter what field has focus (Windows 10 pro).

I suspect MT could put out a four-port weatherproof POE switch at nearly the same price point as UBNT. PowerBox Pro is essentially the RB960PGS (hEX PoE) board in an outdoor/weatherproof case. And the former is $20 more expensive ($99) than the latter ($79). Now it appears that a switch similar to ...

Updated: "*) bridge - fixed hw-offload disabling for Mediatek and Realtek switches when STP/RSTP configured;" upload speed through router is still 500 Mbit/s slower when STP/RSTP is activated on the Bridge That's as expected since hw-offloaded STP/RSTP is not supported on Realtek, Mediatek and ICPl...

*) tile - added "aes-ctr" hardware acceleration support;

Can someone explain to me?

https://wiki.mikrotik.com/wiki/Manual:I ... encryption

Is mikrotik affected by Spectre and meltdown bugs? To my understanding, RouterOS x86 and CHR are definitely affected, but since you cannot run your own binaries there they cannot be exploited (unless there are other vulnerabilities that allow one to execute arbitrary code on a router). ARM devices ...

Traffic capture on pe03 shows TCP SYN packet arriving with TCP options where MSS is set as 1312 bytes. Replies aren't visible on this router as they are MPLS switched to br01. Reviewing a packet capture on interface facing 'customer' on br01 or upstream interface on ccr1 shows pe03 sending back an ...

Does anyone know any other devices (routerboards or not) using this specific switch chip? I wonder if we can independently reproduce Mikrotik's claims. I have listed other RouterBOARDs where the same switch chip is used several posts above. They seem to be: hAP ac, OmniTIK 5 ac (including OmniTIK 5...

Hi, anyone any idea why the WebFig of 6.41 behaves different on two identical boards (RouterBOARD 952Ui-5ac2nD)?

Very likely a browser cache issue. Have you tried clearing the cache and/or using another browser.

It is documented here: https://i.mt.lv/routerboard/files/CRS32 ... S-qgv3.pdf.
And printed version of this document should have been shipped along with your router (included in the box).

Is this intended? Shouldn't hw-offload trigger for all of the eligible bridges and not just one at a given time?

It is likely a hardware limitation. It has never been possible to set more then one port as a master-port on any device with a "small" switch-chip on board.

pretty much useles untill You compare it to other mikrotik hardware results. And YES it reflects CPU efficiency utilization by ROS and that is what I wanted to know. It reflects CPU performance under a particular load- in this case bandwidth test application. Profile for other types of load may dif...

I wonder if other RouterBOARD models with the same switch-chip model (QCA8337) suffer from the same problem. According to this wiki page the models in question are: hAP ac, OmniTIK 5 ac (including OmniTIK 5 ac PoE), the old hEX model (RB750Gr2), hEX PoE and PowerBox Pro.

coverage at that power level you suggest is very poor Do you remember that wireless is a bidirectional thing? I mean not only your clients should hear your access point, but you access point should hear you clients too. And so "at that power level" you actually get the best coverage possible for or...

just run TCP bandwitch test to 127.0.0.1.

I'm wondering if you understand that this way you test how fast the btest itself works. And the results of such "test" has nothing to do with how fast your router can forward traffic, i.e. pretty much useless...

Your device is equipped with a so called "SPI flash", which means what you see in the /file menu is actually stored in RAM and is lost any time you reboot your router and only content of the /flash directory is persisted to permanent storage. A quote from here : Warning: If device has a directory na...

SXT Disc Lite5.

There's no such thing. There are SXT Lite5 (without "DISK" in the name) and DISK Lite5 (without "SXT" in the name) and those are two completely distinct products.

Yes, you can use external RADIUS server- that should work just fine (and UserManager is in fact just yet another RADIUS server, running directly atop RouterOS and with management interface built-in). You should also be able to create some local user accounts. There's a whole bunch of documentation h...

On a second thought, I wouldn't recommend disabling the higher data rates. Using lower data rates means using more air time, which in turn means more competition for air time with neighbor networks and worse user experience for both your and your neighbors' networks. This considerations, however, mi...

will i be able to create user logins??

That depends. One important thing to note is that UserManager is not supported on RB3011 (nor any other ARM-base RouterBOARD) yet.

Are your wireless clients allowed to talk to each other?

I set 5Ghz at 23db and 2.4Ghz at 17db. Those values a way too high. For the best user experience the tx-power of your APs should never exceed the max. tx-power of your wireless clients, which lies in the range from 13dBm to 17dBm (depending on the channel) for an average smartphone or tablet. thats...

I have not been able to understand it by reading the material and watching the videos. What materials have you read? The official documentation is here , and is rather detailed. Have you read it? Any specific questions? I have just one home network. One router has DHCP and USERMAN running and in AP...

or at least that should have been stated in the wiki page or product page A quote from the wiki ( link ): Currently MetaRouter can be used on * RB400, RB700 series except models with SPI flash , RB900 series except models with SPI flash , RB2011 boards * Listed PPC boards: RB1000, RB1100, RB1100AH ...

why RouterOS needs to shutdown by software first while other routers not, even routers with OPENWRT or other powerful firmware, we just unplug the power if we what to switch them off. You don't really need to do that. If you just power off your device when you need to you will see an annoying messa...

I set 5Ghz at 23db and 2.4Ghz at 17db.

Those values a way too high. For the best user experience the tx-power of your APs should never exceed the max. tx-power of your wireless clients, which lies in the range from 13dBm to 17dBm (depending on the channel) for an average smartphone or tablet.

in some cases you need to lower 2,4ghz to levels as low as 5dbm, sacrificing too much coverage, only suitable for high density setups

From my experience, the best working multi-AP setups is the ones where 2G coverage is as close to the 5G coverage as possible for each AP in the setup.

Since the M33G has lots of storage options and quite some "horsepower", will there be a dude-server package for the board? PDF says this board features a double-core 880MHz MediaTek CPU, so it is very likely the same ARM that powers hEXr3, for which TheDude server is already available. Still it'll ...

Bought Mikrotik 260GSP to power up my HikVision DS-2CD2020-I Camera.
...
Why the hell it doesn't work with POE switch?

Your camera requires 802.3af type of PoE, whereas RB260GSP only supports Passive PoE.

rogers3b2, what tx-power levels do you use? Making tx-power on 2.4G band lower then on 5G band may help a lot.

You can safely switch to full-featured configuration tools after using QuickSet, but not the other way round. I.e. there's nothing wrong in using QuickSet to do the initial configuration and then switching to a full-featured WebFig/WinBox/Console. However once you do any kind of configuration change...

My question: can I enable FastTrack on download side only, and have full processing on the upload side? To my knowledge, no, you cannot. What board do you use? 240/30 does not sound like too much, there are inexpensive boards now available that can cope with that amount of traffic with ease even wi...

- look in IPsec->Peers and IPsec->Policies what it created and write it down - remove the IPsec passphrase from the GRE tunnel - manually create the same Peer and Policy as you have seen before (and have now disappeared), changing what you want. There's a bit simple way to proceed. Double-click on ...

*) wireless - added support for CHARGEABLE_USER_ID in EAP Accounting;

What does this feature do?

Implements rfc4372, I guess.

*) capsman - use "adaptive-noise-immunity" value from CAP local configuration; I'd like to know a bit more about this change. I believe this is similar to how antenna gain setting is being handled. Simply set the desired value of the adaptive-noise-immunity option in your radio interface configurat...

Please add Metarouter

VM inside VM? Are you serious?

Has the routerboot firmware version naming changed in 6.41rc? Yes, it has. It happened in 6.41rc47 (see here ): !) routerboot - RouterBOOT version numbering system merged with RouterOS; If routerboot firmware now follows the ROS version, I would very much like it to automatically get upgraded too d...

The original problem was not related to MSS and/or packet fragmentation. The usual stream of non-fragmented TCP packets was also affected.

It does actually ... the attacker is replaying retransmissions of message 3 of the 4-way handshake ... so without this re-transmissions to replay the attack would not be possible ... Ok, got it. You're absolutely right here. Still none of the (even patched) APs now do what you suggested to mitigate...

Apparently AP can mitigate this by "bending" the standard 4-way handshake and instead of re-transmitting message 3...

It does not re-transmit anything during attack. It's an attacker who replays the message 3 that was originally transmitted by the real AP.

Search found 1161 matches