Community discussions

Search found 1498 matches

by andriys
Thu Feb 22, 2024 7:18 pm
Forum: Announcements
Topic: v7.14rc [testing] is released!
Replies: 176
Views: 46650

Re: v7.14rc [testing] is released!

Isn't it recommended by Mikrotik documentation in the L3HW docs and the basic VLAN docs to not place a VLAN directly on top of a physical interface?
Only if that physical interface is a bridge port.
by andriys
Tue Feb 06, 2024 10:15 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 253211

Re: v7.13.3 [stable] is released!

And for static routes linux doesn't need to run any daemons.
It still needs some user-land program to manage static routes, and I strongly suspect they put everything routing into a single binary.
by andriys
Thu Jan 25, 2024 11:31 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 253211

Re: v7.13.3 [stable] is released!

Yeah, that's clear. But why should it have any effect on the client interfaces?
by andriys
Thu Jan 25, 2024 11:26 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 253211

Re: v7.13.3 [stable] is released!

Upgraded Audience from 7.12.1 (with wifiwave2) to 7.13.3. Overall, upgrade went smooth, with the only exception that the wifi3 interface in the station-bridge mode refused to connect to my AP (running on channel 163, i.e., 5745/ac/Ceee) until I explicitly specified the country (on the station!) Why ...
by andriys
Wed Jan 24, 2024 4:11 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 147881

Re: v7.14beta [testing] is released!

Maybe not ... I guess that CAPsMAN initiated upgrades of CAPs are actually more or less handled by CAPs the same way as "manually initiated upgrades from within ROS" are ... only the kick to do it comes from CAPsMAN (instead of a GUI button click) and npks are downloaded from different so...
by andriys
Wed Jan 24, 2024 11:07 am
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 147881

Re: v7.14beta [testing] is released!

And this possibly requires change in netinstall as well
As well as the way CAPs are upgraded from CAPsMAN (both versions), I guess. And yet we might not see the whole picture...
by andriys
Mon Jan 22, 2024 2:16 pm
Forum: Announcements
Topic: WinBox v3.40 released!
Replies: 109
Views: 109465

Re: WinBox v3.40 released!

rextended you see more with one eye, than most with two eyes............
He will change the avatar again soon, and then nobody understands your message anymore.
by andriys
Mon Jan 22, 2024 1:13 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 147881

Re: v7.14beta [testing] is released!

Or one could go back to RouterOS v6 long-term, it is still supported and will be for some time as far as I can tell...
Nope. Mikrotik still sells devices with 16MB SPI flash onboard, and many (all?) of those are shipped with v7 from the factory, which makes downgrading them to v6 impossible.
by andriys
Fri Jan 19, 2024 8:44 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 147881

Re: v7.14beta [testing] is released!

I've heard that many chips used to require SPI of 16MB or less to boot from; and if you need more room you add NAND flash in addition to the SPI that is still needed to boot from.
by andriys
Thu Jan 18, 2024 11:55 am
Forum: General
Topic: Forum moderation volunteers
Replies: 238
Views: 35500

Re: Forum moderation volunteers

It's all about the expectations. When I opted in to being a moderator, the expected duties were pretty simple: delete spam and approve new posts. I can totally understand normis when he favors positive attitude towards new beginners over the technical expertise of senior jerks nerds members (me inc...
by andriys
Tue Jan 16, 2024 4:27 pm
Forum: RouterBOARD hardware
Topic: Mikrotik SXT LTE kit & IP camera PoE
Replies: 4
Views: 785

Re: Mikrotik SXT LTE kit & IP camera PoE

Google says your camera supports 802.3af POE only, which SXT LTE does not support.
You may have some luck if you power your SXT with a 48V power supply and then force the POE-out to be always on, but this may as well not work (or even burn your camera).
by andriys
Tue Jan 16, 2024 2:24 pm
Forum: Wireless Networking
Topic: Ethernet AP with DHCP disable don't give mikrotik IP
Replies: 7
Views: 974

Re: Ethernet AP with DHCP disable don't give mikrotik IP

You may have better luck asking this on the D-Link's forum/support/whatever.
Based on your description, I'd say that the "rogue" IP most likely comes from your D-Link.
by andriys
Tue Jan 16, 2024 1:41 pm
Forum: Wireless Networking
Topic: Fast transition with 2 hap ac2 not working
Replies: 4
Views: 781

Re: Fast transition with 2 hap ac2 not working

after that I've tried with a Dell laptop, a Fire tablet, and even a Surface, with no luck.
Regarding Windows laptops and roaming, check this message out.
by andriys
Tue Jan 16, 2024 11:51 am
Forum: Wireless Networking
Topic: Finally success - 802.11r/k/v fast roaming works reliably with WifiWave2
Replies: 53
Views: 13040

Re: Finally success - 802.11r/k/v fast roaming works reliably with WifiWave2

@S8T8 Whatever you set the connect-priority to, the duplicate MAC addresses should not be allowed within the same connect-group. But you are probably correct in your assumption that the connect-priority=0/1 setting is less secure than whatever the default setting is. Please note that the 'MacStea...
by andriys
Tue Jan 16, 2024 11:26 am
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 147881

Re: v7.14beta [testing] is released!

!) rose-storage - moved SMB service in the RouterOS bundle; !) smb - removed legacy SMB service (replaced with newer and faster ROSE SMB service); I wonder how this change affects the bundle size. Compared to beta6, the beta7 ARM and MIPSBE packages seem to be 20K larger, and for the 16M-flash devi...
by andriys
Mon Jan 15, 2024 8:10 pm
Forum: Wireless Networking
Topic: Finally success - 802.11r/k/v fast roaming works reliably with WifiWave2
Replies: 53
Views: 13040

Re: Finally success - 802.11r/k/v fast roaming works reliably with WifiWave2

Windows only supports FT over the networks with 802.1X (i.e. when using WPAx EAP), it does not work in open networks or networks with WPAx PSK. That does not mean Windows laptops do not roam at all, it just means Fast BSS Transition is not supported in those cases. When using the new CAPsMAN, howev...
by andriys
Mon Jan 15, 2024 11:52 am
Forum: General
Topic: User poll about using Winbox
Replies: 97
Views: 52901

Re: User poll about using Winbox

1) Yes, mostly to apply a nicely configured session from an existing device to a new one. 2) They store Winbox windows' layouts (windows positions and sizes, columns visibility, order and widths, etc.). 3) No idea (other than making the session file human readable/editable). 4) I've always believed ...
by andriys
Fri Jan 12, 2024 12:06 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 147881

Re: v7.14beta [testing] is released!

Do you want me to look up each kernel change log and flood this forum post with 500+ lines of networking stack change log? No, of course I don't! But I want you to validate specific pieces of evidence you post before actually posting them. Please note that I, personally, do not argue against the ne...
by andriys
Thu Jan 11, 2024 5:11 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 147881

Re: v7.14beta [testing] is released!

Which part of Not all features/data plane functionality is 100% L3HW. This is MikroTik, not Juniper MX/PTX. is unclear? I specifically quoted the part that is unclear. You posted a link to an article that talks specifically about a TCP end-point optimization to prove your point that the kernel on ...
by andriys
Thu Jan 11, 2024 2:55 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 147881

Re: v7.14beta [testing] is released!

They should upgrade to Linux Kernel 6.8, read this for why:
https://www.phoronix.com/news/Linux-6.8-Networking
I fail to see how that may be relevant for a router.
by andriys
Mon Jan 08, 2024 4:22 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 253211

Re: v7.13 [stable] is released!

where did you get that from? would like to bookmark that
https://help.mikrotik.com/docs/display/ ... ackagetype
by andriys
Mon Jan 08, 2024 4:17 pm
Forum: Announcements
Topic: WinBox v3.40 released!
Replies: 109
Views: 109465

Re: WinBox v3.40 released!

Please advise how I can get this resolved through official support.
By contacting the "official support" first, I guess.
https://help.mikrotik.com/servicedesk/servicedesk or support@mikrotik.com
by andriys
Fri Jan 05, 2024 10:16 pm
Forum: Wireless Networking
Topic: Copy to access list missing on hAP ax2
Replies: 5
Views: 1299

Re: Copy to access list missing on hAP ax2

Feels like yet another "missing feature" (albeit a rather minor one) in the new wireless (wave2) vs the legacy wireless.
by andriys
Fri Jan 05, 2024 11:36 am
Forum: Wireless Networking
Topic: CAPsMAN manager can't manage its own wireless [SOLVED]
Replies: 29
Views: 53446

Re: CAPsMAN manager can't manage its own wireless [SOLVED]

No. You first create a configuration profile and put all you settings in there: /interface wifi configuration add name=my-wifi-config ... Once done, use it for provisioning your remote CAPs and also set that profile for your local radios: /interface wifi set [ find default-name=wifi1 ] configuration...
by andriys
Fri Jan 05, 2024 10:54 am
Forum: Wireless Networking
Topic: CAPsMAN manager can't manage its own wireless [SOLVED]
Replies: 29
Views: 53446

Re: CAPsMAN manager can't manage its own wireless [SOLVED]

... (wifi menu for controlling the wifiwave2 devices) ... Just use the same configuration profiles for both CAPsMAN and local radios. For that, you don't need to join the local box as a CAP, everything (including the roaming protocols) will still work. P.S. Please note that this thread was original...
by andriys
Tue Jan 02, 2024 5:37 pm
Forum: General
Topic: L009UiGS-2HaxD broken POE-Out after update to 7.13
Replies: 1
Views: 564

Re: L009UiGS-2HaxD broken POE-Out after update to 7.13

It is just the "auto" setting that is no longer available (and it was removed in 7.12, not 7.13). You can still force it on or off, though.
by andriys
Tue Jan 02, 2024 10:30 am
Forum: Beginner Basics
Topic: Terrible wifi speed - L009UiGS-2HaxD-IN - Wifi 6 (Router OS 7.13) [SOLVED]
Replies: 27
Views: 4289

Re: Terrible wifi speed - L009UiGS-2HaxD-IN - Wifi 6 (Router OS 7.13) [SOLVED]

Makes me think you were connected to 2.4GHz radio?
L009 does not have 5G radio.
by andriys
Tue Jan 02, 2024 10:23 am
Forum: General
Topic: Firmware upgrade check failing HTTP 404 [SOLVED]
Replies: 6
Views: 1441

Re: Firmware upgrade check failing HTTP 404 [SOLVED]

do I need to report this to MT support?
Reporting problems to support never hurts.
by andriys
Thu Dec 28, 2023 8:48 pm
Forum: Beginner Basics
Topic: hEX PoE lite default + vlan
Replies: 12
Views: 2626

Re: hEX PoE lite default + vlan

This tiny device does not support HW-offloaded bridge VLAN filtering, so enabling bridge-vlan-filtering may have a rather serious impact on performance. In case you really need to do anything VLAN-wise on the switch/bridge you should do that in the /interface ethernet switch menu instead. But, based...
by andriys
Thu Dec 28, 2023 2:14 pm
Forum: Wireless Networking
Topic: DFS on CAPsMAN
Replies: 4
Views: 1726

Re: DFS on CAPsMAN

I'm not quite sure how `disabled` is affecting the channel selection. Does it bypass the CAC requirements and use the channels without scanning them first or does it comply with regulations and uses DFS and CAC where requested by the law? The latter. I just want to know if there is any chance to by...
by andriys
Wed Dec 27, 2023 3:58 pm
Forum: Beginner Basics
Topic: VLan on L009
Replies: 5
Views: 736

Re: VLan on L009

Looking over your configuration real quick, I don't see the bridge-vlan-filtering being enabled.
by andriys
Tue Dec 26, 2023 6:48 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 253211

Re: v7.13 [stable] is released!

Question: I have a network with two AC2s, one as a router and one as an access point via ethernet. If I want to finally have roaming between them, do I just need to install the new wifi driver or do I also have to use Capsman? For 802.11k/r/v CAPsMAN is a must. Do you recommend Capsman for two AC2?...
by andriys
Tue Dec 26, 2023 11:29 am
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 253211

Re: v7.13 [stable] is released!

If I will upgrade to 7.13, the wireless packages of ac2 will be upgraded to the new drivers packages or I have to manually install them?
Manually.

Do I have to reconfigure all my wifis from scratch?
Yes, you do.
by andriys
Sat Dec 23, 2023 10:12 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 147881

Re: v7.14beta [testing] is released!

The latest versions of 6 were all bundled.
No. Even on the very latest v6 (6.49.11 as of this writing) you can still install individual packages in place of a bundle, leaving anything you don't really need out. v7 is very different in this regard.
by andriys
Fri Dec 22, 2023 11:07 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 147881

Re: v7.14beta [testing] is released!

- "stable" means "no more fixes" :we moved on to new features Rather the opposite, "no new features", but fixes may still come (with the third version number increasing). - point release are "blocking" paths in upgrades Mikrotik is not the only vendor doing t...
by andriys
Wed Dec 20, 2023 7:09 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 253211

Re: v7.13 [stable] is released!

News for you, I have many MIPSBE devices, and I use those "lost" features.... "Legacy" wireless package is still available for MIPSBE devices, is fully supported and (as I understand) will keep receiving security fixes. And there are no "lost feature" in the legacy wir...
by andriys
Wed Dec 20, 2023 3:48 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 253211

Re: v7.13 [stable] is released!

Now my old devices are not supported, and will not have any security updates after 7.12.1
Why do you think so? That's simply not true.
by andriys
Tue Dec 19, 2023 10:31 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 253211

Re: v7.13 [stable] is released!

Is there a guide on making both CAPSMANs work at the same time on the same MikroTik device?

I've tried but they don't seem to be able to coexist.
Check this out and see if it helps.
by andriys
Mon Dec 18, 2023 3:38 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 253211

Re: v7.13 [stable] is released!

It should report: 7.13 and epoch date: 1702542240 approx. I suspect that URL was used by RouterOS itself to check for new versions. Now that they mandate the 7.12.x to be an intermediate stop on the upgrade path to 7.13 and newer, I believe they introduced a new URL, and the old one will point to t...
by andriys
Sun Dec 17, 2023 8:30 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 253211

Re: v7.13 [stable] is released!

Setting connect-priority=0/1 ensures connections to a new AP are immediately accepted and the old AP connection is dropped automatically. When using PSK authentication, this allows seamless roaming even without FT.
Thanks for the tip, man. You are a lifesaver!
by andriys
Fri Dec 15, 2023 11:02 am
Forum: Announcements
Topic: v7.13rc [testing] is released!
Replies: 178
Views: 49130

Re: v7.13rc [testing] is released!

@Santi70, do you have specific reasons to desire a kernel upgrade? Or is it upgrade for the sake of upgrade, just because a newer version is available?
by andriys
Thu Oct 19, 2023 12:11 pm
Forum: Announcements
Topic: v7.12rc is released!
Replies: 225
Views: 90084

Re: v7.12rc is released!

I don't really get all this tagged/untagged discussion. The 802.11 frame header has no place for a VLAN ID, so, technically, wifi interfaces are never tagged.
by andriys
Wed Sep 20, 2023 12:36 pm
Forum: Announcements
Topic: v7.12beta [testing] is released!
Replies: 263
Views: 122451

Re: v7.12beta [testing] is released!

Well, to me, it actually sounds logical. If there were a parameter named default I'd expect it to mean "return this if the input buffer is empty", whereas preinput sounds more like "pre-fill the input buffer with this string, please".
by andriys
Tue Aug 01, 2023 2:29 pm
Forum: General
Topic: IKEv2 routing issues
Replies: 8
Views: 3628

Re: IKEv2 routing issues

@Qalderu: being a MacOS limitation this cannot be fixed on the RouterOS side.
If you really need this fixed you should chase the Apple's support instead. :)
by andriys
Wed Jul 26, 2023 3:52 pm
Forum: Announcements
Topic: WinBox v3.39 released!
Replies: 96
Views: 57423

Re: WinBox v3.39 released!

...new Winbox has new exe signature.
Something's wrong with this signature:
2023-07-26_154929.png
2023-07-26_154843.png
by andriys
Fri Mar 17, 2023 11:17 pm
Forum: Beginner Basics
Topic: RB750gr3 on RouterOS 7.8 - IPSEC very slow
Replies: 2
Views: 850

Re: RB750gr3 on RouterOS 7.8 - IPSEC very slow

Hard to be sure without seeing the full config, but it feels like a PMTUD problem.
by andriys
Fri Mar 17, 2023 12:35 pm
Forum: General
Topic: Unstable IPSEC connection between MikroTiks and Forcepoint NGFW [SOLVED]
Replies: 9
Views: 1541

Re: Unstable IPSEC connection between MikroTiks and Forcepoint NGFW [SOLVED]

This traffic selector ("local 0.0.0.0/0 remote 0.0.0.0/0") is typically used for VTI, but does not make much sense for the classic policy-based IPsec. And Mikrotik does not support VTI.
by andriys
Wed Mar 15, 2023 1:30 pm
Forum: Announcements
Topic: v6.48.6 [long-term] is released!
Replies: 126
Views: 273616

Re: v6.48.6 [long-term] is released!

Some pretty off-topic posts have been split into a separate topic and can now be found here: viewtopic.php?t=194519
by andriys
Mon Mar 06, 2023 11:48 am
Forum: Announcements
Topic: v7.8 [stable] is released!
Replies: 425
Views: 137421

Re: v7.8 [stable] is released!

Several posts above you wrote that you have a serial cable. Try entering the Netinstall mode from the RouterBOOT menu.
by andriys
Thu Mar 02, 2023 8:11 pm
Forum: General
Topic: Block IPv6 Portscans - Rule works for IPv4 but not IPv6
Replies: 10
Views: 1424

Re: Block IPv6 Portscans - Rule works for IPv4 but not IPv6

For IPv6 you have to define a separate set of firewall rules in /ipv6 firewall filter. It's not clear from your original post if you have those in place. The rules that work for IPv4 won't match the IPv6 packets.
by andriys
Thu Mar 02, 2023 7:21 pm
Forum: General
Topic: Repeater with capsman configuration
Replies: 6
Views: 609

Re: Repeater with capsman configuration

CAPsMAN can only control physical interfaces, not virtual.
And you cannot manually create a virtual interface if its parent is managed by CAPsMAN.
by andriys
Thu Mar 02, 2023 3:55 pm
Forum: General
Topic: Repeater with capsman configuration
Replies: 6
Views: 609

Re: Repeater with capsman configuration

No, at least not on the same interface.
by andriys
Thu Mar 02, 2023 3:12 pm
Forum: Beginner Basics
Topic: IPSec and ICMP
Replies: 10
Views: 912

Re: IPSec and ICMP

In the classic policy-based IPsec there is no such thing as "IPsec interface". But even if there were such thing, it would have been a peer-to-peer connection interface, and so MAC address would not make much sense there. The outgoing ESP traffic is originated from your VPN endpoint (your ...
by andriys
Thu Mar 02, 2023 1:06 pm
Forum: Beginner Basics
Topic: IPSec and ICMP
Replies: 10
Views: 912

Re: IPSec and ICMP

If I look in a packet trace though those ESP packets still have src and dst MACs. When an ESP packet travels across an Ethernet segment the encapsulating Ethernet frame will contain the source and destination MAC addresses, obviously. Those addresses will not survive crossing the segment's boundary...
by andriys
Thu Mar 02, 2023 12:49 am
Forum: Announcements
Topic: Newsletter 111
Replies: 24
Views: 19505

Re: Newsletter 111

if we are going to assign /64 then it will waste a lot of IP addresses
Is that a problem?
(I mean, do you understand what the capacity of the IPv6 address space really is?)
by andriys
Wed Mar 01, 2023 7:19 pm
Forum: Beginner Basics
Topic: IPSec and ICMP
Replies: 10
Views: 912

Re: IPSec and ICMP

No, it is encapsulated in ESP, which is an L4 protocol.
by andriys
Wed Mar 01, 2023 4:39 pm
Forum: Beginner Basics
Topic: IPSec and ICMP
Replies: 10
Views: 912

Re: IPSec and ICMP

Basically a client has asked me what the src MAC address will be of any traffic going over this tunnel and I've come to the conclusion that it will either be the MAC of the "WAN" interface, or the MAC of the LAN interface that the IP range is configured on... WAT? IPsec (as even the name ...
by andriys
Mon Feb 27, 2023 3:28 pm
Forum: Beginner Basics
Topic: How to set up Wi-Fi Repeater after MikroTik hAP ac Router
Replies: 7
Views: 7534

Re: How to set up Wi-Fi Repeater after MikroTik hAP ac Router

I need just the basic setup steps with any brand of repeater, There is no such thing as a generic WiFi repeater configuration steps. if I can still use the multiple users and vouchers configured on the MicroTik Router for the users after the Wi-Fi Repeater ... ? No, you cannot, unless you use anoth...
by andriys
Mon Feb 27, 2023 2:56 pm
Forum: General
Topic: IPSec issue
Replies: 2
Views: 381

Re: IPSec issue

from the Mikrotik I cannot reach the devices behind the Cisco. ... When debugging the connection, it appears as if the interesting traffic is being NATTED out the WAN interface You have not shared your config, so I can only speculate here. Since you seem to be testing (pinging?) directly from your ...
by andriys
Wed Feb 01, 2023 7:12 pm
Forum: General
Topic: OpenVPN usage the kernel mode ovpn-dco
Replies: 1
Views: 608

Re: OpenVPN usage the kernel mode ovpn-dco

DCO is an implementation detail of the original OpenVPN software. As far as I am aware, Mikrotik does not use the original OpenVPN software, they have reimplemented the OpenVPN protocol handling themselves.
by andriys
Sat Jan 21, 2023 1:53 am
Forum: Announcements
Topic: v7.8beta [testing] is released!
Replies: 307
Views: 72180

Re: v7.8beta [testing] is released!

Bon appetit!
by andriys
Sat Jan 21, 2023 12:39 am
Forum: Announcements
Topic: v7.8beta [testing] is released!
Replies: 307
Views: 72180

Re: v7.8beta [testing] is released!

Zero Trust Cloudflare package option missing. :-P
https://www.youtube.com/watch?v=BbDnBxlBTdY
by andriys
Wed Jan 04, 2023 7:38 pm
Forum: Announcements
Topic: v7.7rc is released!
Replies: 259
Views: 88390

Re: v7.7rc is released!

... I cannot understand why Cisco had to invent the new nonstandard VTI protocol for something that was already covered (and implemented by them!) before as IPIP over IPsec transport mode (or GRE over IPsec transport mode).
The main reason was a few extra bytes of MTU, I guess.
by andriys
Sat Dec 04, 2021 12:37 pm
Forum: Announcements
Topic: Newsletter 103
Replies: 32
Views: 92310

Re: Newsletter 103

wow a new high power CCR with 12 gigabit ports instead of 12 sfp+ 10 gigabit ports..... nonsense Mikrotik missing of fiber datacenter router (CCR2004 is not stable and has a lot problems with packets loss) CCR2116 is based on the CPU from the same family, so will likely be suffering from the same pr...
by andriys
Sat Aug 28, 2021 7:02 pm
Forum: RouterOS beta
Topic: v7.1rc1 [development] is released!
Replies: 344
Views: 75864

Re: v7.1rc1 [development] is released!

@Buster2, logging topics have always worked like that.
Next time you want to complain about something similar, please do that in a separate topic as it is in no way 7.1rc1 specific.
by andriys
Sat Aug 28, 2021 6:37 pm
Forum: RouterOS beta
Topic: v7.1rc1 [development] is released!
Replies: 344
Views: 75864

Re: v7.1rc1 [development] is released!

Log level should be either info or debug, but not both at same time. That's "topic", not "level". They are not equivalent. I don't think there's such thing as log level in RouterOS. You can only specify severity for a certain combination of topics when sending log records to a r...
by andriys
Sat Aug 21, 2021 7:27 pm
Forum: Beginner Basics
Topic: RB2011iL-RM Reset Button Doesn't Work
Replies: 1
Views: 795

Re: RB2011iL-RM Reset Button Doesn't Work

I don't think Netinstall is really necessary in your case. At least not yet.
Here's a Quick Start Guide for your device: https://i.mt.lv/cdn/product_files/RB201 ... 191058.pdf
Read the "Buttons and Jumpers" section carefully, then follow the procedure to reset configuration.
by andriys
Sat Aug 14, 2021 8:18 pm
Forum: Beginner Basics
Topic: Optical ring setting
Replies: 11
Views: 2164

Re: Optical ring setting

If you look at the block diagram of your RB953GS-5HnT you may notice that only the first SFP cage is connected to the built-in switch chip, whereas the second SFP cage is connected directly to the SoC (CPU). That means all the transit L2 traffic goes through the CPU, which may be a seriously limitin...
by andriys
Thu Aug 12, 2021 8:01 pm
Forum: RouterOS beta
Topic: v7.1beta6 [development] is released!
Replies: 377
Views: 241128

Re: v7.1beta6 [development] is released!

how is the router supposed to know that certain traffic is to be routed to that L2TP connection unless it already is established
You can specify L2TP interface itself as a gateway in a static route (including default one).
by andriys
Thu Aug 12, 2021 1:57 pm
Forum: Scripting
Topic: RouterOS Script Package Manager
Replies: 10
Views: 2396

Re: RouterOS Script Package Manager

Reinventing the wheel continues...

Have you seen this MUM presentation?
https://www.youtube.com/watch?v=B9neG3oAhcY (Slides: https://mum.mikrotik.com/presentations/ ... 338589.pdf)
by andriys
Wed Aug 11, 2021 7:28 pm
Forum: RouterOS beta
Topic: Feature Request: Ignore any split-second lte link down state
Replies: 2
Views: 1558

Re: Feature Request: Ignore any split-second lte link down state

That's a result of using action=masquerade in NAT. Using action=srcnat instead is a solution. This will require manually specifying your public IP address, however.
by andriys
Tue Aug 10, 2021 3:54 pm
Forum: Beginner Basics
Topic: error of peer does not exist
Replies: 2
Views: 2434

Re: error of peer does not exist

That appears to be a cosmetic WinBox issue, you can simply ignore those messages.
by andriys
Tue Aug 10, 2021 1:20 pm
Forum: General
Topic: How to use one Identity for multiple Peers?
Replies: 2
Views: 806

Re: How to use one Identity for multiple Peers?

Are you talking about IPsec?
If yes, what you are asking for does not seem to be possible/supported...
by andriys
Sun Aug 08, 2021 11:15 pm
Forum: Wireless Networking
Topic: WDS between Mikrotik AP and OpenWRT client just doesn't work
Replies: 3
Views: 2058

Re: WDS between Mikrotik AP and OpenWRT client just doesn't work

While 802.11 defines the 4-address wireless frame format, it provides no guidelines on how to actually use it. So all vendors implement WDS in their own proprietary ways, which are generally incompatible with each other. Both Mikrotik's WDS and station-bridge mode support fall into this category.
by andriys
Sat Aug 07, 2021 3:53 pm
Forum: General
Topic: Is it possible to set WinBox defaults?
Replies: 8
Views: 1427

Re: Is it possible to set WinBox defaults?

Rextended, you are missing the point here. What OP is asking for is session settings that are used to bootstrap new sessions when you connect to some box for the very first time. Indeed, that would be a nice-to-have feature.
by andriys
Sat Aug 07, 2021 11:00 am
Forum: Beginner Basics
Topic: RB4011 PoE AP
Replies: 2
Views: 744

Re: RB4011 PoE AP

RB4011 only supports Passive PoE (both -in and -out). Datasheet for your AX214 does not provide any information on what types of PoE it accepts, so I assume it is 802.3af/at only. Which means they are not compatible and you cannot power AX214 using RB4011.
by andriys
Thu Aug 05, 2021 11:37 pm
Forum: General
Topic: [Feature Request] ChaCha20-Poly1305
Replies: 10
Views: 3488

Re: [Feature Request] ChaCha20-Poly1305

Hence, it's not quite the same. All this noise about google is here because the original poster wrote this: Google uses this algorithm everywhere, it means that there is a future behind this algorithm. Whereas in fact it does not mean anything. So in this context "it is actually quite the same...
by andriys
Thu Aug 05, 2021 10:56 pm
Forum: General
Topic: Feature request: Force sending of DHCP options to clients
Replies: 71
Views: 21217

Re: Feature request: Force sending of DHCP options to clients

The point is, asking Mikrotik to implement something that would allow others to keep violating the standards means encouraging those others to keep doing what they are doing. One should rather ask people violating the standards to stop doing that. You always have choice. In case your ISP provides yo...
by andriys
Wed Aug 04, 2021 9:44 pm
Forum: General
Topic: Feature request: Force sending of DHCP options to clients
Replies: 71
Views: 21217

Re: Feature request: Force sending of DHCP options to clients

This sounds like "I would rather not use Mikrotik products because there is no way to workaround DHCP client bugs in some 3rd party products, but keep using those buggy 3rd party products..."
by andriys
Wed Aug 04, 2021 1:32 pm
Forum: RouterBOARD hardware
Topic: RB1200 CPU Speed -- Inconsistent info here and on the web. [SOLVED]
Replies: 4
Views: 3399

Re: RB1200 CPU Speed -- Inconsistent info here and on the web. [SOLVED]

Forum became so boring idle rextended decided to reply to a 5 year old unanswered question...
by andriys
Sun Aug 01, 2021 7:55 pm
Forum: RouterBOARD hardware
Topic: Add LTE SIM card to CCR1009-7G-1C-1S+
Replies: 2
Views: 2132

Re: Add LTE SIM card to CCR1009-7G-1C-1S+

Yes, via USB.
Check this page out to get an idea of what may be supported: https://help.mikrotik.com/docs/display/ROS/Peripherals
by andriys
Sun Aug 01, 2021 12:36 pm
Forum: General
Topic: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]
Replies: 13
Views: 1585

Re: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]

My guess is that many people would assume that the parameter is applied in the default config sourcenat rule with action=accept when reading the MT file. I don't think I understand what you meant here. I don't believe many would think If there is no action parameter then we should assume there is ac...
by andriys
Sat Jul 31, 2021 11:23 pm
Forum: General
Topic: Term/technique for local network lookup of CNAME/A record pointing to local network?
Replies: 5
Views: 1055

Re: Term/technique for local network lookup of CNAME/A record pointing to local network?

I can think of at least two approaches here.

The first approach is a so called split-horizon DNS. I don't think you can do this on a Mikrotik router, an external DNS server is required.

The second approach is "hairpin NAT". Search the forum, there are plenty of examples here.
by andriys
Sat Jul 31, 2021 11:15 pm
Forum: General
Topic: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]
Replies: 13
Views: 1585

Re: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]

I didn't ask what the default action for action is, but if inserting a NO ACTION rule is a BUG or does something ... C'mon! You are playing on words, aren't you? And in case you are not, action in a firewall filter/NAT/mangle rule is nothing more than just another parameter. The default value of a ...
by andriys
Sat Jul 31, 2021 11:01 am
Forum: General
Topic: Feature request : udpxy
Replies: 3
Views: 2012

Re: Feature request : udpxy

which does this. Except, it does not... :) udpxy is a web server (proxy) that subscribes to multicast streams on behalf of its clients, then sends the contents of the received multicast streams back to clients over HTTP connections. Correct me if I am wrong, but I do not remember anything in the mu...
by andriys
Sat Jul 31, 2021 10:57 am
Forum: Beginner Basics
Topic: what is the shortest masquerade rule possible?
Replies: 7
Views: 1481

Re: what is the shortest masquerade rule possible?

Ah, I now see where the rextended's question on "useless NAT rules" came from!

The default NAT action is "accept", so that "shortest rule" will NOT do masquerading. Rather the opposite, it will exempt all traffic from NAT.
by andriys
Sat Jul 31, 2021 10:40 am
Forum: General
Topic: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]
Replies: 13
Views: 1585

Re: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]

The default action is "accept" (here's a documentation link), so those rules are not useless at all.
by andriys
Thu Jul 29, 2021 10:21 pm
Forum: General
Topic: Packet loss when using ipsec on the mmips platform [SOLVED]
Replies: 2
Views: 1342

Re: Packet loss when using ipsec on the mmips platform [SOLVED]

Make sure you do not fasttrack the inner-tunnel traffic. Perhaps just try disabling all fasttrack rules first and see if it helps.
by andriys
Wed Jul 28, 2021 1:56 pm
Forum: Beginner Basics
Topic: Dual wan
Replies: 10
Views: 1825

Re: Dual wan

Because nobody moderates the forum 24/7. Your post was approved when one of the moderators had time to do that.
by andriys
Tue Jul 27, 2021 6:59 pm
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 202
Views: 91243

Re: MikroTik RB5009UG+S+IN

Assuming they don't improve it further, would that mean it's a false economy to get the RB5009 if the RB4011 is just as fast if you use v6?
If you watched the video introduction, there they said RB5009 will NOT be compatible with v6.
by andriys
Mon Jul 26, 2021 4:46 pm
Forum: Beginner Basics
Topic: layer 7 port forwarding
Replies: 17
Views: 4398

Re: layer 7 port forwarding

"how to do reverse proxy in mikrotik" You can NOT do that on Mikrotik itself, there is simply NO reverse HTTP proxy on RouterOS. The L7 hack is NOT a proxy. Also, a few posts back I wrote the following, I think this may be the best solution in your situation: I suspect you already have so...
by andriys
Mon Jul 26, 2021 4:37 pm
Forum: Virtualization
Topic: cant install purchased license on PC x86
Replies: 2
Views: 5206

Re: cant install purchased license on PC x86

This forum is not the best place for asking help with licensing problem. Please contact support instead: https://help.mikrotik.com/servicedesk/servicedesk
by andriys
Mon Jul 26, 2021 4:22 pm
Forum: RouterBOARD hardware
Topic: Powerbox Pro overload detection
Replies: 13
Views: 7411

Re: Powerbox Pro overload detection

but that would require that I add a 12V->24V boost converter Is adding another 12V battery in series an option? Also, the original question was about Powerbox Pro, but since in your case it is RB260GSP you have an option to disable/limit that overcurrent protection by enabling the "Port1 PoE I...
by andriys
Sat Jul 24, 2021 11:59 pm
Forum: Beginner Basics
Topic: layer 7 port forwarding
Replies: 17
Views: 4398

Re: layer 7 port forwarding

And so what? Ports are different. And while for SSTP there are good reasons to keep it running on 443/tcp, are there any equally good reasons to run WireGuard on, say, 443/udp?
by andriys
Sat Jul 24, 2021 11:49 pm
Forum: Beginner Basics
Topic: layer 7 port forwarding
Replies: 17
Views: 4398

Re: layer 7 port forwarding

Well, for SSTP that kinda makes sense. But not so much for WireGuard since it only uses UDP as a transport...
by andriys
Sat Jul 24, 2021 11:39 pm
Forum: Beginner Basics
Topic: layer 7 port forwarding
Replies: 17
Views: 4398

Re: layer 7 port forwarding

@Cablenut9, all your options suggest that you needed this for yourself only. In that case setting up some kind of a VPN would have been a much easier, cleaner and more flexible solution... @prisoner267, I suspect you already have some web server on your NAS, your other machine, or both. So one thing ...
by andriys
Sat Jul 24, 2021 11:13 pm
Forum: General
Topic: Pure IPSEC with ECMP
Replies: 10
Views: 1667

Re: Pure IPSEC with ECMP

could you tell me when it is useful to set 2 peers for the same policy?
It may be useful for failover.
by andriys
Sat Jul 24, 2021 11:01 pm
Forum: Beginner Basics
Topic: layer 7 port forwarding
Replies: 17
Views: 4398

Re: layer 7 port forwarding

@Cablenut9, I am 99% confident that in OP's case both MyNAS.XYZ.com and MyBlog.XYZ.com point to the same IP address. That's kinda obvious...
by andriys
Sat Jul 24, 2021 10:56 pm
Forum: Beginner Basics
Topic: layer 7 port forwarding
Replies: 17
Views: 4398

Re: layer 7 port forwarding

You need a so called HTTP reverse proxy to do this kind of redirect properly. RouterOS does not have that, so "L7 hack" is your only option in case you absolutely have to do that on Mikrotik itself.
by andriys
Sat Jul 24, 2021 3:09 pm
Forum: RouterBOARD hardware
Topic: Is the cAP ac a passive PoE or an active one?
Replies: 1
Views: 1330

Re: Is the cAP ac a passive PoE or an active one?

The unit accepts both 802.3af/at and Passive PoE on input, but only provides Passive PoE on output. The injector that ships with the unit is Passive only.
by andriys
Sat Jul 24, 2021 2:14 pm
Forum: RouterBOARD hardware
Topic: SXTsq 5 ac on CRS328-24P-4S+ POE switch 'Current too low'
Replies: 3
Views: 2284

Re: SXTsq 5 ac on CRS328-24P-4S+ POE switch 'Current too low'

Good work on the support Mikrotik, not.
Did you realize this is a user forum and not a support platform? I am not sure anyone from support saw this topic at all.
by andriys
Sat Jul 24, 2021 12:56 pm
Forum: General
Topic: iPhone not resolving static dns entries [SOLVED]
Replies: 10
Views: 3244

Re: iPhone not resolving static dns entries [SOLVED]

Do you happen to use the .local domain for your static entries? I saw someone mentioned in another thread that Apple only uses mDNS (but not "regular" DNS) to resolve names ending in .local.
by andriys
Sat Jul 24, 2021 11:53 am
Forum: Beginner Basics
Topic: Port 2 deletion in year 2021
Replies: 8
Views: 1374

Re: Port 2 deletion in year 2021

This only works if the bottom 2 bits in the top octet of the MAC are 0, but should they not be in any situation where you'd use this rule? I will assume "bottom 2 bits" means "least significant 2 bits" here. The two least significant bits of the first octet of a MAC address have...
by andriys
Tue Jul 20, 2021 2:33 pm
Forum: General
Topic: Pure IPSEC with ECMP
Replies: 10
Views: 1667

Re: Pure IPSEC with ECMP

Yes. On each side I have a dedicated edge device for each ISP line (those are three ASA boxes on one side and three RB4011 on the other). An IPsec tunnel is built between each pair of edge devices, three tunnels in total. All these tunnels share exactly the same policies (i.e. bridge exactly the sam...
by andriys
Tue Jul 20, 2021 1:31 pm
Forum: General
Topic: Pure IPSEC with ECMP
Replies: 10
Views: 1667

Re: Pure IPSEC with ECMP

I have an installation where I do a similar thing, except I have three ISP connections on both sides, not two. It is easy in my case because I have 4 routers on each side. And I am not sure you can do that with just one.
by andriys
Mon Jul 19, 2021 8:42 pm
Forum: General
Topic: Site to site Layer 2 VPN with full ethernet MTU -- over IPv6
Replies: 11
Views: 2536

Re: Site to site Layer 2 VPN with full ethernet MTU -- over IPv6

Is there any point sending a supout to Mikrotik....?
Yes, there is. Please do.
by andriys
Sat Jul 17, 2021 12:20 pm
Forum: Beginner Basics
Topic: manage config with subversion
Replies: 8
Views: 1315

Re: manage config with subversion

Do you have any hints on the "restoring configuration from export"? I do that rather rarely, mostly while changing/upgrading gears. What works best for me is /system reset-configuration keep-users=yes no-defaults=yes skip-backup=yes, then connect using MAC-WinBox or MAC-telnet and apply...
by andriys
Fri Jul 16, 2021 5:31 pm
Forum: Beginner Basics
Topic: manage config with subversion
Replies: 8
Views: 1315

Re: manage config with subversion

I've been doing exactly that (tracking configuration history by storing configuration exports in svn) for several years now, and it is working great for me. I would only encourage you to use /export terse - the output will be slightly less human-friendly, but much more diff-friendly, which I find to...
by andriys
Fri Jul 16, 2021 12:02 pm
Forum: Beginner Basics
Topic: Why does "Quick Set" only allow for Internet on Eth1 or SFP1 [SOLVED]
Replies: 6
Views: 1905

Re: Why does "Quick Set" only allow for Internet on Eth1 or SFP1 [SOLVED]

QuickSet is a tool for housewives with little to no knowledge in networking to quickly make their brand new gear up and serving WiFi in their kitchens. The number of configuration choices is deliberately limited to keep the damn thing simple. QuickSet is not meant to make trivial things more accessi...
by andriys
Thu Jul 15, 2021 11:23 pm
Forum: Scripting
Topic: Create an .exe for restarting the mikrotik
Replies: 14
Views: 2627

Re: Create an .exe for restarting the mikrotik

this method doesn't require that you leak your login credentials to anyone with a copy of the shortcut
Anyone "double-clicking that shortcut" should have read access to a copy of the private key and that automatically grants him/her full access to the router.
by andriys
Thu Jul 15, 2021 1:56 pm
Forum: General
Topic: Site to site Layer 2 VPN with full ethernet MTU -- over IPv6
Replies: 11
Views: 2536

Re: Site to site Layer 2 VPN with full ethernet MTU -- over IPv6

MTU of the EoIP interface itself should always match the MTU of the networks you are bridging, i.e. 1500 in most cases.

In-transit fragmentation is forbidden in IPv6 networks, packets may only be fragmented by sending parties. Functional PMTUD is vital in IPv6, so make sure you do not block ICMPv6.
by andriys
Wed Jul 14, 2021 12:58 pm
Forum: General
Topic: MTU-size for IPSec tunnel
Replies: 5
Views: 4340

Re: MTU-size for IPSec tunnel

@msatter, I don't see how your tip applies to the OP's situation. Your link basically describes a workaround for a specific case when tunneling all (also with NAT) through IPsec prevents PMTUD to work. That is not a problem for a regular IPsec use case when IPsec is used to interconnect specific subn...
by andriys
Wed Jul 14, 2021 12:39 pm
Forum: General
Topic: MTU-size for IPSec tunnel
Replies: 5
Views: 4340

Re: MTU-size for IPSec tunnel

MSS is a TCP thing, and RADIUS only supports UDP as a transport, so the rules you've mentioned will never work with RADIUS. Fragmenting large UDP datagrams should not be a problem. Unless DF bit set, of course, in which case fragmenting is forbidden. The latter usually happens during path MTU discov...
by andriys
Tue Jul 13, 2021 7:35 pm
Forum: Beginner Basics
Topic: RB1100AH - Blocked ports [SOLVED]
Replies: 5
Views: 2123

Re: RB1100AH - Blocked ports [SOLVED]

Try connecting with WinBox using MAC-address instead of IP. And if that does not work then the only option is serial console, I guess.
by andriys
Mon Jul 12, 2021 10:04 am
Forum: General
Topic: IKEv2 Bandwidth capped
Replies: 1
Views: 580

Re: IKEv2 Bandwidth capped

IPsec encoding of a single TCP stream (connection) is always tied (and thus limited) to a single CPU core to avoid packet reordering. If you run multiple TCP streams in parallel you should be able to get a much higher overall throughput.
by andriys
Sun Jul 11, 2021 10:17 pm
Forum: RouterBOARD hardware
Topic: hEX PoE RB960PGS does not power Netgear WAX214 [SOLVED]
Replies: 7
Views: 3165

Re: hEX PoE RB960PGS does not power Netgear WAX214 [SOLVED]

Does MikroTik have a recommended one? Mikrotik offers a couple of power supplies (see e.g. MT48-480095-11DG and MT48-570080-11DG), but you can use literally any with sufficient power output. I wonder why it doesn't come with the appropriate power supply though, is a 24V one actually cheaper? I gue...
by andriys
Sun Jul 11, 2021 5:25 pm
Forum: RouterBOARD hardware
Topic: hEX PoE RB960PGS does not power Netgear WAX214 [SOLVED]
Replies: 7
Views: 3165

Re: hEX PoE RB960PGS does not power Netgear WAX214 [SOLVED]

You need to use a 48-57V power adapter when you need to provide power to 802.3af/at devices. The 24V power supply that comes with your hEX PoE unit is not sufficient. That is clearly documented on the product page.
by andriys
Sun Jul 11, 2021 5:14 pm
Forum: SwOS
Topic: RB260GSP, short circuit error
Replies: 28
Views: 10114

Re: RB260GSP, short circuit error

Do you know there should be a "Port1 PoE In Long Cable" setting on the System tab? See: - https://wiki.mikrotik.com/wiki/SwOS/CSS106#System (for the current RB260GSP / CSS106 boxes) - https://wiki.mikrotik.com/wiki/SwOS/RB250_RB260#PoE_and_Health_.28RB260GSP_only.29 (for the older/original...
by andriys
Sat Jul 10, 2021 4:41 pm
Forum: SwOS
Topic: RB260GSP, short circuit error
Replies: 28
Views: 10114

Re: RB260GSP, short circuit error

The power drop on (wire1) (actually any wire) depends on the current. So at peak times the power drop may be significantly higher than in a steady state. Now, the overcurrent protection is likely implemented by monitoring (rapid) voltage drops (instead of current peaks). Which means a long (relative...
by andriys
Fri Jul 09, 2021 1:01 pm
Forum: General
Topic: IPSEC Site-to-Site Routing
Replies: 13
Views: 2273

Re: IPSEC Site-to-Site Routing

NAT was just another way to solve your problem. And it was easy. And "universal", meaning you can implement it no matter what else you have configured and how. Your "route to bridge" solution works because you happen to have an interface (bridge) with an IP address that is covere...
by andriys
Fri Jul 09, 2021 12:55 pm
Forum: General
Topic: IPSEC Site-to-Site Routing
Replies: 13
Views: 2273

Re: IPSEC Site-to-Site Routing

It should be "src-nat". The "dst-nat" thing only works for incoming connections destined to your router.

P.S. IPsec is a rather "advanced" topic, but the NAT is pretty basic, really. And your NAT-ing mistakes look so naive...
by andriys
Fri Jul 09, 2021 11:01 am
Forum: General
Topic: IPSEC Site-to-Site Routing
Replies: 13
Views: 2273

Re: IPSEC Site-to-Site Routing

"action=accept" in NAT means "do nothing". No wonder nothing changed. :)
by andriys
Thu Jul 08, 2021 10:56 pm
Forum: Wireless Networking
Topic: Dual radio, same ssid , preferred 5GHz band
Replies: 17
Views: 10132

Re: Dual radio, same ssid , preferred 5GHz band

Nah, COBOL!
by andriys
Wed Jul 07, 2021 5:33 pm
Forum: General
Topic: IPSEC Site-to-Site Routing
Replies: 13
Views: 2273

Re: IPSEC Site-to-Site Routing

When DNS resolver (on your router) makes a request it uses one of the IP addresses assigned to interfaces of your router. Which one depends on what you have in the routing tables. In most cases that will just be your external address. I am confident that address is not covered by your IPsec policy. ...
by andriys
Sat Jul 03, 2021 10:37 pm
Forum: Wireless Networking
Topic: Range hap ac3 vs others - Coverage and antenna count
Replies: 5
Views: 3334

Re: Range hap ac3 vs others - Coverage and antenna count

Is there a significant difference in real WiFi coverage between the hap ac2 vs hap ac3 to justify the higher price of the latter? hAP ac³ (as compared to hAP ac²) has a slightly better CPU, more RAM and way more flash (and a decent amount of flash, for example, means better chances your WiFi will b...
by andriys
Fri Jul 02, 2021 10:42 am
Forum: General
Topic: Syslog to log NAT/CGN-Nat translations
Replies: 13
Views: 2802

Re: Syslog to log NAT/CGN-Nat translations

Can I and how do I , log ( syslog and/or syslog to a remote syslog server ) all NAT translations ? NetFlow is the answer here. It will export ("log") all the connection tracking statistics for you. Use NetFlow v9 as it provides a richer set of information, including full NAT details for e...
by andriys
Fri Jul 02, 2021 10:31 am
Forum: Announcements
Topic: SwOS Lite version 2.13 released!
Replies: 31
Views: 30143

Re: SwOS Lite version 2.13 released!

Indeed, SwOS Lite version 2.14 topic is here: viewtopic.php?f=21&t=175736
by andriys
Thu Jul 01, 2021 3:48 pm
Forum: General
Topic: MIkrotik Syslog New Format
Replies: 23
Views: 3663

Re: MIkrotik Syslog New Format

What you need is a NetFlow collector. You set up the collector, then configure your router to export the traffic flow information (see the Traffic Flow manual page). Once your traffic data is collected you can export it in whatever format you want. However, please note that: (a) you cannot run a NetFl...
by andriys
Thu Jun 03, 2021 11:47 am
Forum: Announcements
Topic: v6.47.10 [long-term] is released!
Replies: 148
Views: 65459

Re: v6.47.10 [long-term] is released!

In the vast majority of cases SMIPS upgrade problems are caused by RAM shortage and not flash shortage. The error message may be misleading, when it talks about disk space it is usually complaining about RAM drive. If you have problems upgrading SMIPS routers try rebooting the device first, then att...
by andriys
Thu Apr 08, 2021 3:46 pm
Forum: Announcements
Topic: SwOS version 2.12 released!
Replies: 90
Views: 87035

Re: SwOS version 2.12 released!

Saiks, SwOS has web interface only. The app is only for RouterOS.
by andriys
Mon Dec 07, 2020 6:17 pm
Forum: Announcements
Topic: v6.48beta [testing] is released!
Replies: 184
Views: 114195

Re: v6.48beta [testing] is released!

*) ipsec - added SHA384 hash algorithm support for phase 1 (CLI only); Strange effects when attempting to edit ip ipsec profile created with sha384 hash in Winbox 3.27 - the hash is shown as MD5. That "CLI only" remark means setting this up is not currently supported in either WinBox or W...
by andriys
Thu Dec 03, 2020 7:26 pm
Forum: RouterOS beta
Topic: v7.1beta3 [development] is released!
Replies: 261
Views: 78620

Re: v7.1beta3 [development] is released!

I am sure that 16MB flash nonsense is not so much about money as it is about technology. I've recently posted my thoughts about it here . Now I just wanted to add that the reason all Mikrotik devices with SPI flash chips are limited to 16MB might be the relatively old kernel in v6. Though should it ...
by andriys
Sun Nov 22, 2020 8:27 pm
Forum: RouterOS beta
Topic: v7.1beta2 [development] is released!
Replies: 385
Views: 152867

Re: v7.1beta2 [development] is released!

This is clearly off-topic gone wild, but let me add my 2¢ anyways. :) That 16MB flash thing is not only economical, but also technical. If you take a close look on the different RouterBOARDs you'll notice that all those 16MB flash devices use SPI Flash chips, whereas devices with a larger amount of ...
by andriys
Wed Nov 18, 2020 1:34 pm
Forum: Beginner Basics
Topic: Routerboard RB3011 Reset
Replies: 2
Views: 8729

Re: Routerboard RB3011 Reset

The reset button is a multi-function thing and needs to be operated properly. You can read about it here:
* Wiki page: https://wiki.mikrotik.com/wiki/Manual:R ... set_button
* Device-specific quick-start guide: https://i.mt.lv/cdn/product_files/rb301 ... 190656.pdf
by andriys
Mon Nov 16, 2020 4:31 pm
Forum: Announcements
Topic: MikroTik newsletter November 2020 (#98)
Replies: 65
Views: 32463

Re: MikroTik newsletter November 2020 (#98)

5ghz backup is useless because:
When the first 60G devices were introduced there were a lot of folks asking for combined devices with 5G backup. Now that the first such device is introduced there are other guys saying the opposite...
by andriys
Sun Nov 08, 2020 2:27 pm
Forum: General
Topic: Want traffic flow Between two bridges
Replies: 3
Views: 959

Re: Want traffic flow Between two bridges

Screenshots are useless. Post full configuration export instead.

But in general, what I wrote in the previous post still applies. Make sure those two requirements are satisfied, and then everything you described should just work.
by andriys
Fri Nov 06, 2020 5:55 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: Recovery Partition or Dual Boot Directory Structure
Replies: 3
Views: 1751

Re: FEATURE REQUEST: Recovery Partition or Dual Boot Directory Structure

Would help of course, if ARM was officially supported.
I think they just forgot to update the wiki page. Partitioning works just fine on ARM devices with enough storage.
by andriys
Thu Nov 05, 2020 12:49 pm
Forum: General
Topic: intrusion
Replies: 2
Views: 681

Re: intrusion

What is it?
by andriys
Wed Nov 04, 2020 6:42 pm
Forum: General
Topic: Want traffic flow Between two bridges
Replies: 3
Views: 959

Re: Want traffic flow Between two bridges

It should be as simple as satisfying the following two requirements:

1. Make sure you do not block traffic between Stream and LAN subnets.
2. Make sure computers on Stream subnet only use your ADCs as DNS servers.
by andriys
Wed Nov 04, 2020 4:07 pm
Forum: General
Topic: IPSEC stuck CPU on 100% [SOLVED]
Replies: 3
Views: 2002

Re: IPSEC stuck CPU on 100% [SOLVED]

I saw a similar behavior with broken IPsec configuration recently. My issue appears to be partially resolved in 6.48beta48. So one thing you can try doing is upgrade to that beta; check if your IPsec configuration can be accessed/exported again; in case it can, remove everything from /ip ipsec and then...
by andriys
Mon Nov 02, 2020 6:39 pm
Forum: General
Topic: Feature request: easy to copy console rules from GUI
Replies: 2
Views: 767

Re: Feature request: easy to copy console rules from GUI

Do you know that an export command exists on RouterOS?
Check this page out: https://wiki.mikrotik.com/wiki/Manual:C ... figuration
by andriys
Thu Oct 22, 2020 3:20 pm
Forum: Beginner Basics
Topic: P2P on two Sxtsq lite 5 ! Ap mode not allowed
Replies: 1
Views: 575

Re: P2P on two Sxtsq lite 5 ! Ap mode not allowed

The AP mode is not allowed on my device.
You should use bridge mode instead. For more details please check this page out.
by andriys
Thu Oct 22, 2020 11:23 am
Forum: General
Topic: usb drive performance
Replies: 12
Views: 8294

Re: usb drive performance

What nonsense.
why do they put USB in it at all.
Guess, 3G/LTE dongles, serial communication, etc. Mikrotik produces routers, not NAS devices, after all, so SMB/FTP/etc functions are purely supplementary (firmware update, backup download/upload, hotspot customization, etc.).
by andriys
Thu Oct 22, 2020 10:53 am
Forum: Beginner Basics
Topic: connect to mikrotik by mac
Replies: 1
Views: 564

Re: connect to mikrotik by mac

Have a look at RoMON.
by andriys
Wed Oct 21, 2020 8:23 pm
Forum: Announcements
Topic: Newsletter 97 (September 2020)
Replies: 87
Views: 37826

Re: Newsletter 97 (September 2020)

Only the reception of the access point may improve, not the signal strength. I was thinking about this lately. I believe better reception (higher rx sensitivity) also means higher sensitivity to the interference. So you are getting better coverage, but can only enjoy it in quiet areas, whereas in t...
by andriys
Tue Oct 20, 2020 10:36 pm
Forum: General
Topic: station-pseudobridge-clone bug
Replies: 1
Views: 796

Re: station-pseudobridge-clone bug

Is this the best place to report bugs?
Nope. This is NOT a place to report bugs at all. Bug reports should go to https://mikrotik.com/support.
by andriys
Thu Oct 15, 2020 9:13 pm
Forum: RouterBOARD hardware
Topic: hAP ac³
Replies: 42
Views: 13731

Re: hAP ac³

Do not mix up the antenna gain and the signal strength. When using a high gain antenna your router has to reduce tx power to stay within the legal boundaries, so the max signal strength you get is the same. However the effective coverage is usually better, thanks to a better sensitivity on reception.
by andriys
Thu Oct 15, 2020 1:14 pm
Forum: Beginner Basics
Topic: How to send PM to other user (ie. privately contacting a user)? [SOLVED]
Replies: 17
Views: 9262

Re: How to send PM to other user (ie. privately contacting a user)? [SOLVED]

I noticed the PM is now disabled again. Was it that bad being enabled?
by andriys
Thu Oct 15, 2020 12:19 pm
Forum: RouterOS beta
Topic: 7.1. betta 2 RB4011iGS + Procurve 2810-24G (J9021A) = 10Mbit on Ethernet port
Replies: 4
Views: 1402

Re: 7.1. betta 2 RB4011iGS + Procurve 2810-24G (J9021A) = 10Mbit on Ethernet port

Are you sure this is a 7.1beta specific problem? I.e. can you confirm there's no such problem with v6? Also please check your cables. From my own experience, these old HP 2810 series switches are very sensitive to even slight cabling problems, and fall back to 10M half-duplex (or does not work at all ...
by andriys
Sun Oct 11, 2020 4:06 pm
Forum: RouterBOARD hardware
Topic: Hex gr3 suddenly lost power
Replies: 5
Views: 1397

Re: Hex gr3 suddenly lost power

If it's just 3 months old, is RMA an option?
by andriys
Fri Oct 09, 2020 1:02 pm
Forum: General
Topic: ECMP balancing sometimes breaks TCP connection
Replies: 9
Views: 1846

Re: ECMP balancing sometimes breaks TCP connection

When a packet with destination 10.10.10.0/24 gets in the mikrotik router, ECMP computes a hash based on Source Address, Destination Address, Protocol, Source Port, Destination Port, and that decides whether the packet is sent to gateway 10.20.20.2 or 10.20.20.3, right? Not quite. According to this ...
by andriys
Thu Oct 08, 2020 1:02 pm
Forum: General
Topic: Why I can't download latest version RouterOS from mikrotik.com/download?
Replies: 8
Views: 1445

Re: v6.47.4 [stable] is released!

Certificate is OK
Wrong certificate, erlinden was asking about the certificate from download.mikrotik.com, i.e. the one from the page giving the error.

P.S. This is getting pretty off-topic, I'm going to move this whole conversation into a separate thread... Done!
by andriys
Thu Oct 08, 2020 12:41 pm
Forum: General
Topic: Why I can't download latest version RouterOS from mikrotik.com/download?
Replies: 8
Views: 1445

Re: v6.47.4 [stable] is released!

@Delsey Downloads work fine for me. I specifically tried the link from your screenshots, it works as expected, no certificate errors whatsoever.

This may be either a CDN problem in your region, or a sign of an ongoing attack (like MITM, DNS poisoning, etc).
by andriys
Thu Oct 08, 2020 11:27 am
Forum: General
Topic: Mikrotik routers - Firewall?
Replies: 9
Views: 1462

Re: Mikrotik routers - Firewall?

OpenWRT on Mikrotik as a MetaRouter
Metarouter is not supported on hEX S (as well as any other model with SPI flash).
by andriys
Thu Oct 08, 2020 11:09 am
Forum: General
Topic: Why I can't download latest version RouterOS from mikrotik.com/download?
Replies: 8
Views: 1445

Re: v6.47.4 [stable] is released!

mikrotik.com/dowload
Perhaps because you missed N in dowNload?
by andriys
Wed Oct 07, 2020 11:12 pm
Forum: General
Topic: Mikrotik routers - Firewall?
Replies: 9
Views: 1462

Re: Mikrotik routers - Firewall?

I assume you are asking about hEX S (RB760iGS). That is a full-featured router running RouterOS. You can read more about the software here and here. It is pretty powerful and will likely cover most (if not all) your needs.
by andriys
Tue Oct 06, 2020 5:32 pm
Forum: Scripting
Topic: Mikrotik hotspot is unfriendly with Node.js [SOLVED]
Replies: 14
Views: 3951

Re: Mikrotik hotspot is unfriendly with Node.js [SOLVED]

Is there any difficulties to implement an external link and provide access to a routerOS through API? Nothing too fancy. The API description is here . At the bottom of that page there is a list of third party clients in different languages. You should enable the API first in the /ip service menu, s...
by andriys
Tue Oct 06, 2020 4:26 pm
Forum: Scripting
Topic: Mikrotik hotspot is unfriendly with Node.js [SOLVED]
Replies: 14
Views: 3951

Re: Mikrotik hotspot is unfriendly with Node.js [SOLVED]

And to your original question. Have you seen the Customizing Hotspot page on the wiki? Specifically, the "External authentication" section may be of interest to you. And if you don't feel like passing a (temporary) username/password pair in a redirect back to the router, you can consider d...
by andriys
Tue Oct 06, 2020 4:01 pm
Forum: Scripting
Topic: Mikrotik hotspot is unfriendly with Node.js [SOLVED]
Replies: 14
Views: 3951

Re: Mikrotik hotspot is unfriendly with Node.js [SOLVED]

I tried to open the link in Yandex with a VPN - eventually it's been opened. Well, Ukraine blocks a range of Russian's IP addresses who knows it might be the reason. Just checked, works fine for me. Tried opening that page via several ISPs here in Kharkiv, no problems at all. It's probably the brow...
by andriys
Mon Oct 05, 2020 11:06 am
Forum: Beginner Basics
Topic: Installation of hotspot fails
Replies: 1
Views: 621

Re: Installation of hotspot fails

Please check the /system package menu, the package may be installed, but disabled.
by andriys
Thu Sep 24, 2020 10:47 am
Forum: RouterBOARD hardware
Topic: hAP ac³ switch chip?
Replies: 11
Views: 3942

Re: hAP ac³ switch chip?

The Block Diagram for this device says the switch chip is QCA8327.
by andriys
Wed Sep 23, 2020 12:27 pm
Forum: General
Topic: IPSec - routing problem
Replies: 9
Views: 3268

Re: IPSec - routing problem

1. routing
2. firewall
3. NAT
4. IPSec policy
This is a pretty incomplete sequence. Please see the packet flow diagrams
by andriys
Wed Sep 23, 2020 10:29 am
Forum: Announcements
Topic: v6.48beta [testing] is released!
Replies: 184
Views: 114195

Re: v6.48beta [testing] is released!

All I am saying is, that those who have enough switches that will benefit from a single management plane, will almost certainly need HA features to go with it. My friends have an office here with 200+ client ports, with all cable runs going into a single rack with five 48-port access switches (some...
by andriys
Mon Sep 21, 2020 9:49 pm
Forum: Beginner Basics
Topic: How to Setup hap ac2 are router w/o wifi
Replies: 3
Views: 703

Re: How to Setup hap ac2 are router w/o wifi

And once you do anything outside of QuickSet never attempt to use QuickSet again - that has a great potential of ruining your running configuration.
by andriys
Mon Sep 21, 2020 9:45 pm
Forum: General
Topic: CCR2004 poor bridge performance
Replies: 24
Views: 5746

Re: CCR2004 poor bridge performance

As far as I understand packets belonging to a single TCP stream are always bound to a single CPU core, no matter if it's routing or bridging. This is done to avoid packet reordering (which used to be a huge problem when CCR series devices were first introduced several years ago).
by andriys
Sat Sep 19, 2020 10:23 am
Forum: Beginner Basics
Topic: Port fowarding to unraid openvpn
Replies: 15
Views: 2234

Re: Port fowarding to unraid openvpn

Screenshots are (almost) useless, please post configuration export (run /export hide-sensitive from the command line) instead.
by andriys
Thu Sep 10, 2020 9:01 am
Forum: General
Topic: slow speeds according to btest
Replies: 1
Views: 1547

Re: slow speeds according to btest

btest itself is very heavy on CPU, this is a well known issue, which has nothing to do with the actual routing performance of your devices. Search the forum again, this has been discussed tons of times.
by andriys
Sat Jun 06, 2020 12:22 am
Forum: RouterOS beta
Topic: v7.0beta8 [development] is released!
Replies: 178
Views: 91938

Re: v7.0beta8 [development] is released!

What do I use then to get traffic data from each client that I do use in Splunk for MikroTik?
NetFlow is an obvious choice for that kind of data.
by andriys
Sun May 31, 2020 10:59 pm
Forum: Beginner Basics
Topic: Problems with hapac2 5ghz wifi is flapping
Replies: 7
Views: 4648

Re: Problems with hapac2 5ghz wifi is flapping

Sounds like a DFS (radar detection) in action. Check your logs to check if that is the case.
by andriys
Sun May 31, 2020 10:54 pm
Forum: General
Topic: capsman keep WiFi up when capsman unavailable?
Replies: 15
Views: 5634

Re: capsman keep WiFi up when capsman unavailable?

This will be a deal-breaker for MANY people, I'd go so far as to say for the majority of people.
Not sure about the majority, we successfully use CAPsMAN in the office, where 24x7 is not a requirement, so that's not a deal breaker for us at all. But you are right, in some cases (like hotel installa...
by andriys
Sun May 31, 2020 10:44 pm
Forum: Wireless Networking
Topic: Any description of Beaforming occurrences debug information?
Replies: 11
Views: 4333

Re: Any description of Beaforming occurrences debug information?

Please read carefully https://forum.mikrotik.com/viewtopic.php?f=7&t=161563&p=796943#p796661
Right, I've read it again. Please find my comments on it below.
So its either Beamforming or Spatial Multiplexing .... normally part of the wireless driver packaging
Well... Yes, spatial multiplexin...
by andriys
Sat May 30, 2020 11:26 pm
Forum: Wireless Networking
Topic: Any description of Beaforming occurrences debug information?
Replies: 11
Views: 4333

Re: Any description of Beaforming occurrences debug information?

Nowhere did I state that Spatial Multiplexing is Beamforming .... grrrr
Then what was your reference to 802.11 and MIMO about?
by andriys
Sat May 30, 2020 10:03 pm
Forum: Wireless Networking
Topic: Any description of Beaforming occurrences debug information?
Replies: 11
Views: 4333

Re: Any description of Beaforming occurrences debug information?

Beamforming began to appear in routers back in 2008, with the advent of the 802.11n Wi-Fi standard. 802.11n was the first version of Wi-Fi to support multiple-input multiple-output, or MIMO, technology, which beamforming needs in order to send out multiple overlapping signals.
Nope. Spatial multipl...
by andriys
Fri May 29, 2020 9:58 pm
Forum: Wireless Networking
Topic: Any description of Beaforming occurrences debug information?
Replies: 11
Views: 4333

Re: Any description of Beaforming occurrences debug information?

OP was asking specifically about 60G devices, where beamforming IS available (at least on some devices like wAP 60G).

On a broader term, MIMO neither implies nor requires beamforming. Only MU-MIMO does. And none of the Mikrotik devices currently support MU-MIMO, that is a well-known fact.
by andriys
Wed May 27, 2020 7:31 pm
Forum: Announcements
Topic: Winbox v3.24 released!
Replies: 103
Views: 88671

Re: Winbox v3.24 released!

I am running winbox (32-bit) under wine on a Debian system.
Maybe it behaves differently on a native Windows system?
Sounds plausible. I run Winbox (64-bit) natively on Win10. And (simply out of curiosity) I have just tested 32-bit version, which also works fine for me.
by andriys
Wed May 27, 2020 2:44 pm
Forum: Announcements
Topic: Winbox v3.24 released!
Replies: 103
Views: 88671

Re: Winbox v3.24 released!

open a window like "IP firewall filters" in a router that is in active use, and make sure the hit-counts of firewall rules are being displayed (and changing all the time). Now, position the mouse over a header separator and keep mouse button pressed to attempt to move the separator to set...
by andriys
Mon May 25, 2020 12:17 am
Forum: General
Topic: 35(!) FATAL ERRORS inside the "MikroTik News" web page https://wiki.mikrotik.com/wiki/MikroTik_News
Replies: 2
Views: 1291

Re: More than 40(!) FATAL ERRORS inside the "MikroTik News" web page ( https://wiki.mikrotik.com/wiki/MikroTik_News )

Au contraire. MK has a superior QC department. They created the "obsessive compulsive TRAP".
Looks like it found a victim already.
I like these a lot! Please keep posting! :)
by andriys
Sun May 24, 2020 12:09 pm
Forum: Wireless Networking
Topic: 4k over wifi
Replies: 35
Views: 9333

Re: 4k over wifi

Interesting!!! I have to dig deeper in this WMM. WMM priority when received over WLAN how is it marked? DSCP (TOS) or MKT priority? Have you seen this article on the wiki: https://wiki.mikrotik.com/wiki/Manual:WMM ? If the priority is maintained in the MKT, then with the default config only priorit...
by andriys
Thu May 21, 2020 1:37 pm
Forum: General
Topic: PPP - Active Connections - Old Connections Can't be Removed
Replies: 2
Views: 1828

Re: PPP - Active Connections - Old Connections Can't be Removed

I struggled to find a Support section or separate Support forum
This is a community forum, for support please look here: https://mikrotik.com/support.
by andriys
Thu May 21, 2020 1:32 pm
Forum: RouterBOARD hardware
Topic: CRS326--CRS326, SFP+ only ~700mbit via 10gbit link. Slow performance or bottleneck?
Replies: 7
Views: 3653

Re: CRS326--CRS326, SFP+ only ~700mbit via 10gbit link. Slow performance or bottleneck?

Connection was plug-and-play, 10Gbit link speed is up, however winbox bandwidth test shows speeds lower than gigabit (500-750mbps).
Your device is a switch. It can work as a router, but that router is pretty weak. Basically, while switch hardware is powerful enough to forward L2 traffic between all...
by andriys
Wed May 20, 2020 11:36 am
Forum: Announcements
Topic: Winbox v3.24 released!
Replies: 103
Views: 88671

Re: Winbox v3.24 released!

With Log window opened, minimize WinBox, then Restore. Log is always reverted to the beginning. Anyone else seeing this?
Yes, the same here
Just tried it on several routers, but only see this behavior on a single device. A differentiating factor appears to be the number of records kept in the log. ...
by andriys
Mon May 18, 2020 8:46 pm
Forum: Beginner Basics
Topic: VLAN Bridge - Trunk with Wireless Wire "bridge port received packet with own address"
Replies: 15
Views: 3808

Re: VLAN Bridge - Trunk with Wireless Wire "bridge port received packet with own address"

No, you should not ignore them. They most likely indicate a problem, but the reason is elsewhere.
by andriys
Mon May 18, 2020 8:28 pm
Forum: General
Topic: capsman keep WiFi up when capsman unavailable?
Replies: 15
Views: 5634

Re: capsman keep WiFi up when capsman unavailable?

What you want is not possible. In CAPsMAN it is manager that always handles client authentication, no matter what forwarding mode is in use. That's by design.
by andriys
Mon May 18, 2020 8:24 pm
Forum: Beginner Basics
Topic: VLAN Bridge - Trunk with Wireless Wire "bridge port received packet with own address"
Replies: 15
Views: 3808

Re: VLAN Bridge - Trunk with Wireless Wire "bridge port received packet with own address"

I found something on the second device. On that bridge and ether1 got the same MAC address.
That is normal, as expected, and is not the cause of your problem.
by andriys
Mon May 18, 2020 1:21 pm
Forum: Announcements
Topic: v6.45.9 [long-term] is released!
Replies: 82
Views: 93079

Re: v6.45.9 [long-term] is released!

just 7 days uptime, free memory down from 80Mb to 65Mb
That is not an indication of memory leak on its own. Does the memory usage keep growing? How does it look over time? Do you have a graph to show?
by andriys
Sun May 17, 2020 8:59 pm
Forum: Beginner Basics
Topic: Removing VLAN 0 802.1p tags on CRS112?
Replies: 3
Views: 1690

Re: Removing VLAN 0 802.1p tags on CRS112?

I don't know if it is possible to strip the priority tags on your switch, but am very curious why do you need to do that at all?
by andriys
Sat May 16, 2020 6:11 pm
Forum: Beginner Basics
Topic: Access a device Mikrotik
Replies: 4
Views: 2208

Re: Access a device Mikrotik

Provided I understood what you mean by "remotely" correctly, you cannot in general do that. Addressing any device by its MAC address is only possible within its own broadcast domain (i.e. "local network"). Having said that, if you have another RouterOS powered device in the same ...
by andriys
Sat May 16, 2020 6:03 pm
Forum: General
Topic: No internet via non-main routing tables if missing default route on main [SOLVED]
Replies: 21
Views: 8250

Re: No internet via non-main routing tables if missing default route on main [SOLVED]

However I suppose that my question still stands though, about why adding a bogus default gateway to main routing table, corrects the timeouts?
Sorry, what I wrote above describes rp-filter=strict, not loose. I have just edited my message to correct this. For loose to pass packet it is only necess...
by andriys
Sat May 16, 2020 3:23 pm
Forum: General
Topic: No internet via non-main routing tables if missing default route on main [SOLVED]
Replies: 21
Views: 8250

Re: No internet via non-main routing tables if missing default route on main [SOLVED]

Ok, it's pretty clear what's going on now. Your routing works as expected. It is not your outgoing ICMP echo-request packets (pings) that are being mis-routed and/or discarded, but rather incoming ICMP echo-reply packets get rejected by your rp-filter. The rp-filter=strict works by checking if the ...
by andriys
Sat May 16, 2020 2:23 pm
Forum: Beginner Basics
Topic: RB960PGS-PB output power conversion
Replies: 3
Views: 1266

Re: RB960PGS-PB output power conversion

I would like an official answer from the mikrotik support
This is a community forum, please write to support@ directly if you need an "official answer".
From the product description it would seem a simple passthrough of the power supply, therefore the conversion does not take place and it...
by andriys
Sat May 16, 2020 2:11 pm
Forum: Wireless Networking
Topic: Mikrotik AC Access Point cap ac
Replies: 38
Views: 9607

Re: Mikrotik AC Access Point cap ac

I have no time or interest dog this dead horse (my Cap AC) at the moment, but I'll keep monitoring this forum, as maybe some posts their helpful findings
Yes, just keep monitoring. Your other message (now removed) has been reported as a personal assault, and I find that report legitimate. So now yo...
by andriys
Sat May 16, 2020 2:02 pm
Forum: The Dude
Topic: Issues installing The Dude
Replies: 8
Views: 4813

Re: Issues installing The Dude

1. Package upgrade and install on all SPI-flash devices is always done in RAM. You should always upload all .npk files to the root directory, not /flash.
2. What's the point in installing The Dude server on your switch? It has only 16MB flash and no options for external storage (like USB port or SD ...
by andriys
Sat May 16, 2020 1:05 pm
Forum: Wireless Networking
Topic: No 5GHz on cAP ac
Replies: 3
Views: 1970

Re: No 5GHz on cAP ac

Please reset your wlan2 interface to defaults with /interface wireless reset-configuration wlan2, then change just two parameters - set country to the proper value and frequency to 5180 (due to DFS requirements, when frequency is set to 5260 or higher you will have to wait for at least 1 minute [an...
by andriys
Sat May 16, 2020 12:56 pm
Forum: Wireless Networking
Topic: Mikrotik AC Access Point cap ac
Replies: 38
Views: 9607

Re: Mikrotik AC Access Point cap ac

Almost any Chinese device cost less than Mikrotik and performs better.
Please, please, please, go buy one and stop complaining here! It is cheaper and works better for you, so what's the point in doing what you are doing?
by andriys
Sat May 16, 2020 12:53 pm
Forum: Wireless Networking
Topic: Mikrotik AC Access Point cap ac
Replies: 38
Views: 9607

Re: Mikrotik AC Access Point cap ac

I'm wondering are these success stories false or why in this forum and also other forums contain more problems than praises?
You do understand that happy users do not generally spend their time writing to forums how satisfied they are, don't you? They just use their devices. Unhappy ones come here ...
by andriys
Sat May 16, 2020 11:39 am
Forum: General
Topic: Custom --log-level in firewall rules or filtering on log file actions...
Replies: 2
Views: 1523

Re: Custom --log-level in firewall rules or filtering on log file actions...

I'd use log-prefix as a differentiator, then do the actual filtering of the messages on the syslog server.
by andriys
Fri May 15, 2020 9:21 pm
Forum: Beginner Basics
Topic: Metal5SHPn-US on a sailboat...
Replies: 3
Views: 1384

Re: Metal5SHPn-US on a sailboat...

Since the model of my Metal is missing the 2 (5SHPn and not a 52SHP-n) can I safely assume it is not capable of 2.4Ghz?
Yes, that's correct. Your device is 5GHz only.
More product specs here: https://mikrotik.com/product/RBMetal5SHPn
by andriys
Fri May 15, 2020 9:15 pm
Forum: The Dude
Topic: Issues installing The Dude
Replies: 8
Views: 4813

Re: Issues installing The Dude

What's in the log after reboot?
Also are you installing The Dude client or The Dude server?
by andriys
Fri May 15, 2020 6:05 pm
Forum: Wireless Networking
Topic: [SOLVED] Wi-Fi Broadcast ARP/UDP unexpectedly throttled/blocked
Replies: 15
Views: 6405

Re: Wi-Fi Broadcast ARP/UDP unexpectedly throttled/blocked

Players on the same Wi-Fi can always see each other.
Can you elaborate on this "same Wi-Fi" thing please? Do you mean associated with the same CAP in your CAPsMAN?
by andriys
Fri May 15, 2020 4:40 pm
Forum: Wireless Networking
Topic: [SOLVED] Wi-Fi Broadcast ARP/UDP unexpectedly throttled/blocked
Replies: 15
Views: 6405

Re: Wi-Fi Broadcast ARP/UDP unexpectedly throttled/blocked

Did you happen to disable the default-forwarding property on your wireless interface? Or forwarding property for a particular client via access list? Just guessing...
by andriys
Fri May 15, 2020 1:39 pm
Forum: Beginner Basics
Topic: [Swich + router] configuration
Replies: 7
Views: 1893

Re: [Swich + router] configuration

What are your speed requirements? The easiest way to configure what you want is to use two bridges, but your device can only have one hardware-accelerated bridge. If your WAN is relatively slow I'd say go this way, with LAN bridge with hardware acceleration and WAN bridge in software. Another way wou...
by andriys
Wed May 13, 2020 11:48 am
Forum: RouterOS beta
Topic: List of devices which will run v7?
Replies: 3
Views: 2386

Re: List of devices which will run v7?

There are plenty of other devices (including pretty powerful ones) with a small 16M flash. The problems with upgrading hAP lite are due to its RAM size, not flash.
by andriys
Tue May 12, 2020 6:31 pm
Forum: Wireless Networking
Topic: Wi-Fi performance bad on RB4011 - possible misconfig
Replies: 131
Views: 31386

Re: Wi-Fi performance bad on RB4011 - possible misconfig

Those are general routing and firewall facilities, not really related to wireless. In case you are satisfied with the (wired) routing performance, I don't think tweaking those will make any difference for you. But you can try, of course, and see/decide for yourself.
by andriys
Tue May 12, 2020 3:07 pm
Forum: Wireless Networking
Topic: Wi-Fi performance bad on RB4011 - possible misconfig
Replies: 131
Views: 31386

Re: Wi-Fi performance bad on RB4011 - possible misconfig

This seems work in some conditions only, at least for me the 20/40 Ce gives better speed than 20 only.
You wrote in another thread, that you don't have neighbors nearby and that the spectrum is free from other networks at your place. So, of course it does!
by andriys
Tue May 12, 2020 2:46 pm
Forum: Wireless Networking
Topic: Wi-Fi performance bad on RB4011 - possible misconfig
Replies: 131
Views: 31386

Re: Wi-Fi performance bad on RB4011 - possible misconfig

I did not state that you could not use 20MHz channel with MIMO ....
You did, actually. Let me cite you:
To get performance the MIMO client and MIMO server must talk MIMO and that means at minimum 2 x 2 streams .... not 1x2 or 1x1 ... but 2x2 .... in MikroTik speak streams = chains. so if you want b...
by andriys
Tue May 12, 2020 2:29 pm
Forum: Wireless Networking
Topic: Wi-Fi performance bad on RB4011 - possible misconfig
Replies: 131
Views: 31386

Re: Wi-Fi performance bad on RB4011 - possible misconfig

so my contribution here is to state that 2.4Ghz 20Mhz channel width is absolutely wrong WRONG wrong from a performance perspective and from a MIMO perspective.
How does one relate to another? :) You can use 20MHz channel and still use MIMO. All those spatial streams operate in the same channel(s).
by andriys
Tue May 12, 2020 1:19 am
Forum: Announcements
Topic: v6.45.9 [long-term] is released!
Replies: 82
Views: 93079

Re: v6.45.9 [long-term] is released!

Lastly, are you able to upgrade firmware on your wAP ac normally.
Absolutely. Upgraded RouterOS on all 8 units from CAPsMAN, and once they all came back online rebooted once again to upgrade RouterBOOT (they all have /system routerboard settings set auto-upgrade=yes). All went smoothly.
by andriys
Tue May 12, 2020 12:03 am
Forum: Announcements
Topic: v6.45.9 [long-term] is released!
Replies: 82
Views: 93079

Re: v6.45.9 [long-term] is released!

MTeeker That must be something specific to your particular unit. We have 8 wAP ac units here also running as CAPs, successfully upgraded all of them to 6.45.9 from 6.45.8 two days ago (both RouterOS and RouterBOOT), no problems so far. You wrote "Back down to Stable V6.46.6", so I guess y...
by andriys
Mon May 11, 2020 7:14 pm
Forum: RouterBOARD hardware
Topic: 10 GIG version of HEX
Replies: 7
Views: 2955

Re: 10 GIG version of HEX

by andriys
Mon May 11, 2020 12:58 am
Forum: Wireless Networking
Topic: Wi-Fi performance bad on RB4011 - possible misconfig
Replies: 131
Views: 31386

Re: Wi-Fi performance bad on RB4011 - possible misconfig

Looking at the registration table, which client should I look at?
At the one you use for testing.
For example my phone which is quite far away from the router has: -60dbm Signal Strength and RX rate 585Mbps Tx rate 351Mbps, but still speedtest shows around 150Mbps speed.
- Analyze the whole TX/RX-r...
by andriys
Sun May 10, 2020 11:33 pm
Forum: Beginner Basics
Topic: Hap ac2 second Wireless interface not working
Replies: 5
Views: 1851

Re: Hap ac2 second Wireless interface not working

It reappeared later on after a reboot and then disappeared again.
Sounds like a DFS (radar detection) in action. What's the interface status?
by andriys
Sun May 10, 2020 8:33 pm
Forum: Wireless Networking
Topic: Wi-Fi performance bad on RB4011 - possible misconfig
Replies: 131
Views: 31386

Re: Wi-Fi performance bad on RB4011 - possible misconfig

What's your client device? It is possible that the speed is limited by the capabilities of your client, not the AP.
Can you show what's in the registration table (/interface wireless registration-table print stats) during the test?
by andriys
Sun May 10, 2020 1:41 pm
Forum: Wireless Networking
Topic: [SOLVED] Wi-Fi Broadcast ARP/UDP unexpectedly throttled/blocked
Replies: 15
Views: 6405

Re: Wi-Fi Broadcast ARP/UDP unexpectedly throttled/blocked

Or does it re-send every broadcast/multicast packet to every connected client?
Yes, it does.
I thought that the "convert multicast to unicast" thing that some other manufacturers do will only handle multicast in conjunction with the IGMP snooping that they do
As far as I know, Mikrotik im...
by andriys
Sun May 10, 2020 1:37 pm
Forum: Beginner Basics
Topic: Recommendation for CAPsMAN router device
Replies: 4
Views: 1665

Re: Recommendation for CAPsMAN router device

How much traffic (including inter-VLAN communication) are you going to route?
by andriys
Sat May 09, 2020 6:16 pm
Forum: Wireless Networking
Topic: [SOLVED] Wi-Fi Broadcast ARP/UDP unexpectedly throttled/blocked
Replies: 15
Views: 6405

Re: Wi-Fi Broadcast ARP/UDP unexpectedly throttled/blocked

The only thing that I would add to what pe1chl already said is that broadcast traffic in wireless networks is always sent using the basic data rate (i.e. the slowest allowed data rate for the given network), so sending a lot of broadcast traffic will significantly degrade the performance of the whol...
by andriys
Sat May 09, 2020 1:18 pm
Forum: Wireless Networking
Topic: CapsMan with mikrotik Vs Wireless mikrotik only?
Replies: 21
Views: 5590

Re: CapsMan with mikrotik Vs Wireless mikrotik only?

In my case my country Not Found with list, So i selected the Installation "indoor"
Those two (country and installation type) are complementary, meaning that installation type does not work at all without country being specified. I guess when running your AP without CAPsMAN your obvious c...
by andriys
Sat May 09, 2020 12:40 pm
Forum: Wireless Networking
Topic: CapsMan with mikrotik Vs Wireless mikrotik only?
Replies: 21
Views: 5590

Re: CapsMan with mikrotik Vs Wireless mikrotik only?

You don't need to put anything in there, the max allowed is used by default.
by andriys
Fri May 08, 2020 1:45 pm
Forum: Wireless Networking
Topic: Cap AC wifi speed is terrible bad.
Replies: 80
Views: 31795

Re: Cap AC wifi speed is terrible bad.

Just a couple of messages above you said you are not an expert in wireless and complained that WiFi does not work as expected out of the box. And now you complain about advanced configuration options not being available. Are you just trolling? Edit: PS. And, by the way, band steering is an ugly hack,...
by andriys
Thu May 07, 2020 6:51 pm
Forum: Announcements
Topic: v6.45.9 [long-term] is released!
Replies: 82
Views: 93079

Re: v6.45.9 [long-term] is released!

*) chr - fixed graceful shutdown execution on Hyper-V (introduced in v6.46);
How come 6.45.9 contains a fix for something introduced in 6.46? In case the bug was "backported" from 6.46 it would be good to know what 6.45.x versions are affected.
by andriys
Tue May 05, 2020 10:03 pm
Forum: Beginner Basics
Topic: CRS112 traffic slow issue, with negotiation?
Replies: 8
Views: 3132

Re: CRS112 traffic slow issue, with negotiation?

Check your cables.
by andriys
Tue May 05, 2020 7:07 pm
Forum: Beginner Basics
Topic: CRS112 traffic slow issue, with negotiation?
Replies: 8
Views: 3132

Re: CRS112 traffic slow issue, with negotiation?

Anyone know why gigabit ethernet would not work with auto-negotiate disabled?
My understanding is that for 1G (and faster) copper links it is not only connection speed that needs to be negotiated, but also the line needs to be tested and some other TX/RX parameters then need to be negotiated and/o...
by andriys
Tue May 05, 2020 6:55 pm
Forum: General
Topic: VLAN Tagging CPU Load
Replies: 6
Views: 2524

Re: VLAN Tagging CPU Load

IIRC, VLAN tagging is a software-based operation.
Not necessarily. Lots of switches out there do it in hardware.

These devices don't have switch chips.
Which devices?
by andriys
Tue May 05, 2020 1:58 pm
Forum: General
Topic: CCR1072 running out of CPU, what next for a PPPoE ISP?
Replies: 23
Views: 5815

Re: CCR1072 running out of CPU, what next for a PPPoE ISP?

The rules defining the simple queues are matched like firewall rules, one by one from the top until first match, for every single packet, so it may slow down the packet processing significantly.
It used to be the case in RouterOS v5, but since early v6 it is not the case anymore. Simple queues are ...
by andriys
Mon May 04, 2020 9:19 pm
Forum: Beginner Basics
Topic: 'Lost' default MAC address
Replies: 47
Views: 10506

Re: 'Lost' default MAC address

2. The only Winbox facility on the MikroTik webpage I downloaded was software
What software? WinBox itself? WinBox is just a configuration tool for RouterOS powered devices. You cannot use it for anything else. :)
by andriys
Mon May 04, 2020 5:42 pm
Forum: General
Topic: RouterOS identifies CCR1009-7G-1C-1S+PC as CCR1009-7G-1C-1S+ [SOLVED]
Replies: 3
Views: 3632

Re: RouterOS identifies CCR1009-7G-1C-1S+PC as CCR1009-7G-1C-1S+ [SOLVED]

I believe it is normal. I've just checked a CCR1009-8G-1S-1S+-PC of mine, it is also reported to be CCR1009-8G-1S-1S+ in RouterOS.
by andriys
Mon May 04, 2020 1:41 pm
Forum: Wireless Networking
Topic: hap AC2
Replies: 5
Views: 2331

Re: hap AC2

When searching for the network, make sure you are using wlan2 interface on your hAP ac².
by andriys
Mon May 04, 2020 12:35 pm
Forum: Wireless Networking
Topic: Cap AC wifi speed is terrible bad.
Replies: 80
Views: 31795

Re: Cap AC wifi speed is terrible bad.

Faulty unit, perhaps.
I have two, tested one (see results above), works as expected. My environment is moderately crowded.
by andriys
Mon May 04, 2020 12:03 pm
Forum: Wireless Networking
Topic: Cap AC wifi speed is terrible bad.
Replies: 80
Views: 31795

Re: Cap AC wifi speed is terrible bad.

but link is free, and I'm the only user.
It's wireless. I.e. it uses shared medium and is pretty susceptible to interference. So, you never know when it is really free...
by andriys
Sun May 03, 2020 9:44 pm
Forum: Beginner Basics
Topic: mikrotik x 2 - one address in the LAN
Replies: 24
Views: 5375

Re: mikrotik x 2 - one address in the LAN

@miloxdan, You do not configure wireless interfaces on either of your devices. You first configure CAPsMAN (the manager) on one of them, then enable CAP mode for all wireless interfaces on both. SSID, security profile, channels, etc. - everything is configured in a single place (on the manager). Hav...
by andriys
Sun May 03, 2020 9:23 pm
Forum: Beginner Basics
Topic: mikrotik x 2 - one address in the LAN
Replies: 24
Views: 5375

Re: mikrotik x 2 - one address in the LAN

so how do seamless roaming work
SCA (Single Channel Architecture). Basically the whole network "pretends" to be a single AP, so there's no roaming from the wireless client point of view at all.
And it has nothing to do with "enterprise wifi networks".
by andriys
Sun May 03, 2020 9:19 pm
Forum: Beginner Basics
Topic: WAN Access Webfig with HTTPS
Replies: 2
Views: 1438

Re: WAN Access Webfig with HTTPS

Is that possible to Access Webfig with HTTPS
Get yourself a certificate for your domain, import it on your Mikrotik device, then enable "www-ssl" service with the following command:
/ip service set [ find name="www-ssl" ] disabled=no certificate="<cert_name>"
You may a...
by andriys
Sun May 03, 2020 6:58 pm
Forum: Beginner Basics
Topic: mikrotik x 2 - one address in the LAN
Replies: 24
Views: 5375

Re: mikrotik x 2 - one address in the LAN

that is, the access list to delete? I also have a delay of 3-5 seconds without an access list.
Roaming is always a client's responsibility. If your client devices are old and cannot roam nicely there's nothing you can do on the AP side to improve that (except, possibly, switching to another brand t...
by andriys
Sun May 03, 2020 6:18 pm
Forum: Beginner Basics
Topic: mikrotik x 2 - one address in the LAN
Replies: 24
Views: 5375

Re: mikrotik x 2 - one address in the LAN

in your setup, probably worth trying to setup access list on the APs, so it actively disconnect the client, instead of waiting for the client device to disconnect
This is the worst ever advice, but people still keep suggesting it over and over again... When you forcibly disconnect a client you are...
by andriys
Sun May 03, 2020 6:13 pm
Forum: General
Topic: Moving config from RB951G-2HnD to RB4011
Replies: 19
Views: 5408

Re: Moving config from RB951G-2HnD to RB4011

I can put the config up here if the problem is not obvious.
Please, do it.
by andriys
Sun May 03, 2020 3:24 pm
Forum: Beginner Basics
Topic: Slowness for the first few seconds then fast on download
Replies: 17
Views: 4849

Re: Slowness for the first few seconds then fast on download

That pic is pretty useless, as it hides too many of the essential bits of configuration. If you want/need to share your configuration you should post the output of the /export hide-sensitive command instead.
by andriys
Sun May 03, 2020 12:30 am
Forum: Wireless Networking
Topic: Cap AC wifi speed is terrible bad.
Replies: 80
Views: 31795

Re: Cap AC wifi speed is terrible bad.

If anyone is still interested, I had some free time today, so I got one of my cAP acs off the shelf and did some tests. The device was updated to 6.46.6, configuration was reset, then I configured it as an AP (not router) and ran some tests. I am consistently getting about 90/90 on my mobile and ab...
by andriys
Sun May 03, 2020 12:22 am
Forum: Beginner Basics
Topic: Is there a "use-ip-firewall" setting also for non-bridge setup? [SOLVED]
Replies: 56
Views: 18925

Re: Is there a "use-ip-firewall" setting also for non-bridge setup? [SOLVED]

This is really confusing b/c my device is in Bridge Mode (all interfaces in same one bridge), and I have the said use-ip-firewall setting not enabled, and I have placed my firewall stuff under "/ip firewall filter", but the firewall is still functioning (!), (although not that perfect, or...
by andriys
Sat May 02, 2020 1:28 pm
Forum: General
Topic: Problem Hardware Offload on CRS326-24G-2S+
Replies: 6
Views: 2965

Re: Problem Hardware Offload on CRS326-24G-2S+

You have two bridges, and currently only a single bridge can be hardware-offloaded on CRS3xx series devices. This is clearly documented here.

Why do you need two separate bridges?
by andriys
Fri May 01, 2020 11:16 pm
Forum: General
Topic: VPN Tunnel [SOLVED]
Replies: 7
Views: 4936

Re: VPN Tunnel [SOLVED]

Andriys i've tried your advice but it doesn't anything.
Please confirm you placed your new policy before/above the old one. The order of policies is important.
by andriys
Fri May 01, 2020 8:30 pm
Forum: General
Topic: VPN Tunnel [SOLVED]
Replies: 7
Views: 4936

Re: VPN Tunnel [SOLVED]

The source and destination networks in your IPsec policy overlap. That does not look good to me, and also explains why you cannot ping gateway. The easiest solution will be to exclude your local network from the tunnel with the following command (make sure this new policy is placed above your existi...
by andriys
Fri May 01, 2020 7:35 pm
Forum: General
Topic: VPN Tunnel [SOLVED]
Replies: 7
Views: 4936

Re: VPN Tunnel [SOLVED]

My telepath is not available right now, sorry. :)
Please post your current configuration (/ip ipsec export hide-sensitive), otherwise nobody will be able to help you.
by andriys
Fri May 01, 2020 7:29 pm
Forum: Beginner Basics
Topic: What is the Best Practice for detecting/preventing unauthorized devices in LAN?
Replies: 25
Views: 6606

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

@andriys, you have got the terminology of client wrong
No, I have not. You were talking about RADIUS client. That has nothing to do with supplicant and other IEEE 802.1X stuff. Strictly speaking, RADIUS is not even a requirement for 802.1X, any other protocol capable of encapsulating EAP can theor...
by andriys
Fri May 01, 2020 7:21 pm
Forum: General
Topic: MAC telnet from terminal stopped working in new versions
Replies: 12
Views: 10427

Re: MAC telnet from terminal stopped working in new versions

The authentication procedure changed significantly in 6.43. That change affects everything, including MAC-server. I am not aware of any third-party MAC-telnet clients that are compatible with the new versions of RouterOS.
by andriys
Fri May 01, 2020 7:13 pm
Forum: Wireless Networking
Topic: hap ac lite can't connect to another AP
Replies: 21
Views: 8313

Re: hap ac lite can't connect to another AP

i'm not that expert on this "low level" networking stuff as i'm not doing it for a living. it's quite complicated.
Well, you insisted on something that's impossible in reality being "the core operation mode for wifi". I tried to explain why that assertion is not true.
in the mea...
by andriys
Fri May 01, 2020 6:54 pm
Forum: Beginner Basics
Topic: What is the Best Practice for detecting/preventing unauthorized devices in LAN?
Replies: 25
Views: 6606

Re: What is the Best Practice for detecting/preventing unauthorized devices in LAN?

You are getting it wrong. RADIUS is just a protocol, RADIUS server is (to a great extent) just a special credentials database.
Is it possible with RADIUS to authenticate with these 2 or 3 credentials: MAC and/or IP plus a password for the device/interface itself, but without involving/managing/using...