MikroTik

I don't really get all this tagged/untagged discussion. The 802.11 frame header has no place for a VLAN ID, so, technically, wifi interfaces are never tagged.

Well, to me, it actually sound logical. If there were a parameter named default I'd expect it to mean "return this if the input buffer is empty", whereas preinput sounds more like "pre-fill the input buffer with this string, please".

@Qalderu: being a MacOS limitation this cannot be fixed on the RouterOS side.
If you really need this fixed you should chase the Apple's support instead.

...new Winbox has new exe signature.

Something's wrong with this signature:

2023-07-26_154929.png

2023-07-26_154843.png

Hard to be sure without seeing the full config, but it feels like a PMTUD problem.

This traffic selector ("local 0.0.0.0/0 remote 0.0.0.0/0") is typically used for VTI, but does not make much sense for the classic policy-based IPsec. And Mikrotik does not support VTI.

Some pretty off-topic posts have been split into a separate topic and can now be found here: viewtopic.php?t=194519

@sc0ch viewtopic.php?t=190351#p967604

Several posts above you wrote that you have a serial cable. Try entering the Netinstall mode from the RouterBOOT menu.

For IPv6 you have to define a separate set of firewall rules in /ipv6 firewall filter. It's not clear from your original post if you have those in place. The rules that work for IPv4 won't match the IPv6 packets.

CAPsMAN can only control physical interfaces, not virtual.
And you cannot manually create a virtual interface if its parent is managed by CAPsMAN.

No, at least not on the same interface.

In the classic policy-based IPsec there is no such thing as "IPsec interface". But even if there were such thing, it would have been a peer-to-peer connection interface, and so MAC address would not make much sense there. The outgoing ESP traffic is originated from your VPN endpoint (your ...

If I look in a packet trace though those ESP packets still have src and dst MACs. When an ESP packet travels across an Ethernet segment the encapsulating Ethernet frame will contain the source and destination MAC addresses, obviously. Those addresses will not survive crossing the segment's boundary...

if we are going to assign /64 then it will waste alot of ip addresses

Is that a problem?
(I mean, do you understand what the capacity of the IPv6 address space really is?)

No, it is encapsulated in ESP, which is an L4 protocol.

Basically a client has asked me what the src MAC address will be of any traffic going over this tunnel and I've come to the conclusion that it will either be the MAC of the "WAN" interface, or the MAC of the LAN interface that the IP range is configured on... WAT? IPsec (as even the name ...

I need just the basic setup steps with any brand of repeater, There is no such thing as a generic WiFi repeater configuration steps. if I can still use the multiple users and vouchers configured on the MicroTik Router for the users after the Wi-Fi Repeater ... ? No, you cannot, unless you use anoth...

from the Mikrotik I cannot reach the devices behind the Cisco. ... When debugging the connection, it appears as if the interesting traffic is being NATTED out the WAN interface You have not shared your config, so I can only speculate here. Since you seem to be testing (pinging?) directly from your ...

DCO is an implementation detail of the original OpenVPN software. As far as I am aware, Mikrotik does not use the original OpenVPN software, they have reimplemented the OpenVPN protocol handling themselves.

Bon appetit!

Zero Trust Cloudflare package option missing.

https://www.youtube.com/watch?v=BbDnBxlBTdY

... I cannot understand why Cisco had to invent the new nonstandard VTI protocol for something that was already covered (and implemented by them!) before as IPIP over IPsec transport mode (or GRE over IPsec transport mode).

The main reason was a few extra byte of MTU, I guess.

wow a new high power CCR with 12 gigabit ports insetad of 12 sfp+ 10 gigabit ports..... nosense Mikrotik missing of fiber datacenter router (CCR2004 is not stable and has a lot problems with packets loss) CCR2116 is based on the CPU from the same family, so will likely be suffering from the same pr...

@Buster2, logging topics have always worked like that.
Next time you want to complain about something similar, please do that in a separate topic as it is in no way 7.1rc1 specific.

Log level should be either info or debug, but not both at same time. That's "topic", not "level". They are not equivalent. I don't think there's such thing as log level in RouterOS. You can only specify severity for a certain combination of topics when sending log records to a r...

I don't think Netinstall is really necessary in your case. At lease not yet.
Here's a Quick Start Guide for your device: https://i.mt.lv/cdn/product_files/RB201 ... 191058.pdf
Read the "Buttons and Jumpers" section carefully, then follow the procedure to reset configuration.

If you look at the block diagram of your RB953GS-5HnT you may notice that only the first SFP cage is connected to the built-in switch chip, whereas the second SFP cage is connected directly to the SoC (CPU). That means all the transit L2 traffic goes through the CPU, which may be a seriously limitin...

how is the router supposed to know that certain traffic is to be routed to that L2TP connection unless it already is established

You can specify L2TP interface itself as a gateway in a static route (including default one).

Reinventing the wheel continues...

Have you seen this MUM presentation?
https://www.youtube.com/watch?v=B9neG3oAhcY (Slides: https://mum.mikrotik.com/presentations/ ... 338589.pdf)

That's a result of using action=masquerade in NAT. Using action=srcnat instead is a solution. This will require manually specifying your public IP address, however.

That appears to be a cosmetic WinBox issue, you can simply ignore those messages.

Are you talking about IPsec?
If yes, what you are asking for does not seem to be possible/supported...

While 802.11 defines the 4-address wireless frame format, it provides no guidelines on how to actually use it. So all vendors implements WDS in their own proprietary ways, which are generally incompatible with each other. Both Mikrotik's WDS and station-bridge mode support fall into this category.

Rextended, you are missing the point here. What OP is asking is a session settings that are used to bootstrap new sessions when you connect to some box for the very first time. Indeed, that would be a nice to have feature.

RB4011 only support Passive PoE (both -in and -out). Datasheet for your AX214 does not provide any information on what types of PoE it accepts, so I assume it is 802.3af/at only. Which means they are not compatible and you cannot power AX214 using RB4011.

Hence, it's not quite the same. All this noise about google is here because the original poster wrote this: Google uses this algorithm everywhere, it means that there is a future behind this algorithm. Whereas in fact it does not mean anything. So in this context "it is actually quite the same...

The point is, asking Mikrotik to implement something that would allow others to keep violating the standards means encouraging those others to keep doing what they are doing. One should rather ask people violating the standards to stop doing that. You always have choice. In case your ISP provides yo...

This sounds like "I would rather not use Mikrotik products because there is no way to workaround DHCP client bugs in some 3rd party products, but keep using those buggy 3rd party products..."

Forum became so boring idle rextended decided to reply to a 5 year old unanswered question...

Yes, via USB.
Check this page out to get an idea of what may be supported: https://help.mikrotik.com/docs/display/ROS/Peripherals

My guess is that many people would assume that the parameter is applied in the default config sourcenat rule with action=accept when reading the MT file. I don't think I understand what you meant here. I dont believe many would think If there is no action parameter then we should assume there is ac...

I can think of at least two approaches here.

The first approach is a so called split-horizon DNS. I don't think you can do this on a Mikrotik router, an external DNS server is required.

The second approach is "hairpin NAT". Search the forum, there are plenty of example here.

I didn't ask what the default action for action is, but if inserting a NO ACTION rule is a BUG or does something ... C'mon! You are playing on words, aren't you? And in case you are not, action in a firewall filter/NAT/mangle rule is nothing more than just another parameter. The default value of a ...

which does this. Except, it does not... :) udpxy is a web server (proxy) that subscribes to multicast streams on behalf of its clients, then sends the contents of the received multicast streams back to clients over HTTP connections. Correct me if I am wrong, but I do not remember anything in the mu...

Ah, I now see where the rextended's question on "useless NAT rules" came from!

The default NAT action is "accept", so that "shortest rule" will NOT do masquerading. Rather the opposite, it will exempt all traffic from NAT.

The default action is "accept" (here's a documentation link), so those rules are not useless at all.

Make sure you do not fasttrack the inner-tunnel traffic. Perhaps just try disabling all fasttrack rules first and see if it helps.

Because nobody moderates the forum 24/7. Your post was approved when one of the moderators had time to do that.

Assuming they don't improve it further, would that mean it's a false economy to get the RB5009 if the RB4011 is just as fast if you use v6?

If you watched the video introduction, there they said RB5009 will NOT be compatible with v6.

"how to do reverse proxy in mikrotik" You can NOT do that on Mikrotik itself, there is simply NO reverse HTTP proxy on RouterOS. The L7 hack is NOT a proxy. Also, a few posts back I wrote the following, I think this may be the best solution in your situation: I suspect you already have so...

This forum is not the best place for asking help with licensing problem. Please contact support instead: https://help.mikrotik.com/servicedesk/servicedesk

but that would require that I add a 12V->24V boost converter Is adding another 12V battery in series an option? Also, the original question was about Powerbox Pro, but since in your case it is RB260GSP you have an option to disable/limit that overcurrent protection by enabling the "Port1 PoE I...

And so what? Ports are different. And while for SSTP there are good reasons to keep it running on 443/tcp, are there any equally good reasons to run WireGuard on, say, 443/udp?

Well, for SSTP that kinda makes sense. But not so much for WireGuard since it only uses UDP as a transport...

@Cablenut9, all your options suggest that you needed this for yourself only. In that case setting up some kind of a VPN would have been a much easier, cleaner and more flexible solution... @prisoner267, I suspect you already have some web server on you NAS, your other machine, or both. So one thing ...

could you tell me when it is usefull to setting 2 peers for the same policy?

It may be useful for failover.

@Cablenut9, I am 99% confident that in OP's case both MyNAS.XYZ.com and MyBlog.XYZ.com point to the same IP address. That's kinda obvious...

You need a so called HTTP reverse proxy to do this kind of redirect properly. RouterOS does not have that, so "L7 hack" is your only option in case you absolutely have to do that on Mikrotik itself.

The unit accepts both 802.3af/at and Passive PoE on input, but only provides Passive PoE on output. The injector that ships with the unit is Passive only.

Good work on the support Mikrotik, not.

Did you realize this is a user forum and not a support platform? I am not sure anyone from support saw this topic at all.

Do you happen to use the .local domain for your static entries? I saw someone mentioned in another thread that Apple only uses mDNS (but not "regular" DNS) to resolve names ending in .local.

This only works if the bottom 2 bits in the top octet of the MAC are 0, but should they not be in any situation where you'd use this rule? I will assume "bottom 2 bits" means "least significant 2 bits" here. The two least significant bits of the first octet of a MAC address have...

Yes. On each side I have a dedicated edge device for each ISP line (those are three ASA boxes on one side and three RB4011 on the other). An IPsec tunnel is built between each pair of edge devices, three tunnels in total. All these tunnels share exactly the same policies (i.e. bridge exactly the sam...

I have an installation where I do similar thing, except I have three ISP connections on both sides, not two. It is easy in my case because I have 4 routers on each side. And I am not sure you can do that with just one.

Is there any point sending a supout to Mikrotik....?

Yes, there is. Please do.

Do you have any hints on the "restoring configuration from export" ? I do that rather rarely, mostly while changing/upgrading gears. What works best for me is /system reset-configuration keep-users=yes no-defaults=yes skip-backup=yes , then connect using MAC-WinBox or MAC-telnet and apply...

I've been doing exactly that (tracking configuration history by storing configuration exports in svn) for several years now, and it is working great for me. I would only encourage you to use /export terse - the output will be slightly less human-friendly, but much more diff-friendly, which I find to...

QuickSet is a tool for housewives with little to no knowledge in networking to quickly make their brand new gear up and serving WiFi in their kitchens. The number of configuration choices is deliberately limited to keep the damn thing simple. QuickSet is not meant to make trivial things more accessi...

this method doesn't require that you leak your login credentials to anyone with a copy of the shortcut

Anyone "double-clicking that shortcut" should have read access to a copy of the private key and that automatically grant him/her full access to the router.

MTU of the EoIP interface itself should always match the MTU of the networks you are bridging, i.e. 1500 in most cases.

In-transit fragmentation is forbidden in IPv6 networks, packets may only be fragmented by sending parties. Functional PMTUD is vital in IPv6, so make sure you do not block ICMPv6.

@msatter, I don't see how you tip applies to the OP's situation. Your link basically describes a workaround for a specific case when tunneling all (also with NAT) through IPsec prevents PMTUD to work. That is not a problem for a regular IPsec use case when IPsec is used to interconnect specific subn...

https://download.mikrotik.com/routeros/ ... a4-arm.npk

MSS is a TCP thing, and RADIUS only supports UDP as a transport, so the rules you've mentioned will never work with RADIUS. Fragmenting large UDP datagrams should not be a problem. Unless DF bit set, of course, in which case fragmenting is forbidden. The latter usually happens during path MTU discov...

Try connecting with WinBox using MAC-address instead of IP. And if that does not work then the only option is serial console, I guess.

IPsec encoding of a single TCP stream (connection) is always tied (and thus limited) to a single CPU core to avoid packet reordering. If you run multiple TCP streams in parallel you should be able to get a much higher overall throughput.

Does MikroTik have a recommended one? Mikrotik offers a couple of power supplies (see e.g. MT48-480095-11DG and MT48-570080-11DG ), but you can use literally any with suffucient power output. I wonder why it doesn't come with the appropriate power supply though, is a 24V one actually cheaper? I gue...

You need to use a 48-57V power adapter when you need to provide power to 802.3af/at devices. The 24V power supply that comes with your hEX PoE unit is not sufficient. That is clearly documented on the product page.

Do you know there should be a "Port1 PoE In Long Cable" setting on the System tab? See: - https://wiki.mikrotik.com/wiki/SwOS/CSS106#System (for the current RB260GSP / CSS106 boxes) - https://wiki.mikrotik.com/wiki/SwOS/RB250_RB260#PoE_and_Health_.28RB260GSP_only.29 (for the older/original...

The power drop on (wire1) (actually any wire) depends on the current. So at peak times the power drop may be significantly higher than in a steady state. Now, the overcurrent protection is likely implemented by monitoring (rapid) voltage drops (instead of current peaks). Which means a long (relative...

NAT was just another way to solve your problem. And it was easy. And "universal", meaning you can implement it no matter what else you have configured and how. Your "route to bridge" solution works because you happen to have an interface (bridge) with an IP address that is covere...

It should be "src-nat". The "dst-nat" thing only works for incoming connections destined to your router.

P.S. IPsec is rather "advanced" topic, but the NAT is pretty basic, really. And your NAT-ing mistakes look so naive...

"action=accept" in NAT means "do nothing". No wander nothing changed. :)

Nah, COBOL!

When DNS resolver (on your router) makes a request it uses one of the IP addresses assigned to interfaces of your router. Which one depends on what you have in the routing tables. In most cases that will just be your external address. I am confident that address is not covered by your IPsec policy. ...

Is there a significant difference in real WiFi coverage between the hap ac2 vs hap ac3 to justify the higher price of the latter? hAP ac³ (as compared to hAP ac²) has a slightly better CPU, more RAM and way more flash (and a decent amount of flash, for example, means better chances your WiFi will b...

Can I and how do I , log ( syslog and/or syslog to a remote syslog server ) all NAT translations ? NetFlow is the answer here. It will export ("log") all the connection tracking statistics for you. Use NetFlow v9 as it provides a richer set of information, including full NAT details for e...

Indeed, SwOS Lite version 2.14 topic is here: viewtopic.php?f=21&t=175736

What you need is a NetFlow collector. You setup the collector, then configure you router to export the traffic flow information (see the Traffic Flow manual page). Once your traffic data is collected you can export it in whatever format you want. However, please note that: (a) you cannot run a NetFl...

In the vast majority of cases SMIPS upgrade problems are caused by RAM shortage and not flash shortage. The error message may be misleading, when it talks about disk space it is usually complaining about RAM drive. If you have problems upgrading SMIPS routers try rebooting the device first, then att...

Saiks, SwOS has web interface only. The app is only for RouterOS.

*) ipsec - added SHA384 hash algorithm support for phase 1 (CLI only); Strange effects when attempting to edit ip ipsec profile created with sha384 hash in Winbox 3.27 - the hash is shown as MD5. That "CLI only" remark means setting this up is not currently supported in either WinBox or W...

I am sure that 16MB flash nonsense is not so much about money as it is about technology. I've recently posted my thoughts about it here . Now I just wanted to add that the reason all Mikrotik devices with SPI flash chips are limited to 16MB might be the relatively old kernel in v6. Though should it ...

This is clearly off-topic gone wild, but let me add my 2¢ anyways. :) That 16MB flash thing is not only economical, but also technical. If you take a close look on the different RotuerBOARDs you'll notice that all those 16MB flash devices use SPI Flash chips, whereas devices with a larger amount of ...

The reset button is a multi-function thing and needs to be operated properly. You can read about it here:
* Wiki page: https://wiki.mikrotik.com/wiki/Manual:R ... set_button
* Device-specific quick-start guide: https://i.mt.lv/cdn/product_files/rb301 ... 190656.pdf

5ghz backup is useless because:

When the first 60G devices were introduced there were a lot of folks asking for a combined devices with 5G backup. Now that the first such device is introduced there are other guys saying the opposite...

Screenshots are useless. Post full configuration export instead.

But in general, what I wrote in the previous post still applies. Make sure those two requirements are satisfied, and then everything you described should just work.

Would help of course, if ARM was officially supported.

I think they just forgot to update the wiki page. Partitioning works just fine on ARM devices with enough storage.

What is it?

It should be as simple as satisfying the following two requirements:

1. Make sure you do not block traffic between Stream and LAN subnets.
2. Make sure computers on Stream subnet only use your ADCs as DNS servers.

I saw a similar behavior with broken IPsec configuration recently. My issue appears to be partially resolved in 6.48beta48. So one thing you can try doing is upgrade to that beta check if your IPsec configuration can be accessed/exported again in case it can remove everything from /ip ipsec and then...

Do you know that an export command exists on RouterOS?
Check this page out: https://wiki.mikrotik.com/wiki/Manual:C ... figuration

This is already supported, see this: https://wiki.mikrotik.com/wiki/Manual:Partitions

The AP mode is not allowed on my device.

You should use bridge mode instead. For more details please check this page out.

What nonsense.
why do they put USB in it at all.

Guess, 3G/LTE dongles, serial communication, etc. Mikrotik produces routers, not NAS devices, after all, so SMB/FTP/etc functions are purely supplementary (firmware update, backup download/upload, hotspot customization, etc.).

Have a look at RoMON.

Only the reception of the access point may improve, not the signal strength. I was thinking about this lately. I believe better reception (higher rx sensitivity) also means higher sensitivity to the interference. So you are getting better coverage, but can only enjoy it in quiet areas, whereas in t...

Is this the best place to report bugs?

Nope. This is NOT a place to report bugs at all. Bug reports should go to https://mikrotik.com/support.

Do not mix up the antenna gain and the signal strength. When using a high gain antenna your router has to reduce tx power to stay withing the legal boundaries, so the max signal strength you get is the same. However the effective coverage is usually better, thanks to a better sensitivity on reception.

I noticed the PM is now disabled again. Was it that bad being enabled?

Are you sure this is a 7.1beta specific problem? I.e. can you confirm there's no such problem with v6? Also please check you cables. From my own experience, these old HP 2810 series switches are very sensitive to even slight cabling problems, and fallback to 10M half-duplex (or does not work at all ...

If it's just 3 month old, is RMA an option?

When a packet with destination 10.10.10.0/24 gets in the mikrotik router, ECMP computes a hash based on Source Address, Destination Address, Protocol, Source Port, Destination Port, and that decides whether the packet is sent to gateway 10.20.20.2 or 10.20.20.3, right? Not quite. According to this ...

Certificate is OK

Wrong certificate, erlinden was asking about the certificate from download.mikrotik.com, i.e. the one from the page giving the error.

P.S. This is getting pretty off-topic, I'm going to move this whole conversation into a separate thread... Done!

@Delsey Downloads work fine for me. I specifically tried the link from your screenshots, it works as expected, no certificate errors whatsoever.

This may be either a CDN problem in your region, or a sing of an ongoing attack (like MITM, DNS poisoning, etc).

OpenWRT on Mikrotik as a MetaRouter

Metarouter is not supported on hEX S (as well as any other model with SPI flash).

mikrotik.com/dowload

Perhaps because you missed N in dowNload?

I assume you are asking about hEX S (RB760iGS). That is a full-featured router running RouterOS. You can read more about the software here and here. It is pretty powerful and will likely cover most (if not all) your needs.

Is there any difficulties to implement an external link and provide access to a routerOS through API? Nothing too fancy. The API description is here . At the bottom of that page there is a list of third party clients in different languages. You should enable the API first in the /ip service menu, s...

And to your original question. Have you seen the Customizing Hotspot page on the wiki? Specifically, the "External authentication" section may be of interest to you. And if you don't feel like passing a (temporary) username/password pair in a redirect back to the router, you can consider d...

I tried to open the link in Yandex with a VPN - eventually it's been opened. Well, Ukraine blocks a range of Russian's IP addresses who knows it might be the reason. Just checked, works fine for me. Tried opening that page via several ISPs here in Kharkiv, no problems at all. It's probably the brow...

Please check the /system package menu, the package may be installed, but disabled.

The Block Diagram for this device says the switch chip is QCA8327.

1. routing
2. firewall
3. NAT
4. IPSec policy

This is a pretty incomplete sequence. Please see the packet flow diagrams

All I am saying is, that those who have enough switches that will benefit from a single management plane, will almost certainly need HA features to go with it. My friends have an office here with 200+ client ports, with all cable runs going into a single rack with five 48-port access switches (some...

And once you do anything outside of QuickSet never attempt to use QuickSet again- that has a great potential of ruining your running configuration.

As far as I understand packets belonging to a single TCP stream are always bound to a single CPU core, no matter if it's routing or bridging. This is done to avoid packet reordering (which used to be a huge problem when CCR series devices were first introduced several years ago).

Screenshots are (almost) useless, please post configuration export (run /export hide-sensitive from the command line) instead.

btest itself is very heavy on CPU, this is a well known issue, which has nothing to do with the actual routing performance of your devices. Search the forum again, this has been discussed tons of times.

What do I use then to get traffic data from each client that I do use in Splunk for MikroTik?

NetFlow is an obvious choice for that kind of data.

Sounds like a DFS (radar detection) in action. Check your logs to check if that is the case.

This will be a deal-breaker for MANY people, I'd go so far as to say for the majority of people. Not sure about the majority, we successfully use CAPsMAN in the office, where 24x7 is not a requirement, so that's not a deal breaker for us at all. But you are right, in some cases (like hotel installa...

Please read carefully https://forum.mikrotik.com/viewtopic.php?f=7&t=161563&p=796943#p796661 Right, I've read it again. Please find my comments on it below. So its either Beamforming or Spatial Multiplexing .... normally part of the wireless driver packaging Well... Yes, spatial multiplexin...

Nowhere did I state that Spatial Multiplexing is Beamforming .... grrrr

Then what was your reference to 802.11 and MIMO about?

Beamforming began to appear in routers back in 2008, with the advent of the 802.11n Wi-Fi standard. 802.11n was the first version of Wi-Fi to support multiple-input multiple-output, or MIMO, technology, which beamforming needs in order to send out multiple overlapping signals. Nope. Spatial multipl...

OP was asking specifically about 60G devices, where beamforming IS available (at least on some devices like wAP 60G).

On a broader term, MIMO neither implies nor requires beamforming. Only MU-MIMO does. And none of the Mikrotik devices currently support MU-MIMO, that is a well-known fact.

I am running winbox (32-bit) under wine on a Debian system.
Maybe it behaves differently on a native Windows system?

Sounds plausible. I run Winbox (64-bit) natively on Win10. And (simply out of curiosity) I have just tested 32-bit version, which also works fine for me.

open a window like "IP firewall filters" in a router that is in active use, and make sure the hit-counts of firewall rules are being displayed (and changing all the time). Now, position the mouse over a header separator and keep mouse button pressed to attempt to move the separator to set...

Au contraire. MK has a superior QC department. They created the "obsessive compulsive TRAP".
Looks like it found a victim already.

I like these a lot! Please keep posting!

Interesting!!! I have to dig deeper in this WMM. WMM priority when received over WLAN how is it marked? DSCP (TOS) or MKT priority? Have you seen this article on the wiki: https://wiki.mikrotik.com/wiki/Manual:WMM ? If the priority is maintained in the MKT, then with the default config only priorit...

I struggled to find a Support section or separate Support forum

This is a community forum, for support please look here: https://mikrotik.com/support.

Connection was plug-and-play, 10Gbit link speed is up, however winbox bandwidth test shows speeds lower than gigabit (500-750mbps). Your device is a switch. It can work as a router, but that router is pretty weak. Basically, while switch hardware is powerful enough to forward L2 traffic between all...

With Log window opened, minimize WinBox, then Restore. Log is always reverted to the beginning. Anyone else seeing this? Yes, the same here Just tried it on several routers, but only see this behavior on a single device. A differentiating factor appears to be the number of records kept in the log. ...

No, you should not ignore them. They most likely indicate a problem, but the reason is elsewhere.

What you want is not possible. In CAPsMAN it is manager that always handles client authentication, no matter what forwarding mode is in use. That's by design.

I found something on the second devide. On that bridge and ether1 got the same MAC-Adress.

That is normal, as expected, and is not the cause of your problem.

just 7 days uptime, free memory down from 80Mb to 65Mb

That is not an indication of memory leak on its own. Does the memory usage keep growing? How does it look over time? Do you have a graph to show?

I don't know if it is possible to strip the priority tags on your switch, but am very curious why do you need to do that at all?

Provided I understood what you mean by "remotely" correctly, you cannot in general do that. Addressing any device by its MAC address is only possible within its own broadcast domain (i.e. "local network"). Having said that, if you have another RouterOS powered device in the same ...

However I suppose that my question still stands though, about why adding a bogus default gateway to main routing table, corrects the timeouts? Sorry, what I wrote above describes rp-filter=strict , not loose . I have just edited my message to correct this. For loose to pass packet it is only necess...

Ok, it's pretty clear what's going on now. Your routing works as expected. It is not your outgoing ICMP echo-request packets (pings) that are being mis-routed and/or discarded, but rather incoming ICMP echo-reply packets get rejected by your rp-filter . The rp-filter=strict works by checking if the ...

I would like an official answer from the mikrotik support This is a community forum, please write to support@ directly if you need an "official answer". From the product description it would seem a simple passtrought of the power supply, therefore the conversion does not take place and it...

I have no time or interest dog this dead horse (my Cap AC) at the moment, but I'll keep monitoring this forum, as maybe some posts their helpful findings Yes, just keep monitoring. Your other message (now removed) has been reported as a personal assault, and I find that report legitimate. So now yo...

1. Package upgrade and install on all SPI-flash devices is always done in RAM. You should always upload all .npk files to the root directory, not /flash. 2. What's the point in installing The Dude server on your switch? It has only 16MB flash and no options for external storage (like USB port or SD ...

Please reset your wlan2 interface to defaults with /interface wireless reset-configuration wlan2 , then change just two parameters- set country to the proper value and frequency to 5180 (due to DFS requirements, when frequency is set tot 5260 or higher you will have to wait for at least 1 minute [an...

Almost any Chinese device cost less then Mikrotik and performs better.

Please, please, please, go buy one and stop complaining here! It is cheaper and works better for you, so what's the point in doing what you are doing?

I'm wondering are these success stories false or why in this forum and also other forums contain more problems than praises? You do understand that happy users do not generally spend their time writing to forums how satisfied they are, don't you? They just use their devices. Unhappy ones come here ...

I'd use log-prefix as a differentiator, then do the actual filtering of the messages on the syslog server.

Since the model of my Metal is missing the 2 (5SHPn and not a 52SHP-n) can I safely assume it is not capable of 2.4Ghz?

Yes, that's correct. Your device is 5GHz only.
More product specs here: https://mikrotik.com/product/RBMetal5SHPn

What's in the log after reboot?
Also are you installing The Dude client or The Dude server?

Players on the same Wi-Fi can always see each other.

Can you elaborate on this "same Wi-Fi" thing please? Do you mean associated with the same CAP in your CAPsMAN?

Did you happen to disable the default-forwarding property on your wireless interface? Or forwarding property for a particular client via access list? Just guessing...

What are your speed requirements? The easiest way to configure what you want is to use two bridges, but you device can only have one hardware-accelerated bridge. If your WAN is relatively slow I'd say go this way, with LAN bridge with hardware acceleration and WAN bridge in software. Another way wou...

There are plenty of other devices (including pretty powerful ones) with a small 16M flash. The problems with upgrading hAP lite are due to its RAM size, not flash.

Those are general routing and firewall facilities, not really related to wireless. In case you are satisfied with the (wired) routing performance, I don't think tweaking those will make any difference for you. But you can try, of course, and see/decide for yourself.

This seems work in some conditions only, at least for me the 20/40 Ce gives better speed than 20 only.

You wrote in another thread, that you don't have neighbors nearby and that the spectrum is free from other networks at your place. So, of course if does!

I did not state that you could not use 20MHz channel with MIMO .... You did, actually. Let me cite you: To get performance the MIMO client and MIMO server must talk MIMO and that means at minimum 2 x 2 streams .... not 1x2 or 1x1 ... but 2x2 .... in MikroTik speak streams = chains. so if you want b...

so my contribution here is to state that 2.4Ghz 20Mhz channel width is absolutely wrong WRONG wrong from a performance perspective and from a MIMO perspective. How does one relate to another? :) You can use 20MHz channel and still use MIMO. All those spatial streams operate in the same channel(s).

Lastly, are you able to upgrade firmware on your wAP ac normally.

Absolutely. Upgraded RouterOS on all 8 units from CAPsMAN, and once they all came back online rebooted once again to upgrade RouterBOOT (they all have /system routerboard settings set auto-upgrade=yes). All went smoothly.

MTeeker That must be something specific to your particular unit. We have 8 wAP ac units here also running as CAPs, successfully upgraded all of them to 6.45.9 from 6.45.8 two days ago (both RouterOS and RouterBOOT), no problems so far. You wrote "Back down to Stable V6.46.6", so I guess y...

CRS305-1G-4S+IN ?

Looking at the registration table, which client should I look at? At the one you use for testing. For example my phone which is quite far away from the router has: -60dbm Signal Strength and RX rate 585Mbps Tx rate 351Mbps, but still speedtest shows around 150Mbps speed. - Analyze the whole TX/RX-r...

It reappeared later on after a reboot and then disappeared again.

Sounds like a DFS (radar detection) in action. What's the interface status?

What's your client device? It is possible that the speed is limited by the capabilities of your client, not the AP.
Can you show what's in the registration table (/interface wireless registration-table print stats) during the test?

Or does it re-send every broadcast/multicast packet to every connected client? Yes, it does. I thought that the "convert multicast to unicast" thing that some other manufacturers do will only handle multicast in conjunction with the IGMP snooping that they do As far as I know, Mikrotik im...

How much traffic (including inter-VLAN communication) are you going to route?

The only thing that I would add to what pe1chl already said is that broadcast traffic in wireless networks is always sent using the basic data rate (i.e. the slowest allowed data rate for the given network), so sending a lot of broadcast traffic will significantly degrade the performance of the whol...

In my cause my country Not Found with list, So i selected the Installation "indoor" Those two (country and installation type) are complementary, meaning that installation type does not work at all without country being specified. I guess when running your AP without CAPsMAN your obvious c...

You don't need to put anything in there, the max allowed is used by default.

Just a couple of messages above you said you are not an expert in wireless and complained that WiFi does not work as expected out of the box. And now you complain about advanced configuration options no being available. Are you just trolling? Edit: PS. And, by the way, band steering is an ugly hack,...

*) chr - fixed graceful shutdown execution on Hyper-V (introduced in v6.46);

How comes 6.45.9 contains a fix for something introduced in 6.46? In case the bug was "backported" from 6.46 it would be good to know what 6.45.x versions are affected.

Check your cables.

Anyone know why gigabit ethernet would not work with auto-negotiate disabled? My understanding is that for 1G (and faster) copper links it is not only connection speed that needs to be negotiated, but also the line needs to be tested and some other TX/RX parameters then needs to be negotiated and/o...

IIRC, VLAN tagging is a software-based operation.

Not necessarily. Lots of switches out there do in hardware.

These devices don't have switch chips.

Which devices?

The rules defining the simple queues are matched like firewall rules, one by one from the top until first match, for every single packet, so it may slow down the packet processing significantly. It used to be the case in RouterOS v5, but since early v6 it is not the case anymore. Simple queues are ...

2. The only Winbox facility on the MikroTik webpage I downloaded was software

What software? WinBox itself? WinBox is just a configuration tool for RouterOS powered devices. You cannot use it for anything else.

I believe it is normal. I've just check a CCR1009-8G-1S-1S+-PC of mine, it is also reported to be CCR1009-8G-1S-1S+ in RouterOS.

When searching for the network, make sure you are using wlan2 interface on you hAP ac².

Faulty unit, perhaps.
I have two, tested one (see results above), works as expected. My environment is moderately crowded.

but link is free, and I'm the only user.

It's wireless. I.e. it uses shared medium and is pretty susceptible to interference. So, you never know when it is really free...

@miloxdan, You do not configure wireless interfaces on either of your devices. You first configure CAPsMAN (the manager) on one of them, then enable CAP mode for all wireless interfaces on both. SSID, security profile, channels, etc. - everything is configured in a single place (on the manager). Hav...

so how do seamless roaming work

SCA (Single Channel Architecture). Basically the whole network "pretends" to be a single AP, so there's no roaming from the wireless client point of view at all.
And it has nothing to do with "enterprise wifi networks".

Is that possible to Access Webfig with HTTPS Get yourself a certificate for your domain, import it on your Mikrotik device, then enable "www-ssl" service with the following command: /ip service set [ find name="www-ssl" ] disabled=no certificate="<cert_name>" You may a...

that is, the access list to delete? I also have a delay of 3-5 seconds without an access list. Roaming is always a client's responsibility. If your client devices are old and cannot roam nicely there's nothing you can do on the AP side to improve that (except, possibly, switching to another brand t...

in your setup, probably worth trying to setup access list on the APs, so it actively disconnect the client , instead of waiting for the client device to disconnect This is the worst ever advice, but people still keep suggesting it over and over again... When you forcibly disconnect a client you are...

I can put the config up here if the problem is not obvious.

Please, do it.

That pic is pretty useless, as it hides too many of the essential bits of configuration. If you want/need to share your configuration you should post the output of the /export hide-sensitive command instead.

If anyone is still interested, I had some free time today, so I got one of my cAP ac s off the shelf and did some tests. The device was updated to 6.46.6, configuration was reset, then I configured it as an AP (not router) and ran some tests. I am consistently getting about 90/90 on my mobile and ab...

This is really confusing b/c my device is in Bridge Mode (all interfaces in same one bridge), and I have the said use-ip-firewall setting not enabled, and I have placed my firewall stuff under "/ip firewall filter", but the firewall is still functioning (!), (although not that perfect, or...

You have two bridges, and currently only a single bridge can be hardware-offloaded on CRS3xx series devices. This is clearly documented here.

Why do you need two separate bridges?

Search found 1455 matches