MikroTik

biomesh

A serial console cable is probably your best bet at this time. You should be able to get to the boot loader and choose routeros.

biomesh

The correlation between the small frame sizes and counts is probably correct as pause frames are generally small.

Cha0s mentored this is how flow control works. The numbers are not that high, but if you don't like it, just disable it on your devices (routers and switches).

biomesh

You might want to post your config on the crs210 devices. If you are hitting the cpu, then that would explain the ~300Mbps cap.

biomesh

I replaced this switch with a crs326-24g-2s+IN. I am using ros not swos. They definitely boot faster than the 5+ minutes it takes for the tp-link switch.

biomesh

My cap acs run between 3.5-4 watts during normal operation.

biomesh

Are these gigaset devices having issues with the lldp med options added?

My asterisk, grandstream, and obihai (polycom) devices all work fine.

biomesh

I upgraded the following without any issues:

Crs326-24g-2s+ (with lacp bond), crs317, ccr1009, cap ac, wap ac, hap ac2, hap mini, chr, rb921gs.

biomesh

In my experience, you don't need to forward any port if you have a sip trunk in asterisk that is registered. If your Nat settings are off in asterisk, then that is your real issue. An asterisk sip trace or a packet trace of the sip and rtp network traffic will help you identify what is being sent. C...

biomesh

While not the best solution, could you not set a scheduler script to pause kid control then re-enable it a minute(or two) later.

biomesh

Sometimes there is a hardware revision shown (if there is one). The documentation - from what I found - only showed the cpu temp sensor.

At this point you should contact mikrotik support to see what they say.

biomesh

Sounds like there could be a new hardware revision for the crs317. The current specs pdf does show operating temperature changes from September.

It would be best to confirm with mikrotik support.

What does /system/routerboard/print show?

biomesh

Some devices will have multiple sensors or sensor output. Both my ccr1009 and crs317 have cpu temp and device temp while my other crs devices have only cpu temp. My crs317 shows: Device temp Cpu temp Fan speed for each fan(if they are running) Psu status for each power supply If you do not see all o...

biomesh

I don't think it is a capsman issue, but I just wanted to mention that option in case it helped. I have client-to-client forwarding enabled. Per the wiki: client-to-client-forwarding -- controls if client-to-client forwarding between wireless clients connected to interface should be allowed, in loca...

biomesh

If you have client to client forwarding enabled in capsman then I am sure this is a tplink issue. I tried to duplicate everything you had but mine worked with no pings from the device at all. The firmware doesn't seem to be common between their products so it could be a defect on their side.

biomesh

You mentioned capsman - are you using local forwarding or capsman forwarding?

I am also guessing that you updated the firmware on the plugs as well. (it normally does this when you first set them up)

biomesh

You might want to use the tplink tools here to see if the plug is reporting anything odd:

https://github.com/softScheck/tplink-smartplug

biomesh

- Packet 2: I see a 10 minute lease time in the trace. Most devices will not operate well with such a low lease time. I suggest to make it at least a few hours or a day. - Packets 43 & 48: The device cannot ping 8.8.8.8. This could be due to your firewall settings or it could be your ISP. I can ...

biomesh

I am running the latest stable on all of my devices (routers/swicthes/APs) 6.47.8. I have been using these devices for a long time, so I doubt it is a firmware issue on the routeros side. If you can get a lan trace of one of the kasa devices of about 10-15 minutes it should give you a good idea. You...

biomesh

Also look at this post - the kasa devices don't like certain subnets:

viewtopic.php?f=2&t=165458#p813598

Stick with 192.168.x.x subnets.

biomesh

Do you have any firewall rules that restrict traffic for these devices and DNS traffic?

I have over 20 tp-link kasa devices(103/105) that work fine - but I don't restrict the devices. If my DNS servers are down, then the plugs will be in "local" only mode.

biomesh

This is going to be due to an issue with your cables between the devices. It could just be the rj45 connector or something else. If you can use a different cable and/or plug into another device (switch) - it can help narrow down the issue. There is a slim chance it is an issue with the physical port...

biomesh

Can you try without the key_mgmt option?

biomesh

I use the MCX311A-XCAT with 10Gtek SFP+ DACs on the CRS317 and CRS309 with no issues.

biomesh

The vlans should not be created on the caps(the only exception would be to create a management vlan interface). The capsman provisioning will tag packets on those SSIDs with the vlan tag based on your datapath config. You don't need to set the tx/rx chains - if you leave it at defaults both chains a...

biomesh

You can also require a peer certificate. This way only authorized devices can be provisioned.

biomesh

First off, I would get rid of the rates config. This is going to complicate things before you get the basics working. I would set the channels to only be band 5ghz-n/ac. You will rarely see any 5ghz a devices. You are also not using local forwarding on the datapaths, which means that the capsman dev...

biomesh

I think if you boot into caps mode with the reset button you have to login and confirm the default config for that mode. If you reboot, it goes back to the default AP mode. As for a default config, here is what I use: /interface bridge add admin-mac=C4:AD:34:EE:BB:AA auto-mac=no name=bridge1 priorit...

biomesh

You hold the reset button for 10 seconds (led will turn solid) to put the device into cap mode. Personally I would get a working generic config and copy that config to each of the caps - reset without default config and have it run your custom default config. The config would include your bridge, ca...

biomesh

I would just use another cable and plug it into another device close to your hap ac2 to see if it connects correctly. If it does, it is most likely a cable/rj45 issue.

biomesh

At least on my devices, you won't see the traffic go over the bridge other than management traffic. Especially with local forwarding, most of your traffic will be on ether1 and your wlan interfaces.

biomesh

a. bridge has vlans only and does not function DHCP itself, I dont see a conflict/ b. bridge has vlans AND IS ALSO giving dhcp itself............. What happens when I connect a computer to etherport 5?? Does it get DHCP from the 192.168.10.x subnet or the bridge subnet?? A request that is not tagge...

biomesh

My guess is low memory or disk space.

biomesh

It just means it can be powered by a switch or injector with sufficient power. If you do get passive poe out devices, injectors are generally less safe as they don't do as many checks (or none at all) on the connected devices, unlike switches. Switches normally default to checking the line before su...

biomesh

There is a ssid regex option that you can use to apply certain rules in the access list to certain networks. You don't have to specify a Mac address either. You could have an accept rule for all devices in your guest ssid and limit your main network with accept rules for that ssid with only defined ...

biomesh

10Gtek dacs work great between my crs326, crs317, and ccr1009.

They are not expensive at all.

biomesh

Comcast rolled out ipv6 to end users many years ago. They provide an address for the wan interface and a prefix. The default prefix size is a /64 since most users don't have multiple subnets or complicated networks. Comcast also offers a /60 for those who need it by use of a prefix hint. This is a g...

biomesh

SWOS in my experience, is different on every hardware platform. The crs3xx/css3xx series are the closest to "normal" switch config options/interface. I prefer routeros on the switches since many times swos has limitations and the releases are far and few between. I know that this specific ...

biomesh

I normally leave it to 10 seconds unless you want to give a client more time on that ap if they seem to drift in and out of range, or if they stay at the signal limit often.

biomesh

Capsman access lists are a bit different. The rules are always checked sequentially. I would not use overlapping ranges unless there is other criteria used. So for your example, the following should work. For capsman, it is easier to just add the allow rules first and reject rules at the bottom. You...

biomesh

The phone could disconnect and reconnect immediately if it meets the requirements in the access list. If it does not meet the requirements but had bad logic it could keep trying to connect and fail until the signal is within the access list range again. I have some 'smart' plugs that are anything bu...

biomesh

It worked for me a week or so ago when I deployed a new cap ac. You need to make sure the config is stored in the /flash directory to make sure it is available after the reset. I used 6.47.4. I confirm this no longer works. run-after-reset is now broken. Also flashfig is now broken and will not exec...

biomesh

Do the devices all share the same ISP?

All of my tests have been on Comcast, from various locations on their network.

biomesh

I just connected to a RB751G (8 years old) that had never had ip cloud enabled - running 6.47.3 and it updated fine.

biomesh

I have a CCR1009 which is almost 5 years old and it has been updating fine - I keep it current, so at one point was on 6.33 or earlier.

biomesh

I used the packet sniffer and when you enable ip cloud on a new device it sends one udp packet to one of the addresses resolved by cloud2.mikrotik.com on port 15252. In my case it is sending data to 159.148.172.251 and 159.148.172.201. I tried on two different cap ac devices. Once the request is mad...

biomesh

I have a new cap ac that was shipped with 6.44 and updated it to 6.47.4 before resetting the config into caps mode. I just ran the following and it worked fine.

/ip cloud set ddns-enabled=yes

biomesh

Devices without a console port can be tough - that is why if I can get one with a console port, I will get that - even if it costs more.

biomesh

Here are the key points of the config from the ref............. Base vlan = management vlan # Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN) set bridge=BR1 tagged=ether1 [find vlan-ids=10] set bridge=BR1 tagged=ether1 [find vlan-ids=20] set bridge=BR1 tagged=...

biomesh

I see where at one point I had a vlan interface - I must have been testing something on that cap - my other caps don't have that interface. Here is a better example. I set the pvid of ether1 to 70 to match the bridge where I actually have vlan 70 tagged on ether1 to avoid a ghost vlan1 since I allow...

biomesh

I also just tested enabling ingress-filtering=yes on all of my "static" interfaces: bridge, ether1 and ether2 and did not have any issues. I am the only one who configures my network, so I make sure the vlan config matches between the switch and the cap. The ingress-filtering would only im...

biomesh

Vlan 70 is my wifi management vlan. I don't use vlan interfaces as my bridge address uses dhcp and I set the bridge pvid ( to 70). My dynamic vlan from capsman is added to the config once provisioned. I don't use vlan 1 in my network at all. This is indeed for cap ac as this config is running on fiv...

biomesh

Is there something different with the switch port the new ap is connected to? Nothing obvious stands out to me, so I would personally check the switch next. I have a basic config I push to all of my cap acs - but it is meant for use by capsman. It uses a dhcp client on the bridge(which is untagged) ...

biomesh

Cap AC is really designed to be mounted on a wall or ceiling, and is only powered via POE - it also has POE out on ether2. It comes with extra mounting hardware and an extra cover along with the POE injector. The Hap ac2 has more ethernet ports and a usb port. It can be mounted on the wall, but is p...

biomesh

It is beneficial if you need redundant links between switches or to detect loops on the network. If neither of those apply to you - you can disable it.

biomesh

There is a known issue with swos 2.12 with flow control. Your ports can go into a paused state. The easiest fix is to just disable rx and tx flow control on all ports.

If the actual sfp is disappearing, this could be a different issue.

biomesh

What is the mtu on the client side?

biomesh

Are the bond interfaces in the bridge or are the slave ports? Only the bond interfaces and your one server port (6) should be in the bridge.

biomesh

Along with the previous suggestion, I would recommend a console cable (if the device supports it - which a crs326 does) or copy over the rsc file and do a resset-configuration and set it to no default config, no backup, and have it run the rsc after reset. It basically means you copy a file and run ...

biomesh

Can you see if disabling all flow control on the interfaces helps? 2.12 has an issue where flow control is not working correctly and can cause some links to remain "stuck" with pause frames.

biomesh

Those ports are only useful if the device boots. If it is stuck at the RouterBoot menu, you would really need a console cable.

biomesh

If you have a console cable, you should be able to see the Routerboot menu and use the backup bootloader or choose other boot options.

https://wiki.mikrotik.com/wiki/Manual:RouterBOOT

biomesh

If the port was flapping, it could be due to an issue with some rstp configs in swos 2.12 - you can try 2.11 to see if that helps.

biomesh

The mantbox includes an integrated router board and is all you would need for connectivity. The mant is only the antenna.

biomesh

I still use smtp.gmail.com with tls(port 587) a user with an app password and never have imported certs to get this to work. I have a scheduled script that emails me exports once a week and it works fine. I have a feeling this is due to 2fa or an incomplete user name. I have a service account that I...

biomesh

Most likely bad cabling or connections somewhere. I have this issue with one of my ports in my house, but it isn't limited to Mikrotik products.

In my case it is an rj45 connector that needs to be replaced. I can jiggle it and get it to stay at 1G, so not a priority to fix.

biomesh

I use this method all of the time - I am using the current versions of both. If your tzsp port matches between ROS and Wireshark it should decode everything normally. If you want to just get your traffic that is streamed, make sure you use a capture filter and not a display filter( i.e. "udp po...

biomesh

The default (from the default config from an rb931) is none. I don't think this is enabled default. If you use quickset or set it manually it is enabled.

biomesh

/interface detect-internet detect-interface-list=none

biomesh

It looks like you have some channels set to tx-power of 11. That isn't extremely high, but if you might want to try it a bit lower just to check performance and range.

biomesh

For those with the odd behavior of not being able to connect after some time you might want to set all detect-internet interfaces to none.

biomesh

First off the tx power should not be negative. Normally in capsman you would configure tx power on the channel config and that would be it. You have it set on the cap configuration as well which would override the channel config. So the value 25 is the one being used. It is pretty high though. You m...

biomesh

Bridge mode means that the router should get a dynamic address. If you have a static allocation your gateway would have to be in router/gateway mode. DHCP should work if the gateway device is actually handing out a DHCP address. Run the packet sniffer to see if dhcp requests are being sent and how t...

biomesh

The disc lite5 ac is a ptp cpe device, not deigned as an ap. If looking for dial band with gigabit interfaces stick with the wap ac, cap ac or hap ac2.

biomesh

If you do run into any issues, I would focus on your firewall rules. Disable the vlan restricting ones then enable one by one until you find the culprit.

biomesh

Are you connecting to the router ip for that subnet, or a different vlan? You have firewall rules blocking inter vlan traffic.

biomesh

I don't really see anything wrong with the config, but I would definitely see if capsman forwarding is your issue. Check the cpu on your ap and router while doing iperf speed tests. You might want to see if you have overlapping channels too close to one another since you are using 80MHz channels. Ma...

biomesh

In real life (no matter what hardware you use) you will generally get up to 1/2 the transfer speeds with regards to your link speeds.

As for your config, can you post an export from your capsman manager device? This provides more details to be able to help.

biomesh

If they do make a IN version, they should have the case large enough for 40mm fans instead of the 30mm space for the crs326-24g-2s+IN. Raspberry pi fans are pretty much the only common offering in that size.

biomesh

A crs318-16P-2S+ would be great. I would like it in an "IN" desktop form factor, although I am sure a RM version would be popular too.

biomesh

According to the quick guide they are power only:

https://i.mt.lv/cdn/product_files/hAP-m ... 190504.pdf

biomesh

Are you out of disk space? I see extra packages installed in the first screenshot and your export references user-manager (with errors) and it doesn't show the pool you created.

biomesh

If there is a dhcp server on the modem / combo box it should provide an address. You might want to also update to a current version as 6.42.11 is very old - it looks to be a dev build anyway. There have been dhcp client related fixes since then, so you could be hitting an old bug. Also be aware that...

biomesh

Update your dhcp server from /ip dhcp-server add add-arp=yes address-pool=pool1 delay-threshold=5m disabled=no interface=\ br_lan lease-script="" lease-time=10m name=server1 use-radius=no to /ip dhcp-server add add-arp=yes address-pool=pool1 authoritative=yes disabled=no interface=\ br_lan...

biomesh

For the switches if you use static addresses you need to make sure you use vlan interfaces assigned to the bridge and set those interfaces and the bridge as being tagged for the respective vlan. Add an ip to the vlan interface and set the route. I prefer to use dhcp on a management vlan that is rest...

biomesh

Sounds like a config issue as it works partially. Please post your config so we can see how it is configured.

biomesh

The problem with the station pseudobridge mode is that they don't work well with dhcp clients due to the Mac translation. Station pseudobridge clone mode will help if you only have one dhcp client on that device. It is best to statically assign ip addresses to client devices (the printers in your ca...

biomesh

It's probably not really in bridge mode then. On the dslreports forums in the past people have reported many issues with those devices (normally smc devices). You are better off buying/trying a standard modem on the business class supported modem list and get the modem activated on the account. This...

biomesh

Is the Comcast device a modem only or is it a business class modem/router combo device? If it is a combo device then you need to call Comcast support and put it in bridged mode. I looked at the config quickly and didn't see any reason to not get a valid address, so it looks like you might be dealing...

biomesh

Post your config. I have been using both ipv4 and ipv6 since Comcast began supporting ipv6(quite a number of years ago). The dynamic ip should be an ipv4 though and you should also get a ipv6 address and a prefix (/64 or /60). If you are switching between routers, be sure to reboot the modem as they...

biomesh

Your lease time is 10 minutes, so the plug is going to try and renew the least at the 50% time left mark - 5 minutes. Unless you have a lot of unique devices coming and going on that vlan/subnet you can dramatically increase the lease time for DHCP addresses. Perhaps there is a code issue with the p...

biomesh

I just ran a sniffer trace on the plug right next to me and I don't see the same results. You will need to look at the packet details/decodes in wireshark to see what request/response was made to help determine what the issue is. If you want to upload/post your packet capture then myself and perhaps...

biomesh

The only issues I have had with the TP-Link smart plugs have been due to the DNS server(s) being down. I don't have them on their own IOT vlan though. They only connect to 2.4G wireless so 5G wireless should have no bearing. I would configure the packet sniffer to forward traffic to wireshark on you...

biomesh

Looking at your config you are only switching 2 ports - the qsfp+ ports. Everything else is going through the cpu. The bond interfaces need to be added to the bridge as well. Any bonded slave interface will not be in the bridge but only the bond interface itself. Any other standard interface should ...

biomesh

Your config is way off. The config really needs to be mainly done via the bridge.

https://wiki.mikrotik.com/wiki/Manual:C ... s_switches

Here is the link for vlans with bonds on the crs3xx series.

https://wiki.mikrotik.com/wiki/Manual:C ... with_Bonds

biomesh

Make sure extension-channel=disabled. By default they are enabled.

biomesh

I have the same results as mkx. I have provisioning rules for all caps though. I set the identity on each cap to let capsman set the correct channel and config for each radio/cap instead of any manual creation or configuration on each cap.

biomesh

I would disable wpa2-eap, change the group and unicast ciphers to aes-ccm, and set the channel width to 20 mhz only. You might also want to specify a channel instead of auto.

biomesh

Hi all, unfortunately have to confirm major problems with 2.12. Updating 2 CS106-5G-1S nearly wrecked my network. Took me a day to figure out I had to turn off RSTP on all Ports to make it work again. I can confirm that rstp does not work with 2.12 on the cs106-1g-4p-1s as well. It works fine on th...

biomesh

You will generally have two provisioning rules at a minimum for a dual band radio. One for 2.4 and one for 5 GHz radiios. Just specify the correct settings for each radio and keep the ssid the same if that is what you want.

biomesh

To have the cable run out the side of the cap ac, there are two molded u shaped sections next to the Ethernet connections that can be removed (gently with needle nosed pliers).

I don't know if that counts to you as being modded, but that is what they are for.

biomesh

Enable wmm support, that should help. The link rate is locked to a max of 54Mbps if it is disabled.

biomesh

Can you explain why provisioning rules won't work in your config to provision the virtual APs? For each radio that is managed by capsman, you really need to manage it via capsman, otherwise you are defeating the purpose of using capsman.

biomesh

@k6ccc - You are right, just tested with my css326. In the past with other switches I have had to set it to active. I set mine to active or passive, either way it worked for my lacp based lag.

biomesh

For lag config you would set both sides to active to have them participate in the group. One of the changes in this version was to allow lag to work with only one member active. While there could be an issue with how much membership traffic is sent, this is really a config issue on your end.

biomesh

Have you tried to disable flow control Rx and tx on all routers/switches on the sfp+ interfaces?

biomesh

@mkx - My point was just going to have the hap ac2 as just a router (1 wan, 1 Lan) and have it only do the routing between vlans (and wan). This was to see if the performance was better than with the switch/bridge config.

biomesh

@mkx I agree with you 100%. The question is if the extra load from the bridging is causing the extra load. If he were to handle vlan tagging on the switch and just do a 'router on a stick' config would that get the performance where it needs to be?

biomesh

You have vlan filtering enabled on your bridge which disables hardware offloading on the hap ac2. https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Hardware_Offloading You should really be doing the vlan tagging/filtering on your css326. It is swos, so there is no bridge config, just vla...

biomesh

How about 30d 00:00:00

biomesh

For those having issues flushing the dns cache, from my experience, this is due to a winbox bug IMO. If I have a large cache (a few mb) then through winbox the cache will never clear. If I run a /ip dns cache flush, it works. I also tested with disabling remote requests, flush cache, and enabling re...

biomesh

Since you don't have any firewall rules enabled, I would disable remote access to dns.

/ip dns
set allow-remote-requests=no servers=172.16.10.10

biomesh

You might want to drop the power levels on the APs so the clients don't try to roam as much.

biomesh

I would suggest using unique local addresses vs link-local addresses at this point if you need to add a static address. It would be the fd00::/8 range.

biomesh

If you are getting supout.rif's, you should email that to mikrotik support (support[at]mikrotik.com:) - since this is a user based support forum, it does not help us. You can post your device's config export (/export) so we can see what could be the issue. I would start by emailing support directly ...

biomesh

You will have to provide more details - ROS version, post your config, etc. Myself and plenty others use a CCR1009 with no memory leak issues, so this must be a version/config issue.

biomesh

I have seen this, but it has never been an issue for me since I do not use quickset for this device.

If you have an urgent issue or would like something addressed by MikroTik, you should email support.

biomesh

The RB3011 series uses an ARM processor, which is still a work in progress. You are better off just using another CCR1009 model or better.

biomesh

Why not just use one of the other ccr1009 models?

They do have a passive cooling model which is probably the closest upgrade. The other two models (passive or active cooling) cost more and have extra features.

biomesh

Mine looks accurate - make sure you have updated firmware (/system routerboard upgrade). I am on firmware 3.27. /system health print cpu-overtemp-check: yes cpu-overtemp-threshold: 100C cpu-overtemp-startup-delay: 1m voltage: 23.7V current: 611mA temperature: 38C cpu-temperature: 45C power-consumpti...

biomesh

I may not be an expert, in what you are trying to do, but it sounds like you expect the router to be a voip SBC. These are specialized devices for voip which can handle the load you are giving them which also include some firewalling capabilities. The SIP ALG in most routers are very basic and shoul...

biomesh

Most of these configs that have been posted are for a standard docsis 3 modem, not one of the business gateways. The gateways have their own quirks and most of the time lots of bugs. Unless you need static IPs, I would ditch the gateway and buy your own modem.

biomesh

Here is my config. I changed the interface names to match yours. This also includes my firewall settings. /ipv6 address add address=::1 from-pool=comcast_ipv6 interface=bridge /ipv6 dhcp-client add add-default-route=yes interface= pool-name=comcast_ipv6 prefix-hint=::/60 request=address,prefix use-p...

biomesh

Juanvi, you can use the vmware provided tool vmware-vdiskmanager for the pre deployment resizing.

biomesh

Looks good - Now I am just waiting for the licensing to be enabled for purchase. Will there be any way to convert prepaid standard keys (level 4/5/6) to a CHR equivalent license?

biomesh

The 2011 should be able to handle up to ~200 Mbps depending on the config. The 6141 should really have not bearing on this, with the exception of what type of service you have with comcast. If you have residential, you will only get 1 IPv4 address, but you can get multiple IPv6 prefixes (limited by ...

biomesh

You don't need the /128 address to work with comcast. You will need to make sure you assign an address to your internal interface and you should set up ND too. Here is my IPv6 config that I have been using with comcast for probably a year. /ipv6 address add address=::1 from-pool=comcast_ipv6 interfa...

biomesh

You hit the cpu limit for nat/conntrack for this device. A ccr or RB1100AHx2 would be the device you would need to get gigabit speeds.

You might just want to let the at&t router do the nat unless you want to spend $350-$425 on a new MT router.

biomesh

Some good changes here, including the new "ip cloud" menu
What exactly is the point of "ip cloud" when you cannot remember your dns name?

If you have your own domain, just create cname records that point to your serial number dynamic dns records hosted by mikrotik.

biomesh

As for IPX, NCP (which is the only common protocol that was used with IPX/SPX) had TCP/IP support added almost 20 years ago.

biomesh

Here are my queues. They give voip traffic the highest priority, any regular traffic the next highest priority and crashplan traffic the lowest priority. You would need to adjust to your environment (limit, max-limit, parent, etc) /queue type set 0 pfifo-limit=500 add kind=pcq name=pcq-crashplan-upl...

biomesh

You would have to add a mangle rule to mark the packets like /ip firewall mangle add action=mark-packet chain=postrouting comment=crashplan dscp=2 new-packet-mark=crashplan passthrough=no You would then just need to set up queues to make the traffic low priority. The issue with QOS on windows is tha...

biomesh

Looks like you got a CPU bump as well. By default it have 300 mhz but you can overclock to 400 mhz. I have a few of the original ones, and you can only set them to 360 MHz (default) or 240 MHz. For a while, they had 400/300 and I think 240 options, but due to some stability issues with the original...

biomesh

Looks like you got a CPU bump as well.

biomesh

Comcast provides an ipv4 address on all connections and ipv6 on most. The person you talked to was incorrect. You need to reset the cable modem so that it will see the mac address of the new router. Residential comcast connections only provide one ipv4 address and it is restricted by the cable modem...

biomesh

Most likely it is a gateway device, not just a modem. It does a 1 to 1 NAT for the static IPs. I would check the settings on it to disable all firewall rules and ICMP handling so that way the 450G will see the traffic.

biomesh

https://www.wireshark.org/docs/wsug_html_chunked/ChCapInterfaceRemoteSection.html The Remote Packet Capture Protocol service must first be running on the target platform before Wireshark can connect to it. The easiest way is to install WinPcap from http://www.winpcap.org/install/default.htm on the ...

biomesh

If you have a request for a different implementation, it would be best to include the different options that would work better for you.
Personally, tzsp had worked fine for my needs.

Sent from my Nexus 7 using Tapatalk

biomesh

You can do this already.

http://wiki.mikrotik.com/wiki/Ethereal/Wireshark

Follow the directions in the wiki and set the display filter in wireshark to tzsp.

Sent from my Nexus 7 using Tapatalk

biomesh

Product presentation: http://mum.mikrotik.com/presentations/IT14/it14.pdf New brochure with mAP and others: http://download2.mikrotik.com/2014-Q1.pdf Why reduce NAND on RB850Gx2 compared to RB450G ?? JF. I hope the 400Mhz in the brochure is a typo. The MUM presentation lists the CPU as 500MHz. The ...

biomesh

The ones that pcunite mentioned are good along with anveo.com

Sent from my Nexus 7 using Tapatalk

biomesh

Dial on demand does not work on the RC that was released briefly this morning. A L2TP (and sstp) client that worked in previous releases (6.6 and earlier including 5.x) would not start. The interface did work if dial on demand was deactivated and was started manually.

biomesh

According to the brochures, the 12 core CCR devices have 512 mb of nand and the 36 core versions have 1gb of nand.

Sent from my Nexus 7 using Tapatalk 4

biomesh

I also did some testing with the sniffer. From what I see, if you have a lease, but release, and the router tries to renew, Comcast sends two advertisements back, the /60 you asked for, and your existing lease, in my case, a /64. What it does is set preference for the leases, the /60 you asked for ...

biomesh

Interesting. I actually was thinking about running a sniffer on it to see. The guy @ comcast I'm working with indicates their systems should accept a release, specifically I'll quote him as saying, "I can delete that PD for you, your client isn’t doing a full release\renew.. I see this a lot.....

biomesh

Fragmenting packets will always put an extra load on the system. UDP is also stateless. Can you set your application that generates the traffic to use a max size that will not cause the fragmentation to occur?

biomesh

Interesting. I actually was thinking about running a sniffer on it to see. The guy @ comcast I'm working with indicates their systems should accept a release, specifically I'll quote him as saying, "I can delete that PD for you, your client isn’t doing a full release\renew.. I see this a lot.....

biomesh

I have considered that, but frankly disabling IPv6 till the lease expires is a sorry excuse for a workaround to the router not releasing the lease properly. I expect the person I'm working with will be able to get it taken care of sometime tomorrow, and if not I'll try disabling IPv6. If you look a...

biomesh

If this is Comcast, just disable the client for four days then re-enable it. This worked for me since their lease time is four days.

Sent from my Nexus 7 using Tapatalk 4

biomesh

It was added in 6.5 and currently it is not in the wiki or changelogs.

biomesh

It looks like when the find command returns without data, it is evaluated as 0 so it would print the address on the interface with index 0.

It happens at least on 6.6 and 6.7 - I didn't test on any earlier 6.x versions. It works as expected on 5.25.

Looks like a bug to me.

biomesh

Looking at your router - the default gateway is unreachable.

Not sure if there is anything you can do - comcast will provide a /60-/64 prefix as well as a /128 for the external wan interface. It could be that your provider is doing something different than comcast.

biomesh

Have you tried a ping -6 ipv6.Google.com to see if that works?
You don't have to have a DNS server on ipv6 to actually resolve aaaa records.
Disable your firewall rules temporarily to see if things start to work then.

Sent from my SAMSUNG-SGH-I747 using Tapatalk

biomesh

Of course thank you for your effort on this :) Yea use peer DNS is default on the client. I played with it all again, still not handing out DNS. So does that mean the ISP is not handing out a IPv6 DNS server IP ? The DHCPv6 client does not seem to have a status that shows if it got DNS from the ISP...

biomesh

My script should work - it works on a few devices I have here.

As for DNS, you can set the option

use-peer-dns=yes

on the dhcp-client command.

biomesh

Try this first (adjust the interface to match your internal interface name)

/ipv6 address add from-pool=ipv6_pool interface=ether2 advertise=yes

This is using the method Janisk mentioned.

biomesh

If you have comcast (or another provider that supports prefixes larger than a /64) then you can add the prefix-hint option to the /ipv6 dhcp-client command like /ipv6 dhcp-client add add-default-route=yes interface=external pool-name=ipv6_pool prefix-hint=::/60 This option was added in ROS 6.5 and c...

biomesh

It was for personal preference, (to use a ::1/64 address as the router address) but I found that if I did use the from-pool option and removed that address, it also removed the pool. This is not good since it was a /60 pool handing out /64 prefixes. I will stick with my setup for now. I am running R...

biomesh

Try something like /ipv6 dhcp-client add add-default-route=yes interface=external pool-name=ipv6_pool /ipv6 firewall filter add chain=input connection-state=established add chain=input connection-state=related add chain=input dst-port=546 in-interface=external protocol=udp src-port=547 add action=dr...

biomesh

This was added in 6.5. The option is prefix-hint for the /ipv6 dhcp-client option. It is command line only at this point.

/ipv6 dhcp-client
add add-default-route=yes interface=external pool-name=ipv6_pool prefix-hint=::/60

Sent from my Nexus 7 using Tapatalk 4

biomesh

You need to have a "drop the rest" rule on both the input and forward chains.

biomesh

The screen shots look okay. What do your ipv6 routes look like?

biomesh

nope. mt 750gl is powerfull enough.

Do you get the same results through the 750gl without the bonding enabled?

If you are just doing routing, the 750gl might be able to handle this(not sure), but with the firewall enabled, I doubt it.

biomesh

Upgraded my 450G from 6.4 to 6.5 with no issues.

biomesh

10 mbit is very conservative. You can handle 30mbit easily with a basic config 951-2n which is less powerful then the 750GL. I think it depends if you use queues, proxy, etc which will use more cpu. The more complex you get, the less bandwidth the hardware will be able to handle. This bandwidth we a...

biomesh

I would change your content criteria and perhaps see if any traffic will work over your vpn connection. If you remove the content option and set the src-address to just one IP address, see if you can get it to work. This would just mean you need a better way to identify the traffic.

biomesh

Here is the wiki sample /ip firewall mangle add chain=prerouting src-address=192.168.150.0/24 content=facebook action=mark-routing new-routing-mark=Through_VPN /interface pptp-client add connect-to=My VPN Connection allow=pap,chap,mschap1,mschap2 name="My VPN" user=Reza Moghadam password=R...

biomesh

You should make sure your vpn connection works before trying the PBR. From your first post, it looks like you just copied from the wiki - which is just an example. You will need to replace a lot of information in the example with your VPN IP address, credentials, along with your subnet, packet marki...

biomesh

I received both with mine. You might want to check with your distributor if you did not get yours.

Sent from my Nexus 7 using Tapatalk 4

biomesh

I would take a backup of your config and run with the default rules that come with the device when using quickset. See if/how the performance differs.

biomesh

Are there plans to allow for different IPv6 DNS servers for each DHCP server network? With the way the feature is implemented right now, you cannot hand out only the address of your local caching nameserver(s). You could add the local nameservers to the list of the servers used as forwarders by the ...

biomesh

i dont want to use 3des, thats the point of this, the performance blows on that windows also supports aes-128 sha1, by default which im being told has much better performance i need this to work under aes 128, not 3des i already had that working The phase I encryption is only for the keys being pas...

biomesh

Change /ip ipsec peer add enc-algorithm=aes-128 generate-policy=yes hash-algorithm=sha1 \ nat-traversal=yes secret=1234 to /ip ipsec peer add exchange-mode=main-l2tp enc-algorithm=3des generate-policy=yes hash-algorithm=sha1 \ nat-traversal=yes secret=1234 This is only for phase I of the l2tp connec...

biomesh

Looks like you are missing a proposal. Try something like the following: /ip ipsec proposal set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\ aes-128 lifetime=30m name=default pfs-group=none /ip ipsec peer add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 di...

biomesh

What is your l2tp Server max mru set to? You might want to try 1420 instead of 1460. Post your config if it didn't help.

biomesh

Forget DHCPv6, in RouterOS it only supports prefixes so far, not individual addresses. To see RAs on Windows, you can use some packet capture tool, e.g. Wireshark with "icmpv6.type==134" filter. Edit: And since you can't use DHCPv6, you definitely want managed-address-configuration=no. Go...

biomesh

Yes I want to use DHCPv6 for my clients. In your config you had nd disabled=yes. My intention is simple. I want my clients to get IPV6 address so that they can browse over IPv6 web addresses. Which config should I follow? You misread my config - my default ND entry is disabled. I have a separate ND...

biomesh

Yes I want to use DHCPv6 for my clients. In your config you had nd disabled=yes. My intention is simple. I want my clients to get IPV6 address so that they can browse over IPv6 web addresses. Which config should I follow? You misread my config - my default ND entry is disabled. I have a separate ND...

biomesh

Still DHCPv6 not working on clients. My New Config: /ipv6 dhcp-server add address-pool=pool1 authoritative=after-2sec-delay disabled=no interface=\ LAN lease-time=3d name=server1 /ipv6 pool add name=pool1 prefix=2001:470:19:1292::/64 prefix-length=64 /ipv6 address add address=2001:470:18:1292::2/64...

biomesh

Try this: /ipv6 address add address=2001:470:18:1292::2/64 advertise=no interface=IPV6 add address=2001:470:19:1292::1/64 interface=LAN /ipv6 nd set [ find default=yes ] disabled=yes add advertise-dns=yes interface=LAN managed-address-configuration=yes mtu=1480 other-configuration=yes ra-delay=5s \ ...

biomesh

I followed your config, but no luck. Please see my changed config [admin@MikroTik] /ipv6 address> print Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local # ADDRESS FROM-POOL INTERFACE ADVERTISE 0 G 2001:470:18:1292::2/64 IPV6 no 1 G 2001:470:19:1292::1/64 WAN no 2 DL fe80::c...

biomesh

After the 5.25 update I got the following message and had to delete/reimport my certificates (and update the sstp server): 15:49:21 sstp,error server certificate change failed: could not load private key (6) 15:49:31 sstp,error server certificate change failed: could not load private key (6) No othe...

biomesh

You should have two default routes. One using policy based routing for your internal interfaces, one for your external interface. The wan interface will have the address from your ISP, and this will have the default route without the policy based routing. All of the ISP local traffic will be routed ...

biomesh

You might get more replies if this were in english. But if you want to force specific traffic to go over the pptp connection, you might want to look at the following: http://wiki.mikrotik.com/wiki/Policy_Base_Routing /ip firewall Mangle add chain=prerouting src-address=10.64.83.0/24 action=mark-rout...

biomesh

Then blame your distributor - in all official announcements MT informed that this is "pre-production batch for those who wanna try it before full production" You can't have RouterOS v5 , cause this is completely new CPU architecture that didn't exist before v6 Taken from : http://routerbo...

biomesh

I don't think that this device was designed to only be an AP only. It is being sold as a small office or home router and AP. The specs on this device are sufficient for most small buildings with limited wireless device access and moderate internet speeds. I have had one of these providing 16/3 inter...

biomesh

I would start off by specifying the wireless protocol to 802.11 and most likely you will also want to set the encryption to aes rather than tkip. I also don't see your ssid in the export, but that could be due to the unspecified protocol.

Sent from my Nexus 7 using Tapatalk HD

biomesh

I think the ideal solution would be SAML v2 service provider support on the ros devices so that way you could authenticate against any trusted SAML v2 identity provider. You would have to configure the trust relationship so unknown users would not be an issue.

biomesh

I use the AnyConnect client with no issues. You will most likely need to look at the vpn client logs as well as the client config and configured routes(while it is connected) to determine if some of the vpn client settings conflict with your network configuration.

biomesh

I thought every port needed an IP?

No, the ports can be slaved or bridged - so if every device is on one network, your internal ports only need one address. The wan port would also need one as well.

biomesh

What is wrong with this setup? I do get an IP address and the system time is updated so I know have some contact with the outside world but I cant surf the web? # feb/06/2013 15:31:33 by RouterOS 5.22 # software id = TQBA-3U8S # /interface ethernet set 2 name=WAN set 3 name=LAN set 4 master-port=LA...

biomesh

I have an Rb951-2n (with L4 license) that states it is upgradable to 7.x.

I would guess that it also would be upgradable to 7.x (due to the timeframe the hardware was released) but someone else with a RB2011L-RM should be able to verify for you.

biomesh

Once you netinstall it switch to port 2-5 then use winbox(via the mac) to configure it. When you set the IP via netinstall it sets that IP on port 1 which normally has all of the services firewalled.

biomesh

Can you try the tests again, connecting to the same speedtest server for all three tests?

biomesh

It looks like he added static A entries with html code.

To the original poster: DNS is only a name to ip address translation protocol - it has nothing to do with http, etc other than web browsers, etc use both protocols.

biomesh

IMO, ATA functionality cannot be implemented easily without a good deal of work. I would suggest Obihai or Grandstream devices and just use tftp/ftp/http provisioning to manage the devices for your customers.

biomesh

Works as expected on a 751G - I would have to agree with Chupaka and make sure the permissions are correct. If you are using an API to send these commands, they are probably being interpreted as being interactive. I would try to send the commands via the script interface. This could be done via a rs...

biomesh

I can try on a 751G tomorrow.

Sent from my Nexus 7 using Tapatalk 2

biomesh

/system reboot in 5.21 requires interactive confirmation as does /system upgrade /system auto-upgrade requires interactive password Using ROS scripting you cannot respond to these requests, rendering all scripts that use these commands useless. The right way to fix the problem is eliminate the inte...

biomesh

What does it mean?: *) dns - fix empty response; I'm asking about it, because I have problems with MikroTik DNS long time. Maybe this fil will repair it, but what do You mean "empty response"?? Please MikroTik - what does this mean? My guess is that it is related to the truncated flag wit...

biomesh

Sorry, not BIND, but dhcpd from isc.org. Bind is the dns server and dhcpd is the DHCP server. That was my typo.

The DHCP server from isc.org would only be used to hand out the DHCP option to the clients, not the actual addresses (if you want to use autoconfig).

Search found 249 matches