MikroTik

robertkjonesjr

Frankly I don't know *exactly* what is happening inside the Mikrotik switch chip (there are many in use across the product line, anyway), but there is a short discussion here https://community.cisco.com/t5/switching/single-switch-vlan-operation-are-frames-tagged/td-p/4080689 around what is happening...

robertkjonesjr

A likely explanation is that the port mirror or monitor function is applied BEFORE the VLAN tag operation. On Cisco, for example, they have a command to force this: For local SPAN, outgoing packets through the SPAN destination port carry the original encapsulation headers—untagged, ISL, or IEEE 802....

robertkjonesjr

Good news/bad news: good news is that my hAPax2 is failing to connect in station mode to a Cisco 11ax AP (9117) so it seems somewhat repeatable. Bad news is that my failure mode is slightly different: it gets through association but the AP immediately sends a deauth with Reason Code 0x002e. 2024-03-...

robertkjonesjr

Some more info, maybe: Frame 10: 107 bytes on wire (856 bits), 107 bytes captured (856 bits) on interface en0, id 0 Radiotap Header v0, Length 56 802.11 radio information IEEE 802.11 Association Response, Flags: ......... IEEE 802.11 Wireless Management Fixed parameters (6 bytes) Capabilities Inform...

robertkjonesjr

Progress! But not really good... so we see the client, the mikrotik device, probing for the SSID. In this selection, we do see a probe response - return signal strength is not very good so would check placement of devices - but the mikrotik does not commence with the next step: send an Authenticatio...

robertkjonesjr

What is more insightful is to see the packet flow when the client is trying to connect, but obviously fails. There is a sequence and reviewing what is expected vs what actually happens might indicate the problem. The beacon is good place to see what the AP is advertising, but my experience with this...

robertkjonesjr

If you have never done monitor mode capture before, it may be a steep learning curve. Here are Wireshark's instructions: https://wiki.wireshark.org/CaptureSetup/WLAN . Do you have a Macbook? That is likely the fastest way to get there for an external capture system. Mikrotik devices can do some capt...

robertkjonesjr

Packet capture could help. Can you get a monitor mode capture on that channel which is failing? Might indicate where the fault lies. No idea in this particular case, but certain settings can trigger this type of behavior - for example, if AP indicates to use PMF, or if multiple types of authenticati...

robertkjonesjr

Some ideas:
1. dot11 Powersave mode on the client
2. WiFi interference / high channel utilization / poor SNR

robertkjonesjr

Wireless snooper will provide this information but it depends on how you have your system configured: https://forum.mikrotik.com/viewtopic.php?t=194728 It may not be possible to serve clients, either, so either a dedicated Mikrotik configured for this or, as others have said, move to a third party p...

robertkjonesjr

Those configured rates get sent as part of beacons (and other frame types, like probe requests/responses, etc.). There has to be alignment of the supported rates between the client and AP (STA and DS in wireless nomenclature). If they are changed in ways that clients that don't support, the client w...

robertkjonesjr

This has come up before: viewtopic.php?t=182505

No known solution that I am aware of.

robertkjonesjr

I find the 4011 antennas get pretty loose over time. They don't handle a lot of movement well. I wish they were removable.

robertkjonesjr

Perhaps try sftp or scp to push the script.

robertkjonesjr

Comparing your first and last screenshots... not exactly sure what you are showing but it looks to me like it was cleaned up a lot. Prior, you have high bandwdith, roughly the same, on each interface. Now only one. But I may be missing something so please help and describe what isn't looking right f...

robertkjonesjr

robertkjonesjr

I have enabled IGMP snooping on bridge before I wrote this post. Is there anything else you would like to recommend. Yes, you did say that you enabled snooping; that was clear. But that does not mean you enabled the querier functionality. I would recommend that you enable this if you have not alrea...

robertkjonesjr

On newer version of RouterOS, there is a tab now under Bridge --> Bridge:

https://wiki.mikrotik.com/wiki/Manual:I ... P_Snooping

robertkjonesjr

For snooping to work properly, you need an IGMP querier. Do you have one configured?

robertkjonesjr

where fast fail over is needed

How fast is fast?

robertkjonesjr

Other WiFi systems can limit number of clients. I have seen flexible limits such as

Max per wlan (ssid)
Max per wlan per ap
Max per radio per wlan

If you need this type of control, these and other features should drive your product selection.

robertkjonesjr

No reason to think your OPC server or even your plc could be the problem based on the description.

robertkjonesjr

I would double check - DNP3 often uses TCP or UDP for transport, so it is a L3 protocol in your context. In that case, it looks like regular routing is required to cross VLANs so not sure why you need NAT unless you are trying to do something unusual. https://www.dnp.org/Portals/0/AboutUs/DNP3%20Pri...

robertkjonesjr

Firewall?

robertkjonesjr

Its well known in the network world to avoid tagging with VLAN 1. Different vendors treat this in different ways and causes all sorts of hassles so most just avoid it. Usually a tagged frame with vlan.id 0 is used for QoS - this allows the priority to come through without actually assigning a vlan. ...

robertkjonesjr

Is your capture interface in promiscuous mode?

robertkjonesjr

Traffic generator just sends frames - even if TCP template, there is no protocol state machine to manage connection setup, retransmissions, connection teardown, etc. I looked at your numbers for % loss and note that it is around 0.01%. So 'much worse' depends on what you need for your use and the pr...

robertkjonesjr

So all source multicast feeds on separate switches will always flood back to the main pim rp router, correct? Yes, sometimes called the mrouter port - which connects upstream to a multicast management system. Here is a reasonable overview: https://reaper81.wordpress.com/tag/mrouter/ It's based on C...

robertkjonesjr

Based on this description, this sounds like correct behavior based on IGMP. Your primary device would then be the querier - it needs all the streams so it can distribute it to other downstream switches or even its own ports. What’s the real problem? Traffic is flowing where you don’t expect? Is that...

robertkjonesjr

One difference between up and download is power save behavior of the client. Change clients, as someone suggested, or look at the config to see if you can disable it for a test. This can be evaluated through use of packet captures of the 802.11 traffic.

robertkjonesjr

https://carloalbertoscola.it/2019/netwo ... -eap-ttls/

robertkjonesjr

>>but with DHCP Mikrotik DHCP shouldn't have anything to do with this authentication problem. >> use my mac address as the password A MAC is public information so should not be used as a secure credential, i.e. password. Anyway, what are you trying to do? It sounds like some kind of MAC authenticati...

robertkjonesjr

Could be power save. Does an outbound ping, say from apple wireless client to something on the wired side, work OK? Packet capture would be a big help in root cause determination.

robertkjonesjr

See https://wiki.mikrotik.com/wiki/Manual:I ... eless#Scan

robertkjonesjr

Have a look at the various switch chip rulesets - https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Rule_Table One of the action options is to send traffic to new destination ports. I didn't test it, but the fields exist to match an incoming port and a dst IP address so coupled with action ...

robertkjonesjr

Wireless can't have "packet loss" unless your connection is lost

Can you explain this a bit more? There are many causes of packet loss, not just connection loss.

robertkjonesjr

There are no known unfixed vulnerabilities. This may be true, but my interpretation from the linked article is different - what safeguards have been put in place to avoid future vulnerabilities? I think the wording used here is good - no known unfixed vulnerabilities . This is very different differ...

robertkjonesjr

Typically, if you move the equipment to a specific vlan it needs to be addressed appropriately as a vlan usually represents a specific subnet. Why do you have to move the equipment to the daily visitor vlan? Can't you leave as-is and route to it? If you have DHCP for each vlan, proper default GW and...

robertkjonesjr

I run this using EAP-TLS from a Mikrotik hAPac device as wireless client with WPA2-Enterprise configured on a UBNT wifi system. It is on 6.44.3; on the hAP, choose station mode, assign the SSID, and the security profile: /interface wireless security-profiles set [ find default=yes ] supplicant-ident...

robertkjonesjr

As in this device, as well as others: >> RB962UiGS-5HacT2HnT-US (USA) is factory locked for 2412-2462MHz, 5170-5250MHz and 5725-5835MHz frequencies. This lock can not be removed. I see the US versions do not include UNII-2, or DFS channels. They are allowed in the US, so what is the reason of the lo...

robertkjonesjr

Can you determine really what WMM is doing with the wireless frames? An over-the-air capture will show what actual value is put into the Qos Control header, in both directions. Also, you are forcing the value at the AP. Can you try to use iPerf to force the DSCP value and see if that has any effect?...

robertkjonesjr

This config works for me. I found that version of software matters; we have seen some that just don't work, so upgrade/downgrade as appropriate. # RouterOS 6.40.5 /interface bridge add name=bridge1 protocol-mode=none /interface wireless security-profiles add authentication-types=wpa2-psk eap-methods...

robertkjonesjr

In that link they are using NAT which has specific limitations. It’s not a true bridge connection at layer 2, which I need for bidirectional multicast and unicast traffic. With NAT, this generally assumes the wireless clients on the router are clients only so only outbound traffic is important. Of c...

robertkjonesjr

I use both HAPac and GrooveA52ac. I suspect nearly any of the devices will work; it's more about the chipset and the software/driver. I think most (all?) Mikrotiks use Atheros chipsets. I use station pseudobridge clone or station pseudobridge as the radio mode, which isn't the same as station mode. ...

robertkjonesjr

I do this with Cisco APs but they are lightweight, I.e. using a controller. Works great.

robertkjonesjr

CRS109 w/ 6.35.4 - testing a wifi system so would like to adjust config of CRS device to see impact on overall system. When I set Band to 2GHz-B, based on the documentation, I expect certain results. I checked the wireless FAQ and WiKi page, and searched here for WMM but did not see any notes rela...

robertkjonesjr

What problem do you have that you need to solve this way? I suspect you did not find a solution because this is not a typical solution to any problem. A routing table is a host based concept, so your three interfaces all on the same subnet may not behave the way you want. A typical solution might be...

robertkjonesjr

I also note that there is no frame check sequence, nor do 802.11 ACKs show in the stream. Are there any other limitations? I suspect the radiotap header is never put on the frame prior to sending, though a TZSP header is present: TZSP: IEEE 802.11: Good Version: 1 Type: Received packet (0) Encapsula...

robertkjonesjr

Why only five copies? If you have 27 clients connected, I would expect 27 unless some other process exists to alter the forwarding of the multicast traffic, like IGMP. I don't know of anything that exists on Mikrotik to change the forwarding, so I would expect one multicast packet -> 27 unicast data...

robertkjonesjr

I don't know how to do this with a Mikrotik device directly. However, various other tools may be able to help: 1. tcpdump or Wireshark would definitely be able to do it 2. aircrack-ng suite of tools - I think the airodump-ng tool in particular displays probes 3. horst tool (http://br1.einfach.org/te...

robertkjonesjr

Thanks for the update - what is this option? multicast-buffering I looked but could not find it. I see multicast helper, but not an option for buffering. Edit - Answer my own question - it came in 6.34: winbox - added multicast-buffering & keepalive-frames settings to wireless interfaces; So was...

robertkjonesjr

Can you deduce, from the trace, that a power-save indication triggers the multicast frames to stop? Can you post a short trace of the whole channel where iperf is coming in and out? Have you tried enabled/disabling uapsd, if it is an option on the Mikrotik? I recall they recently added this. >>iw de...

robertkjonesjr

What is the Apple device doing during these periods? In between beacons, is it issuing a frame with P (power mgt) bit set? When you say Android and/or Apple is PSM, exactly what do you mean? There are multiple power save mechanisms - why would an Android not do powersave mode? What is the specific b...

robertkjonesjr

I suspect this is due to the listen interval of the power save client. Your trace is not complete, 1. Is it always 10 frames between beacons? 2. What is the listen interval in the association request for the power save client when it comes online? For my Samsung tablet: Listen Interval: 0x000a Depen...

robertkjonesjr

Something to check: verify the ttl of the multicast packets to be sure they are not being dropped at the router.

robertkjonesjr

But I find it quite interesting that 30Mbps is considered good for this router, considering there are many other routers out there that would allow me to get better speeds. This is an assumption without any data. There are many limitations as to the throughput; using 2.4GHz provides for generally l...

robertkjonesjr

frequency=2442 This is an unusual frequency selection; typically, channels 1/6/11 are chosen and this is channel 7. Since this is 2.4GHz, I am not sure how much more you expect to get. 40MHz is unusual for 2.4GHz as many devices and APs will not even do it (i.e. Cisco and Apple, for example), and e...

robertkjonesjr

I am seeing gratuitous 802.11 Disassoc (8) log messages. I have a guess to add to the list: the wireless client goes to sleep, then the group gets changed (GTK rekey) and when the client wakes up, it sends frames to the AP which are not encrypted correctly. The AP rejects them with a Disassociate f...

robertkjonesjr

I have not used the dedicated switches like this, but the regular RouterOS products do not really provide any type of Layer 2 multicast management, i.e. IGMP and the like. I would look elsewhere if you have a multicast-based system. Mikrotik has commented in the forums that IGMP is bad, but I think ...

robertkjonesjr

I did achieve 866 mbps with SXT 5 ac 802.11ac 3x3, 80MHz channel, SGI, VHT9 (http://mcsindex.com/) can give you more than that for connection rate. I am sure you are aware that connection speed does NOT equal throughput. Most users don't care what the connection speed is, but rather how much data t...

robertkjonesjr

If you add the port you wish to monitor to a bridge - and then add another port to the bridge the second port on the bridge will act like a mirrored port. It's not obvious why this would be so. Can you elaborate? If mac address learning was disabled somehow then yes - it would be a hub, not a bridg...

robertkjonesjr

REP is a Cisco proprietary sub-millisecond failover protocol that you use instead of spanning tree. REP is more like 50ms recovery ( http://www.cisco.com/c/en/us/support/docs/lan-switching/ethernet/116384-technote-rep-00.html ), not sub millisecond. That is typical; in a previous job, I designed te...

robertkjonesjr

Since having iPhones stay connected to the AP long term is something that I (and I think any iPhone user) regard as "mission critical", and iPhones are quite common these days, it means that Mikrotik APs are not usable. On this we agree. It's a showstopper. I will not deploy Mikrotik wire...

robertkjonesjr

Are you saying that an 802.11 deployment has to pick one of a) working power saving mode or b) resistance to key recovery attacks?? Surely that's wrong. No, it's not obvious why I would have to choose. I can set GTK rekey interval from 2min to 1day on other platforms and have no trouble. The issue ...

robertkjonesjr

Some options: 1. Disable bpduguard on the Cisco device. I don't recommend this, but it would keep from getting the access port put into errdisable. 2. Be sure there are no bridges on the CRS - the switch chip can't do STP (it needs to... but that is a feature request) as only the software bridge can...

robertkjonesjr

No AP that I'm aware of allows a key update interval longer than 1h to be configured Cisco WLC controllers allow 86400sec as group key update - which is one day. In older versions of software it is CLI configured, but in newer versions it is available through the GUI. Cisco has a large market share...

robertkjonesjr

493G upgraded via web interface System / Packages from 6.31 to 6.32 went to reboot loop and had to be recovered via netinstall. Now running 6.30.4 and works again. This is happening to me on my 493G. However, netinstall is not able to recover - it's never seen in the Routers window. My RB450G shows...

robertkjonesjr

When I import the xml file into cacti I get: Error: XML: Hash version does not exist. I get new templates, but none of them have names associated - I added the <blank space>, here is a partial example of the graph template list: Template Title** <blank space> <blank space> Cisco - CPU Usage Host MIB...

robertkjonesjr

WMM support should be evident in a wireless packet capture. Check the beacons and probes between the devices and look for the IE (information element) for WMM. I have observed with MikroTik products that when 802.11n is selected, WMM is enabled regardless of the configuration setting. If b/g is sele...

robertkjonesjr

I think it is a UBNT issue - this is what I posted over there: I just checked myself about 5 min ago - it's a special MAC address. It's almost certainly consummed by the switch, that's why it is not getting through. The MAC address on my test network in use for Mikrotik RoMON, I believe, is: Destina...

robertkjonesjr

I find MAC telnet quite flaky across the whole product line. With more than one NIC active on the host machine, I don't even bother. I have moved to IPV6 connection through Winbox so that I can configure without having to change my local IPV4 address to be compatible. Alas, IPV6 discovery does not a...

Search found 71 matches