Frankly I don't know *exactly* what is happening inside the Mikrotik switch chip (there are many in use across the product line, anyway), but there is a short discussion here https://community.cisco.com/t5/switching/single-switch-vlan-operation-are-frames-tagged/td-p/4080689 around what is happening...
A likely explanation is that the port mirror or monitor function is applied BEFORE the VLAN tag operation. On Cisco, for example, they have a command to force this: For local SPAN, outgoing packets through the SPAN destination port carry the original encapsulation headers—untagged, ISL, or IEEE 802....
Good news/bad news: good news is that my hAPax2 is failing to connect in station mode to a Cisco 11ax AP (9117) so it seems somewhat repeatable. Bad news is that my failure mode is slightly different: it gets through association but the AP immediately sends a deauth with Reason Code 0x002e. 2024-03-...
Progress! But not really good... so we see the client, the mikrotik device, probing for the SSID. In this selection, we do see a probe response - return signal strength is not very good so would check placement of devices - but the mikrotik does not commence with the next step: send an Authenticatio...
What is more insightful is to see the packet flow when the client is trying to connect, but obviously fails. There is a sequence and reviewing what is expected vs what actually happens might indicate the problem. The beacon is a good place to see what the AP is advertising, but my experience with this...
If you have never done monitor mode capture before, it may be a steep learning curve. Here are Wireshark's instructions: https://wiki.wireshark.org/CaptureSetup/WLAN . Do you have a Macbook? That is likely the fastest way to get there for an external capture system. Mikrotik devices can do some capt...
Packet capture could help. Can you get a monitor mode capture on that channel which is failing? Might indicate where the fault lies. No idea in this particular case, but certain settings can trigger this type of behavior - for example, if AP indicates to use PMF, or if multiple types of authenticati...
Wireless snooper will provide this information but it depends on how you have your system configured: https://forum.mikrotik.com/viewtopic.php?t=194728 It may not be possible to serve clients, either, so either a dedicated Mikrotik configured for this or, as others have said, move to a third party p...
Those configured rates get sent as part of beacons (and other frame types, like probe requests/responses, etc.). There has to be alignment of the supported rates between the client and AP (STA and DS in wireless nomenclature). If they are changed in ways that clients don't support, the client w...
Comparing your first and last screenshots... not exactly sure what you are showing but it looks to me like it was cleaned up a lot. Prior, you have high bandwidth, roughly the same, on each interface. Now only one. But I may be missing something so please help and describe what isn't looking right f...
I have enabled IGMP snooping on bridge before I wrote this post. Is there anything else you would like to recommend? Yes, you did say that you enabled snooping; that was clear. But that does not mean you enabled the querier functionality. I would recommend that you enable this if you have not alrea...
I would double check - DNP3 often uses TCP or UDP for transport, so it is a L3 protocol in your context. In that case, it looks like regular routing is required to cross VLANs so not sure why you need NAT unless you are trying to do something unusual. https://www.dnp.org/Portals/0/AboutUs/DNP3%20Pri...
It's well known in the network world to avoid tagging with VLAN 1. Different vendors treat this in different ways and it causes all sorts of hassles, so most just avoid it. Usually a tagged frame with vlan.id 0 is used for QoS - this allows the priority to come through without actually assigning a vlan. ...
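The point in the post above (VID 0 is a priority-only tag, VID 1 is the one to avoid) is easy to check on the wire. The following is an added example, not code from the forum thread or from any MikroTik or Cisco tool: it builds Ethernet II frames with an optional 802.1Q tag and decodes the TCI (3-bit PCP, 1-bit DEI, 12-bit VID) back out. All frames it handles are constructed test vectors, and the classification labels are my own names, not standard terminology.

```python
"""Build and decode 802.1Q-tagged Ethernet frames and classify the tag.

Added example for the VLAN 0 / VLAN 1 discussion; frames are constructed
here, not captured from any device.
"""
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q TPID that introduces the 4-byte tag
PRIORITY_TAGGED_VID = 0   # VID 0: carries PCP only, confers no VLAN membership
DEFAULT_VID = 1           # VLAN 1, which vendors treat inconsistently
RESERVED_VID = 0xFFF      # reserved by 802.1Q, never valid on the wire


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Return an Ethernet II frame; add an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode addresses and any 802.1Q tag; raise ValueError if truncated."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False,
            "pcp": None, "dei": None, "vid": None, "ethertype": ethertype,
            "classification": "untagged"}
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("802.1Q tag truncated")
        tci, inner = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 0x1,
                    vid=tci & 0x0FFF, ethertype=inner)
        if info["vid"] == PRIORITY_TAGGED_VID:
            info["classification"] = "priority-tagged"   # QoS only, no VLAN
        elif info["vid"] == DEFAULT_VID:
            info["classification"] = "tagged-vlan1"      # the case to avoid
        elif info["vid"] == RESERVED_VID:
            info["classification"] = "reserved-vid"
        else:
            info["classification"] = "tagged"
    return info


if __name__ == "__main__":
    dst = bytes.fromhex("ffffffffffff")          # constructed addresses
    src = bytes.fromhex("001122334455")
    for vid, pcp in ((None, 0), (0, 5), (1, 0), (100, 3)):
        f = build_frame(dst, src, 0x0800, b"\x45" * 20, vid=vid, pcp=pcp)
        print(vid, parse_frame(f)["classification"], parse_frame(f)["pcp"])
```

Feed `parse_frame` the first 18 bytes of each frame from a capture to see whether a "VLAN 0" frame from a phone or IP camera really is priority-tagged, and whether anything is arriving tagged with VID 1.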
Traffic generator just sends frames - even if TCP template, there is no protocol state machine to manage connection setup, retransmissions, connection teardown, etc. I looked at your numbers for % loss and note that it is around 0.01%. So 'much worse' depends on what you need for your use and the pr...
So all source multicast feeds on separate switches will always flood back to the main pim rp router, correct? Yes, sometimes called the mrouter port - which connects upstream to a multicast management system. Here is a reasonable overview: https://reaper81.wordpress.com/tag/mrouter/ It's based on C...
Based on this description, this sounds like correct behavior based on IGMP. Your primary device would then be the querier - it needs all the streams so it can distribute it to other downstream switches or even its own ports. What’s the real problem? Traffic is flowing where you don’t expect? Is that...
One difference between up and download is power save behavior of the client. Change clients, as someone suggested, or look at the config to see if you can disable it for a test. This can be evaluated through use of packet captures of the 802.11 traffic.
>>but with DHCP Mikrotik DHCP shouldn't have anything to do with this authentication problem. >> use my mac address as the password A MAC is public information so should not be used as a secure credential, i.e. password. Anyway, what are you trying to do? It sounds like some kind of MAC authenticati...
Could be power save. Does an outbound ping, say from apple wireless client to something on the wired side, work OK? Packet capture would be a big help in root cause determination.
Have a look at the various switch chip rulesets - https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Rule_Table One of the action options is to send traffic to new destination ports. I didn't test it, but the fields exist to match an incoming port and a dst IP address so coupled with action ...
There are no known unfixed vulnerabilities. This may be true, but my interpretation from the linked article is different - what safeguards have been put in place to avoid future vulnerabilities? I think the wording used here is good - no known unfixed vulnerabilities . This is very different differ...
Typically, if you move the equipment to a specific vlan it needs to be addressed appropriately as a vlan usually represents a specific subnet. Why do you have to move the equipment to the daily visitor vlan? Can't you leave as-is and route to it? If you have DHCP for each vlan, proper default GW and...
I run this using EAP-TLS from a Mikrotik hAPac device as wireless client with WPA2-Enterprise configured on a UBNT wifi system. It is on 6.44.3; on the hAP, choose station mode, assign the SSID, and the security profile: /interface wireless security-profiles set [ find default=yes ] supplicant-ident...
As in this device, as well as others: >> RB962UiGS-5HacT2HnT-US (USA) is factory locked for 2412-2462MHz, 5170-5250MHz and 5725-5835MHz frequencies. This lock can not be removed. I see the US versions do not include UNII-2, or DFS channels. They are allowed in the US, so what is the reason for the lo...
Can you determine really what WMM is doing with the wireless frames? An over-the-air capture will show what actual value is put into the Qos Control header, in both directions. Also, you are forcing the value at the AP. Can you try to use iPerf to force the DSCP value and see if that has any effect?...
This config works for me. I found that version of software matters; we have seen some that just don't work, so upgrade/downgrade as appropriate. # RouterOS 6.40.5 /interface bridge add name=bridge1 protocol-mode=none /interface wireless security-profiles add authentication-types=wpa2-psk eap-methods...
In that link they are using NAT which has specific limitations. It’s not a true bridge connection at layer 2, which I need for bidirectional multicast and unicast traffic. With NAT, this generally assumes the wireless clients on the router are clients only so only outbound traffic is important. Of c...
I use both HAPac and GrooveA52ac. I suspect nearly any of the devices will work; it's more about the chipset and the software/driver. I think most (all?) Mikrotiks use Atheros chipsets. I use station pseudobridge clone or station pseudobridge as the radio mode, which isn't the same as station mode. ...
CRS109 w/ 6.35.4 - testing a wifi system so would like to adjust config of CRS device to see impact on overall system. When I set Band to 2GHz-B, based on the documentation, I expect certain results. I checked the wireless FAQ and WiKi page, and searched here for WMM but did not see any notes rela...
What problem do you have that you need to solve this way? I suspect you did not find a solution because this is not a typical solution to any problem. A routing table is a host based concept, so your three interfaces all on the same subnet may not behave the way you want. A typical solution might be...
I also note that there is no frame check sequence, nor do 802.11 ACKs show in the stream. Are there any other limitations? I suspect the radiotap header is never put on the frame prior to sending, though a TZSP header is present: TZSP: IEEE 802.11: Good Version: 1 Type: Received packet (0) Encapsula...
Why only five copies? If you have 27 clients connected, I would expect 27 unless some other process exists to alter the forwarding of the multicast traffic, like IGMP. I don't know of anything that exists on Mikrotik to change the forwarding, so I would expect one multicast packet -> 27 unicast data...
I don't know how to do this with a Mikrotik device directly. However, various other tools may be able to help: 1. tcpdump or Wireshark would definitely be able to do it 2. aircrack-ng suite of tools - I think the airodump-ng tool in particular displays probes 3. horst tool (http://br1.einfach.org/te...
Thanks for the update - what is this option? multicast-buffering I looked but could not find it. I see multicast helper, but not an option for buffering. Edit - Answer my own question - it came in 6.34: winbox - added multicast-buffering & keepalive-frames settings to wireless interfaces; So was...
Can you deduce, from the trace, that a power-save indication triggers the multicast frames to stop? Can you post a short trace of the whole channel where iperf is coming in and out? Have you tried enabling/disabling uapsd, if it is an option on the Mikrotik? I recall they recently added this. >>iw de...
What is the Apple device doing during these periods? In between beacons, is it issuing a frame with P (power mgt) bit set? When you say Android and/or Apple is PSM, exactly what do you mean? There are multiple power save mechanisms - why would an Android not do powersave mode? What is the specific b...
I suspect this is due to the listen interval of the power save client. Your trace is not complete, 1. Is it always 10 frames between beacons? 2. What is the listen interval in the association request for the power save client when it comes online? For my Samsung tablet: Listen Interval: 0x000a Depen...
But I find it quite interesting that 30Mbps is considered good for this router, considering there are many other routers out there that would allow me to get better speeds. This is an assumption without any data. There are many limitations as to the throughput; using 2.4GHz provides for generally l...
frequency=2442 This is an unusual frequency selection; typically, channels 1/6/11 are chosen and this is channel 7. Since this is 2.4GHz, I am not sure how much more you expect to get. 40MHz is unusual for 2.4GHz as many devices and APs will not even do it (i.e. Cisco and Apple, for example), and e...
I am seeing gratuitous 802.11 Disassoc (8) log messages. I have a guess to add to the list: the wireless client goes to sleep, then the group gets changed (GTK rekey) and when the client wakes up, it sends frames to the AP which are not encrypted correctly. The AP rejects them with a Disassociate f...
I have not used the dedicated switches like this, but the regular RouterOS products do not really provide any type of Layer 2 multicast management, i.e. IGMP and the like. I would look elsewhere if you have a multicast-based system. Mikrotik has commented in the forums that IGMP is bad, but I think ...
I did achieve 866 Mbps with SXT 5 ac 802.11ac 3x3, 80MHz channel, SGI, VHT9 (http://mcsindex.com/) can give you more than that for connection rate. I am sure you are aware that connection speed does NOT equal throughput. Most users don't care what the connection speed is, but rather how much data t...
If you add the port you wish to monitor to a bridge - and then add another port to the bridge the second port on the bridge will act like a mirrored port. It's not obvious why this would be so. Can you elaborate? If mac address learning was disabled somehow then yes - it would be a hub, not a bridg...
REP is a Cisco proprietary sub-millisecond failover protocol that you use instead of spanning tree. REP is more like 50ms recovery ( http://www.cisco.com/c/en/us/support/docs/lan-switching/ethernet/116384-technote-rep-00.html ), not sub millisecond. That is typical; in a previous job, I designed te...
Since having iPhones stay connected to the AP long term is something that I (and I think any iPhone user) regard as "mission critical", and iPhones are quite common these days, it means that Mikrotik APs are not usable. On this we agree. It's a showstopper. I will not deploy Mikrotik wire...
Are you saying that an 802.11 deployment has to pick one of a) working power saving mode or b) resistance to key recovery attacks?? Surely that's wrong. No, it's not obvious why I would have to choose. I can set GTK rekey interval from 2min to 1day on other platforms and have no trouble. The issue ...
Some options: 1. Disable bpduguard on the Cisco device. I don't recommend this, but it would keep from getting the access port put into errdisable. 2. Be sure there are no bridges on the CRS - the switch chip can't do STP (it needs to... but that is a feature request) as only the software bridge can...
No AP that I'm aware of allows a key update interval longer than 1h to be configured Cisco WLC controllers allow 86400sec as group key update - which is one day. In older versions of software it is CLI configured, but in newer versions it is available through the GUI. Cisco has a large market share...
493G upgraded via web interface System / Packages from 6.31 to 6.32 went to reboot loop and had to be recovered via netinstall. Now running 6.30.4 and works again. This is happening to me on my 493G. However, netinstall is not able to recover - it's never seen in the Routers window. My RB450G shows...
When I import the xml file into cacti I get: Error: XML: Hash version does not exist. I get new templates, but none of them have names associated - I added the <blank space>, here is a partial example of the graph template list: Template Title** <blank space> <blank space> Cisco - CPU Usage Host MIB...
WMM support should be evident in a wireless packet capture. Check the beacons and probes between the devices and look for the IE (information element) for WMM. I have observed with MikroTik products that when 802.11n is selected, WMM is enabled regardless of the configuration setting. If b/g is sele...
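Two of the posts above come down to reading beacon contents: the listen-interval/DTIM question about power-save clients, and checking whether the WMM information element is actually present. The following is an added example, not from the forum thread or from any MikroTik or Wireshark code. It walks the information elements of an 802.11 beacon body, reports the WMM vendor element (OUI 00:50:f2, type 2), decodes the TIM element (DTIM count, DTIM period, multicast-buffered bit), and converts a client's listen interval into milliseconds. The beacon body is a constructed test vector built by `make_beacon`, not an over-the-air capture; feed `parse_beacon` the frame body from a real capture (everything after the 24-byte MAC header) to check a live AP.

```python
"""Decode the parts of an 802.11 beacon body relevant to WMM and power save.

Added example; the beacon below is constructed, not captured.
"""
import struct

TU_US = 1024                        # one 802.11 time unit, in microseconds
IE_SSID, IE_RATES, IE_DS, IE_TIM, IE_VENDOR = 0, 1, 3, 5, 221
WMM_OUI = bytes.fromhex("0050f2")   # Microsoft OUI used by the WMM element
WMM_OUI_TYPE = 2


def ie(eid, data):
    """Encode one information element: ID, length, payload."""
    return bytes([eid, len(data)]) + data


def make_beacon(ssid=b"test", interval_tu=100, dtim_count=0, dtim_period=3,
                multicast_buffered=True, wmm=True):
    """Constructed beacon body (test vector): fixed fields followed by IEs."""
    fixed = struct.pack("<QHH", 0, interval_tu, 0x0411)  # timestamp, bint, capab
    body = fixed + ie(IE_SSID, ssid)
    body += ie(IE_RATES, bytes.fromhex("82848b96"))      # 1/2/5.5/11 Mb basic
    body += ie(IE_DS, b"\x06")                            # channel 6
    bitmap_ctl = 0x01 if multicast_buffered else 0x00    # bit 0 = group traffic
    body += ie(IE_TIM, bytes([dtim_count, dtim_period, bitmap_ctl, 0x00]))
    if wmm:
        # WMM Information element: OUI, type 2, subtype 0, version 1, QoS info
        body += ie(IE_VENDOR, WMM_OUI + bytes([WMM_OUI_TYPE, 0x00, 0x01, 0x00]))
    return body


def iter_ies(body):
    """Yield (element_id, payload); stop cleanly at a truncated element."""
    off = 0
    while off + 2 <= len(body):
        eid, ln = body[off], body[off + 1]
        if off + 2 + ln > len(body):
            break
        yield eid, body[off + 2:off + 2 + ln]
        off += 2 + ln


def parse_beacon(body):
    """Return beacon interval, WMM presence and TIM/DTIM state."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than the fixed fields")
    _timestamp, interval_tu, _capab = struct.unpack("<QHH", body[:12])
    out = {"beacon_interval_tu": interval_tu, "wmm": False,
           "dtim_count": None, "dtim_period": None, "multicast_buffered": None}
    for eid, data in iter_ies(body[12:]):
        if eid == IE_VENDOR and data[:4] == WMM_OUI + bytes([WMM_OUI_TYPE]):
            out["wmm"] = True
        elif eid == IE_TIM and len(data) >= 4:
            out["dtim_count"] = data[0]
            out["dtim_period"] = data[1]
            out["multicast_buffered"] = bool(data[2] & 0x01)
    return out


def sleep_budget_ms(beacon_interval_tu, listen_interval, dtim_period):
    """listen_ms: longest a PS client may stay asleep (assoc-request listen
    interval, in beacon intervals).  dtim_ms: how often buffered
    multicast/broadcast is released, which is what multicast streams see."""
    beacon_ms = beacon_interval_tu * TU_US / 1000.0
    return {"listen_ms": listen_interval * beacon_ms,
            "dtim_ms": dtim_period * beacon_ms}


if __name__ == "__main__":
    b = make_beacon()
    print(parse_beacon(b))
    # Listen Interval 0x000a from the tablet in the post, 100 TU beacons
    print(sleep_budget_ms(100, 0x000A, parse_beacon(b)["dtim_period"]))
```

With a 100 TU beacon interval, a listen interval of 10 means the client may sleep just over a second between wakes, while multicast is released every DTIM period; comparing the two numbers against what the trace shows is the quickest way to tell whether the gaps in a multicast stream line up with the client's power-save schedule.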
I think it is a UBNT issue - this is what I posted over there: I just checked myself about 5 min ago - it's a special MAC address. It's almost certainly consumed by the switch, that's why it is not getting through. The MAC address on my test network in use for Mikrotik RoMON, I believe, is: Destina...
I find MAC telnet quite flaky across the whole product line. With more than one NIC active on the host machine, I don't even bother. I have moved to IPV6 connection through Winbox so that I can configure without having to change my local IPV4 address to be compatible. Alas, IPV6 discovery does not a...