MikroTik

DanielJB

I believe this has been fixed 1 day after reporting it with the reproducer, wow!

What's new in 6.45beta22 (2019-Mar-29 08:37):
*) ssh - fixed multiline non-interactive command execution;

DanielJB

For more security, automatically logging out after the SSH session was idle eg for 10 minutes would be great! I see that feature on some systems but frankly I just find it irritating (session has been logged out when you come back to it after studying how to solve some issue), and frankly I don't s...

DanielJB

This has been impacting me for some time too. I found a way to reproduce it from Linux: $ while :; do ssh admin@demo.mt.lv /ip firewall filter print | wc -l; done 220 220 220 220 220 220 93 220 220 The block buffering in non-interactive mode exposes a bug which isn't seen in interactive SSH sessions...

DanielJB

For more security, automatically logging out after the SSH session was idle eg for 10 minutes would be great!

On my Unix systems, I set TMOUT for root in a similar way.

DanielJB

The issue is resolved in 6.45beta20.

DanielJB

Thanks lipo. Can you check on RouterOS 6.44.1? It may be that Mikrotik removed the updated WiFi driver as on 6.44.1, I still see: /interface wireless registration-table print stats 0 interface=wlan1 mac-address=B0:23:43:F0:CA:09 ap=no wds=no bridge=no rx-rate="526.5Mbps-80MHz/2S" tx-rate="36Mbps" pa...

DanielJB

It is extremely useful to use the 'wait' parameter in "/interface lte at-chat" eg wait=yes.

Please can it be added for "/interface ppp-client at-chat" also as is missing?

DanielJB

Yes, using RouterOS 6.44.

DanielJB

Does anyone else with a RB4011 WiFi variant on RouterOS 6.44 find stats shows only strength from only 3 out of 4 chains for the 5GHz radio, ie no signal-strength-ch3, despite rx-chains and tx-chains being set to 0,1,2,3? /interface wireless registration-table print stats 0 ... signal-strength-ch0=-7...

DanielJB

Chaps, When packets get a priority between 1 and 7, which maps to a WMM traffic class (eg with [1]), I can't get transmit more than 20-25Mbits/s UDP [2,3] shared to all clients. If I set the priority to 0 (or disable the rule), I get 440Mbits/s. I see the same to a range of 11ac clients, 5m from AP....

DanielJB

I find '/tool sniffer quick interface=ether1 port=!80,!443' doesn't exclude both port 80 and 443. Does anyone know the correct approach?

DanielJB

By default, RouterOS pings all idle wireless clients every 60s. With many associated clients over a larger area (therefore low bitrates) with 1-2 active at any given time, network efficiency is reduced and client battery life is reduced. Disabling keepalive-frames causes issues wherein clients are l...

DanielJB

Keep in mind that the 5GHz radio will go into radar-detection mode for ~60s once RouterOS is booted.

There is very likely some first-boot scripts that run that add to this, including SSH key generation; this was deferred until first SSH connection in later RouterOS versions.

DanielJB

1. where there is spectral congestion (eg 2.4GHz networks), I suggest using hw-protection-mode=cts-to-self and hw-protection-threshold=200 (to keep overhead low on TCP ack packets) 2. hw-protection-mode=rts-cts has higher overhead but may give better client->AP throughput if the AP transmit power is...

DanielJB

Owing to the lack of RouterOS band steering, I have consistently found the optimal solution is for the 2.4GHz radio to have SSID eg "Mikrotik" and the 5GHz radio to have SSIDs eg "Mikrotik" and "Mikrotik 5G", catering both for people who want simplicity and those who want 5GHz only. Making this defa...

DanielJB

there is a reason why RouterOS on x86 supports only 2GB - the speed of memory addressing. With high/low setups you would lose 5 to 10% of performance. The cost of PAE is way lower on modern x86 processors, since they have such large TLBs (as are optimised for much larger datasets with 4KB pages), a...

DanielJB

I have a project to create a free hotspot for approximately 1500 simultaneous users and would like to create it using Mikrotik but, can't find 2.4Gghz external AP to deploy using CapsMan. I don't want to use another vendor. The idea is to use about 10-20 ap (meshed) and use radius server with maybe...

DanielJB

One of the first steps I take when deploying Mikrotik kit, is generating a local certificate, signing it locally and enabling HTTPS with it, disabling HTTP. This gives the same level of protection that SSH affords. True, but that protection is absolutely zero. It only protects you against people sn...

DanielJB

One of the first steps I take when deploying Mikrotik kit, is generating a local certificate, signing it locally and enabling HTTPS with it, disabling HTTP. This gives the same level of protection that SSH affords. It would be a step forward if this was done at first boot. Clearly the chain of trust...

DanielJB

Anyone have any experience in isolating multiple APs in the same broadcast domain? Eg say you have two APs on an switch without port isolation capability, which also connects to the router I guess one could use bridge filtering in the forward chain with a MAC address whitelist, but this is difficult...

DanielJB

Does anyone know how to modify rules eg in /ip firewall filter: chain=forward action=accept connection-state=new dst-address=10.1.1.62 protocol=tcp port=500 src-mac-address=aa:bb:cc:dd:ee:ff to: chain=forward action=accept connection-state=new dst-address=10.1.1.62 protocol=tcp src-mac-address=aa:bb...

DanielJB

Chaps,

Does anyone else get whacky wireless link last up/down time with 6.38.1?

Last Link Down Time Dec/25/2035 21:34:28
Last Link Up Time Dec/25/2035 21:34:32

'/system clock print' shows the right date and time.

DanielJB

local-proxy-arp was added in RouterOS 6.38

DanielJB

I was trying to achieve the same. Packets coming in on a bridge port are prevented going out on the same port. On linux (which RouterOS is based upon), bridges support 'hairpin' mode [1] (don't confuse with hairpin NAT), which would allow filtering between devices on the same AP/interface, but Route...

DanielJB

I would say it's worthwhile trying to: - disable STP on all bridges (and hardware switch chip STP if enabled on certain models) - increase DHCP lease time to eg 4h - ensure group-key-update is eg 1h - disable keepalive-frames It's just a pity we can't adjust beacon frequency and DTIM: http://forum.m...

DanielJB

In Unix systems SSH sessions, I use Ctrl-W all the time to delete the last word; it is really practical, but not implemented in RouterOS.

Can Mikrotik implement this simple enhancement for RouterOS? It does save time in the CLI.

DanielJB

In noisy network environments with many clients, I generally enable RTS/CTS protection for packets larger than 500 bytes [1], and find it very beneficial. I believe because other stations and APs on other SSIDs sharing the same channel also wait. The probability of collision is smaller with smaller ...

DanielJB

I think it is reasonable to be able to tune the wireless beacon interval and DTIM.

I my case, a 200ms beacon interval and DTIM count of 1 would be more optimal than the defaults.

Anyone else missing this feature with other basic APs feature?

DanielJB

Dear Mikrotik specialists, Since Mikrotik routers are based on GNU/Linux, I would like to invite any specialists using Mikrotik or in related network or routing fields to join the next FOSSASIA Open Tech Summit which will take place at the Science Centre Singapore, from March 17 to March 19, 2017. T...

DanielJB

I get this output from netinstall: recv bytes: 300 opcode: 1 htype: 1 hlen: 6 hops: 0 xid: 6b6e15f0 secs: 40 unused: 0 ciaddr: 0.0.0.0 yiaddr: 0.0.0.0 siaddr: 0.0.0.0 giaddr: 0.0.0.0 chaddr: 4c:5e:c:96:23:c6: sname: (64) file: (128) cookie: 63538263 35 01 03 3d 07 01 4c 5e 0c 96 23 c6 ...

DanielJB

I've been consistently unable to netinstall a CRS125 with 6.35.4 or 6.36rc28. I see the DHCP packets from the CRS arrive on the only network interface, but even after all the usual tricks (disable firewall, IP address assignment etc), netinstall doesn't reply. I have tried on two Windows 10 systems,...

DanielJB

I am also waiting for IKEv2 support from MikroTik, but caught between deploying EdgeRouters with IKEv2 or L2TP+IPSec on Mikrotik.

DanielJB

While checking why USB disk performance on RouterOS 6.34.4 is so bad, I found ext3 format is default, and the partition is bady misaligned, so causes write amplification: # fdisk -l /dev/sdb Disk /dev/sda: 14.9 GiB, 16013942784 bytes, 31277232 sectors Units: sectors of 1 * 512 = 512 bytes Sector siz...

DanielJB

It seems likely AES-NI instruction support will be available when Mikrotik do a 64-bit x86 build. AES-NI aside, we'd see a 15% performance increase (due to correspondingly higher IPC), which is important on low-end Atom boxes.

DanielJB

Using another USB to Ethernet adapter with the Realtek RTL8153 chip (Dell "USB-C to Ethernet adapter"), I see wire-speed in both directions.

This correlates that the issue is a phy setup/programming issue.

DanielJB

I have been experiencing the same issue on the excellent hAP ac and have found: - the low bandwith (17-57Mb/s) varies with temperature - it occurs with certain ethernet phys and not others - when it occurs, I see receive issues, suggesting the root cause is the transmit from the QCA8337 switch chip ...

DanielJB

MAC-based-VLAN (/interface ethernet switch mac-based-vlan) works great on my CRS125.

Where packets don't match an FDB entry, is it possible to assign a default VLAN?

Thanks!
Daniel

DanielJB

Hi guys, Since the new RB953GS-5HnT is a single-chip QCA9558 solution, it supports 3-chain 802.11n at 5GHz: http://routerboard.com/RB953GS-5HnT In many access points, the QCA9880 chip is paired with this to give 3-chain 5GHz 11ac, and clearly when Mikrotik supports it on a mini-PCIe card, we can upg...

DanielJB

Been waiting to purchase this rackmount variant also and was told by support "in May"; seems a near-perfect product once L3 switching is available in RouterOS 6.14/15 or 7...

DanielJB

I'm looking at getting a CRS226-24G-2S+RM for layer 3 switching between VLANs. Will L3 switching work if: 1. some connections are NAT'd out of one port (used for an external internet connection)? 2. there are firewall rules allowing only certain protocols and ports between VLANs? Also: 3. how would ...

DanielJB

Indeed. With a significant number of competing TCP flows, Zheng and Kinicki demonstrate a 15% improvement in goodput (ie useful TCP segments, flow efficiency) through an ECN-capable router, page 15: http://web.cs.wpi.edu/~rek/ISCC02talk.ppt Anyway, let me know if anything more is needed to submit th...

DanielJB

We need a way to enable TCP Explicit Congestion Notification on RouterOS, so when eg TCP tunnels are established, we will get the increase in efficiency and reduction in packet loss. The current linux default is to accept ECN, but not request it when initiating connections. Thus, we need a config op...

DanielJB

+1 I suspect that OpenVPN LZO compression isn't offered the due to the compression time for the MIPS processors in the most of the MikroTik routers. I'd expect ~50Mbits/s max, as we see around 200Mbit/s on an ARM Cortex-A9: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b0...

DanielJB

Normis, Chupaka,

RouterOS 6.7 uses ext3 on internal stores; this is known to have poor lookup scaling as many files are present in directories, and thus may be a significant factor in the RouterOS proxy webcache slowdown observed.

What is the rationale on not using ext4?

DanielJB

I see an interesting slowdown in webcache speed as it fills up eg to 1GB from 8GB, as tested with RouterOS v6.6 on a RB951G with a 'fast' USB3 stick (obviously operating at USB2 speed; it can maintain 75MB/s read and 18MB/s write). The slowdown manifests as large latency spikes of 1000-4000ms, which...

DanielJB

When running a caching webproxy on the excellent RB951G [1] with RouterOS 6.2, when the cache starts filling up (eg 1GB of data), I see a significant rate of 'connection reset by peer' messages in browsing sessions, around 5-10% of the time. This affects HTTP GETs, but worse HTTP POST, so form infor...

DanielJB

Hardware packet queues can introduce significant latency below Mikrotik's QoS queuing; this is particularly problematic for wireless interfaces where eg >1000ms delays can be introduced on congested networks. Linux exposes an ioctl (SIOCSIFTXQLEN) to control queue length or eg via: ifconfig eth0 txq...

DanielJB

At present, there is no way to specify the type of flow hashing used in Stochastic Fair Queuing. The flow hash is constructed from source-IP + port and dest-IP + port, with round-robin dequeuing. This gives per-flow (eg TCP session) fairness, so one host with 20 TCP connections can starve the other ...

Search found 48 matches