MikroTik

erlinden

Can you please show your /ip routes?

erlinden

Why don't you stop posting messages if you can't give an interesting answer? That's the second question I am also interested in. As far as I know this is a forum and anav is not part of the helpdesk (correct me if I'm wrong). And a forum is for starting discussions, not a place to just drop questio...

erlinden

I'm using a recent cAP ac with 6.49beta11, and a hEX S also with 6.49beta11. Currently I'm running LTS (6.47.9) which works best for me. Why are you running beta? Could be beta related (though I have no clue). Great addition, biomesh. I alreay wondered why there was a /caps-man interface section in...

erlinden

What version Routerboard and firmware are you running?
Haven't seen the L2MTU size set before (except in very old configuration examples), do you need it? I prefer to use as much default as possible, leave everything (i.e. L2MTU) empty, etc

erlinden

Can you please share your configuration?
/caps-man export

I'm sure the cAP ac is capable of two streams (up and down), might be a configuration thing.

In regards to your expectations...500Mbps is a bit enthousiastic.

erlinden

It is REALLY easy to find out the SSID of a hidden network. Though conceptionally it sounds better to make it hidden.
Transmission power can be set in de Advanced mode of the wireless interface.

erlinden

Having a Windows machine publicly available is not really good practice security wise. You better only forward ports that are absolutely necessary. And...start running a VPN server on your router for management purposes and making resources available. By the way, to show your config use /export hide...

erlinden

Lots of recommendations here: - don't use hidden SSID, it really makes no sense at all - besides SSID and password, the security settings have to be identical - as mentioned above, always use non-overlapping channels - optimize transmission power, "as low as possible" (especially in the 2....

erlinden

Sounds like it is not in caps mode, by default it is not broadcasting any SSID's.

From Winbox you can put it in caps mode as well:
viewtopic.php?t=148207

erlinden

You can reset them to caps config:
https://help.mikrotik.com/docs/display/ ... esetbutton

erlinden

Though I fully agree, erkexzcx, first we have to know if this is unwanted.

erlinden

I read port 25 and 587, looks like someone/something is trying to connect to it. Do you have a mail server behind the router? Unfortunately your screenshot isn't showing the source IP address clearly, therefor can't say who is doing this. If you are not running a mailserver, you might want to blokck...

erlinden

I think there are not many good working implementations of bandsteering. Besides, any modern device will choose 5G over 2.4G, especially if you tweak the TX power. Any effort on implementing this would be a total waste of time in my opinion. While there are so many other relevant implementations tha...

erlinden

Can you please share your NAT rules (/ip firewall nat export)? Do you have the default filter rules (while you are at it: /ip firewall filter export)?

erlinden

This can be handled by /ip firewall nat:

add action=dst-nat chain=dstnat comment="Port translation (or any other comment)" dst-address-list=[fill in the public IP address] dst-port=443 log=yes protocol=tcp to-addresses=[fill in the private IP address] to-ports 9152

erlinden

I would:

Make a full export (/export file=anynameyoulike *))
Reset device
Upgrade to latest version
Import the export file

*) Do not forget to copy the export to a computer

erlinden

Why?

In my opinion it makes absolutely no sense (based on the supplied information) to have it configured like this.
Why not configure your MikroTiks as accesspoints with build in switches?

erlinden

Better share a complete configuration, can you please share yours (by /export hide-sensitive file=anynameyoulike)?
And...did you check the URL posted before: https://wiki.mikrotik.com/wiki/Manual:C ... s_examples
Because that exactly describes how this CRS112 should be configured.

erlinden

Please read this tutorial very carefully, it is the best resource (in my opinion) on VLAN and RouterOS:
viewtopic.php?t=143620

erlinden

I switched to LTS, currently version 6.47.9. Great performance, might help you as well.

erlinden

You might already have found, but nevertheless:
https://wiki.mikrotik.com/wiki/Per-Traf ... _Balancing
https://help.mikrotik.com/docs/display/ ... +Balancing
https://help.mikrotik.com/docs/display/ROS/Failover

erlinden

Volgens mij volstaat het om de volgende regel aan te maken:

add action=drop chain=forward comment="Block guest network except WAN" in-interface=GUEST_VLAN out-interface-list=!WAN

Herewith my guest network is blocked from any other network (VLAN), WAN is allowed

erlinden

That is a perfect approach, don't forget to configure the wireless interfaces (WPA2/AES, fixed channels, correct bandwidths, country code, etc.).

erlinden

And your question is?
What is your definition of 'better'?
And what is your definition of mesh?

erlinden

Got it installed on my RB4011/CRS112/2xcAP ac/wAP ac (coming from 6.478.1), will monitor. Upgrade went very smooth!

erlinden

Answers:

1. It depends on what you prefer to use (I never use Quickset), but the result is the same. You probably have firewall rules, but they are not hit.
2. you can do a lot of security improvements, but the question is what is required (for you).

erlinden

First thing I notice is that the SFP's have different wavelengths...sure that will work?
What RouterOS version are you running?

erlinden

Still in doubt whether I should help you or not (and especially if you are helped by getting the ports in place). By the choice of ports I'm not convinced of sufficient knowledge about security (let alone that port 20 FTP should be set outbound instead of inbound). Besides, there are tons of tutoria...

erlinden

It might be caused by the fact that the hEX S doesn't have wireless interfaces.
To "solve" this you might want to consider getting an RB with wireless interfaces, like a hAP AC2 (or 3).

erlinden

Can you please first share your configuration (via terminal):

/export hide-sensitive file=anynameyoulike

erlinden

Could not resolve DNS name...that means that there is a problem with DNS. Is the device connected to a network? Did it get a proper IP address? Does it have Internet access? I thought this might be easy. Welcome to MikroTik ;-) Tip: Instead of a cry for help, please use a proper description as title...

erlinden

ICMP doens't say anything about webserver (though the webserver could theoretically respond to the ICMP request).
Can you please share the websites you encounter problems.

Things that come to my mind:

IPv6
DNS
Block

erlinden

Just to be sure, the RB receives a public IP address?
Are you gaming through Wifi or through cable?

erlinden

Luckily you managed to disengage the Caps-Lock key in the end. Actually, that caused additional confusion (as m = milli)... @Holden1: Without proper information it will be difficult. Can you al least share the configuration? /export hide-sensitive file=anynameyoulike By default all ports should be ...

erlinden

Do you have both 2.4G and 5G radios enabled? It could be caused by too high TX Power on the 2.4G radio.
Perhaps you can share your CAPsMAN configuration: /caps-man export hide-sensitive file=anynameyoulike

erlinden

My guess would be by having three masquerade rules.
Here is a topic that can be helpful:
viewtopic.php?t=142214

erlinden

Do you experience the same problems when your computer is connected directly to the Netgear (by cable!)? Why would you use multiple routers (NAT after NAT)?

erlinden

For responding to ping, you have to have this line in your firewall filter rules: /ip firewall filter add action=accept chain=input comment="accept ICMP" protocol=icmp What do you mean by you can ping your gateway...is this from the internal network? i dont have firewall i dont know whats ...

erlinden

ok I understand, but then I have to reconfigure ASUS Wlan to be an AP instead of an router. In AP Mode NAT is not required. Is that correct ?

Correct, there are a lot of reasons why you don't want multiple NAT in your network (and you have found one of them ;-)).

erlinden

yes the ASUS Router is configured as router, therefore NAT is active and required.

There is your problem: because of NAT on the Asus, all traffic is blocked (as should be) from WAN to LAN. Please reread my earlier reply.

erlinden

You have to allow these requests in the Asus router. Is NAT required on the Asus?

erlinden

Is that correct? Yes I tried to implement the great tutorial, unfortunately I get an error when defining the WAN IP # Yellow WAN facing port with IP Address provided by ISP /ip address add interface=ether1 address=a.a.a.a/aa network=a.a.a.0 get me this error back "error while running run-after...

erlinden

Have been using Hex S with cAP ac (powered by the Hex S) for some time now...without any problems. I would first check cable, what exact cable is in between the two? Can you try with a short patch cable in between?

erlinden

Topci Author, did you find a solution?

In those nearly 7 years he probably did...
Hope you are not overthinking PPTP!?

erlinden

Just add multiple frequencies: https://dub01pap001files.storage.live.com/y4mMev_QoU1Pr8O977z6UYHvcvyRmUTIRdjnX-6uT52GNTbotLyhmI6LB2k-Dlln68OtSExaE56N8Vzwci6GWE-8vyUT65PSxzc6akjYHaKgLLMXKR4V1h1-IQnb1R2LaNUw6gyky_pZxQfj41u-vTtEzzeS_Dyg4EK5Iskk9RT9_bG3KPHeEEiVohVPaelxwTj?width=376&height=270&cr...

erlinden

As far as I know by using extension channels you are able to choose for 40MHz bandwidth. And depending on the selected extension channel (Ce or eC) you can manually select the combined channels used (where XX gives you random channels). You can explain both the use case and the problems you are runn...

erlinden

Configuration can be exported using /export file=mycurrentconfig (or any other name you like).
This export can be imported into a different Routerboard, passwords won't be exported unfortunately (and I think users aren't as well).

erlinden

Please use the code tags (from the menu, select "brackets") to make it more readable. First thing I would change is using a single bridge with VLAN filtering on it (both on the CAPsMAN and the CAP). Assign IP addresses to the VLAN interfaces. Don't use auto frequencies, ever. You can add c...

erlinden

Yep, they are designed to pass good traffic for further processing by firewall

Thank you very much Chupaka, all I had to do is add the internal DNS server to the list that iukatech quoted. It is now working!

erlinden

01/13/2021 Still works like a charm on the newer firm as we just went through the same issue

Do these rules have to be at the top of the firewall?

erlinden

Where is the DHCP client on the RB3011 connected to?
Can you please share the config of the RB3011: /export hide-sensitive file=anynameyoulike

erlinden

Masquerade is for handling NAT.

erlinden

OK have done it.
Will be a problem with the disabled Masquerade? Is needed to delete it or it can be disabled?

Disabled is disabled...so it won't interfere.

Is both masquerade and port forwarding working now?

erlinden

Like the Hex S has port 1 as WAN and the other ports a LAN, does this mean that this is a hardware or is it just a convenience marking on the case. Convenience only, you can have any port(s) as WAN port. It just requires the proper configuration. Agree with @quackyo, I would actually use VLAN's (bu...

erlinden

Did you found any solution to that problem or I purchased a dummy wifi router with big antennas?

Can you please share your config?
/interface wireless export hide-sensitive file=anythingyoulike

erlinden

Can you change

add action=masquerade chain=srcnat src-address=10.0.10.0/24
add action=masquerade chain=srcnat disabled=yes src-address=10.20.11.0/24

to:

add chain=srcnat action=masquerade out-interface-list=WAN

erlinden

I have change it to the WAN, but no change. Its the same.

Can you please post your configuration here:
/export hide-sensitive file=anythingyoulike

erlinden

Ok and what should I choose in the out. Interface (list)? - LAN, Wan, all, dynamic, none and static

You can choose either the interface "Orange Optic" or the interface list WAN (assuming the interface is added tot the list as WAN).

erlinden

I was expecting an masquerade rule with an Out. Interface (List) specified. And I think the src-address can be left empty.
Are you sure you want to have your DNS server publicly available?

erlinden

If you want to use an name instead of using IP address, you will have to solve this by DNS. And...that's about it, I think.

erlinden

Can you please share your config: /export hide-sensitive file=anythingyoulike?

erlinden

Would be very helpful if you could share the config of the CAPsMAN here:
/export hide-sensitive file=anythingyoulike

What is the CPU usage on the CAPsMAN?

erlinden

What is the fix-space package? And why is the version different from your ROS?

erlinden

@Buelo, Kid Control is MAC Address based. You might run into problems because a lot of devices are using random MAC addresses for privacy purposes. @borislav, can you share your config ( /export hide-sensitive file=anythingyoulike )? Only situation where I ran into DHCP problems, it was because of m...

erlinden

Indeed it is difficult to configure wireless properly, it requires a steep learning curve. From your configuration I see a lot is either wrong or missing. Beside, your firmware is outdated, you will get much better performance on the LTS (stable has some problems with the RB3011). For the 5G radio p...

erlinden

The RB4011 will handle Gigabit just fine, unlike the crs328_24p_4s.
See also: https://mikrotik.com/product/crs328_24p ... estresults

erlinden

Then why are you trying to run SQL statements?
Can you reset with the option "No Default Configuration"?
Can you post the contents of /file (/file print or screenshot)?

erlinden

Sure you want to you use your switch as database server?

erlinden

Indeed Hairpin NAT or a proper DNS configuration. Wonder what services on the NAS you would like to publish to the Internet. There might be a better way.

erlinden

I would use IPSEC, here is a great blogpost I found (and am using):
https://blog.pessoft.com/2016/05/29/mik ... s-and-nat/

erlinden

Why would you want the port changed?

erlinden

any ideas why upgrade causes full of errors regarding IKE2 rekey?

search.php?keywords=rekey&t=171035&sf=msgonly

erlinden

Can you please share the configuration (/export hide-sensitive file=anythingyoulike)?
What have you tried, what are you trying and what problems are you running into?

erlinden

Export is the best option, make sure that the 3011 is Reset to Defaults with No Default Configuration before importing the export file. Be aware (please check the export file before importing it into the 3011) that the 1100 has more ethernet ports than the 3011. You will have to remove them from the...

erlinden

Because you treat your employees like kids...try kid control ;-)
First part was a little joke, kid control will do this just fine.

erlinden

@bwpl, agree at first sight...it is actually the second (802.11n/green) column shown in the table on your URL.

erlinden

I think it should work if you set the frequency to 5785 MHz (which is channel 157) and extension channel to Ce (to combine it with 161). In what country are you? See also: https://www.silextechnology.com/hs-fs/hubfs/Blog_Images/5GHz_40MHz%20Channel%20Update%20for%20UK.png?width=954&height=410&am...

erlinden

Be aware that this RB is not really new...ther CPU usage is a good indicator that something is limiting.
Do you use queues? Can you share your config?
/export hide-sensitive file=anythingyoulike

erlinden

I would expect better results...how are you testing? What is the CPU usage on the RB while testing? Anything special in your configuration?

erlinden

Perhaps you can share your configuration?
/export hide-sensitive flie=anythingyoulike (and place the outcome between [])

erlinden

It should be working...can you please share your configs: /export hide-sensitive file=anythingyoulike?
And please use the [] tags to make it readable.

erlinden

Do you have UPnP enabled?
By default everything is blocked unless a port is forwarded.

erlinden

There is a TX Power setting in CAPsMAN.

erlinden

Please read this great tutorial:
viewtopic.php?t=143620

erlinden

Did you read it at all?

Using RouterOS to VLAN your network

erlinden

There is no 5G radio in this device, hence it is missing.
There is a great tutorial on VLAN, just use the search option or Google.

Here you go: viewtopic.php?p=781603

erlinden

Hey, I have the same ptroblem, but I'm not that handy with stuff like this, so I just feel lost at the moment.

Open a new topic with your specific environment and all the information that is relevant. Unless you are also failing on trying to export pdf and have a compromised RB.

erlinden

Agree, but then I would need (in my special setup) an additional pieces of hardware "combining" vlan 10 and guest-vlan for internet access... I tried to avoid it and with my setup described in second post I was able to do so :) If only a router could do this... Can you please give an over...

erlinden

I absolute love the wireless improvement I'm experiencing. More stability and higher speeds. Unfortunately I noticed periodic "link down", strangely enough only between my RB4011 and my CRS112-8P-4S. This is not occurring between the RB4011 and a cAP ac and not between CRS112-8P-4S and the...

erlinden

It states "Max power consumption" which is different from consuming 13 Watt. My cAP ac is consuming below 5 Watt, both WLAN's and one LAN active.

erlinden

Can't you just make two additional VLAN's for the Guest network?
With four VLAN's you will be able to separate (or share) any combination of sharing/blocking you like.

erlinden

You might want to check how to perform a factory reset, @paul4:
https://wiki.mikrotik.com/wiki/Manual:Reset

erlinden

I have configured my VLANs in a different way, I configured all VLANs on the bridge instead of on the interface:
viewtopic.php?t=143620

erlinden

Yes, that's what should be set to none IMHO.
Look at first line, dh-group=modp4096 is used for dh in phase 1 and for PFS in phase 2.

Thanks, saved my day! Got it working!!

erlinden

With IKEv2 the pfs group is inherited from phase 1, have a look at dh group in profiles. Perfect forward secret should be used even if set to none in proposals. Correct me if I am wrong, but I think you should set pfs-group to none in proposals on all devices for IKEv2. My current settings: /ip ips...

erlinden

Make sure you are using local forwarding, not CAPsMAN forwarding. You will get the highest data rate with local forwarding. CAPsMAN forwarding involves tunneling all traffic back to the CAPsMAN which adds a lot of overhead. Local forwarding is a CAPsMAN setting, you'll find it in the "Datapath...

erlinden

No, it does not depend...

Well, actually...

Perhaps you forgot the situation that the ISP requires a PPPoE configuration?
Or it requires VLAN configuration on the WAN side (in case of fiber)?
And there might be more situations that a change is required.

erlinden

It depends... What medium (cable/xDSL/Fibre), current and future? Do you have any other hardware involved on being able to connect to the Internet (like a modem)? If so, what modem do you currently have (from your current provider)? What modem will you get from your new provider? How is the router c...

erlinden

THere are multiple ways to upgrade your device:
https://wiki.mikrotik.com/wiki/Manual:U ... g_RouterOS

erlinden

What speed is the client connected on both CAP's?

erlinden

I see the following error in the log (every 30 min): IPsec-SA expired before finishing rekey Haven't seen this issue in the current LTS and the 6.47.x releases. Found this answer in the topic, hope it helps: https://forum.mikrotik.com/viewtopic.php?f=2&t=159536&p=783686&hilit=IPsec+SA+ex...

erlinden

What is the current state of the RB?
Is the device running?

Are you aware of using Netinstall (as last resort)?
https://wiki.mikrotik.com/wiki/Manual:Netinstall

erlinden

If you run into problems, you might want:

export your configuration (/export file=anythingyoulike)
Save file to local computer
Reset RB to defaults
Upgrade
upload config file
import your configuration (/import file=anythingyoulike)

Do you get any errors (check in the log)?

erlinden

Please read this tutorial carefully...it helped me a lot understanding VLAN:
viewtopic.php?t=143620

erlinden

Can you please post your complete firewall configuration (/ip firewall export)?

erlinden

It is the signal strength of the client, measured on the CAP.
Think here you can find some good (additional) information:
https://help.mikrotik.com/docs/display/ROS/CAPsMAN

erlinden

So...you want to configure the Cisco AiroNet? Can you please share your routers config (/export hide-sensitive file=anythingyoulike)?
On what port is the AiroNet connected? Assuming the AiroNet is wired connected to the router!?

erlinden

What DNS server IP do clients get on the VPN?

erlinden

Is the map created by this user or by another user?
And, as I don't know anything about Dude, are there any Dude settings in regards to this?

And to be honest...not much time to upgrade, it is all about priorities. In my opinion, the problem your describing is of less importance.

erlinden

Instead of adding an additional cAP, you might want to consider introducing VLAN's. Where you can have a standard VLAN and an additional VPN VLAN. That would make any additional hardware (for this purpose) unnecessary. If you want to find out more about VLAN (I'm using it for guest network and IoT),...

erlinden

Not a direct answer to your question...why are you still running this version? It is 2,5 years old and I'm pretty sure there are some vulnerabilities in this version.

erlinden

Disadvantage of the dual chain is that triple chain clients will perform less in comparison with the old wAP ac.
But in my opinion the improvements outweigh this drawback.

erlinden

A way to improve roaming experience is by lowering transmission power. To start with, set the 2G radios 7dB lower than 5G radios.
Next, extension channels (5G) can be better set to Ceee instead of XXXX because you have better control.

erlinden

Central management, which is definitely an advantage. I switched from CAPsMAN to local configuration which is more stable in my experience. Big disadvantage of CAPsMAN is when rebooting the router (or other device that is running CAPsMAN) the entire wireless network drops. There seems to be an optio...

erlinden

I prefer (and I thought it was recommended) to use a single bridge with filters, see also this great tutorial:
viewtopic.php?t=143620

Not sure if it is completely related, but it is at least worth the try.

erlinden

Do you see any hits on the rule? Are port forwards supported by your ISP (especially because of the two IP addresses)?
In addition, you might want to test without the dst-address.

erlinden

My rule looks like this: add action=dst-nat chain=dstnat dst-port=[public port] in-interface-list=WAN protocol=tcp src-address=[public IP] to-addresses=[private IP] to-ports=[private port] [public port]: the port that the remote computer will connect to [public IP]: the public IP address that is all...

erlinden

That is the correct approach. Please this (really good) tutorial on VLAN's:
viewtopic.php?t=143620

erlinden

I’ve got it running and both seem to be transmitting ok but will the wireless device automatically switch to the strongest signal? Depending on the threshold of the device, the device will search for the strongest signal. To prevent that it will connect to the 2.4G radio, make sure it's transmissio...

erlinden

The 866Mbps is the maximum connection speed that a client can get. In the wireless registration tab you can see the speed of the connection (together with some more information). At what speed is your client connected? There is also some tweaking to do on the settings: Use fixed channel (and be awar...

erlinden

It would really surprise me if, by replacing the chip, the Routerboard will work again. But always good to give it a try!

erlinden

Alternatively you can Reset Configuration and choose CAPS Mode from there.

erlinden

Good question and as far as I know only CAPsMAN settings are used for the CAP's. Meaning there are some settings missing...

erlinden

VLAN1 is default vlan and therefor should not be used.
For more information on VLAN's, please read this topic: viewtopic.php?t=143620

erlinden

would it be possible that all infos i entern to the website will be encrypted or secure? even if its internal? that's why I'm asking how to make my internal website use https There is no difference between internally hosted and externally hosted websites when it comes to encryption. What webserver ...

erlinden

I prefer to have all my internal run services resolved to the internal (private) IP address. Let's assume: your server has IP 192.168.88.2 your website is called www.clydie.local All you have to do is: run a DNS server (MikroTik is running it by default) have all clients resolve through this DNS ser...

erlinden

HTTPS requires a certificate. A very good (and free) supplier is Let's Encrypt: https://letsencrypt.org/
Are you referring to a website you are hosting on a server? What is the relation with MikroTik?

erlinden

I would start by testing network speed with iPerf.

erlinden

InterVLAN traffic is possible by default. You have to add firewall rules to block any inter VLAN traffic.
Something like:

add action=drop chain=forward comment="Block intervlan traffic" in-interface=VLAN1 out-interface-list=VLAN2

erlinden

Could be DNS related, how is the domain name translated? And did you (in case of public IP address) configure NAT loopback?

erlinden

Virtualization would be my best guess.
But...why Windows 7? This OS is really outdated.

erlinden

Currently I have 6.47.8 Stable and I want ro know if I can change to 6.46.8 Long term directly from Winbox without loose my configuration. It is safe ? it is a good ideea ? Or should I remain on Stable? Why? Really...why? You can export to a configuration file that will contain near all configurati...

erlinden

I think this blog post is a great example to start with: https://www.justinho.com/blog/2017/07/15/hap-ac-lite.html It can perform, just as any other Routerboard, everything you require. Just don't expect too much of it performance wise. To help you a bit further, can you please share your current co...

erlinden

Reset the device and reconfigure it (or import from configuration backup).

erlinden

Isn't it also the only way to reduce TX Power? By specifying a higher antenna gain? Yes, there are situations where you might want to lower TX Power.

No, it is not. In advanced mode on your wireless interface you can specify TX Power. No need (anymore) to use the gain setting.

erlinden

Can you please share your configuration: /export hide-sensitive file=anythingyoulike
How do you do VLAN filtering?

erlinden

Why?

I assume because 1) most Mikrotik devices have fixed antennas (with corresponding gain) and 2) it is no longer required for "tx power abuse", as tx power can be set manually.

erlinden

I used this blogpost to configure my travel router. I think it will answer all of your questions on the "wireless bridge" site:
https://www.justinho.com/blog/2017/07/1 ... -lite.html

erlinden

Fairly simple:

- trunk ports should be tagged
- accessports should be untagged *)

It is not necessary to mark untagged explicitly as they are dynamically added (configured by the pvid in /interface bridge port).

Please also read this post carefully: viewtopic.php?t=143620

erlinden

Can you please share:

your ipconfig /all output
your config: /export hide-sensitive file=anythingyoulike

erlinden

I thought that the pvid on the bridge could be left set to 1, not sure if it is of any influence?
Could you please add <code></code> tags (with square brackets) to make your config more readable?

Are you familiar with this topic:
viewtopic.php?t=143620

erlinden

I added channels with the corresponding TX Power setting. Might be a bit hard in a big environment, but for my three accesspoints it works great!
/caps-man channel

erlinden

In case of a single unit the central management purpose is a bit contradicting. It is introducing some overhead, I think (my opinion) when you have over 2 CAPS-es it makes sense to use CAPsMAN.

erlinden

Upgrade went smooth...really interested in the "arm - improved system stability"!

erlinden

Very strange, are you sure about the key?
Could you please post /export hide-sensitive file=anythingyoulike?

erlinden

I would:

only use WPA2
set channel manually
only use Ceee as channel width
set country
upgrade firmware
never ever use quick set

erlinden

I always choose channels manually. Don't like auto...

erlinden

Besides SSID and password, you have to make sure that encryption is identical (WA+PA2/AES only).
Channels should never overlap. And make sure that tx power is optimized.

erlinden

Can you please share your /caps-man export hide-sensitive?
Are you using DFS channels? That could explain why not all radios are up.

erlinden

Your trunk port (the one between the Audience and the cAP ac) should be a trunk port. Therefor, on /interface bridge port this port should be be marked on the bridge with default pvid 1 and VLAN tagged only). Same on the trunk port of the cAP ac. Please check again the samples I provided. On /interf...

erlinden

Proper way to set TX power is by setting TX power ;-)

On the WLAN interface, enable 'advanced mode' and select the Tx Power tab. Here you can set the Tx Power Mode and corresponding power.
Don't forget to configure country code first.

erlinden

Your wish... /interface bridge add name=bridge-LAN protocol-mode=none vlan-filtering=yes /interface ethernet set [ find default-name=ether1 ] name=ether1-wan set [ find default-name=ether2 ] name=ether2-nas set [ find default-name=ether3 ] name=ether3-solar set [ find default-name=ether5 ] name=ethe...

erlinden

I spent an hour reading this and still got nowhere. I know how VLANs work, I just dont know how to implement in routerOS. To summarize your wishes: You want to have a trunk between the two devices You want to separate your network into 3 VLAN's (and perhaps an additional management lan?) Here is a ...

erlinden

In addition to your settings I also set things like rates and WMM spupport: set [ find default-name=wlan2 ] band=5ghz-a/n/ac basic-rates-a/g=12Mbps \ channel-width=20/40/80mhz-Ceee country=netherlands disabled=no frequency=\ 5500 mode=ap-bridge rate-set=configured security-profile=Profile \ ssid=MY-...

erlinden

This topic taught me a lot about VLAN's on MikroTik devices:
viewtopic.php?t=143620

erlinden

Did you perform a router reset (with default configuration)? What routerboard are you using? Are you sure that it is 6.47.8? I thought that 6.47.7 was the latest (stable) release!? Or did you mean 6.46.8, which is the latest LTS? Can you please share you config: /export hide-sensitive file=anythingy...

erlinden

I think by resetting it to defaults you should be able to test all interfaces (wired and wireless).
Perhaps do a RouterOS and firmware update to check if memory is working as well..

erlinden

Seems you are trying to configure your accesspoint as a router.
According to the manual all you have to do is press the reset button for 5 seconds and it should have default accesspoint configuration. After this, you can configure the wireless part as required.

erlinden

Though I fully agree with anav...this is still a forum.

The information is too limited...what are you trying to accomplish (functionally)?
Are you trying to configure a port forward?

If so, please read this:
https://monovm.com/blog/port-forwarding-on-mikrotik/

erlinden

Remote access to administer a MikroTik should only be possible through VPN (is my opinion).

erlinden

Depends on your exact configuration, can you please share your /caps-man export hide-sensitive file=anythingyoulike?

erlinden

Hi. Did you ever figure this out? I'm sitting in the same boat at the moment.

I think the conclusion not to expect too much wirelessly of this device as it is 2.4GHz only answers your question...

erlinden

Your Windows machine is reporting "no internet" (and not your hAP AC Lite), you have to find out why. This topic (didn't read it completely) might describe your problem: https://techcommunity.microsoft.com/t5/windows-insider-program/system-reports-no-internet-despite-having-active-connecti...

erlinden

Please try using multiple streams (underneath with 8 streams in parallel):

iperf3 -c <ip address> -P 8

erlinden

Might want to connect using the MAC address instead of IP.
Can you please share the config (/export hide-sensitive file=anythingyoulike) of this cAP ac?

erlinden

after update to 6.47.7 there is no more access to web configuration of the device if it in bridge mode.
CAP ac
what to do?

Assuming you have a Windows machine available...have you tried using Winbox? Or, SSH?

erlinden

Just checked Github:
https://github.com/topics/vpn-client?l=c%23

erlinden

I prefer to let my router perform routing functionality. Assuming you only use Ubiquiti as accesspoint(s), I would use queues. As you mention subnets...are you using VLAN's (already)?

erlinden

Could be caused that you selected "outdoor" instead of "any". Think anything beyond channel 52 is indoor only. There is some more information on this to be found in one of the topics. All my configurations are set to any.

erlinden

Did you set the country in the configuration?

erlinden

Use the terminal:

/export file=switch

erlinden

I prefer to have no forwards to any device in my network. If I have to connect to any service, I use VPN. My advise, especially on RDP, would be to close the port asap and configure VPN.

erlinden

I would:

Reset the device, no default configuration
Create a bridge
Add all interfaces to the bridge
Add DHCP client to the bridge

After this, you can browse to the IP assigned to the RB.

What would you like to demonstrate?

erlinden

Okay...makes sense. Does this require multiple bridges? Have you tried using a single bridge?

erlinden

Can you please first explain what you are trying to accomplish?
And hidden SSID's...can remember the days they were useful, long time ago.

erlinden

I'm running an RB4011 as main router. Attached to it is a CRS112-8P-4S that is providing PoE to my Dahua camera. Every day I notice at least one (and sometimes more) connection lost/connection restored. This coincides with a DHCP deassigned followed by a DHCP assigned log message. Besides this, I no...

erlinden

I would first share your config with us...looks like a misconfiguration (why did you add a vlan to eth1?).
/export hide-sensitive file=anythingyoulike

erlinden

Not sure if the default configuration is correct, herewith the default firewall rules: /ip firewall filter add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input comment="drop invalid"...

erlinden

You can choose the WAN interface-list instead of the public IP address (in the firewall). Your clients should connect to the cloud domain name. Not sure what OpenVPN is requiring in the configuration, but there are tons of samples and blogs about this topic.

erlinden

Ehm..."6.42.10"???
You might want to consider upgrading both devices?

erlinden

The router should be able to handle these speeds easily. Can you share your config ( /export hide-sensitive file=anythingyoulike )? Is the cable modem performing NAT as well? Do you get a public or private IP address on the RB? In case of private, does the WAN network segment differ from the LAN seg...

erlinden

First thing I notice is that you are using 5GHz and 80MHz bandwidth. That is not really a problem, except the channels you are using are overlapping. Besides, when using extension channels configured as XXXX you have no clue what channels are used. I prefer to use these settings: Channel/Frequency/E...

erlinden

I found this topic, might explain the behavior:
viewtopic.php?t=114200

Does the reset button work again?

erlinden

What about resetting it using the command /system reset-configuration?
And while you are at it...you might want to upgrade the RouterOS and firmware.

erlinden

To test network speed, you should use a tool like iPerf:
https://iperf.fr/

Why test NAT if the device will not perform any NAT tasks?

erlinden

I would expect something like this:

add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.10.X to-ports=443

Can you explain the meaning of your rules?

erlinden

Have you tried telnet/ssh/web as well?

erlinden

I prefer to use CAPsMAN when configuring more than two accesspoints. In your case you might want to consider using VLAN's to seperate public and private. Please have a look at this great topic:
viewtopic.php?t=143620

erlinden

Please have a look at this topic:
viewtopic.php?t=143620

Besides...please don't use UPnP unless security is of no means to you.

erlinden

First thing I notice is that you run the CAPsMAN manager on ether1, I have set it to all. Next to that...you are using VLAN's. I notice that you run a DHCP client on the CAP, but it is connected to a trunk port on the switch. CAPsMAN should work, but if you want to have an IP address assigned to the...

erlinden

The 2.4G band is subject to interference, especially if you use 40MHz bandwidth. Only use 20MHz bandwidth and channel 1, 6 or 11 (as being the only non overlapping channels with this width). Set country and Frequency mode to regularity-domain. And don't use 802.11B...unless you have a really ancient...

erlinden

If your computer is connected to port 1 (which is configured to be the WAN port in a default configuration), you won't be able to connect. Make sure it is connected to port 2 - 5. Other question remains...how do you reset the RB?

erlinden

Show the certificate please. And also please check your date/time.

erlinden

What port on the RB do you connect to?
How do you reset the device?

erlinden

Couple of things:

Set your TX Power higher, i.e. 2.4G @ 15 and 5G @ 20 (or leave both empty to have maximum TX Power)
Set country code
Set Basic rate to 12 and supported 12 and up
Set installation to Any

Hope this improves

erlinden

On portforward I found this information:
https://portforward.com/efootball-pes-2020/

You have to forward a sh*tload of ports:
TCP: 3074
UDP: 88,500,3074,3544,4500,5730-5731,5739

Hope you are not running an L2TP VPN server?

erlinden

Big LOL!

These ports should be open from within to the Internet, these shoud not be port forwarded (as I assume you did).
UPnP is evil...please don't use it...ever!

Though...some games do require port forwarded to the console (which sucks in my opinion).
What game(s) are giving you problems?

erlinden

Sure your WiFi nic supports AC? Sounds to me like a 802.11n dual stream. Or did you set the hAP to n only?

erlinden

Default config, create VLAN interfaces, block any intervlan traffic except what you want.

But first, start reading this: viewtopic.php?t=143620

erlinden

In addition to @mkx: it is sufficient to configure the accesspoint(s) as CAP, after that you can do all configuration on the CAPsMAN.

Search found 705 matches