MikroTik

erlinden

Have you tried disabling Band steering on the UniFi controller?

Yeah...or ask this specific question on the Unify forum?

erlinden

What exact hardware is used? So far it looks like a Unify wireless network, therefor it confuses me what the relation with RouterOS is.
In regards to upgrading...check the changelogs to decide wether or not you should upgrade. What is the main reason for you to not upgrade?

erlinden

I think this topic will bring you in the right direction:
viewtopic.php?p=1142438&hilit=vlan+capsman#p1142438

erlinden

The choice is easy...either choose three devices to configure or one device. CAPsMAN is really easy (especially if you understand the DRY concept) and has some great advantages. More info can be found here: https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-CAPsMAN-CAPsimpleconfigurationexample: A...

erlinden

Good to hear.

Can you mark this topic as solved?

erlinden

Adjust the existing rule that logs all info topics (by adding !fetch to this rule).

erlinden

According to the documentation you can't turn off ether LEDs:
https://help.mikrotik.com/docs/spaces/R ... oordevices

erlinden

As @holvoetn already mentiond: Upgrade your RB to >= 7.13 https://help.mikrotik.com/docs/spaces/ROS/pages/328142/Upgrading+and+installation#Upgradingandinstallation-Upgrading Then, configure as described in the documentation: https://help.mikrotik.com/docs/spaces/ROS/pages/224559120/WiFi#WiFi-CAPsMA...

erlinden

1. Yes
2. Yes
3. Certificates is the solution

erlinden

I mean having an understanding of your network.
I regards to the IP addresses...it looks like you are behand NAT (on the outside), is that possible?

erlinden

Context is key...can you explain how you want things to work?

erlinden

Sure you are using the correct IP address? Does the camera have a fixed IP (as well)?
How is your CRS configured?

erlinden

You have both ether1 and vlan80-net added to your WAN interface list. add comment=defconf disabled=yes interface=ether1 list=WAN add interface=vlan80-net list=WAN I assume that Internet is deliverd on ether1 vlan id 80, correct? In that case: Remove ether1 from the bridge: /interface bridge port add...

erlinden

Thanks for letting the forum know...you are welcome.

erlinden

With this extensive guide you will be good to go using VLAN's:
viewtopic.php?t=143620

Once you get the concepts you will never go back.

The other option I see is setting client-isolation on an access-list, filtered by SSID. Haven't tried that myself (as I'm using VLAN's).

erlinden

Sure, why not? Out friend @tangent has written a nice blog on it:
https://tangentsoft.com/mikrotik/wiki?n ... Sans+VLANs

Any reason not to use VLAN?

erlinden

Please share your current config:

/export file=anynameyoulike

Remove serial and any other private info, post between code tags by using the </> button.

erlinden

Well, creative is not always bad ;-) Well, you did a very good job to make it look bad ;-) yes, I still have to clean up a few little things (upnp on the AP, DHCP client on the bridge, etc.). virtual APs are now dynamically in the bridge via Datapath. But CAP in CAPS mode is then just ‘mikrotik mag...

erlinden

First thing I notice: wifi interfaces should not be added to the bridge manually. I prefer to leave the CAPS as "CAPS Mode" as possible (except for having my ether1 as trunk port and enabling VLAN filtering on the bridge). DHCP client should be on the bridge and not on an interface being p...

erlinden

Config or it didn't happen:

/export file=anynameyoulike

Remove serial and any other private info, post between code tags by using the </> button.

erlinden

Using CAPsMAN?

My RB4011 and 3x wAP AX managed by CAPsMAN is working flawless with V7.19RC2.
Can you share your CAPsMAN config together with the CAPS?

erlinden

Can you please provide complete configs? It's really hard to understand.

erlinden

For what?

NV2 no longer exist and QuickSet is not for WISP.

To understand the need(s).

erlinden

- no NV2 Use case please - no WISP AP (Like MantBox AX) Please elaborate? - QuickSet is a horror on AX, you need to put anyhting manually QuickSet is horror on any device...just use command line. When you will fix this? Have you filed a ticket on these items? https://help.mikrotik.com/servicedesk/s...

erlinden

Seems the only way is ax2.

If you are referring to the hAP AX2, I would like to advice you to get the wAP AX. It's better than the hAP.

erlinden

Though not being @holvoetn:

Yes, roaming is drastically improved by using the wifi-qcom(-ac) driver.

erlinden

2. Why interfaces wifi1 and wifi2 do not connected to CAPsMAN?

By default, local wifi intercases can't be provisioned. Two options: set config on wifi1 and wifi2 or use the provision button on the Radios tab (after selecting the local interfaces).

erlinden

I have best experience with RB selecting the best channels (from the list 2412, 2437 and 2462) in combination with reselect-interval: https://help.mikrotik.com/docs/spaces/ROS/pages/224559120/WiFi#WiFi-Channelproperties: /interface wifi channel add disabled=no frequency=2412,2437,2462 name=CHAN-2G r...

erlinden

Why allow DNS traffic to the router, while clients will use "dns-server=1.1.1.1,8.8.8.8"? Though not being incorrect, you can change this: add action=drop chain=input comment="Drop other LAN traffic to Router" \ in-interface-list=LAN_Interfaces add action=drop chain=input comment...

erlinden

That brings you to either netinstall the device (if the reset button is working) or RMA the device.

https://help.mikrotik.com/docs/spaces/R ... Netinstall

Are you 100% sure the reset button is properly pressed befor powering the RB?

erlinden

My RB5009 cannot enter the routing system You don't have access to the router? Or is there another problem? after the script automatically restarted last night. Why do you run a script? Has anyone encountered this situation? For me, the situation is unclear... I tried using the Reset Button, but th...

erlinden

If you set ether2 to pvid=1000 (instead of 1000), do you also get an IP address?

erlinden

I have a dedicated DNS server in my LAN which I already propagate via DHCP to clients. However, that DNS server is not aware of the DHCP clients (and their hostnames) of the Mikrotik router. My DNS server should be able to use the routers DNS server to resolve these hostnames, but only those. Is th...

erlinden

DNS Client uses /ip dns
LAN Client uses /ip dhcp-server network

Both can be set to mutliple DNS servers.

If you want your RB to act as DNS server for LAN clients, you should set its IP at /ip dhcp-server network.

erlinden

On the product page it is referring to this "SFP compatibility list":
https://help.mikrotik.com/docs/spaces/R ... patibility

erlinden

I resselect every 2-3 hours. It will perform a background scan and if there is a better frequency it will set it. But be aware that this can interrupt on DFS channels. It depends on your situation and surroundings.

erlinden

If one does not specify anything about "save selected" and no re-select interval (as the wireless Capsman allows this) what would happen? Are there default reelection processes going on or what is the case? AFAIK it will remain on the selected channel. That is, as long as there is no rada...

erlinden

Show what you did:

/export file=anymameyoulike

Remove serial and any other private info, post between code tags by using the </> button.

erlinden

Didn't have a good look, but noticed you are running 2.4GHz radios on 40MHz bandwidth. Can you give it a try by disabling extension channel? Then you might have less interference (if that is causing the problems).

erlinden

That sounds like the old CAPsMAN version...the router should have wireless driver installed (can be found in the extra package) and then you are good to go: https://wiki.mikrotik.com/Manual:CAPsMAN But I can "understand" ChatGPT...your question is hard to understand: I would like to ask yo...

erlinden

Preferably use wires to interconnect. Indeed this is a basic use case for CAPsMAN:
https://help.mikrotik.com/docs/spaces/R ... iFiCAPsMAN
https://www.youtube.com/watch?v=bHotZT41w3E&t=89s

erlinden

allow firewall on udp 15252, 53 and 123 to enable the router can received data, but still didn't work. Does this mean your DNS server is publically available? That could explain the high rtt. You might want to share your config: /export file=anynameyoulike Remove serial and any other private info, ...

erlinden

To me it looks like your CAP is acting as a lot more than CAP only. I.e. there are security profiles, while all you need are interfaces that are managed by CAPsMAN. Also, there is no need to have multiple bridges and afaik wireless interfaces are added to the bridge dynamically. And why is the CAP r...

erlinden

Please provide configs of all devices involved:

/export file=anynameyoulike

Remove serial and any other private info, post between code tags by using the </> button.

erlinden

it is working, but is it correct? This is correct. You don't have to set vlan-id on the datapath. Unless you want to work with VLAN's, but then there is a lot more to change. I have set the guest config as slave to both provisioning rules, what I expect is that GUEST is for client to decide the fre...

erlinden

Guest network can be added by using a slave (besides the master) config in CAPsMAN (no need to change the CAP):
https://help.mikrotik.com/docs/spaces/R ... einterface

erlinden

If you set the hw-supported-modes on the provision rule, the correct config is provisioned to the radio. Especially because you have a distinction in channels. Something like: /caps-man provisioning add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=cfg-5g name-format=ident...

erlinden

In addition to @gigabyte091, hereby the documentation: https://help.mikrotik.com/docs/spaces/ROS/pages/224559120/WiFi#WiFi-Securitymulti-passphraseproperties Alternatively you can use access-list to set VLAN ID (depending on the MAC address). This is not in line with your requirements, I prefer it a...

erlinden

Official documentation:
https://help.mikrotik.com/docs/spaces/R ... 59120/WiFi
If you show how you would do it in the pre-wifi6 era, perhaps we can advice you?

erlinden

You can't downgrade below factory firmware. What is the version?
Besides, from the website:
https://mikrotik.com/product/hex_2024

Why would you want to downgrade?

erlinden

Could it be a radar detection incident? That should be reported in the logging. I noticed you didn't set channel width on 5GHz, running 160MHz might give some interference. And a personal note...running anything different from encryption=ccmp gave me lots of problems. But the radio should still be a...

erlinden

How do you know it is not working?
Can you add the CAPsMAN config as well (just the /interface wifi part)?

erlinden

Press the provision button on CAPsMAN on the wifi - remote cap
Also check log on both CAPsMAN and CAP.

erlinden

Have you tried a (re)provision?

erlinden

From a DRY perspective, could you please try the below (just edit: /interface wifi security add authentication-types=wpa2-psk,wpa3-psk name=main_sec ft=yes ft-over-ds=yes passphrase=HaveAg00dDay add authentication-types=wpa2-psk,wpa3-psk name=guest_sec ft=yes ft-over-ds=yes passphrase=HaveAg00dDay /...

erlinden

Unless you are able to find the wifi-qcom-ac driver in any V6 package, you are restricted to use V7

erlinden

Just to rule out everything, can you please share the config?

/export file=anythingyouwant

Remove serial and any other private info, post between code tags by using the </> button.

erlinden

Is downgrading an option? I.e. LTS 6.49.18?
I prefer to have my older hardware running V6, but it depends what functionality is required.

erlinden

You can always reset the CAP to CAPS Mode and add VLAN settings. Firewall seems unnecessary afaik. Hope it helps...
There is nothing I can see that could cause your problems.

erlinden

EDIT: I just tried that config on a cap ac and i get both masters as "slave" and "master". Seems like a bug Could that be due to the fact that you didn't set a name? I didn't check the statements... @Qbaakr, if you want to have a clean starting point, just reset both wireless in...

erlinden

I think it is only available on RouterOS V6, where it is part of the extra package (just checked, but you probably did that already as well...). Strangely enough it is shown on the help.mikrotik.com documentation site. AFAIK, that is the V7 documentation site. What RouterOS version are you running? ...

erlinden

What do you exactly mean by "best setting"? Are you only interested in single device throughput? In regards to the settings (assuming it is with the wireless driver): Is 802.11a required? How is the frequency usage on 5260MHz? Did you set country code? What is the connection rate while per...

erlinden

https://help.mikrotik.com/docs/spaces/R ... listAdlist
viewtopic.php?t=215594

You can compare it to AdGuard and PiHole, it's a way to prefend users from accessing all kind of content through DNS.

erlinden

On CAPsMAN I see you have multiple datapaths. A single datapath is sufficient, VLAN filtering is handled by the bridge:

/interface wifi datapath
add bridge=bridge-LAN disabled=no name=DP_AC

erlinden

I'm using AdList in combination with a social media list I gathered. During a specific time (I enable/disable the list with scheduler) these (social media) names are resolved to 0.0.0.0. This way you can target names instead of IP addresses. Disadvantage is the TTL and caching you have to take into ...

erlinden

viewtopic.php?p=1125951#p1125951

erlinden

i got feeling that the stable version will come very very so0n

Not so fast, first there will be a release candidate.

erlinden

You don't have anything that should be restricted from asccessing Internet? Like IoT (my Chinese camera's don't have access to Internet).

erlinden

When RouterOS on the CAPsMAN is up to date (currently stable is 7.18.2), CAPsMAN (new) is available and can manage the hAP AX2. It can be found in /interface wifi capsman You can reset the CAP (of the cAP ac) to CAPS Mode, either by using the reset button, or through cli: /system reset-configuration...

erlinden

It should. Have you checked logging? Did you reset the CAP (just to make sure)? Did you do anything manual on the CAP?
From your CAPsMAN config, I would not expect the /caps-man interface part (but it has been long time since I worked with the old CAPsMAN). Can you remove it and try again?

erlinden

@melectronics, what is your actual question? Can you explain what you are trying to accomplish?

erlinden

Sounds like multiple problems. Did you uninstall the wireless driver prior to installing the wifi-qcom-ac driver? Why are you referring to the 5GHz interface, while both interfaces are missing under WiFi? Interfaces should always be shown on devices with wifi interface. From the cAP ac, can you post...

erlinden

cAP ac supports two drivers: wireless and wifi-qcom-ac. If you want to fully integrate and cooperate with the wifi-qcom driver (included with the hAP AX2), you are limited to the latter. And in that case, you have to add virtual interfaces to the cAP ac manually. Another approach would be using both...

erlinden

Is it right that I must add every slave interface on every master interface what I have manually? That makes not much sense when I have a centralised manager for WiFi?

AFAIK this is only necessary when running wifi-qcom-ac driver AND configuring VLAN's.

erlinden

Nice finding, I hope it helps! AFAIK there is no need to create these groups manually, as they are dynamically created automatically.
But setting things explicitely is always a good idea!

erlinden

Third option: ISP issue.

erlinden

Open Dev Tools (F12) and check on the network tab if there are any problems.

erlinden

Can you add: /interface wifi capsman export Or even better: /export file=anynameyoulike My best guess is that interfaces is set to all (is that an option), meaning the CAPsMAN service is available through the WAN interface. Your firewall needs soms improvements, you'll probably get some feedback soon.

erlinden

How is this client connected, ft-wpaX-psk or wpaX-psk? I had to add the connect-priority=0/1to get better experience, can you give that a try (it is part of security). While I'm at it: settings can be overwritten. Configuration is the highest level, hence if you set things like security.ft=yes it wi...

erlinden

Some newbies dislike CAPsMAN...I actually love it :lol: Let me be clear...I've learned a lot from @anav! It's a bit difficult to analyse by lack of info...how are the cAP AX's configured? AFAIK, when they are reset to CAPS Mode, it should work. I think by sharing the config from CAPsMAN and both CAP...

erlinden

Be aware that any ax device is not able to run the old CAPsMAN (which requires the wireless driver). In this case, you would have to upgrade the cAP ac to wifi-qcom-ac driver. Assuming they are currently running the wireless driver. Just my guts feeling: I wouldn't rely on the cheapest device and wo...

erlinden

Please share your public IP besides the config, so we can watch the camera as well

Meaning...are you sure you want to have a camera publically available? Have you considered a more secure solution like VPN?

erlinden

Are you familiair with Netwatch?
https://help.mikrotik.com/docs/spaces/R ... 8/Netwatch

erlinden

Sure you want to have Internet access to these camera's? And that you want to make them available to the entire world? What are the camera's connected to? Is there a DVR? Or what do you mean by server? Where is this "server" located? UPnP, for me, is the equivalent for people not knowing e...

erlinden

Have you performed a "Freq. Usage" scan? Especially when this is happening?

erlinden

Could you share your dns settings?

/ip dns export

Make sure to remove anything non relevant (like static dns entries).

erlinden

With the wifi-qcom-ac driver, it is necessary to create the virtual interfaces on the CAP manually. Not sure if you did that? The config is different from the wifi-qcom driver: https://help.mikrotik.com/docs/spaces/ROS/pages/224559120/WiFi#WiFi-CAPusing%22wifi-qcom-ac%22package: Can you please share...

erlinden

Have you already tried playing with the cache-max-ttl? I have set it to 1d (instead of your 1w).

Sure your DNS server is only used internally (and its ports aren't open to the world)?

erlinden

I think it is good when having these problems, please also include firewall and dns settings:

/ip/firewall export
/ip/dns export

# or complete export:

/export file=anynameyoulike

Make sure te remove any private information (like serial), post between code tags by using the </> button.

erlinden

Not sure if it works, but there seems to be a way to make CAPsMAN redundant:
viewtopic.php?p=760970

erlinden

Looks like the bridge is deleted on the wAP.

erlinden

I have found myself in a similar situation where the old Winbox version would work (while v4 indeed gives the similar error).

erlinden

To get some insights, can you please share your config?

/export file=anynameyoulike

Remove serial and any other private info, post between code tags by using the </> button.

Btw, disabling the firewall is a terrible idea. Not being able to find it is even worse.

erlinden

Running newest CAPsMAN requires AX device (using wifi-qcom as only option) or AC device (using ARM processor and wifi-qcom-ac driver).

If you want to support the older CAPsMAN (ac or older devices), you have to use the wireless driver.

There are lots of topics and documentation on this topic.

erlinden

mAP Lite requires the CAPsMAN supplied with the wireless driver. If it is only for testing, you better get an AX device (or a wifi-qcom-ac supported device).

erlinden

I have had the same issue, there is a topic here on the forum that solved it. You would have to search for PPSK on the forum.

erlinden

Change this: add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.250.0/24 Into this: add action=masquerade chain=srcnat out-interface-list=WAN With this change you will get Internet on both networks. Yes, I read it and read it again :lol: thanks You might want to have anoth...

erlinden

Sure, no problem.

erlinden

What made you decide to have both multiple bridges and multiple VLAN's? While you could handle all with VLAN's alone. Why run PiHole while you can use AdList: https://help.mikrotik.com/docs/spaces/ROS/pages/37748767/DNS#DNS-adlistAdlist Don't play with antenna gain, just set TX Power. There are some...

erlinden

But will the roaming work well if local wifi1/2 are not included in CAPSMAN?

Yes!

erlinden

Your vlan config is incorrect.

Please read this topic carefully:
viewtopic.php?t=143620

erlinden

Instead of using vlan filtering, you should configure vlan on the switch menu.

https://help.mikrotik.com/docs/spaces/R ... s+examples

erlinden

Perhaps you can reset the wifi1 and then do a reconfigure. Something like /interface wifi reset numbers=0 It makes absolutely no sense why it would take ages. Nothing in the logging? Is the interface up in a fashionable time (according to Winbox or SSH or whatever you use)? Now that you mention abou...

erlinden

Can you please supply all hardware involved (CAPsMAN/CAPS), RouterOS and firmware version and configs?

/export file=anynameyoulike

Remove serial and any other private info, post between code tags by using the </> button.

erlinden

Change this: /interface wifi security add authentication-types=wpa2-psk,wpa3-psk connect-priority=0/1 \ disable-pmkid=yes disabled=no encryption=ccmp,gcmp,ccmp-256,gcmp-256 ft=\ yes ft-over-ds=yes name=harf_security wps=disable Into this: add authentication-types=wpa2-psk,wpa3-psk disabled=no encryp...

erlinden

Don't forget to increase the number of parallel streams (try 8 stream) to get higher throughput.

erlinden

viewtopic.php?t=215763
viewtopic.php?t=213269

What RouterOS and firmware version are you running?

erlinden

Anything in the logging?

erlinden

First step would be creating a topic

Would like to see the config of both CAPsMAN as CAP:

/export file=anynameyoulike

Remove serial and any other private info, post between code tags by using the </> button.

Anything in the logging (both CAPsMAN and CAPS)?

erlinden

So the best way is to replace the network cable and use iperf test, is that right?

Yes!

erlinden

At what rate are the devices connected? Aah, you just added a post, 2.4Gbps.
BTest is a great tool, just not for this purpose. It is CPU heavy, have you checked cpu load during test?

Get two pc's, connect them with wire to the RB's and perform a test with iperf:
https://iperf.fr/iperf-download.php

erlinden

For comparison reason it would be helpfull to get your config for both old and new:

/caps-man export
/interface wifi export

Remove serial and any other private info, post between code tags by using the </> button.

erlinden

Can you please share configs?

erlinden

Have you tried all suggestions mentioned in this topic?
You might want to consider either adding your config or opening an new topic.

erlinden

Can you please share your current config of the CAPsMAN?

/export file=anynameyoulike

Remove serial and any other private info, post between code tags by using the </> button.

erlinden

Could you try with Winbox 4.0Beta18?

erlinden

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

Change to correct subnet

You know this is a static DNS entry?

erlinden

Could it be that you used "create enabled" at some point? Otherwise, there shouldn't be any static slaves (especially they should not remain any after a reboot).

Glad it is solved! And welcome to the mysteries of CAPsMAN

erlinden

You might want to share your current config again. There must be a reason why it's not working. Can clients ping the WISP router? And can they ping 1.1.1.1? Getting two devices is probably making it more complex. And be aware that, while using the WISP router there is no reason to get a second route...

erlinden

Perform: /interface wifi reset numbers=1 /interface wifi channel add band=2ghz-ax disabled=no frequency=2412,2437,2460 name=CHAN-2G reselect-interval=1d..1d12h width=20mhz /interface wifi set [ find default-name=wifi2 ] channel=CHAN-2G configuration.country=Ukraine .mode=ap .ssid=M2 \ security.authe...

erlinden

Your network makes no sense. If you want the MikroTik to work as switch/AP, do:

Remove default settings
Create bridge, add all interfaces to it
Configure wifi as you did
Add DHCP client to bridge

Let your ISP's router handle DHCP

erlinden

Go to wifi, open the wifi interface, select traffic tab.

erlinden

Change your gateway to .254

erlinden

erlinden

Can you share the complete config of both wAP AX and cAP AX? Are all devices running the same RouterOS version? And is firmware upgraded as well? Apart from the problems (have you tried a re-provision of the radio?): /interface wifi channel add band=5ghz-ax disabled=no frequency=5180,5260,5500,5580,...

erlinden

This part: add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp You are accepting all DNS requests, either from LAN or WAN. Next, you are mixing input and forward chain. In itse...

erlinden

Traffic on the interface tab.

erlinden

Seems that you did just fine. What I did (near similar config) is this: interface bridge add admin-mac=XX:XX:XX:XX:XX auto-mac=no frame-types=admit-only-vlan-tagged name=bridgeLocal protocol-mode=none \ vlan-filtering=yes /interface vlan add interface=bridgeLocal name=MGT-VLAN vlan-id=99 /interface ...

erlinden

Log to disk? It has to be (temporarily) stored somewhere.

erlinden

Can you please share your current config:

/export file=anynameyoulike

Remove serial and ny other private info, post between code tags by using the </> button.

erlinden

What filter rule do you assume to allow access from Winbox?
By far the easiest way to grant access is to add the wireguard interface to your LAN interface list.

erlinden

Indeed, debug logging can add something. Please do these steps as test (make sure everything from wifi is removed befor hand): # reset both wifi interfaces: /interface/wifi reset wifi1 /interface/wifi reset wifi2 # verufy they are part of the bridge (or add them): /interface bridge port add bridge=b...

erlinden

CAPsMAN is indeed intended as central management. If your only problem is frequencies, you could either make a configuration per radio (with a fixed frequency) or start using releselect-interval. The latter will (background) scan if the frequency is the best choice: https://help.mikrotik.com/docs/sp...

erlinden

Did you hit the provision button? I assume that the wifi interfaces are added to the bridge dynamically (as well for the CAP).
Does this problem also occur when you leave names untouched?
Have you checked the log?

erlinden

Import can be done if there is no default config in place. Otherwise, you get conflicts.

Something like:

/system reset-configuration no-defaults=yes  run-after-reset="your-config.rsc"

erlinden

You are correct. Documentation in regards to your situation:
https://help.mikrotik.com/docs/spaces/R ... %22package:

erlinden

Stats are only available on the CAP itself, not on the CAPsMAN. The "RED error messsage" is actually not an error, you can ignore it. If you provide your CAPsMAN's config, you can get some feedback on it: /export file=anynameyoulike Remove serial and any other private info, post between co...

erlinden

This is a problem: /interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=*1 internal-path-cost=10 path-cost=10 /interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=*2 internal-path-cost=10 path-cost=10 Probably the two wifi interfa...

erlinden

Firmware upgraded as well as RouterOS?
At what speed (rate) is the wireless device connected to the RB?
Is this the same for all wireless devices?

Can you start fresh:

/interface/wifi reset wifi1
/interface/wifi reset wifi2

Set country, ssid and passphrase and try testing again.

erlinden

If you open a rule (just tested this with the App, also works in Winbox), you can copy that rule.
In CLI, you can do an export and copy a specific line. If you execute that line (with some adjustments) you can execute it.

Not sure why you think it is missing.

erlinden

Only one topic you have to follow: https://forum.mikrotik.com/viewtopic.php?t=143620 I'm missing the "frame-types=admit-only-vlan-tagged" on the /Interface bridge port Just for VLAN security. But that doesn't explain the problems tou encounter. Could you please share a complete config of b...

erlinden

For (nearly) any VLAN question please read this great topic:
viewtopic.php?t=143620

erlinden

You might want to introduce something like:
https://help.mikrotik.com/docs/spaces/R ... prevention

This is for SSH, but can probably be used for OpenVPN as well.

erlinden

i want to block all traffic/ports that come via OpenVPN from WAN that should not be. As i noticed if i disable OpenVPN server that the logs also stop.. So you are running an OpenVPN server and if you disable that, there are no more log entries. What is your problem in the first place...having entri...

erlinden

Depends on what you want. What ports should be open on your internal network and what port do you want open on your public interface?
In addition, please add your config:

/export file=anynameyoulike

Remove serial and any other private info, post between code tags by using the </> button.

erlinden

Get a complete export (show-sensitive) and be aware that the users aren't part of the export.
Netinstall the device and make sure to upgrade firmware as well. Import the above export and test again.

erlinden

My best guess would be adding a firewall filter rule on the forward chain allowing traffic from 192.168.1.0/24 to 10.128.1.0/24. As you are working with VLAN's, I would like to suggest that you add a VLAN for HOME (or whathever you like to call it) and set IP to this VLAN interface (instead of the b...

erlinden

In a VLAN world your bridge shouldn't have an IP Address. Also, bridge shouldn't be part of an interface list: /interface list member add interface=bridge list=LAN You use both IPv4 and IPv6, you might want to check how non-working (as well as working websites) resolve. Update: Thanks for clarifying...

erlinden

What speed do you get when you use iPerf (there is an App version)?

There is (at least for me) something odd with your config. You are adding VLAN to the bridge, but the bridge doesn't have VLAN filtering enabled. Did you configure it like this on purpose? And why do you have an additional SSID?

erlinden

My suggestions: Don't open ports to the router, except VPN (Wireguard?). End both input and forward chain with "block everything else". Then you only have to think about what you want to allow. Only disadvantage is that you could block yourself from the router. A way to avoid is by leaving...

erlinden

It would help if you share your config (run from terminal, this will create a file):

/export file=anynameyoulike

Copy content of this file, remove serial and any other private info en post here between code tags by using the </> button.

erlinden

/interface bridge port //add bridge=BR1 interface=ether1 -- WAN port (do I even need this here?) Nope, if you want it to work as router /interface bridge vlan Per vlan you should have the bridge tagged as well Your firewall is far from complete. Start from default, then add rules as required. /ip d...

erlinden

When the interval has passed (is this correct English?), the CAP will perform a background scan to check if the current frequency is optimal. It will reselect if there is a better frequency (and perform a DFS check from 1 to 10 minutes in addition befor activating) available. It will choose a differ...

erlinden

I am still not getting any internet connection. The following is the updated config: Could that be related to this? add bridge=bridge comment=defconf disabled=yes interface=WAN1_AT&T add bridge=bridge comment=defconf disabled=yes interface=WAN2_Comcast Or were these interfaces enabled while tes...

erlinden

Can you share:

/ip dns export

I have set my cache to 64MB, using the same list. Never had a problem with max cache reached.
Using 7.19beta6, what RouterOS version are you running?

erlinden

What does /ip settings print display?
What is the CPU usage while doing these tests?
How exactly do you test?

erlinden

1. I am not using a /32 subnet, but a /24

Are you sure?

inet 192.168.88.2/32

erlinden

Start with a single wifi interface to get things working. Set VLAN ID for the interface: /interface bridge port add bridge=bridge_router interface="wlan harf" should be: /interface bridge port add bridge=bridge_router interface="wlan harf" frame-types=admit-only-untagged-and-prio...

erlinden

Can you change this:

/ip address
add address=192.168.1.101 interface=PLC-vlan-4 network=255.255.255.0

to this:

/ip address
add address=192.168.1.101/24 interface=PLC-vlan-4 network=192.168.1.0

Also, please consider going VLAN all the way:
viewtopic.php?t=143620

erlinden

Can you also show you config?

/export file=anynameyoulike

Remove serial and any other private info.

erlinden

https://raw.githubusercontent.com/hagez ... ts/pro.txt
With homepage: https://github.com/hagezi/dns-blocklists

As for what people are doing for a living: Isn't everyone here a professional forumer?

And some are (even) Guru!

erlinden

So, adlist breaks my web browsing. Nope, the content of the list you use are using for adlist is breaking web browsing. The cache you are showing is very odd...I wouldn't expect www.google.com not on the list. Perhaps an idea to contact Steven Black on this? What do people do? For a living? 8)

erlinden

Did you upgrade both RouterOS and firmware, @wispmikrotik?

erlinden

I made "Forum Guru!"

Congratz!

erlinden

What use case do you have that you require multiple bridges?

erlinden

What does "VLAN stopped" exactly mean? And how is the router configured? From your config: You don't have to set untagged on /interface bridge vlan, as they are already set on /interface bridge port You should not use VLAN ID=1 /interface vlan only requires a single vlan for management pur...

erlinden

Can you share your complete config (of the CAPsMAN)?

/export file=anynameyoulike

Remove serial and any other private info, post between code tags by using the </> button.

What is the purpose of renaming the interface name?
Have you tried to provision the local radios manually?

erlinden

I configured multiple VLAN's through (wireless) accesslists. This way, I assign different VLAN's (trusted/guests/untrusted) and have easy control over authorization. Only requirement is that you use AX devices (not sure if this can be accomplished with legacy wireless driver as well).

erlinden

I'm missing the IP address assignement of the VLAN:

/ip address add address=192.168.20.1/24 interface=vlan20
/ip address add address=192.168.30.1/24 interface=vlan30

Might want to have a look at this great topic about VLAN's:
viewtopic.php?t=143620

erlinden

It should be plug and play and it is for 99% of routers in the world.

Where does the percentage come from?
Can you also please provide the config?

Have you tried connecting a computer to the accesspoint's LAN cable? Does the computer get an IP address?
Have you also created on the Unifi forum?

erlinden

There is a complete example on the documentation page: https://help.mikrotik.com/docs/spaces/ROS/pages/224559120/WiFi#WiFi-CAPsMAN-CAPVLANconfigurationexample: Just be aware that you have to provision local (wifi) interfaces manually or choose to configure the local interfaces as described below: CA...

erlinden

That's correct. I prefer to specify a wider frequency range so the accesspoint has a wider bandwidth to choose from (instead of 80MHz).

erlinden

Reselect might choose a different Control channel, still the same frequencies.
I think disabling FT is of most influence.

erlinden

In the documentation you can see an example on two SSID's. You will see that VLAN ID assignment is done on the CAPsMAN: https://help.mikrotik.com/docs/spaces/ROS/pages/224559120/WiFi#WiFi-CAPsMAN-CAPVLANconfigurationexample: For the wifi-qcom-ac driver, VLAN id assignment is done on the CAP: https:/...

erlinden

I need to know the hardware involved (is it wifi-qcom or wifi-qcom-ac driver?).
An export would give all necessary info. From both CAPS and CAPsMAN.

erlinden

Per VLAN a datapath. Configuration per vlan, pointing to the correct datapath.

To get some more insights, please share your current wifi config:

/interface wifi export

Remove serial and any other private info, post between code tags by using the </> button.

erlinden

Can you please give this config a try. It is from a working switch, and should therefor work. When this works, you can adjust discovery settings. /interface bridge add name=BR1 protocol-mode=none vlan-filtering=no /interface vlan add interface=BR1 name=BASE_MGMT vlan-id=69 /interface bridge port add...

erlinden

Can you at least share your config (of the router)? /export file=anynameyoulike Remove serial and any other private info, post between code tags by using the </> button. What IP does your accesspoint have? And how is it controlled (App/cloud/something else)? In your case I would set the accesspoint ...

erlinden

Have you considerd (or performed) a netinstall, @mndtrp?
https://help.mikrotik.com/docs/spaces/R ... Netinstall

erlinden

Does the problem occur if you disconnect the external USB drive?
Is this drive powered through USB, or does it have it's own power supply?

erlinden

Did you also upgrade firmware, besides RouterOS?
Last resort would be using Netinstall:
https://help.mikrotik.com/docs/spaces/R ... Netinstall

To be honest, I would RMA this device.

erlinden

If memory serves me well, you have to set ft-preserve-vlanid=no (part of security/ft).

Can you share your config (of both CAP and CAPsMAN)?

/export file=anynameyoulike

Remove serial and any other private info, post between code tags by using the </> button.

erlinden

There are no additional VLANs, what I’ve shared is the complete setup. Also, I enabled VLAN filtering, but still the same situation... The diagram is the image you supplied, please add all VLAN's in there. Did you have a look at the link I supplied. If no, please do so. If yes, do it again (untill ...

erlinden

Can you please add all VLAN's to the network diagram? And have a good look at this topic, which really handles all config questions when doing VLAN: https://forum.mikrotik.com/viewtopic.php?t=143620 The very first thing I notice is already in the second line of your routers config...vlan filtering i...

erlinden

Im not using DoH in DNS settings (Use DoH is empty) and never used it, anybody knows whats this about?

Can you share your config? Just to be sure...

/ip dns export

erlinden

Manual provision can be done under /interface/wifi/capsman/remote-cap/provision to provision all radios associated with specific CAPs, it can also be done under /interface/wifi/radio/provision , to provision specific radios.

erlinden

It is correct, just add all ether ports per /interface ethernet switch vlan like this:

add independent-learning=no ports=ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=10

erlinden

Single of multiple streams?
How does the wifi config look like?

I would expect more.

erlinden

I think you forgot enabling VLAN filtering on the bridge:

/interface bridge
add name=bridge protocol-mode=none

should be:

/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes

erlinden

Remove this line (/interface bridge vlan): add bridge=bridge1 untagged=bridge1 vlan-ids=1 Remove these lines (/ip dhcp-server network): add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24 add address=192.168.22.0/24 dns-server=192.168.22.1 gateway=192.168.22.1 netmask=24 Remove rela...

erlinden

https://en.wikipedia.org/wiki/List_of_WLAN_channels#5_GHz_(802.11a/h/n/ac/ax/be) https://help.mikrotik.com/docs/spaces/ROS/pages/224559120/WiFi#WiFi-Channelproperties Specifies when the interface should rescan channel availability and select the most appropriate one to use. Specifying interval will ...

erlinden

Ok, I checked your switch and CAP config: Switch Don't use bridge VLAN filtering on the hEX, it has a switch chip that can offload VLAN. Here an example of two VLAN's (and a third for management) where port 1 and 5 are trunk ports. Do something like this: /interface bridge add name=bridge-lan protoc...

erlinden

Hope it helps. As you are using the exact range of channel 36, no need to do a reselect.

erlinden

Everything available on the WAN site is handled in the input chain of the firewall. By default, everything (except port forwards) is blocked. If you want to have an opinion on your firewall rules, just share them: /ip/firewall/export To download a cert from a site, just follow these steps: https://w...

erlinden

Your VLAN config is not complete (and correct), for instance /interface bridge port (on the router) don't have a VLAN ID assigned. You get an IP address, because you have a DHCP server attached to the bridge. That should not be there. Please (re)read this ultimate topic (also called the bible on VLA...

erlinden

Is there an official source for this urban legend? When googling for "apple dtim" I can only find results from several forums/communities/private blogs (10 years ago) claiming something like this. But I cant find any official Apple resource for this It used to be mentioned on the Apple we...

erlinden

Connect to it with a network cable and run Winbox to get access to it: https://mikrotik.com/download Onec you have access, export the current config *) and share that config with the forum: *) /export file=anynameyoulike Remove serial and any other private info, post between code tags by using the <...

erlinden

Nothing really interesting, apart from frequency choice and FT. Frequencies for 80MHz bandwidth is from 5170-5250 or 5250 - 5330 (assuming Ceee this would be channel 36 or 52). I have very good experience with: /interface wifi channel add disabled=no name=CHAN-5G reselect-interval=6h..8h skip-dfs-ch...

erlinden

You might want to read this topic:
viewtopic.php?t=208199

Can you share your config, just to make sure there are no strange settings in there?

/export file=anynameyoulike

Remove serial and any other private info, post between code tags by using the </> button.

erlinden

My experience is that password is indeed reset (to blank).
Not sure if the reset button can be disabled.

What exact RB do you have? hAP AX2 or hAP AX3?

Search found 3244 matches