MikroTik

pukkita

Which is the easiest (and if possible cheapest) way to achieve this with the router? Is it possible to exclude a device from the VPN? For example, I watch Netflix with my TV and I do NOT wont to use the VPN for that. If you are looking for a cheapest option then CyberGhost VPN is good and less expe...

pukkita

The Mikrotik LAN IP is bound to a member of the bridge rather than the bridge itself, this often breaks things in strange ways. It should be /ip address add address=192.168.88.1/24 interface= bridge1 network=192.168.88.0 Good catch, missed that. As TDW pointed, when you create a bridge, any L3 addr...

pukkita

Check System > Routerboard, does Current Firmware match Upgrade Firmware version? If not, upgrade and reboot. System > Logging, add DHCP. Try dhcp-client again on ether1, post the logs. What's the mac address of the bridge? and ether1? You can open a new terminal maximized, then issue /interface p T...

pukkita

if I've just 3 segments , e.g. DMZ, WAN, LAN in different networks, so none of them is bridged, why is there always a "bridge" involved? Because that's the way you build the "segments". Before 6.42 you had the option of either build a L2 segment by creating a bridge (by software, using CPU) or by u...

pukkita

64k is the best for gauging of raw CPU power, but again, it depends on the chores the router is carrying away, if you'll be using fasttrack or not, etc.

pukkita

Which port are you using to connect to it? Have you tried a port other than ether1? (as ether1 is usually WAN and so, firewalled on default config)? Do you see it on winbox neighbors tab? Can you connect to it from winbox if you double click on the MAC field while in neighbors tab? If you can't, wha...

pukkita

Does the CRS326 have a ip > DHCP Client entry setup? Looks like it's running a DHCP Server (not client)...

If so, disable DHCP Server, and set a DCHP Client on top of the bridge interface where all ports are.

pukkita

That's not a Routerboard, but what looks like a PC Engines Alix 2 Series board based on a 2D3 from mid 2000's. Wireless card is a 12+ year old ROS supported one, a CM9 (Atheros AR5213). Have one 2D2 still bouncing around, hw reliability vs an all-integrated routerboards is a joke (logical, this is a...

pukkita

Check your firewall (IP > Firewall > Filter) Your symptoms are the typical when being used as a DNS spoof amplification attack. If your wan port is not protected from Internet, attackers start querying your router DNS server pretending to be someone else, who gets blasted with your (and hundreds of ...

pukkita

Could be a damaged reset switch. I'd try a netinstall , try with the reset switch, keep it pressed, apply power, wait until cAP appears on netinstall. Alternatively, if reset switch doesn't seem to work, look for a reset pad on the PCB, short it with a screwdriver or something, power it on, and keep...

pukkita

Update: I've found a work-around, but I'd still like to know what's going on here. If I change the RB922 configuration from /ip address add address=192.168.3.73/24 interface=ether1 to /interface bridge add name=bridge-lan /interface bridge port add bridge=bridge-lan interface=ether1 /ip address add...

pukkita

If I connect Orange Pi and RB922 with a straight ethernet cable, I can see the link coming up on the RB922 (100M-half), but u-boot can't ping the RB922 and tftp times out. That's the first thing I'll troubleshoot, why half duplex? try issuing some "ip link" commands or whatever appropiate for the O...

pukkita

To recap in the meanwhile it gets to the Wiki: Concurrent Simultaneous Requests is now settable DNS Servers (RouteOS DNS Client Settings): goes through them sequentially passing on to the next only if it doesn't receive an answer (fails). Further clarification regarding this on the wiki would be gre...

pukkita

Just tested an EU XS with a hAP AC 6.40.9, works flawlessly, 100/115 MBps using 5GHz AC 40MHz.

Looks like device specific, definitely pointing to the iphone.

To rule everything out, Is System > Routerboard Current Firmware same version as Upgrade one?

pukkita

But I do see someone who is cruising around the forum looking for virtually irrelevant things to answer. I expect you're trying to "big yourself up" and up your post count for whatever reason. That's the only reason I can see for the post, unless you're just bored of course. And then you try and be...

pukkita

Ether port on the Groove comes as WAN port on default config, and thus is firewalled. Try this: 1.- Connect to its wireless. 2.- On winbox, go to neighbor tab. Double click on the MAC address, you should be able to connect. 3.- Once you can log in, reset it to no defaults. 4.- Set it up per your lik...

pukkita

Which specific device? Does it have a serial port?

pukkita

Yes, if using the stock Power adapter.

pukkita

Try this: On the Station (SXT5 Lite r2): 1.- Go to Bridge. 2.- Remove unknown port 3.- Add wlan1 port to the bridge Cannot say for sure as I'm missing some details about your config, but once you do that Layer 2 between both networks should be fixed, try pinging between any devices (but the antennas...

pukkita

RB2011 PoE Out is Passive only, not af nor at, you can't use a RB2011 to power the HP. Captura de pantalla 2018-09-02 a las 10.25.05.png You need to either get an standalone PoE af injector, or use a different Router which supports PoE Out af/at, like an hEX PoE Captura de pantalla 2018-09-02 a las...

pukkita

Yes, in all cases they were providing power to wap ac Do same 2011 port powers a 100BT device fine? I've experienced that, specifically when powering gigabit AC devices from 100BT PoE out ports. First time with a 951Ui and a Netbox. Something "broke" on the 951Ui which wasn't able to power a gigabi...

pukkita

However we noticed for all devices which we have set the static DHCP IP for, it will NOT show up in the DHCP Server (under leases). When we tried to manually add a lease for it by adding the IP with its MAC Address, it is always having the "waiting" status. DHCP Server will inspect the ARP table fo...

pukkita

I'm a bit new here and used to Redhat's bugzilla/etc. How do I easily find out if there is an issue Mikrotik is already fixing or if it is something that a post like this could be useful for? Sure, check Mikrotik Changelog Section . Searching the forum may lead to interesting findings, or as you ju...

pukkita

Yes, it is possible. No differences hardware-wise.

pukkita

Yes, you could go VPS and use CHR; if you prefer having your own on a NOC or Office, couldn't agree more: an hEX or hEX S are ideal, seem to be conceived with this duty in mind: generous RAM, powerful dual core processor, MicroSD... while drawing very little power, taking little space and generating...

pukkita

I would set up a VPN "hub" for those SXT LTE to call home possibly using SSTP; you can dial into the hub and by RoMON or L3 manage any of the SXT LTEs.

This also opens the possibility of running a dude server on the hub, to (mass) monitor and manage the SXT LTEs.

pukkita

6.40.8 is vulnerable to this? yes, check 6.40.9 changelog (or 6.42.7) again , CVE was added afterwards, guess due to coordination? late addition?. MAJOR CHANGES IN v6.40.9: ---------------------- !) security - fixed vulnerabilities CVE-2018-1156, CVE-2018-1157, CVE-2018-1158, CVE-2018-1159; -------...

pukkita

Alex, were the 2011 powering AC CPEs?

Ondrej, did you include a supout.rif file taken while the problem was happening? do so...

pukkita

Not sure If I understood your scenario. 10.1.1.2 is a Caching DNS server? if so, let's say it's MAC is AA:BB:CC:DD:EE:FF. You need to publish the entry with the MAC of the real device having 10.1.1.2, on the interface where the queries will come. /ip arp add interface=hosting address=10.1.1.2 mac-ad...

pukkita

I see... agree with you, definitely looks like the hAP ac2 power draw at boot kicks the power draw protection. Which ROS version on the hEX? Firmware? (system > Routerboard?) This could be either a hardware limitation on the hEX S, or maybe something fixable by upgrading POE firmware, as it was the ...

pukkita

Christian, that RB1200 has some age... leaving a device for so long without upgrading rises a lot the chances of problems, moreso if the device (hardware) is old. How Old is it? ten years? ;) Looks to me like a damaged main booter. To fix: 1.- Connect a serial console to it, so that you can reach th...

pukkita

I've also setup the IP/Cloud feature but the DNS name is a little hard to remember! Use IP > Cloud. Purchase a domain, say my domain.com Setup as many CNAMEs on that domain pointing to the ip > cloud FQDN. From here onwards, no DNS query is gonna "resolve" to a port AFAIK; to manipulate based on re...

pukkita

You're not asking for help, but for someone to provide the whole (non trivial) setup for free, soo... wouldn't sweat waiting for that to happen, if ever. One thing is asking about specific issues, doubts etc on a user community forum, and a very different one is dropping a "I am a company and want t...

pukkita

Other Mikrotik PoE switches can output up to 1A per port. Don't know the specific case for the hEX S as is a recent device and not a word about output limits on its last port on the specs, so it may be the case... Again, this is the Maximum power draw by hAP ac2, won't be surprised if average draw i...

pukkita

Bestinwifi: please change your IPSec secret, you published enough details for someone to try brute forcing VPN accounts on your router... already edited your SN/soft id.

pukkita

hEX S max power draw = 11W hAP ac2 max power draw = 15W Total maximum power draw = 26W. hEX S PSU is 24V @ 1.2A = 28W. Tight, but these are maximum power draw values. Have you tried powering the hAP ac2 on its own to see if is still unstable? How long is the cable going to the hAP ac2? Yes, you can ...

pukkita

Bandwidth test tool is useless for SFP+. won't reach more than 2Gb ever.

Use iperf and two PCs...

pukkita

By using fasttrack, you will be able to get higher throughput, but I seriously doubt a CRS317 could reach 1Gbps of routed/natted traffic even with fasttrack enabled, guess a more realistic figure will be around 250-500Mbps max, though I never tested. Do not underestimate the hEX, it's a little mean ...

pukkita

Doesn't it appear on Neighbors tab of Winbox? If so, click on the router Mac-address to connect via Mac-winbox.

If it doesn't, you can gain access to the 3011 in order to reenable networking services by using the Serial Console port, RJ45 on the back of the RB3011.

pukkita

You can't AFAIK, dns name is made up from Routerboard serial.

pukkita

Your assumptions are correct, this is a programmable switch, whose CPU provides auxiliary functions, but it's not conceived to route 1Gbps. And no, specs mean that with traffic flowing to/from all ports, the device is capable to route 1270Mbps overall (not each port), if all packets were sized 1518 ...

pukkita

sid5632, no rudeness, even your gratuitous one, is allowed here.

You're Warned.

pukkita

Sure:

Captura de pantalla 2018-08-01 a las 14.00.23.png

pukkita

We have made a blog, where we will publish the most important announcements regarding security and other topics.
Bookmark this link for Security related news:

https://blog.mikrotik.com/security/

Here is the RSS feed link:
https://blog.mikrotik.com/rss/?cat=security

Great!!! Killer idea!

pukkita

Nothing special, on router just make sure the ether port where the AP is connected is in the bridge where DHCP runs on.

pukkita

Get a serial cable ( see Wiki ) and connect to the console. Try a netinstall using ether1 to latest bugfix version. To rule out the reset pressing time lottery, you can set that via the serial console (set the boot device to ether boot) having access to the console will be really useful to troublesh...

pukkita

No difference, the approach is the same. Just config all the APs as wired/wireless switch as described . Configure the same SSID and security settings on all of them. As long as the Cisco cable going to the Mikrotik connects to an ethernet port belonging to the same bridge as the DHCP server for you...

pukkita

I see... Agree with Sindy, this looks like a bug, your config looks fine to me with regards to being able to connect to other IPs but from the src/dst-natted ones. ROS version? Routerboard firmware version? How do you config the IPs, directly on the WAN interfaces (no private transit or loopback?) D...

pukkita

a wAP (or any Routerboard) can be be programmed to be whatever you want. Of course can be a wireless client. What it cannot be is a repeater (wireless client + Wireless AP at the same time) if the other device is not a Mikrotik. If your intention is placing the wAP as outdoors repeater with the Netg...

pukkita

Even if it has been set, the method of keep pressing should work... are them under warranty?

pukkita

I have got it back to a stage on Winbox with it showing the MAC address IP of 0.0.0.0, Idenity - preconfig , Version 6.37.3 and board RB952Ui-5ac2nd. Following other threads, I have also attempted to use NetInstall and cannot get it to see the router. To be on the safe side I have attempted it on a...

pukkita

For dual wan use you need to further use mangle to: - keep track of connections, so that what enters via one WAN, exits via the same one - Steer/balance traffic towards the two WANs Even if you aren't using both WANs for general internet traffic, (e.g. general traffic to Internet exits via a single ...

pukkita

... I have problem setting up dual band, but that's another story (and maybe another question here after having exhausted what I can think of!) Solved! (how can I mark it as solved?) => OK, just found it! Thanks for marking it SOLVED! Re: dual band problem Looks like CAPsMAN provisioning setup issu...

pukkita

Default Route Distance can be set also on pppoe-client, vpn clients, etc: Dial-out tab.

pukkita

You need to wipe your cAP config and set it up to be a L2 device, a simple wired/wireless switch: See this post for details.

Don't use webfig... use winbox neighbors tab, this way you can manage it in L2.

pukkita

PoE-in or PoE-out capabilities are physical port capabilities, they cannot be moved.

But you can move internet, or the WAN, to a different port, for example ether2 and leave ether1 only for powering the hAP ac2.

You can use the same method I explained here

pukkita

After disabling NAT on PPPoE interface, You need to setup RIP, but still details are missing. To set up RIP: routing rip> set redistribute-connected=yes redistribute-static=yes routing rip interface> add interface=YOURPPPoE_interface receive=v2 send=v2 passive=no routing rip network> add network=77....

pukkita

The reasoning behind: - hap ac is a router board, and as such is 100% programmable - I can provide specific instructions - One of the best APs Mikrotik has for your application. - You may want a dual WAN setup in the future The Netgear (or any other "canned setup" AP) should be possible to put it to...

pukkita

Hello, Yes, it is possible provided both are properly setup. Instead of the Netgear I'd go with a Mikrotik AP, like the Hap ac . The easiest configuration would be 1.- Set up the LTE using the wizard to provide Internet (HomeAP? setting). 2.- Plug the LTE to the Hap ac and set it up as wired/wireles...

pukkita

Power everything off for > 10 minutes, then power on.

Failing that, call Ono as their system may have blacklisted your line in DHCP, not uncommon on Fixed IP lines.

pukkita

ROS will select a Mac address from the ports in the bridge, no need to specify any.

Looks like the .rsc file is not loading, try logging to the router after the reset, and issue

/import file-name=mymapR.rsc verbose=yes

Pasting any errors here.

pukkita

You provide very little info regarding your network...

If main Mikrotik has wireless interfaces, and DLNA client devices connect by wireless, first thing I'd do is go to Wireless, select interface, enable Advanced Mode, and set the multicast helper to full.

pukkita

Hex S or RB760iGS is MMIPS, dude package should be for MMIPS Dude 6.40.8 MMIPS
I am surprised by this because how do you know which version of RouterOS is installed on the 760iGS?

Good catch, edited.

pukkita

As Pamela32 pointed out, you should watch out for voltage drops. However, the Groove doesn't support active PoE, only passive. The best approach is using a DC power adapter from 24V to max 30VDC (Groove limit), capable at least of 500mA. Power the mAP with it via it's DC-in jack with it, it will pow...

pukkita

On Mikrotik #2: 1.- Upgrade to latest bugfix 2.- Reset to no defaults 3.- Create a bridge. Add all interfaces (wired and wireless) to the bridge. 4.- Configure wireless interfaces: same SSID, security (WPA2) and passphrase as on Mikrotik #1. Done. As long as you plug one ether from Mikrotik #2 to th...

pukkita

Please post the interface stats, Rx, Tx, overall. There has been lots if changes in L2 implementation in ROS recently. What happens if you put a switch in between? Any difference? I couldn't agree more with jarda, on top of that mikrotik tries to avoid spaguetti code to fix other's bugs. Post a pack...

pukkita

ROS Version? Is DHCP set to authoritative?

If using latest bug fix, take a support while experiencing the issue and write to support attaching it.

If not, try bug fix version. Are you creating static DHCP leases for the Synaccess?

pukkita

The only modification required would be adding the interfaces directly to the bridge, instead of setting the master-port.

ROS will enable HW offloading if suitable.

pukkita

RaynoP: I'd try 6.40.8 if it weren't for the cAPs ac, which were very recently released and require current branch (see changelog). I'd put the blame on them... thing's I'd try: - Check that System > Routerboard Upgrade Firmware matches Current Firmware, upgrading if it doesn't (all devices). - neti...

pukkita

Yes, Routerboards are 100% programmable. You could achieve what you want and learn during the process, this is what I'd do to "reverse" the ports w/o having to program it from scratch: Connect to your mAP using winbox. 1.- Create an configuration export: To do so, Open a New Terminal , and issue /ex...

pukkita

If you're using a laptop, try disabling the wireless interface, to force the OS to make sure it's using the ethernet interface.

A tip: Keep pressing the rest button until you see the router appearing in netinstall.

pukkita

What I would do: 1.- Upgrade to latest bugfix 2.- Reset to no defaults 3.- Create a bridge. Add all interfaces (wired and wireless) to the bridge. 4.- Configure wireless interfaces: same SSID, security (WPA2) and passphrase as you pointed. Done. As long as you plug one ether from the hap ac lite to ...

pukkita

The developers could also add in small chunks of OS specific code where the wine APIs weren't good enough. I wish MikroTik could / would do that for the MacOS X / Linux binaries. Maybe they've tried and found it unworkable already. Couldn't agree more. Winbox works fine most of the time under wine,...

pukkita

Are you using latest winbox (3.15)? It can upgrade itself, check Tools > Check For Updates in Main Winbox window. If you suspect the CCR is misbehaving, I'd take a full export out of that CCR, netinstall it, then import the export file back watching out for errors. If there are any, you can proceed ...

pukkita

As long as the default route uses the gateway it, you're done. Make sure is it masqueraded.

pukkita

Hex S or RB760iGS is MMIPS, dude package should be for MMIPS and match the installed ROS version, e.g. if you have 6.40.8 installed: Dude 6.40.8 MMIPS

pukkita

I'd do this: 1.- Reset the groove to no defaults 2.- Connect to it using winbox Neighbors tab, as it will reboot without any ip 3.- Create a bridge on the Groove. Add wlan1 and ether1 to it. 4.- Configure wireless per your liking using a different channel than the one used by the Huawei, e.g. Huawei...

pukkita

No need for manual port redirection. 1.- Delete all those dst-nats 2.- IP > uPnP Tick: - Enabled - Show Dummy Rule Click on [Interfaces] button. Add ether1 as External Add your LAN bridge as Internal done. Enable uPnP on your torrent/skype/whatever client, close it and re-launch. Look at IP > Firewa...

pukkita

Yes, you could create one physical, one virtualAP SSID, then apply use mangle depending on traffic source interface to force exit through the desired WAN.

pukkita

You can't go wrong with the CCR... that said a 3011 will do for sure. If you want to save: RB3011. If you want to do an investment once for years to come: CCR1009. CRS326 is a great switch, but I have never used it personally as a router (I may for a 100Mbps WAN if budget were tight). IMHO 400/20Mbp...

pukkita

Which ROS version did you netinstall them to? Try 6.39.3...

pukkita

And MMIPS...

Router size is better determined by the WAN bandwidth you want to "move" first, and what kind of filtering, queueing, etc you'll want to apply.

Do you need a router with wireless capabilities? Will you go with a seperate router and AP?

pukkita

Difficult to guess... but you probably need to: - Add all ether ports where APs (or switches where APs are connected to) a bridge (I assume all APs are in layer 2 towards the RB1100AHx2) - Setup a hotspot (there's a wizard) on such bridge - Fix usermanager (I assume RB1100AHx2 was running it as radi...

pukkita

Make sure fast-forward on the bridge is enabled, I completely wiped out the bridge, recreated it with fast-forward set and proxy-arp/local-proxy-arp worked this time. No dice... reset it to defaults, loaded the config back, and it's not working now. Will try a netinstall, but looks some sort of issu...

pukkita

haven't had the time to have a thorough look, definitely proxy-ARP seems to break when upgrading both to ROS 6.41 or 6.41.1. Going back to 6.39.3 will only fix it if a pure software bridge is used. Use a master port adding it to the bridge and arp will break too. Looks like hardware acceleration iss...

pukkita

Noticed today after upgrading to 6.41.1 that proxy-arp and local-proxy-arp seem to be broken both on 6.41 and 6.41.1 (FW upgraded to match) when set on a bridge. Device: hAP AC. Reverting back to 6.39.3 (FW 6.41.1), restores proxy-arp amd local-proxy-arp, but only on a full software bridge. Setting ...

pukkita

Is this still the current behavior, as of 6.41 (jan/2018?)

No.

That concurrent hardcoded limit was removed some versions ago, and as sebastia posted now you can set up the max concurrent queries limit at will.

pukkita

Post

/ip address print
/ip route print

on the mikrotik also. We cannot guess what that dhcp-client on ether1 may end up doing to them.

You shouldn't have a dhcp-client on an interface with an static ip set...

pukkita

Apparently Bridge filters in/out doesn't work when hw-offload is active on the ports. Any Ideas? Correction: if using L2 bridge filters, there's no need to enable use ip firewall. Just tested on 6.41 (on a RB1100AHx2), and even with hw offload enabled, L2 filtering (.e.g manipulating priority, vlan...

pukkita

Apparently Bridge filters in/out doesn't work when hw-offload is active on the ports. Any Ideas? Did you enable "Use IP Firewall" (on Bridge [Settings])? Filters won't work otherwise AFAIK. If you did, maybe (as I still don't fully understand your requirements) is it possible that could be done as ...

pukkita

Wouldn't using no horizon at all but using Bridge filters allow what you want (prevent ether1,2 to see ether3,4 and ether5)? You can use interface lists... Same goes for Switch > ACLs Why the need to be in L2 to send traffic to monitor? IDS? Are you mirroring traffic and sending it towards your offi...

pukkita

What do you mean with "monitor all ports at the same time"? Why is it needed to have ether5 in L2 with the rest?

pukkita

Are we talking about Cuba? On RouterOS, if license is L4 (as is already on your Metal52 AC, check System > License) you may create multiple virtual wireless interfaces (wireless mode station) on top of the phisical wireless one, each virtual one will have a different MAC address and will appear to t...

pukkita

Post a diagram with all the devices involved at your side up to the AP, will help us to help you.

pukkita

Please posts all the IPs along its masks.

On routerboard:

/ip address print

host1 and host2:

ip addr show (or ifconfig)
ip route show (or netstat -rn)

pukkita

The thing is which CCR was used as btest client... has btest been fixed???

pukkita

What did solve the issue? changing the gateway portion of a route to an IP when previously there was an interface, or viceversa?

If so, did such interface had more than one IP assigned to it?

pukkita

750Gr3 == Hex.

pukkita

I said L4 because some configs used in public Cuban wifi require virtual interfaces to be used if you want to use several wireless credentials (to sum up more bandwidth, or for sharing with more people) with a single antenna, something not doable with L3 devices, and something that you may want to d...

pukkita

I assume WiFi is 2.4GHz? or there's dual 2.4 and 5GHz coverage? For 2.4GHz: https://mikrotik.com/product/lhg_2 (Unknown, L3 I guess) https://mikrotik.com/product/RBSXTG-2HnDr2-168 (L4) For 5GHz: https://mikrotik.com/product/RBLHG-5nD (L3) https://mikrotik.com/product/sxtsq_5_high_power (L4) Whatever...

pukkita

The real question is no sane admin will leave unrestricted access to a router from the Internet.

Best practice: prevent access completely to it from the internet, set up VPN access and allow only that.

If your router IP is not fixed, use IP > Cloud.

pukkita

Have a look at viewtopic.php?t=123380

Set the wAP AP as a wireless/wired switch as explained there.

pukkita

I think the hardware you have have selected is fine, since you are stationary in an RV park you can power it however you want. If you were trying to run off of the battery system in your RV I'd suggest not using the included power injectors, but instead to hardwire (with fuses and a switch, of cour...

pukkita

Are you sure the nano hasn't resetted itself to 192.168.1.20? Can you see it via IP > Neighbors?

pukkita

being mostly laptops, I'd go either for the Hap ac or wAP ac.

pukkita

Move IP .5.200 from ether1 to bridge1.

I understand there's nothing on Ip > Firewall > Nat

pukkita

You need to configure it to suit your needs, default configuration logs to memory only.

See /System logging, you need to:

1.- Create a remote Action setup for your syslog collector
2.- Set up logging Rules for the topics you want, setting/changing its action to the remote one you set on step #1.

pukkita

Mikrotik doesn't check anything it simply asks freeradius: user X with password Z wants to login, should I allow it? Then is freeradius which checks on its tables and simply answers Mikrotik router if the user successfully authenticated, and any user related reply items. You need to check your freer...

pukkita

I wouldn't use the Metal52ac, reasons: - You need an antenna for it. Forget about using a omnidirectional antenna to pick on distant signals, that's the worst option possible. - only 1 chain. I would use LHG2 To "pick" on the distant signal, advantages: - 1/3d of the cost vs Metal52ac + antenna - Be...

pukkita

RouterOS uses only 1 Radius client, you cannot have two hotspots using different radius servers on the same router. You can have several radius servers on /radius, but RouterOS will use the first, unless it's down; then it will try the second, and so on. You don't need two seperate radius servers fo...

pukkita

You cannot just tinker with the tables and expect it to work... Seems your freeradius configuration makes it interpret that table as radcheck, and you chose to store gender on the op field, which freeradius expects to be a two character field, containing Freeradius operators . radcheck table has to ...

pukkita

Run Tools > Torch on ether3, tick "Show VLAN id", do you see the expected VLAN IDs there?

Post a full export.

pukkita

Write to support linking to this post and explaining the situation, they'll work out the license issue.

pukkita

Yes, you're right: the wiki specifies it:

Configure script RouterOS export file produced by the export command). Any file supplied here will become the default configuration of the reinstalled router.

pukkita

This is usually MTU, or packet loss issues. Isolate and test that subnet and its uplink point to the rest of the network.

pukkita

A weird thing noticed: the throughput improves considerably when I run the Packet Sniffer on the L2TP interface! Running Packet sniffer disables FastPath and Fasttrack . Check your firewall settings if you have fasttrack enabled. Similar thread: very strange slow web access but can be solved by pac...

pukkita

You don't need different packets for upload/download, just make sure that for a given traffic category, you mark traffic on both directions. It's the parent which will dictate if QoS will be applied on upload or download, depending on parent interface, you can use same packet marks. parent=global wi...

pukkita

Can I have a parent=global queue to handle all traffic towards the LAN while not intermixing the rates with the upload traffic to the two internet interfaces?

Yes, that's the way.

pukkita

For home use, options on increasing budget: - hAP ac: router + AP on single device. Drawback: you need to position it optimally for the AP. - RB3011 + wAP AC: Best of both worlds: router can be positioned on your comm cabinet, and wAP AC(s) optimally for best wireless coverage. - RB3011 + hAP AC: if...

pukkita

Which RB433? In these cases the best option is to netinstall.

pukkita

From RB1100AHx4 brochure:

Captura de pantalla 2017-11-11 a la(s) 11.23.24.png

So a difference on dude edition is it comes with a 60GB M.2 disk from factory.

Additionally, dude edition sports 3 switch groups, while non dude edition seems to have none.

pukkita

What's new in 6.39 (2017-Apr-27 10:06):
!) ppp - implemented internal algorithm for "change-mss", no mangle rules necessary;

pukkita

Only on the 750UP location, as allstarcomps said that's the only place where you need to connect more than one station. L4 is $45, but... SXT's are directional antennas, if you want to connect the two SXT lites to the AP on 750UP location, you'll need not only a radio that has L4 license, but also i...

pukkita

Post a diagram. I tried to configure all 3 in bridge mode but could only get the bridge to function over any 2 APs at one time. SXT Lite license level is L3, that means it's limited to act as an AP for only one device (wireless mode = bridge). You can either pay to raise its license to L4, or purcha...

pukkita

CAPsMAN requires certain knowledge, QoS definitely, you would be better hiring someone knowledgeable . I wouldn't limit per user (simple queue), but program a QoS (queue tree) that categorizes traffic, dynamically distributes available bandwidth depending on traffic category priority, then use PCQ q...

pukkita

When you say MI Repeater I understand it's a wireless repeater? If so, that's your first problem. I'd: - Put the Airtel router in bridge mode if possible - Deploy a internet router to manage users, speeds, QoS and CAPsMAN. Hex could be a budget candidate that fits the job nicely. - Deploy at least t...

pukkita

Exactly. If you're setting up an AP for unknown wireless/mobile devices you'll have to set it up in the most widely compatible way.

For 2.4GHz that means 20MHz and default settings.

pukkita

You need

1.- Mikrotik radio that suports 5/10MHz (not all of them do)
2.- Client with radio with same capabilities

pukkita

Because there are two directions while communicating. Let's suppose this scenario: AP <-> STATION using frequency 5640. Interference may be local and affecting only the receiving side, (e.g. other antenna nearby STATION transmitting on 5640). while it could be possible that AP can "hear" STATION whe...

pukkita

Have you tried setting the src-address on the mikrotik router to 192.168.5.1? Windows PPTP client should get a route to 192.168.5.0 via the VPN, nothing else should be required. That's the point of using same network range on LAN and VPN + proxy-arp, no routing is necessary. Check a router print on ...

pukkita

Only place where proxy-arp is needed is on bridge1, nowhere else.

Reboot the router afterwards.

pukkita

please post

/interface export
/ip address export

pukkita

Not sure if I understood your situation right. If you want the laptop acting as server to have a fixed IP, you can still use DHCP. 1.- Go to IP > DHCP Server > Leases and locate the laptop one. 2.- Double click on it, and click on "Make static". From now on, the laptop will be always offered that sa...

pukkita

6Mbps is the lowest of the so-called "basic rates", and the only basic-rate with default configuration. Radio switches to this basic rate when initially establishing or renegotiating the radio link; this indicates you're having interferences, SXTs may have moved, a new nearby obstacle, or a new obst...

pukkita

shouldn't need this

chain=srcnat action=masquerade src-address=192.168.5.48/29 dst-address=!192.168.5.48/29 log=no log-prefix=""

if proxy-arp is properly set.

pukkita

No, USB external disk cannot be used as system partition, and I'm afraid it cannot be used for graphs storage either.

External storage can be used for web proxy cache, samba sharing, etc.

pukkita

Lots of power off/power on and bad electricity supply can corrupt the NAND format or damage it, specially if you're writing constantly to it (do you have graphs active?). If you're experiencing such electricity supply unstability, you'd better either get an UPS at least for the router... this router...

pukkita

Looks like your NAND is gone, you'd better write support, short of netinstalling it again, resetting it to no defaults and reconfiguring it looking if it holds fine this time. Better than using a .backup, you could make an export, so that you can just copy & paste the config on this, or any router (...

pukkita

Len = Length (size).

You got it right for the rest.

pukkita

300 is radio datarate, in TCP that would equal about half, 100-150Mbps TCP.

You need clients to be dual-chain / dual stream (2x2 MIMO) while most mobile devices are single chain.

pukkita

At this moment I have CRS125-24G-1S and I want to get 2nd device with spf, gigabit lan ports and with Dude support.

Sounds like RB3011 is what you are looking for. Next option would be a CCR.

pukkita

Another thing that you may need to ensure is that you are actually masquerading or dst-natting traffic from your .123 network to your .10 network. Nope, no need to. If 10.x clients use 10.x (10.1 or 10.200) as default gateway, and .123.x clients have .123.x as default gateway both networks will be ...

pukkita

Check System > License, if it's fine then I'd say you can rest asured is not a copy.

pukkita

Exported database is sqlite, you may use sqlite tools to create the XML export, like .e.g. sqlite-manager or SqliteStudio for once in a time operations. To program an automatic conversion process, you may use sqlite to export database to CSV, then use either your own code to convert, or use a CSV to...

pukkita

This is the case right now. But tbh i don't understand why this must be the GW, when there is no device with that IP (should i give the RB750 this IP?) Yes, you should either change it to 192.168.10.1, or keep the current 192.168.10.200 AND set the clients to use 192.168.10.200 as gateway. Best app...

pukkita

CRS326 is ARM platform, whereas most CRS line is mipsbe, where dude is not supported.

Have you tried uploading the dude arm package to it then rebooting (provided you're using RouterOS and not SwOS with the CRS326)?

pukkita

Sadly i'm on the edge of insanity, because i just can't seem to get it to work. I have a static Route on the AVM Fritzbox, which redirects every request etc. directed at the 10.xxx Network right to the RB750 (because the AVM is the Gateway for the 123.xxx Clients). Can you post that route? Check th...

pukkita

200Mbps is going to depend on available spectrum, contiguous free 40MHz-50MHz minimum required.

Suitable devices for this in order of preference:

- netmetal (dual chain) + mANT30-PA
- netbox + mANT30-PA
- QRT ac
- DynaDish

pukkita

GRE does not use a port!

I know... I meant ISPs are known/likely to throttle it down also, or even block it. The point of the OP was using a transport that was unlikely to be tinkered by the ISP...

pukkita

It's stated at the calculator, link it's possible, but you'll need an outrageously high tower (>70m height) to mount the Tx device. Either that, or use four devices to create 2 PTPs. First PTP will clear the elevation by Rx'ing at the edge; this first PTP Rx radio will be wired to second PTP back to...

pukkita

You seem to miss the IP > DHCP > Network entries. Also I think for your intended setup add address=10.35.0.1 interface=bridgeopen network=10.35.0.0 Should be add address=10.35.0.1/24 interface=bridgeopen network=10.35.0.0 . Do clients connected to the open network: 1.- Get an IP? 2.- post ipconfig/a...

pukkita

- L2tp works only on port UDP 500. This is a sad notice. In OpenVPN i don't use standard ports for connect. Some ISPs will slow down traffic on this common ports.

Similarly goes for GRE.

Would be nice having customizable L2TP port for ROS... of course only ROS devices could be used on both sides.

pukkita

Check your firewall for any filter o nat rules that may be getting into OSPF's way.

pukkita

Download the sstp-client-1.0.11.tar.gz package and look at the README inside, there's no need for X. You can create .deb packages rather easily, look inside the sources. pe1chl, SSTP may not be the optimal solution but giving the limitations gamba47 is facing, which SSTP dodges, there's nothing to l...

pukkita

When i connect to the private network, it's ok, i've got an ip address and have a n internet access, but when i tryed to connect to guest network, i also get ip address, but no internet access, and also i can't ping my router from the connected device. I assume you mean the internet router plugged ...

pukkita

No need for softether, SSTP Client is all you need.

What distribution are you using?

This provides a plugin for stock pppd and a sstp client tool (sstpc).

Typical area were you may find issues while setting up is the server certificate, watch out pppd client logs on Linux server.

pukkita

Your routing is fine. Did you issue the ping to 8.8.8.8 from the router??? Remove masquerade on bridge-LAN, only masquerade you need is the one already set: You posted: /ip firewall nat add action=masquerade chain=srcnat comment="default masquerade" \ out-interface=ether1_WAN add action=dst-nat chai...

pukkita

Change its logic:

 chain=input action=drop in-interface-list=WAN

pukkita

/ip address add address=192.168.88.1/24 comment=defconf interface=ether2 network=\ 192.168.88.0 You should change that IP to interface=bridge-LAN /ip arp add address=192.168.88.248 interface=bridge-LAN mac-address=7C:05:07:10:04:AD Delete this. On Winbox, open a New Terminal and issue /ip address p...

pukkita

According to the SB6141 Manual , as pcunite says there's no SFP, you should wire it like this: I am confused? I bought this SFP Copper Module (Mikrotik Item model number S-RJ01). Now you are saying i cant use it with this router and modem? I am very confused now? It is an ethernet cord, it is nothi...

pukkita

Then you'll need to to it the not optimal way. It's not optimal because you're forcing the radio on the repeater to split its tasks in two, so it: - halves the bandwidth - doubles the latency - halves available spectrum efficiency for everyone. Say wired hAP is A, repeating hAP is B, and user C is c...

pukkita

According to the SB6141 Manual, as pcunite says there's no SFP, you should wire it like this:

wiring.png

pukkita

Make sure that either - If you don't mind both SSIDs being bridged, ensure the VirtualAP interface is added as a port to the same interface (bridge) the DHCP server is running on ( Check IP > DHCP Server ). - If you want to keep both SSIDs isolated, you'll need to setup another DHCP server to be ded...

pukkita

You cannot, exceptions to proxy access list are static, so unless there's a regex pattern that will catch both orange.fr and related CDNs (highly unlikely), you'll need to add a specific proxy ACL for each.

pukkita

Yes, but that wouldn't be optimal.

Best approach is wiring both Haps, then have both broadcast any SSIDs you want on any of the two bands.

Good scenario to use CAPsMAN.

pukkita

I can't see the usefulness of storing only the src-address and port if it cannot be cross-related to a dst-address... if you just want that info, use radacct.

Otherwise, you'll need to process the data at syslog receiving stage.

pukkita

There's no dude server for MIPSBE platform, it's only supported on Tile, ARM, MMIPS and x86/CHR.

You need to install it on a supported router, then by adding the RB433 as a device, (and as long as wireless cards used aren't AC chipset), you'll be able to do spectral scans from the main dude server.

pukkita

You can setup this value on 6.40, AFAIK there's no limitation.

Obviously, unless hardware is sized for the load, this won't make a difference.

pukkita

I've setup before with port redirecting with dstnat to udp port 53, There's no need for port redirection, are you "hijacking" outgoing DNS queries and redirecting them to the cache? Depending on the resolving library used by the client this may not work (most modern libraries). You'd better hand th...

pukkita

How did you set it up? Basically you need to 1.- Add OpenDNS servers to IP > DNS Servers, you can set more than one by clicking on the small, bottom pointing triangle next to the Servers field. 2.- While you're at that screen, make sure Allow Remote Requests is enabled (this enables the DNS server f...

pukkita

How was your WAN setup? Does it use DHCP to get the WAN IP?

Are you sure sfp interface is linked and running? (Look at Interfaces > SFP1 > status)

pukkita

Post an export.

pukkita

Glad you found the fix!

Can the part of the firmware that handles this stage when booting get corrupted?

It can happen, you'd notice because after netinstall it won't boot either, there's a Backup Booter you can force on System > RouterBoard [Settings] in such case.

pukkita

Try netinstalling it

pukkita

Try this:

- Go to Wireless, open wlan1-gateway, click on [Advanced Mode] button, and set Multicast Helper to full.

pukkita

I'd say you have two problems; a L2, root one that causes the pppoe sessions to disconnect, you need to find the cause. Interface flapping on PPPoE Uplinks are not admisible on production scenarios, check wiring/fiber, SFP modules, Switches, etc. Are you using OSPF? The second one (high CPU load) se...

pukkita

Secondly, i have only six PtP long distance links in different directions at different locations, so i think its not feasible and investing extra budget using extra network gears for many links to 360 degree coverage with no such customer base in near future. This is government based organizational...

pukkita

Do you mean that you cannot "see" it via winbox neighbors or connect to it via previously known IP?

In such case, you need to do a netinstall

pukkita

Which interface flaps? the VLANs? What's the CPU load at those times?

pukkita

If I change the port to auto-negotiation disabled, port speed 1G, Full Duplex, the link light will appear on the CRS and report transmission activity. The Netgear will not establish link light or pass traffic.

Then you need to force 1G also at Netgear's end, did you try that?

pukkita

This remote wireless network connectivity belongs to government based wildlife remote monitoring project where 32 HD CCTV cameras live feeds from remote forest monitoring sites would be monitored at wildlife range office in the city. Nice project :D I'm curious, where is it? Have you disabled one o...

pukkita

Taking a routerboard and sticking multiple radio cards on it is a thing of the past, (and never 8 cards!!) and the least desirable option, several radios cramped on a single board interfere with each other; your approach, single RB + multiple cards is the worst option possible from a optimal standpo...

pukkita

RB800 was obsoleted long ago.

The "nearest" modern RB to RB800 is the RB850Gx2.

Depending on bandwidth and duties, more commonly used RBs for this task would be RB3011, RB1100AHx2, or CCR1009.

What are the RB intended tasks?

pukkita

hAP ac is the flagship AP for indoor use, really doubt mikrotik would be launching another device to replace it on for this segment soon.

pukkita

My guess was that the switch was creating a different ground level than the router, or something along these lines...

That's my guess also, check grounding of the enterasys, rack and 2011... everything should end on a single common ground.

pukkita

Try setting channel width to 20MHz.

pukkita

Use a MicroSD or USB, and run user-manager database off it, you're running out of space.

Which routerboard are you using?

pukkita

Try upgrading the bootloader via Bios: https://i.mt.lv/routerboard/files/p2020_3.24.fwf trying netinstall for 6.38.7 again.

pukkita

Which netinstall version? What's the bootloader version on the 1100AHx2? It is on par with the netinstall version you're using?

Have you tried to format NAND via the serial console first?

pukkita

E. Have you been changing cables ? F. Are you sure that someone in the building have not made a loop connecting cables to local switch?. I'd add: G. Are you sure nobody has created a new bridge, added a new port to an existing one, or changed/set some ethernet port master port parameter? If you had...

pukkita

BartoszP is right, highly unlikely three routers start to misbehave at the same time; check your network / routers first. If you don't find 100% CPU or other anomalies on logs: Make sure Current Firmware is the same version as Update firmware on System > Routerboard. If not, click on upgrade and re...

pukkita

BartoszP is right, highly unlikely three routers start to misbehave at the same time; check your network / routers first. If you don't find 100% CPU or other anomalies on logs: Make sure Current Firmware is the same version as Update firmware on System > Routerboard. If not, click on upgrade and reb...

pukkita

Computers in the same range expect others to reply to their arp queries, i.e. expect the rest to be L2 connected and thus receiving/replying broadcasts straight on their own. Proxy-arp aids when you use the same range for the VPN, as remote computers aren't directly connected to the network; it make...

pukkita

When you spoke about a closed rack I thought on an outdoor enclosure for a tower or something similar, not for indoor duty. In that case your plan will work, you'll lose some db's due to the longer cabling and the additional connectors, but will be better than having the router antennas inside the f...

pukkita

The "easy" solution would be a CCR1072-1G-8S+

Another possibilities:

- Use a router with an SFP+ port like CCR1009-7G-1C-1S+ plus a suitable switch, like CRS212 or the CRS317, connect them via SFP+ at 10G with a DAC cable and you're set.

- Budget option: a Hex + CRS212.

pukkita

It will work , but... Is this a sound plan? Am I using the right components? Will it work afterwards? Would it be better to do it another way? Instead of taking a desktop integrated router, adding an external enclosure, adding an additional loss point (SMA->SMA Antenna) and longer pigtails, and a cr...

pukkita

Yes, they have same chipset, QCA9533.

pukkita

In such case a hAP ac Lite could be an affordable dual radio device to learn with, plus you can connect an USB modem like the e3372 to build your MIFI solution, or use 2,4GHz radio to connect to your existing MIFI and re-broadcast via the 5GHz radio, etc.

pukkita

hAP ac and wAP ac are dual channel radios, so 12 APs = 24 radios; 1200/24 = 50 users per radio, I doubt all 50 will be active simultaneously, so as long as placement is well thought out it should be enough, short of additional APs to cover any shaded areas you may find. Most modern smartphones and t...

pukkita

I have yet to test this device, but I doubt it. CRS is a programmable Switch, but CPU power is not suitable for routing (software) that bandwidth, acccording to its specs : Captura de pantalla 2017-09-01 a la(s) 18.38.42.png Best bet for that duty if budget is no object: CCR or RB1100AH. Low Budget:...

Search found 2966 matches