MikroTik

pukkita

Sorry, I thought you meant a setup for the harbor to serve the boats! w32pamela is right, this would be overkill for a boat. For a boat inside a harbor, an omni is fine. If you want to connect also while out of the harbor, I'd go with a directional antenna, mounting it so that you can point it (manu...

pukkita

You are right, is it better to have three or four sector antennas, than a single omni one. But instead of looking for a routerboard that can be fitted three dual radios, I would go for a better solution: three standalone sector antennas + built in radio, and a router to act as CAPs manager; the sect...

pukkita

If you want to keep pfSense until you get more comfortable with ROS, but at the same time leverage user auth via radius, I'd keep provider edge duties (firewalling and NAT) on it, and set the Mikrotik as a pppoe concentrator, with either local accounts, User Manager, or external radius, and ditch DH...

pukkita

/ip firewall nat add action=masquerade chain=srcnat There lies your problem. You should apply such masquerade/srcnat only to your WAN interface(s). Your router is basically srcnatting everything, i.e. changing source address of any and all connections traversing the router forward chain. This cause...

pukkita

+1 for MQTT :-)
would also be interesting as transport protocol for LoRaWAN

Would be a perfect companion!

pukkita

A 2011iL isn't what I would use in 2020 for a 400Mbps line... definitely enabling fasttrack, and tuning the firewall would be a must, but even though, don't expect 400Mbps performance. How do you get your internet IP? pppoe? if so, expect around 150-250Mbps max with tuning. I'd get an HeX straight a...

pukkita

What is the best strategy for the isolation of interfaces/ports from one another? -- So machine 1 can't send packets to machine 2. This would be bad . Given that PLCs/SCADA won't be sending Gbps of traffic, the most straightforward method I'd use is setting same horizon value on all the ports of th...

pukkita

And my speculation about why vendors don't support huge MTUs just on all of their devices: if L2 device (switch) is a store&forward device (most of them are), then large configurable MTU sizes mean larger RAM (used as frame cache) is needed ... rising price of device (every penny counts) ... fo...

pukkita

This Serve The Home article with a $ per port and per Gbps analysis can help you out in picking the optimal ones for the application.

Well worth the read.

pukkita

Regarding redundant number of links... difficult to say, that's something that has to be assessed considering multiple factors, then deciding what shall be the minimum SLA and design them. I remember an specific MUM presentation by fellow trainer Mihai Saftoiu, Fully Redundant Networks ( PDF ) that ...

pukkita

ccspdk, for this application I think a GPEN approach (Gigabit Passive Ethernet Network) can fit as a glove for building distribution to flats and keep costs down so that you can be competitive.

See newsletter and the GPEN concept)

Captura de pantalla 2020-05-08 a las 17.47.27.png

pukkita

Thanks for the detailed post! This routerboard (hAP AC) supports passive PoE only. Dahua camera on the other hand, requires Active PoE (802.3af) according to its specs . If this is your only camera, the cheapest solution would be to purchase a standalone Active PoE (802-3af) injector, have seen UTEP...

pukkita

First thing that comes to mind is the typical reverse DNS query most linux distros do when accessed via SSH. If it cannot reverse-query the source IP, you may experience this delay.

Posting the 4011 config will definitely help.

pukkita

It is made of plastic and a really light wire mesh (dunno if steel or aluminum, I'd say an steel alloy) material: https://i.mt.lv/cdn/rb_images/1195_l.jpg Great point on the RBGESPs Zacharias! Definitely highly advisable to install them, moreso in this scenario. Robert, I'd contact LinITX, they're r...

pukkita

That hill is obstructing the fresnel zone, I'd mount both as high as possible, play with antenna heights to see what would be the minimum...

pukkita

In addition of Direct Line of Sight, you need to check if there's an obstacle in the first fresnel zone of the link. https://upload.wikimedia.org/wikipedia/commons/4/4b/1st_Fresnel_Zone_Avoidance.png What are the GPS coordinates of each point? I referred to a screenshot of a Link Planner calculator ...

pukkita

Have you seen it? It has been designed to stand strong winds, frosts, snows... I also think it is a sturdier design for your conditions regarding moisture, etc... https://i.mt.lv/cdn/rb_images/1302_l.jpg Captura de pantalla 2020-04-28 a las 0.54.18.png Reference: Mikrotik PtP Guide a pair of this wi...

pukkita

Glad to hear of your success!

pukkita

0.- What a wonderful place to live! 1.- The link seems to be viable even with the water masses. I'd use an online calculator, or google earth to draw the PTP and see elevation/fresnel to research a little more, but in the end the proof is in the pudding. I guess also spectrum in your area is clean??...

pukkita

What's the distance between buildings? Seems like a good match for a 802.11ad (60GHz) PTP. For < 300m, Wireless Wire kit could be an option: https://mikrotik.com/product/wireless_wire For bigger distances, I'd look https://mikrotik.com/product/wireless_wire_dish Check Complete Mikrotik 802.11ad Devi...

pukkita

Hello Dracep,

You can look at https://mikrotik.com/consultants for a list of available ones and choose freely.

For the record, I'm there too (Francisco J. Montilla)

pukkita

Interesting find Lavaburn!

I'd generate a supout.rif while this is happening on each of the routers and send it to support.

pukkita

A thing I'd check is you have actually a "drop by default" default firewall filter rule on forward chain which upnp relies on: filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed&...

pukkita

You should see two radio devices, wlan1 (2.4GHz) and wlan2 (5GHz), they will only show the supported Band, looks like you're setting wlan1, or that QuickSet only sets it (or will set wlan2 with same SSID and parameters as 2.4GHz wlan1, haven't used QuickSet in a while). Look into Wireless > Interfac...

pukkita

It should appear on a default from factory device, no need to add nor install anything special. Do you remember the ROS version it had originally? Things i would do: 1 - System > Routerboard. Check that Current Firmware is the same as Upgrade firmware version, click on Upgrade otherwise. It will ask...

pukkita

Hello Pukkita, Thanks for your reply. Why VPLS? Well, for educational purposes. Due to the current corona-situation I'm locked at home with some equipment, and I'm willing to learn more about it. Final plan would be trying to transport Dante over the wireless point-to-point links I use quite often....

pukkita

Why VPLS? From your network topology and addressing I can't see any benefit in using it? For your needs, what I would setup instead is a simple bridged network, making sure the ports are setup in an optimal way: 1.- Lay out ports on that will be communicating the most on the same switch chip . RB201...

pukkita

Bear in mind RB450G max L2MTU is 1520 (see https://wiki.mikrotik.com/wiki/Manual:Maximum_Transmission_Unit_on_RouterBoards#MAC.2FLayer-2.2FL2_MTU). With MPLS, qinq, EoIP (why EoIP with MPLS and not VPLS?) etc your RB450G L2MTU is falling short and inducing fragmentation... not the ideal device for t...

pukkita

I don't think local-forwarding mode is what you want, this is used when the cap has "closer" internet access than the master, or when the master is in the cloud and forwarding data back and forth doesn't make sense... No need either to define anything in the datapath tab for your applicati...

pukkita

You need to enable set Tools > Legacy Mode in WinBox

Once you log on, Make sure System > Routerboard Current vs Upgrade Firmware is the same, otherwise click on Upgrade and reboot.

pukkita

https://wiki.mikrotik.com/wiki/Manual:I ... ack_Bypass, see IP/Firewall/Raw solution.

pukkita

Are you using fasttrack??

pukkita

As you comment, if what you want is to create a wired to wireless bridge, all you need is adding all ether and wlan1 ports to the bridge, that's all, no need for any IP on the 951's, the 951's will extend Huawei L2 and hence L3 without requiring any other configuration. For management, you can still...

pukkita

fbl, I would also track this thread: viewtopic.php?t=158500&p=779019

pukkita

IPv6 support is installed, but disabled by default as of 6.46.4. First make a backup; you can export your config by clicking on New Terminal, then issue: /export file=myLoraWanGW.rsc Click on Files, locate myLoraWanGW.rsc, right click, download. You can open this file with any text editor (like Word...

pukkita

This is false information. Default configuration for quite some blocks access on interfaces that are not in either LAN or WAN interface lists. I stand corrected... absolutely right on recent ROS releases. But may not be the situation always, even if the running ROS version is a recent one when defa...

pukkita

No, default firewall rules won't protect if a new pppoe WAN interface is added afterwards. To be protected by the default firewall, go to Interfaces > Interface List and add the Bell pppoe interface to the WAN list. If you were using Quickset, then I guess it should have already added the pppoe inte...

pukkita

It is an interference problem. I have about a dozen smart plugs... I've had the issue of one struggling to connect to wireless while another one, one meter next to it kept wireless fine. If it were a mikrotik issue, I'd have issues with all of them, which is not the case. I have identified one that ...

pukkita

Does it happen with the plug always in the same wall socket? Is there a powerstrip maybe? PLCs?

I've found the smart sockets Wireless are very susceptible to interference, try plugging straight to the wall socket (no powerstrip), or a different wall socket or powerstrip.

pukkita

So forgetting about the CRS for a moment... You said to take ether1 off of bridge1 and set it up as a DHCP-Client. What I'm gathering from doing this, is ether1 will be a DHCP-Client for my ISP which is the DHCP-Server, is this right? That would make sense. Yes. From there, data coming into ether1 ...

pukkita

So we'll say my Gateway and DHCP server have IP Address 192.168.0.1 and will hand out addresses from 192.168.0.10 to 192.168.0.254 (Subnet is 255.255.255.0). Now Comcast sends my dynamic IP address to my modem (I use a personal Netgear modem with no routing capabilities) which in turn is sent to my...

pukkita

Try System > Routerboard Is there an USB button? (not USB power reset)? Try setting there USB Type for LoRa8 to Mini PCIe.

pukkita

Same behaviour observed with 6.46.1 between a CCR1032 and a 4011: on a speed-test tcp download fails sometimes, huge CPU peaks on 4011 (>70%) not reflected on speed-test, and obvious packet loss. EOIP+IPSec doesn't display this behaviour, tcp_download starts and finish smoothly. Measured speeds are ...

pukkita

On RB2011 CAP, unset Discovery Interface, and input 127.0.0.1 in CAPsMAN Addresses, RB2011 will recognize its wireless interface as a CAP.

pukkita

Yes... as routers are required anyway definitely L3 is the optimal solution. Using L2 bonding will only get you a system throughput speed of the slowest of the two links unless you’ve seen different? That's why I suggested active/backup... though the problem on how to force 60GHz to be detected as f...

pukkita

OSPF is undoubtely the more flexible and powerful way, but requires a routed network, and didn't fit the "simple" requirement by the OP.

Going routed though is the best future-proof approach for scalability too, so even if it means a drastic revamp it will be time and money well invested.

pukkita

action=masquerade is the same as action=src-nat, but will automatically src-nat with the IP of the interface, so no to-addresses required. add action=masquerade chain=srcnat comment="Hairpin NAT to for motioneye" dst-address=192.168.1.9 src-address=192.168.1.0/24 out-interface=YourLanBridge

pukkita

Yes. Have a look at https://wiki.mikrotik.com/wiki/Hairpin_NAT for the packet-by-packet explanation. In summary, what happens is the internal device receives an answer from the internal, dst-natted IP when it expects the source IP it to come from the public IP it requested; hairpin nat does an addit...

pukkita

Is the powerbeam in router or bridge mode? I assumed yours was a routed setup, if two unmanaged switches are connected with two links what happens is that you create a network loop and a switch disables one of the interfaces, so if the powerbeam is in bridge mode this is what is happening. You'll ne...

pukkita

Could it be the powerbeam having the same IP as the 60Ghz link? Without knowing more specifics is difficult to assess... how is the 5GHz setup? is the Powerbeam in router mode? What happens if only the radio is turned off on the PowerBeam? Supposing that both work simultaneously, there is no simple ...

pukkita

ouch, forgot about that... Remove any IP > Firewall filter / nat rules and reboot, what you want is a pure L2 device... it will perform better as CPU will only be used to forward from wireless interface to the bridge; forwarding between its ether ports will be done by the switch chip with hw acceler...

pukkita

Post a configuration Export... Or, fix it manually: Connect using winbox, go to Neighbor tab, locate & double click on hAP Ac Lite Mac address. This sounds as if hAP AC Lite had its own DHCP: - Go to IP > DHCP server tab and delete/disable it. - Go to IP > Addresses and delete any Static IPs - G...

pukkita

Just set it to use RouterOS, and load default config (System > Reset Configuration); at next winbox login you can accept several different default configs, choose or agree with "Switch mode" configuration. This will create a bridge with all the ports in switch configuration (wirespeed), wh...

pukkita

my network is made up of 2 web servers, being apache 1, apache2 and one more mikrotik, i need that when receiving a WAN request on port 80 and with the content 'glpi.kstros.com' the mk redirects to apache1 and when receiving 'wiki.kstros.com' is redirected to apache2. Can I do this redirect using o...

pukkita

That will depend on the routerboard used (RAM & CPU).

pukkita

Thank you for the detailed explanation, your answer gave me a better understanding of networks.

Glad to hear that!

pukkita

When fixing routing issues, you have to consider two routes always: 1.- The one going from the initiator to a given device, and 2.- The route that the reply will take back to the connection initiator. From initiator (server) to device (camera) seems to be working judging by the rule counters, I assu...

pukkita

Which is the easiest (and if possible cheapest) way to achieve this with the router? Is it possible to exclude a device from the VPN? For example, I watch Netflix with my TV and I do NOT wont to use the VPN for that. If you are looking for a cheapest option then CyberGhost VPN is good and less expe...

pukkita

The Mikrotik LAN IP is bound to a member of the bridge rather than the bridge itself, this often breaks things in strange ways. It should be /ip address add address=192.168.88.1/24 interface= bridge1 network=192.168.88.0 Good catch, missed that. As TDW pointed, when you create a bridge, any L3 addr...

pukkita

Check System > Routerboard, does Current Firmware match Upgrade Firmware version? If not, upgrade and reboot. System > Logging, add DHCP. Try dhcp-client again on ether1, post the logs. What's the mac address of the bridge? and ether1? You can open a new terminal maximized, then issue /interface p T...

pukkita

if I've just 3 segments , e.g. DMZ, WAN, LAN in different networks, so none of them is bridged, why is there always a "bridge" involved? Because that's the way you build the "segments". Before 6.42 you had the option of either build a L2 segment by creating a bridge (by software...

pukkita

64k is the best for gauging of raw CPU power, but again, it depends on the chores the router is carrying away, if you'll be using fasttrack or not, etc.

pukkita

Which port are you using to connect to it? Have you tried a port other than ether1? (as ether1 is usually WAN and so, firewalled on default config)? Do you see it on winbox neighbors tab? Can you connect to it from winbox if you double click on the MAC field while in neighbors tab? If you can't, wha...

pukkita

Does the CRS326 have a ip > DHCP Client entry setup? Looks like it's running a DHCP Server (not client)...

If so, disable DHCP Server, and set a DCHP Client on top of the bridge interface where all ports are.

pukkita

That's not a Routerboard, but what looks like a PC Engines Alix 2 Series board based on a 2D3 from mid 2000's. Wireless card is a 12+ year old ROS supported one, a CM9 (Atheros AR5213). Have one 2D2 still bouncing around, hw reliability vs an all-integrated routerboards is a joke (logical, this is a...

pukkita

Check your firewall (IP > Firewall > Filter) Your symptoms are the typical when being used as a DNS spoof amplification attack. If your wan port is not protected from Internet, attackers start querying your router DNS server pretending to be someone else, who gets blasted with your (and hundreds of ...

pukkita

Could be a damaged reset switch. I'd try a netinstall , try with the reset switch, keep it pressed, apply power, wait until cAP appears on netinstall. Alternatively, if reset switch doesn't seem to work, look for a reset pad on the PCB, short it with a screwdriver or something, power it on, and keep...

pukkita

Update: I've found a work-around, but I'd still like to know what's going on here. If I change the RB922 configuration from /ip address add address=192.168.3.73/24 interface=ether1 to /interface bridge add name=bridge-lan /interface bridge port add bridge=bridge-lan interface=ether1 /ip address add...

pukkita

If I connect Orange Pi and RB922 with a straight ethernet cable, I can see the link coming up on the RB922 (100M-half), but u-boot can't ping the RB922 and tftp times out. That's the first thing I'll troubleshoot, why half duplex? try issuing some "ip link" commands or whatever appropiate...

pukkita

To recap in the meanwhile it gets to the Wiki: Concurrent Simultaneous Requests is now settable DNS Servers (RouteOS DNS Client Settings): goes through them sequentially passing on to the next only if it doesn't receive an answer (fails). Further clarification regarding this on the wiki would be gre...

pukkita

Just tested an EU XS with a hAP AC 6.40.9, works flawlessly, 100/115 MBps using 5GHz AC 40MHz.

Looks like device specific, definitely pointing to the iphone.

To rule everything out, Is System > Routerboard Current Firmware same version as Upgrade one?

pukkita

But I do see someone who is cruising around the forum looking for virtually irrelevant things to answer. I expect you're trying to "big yourself up" and up your post count for whatever reason. That's the only reason I can see for the post, unless you're just bored of course. And then you ...

pukkita

Ether port on the Groove comes as WAN port on default config, and thus is firewalled. Try this: 1.- Connect to its wireless. 2.- On winbox, go to neighbor tab. Double click on the MAC address, you should be able to connect. 3.- Once you can log in, reset it to no defaults. 4.- Set it up per your lik...

pukkita

Which specific device? Does it have a serial port?

pukkita

Yes, if using the stock Power adapter.

pukkita

Try this: On the Station (SXT5 Lite r2): 1.- Go to Bridge. 2.- Remove unknown port 3.- Add wlan1 port to the bridge Cannot say for sure as I'm missing some details about your config, but once you do that Layer 2 between both networks should be fixed, try pinging between any devices (but the antennas...

pukkita

RB2011 PoE Out is Passive only, not af nor at, you can't use a RB2011 to power the HP. Captura de pantalla 2018-09-02 a las 10.25.05.png You need to either get an standalone PoE af injector, or use a different Router which supports PoE Out af/at, like an hEX PoE Captura de pantalla 2018-09-02 a las...

pukkita

Yes, in all cases they were providing power to wap ac Do same 2011 port powers a 100BT device fine? I've experienced that, specifically when powering gigabit AC devices from 100BT PoE out ports. First time with a 951Ui and a Netbox. Something "broke" on the 951Ui which wasn't able to powe...

pukkita

However we noticed for all devices which we have set the static DHCP IP for, it will NOT show up in the DHCP Server (under leases). When we tried to manually add a lease for it by adding the IP with its MAC Address, it is always having the "waiting" status. DHCP Server will inspect the AR...

pukkita

I'm a bit new here and used to Redhat's bugzilla/etc. How do I easily find out if there is an issue Mikrotik is already fixing or if it is something that a post like this could be useful for? Sure, check Mikrotik Changelog Section . Searching the forum may lead to interesting findings, or as you ju...

pukkita

Yes, it is possible. No differences hardware-wise.

pukkita

Yes, you could go VPS and use CHR; if you prefer having your own on a NOC or Office, couldn't agree more: an hEX or hEX S are ideal, seem to be conceived with this duty in mind: generous RAM, powerful dual core processor, MicroSD... while drawing very little power, taking little space and generating...

pukkita

I would set up a VPN "hub" for those SXT LTE to call home possibly using SSTP; you can dial into the hub and by RoMON or L3 manage any of the SXT LTEs.

This also opens the possibility of running a dude server on the hub, to (mass) monitor and manage the SXT LTEs.

pukkita

6.40.8 is vulnerable to this? yes, check 6.40.9 changelog (or 6.42.7) again , CVE was added afterwards, guess due to coordination? late addition?. MAJOR CHANGES IN v6.40.9: ---------------------- !) security - fixed vulnerabilities CVE-2018-1156, CVE-2018-1157, CVE-2018-1158, CVE-2018-1159; -------...

pukkita

Alex, were the 2011 powering AC CPEs?

Ondrej, did you include a supout.rif file taken while the problem was happening? do so...

pukkita

Not sure If I understood your scenario. 10.1.1.2 is a Caching DNS server? if so, let's say it's MAC is AA:BB:CC:DD:EE:FF. You need to publish the entry with the MAC of the real device having 10.1.1.2, on the interface where the queries will come. /ip arp add interface=hosting address=10.1.1.2 mac-ad...

pukkita

I see... agree with you, definitely looks like the hAP ac2 power draw at boot kicks the power draw protection. Which ROS version on the hEX? Firmware? (system > Routerboard?) This could be either a hardware limitation on the hEX S, or maybe something fixable by upgrading POE firmware, as it was the ...

pukkita

Christian, that RB1200 has some age... leaving a device for so long without upgrading rises a lot the chances of problems, moreso if the device (hardware) is old. How Old is it? ten years? ;) Looks to me like a damaged main booter. To fix: 1.- Connect a serial console to it, so that you can reach th...

pukkita

I've also setup the IP/Cloud feature but the DNS name is a little hard to remember! Use IP > Cloud. Purchase a domain, say my domain.com Setup as many CNAMEs on that domain pointing to the ip > cloud FQDN. From here onwards, no DNS query is gonna "resolve" to a port AFAIK; to manipulate b...

pukkita

You're not asking for help, but for someone to provide the whole (non trivial) setup for free, soo... wouldn't sweat waiting for that to happen, if ever. One thing is asking about specific issues, doubts etc on a user community forum, and a very different one is dropping a "I am a company and w...

pukkita

Other Mikrotik PoE switches can output up to 1A per port. Don't know the specific case for the hEX S as is a recent device and not a word about output limits on its last port on the specs, so it may be the case... Again, this is the Maximum power draw by hAP ac2, won't be surprised if average draw i...

pukkita

Bestinwifi: please change your IPSec secret, you published enough details for someone to try brute forcing VPN accounts on your router... already edited your SN/soft id.

pukkita

hEX S max power draw = 11W hAP ac2 max power draw = 15W Total maximum power draw = 26W. hEX S PSU is 24V @ 1.2A = 28W. Tight, but these are maximum power draw values. Have you tried powering the hAP ac2 on its own to see if is still unstable? How long is the cable going to the hAP ac2? Yes, you can ...

pukkita

Bandwidth test tool is useless for SFP+. won't reach more than 2Gb ever.

Use iperf and two PCs...

pukkita

By using fasttrack, you will be able to get higher throughput, but I seriously doubt a CRS317 could reach 1Gbps of routed/natted traffic even with fasttrack enabled, guess a more realistic figure will be around 250-500Mbps max, though I never tested. Do not underestimate the hEX, it's a little mean ...

pukkita

Doesn't it appear on Neighbors tab of Winbox? If so, click on the router Mac-address to connect via Mac-winbox.

If it doesn't, you can gain access to the 3011 in order to reenable networking services by using the Serial Console port, RJ45 on the back of the RB3011.

pukkita

You can't AFAIK, dns name is made up from Routerboard serial.

pukkita

Your assumptions are correct, this is a programmable switch, whose CPU provides auxiliary functions, but it's not conceived to route 1Gbps. And no, specs mean that with traffic flowing to/from all ports, the device is capable to route 1270Mbps overall (not each port), if all packets were sized 1518 ...

pukkita

sid5632, no rudeness, even your gratuitous one, is allowed here.

You're Warned.

pukkita

Sure:

Captura de pantalla 2018-08-01 a las 14.00.23.png

pukkita

We have made a blog, where we will publish the most important announcements regarding security and other topics.
Bookmark this link for Security related news:

https://blog.mikrotik.com/security/

Here is the RSS feed link:
https://blog.mikrotik.com/rss/?cat=security

Great!!! Killer idea!

pukkita

Nothing special, on router just make sure the ether port where the AP is connected is in the bridge where DHCP runs on.

pukkita

Get a serial cable ( see Wiki ) and connect to the console. Try a netinstall using ether1 to latest bugfix version. To rule out the reset pressing time lottery, you can set that via the serial console (set the boot device to ether boot) having access to the console will be really useful to troublesh...

pukkita

No difference, the approach is the same. Just config all the APs as wired/wireless switch as described . Configure the same SSID and security settings on all of them. As long as the Cisco cable going to the Mikrotik connects to an ethernet port belonging to the same bridge as the DHCP server for you...

pukkita

I see... Agree with Sindy, this looks like a bug, your config looks fine to me with regards to being able to connect to other IPs but from the src/dst-natted ones. ROS version? Routerboard firmware version? How do you config the IPs, directly on the WAN interfaces (no private transit or loopback?) D...

pukkita

a wAP (or any Routerboard) can be be programmed to be whatever you want. Of course can be a wireless client. What it cannot be is a repeater (wireless client + Wireless AP at the same time) if the other device is not a Mikrotik. If your intention is placing the wAP as outdoors repeater with the Netg...

pukkita

Even if it has been set, the method of keep pressing should work... are them under warranty?

pukkita

I have got it back to a stage on Winbox with it showing the MAC address IP of 0.0.0.0, Idenity - preconfig , Version 6.37.3 and board RB952Ui-5ac2nd. Following other threads, I have also attempted to use NetInstall and cannot get it to see the router. To be on the safe side I have attempted it on a...

pukkita

For dual wan use you need to further use mangle to: - keep track of connections, so that what enters via one WAN, exits via the same one - Steer/balance traffic towards the two WANs Even if you aren't using both WANs for general internet traffic, (e.g. general traffic to Internet exits via a single ...

pukkita

... I have problem setting up dual band, but that's another story (and maybe another question here after having exhausted what I can think of!) Solved! (how can I mark it as solved?) => OK, just found it! Thanks for marking it SOLVED! Re: dual band problem Looks like CAPsMAN provisioning setup issu...

pukkita

Default Route Distance can be set also on pppoe-client, vpn clients, etc: Dial-out tab.

pukkita

You need to wipe your cAP config and set it up to be a L2 device, a simple wired/wireless switch: See this post for details.

Don't use webfig... use winbox neighbors tab, this way you can manage it in L2.

pukkita

PoE-in or PoE-out capabilities are physical port capabilities, they cannot be moved.

But you can move internet, or the WAN, to a different port, for example ether2 and leave ether1 only for powering the hAP ac2.

You can use the same method I explained here

pukkita

After disabling NAT on PPPoE interface, You need to setup RIP, but still details are missing. To set up RIP: routing rip> set redistribute-connected=yes redistribute-static=yes routing rip interface> add interface=YOURPPPoE_interface receive=v2 send=v2 passive=no routing rip network> add network=77....

pukkita

The reasoning behind: - hap ac is a router board, and as such is 100% programmable - I can provide specific instructions - One of the best APs Mikrotik has for your application. - You may want a dual WAN setup in the future The Netgear (or any other "canned setup" AP) should be possible to...

pukkita

Hello, Yes, it is possible provided both are properly setup. Instead of the Netgear I'd go with a Mikrotik AP, like the Hap ac . The easiest configuration would be 1.- Set up the LTE using the wizard to provide Internet (HomeAP? setting). 2.- Plug the LTE to the Hap ac and set it up as wired/wireles...

pukkita

Power everything off for > 10 minutes, then power on.

Failing that, call Ono as their system may have blacklisted your line in DHCP, not uncommon on Fixed IP lines.

pukkita

ROS will select a Mac address from the ports in the bridge, no need to specify any.

Looks like the .rsc file is not loading, try logging to the router after the reset, and issue

/import file-name=mymapR.rsc verbose=yes

Pasting any errors here.

pukkita

You provide very little info regarding your network...

If main Mikrotik has wireless interfaces, and DLNA client devices connect by wireless, first thing I'd do is go to Wireless, select interface, enable Advanced Mode, and set the multicast helper to full.

pukkita

Hex S or RB760iGS is MMIPS, dude package should be for MMIPS Dude 6.40.8 MMIPS
I am surprised by this because how do you know which version of RouterOS is installed on the 760iGS?

Good catch, edited.

pukkita

As Pamela32 pointed out, you should watch out for voltage drops. However, the Groove doesn't support active PoE, only passive. The best approach is using a DC power adapter from 24V to max 30VDC (Groove limit), capable at least of 500mA. Power the mAP with it via it's DC-in jack with it, it will pow...

pukkita

On Mikrotik #2: 1.- Upgrade to latest bugfix 2.- Reset to no defaults 3.- Create a bridge. Add all interfaces (wired and wireless) to the bridge. 4.- Configure wireless interfaces: same SSID, security (WPA2) and passphrase as on Mikrotik #1. Done. As long as you plug one ether from Mikrotik #2 to th...

pukkita

Please post the interface stats, Rx, Tx, overall. There has been lots if changes in L2 implementation in ROS recently. What happens if you put a switch in between? Any difference? I couldn't agree more with jarda, on top of that mikrotik tries to avoid spaguetti code to fix other's bugs. Post a pack...

pukkita

ROS Version? Is DHCP set to authoritative?

If using latest bug fix, take a support while experiencing the issue and write to support attaching it.

If not, try bug fix version. Are you creating static DHCP leases for the Synaccess?

pukkita

The only modification required would be adding the interfaces directly to the bridge, instead of setting the master-port.

ROS will enable HW offloading if suitable.

pukkita

RaynoP: I'd try 6.40.8 if it weren't for the cAPs ac, which were very recently released and require current branch (see changelog). I'd put the blame on them... thing's I'd try: - Check that System > Routerboard Upgrade Firmware matches Current Firmware, upgrading if it doesn't (all devices). - neti...

pukkita

Yes, Routerboards are 100% programmable. You could achieve what you want and learn during the process, this is what I'd do to "reverse" the ports w/o having to program it from scratch: Connect to your mAP using winbox. 1.- Create an configuration export: To do so, Open a New Terminal , and...

pukkita

If you're using a laptop, try disabling the wireless interface, to force the OS to make sure it's using the ethernet interface.

A tip: Keep pressing the rest button until you see the router appearing in netinstall.

pukkita

What I would do: 1.- Upgrade to latest bugfix 2.- Reset to no defaults 3.- Create a bridge. Add all interfaces (wired and wireless) to the bridge. 4.- Configure wireless interfaces: same SSID, security (WPA2) and passphrase as you pointed. Done. As long as you plug one ether from the hap ac lite to ...

pukkita

The developers could also add in small chunks of OS specific code where the wine APIs weren't good enough. I wish MikroTik could / would do that for the MacOS X / Linux binaries. Maybe they've tried and found it unworkable already. Couldn't agree more. Winbox works fine most of the time under wine,...

pukkita

Are you using latest winbox (3.15)? It can upgrade itself, check Tools > Check For Updates in Main Winbox window. If you suspect the CCR is misbehaving, I'd take a full export out of that CCR, netinstall it, then import the export file back watching out for errors. If there are any, you can proceed ...

pukkita

As long as the default route uses the gateway it, you're done. Make sure is it masqueraded.

pukkita

Hex S or RB760iGS is MMIPS, dude package should be for MMIPS and match the installed ROS version, e.g. if you have 6.40.8 installed: Dude 6.40.8 MMIPS

pukkita

I'd do this: 1.- Reset the groove to no defaults 2.- Connect to it using winbox Neighbors tab, as it will reboot without any ip 3.- Create a bridge on the Groove. Add wlan1 and ether1 to it. 4.- Configure wireless per your liking using a different channel than the one used by the Huawei, e.g. Huawei...

pukkita

No need for manual port redirection. 1.- Delete all those dst-nats 2.- IP > uPnP Tick: - Enabled - Show Dummy Rule Click on [Interfaces] button. Add ether1 as External Add your LAN bridge as Internal done. Enable uPnP on your torrent/skype/whatever client, close it and re-launch. Look at IP > Firewa...

pukkita

Yes, you could create one physical, one virtualAP SSID, then apply use mangle depending on traffic source interface to force exit through the desired WAN.

pukkita

You can't go wrong with the CCR... that said a 3011 will do for sure. If you want to save: RB3011. If you want to do an investment once for years to come: CCR1009. CRS326 is a great switch, but I have never used it personally as a router (I may for a 100Mbps WAN if budget were tight). IMHO 400/20Mbp...

pukkita

Which ROS version did you netinstall them to? Try 6.39.3...

pukkita

And MMIPS...

Router size is better determined by the WAN bandwidth you want to "move" first, and what kind of filtering, queueing, etc you'll want to apply.

Do you need a router with wireless capabilities? Will you go with a seperate router and AP?

pukkita

Difficult to guess... but you probably need to: - Add all ether ports where APs (or switches where APs are connected to) a bridge (I assume all APs are in layer 2 towards the RB1100AHx2) - Setup a hotspot (there's a wizard) on such bridge - Fix usermanager (I assume RB1100AHx2 was running it as radi...

pukkita

Make sure fast-forward on the bridge is enabled, I completely wiped out the bridge, recreated it with fast-forward set and proxy-arp/local-proxy-arp worked this time. No dice... reset it to defaults, loaded the config back, and it's not working now. Will try a netinstall, but looks some sort of issu...

pukkita

haven't had the time to have a thorough look, definitely proxy-ARP seems to break when upgrading both to ROS 6.41 or 6.41.1. Going back to 6.39.3 will only fix it if a pure software bridge is used. Use a master port adding it to the bridge and arp will break too. Looks like hardware acceleration iss...

pukkita

Noticed today after upgrading to 6.41.1 that proxy-arp and local-proxy-arp seem to be broken both on 6.41 and 6.41.1 (FW upgraded to match) when set on a bridge. Device: hAP AC. Reverting back to 6.39.3 (FW 6.41.1), restores proxy-arp amd local-proxy-arp, but only on a full software bridge. Setting ...

pukkita

Is this still the current behavior, as of 6.41 (jan/2018?)

No.

That concurrent hardcoded limit was removed some versions ago, and as sebastia posted now you can set up the max concurrent queries limit at will.

pukkita

Post

/ip address print
/ip route print

on the mikrotik also. We cannot guess what that dhcp-client on ether1 may end up doing to them.

You shouldn't have a dhcp-client on an interface with an static ip set...

pukkita

Apparently Bridge filters in/out doesn't work when hw-offload is active on the ports. Any Ideas? Correction: if using L2 bridge filters, there's no need to enable use ip firewall. Just tested on 6.41 (on a RB1100AHx2), and even with hw offload enabled, L2 filtering (.e.g manipulating priority, vlan...

pukkita

Apparently Bridge filters in/out doesn't work when hw-offload is active on the ports. Any Ideas? Did you enable "Use IP Firewall" (on Bridge [Settings])? Filters won't work otherwise AFAIK. If you did, maybe (as I still don't fully understand your requirements) is it possible that could b...

pukkita

Wouldn't using no horizon at all but using Bridge filters allow what you want (prevent ether1,2 to see ether3,4 and ether5)? You can use interface lists... Same goes for Switch > ACLs Why the need to be in L2 to send traffic to monitor? IDS? Are you mirroring traffic and sending it towards your offi...

pukkita

What do you mean with "monitor all ports at the same time"? Why is it needed to have ether5 in L2 with the rest?

pukkita

Are we talking about Cuba? On RouterOS, if license is L4 (as is already on your Metal52 AC, check System > License) you may create multiple virtual wireless interfaces (wireless mode station) on top of the phisical wireless one, each virtual one will have a different MAC address and will appear to t...

pukkita

Post a diagram with all the devices involved at your side up to the AP, will help us to help you.

pukkita

Please posts all the IPs along its masks.

On routerboard:

/ip address print

host1 and host2:

ip addr show (or ifconfig)
ip route show (or netstat -rn)

pukkita

The thing is which CCR was used as btest client... has btest been fixed???

pukkita

What did solve the issue? changing the gateway portion of a route to an IP when previously there was an interface, or viceversa?

If so, did such interface had more than one IP assigned to it?

pukkita

750Gr3 == Hex.

pukkita

I said L4 because some configs used in public Cuban wifi require virtual interfaces to be used if you want to use several wireless credentials (to sum up more bandwidth, or for sharing with more people) with a single antenna, something not doable with L3 devices, and something that you may want to d...

pukkita

I assume WiFi is 2.4GHz? or there's dual 2.4 and 5GHz coverage? For 2.4GHz: https://mikrotik.com/product/lhg_2 (Unknown, L3 I guess) https://mikrotik.com/product/RBSXTG-2HnDr2-168 (L4) For 5GHz: https://mikrotik.com/product/RBLHG-5nD (L3) https://mikrotik.com/product/sxtsq_5_high_power (L4) Whatever...

pukkita

The real question is no sane admin will leave unrestricted access to a router from the Internet.

Best practice: prevent access completely to it from the internet, set up VPN access and allow only that.

If your router IP is not fixed, use IP > Cloud.

pukkita

Have a look at viewtopic.php?t=123380

Set the wAP AP as a wireless/wired switch as explained there.

pukkita

I think the hardware you have have selected is fine, since you are stationary in an RV park you can power it however you want. If you were trying to run off of the battery system in your RV I'd suggest not using the included power injectors, but instead to hardwire (with fuses and a switch, of cour...

pukkita

Are you sure the nano hasn't resetted itself to 192.168.1.20? Can you see it via IP > Neighbors?

pukkita

being mostly laptops, I'd go either for the Hap ac or wAP ac.

pukkita

Move IP .5.200 from ether1 to bridge1.

I understand there's nothing on Ip > Firewall > Nat

pukkita

You need to configure it to suit your needs, default configuration logs to memory only.

See /System logging, you need to:

1.- Create a remote Action setup for your syslog collector
2.- Set up logging Rules for the topics you want, setting/changing its action to the remote one you set on step #1.

pukkita

Mikrotik doesn't check anything it simply asks freeradius: user X with password Z wants to login, should I allow it? Then is freeradius which checks on its tables and simply answers Mikrotik router if the user successfully authenticated, and any user related reply items. You need to check your freer...

pukkita

I wouldn't use the Metal52ac, reasons: - You need an antenna for it. Forget about using a omnidirectional antenna to pick on distant signals, that's the worst option possible. - only 1 chain. I would use LHG2 To "pick" on the distant signal, advantages: - 1/3d of the cost vs Metal52ac + an...

pukkita

RouterOS uses only 1 Radius client, you cannot have two hotspots using different radius servers on the same router. You can have several radius servers on /radius, but RouterOS will use the first, unless it's down; then it will try the second, and so on. You don't need two seperate radius servers fo...

pukkita

You cannot just tinker with the tables and expect it to work... Seems your freeradius configuration makes it interpret that table as radcheck, and you chose to store gender on the op field, which freeradius expects to be a two character field, containing Freeradius operators . radcheck table has to ...

pukkita

Run Tools > Torch on ether3, tick "Show VLAN id", do you see the expected VLAN IDs there?

Post a full export.

pukkita

Write to support linking to this post and explaining the situation, they'll work out the license issue.

pukkita

Yes, you're right: the wiki specifies it:

Configure script RouterOS export file produced by the export command). Any file supplied here will become the default configuration of the reinstalled router.

pukkita

This is usually MTU, or packet loss issues. Isolate and test that subnet and its uplink point to the rest of the network.

pukkita

A weird thing noticed: the throughput improves considerably when I run the Packet Sniffer on the L2TP interface! Running Packet sniffer disables FastPath and Fasttrack . Check your firewall settings if you have fasttrack enabled. Similar thread: very strange slow web access but can be solved by pac...

pukkita

You don't need different packets for upload/download, just make sure that for a given traffic category, you mark traffic on both directions. It's the parent which will dictate if QoS will be applied on upload or download, depending on parent interface, you can use same packet marks. parent=global wi...

pukkita

Can I have a parent=global queue to handle all traffic towards the LAN while not intermixing the rates with the upload traffic to the two internet interfaces?

Yes, that's the way.

pukkita

For home use, options on increasing budget: - hAP ac: router + AP on single device. Drawback: you need to position it optimally for the AP. - RB3011 + wAP AC: Best of both worlds: router can be positioned on your comm cabinet, and wAP AC(s) optimally for best wireless coverage. - RB3011 + hAP AC: if...

pukkita

Which RB433? In these cases the best option is to netinstall.

pukkita

From RB1100AHx4 brochure:

Captura de pantalla 2017-11-11 a la(s) 11.23.24.png

So a difference on dude edition is it comes with a 60GB M.2 disk from factory.

Additionally, dude edition sports 3 switch groups, while non dude edition seems to have none.

pukkita

What's new in 6.39 (2017-Apr-27 10:06):
!) ppp - implemented internal algorithm for "change-mss", no mangle rules necessary;

pukkita

Only on the 750UP location, as allstarcomps said that's the only place where you need to connect more than one station. L4 is $45, but... SXT's are directional antennas, if you want to connect the two SXT lites to the AP on 750UP location, you'll need not only a radio that has L4 license, but also i...

pukkita

Post a diagram. I tried to configure all 3 in bridge mode but could only get the bridge to function over any 2 APs at one time. SXT Lite license level is L3, that means it's limited to act as an AP for only one device (wireless mode = bridge). You can either pay to raise its license to L4, or purcha...

pukkita

CAPsMAN requires certain knowledge, QoS definitely, you would be better hiring someone knowledgeable . I wouldn't limit per user (simple queue), but program a QoS (queue tree) that categorizes traffic, dynamically distributes available bandwidth depending on traffic category priority, then use PCQ q...

pukkita

When you say MI Repeater I understand it's a wireless repeater? If so, that's your first problem. I'd: - Put the Airtel router in bridge mode if possible - Deploy a internet router to manage users, speeds, QoS and CAPsMAN. Hex could be a budget candidate that fits the job nicely. - Deploy at least t...

pukkita

Exactly. If you're setting up an AP for unknown wireless/mobile devices you'll have to set it up in the most widely compatible way.

For 2.4GHz that means 20MHz and default settings.

pukkita

You need

1.- Mikrotik radio that suports 5/10MHz (not all of them do)
2.- Client with radio with same capabilities

pukkita

Because there are two directions while communicating. Let's suppose this scenario: AP <-> STATION using frequency 5640. Interference may be local and affecting only the receiving side, (e.g. other antenna nearby STATION transmitting on 5640). while it could be possible that AP can "hear" S...

pukkita

Have you tried setting the src-address on the mikrotik router to 192.168.5.1? Windows PPTP client should get a route to 192.168.5.0 via the VPN, nothing else should be required. That's the point of using same network range on LAN and VPN + proxy-arp, no routing is necessary. Check a router print on ...

pukkita

Only place where proxy-arp is needed is on bridge1, nowhere else.

Reboot the router afterwards.

pukkita

please post

/interface export
/ip address export

pukkita

Not sure if I understood your situation right. If you want the laptop acting as server to have a fixed IP, you can still use DHCP. 1.- Go to IP > DHCP Server > Leases and locate the laptop one. 2.- Double click on it, and click on "Make static". From now on, the laptop will be always offer...

pukkita

6Mbps is the lowest of the so-called "basic rates", and the only basic-rate with default configuration. Radio switches to this basic rate when initially establishing or renegotiating the radio link; this indicates you're having interferences, SXTs may have moved, a new nearby obstacle, or ...

pukkita

shouldn't need this

chain=srcnat action=masquerade src-address=192.168.5.48/29 dst-address=!192.168.5.48/29 log=no log-prefix=""

if proxy-arp is properly set.

pukkita

No, USB external disk cannot be used as system partition, and I'm afraid it cannot be used for graphs storage either.

External storage can be used for web proxy cache, samba sharing, etc.

pukkita

Lots of power off/power on and bad electricity supply can corrupt the NAND format or damage it, specially if you're writing constantly to it (do you have graphs active?). If you're experiencing such electricity supply unstability, you'd better either get an UPS at least for the router... this router...

pukkita

Looks like your NAND is gone, you'd better write support, short of netinstalling it again, resetting it to no defaults and reconfiguring it looking if it holds fine this time. Better than using a .backup, you could make an export, so that you can just copy & paste the config on this, or any rout...

pukkita

Len = Length (size).

You got it right for the rest.

pukkita

300 is radio datarate, in TCP that would equal about half, 100-150Mbps TCP.

You need clients to be dual-chain / dual stream (2x2 MIMO) while most mobile devices are single chain.

pukkita

At this moment I have CRS125-24G-1S and I want to get 2nd device with spf, gigabit lan ports and with Dude support.

Sounds like RB3011 is what you are looking for. Next option would be a CCR.

pukkita

Another thing that you may need to ensure is that you are actually masquerading or dst-natting traffic from your .123 network to your .10 network. Nope, no need to. If 10.x clients use 10.x (10.1 or 10.200) as default gateway, and .123.x clients have .123.x as default gateway both networks will be ...

pukkita

Check System > License, if it's fine then I'd say you can rest asured is not a copy.

Search found 3023 matches