Community discussions

Search found 598 matches

by Kentzo
Mon Jun 17, 2024 6:37 pm
Forum: Beginner Basics
Topic: IPV6 macos intermittent packet loss
Replies: 11
Views: 901

Re: IPV6 macos intermittent packet loss

Try sniffing all interfaces to see what happens to the lost ping packets when they are not seen on the WAN interface.
by Kentzo
Mon Jun 17, 2024 10:00 am
Forum: Beginner Basics
Topic: IPV6 macos intermittent packet loss
Replies: 11
Views: 901

Re: IPV6 macos intermittent packet loss

What physical interface is VDSL? Can you show a diagram of your VLANs?
by Kentzo
Sat Jun 15, 2024 11:14 pm
Forum: Beginner Basics
Topic: IPV6 macos intermittent packet loss
Replies: 11
Views: 901

Re: IPV6 macos intermittent packet loss

Post the routing tables on macOS (via netstat) and the router.
by Kentzo
Fri Jun 14, 2024 9:53 am
Forum: Beginner Basics
Topic: IPV6 macos intermittent packet loss
Replies: 11
Views: 901

Re: IPV6 macos intermittent packet loss

Sniff traffic off the PPPoE interface, your goal is to verify that the packets are dropped within your LAN.
by Kentzo
Thu Jun 13, 2024 2:01 am
Forum: Scripting
Topic: Script to locate records referencing deleted entities
Replies: 2
Views: 246

Script to locate records referencing deleted entities

In general is there a way to locate all records that reference a deleted entity, such as a deleted interface?
by Kentzo
Thu Jun 13, 2024 1:54 am
Forum: Announcements
Topic: v7.15.1 [stable] is released!
Replies: 322
Views: 63377

Re: v7.15 [stable] is released!

[deleted]
by Kentzo
Sun Jun 09, 2024 12:23 am
Forum: General
Topic: lo -> lo in the IPv6 firewall filter forward chain
Replies: 13
Views: 726

Re: lo -> lo in the IPv6 firewall filter forward chain

It didn't crash before 7.14.3 and yet my machine with uptime of a few months does not exhibit this issue. However, I changed /ipv6/nd/prefix/default: /ipv6/nd/prefix/default/print autonomous: yes valid-lifetime: 16h preferred-lifetime: 8h Which is shorter than lifetime of my DHCPv6 delegated prefix ...
by Kentzo
Sun Jun 09, 2024 12:11 am
Forum: General
Topic: SLAAC route with wrong distance, how can I fix it?
Replies: 13
Views: 742

Re: SLAAC route with wrong distance, how can I fix it?

Interesting point. Assuming you advertise multiple prefixes via RA to the downstream hosts (i.e. your hosts are multi-homed), you can encourage their address selection via the ra-preference property in /ipv6/nd. However, will RouterOS actually prefer the gateway that corresponds to the location of t...
by Kentzo
Fri Jun 07, 2024 7:18 pm
Forum: General
Topic: lo -> lo in the IPv6 firewall filter forward chain
Replies: 13
Views: 726

Re: lo -> lo in the IPv6 firewall filter forward chain

Hmm, I don’t think I noticed this behavior. Then again I only ever have up to 2 prefixes simultaneously, so my hosts cannot get 1000 addresses. OTOH I’m with Xfinity and my delegated prefix changes from time to time. What are your default settings for nd? Did you try the 7.16 beta release, as its notes men...
by Kentzo
Fri Jun 07, 2024 5:22 pm
Forum: General
Topic: lo -> lo in the IPv6 firewall filter forward chain
Replies: 13
Views: 726

Re: lo -> lo in the IPv6 firewall filter forward chain

Then how would you expect the client OS to select source address among multiple prefixes in a standard-compliant way? It’d seem to me that misbehaving clients should rather have a static LUA with a translator in front of them. Not great and not standard but a better workaround IMO. I never checked, bu...
by Kentzo
Fri Jun 07, 2024 5:16 pm
Forum: General
Topic: Questions about IPSEC
Replies: 7
Views: 423

Re: Questions about IPSEC

IKEv1 and IKEv2 differ in how configuration can be supplied, with IKEv2 being backward compatible. RouterOS only supports backward compatible configuration, “new” configuration payload is not (fully?) supported. What user may or may not want is orthogonal to what the implementation must support. And ...
by Kentzo
Fri Jun 07, 2024 4:46 pm
Forum: General
Topic: lo -> lo in the IPv6 firewall filter forward chain
Replies: 13
Views: 726

Re: lo -> lo in the IPv6 firewall filter forward chain

Thanks to the SMB bug my ax3 crashes and gets rebooted a few times a day :) I think the deprecation in my case is working properly: when prefix gets reassigned to another interface it seems correct to mark as deprecated on the old one. But it is wrong that Subnet ID is neither stable nor under admin...
by Kentzo
Fri Jun 07, 2024 9:40 am
Forum: General
Topic: Questions about IPSEC
Replies: 7
Views: 423

Re: Questions about IPSEC

As a responder it still requires deprecated mode-config where more appropriate IKEv2 attributes exist. IIRC split-include can only be used via mode-config, IKEv2 traffic selectors are not supported.
by Kentzo
Fri Jun 07, 2024 9:13 am
Forum: General
Topic: SLAAC route with wrong distance, how can I fix it?
Replies: 13
Views: 742

Re: SLAAC route with wrong distance, how can I fix it?

In general add-default-route via DHCPv6 client is wrong, that is why it is off by default. In IPv6 proper default route should be learned from RA.

There are examples on this forum where add-default-route=yes in DHCPv6 backfired.
by Kentzo
Fri Jun 07, 2024 6:25 am
Forum: General
Topic: Questions about IPSEC
Replies: 7
Views: 423

Re: Questions about IPSEC

For RouterOS <-> RouterOS? I don't think it matters. Otherwise you're probably better with Wireguard as RouterOS's implementation of IPsec (especially "modern" IKEv2) is incomplete.
by Kentzo
Fri Jun 07, 2024 6:23 am
Forum: General
Topic: SLAAC route with wrong distance, how can I fix it?
Replies: 13
Views: 742

Re: SLAAC route with wrong distance, how can I fix it?

Another idea: put each interface into a separate VRFs and add appropriate routes / routing rules to prioritize one default route over another. However you will have to adjust the IPv4 configuration as well.
by Kentzo
Fri Jun 07, 2024 5:55 am
Forum: General
Topic: SLAAC route with wrong distance, how can I fix it?
Replies: 13
Views: 742

Re: SLAAC route with wrong distance, how can I fix it?

If you're doing RA, you most likely want `add-default-route=no` on the DHCPv6 client. RouterOS will add the proper default route based on the RA. Not sure how to deal with PPPoE, the config does not seem to allow to selectively disable `add-default-route` for IPv6. RouterOS does not seem to support ...
by Kentzo
Fri Jun 07, 2024 3:25 am
Forum: General
Topic: lo -> lo in the IPv6 firewall filter forward chain
Replies: 13
Views: 726

Re: lo -> lo in the IPv6 firewall filter forward chain

I now understand the issue a little bit better. In my deployment I implement NPTv6 to let IPsec clients with ULA addresses access internet using a GUA derived from an upstream delegated IPv6 prefix: I "reserve" an IPv6 prefix by allocating a non-advertising address on the `lo` loopback...
by Kentzo
Fri Jun 07, 2024 2:23 am
Forum: General
Topic: lo -> lo in the IPv6 firewall filter forward chain
Replies: 13
Views: 726

Re: lo -> lo in the IPv6 firewall filter forward chain

Regardless of the packet flow, I'd expect `out:lo` to be in the input chain and never in the forward chain.
by Kentzo
Thu Jun 06, 2024 1:03 am
Forum: Announcements
Topic: v7.15.1 [stable] is released!
Replies: 322
Views: 63377

Re: v7.15 [stable] is released!

This behavior (bug?) in IPv6 Firewall Filter seems to be new: lo -> lo in the IPv6 firewall filter forward chain
by Kentzo
Thu Jun 06, 2024 12:56 am
Forum: General
Topic: lo -> lo in the IPv6 firewall filter forward chain
Replies: 13
Views: 726

lo -> lo in the IPv6 firewall filter forward chain

A little bit of context: AAAA is my laptop and BBBB is my phone which is currently sleeping. BBBB is not pingable nor it appears /ipv6/neighbors. An app on AAAA cached BBBB-IPv6 and continuously tries to reach BBBB. This is what I see in the IPv6 firewall filter: ... firewall,info ... forward: in:vl...
by Kentzo
Mon Jun 03, 2024 8:16 pm
Forum: Announcements
Topic: v7.15.1 [stable] is released!
Replies: 322
Views: 63377

Re: v7.15 [stable] is released!

*) smb - added logs for share connection requests
Please revert this change. 99% of my info logs is now `... connect request user:GUEST ...` :/
by Kentzo
Mon Jun 03, 2024 7:54 pm
Forum: General
Topic: IPsec: payload missing SA error
Replies: 3
Views: 650

Re: IPsec: payload missing SA error

It looks like there is a mismatch in phase 1 configuration. Can you share the diagnostic logs from Azure's VPN? Capturing the packets on the router by sniffing may also be helpful to see what you send vs what Azure's responder expects.
by Kentzo
Mon Jun 03, 2024 5:32 am
Forum: Announcements
Topic: v7.15.1 [stable] is released!
Replies: 322
Views: 63377

Re: v7.15 [stable] is released!

I think builtin SMB server causes kernel panic and reboot after certain amount of data is being transferred (it appears in the direction from the Router).
by Kentzo
Mon Jun 03, 2024 5:22 am
Forum: General
Topic: Lost IPv6 addresses defined from pools after reboot
Replies: 3
Views: 841

Re: Lost IPv6 addresses defined from pools after reboot

IIRC if you add addresses like this: add address=::1 eui-64=yes from-pool=local-pool add address=::1 eui-64=yes from-pool=guest-pool then one of them will get deleted upon a reboot. This is a known problem but please report to https://help.mikrotik.com/servicedesk/servicedesk/customer/portal/1, more...
by Kentzo
Mon Jun 03, 2024 5:18 am
Forum: General
Topic: IPsec: payload missing SA error
Replies: 3
Views: 650

Re: IPsec: payload missing SA error

Where is the authentication material in `/ip ipsec identity`?
by Kentzo
Mon Jun 03, 2024 5:04 am
Forum: Wireless Networking
Topic: Apple Airplay not working
Replies: 10
Views: 1453

Re: Apple Airplay not working

If you run `dns-sd -Z _airplay._tcp` in the Terminal app on macOS, does it show any devices at all?
by Kentzo
Sun Jun 02, 2024 4:48 am
Forum: Containers
Topic: Did veth <-> disk slowed down in 7.14?
Replies: 9
Views: 1957

Re: Did veth <-> disk slowed down in 7.14?

Reading from the builtin SMB server seems to cause kernel panic.
by Kentzo
Thu May 30, 2024 11:00 pm
Forum: Wireless Networking
Topic: Apple Airplay not working
Replies: 10
Views: 1453

Re: Apple Airplay not working

What is not working specifically? The devices do not appear on the Share list in iOS / macOS / tvOS or they do but the connection fails? If so then what is the error message?
by Kentzo
Fri May 10, 2024 1:52 am
Forum: Useful user articles
Topic: mDNS between VLANs with just bridge filters - Look Mum, no containers!
Replies: 52
Views: 10572

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

As a SOHO user for almost a decade all deviations I saw were almost exclusively to circumvent RouterOS's mishaps. To that extent it's great that the OS allows for that. However, I personally want it to be easily configured to follow the RFC specs and best practices as precisely as possible. For whist...
by Kentzo
Fri May 10, 2024 12:47 am
Forum: Useful user articles
Topic: mDNS between VLANs with just bridge filters - Look Mum, no containers!
Replies: 52
Views: 10572

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

IMHO Application-level problems need application-level solutions. I did not look into the mDNS spec sufficiently, but I would not take for granted that reflection does not involve some alteration of the packet under certain circumstances.
by Kentzo
Wed May 08, 2024 6:16 pm
Forum: General
Topic: IPSEC\IkeV2 client not browsing
Replies: 3
Views: 313

Re: IPSEC\IkeV2 client not browsing

I recommend taking a look with wireshark to see what goes through and what’s not.

If ping works but nothing else then it could be an MTU issue. Can you find the maximum payload size that works for the ping tool? This thread may be useful: viewtopic.php?t=189192
by Kentzo
Tue May 07, 2024 9:18 pm
Forum: Beginner Basics
Topic: IPv6 routes not created
Replies: 8
Views: 1258

Re: IPv6 routes not created

Right now your router is not properly configured to learn upstream IPv6 route. You likely need: /ipv6/dhcp-client ... add-default-route=no ... /ipv6/nd/add advertise-dns=no interface=ether1 ra-lifetime=none ra-preference=low reachable-time=5m Also note that the dns option in /ipv6/nd does not work f...
by Kentzo
Tue May 07, 2024 9:02 pm
Forum: Beginner Basics
Topic: Help needed with IPv6
Replies: 1
Views: 307

Re: Help needed with IPv6

This description is a bit of a hodgepodge.

Please read up on IPv6 first to better understand your situation, specifically address distribution (SLAAC), Prefix Delegation (DHCPv6-PD) and classification of IPv6 addresses in general.
by Kentzo
Tue May 07, 2024 8:49 pm
Forum: General
Topic: IPSEC\IkeV2 client not browsing
Replies: 3
Views: 313

Re: IPSEC\IkeV2 client not browsing

i connect using my phone as hotspot

What establishes the IPsec connection, your phone or another device that uses your phone as a hotspot? If it's the latter, it could be some traffic shaping done by your MNO specifically for the hotspot clients.
by Kentzo
Tue May 07, 2024 8:43 pm
Forum: Useful user articles
Topic: mDNS between VLANs with just bridge filters - Look Mum, no containers!
Replies: 52
Views: 10572

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

RouterOS really needs an mDNS solution out of the box (both as multicast and Wide Area Bonjour). These hacks that pop time to time are ridiculous, traps and troubles for novices that tarnish Mikrotik's reputation…
by Kentzo
Fri May 03, 2024 8:00 pm
Forum: General
Topic: [Feather Request] Ignore bad DHCPv6 DUID
Replies: 7
Views: 2316

Re: [Feather Request] Ignore bad DHCPv6 DUID

I would still like to see a binary dump of the problematic packet. It's feasible that RouterOS's parser / validation is broken in some other way.
by Kentzo
Tue Apr 30, 2024 8:38 pm
Forum: Containers
Topic: Did veth <-> disk slowed down in 7.14?
Replies: 9
Views: 1957

Re: Did veth <-> disk slowed down in 7.14?

The 7.14.3 update fixed this issue in the builtin SMB server, but the containerized one is still affected.
by Kentzo
Wed Apr 24, 2024 12:05 am
Forum: Scripting
Topic: How to use fetch tool with IPv6
Replies: 9
Views: 837

Re: How to use fetch tool with IPv6

Have you tried setting the src-address?
by Kentzo
Wed Apr 24, 2024 12:02 am
Forum: General
Topic: dhcpv6-pd assign subnet to interface
Replies: 5
Views: 453

Re: dhcpv6-pd assign subnet to interface

RouterOS only allows to customize Interface ID, but it will pick Subnet ID for you.

Please create a feature request at https://help.mikrotik.com/servicedesk/servicedesk
by Kentzo
Tue Apr 23, 2024 11:47 pm
Forum: Beginner Basics
Topic: Help on applying advanced firewall rules
Replies: 27
Views: 2730

Re: Help on applying advanced firewall rules

Something in your network multicasts a packet to all nodes (ff02::1) using the 10001 port. "All nodes" also includes the router itself. You have a firewall rule that blocks such packets on the router. Everything seems to work as configured. FYI mDNSv6 uses the ff02::fb. See https://www.iana...
by Kentzo
Mon Apr 22, 2024 10:02 pm
Forum: Beginner Basics
Topic: IPV6 on mikrotik
Replies: 6
Views: 729

Re: IPV6 on mikrotik

If you don't need IPv6 on the TV, you can still bridge the mikrotik router but exclude the ethernet interface that connects the TV from the bridge.
by Kentzo
Mon Apr 22, 2024 5:27 pm
Forum: Beginner Basics
Topic: Help on applying advanced firewall rules
Replies: 27
Views: 2730

Re: Help on applying advanced firewall rules

Are you sure it’s the forward chain and not the input chain? Link-local addresses are not supposed to be forwarded. My opinion is that with very few exceptions you should not firewall input (multicast or otherwise) from LAN on the router. Please make sure to report all problems you encountered using...
by Kentzo
Sat Apr 20, 2024 1:41 pm
Forum: Beginner Basics
Topic: Help on applying advanced firewall rules
Replies: 27
Views: 2730

Re: Help on applying advanced firewall rules

Instead of disabling the rules, can you change it to passthrough with log and then attach here the packets whose dropping breaks your network, exactly as it appears in the log? The rule that only allows ICMPv6 Type 134 from LAN is plain wrong for an edge router: it is supposed to receive RAs from th...
by Kentzo
Thu Apr 18, 2024 2:39 am
Forum: Beginner Basics
Topic: Help on applying advanced firewall rules
Replies: 27
Views: 2730

Re: Help on applying advanced firewall rules

In both cases you need to log to see what packets are being matched.
by Kentzo
Wed Apr 10, 2024 4:36 am
Forum: General
Topic: IPv6 trouble [SOLVED]
Replies: 19
Views: 1861

Re: IPv6 trouble [SOLVED]

On the one hand I agree with your reasoning… on the other hand I'd prefer IPv6 to negotiate its configuration as intended by the protocol rather than relying on this ad-hoc knowledge of underlying connection and RouterOS "hacks".
by Kentzo
Tue Apr 09, 2024 3:31 am
Forum: General
Topic: Trouble Setting up ipv6
Replies: 21
Views: 1504

Re: Trouble Setting up ipv6

I cannot point to a specific thread, but if you search this forum for "ipv6" you will find a few viable configs and useful discussions.
by Kentzo
Mon Apr 08, 2024 11:47 pm
Forum: General
Topic: can't open IPv6 websites
Replies: 2
Views: 449

Re: can't open IPv6 websites

Did you identify the exact link where IPv6 routing breaks?
by Kentzo
Mon Apr 08, 2024 11:43 pm
Forum: General
Topic: Trouble Setting up ipv6
Replies: 21
Views: 1504

Re: Trouble Setting up ipv6

Why do you have VodafoneIPv6 both as a dynamic IPv6 pool (via the DHCPv6 Client) and a manually added pool? That might confuse RouterOS. Also, remember that RouterOS's DHCPv6 Server cannot hand out addresses as its DHCPv4 Server. It only works for prefix delegation to downstream Routers. Downstream...
by Kentzo
Mon Apr 08, 2024 11:37 pm
Forum: General
Topic: IPv6 trouble [SOLVED]
Replies: 19
Views: 1861

Re: IPv6 trouble [SOLVED]

I don't know if this is necessary for PPPoE connections, but I would recommend to at least try the following: Set `accept-router-advertisements=yes` in /ipv6/settings Set `add-default-route=no` in /ipv6/dhcp-client: route, normally, should be learned via RAs (but it might be a peculiarity of PPPoE I...
by Kentzo
Sun Apr 07, 2024 7:02 am
Forum: Containers
Topic: Did veth <-> disk slowed down in 7.14?
Replies: 9
Views: 1957

Re: Did veth <-> disk slowed down in 7.14?

Noticed that I still had the rose-storage package enabled. Disabled it and rebooted. Now the reading speed over SMB does not progressively degrade and is stable. However, it seems to be slower than it used to be. It's definitely slower than both the `dd` and `iperf` speeds. This issue is still prese...
by Kentzo
Sun Apr 07, 2024 6:03 am
Forum: Containers
Topic: Did veth <-> disk slowed down in 7.14?
Replies: 9
Views: 1957

Re: Did veth <-> disk slowed down in 7.14?

Pulled the disk and connected to my linux box: `e2fsck -fcck`: no bad sectors `dd if=... of=/dev/null bs=4K` on every file: no problems, healthy reading speed Connected back RouterOS, run the "samba" container: `dd if=... of=/dev/null bs=4K` on every file: no problems, healthy reading spee...
by Kentzo
Fri Apr 05, 2024 11:25 pm
Forum: General
Topic: IPv6 trouble [SOLVED]
Replies: 19
Views: 1861

Re: IPv6 trouble [SOLVED]

I'm hesitant to trust RouterOS's undocumented defaults regarding IPv6 just yet :)
by Kentzo
Fri Apr 05, 2024 6:53 am
Forum: General
Topic: IPv6 trouble [SOLVED]
Replies: 19
Views: 1861

Re: IPv6 trouble [SOLVED]

It seems wrong to me to have an interface set on the "default" record. It also appears that you do not have ND on LAN interfaces, did you omit the output? For the reference, mine looks like this: /ipv6 nd set [ find default=yes ] disabled=yes add advertise-dns=no interface=ether1-gateway r...
by Kentzo
Wed Apr 03, 2024 8:21 pm
Forum: General
Topic: IPv6 trouble [SOLVED]
Replies: 19
Views: 1861

Re: IPv6 trouble [SOLVED]

This results in a failure of the ipv6 tests, and modifying it one by one found that setting ra-lifetime=none to be the culprit. I’m pretty sure that your ISP does not care for RAs sent by your router upstream, it should not break anything in itself. Perhaps this change forced a reconfiguration th...
by Kentzo
Wed Apr 03, 2024 10:33 am
Forum: General
Topic: IPv6 trouble [SOLVED]
Replies: 19
Views: 1861

Re: IPv6 trouble [SOLVED]

Most of the settings in /ipv6/nd are for the case when RouterOS is the Advertising Router, i.e. when it sends a configuration. However, in case of the PPPoE interface it's acting as a Host because it receives a configuration. You, most likely, want the following settings on pppoe-out1: add advertise...
by Kentzo
Tue Apr 02, 2024 11:27 pm
Forum: General
Topic: IPv6 trouble [SOLVED]
Replies: 19
Views: 1861

Re: IPv6 trouble [SOLVED]

You want `/ipv6/settings/set accept-redirects=no` and `/ipv6/settings/set accept-router-advertisements=yes` as well as `/ipv6/nd/enable` on the pppoe-out1 interface. As @mkx mentioned, there are some IPv6-specific timeouts in RouterOS that are intrinsic to how the protocol works. A reboot might be a...
by Kentzo
Fri Mar 22, 2024 6:59 pm
Forum: Containers
Topic: Did veth <-> disk slowed down in 7.14?
Replies: 9
Views: 1957

Re: Did veth <-> disk slowed down in 7.14?

Is there any particular procedure I should follow to reformat the drive? Do I need to reformat whole drive or just the partition that is mounted into the samba container?
by Kentzo
Fri Mar 22, 2024 5:45 am
Forum: Containers
Topic: Did veth <-> disk slowed down in 7.14?
Replies: 9
Views: 1957

Re: Did veth <-> disk slowed down in 7.14?

It might be a case of the disk simply dying, but I'm puzzled that dd cannot reproduce it.
by Kentzo
Thu Mar 21, 2024 9:36 pm
Forum: Containers
Topic: Did veth <-> disk slowed down in 7.14?
Replies: 9
Views: 1957

Re: Did veth <-> disk slowed down in 7.14?

It's the hAP AX3 updated from 7.13.x
by Kentzo
Wed Mar 20, 2024 9:15 pm
Forum: Containers
Topic: Did veth <-> disk slowed down in 7.14?
Replies: 9
Views: 1957

Did veth <-> disk slowed down in 7.14?

I run Samba container and host shares on a USB attached HDD. Looks like after the 7.14.1 update both read and write speeds of the shares slowed down by ~10 times. disk: `dd if=/dev/urandom of=...disk... bs=1M count=1024` finishes within expected time veth: iperf container is on par with my connectio...
by Kentzo
Wed Mar 13, 2024 12:52 am
Forum: Announcements
Topic: v7.14.3 [stable] is released!
Replies: 671
Views: 209697

Re: v7.14.1 [stable] is released!

*) leds - added "dark-mode" functionality for hAP ax3 and Chateau ax series devices;
What is "dark-mode", is it the "all-leds-off" LEDs setting?
by Kentzo
Tue Mar 12, 2024 10:44 pm
Forum: Beginner Basics
Topic: Airplay/Multicast packet not flooding in bridge vlan
Replies: 17
Views: 3476

Re: Airplay/Multicast packet not flooding in bridge vlan

I’m using Avahi in IPv4-only mode as the mDNS repeater in my HomeKit setup. However, my Airplay sources and destinations are in the same VLAN.
by Kentzo
Tue Mar 12, 2024 1:33 am
Forum: Announcements
Topic: v7.14.3 [stable] is released!
Replies: 671
Views: 209697

Re: v7.14.1 [stable] is released!

After the update to 7.14.1 (and possibly 7.14 as well) my hAP ac lite (RB952Ui-5ac2nD) cannot maintain wireless clients anymore

Appears to be an unrelated error in configuration that manifested only after a reboot.
by Kentzo
Tue Mar 12, 2024 1:19 am
Forum: Beginner Basics
Topic: Airplay/Multicast packet not flooding in bridge vlan
Replies: 17
Views: 3476

Re: Airplay/Multicast packet not flooding in bridge vlan

turns out enabling IGMP snooping on the bridge was key to getting AirPlay to work across VLANs!
This is interesting. If anything, I'd expect this feature to break things not fix them.
by Kentzo
Fri Feb 16, 2024 8:44 pm
Forum: Beginner Basics
Topic: RB5009 - invalid mtu 8000 on ether1 any idea why?
Replies: 7
Views: 992

Re: RB5009 - invalid mtu 8000 on ether1 any idea why?

And see if anything breaks.
This is one of the most annoying things to debug :)
by Kentzo
Thu Feb 15, 2024 8:43 pm
Forum: General
Topic: How to assign an IPv6 address to an IPsec roadwarrior client?
Replies: 7
Views: 1616

Re: How to assign an IPv6 address to an IPsec roadwarrior client?

Great that it works for you!

Was not feasible in my setup where clients want to derive network configuration from the IPsec responder.
by Kentzo
Wed Feb 14, 2024 11:12 pm
Forum: Beginner Basics
Topic: RB5009 - invalid mtu 8000 on ether1 any idea why?
Replies: 7
Views: 992

Re: RB5009 - invalid mtu 8000 on ether1 any idea why?

Upstream IPv6 router is improperly configured. IIRC RouterOS handles it gracefully but it will be in the logs.
by Kentzo
Tue Feb 13, 2024 8:29 pm
Forum: General
Topic: VPN gateway (IKEv2 Roadwarriors and IPV6) [SOLVED]
Replies: 4
Views: 1036

Re: VPN gateway (IKEv2 Roadwarriors and IPV6) [SOLVED]

I recommend running a proper IPsec server either elsewhere or in a docker container.
by Kentzo
Tue Feb 13, 2024 8:23 pm
Forum: General
Topic: How to assign an IPv6 address to an IPsec roadwarrior client?
Replies: 7
Views: 1616

Re: How to assign an IPv6 address to an IPsec roadwarrior client?

I don't think that's supported by RouterOS's IPsec client.
by Kentzo
Mon Feb 12, 2024 10:09 pm
Forum: General
Topic: Invalid Arp Entries in 7.4 version
Replies: 16
Views: 7425

Re: Invalid Arp Entries in 7.4 version

The 7.13.3 -> 7.13.4 upgrade broke the ARP record, it's "invalid" upon the first boot. Toggling the enabled status fixed the issue.
by Kentzo
Mon Feb 12, 2024 10:02 pm
Forum: Beginner Basics
Topic: Routing specific websites through IPSEC tunnel
Replies: 2
Views: 421

Re: Routing specific websites through IPSEC tunnel

One option is a combination of [RFC 8598] Split DNS Configuration and HTTPS proxy: IPsec responder tells the client to resolve github.com (INTERNAL_DNS_DOMAIN) via VPN's RDNSS (INTERNAL_IP4_DNS/INTERNAL_IP6_DNS) Client's software uses VPN's RDNSS to resolve github.com onto VPN's HTTPS proxy Client'...
by Kentzo
Wed Jan 31, 2024 9:02 am
Forum: General
Topic: IPv6: CRS not getting default routes via RA
Replies: 4
Views: 414

Re: IPv6: CRS not getting default routes via RA

You need to enable Neighbor Discovery (/ipv6/nd) on the interface that receives RA.
by Kentzo
Thu Jan 25, 2024 8:34 pm
Forum: General
Topic: Invalid Arp Entries in 7.4 version
Replies: 16
Views: 7425

Re: Invalid Arp Entries in 7.4 version

The 7.13.2 -> 7.13.3 upgrade broke the ARP record, it's "invalid" upon the first boot. Had to delete the record, reboot, and then re-add it.
by Kentzo
Wed Jan 24, 2024 4:46 am
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 158874

Re: v7.14beta [testing] is released!

I think an easy way to improve this would be to link to the relevant bug tracker case (MikroTik has one of these, right?) which would hopefully have more tech stuff for people to read over if they want. There is a per-user support tool, but it's not for tracking: they close tickets once they are ac...
by Kentzo
Tue Jan 23, 2024 10:40 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 158874

Re: v7.14beta [testing] is released!

No, I'd like the ability to set my own lifetime (lower) and not use the lifetime offered by the ISP, and I don't know if that's possible anymore? Since the changelog is rather vague.
Agree, there must remain a possibility to change these values administratively. Changelog quality is piss-poor.
by Kentzo
Tue Jan 23, 2024 9:44 pm
Forum: Wireless Networking
Topic: Apple devices won't connect
Replies: 13
Views: 2906

Re: Apple devices won't connect

Apple devices cache information about WiFi access points. If you played with configuration on your router, such as changing SSID or security settings, then you can try "forgetting" the networks and rebooting the problematic devices.
by Kentzo
Tue Jan 23, 2024 8:24 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 158874

Re: v7.14beta [testing] is released!

So they advertise the lifetime of the received prefix now? how sad. Do you prefer stale prefixes to linger for 30 days instead? RFC requires valid and lifetime values in advertisements of prefixes derived from PD to not exceed the parent PD. Note that if PD renews to the same value, no renumbering ...
by Kentzo
Tue Jan 23, 2024 7:12 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 158874

Re: v7.14beta [testing] is released!

Some time ago I filed a bug report about RA’s advertised prefix “valid” and “lifetime” not respecting corresponding values of DHCPv6 Client PD (it used values from the `default` submenu instead).

Perhaps that’s what they addressed here?
by Kentzo
Mon Jan 22, 2024 3:57 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 158874

Re: v7.14beta [testing] is released!

And also helps potential attackers to scan IPv6 address space much more effectively. And why do you consider SOHO differently than DCs and other corporate installations? Only trusted side of the LAN gets the privilege of proper response. I treat it differently with respect to “wasted cpu cycles” co...
by Kentzo
Sat Jan 20, 2024 8:19 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 158874

Re: v7.14beta [testing] is released!

Why waste efforts/CPU cycles on ICMPv4/v6 replies for non-existent pathways? I know there's an RFC for ICMPv4/v6 replies on the LAN, but that was written 20 years ago. I think we discussed that previously elsewhere? For DC, SP etc it does make sense. For a SOHO CE router it does not. Indeed, a blac...
by Kentzo
Sat Jan 20, 2024 1:50 am
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 158874

Re: v7.14beta [testing] is released!

The delegated prefix. Client receives /56 PD from upstream, /56 aggregate is blackholed.
Ah I see, the changelog could have worded it better. Hopefully it's configurable, to allow proper ICMP errors via firewall.
by Kentzo
Fri Jan 19, 2024 11:01 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 158874

Re: v7.14beta [testing] is released!

I don't think there is an RFC that states this, but it's always good practice to blackhole aggregates to prevent layer 3 loops. Most end-users won't know how to do this, so this auto-feature, will take care of that. Apologies, but I'm not following. What routes will be automatically added as blackh...
by Kentzo
Fri Jan 19, 2024 11:01 am
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 158874

Re: v7.14beta [testing] is released!

Could someone comment on:
dhcpv6-client - install dynamic IPv6 blackhole routes in corresponding routing-table;
What RFC / part of RFC is being implemented here?
by Kentzo
Tue Jan 16, 2024 10:44 pm
Forum: General
Topic: Invalid Arp Entries in 7.4 version
Replies: 16
Views: 7425

Re: Invalid Arp Entries in 7.4 version

Smooth upgrade from 7.13.1 to 7.13.2: the static ARP record was not marked as invalid. Fixed?
by Kentzo
Mon Jan 15, 2024 7:44 am
Forum: Wireless Networking
Topic: Mikrotik wifi disconnects on my MPB when continuity camera from iPhone
Replies: 4
Views: 2046

Re: Mikrotik wifi disconnects on my MPB when continuity camera from iPhone

Can you see the disconnection reason in the RouterOS logs?
by Kentzo
Sat Jan 13, 2024 9:38 pm
Forum: General
Topic: IPv6 configuration /64
Replies: 26
Views: 3885

Re: IPv6 configuration /64

What's the output of `/ipv6/route/print` and `/ipv6/settings/print` on RouterOS?
by Kentzo
Wed Jan 10, 2024 10:57 pm
Forum: General
Topic: IPv6 bitmask in dst-address?
Replies: 4
Views: 1101

Re: IPv6 bitmask in dst-address?

atm, your best recourse is to submit a feature request at help.mikrotik.com
by Kentzo
Wed Jan 10, 2024 10:55 pm
Forum: General
Topic: EoIP DHCP to specific MAC from SITE B
Replies: 2
Views: 936

Re: EoIP DHCP to specific MAC from SITE B

I understand neither what you're trying to set up, nor the question / problem. Could you unfold it in more detail?
by Kentzo
Wed Jan 10, 2024 9:19 am
Forum: General
Topic: IPv6 configuration /64
Replies: 26
Views: 3885

Re: IPv6 configuration /64

Yes, but SLAAC won't work and addresses will have to be assigned administratively.
by Kentzo
Wed Jan 10, 2024 9:10 am
Forum: General
Topic: Invalid Arp Entries in 7.4 version
Replies: 16
Views: 7425

Re: Invalid Arp Entries in 7.4 version

Same on 7.13.1

Except this time the ARP record remains invalid even after a reboot. To get this fixed I had to remove and re-add the entry. Rebooted after each action, for good measure.
by Kentzo
Sat Dec 23, 2023 5:49 pm
Forum: General
Topic: What is the packets coming from cable modem to router
Replies: 19
Views: 2907

Re: What is the packets coming from cable modem to router

Unless you specifically configured the router to do that, then it is unlikely to initiate these connections. That was just a wild guess.

Have you complained about a port scan initiated by your router on your local / ISP forum?
by Kentzo
Fri Dec 22, 2023 9:51 pm
Forum: Wireless Networking
Topic: WiFi with Apple Products
Replies: 102
Views: 34592

Re: WiFi with Apple Products

@nonolk You'd do God's work if you could troubleshoot on iPad and collect the logs. I'd do it myself, but have no device to reproduce it.
by Kentzo
Thu Dec 21, 2023 11:01 pm
Forum: Wireless Networking
Topic: WiFi with Apple Products
Replies: 102
Views: 34592

Re: WiFi with Apple Products

I remotely remember having an issue with iPad (Pro, gen. 2, os ver. 17.x) connecting to WiFi after I replaced my AP (RB952Ui -> C53UiG) and changed authentication to WPA3-PSK while keeping SSID. It displayed the same silly error about the wrong password. Had to delete the WiFi config on the iPad and...
by Kentzo
Thu Dec 21, 2023 10:54 pm
Forum: Beginner Basics
Topic: IPv6 Prefix Delegation PPPoE with VLANs
Replies: 19
Views: 3803

Re: IPv6 Prefix Delegation PPPoE with VLANs

If I activate IPv6 -> DHCP Client -> "Use Peer DNS" in ROS, the Linux clients probably prefer to use the IPv6 DNS server transmitted by the ISP. As a result, local host names are no longer resolved. You can provide your own DNS server within your LAN via /ipv6/nd's dns property and /ipv6/...
by Kentzo
Thu Dec 21, 2023 7:02 pm
Forum: General
Topic: Looking for help debugging IPv6 issue with Xfinity [SOLVED]
Replies: 11
Views: 2547

Re: Looking for help debugging IPv6 issue with Xfinity [SOLVED]

I rely on RouterOS to do the filtering of incoming RA broadcasts and DHCPv6 replies. Assuming both RouterOS is flawed and Comcast fails DHCP filtering on their bridge, your rule won’t help against malicious server on the same link. Additionally it is not required by the RFC 8415 for client to initia...
by Kentzo
Wed Dec 20, 2023 12:33 am
Forum: General
Topic: What is the packets coming from cable modem to router
Replies: 19
Views: 2907

Re: What is the packets coming from cable modem to router

Could be a built-in "security" feature on the modem? But who knows. Tell your ISP support if you're concerned. Nothing Mikrotik-specific here.
by Kentzo
Tue Dec 19, 2023 6:26 pm
Forum: General
Topic: What is the packets coming from cable modem to router
Replies: 19
Views: 2907

Re: What is the packets coming from cable modem to router

I think what you see is due to the bridge and poor modem firmware. ISP wants to access your modem for whatever reason, they use your WAN IP to reach it. But your router also sees the packets because it is in the bridge. Although it is strange to see src address being that of an internal, LAN-side IP...
by Kentzo
Tue Dec 19, 2023 2:17 am
Forum: General
Topic: IPv6 Prefix Chunking from Pool
Replies: 3
Views: 968

Re: IPv6 Prefix Chunking from Pool

Before RouterOS can assign an address it needs to allocate a pool. This pool is allocated with prefix-length set to whatever value you set in the pool-prefix-length property. You configured it to allocate pool of size 56 and then to take the ::1/64 address from it. What you probably want is `pool-pr...
by Kentzo
Tue Dec 19, 2023 12:56 am
Forum: General
Topic: IPv6 Prefix Chunking from Pool
Replies: 3
Views: 968

Re: IPv6 Prefix Chunking from Pool

You misconfigured it, `pool-prefix-length` is used as the value for /ipv6/pool's prefix-length of the dynamically created pool. I.e. it's the size of the chunks.
by Kentzo
Tue Dec 19, 2023 12:52 am
Forum: Beginner Basics
Topic: IPv6 Prefix Delegation PPPoE with VLANs
Replies: 19
Views: 3803

Re: IPv6 Prefix Delegation PPPoE with VLANs

Have you tried changing /ipv6/dhcp-client to `request=address,prefix` ?
by Kentzo
Tue Dec 19, 2023 12:51 am
Forum: General
Topic: What is the packets coming from cable modem to router
Replies: 19
Views: 2907

Re: What is the packets coming from cable modem to router

What is your ISP and what is the make and model of the router? If that's common for their devices to do that, I'm sure there are discussions.
by Kentzo
Sun Dec 17, 2023 6:40 pm
Forum: Beginner Basics
Topic: IPv6 Prefix Delegation PPPoE with VLANs
Replies: 19
Views: 3803

Re: IPv6 Prefix Delegation PPPoE with VLANs

but from technical point of view it doesn't matter at all.
If the DHCPv6 server upstream is under your control then it may be desirable to put routers into a separate prefix from clients.
by Kentzo
Sun Dec 17, 2023 7:43 am
Forum: Beginner Basics
Topic: IPv6 Prefix Delegation PPPoE with VLANs
Replies: 19
Views: 3803

Re: IPv6 Prefix Delegation PPPoE with VLANs

Any with the public prefix is good. They all represent the same device just on different internal interfaces. Some ISPs can allocate an address alongside the prefix, you can ask for it via `/ipv6/dhcp-client/set request=address,prefix`. Note that this is optional and may not be available. Alternativ...
by Kentzo
Sat Dec 16, 2023 11:32 pm
Forum: General
Topic: D53G-5HacD2HnD update 7.13 no Wifi
Replies: 24
Views: 4824

Re: D53G-5HacD2HnD update 7.13 no Wifi

16MB flash is a bit tight for ROS 7.13
The upgrade of my ancient RB952Ui went smoothly (7.12.1, 16MB flash, 64MB RAM), I have 3176.0KiB remaining. Before the upgrade I made sure that no extra packages were installed and /files/print was empty.
by Kentzo
Sat Dec 16, 2023 1:40 am
Forum: Beginner Basics
Topic: How to check IP tunnel is working [SOLVED]
Replies: 5
Views: 3411

Re: How to check IP tunnel is working [SOLVED]

You will have to dissect logs. If I recall correctly, identifier of each SA is logged.
by Kentzo
Sat Dec 16, 2023 1:39 am
Forum: Beginner Basics
Topic: IPv6 Prefix Delegation PPPoE with VLANs
Replies: 19
Views: 3803

Re: IPv6 Prefix Delegation PPPoE with VLANs

What version of RouterOS do you run? There was (?) a bug where RouterOS incorrectly recognized suffix addresses as duplicates and removed all but one.
by Kentzo
Sat Dec 16, 2023 12:35 am
Forum: General
Topic: Invalid Arp Entries in 7.4 version
Replies: 16
Views: 7425

Re: Invalid Arp Entries in 7.4 version

Had a similar problem with 7.12.1 on RB952Ui (MIPSBE) but not C53UiG (arm64). The reboot fixed invalid static entries, as they became valid.

SUP-137777 (cool number)
by Kentzo
Fri Dec 15, 2023 9:30 pm
Forum: General
Topic: What is the packets coming from cable modem to router
Replies: 19
Views: 2907

Re: What is the packets coming from cable modem to router

The suspicious detail is that packets originate from modem's IP and standard http (80) and https (443) ports. I was thinking about a web server that serves the Modem itself, e.g. a javascript-heavy web admin. On LAN side there is a Raspberry Pi that has Unifi Controller Server for managing Unifi A...
by Kentzo
Thu Dec 14, 2023 8:51 pm
Forum: General
Topic: What is the packets coming from cable modem to router
Replies: 19
Views: 2907

Re: What is the packets coming from cable modem to router

If it were the FORWARD chain (i.e. some other device in your LAN accessed the Modem) I'd guess that web server on the Modem simply maintains connection longer than your /ip/firewall/connection/tracking/ settings. However, it is suspicious that the Modem accesses the Router directly. Do you run somethin...
by Kentzo
Thu Dec 14, 2023 8:24 pm
Forum: Beginner Basics
Topic: How to check IP tunnel is working [SOLVED]
Replies: 5
Views: 3411

Re: How to check IP tunnel is working [SOLVED]

Enable debug logging for the ipsec via `/system/logging/add action=memory topics=ipsec,debug`
by Kentzo
Tue Dec 12, 2023 9:54 pm
Forum: Containers
Topic: Hardware accelerated encryption
Replies: 3
Views: 2526

Re: Hardware accelerated encryption

Indeed I'm aware that an implementation is available for the CPU used by AX3. But does "it just works"?
by Kentzo
Tue Dec 12, 2023 2:05 am
Forum: Containers
Topic: Hardware accelerated encryption
Replies: 3
Views: 2526

Hardware accelerated encryption

Does anyone know if linux kernel run by RouterOS exposes necessary interfaces for apps to use hardware accelerated encryption?
I'm planning to run an alpine container with strongSwan on AX3 (arm64) and would like to avoid obvious misconfiguration in that regard.
by Kentzo
Sun Dec 10, 2023 8:24 pm
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

This AP is the router at my place. Its location is fixed due to cable modem and all entertainment boxes that it supplies with ethernet.

Fantastic video, by the way. I find EM visualizations mesmerizing :)
by Kentzo
Sun Dec 10, 2023 12:44 am
Forum: Beginner Basics
Topic: IPv6 on only one vlan?
Replies: 22
Views: 4535

Re: IPv6 on only one vlan?

RA in RouterOS 7.12 is broken! You need to upgrade it to 7.12.1
Hmm, was it broken though? IIRC it only caused unnecessary renumbering, but otherwise it continued to work because the router continued sending periodic RAs after depreciation.
by Kentzo
Sat Dec 09, 2023 9:29 pm
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

I don't recommend any of devices with only 16MB of flash (hAP ac2 and cAP ac are both such devices), it's uncomfortably tight for v7 and new wifi drivers. Then I'll wait till they release something cheap with more storage. Spending $100 for 3 feet of extra coverage is a bit too much. Perhaps I shoul...
by Kentzo
Sat Dec 09, 2023 12:42 am
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

Can you guys confirm that a WDS is out if I need to keep 2.4Ghz on an AP for clients? Can I set up a WDS with a virtual AP on C53UiG (so another virtual AP could serve clients)?

If I can, would that work better than EoIP (better multicast-helper, lesser overhead)?
by Kentzo
Fri Dec 08, 2023 10:31 pm
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

So it seems that you need two APs. And proper roaming will only work if both are running wave2/wifi drivers and capsman is in the mix.
What would be the cheapest dual band AP that supports the upcoming wifi driver? RBD52G?
by Kentzo
Fri Dec 08, 2023 6:31 pm
Forum: Announcements
Topic: WinBox v3.40 released!
Replies: 164
Views: 158108

Re: WinBox v3.40 released!

Why use crossover, when Wine works perfectly on macs?
IIRC there is no maintainer for macOS in the Wine project.
by Kentzo
Fri Dec 08, 2023 10:18 am
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

Regardless of band, channel and width the client cannot reach the C53UiG AP from that spot. I literally make 3 steps into the room and iperf drops from 150Mbit/s to 1Mbit/s. Which is still an improvement because old RB952Ui got 0Mbit/s :) Even if not Apple, their advice is mostly generic. And most a...
by Kentzo
Fri Dec 08, 2023 9:58 am
Forum: Beginner Basics
Topic: Why adding EoIP interface to bridge lowers MTU to 1458, and breaks HTTPS connectivity (timeout errors) for some sites?
Replies: 5
Views: 3171

Re: Why adding EoIP interface to bridge lowers MTU to 1458, and breaks HTTPS connectivity (timeout errors) for some site

Now, after L2MTU of the offending bridge port is increased, all others (i.e. bridge) have to be increased manually as well In my case MTU of VLANs got re-adjusted after a reboot. How does the bridge derive which interface is going to carry EoIP? In principle, underlying interface can be switched on...
by Kentzo
Fri Dec 08, 2023 9:17 am
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

Back to the "mesh" of 2 devices: one of my old hAP ac lite (one that still has somewhat white case) and the new and shiny hAP ax^3. Idea: The station-bridge and WDS cannot be used between wifiwave2 and wireless drivers. Instead the link between the APs is established via the 2.4Ghz network...
by Kentzo
Fri Dec 08, 2023 8:18 am
Forum: Beginner Basics
Topic: EoIP: guarantee MTU of 1500 [SOLVED]
Replies: 4
Views: 2655

Re: EoIP: guarantee MTU of 1500 [SOLVED]

FWIW, the current stable RouterOS allows MTU of 2290 with wifiwave2.

Hmm, I get the out-of-range error on AX3 with 7.12.1 when I attempt to set a value greater than 1560.
by Kentzo
Fri Dec 08, 2023 5:03 am
Forum: Beginner Basics
Topic: EoIP: guarantee MTU of 1500 [SOLVED]
Replies: 4
Views: 2655

EoIP: guarantee MTU of 1500 [SOLVED]

I'm planning a workaround to bridge interfaces of a legacy wireless station with interfaces of wifiwave2 AP. Since station-bridge is out, the plan is to use an EoIP tunnel as a VLAN trunk. The wireless station has L2 MTU of 2290 and the wifiwave2 AP has L2 MTU of 1560 (see the 7.12 changelog). What ...
by Kentzo
Fri Dec 08, 2023 4:47 am
Forum: Beginner Basics
Topic: VLAN: Actual MTU less then MTU [SOLVED]
Replies: 3
Views: 2643

Re: VLAN: Actual MTU less then MTU [SOLVED]

Maybe run a quick sniffer on the VLAN to see if the packets are actually getting a reduced MTU (e.g. is a bug in /interface/print OR actually reducing MTU). Funny thing: Pings (ping -D -s 1472 1.1.1.1) from the host on one of these VLANs to Internet behaved as if MTU was 1500. BUT Pings (:ping 192....
by Kentzo
Fri Dec 08, 2023 4:44 am
Forum: Beginner Basics
Topic: VLAN: Actual MTU less then MTU [SOLVED]
Replies: 3
Views: 2643

Re: VLAN: Actual MTU less then MTU [SOLVED]

There was an EoIP slave interface as a bridge port that had MTU of 1458, but it's now gone. The reboot fixed Actual MTU back to 1500.
by Kentzo
Fri Dec 08, 2023 3:47 am
Forum: Beginner Basics
Topic: VLAN: Actual MTU less then MTU [SOLVED]
Replies: 3
Views: 2643

VLAN: Actual MTU less then MTU [SOLVED]

Cannot quite wrap my head about both Winbox and Terminal showing Actual MTU of VLAN interfaces (on a bridge) less than MTU: 1458 vs 1500. Smallest L2 MTU is 1560 for a WiFi interface. Disregarding that, I don't even understand what can possibly add that much overhead as there are no IP tunnels. > /inter...
by Kentzo
Fri Dec 08, 2023 1:45 am
Forum: Wireless Networking
Topic: WiFi Level2 MTU ax Products
Replies: 1
Views: 2360

Re: WiFi Level2 MTU ax Products

I join this question.

That's in release notes for 7.12:
*) wifiwave2 - limit L2MTU to 1560 until a fix is available for a bug causing interfaces to fail transmitting larger frames than that;
by Kentzo
Thu Dec 07, 2023 9:29 pm
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

Not compatible with new CAPsMAN either?

I wonder how it's going to work if I have the same SSID and Security settings on two 5Ghz APs: one with wifiwave2 and another with wireless. Would it be prudent to disable 802.11k/r/v on the wifiwave2 device?
by Kentzo
Thu Dec 07, 2023 9:25 pm
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

Is it feasible to connect the legacy RB952 with the wireless package as station-bridge to a wifiwave2/wifi AP?
by Kentzo
Thu Dec 07, 2023 10:31 am
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

These APs no longer exist, they were replaced by new AX3.

@mkx I fear that for some reason outgoing radio signal gets trapped. My area is not that busy per frequency scan / history. I think it is the layout and materials used in my house.
by Kentzo
Thu Dec 07, 2023 7:27 am
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

Yes, both APs can reach the internet, it’s just 2.4Ghz (20Mhz) is quite a bit slower than 5Ghz (20/40Mhz) even when a client has the perfect signal. Perhaps I should try 20/40 on both, maybe it will improve client’s behavior. So I did some more testing by assigning separate SSIDs for 2.4Ghz and 5Gh...
by Kentzo
Thu Dec 07, 2023 6:10 am
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

That's what I usually do.
What is your reasoning? My understanding is that 802.11k (Steering RNM), 802.11r (FT) and 802.11v (Steering WNM) are supposed to work among virtual and master APs on the same device without CAPsMAN. Is it not the case?
by Kentzo
Wed Dec 06, 2023 11:19 pm
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

Is it meaningful to use CAPsMAN to manage APs (2.4 and 5) on the same and only device? I assume that 802.11r's ft-over-ds won't work otherwise.
by Kentzo
Tue Dec 05, 2023 7:09 pm
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

Well ... it's not ROS kicking device, it's device which doesn't want to stick to MT (it's device which does disconnect). It might be that MT sends some roaming info which device doesn't like. Hard to tell. Are you 100% sure that both radios provide actual network connectivity? If device roams to 2....
by Kentzo
Tue Dec 05, 2023 2:52 am
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

Still no definitive success with that zone: 2.4: `security.connect-priority=1 .ft=yes .ft-over-ds=no steering.neighbor-group=foobar .rrm=yes .wnm=yes` 5: `configuration.tx-power=16 security.connect-priority=0/1 .ft=yes .ft-over-ds=no steering.neighbor-group=foobar .rrm=yes .wnm=yes` In the logs I se...
by Kentzo
Mon Dec 04, 2023 8:05 pm
Forum: Containers
Topic: A question about ram-high Topic is solved
Replies: 5
Views: 7857

Re: A question about ram-high Topic is solved

The support confirmed:
The 'ram-high' value in the '/container/config' is set for all containers collectively.
by Kentzo
Sat Dec 02, 2023 12:08 am
Forum: Wireless Networking
Topic: hAP ax3 has (weird) WiFi issues (5GHz)
Replies: 10
Views: 3516

Re: hAP ax3 has (weird) WiFi issues (5GHz)

Try setting `ft=yes`.
by Kentzo
Fri Dec 01, 2023 2:28 am
Forum: Wireless Networking
Topic: hAP ax3 has (weird) WiFi issues (5GHz)
Replies: 10
Views: 3516

Re: hAP ax3 has (weird) WiFi issues (5GHz)

What do you see in the logs? Do you see good signal under the Registration tab (/interface/wifiwave2/registration-table/print stats)? What about /tool/profile, do you see high CPU usage there?
by Kentzo
Fri Dec 01, 2023 2:24 am
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

Thank you for clarifying the Tx Power selection. I see now that the idea of "a negative difference from the auto selection" is not viable as Tx Power reflects a transmission rate and the transmission rate is reflected in the auto selection. Perhaps I'm pushing my luck, but I have more ques...
by Kentzo
Thu Nov 30, 2023 5:57 pm
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

I don't think this will solve the ping-pong problem ... 802.11r/k/v should help with this problem, but only for stations fully supporting these standard. I have a place in my home where overall signal drops sharply, with about 10dBm difference between 5Ghz and 2.4Ghz. Apparently for this very speci...
by Kentzo
Thu Nov 30, 2023 7:47 am
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

How does the antenna-gain property work on AX3 and wifiwave2? The spec says the antenna gain is 5.5dBm, but I don't see any reduction of the tx power in `/interface/wifiwave2 monitor` until I set configuration.antenna-gain to 11dBm (-1dBm in tx power). My goal is to reduce power for 5Ghz roaming, so...
by Kentzo
Wed Nov 29, 2023 11:04 pm
Forum: Containers
Topic: How to achieve memory deduplication?
Replies: 1
Views: 2031

Re: How to achieve memory deduplication?

I see that there is an undocumented parameter in /container/config: layer-dir.

I wonder whether it's for the container extraction algorithm used by RouterOS to share common layers and works even on ext4. Has anyone tried it?
by Kentzo
Wed Nov 29, 2023 10:51 pm
Forum: Containers
Topic: How to achieve memory deduplication?
Replies: 1
Views: 2031

How to achieve memory deduplication?

Since containers consist of layers, multiple containers based on the same image will share the same layer. I see that /disk (at least with ROSE installed) supports the btrfs format which, under the hood, supports copy-on-write making deduplication possible on the file system level. Thus the kernel c...
by Kentzo
Wed Nov 29, 2023 10:38 pm
Forum: Containers
Topic: A question about ram-high Topic is solved
Replies: 5
Views: 7857

Re: A question about ram-high Topic is solved

I'm also interested to learn what exactly is controlled by the "ram-high" parameter.

SUP-136073
by Kentzo
Wed Nov 29, 2023 8:06 pm
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

For the love of god, where do I see the channel my radios are roaming in wifiwave2?

/interface/wifiwave2/monitor
by Kentzo
Wed Nov 29, 2023 7:50 pm
Forum: Wireless Networking
Topic: hAP AX3 slow SMB transfers with MacOS and Apple TV
Replies: 52
Views: 8918

Re: hAP AX3 slow SMB transfers with MacOS and Apple TV

Does it work correctly with smaller files?
IDK, I put an alpine linux container with samba, it works well.
by Kentzo
Wed Nov 29, 2023 4:29 am
Forum: Wireless Networking
Topic: hAP AX3 slow SMB transfers with MacOS and Apple TV
Replies: 52
Views: 8918

Re: hAP AX3 slow SMB transfers with MacOS and Apple TV

I tried SMB with ROSE today and while I was able to mount the share on macOS 14.1.1, it did not work properly. While transferring a 6.5GB file from macOS to RouterOS, I got an error after about 1GB. Surprisingly the /disk/monitor-traffic still reported writes at disk speed, although no data was bein...
by Kentzo
Tue Nov 28, 2023 7:19 pm
Forum: Wireless Networking
Topic: Key Handshake Timeout
Replies: 8
Views: 2235

Re: Key Handshake Timeout

You have to sniff the traffic (likely HTTP) and see if there is anything that distinguishes updates. Hopefully it is just a URL. You can do it on RouterOS or via software like Pi-hole (for an example see https://discourse.pi-hole.net/t/block-specific-websites/55573). IIRC Pi-hole can be run in a co...
by Kentzo
Tue Nov 28, 2023 6:09 pm
Forum: Wireless Networking
Topic: Key Handshake Timeout
Replies: 8
Views: 2235

Re: Key Handshake Timeout

You can block the update on the router, e.g. by serving it an invalid IP for the domain it uses, or blocking in the firewall by IP or L7.
by Kentzo
Mon Nov 27, 2023 12:31 am
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

Please bear with me, because I do struggle to get a coherent picture of the wifiwave2 (and very wifi, which is very similar) configuration.

Are you saying that VLAN-related settings do not work at all, they do work but only under CAPsMAN or it's a mix of that?
by Kentzo
Sun Nov 26, 2023 9:09 am
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

I saw elsewhere, that VLAN needs to be configured via /interface/bridge/port, i.e. the wifi interfaces deal with untagged traffic. At the same time I do see that both Access List and Datapath allows some VLAN configuration. How do these options coexist?
by Kentzo
Fri Nov 24, 2023 10:01 pm
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

I contacted the support (requesting to improve the online doc) and got the following reply: Band setting specifies what band/wireless standard should be used, "Supported frequency band and wireless standard. Defaults to newest supported standard.". Wireless standards are made to be backwar...
by Kentzo
Fri Nov 24, 2023 9:55 pm
Forum: Wireless Networking
Topic: Key Handshake Timeout
Replies: 8
Views: 2235

Re: Key Handshake Timeout

It can be beneficial to have an additional device with a spare WiFi card to sniff raw Wireless traffic between the AP and clients as it may help to determine the culprit and capture evidence for warranty and service requests. Practical wise, it makes more sense to disable all automatic updates and o...
by Kentzo
Fri Nov 24, 2023 11:19 am
Forum: Wireless Networking
Topic: Key Handshake Timeout
Replies: 8
Views: 2235

Re: Key Handshake Timeout

Could it be that the thermostat got an over-the-air update which failed to apply cleanly?
by Kentzo
Thu Nov 23, 2023 10:49 pm
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Re: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

Newbie question #2:

When setting `band` in the channel profile of wifiwave2 / WiFi, do I set the minimum required or maximum allowed standard? I.e. when configuring a 2.4Ghz chain to accommodate both 802.11n and 802.11ax, what value must I use?
by Kentzo
Tue Nov 21, 2023 7:44 am
Forum: Wireless Networking
Topic: Mikrotik wifi disconnects on my MPB when continuity camera from iPhone
Replies: 4
Views: 2046

Re: Mikrotik wifi disconnects on my MPB when continuity camera from iPhone

See the "process:airportd" in the Console.app and /var/log/wifi/log. Might give you some hints with respect to disconnects.
by Kentzo
Tue Nov 21, 2023 5:37 am
Forum: General
Topic: IPv6 DNS (though DHCP) for Windows devices
Replies: 11
Views: 2735

Re: IPv6 DNS (though DHCP) for Windows devices

If you disable every and all drop and reject rule in the firewall, does it still not work?
by Kentzo
Sat Nov 18, 2023 9:07 pm
Forum: Wireless Networking
Topic: Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD
Replies: 43
Views: 6330

Migrating a mesh of RB952Ui-5ac2nD to single C53UiG+5HPaxD2HPaxD

Got myself an early Christmas present and currently planning the transition. I have a few modern (ax-capable) laptops, mobile devices and a bunch of low-power (n) IoT devices. There is no need for much bandwidth and I'm happy to trade it to reduce lag, such as when low-powered devices join and force...
by Kentzo
Sat Nov 18, 2023 1:44 am
Forum: Wireless Networking
Topic: Bridge filtering client-to-client traffic
Replies: 14
Views: 2917

Re: Bridge filtering client-to-client traffic

To my best knowledge the only approach is to split them into dedicated broadcast domains and then proxy broadcasts when necessary (e.g. mDNS repeater for mDNS).

Please report back if you find a solution to keep the WiFi clients in the same broadcast domain while being able to filter traffic.
by Kentzo
Fri Nov 17, 2023 7:40 pm
Forum: General
Topic: IPv6 prefixes leaking between vlans?
Replies: 7
Views: 1222

Re: IPv6 prefixes leaking between vlans?

I thought I needed that config to pass the prefix from the ISP to my LANs - is that not the case? Unless there is a very new change I’m not aware of, DHCPv6 server on RouterOS does not support address assignment and only allows prefix delegation (and only a subset of capabilities at that) and confi...
by Kentzo
Fri Nov 17, 2023 7:33 pm
Forum: Wireless Networking
Topic: Bridge filtering client-to-client traffic
Replies: 14
Views: 2917

Re: Bridge filtering client-to-client traffic

Not sure what you mean by WiFi drivers
wifiwave2 (new) and wireless (legacy) in Mikrotik’s terminology. Each has its own submenu for configuration and, iirc, are mutually exclusive.
by Kentzo
Fri Nov 17, 2023 5:05 pm
Forum: Wireless Networking
Topic: Bridge filtering client-to-client traffic
Replies: 14
Views: 2917

Re: Bridge filtering client-to-client traffic

What about separate VLANs for the main and virtual APs, does the new driver support that?
by Kentzo
Fri Nov 17, 2023 9:09 am
Forum: Wireless Networking
Topic: Bridge filtering client-to-client traffic
Replies: 14
Views: 2917

Re: Bridge filtering client-to-client traffic

I recently asked a similar question on reddit. I judge by the answers that this feature is not very common. --- Well, yes. Say you want to have all your LED lamps with their controller in a network where they can talk to each other and to internet, but not to your PC or TV or whatever, then you put ...
by Kentzo
Fri Nov 17, 2023 4:29 am
Forum: General
Topic: IPv6 prefixes leaking between vlans?
Replies: 7
Views: 1222

Re: IPv6 prefixes leaking between vlans?

I wonder what underlying ICMPv6 packets looked like when RouterOS advertised itself to each vlan. Perhaps it's reasonable to file a bug request at help.mikrotik.com? --- By the way, what is the goal of /ipv6 dhcp-server add address-pool=lan-ipv6 interface=vlan-lan lease-time=12h name=\ lan-ipv6-pool...
by Kentzo
Tue Nov 14, 2023 2:18 am
Forum: Announcements
Topic: v7.13beta [testing] is released!
Replies: 467
Views: 96060

Re: v7.13beta [testing] is released!

Dunno about "code 5" (src addr policy), but code 6 is action= "reject" action already. Mmm... do you mean that "action=reject" aka "action=reject reject-with=icmp-network-unreachable" sends ICMPv6 Type 1 Code 6 and not ICMPv6 Type 1 Code 0? Either way, there ...
by Kentzo
Tue Nov 14, 2023 12:45 am
Forum: Announcements
Topic: v7.13beta [testing] is released!
Replies: 467
Views: 96060

Re: v7.13beta [testing] is released!

*) firewall - added new IPv6 filter arguments "icmp-err-src-routing-header" and "icmp-headers-too-long" for "reject-with" setting; What are the corresponding ICMPv6 Type 1 codes, is it now like this? 0: icmp-address-unreachable 1: icmp-admin-prohibited 2: icmp-not-nei...
by Kentzo
Sun Nov 12, 2023 12:39 am
Forum: Beginner Basics
Topic: IPv6 Configuration under Router OS 7
Replies: 39
Views: 4576

Re: IPv6 Configuration under Router OS 7

Do the hosts that cannot “browse” have a DNS server listed in their system settings? Can they resolve AAAA records via that DNS?
by Kentzo
Fri Nov 10, 2023 6:00 pm
Forum: Beginner Basics
Topic: IPv6 Configuration under Router OS 7
Replies: 39
Views: 4576

Re: IPv6 Configuration under Router OS 7

This is not an excuse for mistreating LAN hosts. Keep blackholes to outsiders if you cannot invest in appropriate hardware layout and engineering.

I think it is a mistake to apply techniques developed for business-on-budget applications to prosumer cases which my firewall is for.
by Kentzo
Fri Nov 10, 2023 8:32 am
Forum: Beginner Basics
Topic: IPv6 Configuration under Router OS 7
Replies: 39
Views: 4576

Re: IPv6 Configuration under Router OS 7

The reason for the trap interface is that it is used for rules that are site-specific and were omitted. Among other things it was necessary to reject packets sent to unallocated subnets of the delegated prefix with appropriate ICMP. These rules perform sufficiently on my CPE that runs on somewhat ol...
by Kentzo
Fri Nov 10, 2023 1:51 am
Forum: Beginner Basics
Topic: IPv6 ND DNS value
Replies: 5
Views: 1531

Re: IPv6 ND DNS value

IIRC as long as it's a valid IPv6 address of an actual RDNS server then it should work.
by Kentzo
Thu Nov 09, 2023 7:18 pm
Forum: Beginner Basics
Topic: IPv6 ND DNS value
Replies: 5
Views: 1531

Re: IPv6 ND DNS value

You do not have to, as RDNS servers can be set up on hosts administratively. Having them advertised via DHCPv6 and/or Neighbor Discovery is solely at your discretion based on your situation. The DNS parameter in Neighbor Discovery is, in general, useful in simple setups where there is no DHCPv6 at ...
by Kentzo
Thu Nov 09, 2023 7:28 am
Forum: Beginner Basics
Topic: IPv6 Configuration under Router OS 7
Replies: 39
Views: 4576

Re: IPv6 Configuration under Router OS 7

Is there a base ruleset I should be using? This is what I use based on RFC 4890 and RFC 7084. Some site-specific and script-based rules are omitted, but if you follow RFC recommendations you can implement them. /interface bridge add comment="Trap to block routes with firewall" name=trap ...
by Kentzo
Thu Nov 09, 2023 2:45 am
Forum: Beginner Basics
Topic: IPv6 Configuration under Router OS 7
Replies: 39
Views: 4576

Re: IPv6 Configuration under Router OS 7

`/ipv6/settings/set accept-router-advertisements=yes` and disable all your drop ICMPv6 firewall rules, you can work on them after you get it all to work.
by Kentzo
Thu Nov 09, 2023 2:41 am
Forum: General
Topic: IPSEC Tunnel Established but not able to ping hosts
Replies: 10
Views: 2435

Re: IPSEC Tunnel Established but not able to ping hosts

Your routing or firewall is probably incorrect. Add logging to your NAT and drop rules. Sniff traffic to make sure packets go where you expect them to go.
by Kentzo
Thu Nov 09, 2023 2:21 am
Forum: Beginner Basics
Topic: IPv6 ND DNS value
Replies: 5
Views: 1531

Re: IPv6 ND DNS value

Your understanding is correct, see RFC 8106 for details.

Note, that not all hosts can extract DNS information from Router Advertisement messages. You likely want both DHCPv6 server options and ND option.
by Kentzo
Thu Nov 09, 2023 1:55 am
Forum: Beginner Basics
Topic: IPv6 Configuration under Router OS 7
Replies: 39
Views: 4576

Re: IPv6 Configuration under Router OS 7

Do I need to request a prefix and an IP address? Do you mean `/ipv6/dhcp-client/renew`? No, that should not be necessary. You can try a reboot though. See if you can sniff incoming ICMPv6 traffic on sfp-sfpplus1 to see the contents of the Router Advertisement message (ICMPv6 type 134). Could it be ...
by Kentzo
Thu Nov 09, 2023 1:22 am
Forum: Beginner Basics
Topic: IPv6 Configuration under Router OS 7
Replies: 39
Views: 4576

Re: IPv6 Configuration under Router OS 7

Might need to wait a little bit for the next RA to arrive before it takes effect.

What is your ISP, did they give you any instructions regarding configuring IPv6?
by Kentzo
Tue Nov 07, 2023 8:27 am
Forum: Beginner Basics
Topic: IPv6 Configuration under Router OS 7
Replies: 39
Views: 4576

Re: IPv6 Configuration under Router OS 7

Try
/ipv6/nd/add advertise-dns=no interface=sfp-sfpplus1 ra-lifetime=none ra-preference=low reachable-time=5m
to see if it gets you a default route (::/0) in /ipv6/route/print
by Kentzo
Wed Nov 01, 2023 9:13 pm
Forum: General
Topic: Looking for help debugging IPv6 issue with Xfinity [SOLVED]
Replies: 11
Views: 2547

Re: Looking for help debugging IPv6 issue with Xfinity [SOLVED]

Consider leaving a comment on Xfinity's forum. Let's keep pushing :)
by Kentzo
Wed Nov 01, 2023 4:49 am
Forum: General
Topic: Looking for help debugging IPv6 issue with Xfinity [SOLVED]
Replies: 11
Views: 2547

Re: Looking for help debugging IPv6 issue with Xfinity [SOLVED]

You cannot fix this, the error is on their side and they refuse to fix it. Best you can do is to configure logging to suppress this warning.
by Kentzo
Mon Oct 30, 2023 9:11 pm
Forum: General
Topic: Looking for help debugging IPv6 issue with Xfinity [SOLVED]
Replies: 11
Views: 2547

Re: Looking for help debugging IPv6 issue with Xfinity [SOLVED]

DHCPv6 cannot provide a default route by protocol design. The "Add Default Route" setting in RouterOS is an unfortunately named hack and needs to be disabled unless you are told otherwise by the upstream administrator. Contact mikrotik support and tell them that this naming is extremely mi...
by Kentzo
Sun Oct 29, 2023 7:51 pm
Forum: Beginner Basics
Topic: Static IPv6 DNS entries
Replies: 12
Views: 2562

Re: Static IPv6 DNS entries

You might have a misconception of how SLAAC operates. I recommend reading up the RFC about it. It will clear a lot of questions, specifically how address is formed and the connection to MAC.
by Kentzo
Sun Oct 29, 2023 8:16 am
Forum: General
Topic: ike2, wireguard, mark-routing, two isp and newbie
Replies: 7
Views: 1628

Re: ike2, wireguard, mark-routing, two isp and newbie

Everything appears as expected. At this point I'd start probing with /tool/sniffer and Wireshark to see where the traffic gets dropped. Are you positive that the Windows machine indeed routes traffic to ping.eu via IPsec connection? It might be possible that it fails just like macOS / iOS, but then ...
by Kentzo
Sun Oct 29, 2023 8:08 am
Forum: Beginner Basics
Topic: Static IPv6 DNS entries
Replies: 12
Views: 2562

Re: Static IPv6 DNS entries

Best is not avoid parsing /ipv6/neighbor/, as recommended by @mkx. Note that a SLAAC IPv6 address will consist, generally speaking, of 3 parts:
- Global ID that is given to you by the ISP
- Subnet ID that you can optionally provide
- Interface ID that is derived (in your case) from machine's MAC address [...
by Kentzo
Fri Oct 27, 2023 9:58 pm
Forum: General
Topic: Allow access to local network from IPSEC tunnel
Replies: 1
Views: 653

Re: Allow access to local network from IPSEC tunnel

It's difficult to guess without seeing RouterOS configuration. You say that incoming (from RouterOS perspective) traffic works, but forwarding doesn't. Except you somehow managed to access your local 192.168.13.8:80 over the IPsec tunnel from remote 192.168.16.0/24. It appears to me that IPsec is co...
by Kentzo
Wed Oct 25, 2023 9:59 pm
Forum: General
Topic: ike2, wireguard, mark-routing, two isp and newbie
Replies: 7
Views: 1628

Re: ike2, wireguard, mark-routing, two isp and newbie

From your description it appears to me that the very same route works for the Windows machine. I also don't immediately see in the config that RouterOS would treat Windows traffic any different from macOS traffic. To rule out the firewall, set identity's `notrack-chain` to `prerouting`. With this se...
by Kentzo
Wed Oct 25, 2023 6:57 am
Forum: Announcements
Topic: v7.12rc is released!
Replies: 225
Views: 95605

Re: v7.12rc is released!

On iOS 17 devices, established IKE2 peers will disconnect after 24 minutes of being connected.

It might be helpful to analyze iOS perspective. Search device's logs for the "NEIKEv2Provider" process.
by Kentzo
Wed Oct 25, 2023 1:58 am
Forum: General
Topic: ike2, wireguard, mark-routing, two isp and newbie
Replies: 7
Views: 1628

Re: ike2, wireguard, mark-routing, two isp and newbie

i'm sure
The screenshot doesn't show how the Router and Windows machine resolve ping.eu…

What is the IPv4 address that macOS machine obtains from its LAN, can you confirm its network configuration (DHCP?) doesn't overlap with the IPsec network?
by Kentzo
Wed Oct 25, 2023 1:41 am
Forum: General
Topic: Problem with ipv6 on cloud
Replies: 2
Views: 1038

Re: Problem with ipv6 on cloud

Interesting. I'm having the same issue here. It's not a UI bug since even if I enable DDNS the AAAA doesn't get created either.

Did you contact support?
by Kentzo
Wed Oct 25, 2023 1:33 am
Forum: General
Topic: Ipsec tunnel with only one public ip - it is possible?
Replies: 5
Views: 1218

Re: Ipsec tunnel with only one public ip - it is possible?

I'm wondering if it is possible?

Yes, that should work. Search the forum for "NAT-T" and "NAT traversal".
by Kentzo
Wed Oct 25, 2023 12:15 am
Forum: General
Topic: IPsec IKEv2 and multiple traffic selectors per SA
Replies: 4
Views: 2548

Re: IPsec IKEv2 and multiple traffic selectors per SA

I have a feeling that IKE2 in Mikrotik is not fully finished. Or it was done in some strange way, using a piece of IKEv1. This is my experience as well: RouterOS's implementation relies on mode config with IKEv2 even where IKEv2 has a "native" solution. Please send a feature request at he...
by Kentzo
Mon Oct 23, 2023 2:35 am
Forum: Beginner Basics
Topic: Site to Site GRE tunnel over IPsec (IKEv2) using DNS
Replies: 1
Views: 1291

Re: Site to Site GRE tunnel over IPsec (IKEv2) using DNS

I did not manage to make this:
add dst-network=10.1.202.0/24 gateway=172.16.1.2

it looked like wrong command so I used this:
add dst-address=10.1.202.0/24 gateway=172.16.1.2
Both lines look identical to me.
by Kentzo
Mon Oct 23, 2023 2:33 am
Forum: Beginner Basics
Topic: WIFI VLAN on ax^2
Replies: 4
Views: 1607

Re: WIFI VLAN on ax^2

IIRC, should be
/interface vlan add interface=bridge name=vlan10 vlan-id=10
/interface wifiwave2 set [ find default-name=wifi1 ] channel.skip-dfs-channels=all \
configuration.country=US .mode=ap .ssid=AP5 datapath.vlan-id=10 datapath.bridge=bridge \
disabled=no name="WIFI 5G" security.auth...
by Kentzo
Mon Oct 23, 2023 2:13 am
Forum: General
Topic: ike2, wireguard, mark-routing, two isp and newbie
Replies: 7
Views: 1628

Re: ike2, wireguard, mark-routing, two isp and newbie

Are you sure the address of ping.eu as resolved by the macOS machine matches the address as resolved by the Windows machine and router?
by Kentzo
Mon Oct 23, 2023 2:01 am
Forum: General
Topic: DNS via IKEv2 on iOS
Replies: 2
Views: 952

Re: DNS via IKEv2 on iOS

I cannot say whether iOS / macOS supports `INTERNAL_IP4_DNS` / `INTERNAL_IP6_DNS` alone, but it does work for me when used together with `INTERNAL_DNS_DOMAIN` via a strongSwan responder. I suggest to run an IKEv2 responder elsewhere (or containerize) using other software as RouterOS's implementation...
by Kentzo
Fri Oct 20, 2023 8:21 pm
Forum: General
Topic: Mikrotik + Strongswan IPSec tunnel slow TCP
Replies: 3
Views: 974

Re: Mikrotik + Strongswan IPSec tunnel slow TCP

About 20-40 networking and 10-20 firewall with max on 130 mbps
And when you do the same test with UDP?
by Kentzo
Thu Oct 19, 2023 6:26 pm
Forum: General
Topic: "ipv6 address from-pool" lost after reboot
Replies: 9
Views: 1239

Re: "ipv6 address from-pool" lost after reboot

Using `eui64=yes` triggers this bug, because it assigns the same (eui64-based) `address=` to both /ipv6/address entries, causing one of them to get lost during reboot. So setting `address=` explicitly is the only work-around I know at the moment.
Interesting. I was pretty sure it worked before.
by Kentzo
Wed Oct 18, 2023 10:28 pm
Forum: General
Topic: "ipv6 address from-pool" lost after reboot
Replies: 9
Views: 1239

Re: "ipv6 address from-pool" lost after reboot

Or is this a bug in RouterOS? AFAIK, it's an acknowledged bug. I reported it back in June (SUP-118219) and was told by Sergejs B.: Thank you for the report, we are aware of the particular problem, hopefully it will be fixed shortly. Please report this again at https://help.mikrotik.com. That being...
by Kentzo
Wed Oct 18, 2023 2:53 am
Forum: General
Topic: Mikrotik + Strongswan IPSec tunnel slow TCP
Replies: 3
Views: 974

Re: Mikrotik + Strongswan IPSec tunnel slow TCP

What does the /tool/profile show during the benchmark, what hogs the CPU?
by Kentzo
Fri Oct 13, 2023 7:59 pm
Forum: General
Topic: RouterOS 6.49.1 vs 7.11.2 IPSEC NAT problem
Replies: 5
Views: 1008

Re: RouterOS 6.49.1 vs 7.11.2 IPSEC NAT problem

I saw a few issues that seemed to be related to config transition. IMO worth a try to reset everything to default after upgrading to 7.11, and then manually apply the config.
by Kentzo
Fri Oct 13, 2023 7:55 pm
Forum: Forwarding Protocols
Topic: IGMP issue over mesh
Replies: 2
Views: 1464

Re: IGMP issue over mesh

Need config exports.
by Kentzo
Fri Oct 13, 2023 3:33 am
Forum: General
Topic: RouterOS 6.49.1 vs 7.11.2 IPSEC NAT problem
Replies: 5
Views: 1008

Re: RouterOS 6.49.1 vs 7.11.2 IPSEC NAT problem

Could it be a config transition issue? Try exporting config while on 6.49 and compare it with whatever you have on 7.11.
by Kentzo
Thu Oct 12, 2023 7:45 pm
Forum: General
Topic: PPPoE client and IPv6: problems with values derived from MAC address of parent interface
Replies: 5
Views: 930

Re: PPPoE client and IPv6: problems with values derived from MAC address of parent interface

Under what circumstances do you expect additional equipment in the PPP link? One possible scenario is that if another router is also a Mikrotik. But in this case PPP negotiation will either correct identifiers or reject the connection. In general, there is Duplicate Address Detection mechanism built...
by Kentzo
Thu Oct 12, 2023 3:44 am
Forum: General
Topic: Wireguard site to multi site
Replies: 5
Views: 2648

Re: Wireguard site to multi site

Perhaps your firewall drops the packet?
by Kentzo
Wed Oct 11, 2023 11:04 pm
Forum: General
Topic: PPPoE client and IPv6: problems with values derived from MAC address of parent interface
Replies: 5
Views: 930

Re: PPPoE client and IPv6: problems with values derived from MAC address of parent interface

Perhaps there could be a potential conflict of Interface Identifiers, IAIDs and/or DUIDs? My understanding is that:
- PPP's initial Interface Identifier you observe is a tentative one and is only unique within the PPP link between these two peers
- DHCPv6's IAID is only used within DHCPv6 client to dif...
by Kentzo
Tue Oct 10, 2023 10:23 pm
Forum: General
Topic: IPSec Mode Config issue
Replies: 1
Views: 498

Re: IPSec Mode Config issue

For IKEv2 you should be able to ditch the split-include extension and configure proper traffic selectors.

IIRC on macOS IKEv2 client respects only the first network in the split. Didn't test this in a while though, because see above.
by Kentzo
Fri Oct 06, 2023 9:45 pm
Forum: General
Topic: use a remote IP as gateway
Replies: 10
Views: 1349

Re: use a remote IP as gateway

I can indicate to .2.3 to use gateway .2.2, it can address it packets, but with OVPN this is not possible. I think I was pretty clear that with OpenVPN you have to go through the server. There is no way around it as you're essentially dealing with two separate links, as you have noticed. I suggeste...
by Kentzo
Thu Oct 05, 2023 10:07 pm
Forum: Beginner Basics
Topic: Help on applying advanced firewall rules
Replies: 27
Views: 2730

Re: Help on applying advanced firewall rules

@llamajaja has good wisdom… but if this is your personal device then go hack it.

Although consider something like GNS3 (it can virtualize RouterOS). It's better because you won't "brick" your LAN and can always reset to a clean slate.
by Kentzo
Thu Oct 05, 2023 9:48 pm
Forum: Beginner Basics
Topic: Help on applying advanced firewall rules
Replies: 27
Views: 2730

Re: Help on applying advanced firewall rules

Try adding the rules one by one to find the one that leads to ejection.
by Kentzo
Thu Oct 05, 2023 9:24 pm
Forum: General
Topic: use a remote IP as gateway
Replies: 10
Views: 1349

Re: use a remote IP as gateway

You want Policy Routing:
- 2.3 needs to select packets of the client (/32 source address) and send them via the 2.1 gateway
- 2.1 needs to select packets of the client (/32 source address) and send them via the 2.2 gateway
- 2.2, presumably, needs to NAT the packets and send them out via default ga...
by Kentzo
Wed Oct 04, 2023 10:55 pm
Forum: General
Topic: use a remote IP as gateway
Replies: 10
Views: 1349

Re: use a remote IP as gateway

So you have:
- 2.1 on the OVPN server
- 2.2 on one OVPN client
- 2.3 on another OVPN client
Both 2.2 and 2.3 use 2.1 as default gateway, presumably via the "add-default-route=yes" parameter of /ip/ovpn-client. Now you want 2.3 to use 2.2 as a default gateway instead. You need custom routin...
by Kentzo
Wed Oct 04, 2023 8:17 pm
Forum: General
Topic: Do I have a firewall or DNS problem? [SOLVED]
Replies: 6
Views: 1678

Re: Do I have a firewall or DNS problem? [SOLVED]

I do not see anything obviously wrong in your config, with respect to this issue. Have you considered that Fritzbox is doing something shady? I have never handled this device, but some googling landed:
- https://discourse.pi-hole.net/t/bogus-nsec-3-missing-since-fritzbox-update/63772/3
- https://commun...
by Kentzo
Tue Oct 03, 2023 8:35 pm
Forum: General
Topic: IPv6 addresses can not be deleted [SOLVED]
Replies: 6
Views: 9225

Re: IPv6 addresses can not be deleted [SOLVED]

This is a bug. And the problem is not solved. Why did you say it was solved in the title?
I'm running 7.10.2 and don't have an issue of reappearing deleted pools or addresses after a reboot.
by Kentzo
Tue Oct 03, 2023 8:32 pm
Forum: General
Topic: Do I have a firewall or DNS problem? [SOLVED]
Replies: 6
Views: 1678

Re: Do I have a firewall or DNS problem? [SOLVED]

Consider altering your firewall to REJECT (with appropriate ICMP codes), rather than DROP, packets that originate from your LAN. Should ease further debugging.
by Kentzo
Tue Oct 03, 2023 1:23 am
Forum: General
Topic: Recomandation router with good wifi
Replies: 16
Views: 2267

Re: Recomandation router with good wifi

I also recommend multiple APs. As alternatives to Ethernet consider Mesh systems (more expensive) and Powerline adapters (depends on how electric lines are wired).
by Kentzo
Tue Oct 03, 2023 1:19 am
Forum: Forwarding Protocols
Topic: radvd invalid mtu log spam
Replies: 4
Views: 2221

Re: radvd invalid mtu log spam

I'm using
/system logging
set 2 topics=warning,!radvd
to tame /log print.
by Kentzo
Sat Sep 23, 2023 5:44 pm
Forum: General
Topic: Help with IPv6 firewall rules
Replies: 4
Views: 1421

Re: Help with IPv6 firewall rules

Did the ISP give a single GUA IPv6 and you use NAT to forward traffic to ULA hosts?

If not, it’s likely a misconfiguration.
by Kentzo
Tue Sep 19, 2023 7:37 pm
Forum: General
Topic: IPV6 client obtained incorrect Sever DUID
Replies: 7
Views: 2734

Re: IPV6 client obtained incorrect Sever DUID

You should send your request directly to Mikrotik: https://help.mikrotik.com/servicedesk/servicedesk/
by Kentzo
Fri Sep 15, 2023 7:44 pm
Forum: General
Topic: Help with IPv6 firewall rules
Replies: 4
Views: 1421

Re: Help with IPv6 firewall rules

These filter rules look ok to me.

Is forwarding enabled in /ipv6/settings? Are you sure IPv6 addresses are the correct ones?

Show the export of the whole /ipv6/firewall, not just /ipv6/firewall/filter.
by Kentzo
Wed Sep 06, 2023 5:38 am
Forum: General
Topic: IPV6 client obtained incorrect Sever DUID
Replies: 7
Views: 2734

Re: IPV6 client obtained incorrect Sever DUID

RFC 8415 is pretty clear that DUIDs are opaque and thus RouterOS should not attempt any interpretation. I'd suggest to capture packets and contact MikroTik's technical support.
by Kentzo
Tue Sep 05, 2023 6:36 am
Forum: General
Topic: IPV6 client obtained incorrect Sever DUID
Replies: 7
Views: 2734

Re: IPV6 client obtained incorrect Sever DUID

Would it be possible to capture DHCPv6 exchange via packet tracer such as Wireshark? I wonder why RouterOS thinks server's DUID is bad.
by Kentzo
Thu Aug 31, 2023 10:50 pm
Forum: Announcements
Topic: v7.11.2 [stable] is released!
Replies: 348
Views: 168434

Re: v7.11 and 7.11.1 [stable] are released!

If the rules of the State change, it is not MikroTik's job to inform customers, it is assumed that they already know the law, which does not admit ignorance. I remember reading in change logs that this-or-that regulatory domain was updated up to standards. Sounds more likely that they pushed newer ...
by Kentzo
Tue Aug 29, 2023 7:33 pm
Forum: General
Topic: Why /interface/vlan interface responds to IP address from bridge or different VLAN interface [SOLVED]
Replies: 16
Views: 2768

Re: Why /interface/vlan interface responds to IP address from bridge or different VLAN interface [SOLVED]

Access to login and services can be controlled by IP though.

What behavior is recommended by RFCs? Perhaps there is a requirement for router to behave like this by default.
by Kentzo
Mon Aug 28, 2023 9:26 pm
Forum: General
Topic: Why /interface/vlan interface responds to IP address from bridge or different VLAN interface [SOLVED]
Replies: 16
Views: 2768

Re: Why /interface/vlan interface responds to IP address from bridge or different VLAN interface [SOLVED]

I think a LAN host can request a non on-link IPv4 of the router via ARP (maliciously, due to misconfiguration or by being transitioned from one LAN to another) and get a reply.
by Kentzo
Mon Aug 28, 2023 6:11 pm
Forum: Beginner Basics
Topic: IKE V2 established, cannot ping remote side Gateway
Replies: 3
Views: 1324

Re: IKE V2 established, cannot ping remote side Gateway

Are you sure it’s not a firewall rule then?

Might be a too restrictive input filter for packets coming from WAN. If so, use the ipsec-policy property.
by Kentzo
Mon Aug 28, 2023 9:27 am
Forum: Beginner Basics
Topic: IKE V2 established, cannot ping remote side Gateway
Replies: 3
Views: 1324

Re: IKE V2 established, cannot ping remote side Gateway

Have you tried to manually specify the src-address property on /tool/ping? Needs to match traffic selectors in the policy.
by Kentzo
Mon Aug 28, 2023 9:09 am
Forum: Beginner Basics
Topic: Can't ping IPv6 address with MikRouterOS [SOLVED]
Replies: 17
Views: 3353

Re: Can't ping IPv6 address with MikRouterOS [SOLVED]

/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
IPv6 is disabled. I suspect that's why addresses you self-assigned are marked as Invalid.
by Kentzo
Mon Aug 28, 2023 3:16 am
Forum: General
Topic: IKE2/IPSEC PSK - RB760iGS
Replies: 8
Views: 3068

Re: IKE2/IPSEC PSK - RB760iGS

Check its Android version and see if anyone else encountered IPsec problems with it. Can be a bug, a misconfiguration or just some IKEv2 functionality is not implemented by the client and/or RouterOS.
by Kentzo
Mon Aug 28, 2023 12:17 am
Forum: General
Topic: IKE2/IPSEC PSK - RB760iGS
Replies: 8
Views: 3068

Re: IKE2/IPSEC PSK - RB760iGS

Enable verbose logging of the ipsec subsystem on RouterOS via "/system/logging/add topics=ipsec,debug action=memory". It will give you much more info regarding the mismatches that lead to the destruction of the security association.
by Kentzo
Wed Aug 23, 2023 8:33 pm
Forum: General
Topic: Mangle Rule for ipsec trafic
Replies: 1
Views: 1006

Re: Mangle Rule for ipsec trafic

Have you tried the "ipsec-policy" property of firewall rules?
by Kentzo
Tue Aug 22, 2023 9:18 pm
Forum: Forwarding Protocols
Topic: IPV6 anycast support on ROS V7
Replies: 8
Views: 3193

Re: IPV6 anycast support on ROS V7

I asked the support whether no-dad affects the overriding flag and just received an answer that no it does not. The documentation was edited to reflect that no-dad=yes does not make address a proper anycast. So it appears within RouterOS you cannot assign an anycast address. Thus Scenario 2 in RFC 7...
by Kentzo
Tue Aug 22, 2023 1:47 am
Forum: Beginner Basics
Topic: Airplay/Multicast packet not flooding in bridge vlan
Replies: 17
Views: 3476

Re: Airplay/Multicast packet not flooding in bridge vlan

It's Sonos that sends mDNS for iPhone (and other devices to see), not the other way around.

Must be a misconfiguration somewhere. What is the IP of the Sonos device? Try to sniff all traffic between your iPhone and Sonos to see what ports are being used, see if you recognize any from the list.
by Kentzo
Mon Aug 21, 2023 11:49 pm
Forum: Forwarding Protocols
Topic: IPSEC not works on Routeros V7.11
Replies: 2
Views: 2334

Re: IPSEC not works on Routeros V7.11

I'd start by running /ip/ipsec/export before and after the upgrade to make sure that the configuration was preserved.
by Kentzo
Mon Aug 21, 2023 11:34 pm
Forum: Beginner Basics
Topic: Airplay/Multicast packet not flooding in bridge vlan
Replies: 17
Views: 3476

Re: Airplay/Multicast packet not flooding in bridge vlan

AirPlay only uses mDNS for device discovery, not for actual streaming. If you see "TV Room" in the list then mDNS is working and the issue is not related to multicast. The streaming itself is a unicast. Apple lists the following ports for Airplay: 554 UDP and 3689 TCP. Have you checked the...
by Kentzo
Mon Aug 21, 2023 10:39 pm
Forum: Beginner Basics
Topic: Cross VLAN Multicast / PIM Config
Replies: 30
Views: 8736

Re: Cross VLAN Multicast / PIM Config

trying to get multicast to route between subnets. First step is to understand nature of your multicast. If it's routable, then you need IGMP Proxy or PIM (as well as a careful look into IGMP Snooping, Multicast helpers etc). If it's non-routable then you need a repeater of some sort. E.g. mDNS's m...
by Kentzo
Sat Aug 19, 2023 11:32 pm
Forum: General
Topic: Mikrotik website about ipv6 throughput?
Replies: 47
Views: 5447

Re: Mikrotik website lying about throughput?

Drop your config here.
by Kentzo
Sat Aug 19, 2023 7:28 am
Forum: Beginner Basics
Topic: [SOLVED] Implementing IPv6 from scratch on v7.1.3 - concepts and questions [SOLVED]
Replies: 10
Views: 5188

Re: Implementing IPv6 from scratch on v7.1.3 (now v7.11) - concepts and questions [SOLVED]

You want to take a look at RFC 3513, section 2.5 to get an understanding of IPv6 addressing. Is there any harm in leaving it at /56? The "pool-prefix-length" property is a configuration property used by RouterOS when it subnets delegated prefix, i.e. it will create subnets with prefixes of...
by Kentzo
Sat Aug 19, 2023 1:19 am
Forum: Beginner Basics
Topic: [SOLVED] Implementing IPv6 from scratch on v7.1.3 - concepts and questions [SOLVED]
Replies: 10
Views: 5188

Re: Implementing IPv6 from scratch on v7.1.3 - concepts and questions [SOLVED]

Basics are covered in Mikrotik's IPv4 and IPv6 Fundamentals (and subsections). For in depth see RFC 4861 and RFC 8415.

I can help with specific questions, but otherwise it's hard to elaborate in few words.
by Kentzo
Fri Aug 18, 2023 11:15 pm
Forum: Beginner Basics
Topic: [SOLVED] Implementing IPv6 from scratch on v7.1.3 - concepts and questions [SOLVED]
Replies: 10
Views: 5188

Re: Implementing IPv6 from scratch on v7.1.3 - concepts and questions [SOLVED]

/ipv6 dhcp-client add interface=sfp1 pool-name=pool6 pool-prefix-length=56 request=prefix Unless you do know that you need /56, I'd change "pool-prefix-length=56" to "pool-prefix-length=64 prefix-hint=::/48" /ipv6 dhcp-server add address-pool=pool6 interface=bridge name=DHCPv6-l...
by Kentzo
Fri Aug 18, 2023 10:50 pm
Forum: Beginner Basics
Topic: [SOLVED] Implementing IPv6 from scratch on v7.1.3 - concepts and questions [SOLVED]
Replies: 10
Views: 5188

Re: Implementing IPv6 from scratch on v7.1.3 - concepts and questions [SOLVED]

- The delegated prefix you request and receive via DHCPv6 Client is intended for the LAN only*. Don't use "add-default-route=yes", instead enable /ipv6/nd on the WAN interface (/ipv6/nd/add interface=sfp1 ra-lifetime=none advertise-mac-address=yes) and set "accept-router-advertisement...