MikroTik

Etz

16MB devices are obsolete, face the fact, time to upgrade....

Etz

We can compare the configs, just in case: Thanks for sharing: My roadwarrior configuration: /interface wireguard add comment="vpn: roadwarrior" listen-port=54321 mtu=1420 name=wg-rw /interface wireguard peers add allowed-address=<redacted>.30.2/32 comment="My Mobile" interface=w...

Etz

Nope, I don't... Just tested, deliberately. That is why I am actually wondering, maybe some specific config setting is involved. Maybe, let's wait and see if someone from the staff can enlighten us. Thx. We can compare the configs, just in case: /interface wireguard add comment="vpn:wireguard1...

Etz

Nope, I don't...
Just tested, deliberately.
That is why I am actually wondering, maybe some specific config setting is involved.

Etz

Must be something config specific, I do use wireguard for road-warrior setup and I have 0 such logs.
I don't use or have BTH though.

Etz

Not a bug, if you look at the CAP default config, that script actually sets bridge MAC to ether1 MAC.
If you cleared it afterwards, it is user error not an bug.

Etz

CVE-2023-52160, Does this affects ROS in any way?

Did you read it or are you just throwing CVE numbers around?
If you did read that CVE, you would know the answer ;)

Etz

*) wifi-qcom - improved system stability when using FastPath (introduced in v7.13);

Is it related to device reboots, due to kernel failure?

Etz

Older devices from times of CRS226 etc had 128 MB of storage. Is there any way to explain what happened?

Cutting costs, would probably be the one...

Etz

So 7.13.2 is stable now?

Nope my ax2's are still rebooting.

Etz

So, people with reboots must send their supout files to Mikrotik, please. 🙂 I have support ticket open with them. My config is really basic, my ax2’s act as AP’s. Only special thing is that they are managed by CapsMan. Before 7.13 they were also rock stable. Each time they crash, I dump autosupout’...

Etz

1. No
2. Assumed it would open a new WinBox instance.
3. No idea, never used
4. Nope
5. Nope

Etz

FWIW my AX2 (currently on 7.13) has never reboot since Dec 28th when I applied that version.
Simply using it as AP though via RB5009 capsman controller.

Same setup, AX’ses are crashing, pretty much, daily.
Upgraded to 7.13.1 and had first crash with it, just 15 mins ago.

Etz

@Ovic, I have similar issues with hAP AX2’es, with 7.13. Created support ticket, attached bunch of autosupout and manual supout files. 0 response so far.

Etz

Regarding airtimefairness patches: The patch has been accepted into mainline Linux (along with Felix Fietkau’s follow-up fix for a power save-related crash bug) and was released as part of Linux 4.11. The code is also in the LEDE project firmware from version 17.01. ROS uses Kernel 5.x IIRC. So the...

Etz

This seems right... there should be only one loopback interface.

Not necessarily, there are cases, where having multiple lo’s is completely valid usecase.

Etz

Only thing I notce is this: security.authentication-types="" .encryption="" Not sure if that is correct. Have you tried resetting the CAP to default CAPs mode: /system reset-configuration caps-mode=yes No, I have not tried that and it worked just fine until recent days, even wit...

Etz

There were "other" changes. Any clues in the logging? Nothing in the logs, except usual: system,error,critical router was rebooted without proper shutdown, probably kernel failure system,error,critical kernel failure in previous boot And no, there has not been any power failures. What &qu...

Etz

Mu both hAP ax2's are crashing at regular intervals, since yesterday, created support ticket.

Damn annoying, wifi is so unstable, due to constant device reboots/crashes :/
Not sure what triggered it, there were no config changes whatsoever.

Etz

This night I had another system,error,critical router was rebooted without proper shutdown, probably kernel failure system,error,critical kernel failure in previous boot system,error,critical out of memory condition was detected And Graphing looks innocent: Screenshot 2024-01-03 at 15.00.09.png Hey...

Etz

Yup, that fixed it, thank you @infabo

Etz

set cake-wash=no

Thanks, looks like this was the culprit..will keep monitoring for a while.

Etz

I have attempted to implement cake for my uplink for quite a while, but it always results on breaking DHCP on LAN. Once DHCP lease on LAN host expires, it gets stuck in "offered" state and log message appears: dhcp-server0 offering lease 192.168.0.144 for 18:65:71:XX:XX:XX without success ...

Etz

I've set name-format=2G-%I- in the CAPsMAN provisioning, to have my interface names look as follows: /interface/wifi/print Flags: M - MASTER; D - DYNAMIC; B - BOUND Columns: NAME, MASTER-INTERFACE # NAME MASTER-INTERFACE 0 MDB 2G-RBD25G-LR-01- 1 DB 2G-RBD25G-LR-01-2 2G-RBD25G-LR-01- 2 DB 2G-RBD25G-...

Etz

New models come with default password which is on the cardboard box and also on the router itself. ALSO it is available from your distributor in a digital document / CSV. Newer batches have improved label print quality and do not have ambiguous characters (0/O etc) Imho, Why we need to depends on d...

Etz

*) wifi - create first interface without number when using "name-format" provisioning setting; Is there any way to restore default behaviour, where all CAP interfaces would have number appended? This is super annoying, do I really have to downgrade to, as my only option, make it work prop...

Etz

*) wifi - create first interface without number when using "name-format" provisioning setting; Is there any way to restore default behaviour, where all CAP interfaces would have number appended? This is super annoying, do I really have to downgrade to, as my only option, make it work prop...

Etz

Yes it works, but it lacks all Wireless related metrics, which were available before.

Etz

Same thing...wondering why it was removed.

Etz

I don't see such behaviour, but definitely 7.x takes up more space:

Untitled.jpg

What puzzles me, is why there is a difference, between 2 identical systems (hAP ac2), with identical configuration.
It has been always so, even when I ran 6.x

Etz

The problematic part is "powering RB5009UPr+S+IN via PoE". Assuming your NAS is a 802.3 af/at PSE, it will limit total power available via 5009's PoE in to 30W at most (minimum is 25.5W, but depends on UTP cable length and quality) if it's 802.3 at (provides higher power than af). Not by ...

Etz

Looking to upgrade my home network, but could not figure out PoE part, by looking at the specs. What I ideally would want to do, is powering RB5009UPr+S+IN via PoE and connect 2x Hap Ax2 to it and power these via PoE as well. Doubt it would be possible though. What I am trying to achieve is to keep ...

Etz

If you uninstall the ipv6 and/or wireless package first, it may free up enough space for the upgrade to be successful. Actually this worked... :D And after that I simply restored binary backup (which I made prior), to get wireless and ipv6 config back. https://i.postimg.cc/Yqy13J64/Screenshot-2022-...

Etz

Unbundling was never officially supported nor encouraged. Would you please point me to the exact page in documentation, stating it? I tried to search for it, but did not find any references, taht it is not supported or there would be implications. Otherwise I would have not done that ~2 years ago.....

Etz

If you uninstall the ipv6 and/or wireless package first, it may free up enough space for the upgrade to be successful. That would probably erase the corresponding config as well? What you can do: create (binary) backup of your current config and fetch file off device netinstall to exactly same vers...

Etz

Yes, of course I did, this is all I have on the flash:

I don't store any backups or logs locally.

Etz

Yes, I did unbundled install as these devices have very little flash available and I wanted to be conservative on space wasted. Cannot do netinstall as all configuration would be lost then, and I would really hate to gather them for netinstall and reconfigure them manually. Fair enough, will stay on...

Etz

Today I finally felt brave enough to try 7.1.1 out of one of the devices in my possession and imemdiately ran into issue. Seems like these devices cannot be upgraded (not supported by 7.x) or packages are in upgarde branch simply broken? 20:14:37 system,error broken package security-7.1.1-arm.npk 20...

Etz

Has been requested already for 6 years...

viewtopic.php?f=14&t=95261

And it is major roadblock for using MT if IPTV VOD services are involved.

Etz

Has been requested already for 6 years...

viewtopic.php?f=14&t=95261

And it is major roadblock for using MT if IPTV VOD services are involved.

Etz

6 years later and still nothing...

Etz

OK, found the issue...I managed to do typo in server SAN somehow...

Etz

After setting PFS=none, log shows everything okey: 18:50:56 ipsec,info new ike2 SA (R): xxx.xxx.xxx.xxx[500]-xxx.xxx.xxx.xxx[11252] spi:8d62...8dbc 18:50:56 ipsec,info,account peer authorized: xxx.xxx.xxx.xxx[4500]-xxx.xxx.xxx.xxx[11156] spi:8d62...8dbc 18:50:56 ipsec,info acquired yyy.yyy.yyy.yyy a...

Etz

As an sidenote, I do have SAN fields on my certificates, matching server FQDN for server and iPad’s hostname for client.

Etz

I'm currently trying to set up IKEv2 vpn between Mikrotik RB4011 and iPad (IOS 13.3), using this guide: https://mum.mikrotik.com/presentations/MY19/presentation_7008_1560543676.pdf Everything kind of works, connection is established, but I do get immediately disconencted with message "User auth...

Etz

How do you delete saved device/group from app?

EDIT: Nevermind, noob on IOS, found it.

Etz

There seems to be a mistake in ipv6 section (wrong prefix length): add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/16 comment="accept DHCPv6-Client prefix delegation. Should probably be: add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 com...

Etz

You'll need to copy and paste the script into scripts (system->scripts->new (+)->paste), change the upload and download bandwidth and inbound and outbound interface names at the top to match your settings, and run the script. (the bandwidths should be slightly less than what you normally receive as...

Etz

clear all the files on /files then upload the npk, stop and clear cache on webproxy, it will give you little space. Are you REALLY running a webproxy on a hAP using the flash as the proxy cache???? :-o :-o :-o haha yes, i am implementing transparent proxy, for testing only. i use hap for home ap. t...

Etz

Interesting, mine is not gtting hot at all, despite being fitted into very tight place with no ventilation and serving 500/500 connection, switching local network (over cpu, switch chips are crap on this), vpn, etc... https://i.postimg.cc/nj0y9tqy/IMG-20190203-143631-Copy.jpg https://i.postimg.cc/jL...

Etz

What is actual dependency behind this?

Etz

Etz

Anyway, you would want to put that logic into the dhcpcv6 script https://wiki.mikrotik.com/wiki/Manual:IPv6/DHCP_Client#Script , so that you do it only and when necessary. Yes and I already have it set up like that, problem was with vanisihing global variable, which made it run everytime lease was ...

Etz

This info would nice to find in the manual..
https://wiki.mikrotik.com/wiki/Manual:Scripting

Exactly, as I was quite puzzled about such behavour.

Etz

In my opinion the context for that script is just wrong: if you provide a service (dns or any other), it should be served from a fixed ip. Then there is also no need for such scripts. Further this script won't work from time perspective: ip's are assigned for a specific period of time. the dns opti...

Etz

Facing a strange issue: When I execute script manually, it sets global variable and it is visible in environment. When script is executed via dhcp-client and admin is logged in, global variable is set and it is visible in environment. When no-one is logged in and dhcp-client executes script, global ...

Etz

Sorry for necro posting, but how do you pass multiple parameters to script?

Would this work?:

{
:global myVar1 999;
:global myVar2 9999;
/system script run myScript;
}

Considering that MyScript has global scope variables MyVar1 and MyVar2 present?

Etz

Fixed your script: :global currentIPv6; :local optionname; :local ipv6interface; # Set DHCPv6 'option' created :set optionname "DNS"; # Set IPv6 interface to get address from (normally bridge) :set ipv6interface "bridge2"; :local newIP [/ipv6 address get [find interface=$ipv6inte...

Etz

Trying to hack together quick firewall script in ROS. I can easily get ipv6 address of an interface, with: :local ipv6addr [/ipv6 address get [find where global] address]; or with :local ipv6addr [/ipv6 address get [find where global interface=bridge1 ] address]; And it spits me out and IP address i...

Etz

Can we replace these ones on existing units (with soldering iron), without loosing warranty...?

My RB4011 also has blinding light...

Etz

IMHO :global currentIPv6; does absolutely nothing, in this script...as for some strange reason, it does not get set by :set currentIPv6 $newIP;

Etz

Found possible bug: When you add subnet into "available from" field for SSH service, under IP Services...SSH becomes inaccessible, even if PC is in that subnet. ssh_exchange_identification: Connection closed by remote host It seems only to affect SSH though, for limiting access to http, h...

Etz

Found possible bug: When you add subnet into "available from" field for SSH service, under IP Services...SSH becomes inaccessible, even if PC is in that subnet. ssh_exchange_identification: Connection closed by remote host It seems only to affect SSH though, for limiting access to http, ht...

Etz

Why is the current becoming less when the voltage increases? Isn't the current increasing due to Ohms law? (U = I * R) I know the Ohm's law, just forgot about the Watt to Amp relationship...and switching power supplies related stuff... :D Actually, my general plan is to use single power source for ...

Etz

By the spec sheet:
DC jack input Voltage 12-57 V
Max power consumption 33 W

Now wondering, when powered on 12V how much Amps should PSU provide?
Spec sheet does not say anything on which voltage that 33W is consumed.

Does anyone has any idea?

Etz

Nice concept, but it would be unusable in real world applications...

Etz

Well, I have two units and both have 200+ MB of RAM. But, it is weird that MT never mentioned that on product page.

I have also two units, both report 240MB...

Etz

Same here, no Switch tab present wit ROS 6.43.4, should not matter much anyways.

Etz

No need to custom netinstall. Just put there selected packages of higher version and reboot.

Nice to know...so far I have NetInstalled all my routers to get rid of unneeded packages.

Etz

This device does not seem to be very stable, mine has crashed at least twice while configuring...
Which ROS? We have uptime 11 days on live network without problems. With ROS 6.43.2

Latest 6.43.4 "stable", basically it crashes if you modify/remove default bridge.

Etz

This device does not seem to be very stable, mine has crashed at least twice while configuring...

Etz

... and the power led is unnecessary bright
Welcome to like every mikrotik router ever... I always cover them with electrical tape...

I usually tune them down with lacquer, which is actually used to darken the car taillights by tuners.

Etz

Anyone know if 1Gbps can be achieved if a S+RJ10 is used with this switch? I don't have 10G yet but need to uplink to a 1Gbps SFP managed switch? Don't see it specifically called out on the capabilities wiki. https://wiki.mikrotik.com/wiki/MikroTik_SFP_module_compatibility_table Thanks By looking a...

Etz

Mine was shipped out today, so I can test out that SFP compatibility pretty soon...

Etz

If there's no official answer, it might just be software.

Official answer: https://wiki.mikrotik.com/wiki/MikroTik ... lity_table

Etz

Pre-ordered non-wireless one (as I only need L3 aggregation + 2 dumb switches), we'll see...

Wondering, if Cisco console cable would work on these...

Etz

Well technically I guess you could take RB3011 out of chassis if network cabinet is closed anyways... I guess... There is no network cabinet as such (click for bigger picture) but this could be an option indeed: https://www.upload.ee/thumb/8984889/IMG_20180911_091832_-_Copy.jpg Anyway, let's switch...

Etz

In my case, I don't even need Wireless, as AP's are separate (hAP ac2), catch is I would like to feed trunk ports to these, to have dedicated vlan and port for STB's. Reason behind it, is that MikroTik lacks RTSP helper and udpxy so feeding STB's over NAT is very tricky (IGMP proxy works, but some c...

Etz

When you want to do switching, buy a switch. That is why I don't think routers with so many ports are that useful. In a small setup it usually is enough to have about 5 ports, and when you need more or want features like VLAN, add a switch. Well, they are extremely useful on confined spaces, where ...

Etz

I think that you can do vlan's on SFP interface, as it is directly connected to CPU, not really sure about GE ports, but according to Realtek switch chip documentation in MikroTik wiki, it does not support vlans.

Etz

In my scenario RB4011 is not drop-in replacement for RB2011 or RB3011 even that name suggests it's just refresh of RB3011 - it's simply not. The difference is huge . Too bad, they don't sell 3011 in desktop case...as Rack mounted device just won't physically fit everywhere... :? Anyway, I will stil...

Etz

Not that I'm aware of, hopefully we will get udpxy eventually...

Etz

Well, this product starts to look even more wierd...

Etz

Why not use the compatibility table? http://wiki.mikrotik.com/wiki/MikroTik_SFP_module_compatibility_table S-RJ01 not supported. S+RJ10 is supported, no mention of any restrictions under the S+RJ10 section. Footnote 4 says you can only use a SFP+ DAC at 10Gb I could swear that 4011 was not listed t...

Etz

Is there a recommended SFP+ 10G Copper module that is proven to negotiate to 1G reliably? I believe it's ROS/routerboard issue. Not SFP modules issue. I wonder if S-RJ01 would work on SFP+ cage to take that SFP port into use...? I would really hate to use Switched ports for Uplink due to lack of th...

Etz

OK, nice to know...

Etz

By looking at the diagram, the best option would be to utilize SFP for uplink, not the switches :) Alternative option would be using SFP+ for uplink but that can be tricky due to ROS sloppy 1G sfp modules support in 10G sfp+ cages (autonegotiation issues). You should probably use SFP+ module, not SF...

Etz

I'll probably buy this too, as I only need two "dumb" 4 port switches in addition to 1GB/s capable router.
Still it is a pity that we don't have proper switching available, you will never know when you would actually need it.

Etz

Well, I'm completely fine with two switch chips and port groups, but switch without vlan support?
Come on?

I cannot even use it on my ISP network, unless I'll buy that extra (expensive) copper SFP+ and assign uplink to that 10G port.

Etz

Whatever we request it is too late I guess...

For HW changes yes, for parts fixable via RouterOS, we can at least try...

Etz

Proper switching would be crucial for Home and Small business use, at least the same level as models with AR8327 currently provide.

Etz

Oh yeah, let's create a decent 10 port router and then let's put Realtek switch chips into it, so you could never use these to do proper switching in SOHO deployments.

Etz

Just want to know why USB power and GbE don't mix together, is it because of the price, or technical challenges like 5V simply not sufficient for GbE? Since it seems all USB-powered only have FE available (mAP, mAP lite and hAP lite) Power consumption of GbE chipsets. Ever wondered why there is no ...

Etz

Yep, came onto it myself but I did not work, as I made typo in it

Anyway, thx for the sanity check

Etz

Can someone help me to translate this to standard iptable rule?

add action=masquerade chain=srcnat dst-address=10.0.0.0/8 out-interface=eth0.4

Etz

When adding MFDB entries, you should specify destination ports with "ports=" parameter. That is missing in your posted configuration. Tried that already yesterday, I didnt notice anything changing much, multicast still flooded out on all interfaces... [admin@kari-crs] > /interface etherne...

Etz

Unfortunately, there was an zero change, still doesnt seem to work... :( Tried by IP adress aswell, absolutely no change... :? /interface ethernet switch set multicast-lookup-mode=dst-ip-and-vid-for-ipv4 Relevant config for my IPTV Setup: /interface vlan add interface=sfp1 l2mtu=1584 name=sfp1.4 vla...

Etz

Make sure you have set multicast lookup mode for MAC address.
Code: Select all
/interface ethernet switch set multicast-lookup-mode=dst-mac-and-vid-always

Thank you for the tip

Will try it ASAP and will report back...

Etz

For some odd reason, this doesnt seem to work: /interface ethernet switch multicast-fdb add address=00:02:XX:XX:XX:XX bypass-vlan-filter=yes svl=yes add address=00:02:XX:XX:XX:XY bypass-vlan-filter=yes svl=yes add address=00:02:XX:XX:XX:XZ bypass-vlan-filter=yes svl=yes And CRS stills floods multica...

Etz

It was annoying, because my dhcp lease-script set static dns names on ROS. Well that is my actual problem with this.. And it doesnt occure on any other Router, regardless of OS...at least so far I havent found any that behaves the same way. Tried OpenWRT, DD-WRT, Tomato, AsusWRT, IOS, JunOS, etc...

Etz

check settings on these devices, i have linux boxes running and have never seen trailing \00 for hostnames. Check if /etc/hostname and /etc/hosts have newline at the end of the configuration file. On WD TV you cannot check anything as you dont have SSH access at all or any other way to access confi...

Etz

I am currently observing strange behaviour on RouterOS (v.6.20). Every linux based host has \00 in their hostname. Windows Machines doesnt have it. [admin@kari-crs] > /ip dhcp-server lease print Flags: X - disabled, R - radius, D - dynamic, B - blocked # ADDRESS MAC-ADDRESS HOST-NAME SERVER RATE-LIM...

Etz

Anyway, they are same as Chassis screws and got the from local "bolt & nut" store

Etz

As apparently I lost mine (there was none in the box), can someone tell me what size and type they are so I could get new ones?

Etz

Will the RB1100AHx2 put trough 500/500mbit with NAT and a couple of firewall rules ? Just so nice to have an all in one router with onboard WIFI and learning capabilities in it :) RB1100AHx2m should do it, but it does not have wireless so either you have to keep your CRS or buy separate access poin...

Etz

Currently i'am trying to accomplish the very same situation, using the fiber from KPN on my CRS125. I Switched from a RB2011 to a CRS125. The main reason was to get more speed of my router. We have 500/500mbit over here, but with the RB2011 we only get ~200mbit d/u. So i though the CRS125 could acc...

Etz

However, there is an enhancement request to make it work for each downstream interface individually

Would be great if this would get implemented...

Etz

Bridge...

Etz

As you know, enabling Nstream will hide the network from normail Wi-Fi devices.

But it wouldnt remove frequency interference...

Etz

The air mail would be 150, plus taxes arriving to Europe. Why air mail? My friend used regular shipping, rented container and put everything into it. After that he ordered container to be shipped around the globe, it took approx 2 months but was dirty cheap and he managed to move everything he had ...

Etz

but you can set interface bonding (4 interface, 802.3ad) and bridge it into switch master port

Which will kill the whole point doing that, bridging means traffic would pass CPU and as it is not powerful enough you get even less troughput than running single interface.

Etz

Look carefully at the CCR screens

And?

Etz

Switching is pretty much wirespeed on this device, regardless of grouping...

Etz

If I were you I wouldnt share private key files publicly...

Hence, they are called private keys...

Etz

I have an 1813+ Synology NAS Network fault tolerant might work, but frankly as I understand that setting, its only for increased uptime, not for any increased simultaneous performance. You are absolutely correct, but it is just for testing, that your Synology actually works with all 4 interfaces co...

Etz

Another problem was like what Etz was saying.. very first rule cant be DROP INPUT or everythings denied! The first line only drops invalid packets. He probably meaned: add action=drop chain=input cannot be first, yours is correct implementation... Also I talked about "final drop rule", no...

Etz

Do you have the 4 ports in your 802.3ad all set to the same master port as your other non bonded ports? Yes. I forgot to paste mine in but I did have a line like this add name=trunk1 member-ports=eth19,eth20,eth21,eth22 and it accepted it. Well, I misunderstood you then, that it did not. So is that...

Etz

/interface ethernet switch trunk Did you add any trunk members? It says The Trunking in the Cloud Router Switches provides static link aggregation groups with hardware automatic failover and load balancing. IEEE802.3ad and IEEE802.1ax compatible Link Aggregation Control Protocol is not supported ye...

Etz

It depends on firmware so I would recommend running at least 6.17 or newer (dont remember exactly when that feature was introduced)

I first started using it from 6.17, and please note that I have CRS125, but it should work the very same way on CRS226

Etz

in addition stacking gets higher speeds than just trunking or Link Aggregation. Well techincally you could achive same speed via 802.3ad aswell, but It wouldnt make any sense, as you wouldnt have any ports left, If you "trunk" them all together (6 groups, 8 ports in group = 24Gbit/s)... :...

Etz

Well, you could always trunk ports together with 802.3ad to get more troughput between the two switches... :twisted: But I wouldn`t call it stacking...stacking usually means that you tie together backplanes aswell and manage it as one device. Which unfortunately cannot be done with MikroTik.. :roll:

Etz

Use IGMP Proxy.

Etz

Was looking to connect my synology NAS over multiple bonded nics (it has 4) but It only mentions 802.3ad. is it possible to config it that was on the NAS and use another option on my CRS226? Or do I basically just have to wait for Mikrotik to support 802.3ad in hardware? Can be done ;) I do use Syn...

Etz

I prefer putting an allowance rule from the interface I trust (master-port or bridge) and then block all other traffic. Well, it all depends... How many interfaces you have, how much of those are "trusted" and how many are "untrusted" also different approaches exist ;) For examp...

Etz

Final Drop rule should be last... This is my "simple firewall" example: /ip firewall filter add action=drop chain=input comment="Drop invalid connections" connection-state=invalid add chain=input comment="Permit established connections" connection-state=established add ...

Etz

Thanks all for your help...

Well, thank you too, for decreasing my karma for helping you to find those...

Etz

What should I be searching for?

http://bit.ly/1q7WrBQ

Etz

Where can I buy those 1u cable organisers on the side of the rack? They look handy.
They should be very common...

You could get them even from eBay.

Etz

Where can I buy those 1u cable organisers on the side of the rack? They look handy.

They should be very common...

Etz

Yay tapatalk working again

Sent from my Nexus 5 using Tapatalk

Also that "You exceeded the maximum allowed number of login attempts." annoyance is gone

Etz

LACP is done in Switch hardware so it does not tax CPU.

http://wiki.mikrotik.com/wiki/Manual:CR ... s#Trunking

Etz

I get the same thing when I try to login. I think MikroTik is implementing an anti-spam feature on the login.

OK, thx for confirmation...I already thought that someone is hacking my forum account

Etz

shame

Notice: For support from Mikrotik staff, write to support@mikrotik.com - Mikrotik does not generally offer support on the forum, this is a user forum

Etz

"You exceeded the maximum allowed number of login attempts. In addition to your username and password you now also have to solve the CAPTCHA below." Started to appear every time I try to log in to this forum. Is this intentional forum config change, or just someone constantly tries to log ...

Etz

because of the SFPs. in an all optical network you need them. and considered the cisco gear, CCR is not expensive at all

Cisco is more expensive indeed, but I was referring to Mikrotik products.
Nevertheless that explains it pretty well, why you specifically need CCR`s for this.

Etz

Why use "expensive" CCR as pure L2 device when much cheaper CRS can handle it on wirespeed aswell...

I would understand if you would use it for L3 traffic and then using PIM would make more sense on CCR.

Etz

What about models without wireless?

There is no Home AP mode on those.

Etz

Sorry, but what "fancy" features ASA has that Tik can't do?

TCP Sequence randomization, deep packet inspection, Active/Active clustering, etc...

Etz

/ip dhcp-client print Flags: X - disabled, I - invalid # INTERFACE USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS ADDRESS 0 vlan1.4 yes special-classless searching... Aparently your IPTV upstream interface didnt obtain IP from ISP ;) /ip firewall filter add chain=input comment="iptv igmp" in-inter...

Etz

At the last rules, which port(s) did you add, since it seems to be required? I've tried ether2, ether2 & ether22 (connected to STB) and just ether22. None of those combinations worked. What do you mean by last rules? If you use firewall then you have to allow IGMP & UDP trough it. (My examp...

Etz

9.x has has 4 major releases though. Three with BGP support 9.1, 9.2, and 9.3. Now 9.2 and 9.3 won't run on a non -X ASA though.

I know

Etz

That said they do support BGP these days.

Now it is completely Offtopic, but BGP support is in 9.x software which is quite "bleeding edge"...

I would still prefer router for routing duties...

Etz

Actually there is some things that CCR can do and ASA can`t. As ASA is not an router but pure firewall, it doesnt do BGP and it`s OSPF is quite buggy. (Have had an issues and even service outage caused by ASA just disobeying route-map`s or prefix-lists and just leaking all the routes). So if you pla...

Etz

NAT does not equal to firewall and should be never treated as anykind of "protection"

Etz

Well IMHO you cannot replace ASA with CCR.

One is firewall another is a Router and it will heavily depend what you are doing on ASA currently.

Etz

Use Winbox and connect by MAC address (Actually it should find your Routerboard and list its MAC automatically) ;) After that re-enable that interface via Winbox and all should return back to normal, no reset is required. You can get latest Winbox from here: http://download2.mikrotik.com/routeros/wi...

Etz

Good idea on using the DHCP network for the domain name. The trouble is that there isn't always a one to one mapping between the network and the DHCP server. I could do a comparison between the IP the client received and the list of networks to find the value. I'll have to look into the IP comparis...

Etz

You could use this, instead of "static topdomain" name in script. :set topdomain [/ip dhcp-server network get number=0 domain]; And every time you add an DHCP-server, increment it by 1 ;) Then if you change domain under dhcp server settings, it always changes in script accordingly. And you...

Etz

How do 3g usb modems perform if usb speeds are so limited?

They dont use SMB but different protocols and for those CPU isnt a bottleneck...

Etz

Unless it was slipped into a release without me noticing, RouterOS does not support Cisco/RFC style /31 addressing.

Thank you for clarifying...

Etz

Great tool, thank you

Etz

This command sets mirroring destination port on CRS125: /interface ethernet switch set ingress-mirror0=ether8 egress-mirror0=ether8 This one sets mirroring source port: /interface ethernet switch port set ether7 ingress-mirror-to=mirror0 egress-mirror-to=mirror0 http://forum.mikrotik.com/viewtopic....

Etz

Really?? I can't believe

Its not dead, but not being developed anymore either...

See this: http://forum.mikrotik.com/viewtopic.php ... 19#p425819

Etz

Well thats odd indeed as there is no reason whatsover to use /30 for P-t-P links and just waste 2 IP`s on every link. It`s actually pretty common nowdays to use /31 adresses for peering links, P-t-P links, etc... Lots of ISP`s do it aswell and prefer it, offering /30 only when customers equipment do...

Etz

That vertical red line represents timeperiod change...

All it does is that it separates Days, Weeks, Months, Years for easier readability.

On daily graph, for example, it represents midnight eq 00:00

Etz

Well those numbers look pretty low, but this is a router, not an File sharing device so performance is always low... ;) Router CPU`s arent optimized for such tasks, also probably RouerOS isnt either. SMB & FTP are secondary functions on those devices mainly just for Logging and backup purposes a...

Etz

whats youre DHCP lease time? Also you could consider enlarging your network for 567 customers you would need 192.168.88.0/22 network it would be good up to ~1021 simultaneous users. :) Ip address:192.168.88.1 Dhcp pool :192.168.88.7~192.168.88.254 Subnet mask: 255.255.255.0 Change it into this: Ip a...

Etz

Yes flat would be perfect but is not working in his situation. Why not? The STB's are not using a 'standard' internet connection. They have a separate network on the provider network and should have direct IP's from the provider. So also no NAT. Actually they do not. I have pretty similar setup mys...

Etz

IMHO, I dont see any reasonable point to use different internal vlan`s on a such small network...especially when you only have couple of STB`s... :) Also that would require changing switch config every time, when you unplug STB and plug it in somwhere else. When you have one "flat" Lan, yo...

Etz

Well, IGMP Proxy should resolve that problem, so you can put everything behind the NAT... ;) For example I use CRS125 for the very same purpose, only difference is that my ISP doesnt use PPPoE but plain DHCP. And 10.0.0.0/23 is ISP IPTV servers network. Relevant config: /interface vlan add interface...

Etz

RouterOS doesnt support RFC3021?

You shouldnt need /30 for running OSPF or BGP...as both routing protocols work just fine with RFC3021 adressing scheme.
As public ipv4 space is exhausted, every little trick, helps a bit in siuations where you cannot use ipv6.

Etz

Wow...many thanks

And actually by this nice example I finally understood, what you actually tried to tell me eralier...

Etz

ask tomorrow on the morning

Can you do it now, please?

Etz

I must go away now, but if I miss, remember me to show mine...

Could you please?

Etz

Its somekind of Winbox glitch, add script to scheduler from commandline after that you can adjust parameters from GUI.

AFAIK, something to do Sript and Scheduler permissions mismatch...

Etz

I must go away now, but if I miss, remember me to show mine... ;) OK, thx...I do appreciate your help... :) add chain=common action=accept connection-state=new in-interface=ether1 comment="Allow access from LAN" Should be probably just replaced with this: add chain=common action=accept in...

Etz

How I can know that if you not specify it? Indeed, sorry for that. I should have been more specific. ISP uplink is trunk interface, has two vlan`s in it. Native vlan is Internet with public IP, bound to SFP1. IPTV is tagged vlan 4, bound to subinterface SFP1.4 and it is private network. I only need...

Etz

allowing UDP and icmp on input chain results on easy (D)DoS attack or DNS flood.... Actually It doesnt, SFP1 is Internet connectivity, SFP1.4 is subinterface (vlan4 in upstream) and it is ISP "pirvate multicast network" 10.x.x.x/8, I really doubt that ISP tries to DDoS`me unless some enco...

Etz

Played around a bit with Mikrotik firewall, and now got a question which is more optimal way for doing simple home firewall: This: add chain=input action=drop connection-state=invalid comment="Block invalid connections" add chain=input action=accept in-interface=sfp1.4 protocol=igmp commen...

Etz

Well they could always include EOL and replacement announcements into their newsletter,
the very same manner as they usually annonce new models and improvements on existing ones...

Etz

Only 50% slower, JeLi claimed 40 Mbps.

Compared to my results, unfortunately I dont have a CRS226 to play with, only CRS125 so I have no way to compare them...

Etz

WOW...thanks, that is a really useful information

Which now makes me wonder, why CRS is approx 50% slower on the same Clock speed...
(I at least hope that there are technical reasons, not business reasons behind this)

Etz

Something must be wrong when a RB750G performs the following: NAT Downstream: 780 Mbps Upstream: 775 Mbps Routing Downstream: 997 Mbps Upstream: 997 Mbps You are forgetting, that CRS226 has 400Mhz CPU, RB750G (also RB2011 & RB493G as he is mentioning) has 680 Mhz CPU. One is meant for routing, ...

Etz

A CRS with 802.3at/af and passive PoE would be a nice addition Think surveillance cameras and IP phones...

Having a IGMP Snooping on CRS`es would be already a good improvement...

Etz

IGMP Snooping would be definately useful

Actually it is "must have" on CRS series, to even think about IPTV deployments...

Still makes me wonder, why it is so hard to implement?
Even sub 30$ Home "soapbox" routers have it now in conjunction with IGMP Proxy.

Etz

Well 802.3ad states that bandwith is aggregated aswell...if you have multiple data streams... :roll: • Does not increase the bandwidth for a single conversation • Achieves high utilization only when carrying multiple simultaneous conversations http://www.ieee802.org/3/hssg/public/apr07/frazier_01_04...

Etz

I do have CRS and I use LACP...

In WinBox its under Switch features and called "trunk", and AFAIK it is done in Switch HW as it doesnt seem to tax CPU whatsoever.

http://wiki.mikrotik.com/wiki/Manual:CR ... s#Trunking

Etz

CRS already does it in Hardware...

At least CRS125-24G-1S-RM does

Etz

Ugliest but doable solution would be to NAT one network to something else and route it after that.

Much easier would just to change one subnet to something else and do it normal way.

Etz

Removed all the Multicast (IPTV) & VPN related config, also specific config to my setup is removed, including Firewall rules. And pretty much this is what was left and should do it: /interface ethernet set [ find default-name=ether1 ] name=ether01-inet-gw set [ find default-name=ether2 ] name=et...

Etz

I dont think you benefit anything with MPLS on such setup IMHO...

Using MPLS would make sense if you had Meshed network.

Etz

Should support it, check under Switch configuration

Etz

Thank you for an advice, will consider it too...

Etz

It tops on NAT at about 200 Mbps with 100% processor load. Good to know, I was actually suspecting that... Pure Math showed it could do approx 250Mbit/s max, under these conditions, but CPU usage is not always linear on network devices. Too bad Miktrotik doesnt have any 16 port "entry level&qu...

Etz

As this is perfect SOHO device, I`m still wondering...can it handle 300Mbit/s connection aswell? I currently have 100Mbit/s Symmetric connection at home and it handles it just fine (~35% CPU Usage Max), but ISP will do a "upgrade " soon. Just Running a simple 20 Rule firewall, NAT and 2 ro...

Etz

IGMP Snooping would be definately useful

Etz

FYI: Same thing should be achievable via Radius auth aswell

http://www.mikrotik.com/testdocs/ros/2. ... _users.php
http://wiki.mikrotik.com/wiki/Manual:Router_AAA

Etz

This has nothing to do with mikrotik.

Figured it out already as you see...

This is not right forum to discuss windows features.

You are absolutely right, but I got quite a bit confused at the beginning...

Etz

/ip route print where dst-address = <prefix>

or

/ip route print where dst-address in <prefix range>

http://wiki.mikrotik.com/wiki/Manual:BG ... g_table.3F

Etz

I would like to my upstream provider to resend prefixes to me, they give me their juniper command for reference: clear ip bgp <neighbor_ip> soft in It is not Juniper command, it is Cisco command... :wink: And this should help you: http://wiki.mikrotik.com/wiki/Manual:BGP_soft_reconfiguration_altern...

Etz

Solved indeed, but still makes me wonder what added it there?

Winbox when I connected to my lovely CRS125 first time and upgraded firmware?
As I cannot think anything else, after that I did factory reset and started building my own config.

Etz

Finally found the culprit...now could someone explain to me, how did it get there as I definately havent added this myself.

And I am the only one using this Laptop, also this is the only routerboard I ever touched...so far...

Etz

Can you ping this IP-address (192.168.88.1) Nope, 192.168.1.1 or 192.168.4.1 (depends on a bridge) Would respond "Destination net unreachable" which makes perfect sense as there is no actual route to 192.168.88.1 host. I havent tried to ping it with absolutely no config in routerboard at ...

Etz

And most weirdest part is, it will appear there even when routerboard doesnt have config at all..

It doesnt give IP to a host, but that ipv4 Default Gateway 192.168.88.1 will appear instantly.

Etz

Have you look in the network card settings on your computer. Maby stand there the standard gateway static Sorry for my bad englisch Nope, not the case...all is automatic and obtained via DHCP... Computer itself has had multiple reboots no change. And it doesnt appaer, when I connect the very same L...

Etz

It is tried this way already, in fact I have done 4 resets and configured it always manually, as default setup doesnt do what I need anyway.

Still no luck...

Etz

[admin@Kari-CRS] > ip route print Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit # DST-ADDRESS PREF-SRC GATEWAY DISTANCE 0 ADC 192.168.1.0/24 192.168.1.1 bridge1 0 1 ADC 192.168.4.0/24 192.168....

Etz

Ofcourse I did factory rset, actually even multiple times: Relevant config: /ip pool add name=dhcp ranges=192.168.1.21-192.168.1.250 add name=dhcp2 ranges=192.168.2.2-192.168.2.254 add name=dhcp4 ranges=192.168.4.2-192.168.4.254 /ip dhcp-server add address-pool=dhcp disabled=no interface=bridge1 lea...

Etz

I presume you are doing double nat this way.
Or ISP router doesnt have nat and it wont work because of it.

As ISP router definately has Public IP on its WAN interface and you assign Private subnet between ISP and MikroTik, you definately have to do NAT on ISP device aswell.

Etz

Hi

As a newbie, i have a question.

Why CRS125 still advertises 192.168.88.1 with DHCP?

As I built my config from scratch there is no such adress present in config, so where does it come from and how could i remove it?
DHCP gives out correct gateway aswell, but still its a bit annoyance.

Search found 200 matches