MikroTik

pe1chl

Yes, it should have been added long ago, in v6 even (where separate packages for core functionality still were a thing).
I don't understand what people have against it.

pe1chl

I think it only applies to what we now call "old" devices ..[cut].. I solved the issue selecting the 'backup bootloader', rebooting and re-apply the routerboard fw update. Then back to the normal bootloader. Maybe it's not right .. but no more complaint in the log ;-) When that is the sol...

pe1chl

I think it only applies to what we now call "old" devices. The RB951G for example, which is MIPSBE. It is apparently assumed that everyone had upgraded to v7 before v7.6 and then could upgrade to that version and upgrade the backup-routerboot with that. In my ticket I explained that I got ...

pe1chl

Well, the actual whole picture here would be that our support team wanted to find out firstly what is the reason why you "must" upgrade the bootloader and just wanted to look into this deeper and help not just to you but also to others by doing some global changes if necessary. Unfortunat...

pe1chl

Maybe they have a script that adds this standard reply to every ticket that has been open for some time and does not have a supout.rif attached??

pe1chl

I expect @normis to intervene again to steer us at discussion about release-specific issues and I can understand that attitude. Well, the problem is that when you open a topic in another category you will usually not get replies from MikroTik employees, at least in the release topics that is much m...

pe1chl

From user's perspective, seeing list of available optional packages on device itself is huge step in right direction. The way it was done until now (downloading separate ZIP file, extracting wanted package, uploading it to device, rebooting) was very error prone ... one had to select correct archit...

pe1chl

Regarding wifi-qcom-ac: I don't understand why they don't split it into two separate versions: That already happened. We now have wifi-qcom and wifi-qcom-ac. Before that, there was no chance to install on 16MB devices. But maybe the wifi-qcom-ac should instead be two other packages. Unfortunately e...

pe1chl

(as new wAP still came with v6 from factory in 2024 it seems) Really struggling how MikroTik gonna stick to their "5 years of upgrades after purchase date" for some of devices released in 2024, because they are already failing on user's desks unable to take any config changes as they ran ...

pe1chl

Well of course it would be possible to have different routeros base packages, where the kernel modules and userland code for a lot of features are or are not present. I don't see the typical hAP ac2 user use stuff like MPLS, for example. I can understand why MPLS would be difficult to keep in a sepa...

pe1chl

On the note of above, can we please separate cloud package from routeros? Well, I really think that all applications should be separated in packages, not only that but also stuff like proxy, smb, hotspot, etc. But as far as I understand the architecture there is some overhead for having a package, ...

pe1chl

I do not see how such a messy and convoluted workaround would be the best solution to have connected routes in a second routing table...
I don't want to associate a routing table with interfaces, that is not the goal.

pe1chl

What's new in 7.18beta5 (2025-Feb-07 12:25): *) dhcpv4-client - allow selecting to which routing tables add default route (additional fixes); Very welcome!! A long-awaited feature :) It would be nice to allow multiple "routing tables selection" and per routing table "default route di...

pe1chl

I have a CHR "free" which I have used a since quite a while for v7 testing and where I always install the betas first. Since this week (when updating to beta4) I found that it has logged: system,error,critical could not save configuration changes, not enough storage space available. and in...

pe1chl

Can it really be that someone has knowingly opened port 53 to traffic from WAN? That message also occurs when you have correctly opened it only on LAN but have quite some online devices. For us it only happens immediately after upgrade. Probably some devices get impatient because the router is down...

pe1chl

IMO such arguments are relevant only to users with physical access to deployed devices and totally in applicable to customers who must roll trucks with such constraints. Care to make a wager about which market has greater sales volume? Well, when we look at newly introduced devices and the kind of ...

pe1chl

I think there should be an additional device-mode flag (e.g. named device-mode) which you can enable once and for all to skip all future device-mode flag additions (i.e. automatically enable them).

pe1chl

But zerotier has an associated device-mode flag!

pe1chl

It is difficult because the file management possibilities of RouterOS are limited.
Probably best is to share the disk to a PC on the local network (using IP->SMB or the optional rose-storage package for NFS etc) and then run a backup program on the PC.

pe1chl

- repartition: I don't understand what the current situation is supposed to fix. Sure I like it that without repartition flag we can now copy and switch partitions, but what attack scenario is now made impossible? - routerboard: It sure would be nice when there was another boot setting that first tr...

pe1chl

So many people will have to recover bricked router with 0 KiB of free storage, as I had to do today. I feel obliged to write some reviews and warn them. Well, I don't think there is a need to warn MikroTik, they are well aware of the 16MB issue and especially for the hAP ac2. They must have spent c...

pe1chl

But it only works on 5GHz. That is not useful for me. Remember that when "wireless" was still in the base package, and wifi-qcom-ac did not yet exist, it was already possible to install wifi-qcom on this. But it would disable the wireless function. Why? I would think wifi-qcom could handle...

pe1chl

Old Wi-Fi driver is inferior to new driver. As Normis has written before: this device was sold with the old Wi-Fi driver, it is not necessarily compatible with the new driver. It really is time to bin this thing. Unless indeed (as written by others) you use it only as a router or only as an accessp...

pe1chl

It would already be helpful when there was a separate script output by e.g. /system/default-firewall/print, in a way that can be cut/paste. That’s why I established my defconf collection . Cut and paste from any that’s close enough to your use case. Yeah, but what we need is something local to the ...

pe1chl

Expected much more from VRRP than just the routing function failover. Real (hot or cold) standby for DHCP, User Manager, Hotspot is not easy with MT. Well I am not even looking for a VRRP solution, it is fine for me when I can have two routers at two locations with a tunnel between them, each runni...

pe1chl

And you cannot combine WPA2-EAP and WPA3-EAP on a single SSID. I don't think that's correct. On my UniFi APs setting Security Protocol to "WPA3 Enterprise" allows both old and new devices to connect to the same access point and same SSID. I have tested that (maybe a year ago) and in WPA3 ...

pe1chl

I have the same problem, but with a UAP-AC-HD

Without a schematic it is difficult, as PoE has that magic detection/power-up sequence that is difficult to debug.

pe1chl

I am considering it but it ads another layer of complication as I have three physically separated locations visited by the same users. Radius would be one point of failure if it becomes inaccessible for any reason. I yet have to try setting User Manager on all locations and see if I can set managea...

pe1chl

I suggested before that the DHCP server should have a pre-lease script that is called when the DISCOVER packet is received and can be used to set DHCP parameters like the pool to be used, the lease time, network parameters, etc. With that it would be possible to put dynamic MAC addresses in a separa...

pe1chl

I am still hoping for a solution where defconf for the firewall can be applied to an existing router... some command that removes the firewall config and reloads it from defconf, if only as a commandline script. This can be done very easily - just print defconf and apply what you need. But this sou...

pe1chl

You can implement a "bridge filter" that drops packets with src MAC 02:00:00:00:00:00 / 03:00:00:00:00:00
(first is the MAC, second is the "mask")

pe1chl

My SmokePing shows a +1ms in latency difference since updating to 7.18. That's consistent across all targets. Not a big deal, but it certainly stands out in the graph and exactly coincides with me doing the update. Useless comment when you do not mention compared to what previous version! Maybe you...

pe1chl

I share the same concern. The limited 16MB flash storage has been known for years, yet no new hardware revision of e.g. hap ac2 with more memory has been released. ??? hAP ax2, clearly the successor of hAP ac2, has 128MB flash. Of course it is more expensive and what is puzzling is that hAP ac2 is ...

pe1chl

I would never buy a new 16MB device. Others can do what they like...

pe1chl

Enabled multicast but blocked multicast e.g. in firewall

pe1chl

That is not possible because those parts are not user-serviceable (they are not socketed and not easy to solder).
Furthermore, hAP ac2 is just a "throwaway device" which users would replace with something like hAP ax2 or hAP ax3 once they find the limits.

pe1chl

It depends on your configuration. And also if you installed the new WiFi driver, which really is too big for this device.
On my hAP ac2 with old driver (wireless) I still have 1028kB free.

pe1chl

Indeed there should be some way to vacuum the database. Remove all deleted records and undo history. When there is not enough space in the flash it can be done using the ramdisk as temporary storage. (of course with the risk that the config may be lost when the power is interrupted at the wrong mome...

pe1chl

Make backup, netinstall 7.17.1 and restore backup.

pe1chl

it certainly is related to the configuration as I have a similar network (IPv6 with different /64 on tagged VLANs) running without issue.
so make a new topic including /export of bridge and ipv6.

pe1chl

And: only values that are actually modified should be set when hitting OK. Those are the blue-colored fields in winbox3. That should also mean that a value that is inherited from a template (and shown in the edit dialog) is not stored when something else in the dialog is changed. Even better would b...

pe1chl

When you have a special need to have a serial number in messages, why don't you add it to the device identity of your devices?
So instead of hAP-test you call it hAP-test-E1548DC8753B

pe1chl

Does a netinstall with keep-configuration flag effectively to the same as an export to file, then reset-configuration with import from that file?
Or is it more like the restore of a backup?

pe1chl

The number after the version string is the "deviceEventClassId" which is supposed to be a unique ID of each message. However, the numbers 10 and 65 are probably not that, it looks like this is still to be implemented... Ok that would be nice for long message that may be splitt to multiple...

pe1chl

Calm down! Let them debug and finish BASIC FUNCTIONALITY in BGP before starting such things...

pe1chl

The number after the version string is the "deviceEventClassId" which is supposed to be a unique ID of each message.
However, the numbers 10 and 65 are probably not that, it looks like this is still to be implemented...

pe1chl

Settings for neighbor discover LLDP are lost on upgrade to 7.18beta2.
E.g.:

/ip neighbor discovery-settings
set discover-interface-list=discover lldp-mac-phy-config=yes \
    lldp-med-net-policy-vlan=16

After upgrade they can be re-applied and still work.

pe1chl

Yes, there is an open ticket. Useless to share it here because you cannot access that anyway.
The ticket was made 23/Jul/24 but unfortunately after the usual "please send supout files when the problem occurs" (and doing that) there was no further progress.

pe1chl

BTW, when you listed default config, your terminal windows wasn't wide enough, some rules were clipped on the right side (the above written one as well). Well, an irritating problem in printing default-configuration is that it does not wrap the lines and the lines are very long. So you need to prin...

pe1chl

Thanks for feedback. There was a chance that route process crashed during "/routing/bgp/advertisements/print". Updated the changelog: *) bgp - improved system stability when printing BGP advertisements; Ok that is nice, but I hope that the other BGP instabilities will also be fixed. At le...

pe1chl

*) bgp - improved stability;

What does it mean exactly? What is the scenario that has been fixed?

pe1chl

The "LAN devices receive adversed IPv6 addresses from all VLANs" is that referring to Windows devices that are on ports with tagged VLANs present?
As that is a Windows bug, has nothing to do with RouterOS.

pe1chl

You can compare the ipv4 firewall....

pe1chl

You can display the defconf using: /system/default-configuration/print

pe1chl

The question is: was the method before the "new method" documented? Probably it was a "known" method, apparently someone was able to write an independent mac-telnet program that worked. And now that no longer works. Still, "security by obscurity" is not a method that i...

pe1chl

We only make changes that improve security of the users, none of those changes are to actively deny 3rd party OSes @normis! So good to see you out and about. I find your reassurances both credible and compelling. Thank you, Well, "improving security of the users" by making changes and the...

pe1chl

I am still hoping for a solution where defconf for the firewall can be applied to an existing router... some command that removes the firewall config and reloads it from defconf, if only as a commandline script. So far none of changes in firewall defconf was ever applied when upgrading ROS. So I do...

pe1chl

But noticed "cloud" or "file-share" are not selectable in device-mode. If the whole of idea was minimizing the attack surface, we're already off to some inconsistency ;). I think device-mode was a knee-jerk reaction to some bad publicity about MikroTik routers being compromised ...

pe1chl

Please make the setting for "inline comments" a 3-state: either not inline (separate line) or inline with the option to have it either at the beginning (as it is now) or at the end of the line (as it is in winbox 3) by default. Of course one can always move it afterwards, but having to do ...

pe1chl

Please add fasttrack ipv6 in defconf Not saying it's not already ... but defconf is only applied when device is reset to factory defaults (where "factory" part is a bit misleading because it's not config applied in factory when manufacturing device, it's config set as default in any parti...

pe1chl

I believe the snmp error about OID not increasing was occurring a few releases back when snmp routes support was first introduced. Rerunning snmpwalk got stuck and eventually timed out, and rerunning it again it returned the same error. This router and others that have had this behavior are being m...

pe1chl

Well, in the solution I use now (as suggested above by sindy) that issue doesn't actually occur, because all the policies are configured as templates and they only become active policies when the peer has connected. I think I now have it working correctly and am working with more knowledgeable users...

pe1chl

I agree, but I also want to stress that loading 4 full tables on an internet border gateway is not the only use-case for BGP.

pe1chl

Ok I have been using RouterOS only from version ~6.29 and I was impressed with how BGP/BFD worked back then. With v7 there initially was the problem of "no BFD" and "buggy filters", but that seems to have been resolved by now. Unfortunately it now longer does its basic function: ...

pe1chl

That may be true, but before they used a standard BGP implementation and Linux routing, and in v7 it was replaced by in-house written code and frankly for me it has only caused trouble. I can understand how they were motivated by things like having a 72-core flagship router utilizing only a single c...

pe1chl

Mikrotik have a significantly larger team of developers working on RouterOS core functionality now than they did in the RouterOS v6 to v7 transition phase Where do you have that info from? Has there been some announcement that I missed? I still get the perception that the number of developers limit...

pe1chl

You will probably have to do your own tests, as it worked for me in 7.15 already... also make sure your client isn't broken, like WinPE is!
(an issue in that version is that it advertises deprecated prefixes as deprecated forever, did not test that with 7.18beta yet)

pe1chl

The problem with device-mode is not that "no router has all features". You can simply enable all features on all your routers. The problem is that it requires physical access to enable a feature, and there is no possibility to enable a feature before you upgrade (and lose access to the fea...

pe1chl

Well, it is usually possible to configure the policy, so that should not really be an issue. W.r.t. the routing: unfortunately it is not that simple. I need to announce the active routes (active IPsec tunnels) on BGP. This server is running in a separate CHR from the core router, and the tunnels can...

pe1chl

On Mikrotik acting as a server, you can have multiple /ip ipsec identity items attached to a single peer with address=::/0 , one per actual peer, that match by any remote-id other than IP address. For each said identity, you define a separate /ip ipsec policy group and set the policy-template-group...

pe1chl

Ok that is good to know, I feared it would be impossible there too because RouterOS probably uses it...

pe1chl

I have to try that solution with a group, but I have already tried to have a single defined peer with multiple identities, and that seemed to work but it breaks down when more than one peer connects at the same time. I will try with the group. Normally we use tunnels (either GRE, GRE/IPsec, or L2TP/...

pe1chl

No it is not practical to register remote locations in DNS. It is for the hobby network, not for the company, and the remote users are of varying skills. What I need is a solution where the remote can configure their router or Raspberry Pi or whatever and then get their subnet IP-tunneled. This is w...

pe1chl

I am trying to setup an IPsec tunnel server that allows remote systems without previously known public IP (or dynamic IP) to connect, and to get a subnet tunneled to them. There may be like 50 remote systems, each with their own fqdn identity and PSK. In the past I got that working using "racoo...

pe1chl

I add dummy lines to the firewall this way:

/ip firewall filter
add action=log chain=-------- comment=-------------

(I use these as separators between different chains)

pe1chl

Yes, there also is a strange problem where on multiple links between the same two routers (e.g. multiple tunnels over different networks) the prefixes received are not stored in the table for all of the links. So it is difficult to achieve redundancy. Sometimes it works, but later when one of the se...

pe1chl

It is not the only problem... I upgraded from 7.16 to 7.18beta and I had the default and an additional template for BGP, but there are issues with the default that I could solve by creating an additional template (same settings as the modified default) and using that. I changed the default back to o...

pe1chl

The default config creates a bridge and it has the admin-mac set correctly.
You should normally not create any additional bridges! The VLANs can (now) be added on the single bridge.
Open a new topic with your specific requirements and/or look in the existing topics about bridge and VLAN!

pe1chl

The whole concept of templates is riddled with bugs. Another one is that winbox will not keep inheritance of parameters from templates, it will just copy them (e.g. into the connection).
It is best to rely as little as possible on them.

pe1chl

You need to set the admin-mac= parameter to the MAC of the bridge.
The default config does that automatically but apparently you have tinkered with it.

pe1chl

No reason? I show you how must be coded corectly to avoid use scripting style that casually works... The missing "" are not only the problem, expect broken it again on future versions.... Actually I think putting a ; at the end of each line is not "useless" but is a style that p...

pe1chl

Well I am not running 7.17 but I am testing 7.18beta2 and it shows that "syn flood" error for port 53 (DNS) once after every reboot, however when I later try the port 53 answers as normal.
So there must be more than that going on.

pe1chl

I have a similar issue like i4ko: One device tries to connect to our server with a bunch of packets, because it want to establish a couple of tunnels. The 7.17 (and 7.16.2 too) version detects a TCP syn flood and shuts down any tcp syn ack traffic on that interface (Log message "possible SYN f...

pe1chl

OF COURSE that does not work when DHCP Snooping is enabled!
DHCP Snooping is an active technique to avoid the problem of Rogue DHCP servers.
You would not use both at the same time...

pe1chl

I am just reporting that route table retrieval via SNMP is broken, not looking for alternative solutions.

pe1chl

Brilliant support received today from Mikrotik. Problem resolved.

Useless to post that here when you do not include how it was resolved...

pe1chl

I have suggested before that the changelog should be changed to a link to a site, where additional info can be provided. E.g. a link to relevant documentation in the manual (help site), a mouseover tip that explains the items in slightly more detail, and information like the release where a fixed pr...

pe1chl

Also note that "Gigabit PHY" is NOT a switch! It basically is the electronics between a low-level CPU signal and the wires in the UTP. It works at L1.
It does not have any L2 or L3 functionality, as a switch chip may have. Switching is done inside the SoC here (as shown in the diagram).

pe1chl

Indeed I was once considering to use it in ESXi servers, with a short UTP from the RJ45 to the iLO port and internet feed via the SFP. But no ESXi support (of course we are now phasing out ESXi so that could be replaced with Linux) and also no clarity if it could be powered and running when the main...

pe1chl

No, all our monitoring is done using SNMP. I also do not like that each and every poll results in a log line.

pe1chl

Not much is known about this card... I also asked once if it has to be in a PCIe bus or if you could plug it into an extender card and supply only power.
No answer.

pe1chl

On one of our RB5009UPr+S+ I get the following irregular log messages: 2025-01-24T11:22:27+01:00 MikroTik ether1 detected poe-out status: voltage_on_poe-in 2025-01-24T11:22:28+01:00 MikroTik ether1 detected poe-out status: disabled 2025-01-24T11:28:29+01:00 MikroTik ether2 detected poe-out status: v...

pe1chl

Retrieving route table via SNMP (snmpnetstat -v2c -c public -Cn -Cr router-IP) no longer returns the complete routing table.
Also, when there are multiple routing tables, it still ends up in a loop (existing problem).

pe1chl

The BGP situation appears to be improved, but I am still hunting a gremlin. What happened: my home router has 2 templates for 2 different networks (different AS, different routing table, different bgp-networks), one in default and one added template. The routers at work just have the default templat...

pe1chl

Maybe the statement "Optimal nand stability requires a backup-routerboot upgrade" has to be explained. Given the fact that a backup-routerboot upgrade is impossible, what is the risk? Is there a risk when running, when booting, when using the backup booter, or all of these? I am not going ...

pe1chl

That is of course completely impractical. One cannot install an arbitrary RouterBOOT version, and the maintainers decided to change the RouterBOOT version for each and every RouterOS version, for whatever stupid reason... This package has to be updated to current RouterBOOT version (= the current Ro...

pe1chl

When upgrading a RB951G-2HnD and logging in to the commandline I got this story: 2025-01-23 20:11:32 system,info,critical Optimal nand stability requires a backup-routerboot upgrade.\r 2025-01-23 20:11:32 system,info,critical Universal package can be found here:\r 2025-01-23 20:11:32 system,info,cri...

pe1chl

Thanks! What I mean is the deviceEventClassId field that I have seen in some examples, but apparently does not yet exist in RouterOS. It probably requires "changes all over the software" to add that, and it would be nice if it would appear in non-CEF messages as well. (in the text or as a ...

pe1chl

Also in the "logging" category: could we get a log message when the state of a route with check-gateway option changes (up or down)?
I enabled all "route" messages but there does not appear to be a message for that, other than during initial establishment.

pe1chl

I am happy to notice that the "regex" match in Logging Rules was added! (actually in 7.17 but I skipped that release)
In the category "it is never good enough": could we get a "not" option for that (the familiar box in which a ! can be clicked)?

pe1chl

Well I skipped 7.17 because of that, but now I am testing this beta because it fixes a BGP problem (still have to test if it fixes all problems)... Now I find that by default "partitions" mode is OFF but I still can switch between partitions and copy active to backup, so it is not so bad a...

pe1chl

I'm not familiar with that CEF format, but isn't there supposed to be a unique message identifier as well? Or does CEF not specify that?

pe1chl

It would be nice to have REST API as a separate service too, that you can enable without allowing webfig...

pe1chl

Everything will be back to normal after upgrading RB firmware to 7.18beta. Not possible on CHR. Simple reboot does the trick as well (just verified on wAP AC). There is no "issue", it is the new normal. It says it shows the available packages after a "check for updates", and app...

pe1chl

On this above, what modems/devices support these eSIM commands?

Most likely some device that still is in development...
We can still hope there will be more 5G client devices :-)

pe1chl

TLDR: ROS DNS forwarder should not switch upstream DNS server just because a single request was answered with status SERVFAIL, because SERVFAIL not necessarily indicates a problem with the specific DNS server. A "good" way to handle this (this is how bind9 does it) is to keep a rolling av...

pe1chl

*) system - added option to list and install available packages (after using "check-for-updates");

Oh that is great! Have been asking for that / suggesting it for ages...
Now get on with it and split off some niche functions/applications into separate packages again!

pe1chl

In CLI Responder parameter for Wireguard peer renamed to "responder" and was "is-responder" in previous versions. So some exported configs will produce syntax error You should understand in general that while RouterOS does automatically convert configuration when you upgrade (an...

pe1chl

hI, In dark mode, why text is in gray and not white, it's not enough contrasted for some people. I think, there should be a separate color settings window, that will allow to select a color for each interface element (fonts, backgrounds, lines, headers, window titles and so on). It's hard to fullfi...

pe1chl

Is anything required for these commands to function after reboot or am I supposed to enter them each time after reboot? I suggest you first use the default settings, make your self familiar with RouterOS a bit more, maybe read some of the docs, and once you know the answer to such generic questions...

pe1chl

It would also be great if there was some layer 2 filtering (aside from ARP) for WAN port, but EBTables is LAN-only and doesn't filter WAN. You can just add another bridge, put your WAN port in it, and move the WAN port config (IP address etc) from the WAN port to that bridge. Then you can apply bri...

pe1chl

Yes, but who has installed 7.17? I probably never will...
Before that, an admin user could set the "try ethernet once" mode and reboot, but even then it would not work on a typical internet connection (at least here, it is all PPPoE)

pe1chl

Ok but even with a flat L2 network the "hacker" must be in the same L2 space (which means at the ISP or maybe in the same street in some cases) and it cannot be "a Russian hacker" (over here the media think that all hackers are Russian) working from home.

pe1chl

You can only set comments on static entries.
So that presumes you have entered those ARP entries manually.
Having them set by the DHCP server ("add ARP for leases") does not count, because then the ARP entries are still considered Dynamic even when the lease is static.

pe1chl

What is wrong with using "bridge filter", which probably indeed will map to ebtables, for that?

pe1chl

It can only be an issue when: - your WAN is actually a plain L2 link to the ISP network and there could be someone on the other side who can connect a machine with netinstall to that - they already know your credentials so they can log in to your router and set "boot ethernet once" and the...

pe1chl

upgrade failed, free 9 kB of kernel disk space First they have to figure out what does this message actually mean... Maybe on some devices there is a separate partition for /boot ? That used to be required/customary on some Linux filesystems or disk devices, to guarantee that the boot code was alwa...

pe1chl

Due to a chip issue which reports board temperature MikroTik decided to remove this parameter from health. The questions was "WHY?" What is the chip doing to cause this decision? Sometimes the reported board temperature is ridiculously high, I have seen that in one of our devices (while o...

pe1chl

Well, I still hope there will also be some unique message code ("topic") for each and every different message that can be logged by RouterOS. As it is now, there are too many different messages grouped under the same topic, and filtering is difficult. (also because the system logging rules...

pe1chl

Thoughts anyone? EoIP is a connectionless protocol, there is no "connection that is closing". However, as with any tunnel protocol, there is the risk of creating a loop where encapsulated traffic is again encapsulated. Maybe the circumstances have changed due to the version upgrade, like ...

pe1chl

Wow... And how about me that, using semantic versioning as a reference, I was thinking that Stable could mean that the software manufacturer should only release as stable code that is free of any known bugs. I think I'll review a little more about versioning standards. It would be desirable when it...

pe1chl

"v7 stable" NOT STABLE. Remember that "stable" in software releases means: "here you have a version that will remain for a while, we will not release a new version every week or two, so you can install this and won't have to update it immediately". The stability refers...

pe1chl

Such a message can also mean that the router is very busy doing something else or the link to the router is slow.
Apparently when the connection cannot be established correctly it will issue some generic message.

pe1chl

I tested on a debug router but it isn't really a viable solution. There are messages logged but they all have topic route,debug,calc and there is no specific message about the recursive route that goes up/down, only information about the reachability of a specific address occurring somewhere in a ch...

pe1chl

Still I think it is a shame that there is total silence from MikroTik about the BGP issues, both on this topic and from support. (I have an open ticket) I wouldn’t go as far as calling it a shame, but it is certainly irritating. Let’s hope for the best and that it gets fixed soon. Perhaps if someon...

pe1chl

I backed my most problematic router off from 7.16.2 to 7.15.3 and the BGP problems seem to have stopped. I saw some appear on other routers due to a bouncing session due to faulty BFD, and so I anticipate moving them all to 7.15.3 (BGP cores and reflectors). Thanks for confirming that! I was quite ...

pe1chl

But does that include up/down messages for routes with check-gateway? I am asking this in the context of this topic, i.e. using recursive routes with ping check to implement failover. Failover seems to work but one never knows if it is happening... Indeed I fear that this topic will include all kind...

pe1chl

Please consider to offload "filter" to the router instead of handling it in the UI. When selecting a filter, all the items are still downloaded from the router and then locally filtered. Instead, the items could be fetched from the router specifying a filter condition, and only the relevan...

pe1chl

There is now a new winbox in betatest but I do not know if it has improvements in this area. I agree with you that the route display in traditional winbox does not work correctly now, not only it can really load the router but also it sometimes lags in what it displays compared to what is really in ...

pe1chl

I would like to have logging of state changes of routes with "check-gateway".
I.e. when the state of these routes changes (up to down or down to up) a message is logged with at least the dst-address, gateway, and routing-table.

pe1chl

I would like to have logging of state changes of routes with "check-gateway". I.e. when the state of these routes changes (up to down or down to up) a message is logged with at least the dst-address, gateway, and routing-table. Right now, it is largely invisible how failover solutions like...

pe1chl

I would like to have logging of state changes of routes with "check-gateway".
I.e. when the state of these routes changes (up to down or down to up) a message is logged with at least the dst-address, gateway, and routing-table.

pe1chl

@EdPa is there any chance that SUP-172111 will be fixed before the stable release? hAP ac2 reboots itseft with SMB transfers also with 7.17rc7 ( more info ). Thanks Unfortunately I confirm that it is due to a hardware limit (low RAM) of the hAP ac2 and not a problem of ROS 7.17. SMB works perfectly...

pe1chl

Well, there are even bugs in the basic BGP function, confirmed by others and some by MikroTik too: - when a BGP session closes, at random some other (or all) session closes and has to be re-opened - when a BGP session is established, no routes are exchanged until the keepalive timer elapses for the ...

pe1chl

/interface bridge
add admin-mac=E1:E1:E1:E1:E1:E1

Your admin-MAC is invalid!
The lower bit of the first byte must be zero.

pe1chl

@oskarsk is there anyone working on the BGP issues at the moment?

pe1chl

well it seems we have 2 groups of people... 1 that needs specific features which is only possible in new versions and other group that has all they need and just want stability.... there is no right answer here... Then there is people caught in the middle. We upgraded all our routers to 7.16(.x) an...

pe1chl

But on the RB5009 since the beginning I have been unable to turn on the IGMP Snooping feature, and not only because of the VLANs. Turning it on and IPv6 RA/ND stop working. I had such an issue for quite some time on one of my devices, a hAP ac2 used as a second AP in bridge mode, and at some point ...

pe1chl

I learned the "monkey test lesson" by enabling IGMP-snooping and multicast querier some months ago. It introduced extreme latency on my whole network I could not explain - just to finally determining these 2 bridge settings as the issue. I configured IGMP snooping on our work network (swi...

pe1chl

It could be considered a lesson "do not enable each and every feature just because it looks cool"...
DHCP snooping can be useful in large networks with access for guests and other BYOD equipment, but on a home network it really isn't worth the (potential) trouble.

pe1chl

I have always wondered why the IP fragmentation code in network stacks splits a too-large packet into a maximal size packet and a small remainder... IMHO that only increases the risk that further fragmentation is required further down the path when another smaller MTU is encountered. Back when I mai...

pe1chl

Did you by chance upgrade the Unifi application to version 9.x? I see others reporting RADIUS problems for that version, unclear what the problem is.

pe1chl

But as I understand it, this mode is not compatible with wpa3-psk? PPSK functionality relies on a weakness in WPA2. It is not possible in WPA3. (you will find that it is not available on other manufacturer's devices either) A better solution for this functionality, which works with WPA3 as well, is...

pe1chl

When tracing to a file in ramdisk, I noticed that in the Files window in winbox the size at some point is shown as 252.6MB and the file date no longer changes, but when stopping the trace and downloading the file it is a 329MB file. It appears it was a "one time" fluke. Probably it would ...

pe1chl

When tracing to a file in ramdisk, I noticed that in the Files window in winbox the size at some point is shown as 252.6MB and the file date no longer changes, but when stopping the trace and downloading the file it is a 329MB file. It appears it was a "one time" fluke. Probably it would ...

pe1chl

As I wrote above, it used to be available but apparently it was pulled. And I can understand why. Fortunately, here the fiber providers mostly provide the PON in a NTU box that converts fiber to RJ45 ethernet. You can connect your own router where you have to configure PPPoE over VLAN. The only thin...

pe1chl

That is not called asynchronous, that is called asymmetric! No idea why so often people make up the term asynchronous for "different down and up speeds", it really has nothing to do with that. Back to the "MikroTik and PON" topic: there used to be a MikroTik PON SFP, but it is no...

pe1chl

When tracing to a file in ramdisk, I noticed that in the Files window in winbox the size at some point is shown as 252.6MB and the file date no longer changes, but when stopping the trace and downloading the file it is a 329MB file. I removed the file and restarted the trace to see if it is reproduc...

pe1chl

You need to make room or netinstall that device to clear leftovers from previous versions. Well, "out of memory" probably refers to RAM, not flash. A netinstall can be tried, but it seems more likely there is a memory leak in one of the components he is using. Or due to a script e.g. that...

pe1chl

PON is used to limit the amount of equipment in street cabinets, which reduces costs. It also allows some overbooking of the local access capacity, e.g. the ISP can offer several multi-GBit user connections over a single XG(S)-PON. PPPoE is often used in networks where the access network allows subs...

pe1chl

Yes. But highlights the need for better communication about their roadmap. i.e. If they giving up on the US market, that be good to know – none of new LTE products have US variants. The new cAPax+LTE is actually a nice offering – but worthless here, just like all the previous new LTE devices for pa...

pe1chl

Are we getting yet another offtopic monologue in the Newsletter topic?

pe1chl

Maybe for some of those fast internet connections a device like the CCR2004-1G-2XS-PCIe as a standalone router (2xSFP28 + 1xGbe) would be useful... could be used with a suitable switch depending on the user's requirements. Unfortunately it is not clear if the CCR2004-1G-2XS-PCIe could function in a ...

pe1chl

a hAP AC2 is not a NAS!

pe1chl

Ok I just wanted to make sure that it is not a simple issue related to the fragmenting of packets... I use UniFi APs with EAP and RADIUS, but not with MikroTik usermanager (I use FreeRadius). I would not expect that IP fragmentation would be a problem. Long messages are quite usual in these scenario...

pe1chl

Make sure that you don't have some firewall somewhere that drops the 2nd fragment of the transmission because it does not have a valid UDP header (with permitted ports in the firewall)....
Can you send a long ping to your APs? (without "do not fragment" option, of course)

pe1chl

Next time, partition the device (2 partitions), and before you upgrade copy the active partition to the other one. When the upgrade fails, select the other partition as active and reboot and you have your original version and config back. (when it does not boot at all, you can powercycle it during b...

pe1chl

When you want the best WiFi performance in a home router, MikroTik is not the place to be. The usual suppliers of ISP routers like AVM have more attractive products for that. Usually the plain (NAT)routing of those devices is faster than all but the most high-end MikroTik routers as well. When you h...

pe1chl

It would be nice when there was a list of known problems in a stable release, possibly later updated with new known problems introduced with the release. There could be a link to a webpage that has such info and that is updated when new issues are recognized and planned to be fixed, in what version....

pe1chl

Another problem with the ISP's router is that it has no WiFi power management. Normally I set it to the minimum.

MikroTik does not have that either!
In fact TPC (Transmitter Power Control) is mandatory on DFS channels, but almost nobody implements it.

pe1chl

The problem with spectrum is that they don't make it any more. There is a fixed amount, and it has been allocated to all kinds of services. While some services can release it, e.g. where there were microwave links between towers for professional use like telephony and TV distribution that now largel...

pe1chl

The 6GHz band actually is even more troublesome than 5 GHz...
Over here it allows only very low power, outdoor installations are prohibited.
(of course for the same reason: it was already licensed to other users)

pe1chl

You cannot make such blanket statements. It entirely depends on the country and the ISPs. In some places that were behind on broadband internet, fiber has been deployed to all homes and sometimes is offered at very low prices to consumers. In other places where broadband was deployed going along the...

pe1chl

Hopefully there will be a round of BGP fixes in the 7.18 betas so we have something to look forward to...
(there is of course no hope for the bugs to be fixed in 7.17 as there isn't any bgp changelog line...)

pe1chl

While perhaps the older ac chipset cannot directly handle VLAN in hardware... It is a nice try, but the UBNT accesspoints I use at work use the same QCA9984 chip as is used in older MikroTik AC hardware, but it fully supports VLAN assignment per client... and I don't think that would be a software ...

pe1chl

CRS = switch. It has routing capabilities but not much. You're most likely looking for CCR then. And then prices go up up up. E.g. CCR2004-16G-2S+ 16 Gb ethernet ports, 2SFP+ cages, PLENTY of power. No Wifi. No passive cooling. I do have a CCR2004-16G-2S+ in use at work, and maybe I would consider ...

pe1chl

The whole VLAN stuff still s*cks! Any reasonable WiFi network has the capability to assign a different VLAN to each client either via RADIUS or via access list rules. The AP network interface has to support tagged VLANs and the connected clients receive the assigned VLAN untagged, and that should no...

pe1chl

First 2.5G switch has been released already a year ago. 8x 2.5Gb ethernet and 2x SFP+ ports. Not fanless though. https://mikrotik.com/product/crs310_8g_2s_in 10G switch, fanless: https://mikrotik.com/product/crs304_4xg_in Well, what I do not like about the switch products is the relatively small nu...

pe1chl

MikroTik isn't really in 2.5G yet. Yes there are some devices with a single 2.5G port and an SFP that can do 2.5G, but what you really would want is a device like the 5009 but with several 2.5G (UTP) ports. And probably some switches too. And then for the router probably with wireless as well. They ...

pe1chl

That is "source address selection", it applies to outgoing packets (originating from the router) that do not have an explicitly set source address. What the topic is about is "the logging to network ignores the specified source address, that must be a bug". But I agree with @rpla...

pe1chl

No, I don't have a test lab to do that. I do. if you're interested in cloning a sanitized version of your configs, I have four RB5009's and two CCR2004's racked up, with two more 5009's on the shelf. The important part of the config is like this: 1 CCR2004, 3 RB5009, 3 RB951G. The latter are leafno...

pe1chl

Yes, but not me. Testing this requires a network of like 6 routers with tunnels between them and BGP running on it. So several locations with different IP addresses are required, 2 addresses at each location. We have that in production but we do not have a separate test environment that replicates i...

pe1chl

No, I don't have a test lab to do that.

pe1chl

Why???

pe1chl

absolutely. that script would need to have the lease variables exposed. The current DHCP scripts dont, you have to let the lease be created then match against it. The current DHCP lease script is called after an address has been assigned, which is fine when you want to use it to create a DNS entry,...

pe1chl

I suggested that too. In fact I think it would be very nice when a DISCOVER-phase script was added that gets all parameters from the DHCP packet and can decide which lease time, which address pool and which option set are to be used (or "none" to ignore the request). It would cover many sp...

pe1chl

It seems like BGP in general is a bit off the current attention hotspot... in 7.17rc there are no announced BGP changes at all, even though there are several new known bugs (introduced over the 7.15 .. 7.16 span) and of course some unimplemented features too.

pe1chl

Yes, that is quite low, my hAP ac2 runs with 1400 kB free at the moment, but it does not have wifi-qcom-ac installed. I noticed that the "Total HDD size" is now reported as 16.0 MiB while I am sure it was like 15.2 MiB before, so that has changed in some recent release. No idea if they rea...

pe1chl

On the other hand, it is not really MikroTik's task to work around the release and support cycle of other equipment... or the fact that people don't have money to renew the equipment they earlier have bought.

pe1chl

What you described, would following the dns list by order be somewhat similar? It would be a step in that direction in my opinion Somewhat similar, but not the same. Usually you get several alternative DNS resolver addresses from your ISP, e.g. in my case 4 (2 IPv4, 2 IPv6), and you would want to l...

pe1chl

Well, one can always wish for more advanced options. What I would like is to have groups of servers, and then at first the servers from the first group are used in some optimized way like I described, and only when all servers from the first group are failing to respond, servers from the second grou...

pe1chl

Causing a reboot just by copying a large file via SMB sounds like a big issue that should be fixed before reaching final. Well, for me it sounds like an irrelevant issue because a router is not an SMB server and the whole SMB function should not have been there... For me, the big problems in BGP sh...

pe1chl

Is there a reason using standard DNS, the in use DNS server always ends up being Cloudflare? No matter which order I put the servers in, the DNS in use always ends up being Cloudflare within a few minutes of arranging them. Or by running the dns leak test. Why is Cloudflare preferred over any other...

pe1chl

I have seen those issues in 7.16 as well: a single disconnected peer disconnects multiple or all peers at the same time, and routes via disconnected peers still appearing in the table. The first I was able to improve a bit by forcing all BGP handling into a single process (input.affinity=main output...

pe1chl

It seems that in the 7.16 (and 7.16.x) versions BGP has become unreliable. Today we had some internet outages and the backup route config I have used for a long time starting with v6 simply no longer works. I have noticed it before and tried different things but never got it working reliably anymore...

pe1chl

it seems that in versions 7.17beta/rc there is some kind of problem that is actively consumes space on a flash on my ac2, I successfully used 7.16rcX for several months without errors, but after updating to 7.17rc2, less than a day later, dozens of saving errors began to appear Did you check space ...

pe1chl

Maybe one of the outside-MikroTik users who have found detailed information about how the system works could reveal some detail about that. I would expect that RouterOS has some tables of available commands and options and directives for the GUI (webfig/winbox) which are used by the generic command ...

pe1chl

Next time partition the router and copy partition before upgrade, then you can simply revert by switching partitions as long as the device isn't completely corrupted... partitioning is a great thing, but... it is not available everywhere, I wish to have it for CHR, but again... but... but... but......

pe1chl

Ok I do not have that many peers on a 7.16 router. but I do see another problem: multiple routes to the same peer over different paths are not stored. do you see that as well? It worked fine before. E.g. we have peers with a GRE/IPsec, a GRE6/IPsec and a L2TP/IPsec tunnel (over LTE) between them for...

pe1chl

Next time partition the router and copy partition before upgrade, then you can simply revert by switching partitions as long as the device isn't completely corrupted...

pe1chl

What is that BGP+BFD problem? I have some BGP problems but not BFD related...

pe1chl

Indeed. But of course you can write a script, and run it at the interval you like, that checks if your smaller subnet is reachable in the route table, and when it is not it disables the blackhole route. That will cause the aggregated route to no longer be advertised. It was possible to do that witho...

pe1chl

Price Reduction Overhaul ??

pe1chl

Before I have suggested that sessions (now workspaces) would optionally be stored on the router itself. Of course there is the issue that the workspace is optimized for the resolution of the device and thus may be incompatible with another device, but still I think it would be useful when there is s...

pe1chl

I can't imagine any major internet operators and distributors that MK has never discussed with them about VTI support.

Well, I can understand that. VTI is not something that internet operators would use.
It is something for customers. To connect to their cloud virtual machines, for example.

pe1chl

Why is BGP not getting any love?
There are several known problems in BGP yet no release notes about improvements...

pe1chl

Yes of course it should only update to versions that have been "stable" for a long time, and without modifying them. At the moment, a "beta" is promoted to "stable" and that is when everyone starts installing it and the bugs appear all over the place. So such a "cr...

pe1chl

even in this forum there are people who are asking why they have unrecognized accounts and unrecognized scripts in their devices, that are calling traffic generator, configuring proxy etc. even forum users make mistakes and let in people they did not intend to let in. I still wonder how many of the...

pe1chl

As I wrote above, I would like some new "save as new item" which is easier to use than first COPY, save that copy, and then still have the original open. E.g. in PHPMyAdmin, which performs similar actions as modifying a RouterOS config, you can select a database row, do "edit", y...

pe1chl

But just editing the copied rule, and saving it directly as active without prompt, is one of the great attractors of the "oh no" events. Those, when we click the "ok" button and immediately think "oh, no". That would not be a problem because the copied rule is the same...

Search found 12725 matches