MikroTik

pe1chl

That is the problem, WPA2+WPA3 will not work with all clients. Especially old and IoT clients have trouble with that.
You can only use WPA2 and when you want WPA3 you need to put that on a different SSID.

pe1chl

I didn't enable WPA3 this time and did set management-protection=disabled Now the naughty clients behave, it wasn't related to what I've said above. I'll move them to another SSID in the future. That is quite common, also with other manufacturers. WPA3 requires management protection, but even setti...

pe1chl

Unfortunately you cannot have recursive routes with reference to routes in another routing table. So the "check routes" to e.g. 8.8.8.8 have to be replicated in each table. The only thing different between the tables is the order (distance) of the default routes. At least that is my unders...

pe1chl

Yes, I have 3 routing tables: the main, and an extra table for each ISP.
I use route marking to select the table, based on source address (for router outgoing traffic) or a PCC for load balancing during normal operation.

pe1chl

Probably you need to make sure that it is not activated for traffic that is high volume and does not require the feature, like DNS requests.

pe1chl

There is no "or use IPv6 servers", I need to use both of them independently to make it work for IPv4 and IPv6. Which of course is required as well because an ISP may e.g. be defective for IPv6 but working for IPv4 (currently one of ours is). So the failover procedure is independent for IPv...

pe1chl

Probably many of those examples are just special cases of the generic "there is so much flexibility in RouterOS configuration and usage that it is impossible to test everything", and stuff that we see fail over time is not a hardwired "that is not supported (anymore)" but it is j...

pe1chl

I wonder if YOU are reading the post and see if that topic has been discussed before?

pe1chl

That is what I am doing now. But you need to know the context: https://help.mikrotik.com/docs/spaces/ROS/pages/26476608/Failover+WAN+Backup (in reality it is slightly more complicated than that, because we also do load balancing using multiple route tables) With this solution you necessarily have /3...

pe1chl

Yeah, but as I wrote they are also often used by users on the local network (behind the router) so using them for the recursive route check is not optimal (when the ISP associated with the particular address is down, the service becomes unavailable). I notice that I can ping 1.1.1.2, 1.1.1.3, 1.1.1....

pe1chl

Ah that is a great idea! Thanks. Well, except of course that "they" could block ping at such servers at any time, just as they could do on 8.8.8.8 etc. I think I still have to extend my search for services that are publicly offering ping support, like 8.8.8.8 offers DNS support, and are si...

pe1chl

That is why I want to have a "reliable address to ping". Maybe I should have also specified that I prefer it to be an anycast address, like the ones I mentioned already to be using. I need addresses that are sufficiently nearby to not be affected by some random failure on the other side of...

pe1chl

Not an answer to your question, but pinging may be only part of a thorough "is internet working?" check, you may have ping OK but (for whatever reasons) DNS not working, the router will provide connection, but your browser won't go anywhere. That does not matter. We have two independent f...

pe1chl

Re: ... ping ... monitor an internet connection ... If I was going to try this , I think I would write up a Netwatch script. Have it ping multiple IPs out on the internet and then have the script detect if all the the remote IPs being pinged were down , then take an action to reboot or use an alter...

pe1chl

Code: Select all
2600::

Indeed it works, but how reliable is that? Is there a description somewhere?

pe1chl

Does anyone have a list of reliable addresses one can use to monitor an internet connection? I want to use that for a fail-over solution with recursive routing and ping-check of a sort of remote destination. (the first level pings the next hop ISP router, but I have a second level that checks if the...

pe1chl

By now it is available in winbox as well. But I find the parameters very non-intuitive... When you want to use ping (type=simple) you specify the host address to ping. But with type=dns in that host address field it wants the DNS name and there is a new field dns-server= where you specify the server...

pe1chl

You are right, it looks like "activity" no longer works in recent versions.
No idea if this is a bug or if it is an intentional change either to overcome some problem or because of customer or legislator wish...

pe1chl

Well, it is also already quite some time ago that we were promised the capability to store received routes in an address list rather than (or in addition to) a routing table, presumably via a routing filter... that would also help in some special cases.

pe1chl

Recently I see some of these messages in the log: pool6 refused acquire: bad preferred prefix length! (1) That these messages appear just now is likely not caused by a RouterOS change but by some update in client software. I am running a DHCPv6 server with only prefix pool, I guess that client is tr...

pe1chl

Actually it appears I have misunderstood the "Input accept NLRI" filtering. MikroTik told me the entries in the address list have to be an exact match, so a 0.0.0.0/0 entry only matches the default route. That makes the entire filter useless for me (I would have wanted to put something lik...

pe1chl

For the usual "WiFi access point with NAT router" function, the default configuration should be fine.

pe1chl

May I ask why using Xtightvnc is that because of using some game OS like Windows :), when you can use ssh with forward X11 ? Maybe it can be solved with WSL2 in Windows ? I don't know. I have heard that WSL2 have support for translating X11 to WinAPI. I use this because I can leave the Linux system...

pe1chl

+1 for that. would be really useful Another +1 Actually it appears I have misunderstood the "Input accept NLRI" filtering. MikroTik told me the entries in the address list have to be an exact match, so a 0.0.0.0/0 entry only matches the default route. That makes the entire filter useless ...

pe1chl

I'm using xorg-x11-server-21.1.11 Is it so difficult to read? The issue occurred with Xtightvnc. That is an X server that has no physical screen but can be connected using VNC. Kind of terminal server solution. With the normal X11 server this issue did not occur. I presume there is some way to set ...

pe1chl

Please read. The system was upgraded from Debian bullseye to Debian bookworm. The issue was that on Xtightvnc the window of WinBox 4 could not be enlarged above a certain size. As my desktop is 1600x1200 it would not allow to fullscreen the window, it looks like it crashed at about 1 megapixel. (the...

pe1chl

The important question of course remains: "what do you mean with remote access". When the MikroTik router in question provides the internet routing at the remote location, and is the only device to do so, it is a different question than when there is other connectivity to the location with...

pe1chl

One thing keeping me from using WinBox 4 on my work system is that it does not work on the Xtightvnc X server that I use there. My work Linux machine runs on a VMware server and I connect to it using VNC. The install is bullseye, still did not get around to upgrading it to see if it is magically so...

pe1chl

It is not the best approach to "define a second bridge". Keep everything in one bridge, define VLAN subinterfaces with that bride as parent interface, and configure VLANs and VLAN filtering on the bridge. Putting an IP address on the VLAN subinterface enables the management via that VLAN, ...

pe1chl

Hogwash, of course. When you have a dedicated OOB port, you need remote access to that anyway. And when that is a prerequisite, you can do it with MikroTik equipment too. Some routers have RS232, you can cross-connect that between two routers and access one router from the other, even after factory ...

pe1chl

If you do this, you can see what libs being used and loaded. Have removed the links in this list though. ldd WinBox | cut -f2 | cut -f1 -d' ' | sort /lib64/ld-linux-x86-64.so.2 libbrotlicommon.so.1 libbrotlidec.so.1... etc The issue with that is that many distributors name their packages differentl...

pe1chl

Your assumption is that customers buy their MikroTik hardware (or do not walk away from MikroTik) based on the existence of a new version of WinBox... but that isn't necessarily true. I am using winbox3 for production use myself, and only try winbox4 now and then to see how it develops. Other users ...

pe1chl

What is a reasonable time frame to complete a beta to official? I know it took GIMP 7 years to migrate from 2.10 to 3, but they were an incredibly small team of volunteers who contributed as they could. MT have been working on v4 since last August - almost a year now and still haven't got close to ...

pe1chl

With today's networking libraries you actually have to make effort to NOT support IPv6...
(like unnecessarily "validating" addresses before handing them over to the library)

pe1chl

Do you mean that we do that in winbox3 BEFORE we import the addresses into winbox4?
Or does it mean that it is safe to share the Addresses.cdb file between winbox3 and winbox4 e.g. using a symbolic link?

pe1chl

You can go to the "Tools->Graphing" menu, under "interface rules" add a new rule for "all", allow address 0.0.0.0/0, but do NOT check store on disk. Also under "resource rules" add a new entry like that (allow address 0.0.0.0/0, but do NOT check store on disk)...

pe1chl

/interface/bonding/ set LAG2 arp=proxy-arp disabled=yes

This is just WRONG!!!
They want to disable proxy arp, not the interface. It means you should use "arp=enabled".

pe1chl

I agree with you, it would be a useful extension when instead of / in addition to "use IP firewall" you could configure a set of custom firewall chains to be used for the IP filtering in bridges! What you can do to improve efficiency: in "bridge filter" apply a "packet mark&...

pe1chl

It probably depends on the use of some encryption protocol, e.g. with IPsec, OpenVPN, etc.
When you do not have any of that, you may not be affected.

pe1chl

Could it be that the 10 second disconnect is happening because the hAP ac2 is restarting?
Connect to the admin interface and check under System->Resources what the "Uptime" is.
Is that many days, or is it just a short time ?

pe1chl

There is no need to turn all of them ticket numbers into bugID, but if some of them is misunderstanding, then you could improve your documentation if/where it needed, maybe asking the reporter what should be in the documentation to get it more understandable. For misconfiguration the same. Unfortun...

pe1chl

I guess it is much easier to find developers that can create stuff like "detect internet". "kid control", "device mode", "media server" and "storage server" than to find those that can develop all those complicated routing protocols in a locally crea...

pe1chl

Apr/09/2025 07:45:24 pppoe,ppp,error could not add dhcpv6 server with pool PPP-30M-LAN: server with such name already exists (7) Apparently, there are attached elements that are not being consistently cleared from the dynamic interface, preventing the PPPoE session from being restarted. Did you con...

pe1chl

It probably depends on whether there is an active developer with interest and time for the specific topic...
The problems introduced in simple BGP use-cases (not all those VPN and VRF things but simply routing in a small partial-mesh network) in 7.16 have not been taken up either...

pe1chl

It's almost like MT is afraid to publish a super-long list of known issues and scare customers away. Well, at least give us a page of the top 20 or so of the most important issues, at your discretion. The list of issues should not only include the known issues but also the resolved issues. Then the...

pe1chl

As I have said multiple times, this forum is a deep dark corner of geeks, amongst millions and millions of other people that have never seen this forum in their life, but are using mikrotik products. It is irritating that you see it this way. A bunch of geeks. I visit the "active topics" ...

pe1chl

The graphing pattern suggests that there is a memory leak for each query to the resolver.
It may also depend on whether the target of the CNAME is also local to the router, or is some remote record.
We have seen many interesting problems with CNAME in the DNS resolver before.

pe1chl

Impossible to tell if that is the same problem.
The DNS cache has a configurable size, default is ridiculously small.
When you haven't changed it it can easily get full, but that is not the same as the DNS process using up all memory (even above configured cache size)!

pe1chl

It must be related to configuration and/or usage pattern.

pe1chl

I don't agree. Any router should be capable of providing DNS resolver functions! However, that is a difficult programming project, and it is being under-estimated by MikroTik, There are already so many bugs like this one that have been fixed in the past and then there usually was another problem (wh...

pe1chl

When you want to power a RB5009 using PoE and then use the RB5009 to power other things, you will easily exceed the max power for PoE from the switch. So you should first check that. It will probably not work. I use several RB5009UPr+S+IN to PoE-power other things (WiFi AP, phones) but always only w...

pe1chl

Meanwhile the "others" who provide the T1 are probably researching how they can keep up that T1 to the single customer that still wants it...

pe1chl

Why do you use EoIP and bridging, instead of a L3 tunnel like IPIP or GRE with the correct routes in place?

pe1chl

It is time that MikroTik abandon their resolver toy and go for something like "unbound".

pe1chl

And to be clear, the MikroTik team has improved A LOT regarding documentation in recent times! I don't know who, but someone deserves to be congratulated for this. Please give it to this person. What I miss the most are the use cases! Something that there was much better back in the wiki days. Well...

pe1chl

@felixka I have been arguing many times that this should be done at least for the release notes. Right now we get basic and cryptic statements about what has changed in a release, but we never see a complete description and an underlying bug report. It is often difficult to guess what is really mean...

pe1chl

Your issues are caused by the use of some advanced encryption method that has a bug in the kernel implementation.
It has been discussed in release topics before and will probably be fixed in the next release.

pe1chl

After upgrading old RB2011 to 7.19 beta7, can't upload anything any longer (e.g. can't upgrade to beta8). File list empty. Scripts that create backups fail.
What's up with that?

Flash memory full?

pe1chl

Yes. All advanced STP-aware equipment has this. That is not too difficult to Google, isn't it?

pe1chl

CHR version still has the issue that disk space is greatly reduced after an upgrade, usually but not always back to normal after an extra reboot.

pe1chl

Well, the whole topic of "how do I setup a number of similar routers" and "how do I migrate my existing router config to the new shiny box that I bought" certainly deserves a bit more attention! For skilled users it is possible to export a config, edit it, and paste it into a new...

pe1chl

As is stated in the documentation, the check for locally originated routes is "if ( bgp-network )"
can you share the documentation link, google was not enough for me to find it

https://help.mikrotik.com/docs/

pe1chl

So you are filtering outgoing routes here?
The local AS is not yet part of the AS-path at the time the filters are applied!
As is stated in the documentation, the check for locally originated routes is "if ( bgp-network )"
I use that and it works OK.

pe1chl

Be it routing table names or partition names - all points towards the need of better configuration integrity checks. We might not be able to get full reference level checks but object name level checks should be one of most basic things there is... Actually in most places it just works fine. You ge...

pe1chl

anyone have problem with bgp filtering for local as?
regexp ^$ or bgp-path-len < 1 did not works

what do you want to achieve?

pe1chl

Same applies to other objects as well - partitions can have same name as well to create more confusion. Partitions can be renamed from command line though... Well, at least partitions also have a number that is visible to the user. The routing table number (which of course exists in Linux) is compl...

pe1chl

in the future when IPv6 implementation start rising massively

Are you calling us from 2010? Or is it an April fools joke?

pe1chl

I noticed that it is possible to add multiple routing tables with the same name:

/routing table
add disabled=no fib name=test
add disabled=no fib name=test

This is accepted without error message and then there are two tables with name test, and it is unclear which one is used.
SUP-184107 created.

pe1chl

But they could respond like: "Hello Mr. Pe1chl, at the moment, we do not have any available resources to address these issues. We will get back to you as soon as we start working on them. Thank you." That is likely against company policy... I remember during the early days of v7 the BGP f...

pe1chl

I did, and you said "it could instead use a RAMdisk that is already configured, or dynamically configure a temporary RAMdisk, for the download and upgrade ." which is exactly what MT does... No, that is not correct. In the 16MB models, a RAMdisk is ALWAYS configured, not only for the upda...

pe1chl

Wait until they are up for a day or two... The problem has been discussed in release topics. But could You do a quick heads up here? Just a little list of small bullet points, Mikrotik style? :D I have already done that in almost every release topic after 7.16 so no need to repeat it. My support ti...

pe1chl

7.15.x was the last version where BGP worked OK Is there a thread where I could read up on what is wrong with BGP? I just upgraded our 2216s to 7.18.2 and they seem to be running fine with full table Internet peering. Wait until they are up for a day or two... The problem has been discussed in rele...

pe1chl

They do kind of, on 16MB (and some other) devices upgrade packages are downloaded to RAM not disk...

Please read the posting again. What works for 16MB devices should work for all, but it does not.

pe1chl

Yes, that is for sure a bug in the BIOS!
It should not have taken the filename up to the 00 byte, but instead it should use the length field 10 which means the filename is 16 characters long... so the FF is not part of the filename.

pe1chl

7.15.x was the last version where BGP worked OK

pe1chl

I believe that anything small enough that precludes me to use partitions, is too little. Really. I agree with that. And also I think that the way upgrades are downloaded and installed should be made the same on all hardware, or at least allowed to be configured the same. When you have a 16MB device...

pe1chl

Yes, that is a problem that started some time before the "PHPbb Prosilver has problem" described in this topic, and that just continues after the above problem has been solved. As "msatter" already wrote, just refresh a couple of times and it works. It has the behavior of a broke...

pe1chl

In my case I added a new VLAN, assigned it a new /24 address (not overlapping), and used the setup wizard selecting the new VLAN. It recognized the new address, proposed a new range in that new /24, which I accepted (Next) but in the final step it complained about the pool name already being in use....

pe1chl

The problem is that in DHCP the fields have a length, so a filename is in the DHCP packet e.g. as 03 41 42 43 to indicate the filename ABC with length 3. This is not understood by some programmers who assume that such a filename would be stored as 41 42 43 00 with 00 being the terminator byte for a ...

pe1chl

ROSE is already a separate package, so nothing to worry about.
What we need is removal of other functions from the base package so it again fits in a 16MB flash device. That is totally unrelated to ROSE.

pe1chl

When doing a demo for my co-workers today, I noticed that you can use the "DHCP setup" wizard only once. It creates the same name for the IP pool every time, so the second time you use it, it errors out with "pool already exists". (I tried using it to create a new DHCP instance f...

pe1chl

@MT any chance on fixing BGP sessions refresh on winbox3 just like how ros v6 behave?

+1
It is really a shame that this still has not been fixed.
At first the claim was "we need a new version winbox for that" but new versions have appeared, even the v4 beta does not fix it.

pe1chl

Feature request: allow the user to add custom buttons to the toolbar (stored in the workspace file) that run a specified RouterOS command when clicked. Minimal implementation would be to specify a custom button with only a "text", which would then do a /system/script/run "text". ...

pe1chl

I don't particularly like safe-mode, at the very least I would want Winbox/Terminal to blatantly indicate that it is active, across ALL connected sessions regardless of where it was turned on Even better I would prefer if MikroTik implemented a variant that took a backup of the current state, const...

pe1chl

In Linux, the functionality of "terminal emulator" and "ssh connection" are completely separate. You start a terminal emulator like xfce4-terminal or Konsole or xterm or whatever you like, usually with a shell running in it, and from there you start a connection using ssh or teln...

pe1chl

Maybe their SSH server is not fully compatible with Windows SSH clients. This is not an SSH level problem! SSH is only responsible for secure transport of the terminal bytestream, a successor to TELNET. (in the old days we used serial RS232 lines for the same purpose) What matters is the "term...

pe1chl

The tab character is often preferred by those who want the flexibility to adjust indentation to their personal preference. Any other TAB width than 8 is seriously broken! It usually isn't workable to change indentation by changing TAB width anyway, e.g. due to comments in the right margin. Today, o...

pe1chl

Get some serious terminal emulator (not putty or winbox terminal). Then you won't see/have any issues.

Ok, that hints that the bug is actually not in RouterOS but in the terminal emulator part of WinBox 4.
So those that claimed "not a WinBox bug, go away!" were probably wrong.

pe1chl

Well, of course there are two components involved in the editing: - the RouterOS /system/script/edit - the WinBOX terminal emulator When the two are not operating well together, it is a bug that should be solved. It is not yet clear in which of the two the bug is. Maybe someone who considers it impo...

pe1chl

It is part of the EU Open Internet regulation: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2015.310.01.0001.01.ENG&toc=OJ:L:2015:310:TOC (5) When accessing the internet, end-users should be free to choose between various types of terminal equipment as defined in Commission ...

pe1chl

But has Orange or the consumer authority already been contacted about this?
Because what they are doing is ILLEGAL and it should result in a reprimand and fine according to EU rules.

pe1chl

It has been fixed! This morning I got the complete set of icons and I could again locate the "user control panel" to switch back to Prosilver, and it also works again.

pe1chl

Maybe we are the betatesters for the next MikroTik product, a server load balancer? (after the storage server) The initial problem (sometimes forum not available) looked a bit like the connections are sent to different servers, but some of them are up and others are administratively down. Now at the...

pe1chl

Well, it is the budget model for home and (very) small office.
When you have other needs there are other models, even the CSS326 is only $20 more.

pe1chl

It is a more or less obscure feature, but when you have a use-case and your client supports it, it is very useful. Like so many features, probably a user has suggested it, and it was either quite trivial to implement it or the user had a good sales case. That does not mean it is useful to YOU. (or m...

pe1chl

Considering how old Mikrotik is, why dont they have a usenet server? With usenet, you do not need a server. You need a newsgroup or set of newsgroups. Others provide the servers. It would have been easy to create a number of alt.mikrotik.subgroup groups similar to what we have on the forum. With mo...

pe1chl

It seems that the forum is under some form of attack... The past few days I regularly got the message that the forum is currently offline, try again in a couple of minutes. As a Prosilver user I tried going to the profile page and selecting the other theme (forgot the name) and it shows a usable lay...

pe1chl

I've been checking on the windows 11 client and it doesn't seem to support this option. is there any information on how to reconfigure my devices to support this option? or is there a possible workaround, such as sending a message even if the client does not support the option? Why would you want t...

pe1chl

I tried again today on Windows 11 and now I found (and remembered) what was the problem: When you configure IKEv2 with username/password in Windows VPN the identity of the connecting router is not set to the username, but to the address of the system. Thus it is not possible to match the identity wh...

pe1chl

There is a 512Mbit Flash chip from ST on the upper side of the 1100AH board, and RouterBOOT says its 64MB. I went as far back as ROS 6.20 with RouterBOOT 3.18 -- always shows 64MB. Looks like some models shipped with 64MB. No worries - it served long. Greetings - azg As written above, it could be f...

pe1chl

Netinstall will for sure allow you to install the current (beta)version, but the question is whether you can upgrade after that... I had the same issue on a CCR1009 with 2 partitions (64MB each), it cannot upgrade anymore in that configuration. One would wish that it is possible to upgrade via a RAM...

pe1chl

When you have gone through so many updates, it is better to do a netinstall of 7.18.2.
Do a "/export show-sensitive file=myconfig" first and download the file, you can later import it to restore the config.
(although there usually are some unexpected hickups doing that)

pe1chl

do you have a list of domains or ip used for renewal? it doesn't seem very professional to expose the port to everyone unless there is a service exposed on it. There is no published list of IP addresses used for renewal. There is some document that says they don't publish it to reduce the risk of m...

pe1chl

I have upgraded a PPC 1100AHx2 router to 7.18.2 from 7.13 and the login page is messed up. Any ideas?

Look on page 1 of this topic!

pe1chl

Read the above.
Posting here is useless, submit a support ticket or mail to sales@mikrotik.com

pe1chl

Well, as you know this problem goes through a cycle. It has happened before that people could no longer upgrade certain devices, and they spent development effort to solve that for that moment. But of course the problem comes back, we all predicted that. Because the effort that was made yielded some...

pe1chl

hAP ac2 without wireless or wifi-qcom-ac is not a reasonably expected use of that device.
Normally you would buy a hEX for that use-case.

pe1chl

Well, there may be an issue with 7.18.2 after all... I netinstalled a wAP ac (old MIPBE version), I could connect it via MAC-TELNET, setup a password for admin (8 ASCII alphanumeric characters), could still login, then I added the wireless package (netinstall was only base package) and did a reset-c...

pe1chl

That means you are quite close to problems. Others may already run into problems, e.g. when they have a longer upgrade history, more complicated configuration, history of changes in configuration, etc.

pe1chl

Yes, I think that "applications" should all be split off in separate packages. Because there are no inter-dependency issues and often not everyone wants them. And they are now easy to install. That would include such things as: - CAPsMAN - Hotspot - Web Proxy - SMB server / Media server - ...

pe1chl

The wAP and cAP lines suffer from the same problem of having little permanent storage space, and they don't have a USB port. Why does the main RouterOS package need to load all the USB device drivers on these devices? Wouldn't it be possible to reduce the size of routeros.npk by about 2MiB if there...

pe1chl

AC2 only has 128Mb RAM ??
It's AX2 we're talking about.

Correct, I edited it. I meant ax2.

pe1chl

In any system that involves things like scripting languages, web interfaces, etc I at least avoid these characters all the time:
@ % " $ & # + < > (space)
That never hurts even when it is not really necessary.

pe1chl

I have once again log full or red "cache full, not storing" DNS Adlist related messages. My cache size is raised to 8192 KiB and Adlist size was something over the 2000 KiB. I definitely removed the functionality from the router. Ok but why do you use such a tiny amount of storage for the...

pe1chl

2025-03-04T01:01:17+01:00 MikroTik HeadOffice possible SYN flooding on tcp port 53 2025-03-04T06:06:52+01:00 MikroTik Branch3 possible SYN flooding on tcp port 53 2025-03-04T08:24:20+01:00 MikroTik Branch4 possible SYN flooding on tcp port 53 2025-03-04T08:52:10+01:00 MikroTik Branch2 possible SYN ...

pe1chl

One thing is for sure, posting on the forum will do zero for your request! You can try making a ticket in the support system, that will at least make it end up on the desk of someone considering it. Of course that does not mean it will be implemented, but at least there is a chance. Even better is t...

pe1chl

Windows Update uses http as well... (it uses https to determine what updates to download, and then downloads the actual updates over http)

pe1chl

Yes, when you have a hAP ac2 it is better to do a netinstall and also to give up on wifi-qcom-ac.
That simply will not last. Go back to "wireless" and when you want new drivers buy a hAP ax2 or ax3.

pe1chl

Why not? If https is used, then client can verify authenticity of server it's talking to. Yes, npk files do have some verification built in (I believe that packages are digitally signed by MT so it's not trivial to alter the contents). But two layers of security are better than one. And we definite...

pe1chl

*) queue - fixed system failure when CAKE kind queue was configured but queue type definition does not exist anymore (introduced in v7.18); Was the instability of CAKE that you previously mentioned really limited to having an interface with a CAKE queue and then deleting the queue type? In the ment...

pe1chl

When was that introduced?

pe1chl

Using console code as an example for how it would work in scripts is not good, especially not after you first used "print"!

pe1chl

*) queue - fixed system failure when CAKE kind queue was configured but queue type definition does not exist anymore (introduced in v7.18); Was the instability of CAKE that you previously mentioned really limited to having an interface with a CAKE queue and then deleting the queue type? In the ment...

pe1chl

Ok, a difference between your config and the one I use is that I do not use connection marks but I base the route mark on the source address of the packet (for output) and on a "PCC on src address" rule for the forwarded/NATted traffic (for loadbalancing). That selects the particular route...

pe1chl

Besides that, RouterOS already offers a "configure session" in terminal mode! Most people do not know it... When you enter a { in terminal mode, you enter a "block" (as in scripting) and you can enter commands, and when you enter } the block is closed and the commands are execute...

pe1chl

Back in those days we lived with having a dark screen with light characters on it. But when I first got a computer (in 1985) that used dark characters on a white background, and a windowing system that did the same thing, I really liked it and I never wanted to go back. Whenever I see a "dark m...

pe1chl

Thanks for the advice, It seems based on this that it would be recommended to netinstall when moving from v6 to v7.

Yes, that certainly is the case. Netinstall and import an export made just before (not a restore of a backup).
That will free up space, and prevent unexplainable problems as well.

pe1chl

When you are facing packet loss in a config like this, try disabling fasttrack.
You can start a "torch" on the internet interface, that will temporarily disable fasttrack.
When it then starts working, fasttrack is your problem.

pe1chl

Yes, there really should be multicast enhancement in the WiFi driver (multicast to unicast), but as he wrote it also happens with the Asus as an AP (and it undoubtedly has that) and is triggered by having the MikroTik router, it may be that the IGMP querier being buggy is the main cause. Of course I...

pe1chl

Actually it is not correct to stop a multicast stream immediately when there is no response to a query. I don't know if MikroTik use a well established IGMP implementation or have doctored their own (probably the latter) but the way it should work is: when a query is sent and a response received, th...

pe1chl

Please consider to have a settable option (even if only "normal" vs "long") for the connection timeout, i.e. when a device loses connectivity for up to a minute, maintain the connection instead of closing it after a few seconds.

pe1chl

When sorting the saved connection list, it can only be sorted on a single column. With v3.41, you can first click the "Note" header ("Comment" in v4) and then "Group" and you will get the list sorted by group first, and within the group sorted by Note. But in v4 for eve...

pe1chl

When you want to reach the claimed performance of these routers, you need to have "fasttrack". When you removed that (e.g. because you cannot have it co-exist with other config) or you did not yet add it (e.g. IPv6) you will not reach 1Gbit. In general, people expect performance similar to...

pe1chl

Yes, you need to do that. Because the probe packets to check the routes are sent using the main table and your actual traffic is sent via the ISPx table. Unfortunately there is no way to auto-copy some routes between different tables, so you need to do that manually. (MikroTik will tell you to use V...

pe1chl

Also, when you are so lucky to have a device like the RB951G-2HnD (low-end router from the good old days when you still got 128MB flash) you should have partitioned it before installing a beta!

pe1chl

Everything here requires either time or money, not just keeping the flash size small. Please take a look at the changelog and see where the effort goes in recent versions. The problem is that working on new features and fixing bugs in existing features inevitably leads to code expansion and people ...

pe1chl

It's not related to loops and there is an :error command already for that.

:error can only exit with error. what would be useful is an exit that exits without error.
(especially now that every script that exits with an error triggers a log message)

pe1chl

Indeed... while that LMP 5G is exactly what I am looking for at one of our locations, and it would be used with an RB5009 as a router so no need for additional packages, I really don't like the idea of having a device with so little flash space. Not only is there a risk of routeros not fitting anymo...

pe1chl

We have discovered that CAKE type queue can crash router in v7.18 and v7.19 – we are working on a fix for that. However, it is not as simple as - add queue and router crashes. Seems that a set of events or precise timing is required for the problem to appear. And yes - when your router fits the &qu...

pe1chl

For such purposes, you should use "Safe Mode". Very much suggested, especially for new users. https://help.mikrotik.com/docs/spaces/ROS/pages/328155/Configuration+Management#ConfigurationManagement-SafeMode That would only work for mistakes that make the router unreachable (like deleting ...

pe1chl

What's new in 7.19beta4 (2025-Mar-06 14:10): *) console - added on-error to "for" and "foreach" loops; Will "break" functionality ever be added for loops? (Don't tell me about workarounds) Or a way to exit from a script midway? ("exit" command with ok/error p...

pe1chl

Ok that is great! Is there further indication that they are working on fixing the BGP problems?

pe1chl

No idea if it was changed by now, but here the link on that page is: https://cdn.mikrotik.com/web-assets/supportsec/rss.xml

pe1chl

*) rose-storage - show btrfs balance and scrub errors if any; Well, in the 7.18 topic we discussed a little about whether they would use the "btrfs balance" or the "block-level mdraid" function for the RAID setups, and now we know: it is "balance". May the force be wit...

pe1chl

Assuming this is still about the "possible SYN flooding on tcp port 53": YES. When having hundreds of clients on the local network, there can be enormous bursts of DNS requests. The CCR2004 should be able to handle that. I have configured 10000 concurrent requests and 1000 TCP connections...

pe1chl

A crucial difference between "Safe mode" and also "apply changes only in RAM and require explicit save" and a transaction-like system is that with the latter you can apply a series of configuration changes and do an APPLY at the end of it. It is possible in RouterOS cmdline mode,...

pe1chl

Well, in your case it would have been valuable when you were warned because what happened is likely not what you intended! E.g. a device was powercycled without clean shutdown ... Nope, device was cleanly rebooted due to ROS upgrade. I can't explain the few hours jump myself, usually it is, as ever...

pe1chl

You still have the same BGP problems on 7.19b2? Do you have a forum post listing them all? I also have BGP with stuck routes on 7.16.1 that drive me crazy. I have not installed 7.19b2 yet. It does not list a fix for any of my problems in the changes list. I have posted several times in release topi...

pe1chl

Ok I seemed to remember that you posted it has been a problem for a while...
But indeed there are several BGP problems and the silence from MikroTik is deafening...
However, on my routers (with 7.18 and 7.18.1) there is no CPU usage problem, only the issues I mentioned before.

pe1chl

When upgrading my fleet from 7.17.2 to 7.18.1 ... I saw time jump of a few hours after reboot due to upgrade on one of devices. So the "after boot" time jump can be rather large. However I'd say that severity of first time jump (if caused by NTP client) after reboot can be down-tuned to i...

pe1chl

The point is lacking this kind of basic sanity checks on configuration changes. Even if some bug will cause this and there's no sanity check stopping it from happening and you are up to netinstall. It is not as bad as you suggest. Yes, sometimes you can remove an object and leave something else dan...

pe1chl

Critically of this action seems for me to be way to high. Exactly Very High :) Well, actually a change of time-of-day is a very critical event, but one could argue that in a device without built-in clock it could be labeled a little less severe when the time adjustment is forward, and less than 5 m...

pe1chl

We have seen this behavior as well with winbox, but port 8291 was only exposed to management vlan and I'm the only one accessing the device during that time so this SYN flooding warning is just a fluke at least for me I don't mind that it logs a bogus message, but I worry that when it detects the c...

pe1chl

I isolated the issue to BFD. When enabled it causes high CPU usage. I experience the issue on multiple routers and I set up a new router with empty configuration with just BGP + BFD and the issue still occurs. I reported the bug on ticket #SUP-181114 What parameters do you use for BFD? I have sever...

pe1chl

either way, I'd like to be able to tune this checks. Since they are in place, why not using them directly and tune them for our needs. Assuming this is still about the "possible SYN flooding on tcp port 53": YES. When having hundreds of clients on the local network, there can be enormous ...

pe1chl

What type of package manager introduces such a significant storage overhead? OpenWRT has been using "opkg" for years without issues. However, OpenWRT also provides board-specific builds - perhaps this is the key to addressing flash storage limitations on 16MB devices. The "packages&q...

pe1chl

I think the reason this has a high probability of appearing at reboot is because while the router is being rebooted, clients in the network are still firing DNS queries at it ... Yes I think that could be part of the reason, but what I observe is that on our main office network where there is lots ...

pe1chl

It is logged exactly once after every reboot. But I think that is because there is some "one time only" flag in the code to avoid overflowing the log with messages like that. However, I was watching a wireshark capture running on a PC that has "spurious delays when visiting websites&q...

pe1chl

After boot we get this message once: possible SYN flooding on tcp port 53 (I don't know at which version that started, but it was "recently") DNS service is only allowed from the local networks, not from the internet. There are hundreds of clients on the network and "SYN flooding on t...

pe1chl

I think the newly introduced products where it can be expected that users have more than basic needs (i.e. excluding switches) are no longer released with 16MB of flash. But we can all agree it was a stupid move from the beginning. Splitting stuff into packages introduces the issue that merely havin...

pe1chl

Just netinstalled this device. 7.18.1 is now running, but flash-space is tight. version: 7.18.1 (stable) free-hdd-space: 44.0KiB total-hdd-space: 16.0MiB board-name: D53G-5HacD2HnD platform: MikroTik It looks like your use-case is finished, and you need to either remain on a lower version or remove...

pe1chl

Just as an fyi for anyone here (I did create a support ticket, SUP-181012). I have a CCR2116-12G-4S+, with two partitions, each running 7.17.2 (they failover to the other if something breaks). When attempting to update to 7.18.1, via the Webfig, the system downloads the update, reboots and after ab...

pe1chl

then change the .txt to .pem

pe1chl

will measures be taken to increase free space on 16mb devices? hardly enough space to save a backup! You are not supposed to save your backup in flash memory! That normally is useless anyway. Make your backup in the RAMdisk (i.e. in the root directory on those 16MB devices), and then download it to...

pe1chl

It can also be a limitation of the used network card. I remember that my previous PC motherboard, which had 2 network devices on-motherboard, allowed >1500 byte MTU on one port but not on the other. This was with native Linux installed on the PC. I used one port for my LAN (including VLAN tags, it w...

pe1chl

There are four FP columns and you likely want to remove them all. That is most conveniently done using the available column selector.
Note that it has been much improved both in winbox 3 and winbox 4. In the old winbox 3 releases it was a multi-click procedure to remove each column.

pe1chl

You can remove columns using the widget at the extreme right on a screen. Another request: move the FP columns from the default layout of all interface types. I can understand they were added upon creation of the FP feature and MikroTik being very proud of it, but in general they are not very useful...

pe1chl

After the update, openvpn is rebooting the rb on each external connection made.

Please read previous replies to a release thread before adding another.

pe1chl

Absolutely the same situation ! It is not normal situation when need to do netinstall after each ROS upgrade. There already was good idea to exclude rarely used features like hotspot/mpls to separate packages !!! The official MikroTik reply is that running wifi-qcom-ac on a hAP ac2 is at your own r...

pe1chl

No idea why it does not work for you. It works perfectly fine for me.
In the meantime I have changed from a Vigor modem to a ZyXEL modem, do the VLAN tagging in the MikroTik, and it still works fine.
Must be an error on your config or in the network.

pe1chl

I have all kinds of BGP issues that were introduced with 7.16, reported, but not yet fixed. In version 7.15.x it worked much better. But I cannot downgrade because I require other fixes. @pe1chl, I have an idea. How many peers do your routers have? My main issues with BGP involve a network within a...

pe1chl

But you cannot replace a disk with the same disk, that is the problem.

pe1chl

Disadvantage of kernel RAID: when a single block error occurs the entire device is removed from the array and no longer updated. So when you have two disks in RAID-1 each with a block error at a different location, you lose all your data. BTRFS balance raid1 does not have that problem, it keeps both...

pe1chl

I have all kinds of BGP issues that were introduced with 7.16, reported, but not yet fixed.
In version 7.15.x it worked much better. But I cannot downgrade because I require other fixes.

pe1chl

I wanted to check if anyone else has experienced this issue on their CCR2216 running v7.16.2. Every now and then, routing seems to stop working properly, and when I go to Routing → BGP, the display is completely blank and unresponsive. Please make a support ticket! When the support tickets about BG...

pe1chl

No it does not IMHO. Different type of developers so there should be no conflict. I wish it were so, but experience shows that it isn't. If I open a ticket about dynamic routing or MPLS issue, it takes months to react. If I am the only one about this issue then there is not so big the problem is. T...

pe1chl

Indeed it already is optional on the router, that is not the issue. What most people worry about is that it takes away development resources from router functionality, e.g. BGP. That is clearly demonstrated by the BGP problems introduced in 7.16 (and not present in 7.15) still not having been fixed ...

pe1chl

Prophecy?

Well in the Newsletter #123 topic it already begins... "we want ZFS, not BTRFS".

pe1chl

PTP is used for DECT-bases to sync them if the area is large or the sync-over-air gests disturbed, so DECT with 3-60 bases can be found in basically every company, especially with a warehouse. We had them 15 years ago. All gone. Everyone uses mobile phones, with VoWIFI when required (e.g. in the wa...

pe1chl

Using BTRFS's RAID finctionality in enterprise environment is a kamikaze solution. I'm curious what solution they use if there is any RAID function in it. I hope it is battery backed HW RAID controller... It is unclear if the RAID function uses Linux block-level RAID or the BTRFS balance profile &q...

pe1chl

Yes, that would be great! But I fear that once the Rose Data Server really hits the street, we will see lots of requests for (in itself) reasonable requests around data server functionality. (some of them in software not written by MikroTik but becoming their responsibility when used as part of such...

pe1chl

Starting from 7.18, this list has both the packages that are installed, and those that are optional to install. Can't imagine people overseeing such a thing, can you? Well, I have often commented that the changelog is inadequate and should be replaced with something that has more info, links to doc...

pe1chl

PLEASE PLEASE PLEASE study the matter before you claim that packages get installed.
Starting from 7.18, this list has both the packages that are installed, and those that are optional to install.

pe1chl

There are no buffer on logging, All logs that are generated at boot are not sent since there are no network up and running. Logs will only be tried sent once, and if that does not work, they are not sent (UDP/TCP). Yes, and it is not something that can be solved easily. E.g. in our network the bran...

pe1chl

There was a firmware change in 7.16 that of course may affect you only later when you do not update firmware every upgrade. I had a CCR1009 go into a bootloop when I changed from 2 to 1 partitions (the first one being active) with 7.18beta4 to beta6 upgrade, and when trying to netinstall it things g...

pe1chl

When you require that functionality, instead log to memory (as is default) and retrieve the logs using API from a remote system...

pe1chl

Another useful addition would be when the connect-to parameter (router name) is specified without a username and password, it would connect using the username and password stored in the address list, without requiring further click on CONNECT button.

pe1chl

Everyone #2 - Please do not turn this version release topic again unrelated to the release itself and talking about how changelogs might be better, testing might be better, etc. Please open new forum topics for such discussions and let us keep these release topics related to RouterOS not management...

pe1chl

I upgraded a CHR that is on a local network only (with free license), from version 7.18beta6. After the reboot, 123MB more disk space is used than before. After another reboot, it falls back to 105MB more used. After another reboot with internet access, it returns back to normal. I have seen this be...

pe1chl

Stable release changelog has always been a list of changes since previous stable - bugs introduced and resolved within beta/rc are not in this list. It would be nice when new bugs introduced in a stable release would be added to the changelog (as a separate section) once they become known, so it is...

pe1chl

Random source port option would be useful in the NTP Client as well...

pe1chl

Indeed I should have been more specific, it was about "Windows 10 without additional client software". Of course there is software to use IKEv2 with Windows, but when you just go to networking and choose "add a connection to my work or school" (or whatever it is called today) the...

pe1chl

I can't find any LTE interface on my dozens of CCRs. CCR owners don't lose your hope and keep your spirits up Of course not... until you plug in a LTE USB stick (when your CCR has an USB port). Unfortunately there is no line with "*) bgp - improved stability;" in sight... that is what CCR...

pe1chl

It seems that in 7.16 there have been changes in the firmware to allow devices to return to factory state when a reset-configuration is done (either using command or the button) and it apparently sometimes gets invoked incorrectly, blocking a netinstall.

pe1chl

It has been discussed many times before. The trade-off is always between following the kernel releases and applying your in-house patches to ever changing kernel versions (having to adapt them all the time) or keeping the same kernel version+in-house patches and then following the kernel development...

pe1chl

It isn't an issue for statically defined peers. But those require fixed IP addresses. In this case I want to setup a service without having to worry about the IP addresses of the clients. Those regularly change, and it causes a maintenance nightmare. Also, most IPsec implementations do not backoff w...

pe1chl

In fact you can already set a lower MTU for IPv6 by configuring it in IPv6->ND. Your end devices which receive IPv6 addresses via SLAAC will pick up the reduced MTU and will use it for their transmitted packets. I have never encountered MTU=1488 on PPPoE over VLAN. Normally the 4 bytes of a VLAN hea...

pe1chl

Well, I crafted this solution as a replacement for an older implementation that was in a plain Debian Linux VM.
The goal was to use RouterOS to get an installation that would be easier to maintain.
Unfortunately until now that isn't the case, but maybe when I have everything finished it is...

pe1chl

I'm not against storage features or container support, only I think it should be a side project that gets done when the main features like routing and wireless are working OK.

pe1chl

Most likely the RB952Ui-5ac2nD died due to lack of storage during the upgrade. But netinstall should work. I had to netinstall a CCR1009 and ran into an issue because apparently the bootloader had been set to "flash-boot" and would not netinstall. I think it is due to a change in 7.16 firm...

Search found 12943 matches