MikroTik

anthonws

Here is what it worked for me: /ip firewall nat add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark="Hairpin NAT" log-prefix="Hairpin NAT Masquerade" add action=masquerade chain=srcnat comment="Default NAT Masquerade" out-interface=ether1....

anthonws

Sure, I'll explain a bit better. But I am now scared since you said "overwhelmed" :S 1. Device B (HAP AC3 AX), IP 192.168.25.3, is connected via RJ45 to Device A (RB4011 WiFi), IP 192.168.25.2. 2. Device B sits outside of the apartment (private storage room in the building) and is responsi...

anthonws

Thanks for the info. But, is my config incorrect then? Would this be a possible cause for the issues I described?

anthonws

Here's an "/export hide-sensitive" output. This is a simple config, since this is a "child" bridged AP device, that sits in my storage room. It has a VLAN for a specific port, for my Hyper-V server malware/trash lab VMs (it basically creates a direct isolated path towards my ISP)...

anthonws

@normis, I can access devices that are connected via LAN and WiFi (5Ghz), but cannot access the router itself (no PING, Winbox, SSH, HTTP).
2.4Ghz devices (Shelly mainly) are also not accessible.

@erlinden, will do.

Thanks

anthonws

IIRC, ever since I started using 7.13 beta (now with 7.14b4) I have started experiencing this weird behavior with my hap ac3 AX. After a couple of days (2 or 3) it stops responding to PING, I cannot access it via Winbox (discovery also doesn't pick it up) or HTTP, and 2.4Ghz WiFi stops being availab...

anthonws

= Scenario = 1. RB4011iGS+5HacQ2HnD as main router (connect via ethernet to ISP ONT) 2. RBD53iG-5HacD2HnD as a bridge AP (located in my building basement), connected to RB4011 via ethernet 3. Ethernet cable goes partially through a public area (building garage) 4. Main subnet 192.168.25.0/24 5. 1 VL...

anthonws

@Larsa, I don't think it is. I am using ZT in Mikrotik and haven't noticed a difference in performance, but that might be also the fact that it is single threaded... @Moba, agreed... It is unfortunate that we cannot squeeze a bit more of performance from RB4011 in this scenario. How I wished there w...

anthonws

See answers here: https://discuss.zerotier.com/t/mikrotik ... -sec/11610.

I've tried asking some related questions in this forum and never got any answer back... Folks at ZT forum are quite nice and understanding

anthonws

Hey all, Couple of questions: 1. What is the expected recurrence for package updates (if any)? I see that there is a big gap between ZT official version vs Mikrotik one. 2. Has anyone conducted perf tests between RB4011, for example? I have a RB4011 with ZT and a NUC (N4020) and I cannot get more th...

anthonws

Thank you :) All is good! Added a prerouting rule to mark route and then added a manual route for that mark, with the new gateway. Had to tweak the fasttrack rule to ignore the new mark and get "full speed" (around 70 MBits). Now on to ZeroTier and how to increase its speed (most probably ...

anthonws

Mangle

Thanks for the feedback!

So, a prerouting rule, where source address A, with destination 0.0.0.0/0 and action route to ZT gateway?

anthonws

Hello, I would like to have your insights on what would be the best way to route a specific client (LAN), that I have connected on a given port of the router, to use a different gateway from the rest of the subnet. Objective is to force only a specific device to exit via ZeroTier, instead of the dir...

anthonws

@bpwl Thanks for the reply, but unfortunately the problem is that there is no registration of that antenna in the area of cell coverage... I at least can't find any 5614 antenna in a wide range around that area. And this has been one of the aspects I have been struggling while looking into Intel off...

anthonws

Hi, Context: During summer vacations, and other times of the year, I visit a remote village where there is no cell phone reception. Nearest area with cellphone service in LOS, is around 6km to 7km from where the LHGGR LTE6 antenna is. I'm not a networking professional, and the only thing I have done...

anthonws

I think it is. Offering clarity for people, to ensure they do a proper knowledgeable decision, instead of instantly regretting it after finding out things are still not as expected. Which, looking at a previous post, it clearly shows how it is not clear for the majority. This is a SOHO device, often...

anthonws

This just shows the state of confusion of what is supported vs not and what works vs it doesn't :) Fast roaming between APs is still not supported. Only within the same AP, between interfaces. And beta firmware's should not be used to state that something is supported. Until something gets GA, it is...

anthonws

Now the questions are: 1. Will it support beam forming? 2. Will it support fast roaming between different APs? 3. We can all say "Yes" to #1 and #2, but the follow-up question would be: When? 4. And what about CAPsMAN support? I am happy for MT to finally showing signs of catching up the t...

anthonws

Personally, my biggest gripe is subpar roaming capabilities... Mobility is an important use case for me, as is bandwidth. Lack of fast roaming support is getting into my skin. Spending 1000 euros in 3 to 4 WiFi 6E AP's doesn't feel like too farfetched for me. Technology is an enabler for me. It allo...

anthonws

You can find a bit of perf info here: https://www.reddit.com/r/mikrotik/comments/uy3nhg/poor_wifi_performance_on_cap_ac/ And from the looks of it, folks won't need to use custom builds anymore. Specific pull requests have been reviewed and will be merged into master branch. https://github.com/openwr...

anthonws

Mikrotik is the new Nintendo :D Masters in "Even More Stability" changelog!!!

Thanks Znevna for the detailed container fixes/changes list! Awesome work!

anthonws

The same question again, do you think that we should stop working on BFD or fixing crashes to make pretty BGP logs? Fixing bad code vs implementing needed (basic) features is not a sane tradeoff to ask customers. And to be honest, your tone was not the most polite with that "ridiculous" c...

anthonws

I'm a regular home SOHO user, but looking at the quality of builds they are pushing out, even under 7.1 stable (yeah, call it "upgrade" branch...), with bootloops, BGP, VLAN, etc., issues, I am just mind boggled how it can happen. Clearly like you state, it must be very poor management dec...

anthonws

After adding 33th address, cpu load and memory leak starts, when memory runs out, the router crashes

https://youtu.be/Yi5_QShkT0Y

Good catch!! I reverted to 7.1.1 because of the CPU impact (RB4011), and Profiler did not exactly helped understanding where the impact was...

anthonws

Does the ether1 connect to a LAN device (not WAN) ? If you switch to another ethernet port , do you still have this port flapping ? If yes, it could be the issue of the device. for example: the apple TV 4K has this issue (if it is wire connection). It is a well known issue of Apple TV. Ether1 conne...

anthonws

@erlinden
Thanks for the feedback.
@pe1chl
No issues when was using RC5... I've restarted both the router and the ONT. Let us see, but I suspect this is going to continue to happen after a while.

I'll share more info today/tomorrow.

anthonws

Severe port flapping with RB4011iGS+5HacQ2HnD + rc6.

Submitted supout: https://help.mikrotik.com/servicedesk/s ... /SUP-65942

Disabling auto negotiation does not fix this. Disabling port and re-enabling it fixes it (temporarily).

anthonws

SUP-61109 - Still cannot update RB2011 past 7.1 beta 6... This is probably not an issue with 7.1rc4, but rather with 7.1beta6. I was unable to upgrade my RB4011 above 7.1beta6 until I did a reset to no-defaults and uploaded the 7.1rc npk file to the device using MAC Winbox. A bug in 7.1beta6 caused...

anthonws

SUP-61109 - Still cannot update RB2011 past 7.1 beta 6...

Thanks,
anthonws.

anthonws

Date and timestamp issue with netflow has been fixed! Finally! I stopped bothering and did not check. I will do it now :) Update: I can confirm it is indeed fixed! I've spent so many hours tshooting this, thinking the issue was with my Kibana or logstash that I can no longer count them... Eventuall...

anthonws

An example of how to use container package to run PiHole in RouterOS can be found here Wow! Very interesting! One less device eating power and occupying rack space (RPi4). Any thoughts about adding info on preferred HW for a given container? What kind of guardrails exist to ensure RouterOS works as...

anthonws

RB2011 still locked in 7.1beta6 (no upgrade path) :( In such situations you should do a /export of the full configuration and maybe also a backup, install the newer version, and restore the configuration from a local winbox connected to the MAC address. (so you can wipe it entirely before importing...

anthonws

RB2011 still locked in 7.1beta6 (no upgrade path)

anthonws

Will there be a way to have CAKE without a bandwidth limit? I'd like to see a version where it detects packet loss and automatically enables queueing. Isn't this what autorate-ingress is all about? I'm waiting to have CAKE stable to test this on my LHGGR LTE6, mainly for bufferbloat management and ...

anthonws

Where are you targeting the CAKE queue? At the LTE connection? Has it been stable? I wanted to try our CAKE + Autorate Ingress (given my LTE connection bandwidth is quite random). No, it's on my pppoe Internet connection. I didn't think there was a point in using CAKE on LTE since I don't know the ...

anthonws

So far all is working fine on my CRS317, RB4011 and LtAP-Mini (+R11e-LTE6). Noteworthy features in use are IPv6 to Internet, IPv6 over Wireguard (multiple tunnels), CAKE using queue tree. Lets see how stable it is ... Where are you targeting the CAKE queue? At the LTE connection? Has it been stable...

anthonws

Updated LHGGR from 6.49 latest beta to 7.1RC1. Update went smooth. I'm still testing, but it seems that the radio is now finding much less antennas than it did and also it looks like throughput has decreased a bit (TBD with more tests). And Winbox is always saying a modem firmware update is availabl...

anthonws

Upgraded my test RB750GR3 Netflow now reports an incorrect date of 1970-01-01 Netflow v9 with NFSEN target I reported this also for beta 6 (SUP-51582). Support told me they could not repro... I provided all of the needed info (several traces and debug logs from netflow from a Linux box...). I gave ...

anthonws

Is this working on LHGGR now? Hoping LTE is now fixed

anthonws

I've posted about a somewhat related issue https://forum.mikrotik.com/viewtopic.php?f=2&t=177480&p=872068#p872068. I get carrier aggregation (Primary: B1, CA: B20, optimally) just fine. But every once in a while it swaps them around for 5 minutes or so which absolutely tanks performance. If...

anthonws

+1 Also not working for me. And when locking B3 I expected that CA would be B1, but nothing... Also cell locking breaks a couple of hours later... I know there is a v28 modem firmware, but it's beta and I don't want to cross that path. Personally I am not happy with the stability and the capabilitie...

anthonws

Had to return to OpenWrt, can't withstand unreliable WiFi from ROS and is too much time consuming to fine tune it. OpenWrt WiFi just works fast and reliable out of the box without having to tinker with it. offtopic: I had Linksys WRT1200 and WRT3200 running for several years with OpenWrt. Wifi suck...

anthonws

I also had my date "reset" after the upgrade. But because the LTE interface wouldn't work (no other WAN for me) I don't know if this was interim issue or general one with NTP or whatever...anyhow I downgraded due to the LTE problem. Thanks for sharing! Reported bug (SUP-51582). Cheers, an...

anthonws

Is there any known issue with Traffic Flow in beta6? It looks like I can't get any netflow info into logstash (and I have checked everything in terms of config, FW, etc.) If no one has an idea, I will open a support case to check if it really is an issue in MT or not. Cheers, anthonws. Replying to ...

anthonws

Is there any known issue with Traffic Flow in beta6? It looks like I can't get any netflow info into logstash (and I have checked everything in terms of config, FW, etc.)

If no one has an idea, I will open a support case to check if it really is an issue in MT or not.

Cheers,
anthonws.

anthonws

Reverted to beta 27 as both 36 and 38 were completely broken (router simply hanged randomly [most definitely kernel panic]). I would classify them more as Alpha than Beta.

anthonws

Anyone care to send autosupout.rif file from the crashes experienced with these versions?

RB4011iGS+5HacQ2HnD + 6.49 beta 38.

I had 2 locks (no wifi or ethernet). Have to unplug from power. Is there a way that I can collect any data to send to support?

Thanks,
anthonws.

anthonws

RB4011iGS+5HacQ2HnD + 6.48beta40

When enabling IPFIX router enters reboot loop.

Shall I open a support case to share suppout?

Thanks,
anthonws.

anthonws

I just setup Wireguard on my hAP AC² (...) I can also confirm that 2,4 GHZ Wifi is broken and client's don't get dhcp on that one, 5 GHZ seems to work fine. For me it works... until it stops working. Then I do /interface/wireless { disable wlan1; enable wlan1} ant it works again... until it stops w...

anthonws

Upgrading 2011UiAS-2HnD from beta 12 to beta 27 puts router in bootloop (stuck). Last message is "Starting services" and then router reboots.

Downgraded to beta 12 and restored configuration.

anthonws

Does the flapping occur if you disable the wireless? I once had a routerboard that had frequent flaps, but it was the antenna that was placed to close to the board. Interesting. No I did not tested this. I'll do a quick test later on. What I notice is that it gets quite sensitive when removing/plac...

anthonws

Hey, Just acquired a RB4011iGS+5HacQ2HnD-IN from Amazon and since the very first instance that I've noticed several instabilities in the router. I've migrated from a RB2011UiAS-2HnD-IN which was/is rock solid working for the past years. Tested both importing config from previous router and also star...

anthonws

Hi! I've just setup elastiflow and started forwarding traffic flow (all interfaces) to that service. I have a GeoIP block rule (FW Input) that rejects incoming packets outside of my country CIDR (working just fine). I can successfully see the rule working when looking at logs. Looking at the elastif...

anthonws

Solved. Added an Input FW rule to block everything !MYCOUNTRY, with a reject icmp network unreachable. Then used the following script to populate "MYCOUNTRY" list. /log info "Loading MYCOUNTRY ipv4 address list" /ip firewall address-list remove [/ip firewall address-list find lis...

anthonws

What would be the best approach to only allow incoming traffic from a specific CIDR (my country), vs blocking everyone else?

I assume it would be more effective in terms of filtering.

Any hints? Or anyone willing to share something similar that they have achieved?

Thanks,
anthonws.

anthonws

I'm now constantly getting "DoH connection error: Idle timeout - connecting"...

It was working just a while ago...

anthonws

DoH?!?!?! AMAZING! Thank you so much for listening to your community!

anthonws

I'm actually more interested in understanding the actually benefits from a server perspective (Mikrotik Router), like the benefits on a ar9344 CPU (which doesn't look like it has AES-NI alike instructions). That is, *if* we ever get WireGuard in ROS.... LOLO I'm honestly more geared towards changing...

anthonws

Is there any guide/manual/info that anyone can point me on how to implement Netflow to an external service, with proper traffic encryption?

Thanks,
anthonws.

Edit: Maybe the best option would be a site-to-site VPN (IPsec)...

anthonws

Anyway of getting the Cloudfare client for MIPSBE? According to this post, someone else has done it. https://forum.mikrotik.com/viewtopic.php?t=132678&sid=a141ddac1d5e61856e505f0920de1c9d#p693725 Really hoping to find a proper solution to run DoH without having to have another equipment (piHole)...

anthonws

BGP doesn't exist in v7. Don't install beta without knowing the limitations, please. Hi Normis! Where can I see the current limitations? Are these the limitations? "What is not available: - BGP / MPLS disabled - Extra packages - Winbox does not show all features, use CLI for most functionality...

anthonws

Mikrotik is a business, so we have to treat this feature request as such. Not on ideological (privacy of user) or technical (DoT vs DoH) grounds. That said, the question Mikrotik is asking themselves is obvious. Is this feature "worth it"? Our approach should be to not only say "yes&...

anthonws

When? please an update - we are in so much pain with the existing 1072's and really don't want to replace them all if we don't need to! Or at least open up a version of CHR for ISO install with Intel drivers... when it's 1072 with ROS 7 becomes useless. why do we need beta for some devices in the e...

anthonws

p.s. Now, before everyone get's super hyped and expects a release next month...Personally, and by experience in the software engineering industry, I don't expect any betas before EOCY 2019 or Q1 2020. I was at a MUM recently and they said we could expect "stable" RouterOS 7 release before...

anthonws

I just want to let everyone know, that v7 is progressing pretty good this year, and most core functionality is usable. Some more difficult parts need to be done and we can release a public beta. Thanks for the feedback @normis! It sure adds a bit more of clarity, although there's no rough timelines...

anthonws

Windows Phone was not vaporware, it was real ... shit. And that's why it disappeared real soon ... Well, it really showed that Microsoft thrives only on existing installed base. In a "new market", it really stands no chance against the competition. However, what I meant is that the platfo...

anthonws

It's getting closer every day!

What an awesome slogan for Mikrotik!

"Trust in Mikrotik! What you're waiting for is getting closer every day!" TM

Microsoft tried patenting that for Windows Phone/Mobile, but Mikrotik got there first

anthonws

I'm going to stick around for more 9 years at least. 11 years is not enough time to age properly a piece of software.

To me, software has to be distilled for a minimum of 20 years!

No one better than Mikrotik knows how to do this properly!!

/S

anthonws

Wireguard was tested by INRIA Source: https://www.security.nl/posting/608796/Onderzoekers+testen+cryptografische+werking+WireGuard-vpn Abstract : WireGuard is a free and open source Virtual Private Network (VPN) that aims to replace IPsec and OpenVPN. It is based on a new cryptographic protocol der...

anthonws

I'm waiting for 8 months when the bug 2018101022007579 will be fixed. I started refusing from CCR wherever such an opportunity arises And the funny thing is that in half a year, the support responded only once “Sorry, we will reconsider the priorities” Your top router dies completely from two packa...

anthonws

A lot of days without New firmware... Is It a Ros 7 signal?

No. It's just a signal of no signal. Typical around these corners...

anthonws

This is getting to a point of being just plain pathetic... Just forget about UDP and/or LZO... Just make a decision, and if possible, fast! #1 Adopt OVPN from source (not this crippled implementation) #2 Adopt WireGuard (it's more than a "standard" now) Oh, and provide timelines for this p...

anthonws

They probably have other methods, feedback from distributors, people contacting support, MUM participants, ... so they probably know well what customers want. Being more open about their plans, and generally making customers feel closer to developement and heard, that's surely something they could ...

anthonws

DoH is no longer a "waste of time" and it's now massively used by the industry (there's even Android Apps to turn on that nowadays with CloudFare for example). So, questions: 1. Is there an intention from Mikrotik to implement this? 2. Is there a sharable roadmap for the feature to be impl...

anthonws

@anthonws: MikroTik already has that... kind of. Description of this forum is "BETA Testing and Feature Suggestions for the next RouterOS release (ROS v7)", so you're welcome to post your ideas and people do so. Others comment on it to show their interest. Only the actual voting is missin...

anthonws

Community driven features and minimal public roadmap is not something Mikrotik knows how to handle properly. Since I recognize that roadmap/feature plans are difficult for the majority to "read" properly (i.e. understand that they might be (de)prioritized), at least the community driven fe...

anthonws

https://forum.mikrotik.com/viewtopic.php?p=725088#p725088 — isn't that about authenticity? :) dude, honestly i'm not here for the lulz. we work with business customers and we expect clear statements from MT so that we can plan our next hardware purchases. I think the plan is very clear if you're de...

anthonws

@normis Any timeline you can announce for v7 I know there was meant to be an announcement at the recent MUM but unfortunately there was not. I'm in the same boat as many others with bgp performance issues and really need a timeline that I can give to the CEO before I have to start looking at other ...

anthonws

Context: Long time (home) user, lurking in the forums, enjoying reading change logs and all the advancement that Mikrotik is doing. Perspective on the topic: I can see that Mikrotik could definitely improve their marketing and messaging around the roadmap of their products and the future investments...

anthonws

Instead of wordless pluses, how about a discussion on TLS vs HTTPS. TLS gives you a specific port and capability to filter and NAT etc. HTTPS gives you more security, but also the inability to catch this traffic as an administrator. More aspects? Both would be the ideal scenario :) Naturally that I...

anthonws

Hi! I've configured a Strongswan server in my VPS, using this guide: https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html. Could anyone help me with configuring my Mikrotik router to connect as a client? I've already imported the user, CA Pub and VPN Pub certs into the router. Really appr...

anthonws

Is it possible to setup a SSTP VPN (not site to site) using a wildcard certificate (i.e. *.domain.com)? And has anyone used certificates from DigiCert to establish a SSTP VPN in RouterOS? If yes, can anyone please provide some pointers for a n00b? :P Much appreciated and sorry for the thread hijack!...

Search found 82 matches