MikroTik

dnordenberg

Hi! I tried to setup a src+dst NAT for a UDP communication but it seems like routeros might not track this session correctly and therefor no answer is sent back to the original host. The first UDP packet goes like this: 192.168.1.2:29999->Router 192.168.1.1:29999 then src+dst NAT is applied. Router ...

dnordenberg

Ah, maybe I should have mentioned, the upstream switch is not an mikrotik at all :( But I get the point that this is what is supposed to happen when a switch tries to populate it's bridge host table. I thought this what done by just passively listening. So a switch is basically a hub then until it l...

dnordenberg

Hi! Noticed something strange today when I connected a RB450Gx4 (7.11.2) to another switch on a port where a device with a specific IP had previously been connected. Out of curiosity I ran a packet sniffer and saw another device send packets to this IP (which is no longer connected since I connected...

dnordenberg

Not sure this is about disk space at all since a RB450Gx2 has 512 megabyte and I had 82% free when I encountered this. I think there is a bug here somewhere which erroneously determinate the needed space or something...

dnordenberg

Hello! Lots of devices I have upgraded from like 6.48 to 7.12 complains in the log that there is not enough disk space to perform upgrade so it was aborted. 7.11.2 as an intermediate step and then flashing 7.12 has always worked for me. It is like if the 6.4x firmware can't handle the 7.12 file form...

dnordenberg

Hi I have a multiple ISP config with two default routes with different distances which is changed with a netwatch script. This works fine for letting the router control the route/ISP used. Now our secondary ISP want to monitor the other way too and ping the router on it's WAN2 IP to confirm the avai...

dnordenberg

I did some testing converting the config to bridge VLANs but this device can't handle that in hardware either so problem with dropped packets persisted. I know, docs say use switch config but just wanted to know if I could stil do it using bridge VLAN handling instead of bridging VLAN interfaces. I ...

dnordenberg

I activated VLAN filtering and ingress filtering too just to be sure for the bridge on the hEX S that I want untagged traffic too. That seems to work, now I don't see those IPs anymore on the untagged/physical interface. When I do that on the CRS106, the untagged bridge SFP ports loses their H statu...

dnordenberg

Yes I know (you can activate tagged mgmt too without going into advanced network setup and manually create bridges for that :) Aha, lucky I don't use VRRP then :) Their software development is not the best, see how they handled their DFS issues with later firmware (where they introduced a hupersensi...

dnordenberg

For example this: ho.png I don't think I should find this IP subnet directly on sfp1 since it should only be sent tagged on 601... And I can't explain everything fully with this yet. I did see ICMP pings from two hosts going out the correct interface towards the managed switch but it only replied to...

dnordenberg

Hi! I can sure try to "clean" the configs and post here but I thought I just try to get som hints first what I should look closer at :) Using UBNT gigabeams and airmax 5AC for bridges, maybe not my favorites but UBNT was selected by our IT department long before I got involved hehe. I had ...

dnordenberg

Hi! What can cause traffic in an L2 network to stop working after a number of bridge hops? I have a network that looks like this: device <-ethernet-> hEX S- <-fiber/VLAN-> CRS106 <-wireless bridge1/VLAN-> RB960PGS <-wireless bridge2/VLAN-> managed switch <-ethernet-> router/gw to WAN All devices can...

dnordenberg

It was one of my thought too to make the topic more "living". Maybe some people don't post about it at all because it feels like it is the "wrong" forum :( I also do understand that it's not good to have too many topics to chose from either in a traditional forum, it is a pita to...

dnordenberg

You have -40 dB on RX power which probably means no signal because a good fiber should not be below -11. Either the other end is not transmitting for some reason or fiber is bad.

dnordenberg

Hi! Now that mikrotik has invested in both products and RouterOS features for IoT I would like to propose to MikroTik to also have a dedicated forum section for IoT talk/help (MQTT, LoRa). I think this would help a bit to draw people who are interested or good at this to the forum since those people...

dnordenberg

More SFP in a lighter device would sure be nice :) I use the RB960PGS-PB together with RBFTC11 both for L2 and L3 work. Works fine and simple with POE but you lose ability to fetch DDM data from SFP of course. SwitchOS mainly controls the switch chip and does not do any heavy work as RouterOS can do...

dnordenberg

Seems like the answer is that I need a LoRa gateway server getting the telegrams from wAP and converts them into a PLC protocol. I found this: https://www.eyeo.se/lorawan-2-plc-integration/ And LoRa does not seem to support transfering of modbus telegrams directly, only single measuring values. I gu...

dnordenberg

Hi Can I use LoRa in a wAP as a PtP bridge and not using a shared network like the things network? I'm thinking a setup like this: Modbus TCP sensor --- wAP <----wireless LoRa---> wAP --- PLC (modbus master) And I'm not sure wAP can be a "client" in a LoRa network? If not then this might w...

dnordenberg

Hi! I'm running some ping monitoring from my CRS106 and I see some pings are dropping. When I see these drops they are on several devices not just one and the devices themselves that go through the CRS does not experience any drops. So I started to think these drops are caused inside the CRS. To con...

dnordenberg

Yes, I know switches have weak CPU. It can not see that this happens more if I try to load the CPU but I have not reached 100% either. This is without winbox connected. And the interruptions still happens if I keep only a single netwatch so I don't think it is caused by netwatch itself either. "...

dnordenberg

Hi To start with, yes I know this is a switch so ideally bridge configs should not be used but my application is extremely low throughput, talking like 0-200 kbit/s so not getting max switch performance is not really a concern for me. (And I'm running the main bridge ports HW offloaded too so I gues...

dnordenberg

In NDP/neighbor list there are a lots of ways to interact with a entry, ping, telnet, mac telnet and so on but why isn't there a winbox option? (open a winbox session against selected entry). It could try to connect using same login as current connection or if the address is found in winbox saved/ma...

dnordenberg

Issue seems fixed in 7.6rc

*) winbox - allow "timeout" value to be less than 1 under "Tools/Netwatch" menu;

Packet count behaviour when not set is still the same (locked at 10).

dnordenberg

Hi! I had a little POE accident which broke a RB450Gx4 board in a way I really can't explain by reading through any documentation :(¨ It was powered using 24V DC through the DC plug and then someone changed the upstream switch to a POE one which happened to be connected to ETH1 (which happen to be a...

dnordenberg

And not sure the packet interval value works as expected either? With 1s intervall and 0.10s packet interval you get 10 sent/response count in status. If I change packet interval to 0.2s I would expect the sent/response count to be 5 then? But it is still 10. And no matter what I change packet inter...

dnordenberg

It is a pure GUI bug, setting timeout <1s from CLI works fine

dnordenberg

Hello
In 6.x the timeout value could be set below 1s. After a 7.5 upgrade the value is still 0.10 for example but value is red in winbox and you can not change it to something else <1.00.
For example 1.50 works but 0.50 gives "Error in Timeout - Fixed point decimal expected!".

dnordenberg

As said many times before: when you want THAT, just make an IPIP or GRE tunnel and enable IPsec security on it. That does the same thing. good luck passing across NAT the advantage with ipsec is NAt traversal well known features Some of these NAT unfriendly protocols can be used with IPsec with jus...

dnordenberg

I do want VTI too as it is easier to understand the "standard" routing principles than the policy one. I think it will be easier to get a overview of what is happening in the device when IPsec behaves just like any other interface. Easier to setup firewall rules based on interfaces. As sa...

dnordenberg

I do want VTI too as it is easier to understand the "standard" routing principles than the policy one. I think it will be easier to get a overview of what is happening in the device when IPsec behaves just like any other interface. Easier to setup firewall rules based on interfaces. But th...

dnordenberg

I was suspecting that too because of the name...

Yes I think I seen some WiFi improvement notices in 6.4x changelogs recently too so I just hope it has gotten better with time.
I have no other 7.x reasons for this simple application so I think it will be 6.49.6 then

dnordenberg

Hi Never used WiFi on mikrotik before, read that it had it's stability issues in the past... Just curious, is there any difference comparing 6.x vs 7.x on that matter? Playing with a hAP ac lite TC meant for a non tech friend and trying to decide if it would be best to use 7.2.3 or stick to 6.49.6. ...

dnordenberg

Ah, thanks again :) Short story, my problem is that these "unsecure" devices are now managed by the company that produced the unit they are in and they have their own way in (LTE modem with VPN) to them and I certainly don't want them reaching the rest of my network. Once their guarantee h...

dnordenberg

Ah, thanks :) Yes, I do understand the hw offload part but thanks for the hint :) Btw, any thoughts how I could also protect the "secure" side from the "unsecure" side from unknown IPs since I do need to allow ARP for it to work transparently? Someone could easily configure somet...

dnordenberg

Hi!
Yes I looked at that setting but couldn't figure out exactly how it works. Do I configure my L2 rules in /ip firewall then? Does IP firewall take over or is bridge filter still enabled simultaneously?
This is low throughput so performance does not matter

/D

dnordenberg

Hi! Is it possible to setup L2/bridge firewall and somehow use connection tracking on TCP connections? My wish is to allow connections to be initiated from one way only while allowing only established the other way. I want both in and out interfaces to have the same subnet to work transparently. Fro...

dnordenberg

Bug Using bridge filters with IP protocol, a port based protocol is needed for src and dst port settings to be enabled/selectable but once such IP protocol has been selected you can disable the protocol selection again and src/dst port settings stay active. It is a minor cosmetic bug since you can't...

dnordenberg

Thank you for your answer mkx. Unfortunately MT isn't very big in my country so no big resellers :( Most I know of just sells MT, don't know much about them so I don't think they have any direct lanes into MT either. They are mostly Cisco, Aruba bound ones so I don't think they care to pass my reque...

dnordenberg

Hello!
Any input here, mikrotik?

Kind regards
David

dnordenberg

Hi Can we please have support for industrial use cases where a redundant ring topology is needed? For example using MRP, very common in industrial applications/networks) Support for MRP was added in linux 5.8 https://kernelnewbies.org/Linux_5.8#bridge:_Add_support_for_Media_Redundancy_Protocol_.28MR...

dnordenberg

Hi! When using RSTP on a bridge interface for redundancy, is it normal to see these loop messages in the log then when changeovers happen? "bridge port received packet with own address as source address (MAC) probably loop". I thought RSTP should guard against any loops, even a very short ...

dnordenberg

Hi! Can we please have the kernel fresh and updated in the v7 branch? Kernel 5.6 series reached end of life soon to be 2 years ago. Why was short lived non LTS kernel even chosen from the first place? I guess it has to do with wireguard which was built in from kernel 5.6 but if RouterOS uses 5.6 the...

dnordenberg

FYI hAP ac2 just got official OpenWRT support, this milestone opens the possibility of supporting more Mikrotik IPQ40XX devices such as cAP ac and hAP ac3 in the future. https://firmware-selector.openwrt.org/?version=SNAPSHOT&target=ipq40xx%2Fmikrotik&id=mikrotik_hap-ac2 I finally got aroun...

dnordenberg

Yes, G.8032 would be similar but as far as I can understand, all ring member switches needs to support it which is not the case when building a ring of all kinds of different industrial devices. Maybe in a distant future but as of today I have not seen a single industrial device supporting it so I'm...

dnordenberg

Hi! Would it be possible to enhance the loop protect feature to be able to use it as a ring topology redundancy function? Today sending interval is 5s at lowest, way to high to make a ring break/connect almost "seamless". It would be great if this setting could be set to 0 meaning it will ...

dnordenberg

I ended up with a a ping monitoring script on the root bridge device which pings remote mt devices plus a ICMP L2 fw blocking rule for the EoIP interface so if ping is timed out then the DSL must be down and links are running on 4G backup. I already had a similar script which monitored the 4G/EoIP i...

dnordenberg

Sounds like you want something like a full cone NAT on R2. I guess you want R1 to have a different IP/subnet than the rest of the LAN? That would be hard without a double NAT but one thing you might do to skip NAT on R2 is to just use normal routing on R2, adding a static route for LAN on R1 that po...

dnordenberg

Its ok, just curious :)
So from the root bridge device, there is absolutly no way to tell which way is active? From there I would like to have a script that notifies me when the 4G backup path goes active but I guess that can not be done easily then?

dnordenberg

Ah sorry fixed that :)

Ah, the last statement... I never understood that, great info :) But when is "backup port" used then? The ports facing the root bridge ports can never be the blocking ones then according to that so the role backup port is never ever used??

dnordenberg

Hi! I have three switches, first one is root bridge. To that one I have the two other switches connected via ethernet and a DSL line. Then I have a 4G modem connected to each MT device which each runs a EoIP tunnel in parallel back to root bridge switch. I set higher port path cost on each EoIP inte...

dnordenberg

No ideas? :(

dnordenberg

Hi! After a network disconnect or a disable/enable of the asocciated peer entry I get a problem with the policies after the first one. First go "established" but the rest is "no phase 2". I only get an SA for the first policy. I have to click on each policy (winbox) and click the...

dnordenberg

Tanks for your answer. So there are no possibilities for accessing the values collected locally at the site? Cloud services are not an option for us as a municipality, everything needs to work without connections to the internet :( How does the "host your own service" work? Clould is still...

dnordenberg

Hi! I'm a bit confused as to what the LoRaWAN functionality can be used for? For example I have some remote solar powered 4-20mA sensors I want to access from my PLC. Can that be done by using something like http://www.netvox.com.tw/product.asp?pro=R718KA as remote device and a mikrotik LoRaWAN base...

dnordenberg

Strange, today .178 works but still not .179. I also did another packet sniffer run and now I see packets do exit the mikrotik routers ethernet port when pinging but nothing is heard back when pinging from the host it didn't work from. Don't know if behavior is changed or if I was to blind to see th...

dnordenberg

Now the config: (Non IP related lines removed) /interface bridge add name=WAN_4G add name=WAN_kontor add comment="created from master port" fast-forward=no name=bridge_scada protocol-mode=none /ip ipsec peer add address=192.176.238.228/32 exchange-mode=ike2 name=ipsec_1 /ip ipsec profile s...

dnordenberg

Short story: IPsec tunnel 172.16.14.176/29 where .177 is the mikrotik RB450G (and default GW for all the other IPs on the subnet). A specific host on another remote subnet (other side of the IPsec tunnel) can not reach .178 and .179 IPs in the .14.176/29 subnet but other IPs work like .180 and .181....

dnordenberg

Hi! For a short story see post #2 I used IPsec many times with mikrotik and this time the setup was no different in it's setup but it is acting really strange. The tunnel uses 172.16.14.176/29 where .177 is the mikrotiks IP which is then default gateway for the rest of the devices (.178-.181) on thi...

dnordenberg

For the RB450Gx4 I use these https://www.moxa.com/en/products/accessories/mounting-kits/din-rail-mounting-kits/din-rail-mounting-kits Screws fits perfectly in two cassi holes, works with only one of the two in the kit but it will not be super stable (you can see in pic 2 it is tilted slightly) but I...

dnordenberg

fix images.

Ah sorry, direct linking to Google photos did not seem to work :(

dnordenberg

Not to mention that this would allow interop with many other router vendors IPSEC VTI based tunneling solutions. Ehm, I could be wrong here but my understanding is that VTIs are purely a local thing, the tunnel or other end does not know about if VTI is used or not at the opposite end. VTI should a...

dnordenberg

While I'd like to have VTIs too, they're still L3 interfaces, so adding them to bridges is not possible. I think you may be wrong here, at least I hope so ;-) Yes they are L3 interfaces of course but isn't the whole point of VTIs is that they appear as a virtual hw like interface so you can use the...

dnordenberg

Chateau won't work as an "industrial" unit in a electrical cabinet :(

Try do this with it:

dnordenberg

Looks like mid 5GHz is selectable on some other APs too so mikrotiks usage is probably correct.
It may have been that the clients I had available for testing simply did not support mid 5GHz, we only had older devices to test with.

dnordenberg

For Sweden , you have in the list: [admin@MikroTik] > interface wireless info country-info sweden ranges: 2402-2482/b,g,gn20,gn40(20dBm) 2417-2457/g-turbo(20dBm) 5170-5250/a,an20,an40,ac20,ac40,ac80,ac160,ac80+80(23dBm)/passive,indoor 5170-5330/a,an20,an40,ac20,ac40,ac80,ac160,ac80+80(20dBm)/dfs,pa...

dnordenberg

In 5GHz band the instalation=indoor is even worse: most of indoor-only channels come with burden of DFS ... which means AP has to take measurements on channel to detect a possible radar and if it does, it needs to switch off transmissions immediately. Before it can select such channel for transmiss...

dnordenberg

Hi! A friend bought a hap ac2 and could not get 5ghz ssid to show up on his devices. I looked at it and didn't se any faults with his very default config. Only country was changed to sweden and installation was changed and indoor. After a while I see that an outdoor frequency of 5580 was selected wh...

dnordenberg

Ah, I thought we were still talking about the situation without fw rules.
Absolutely right, allow rules and then dropp all at the end is a much better approach :)

Thank you!

dnordenberg

While I'd like to have VTIs too, they're still L3 interfaces, so adding them to bridges is not possible. Oh :( The IPsec policies' traffic selectors are intended to be restricted at both local and remote subnets, so for a local user with an address from subnet LA to access remote subnet RA, there m...

dnordenberg

Hi! Thank you so much for your answer :) I don't care what IP a user tries to set but I really don't want him to be able to gain access to networks on another policy than the one I intended for devices connected to the corresponding bridge. Ok so there isn't a way to "hard tie" a policy fo...

dnordenberg

No one who can point me in the right direction here? I don't need a full solution, just an hint on the right approach here. Do I need to create FW rules maybe which would be basically copies of the policies (but inverted)?

dnordenberg

+1 I don't see the point of showing quickset on a already configured router, it is like a button of doom like mmut wrote. Maybe it should work directly only on a device without any config at all or a very default like configuration. If other settings is changed make quickset show a big disclaimer &q...

dnordenberg

My example config below. I want to make sure it doesn't work if a user connects something on bridge_vpn1 and sets and IP of bridge_vpn2 subnet and that way could reach something outside the policy defined for his bridge_vpn1 subnet. I know it would not work straight away because router has another I...

dnordenberg

Hi! I have multiple IPsec policies for different local subnets for different purposes and each subnet is used by equipment on a specific ethernet port. Each subnet has a ethernet port assigned to a bridge interface and a matching IP (which is set as gateway on the devices on that ethernet port). Set...

dnordenberg

Hi! I love the bare form of RB450Gx4 since it allows me to easily add DIN mounting brackets and use these devices in industrial cabinets. Only thing I'm missing is an M.2 slot+SIM card slot so we could install a LTE or 5G card inside too. I could use another RB model for 5G purposes but for some rea...

dnordenberg

G.8032v2 was on the roadmap. Maybe the Mikrotik guys can provide a status update ?

That would not help here anyway since it would be required on all devices in a ring.

dnordenberg

Seems like it could be the loop that is causing it, I had a slight idea the loop would cause problems but I thought if the switching back was fast enough the packet storm would be so fast it would not be noticeable. But it seems to completely block all traffic the exact same ms the loop is formed :(

dnordenberg

Some success :) Failover to ether2 works when both consecutive pings fail but when ring is completed again it is not detected :( There seems to be a problem when mac pinging ether2 from ether1 like this when they belongs to the same bridge, ping just don't go through then :( :local RingStatus 0 :do ...

dnordenberg

found this script which does about what I want. Seems ping will return number of successful pings as the return value? Manual for ping does not state this but maybe it is documented somewhere else...
viewtopic.php?t=125759#p619531

dnordenberg

If you are looking at sub 50ms, I doubt very much you will achieve this using scripts You can ping with 1ms resolution so that part is fine I guess. And the receive monitoring script would have to loop since you can't execute a new script instance faster than 1s. But I still believe it is possible ...

dnordenberg

Ya might want to take a look at spanning-tree and see what it can do. Spanning-tree will normally handle redundant L2 connections. In a ring enviornment, it is possible to have 1/2 the traffic go clock-wise and the other half go counter-clock-wise - and if the ring is broken then both directions wi...

dnordenberg

Hi! I'm thinking of trying to script this using pings. Starting a ping every few ms using a script is not hard but and then how to catch it on the other end in the best way? I'm thinking of using L2 mac ping and specify which port the packets goes out on and ping the second ports mac address. And th...

dnordenberg

G.8032 is definitely the way to go....would love to see this in the CRS3xx series. Not sure that is meant for industrial use where all the dual port devices functions as "dumb" switches? I think G.8032 will require this support on all nodes while MRP could work on only the "ring mast...

dnordenberg

There is also MRP https://en.wikipedia.org/wiki/Media_Redundancy_Protocol Which should deal with up to 14 switches at 10ms (and more switches at higer switch over times) I thought maybe it could be done with a looping script? One that sends a test packet and listens + count the timeout and if packet...

dnordenberg

Hi! Is there a way to build a layer 2 redundant ring with routeros? This is often used with industrial equipment and switches where fast fail over is needed and (r)stp can't be used. I have used hirschman switches with their Hiper ring protocol in the past which basically send a test telegram around...

dnordenberg

Ah, thanks! Sounds very similar to what I'm looking for :) Can VRRP also distribute config changes from master to backup nodes? Looks like that is left for the user to handle? VRRP (and HSRP) are intended to preserve the first hop, so that hosts can always reach their default gateway. The routers s...

dnordenberg

You may want to have a look at this . It includes configuration synchronisation from active to standby. What is missing so far is synchronisation of connection tracking, but the RouterOS 7 beta supports that too (the functionality is linked to VRRP there). Ah thanks! Certainly looks like a interest...

dnordenberg

It's tricky, trying to implement hardware failover can lead to more points of failure. For example, if the LAN is configured to use VRRP for failover between the two routers how would you connect the two routers to your network - if you use a switch that then becomes a single point of failure. Simi...

dnordenberg

You're probably looking for VRRP.

Ah, thanks! Sounds very similar to what I'm looking for :) Can VRRP also distribute config changes from master to backup nodes? Looks like that is left for the user to handle?

dnordenberg

Hi! I'm trying to find some info about hardware fail over/redundancy. Everything I found about fail over is about WAN fail over but that is not what I'm looking for. I have a RB450Gx4 which does a lots of stuff, for example port forwarding/NAT specific services between some subnets, being a NTP serv...

dnordenberg

Not a new bug and don't know if it counts as a bug either or just a minor display deficiency but if you view packets during a packet dump you only see a empty line for every captured packet. You have have to stop the capture for them to fully display all columns of info.

dnordenberg

The reason this will not work is that ssh is interactive and can not be run from scripts. Ssh-exec has to be used instead.

dnordenberg

Hi! I would like to setup a form of redundancy by taking over a specific IP (and send of packets a alternative route) if the primary layer 2 communication way to the original host/owner of that IP becomes unavailable. Because I will be taking over the IP by enabling it on the routeros device I don't...

dnordenberg

FWIW, I use about 35m cat6 to power a powerbox pro FW 6.45. I do not use a poe injector, instead I splitted out 4-5,7-8 from cable and attached them to a 2A 24V DC supply with battery backup. Load is two ubnt AF5XHD about 200mA each and two ubnt airMax devices about 130mA each if I don't remember wr...

dnordenberg

And another extremely strange thing, turning on the packet sniffer seems to make communication behave much better. This is not a single happening, I can reproduce it over and over again, when the pps rate is rocketing I can calm it down instantly by starting the packet sniffer on the eth interface. ...

dnordenberg

Here is exactly the same communication seen from the ethernet interface instead of ppp-in. Looks better and shows traffic from both directions (but I had to disable HW offload on the bridge port otherwise I saw only rx packets?). But still some strange red packets in wireshark :( But not as many &qu...

dnordenberg

Hi! I'm trying do do a PPP serial tunnel between two RB devices. It somewhat works but I have some strange fenomenas. First I seem to get a lots of junk traffic on the tunnel, I see that the lights of the serial connect is blinking extremly fast and until connection seem to reset and calms down a bi...

dnordenberg

Would be really nice, bringing in some a fresh modern feeling and options... Unfortunately to take full advantage of it you need a 5.6 kernel :( Routeros 7 is on 4.14 as this is a super long LTS kernel. Wireguard just missed the 5.5 which is expected to be the next super long LTS kernel so for route...

dnordenberg

Hi! How do I define a ipsec policy which includes my own network easiest. All my VPN networks are small 172.16 subnets. Right now I have only this below which means I can talk to 172.16.2.0/25 from my local network 172.16.6.0/27 but no other networks is reachable but I want to change that. /ip ipsec...

dnordenberg

Done

dnordenberg

Hi! If you happen to download the firmware twice so you get for example a routeros-arm-6.46.1 (1).npk, upload that to the router and reboot. Then system halts before loading kernel. Netinstall is required to bring the device back to life. I think the device should either handle the extra characters ...

dnordenberg

LE: nevermind. routeros IS the client. skip this post. too early for me.

Exactly

No problem, thanks for trying to help anyway

Anyone else have any idea? I don't know where to start looking

dnordenberg

Hello! I have some IPsec tunnels that sometimes seems to get stuck in a locked up state where no data is passed through them. I can not see any real reason, they just randomly decide to stop passing data for a period. I do have DPD configured but it does not seem to trigger on this for some reason. ...

dnordenberg

Hi!
What is an "unregistered interface"?
*) ipsec - improved system stability when processing decrypted packet on unregistered interface;

dnordenberg

Yes, VTI support please, policy tunneling is not very user friendly to setup, I rather use traditional routing.

dnordenberg

My problem must be something else then because i'm 100% sure I did not click ok in a quickset dialog. One of the routers was even failing after a upgrade from a working config and then there is no quick set auto opening. And at least in one case firmware downgrade worked for me (without config reset...

dnordenberg

This is a bug of 6.45, it has happened to my with three different units. Factory default and rolling back 6.44 has been the solution it my cases. You can know for sure it really is a bug when the MAC addressing based connection in winbox also stops working, then it simply isn't an IP config issue

dnordenberg

Hi! Thanks! That seems to do some packet dropping and at least total bandwidth does not go over the max limit :) A bit hard to tell if it really splits bandwidth equal between the child queues... One thing I can't really understand, shouldn't the parent queue also be sfq, same as the child queues? O...

dnordenberg

Hi! Continuing here since 6.45.1 topic is now locked. A few days ago I updated two RB450G from 6.42, one to 6.45.1 and one to 6.44.5. Both seemed to work fine at that time. I logged into them after upgrade and everthing worked. Now a few days later I was at the site again, now winbox ses only the 6....

dnordenberg

Yes as I wrote before, just keep the bridge settings made by the router config but remove the ether1 address config (dhcp client) and join it to the bridge (and change interface list membership, remove it from WAN). Not by using the quickset but as separate steps in the configuration. Then it could...

dnordenberg

Yes the factory default nat router config works so I can reset it back to that. It's when I apply the bridge config that things gets weird...

dnordenberg

configuring the device in bridge mode from the quickset menu results in a bad configuration where you are locked out. I did not do it exactly this way, I removed config completely after first startup (after factory reset). Then connected by MAC address, did the bridge config by hand and not trough ...

dnordenberg

Upgraded a RB960PGS-PB from 6.42 something (factory) and lost administration connectivity. And with lost conectivity I mean I could not discover the device in winbox, not even see any of it's ports MAC addresses and connect to that while I was directly on one of it's ports. So not really an IP addr...

dnordenberg

Upgraded a RB960PGS-PB from 6.42 something (factory) and lost administration connectivity. Almost empty config, no firewall, only a bridge1 with all ports and IP was set on bridge1. Reboot did nothing. I used reset button and it worked again at 192.168.88.1 but as soon as I removed config and added ...

dnordenberg

Hi! I have looked at queues to make bandwidth usage "fair" among a number of users. I looked at PCQ a bit and tried using https://wiki.mikrotik.com/wiki/Cable_setup guide but I don't think it fits my setup and what I want to do perfectly :( First I have main router and on that I have a tru...

dnordenberg

Oh and there is a hAP ac2 that is even cheaper

dnordenberg

Oh, btw, I will probably have to offer hAP ac for the apartmenta and not hAP ac lite as the lite isn't gbit

hAP ac is a bit expensive but seems to be the cheapest with poe in and gbit...

dnordenberg

Yes, VLANs as client isolation is what I'm most comfortable with :) The only thing that worries me about that is that maybe the CCR1009 is not built for handling VLANs because there is no switch cipset and what it is best for is real CPU intense routing? Handling VLANs in bridge/software might be a ...

dnordenberg

Thanks for your long and good answers. I think I'm more comfortable with the more flexible router solution then having to come back later saying they have to buy more stuff to fix my bad decisions :( Your first suggestion sounds good, everyone Will get at least minimum speed but more is available if...

dnordenberg

what type of connection is in every room? wired or wireless?? 1. if it is wireless why dont you setup RB1100AHx4 as CAPSMAN and set different bridge/subnet per CAP. this implies you install mikrotik ap in every room. 2. i have similar setup (with 50mbps internet line) with rb951ui-2hnd as main rout...

dnordenberg

In fact, when you get your internet delivered including NAT routing and your only requirement in fact is isolation of the clients, you could consider buying a switch that can do client isolation. I think (but I am not sure, so check it) that SwOS switches like the CSS326-24G-2S+RM can do that. Clie...

dnordenberg

Ah yes, now I see, you are right. Thanks guys!

dnordenberg

As i understand it, this is all about fixed rates. Which would be a real waste of bandwidth. That is not what I asked about

dnordenberg

Hi I would like to setup routeros to fairly distribute the available WAN port bandwidth among a number of clients (read subnets as one client has one subnet for himself). I read some on queues but all I can find is about absolute rate limit values. But I would like the rate limit to be dynamic. For ...

dnordenberg

Well it's not a professional ISP project, it more like a collective that wants to save money and use a single fiber as incoming. And they are not going to promise any higher speed for each apartment but of course they still wants as fast as possible... Yes I think maybe I can get them to buy the CCR...

dnordenberg

CCR1009 is cool but price is a bit too high :( Found RB450Gx4, maybe a faster alternative to hEX. Cat6 cables are already installed from each apartment to one central location. Apartment are small and on only two different floors so cabling was not a problem. RB1100AHx4 is nice, the only thing I hav...

dnordenberg

Hi I would appreciate some product recommendations for a router that can NAT roughly 1gbit normal traffic and have the power to do some traffic shaping so that one apartment can't use all the bandwidth and slow down internet for all the others. (I guess routeros has some functionality for doing this...

dnordenberg

Hi!
Outgoing PPP connections does not show up in active connections like incoming, bug?

Search found 128 matches