MikroTik

mkx

Mikrotik equipment is quite picky about SFP/SFP+ modules ... odds are high that modules you tried are fairly different and draw of luck gave working pair of modules. In principle it should not be a problem to use "long distance" SFPs on shorter fibre routes. The distance mark on SFPs indicates the p...

mkx

Why thank you. Brilliant you are!!

Hail Anav, the guru of ours!

mkx

Essentially you're running two LAN networks, company and home. And any device (printer, NAS, ...) can only be part of one network. So if you want connectivity from another network, there has to be a router between the networks. Simple switch can not do it and VLANs don't help here if devices (printe...

mkx

As @anav noticed ... if shown config is full config, then your router is vulnerable like hell. If that's so, take device off the net and netinstall it. Even if it's not, reset unit to factory default settings and configure it from defaults. Only change and/or add minimum what's needed and be sure it...

mkx

If your Mikrotik is configured properly and according to default configuration policy, you should select in-interface-list=WAN as criterion in NAT configuration. You can verify if the interface list selection is right for you if you check (existing) NAT rule for outgoing traffic ... default is chain...

mkx

Link shows up at 10 gig and not 2.5 Gig Speed reported by /interface ethernet monitor for SFP/SFP+ ports is speed with which SFP module communicates with RB. Speed between SFP module and its link peer can be different and one has to get information about that via DDC link ... which can be (as you n...

mkx

(router has NTP client set and has correct date and time)

Router has to act as NTP server ... and for that extra package ntp has to be installed.

mkx

Your idea is a completely valid. Only a remark about your setup code: consider adding settings frame-types=admit-only-vlan-tagged ingress-filtering=yes to /interface bridge port, these should add security.

mkx

That means that you can only create VLANs controlled by the CPU chip (software based instead of HW accelerated / offloaded. That means that you need to create a bridge interface per VLAN and only one bridge interface can give you wired speed. The first quoted sentence is true. The second one is not...

mkx

@mkx, you seem not to understand the problem.

As I wrote ... waste of my time.

mkx

As I explained in the other thread (which you partially ignored and I'll return to ignoring you after this post as it seems waste of my time writing you very concrete advices which you then largely ignore): you can download "Extra packages" ZIP file which is easy to verify after download. Then extra...

mkx

In current ROS there's bundle of packages which is what you get by downloading "Main package". You can not uninstall individual packages if installed with bundle, you can only disable them. But you can "unbundle" ROS by installing different version of ROS, but taking necessary packages from ZIP down...

mkx

When you put package files into proper place in device and reboot device, it will instal packages ... if extra packages versions match system package ... or if new system package version is newer than currently installed. If you want to install older version, you have to run /system package downgrad...

mkx

Im going to send you a t-shirt

Me too ... pretty please?

mkx

Quite likely your ISP is not querying your device at all, but rather they use IMEI number of modem which gets communicated between modem and network as part of handshake to establish mutual trust. IMEI, similarly to MAC, carries information about device manufacturer and device model. And no, it seem...

mkx

More likely something doesn't get loaded correctly. Mind that BIOS/UEFI can't load linux kernel directly, there has to be intermediate loader (such as grub). If something fails (either BIOS loading intermediate or intermediate loading kernel), random things happen (most often machine reset). Which m...

mkx

The problem here is Mikrotik's parlance. We have "bridge" as "ports connected through a switch" and "bridging", as "moving one ethernet datagram from one interface to another, through the CPU". Actually Mikrotik wants you to forget about switches inside their devices ... they do bridges and some po...

mkx

But then Mikrotik bridges are not simple switches. Switching implies all ports are based on same L1 technology (i.e. wired ethernet) while mikrotik bridges can span different technologies (e.g. wireless interfaces, lte interfaces, vlan pseudo-interfaces, ...). Besides, wikipedia article about bridgi...

mkx

i don't get it somehow - the box is supposed to have 4gig ram, but reports only less than 1,8g to the ros6:

Memory size detected at slightly less than 2GB is typical for 32-bit linux kernel (non-PAE). I guess ROSv7 on these devices will be 64-bit.

mkx

Also I understand mkx wanted to be paid ... Just to be clear: you misunderstood me completely by hanging on the inutial 15% if my reply and ignoring the rest where I clearly wrote I was ready to help you to get over some hurdles ... In post preceeding I actually gave you some advice about how to pr...

mkx

Please, can anyone here really help? If I was to write you configuration script, I'd have to charge you with consultancy fee ... I can help you learn by giving you advices (and by pointing out mistakes you might make, but for that you'd have to post configuration you came up so far) for free. It's ...

mkx

I suggest you to go with the "Router-Switch-AP (all in one)" example from the tutorial, just leave out wireless config other than config for wlan1. Problems you're having with the tutorial example are because your unit has two physical wireless interfaces (2.4GHz wlan1 and 5GHz wlan2). Which means t...

mkx

no difference .... if you manually set MAC address on bridge first. And even then you might experience (transitional) loss of connectivity because management MAC may change this way or another. If you connect to RB via IP (and IP address setup survives changes in L2 configuration of your RB), you m...

mkx

The picture shows vlan interface as part of bridge ... but actually they should (an are) not be added, they are added automatically.

If you haven't already, read through this fine tutorial.

mkx

Read through this fine tutorial.

mkx

If you use addresses in usual notation, then the smallest usable network on mikrotik is /30: one network address, one broadcast address and two host addresses. To mimick a point-to-point connection over ethernet, you should set it like this: add address=80.67.167.169/32 network=80.67.167.168 interfa...

mkx

There are a few "dialects" of /interface ethernet switch config, it depends on switch chip type. There are a few documents describing the way to configure it in any of "dialects". If you have trouble configuring things on a particular device model, show us non-working config and we might share a tho...

mkx

Does 'Media disconnected' in this case mean the PIX-LINK device or something more? Media disconected means either that the cable is not connected on either end, or cable is broken, or ethernet on either end is not working properly. If you can verify that cable is fine and PC's ethernet is fine, and...

mkx

From the product description page : It also supports passive PoE input and passive or 802.3af/at PoE output. Ethernet ports 2-5 can power other PoE capable devices with the same voltage as applied to the unit . Less power adapters and cables to worry about! It can power 802.3at and af mode B compati...

mkx

I have taken another backup of the router from system backup and that is all that I can do at this stage.

Make text export of config ... binary backup is only usable (with ceveat) on same model of routers.

mkx

I don't think there is.

mkx

Depends on driver ... either starts throttling using flow control ... or simply drops frames.

mkx

My guess: routing triangle. When phone, unaware of wireguard tunnel, contacts a remote server, packet goes: phone - cap (transparently) - rb (routing) - wireguard-gw - ... and on the way back ... - wireguard-gw - cap (transparently) - phone ... skipping the rb4011 and thus screwing its connection tr...

mkx

As one of your LANs is connected to dingle interface, then whatever RB roes with it is routing. And whrn it comes to routing, there is no difference between your current config and VLAN-based config. The only benefit of using VLANs would be when multipke LAN segments shared same physical infrastruct...

mkx

Ingress filtering is only enabled on eth19 (and bridge interface), the rest of ports don't have it set.

I've no other idea, perhaps some smart guys will pop by ...

mkx

Does anyone have any idea what would be wrong with the configuration?

Not without actually seeing the configuration.

mkx

The problem with low-end devices is exactly what you found out: processing takes some tiny amount of time and thus limits throughput of a single connection even though there's ample CPU power available. If you would test with multiple parallel connections, you might find out that cumulative throughp...

mkx

I recommend against using internet detect feature ... it doesn't add any usable information if admin knows which interface is WAN ...

mkx

Disable the /interface detect-internet, it's total and utter crap. Probably this setting is screwing you up. Because otherwise router doesn't add any interface to any list all by itself.

mkx

... if I export this configuration and import it in the original Mikrotik (which is level 5), will it work? It should work if you really export (not backup). But then it's tiny details: are both firewalls similar enough? After all, PPPoE client setup is pretty straight forward. It's firewall (filte...

mkx

Bottleneck is the fact that CRS devices are switches with low-capacity L3 functionality. Meaning they can route and firewall, but nowhere near wirespeed. If you want to get decent routing speed, get a router. A low-cost candidate device is hAP ac2 (you can disable wireless) ... or a RB450Gx4 - prici...

mkx

Actually the routing speed you're getting is more or less what your CRS is capable of. Any higher routing speed would mean sacrificing security (firewall) ... which might be fine for routing between two LAN subnets without any limitations about connectivity (i.e. simple routing, no firewall), but wh...

mkx

it has no firewall rules to speak of and not safe at all noted, any set of minimal rules? A pointer to a tutorial? Good starting point is to take latest config export, then reset config on CRS to factory defaults, enable PPPoE (using QuickSet) and after that do minimum number of small changes if us...

mkx

Then why is this Poe passive? What devices can I power? I thought this "hap ac" supports "802. 3af" Thanks. Standard for PoE (802.3af/at/bt) requires some (pretty simple) "data" exchange between PSE (power provider) and PD (power consumer) for PSE to start providing power. Passive PoE OTOH does not...

mkx

... bytes are swapped not shifted. I have neither hardware to test nor test case ... so, could it have something to do with big-endina VS. little-endian architecture? We all know that ethernet is big-endian, but some of our routers are little-endian... So perhaps someone developing this part of UI ...

mkx

So to make the action=reject rule work on packets belonging to already established connections, you have to place if before (above) the action=accept connection-state=...,established,... one. There's the tricky part: fast-track. To effectively control packets of certain connection(s), those connect...

mkx

One of the things I have an issue with is your WANIP status. Do you have a dynamic or static WANIP?? The reason I ask is your NAT rules show a mismatch. The sourcenat rules are setup for a dynamic WANIP and your dstnat rules are setup for a static FIXED WANIP?? I know that there are users strongly ...

mkx

Is there a (not overly complex) way to achive this in ROS? There are no "smart" ways of configuring NAT. You could configure it using some script ... but you'd still end up with N NAT rules. So even if the job would be done using a script, I'd run the script on some linux PC and copy-paste the resu...

mkx

Don't even think about variant 1 ... it's deprecated way of doing it on devices without switch chips before bridge became VLAN aware (ROS 6.42 or something). I'm running variant 3 on my own RBD52G due to the following reasons: my ISP uses PPPoE for internet connectivity, it is terminated on my RBD52...

mkx

For sure a 320GB 2.5" Samsung external HDD is usable...

It is. But the performance is below any acceptable level and even then it bogs down whole router. These devices simply are not meant to be NAS devices. The sooner you'll accept it, he better.

mkx

Your repeaters (02-09-5b) are not known in the website.

And can not be, those MAC addresses are locally administered MAC addresses and can be used freely (as long as they are unique within ethernet broadcast domain).

mkx

These devices don't have switch chips.
Which devices?

OP mentioned hypervisor in initial post. So I guess he's asking about CHR and indeed CHR doesn't have switch chip.

mkx

I think setting MTU size will do. But this is experimental. Sure. But apart from special cases (such as you described), reducing packet sizes means lower throughput, both due to higher load on any devices processing those packets (routers, firewalls, ...) and due to higher share of packet headers o...

mkx

I only have 12 IP filter rules which according to the data sheet https://mikrotik.com/product/RB750Gr3#fndtn-testresults should mean it'll still operate at full speed. I guess I could get rid of a few of them but don't know how that will impact the security of my system? When fast-track is in use (...

mkx

It would be a total waste for me I would have to get 12 sfp+ cages (from sfp+ to 1Gig ethernet). But why am I still salivating?? You're salivating for the very same reason why Øveraasen TV 2200 is subject of your dreams while in reality all you need is a basic Snow Joe. ;-) Haha, how did you know I...

mkx

Btw, if you check the packet flow diagram, you'll see that traffic enters bridge as vlan and leaves bridge accordingly. It's not very clear from documentation, but bridge in ROS has two, quite distinct, personalities: switch-like entity which forwards frames between member ports. If vlan-filtering=...

mkx

Vlan interface, created in /interface vlan , is overlaid over underlying interface ... in your case that's bridge interface ... and bridge interface is CPU's access to bridge - the switch-like entity. When it comes to traffic in VLAN 7 between ether2 and ether10 ... one of those ports is in-interfac...

mkx

You should be aware of the fact that inter-VLAN communication needs a router and CRS3xx is essentially not a router. Meaning that RB4011 wouldn't only be your internet gateway/router/firewall, it would be inter-VLAN router as well. With its routing capacity around 2.5 Gbps it would become single bot...

mkx

There's a fundamental error in your setup: all of L2 setup is about bridge interface being tagged member of VLAN with VID=7, but you set bridge with pvid=7 , which is wrong because it's setting bridge interface as untagged member of same VLAN. Set pvid on bridge (back to default) to value of pvid=1 ...

mkx

But if the two rules are true.......... WHY WOULD ONE NOT JUST MAKE IT ONE SUBNET??????

To limit amount of broadact traffic?

mkx

It would be a total waste for me I would have to get 12 sfp+ cages (from sfp+ to 1Gig ethernet). But why am I still salivating??

You're salivating for the very same reason why Øveraasen TV 2200 is subject of your dreams while in reality all you need is a basic Snow Joe.

mkx

I guess, if I'd like an IPv6 Address for my Mikrotik I have to assign it to a link lokal interface or something? Your router will have a few IPv6 addresses, one per LAN interface. They get assigned from pool. In theory one could have control over which address out of prefix is actually assigned, bu...

mkx

For better inter-VLAN routing performance you need a better router. Until a CCR2004 arrives (it's right behind the corner), you might want to look at RB4011. It's got single SFP+ interface (in addition to several 1Gbps ethernet ports) and should be able to route around 2.5Gbps.

mkx

RB4011 has SFP+ port (10Gbps) while hEX S has SFP port (1 Gbps). So it might be necessary to manually set port speed to 1Gbps on RB4011 to start communicating with the SFP module. What you see in SFP status is likely read out of DDC port and that's out-of-band ... so yes, quite likely SFP synchroniz...

mkx

I'm not sure if I understand your question right ... but anyway: VLANs are below IP and switch (or bridge part of MT router which acts as a switch) can forward frames between different ports (depending on configuration of course) without having IP address in that VLAN.

mkx

Different telekom, but using PPPoE as well ... here are my settings: /ipv6 dhcp-client # requesting only prefix ... address not needed, link-local is used for pppoe-out1 interface add add-default-route=yes interface=pppoe-out1 pool-name=pool.iov6 request=prefix use-peer-dns=no # IPv6 address pool no...

mkx

Connect a PC to a switched port on RB4011 (so there's no routing between PC and cAP ac) and use MAC connection in winbox. Alternatively connect PC directly to cAP ac (use cAP ac' cable usually connecting it to RB4011).

mkx

Default setup on Mikrotik SOHO routers is that they don't support IPv6 at all (with ROS v6 that is). One has to install IPv6 package, available in extra packages from MT's download page. Beware that after installing package, IPv6 config is empty and that includes IPv6 firewall. You'll have to manual...

mkx

But still switching between routers takes about 3-5 seconds. The telephone conversation during this time is interrupted. One thing to check: does the device keep the same LAN IP address after it switches over to another AP or band? Anyhow, even if transition period (for changing serving AP) is only...

mkx

Be very careful ... I wouldn't block any of ventilation grilles, specially not the ones on top surface right over the SFP cages ... it is known that SFP modules get hot and when they're hot, they might perform unstably. Judging from the pictures I wouldn't mount the switch rotated upside-down, I mig...

mkx

I was almost offline for half a year and the world hasn't stopped rotating

Earth is spinning all right, but the world we live in slowed down almost to a halt. I think you should accept your share of responsibility for that

mkx

Double NAT in principle means double firewall (I know, firewall and NAT don't go not necessarily together, but on SOHO devices they do) ... so you get two layers of security and you start to aporoach the onion-like layered security. But this only works if you carefully configure both firewalls. If y...

mkx

very strange........... RSRP (if your signal strength numbers are this) of -115dBm is about absolute minimum for LTE to work at all. And it only allows low throughput (up to Mbps or so), furthermore link won't be stable (a few dB higher loss due to bad weather and you loose the link). For the very ...

mkx

The problem is actually flapping of ether1 port ... now you only have to find out why is that happening.

mkx

However subnet 192.168.254.0/24 and subnet 192.168.0.0/17 need routing to communicate, unless some devices have a different (e.g. /16) subnet defined, or something else is used to make them connect directly. OP's post #28 includes some ASCII-art LAN scheme and there's a router between both subnets....

mkx

Dear Jotne, yes, I just want to use this device as a switch. So then be so kind and just tell me how to turn the firewall on for this switch.

So you decided to completely ignore my last post (just below @jotne's you're quoting). Fine, remind me to add you on my ignore list as well ...

mkx

If I understand your LAN setup, then currently CRS is switching not routing. And while it's switching, none of traffic hits firewall. If you really want to use your swirch as firewall, you have to: disable HW offload ... it is done per-port in /interface bridge port by setting hw=no This setting wil...

mkx

Depends on particular LHG you've got ... but so far every Mikrotik LTE antenna I checked had lousy gain for low bands (B20 and B8 ... something between 0 and 5 dBi) and decent to good gain for high bands (B3 around 15 dBi, even higher for B1 and B7).

The difference in gain is significant.

mkx

When fast-track is enabled, then counters don't account for majority of traffic in forward chain ... that's how effective is shortcut called fast-track.

mkx

A few aspects: ether1 is not part of bridge meaning that devices connected to bridged interfaces and devices connected to ether1 can not communicate directly, they have to use router as gateway ether1 receives specific configuration depending on ISP requirements (either DHCP client or PPPoE client o...

mkx

Mikrotik publishes performance test results for every device. Surf to product list , select your device and click "Test results". There are different sections for different functionality, when it comes to routing (any kind, including inter-VLAN), look at Ethernet test results table, rows Routing. In...

mkx

I thought my message was clear: change IP addressing of your LAN. Verify that everything works with new IP addresses. Only then add address to router which will allow it to communicate with modem. As to the src-nat rule: it might actually work as it is. We'll think about it when we determine necessi...

mkx

For changing IP config on router, use winbox with MAC connectivity ... when winbox is started, click MAC address of your router in the "discovered devices" tab. This was changing router's IP settings won't break managmenet connection. Re. IP addressing: as I can see, you're currently receiving publi...

mkx

/system interface How sure are you of that command ? Not very sure. Here's the guide, it seemed to go OK aside from the very first part. I'm testing it right now to confirm it's working as expected. https://github.com/hallzhallz/Articles/tree/master/2020-04-25%20Mikrotik%20hEX%20S This guide seems ...

mkx

So I dont unterstand why this does not work..

Because it's pretty much wrong.

Read through this fine tutorial.

mkx

As you probably know, you can check status of NTP client using /system ntp client print ... the DHCP-asigned NTP server IP address should appear in the output. If it's not, then the use-peer-ntp option doesn't work (I don't use DHCP assigned addresses for vital network appliances so I don't have exp...

mkx

Probably you can't change MAC address without first connecting to the unit. Depending on how the unit was set up you might be able to connect to it using different interfaces (e.g. wireless versus ethernet). If the unit was reasonably secured, then probably the only solution is to reset configuratio...

mkx

/system interface
But it says "bad command interface, row1 column9" or something like that.

I've been using ROS for quite a few years and quoted command did not exist in my era. So it must be some kind of an error. Can you qoute some part from the guide to see the context?

mkx

@msatter, I fully agree. I also find articles and posts, where authors use shorthened commands, most annoying. It hurts readability a lot and I guess it only serves authors to position themselves as some hotshots. @mutluit: if I knew your background, I would word my posts only slightly differently. ...

mkx

FIrewall is always used for traffic being routed ... meaning between different IP subnets. Generally yes, but I would say that a firewall can also be used inside a closed environment within just the same one subnet, without any uplink. Do you think this doesn't make any sense? IMO it very well does...

mkx

The building owner has chosen to pay for an FTP connection and provides tenants with connection via wifi. He provides the hAP ac lite device so that we can set up our own individual LANs. So if I understand this right: the hAP ac lite is client to landlord's wireless system to provide you with inte...

mkx

Just a minor remark: There is a possible problem with DHCP client on a bridge. .... Some brands of DHCP servers may struggle with the fact that the ARP entry and DHCP entry has different MAC addresses for the same IP address, what is not a conflict for DHCP packets. In station-pseudobridge-clone mod...

mkx

connection tracking: one thing different with fast-track, is that it bypass connection tracking, No, it doesn't, fast track only works for packets belonging to marked connections (see description of fasttrack ) and those are marked by connection tracking machinery. Which means router still has to p...

mkx

If devices are inter-connected with conductive cables, then they are not truly galvanicly isolated. And conductive cables include UTP cables. If you want to galvanically isolate devices, then you need to use a stretch of optical cable on interconnect ... and certainly use separate power adapters, po...

mkx

Slow speeds at the start of a download and then higher speeds after some time is not a bug of the router, it is a feature of TCP. Certainly you're right about that. However it doesn't explain the difference between behaviours OP observed ... the sending server cannot know that fasttrack is running ...

mkx

Perhaps explanation about why some services continued to work after you added the block rule: 1 ;;; TEST chain=forward action=reject reject-with=icmp-network-unreachable src-mac-address=iPhone's MAC addr. log=no log-prefix="" 9 ;;; defconf: fasttrack chain=forward action=fasttrack-connection connect...

mkx

There's a nice article on wikipedia about different bonding modes. Read it, it'll answer all your questions.

Section about Linux bonding driver is the most interesting (as this is essentially what ROS does).

mkx

FIrewall is always used for traffic being routed ... meaning between different IP subnets. The use-ip-firewall=yes option only affects traffic passing bridge which would otherwise skip CPU (because it is within same IP subnet). Regarding mismatch between reality and documentation: if you think that ...

mkx

So a thought came, what if 2 switches (desktop grade) are linked by 2 cables, would there be an increase in bandwidth between the 2 switches. As explained by posters in previous posts: this only works if both switches support bonding with the same bonding strategy (803.2ad is the most likely candid...

mkx

Two things to be done on cAP ac:

Configure default route in /ip route using main router's LAN IP address as gateway
Configure DNS servers in /ip dns ... use same IP addresses as usual LAN clients use

mkx

hEX S hardware is too weak to deal with 10Gbps speeds (that SFP+ offers). It would need better CPU and possibly better switch chip. All of that is available in RB4011 (there's also same device with wireless built-in). It is bulkier though.

mkx

Which ROS version is RB2011 running? And which version of routerboot? You can check the later in /system routerboard print?

mkx

@lapsio: nicely written. Too bad @vortex won't get past the first paragraph ...

mkx

So I guess you tried my suggestion in post #10 above and it didn't work?

mkx

I'll guess: the unclassified includes idle time. But I may well be wrong.

mkx

You can perceive things like that. But more likely, with many LTE users around, you'll hardly see actual throughput hit 100Mbps ... 300Mbps is theoretical peak which can be achieved if signal level is perfect and you're the lone user of both cells used in CA. In reality there will be many users in t...

mkx

@huntah, thanks for reply. Previous to posting my OP I also tried with vlan-header=leave-as-is ... worked just the same as with my posted setting. However if I tried to set vlan-mode=secure or vlan-mode=check , I lost access to device's CPU. From official manual : fallback - checks tagged traffic ag...

mkx

The add-on package has to match ROS architecture and version (to the last digit). Anything in log after reboot? It should have some information about package - either that it was installed or some complaint about how the package was inappropriate.

mkx

I feel relaxed since we started to have a pub chatter ...

I was attempting to demonstrate that one can leave MACWINBOX up and running and still feel secure from other LAN users.

Sorry anav, this is a recent addition to your original statement ... which changes your standpoint infinitely.

mkx

Device which routes traffic between subnets (e.g. between different VLANs) can of course account that traffic. However, VLANs are only one of ways to separate subnets (another one is having separate physical subnets). But regardless the L2 (or L2.5) technology, as long as there are devices within sa...

mkx

Since you explicitly asked me to donate my 5 cents ... I've nothing to add to @sindy's endless wisdom.

mkx

I have software that is analyzing , blocking, sniffing traffic based on ip address group. I will connect to different port different departments (i want to have traffic report for all department, not for specific pc) Ah, I forgot to add: whatever magic you do, within L2 network (whatever the extent...

mkx

Good practice is to limit mac access to winbox to only the interface the admin uses not necessarily all lan interfaces...........

And place a sentry near the device to prevent some trespassing by to plug their gear into management port.

Or get out of paranoia mode and use some common sense.

mkx

Last word of caution: your router currently doesn't have any firewall whatsoever. It is an easy target for hackers and you should really implement some. My suggestion: check the default firewall filter rules, they are very decent starting point. However, before implementing those rules you have to p...

mkx

You don't have to install ntp package if you only want to set time on the router itself, ROS includes sntp client in system package. If you want to set up router as NTP server, then install ntp package from extra packages (available as ZIP file from download.mikrotik.com)

mkx

The problem with your plan is the following: DHCP is a L2 protocol meaning that you can only have one DHCP server per ethernet segment. Which is fine as you plan to segment your network off separate ports of your router. However, devices belonging to same L3 network expect to freely communicate with...

mkx

IMHO fixed wireless broadband without using a big (ugly) antenna should be banned by constitution. In some countries, it's the reverse, use of the network designed to serve mobile users to provide service for fixed equipment was even prohibited by telecommunication law Probably you're right, but qu...

mkx

This rule

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ppp-out1 src-address=192.168.88.1

only covers router's own address ... remove the last part (src-address), it should be like this:

add action=masquerade chain=srcnat out-interface=ppp-out1

mkx

That's not that important as I'm still just learning and also experimenting. Well, be everybody's guest and do whatever pleases you ... I've always found learning by starting from solid cases to be the best. Study default firewall filter rule set, try to understand what each and every line does and...

mkx

Post the config (/ip firewall nat export and anything related, e.g. address lists and/or interface lists) and let us examine it ...

mkx

ROS runing on your device is ancient. Upgrade it to latest available for your device (globally that would be 6.46.x, I'm not sure if your vintage RB750 is still supported). Probably you'd be better off setting dial-on-demand=no on pppoe-client configuration. And enable your last firewall rule (drop ...

mkx

Wouldn't a better solution be a hAP ac2 with an outdoor mounted wAP LTE modem for fail-over, aggregation, or simple broadband connection? I have the same opinion, provided that the LTE modem used in the hAP ac³ is a plug-in one which will be available also for use in the wAP LTE kit. But some peopl...

mkx

/tool profile cpu=all

mkx

This one: 5 ;;; drop all invalid dstIPs chain=input action=drop dst-address-list=bogon_IPs because ... [admin2@MikroTik] /ip/firewall/filter> /ip firewall/address-list/print Columns: LIST, ADDRESS, CREATION-TIME # LIST ADDRESS CREATION-TIME ;;; RFC6890 2 bogon_IPs 192.168.0.0/16 apr/29/2020 14:33:28...

mkx

Make sure you have the following: in step #3 you have to configure /ip dhcp-server network ... you need an entry with minimum of the following attributes: address=192.168.88.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.88.1 netmask=24 in step #6 you need to check add-default-route As you did not ...

mkx

Interrupt handling is not relevant information to judge how general load is distributed among CPU cores. My experience goes that interrupt handling depends on HW architecture as well, many x86 hosts service interrupts on a few distinct CPU cores, some even by core 0. If you want to see if second cor...

mkx

Can you please point to wiki on how to set up a wireless repearer/bridge with mikrotik routers? Must be 802.11 protocol so non-mikrotik devices can connect to the same wifi networks This wiki article discusses different WiFi client modes available on ROS devices. What you're after is the following:...

mkx

... as a Virtual Machine (CHR) on ESXi, KVM, HyperV (and I think Xen too).

According to official docs works under VirtualBox as well.

mkx

On a RB951G I have VLANs configured "the old school" way - on the switch chip. In ROS v6 this setup works great and is fully HW-offloaded. I can't get the same/similar setup work on v7 at all. Initially I tried to upgrade from 6.45.7, but after reboot the device did not come back to the network. Min...

mkx

Queues and fast-track are mutually exclusive. So you have to disable fasttrack ... by default there's a rule in /ip firewall filter with action=fasttrack-connection chain=forward . Disable that rule and then wait for connections to die off (when a connection is fast-tracked, it can't be un-fast-trac...

mkx

Your chain=input is not complete ... some vital rules are commented out, but you didn't replace them with your own like you did for chain=forward . Which means that router with such firewall is an easy target for an attacker. You did not show it in posted fragment, so it's not possible to guess if i...

mkx

I'll qoute myself: NTP stands for Network Time Protocol. So when there's no network connectivity, you don't have precise time. Now ... you might fing some way of giving routers a tiny connectivity towards some NTP server (DHCP serving private IP address should do the trick) while still requiring PPP...

mkx

Beware of the fact that rules are executed from top to bottom. Which means that any rules below add chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN action=drop # drop all from WAN not DNATed are useless as they very likeky won't get hit at all. And make yourself...

mkx

My guess: if you add switch1-cpu interface to vlan members (in /interface ethernet switch vlan), then you should also set it as tagged (/interface ethernet switch egress-vlan-tag ... who knows what is default, probably untagged ...

mkx

NTP stands gor Network Time Protocol. So when there's no network connectivity, you don't have precise time. Apart from that: router's internal clock keeps running even without internet, it's just not very precise any more. Such devices loose or gain up to a few seconds a day (most are better than th...

mkx

@mkx personally i will never use 40Mhz channel width to any CapsMan setup in the 2.4Ghz Band... Well, what you personally do is your business and nobody (except regulator's inspectors) can force you to do otherwise. However, when you try to help other users, you can only nicely suggest they set thi...

mkx

I just wrote a PM, The header says "Sent" plus datetime, but it is placed in the Outbox folder. What is the "Sent messages" folder for? It's empty in my case. In similar forums the message stays in Outbox until receiver opens it. While message is in Outbox, sender can still edit it (and possibly de...

mkx

The first command configures ingress behaviour while the second one configures egress behaviour. Both commands are not entirely independant of each other though, setting ingress-filtering=yes establishes the dependency. Another important setting is frame-types= ... It is possible to set interface to...

mkx

best I can do right now is a CHR license

Send them to @anav and he might squeeze some mapple syrup from them

But I wouldn't mind getting one

mkx

Well, OP never mentioned which device type he's using. If it's from the pro-line (CCR, CRS3xx, RB1xxx), then it comes with empty default config and OP can't really revert to default config.

But then configuring those devices requires pro-admin who knows his job ...

mkx

Take a look at VLANs as already suggested ... using VLANs you can split your network into separate parts and configure it so that only main router can pass traffic between different VLANs. It is not that complicated (about the same as capsman) ... You'll need it for your VMs as you already mentioned

mkx

Yeah, I couldn't begin to guess I don't really know this architecture. But I tested adding it back and as soon as I did it stopped working again. As others mentioned, switch shouldn't be doing that. So I'm guessing some other config is causing it. But one can't do any more guessing without you post...

mkx

What in particular do you want to do? Because bridge without interfaces means nothing ...

mkx

My bad for not noticing the "turbo 40MHz", I (perhaps wrongly) assumed OP wanted to use 20+20 mode (which is usual these days) and had issues configuring that. And I assumed OP used that particular wording for no special reason. Re use of 2.4GHz: the problem about many articles (not just about netwo...

mkx

@vortex: do us a favour and flatter yourself for not being a typical home or small office user. Stop claiming that your desires are typical SOHO requirements ... because they're not. You can call yourself a very advanced user who wants performance which is currently meant for HPC facilities and data...

mkx

Well, @zacharias, there are many clients that support 40MHz channels on 2.4GHz. And not everybody lives in city centres where everybody (including their dogs) run at least one AP on 2.4 GHz. There are also suburban/rural users where house to house distance (counting also wall attenuation) actually e...

mkx

That's fine. None of that is typically done in the home or small offices. But it is done in small closed research groups of up to that size. Research groups can't be considered typical SOHO groups. Hence they don't use SOHO gear ... even if it's the same devices, when they use them they are instrum...

mkx

It was not me who called a 4k-11k router SOHO. No, you didn't do it directly. However, you're very vocal at claiming 40Gbps is a minimum for contemporary SOHO[*] ... I'm just extrapolating that over current gear prices. [*] I'm not talking about special uses such as set forward by @mutluit ... and ...

mkx

Your selection of knowledge sources is not entirely wrong, just ditch the "random online tutorials". But it's the order you used which made your config a weird mess. So start off with default config and only change or add things you know you need. And things you understand. Official docs should help...

mkx

On every products page you will find a "Test Results" section that shows the performance of the Device... ... but while looking at those numbers, don't take the biggest one as relevant for average real-life use. Many of us on this forum find the number in "Routing - 25 ip filter rules - 512 byte pa...

mkx

You could set filter to follow UDP packets with dst-port either 67 or 68 ... any address and any direction.

"hockey sock full of ..."

mkx

I agree with you there must be a huge market for devices like that. Everyone in the SOHO business would want or need some. What @vortex seems to be implying is that such devices should come with SOHO price tag - and I fully agree at this point. Absolute number (and currency symbol) varies from mark...

mkx

Do you think I will see an improvement in throughput/performance of system, or even an increase in signal levels to/from CPEs? That highly depends on the CPEs and environment configuration between AP and CPEs. Improvement in signal strength can be anything between zero (with single-pol clients alre...

mkx

Ideally you'd start wireshark before initial address acquisition and then keep running it until after next address acquisition ... if run with appropriate filters it should show all DHCP-related handshakes including unsuccessfull tries. And if trace shows some mis-behaviour of ISP's core nodes, that...

mkx

Official test results are done on optimally configured devices which includes (working) fast-track. So if in your real-life scenario you're getting throughput of same order of magnitude as test result, then it means fast-track works. So yes, it seems that there's a minor bug in counters you're refer...

mkx

fast-track already does that. Only packets not fast-tracked enter usual firewall chain ... and depending on fast-track rule those packets are mostly belonging to new connections ... which are not that numerous. Or packets belonging to connections which require special treatment (e.g. are being mangl...

mkx

My suggestion: reset firewall filter rules to default rule set, it is a very good starting point (pretty safe and pretty high performance) which you decided to throw away. You don't have to reset whole device, you can see default config by running command /system default-configuration print (make su...

mkx

I still need to figure why Chrome on my desktop caps at 200mbps though. So you found out that speedtest tests speed of the browser as well :wink: You can check if chrome happens to consume more CPU during tests ... or if it's running on single CPU core (whereas other browser runs on multiple) durin...

mkx

hAP ac2 the newest of all three. Surprisingly prices of MT gear don't get lower when newer devices in the same segment get released... however prices of new devices are set according to market state at the launch time. Hence the weird state where older and less potent devices are higher priced than ...

mkx

If one antenna has horizontal polarization and the other one has vertical polarization, then this would be dual polarization setup when using both antennae. The inter-antenna distance doesn't matter when polarization is orthogonal. In fact antennae used in comercial mobile networks are mostly X-pola...

mkx

I have no access to the ISP modem, and neither does their useless tech support.
Not you, not them, so who has access ?

Probably @sindy

mkx

I assume all of the interface ports can be part of the same bridge? I saw one example online that was creating separate bridges, just wondering if this is necessary for some reason. Definitely go with single bridge. Use of multiple bridge is a) old school and b) not hardware accelerated ... Mind th...

mkx

I have HP V1910-24G switch. It is L3 core switch, but doesn't have DHCP Server feature on it. So I must setup DHCP relay on all VLAN interfaces to my MikroTik. But i want to know if MikroTik router can provide multi pools on the same interface on MikroTik to VLAN interfaces HP V1910-24G). Another, ...

mkx

Post full configuration of hAP ac2 ... open terminal window and execute command /export hide-sensitive ... and copy-paste results inside [code] [/code] environment. Redact any static public address and WiFi passwords (no need to redact SSIDs or MAC addresses).

mkx

Problem solved

The quoted post is completely useless. You should describe your solution to aide any future users with similar problem.

mkx

If you made DHCP lease reservation and you want host to start using dynamic lease, then click "remove" of lease. According to explanations in previous posts host will continue to use old IP address until it tries to renew the lease. At this moment DHCP server will either allow to further use same IP...

mkx

While RSRP (it's the cell's signal strength) difference between indoor (-93 dBm) and outdoor (79 dBm) is sensible one, it's RSRQ (signal quality) which is rather low. If it was the unrelated noise, tgen RSRQ should be lower (i.e. more negative) when RSRP gets higher. But the fact that RSRQ remains t...

mkx

I have 1Gbps WAN link and with current setup I can only get ~400/400Mbps.

Official test results indicate, that this device can't reach much more ... around 530 Mbps. Without working fast-track it can't do anything near this speed.

mkx

(can anyone tell me what's the different between IPQ4018 and IPQ4019?) Seems that 4018 misses some support for peripherial devices (most of which are not present in most of MT gadgets anyway) and possibility to select WiFi band on first WLAN interface (4018 has it fixed to 2.4GHz, 4019 seems to sup...

mkx

My take is that if counters on rule for enabling fasttrack in /ip firewall filter count traffic, then fasttrack is enabled and is working. BTW, /ip settings print show zero fasttrack packets as well. For checking the cause of high CPU load you should run profile ( /tool profile cpu=all ) and check w...

mkx

Your understanding is wrong. src-nat is mangling the src-address and src-port ... while dst-nat is mangling dst-address and dst-port. By that you mean ROS looking on the src part of the packet when using src-nat, and on the dst address when using dst-nat? Exactly. Which by itself makes rule half-ba...

mkx

You need hairpin NAT.

mkx

Post config of your RB ... in terminal window run command /export hide-sensitive ...

mkx

Either router needs a new admin or admin needs a new router... According to official test results (with a pinch of my experience) hEX S can route around 380 Mbps. But that's with 25 IP filter rules. OP has got 75 IP filter rules ... and 10 mangle rules which means that fast-track is out of picture (...

mkx

You can do it like this (example is for ether1, but any ether / sfp / sfpplus ports can be set up the same way): /interface bridge port add bridge=bridge interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes # this makes a trunk port - tagged only /interface bridge vlan add bridg...

mkx

Many devices from most vendors are more or less picky about SFP modules. Mikoritk prepared SFP compatibility list and you'll notice overwhelming lack of information about modules from other vendors. Which may be understandable, testing for interoperability is a huge task and there's no money for dev...

mkx

Specifications of SXTsq5 ac define powering voltage between 10 and 28 V. Implicitly this means that this device can not take 802.3af PoE (which is specced at 48V), it rather uses proprietary passive PoE (which RB960PGS can do if powered with supplied 24V power adapter). Specifications for wAP ac sa...

mkx

Which the wiki basically make a clear separation between ''dstnat chain'' to ''srcnat chain'' to my understanding, it means. srcnat - (Egress packets) - packet originated on LAN towards the WAN (LAN -> WAN) of course i don't forget the address translation process. dstnat - (Ingress packet) - packet...

mkx

@Zacharias, my suggestion was strictly for shown configuration which implies use of 3 ether ports (one for WAN, one for IPTV and one for LAN). Sure, if one wants to use 4 ports switched/bridged, then the config I proposed is not the best ... in that case I'd use single bridge which would include eth...

mkx

You'll have to set up VLANs on both devices properly. Setting vlan-id and use-tag on wAP is not enough.

I suggest you to go through this tutorial, it'll help you to see what has to be done in ROS. Hopefully you already undersrand basic concepts of VLANs ...

mkx

Thank you everyone! I really appreciate your taking a look! Why do you need "admit-only-untagged-and-priority-tagged" on the ports in your case? This setting adds extra port security ... it will discard any tagged packets on ingress which othereise might get delivered somewhere. Settings in /interf...

mkx

ROS firewall fakes connection state for UDP connections. Might not be as accurate as for statefull protocols, but helps to make constructing firewall filter rules easier. Probably helps for performance as well.

mkx

The export you're trying use is from quite old version of ROS (6.40) and sets some features not available in ROS versions past 6.42, such as this one set [ find default-name=ether3 ] master-port= ether2-master My suggestion is this: take the new device and start from default config. Then look at the...

mkx

At the last couple of weeks im working on wordpress site in my local lab, the site got to situation when i want to get others opinions so i had "port forward" any ingress traffic from WAN with dst-port 8080 using the following dstnat rule <snip> 1 ;;; enable remote access to wordpress chain=dstnat ...

mkx

Another way of dealing with your issue us to run command

/interface ethernet reset-mac-address

after restoration of "non-native" backup. I don't think there's similar command for resetting NAC of wlan interfaces ...

mkx

@mkx am trying to think how we could avoid the creation of 2 Bridges but i can't find something... I don't see where's the problem? Just a more tidy configuration... I never said there is a problem, relax @mkx :lol: Well, to make my own statement more clear: I'm all for single bridge. So I wonder w...

mkx

For my taste, the channel is much too noisy ... -68 dBm (if I interpret the table right) of noise is screaming, should be lower than -90 dBm. And signal strength from AP (-30 dBm) is too high as well - you can have problems to understand somebody shouting at your ear even though distant listeners ca...

mkx

Anyway, a working mac-telnet from linux terminal would be very handy.
Mikrotik, please share information about authentication mechanism. You do not need to provide any code, just share that information!

+1

mkx

No idea about your requirements. E.g. those 16 ports, should they be copper RJ45 or SFP? Do you want to run ROS or SwOS? If ROS, any requirements about L3 capacity?

mkx

@mkx am trying to think how we could avoid the creation of 2 Bridges but i can't find something...

I don't see where's the problem?

mkx

There's /system profile cpu=all during hicups to see if some process is over-using resources. You can check the byte-counts on interfaces (if using GUI to connect there are nice graphs made from those numbers). Look into /log if there's something logged when problems appear ... perhaps some ether po...

mkx

If you can't find a switch that suites you on this page, then you'll have to look at other vendors.

mkx

As I mentioned, /ip filter raw works more or less directly on packets without notion of connections. Then at some intermediate moment, there comes connection tracking which is a quite expensive operation. However, stateful firewalls have to do it and firewall in ROS is a stateful one. If you don't n...

mkx

I like the idea. Actually the computers I would like to assign static ips are linux machines, so I will give it a try. Beware that this idea probably fails miserably if both interfaces don't connect to same L2 network ... I guess the same idea can be used with dynamic address acquisition (over DHCP...

mkx

Filter in principle works on connection level. However .... ROS implements a feature called "fast track", which largely bypasses firewall functions for packets belonging to certain connections (depends on other parameters of enabler command, default setup is to use this feature for all established a...

mkx

Default SOHO setup does not bother with marking anything, just drops connection in /ip firewall filter...

mkx

sure there are some laptops that do it, but they have to run user-land software for that. Actually you can change the Metric of the Interface itself... If i set my ethernet card with Metric e.g. 20 and my wireless card with Metric 19 then the wireless card will be used as default... If the traffic ...

mkx

Maybe i should have posted the picture instead...

One picture tells more than a thousand words. Specially to illiterate. But then you posted link to block diagram of 2011 ... true it was before OP mentioned RB3011 as design taken as reference for all RB devices ....

mkx

@mutluit: why do you believe some random posters on internet forums rather than user support of manufacturer of your device? Common knowledge[/url] about CPU temperatures these days too much bases on stories of PC overclockers. But physics (specially thermodynamics of solid materials) says that over...

mkx

Is there any command/anything I can do to attempt to make the two connect or something like that? Used frequency sub-bands, used by H3G in your neighbourhood, are not contigous (i.e. there's a gap between both sub bands). And @uldis wrote that R11e-LTE6 doesn't support non-contigous intra-band CA. ...

Search found 4205 matches