MikroTik

mkx

What is best way to connect more the 3x iptv boxes in network? ISP modem has 4x ports.

Without giving any context? Then my guess would be: via a switch. If IPTV is delivered via multicasts, then the switch with IGMP snooping enabled.

But this suggestion can well be off the track ....

mkx

How to join two vlans on crs326? In my case vlan 301 (internet) and vlan 3999 tagged (video)? Don't. If you want to have connectivity from LAN hosts to both WAN networks (VLANs 301 and 3999), then set up appropriate routes on your router. Just don't join them on L2, you might cause all sorts of pro...

mkx

Bridge in ROS has two personalities: something like a switch (spanning member interfaces on L2) and interface (through which router can interact with networks). The interface part gets created implicitly with the "something like a switch" and is more or less full featured interface (which connects b...

mkx

I don't have any experience with Metal ... so I'm only guessing ... this device is peculiar because it has single dual-band radio. How does one select the band to operate (if setting up directly, not through capsman)? Simply by setting desired frequency band? There are some slight differences in how...

mkx

Fasttrack is firewall feature, so not applicable in OP's use case. And I think fastpath is enabled by default in all cases where possible. Anyways, I wouldn't expect CCR reach the benchmarked throughput ... my gut feeling is that the benchmark result which fits the real life the most is the one for ...

mkx

There's distinction between bridge "interface" MTU and bridge ports MTU: the later define maximum frame sizes that may pass the interface and has to be in agreement with the other end of the link (no use in sending frame that overflows the receiver). The former (bridge interface MTU) is more about t...

mkx

In the context of Internet Protocol, MTU refers to the maximum size of an IP packet that can be transmitted without fragmentation over a given medium . Also the IPv4 MTU is 64 kib which is 65535 Byte... ... over given medium ... which is L2, in our case ethernet with its limitation, whatever it mig...

mkx

Two firewall rules: first one allows connections to hospital's management system ... second one drops all other connections. It's not this simple really, there are several connections and protocols which support connections to hospital's management system, so when defining filter rules one has to ta...

mkx

And E4:8D:8C:F8:72:7F is MAC address of CAP's bridge1?

BTW, CAPsMAN config has channel.band=2ghz-b/g/n (and matching frequency), while CAP's wireless interface is 5GHz??

mkx

And how in particular did you configure certain CAP for dual-SSID operation? That config stanza is not in posted export.

mkx

mkx, the MTU of an ethernet frame is 1500 Byte.. The MTU of an IP Packet is 65535 Byte. ... However the actual MTU always remains 1500 Byte.. How about reading some docs about ethernet frame sizes? Start with Wikipedia article . IP datagram max size is 65535 bytes (and this is not referred to as MT...

mkx

Can you share capsman config (output of /capsman export hide-sensitive)?

mkx

however, 2 issues for me there: first I don't know which of 2 types described there are aplicable to me (local forwarding or capsman forwarding) Generally local forwarding is more resource friendly for both CAP and CAPsMAN devices. It is about how the data from wireless get flushed to network ... l...

mkx

You already have native Web interface. What's wrong with it? For me two things: with WebFig it's not possible to have more sub-windows open at the same time ... only jumping between sections. When debugging something it is very useful to have possibility to check more aspects of same problem instan...

mkx

Change it to what? Change it to e.g. 10000. I've checked it on my RBD52G and behaves the same way. l2mtu is set to 1598 and there's no way to set mtu to anything larger than l2mtu. And conducted a test: I created a new bridge and it appeared with l2mtu set to 65535. And I could set mtu to 10000 wit...

mkx

My approach would be this: create separate wireless networks (different SSIDs, virtual AP would do if capacity reqirements are not high), transport packets through wired network using VLANs and deal with peculiarities (filtered internet access) on the router/firewall.

mkx

I'll assume you want to set up a virtual AP to run guest WiFi and that you'll use VLANs to separate traffic of both APs between each other. So the setup steps are more or less the following: in /caps-man datapath create two datapaths appropriate for both traffic sources (VAPs). Set appropriate prope...

mkx

... based on Router OS 7.0 (perhaps even a high powered ARM device given the 7.0beta has been exclusively released on ARM for now) There is a X86 Package. So you could go with plain PC hardware. For sure a core i7 will outperform CCR. Right now ROS V7 beta is available for ARM architecture and as C...

mkx

Are you trying to get PIM or IGMP working or both? both :) I don't think you need both. If you're about to pass VLAN 3999 (almost) unaltered from ISP to your STB, then that's L2 config and IGMP snooping should do the trick. If you're going to route multicasts (so STBs are part of internal LAN witho...

mkx

Bridge BR1 is tagged member only of VLAN 99 ... but should be tagged member of all VLANs which have their corresponding vlan interface (10, 20 and 30).

mkx

... and add one on top of it with Radio A's MAC address. In my case it's MAC address of CAPs interface talking to CAPsMAN that needs to be configured in special profile ... in particular it's CAP's bridge MAC address, not the wireless interface's one ... It's not necessary to configure anything els...

mkx

mkx

You can. After you created several CAPsMAN profiles, bind particular profile to particular CAP in /capsman profile ... use radio-mac= property. It seems that when CAP wants to bind, profiles get searched from top to bottom and first match wins. Meaning that the general profile definition (without ra...

mkx

It seems that the card gets recognized

Just because ROS knows gadget's name it doesn't mean it's got drivers for it.

mkx

And share your current config (as shown by /export hide-sensitive) so that we don't have to guess the RB model and how it's set up ...

Don't obfuscate it too much, MACs and private addresses don't help potential attackers much...

mkx

You're looking for hairpin NAT.

mkx

Please execute command I wrote in my previous post (in italic ) in a terminal window ... screenshots are really hard to analyze, most of time they don't show all the needed information. BTW, do you have to expose WebFig over https? Because that's the /ip service all about. You don't have to enable i...

mkx

- I try to connect to port 443 (I have domain with https ) and forward to 8000 (it is my server) - don't work Can you post output of /ip firewall export (and obfuscate your public IP address if it's somewhere in exported data)? I still think it's something about your configuration ... or perhaps yo...

mkx

Make sure you're using latest version of winbox. When using mac-telnet from another mikrotik device, ROS version on the other device has to be recent as well.

Reason: password handling changed on ROS versions between 6.41 and 6.43 ... and older clients are not compatible with new server software.

mkx

You indicated port 110 ... which is used for POP3 protocol and should be initiated by client. But description of the problem hints at use of SMTP protocol (which delivers mail to post box), but that one usually uses TCP port 25 ...

mkx

All that browser does is it verifies server's certificate to its own information (such as FQDN used to connect to server). It is server which sends certificate back. So when you're connecting to Mikrotik port 443 (or is it port 8000?) and it returns Mikrotiks certificate instead of server's one, thi...

mkx

the gigabit standard is full duplex. BTW, the link partner in example posted in my previous post is not Mikrotik ... The IEEE 802.3ab standard defines both half duplex and full duplex. And standard explicitly states that Gbps operation without auto negotiation successfully completed should not be p...

mkx

It should be doable in SwOS, but I don't have any experience with it what so ever. It should be doable in ROS as well ... something like this: /interface bridge add name=bridge vlan-filtering=yes /interface bridge port add bridge=bridge interface=ether1 ingress-filtering=yes [pvid=N] add bridge=brid...

mkx

[admin@sw3] > set bridge=bridge comment="Bridge With All VLANs" tagged=Production,Storage,DMZ,VPN,wise_guest,RED,thor-enp3s0f0,odin-enp3s0f0,medusa-enp3s0f0,sfp-sfpplus4,sw0-24 vlan-ids= " 100,101,102,103,104,105,666 " syntax error (line 1 column 5) vlan-ids should be either single value or value l...

mkx

As it turns out my belief was inacurate. If I changed setting on bridge to frame-types=admit-only-vlan-tagged then the implicitly set vlan (implicit pvid=1 setting on bridge) disapears from output of command /interface bridge vlan print . Which means wiki is right and I was wrong, one can create tag...

mkx

Does this mean the wiki is incorrect?

Which part of which document do you have in mind?

mkx

So the best way would be to replace my current hEX RB750GR3, although it is doing a fantastic job up to wire speed, In this case the best would be to keep using RB750Gr3 as router and use CRS309 as switch (personally I'd run ROS on it, in theory OS selection doesn't change functionality nor perform...

mkx

Could this switch replace my small hEX RB750GR3 router It could ... as well as race horse can replace an ox. Seriously: you wrote ... CRS is a switch and RB750Gr3 is a router. Don't let be mislead by the fact that CRS can run ROS. Test results on the product pages show that RB750Gr3 is slightly bet...

mkx

Bridge interface , which gets created implicitly for any bridge bridge , is implicitly created as untagged member of VLAN with VID=1 (which makes using VLAN VID=1 in the rest of config so exciting). You can change that if you set pvid on bridge interface to something else ... but you can not make br...

mkx

It has a quazi directory structure so I can't just write script and past and it applies (unless there is some mode I am missing) The configuration script would be a series of CLI commands, written in plain text file and usual name extension is .rsc . You can push a script file to the routerboard an...

mkx

A thought: with CHR shut down, create a copy of HD image, then start some linux and mount the CHR virtual HD. Find and manually purge the excess files. Then unmount the CHR virtual HD from that linux and start CHR from it. If procedure failed, recover CHR virtual HD from saved backup. The whole thou...

mkx

SRC-NAT and DST-NAT don't differ much from resource-consumption point of view so the direction of connection establishment (LAN -> WAN versus WAN -> LAN) doesn't explain the difference in performance you see. So my suspicion is that ISP is somehow throttling incoming connections to discourage use of...

mkx

I guess this thread is about similar issue ...

mkx

You can set it in whatever way /ip firewall filter allows you. I.e. /ip firewall filter add action=fasttrack-connection chain=forward comment="fasttrack ether2" in-interface=ether2 connection-state=established,related Probably doesn't work for "enslaved" interfaces (e.g. interfaces which are members...

mkx

in contradictory i want to say that DST-NAT in PREROUTING chain and it is done before routing decision, not after as you said, check packet flow diagram.... DST-NAT is indeed in prerouting. However, the NAT rules are about SRC-NAT and that's done in postrouting which comes after routing decision. S...

mkx

When subnets is made, you can simply add src-nat for each subnet.. Is it really this simple? My impression is that dst-nat is done after routing decision is made (which actually selects the out-interface). Which means that src-address property in NAT rules example doesn't help. Instead it would be ...

mkx

Question: Is there a command to enable or disable mangment access on a given interface. Ex: bind IP to VLAN (as router interface then) is that by default capable of response to mgmt traffic? In RouterOS there's no a-priori distinction between L3 interfaces (those with IP address bound) with regard ...

mkx

A bit more tricky is going to be the setup / config, specially if you will use 3 AP Wifi interfaces (and not as MESH). Which 5Ghz network will a client select if you have 2 with same SSID at two different channels? Or create 2 or 3 different SSID? Running two 5GHz channels with same SSID in the sam...

mkx

I'd say its definitely your ISP. As of default config: the command outputs a script that, if run on unconfigured router, will create default config. You can take out any part and apply that manually. E.g. default IP firewall filter rule list is this: /ip firewall { filter add chain=input action=acce...

mkx

OK, from the exported config it's clear that your firewall is non-existing ... implicit default rule is allow and as you don't have any drop rules you should be able to connect to Webfig just from anywhere. As you're not able to do so from internet, it's clear that your ISP is doing some firewalling...

mkx

Both rules have one error in common: setting src-port=80 allows only connections that have originating TCP port 80 ... which is highly unlikely, browsers usually use random TCP ports with numbers higher than 30000. So delete this part of rules. Both rules shown are opposed to each other as they stan...

mkx

Distros in the US are sending out "we have Audience in stock".

But still not seeing anyone saying... "Yes I have used it... And..."

Everybody is waiting for you to share the experience

mkx

Figure out which device is "THA-101" and why it's reporting two distinct MAC addresses (using up two IP addresses). Then you might discover the reason it doesn't respond to pings ...

mkx

How do you get collisions on a gigabit port since it only operates in full duplex? My RBD52G (giga ethernet ports) shows this: /interface ethernet> monitor ether1 name: ether1 status: link-ok auto-negotiation: done rate: 1Gbps full-duplex: yes tx-flow-control: no rx-flow-control: no advertising: 10...

mkx

I think I have a bad AP, doing more testing I was able to replicate the issue with the hardware firewall with my device connected to a different AP. You never mentioned using wireless in your previous posts (although you did indicate the packet flow but obviously it was missing some hops). 1st rule...

mkx

You can select another port on WAN interface and forward it to port 80 on Fronius: /ip firewall nat add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=8080 protocol=tcp \ to-addresses=<IP-OF-SOLAR-DEVICE> to-port=80 in the above example it's port 8080 which is available on WAN side. Then...

mkx

If PPPoE connection is terminated on RB, then correct WAN interface is pppoe-out1 (or whatever its name). And you don't have to specify both dst-address and in-interface in this case as most likely there's only one IP address bound to WAN interface. BTW, default settings use interface lists. To foll...

mkx

The VLAN setup is pretty flawed. I suggest you to go through this tutorial . Then come back with questions. BTW, VID=1 is used as default in many places. So try to avoid using VLAN with this VID to avoid some surprises. And try to avoid using "hybrid" ports (a port with a few tagged and one untagged...

mkx

If I remove it, I cannot access the camera or the website on the LAN add action=masquerade chain=srcnat out-interface=bridge1 Current code. add action=masquerade chain=srcnat out-interface=pppoe-out1 add action=dst-nat chain=dstnat dst-address=\ 115.77.218.118 dst-port=8080 protocol=tcp to-addresse...

mkx

The first part of my previous post (getting rid of one particular NAT rule) should fix the IIS log entries. The second part of my previous post (question about wanted functionality) still holds ... unless you introduced the quoted NAT rules in attempt to fix IIS log entries ... in this case, get rid...

mkx

Perhaps you could start off by reading firewall manual?

mkx

what to do now? Adjust /ip firewall filter rules to allow access to services you want to expose. However, it's a baaad idea to allow access to any of router's services from random internet IP address (let alone allowing it from any address). So it would be wise that you reconsider decision to allow...

mkx

Antenna gain on a Disc should be set to 21, you are running far too much power for a short link. Sorry for being a noob, is the antenna gain subtractive to the TX power? What I mean to ask is the antenna gain in dBm units? dB != dBm. The big picture about Tx power is this: in most (if not all) coun...

mkx

Settings you shown are not conclusive, but I think you should get rid of this config line: add action=masquerade chain=srcnat out-interface=bridge1 It causes to masquerade src-address on every packet leaving router via any of interfaces that are members of bridge1 (and I assume that's your LAN). I g...

mkx

So everyone came here for x64 support on mac. Just because Mac users are more vocal it doesn't mean that there aren't non-Mac (and non-Win) users who would appreciate 64-bit windows app for runnig in their wine (or other wine-like) environment. Unless Mikrotik somehow decide to support a few OS pla...

mkx

inter-VLAN routing is no different than any other routing. Prerequisite is that router has a few vlan interfaces, one for each VLAN which it needs to route. And appropriate IP address set on both interfaces. By default, ROS will route between any interfaces with IP address attached unless firewall f...

mkx

This is using BTest on the device itself. I suspect BTest is terrible at testing tcp, ... Bandwidth test is terrible when run on devices with less than fastest CPUs. If you do CPU profile while running bandwidth test, you'll most probably note 100% CPU load which means that CPU is (artificial) bott...

mkx

Let's call CCR1009 (the ISP facing) R1. And let's call CCR1036 (the remote one) R2. The simplest case: if R1 and R2 are (more or less) completely independent from L3 (IP) point of view, then you could bridge two SFP interfaces on R1 (one currently used for WAN and one currently used to connect to R2...

mkx

If i understood correctly.... Nope, UDP port 49049 is used by Inverter to connect to the cloud and should work just fine with default RouterOS config. What needs to be done is to forward port 80 from internet to Inverter. Like this: /ip firewall nat add action=dst-nat chain=dstnat in-interface-list...

mkx

what i meant was, that if I give an IP to the bridge i will be able to login to the routers which are working as a switch, but i guess this will make it routing, not switching. Nope, it's not like that. On devices with switch chip (that can do wirespeed switching between ether ports) router's CPU i...

mkx

Those tests are described here below the produt, in the Test tab: https://mikrotik.com/product/CCR1072-1G-8Splus#fndtn-testresults I think that the point of the whole thread is not about the tests, it's about potential new high-end routers. And I think we'd all love to get some clarifications from ...

mkx

Usually I only log alarming events and not the rest ... to avoid exactly the case you've run into: log overflow. And generally firewall drops are not the kind of data I want in my logs unless I smell something fishy and want to dig into it. So unless you want to determine why some device constantly ...

mkx

... if I remove all L3 access from the switch, how would you suggest accessing it for management? Not all of it, you should keep vlan20 and related L3 setup ... And make sure you firewall VLAN20 from the rest of LANs (and WAN) on your main router. The trouble with (over-configured) L3 devices is th...

mkx

BTW3: when things start to behave, make sure you configure also VLAN security parameters on /interface bridge port ... in particular frame-types and ingress-filtering properties of individual ports.

mkx

First of all, try to restart (cold boot by first powering down) both devices to make sure that running config is actually what's configured. BTW, if you're trying to ping CRS' address, you can't because br-trunk has to be tagged member of itself. Same goes with RB ... If things still don't behave af...

mkx

There's potential chance for having problems if you want connectivity between devices in different LAN subnets and you want to have firewall between them. If you want to have it, then the setup will have to be slightly more complicated. If you won't allow any connectivity between devices in both sub...

mkx

Yup, leave pvid set to 1 or whichever vid you're not going to use. How things work: if a port has pvid set, it will add VLAN tag to any untagged packets on ingress. And natural configuration would be to have same port set as untagged member of same VLAN ... so that VLAN tags get stripped on egress. ...

mkx

1st rule: don't use pvid on bridge, rather explicitly configure vlan interface with appropriate vid (as you have it later in the config) 2nd rule: don't ever use pvid on trunk interfaces, run them all tagged (right now you have configuration mismatch... ether1 n CRS and ether2 on RB have pvid=10 set...

mkx

If I were you, I'd consider segmenting home LAN.

mkx

Almost all routerboards can work wirespeed with ports in bridge ... if there's a switch chip in the routerboard, all used ports are connected to same switch chip (you can check the block diagram for your routerboards) and no fancy functionality is used. If you are not going to use VLANs then it shou...

mkx

That's a great option, I agree. I even did that, however, the problem is, I need to route the traffic do to not let my internal network be shared with my ISP's network. If I simply create a bridge and put my LAN and my TV VLAN on it, I'll be sharing my traffic on L2 level with them. Not really. You...

mkx

My strategy is to pass the IPTV VLAN switched to my LAN (select interfaces) so that Mikrotik is not interfering with multicasts. I even don't bother with IGMP (I let multicasts flood those we select ports), you may want to play with it ... but as a feature of switches (not routers).

mkx

Like this? Yup, something like this. By the way, under /interface list member. Should I remove this? add interface=eth10_cloud_key list=LAN Since I have: add interface=gastrofix_cloudkey_bridge list=LAN Indeed. BTW, it is advisable to use action=src-nat if your WAN address is static (as it seems to...

mkx

The bridge gastrofix_cloudkey_bridge definition is fine. But you'll have to go through config and replace interface eth4_gastrofix with interface gastrofix_cloudkey_bridge almost where ever you see it. A few places where it should be done: /ip dhcp-server /interface list member (it should be enough ...

mkx

AFAIK there's no correlation between settings in /ip dns and in /ip dhcp-server . The former are used by ROS built-in DNS client (which might be configured to relay DNS queries) while the later are used by DHCP clients (LAN hosts receiving settings from ROS' DHCP server). Which means that using conf...

mkx

DNS servers to be used for particular (DHCP / IP) subnet are defined as /ip dhcp-server network add address=192.168.7.0/24 gateway=192.168.7.1 netmask=24 dns-server=X.Y.Z.W,Y.Z.W.X domain=domain.tld so you can specify multiple comma-separated DNS server addresses. And optionally you can specify (sin...

mkx

... I think to use CCR1036-8G-2S+. What do you think about it?

Personally I don't have any experience with this particular model. Hopefully some other user will chime in.

mkx

WOL packet from internet is a plain UDP packet. Since you're specifying IP address on your dst-nat rule, it's then up to routing engine to select correct L3 interface (probably some vlan interface) which should pipe the packet to correct VLAN. Packet testing method is entirely different: it uses spe...

mkx

Strictly speaking, if some port on router's WAN interface is not already used for existing connection to the same remote address, then NAT process does not have to change src-port (connection tracking engine only needs to track the tuple protocol/src-address/src-port/NAT-address/NAT-port/dst-address...

mkx

If I understand you right, the only problem is that you can't ping 8.8.8.8 from your mikrotik router (but from fortigate you can)? If that is so, then my guess is that ISP doesn't do NAT (or even blocks private IP addresses). And running /ping src-address=41.X.X.221 address=8.8.8.8 should work ...

mkx

Sorry for restarting this thread, but I am curious about how to set up DHCP on eth4. Range 192.168.7.42 to 192.168.7.80. Any help with this? create address-pool with wanted IP address range in /ip pool add appropriate network settings (which actualy define gateway address, DNS server address, etc.)...

mkx

My 5 cents: don't use DHCP to configure addresses of any important gear (which includes LAN equipment) ... unless there's a really (and I mean REALLY) good reason for that. Not even static DHCP leases. It can happen only too easily that DHCP server is not available at time when that gadget restarts ...

mkx

My guess is that you should be going for some higher-end solutions: RB1100AHx4 or CCR series (a CCR1016 would probably do), depending on which kind of interface you need to connect router to the rest of network (1Gbps copper or 1Gbps SFP or 10Gbps SFP+). Performance-wise a RB4011iGS+RM would do as g...

mkx

Do you have /caps-man datapath local-forwarding set to yes or to no? If it's set to no, then the bottleneck can be CAPs manager device as well. Generally it's advisable to set things for local-forwarding=yes ...

mkx

Product spec page states, that the device comes bundled with "license level 5". You can read about different license levels here . BTW, all Routerboard devices come with licenses included, only level varies. It is necessary to purchase license for using ROS x86 (running on generic PC hardware) or R...

mkx

Configuration I did - Please post complete configuration (output of /export hide-sensitive , you can omit the wireless security profiles). The part you posted indicates incorrect settings regarding bridge (the whole subtree), but it's hard to show what exactly is wrong with it without seeing the wh...

mkx

The two firewall filters should help. Although if your firewall filter rules are following the default filter rules set, then there's already a rule add action=fasttrack-connection chain=forward connection-state=established,related which should do the trick a few packets later than the pair of rules...

mkx

How about googling? Some of these apps have been already discussed on this forum.

mkx

... although what is /interface bridge filter add action=drop chain=input dst-port=68 in-interface=ether1 ip-protocol=udp mac-protocol=ip for? This one blocks DHCP offers and DHCP acknowledgements traveling from ether1 towards anywhere else. See description of DHCP operations . Which means that any...

mkx

Beware that queues work well on the sending side of the bottle neck (i.e. your ADSL link), but can help only slightly on the receiving side (and only for TCP, doesn't help for UDP & co). So if the problem in your case is downlink, queues on your router might help but can't cure the problem.

mkx

Take a look here https://mikrotik.com/products/group/switches
None of them has 48 sfp+ ports or 24 qsfp

Meaning that Mikrotik doesn't offer what you're looking for.

mkx

Just in case you missed it: if you want mangling to happen, you have to disable fattrack-ing (by disabling the right rule in firewall filter list). Other than that, you can export complete configuration by executing /export hide-sensitive in a terminal window. Before posting output you probably want...

mkx

If you expect that WiFi will be handy at that location, you can go for RBD52G-5HacD2HnD-TC which is a very decent router as well, plus it features both 2.4Ghz and 5GHz wireless. Why not the hAP AC2? Cost a (very) little more - but has more CPU, a better switch chip, more routing power and You can a...

mkx

latest .npk file can be succesfully uploaded manually to devices but maybe no space is left to complete update operation (after reboot they came back with the same version).

You should check the log about the reason for router not performing the upgrade.

mkx

My 2 cents: consider using fibre connection between building A and building B. It's not only because 70m is quite a long stretch for anything higher than 1Gbps. Using fibre makes your investment future proof ... and resilient to any over-voltage effects that are about to happen (it's not question ab...

mkx

... but if a car battery isn't producing 12V consistantly, it a problem with the car (or battery needs to be replaced)... so there that too... The problem with typical lead-acid batteries is that they perform worse at low temperatures ... even if they are in excellent conditions. And during those f...

mkx

Post your current config as shown by /export hide-sensitive (and redact any remaining sensitive information such as public IP address).

mkx

You're using MAC winbox connection from your PC to router: https://wiki.mikrotik.com/wiki/Manual:IP/Services

I guess you should block it

mkx

Thinking of it: you have routing triangle and connection tracking firewall on router1 doesn't like it. Let's say you're running wget from PC with IP address 192.168.191.100. Here's what happens: client starts new connection towards 192.168.88.1. It notices it's not a directly accessible remote addre...

mkx

I don't think that RB750r2 can route much more than 100Mbps with fasttrack disabled (implied by your use of mangle rules). And that's what you observed - 100% CPU when transferring at full speed. Bonding removes speed of single physical link as a bottleneck, it can't do anything about CPU load while...

mkx

For this purpose there are well standardized and established protocols ... a bunch of Spanning Tree Protocols. You can get an idea about how they work from Wikipedia.

mkx

... you can add as many caps as you want as long as they can communicate with the capsman.. ... and caps have to be able to communicate with capsman prior to configuring their wireless interface(s) ... which means that most of times caps devices will communicate with capsman over wired connections ...

mkx

The log says it all: package security needs package DHCP. Period.

mkx

Source MAC address is likely peer router (the other side of WAN interface). The sad fact is that it's almost impossible to deal with DDoS attack other than (temporarily) drop all connections contributing to DDoS. In your case it's hard to do it as those packets seemingly originate from DNS servers a...

mkx

There two things I'd think about: IP address (and setup) for LAN on router 1 is set on ether2 ... it should be on bridge I don't think router2 should be doing src-nat? In addition to that, there's nothing on router2 that would allow to connect to webfig via WAN interface (which is, if I understand i...

mkx

Is it possible to make different dhcp pool on each port of bridged interface? No, it's not possible. But what I want to achieve is because I want to run only 1 hotspot server because I don't want user to asked to relogin again when moved to another floor. In other hand, I want to differentiate the ...

mkx

I wonder why it's faster in one direction than in the other Could depend on both computers running iperf, but it's hard to tell ... The CPU is not loaded during the test. I don't have any firewall rules between these networks. I use fasttrack. fasttrack and mangle rules are mutually exclusive. You ...

mkx

What does /tool profile cpu=all show during the throughput test? Does it show some particular CPU hitting 100%? Which process?

Do you have firewall filter rules configured on CCR? Does it use fasttrack?

mkx

-netinstall software to create a cf card. Fails to create MBR on device -netinstall software to netboot to Alix. PXE error Netinstall is very fragile ... both failures might be due to some firewall on your PC preventing netinstall from doing what it has to do. It is advisable to entirely disable fi...

mkx

Virtual interface has to follow physical interface with regards to frequency channel used, channel width etc. So when one wants to use single radio for both uplink and own AP, then physical interface has to be station and virtual can be AP.

mkx

Perhaps you don't need 10 VAPs for 10 devices, perhaps you could group them together. Like based on whether they connect to some cloud or not (if yes, all devices connecting to same cloud can use same VLAN). Or based on their functionality (you might have single VLAN for both doorbell and video surv...

mkx

L2 MTU is maximum (ethernet) packet size each of physical interfaces is capable of transmitting (and receiving). MTU is maximum L3 (IP) packet size which can pass the interface and should be less or equal to the L2 MTU. At the same time it should be set to whatever size peers (accessible through tha...

mkx

... and then plugging my laptop into the ether2 of RB450G (vlanid=9), I do not get the DHCP address for the VLAN or the management IP. Surely your laptop is, at this stage, configured to simple untagged networking? It would be nice if you could export actual setup of your "switch" ... the configura...

mkx

As opposed to my arch enemy anav, I agree with him ;-) I never let my guests near my refrigerator :lol: I let guests near vacuum cleaner, but they are mostly not interested :wink: Seriously: around here I generally don't question people's strategic decissions, I only try to help them with dirty deta...

mkx

No, that is not correct.

Right

mkx

According to what you wrote about ISPs specifications your SFP module is the right one. Seems that the only thing missing is to set module to synchronize at 100Mbps. I've no idea how to do it

mkx

It seems fine to me ...

mkx

This SFP seems to work with single optical fibre and uses different wavelengths for Tx and Rx. Are you sure you're using module that is complementary to the one used by ISP? I.e. if ISP is using 1310nm for Tx , then you should be using module which uses 1550nm for Tx (that's S- 53 LC20D) ... If, on ...

mkx

In adition to the two posts above, beware that subnet 192.168.1.0/23 actually contains 192.168.2.0/25 (192.168.1.0/23 are all IP addresses from 192.168.1.0 to 192.168.2.255 while 192.168.2.1/25 are IP addresses from 192.168.2.0 to 192.168.2.127).

mkx

If manual setting of speed doesn't work, you could try to allow auto-negotiation, but limit advertised speeds only to 100Mbps (both FD and HD).

Or you might have to try with another SFP module ... Mikrotiks seem to be quite picky about which modules work and which don't.

mkx

Document regarding switch chip features states that VLAN tables are not available under ROS on RTL8367 switch chips. Making configuring VLANs on these switch chips impossible. (I've had something about that on my mind and I obviously created a shortcut of entire config subtree being unavailable ......

mkx

The only way of configuring HW accelerated VLANs on all Routerboards except CRS3xx series is to use /interface ethernet switch configuration subtree. I don't have any RB4011, but I heard that this configuration subtree is not available. And yes, ports with tagged VLANs and PVID set to same value cau...

mkx

VLAN setup seems fine to me. However, this setting might get into the way: /interface bridge settings set use-ip-firewall-for-pppoe=yes I know you're not running PPPoE over a bridge, but never the less. And better get rid of that disabled bridge-vlan, who knows if it's really nowhere configured. I g...

mkx

As far as I understand FastTrack is built on top of FastPath and requires that the underlying interface supports it. And I guess FastPath is immediately disabled as soon as bridge VLAN filtering is enabled on anything but CRS3xx. FastPath documentation is quite vague about when fastpath is enabled....

mkx

1) Free space is low but no files on flash. free-hdd-space: 2500.0KiB total-hdd-space: 16.0MiB bad-blocks: 0% That's normal. Built-in flash holds runing ROS, it's just not exposed to you. Only part of flash storage is exposed, but it's highly advisable not to use it fir anything write-intensive ......

mkx

Post complete configuration as presented by /export hide-sensitive ... and state the RB type, it might matter.

PPPoE over tagged works, but things have to be configured properly.

mkx

I could request such a special feature in the router, but who else would be interested?

Probably not many other people would really need such feature ... but that shouldn't stop you from bitching around

mkx

In theory the difference between 6dBi antenna and 12dBi antenna is +6dB. In practice it can be anything between +6dB and possibly -10dB if antennae are not properly re-aligned if needed. With omni-directional antenna the only way of getting larger gain is to reduce vertical beam width - when talking...

mkx

I'm pretty sure you don't have to enter IP address anywhere, you should be getting it as you'd get the dynamic one.

mkx

guess this behaviour is related to PoE-detection in the switch ... no passive PoE-adapter in the arsenal to verify ... so check, before climb ! Normis explained that 802.3af/at powering only works when there's a compliant device down the line ... if there isn't one, passive PoE injector should be u...

mkx

The only problem I see (but doesn't mean it's breaking your LAN) is that LAN stuff (IP address, possibly DHCP server although I don't see it configured) is bound to ether2 instead of bridge ... The behaviour you're explaining might indeed indicate that your RB might be slowly dying and that you'd ha...

mkx

Yes!

Please explain ... usual device with single radio, how can it become station of two distinct APs transmitting on different channels?

mkx

The hEX can't handle 48V.

... and doesn't do PoE out.

But OP mentioned hEX PoE which handles 48V and can do 802.3af/at on output.

mkx

Indeed you need 48V power supply. Any 48V power supply rated at least at 1A would do (but get some beefier one if this RB will deliver power to additional devices, up to 2.5A), just be careful about the DC plug dimensions. According to MT support , all routerboards feature same barrel-type power rec...

mkx

But that is beside the point and my question still remains - do anybody have some input on the "no fasttrack" question? Is fasttracking between two VLAN interfaces supposed to work? (Input VLANXXX, NAT to VLANYYY) . Fasttrack works for firewall with connection tracking enabled. Which is pretty much...

mkx

If I understood you correctly ... you want to connect your cAP as client (station) to two distinct APs? That's only possible if one AP is running on 2.4GHz and another on 5GHz, but in that case you have two interfaces (default names wlan1 and wlan2) and you can start one DHCP client per interface. I...

mkx

You can try to replace power supply (in case it's aging and strarting to fail to provide rated amperage).

If that doesn't help, post complete configuration (execute /export hide-sensitive in command window), could be something weird there ...

mkx

I'll wait until you post output of command /export hide-sensitive (redact public IP address if there's one).

mkx

It is known that many windows NIC drivers strip off VLAN tags before processing packets. Hence sniffing using windows machine can not proove VLAN-related problems ...

mkx

You might want to open new topic in SwOS section to get some advice about that.

mkx

You can use any interface to interconnect both devices (or even use more than one in a LACP bond). However, if you use RJ45 port, it'll be 1Gbps, if yu use SFP+ port, it can be 10Gbps (depending on modules/cable used). How to configure it in ROS? The interconnection port should be one of switched po...

mkx

But on trunked ports (hybrid actually) containing VLAN 201, packets from those devices can be captured without VLAN tag.

Please elaborate thos further ... how are you capturing packets and how in particular is the trunk configured?

mkx

When it comes to functionality, all Mikrotik devices are capabke of doing the same. Well, almost all, one can't realistically expect a $30 drvice to do some complex tasks such as BGP peering. The difference is in capacity obviously and hardware capabilities (not every Routerboard can use USB LTE sti...

mkx

Relevant RFC 2132 defines option format to be array of octets and first octet (after the DHCP option number) should be the length of the array (and must be multiple of 4). So I assume that when defining option value should be entered as HEX number, e.g. 0x04c0a80a0d ... I've no idea what should be t...

mkx

It's not exactly trivial to enforce special config to particular host. Perhaps the easist way would be using DHCP options ... create new one with code=3 (that's default gateway), enter the value (no idea how it should look like) and assign this option to static DHCP lease. Hopefully explicit DHCP op...

mkx

The easiest way would be to set Rpi's IP address as default gateway on PC. If PC is getting it's network settings via DHCP server, you'll have to create static DHCP lease for that PC. On that particular lease you'll set different IP address as gateway. (It will be some more work than I just wrote, b...

mkx

However the Bridge VLAN Filtering is currently only supported on CRS3xx series devices ... Small correction: above mentioned bridge VLAN filtering is supported across whole Routerboard device range ... but on all, except CRS3xx, functionality is implemented in software. Meaning that it's expected t...

mkx

-1

IMHO load balance is a pretty complex thing (specially using WAN interfaces as your post implies), way beyond simplistic QuickSet stuff.

mkx

Two questions:

which version of ROS are you running
what kind of user interface are you using to perform whatever you wanted (if GUI, which mode?)

mkx

Yes, you'll have to configure CSS separately (as if your CRS didn't exist). While I don't have any personal experience with SwitchOS, it seems to have relatively simple webUI which allows to set up everything switch can do. And CSS will act as a switch, so no fancy L3 features there (that includes D...

mkx

Is the best way to use these just as a switch to add a bridge and add all ports to the bridge? I noticed the CPU increased significantly when adding VLANs even without any routing. CRS1xx don't offload much to hardware automatically. If they are only used as simple switches (no fancy features used)...

mkx

Start with this https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router If you want to block access to router from guest network, block in firewall input chain all from this interface or IP range, allowing only needed services, i.e. DHCP, DNS, etc. I don't think this is answer to OPs question (h...

mkx

You will have to administer devices separately. Even more, CRS runs RouterOS (which you already experienced) while CSS runs SwitchOS ... and SwitchOS can only be administered using web-based GUI, you can't do it using winbox.

mkx

If i manually remove the bridge created by default config which gets a ip from dhcp and no other interface is created the device is inaccessible have to hard reset the router and the router is connected directly to my laptop. It you if you do a reset with no default config enabled you can still acc...

mkx

Use dst-nat just like you'd use it for connectivity from internet to some LAN service. So use rule something like /ip firewall nat add chain=dstnat action=dst-nat dst-address=192.168.1.23 to-address=<some internet IP address> However, there's a gotcha: router will only redirect packets to remote add...

mkx

If you set boot sequence to /system routerboard settings set boot-device=try-ethernet-once-then-nand , then you don't have to press the button for RB to try netboot ... it'll try and if it doesn't find proper bootp server, it'll resume booting from NAND.

mkx

In former versions of ROS, bridge should have vlan-filtering=yes set for VLANs to work correctly.

mkx

For proper configuration for IP interaction with VLAN you should add the following to what you've had while CRS worked fine as managed switch: /interface vlan add interface=bridge1 name=vlan100 vlan-id=100 /interface list member add list=LAN interface=vlan100 /interface bridge vlan add bridge=bridge...

mkx

Before we get into details let me explain some basic stuff... Bridge functions very sim8larly to a switch, forwarding packets between member ports. Right now your RB has all ether ports member of same bridge. Which is kind of a problem due to 3 reasons: it seems like ether1 interface is used as WAN ...

mkx

AP probably shouldn't reboot when some client connects to it. It is possible though and I can think of a few reasons for it. One is weak power supply adapter. When client connects, AP will start to transmit at higher (full) power because of improper antenna (with too low gain). Thus it's causing hig...

mkx

Set IP address to Mikrotik statically. Take any address from the same IP subnet as modem uses except from modem's own address (and network and broadcast addresses obviously). pppoe-client on Mikrotik should add default route ... but be sure to enable "add default route" on PPPoE client configuration...

mkx

Remove src-port option from the filter rule, it's still there: /ip firewall filter unset [ find src-port="47808" ] src-port (on my RB I had to use the double quotes for find to find something). BTW, you have 4 similar DST-NAT rules: add action=dst-nat chain=dstnat comment=192.168.1.33 disabled=yes d...

mkx

You should post complete configuration as all of the details matter ... run /export hide-sensitive and post it here inside [code] [/code] block.

mkx

It still doesn't look right ... but if it works for you, fine. Might stop working after some ROS upgrade though: when an interface is member of bridge, then all the rest of configuration should go to the bridge. In your case, ether2 is member of bridge named "bridge", and vlan interfaces should be a...

mkx

Your L2 VLAN setup is very far from complete (and what's done is wrong). I suggest you to read through this nice tutorial. After you're done and still have problems, come back with questions.

mkx

First of all describe topology and what kind of disconnects you experience (is it ethernet/wireless disconnects, DHCP lease expiry, connection breaks, ...). If there's a central Mikrotik device which suffers, post complete configuration (as printed out by executing command /export hide-sensitive fro...

mkx

12V adaper is just fine for your RB ... if it can supply at least 0.6A. The problem is that power adapters tend to age (mostly because capacitors loose capacity due to various reasons) and their max current deteriorates. To a point when device wants to draw higher current than power adapter is capab...

mkx

Try replacing power adapter, it might be getting old ...

mkx

I think you should post full configuration. Fetch it executing command /export hide-sensitive and redact public IP addresses ...

mkx

Stated max power consumption is 9W ... which is 1.8A @ 5V. Can your power adapter supply such current? Even micro USB connector (and port) might have hard time to pass such high current.

mkx

How did you try to ping internet via secondary modem? If by using /ping , you might have to set src-address with IP correct for interface DLINK . I've had my share of problems when RB chose wrong own address when pinging and the remote party did not have appropriate route to reply back. Other than t...

mkx

When will come a Powerline modem for Audience?

There won't be one. Audience hasn't got USB port (at least I didn't see it mentioned), so you'll have to use generic PowerLine2ethernet devices.

mkx

It is quite vital to use antenna for correct requency band. If you use wrong antenna, in best case the signal will suck as the antenna gain will be low (could be something like -10 dBi or even lower instead of +3 dBi or +6 dBi). In worst case the PAs might get destroyed due to high VSWR.

mkx

In ROS you first configure L2 stuff ... e.g. you create a bridge with selected interfaces as its members. "bridge" then offloads as much operations to the switching hardware and in your case that's just about everything related to intra-LAN traffic. On the "routing" CRS you'll leave out one ether in...

mkx

For me the "blue" network is all within the same IP Subnet (192.168.88.xxx), so in my understanding (feel free to correct me) all traffic in there is "just" switched. You're absolutely right, I've looked at the chart without due dilligence. So in your case, routing would only happen between LAN and...

mkx

Switching is when CRS moves ethernet frames from one interface to another one by using it's switching hardware. It means quite basic stuff, athough CRS3xx can do many L2 stuff by using switching hardware. I your case that's all traffic between LAN hosts in the same IP subnet. Bridging is similar to ...

mkx

Automatic fuses/switches are killing powerline. Same as wireless through reinforced concrete.
Parallel cable runs help somewhat ... as does a window in that concrete wall for wireless.

mkx

"root bridge" is a feature of xSTP. If RB in question can not create any loops (e.g. it only has one connection to the rest of network), then you can disable xSTP entirely:

/interface bridge
set [ find protocol-mode!=none ] protocol-mode=none

mkx

You can try to uninstall packages not needed, it might save enough space for upgrade to succeed.

If it doesn't help, then netinstall is the only way.

mkx

LAN and WAN interface lists are extensively used in default firewall filter lists. But then LTE interface is not configured by default. But then, if "add default route" option is available, so should be "add to interface list" option with drop-down list to select from. Rationale: if LTE is meant to ...

mkx

Are you using IGMP snooping? If yes, try to disable it and see if things start to behave.

The problem is that for IGMP snooping to work one needs multicast router present (IGMP querier). If there isn't one, then IGMP snooping only works reliably if there's single switch between source and sink ...

mkx

However, Wi-Fi 5 devices can regularly get speeds well in excess of 150Mbps speedtest - one of my clients has Cisco access points connected via 10Gbps backbone and they regularly speedtest at well over 200Mbps. But with this device, even if the Wi-Fi is connected at these realistic speeds, the 100M...

mkx

One thing I obviously don't understand: you have configuration for PPPoE in place ... but it has "dial-on-demand=yes" set. So is it used for connecting to internet or not? if yes, I suggest you to set dial-on-demand=no so that pppoe connection doesn't drop due to inactivity. At the same time you hav...

mkx

I'm afraid that if admin wants to have any kind of supervision, device needs constant IP address. Either set statically or set by DHCP but then one has to assure constant MAC. With ROS versatility it is impossible to come up with MAC addressing scheme which would persist over all the configuration v...

mkx

In theory maximum speed over wireless exceeds speed of wired ports indeed. In practice speed over wireless rarely reaches much more than one third of maximum speed in good radio conditions and less than that in sub-optimal radio conditions (e.g. when client is some distance and corners away from AP'...

mkx

This NAT rule add action=dst-nat chain=dstnat comment=Ping protocol=icmp to-addresses=10.254.254.254 grabs just any ping request regardless where it starts and what is its destination and redirects it to 10.254.254.254 (which happens to be one of router's addresses). And similar problem is present o...

mkx

NV3 is coming? Personally, if I had to choose between 802.11ax and NV3, I'd rather get 802.11ax. Because it might boil down to such choice ... either use stock linux/producer driver and miss any vendor specific protocols (such as nstreme or NV2) or write own driver and include whatever bells and wh...

mkx

No PM on this forum. You'll have to post some contact information if you want to get some feedback.

mkx

You'll have to adjust routing settings.

mkx

In CLI definition of bridge has also option called "auto-mac" and if set to "no" (together with static setting of "admin-mac") MAC doesn't change over reboots. WebFig doesn't show "auto-mac" option explicitly, might be set implicitly when one unfolds the "Admin. MAC Address" window and sets the MAC ...

Search found 2944 matches