MikroTik

mkx

I've seen mobile operators assigning public IPs to LTE devices but NATing them to other public IPs anyway.

And I've seen mobile operators assigning public IP addresses to LTE devices and not doing any NAT, but still running firewall and DPI systems on behalf of their users.

mkx

I've no idea what your RB912 is really getting. Some decent multimeter should tell.
Also inspect the power source, whatever it is ... is it some PoE switch, is it PoE injector with some "weird" power adapter?

mkx

Seems like @OP did not hear ya as well ... so I had to repeat it, perhaps @OP will go read the article and hopefully start over again. This time properly.

mkx

@yoanm: VLANs in your config are not the way VLANs should be done in post 6.42-days. Have a look at this tutorial: https://forum.mikrotik.com/viewtopic.php?t=143620 RB750r2 has a switch chip built in and if device was switching traffic between ethernet interfaces it woukd benefit from configuring VL...

mkx

A good tutorial about VLANs in RouterOS: https://forum.mikrotik.com/viewtopic.php?t=143620 Depending on switch type the resulting configuration might not be wirespeed, but it should get you moving. After you get acquainted to VLANs, you can reconfigure switch for higher performance (VLAN switching i...

mkx

Verify power supply voltage, unit is rated up to 30V and what you see is somewhat out of spec. Such supply voltage (if not killing your device) might explain high temperature as it keeps voltage regulators at their limit.

mkx

This unit has more or less omnidirectional antennae, do turning it around won't make any noticeable difference. Range of 40 metres is pretty much what can be expected (or even more than expected, most products declare 30m range in open area). High interference from 200 APs you can detect make things...

mkx

Another idea: if that port doesn't need any communication (not even other LAN hosts, such as NAS or DLNA server or printer or ...), then you can simply disable the ssid port. That'll break any ongoing connection as well. Brutally too.

mkx

NAT on "different site" should do DST-NAT which you probably configured ... but it should do SRC-NAT as well. If SRC-NAT is not done, then replies from DNS server go back to your site directky, but there they're eitger filtered by ISP, or more likely by your MT as they return from unexpected remote ...

mkx

only this one? Did this actually start with upgrade? Or was it present with previous ROS versions (but you did not notice it)? Obvious reason for that happening is CPU frequency way off what router thinks it should be (e.g. 20% slower than it should be). I'm not entirely sure how CPU frequency gets...

mkx

When connecting to CRS (or any ROS device) after factory reset, device expects management connection through first copper interface (ether1). After initial setup is done, management connection is usually possible on all other interfaces except for ether1. Not sure how this correlates with what you s...

mkx

When you were upgrading ROS, did you upgrade routerboot as well? Sometimes there are (tiny) discrepancies between (old) routerboot and modern ROS which are only resolved by upgrading routerboot to modern version (shipped with ROS itself), which has to be followed by reboot of device (sorry for that)...

mkx

I was under the impression that off-loading to switch chip was the preferred way, especially on CRS series... Is that wrong understanding? (otherwise I do not see the point of having that feature at all) So given that question, is using the bridge vlan the right way to go, or should I try to achiev...

mkx

in future , i will use this order /ip firewall filter add action=accept chain=input comment="protection" connection-state=established,related add action=drop chain=input comment="protection" connection-state=invalid add action=accept chain=input comment="protection" in-interface=bridge-trunk src-ad...

mkx

@Sob and @sindy, thanks for clarifying thing for me. I'm just mad at @anav since he knew the answer already but he kept silent forcing you two guys to answer me ;-) Makes total sense to me: ARP could well be handled by interface driver itself with little help from IP (or any other L3) stack. Indeed ...

mkx

This is not default setup, it seems that it was transferred over from old config. You have to reset it to factory default. Log in via WebFix (using web browser), click "Quick Set" button top right, then click "Reset configuration" in lower right area. Reboot device (if it doesn't do it itself). Then...

mkx

I'd say you have naming clash: on CRS in capsman configuration you set datapath.bridge=bridge while bridge on RB952 is named bridge1 ... and with local forwarding enabled datapath.bridge refers to bridge on CAP device, not on capsman device.

mkx

Instead, trust the machine: [me@myTik] > ip arp print where address in 192.168.6.0/24 Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, C - complete # ADDRESS MAC-ADDRESS INTERFACE 0 C 192.168.6.6 48:8F:5A:BC:14:20 bridge.lte.6 1 DC 192.168.6.1 48:8F:5A:BC:14:20 bridge.lte.6 I...

mkx

And when Mikrotik wants to send the packet, it uses IP address and interface as search criteria in the query to the ARP table ... I'll have to trust you on that. When looking at diagrams on packet flow manual page I can't find the box which includes reference to in-interface for outgoing packet (AR...

mkx

Once I'll learn Spanish

Sometimes it hits me that @anav must be a Vogon. ;-)

mkx

@sindy, just a short question (or rather request for clarification): how does MT in conjunction with router B handle this situation? Let's say routerB's own ARP cache for 192.168.1.210 expires but needs its MAC address to deliver some packet in downstream. It will send ARP request, and part of ARP r...

mkx

/export hide-sensitive file=anynameyouwish

I was saving heavy guns for next step ... right now I assume OP has some too broad src-nat rule in action.

mkx

I have to ask, what is the purpose of two modems from the same ISP?

OP clearly stated it's two ISPs but both are handing out addresses from same (private) IP subnet.

mkx

Not sure what you're doing, so let's stick to MT cloud and some third party DNS with CNAME. So when you have ddns-enabled=yes , then your router will update corresponding DNS entry (xxxxxxxx.sn.mynetname.net) automatically. And that A record comes with TTL of 60 seconds. If some caching DNS server r...

mkx

Interesting, I have a dynu hostname and c-name it to the cloud name of mikrotik. Are you saying that the IP of dynu will not be updated Actually client asks a series of questions to get to final answer. First question will resolve CNAME to cloudname, independent query will resolve cloudname to IP. ...

mkx

For using * or CNAME records on a domain there often is a conflict because there also need to be NS records not matched by those wildcards/CNAMEs and that makes most convenient usages impossible. Most of time no extra NS records are needed. NS recorss are needed if authoritative DNS server delegate...

mkx

Post all NAT rules - execute /ip firewall nat export and copy-paste the output here (inside [code] [/code] block).

mkx

can it be the bridge port ? Or should I take one from the switch? I'm not sure what kind of scenario you have in your mind. But anyway, if you're thinking about management VLAN, then configuring switch to use that VLAN for management is separate isssue from configuring all LAN gear for you to be ab...

mkx

Sure. Whatever fits you. Just remember: WAN is no different than any of LANs when it comes to switching, the only entity making it fundamentally different is firewall. Nope, not even routing is that different, default is only English word for 0.0.0.0/0 which is a really large L AN with really short ...

mkx

When upgrade already how to configure the firewall for more protecting for LAN and router. As I already wrote: default config which comes with recent versions of ROS, is decent config. Just be sure that "Keep old configuration" is not checked . As result, your device will be as if it came out of fa...

mkx

Okay so what you are saying in plain english is that there may be cases where you want to route the ISP traffic coming from their ONT/MODEM to several ROS routers.

Not route, switch. Inside a VLAN.

mkx

Everything correct above if you replace "GRE" by "EoIP".

Thanks for correcting me.

mkx

How can you prove we are not in a simulation???

But I know we are in a simulation, there's serious literature prooving it. Vogons are about to start building that hyperspace bypass ...

mkx

Questions: 1) What is your recommendation for overall setup, given the target scenario? 2) Is it possible to combine VLAN methods (switch/bridge) on one device (e.g. physical ports VLANs via switch chip and bonds/caps via bridge VLAN), or do I have to choose one and stick with it? (my undestanding ...

mkx

Just imagine if your ISP gets hacked ....

For that matter, internet got hacked when DARPA let in businesses back in early 1990's.

mkx

Forget about it and move on, no point in bitching around. Little optimism please ... I didn't say that nobody should make a feature request (not that such request would get my ++ anyway), I just wrote that currently DNS server in ROS is pretty much useless and looking for ways around is futile. One...

mkx

SFP can draw quite some power. Depending on length and quality of UTP cable between power injector and netmetal it could mean that netmetal draws power high enough to drop voltage below minimum accepted. If you're using supplied power adapter (48V 0.95A), then this shouldn't really happen, but who k...

mkx

If RB960 can communicate with netmetals (or you can communicate with them via RB960), then you can set up NTP server on RB960 (install ntp-X.XX.X-mipsbe.npk from Extra packages, available from downloads.mikrotik.com ... just be sure npk version matches ROS version installed on RB960) and then config...

mkx

Setup is dangerous because firewall is virtually non-existant, not protecting neither router itself nor LAN. Setup is dangerous because router is running ancient version of ROS (5.4). Setup is slow because it's got queues set up which are CPU intensive and your device is no speed monster. My suggest...

mkx

You should construct rules, similar to firewall rules, in /ip proxy access . Instructions are here . I don't have any experience with proxy, but from documentation I presume you should set something like this: /ip proxy access add action=allow src-address=<LAN v4 address>/<mask> #add action=allow sr...

mkx

For a standard setup, there is no requirement to identify the WAN with a VLAN. For a stadard setup, there's no requirement for any VLAN whatsoever. However, if one configures router in ROS (Router On a Stick) manner, it is vital to get WAN to router tagged. Why would one want to do it? Well, in my ...

mkx

If you're going to use CRS as normal switch (and will be running ROS as opposed to SwOS, some units are capable of running both), then you have two options: if you trust your LAN devices and users (sometimes that trust is not warranted), then you can configure all ports on CRS to single bridge. Then...

mkx

Can we expect the next beta version today as it is a Friday and over 2 months since the last beta release?

We've got 6.47.6 yesterday. And it wasn't even Friday. I think that's enough for this weekend ;-)

mkx

Is this an error message or an critical message.

It's a critical error ;-) With value 2 (2 and 3 binary and-ed together).

mkx

It is enough to allow protocol=udp dst-port=123 (and the default accept established,related ). Entering pool.ntp.org may or may not be fine, because firewall will resolve name to IP address(es) at some moment in time, possibly taking only single IP address. Ntp client will possibly resolve that to o...

mkx

Router 1: (192.168.1.1) 0.0.0.0/0 192.168.2.1 10.0.1.0/24 192.168.2.6 Router 2: (10.0.1.150) 0.0.0.0/0 10.0.1.151 192.168.1.0/24 10.0.1.151 Router 3: (10.0.1.151) 0.0.0.0/0 196.xxx.xxx.xxx (IP Gateway Internet) 192.168.1.0/24 192.168.2.6 On router3 the route towards 192.168.1.0/24 is set on direct ...

mkx

There are numerous cases showing that DNS server, built into ROS, is severely limited. It is not a replacement for proper DNS server if anything but limited number of plain simple records are in the play. In case of wildcard entries ... well, it doesn't work on ROS. Fullstop. Forget about it and mov...

mkx

Right. And now the big question: how are routes set on all 3 routers?

mkx

It's all about properly set routes. Your topology sketch misses quite some information, complete IP address data for starters (e.g. each link, either physical or IPIP, has two addresses, one on each end) and without it it's hard to guess what routes have to be set.

mkx

From another topic: viewtopic.php?f=1&t=167507

It seems that usual hardware has problems creating enough PPS to fill the link.

mkx

Nothing much to be done on PtP nodes, NTP needs IP connectivity with server ... But there are two possibilities: set up a NTP server, which can synchronize to precision time sources (either a high quality source, such as GPS receiver, or to internet NTP servers), and serves clients inside management...

mkx

Let's assume you have radio connected to ether1, which is also parent device of pppoe-client. For running pppoe-client ether1 doesn't need any IP address, but for connecting to radio it does. And let's assume router setup is pretty much default, which uses interface lists in firewall and NAT rules. ...

mkx

I'm with @anav: firewall is bloated. You should simplify it. If you insist on current settings, then become a network expert who knows what the goal of this firewall. Default on SOHO devices (I'm not sure if your device falls into this category) is pretty sane and one of first rules in chain=forward...

mkx

If we put in hard entries such as 1.1.1.1 and 1.0.0.01 and then as last entry the lan subnetgateway as an entry, then the router will only use entered IP DNS settings (lets say we had 8.8.8.8 in there) and its cache, if the hard entries are not providing DNS returns?? (put in another way, is order ...

mkx

That's almost craziest firewall filter ruleset I've seen so far. And without any effect for that matter. Anyway, if you want RB to act as ethernet switch, start off from an empty config, create a bridge and add all ethernet ports to it. No other bridge settings, no IP address, nothing. At this point...

mkx

Try to run DHCPv6 client on PPPoE interface and request a prefix: /ipv6 dhcp-client add add-default-route=yes interface=pppoe-out1 pool-name=ipv6 request=prefix The pppoe interface will get a LL address which is enough for routing traffic. You can assign some global address to your LAN interface: /i...

mkx

DHCP server can definitely run off a physical interface. It can run off a VLAN interface and probably some other types as well.

mkx

Since you didn't post full configuration, only a few screenshots, we can only guess. You can post full config: execute /export hide-sensitive from terminal window and copy-paste the output.

Other than that: I guess vlan20 interface should not be member of bridge bridge-Staff.

mkx

There are numerous definitions of MAC addresses and radio names in your config ... I don't think that's necessary in your case (with single CAP device). It may be necessary if there are multiple CAPs in play and some (or all) of them should get specific settings (which is done in /caps-man provision...

mkx

Are subnet masks set correctly on the VMs as well? What does /192 written as suffix of IP addresses on the topology chart? According to mikrotik route printout, you should be using /26 netmask everywhere. If it is left to default (/8 is default for 10.x.y.z addresses), then devices will try to bypas...

mkx

Default setting on SOHO Mikrotiks is to have ether2-etherX (where X is the last ether port, mostly that's ether5) in a bridge which means these ports act as being part of a switch. If you want to assign individual IP addresses to each of ports, then you have to remove ports from the bridge. Doing it...

mkx

I can't see anything wrong in your config. Except for netmask=xx attribute of /ip dhcp-server network , default value is empty (set to 0) and instructs ROS to take netmask from address. I'd go for a good power-cycle of the unit. If it doesn't get any better, then export configuration, do a factory r...

mkx

You have a few problems in config. You showed config from CAPsMAN device, I can only guess if prerequisite config from CAP device matches. One is this: /caps-man datapath add arp=enabled bridge=bridge_guest client-to-client-forwarding=yes \ local-forwarding=yes name=datapath_guest Does bridge_guest ...

mkx

Post configuration as output running /export hide-sensitive from command line. It's hard to guess what's exact running config you've got.

mkx

Where did you see VLANs in original post? Ah, I forgot about MTUNA certificate :lol: But you're right ... @digger, please describe the network layout you'd like to have and we may be able to give you some good advice. Surely what you sketched can fly with some static routes on each of involved route...

mkx

I'm not sure if Mikrotik supports /31 but I thought I'd mention it. It doesn't. You need to use pair of /32 addresses with network specified as the "opposite" one. And it works like a charm. The best thing about using /32 addressing: if a router has multiple such links, it doesn't have to have diff...

mkx

Sure. But then it makes perfect sense to sell/return 2 of the 3 hEXes and buy 3 managed switches instead (or even one managed and two unmanaged will do), and use hEX for routing only. Sure. I'd go for managed switches, that way topology can be changed from star-like (as OP currently plans it) to an...

mkx

RB760iGS won't be good as switches in vlan setup - they lack hardware vlan support, so there will be no benefit in performance compared to routed network. Performance-wise you're right. Configuration-wise, VLANs and centralized routing config is much simpler than distributed routing. Plus it would ...

mkx

Auto Negotiation: done Rate: 10Mbps Full Duplex: [unchecked] This is information about interface status at some certain moment . If there are glitches on the cable connection, then both ends will do renegotiation at every glitch ... and possibly in between (to upgrade settings if everything is fine...

mkx

On theory gAP ac has better wlan (3 chains for each band) than hAP ac2 (2 chains for each band). OTOH hAP ac2 has much better CPU. Which means that if you get a hAP ac2 you should use it as router and existing hAP ac as wireless AP, not the other way around. Re. HW offloaded VLANs: @sindy explained ...

mkx

If you have more than one WAN address, then this should be done by configuring DNS records for your domain to use different WAN IP addresses for different (for internet users virtual) hosts. Router, as device accepting connections initiated by internet clients, can not do anything to redirect them, ...

mkx

iLO works over http/https, so you need to forward appropriate ports. Beware that there might be some parts inside iLO which might omit returning the port part of URL when constructing a follow URL so if you're going to forward non-standard port (e.g. port 12345 on WAN side to port 443 on iLO IP addr...

mkx

(at least I didn't get paid yet)

I almost got paid once ... a spanish guy was so thankfull for my advice he wanted to pay me. He was mentioning paypal which I don't use, so instead he made a donation to MSF.

mkx

I fully agree that on a typical SOHO device a few packages have no place to be installed as factory default. These include: mpls, routing and hotspot, they are clearly advanced stuff that vast majority of users will never need. In addition, these are quite probably not necessary for router to be ini...

mkx

If I take from post by @dpsguard out everything I don't really understand (and some more), then what remains is: Can we have multiple VLANs (for isolation) on a common bridge ... but still part of the same large subnet? Then this doesn't make much sense to me. So you're saying that you want to have ...

mkx

What is device connected to ether1 port on such mikrotiks? Did you check for potential cable and connector defects?
How about earthing of devices on both ends of link? Could be that there's some spurious current flowing through that cable disturbing data transfers ...

mkx

Could be that either of Mikrotiks is not really compatible with DAC you're using. Mikrotik devices (and SFPs for that matter) seem to be notorial about incomplete SFP/DAC compatibility (even Mikrotik's own SFPs and DACs are compatible with all of their devices). So you may want to try different bran...

mkx

Attempt to position @anav: simple fact is that (firewall part of) router as part of connection tracking checks every incoming packet whether it's part of NATed connection. An I mean every, regardless source and destination. Let's assume subnets 192.168.60.0/24, 192.168.61.0/24 and 192.168.90.0/24 ca...

mkx

[/end of unplanned rant]

Where's the start of it? ;-)

mkx

I thought that the to-address thing was to tell the NAT where to send all the traffic, but masking it as the IP that I have in ip-address declared in the bridge, at least that is how I have always used it to redirect internet ports to the local network , did not know this function @sindy already wr...

mkx

So one would assume that all the etherport (2,3,4) are trunk ports in that they are carrying [snip] My question is how do devices attached to the ports handle it? Per diagram in original post, only ether2 is connected ... to unifi switch which is supposed to split that trunk to a few access ports. ...

mkx

Anav, that's the list of professional taxi drivers which charge starting fee, by minute, by mile and by coffee. OP is after friendly uber drivers who will do everything for a beer. Yup, that's you.

mkx

How about his: Create an address list of allowed VPN addresses to access the another network /ip firewall address-list add address=192.168.90.xx list=VPNto61 add address=192.168.90.yy list=VPNto61 ... Add src-nat rule which will do the address translation: /ip firewall nat add action=src-nat chain=s...

mkx

I just have 3 rules about port 25 on filter : logchain, action=accept and the action drop What about the rest of filter rules? As I wrote, they might be interfering without being obvious to you (and we might spot the problem because we don't have our minds set to what rules are meant to be doing). ...

mkx

whats the smallest range we can offer to customers then? IMHO /60 is reasonable, specially so if one of /64 is needed for WAN address which then leaves a few /64 for their LAN use (allowing them to run 3 subnets). As @pe1chl mentioned, /56 is not unheard of, I'm getting /56 which is entirely for me...

mkx

Setting attributes to empty string is not the same as not setting them at all. So your first filter rule on PPPoE-connected router should almost identical to the one on statis IP router except for the in-interface: add action=accept chain=input connection-state=established,related in-interface=pppoe...

mkx

Two things: apart from the firewall fiter rules you showed, do you have anything else in firewall config which might interfer? An other NAT (SRC or DST) rules (if yes, please post all of them, they might be set in a way that they interfere but in a way not obvious to you) or filter rules blocking it...

mkx

Do you experience packet loss in both directions equllky or is one direction distinctively worse?

I'd expect problems in packet direction 10G->1G where quite some buffering occurs and enabled flow control should help a lot (another matter is whether flow control actually works).

mkx

If you're going to do throughput measurements, stay away from (ROS built-in) bandwidth test, it's a CPU hog and doesn't show real life performance. Use a couple of laptops running iperf, possibly using multiple parallel streams ...

mkx

So for me the path is relative to the chroot directory.

So root is not absolute. OTOH you having chroot environment are fully aware of different breeds of paths while many users are not ... obviously.

mkx

I have two RB951Gs and I'm running one off CAPsMAN (local forwarding and VLANs) and one stand-alone, just for fun.

mkx

The path set in /tool fetch url=... is rather absolute path from server's root (not from users home directory).

mkx

I expect that for passing the VLANs to wirelles I need to bridge virtual wlan with hw bridge from th switch, am I right? Actually you need bridge if you want to span your LAN segment to anything but wired ethernet ports. And (if configuration doesn't abuse inconsistencies in ROS) you need bridge al...

mkx

Yes, any Mikrotik AP with at least two wired ports is capable of doing this. The only real question is the level of performance possible to get and that depends on devices' HW capacity. VLAN configuration should definitely be done using switch chip capabilities as this part of manual describes it. ...

mkx

backup option always creates some binary files, so you can't really check what's in them. To export all config in readable format, execute /export file=anynameyouwant.txt from commant window (ssh session will do). Then transfer resulting file to your computer.

mkx

A cat4 modem can do up to 100/50 Mbps (DL/UL) in a 20MHz cell, regardless the frequency band. That's theoretical maximum, in reality throughput is lower mainly due to 2 reasons: 1) cell load (air time is shared between active users, you can't do much about that) and 2) less than optimal radio condit...

mkx

Wording of lables on an LTE modem sounds odd to me. Traditionally only single radio stream was used, hence only one antenna was needed. However, many antennae are polarized and if polarization planes of transmitting antenna (e.g. mobile phone) and receiving antenna (e.g. cell tower) are orthogonal, ...

mkx

LTE modem R11e-LTE has two antenna connectors, main and aux ... and both have to be connected to two antenne (either that's two yagi or log-periodic antennae, mounted at 90 degree angle for different polarization to maximize MIMO effect) or two ports of a MIMO antenna. Both ports are used for downli...

mkx

How do you access the share on Qnap, using its name (e.g. \\qnap\share)? If so, does it work if you access the share using its IP address (i.e. \\192.168.0.55\share)? SMB uses NMB protocol for resolving names. Unlike DNS it is not centralized[*], it uses broadcasts and those don't pass routers. [*] ...

mkx

WinBox can't connect to SwOS device, such device is only displayed on the list of discovered devices.

mkx

I've tested the power adapater and there is a voltage coming out so it means that it is no the adapter.

Try with another power adapter never the less ... marginal power adapter may be able to produce correct voltage when unloaded but drops when load is applied.

mkx

/ip firewall filter add action=log chain=forward connection-nat-state=!srcnat dst-address=192.168.120.95 log-prefix=OUT out-interface=ether1 protocol=tcp src-port=80 /ip firewall nat add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1 add action=dst-nat chain=dstnat dst-po...

mkx

Post full config of your router ... execute /export hide-sensitive and copy-paste results here (inside [code] [/code] environment for better readability). It could well be some other firewall rule which is interfering and it's hard to tell without seeing it all.

mkx

You can disable certain bridge port using command /interface bridge port set [ find interface=ether2 ] disabled=yes ... or disabled=no to enable it again. Use that in a scheduled script ... This completely disables bridge port, also for LAN traffic. If you want to disable only internet access for de...

mkx

Do you get a full house if you test on www.ipv6-test.com ? It is possible to get full house, I get it on one of my hosts ... but that's linux server with statically assigned IPv6 address and properly configured DNS records. For LAN host which gets IPv6 address via SLAAC, I only get 17/20. It says "...

mkx

With the RB3011 I dont see any response, means the putty window remains black. But the connection is established, because I can login by typing 'admin' and 2x<return>. It could be that connections in 3011's RJ45 console port are flakey and that pin 3 (TxD) does not properly connect to the RJ45 conn...

mkx

I want to divide my home network into two segments: LAN1: 192.168.1.10/24 and LAN2: 192.168.1.20/24. These two networks must be separeted

BTW: these two addresses are in the same /24 subnet ... you should use something like 192.168.10.0/24 and 192.168.20.0/24 ...

mkx

My issue isn't really with invalid packets, but with private addresses leaking out. Supposedly they leak out because the packets are invalid, and so do not get srcnated. I want to either prevent anything that's not srcnated from going out on the WAN interface (which I thought would be doable using ...

mkx

It is possible that SFP module is simply not compatible with CCR. Mikrotik's SFP compatibility matrix indicates that even some Mikrotik's own SFP modules are not compatible with all Mikrotik devices, so I'd expect third party modules to be even less compatible.

mkx

On CRS access (untagged) ports should have pvid set. E.g. /interface bridge port set [ find default-name=ether4 ] pvid=10 and repeat the above for all ports listed as untagged in /interface bridge vlan . After you do it, you may omit listing ports as untagged, they get added automatically (listing t...

mkx

Yes, brochure is pretty explicit about that. RBGPOE injector is rated at 2A, so things should work just fine.

mkx

You're right in saying we should be tolerant to different opinions. The problem in this discussion as I see it is that you're using cAP ac quite differently from its intended use (CAPsMAN-driven AP) and your arguments about design deficiencies are thus more or less void. Yes, it is possible to use d...

mkx

SwOS can only do switching while ROS can do switching, bridging and routing. Routing is obviously a completely different thing, but difference berween bridging and switching is moot. If one considers only wired ethernet ports, then in Mikrotik world the difference boils down to single thing: bridgin...

mkx

Modulation varies wildly in LTE. Theoretically every RB (chunk of OFDM tones) could use different modulation during same TTI (there are 25 RBs within 5MHz carrier). This is not common though, but it does change between TTIs. As TTIs in 4G are 1ms in duration, it would be impossible to show exact mod...

mkx

Show /capsman export so we can see what exactly you configured ...

mkx

Erm, no. There is nothing preventing SSIDs or switch ports being assigned to the untagged network in UniFi, in fact you have to explicitly assign them to be tagged. Then its not a switch its an abomination following no standards. Exactly which standards prohibit that behaviour? Standards cast in st...

mkx

Include :delay 10s on top of configuration script.

The problem: when script gets run, not all HW is initialized yet. So some objects (e.g. ether1 interface) are not available when script refers to them. And script breaks at that point.

mkx

It's your choice.

However, since introduction of VLAN-enabled bridges (somewhere in version 6.41 IIRC) there is no (main-stream) technical reason to run more than one bridge per MT device. And there are things that don't play well when there are multiple bridges (as you noticed yourself).

mkx

So how exactly can PoE out work on a device with single RJ-45 port (which is used as PoE in)? SFP ports don't do PoE in any direction.

mkx

When bonding layer has to decide which member to use for transmitting next packet, it uses some kind of algorithm to decide. In addition it is often (if not always) desirable that packets belonging to same L4 connection (TCP most notably, UDP as well) pass same member link due to timing reasons (to ...

mkx

@anav, you finally became a mentalist?

mkx

You can provision specific configuration to specific CAP device by adding rules in /capsman provisioning like this: add action=create-dynamic-enabled master-configuration=cfg1 radio-mac=E6:8D:8C:49:EE:4A slave-configurations=cfg2 Be sure the additional rule is placed above the general one you curren...

mkx

Again: do you have some particular reason for running multiple bridges on a RB device?

A hint: you can run VLANs entirely internal to AP if you don't want to run VLANs on wires between AP and the rest of LAN... I can elaborate but after you explain your use case.

mkx

Confusing world for me. Things are not that confusing. It's simple: packet, coming untagged from wireless, has to be tagged and only once. It can either be tagged by wireless interface (by having vlan-mode=use-tag vlan-id=XX ) or by bridge (having pvid=XX set on member port wlan). If one decides to...

mkx

@bpw, VLANs are indeed one of moot points in ROS. I've managed to get around by going strictly tagged inside device, which means management is on VLAN interface as well. E.g. instead of having this /interface bridge add name=bridge vlan-filtering=yes pvid=99 /interface bridge port add bridge=bridge ...

mkx

I got slightly lost in this thread, so I'll just emphasize two things: don't mix VLAN configs in /interface bridge and /interface ethernet switch . Setting things in both sections messes things, might cancel out each other or bite your pet. In short: both sections are exclusive even if ROS doesn't m...

mkx

Post config (/export hide-sensitive, optionally obfuscate sensible information) and describe which port connects to what.

mkx

Almost ... except that your Only one bridge doesn't really work because it lacks

/interface bridge
set [ find name=bridge1 ] vlan-filtering=yes

And your don't configure vlan-mode=use-tag vlan-id=xxx on wireless interfaces since you have pvid set on corresponding bridge port.

mkx

You definitely have DHCP issues if your device shows IP address 169.x.y.z ... whether that's basic problem or it's superimposed on top of lower layer problems (read: wireless connectivity) that's a thing to find out.

mkx

Don't know about GUI but in CLI datapath has bridge property when local-forwarding set to either yes or no. I'm not sure how it's interpreted if set with local-forwarding, but I guess it's used on CAP as intended. But then ... with bridge being VLAN aware, rarely there's need to run more than one br...

mkx

To be specific, quick guide for cAP ac (and related models) specifically instructs user to connect ether1 (via PoE injector) to ISP's device (to be used as WAN) and connect via wireless to configure the unit. But then, when everything else fails, why read the manual if one can complain on user forum?

mkx

The problem with Access list logic is that it relies on client device to keep trying to connect to the same AP again and again. If the client device is "smart", then it might remember it was kicked off from certain BSSID and doesn't try to connect to it again. Which is fine if it can connect to anot...

mkx

This IMO explains why device was not accessible through the first port on default IP - and it seems as MikroTik bug - because manual Setup paragraph clearly state: "1. Connect your internet cable to the first port"! As @Sob already explained when MT gets its default configuration, it doesn't accept...

mkx

Even though you don't intend to enforce firewall you can still have a look at it. If you're running recent ROS, execute /system default-configuration print on your RB750 and go through firewall settings. It might give you some ideas ...

mkx

TL;DR: PPPoE client can actually run off a vlan interface. It might work like this: /interface bridge add name=BR1 vlan-filtering=yes /interface bridge port add bridge=BR1 interface=ether1 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes add bridge=BR1 interface=ethe...

mkx

The way you configured router is fine. Only thing to fix (it seems to work fine, but it actually is not done correctly) is to move router's WAN IP address from ether1 to bridge. Re NAT: usually there are numerous devices behind a router in a LAN and LAN devices use private IP addresses (e.g. 192.168...

mkx

Could be that power adapter is playing games. Try to replace it with a new one. Supplied one is 12V 1A, but can be 24V 0.5A and anything in between.

mkx

Do you experience this too? Did you fix it? How?

Upgrade router to modern version of ROS (e.g. 6.47.4). Unless you're a troll, in that case keep running vulnerable version.

mkx

How is L3 connectivity towards ISP done? Does ISP provide that /29 subnet, but reserves one address for their own router (and the rest of devices are supposed to use that IP address as gateway)? Or is that router gets own IP address (outside the mentioned /29 address block) and that address block ge...

mkx

mkx BTW, anybody installing beta version (the thread is about v7.1beta) in any approximation of production environment is living on the cutting edge and deserves whatever hits him/her. but people with Chateau not have a way to go back to ros v6 bcs mtk give them only Ros7 and no way of installing v...

mkx

Guys, stop telling everybody that they should wait for other people do testing of new release. If you do it long enough, nobody will test new release. BTW, anybody installing beta version (the thread is about v7.1beta) in any approximation of production environment is living on the cutting edge and ...

mkx

You can't. Portable devices may choose to switch off wireless to save battery life and there's nothing on the AP to change that decision. Perhaps there some tweaking possible on portable device not to switch wireless off ... but expect notably shorter battery life. Not something you can do on random...

mkx

I set the package path to "/disk1/upgrade" and the upgrade policy to suggest same version . Ok, understood. Somehow I thought that one could upgrade CAP with any version wanted. Well, the setting you mentioned in one of previous posts (quoted above) refers to ROS version running on CAPsMAN, not to ...

mkx

Who knows when a new model of hAp ac² with SFP will be available? Wouldn't that be the existing "hAP AC" which is already available? No because hAP ac has old single-core QCA9558 CPU while hAP ac² has much newer 4-core IPQ-4018 CPU which dances circles around QCA9558 while doing some CPU-intensive ...

mkx

PoE-in is enabled in hardware only on ether1 so it is not possible to change it elsewhere (the same is true for PoE-out being limited to ether5). So besides changing WAN port to ether5 (as per instructions by @bpwl) you'll have to use power jack to deliver power to the unit.

mkx

At least 1U proliants have plenty of small-diameter fans, all running hard. Making those servers really loud beasts.

mkx

How exactly did you configure static lease via GUI? It is quite easy to miss something (DHCP server logs mention offering address 192.168.88. 246 which is not what you configured). The easiest way is to let device obtain lease from dynamic pool, then find it on lease list, click "make static" and th...

mkx

Since it's running full RouterOS there's no reason to believe this device couldn't be used as full home router/firewall. According to test results it should be able to route at (almost) wirespeed (which is 100Mbps). Since wireless operations are somehow CPU bound this may cause routing slowdowns dur...

mkx

According to official SFP module compatibility matrix you should be fine when using either S-RJ01 (1Gbps SFP) or S+RJ10 (10Gbps SFP+). I recall some reports about autonegotiation problems when using these SFP modules so you may want to go through forum threads (I don't use these modules hence my int...

mkx

What about this switch from Mikrotik. CRS312-4C+8XG-RM Do the Mikrotik switches actually do routing of vlan traffic? This switch has routing capacity of a few 100Mbps. As @tdw already mentioned, this number will sky-rocket with ROSv7. However ROSv7 unfortunately seems far from being production-read...

mkx

Never did PBR myself, so hopefully someone experienced will drop by.

Your PM brought me here ... slightly faster than I'd come on my own.

mkx

For starters go through this this tutorial , it should explain the way VLANs should be done. When it comes to (virtual) wlan interfaces - you'll have one per SSID: add them as access ports to unified bridge (set appropriate PVID). Don't bother with vlan settings on wlan interfaces. As mentioned befo...

mkx

It is fine to set /caps-man manager package-path to folder where npks reside. My successfull procedure is that when I want to upgrade the gear, I first download packages for architectures of CAPs and place them in correct folder on CAPsMAN. Then I start upgrade on CAPsMAN (usually I use usual proced...

mkx

I guess you're after Policy Based Routing...

mkx

Official product page does not list SwOS as available OS for this device.

mkx

Commands which work directly with hardware (e.g. switch chip) vary between devices according to switch chip class. And I don't see you mentioning type of main router. When it comes to HW offload: only wire2wire traffic can be offloaded to switch chip. If primary use of hAP ac devices will be wireles...

mkx

I tried to "set" ether7 with
Code: Select all
/interface bridge port
set interface=ether7 hw=yes pvid=30 comment ="IP Cameras"

Try this instead:

/interface bridge port
set [ find interface=ether7 ] hw=yes pvid=30 comment ="IP Cameras"

mkx

The only thing that I think comes close is the situation when you have WIFI users on the SAME SSID. In particular, one can only isolate wlan users from each other when they're using same B SSID ... meaning clients are connected to the very same AP. Such isolation doesn't work in environment where m...

mkx

So far I think I need to bin off my existing bridges, combine everything apart from WAN into one bridge, and then VLAN? Indeed. I like to think of VLAN as layer 2.5 ... so physical connections (ethernet, layer 2) get overlaid with L2.5 network which logically speaking has different layout than L2 n...

mkx

There are 3 main SD spec families: original SD, SDHC and SDXC ... while they are electrically compatible, they are not completely compatible on protocol level. Each comes with its maximum size: 2GB for original SD, 32GB for SDHC and 2TB for SDXC. They also come with different default files systems: ...

mkx

Did you check for any port settings mismatch? E.g. if Mikrotik is set to not do autonegotiation while Unifi does it, the link would likely fail to establish. Nowdays everything should be set to autonegotiation and most of time it would just work. If it doesn't, try to set port settings manually, jus...

mkx

Finally you decided to add external antennas to routers, what happend to all the talk how they are not needed you where tell us all this years when we complained about poor signal? :D

Sush! Don't bring this out, they might decide not to do it for future devices.

mkx

VLAN is base of MTUNA :-)

mkx

Both varieties of GUI closely follow CLI with regard to structure of configuration tree ... which makes it very convenient to exchange configuration advisories ... because it doesn't matter which xUI somebody uses. There have been some attempts to create simplified UI (such as QuickSet) which works ...

mkx

Usually when update fails, there's something in logs about it. You may also want to check list of installed packages ... to verify there aren't any duplicates. There were times when one or another package would be installed twice and that would block upgrade. BTW, there were some bigger changes betw...

mkx

For starters disable fasttrack rule in firewall filter rules. If it helps, then you'll have to change that rule to skip mangled packets ...

mkx

So how exactly is Mikrotik supposed to help if some third party (one of your upstream ISPs) breaks things in IPv6? Proper action would be to complain to your ISP with some traceroutes showing the point of failure.

mkx

You can do it even without using VLANs. When using CAPsMAN to provision APs it is possible to configure it in the way all traffic is tunneled to CAPsMAN device which then splits traffic into different IP subnets. What you do with individual subnets there is up to confing, you can bridge one with the...

mkx

Does Mikrotik make use of the Treck stack on any of their hardware? Highly unlikely. ROS runs pretty stock Linux kernel with more or less stock IP stack which doesn't have any relation to Treck IP stack. In that regard, ROS is not embedded system, it's rather full-blown Linux device. SwOS is differ...

mkx

If your devices are statically set, then there's nothing you can do about resolving DNS names on router itself. You have to configure end devices with IP address of DNS server to use. You could enter IP address of your router as DNS server, (almost) everything is set up to allow that. There's a tiny...

mkx

Remember, sometimes workaround live longer then final setup :)
https://i.imgur.com/7CdIpKh.png

What a great solution ... ROFL

mkx

Just for the record: 3GPP Rel. 11 brings CoMP (Coordinated MultiPoint) which enables CA between different eNBs (read: different towers). This is like Dual Connectivity.. DC is next step from CoMP ... in CoMP there's only one scheduler involved (running in eNB serving PCC (primary carrier component)...

mkx

Another request for clarification: when reading Packet flow section of port extender description it is not entirely clear whether PE device actually switches frames between own ports (after physical port, associated with DST MAC, is known) on its own or all packets are forwarded to CB regardless the...

mkx

Also note that VLAN 0 is still rejected in v7 even though that is a valid value. .... When VLAN 0 is not going to be implemented there should be some flag that allows you to push an 802.1q tag with the current priority e.g. as an interface- or port setting. 0 is not a valid value to be set as VLAN ...

mkx

There is no such thing as MTU negotiation. You're probably thinking about PMTUD which is IP layer function ... that's L3 while switches are L2 devices. Only routers contribute in PMTUD. HW can have MTU limits (switches included) and when deciding upon MTU value to be used inside an IP subnet one has...

mkx

Big question is that all connection give you the same eNB Just for the record: 3GPP Rel. 11 brings CoMP (Coordinated MultiPoint) which enables CA between different eNBs (read: different towers). The feature has to be supported both by network and user's device ... I'm not sure if any of current Mik...

mkx

Above 1G I'm starting to encounter out-of-sequence frames. Which, if I understand things correctly, is the basic reason for single stream consuming single CPU ... much easier to get the timing right and not to introduce out-of-sequence frames due to different processing time on different CPU cores.

mkx

Does anybody know if this is possible? The reason for needing this is that iOS 14 now randomizes the MAC addresses, but I would still like these devices to have fixed IP address on my own network without disabling the randomization. Can't you disable randomization for particular SSID only? It is po...

mkx

My problem was in the authentication type in my security profile. The iPad Pro doesn't like WPA2 EAP Did you actually have configured everything needed for EAP (EAP methods and other related settings)? If you did not, then it's not that IPad pro doesn't like it, more likely it prefers it and it sim...

mkx

In LTE mobility is supposed to be driven by network ... based on terminal's measurement feedback. The same goes for CA component carrier selection. Client device can not force any of them. If device's feedback (e.g. measurements) indicate that, according to network settings, some channel on certain ...

mkx

Having two routers in your network complicates things a lot. The fact you can't put Nokia into bridge mode is a complication which mostly affect ability to port-forward external connections (i.e. if you are running a web server in your LAN and you wanted to allow external connections to it). The big...

mkx

As @bpw already mentioned, if your use scenario (with regards to CCR) is exactly as shown in network topology, then it would be slightly more resource-efficient to go without bridge. However, if you do choose bridge solution, then config you showed is missing quite a few important settings, such as ...

mkx

And all of that because fasttrack causes packets to skip most of packet processing, which includes encapsulation/decapsulation of packets into/from IPsec tunnel ...

mkx

Regarding "the changes are not necessary", does that mean they are bad changes, or just a waste of time? If you mean this: The previous computer tech was wanting to make these changes ... 1. Turn off UPnP, remote administration, ping,telnet,SSH, and HNAP; set ports to 'stealth'. 2. Change SSID and ...

mkx

Could LtAP mini act as gps ntp server using built-in gps module ? Probably not because it takes much more than simple NMEA datagram reception to set NTP server's clock to precise time. AFAIK Mikrotik's GPS module lacks required interfaces (e.g. 1PPS interface), possibly NTP server lacks required dr...

mkx

I agree with @Znevna as well ... I'm using a weak password (according to password selection rules) and forum keeps accepting it (didn't have to change / refresh it). So it seems like password database actually got somehow damaged during works but that damage did not affect all forum users.

mkx

Is it not relevant that the static IP is on the bridge, and the DHCP client is not on the bridge? And that my only connection was to the DHCP client port? How could a second IP address on the same subnet cause issue if the link is down? The location of IP address (bridge vs. stand-alone ethernet po...

mkx

If router has two IP addresses from same subnet, then it has two possible routes to reach target IP address. Mind that interface, used for inbound packets, does not define interface to be used for return packets. So yes, unless you configure some kind of routing priority[*], setting second IP addres...

mkx

- MAC address (a value and a mask) In the light of MAC address randomization it becomes less and less useful... But that is in fact one of the the applications I have for it :-) Exactly. There are a few good use cases where client device MAC randomization doesn't make any sense and it's good to hav...

mkx

And what You say about HEX S? Better? Worse? (I do not need wifi antenna inside) Not exactly worse. Just different. Nevertheless - slower: will cap at 800-900 in real-life scenarios. If you're extremely lucky. More likely hEX S won't go any faster than 400Mbps when routing/firewalling/NATing while ...

mkx

Does the provisioning fail if you copy-paste individual commands into command window? If yes, then you should be able to identify command which breaks config ... If no, then it might have something to do with timing of commands (e.g. command referring to item which is defined by preceding commands b...

mkx

Check official test results, available for all devices. While absolute numbers don't quite resemble reality, they still show relative speed of devices. If one device is twice as fast in test, it will be approximately twice as fast in reality as well.

mkx

Use VLAN-aware bridge with all ports members of it. This tutorial should explain things pretty well.

mkx

To stay on the safe side (and keep away from frying anything in CRS328 or RB4011) you better don't use PoE in this combination. Power consumption of RB4011 will likely exceed CRS328's PoE out capability with your configuration (at least from time to time). If you really can't use supplied power adap...

mkx

It's really up to application. The main difference between "normal" UDP and UDP-lite is that damaged packets don't get dropped with UDP-lite. That application can do with damaged packets is up to application itself. The idea is that bit stream, as produced by application, has some redundancy built i...

mkx

Shouldn't we be seeing the changelog from 6.45.9 to 6.46.7 not from 6.46.6 ? Going up a major version in a long-term release should be looked over a bit more carefully before we take the plunge.
Yes, that would be logical.

Mikrotik fought the Logic and Mikrotik won.

mkx

Support Memory up to 16GB In RouterOS V6 like RouterOS V7 Don't hold your breath. Personally I'd much rather see MT devs focus on V7 advance than to try to backport everything to V6. BTW, RAM support is about kernel used in ROS and V6 uses ancient kernel. Possibly 32-bit only (on all platforms, inc...

mkx

it seems there is no option to mark as "true answer" for the question in the forum!

There is a way, but only user that started a topic can do it.

mkx

You can't really hide L2 devices on a L2 switched network. So if you really want to hide the rest of devices from certain device, you should contain that "offending" device to its own L2 network (think of VLAN) and then use similar L3 mechanisms (e.g. IP firewall) to limit connectivity between the "...

mkx

When thinking of MTU, one has to keep in mind that MTU is property of a whole L2 subnet, in case of WAN interface that includes upstream (ISP) device. Mismatched MTU size can mean breaking connectivity between devices with mismatched MTU settings, in case of WAN connection this means no internet. Ad...

Search found 4774 matches