MikroTik

mkx

As @anav suggested: post full config of RB and you'll get some quality advice. Until then we'll just bitch around.

mkx

I hardly choose 40Mhz for my cAP because it will get channel not support(?) in CAPsMAN setup. This puzzles me as it's different if configured through capsMan than if it's configured directly on device. But it works for me if I set up like this: /caps-man channel add band=2ghz-g/n control-channel-wi...

mkx

@pe1chl Don't get me wrong, in fact everytime MKX is wrong I do a happy dance and treat myself to a nice cold beer!

I try really hard not to be wrong too often because I don't want you to become alcohol-addict

What pe1chl writes makes much sense to me.

mkx

The only idea about NAS not communicating with the other LAN is that NAS itself has some firewall running or some access filter ... My neighbour and me want to whitelist the devices that the other one can connect to. What is the best / simplest / most performant filter rule to reach this? The most p...

mkx

MT support acknowledged a bug about untagging certain PPPoE packet ... which means PPPoE doesn't work in the following scenario: ISP provides PPPoE over untagged ethernet, which is connected to access port of a VLAN. Somewhere there's vlan interface and PPPoE client is attached to it. As mentioned i...

mkx

But as I want to have the best performance without CPU load i have to go back to the switch menu. Personnaly I don't care about CPU load too much. I mean: why should CPU load be kept to say below 10% most of the time, specially if there isn't a single task which might be bound to single CPU core hi...

mkx

If we're speculating: why should raw rules be stored any differently than tracked connections? Because typically they only contain a fraction of information compared to tracked connections? But then, the connection tracking engine should update state of the connection (to check if e.g. TCP connectio...

mkx

Drawback of using multiple pools per single DHCP "network" is that all DHCP settings (i.e. gateway, DNS server, ...) apart leased IP address are same for all leases served via same DHCP "network". They are good if one needs large number of IP addresses for dynamic leases but the address space is not...

mkx

I'm glad it's working for you now. I'll just bitch about it a little more, I like discussing things I don't know much about :wink: I also read the documentation about VLAN via switch chip and it turns out that only new devices are able to do hardware offload if VLAN filtering enabled in the bridge. ...

mkx

for each packet some cpu cycles will be used to compare with existing list of connections and determine if it's established or related to them and if they can be allowed to pass .... which might be thousands of comparisons if that many connections are tracked by FW at given time. Compared to that, ...

mkx

What about it? Didn't check every detail, but by the looks of it it's a default filter rule...

mkx

Yes. You just have to keep LAN interface list updated.

Generally when constructing some rules one should use criteria which has least possibility of spoofing. Remote attacker can easily spoof src-address but can hardly spoof ingress interface.

mkx

I was guessing wrong about the gain numbers. I was thinking higher was stronger. You were thinking right. What puzzles here is the way that antenna gain is used in ROS. By changing the setting actual antenna gain is not changed, because antenna gain is physical property of anantenna (array) - excep...

mkx

Indeed there is no direct way of setting Tx power of wifi radios on Mikrotik devices. Instead there's antenna gain setting (which you already found), which can be used for what you want to achieve. The idea is this: there are legal limits about effective radiated power of wifi devices (EIRP), let's ...

mkx

Or, to stick with concept used in default firewall setup by MT: use "in-interface-list=LAN"
Right. I still didn't get used to in-interface-list, as it's relatively new and I've been using in-interface for too long.

You're not saying you're old, are you?

mkx

So I ... add the WLAN1 to the bridge ! This doesn't seem to hurt but it seems it's not necessary ... I've had wlan1 interface added to bridge as well. However, when I was looking around while preparing my previous answer, I set /interface wireless cap set enabled=no , removed wlan1 interface from b...

mkx

My reply might not be very constructive, but never the less: your routing is overly complicated and your firewall rule set is not safe at all. My suggestion: reset router to default (if it's a SOHO unit, else apply what's default firewall filter rule set on SOHO routers) and add simple static route ...

mkx

After wireless is up, what do the following commands show? /interface wireless print detail /interface bridge port print detail where interface=wlan1 /interface bridge vlan print detail I don't know what should the output of the third command look like. My setup uses VLANs set up on switch chip and ...

mkx

Yes you resolved your problem but have make you router vulnerable because somebody can send you connections to UDP port 53 and saturate you processor usage! As ongdaka said you ave made your system vulnerable at the moment, That's not the case. Combination of these two firewall rules keep OPs route...

mkx

If a FQDN resolves into multiple IP addresses (which is customary for some CDNs) and obviously only single IP address is needed to establish connection, it is customary to return IP address in round-robin fashion. Thus subsequent requests to DNS resolver will return different results. It is vital fo...

mkx

Is the vlan configuration regarding wireless interface correct? Does it allow to pass all necessary VLAN IDs?

mkx

Try to replace power adapter. Get one rated similarly to original one (24V, 0.38A) or slightly higher (bigger amperage). Or any power adapter providing voltage in allowed range (8-30V) with adequate output power - rated max power consumption of hEX is 5W without attachments (whatever that means) or ...

mkx

You can improve the firewall rule accepting input traffic from LAN by adding in-interface=<LAN>. Or, to stick with concept used in default firewall setup by MT: use "in-interface -list =LAN" I've read about bogons lists in the firewall. Should I be concerned with this and implement rules for this? ...

mkx

I didn't really click apply (don't want to spoil the fun of my family), but I believe it should work like this (I used WebFix - inside web browser - ... if you're using winbox, the process should be somehow similar): Go into Quickset select "HomeAP dual profile" in "Address acquisition" select "Auto...

mkx

Individual trunk member ports should not be members of bridge. Only trunk device is supposed to be member of bridge (the below is "cure" for switchA, apply similar to switchB): /interface bridge port remove [ find interface=ether1 ] remove [ find interface=ether2 ] add bridge=bridge interface=Trunk-...

mkx

So something must be set differently in your case which breaks your SSID-ignoring WDS connection when you use a security profile on it. My guess, completely uneducated: the station with wds-ignore-ssid=yes connects to AP with different wireless security profile ... and in that case the link breaks ...

mkx

> Phase array 60 degree beamforming Yes, but is that the width of the beam? What the total area covered by the radio? One would think that is some multiple of 60. "60 degree" means that generally antenna is capable of transmitting/receiving in direction which is +-30 degree from direction where ant...

mkx

"static IP that is provided by the ISP via DHCP reservation" means you should be running DHCP client on your WAN port. You did not mention the type of your Routerboard. I think recently most SOHO devices come unconfigured and you should follow quick guide to connect to device and use quickset for on...

mkx

Now if you life in a Castel in Nova Scottland (or someplace like that), then the situation is different.

The Chateau in Nova Scotia contains more fibre per sq ft. than a typical bowl of breakfast cereal.

No need for PLC, wireless mesh or any of those low-tech solutions.

mkx

Not sure if it affects winbox connectivity, but IP settings on local interface are wrong: /ip address add address=192.168. 16 .254 /24 network=192.168. 0 .0 broadcast=192.168. 0 .255 interface=Local Address with its netmask is not compatible with network and broadcast addresses. Netmask seems correc...

mkx

Your port forwarding is not working because there is no firewall filter forward chain rule that allows that traffic. Actually there is one, but it's wrong and disabled: add action=accept chain=forward comment="allow NAT dstnat " \ connection-nat-state=dstnat connection-state=established,related \ d...

mkx

Any news about date of release Ros v7? Maybe Christmas gift Christmas in July? Two things: Who said there will be news in July? July is synonym for summer for many people. for quite a few people, Christmas happens in the middle of summer (southern hemisphere) I wouldn't mind some positive news abou...

mkx

Download particular version of ROS you want to install from https://mikrotik.com/download ... extract .npk files you need (check list of currentlyinstalled packages) and manually upload them to your CCR. If version of packages you uploaded is newer than ROS installed on device, just reboot device. I...

mkx

Do I need to just add VLAN interface and set it to eth1, add address for VLAN? It depends on how ISP delivers internet. If it's straight IP (with static IP address or DHCP served), then the way you wrote should work. If ISP delivers internet in some other way, you'll have to adapt (e.g. if you have...

mkx

Do you think i could have damaged the card by trying it without the antennas connected? It might get damaged ... depends how PA of Tx chains react to largely wrong impedance on its output. I think, however, that damage is not very likely. Just connect some (at least semi-proper) MIMO antenna and it...

mkx

I did some extensive tests on a RBD52G (a.k.a. hAP ac²) ... it's not really comparable to RB750Gr3 (different architecture, different block diagram), but if one compares published test results it can be expected that RB750Gr3 can do 1Gbps wire-speed switching/bridging (including VLAN filtering) ... ...

mkx

Just another thought: does degraded performance of Tx-1 correlate with lower signal strength, measured by client at the refference spot? Personnaly I often use "WiFi analyzer" on android gadgets, but similar software for other platforms/OSes exists as well ...

mkx

So it seems that Tx chain 1 is busted (hopefuly another ROS updrade will un-bust it). I'd keep both chains active for Rx, it might help with UL.

A thought: did you only upgrade ROS or routerboot as well? If you haven't, you might wanna try.

mkx

Which speed does drop, UL, DL or both? If DL, then it's probably the RF power amplifier on Tx-1 chain. If UL, then it might be pre-amplifier of Rx-0. If both speeds suck when using same chain for Tx and Rx (0 or 1), then may be the antenna is the cause of trouble. Or cable between the board and case...

mkx

Look at CRS devices ... they are good switches and mediocre (by today's standards) routers ... but should still perform better than old unit such as RB493. CRS109 seems like almost a drop-in sans availity of miniPCI and miniPCI-e slots.

mkx

You switched off MIMO and set your RB to use one antenna for Tx and another one for Rx. Which doesn't really explain why this solves your problem unless there's some HW problem with RB (duplexer malfunctioning) or your wireless client(s) don't support MIMO (802.11 n devices should support it). In th...

mkx

It seems that the way how multiple DNS servers, set up in /ip dns , are utilized in ROS, is to use one until it fails then switch over to another one and use that one until it fails, etc. So use of multiple DNS servers is fine as long they all resolve whatever needed. In your case, the second DNS se...

mkx

Adding to what @td32 wrote: I've seen cases when a wireless device refused to "see" SSID operating on channel 13 even though it supported it ... until device determined it was actually allowed to use channel 13 (one example: it was a pristne new LG G4 mobile phone which wouldn't see WAP until I inse...

mkx

My guess: MT devs implemented some HW accelerated crypto on kernel 3.3 (used by ROSv6), then management decided to speed up development of ROSv7 and devs went on to implement the rest of crypto in HW for ROSv7. So forget any new functionality in ROSv6 as all development time goes to v7. I hope the a...

mkx

3) If I use router and configure it as switch can I use the USB port still to share data ? If you run ROS on device and configure (at least one) IP address, then you can also run whatever service ROS offers (including file sharing if you will). You don't necessarily need to run routing and configur...

mkx

Mikrotik seemingly decided at some point that they don't want to play whack-a-mole with users throwing together random pieces of hardware and stopped development of x86 ... in favour of CHR. Indeed VM layer takes a toll (some CPU cycles and some features), but provides hardware abstraction layer mak...

mkx

In one of your previous posts you mentioned that you didn't add static routes to the main routers yet. Traceroute shows that the static route exists on your side, what about the neighbours side? If neighbours main router doesn't have static route yet, it is logical that traceroute can't work beyond ...

mkx

On most sites I run internal DNS (on separate small server) ... so when I set static DHCP lease, I also add (by hand) that device to DNS system.
This you can do on the MT Router itself. No need for an external server.

I know ... and that's not the point.

mkx

Isn't connection considered one as a whole regardless the direction of packet flow? Meaning that any connection initiated from LAN will be marked as upload because initial packet will be flowing from LAN towards WAN. Likewise connections initiated by some internet hosts will be marked as downlink. T...

mkx

You should not add sfp interfaces to bridges ... traffic between LAN and neighbour's hEX should be routed, not bridged. Be careful about firewalls and connection tracking on main routers. After you add static routes towards neighbour's LAN to your main router (using hEX as gateway) you'll have a rou...

Search found 2252 matches