MikroTik

mkx

Simplest config would be if you directed clients to use 10.10.10.1 as their DNS server. In that case you don't need any of shown NAT rules, single rule performing SRC-NAT for traffic towards WAN would do (a limited version of your current last rule). If your clients are configured to use whatever DN...

mkx

They're provisioning everything on their RADIUS server ...

mkx

1. Port-based VLAN versus bridge vlan filtering depends whether you want to use device as router/switch combo or as plain router. The guy in video is using leftmost device as plain router and bridge is not needed at all. If you want to use multiple ports on CCR to carry same (V)LAN, then you should ...

mkx

Known issue with most (if not all) RJ45 SFP modules is excessive heating due to high power needed to transmit data at 1Gbps through UTP cable. Long stretch (70 metres) adds to the problem. RB4011 being passively cooled device adds (big time) as well. I suggest you to keep using the ether1 port until...

mkx

How are you using the SD card? Over network using CIFS? CIFS server is known to be slow in ROS, RB device is not intended to replace NAS device.

mkx

Investigate if RF channels, used for links 1-2, 3-4 and 5-6 overlap. Note that it's not enough that these use different channel numbers, it is necessary that there's no overlap of channels used. Use this document to verify frequency ranges used by individual channels (depending on channel width).

mkx

so I'm guessing additional load increases the power requirement It does. It is "only a few watts", but that can mean that voltage drop on the UTP cable becomes just a tad too big. As you're powering the gear off a battery, you may want to do some measurements of efficiency of the DC upcon...

mkx

Your case is slightly different then the case from your links as both paths are completely separate (not the case with second link) and have pretty different characteristics (not the case with first link). You may get better results if using policy-based routing.

mkx

Not sure if buffer on switch is per-port or is it common for while switch chip. If it's later, then a slow port can exhaust buffer making faster ports suffer.

mkx

v7 will have much better support for most of hardware, including x64, support for more than 2GB RAM (also on CCR2004 IIRC), many more supported peripherials under i386/x64 (storage devices, 10Gbps+ NICs, broadband USB sticks, ...). Could well be that lack of x64 support in v6 is due to proprietary d...

mkx

It seems a workable configuration, possibly something will pop up when you try to actually use it ;-) Another question: does the LAN GW (@10.13.2.1) know about CCR2004 being gateway for subnets 172.26.11.0/24, 172.26.12.0/24 and 172.26.13.0/24? If it doesn't, you'll have to configure some NAT on CCR...

mkx

One thing: switch (and you're using CRS317 as a switch) doesn't need VLAN interfaces for all VLANs that are passed between switched ports. Meaning you only need interface for management LAN (in your case that's ether1 used as MGMT interface ), but you don't need any of vlan 26xx-* interfaces. For OO...

mkx

You still have a problem: both WAN and MGMT interfaces are members of same IP subnet but the interfaces are not members of same L2 subnet (which is usually necessary). /interface ethernet set [ find default-name=ether1 ] name=MGMT /ip address add address=10.13.2.13/24 interface=MGMT network=10.13.2....

mkx

There are L2 ports , which are bridged together to single L2 (ethernet) domain. All member ports have to use same max MTU size (not to overrun some interface). Bridge switches ethernet frames between member ports according to MAC table. There are L3 interfaces which carry IP (or IPv6) addresses. Rou...

mkx

There was a discussion about required HW for wave2 drivers and disk size larger than 16MB was IIRC one of them. Supported devices (Audience, hAP ac3) have 128MB storage ...

mkx

What @joegoldman wrote, is advanced stuff. According to the network topology chart you don't need any advanced stuff (you only have one upstream gateway from CCR2004 so no VRFs or other bells and whistles).

mkx

Your setup as per network diagram would actually work without any bridge. You actually set up things that way, you just don't know what to do with bridge. Just omit all setup under /interface bridge . And in order for MGMT to work, you'd have to rename interface ether1 to MGMT: /interface ethernet s...

mkx

If you don't go into some advanced stuff, then ROS will route through interfaces with appropriate IP address set. E.g. if you have bridge1 with sfp-sfpplus1,sfp-sfpplus2 and sfp-sfpplus3, bridge2 with sfp-sfpplus4,sfp-sfpplus5 and sfp-sfpplus6 and ether1 (for OOB management), then you will probably ...

mkx

Not gonna happen. With that port spec, it would be CRS320-16P-4S+RM.

mkx

Surely log has something regarding failed package installation?

mkx

ROSv6 is based on linux kernel which pre-dates NVMe hardware, so I don't think ROSv6 will ever work off NVMe. ROSv7 might work, though it's in late alpha / early beta stage.

mkx

If you only want to isolate LAN beyond ether2, then only perform steps I listed for ether2. E.g. remove ether2 from bridge, set IP address from a new IP subnet to ether2, add DHCP server on ether2 (with appropriate settings for selected subnet), add appropriate firewall rules which will block connec...

mkx

In ROS, every interface (ethernet, SFP, wireless, tunel endpoints, ...) can be used either standalone or as bridge port. Management interface on CRS317 will appear as ether1 and you can set up L3 settings for management lan directly on ether1. I guess you'll want SFP+ ports (appearing as sfp-sfpplus...

mkx

I didn't see my hAP ac2 reboot since 6.43.something. I've always had ntp package installed and active. I'm also using IPsec (implicitly, I'm running ipip tunnels). Current uptime with 6.47.9 is 20 days (since I upgraded ROS).

mkx

It would, but his current setup is default which "only" drops everything from WAN. I was writing task list according to his current config, not according to your golden standard.

mkx

You did not clarify about how dumb switches in buildings are connected to RB4011. Assuming each of those switches is connected to individual ethernet ports of RB4011 and assuming you want to run one subnet per building, then: construct 4 subnet pools for DHCP servers remove appropriate ethernet port...

mkx

Network diagram is needed indeed. The simplest network topology with one subnet per building and one building per RB4011 ethernet port does not require smart switches and VLANs, some reconfiguration of RB4011 will do. However if you want to segment networks in the buildings (or have flexible configu...

mkx

The src-nat rules are "too greedy": add action=src-nat chain=srcnat src-address=192.168.1.0/24 to-addresses=xxx.xxx.xxx.250 add action=src-nat chain=srcnat src-address=192.168.2.0/24 to-addresses=xxx.xxx.xxx.252 add action=src-nat chain=srcnat src-address=10.0.0.0/24 to-addresses=xxx.xxx.x...

mkx

I'd say it's the issue with linux kernel and drivers and as such not very likely to go away in ROS. I checked on my ubuntu desktop, running linux kernel 5.4 on CPU with 4 cores (and HT). Most peripherials (e.g. built-in USB hub, ethernet NIC, sound card, ...) see their interrupts served by same logi...

mkx

This is one of default firewall filter rules, present in SOHO line in 6.47.9:

/ip firewall filter 
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"

mkx

To use the 10G sfp to connect to my switch instead of ether2 do I need to somehow add it to the bridge?

Yes, add sfp-sfpplus1 to bridge local. After that you'll be able to replace ethernet connection with SFP.

mkx

Doesn't look like. But examination of textual export would tell. Execute /export hide-sensitive file=anynameyouwish in terminal windiw, fetch resulting file and copy-paste contents into [ code] [/code] block (square brackets icon just above post editing window). You may want to skim through config a...

mkx

First answer to question #3: it happens, but it's not normal. It means that firewall does not block these connection attempts so you actually see attempts (hopefully it stays at attempts). And that means you have to do something about firewall. If you just started off with configuring your router, t...

mkx

If that really works all around, wifi will be irrelevant in the next decade. It does work if user only cares about internet and there's LOS between device and base station (forget about 600Mbps when in toilet or wine cellar). OTOH if one has home LAN with services reserved for LAN users, wifi will ...

mkx

Seems quite right to me. What I see on my LAN: router's link-local address is passed as IPv6 src address (dst address is ff02::1 which means "all nodes" according to RFC4291) ... and it seems that SLAAC clients take this address as proper default gateway. setting "Router lifetime (s)&...

mkx

These settings won't allow device to route between subnets, it's switching between ethernet interfaces. Instead, you should end up with configuration like this: /ip address add interface=ether3 address=192.168.8.42/24 # adjust address to what other devices in 192.168.8.0/24 expect add interface=ethe...

mkx

If the only functionality you need is routing between two subnets, then current config is overly complicated and in large part simply wrong (e.g. both interfaces are bridged while they shouldn't be, you have SRC-NAT enabled, ...). Fetch winbox, then reset router to no configuration. Connect using wi...

mkx

With router having addresses properly set[*] on two interfaces (and having proper network mask set, in your case subnet mask is most probably /24 in both cases) and without anything in firewall, router will pass all packets between both subnets ... if those packets arrive at router, which implies pr...

mkx

I don't think Mikrotik (if that's your local router) has anything to do with it, it's your VPN which is greedy taking over all of traffic. Many VPN setups do it, excuse is that if a PC becomes member of another LAN (via VPN), it should not become potential bridge between both LANs. Depending on VPN ...

mkx

Run command /ip route print with gateway setting enabled and disabled and see what is tge difference.

mkx

No way. Binary backup can only be restored on same model ... and even that is not recomended due to some settings which override HW properties of "receiver" (e.g. interface MAC addresses). Which means you have to re-do the config on your new router anyway. If you had text export from RB751...

mkx

Interconnects are (almost) always full-duplex.

mkx

Betas in v7 line come out quite infrequently. I expect most of new functionality in v6 to land in v7 betas soon. However in v7 quite a few old functions from v6 are missing and I guess development in v6 and in v7 is not parallel at the moment.

mkx

So it seems there isn't a quick-set that would entirely fit your requirements. What you can do is start off with quick-set which serms closest to what you require and make remaining changes manually. I don't have much experience with quick-set, but it seems that "Home Dual AP" is close. I'...

mkx

I'd replace cable connecting RB and UBNT ... marginal cable can cause lowering the negotiated speed.

mkx

It's the matter of controlling air flow. If there are only "suckers" at one side, then air will escape the unit everywhere. If you have a "sucker" and a "pusher", then air will mostly flow between the two fans. If device case and device internals are designed to force a...

mkx

I would expect DLAN to be transparent for VLANs (as is a dumb switch, only requirement is support for 1504 byte MTU). To rule this out, try to connect AP directly to ether3 of your mikrotik. If it still doesn't work, then its configuration mismatch. If it works with direct connection but doesn't wit...

mkx

If I understand you right, then AP sends tagged packets over wifi? The idea is this: wlan interface happily passes tagged frames, you just have to deal with tags on bridge. The wlan interface should not be configured with any of vlan-related properties, those are onky necessary if wlan interface its...

mkx

Only if logs are sent elsewhere (not to memory), such as disk or network syslog server.

mkx

Complete configuration tree is possible to get by executing /export (with optional parameters, such as verbose or terse or ... Use [tab] key to get printout of posible parameters).

If you're asking about (scripting) commands, then I don't know a way of getting complete list of commands ...

mkx

Filter rules are matched from top to bottom. You want to push your blocking rule high on the list.

I've already explained the ports in my previous post.

mkx

If you intend to install ROS on bare metal, then you better wait for ROS v7. It will come with greatly improved support for modern NICs. If you intend to run CHR, then HW support is up to Hypervisor you're going to use. In any case I'd go for CPU with smaller number of high-performance CPU cores ......

mkx

Port numbers are always the same on server's side (and are standard/well known). Port numbers on clients' side (source port in your case) are random and different each time, this is completely normal. What makes thing suspicious is number of clients conecting from same IP subnet, sometimes it indica...

mkx

Just to mention (even though it might be obvious): for CAPsMAN configuration you need wired connection between router and cAP.

mkx

The rumour goes that antennae of hAP ac3 are only uglier versions of those of hAP ac2 ... that performance is similar. Audience is a completely different beast on 5GHz though. It has two 5GHz radis, one is dual-stream and one is true quad-stream (MIMO 4x4). They can be used at the same time as they ...

mkx

Step #3 is done on cAP ac ... if cAP ac doesn't have wlan, then I don't know anything.

mkx

It's about DNS service (UDP port 53) and should be blocked for internet connections. Default firewall blocks it already. It's not clear if these log lines are from a drop rule (which is then fine and you should stop logging it) or they are from accept rule which means you allowed those connections. ...

mkx

As others mentioned: Mikrotik doesn't offer cheap switches with multiple PoE-out ports. So you'll probably have to look elsewhere. If you're after cheaper switch (CSS family in mikrotik world) with simple web-ui management and without L3 capabilities, then mikrotik might not be optimal choice anyway...

mkx

It seems a whole /24 subnet of source addresses: 45.142.120.0/24 ... and occasionally some other src-address ... if this is gateway to a typical home network, then dst-ports are suspicious: plain sever-to-server SMTP (TCP port 25) and SMTP submission (TCP 587). If OP is not running kind of public em...

mkx

If the command above fixes the problem, then proper solution (assuming most of firewall setup is default) is to add interface VLAN1425 to WAN interface list ... same as pppoe-out1. After that remove the setting above, it should not be necessary anymore.

mkx

I'm not sure what's your definition of "low end". CRS328-24P-4S+RM seems to be the cheapest device offering 24 PoE out ports ...

mkx

Actually yes, both networks use IP 192.168.0.1 as gateway. Apart from suggestion by @anay (which is not out of place at all) ... so you have single Mikrotik router separating (at least) two LAN subnets and WAN? If you don't want to follow anav's advice, then you'll have to post current config of ro...

mkx

There's one major trouble: hospital network (192.168.0.0/16) "contains" pharmacy's network (192.168.41.0/24). If those are really network addresses in use, you'll have to perform NAT on mikrotik and for that you need to know details about communication between server and PC. The other prob...

mkx

Your VLAN setup seems completeley screwed to me. I suggest you to slowly go through this tutorial . Other than that: one of most important points in dividing network to VLANs is to contain broadcast traffic within single subnet. If you need raspi to listen to Davis broadcasts, then raspi should be m...

mkx

When using ROS device as wireless client, it doesn't matter what options you have enabled (e.g. tkip, b/g, ...) because client can not force AP to work in certain way, client has to follow AP's setup to certain degree and AP preferences overrule client's if both support same features. So if you disa...

mkx

At what point will I slowly convert? Will it first be my IP address given to me by the ISP is an IPV6 address and my LAN is IPV4? After that??? As stated I dont want my fridge IPV6 address to be accessible outside my router, unless talking to the fridge company cloud I suppose. Conceptually IPv6 is...

mkx

There is no way to install ROS version lower than version installed in factory.

mkx

I would: Make a full export ( /export file=anynameyoulike *) ) Reset device Upgrade to latest version Import the export file *) Do not forget to copy the export to a computer I'd do it differently: Make a full export ( /export file=anynameyoulike *) ) Upgrade to latest long-term version Reset devic...

mkx

I think the show stopper is that firewall filter does not include rule which actually allows DST-NATed connections. Constructing DST-NAT rules is not enough in Mikrotik world (mind that this has its merits). Default configuration has a rule (the last in list) which combines allowing dst-nat-ed conne...

mkx

It seems that all CCR1009 have same CPU built in and I would assume that they all feature same HW encryption device with same performance. So you can have a look at performance tables of some other CCR1009. Performance table for CCR1009-7G-1C-1S+ indicates that realistic max IPsec throughput for sin...

mkx

/tool speed-test is quite heavy on router's CPU and can easily be bottleneck itself. So if you really want to check VPN throughput, use PCs connected to each router and run iperf test through routers and connection between them. Other than that, both CCR2004 and CCR1009 support HW encryption for VP...

mkx

I'm not saying DHCP client in ROS is bug free. I'm just saying that regarding re-lease timer ROS DHCP client works according to RFC and that @sjafka was looking at wrong symptom (which is clearly explained by RFC linked by @tippenring). IMO the only problematic thing was you laughing at @tippenring ...

mkx

If you can access your router via IPv6 from some internet site, then IPv6 is fine between your ISP and your router. If at the same you can't access (ping) LAN devices, then it's most probably due to device's own firewall. If you can access your router from some intetnet sites, but not from the other...

mkx

I can uderstand everybody who decide not to install beta version, it's their gear, their time, their life. But why bitching about quality of betas (or lack of it)? Either accept the lack of quality of betas and proceed to test (reporting issues etc.) or stop testing and shut up about it.

mkx

Your RB960PGS is running ancient ROS version. Do yourself a favour and 1) create asciii export of configuration executing /export file=anynameyouwish , 2) transfer resulting file to managemrnt PC, 3) upgeade to latest long-term (currently 6.47.9) 4) reset to factory defaults and 5) re-do whatever ve...

mkx

I think it's one bridge per switch chip, not per device You're right. I just didn't want to go too much in details as only a few models feature two switch chips (RB2011, RB3011 and RB4011) and with those one has to be extremely careful to create bridges not spanning ports from different switch chip...

mkx

Here's how DHCP works per https://www.ietf.org/rfc/rfc2131.txt
Lol, this is a bit stupid, refer to a RFC is a to easy answer.

If you refuse to read RFC which explains why MT behaviour is correct, then perhaps Mikrotik is not right selection for you.

mkx

Example command as below. set bridge=BR1 tagged=BR1 [find vlan-ids=10] Now the vlan is functionable, but when I export and check the configuration file. I can't see the above command in it. The command is essentially included in the command below: /interface bridge vlan add bridge=bridge1 tagged=br...

mkx

Forget about DHCPv6 server on MT. ND advertises prefix which corresponds to IPv6 address set to corresponding router interface. For example: # let's assume you have two LANs connected to ether2 and ether3 respectively /ipv6 address add address=::1 from-pool=internode interface=ether2 add address=::1...

mkx

Tagged+untagged (a.k.a. hybrid) : ingress-filtering=no OR frame-types=admit-all ingress-filtering=yes

It actually should be the later (with ingress filtering enabled) to enforce ingress filtering acording to allowed VLANs as configured in /interface bridge vlan ...

mkx

Csn you ping router itself from internet? E.g. ping 2a10:f300:1:1::1 ? You're pinging a LAN host which may have its own firewall blocking pings. It may have multiple IPv6 addresses in use and is not replying to pings on most of them ... You can verify addresses actually in use by router running /ipv...

mkx

If cable connecting hEX PoE and camera is long, then detecton/negotiation can fail due to excessive cable resistence. In such case forcing PoE out can help but it also depends on voltage drop over cable, 802.3 af/at requires at least 37V at PD (camera).

mkx

You did not mention device model you have in mind. Anyway: CRS3xx are switches. These work best if using single bridge because only one bridge per device can be HW offloaded. The same is true for all other MT devices with switch chips built in, even though some devices have relatively fast CPUs ther...

mkx

Is possible to tell me which changes do you suggest on the network by the new configuration? I didn't have anything in particular on my mind. Nowdays it's common to have a few IoT gadgets in the household and generally its good practice to keep those in separate (V)LAN heavily firewalled in all dir...

mkx

I suggest to have PoE set to off on all ports where peer does not expect to be PoE powered. Checks done to verify that remote device is PoE client are pretty basic for passive PoE and can fail quite easily. And if RB960PGS wrongly decides to power remote end with 48 volts, it can cause damage on bot...

mkx

Did you know that /export verbose works when /export doesn't? For me that was a great discovery! No, I did not and I agree it's worth mentioning. However, issue with running export (without any options) had been reported many times so far it's really stale by now and because it did not get fixed it...

mkx

It's not clear to me how duties are shared between both MT devices and where BGP enters the game. You did not mention the other device's model, but CRS328 is not a router, it's a switch. Sure it can route but performance is next to none (compared to switching performance). Anyway, have a look at thi...

mkx

why is that functionality ( set disable-running-check=yes on wireless interfaces ) not turned OFF by default and furthermore why has not the wifi guru himself, "bpwl", not recommended this setting (if he has I missed it unfortunately) It's not turned off probably for the same reason bridg...

mkx

I wish MT acknowledged the problem so that not everybody (and their dog) reports it as some great discovery.
It would be even better if the problem was fixed ASAP even though this problem probably doesn't affect normal device operation.

mkx

I also noticed that /system/backup/save dont-encrypt=yes name=foo is even faster than any export. ROS v6 is like this as well and it's easy to explain: backup file is a mere a collection of binary configuration, I guess a combination of memory dumps (or may be not) and pre-existing binary configura...

mkx

When ports are members of a bridge, the frames are forwarded via select egress ports depending on (learned or statically set) MAC table. Which means that most frames egress only relevant port and only a few (broadcast, multicast and yet unknown unicast destination) frames are egressing all member po...

mkx

Since such a general-purpose plugin would require a complete pass-through (both configuration and traffic), so why bother to build-in such an add-on board? Use standard interfaces (such as 1000Base-Tx) and be done with it. Making option to build-in such a solution would open a huge can of worms and ...

mkx

I don't think you can get per-VLAN statistics for fully hw-offloaded ports ...

mkx

Run CPU profiler to see if some CPU cores are maxed out. 25% average CPU load could as well be 9 CPU cores at 100% while others are idle.

mkx

@mkx Plausible explanation. Does this still apply if I'm using capsman and local forwarding?

I'd expect it does, but I'm not sure.

mkx

As I explained: connections (including pings) from any client (any of subnets, internet included) to any of router's IP addresses is handled by chain=input. So if you have as last rule in input chain one dropping everything, and none of preceeding rules allow that particular connection, then pinging...

mkx

Backups are not portable between devices. Not really between devices of same model, much less between different models. Importing exported config is more likely to succeed, but it's not recomended either. The recomended approach seems to be to export config from the old device, then open it in text ...

mkx

Given fragility of netinstall process which is likely to fail even with direct UTP connection between netinstall server and routerboard device ... it would surprise me if this would work. I'm not saying it's not possible though ...

mkx

The router you have is old and slow. Check official test results ... the most real-life numbers are usually under "Routing - 25 ip filter rules - 512 byte [packet size]". As you have 1Gbps internet connection, you'll need a newer and faster device. Search for one through product pages and ...

mkx

No, there's no netinstall tool for ROS.

mkx

Is that correct?

Yes.

I concur that ROS learning curve is steep indeed. It helps if newbie has good knowledge of how linux kernel works but that's not common at all.

mkx

But my question is... if MKX's original rule using the forward chain can't block a ping between the two networks how does it block any other network traffic? What am I missing in my understanding. It has been explained a few times before, but I'll try to do it again. Packet passing router[*] in any...

mkx

@anav went fly-fishing to a pond. As no fish cared to bite, he fixed it by going to fish market instead.

mkx

When wireless interface has no clients connected, it toggles port state to "not running". When first client connects afterwards, interface state toggles to running. This in turn trips xSTP to check for loops and before check finishes, no traffic can pass that bridge port. Time necessary fo...

mkx

There are a few errors in your configuration: /ip address add address=10.38.25.31/16 interface=ether1 network=10.38.0.0 add address=192.168.214.1/24 interface=ether5 network=192.168.214.0 # The following two lines should be removed add address=10.38.25.31 interface=ether1 network=10.38.25.31 add add...

mkx

In the linked page, note the "routing subnet" between router1 and router2 ... it is important and makes life of both routers easier. The thing is that in usual SOHO networks router1 runs a stateful firewall as well ... and this firewall can trip if it doesn't see traffic in both directions...

mkx

If you have wires all over place, then you probably don't need to have "mesh" ... "mesh" usually means that wireless APs use wireless both to connect towards router and to serve clients. If you have wires everywhere, then you'll just connect APs to wires and run them as normal AP...

mkx

What is server's default gateway IP address? You can only route traffic from Sophos network via MT is either server or its default gateway know to use RB as gateway towards Sophos network.

mkx

Check firewall on the Computer ... some OSes (Windows most notably) consider anything but it's own subnet to be evil internet and block pings originating from other networks.

mkx

It's what @tdw wrote: when packet arrives at some ROS interface, ROS first determines which chain to use. And if packet's destination address is any of router's own addresses (in-interface is not considered when determining chain, neither is src-address), it will be handled by chain=input regardless...

mkx

What happens if you add individual interfaces first and remove interface=all at the end? You can check actual bridge port list (and flags) by running /interface bridge port print at each step to see if things progress in desired direction. Another possibility would be to add at least one of individu...

mkx

which of these rules prevents access to services on the mikrotik itself (winbox, webfig, ssh etc)? None actually. Default firewall filter rules have this stanza et the end of rules for chain=input : add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-l...

mkx

Many MNOs protect their mobile clients (not really known for their security) using a firewall. Even if client's IP address is not NATed, it is still subject to firewall rules. And very often those firewall rules are pretty restrictive.

mkx

Why can I not get the full throughput to the internet?? Because RB2011 is an old and (for today's standards) slow router. Check official test results and concentrate on number in "Routing 25 -> ip filter rules -> 512 byte [packet size]" which seems to be the most relevant for real-life us...

mkx

One error in the script: # OFFICE VLAN interface creation, IP assignment, and DHCP service /ip address add interface=OFFICE_VLAN address= 11 .0.10.1/24 And I guess you do have a DNS server running @ IP address 10.0.0.1 ... Without knowing the full context, IP setup seems messy. And you're surely awa...

mkx

If you're doing it optimally (single bridge with vlan-filtering=yes), then whatever you'd do differently you'd loose performance.

mkx

In RouterOS no, it is not possible to load custom drivers or any other part of software.

mkx

Right you are, it should be admit-all ... which is default and thus is not shown in your configuration export. Regarding GUEST-AP: I don't see anything wrong in hAP lite configuration, tagged frames with VID=20 should pass it. If GUEST-AP on hAP lite works fine, then I would suspect configuration on...

mkx

I don't even want to imagine how a 1U sounds like :D Like a small jet plane taking off (the large jets are louder, but their noise is more bearable for me). When talking about servers in SOHO environments, one should not forget about power consumption. A decent server has idle power consumption wel...

mkx

Bridge is something like a switch. So if machines are in same VLAN / IP subnet, then you want ports bridged/switched. If machines are in different VLANs / IP subnets, then you can't do anything else than routing and for that ports have to be treated as separate interfaces, each having own IP address...

mkx

I did not write that the solution shared was a no-go (I wouldn't post it at all, I'd let somebody else do it), I just wrote my opinion about the right (best) solution. But that's only my opinion and surely not everybody agrees.

mkx

If APold is client to APnew, it will communicate occasionally. If the devices are physically really close, then their Tx power is too high and will mutually overpower each others receiver. Client overpowering APs receiver means lots of interference for whole APs wireless network. If you want to use ...

mkx

Can you please help me in that direction?

I already did ... either copy-paste the code to terminal window or change setting through GUI. I'm not fluent in ciscogibberish, so I couldn't guide you towards all-tagged setup.

mkx

@tdw pointed out that frame-types=admit-only-vlan-tagged could not work because ether2 is configured with VLAN10 untagged & VLAN20 tagged. My needs are that a device connecting on the Cisco would, depending on the SSID (SOHO or GUEST) be restricted to the particular VLAN. Stressing that my unde...

mkx

If an USB device appears under /system routerboard usb this doesn't mean ROS has a driver for it. ROSv6 has pretty limited support for peripherials, specially modern ones. Reason being that current ROS is based on outdated linux kernel (and I guess quite some then-existing drivers are omitted from R...

mkx

Superwhat? It must be some Yankee stuff again, I'm surprised you Canadiens fall for it so often. ;-)

mkx

No, ROS doesn't reboot automatically, you'll have to do it manually. Or not, with mature devices routerboot firmware mostly doesn't change at all between ROS versions so there's no need for immediate reboot. When device reboots next time, it'll run updated routerboot as well. If you run into some tr...

mkx

It doesn't seem to be possible to have port mirroring with software bridge. You might get some useful idea from this topic: viewtopic.php?t=131332

mkx

I think your settings (auto-negotiation enabled and advertised all speeds) are fine. Also l2mtu of 1520 should be just fine for now. Just keep in mind to check all ethernet settings if something breaks ... The thing about ROS versions I mentioned: when upgrading ROS version, settings are not changed...

mkx

Well, I missed the fact you're using the device inside LAN. To achieve what you want it would best to configure device from scratch like this: Download winbox to your management PC connect management PC to router using one of ether2-ether5, run winbox and click MAC address of router to connect to it...

mkx

anav, my friend, I was trying to teach OP to catch a fish ... not to go to a supermarket to buy pre-fried fish sticks.

mkx

It is not possible to upgrade routerboot before device reboots to upgraded ROS version. The only corner that can be cut is to set /system routerboard settings set auto-upgrade=yes which saves administrator from executing /system routerboard upgrade after ROS upgrade. Another reboot is still necessary.

mkx

Firewall is cripled beyond any usable protection simply because of first (top-most) rule allowing just any connection from WAN towards LAN.

mkx

A bridge spans multiple ports. So you'll need two bridges, one spanning ether2 and ether3, the other spanning ether4 and ether5. Bridges come with implicitly created interfaces, which are members of same bridge. These interfaces allow ROS to interact with subnet. So you assign IP addresses to those ...

mkx

1. **port** is a layer 2 concept. Anything that has a MAC address is an ethernet port. Phyisical interfaces: ether2, ether3 and ether4 are ports. The bridge itself is a port (it has a MAC address). The virtual interfaces vlan20 and vlan30 are also ports. Bridge itself is not a port. Bridge has two ...

mkx

Does it only happen when router is trying to connect mikrotik servers or it happens from a PC behind the router as well? If you have a linux PC handy, you can try to see where connection breaks by running tcptraceroute (probably something similar exists for other OSes). For me some hops in Latvia fa...

mkx

Probably nowdays there is no good reason to use two fibre strands for a duplex connection. Historically there were numerous reasons for that, two pretty important were these: fibres used to have usably low attenuation in narrower wavelength bands around 1310 nm and around 1550 nm while attenuation i...

mkx

There's the all-in-one approach where one box does it all. And there's "building blocks" approach where a few specialized boxes are used, each doing part of a job. Each approach has its pros and cons. Whatever you choose, if you want job done properly, you'll have to master the setup. Gene...

mkx

I think you could disable MSTP on all APs ... and leave MSTP enabled on switches. You only need MSTP on "core" of your network, where loops can happen duue to redundant links. If, OTOH, you'd connect same AP to two of your core switches at the same time, you would have to run MSTP on APs a...

mkx

The idea behind 802.3 af/at handshake is that PSE doesn't apply power to non-compliant PD. cAP ac is 802.3 af/at client, so that PoE injector happily provided power. cAP ac as PSE is not 802.3 af/at compliant, it can only work according to MT's proprierary passive PoE implementation. It is quite sim...

mkx

Usual execution of export command only shows settings different than bare minimum default. For ethernet ports current default ( export verbose ) is set [ find default-name=ether1 ] advertise=\ 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto \ auto-negotiation...

mkx

There are two things you should check: any xSTP run on bridge causes quite some delay for bridge port to get enabled after it enters "running" state. For that reason its best to disable it unless you absolutely need it (e.g. your network topology is a ring-shaped for failovers). That being...

mkx

There are two ways of getting said device work in ROS and they (most) probably both involve ROSv7 (so you probably should ask this question in subforum dedicated to v7): either driver for that device lands in mainstream linux kernel really soon (and MT devs pick it up before finalizing v7) or MT dec...

mkx

There is no way that normal L3/L4 firewall prevents malware from being installed on computers behind it. For that one would have to use proxy server (the non-transparrent one) which does full anti-malware (and antivirus) scan ... which is not really possible to do "on the fly" while file (...

mkx

Will never test betas again ...

If you can't accept random things broken, then beta testing is not for you. No need to publicly announce that, we'll accept your decision regardless.

mkx

Will be there no further V6.48.XX versions?
From the doomed V6.48 straight to V6.49?
I would guess we will get a 6.48.1 today.

Yup. At around 16 hours EET (which is 14 hours UTC, do the maths for your own time zone yourselves).

mkx

However, you might fry the radio by going that low. Probably not. According to information from MT staffer, ROS picks lowest number of (card rates, country limit, manual Tx power setting) as Tx power at any rate used. So by setting antenna gain to 0 (and choosing country with most generous Tx power...

mkx

You did not write anything about SFPs you're using. Mikrotik seems to be quite picky about supported SFPs. Here's official compatibility list: https://wiki.mikrotik.com/wiki/MikroTik ... lity_table

mkx

AFAIK all MT devices can do passive PoE (either IN or OUT if they are PoEout) even if quick specs say 802.3 af/at. OTOH MT devices won't do voltage conversion for PoE out. If they are powered with voltage outside normal 802.3 af/at range (44-57V), they'll provide PoE out without 802.3 af/at negotiat...

mkx

So MikroTik, please say .. something!

In case you missed it, in post #303 above Mikrotik did say something.

mkx

Not sure how ID property is used in API, but I suspect it's similar to CLI. In CLI ID property is dynamic and doesn't exist until elements are listed (e.g. with print command). Which means ID is useless in scripting, one has to use other means of selecting the right element (e.g. to change its prope...

mkx

Check, if SFPs in port7 and port8 actually establish a link ... The optical link is set for auto-negotiation which doesn't exactly work with optical SFPs, in ROS it is usually necessary to fix port speed to whatever remote end expects. OTOH you have autonegotation disabled on port8 (RJ45 SFP) which ...

mkx

m could be any of the following ?
miles
meters

also
molecules ( really really close stuff )
milk ( yea the white liquid stuff )

Sure. That's where context helps.

Anyway, even it might be off by a few orders of magnitude, your suggestion makes sense ... in different context ;-)

mkx

Yeah but Tom is a Yankee, its all square miles when you put in an "m" in there! ;-)

Well, Yankees are known not to know what units to use. Last time they tried to do anything coherent, they crashed Mars climate orbiter ...

mkx

Since PE device doesn't do much (encapsulation of packets ingressing through extended ports and decapsulation of packets egressing through extended ports; and I certaily hope that's done in hardware), you don't really need any resource monitoring. I guess failing extended ports will show as such in ...

mkx

When there was a discussion about port-extender functionality when it was first announced, MT staff confirmed that in such setup, PE device is completely brain-dead. Doesn't even switch traffic between own ports autonomously, everything passes via CB device. So I guess you don't really need neither ...

mkx

What is Hikvision camera's rated power consumption? Omnitik has PoE out limitation to 450mA (at 30+ V) which at 50V translates to 22.5W ...

mkx

I'm no expert for CAPsMAN, but from my limited experience ... you should not add wlan interfaces to the bridge explicitly, they get added automatically. Manual settings are probably not overriden, hence possibility for misbehaviour. If capsman datapath setting is local-forwarding=yes , then wlan int...

mkx

Having said that , other than the fact that the hack could have happened before the backup , is three any other concern ? The hack very probably happened due to inadequate firewall settings. By simply restoring (mediocre) config you'll be vulnerable to same attack again. What you can do is to resto...

mkx

Try to netinstall router. https://wiki.mikrotik.com/wiki/Manual:Netinstall Beware that netinstall is pretty fragile process and it easily fails. Which is not necessarily sign of router troubles. And when doing it, keep away from netinstall/ROS version 6.48, it seems to have quite a few nasty bugs. Y...

mkx

Do you guys know when the final version is out, shell we aim for the end on 2021?

We can aim at whatever we want, devs will surely move the target at their will (if they have a target at all).

mkx

And another question to illuminated members - how can i know if router (eth driver) is supporting multi-queue-ethernet-default (mq pfifo).

I guess only support@mikrotik.com can tell you that. If you get any feedback, please share it with us.

mkx

But next to this, we've setup also PPPoE client, and set interface to vlan20

What does log show regarding PPPoE? Probably there's some error ... which doesn't relate to NAT.

mkx

OK, so we need to treat MoCAs as kind of a dumb switch. Since you have one Tivo box connected directly to MoCA network, some untagged traffic has to pass MoCA. And if you want to have the other Tivo device member of same subnet, then yes, you have to pass VLAN 10 untagged over MoCA network. Which me...

mkx

Sure it might be the case with congestion on other interfaces but that was not the case :-) How did you determine this? Just because router can route at speeds averaging above 1Gbps (that's what tests are telling) it doesn't mean it can do it at all times. And if ROS' IP stack can not ingest packet...

mkx

The basic idea of @BrainPain is to use RB4011 as router-on-a-stick[*] ... both WAN and LAN tagged with tagging of both being done by a switch (so don't worry about it). [*]only that he doesn't want RB4011 to do any routing, just transparrent firewalling. So he needs a bridge between WAN and LAN to m...

mkx

Let's say you'll use ether1. You should use the interface in stand-alone mode (i.e. not enslaved to a bridge) and create appropriate vlan interfaces off it. Then bridge those interfaces and use bridge filters in similar manner as currently: /interface vlan add interface=ether1 name=extern vlan-id=10...

mkx

"Visibility" of network devices is many times based on broadcasts ... and that only works inside single L2 domain which most of times is same as IP subnet. So you'll have to rethink your network layout and requirements of individual devices. From your explanations so far yor network layout...

mkx

For any serious IPsec throughput you should look at devices with HW support for encryption. Those devices have IPsec throughput numbers stated in test result page, such as CCR1009-7G-1C-1S+ . When deciding on which device offers enough performance: seems that number for 512-byte packet sizes represe...

mkx

I'm only surprised that such fast RB and still with pause frames. In the stats window it is shown that your router passed somewhere around 550M packets, of those 220M were pretty small packets (64-127 bytes). If you look at test results , you'll see that routing speed with small packets is around 3...

mkx

What I want to know is what is connected to ports 3-9 with hybrid in mind?? (untagged for vlan 10, tagged for vlan20)?

IP phones with PC port usually require such setup. In this case for VLAN20 OP's router acts as a switch only, he mentioned separate SIP gateway.

mkx

OK, se ether2 on router needs to be a trunk port tagged with VLAN 10, 20, 30, and 99 (because that's what AP expects). At the same time it needs to be untagged (member of any of VLANs for that matter) for MoCA administration. The thing is that single port can either be tagged or untagged member of c...

mkx

Either set pvid=10 on bridge such as add name=BR1 protocol-mode=none pvid=10 to make bridge BR1 untagged member of VLAN 10 ... Or covert your L3 setup to tagged (i.e. add BR1 as tagged member of vlan 10 and move all router setup to PC_VLAN, adding said interface to LAN interface list allows to keep ...

mkx

Try to use another version of netinstall. In the past there were reports that some netinstall versions caused problems for some devices/users while other netinstall versions were fine. In addition, ROS version 6.48 seems to have a few bugs on its own.

mkx

Mikrotiks don't know anything about MoCAs ... if the setup works uf AP and router are connected directly by ethernet cable, then the problem is in MoCA devices ... not being transparent enough. The thing is tgat VLAN tags add 4 bytes of overhead to each ethernet frame so any device in the way must s...

mkx

It's strange. Could be some intermittent interference present on channel used by closest AP. As @Normis already wrote: wifi standard does not have anything about mobility hence AP can not force client to connect to another AP, it can only reject registration. But as many have learned, rejecting cli...

mkx

regarding the single chip, according to the board schema look like it has 3 wire chips No, these are only converters between QSGMII (interconnect protocol) and ethernet ... they are not switches. Only single block is marked with "Switch chip" and it spans 24 ethernet ports, SFP port and i...

mkx

Dobrodošel na forum! # Because bridging can introduce network loops, # bridge implements various loop preventions mechanisms (STP, RSTP, MSTP). If your LAN layout physically doesn't allow network loops, it's best to disable it. At best ports will get live much faster after they get link up, xSTP tak...

mkx

To clarify a bit: hEX S can have two power sources connected: PoE in (which can be anything between 12V and 57V) or DC jack (with same voltage range). PoE in can be 802.3af/at as well. If both power sources have different voltages (e.g. 802.3af/at at 48V and provided 24V DC adapter), then the source...

mkx

For home installation, I'd go with RB4011. CCRs are good at larger number of concurrent connections but not so good at lower number of high throughput connections. In addition, CCR1009 price tag is twice the price tag of RB4011. Also, RB4011 has switch chips (not the greatest functional-wise though)...

mkx

As @normis wrote, device will try to connect to any AP with same SSID. If you want to constrain certain client devices to certain APs, create SSIDs specifically for each AP (e.g. AP1, AP2, ...) and configure those devices to use appropriate SSID (e.g. configure IoT3 device to connect only to AP #2 b...

mkx

Good signal connection that cover 40 sqm.
...
I will use it for cafe.

Reading these two lines together makes me believe OP is writing about square metres ... and any AP positioned centrally will cover square of 7x7 metres just fine.

mkx

CRS125 has single switch chip. Which means only one of bridges you created can be HW offloaded. If you want to be deterministic about which one, you should set hw=no on the rest of bridges. My guess is that having HW offload on bridge-local would be more beneficial than on the bridge-dsl-iptv interf...

mkx

MT support for GPS is partial ... in a sense that with supported GPS modules it is possible to obtain location. What doesn't work is to use GPS module as source for accurate time ... because it takes much more than reading NMEA0183 telegrams to get accurate time (time stamp precision in telegrams is...

mkx

As for ipsec if I use the same entry criteria as above I see IPSEC speeds of 160-180. So in your case you are under a bit but not my that much and perhaps the type of ipsec you are using have is slower? OP is getting more than what you predict: he's running bi-directional test and getting 95Mbps Tx...

mkx

Even if you did manage to connect it the behaviour may not be what you expect. If the Mikrotik is configured to shutdown on low battery warning and that occurs BUT the mains is restored before the UPS powers off the Mikrotik will still be in shutdown, it requires a power cycle to restart it. For th...

mkx

mkx

All MT routers are slow when it comes to encryption ... apart from a few that support HW-assisted encryption but that is currently available for IPsec. And even those don't easily pass multi-100Mbps mark. So yes, probably you'll have to go with x86. But you'll have to benchmark yourself if the devic...

mkx

Quite a few users reported port flapping on RB3011 when running ROS 6.48. The cure is to downgrade to ROS 6.47.8.

mkx

Our team has repeated complaints of forgetting to activate Safe Mode as soon as it starts changing something in the box. Forgetting to toggle safe mode is a problem. As much as some admins are forgetting to enable safe mode before start of making changes they will forget to exit safe mode after cha...

mkx

This works, both /64 networks are created. However, when I reboot the router, only the first address is still around, the second is gone. On the device with the static IP, routing stops working when rebooting the router. Generally it doesn't make much sense to give device multiple addresses from di...

mkx

A few things: remove pvid setting from bridge move DHCP client from ether1 to interface vlan-20-private add interface vlan-20-private to LAN interface list (not that it actually matters in your particular setup but it's the right thing nonetheless) after DHCP client starts to work, remove static IP ...

mkx

Assuming that by writing "group switch" you mean bridge ... you can either use two bridges, each covering ports from one of switch chips (both bridges will be HW offloaded) or you can use single bridge. You should be aware that either way, traffic passing from one switch to another will be...

mkx

I don't think that will actually work without any hicups. 802.11 standards don't allow transparent wireless bridge between two wired islands. Most of vendors came up with their own standard extensions for that (Mikrotik included) but those are mutually incompatible and only work if wireless devices ...

mkx

Unlike @CZFan I don't see an error in VLAN setup. However, according to configuration set, AP has static IP set (so it should be accessible within VLAN 20), but doesn't have default route set (enough for it to not have internet access) nor does it have DNS server set (even if it did have IP connecti...

mkx

A better workaround would be to use a dual radio mikrotik. Not a workaroud, it should be actual solution. By using single radio both for connecting to wireless network and as access point, you're cripling the wireless network by using excessive air-time (more than twice compared to normal user). I ...

mkx

In MT world there are two types of "top end" routers (with third type emerging with ROSv7), all come with their own limitations: routers with large number of CPU cores (e.g. CCR1036 and CCR1072). They shine when large number of concurrent connections have to be handled. They suck if one wa...

mkx

... when I connect a non-authenticated device, it puts me in some never-never land. I'm not on the guest VLAN according to Wireshark. DHCP Discover packets go unanswered. When I manually configure the Mikrotik interface for the "guest" VLAN and disable dot1x for that interface - I'm on th...

mkx

Do you have any ideas?

Not without seeing complete (or most of) setup of RB4011.

mkx

In capsman you can limit Tx power under /caps-man channel ... even if you currently have something there, you'll want to create a new one (possibly similar to the existing one), but with tx-power property set add name=lowpower tx-power=15 and then use that setting in /caps-man configuration as chann...

Search found 5457 matches