MikroTik

mkx

This can be expected when there's a device with proxy-arp enabled. It will answer with own MAC address to queries for all of its "clients".

mkx

Default firewall configuration on recent ROS versions is quite decent one. It only needs some minor tweaking (e.g. some port forwarded), but basics are sound. If you can't ping GPON modem from router, then it might be due to some config on GPON modem itself. I can imagine config where if modem is se...

mkx

Can you ping GPON modem from hAP ac? Until you can, nothing else will work ... Firewall rules in your setup are slight mess ... so I suspect they come from a fairly old version of ROS. You might want to consider re-configuring hAP ac from scratch (export config using /export file=exported_config.rsc...

mkx

Did you change settings on your server as well? The IP address/route config there should mirror the one from router ...

mkx

But, coudn't find its mac on dhcp/ arp table. That device is a ghost in the network. ARP tables get populated as devices make connections to each other. If you want to see MAC address of a LAN device in router's ARP table, you can ping the LAN device ( /ping <LAN IP> ). After that, consult ARP tabl...

mkx

Generally one can not just randomly pick up a MAC address If you look at MAC addresses in your screenshot, you'll notice that they are not entirely random: every listed MAC address has 7th bit (counting from most significant bit, i.e. from left) in first (most significant) octet set to 1. Which deno...

mkx

You don't want to allow discovery on isp-pppoe ... so remove this one: /interface list member add interface=isp-pppoe list=discover Addressing seems OK, so RB should be able to access GPON modem. You can verify by running command /ping 192.168.1.1 on router itself. If it is, then modem should be acc...

mkx

Your additional src-nat rule is all wrong ... again, read posts about hair-pin NAT. Keys to understanding: src-address is the address of client that initiates connection ... if your case it's an address from 192.168.10.x subnet dst-address is the address where client initiated connection originally ...

mkx

Oh, great, I've never met a guy who's moving his NAS around ... making wired LAN connection unfeasible. You'll have to set default-forwarding=no on your wifi interfaces ... so that wifi adapter won't directly forward packets between pair of wireless clients. I just hope that RB will, after performin...

mkx

You have to read about hair-pin NAT. You'll have to change your current dst-nat rule and add a src-nat to make it work. Currently it doesn't work because when you try to connect to your WAN IP address while being in LAN, your connection doesn't come through interface pppoe-client, hence the dst-nat ...

mkx

Add IP address from 192.168.1.x subnet to ether1 interface of your mikrotik. Then construct a src-nat rule for that particular interface.

If you want to get some concrete configuration examples, post complete configuration of your routerboard (/export hide-sensitive).

mkx

As I wrote, my tests show that hAP ac2 is capable of switching wire-speed and CPU load remains well below 100%. My tests were done using iperf (single stream and multiple parallel streams). But then ... hAP ac2 is a ROS device and as such it's only too easy to mess with the configuration ... in a se...

mkx

Yes, longest link is 32km, 36 dBm EIRP, 34 dBIDishes, 250MBit real TCP
That's 36 dBm Tx power or 2 dBm Tx power?
2 db tx power

Amazing.

mkx

Yes, longest link is 32km, 36 dBm EIRP, 34 dBIDishes, 250MBit real TCP

That's 36 dBm Tx power or 2 dBm Tx power?

mkx

OK. Next is to dump all your current NAT rules as they are just a heap of random garbage. Keep only add action=masquerade chain=srcnat out-interface-list=WAN If your WAN interface is lte1, then add lte1 to interface list WAN instead of adding another NAT rule. For making LAN to LAN port translation ...

mkx

Everybody who's running their Pt(M)P devices with antenna gain set to 0 (instead of setting it to 14 or whatever real antenna gain). Everybody who's running their WiFi gear set to no_country so that country limitations (e.g. to 20dBm on certain channels) don't kick their arses.

mkx

To do port forwarding for internal lan, you'd have to force all LAN traffic through router ... if all clients are wireless and samba server is wired, then this might be possible by setting

/interface bridge settings set use-ip-firewall=yes

...

mkx

It is illegal to change the IMEI It's also illegal to transmit with EIRP higher than country limit and yet everybody seems to happily violate that. But to return to OT: probably it's not possible to change IMEI unless one re-flashes LTE card's permanent config area (which is left intact by normal f...

mkx

Or a coffee LOL.

Remember: sleeping is poor substitute for caffeine.

mkx

Did you check for any signs of water ingress? Or, after a while when water already dried, any oxidation/dust deposits?

mkx

It's for more throughput ... effectively it's got 3 antennae built in, one vertical and two horizontal. AP device with 3 TX/RX chains is needed to take full advantage. It's not completely necessary that the other end is triple-chain as well, the link can benefit by employing Tx and Rx diversity on o...

mkx

It is part of the extra packages, right? I have downloaded these files but how to install? Take needed .npk files out of ZIP archive and push them to root folder of files section (either scp, ftp or winbox files can do it). Reboot device afterwards and the packages should get installed. If they don...

mkx

Is the posted config complete? If yes, then your router lacks LAN addresses ... on all 3 VLAN interfaces (vlan4, vlan15 and vlan99). Without them it's not aware of subnets behind each VLAN interface and can not properly route/firewall traffic.

mkx

Sounds like you've misconfigured the VLAN stuff ... post output of /interface export for us to check.

mkx

hAP ac² can switch wire-speed ... including VLANs. Not on all ports simultaneously though, it's limited by 2Gbps interconnect between switch chip and CPU. It could do it if things are configured in HW (including VLANs) but personaly I don't recommend it as my piece was unstable when I it. If VLANs a...

mkx

May be don't include modules disabled by default in RouterOS package for smips ? advanced-tools, hotspot, mpls, routing, security -- that modules can be uploaded separately. That's how I managed to resolve the problem. By only downloading the absolute minimum packages required for the next version ...

mkx

Also, disabling packages does not free up HDD space. Uninstall it instead of disabling.

Unfortunately it's not possible to un-install bundled packages ... To be able to do that one has to perform upgrade by manually uploading only needed packages from "Extra packages".

mkx

You can run openwrt on some routerboard models ... and that's all about how mikrotik relates to openwrt.

mkx

You can run openwrt on some routerboard models ... and that's all about how mikrotik relates to openwrt.

mkx

Any kind of tunnel would do: GRE as the most simple kind would do nicely. If you have a whoke mesh of routers, you might want to think about MPLS ... it hides infrastructure and adds some useful functions ...

Why does it bother you so much?

mkx

If other routers in the mesh don't have configured the route towards your LAN subnet 192.168.0.0/24, you have to configure SRC-NAT ... you haven't mentioned it so you may have it or not ...

mkx

Add another set of filter rules, but set protocol=udp ... I'm not sure if it's worth bothering with action=reject with all of its attributes. Simple action=drop would do the job just as well ... and with that you could probably completely omit protocol= setting... making it match both TCP and UDP, s...

mkx

So the reason the server sends it directly back to the originator is because it uses layer 2 connectivity first??? If the source is in a different subnet there is no layer2 window of opportunity!! 99.9% correct ... more precisely: server sends reply directly because it was made to believe it's got ...

mkx

Probably the Irish guy's cousin is already in the US ... perhaps subcontracting tower operations?

mkx

If DHCP is set up without static leases, then this indicates that assigned IP addresses don't matter, any random IP address from given subnet is just fine. So I don't get people whining about a particular order of IP address assignment ... Also I don't understand why post about DHCP server landed in...

mkx

Command /export doesn't show dynamic settings ... to make sure ipv6 setup doesn't exist, one should check settings using print ....

mkx

So only change the chain from input to forward. To fine-tune the rule you might want to add out-interface-list=WAN ...

Unrelated: it was aactually a wheel on the car roof failing to make car rolling uphill ...

mkx

Address in your FW rule (10.215.81.105) is not a proper internet address. And even if it was, you're blocking communication between that particular host and router ( chain=input ... and that particular direction of connection establishment - src-address ) ... which might be already blocked by rule n...

mkx

Any good reason for having set reduced MTU on some particular ether ports?

mkx

Bridge with all vlans inside will isolate those vlans from each other if things are set correctly. The only path between vlans lead via IP: host10 <-> vlan10 <-> router's IP interface on vlan10 <---------+ firewall | routing host20 <-> vlan20 <-> router's IP interface on vlan20 <---------+ Using in-...

mkx

It doesn't matter what you do on managed switch or router, it's the dumb switch performing a loop. Think about why you need it there, probably you're trying to abuse it.

mkx

Assuming you have everything configured correctly on your managed switch, hooked to eth4 (DSL modem connected to access port for VLAN VID=200) it should work. And it shouldn't be necessary to have dial-on-demand=yes ... One test to be done with this regard: even if DSL modem is set to bridge mode it...

mkx

Are you actually connecting both qrts to same sector of mant ... making mant act as PtMP? I guess you're suffering of the "hidden station" problem where stations A and C don't hear each other (if they did, you wouldn't need station B) and thus can't avoid collisions. Bringing whole channel performan...

mkx

capsMan doesn't make cAPs to coordinate use of air time, they still operate independantly.

mkx

I don't think you can emulate a hub properly using routerboards. The MAC address tables can be flushed which would make RB to work as a hub ... but only for a very short while. It'd soon learn addresses again.

mkx

It doesn't matter which addresses you advertise via BGP or OSPF or whatever. As long as your private IPs are used by equipment which participates in routing of packets across your network, it'll show on traceroutes. The only way of hiding it from the world would be by performing NAT on ICMP TTL EXPI...

mkx

WiFi (or any other radio equipment) doesn't work well if there's excessive interference. By configuring all cAPs to use same channel you created lots of interference. You better configure cAPs to use channels 1, 6 and 11 alternately ... and do some planning so that the physical distance between cAPs...

mkx

As I wrote: routerboards don't work as hubs. They can be made to work as switches.

mkx

Apart from the PPPoE/VLAN bug I've had another issue with my RBD52G: stability. Being desparate I switched over from HW-based VLAN setup to the new bridge vlan-filtering setup. Which bypasses the PPPoE/VLAN bug ... probably also fixed the stability issue (one fellow forum member reported ether ports...

mkx

The HP switch has no special configuration, just a "dumb" switch. When I make a connection between the HP and a port of each of the VLAN groups (like in the pic), MSTP will block one of the 2 connections although it would logically be a loop free topology. This would logically be a loop topology. A...

Search found 1765 matches