Community discussions

Search found 2267 matches

by mkx
Wed Jun 19, 2019 11:49 pm
Forum: RouterBOARD hardware
Topic: 2011 and 3011 questions
Replies: 4
Views: 269

Re: 2011 and 3011 questions

It seems like webfig is not in sync with CLI with regard to switch-chip rate limiting. I've set rate limit in rule section through CLI and webfig knew nothing about it. Attempts to set rate limiting through webfig were futile on my RB951G as well. Perhaps you could ask support@mikrotik.com about this?
by mkx
Wed Jun 19, 2019 11:19 pm
Forum: Beginner Basics
Topic: VLAN configuration pfsense + Mikrotik CRS125-24G-1S-2HnD-IN
Replies: 8
Views: 247

Re: VLAN configuration pfsense + Mikrotik CRS125-24G-1S-2HnD-IN

Settings seem fine to me.

But then ... I don't have any CRS1xx so I can't say for sure there isn't something that should be set.
by mkx
Wed Jun 19, 2019 11:08 pm
Forum: Beginner Basics
Topic: Port forwarding
Replies: 7
Views: 268

Re: Port forwarding

One setting which is not right and usually fixing it makes unexpected performance improvements: move LAN IP address from ether2 to bridge "interface". As you're using PPPoE you can probably disable/unconfigure DHCP client from ether1? Firewall filter with "action=fasttrack-connection": by default it...
by mkx
Wed Jun 19, 2019 3:01 pm
Forum: Beginner Basics
Topic: Port forwarding
Replies: 7
Views: 268

Re: Port forwarding

Surely you did read this manual page? In short: you need one additional src-nat rule to make hair-pin NAT working.
by mkx
Wed Jun 19, 2019 2:08 pm
Forum: General
Topic: Google pings corrupts
Replies: 1
Views: 84

Re: Google pings corrupts

Ping from a linux host, completely unrelated to MT products (basically a Cisco-infested network), shows wicked game as well: $ ping -s 100 -M do 8.8.8.8 -c 10 PING 8.8.8.8 (8.8.8.8) 100(128) bytes of data. 72 bytes from 8.8.8.8: icmp_seq=1 ttl=42 (truncated) 72 bytes from 8.8.8.8: icmp_seq=2 ttl=42 ...
by mkx
Wed Jun 19, 2019 2:00 pm
Forum: Beginner Basics
Topic: Port forwarding
Replies: 7
Views: 268

Re: Port forwarding

As they say: there are many ways to skin the sheep. So you can configure DST-NAT by using dst-address (and omit in-interface/in-interface-list altogether ... which has its own merits which I won't discuss at this place) or by using in-interface (which, as you say, is the way done by UPnP) or by usin...
by mkx
Wed Jun 19, 2019 11:43 am
Forum: General
Topic: No routing to external network
Replies: 8
Views: 314

Re: No routing to external network

I think your route towards "unreachable" network is wrong: /ip route 0 A S 0.0.0.0/0 195.168.8.57 1 1 A S 10.53.0.0/16 10.54.10.2 bridge10 1 2 ADC 10.54.10.0/24 10.54.10.2 bridge10 0 3 ADC 10.54.250.0/24 10.54.250.1 bridge250 0 4 ADC 195.168.8.56/29 195.168.8.62 ether1-gateway 0 The marked route sho...
by mkx
Wed Jun 19, 2019 11:14 am
Forum: Beginner Basics
Topic: VLAN configuration pfsense + Mikrotik CRS125-24G-1S-2HnD-IN
Replies: 8
Views: 247

Re: VLAN configuration pfsense + Mikrotik CRS125-24G-1S-2HnD-IN

Seems like you can't add another config line for same vlan-id=xx , rather you should change existing config line ... like this /interface ethernet switch egress-vlan-tag set [ find vlan-id=40 ] tagged-ports=ether2,ether3 set [ find vlan-id=70 ] tagged-ports=ether2,ether3 set [ find vlan-id=80 ] tag...
by mkx
Wed Jun 19, 2019 9:30 am
Forum: RouterBOARD hardware
Topic: 2011 and 3011 questions
Replies: 4
Views: 269

Re: 2011 and 3011 questions

RB2011 has got 2 different switch chips ... the one behind ports ether6-10 is AR8227 and doesn't support rule table (hence no rate limiting). BTW, how did you try to set rate limit, through CLI? I can do it on my RB951G (with AR8327 chip). For 3011 I guess you can try to configure a "hybrid" soluti...
by mkx
Wed Jun 19, 2019 9:08 am
Forum: Beginner Basics
Topic: VLAN configuration pfsense + Mikrotik CRS125-24G-1S-2HnD-IN
Replies: 8
Views: 247

Re: VLAN configuration pfsense + Mikrotik CRS125-24G-1S-2HnD-IN

port 3: should carry tagged vlan traffic for 40, 70, 80 and 90 towards a ubiquity wireless AP. However this step failed with "failure: already have such switch egress vlan tag entry" /interface ethernet switch egress-vlan-tag # outgoing to ubiquity AP add tagged-ports=ether3 vlan-id=40 add tagged-p...
by mkx
Tue Jun 18, 2019 9:12 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 287
Views: 57543

Re: v6.45beta [testing] is released!

Can we get the ability to define an ip instead of using the detected IP for ip cloud ddns updates. I'd like the ability to force the update before i deploy the unit to the field on its static ip. It would also be handy if we could force delete a published DDNS Record. Ability to define IP address ...
by mkx
Tue Jun 18, 2019 2:46 pm
Forum: RouterBOARD hardware
Topic: Difference between LTE products
Replies: 4
Views: 233

Re: Difference between LTE products

According to specs (and "intro blurb"): wAP R is "LTE ready" ... meaning it's got antenna but no actual LTE card. And built-in antenna is not a great one (only info available from brochure is that it's got max 4dBi gain). wAP LTE kit is the same hardware, but with LTE modem already included. Interna...
by mkx
Tue Jun 18, 2019 2:23 pm
Forum: Beginner Basics
Topic: Port forwarding
Replies: 7
Views: 268

Re: Port forwarding

Let's assume you started off with a default settings for your firewall and NAT. So you should go to IP -> Firewall -> NAT and add a new rule: Chain: dstnat Protocol: udp Dst. port: 9987 (that's port number, accessible from WAN) In. Interface List: WAN Action: dst-nat To Addresses: <LAN host which sh...
by mkx
Tue Jun 18, 2019 11:37 am
Forum: General
Topic: Incorrect time on 2011UiAS-2HnD
Replies: 2
Views: 91

Re: Incorrect time on 2011UiAS-2HnD

The time option of cloud is giving only rough time to have time in logs at least somehow sensible (eg. year and month). If you configured SNTP client, then disable cloud update time: /ip cloud set update-time=no and preferably set timezone manually to whatever appropriate (Europe/Madrid) as well. It...
by mkx
Tue Jun 18, 2019 8:14 am
Forum: General
Topic: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Replies: 8
Views: 767

Re: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

How safe and resource-hungry would it be to include also rule /ip firewall filter add action=drop chain=forward comment="CVE-2019-11477, CVE-2019-11478, CVE-2019-11479" protocol=tcp tcp-flags=syn tcp-mss=0-500 to potentially protect linux/BSD hosts behind the firewall? Let's assume that non-firewall...
by mkx
Mon Jun 17, 2019 8:37 pm
Forum: General
Topic: No routing to external network
Replies: 8
Views: 314

Re: No routing to external network

As @anav suggested: post full config of RB and you'll get some quality advice. Until then we'll just bitch around.
by mkx
Mon Jun 17, 2019 8:28 am
Forum: Wireless Networking
Topic: Mikrotik WLAN & CAPsMAN - Bad download perfomance
Replies: 44
Views: 3630

Re: Mikrotik WLAN & CAPsMAN - Bad download perfomance

I hardly choose 40Mhz for my cAP because it will get channel not support(?) in CAPsMAN setup. This puzzles me as it's different if configured through capsMan than if it's configured directly on device. But it works for me if I set up like this: /caps-man channel add band=2ghz-g/n control-channel-wi...
by mkx
Sat Jun 15, 2019 11:08 pm
Forum: Beginner Basics
Topic: single IP constantly trying to log to my Mikrotik
Replies: 33
Views: 1196

Re: single IP constantly trying to log to my Mikrotik

@pe1chl Don't get me wrong, in fact everytime MKX is wrong I do a happy dance and treat myself to a nice cold beer!
I try really hard not to be wrong too often because I don't want you to become alcohol-addict :wink:

What pe1chl writes makes much sense to me.
by mkx
Sat Jun 15, 2019 10:48 pm
Forum: General
Topic: Connecting two Hex POE or S via fiber
Replies: 15
Views: 872

Re: Connecting two Hex POE or S via fiber

The only idea about NAS not communicating with the other LAN is that NAS itself has some firewall running or some access filter ... My neighbour and me want to whitelist the devices that the other one can connect to. What is the best / simplest / most performant filter rule to reach this? The most p...
by mkx
Sat Jun 15, 2019 9:08 pm
Forum: Wireless Networking
Topic: CAPsMAN local forwarding not working :-( [SOLVED]
Replies: 11
Views: 416

Re: CAPsMAN local forwarding not working :-( [SOLVED]

MT support acknowledged a bug about untagging certain PPPoE packet ... which means PPPoE doesn't work in the following scenario: ISP provides PPPoE over untagged ethernet, which is connected to access port of a VLAN. Somewhere there's vlan interface and PPPoE client is attached to it. As mentioned i...
by mkx
Sat Jun 15, 2019 2:15 pm
Forum: Wireless Networking
Topic: CAPsMAN local forwarding not working :-( [SOLVED]
Replies: 11
Views: 416

Re: CAPsMAN local forwarding not working :-( [SOLVED]

But as I want to have the best performance without CPU load i have to go back to the switch menu. Personally I don't care about CPU load too much. I mean: why should CPU load be kept to say below 10% most of the time, specially if there isn't a single task which might be bound to single CPU core hi...
by mkx
Sat Jun 15, 2019 2:05 pm
Forum: Beginner Basics
Topic: single IP constantly trying to log to my Mikrotik
Replies: 33
Views: 1196

Re: single IP constantly trying to log to my Mikrotik

If we're speculating: why should raw rules be stored any differently than tracked connections? Because typically they only contain a fraction of information compared to tracked connections? But then, the connection tracking engine should update state of the connection (to check if e.g. TCP connectio...
by mkx
Sat Jun 15, 2019 1:17 pm
Forum: General
Topic: Block dynamic dhcp request or assign dynamic dhcp requests an ip from other ip range
Replies: 8
Views: 272

Re: Block dynamic dhcp request or assign dynamic dhcp requests an ip from other ip range

Drawback of using multiple pools per single DHCP "network" is that all DHCP settings (i.e. gateway, DNS server, ...) apart leased IP address are same for all leases served via same DHCP "network". They are good if one needs large number of IP addresses for dynamic leases but the address space is not...
by mkx
Sat Jun 15, 2019 12:42 pm
Forum: Wireless Networking
Topic: CAPsMAN local forwarding not working :-( [SOLVED]
Replies: 11
Views: 416

Re: CAPsMAN local forwarding not working :-( [SOLVED]

I'm glad it's working for you now. I'll just bitch about it a little more, I like discussing things I don't know much about :wink: I also read the documentation about VLAN via switch chip and it turns out that only new devices are able to do hardware offload if VLAN filtering enabled in the bridge. ...
by mkx
Sat Jun 15, 2019 11:55 am
Forum: Beginner Basics
Topic: single IP constantly trying to log to my Mikrotik
Replies: 33
Views: 1196

Re: single IP constantly trying to log to my Mikrotik

for each packet some cpu cycles will be used to compare with existing list of connections and determine if it's established or related to them and if they can be allowed to pass .... which might be thousands of comparisons if that many connections are tracked by FW at given time. Compared to that, ...
by mkx
Sat Jun 15, 2019 10:32 am
Forum: Beginner Basics
Topic: Firewall Filter Rule before NAT rule
Replies: 12
Views: 13678

Re: Firewall Filter Rule before NAT rule

What about it? Didn't check every detail, but by the looks of it it's a default filter rule...
by mkx
Sat Jun 15, 2019 10:19 am
Forum: Beginner Basics
Topic: My first Mikrotik Router - Firewall Help
Replies: 16
Views: 682

Re: My first Mikrotik Router - Firewall Help

Yes. You just have to keep LAN interface list updated.

Generally when constructing some rules one should use criteria which has least possibility of spoofing. Remote attacker can easily spoof src-address but can hardly spoof ingress interface.
by mkx
Sat Jun 15, 2019 10:11 am
Forum: Wireless Networking
Topic: Metal AC transmit power setting?
Replies: 3
Views: 197

Re: Metal AC transmit power setting?

I was guessing wrong about the gain numbers. I was thinking higher was stronger. You were thinking right. What puzzles here is the way that antenna gain is used in ROS. By changing the setting actual antenna gain is not changed, because antenna gain is physical property of an antenna (array) - excep...
by mkx
Fri Jun 14, 2019 6:41 pm
Forum: Wireless Networking
Topic: Metal AC transmit power setting?
Replies: 3
Views: 197

Re: Metal AC transmit power setting?

Indeed there is no direct way of setting Tx power of wifi radios on Mikrotik devices. Instead there's antenna gain setting (which you already found), which can be used for what you want to achieve. The idea is this: there are legal limits about effective radiated power of wifi devices (EIRP), let's ...
by mkx
Fri Jun 14, 2019 2:18 pm
Forum: Beginner Basics
Topic: My first Mikrotik Router - Firewall Help
Replies: 16
Views: 682

Re: My first Mikrotik Router - Firewall Help

Or, to stick with concept used in default firewall setup by MT: use "in-interface-list=LAN"
Right. I still didn't get used to in-interface-list, as it's relatively new and I've been using in-interface for too long.
You're not saying you're old, are you? :wink:
by mkx
Fri Jun 14, 2019 1:55 pm
Forum: Wireless Networking
Topic: CAPsMAN local forwarding not working :-( [SOLVED]
Replies: 11
Views: 416

Re: CAPsMAN local forwarding not working :-( [SOLVED]

So I ... add the WLAN1 to the bridge ! This doesn't seem to hurt but it seems it's not necessary ... I've had wlan1 interface added to bridge as well. However, when I was looking around while preparing my previous answer, I set /interface wireless cap set enabled=no , removed wlan1 interface from b...
by mkx
Fri Jun 14, 2019 12:03 pm
Forum: General
Topic: Static route between 2 routers,2 networks
Replies: 7
Views: 308

Re: Static route between 2 routers,2 networks

My reply might not be very constructive, but nevertheless: your routing is overly complicated and your firewall rule set is not safe at all. My suggestion: reset router to default (if it's a SOHO unit, else apply what's default firewall filter rule set on SOHO routers) and add simple static route ...
by mkx
Fri Jun 14, 2019 11:52 am
Forum: Wireless Networking
Topic: CAPsMAN local forwarding not working :-( [SOLVED]
Replies: 11
Views: 416

Re: CAPsMAN local forwarding not working :-( [SOLVED]

After wireless is up, what do the following commands show? /interface wireless print detail /interface bridge port print detail where interface=wlan1 /interface bridge vlan print detail I don't know what should the output of the third command look like. My setup uses VLANs set up on switch chip and ...
by mkx
Fri Jun 14, 2019 11:03 am
Forum: Beginner Basics
Topic: My first Mikrotik Router - Firewall Help
Replies: 16
Views: 682

Re: My first Mikrotik Router - Firewall Help

Yes you resolved your problem but have made your router vulnerable because somebody can send you connections to UDP port 53 and saturate your processor usage! As ongdaka said you have made your system vulnerable at the moment, That's not the case. Combination of these two firewall rules keep OPs route...
by mkx
Fri Jun 14, 2019 10:55 am
Forum: RouterOS v6 RC and v7 BETA
Topic: firewall src add and dst add
Replies: 38
Views: 3246

Re: firewall src add and dst add

If a FQDN resolves into multiple IP addresses (which is customary for some CDNs) and obviously only single IP address is needed to establish connection, it is customary to return IP address in round-robin fashion. Thus subsequent requests to DNS resolver will return different results. It is vital fo...
by mkx
Fri Jun 14, 2019 9:16 am
Forum: Wireless Networking
Topic: Wi-fi RADIUS Assigned VLAN based on user/password, troubleshooting help
Replies: 5
Views: 300

Re: Wi-fi RADIUS Assigned VLAN based on user/password, troubleshooting help

Is the vlan configuration regarding wireless interface correct? Does it allow to pass all necessary VLAN IDs?
by mkx
Fri Jun 14, 2019 9:01 am
Forum: General
Topic: router rebooted without proper shutdown, probably power outage
Replies: 1
Views: 122

Re: router rebooted without proper shutdown, probably power outage

Try to replace power adapter. Get one rated similarly to original one (24V, 0.38A) or slightly higher (bigger amperage). Or any power adapter providing voltage in allowed range (8-30V) with adequate output power - rated max power consumption of hEX is 5W without attachments (whatever that means) or ...
by mkx
Fri Jun 14, 2019 8:33 am
Forum: Beginner Basics
Topic: My first Mikrotik Router - Firewall Help
Replies: 16
Views: 682

Re: My first Mikrotik Router - Firewall Help

You can improve the firewall rule accepting input traffic from LAN by adding in-interface=<LAN>. Or, to stick with concept used in default firewall setup by MT: use "in-interface-list=LAN" I've read about bogons lists in the firewall. Should I be concerned with this and implement rules for this? ...
by mkx
Fri Jun 14, 2019 8:08 am
Forum: Beginner Basics
Topic: Need Advice -- Simplest Setup for Static IP with DHCP Reservation
Replies: 3
Views: 141

Re: Need Advice -- Simplest Setup for Static IP with DHCP Reservation

I didn't really click apply (don't want to spoil the fun of my family), but I believe it should work like this (I used WebFig - inside web browser - ... if you're using winbox, the process should be somehow similar): Go into Quickset select "HomeAP dual profile" in "Address acquisition" select "Auto...
by mkx
Thu Jun 13, 2019 2:18 pm
Forum: Beginner Basics
Topic: CRS125 - VLANs with Trunks...
Replies: 3
Views: 156

Re: CRS125 - VLANs with Trunks...

Individual trunk member ports should not be members of bridge. Only trunk device is supposed to be member of bridge (the below is "cure" for switchA, apply similar to switchB): /interface bridge port remove [ find interface=ether1 ] remove [ find interface=ether2 ] add bridge=bridge interface=Trunk-...
by mkx
Thu Jun 13, 2019 10:31 am
Forum: General
Topic: WDS ""wds ignore ssid"
Replies: 9
Views: 328

Re: WDS ""wds ignore ssid"

So something must be set differently in your case which breaks your SSID-ignoring WDS connection when you use a security profile on it. My guess, completely uneducated: the station with wds-ignore-ssid=yes connects to AP with different wireless security profile ... and in that case the link breaks ...
by mkx
Thu Jun 13, 2019 9:24 am
Forum: General
Topic: Annoyed with Mikrotik 'Support'
Replies: 8
Views: 438

Re: Annoyed with Mikrotik 'Support'

> Phase array 60 degree beamforming Yes, but is that the width of the beam? What the total area covered by the radio? One would think that is some multiple of 60. "60 degree" means that generally antenna is capable of transmitting/receiving in direction which is +-30 degree from direction where ant...
by mkx
Thu Jun 13, 2019 8:54 am
Forum: Beginner Basics
Topic: Need Advice -- Simplest Setup for Static IP with DHCP Reservation
Replies: 3
Views: 141

Re: Need Advice -- Simplest Setup for Static IP with DHCP Reservation

"static IP that is provided by the ISP via DHCP reservation" means you should be running DHCP client on your WAN port. You did not mention the type of your Routerboard. I think recently most SOHO devices come unconfigured and you should follow quick guide to connect to device and use quickset for on...
by mkx
Wed Jun 12, 2019 4:54 pm
Forum: Wireless Networking
Topic: Large Apartment, no Ethernet
Replies: 28
Views: 1305

Re: Large Apartment, no Ethernet

Now if you live in a Castel in Nova Scottland (or someplace like that), then the situation is different.
The Chateau in Nova Scotia contains more fibre per sq ft. than a typical bowl of breakfast cereal. :lol: No need for PLC, wireless mesh or any of those low-tech solutions.
by mkx
Wed Jun 12, 2019 4:35 pm
Forum: General
Topic: Cant connect to winbox after hotspot setup
Replies: 5
Views: 219

Re: Cant connect to winbox after hotspot setup

Not sure if it affects winbox connectivity, but IP settings on local interface are wrong: /ip address add address=192.168.16.254/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local Address with its netmask is not compatible with network and broadcast addresses. Netmask seems correc...
by mkx
Wed Jun 12, 2019 9:09 am
Forum: Beginner Basics
Topic: My first Mikrotik Router - Firewall Help
Replies: 16
Views: 682

Re: My first Mikrotik Router - Firewall Help

Your port forwarding is not working because there is no firewall filter forward chain rule that allows that traffic. Actually there is one, but it's wrong and disabled: add action=accept chain=forward comment="allow NAT dstnat " \ connection-nat-state=dstnat connection-state=established,related \ d...
by mkx
Wed Jun 12, 2019 8:57 am
Forum: RouterOS v6 RC and v7 BETA
Topic: v6 RC and v7 BETA
Replies: 126
Views: 21025

Re: v6 RC and v7 BETA

Any news about date of release Ros v7? Maybe Christmas gift Christmas in July? Two things: Who said there will be news in July? July is synonym for summer for many people. for quite a few people, Christmas happens in the middle of summer (southern hemisphere) I wouldn't mind some positive news abou...
by mkx
Tue Jun 11, 2019 12:03 pm
Forum: Beginner Basics
Topic: Update to a specific version: CLI / CCR1009 [SOLVED]
Replies: 6
Views: 266

Re: Update to a specific version: CLI / CCR1009 [SOLVED]

Download particular version of ROS you want to install from https://mikrotik.com/download ... extract .npk files you need (check list of currently installed packages) and manually upload them to your CCR. If version of packages you uploaded is newer than ROS installed on device, just reboot device. I...
by mkx
Tue Jun 11, 2019 10:54 am
Forum: Beginner Basics
Topic: WAN VLAN tagging
Replies: 2
Views: 167

Re: WAN VLAN tagging

Do I need to just add VLAN interface and set it to eth1, add address for VLAN? It depends on how ISP delivers internet. If it's straight IP (with static IP address or DHCP served), then the way you wrote should work. If ISP delivers internet in some other way, you'll have to adapt (e.g. if you have...
by mkx
Mon Jun 10, 2019 2:38 pm
Forum: RouterBOARD hardware
Topic: r11e-lte + basebox2 [SOLVED]
Replies: 10
Views: 537

Re: r11e-lte + basebox2 [SOLVED]

Do you think i could have damaged the card by trying it without the antennas connected? It might get damaged ... depends how PA of Tx chains react to largely wrong impedance on its output. I think, however, that damage is not very likely. Just connect some (at least semi-proper) MIMO antenna and it...