Search found 5709 matches

by mkx
Mon Apr 12, 2021 9:11 pm
Forum: RouterBOARD hardware
Topic: RB5011?
Replies: 19
Views: 1093

Re: RB5011?

For the record, RB4011 uses SoC AL21400 (SoC among other things features ARM cores but contains much more). This SoC can route around 2.5Gbps (give or take), IMO plenty for SOHO users now and good enough for vast majority in next few years. If you trip on "features", like CPU names, then y...
by mkx
Mon Apr 12, 2021 8:54 pm
Forum: RouterBOARD hardware
Topic: RB5011?
Replies: 19
Views: 1093

Re: RB5011?

I don't want it 3 years outdated. Which part of RB4011 is 3 years outdated? The great thing about Mikrotik devices is that they come with insanely long support time. The only thing that outdates Mikrotik devices is lack of performance, other vendors tend to limit support to much shorter time and t...
by mkx
Mon Apr 12, 2021 8:47 pm
Forum: Beginner Basics
Topic: Vlan no internet - hEX router 6.48.1
Replies: 2
Views: 138

Re: Vlan no internet - hEX router 6.48.1

Your setup is missing half of DHCP server settings (in /ip dhcp-server network in particular).

VLAN setup is almost non-existent. I suggest you read through this excellent tutorial.
by mkx
Mon Apr 12, 2021 8:39 pm
Forum: RouterBOARD hardware
Topic: RB5011?
Replies: 19
Views: 1093

Re: RB5011?

If you need your "RB5011" then either look around and see if some available devices may do what you need or just don't buy Mikrotik at all. What are the alternatives? Guess what? Performance doesn't come for free. If you need performance because you have high speed WAN link for which you ...
by mkx
Mon Apr 12, 2021 7:21 pm
Forum: General
Topic: Winbox Safe mode
Replies: 30
Views: 53529

Re: Winbox Safe mode

It will work with almost all commands. I don't know but I'd expect not to work on e.g. restore of backup. There might be a few other "huge" commands where undo doesn't work.
by mkx
Mon Apr 12, 2021 7:17 pm
Forum: General
Topic: Time Sync with SNTP client and IP Cloud Not Working
Replies: 26
Views: 4063

Re: Time Sync with SNTP client and IP Cloud Not Working

You may want to verify that selected NTP servers are actually accessible from your location (you can run ntpdate -d -v <IP address> from a linux host). Just checked and the first one (129.6.15.28 is time-a-g.nist.gov) is fine from my location, however the other one (132.163.96.5 is ntp-b.nist.gov) i...
by mkx
Mon Apr 12, 2021 5:07 pm
Forum: Beginner Basics
Topic: VLAN Filter - how do ingress and egress rules work?
Replies: 15
Views: 771

Re: VLAN Filter - how do ingress and egress rules work?

I can only agree that bridge in MT world is a mess because it's not explicitly clear which settings are about bridge (the switch-like stuff) and which settings are about bridge (the interface). It's confusing and hence the article by @sindy (it took some time for all of us to find out all of the dar...
by mkx
Mon Apr 12, 2021 5:02 pm
Forum: General
Topic: no access out of firewall
Replies: 4
Views: 193

Re: no access out of firewall

One thing I'd change is this: /interface detect-internet set detect-interface-list=all I'm yet to hear about anything useful about this setting enabled, but there are reports it can break random things. Other than that, your firewall is messy and I certainly hope all of those PCs with exposed RDP se...
by mkx
Mon Apr 12, 2021 4:49 pm
Forum: Beginner Basics
Topic: VLAN Filter - how do ingress and egress rules work?
Replies: 15
Views: 771

Re: VLAN Filter - how do ingress and egress rules work?

Not really. but it does not tell you that the PVID setting is acting on ingress and egress. IMO you already covered this case under 2.B.ii.b ... because when bridge interface has PVID set (and it always has it set, if not other the hidden default PVID=1), again all frames pass bridge the switch lik...
by mkx
Mon Apr 12, 2021 4:43 pm
Forum: General
Topic: Time Sync with SNTP client and IP Cloud Not Working
Replies: 26
Views: 4063

Re: Time Sync with SNTP client and IP Cloud Not Working

Proper NTP client takes a while before it reaches status: synchronized (usually a few minutes). The initial firewall filter in your export (chain=input action=accept connection-state=established,related) should allow NTP client to work (but should have allowed the SNTP client to work as well if it's...
by mkx
Mon Apr 12, 2021 4:34 pm
Forum: General
Topic: no access out of firewall
Replies: 4
Views: 193

Re: no access out of firewall

Smells like ARP problem but it's hard to tell without seeing full router config (text export) and some chart explaining network topology (seems it's not entirely trivial).
by mkx
Mon Apr 12, 2021 4:31 pm
Forum: Beginner Basics
Topic: VLAN Filter - how do ingress and egress rules work?
Replies: 15
Views: 771

Re: VLAN Filter - how do ingress and egress rules work?

looks like that I need to update my OP once again. Not really. What you're missing is that bridge has two or three personalities (depends how you count). When you consider those personalities separately, you don't have to change your explanation. This topic explains bridge and its personalities nic...
by mkx
Mon Apr 12, 2021 3:27 pm
Forum: Wireless Networking
Topic: WAP LTE kit Performance
Replies: 4
Views: 224

Re: WAP LTE kit Performance

I don't know what you can do. Getting a cat6 (or better) LTE modem would definitely help, this way you could avoid locking wAP to B7 or B3 cells ...
by mkx
Mon Apr 12, 2021 3:20 pm
Forum: General
Topic: Static route - connect to a secondary LAN
Replies: 2
Views: 156

Re: Static route - connect to a secondary LAN

Your case is pretty simple and there's no need to play with mangling and routing marks. Remove everything shown in your config excerpt except for the default route ( add check-gateway=ping distance=1 gateway=192.168.0.1 ). Simply adding IP address (with correct subnet mask) to ether5 already allows ...
by mkx
Mon Apr 12, 2021 3:02 pm
Forum: General
Topic: Time Sync with SNTP client and IP Cloud Not Working
Replies: 26
Views: 4063

Re: Time Sync with SNTP client and IP Cloud Not Working

NTP package is not available for HAP AC. hAP ac is MIPSBE and MIPSBE has ntp package (get extra packages file for your ROS version, mine is 6.47.9 and it contains all packages including ntp-6.47.9-mipsbe.npk ), upload it to your router and reboot. Works great on my RB951G devices (MIPSBE as well). ...
by mkx
Mon Apr 12, 2021 11:20 am
Forum: Wireless Networking
Topic: WAP LTE kit Performance
Replies: 4
Views: 224

Re: WAP LTE kit Performance

R11e-LTE (LTE module included in your device) isn't capable of CA. Which nowadays severely limits DL speed (as most of MNO's cells are quite loaded and only way of getting good throughputs is by using CA). That could explain lower DL throughputs. Beware that on B20, where RSRP is likely highest, cha...
by mkx
Mon Apr 12, 2021 11:04 am
Forum: Wireless Networking
Topic: SXT5 NV2 "lost connection, synchronization timeout"
Replies: 5
Views: 309

Re: SXT5 NV2 "lost connection, synchronization timeout"

Done - but shouldn't DFS=ALL be set by my regulatory domain? Why is this important? Should it be enabled on both - master and slave? Default is to use all channels feasible. The list depends on a) regulatory domain, b) selection of indoor vs. outdoor vs. any. The problem with DFS channels is (as I...
by mkx
Mon Apr 12, 2021 8:49 am
Forum: RouterBOARD hardware
Topic: RB5011?
Replies: 19
Views: 1093

Re: RB5011?

CCR2004 no switch chip. RB3011 is too big.

CCR2004 is a proper router and thus does not lack switch chip. The rest of devices on your list are SoHo devices (a completely different device group).

You're saying RB3011 doesn't fit standard 19" rack?
by mkx
Mon Apr 12, 2021 8:39 am
Forum: General
Topic: Time Sync with SNTP client and IP Cloud Not Working
Replies: 26
Views: 4063

Re: Time Sync with SNTP client and IP Cloud Not Working

Actually cloud timesync is broken. I've read explanation by Mikrotik that cloud timesync is very approximate and only useful for setting approximate time for logs. For everything else disable cloud timesync and use (S)NTP client. In fact you should only use single time sync method as multiple fight ...
by mkx
Mon Apr 12, 2021 8:24 am
Forum: Wireless Networking
Topic: SXT5 NV2 "lost connection, synchronization timeout"
Replies: 5
Views: 309

Re: SXT5 NV2 "lost connection, synchronization timeout"

While you might get upset about watchdog not triggering you really should adjust list of allowed frequencies so that "master device" (sw15) doesn't select a DFS frequency by setting skip-dfs-channels=all ... even if reboot occurred earlier it could still happen that sw15 selects a DFS freq...
by mkx
Sat Apr 10, 2021 6:14 pm
Forum: General
Topic: CRS328 Temperature high
Replies: 5
Views: 540

Re: CRS328 Temperature high

CRS328-24P does have fans and OP contains data about their RPM. However fans are temperature driven and it seems MT thinks these temperatures are fine or else fans would run much faster (I seem to remember they can go as high as 5000 RPM or something like that).
by mkx
Sat Apr 10, 2021 1:14 pm
Forum: SwOS
Topic: Multicast issue on SwOS
Replies: 4
Views: 354

Re: Multicast issue on SwOS

MT devices in general (both ROS and SwOS) don't implement IGMP snooping quite properly and it's hard to get it working right (with SwOS giving much less possibilities for tinkering with settings even more so). My own solution is to have it disabled but this might not be solution for you if cummul...
by mkx
Sat Apr 10, 2021 1:01 pm
Forum: RouterBOARD hardware
Topic: idea for a mUPS version 2
Replies: 1
Views: 233

Re: idea for a mUPS version 2

The simple design is guarantee for batteries to get destroyed sooner or later. Even if one uses very simple lead-acid batteries, there are a few problems: when charged, a 12V lead-acid battery has voltage of around 13.7-13.9 Volts. Exact number depends on exact manufacturing process (e.g. normal vs....
by mkx
Sat Apr 10, 2021 12:18 pm
Forum: General
Topic: Tagging Untagged VLAN From Other Devices
Replies: 3
Views: 352

Re: Tagging Untagged VLAN From Other Devices

What you want is perfectly doable. However you'll have to reconfigure both devices (RB951G and hAP lite) for use of VLANs. Reconfiguration of both will be done in similar manner: you will use two VLANs: one for IPTV and one for LAN. Use any number between 2 and around 4000. Let's say you'll use VLAN...
by mkx
Fri Apr 09, 2021 11:54 pm
Forum: General
Topic: "antenna gain" missing in 6.46.8?
Replies: 64
Views: 5331

Re: "antenna gain" missing in 6.46.8?

And can't the router ask the chip? Obviously it can't. Not easily at least. I don't think MT devs deliberately threw the functionality out of ROS for ac chipsets (and newer) just for fun. There must be a reason for lack of Tx power information and I guess it has something to do with in-house develo...
by mkx
Fri Apr 09, 2021 7:43 pm
Forum: Beginner Basics
Topic: Connect switch and router via SFP - partially working [SOLVED]
Replies: 7
Views: 465

Re: Connect switch and router via SFP - partially working [SOLVED]

No wasn't aware that the large switch setups with SwOS don't have a config to export.....

Any switch setups with SwOS only have one type of human-readable configuration export: the graphical one.
by mkx
Fri Apr 09, 2021 6:09 pm
Forum: General
Topic: VLAN setup for CCR1016 and CRS226
Replies: 14
Views: 916

Re: VLAN setup for CCR1016 and CRS226

Documentation about switch trunks, supported by CRS1xx/CRS2xx, is slightly scarce, but judging from configuration example shown in this document it is possible to assume it's similar to bonding with layer2-and-3 transmit policy. And with this kind of bonds pair of hosts (same pair of MAC addresses -...
by mkx
Fri Apr 09, 2021 5:53 pm
Forum: General
Topic: "antenna gain" missing in 6.46.8?
Replies: 64
Views: 5331

Re: "antenna gain" missing in 6.46.8?

Problem is that default value very much depends on exact radio chip model used. Not a problem with pre-ac hardware which can show exact values used. So when you'd set tx-power mode to "card-rates" and check running values, you'd get all the information you need. With newer chipsets that's ...
by mkx
Fri Apr 09, 2021 11:46 am
Forum: Wireless Networking
Topic: Fast update of upstream L2 switch MAC address tables when roaming across APs
Replies: 3
Views: 278

Re: Fast update of upstream L2 switch MAC address tables when roaming across APs

Slightly off-topic, but I'll correct myself (before many other users do it):
As this forum is un-official user forum,
Actually this forum is official forum. The user part is true, MT staff don't necessarily react to bugs reported (only) on this forum.
by mkx
Fri Apr 09, 2021 10:51 am
Forum: Wireless Networking
Topic: Fast update of upstream L2 switch MAC address tables when roaming across APs
Replies: 3
Views: 278

Re: Fast update of upstream L2 switch MAC address tables when roaming across APs

As this forum is un-official user forum, I suggest you send your suggestion/request directly to mikrotik, e.g. via e-mail address support@mikrotik.com
by mkx
Fri Apr 09, 2021 10:48 am
Forum: General
Topic: Connectivity
Replies: 1
Views: 133

Re: Connectivity

Assuming fibre router is not Mikrotik, you can not set Mikrotik LAN address to same subnet as fibre router's. Instead Mikrotik should perform NAT and all the rest. Default config on SOHO line is using interface list throughout firewall rules (including NAT) and if you stick to that concept, you shou...
by mkx
Fri Apr 09, 2021 12:09 am
Forum: General
Topic: How to make a router plugged into an interface only see a VLAN
Replies: 5
Views: 340

Re: How to make a router plugged into an interface only see a VLAN

Add configuration something like this;
/interface bridge
add name=bridge1234 vlan-filtering=yes
/interface bridge port
add bridge=bridge1234 interface=ether4 pvid=1234 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=bridge1234 tagged=bridge...
by mkx
Wed Apr 07, 2021 10:33 pm
Forum: General
Topic: PowerPro no HOfload on second Bridge
Replies: 1
Views: 153

Re: PowerPro no HOfload on second Bridge

In ROS (currently) only one bridge can offload operations to hardware. If configuration is same for all bridges, ROS automagically selects one for offload. You can affect the selection by manually disabling HW offload on all non-preferred ports. Actual limitation is one bridge per switch chip, but mos...
by mkx
Wed Apr 07, 2021 5:22 pm
Forum: General
Topic: How to make a router plugged into an interface only see a VLAN
Replies: 5
Views: 340

Re: How to make a router plugged into an interface only see a VLAN

Just to make it clear: which device (CCR or anonymous router) should take care of VLANs? If it's CCR, then you can use bridge, which is kind of a software bridge and can deal with VLAN tags as well. Have a look at this fine tutorial, applies to CCR as well.
by mkx
Wed Apr 07, 2021 4:35 pm
Forum: RouterOS v7 BETA
Topic: intel 710 chipset driver
Replies: 7
Views: 909

Re: intel 710 chipset driver

Absolutely not. Even when ROS v7 will be officially released, you should wait before deploying in production environment. The track record shows that there are always some teething problems after release of new minor version, let alone after major version (such as jump from v6 to v7).
by mkx
Wed Apr 07, 2021 4:26 pm
Forum: General
Topic: Multiple Trunk setup performance issues
Replies: 13
Views: 758

Re: Multiple Trunk setup performance issues

If trunk port is set to vlan-header=leave-as-is and vlan-mode=secure then on ingress VLAN table (otherwise governing egress filtering) would be consulted. And there's no "untagged" option in that table (could be that it would be possible to add VID 0 to that table, VID 0 is sometimes used ...
by mkx
Wed Apr 07, 2021 4:18 pm
Forum: General
Topic: Bridge hosts table when 2 interfaces with same MAC
Replies: 4
Views: 281

Re: Bridge hosts table when 2 interfaces with same MAC

Hmmm ... only now I see the weirdness of your setup. I still think it's bug in code which prints out the ARP table, possibly it expects that one MAC address is only available through one of bridge ports (and in your case, bridge ports are vlan interfaces on top of ether5) which would be usual case. ...
by mkx
Wed Apr 07, 2021 4:06 pm
Forum: General
Topic: Certificate valid days question
Replies: 5
Views: 278

Re: Certificate valid days question

There's a myriad of issues, revolving around 32-bit timers with offset to UNIX epoch. Linux kernel has support for 64-bit counters since ages ago (also 32-bit kernel), but there are other (mostly 32-bit) applications (and glibc and ...) which not necessarily use it yet. And those include ssl librari...
by mkx
Wed Apr 07, 2021 3:45 pm
Forum: Beginner Basics
Topic: Trying to setup VLANs with hAP ac3 and CSS 610-8G-2S+IN [SOLVED]
Replies: 3
Views: 185

Re: Trying to setup VLANs with hAP ac3 and CSS 610-8G-2S+IN [SOLVED]

/interface ethernet switch port set 4 default-vlan-id=5 vlan-header=add-if-missing vlan-mode=secure
Port with index 4 usually relates to ether5 ... and setting I highlighted means it'll untag frames from VLAN 5 on egress [*]. Which obviously is not what you want. So unset the default-vlan-id (or set...
by mkx
Wed Apr 07, 2021 3:14 pm
Forum: Beginner Basics
Topic: VLANs, trunk ports and vlan interfaces
Replies: 3
Views: 384

Re: VLANs, trunk ports and vlan interfaces

/interface vlan add interface=bridge name=VLAN-1111 use-service-tag=yes vlan-id=1111
The setting I highlighted is toggle between using 802.1q ("usual" VLAN) and 802.1ad ("QinQ" VLAN). Most users want to use 802.1q tags and corresponding setting is use-service-tag=no (which is defa...
by mkx
Wed Apr 07, 2021 7:59 am
Forum: General
Topic: Bridge hosts table when 2 interfaces with same MAC
Replies: 4
Views: 281

Re: Bridge hosts table when 2 interfaces with same MAC

I don't think anything is wrong with your setup, I guess it's a bug in printing host table. Bridge is supposed to do independent VLAN learning. Plus it's customary for VLAN interfaces to use physical interface's MAC address (at least linux does it) so from router's point of view your two gadgets mig...
by mkx
Tue Apr 06, 2021 10:07 pm
Forum: Beginner Basics
Topic: Can't access hosts via certain ports from a computer connected to an hEX-S
Replies: 24
Views: 1163

Re: Can't access hosts via certain ports from a computer connected to an hEX-S

Curious: although it's probably moot with the relatively small amounts of data we push, wouldn't separating out guest users with multiple bridges (which occur at the hardware level) be faster than segmenting with VLANs (which occur at the software level, right?) ? As @anav mentioned, bridges in ROS...
by mkx
Tue Apr 06, 2021 9:55 pm
Forum: Beginner Basics
Topic: Why is there "Current Tag" & "Current Untagged" in each VLAN
Replies: 6
Views: 454

Re: Why is there "Current Tag" & "Current Untagged" in each VLAN

PVID=1 setting is implicit default on all bridge ports when vlan-filtering is enabled. thx but there is no traffic with VLAN-ID=1, so why are they listed? There is active, physical link only on port 01-10 (and 16). Only traffic with VLAN ID=100 runs over port 01-10, so why does VLAN10 say that ther...
by mkx
Tue Apr 06, 2021 5:36 pm
Forum: General
Topic: "antenna gain" missing in 6.46.8?
Replies: 64
Views: 5331

Re: "antenna gain" missing in 6.46.8?

We can only speculate how it works. All those other brands that talk in 100%,90%, 75%,50%,25%,10% TX power setting, how do they implement it? Over all MCS encodings, or is that wishful thinking (again)? Indeed we can only guess. Unless somebody with some professional measurement gear can do some me...
by mkx
Tue Apr 06, 2021 5:32 pm
Forum: Beginner Basics
Topic: Why is there "Current Tag" & "Current Untagged" in each VLAN
Replies: 6
Views: 454

Re: Why is there "Current Tag" & "Current Untagged" in each VLAN

PVID=1 setting is implicit default on all bridge ports when vlan-filtering is enabled. If you really want to get rid of it, set trunk (tagged only) ports with the following settings: /interface bridge port set [ find interface=ether2 ] frame-types=admit-only-vlan-tagged ingress-filtering=yes (same f...
by mkx
Tue Apr 06, 2021 5:18 pm
Forum: Wireless Networking
Topic: POE Surge protection test!
Replies: 4
Views: 1005

Re: POE Surge protection test!

best surge protector so far = 2x 1gbps media converters connected with 1 meter of single mode fiber ...
... powered by? Don't forget that power adapters are "guilty" of quite many surge damages, overvoltage can pass those as well.
by mkx
Tue Apr 06, 2021 5:03 pm
Forum: General
Topic: "antenna gain" missing in 6.46.8?
Replies: 64
Views: 5331

Re: "antenna gain" missing in 6.46.8?

This way you make an AP that is performing way below par, that is interfering more than any other AP, that loses connection easily, since the chipset with 6-7dBm variation in allowed TX power according MCSrate is in use. Even if your assumption that setting antenna gain higher reduces Tx pow...
by mkx
Tue Apr 06, 2021 4:42 pm
Forum: General
Topic: Multiple Trunk setup performance issues
Replies: 13
Views: 758

Re: Multiple Trunk setup performance issues

Only one (minor) thing: on trunk ports I always set vlan-header=leave-as-is ...
by mkx
Tue Apr 06, 2021 4:38 pm
Forum: Beginner Basics
Topic: Default Configuration
Replies: 3
Views: 245

Re: Default Configuration

As @own3r1138 noticed: default settings are quite good and it's advisable to keep them. It's much better than most of what you can find on internet. If you need some other functionality (e.g. some ports forwarded), then add needed rules, no need to remove anything. Study defaults, understand them be...
by mkx
Tue Apr 06, 2021 10:38 am
Forum: General
Topic: "antenna gain" missing in 6.46.8?
Replies: 64
Views: 5331

Re: "antenna gain" missing in 6.46.8?

(*) Max TX power in the specs is not what the radio can transmit with a certain MCS, but how well the radio controls the side lobes of the channel, to remain below the legal line of sidelobes in the RF spectrum. Higher MCS rates have a more complex spectrum and do leak more sidelobes than lower MCS...
by mkx
Tue Apr 06, 2021 10:23 am
Forum: Beginner Basics
Topic: Port 80 open for letsencrypt
Replies: 4
Views: 258

Re: Port 80 open for letsencrypt

ACME working over HTTP needs HTTP server running and delivering (right) response to request from letsencrypt server. This can either be done using already running web server (and acme script simply stores response to correct place in web server's file structure) or acme script can temporarily run it...
by mkx
Mon Apr 05, 2021 11:39 pm
Forum: Wireless Networking
Topic: How to enable Bridge VLAN Filtering on a wireless access-list rule?
Replies: 9
Views: 366

Re: How to enable Bridge VLAN Filtering on a wireless access-list rule?

/interface bridge vlan add bridge=bridge-local untagged=wlan1 vlan-ids=10 doesn't go together with /interface wireless access-list add allow-signal-out-of-range=20s interface=wlan1 mac-address=xx:xx:xx:xx:xx:xx vlan-id=10 vlan-mode=use-tag And setting vlan-filtering actually enables the former sett...
by mkx
Mon Apr 05, 2021 11:25 pm
Forum: General
Topic: "antenna gain" missing in 6.46.8?
Replies: 64
Views: 5331

Re: "antenna gain" missing in 6.46.8?

Normis explained in post #32 above: you can set Tx power lower than default (maximum considering country regulations and hard-coded antenna gain) using parameter tx-power . In webfig it's available in advanced section and you can set value if you select "all-rates-fixed" as "Tx Power ...
by mkx
Mon Apr 05, 2021 10:59 pm
Forum: General
Topic: Multiple Trunk setup performance issues
Replies: 13
Views: 758

Re: Multiple Trunk setup performance issues

Regarding RB2011 in switch mode: The /interface ethernet switch port export is always confusing to me because it's using index numbers instead of port names so it's hard to correlate this section to other sections of config. Command interface ethernet switch port print provides missing information. ...
by mkx
Mon Apr 05, 2021 6:33 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 19
Views: 1449

Re: Transparent hEX S to change vlan-priority for DHCP request only

Standards ... one thing is to support normal SFPs which (semi-)transparently pass bits between left and right. And it's a pity these are not more compatible. Which mostly is not result of poor standards but rather bad practice by major players who introduced incompatible extensions. The other probl...
by mkx
Mon Apr 05, 2021 6:16 pm
Forum: Beginner Basics
Topic: VLAN Filter - how do ingress and egress rules work?
Replies: 15
Views: 771

Re: VLAN Filter - how do ingress and egress rules work?

What beats me is that in Cisco world there are two names for frames without 802.1q headers: untagged VLANs and native VLANs. I'm not fluent in ciscoish so I guess that there can only be single native VLAN per switch/stack/CDP domain while every untagged VLAN port can belong to different VLAN. To me ...
by mkx
Mon Apr 05, 2021 4:03 pm
Forum: General
Topic: "antenna gain" missing in 6.46.8?
Replies: 64
Views: 5331

Re: "antenna gain" missing in 6.46.8?

Mental masturbation: if devices are not locked against illegal settings, they can not be legally sold in certain market. While some nations are used to smuggling goods from third countries, other nations (which might represent considerable markets for MT) are used to buying goods from local business...
by mkx
Mon Apr 05, 2021 3:59 pm
Forum: General
Topic: Transparent hEX S to change vlan-priority for DHCP request only
Replies: 19
Views: 1449

Re: Transparent hEX S to change vlan-priority for DHCP request only

Mikrotik support for ONT SFPs is non-existent so some might work and most don't. Even compatibility with "normal" SFPs is incomplete (mildly put). Which means that trying to get ONT SFP to work with any MT device is similar to trying to win a jackpot, even if particular ONT SFP works with ...
by mkx
Mon Apr 05, 2021 3:45 pm
Forum: Beginner Basics
Topic: VLAN Filter - how do ingress and egress rules work?
Replies: 15
Views: 771

Re: VLAN Filter - how do ingress and egress rules work?

I dare to say the setting Bridge -> Ports -> Bridge Port -> VLAN PVID is clear to me. I assume this is the ingress rule: Untagged traffic incoming: The VLAN tag is added according to the PVID. tagged traffic incoming: the VLAN tag is read but not changed. Yes, your assumptions are correct. However t...
by mkx
Mon Apr 05, 2021 3:25 pm
Forum: Beginner Basics
Topic: 2 links between CSR /using vlan filtering, but without LACP/
Replies: 9
Views: 531

Re: 2 links between CSR /using vlan filtering, but without LACP/

I think that setting all 4 ports involved (two at each end) to ingress-filtering=yes frame-types=admit-only-vlan-tagged might solve your problem of switches detecting a loop when you're half way through moving VLAN99 from one link to another. The thing is in the first setting which would drop VLAN99...
by mkx
Mon Apr 05, 2021 12:16 pm
Forum: RouterBOARD hardware
Topic: NetPower16 feeding AF11FX
Replies: 3
Views: 528

Re: NetPower16 feeding AF11FX

According to wikipedia article the PSE (netPower) has quite some constraints about PoE out voltages: when in 802.3 af mode, output voltage should be in range between 44V and 57V. Maximum power is limited to 15.4W. when in 802.3 at mode, output voltage should be in range between 50 V and 57V. Maximum...
by mkx
Mon Apr 05, 2021 11:49 am
Forum: General
Topic: Multiple Trunk setup performance issues
Replies: 13
Views: 758

Re: Multiple Trunk setup performance issues

Basically you can configure VLANs either with bridge filtering or on switch, you should not mix both. If you want to configure SFP+ port on CCR as trunk as well, then you have a problem. Your CCR is unfit for switching duties between any pair of ports apart from ports ether1-ether4 (which are run by...
by mkx
Mon Apr 05, 2021 11:29 am
Forum: Beginner Basics
Topic: 2 links between CSR /using vlan filtering, but without LACP/
Replies: 9
Views: 531

Re: 2 links between CSR /using vlan filtering, but without LACP/

I'm pretty sure VLAN99 gets into a semi-loop state when you configure two ports as members even on single end. In this moment switch (which has both ports configured as members) starts sending certain frames to both ports and the other switch (which is still configured with single port member of VLA...
by mkx
Sun Apr 04, 2021 11:44 pm
Forum: General
Topic: RB4011 InterVLAN Routing
Replies: 3
Views: 454

Re: RB4011 InterVLAN Routing

Would there be any reason to use Bridge VLAN filtering on the RB4011 ?

Only if RB4011 was not simply a router-on-a-stick ...
by mkx
Sun Apr 04, 2021 11:36 pm
Forum: Beginner Basics
Topic: 2 links between CSR /using vlan filtering, but without LACP/
Replies: 9
Views: 531

Re: 2 links between CSR /using vlan filtering, but without LACP/

So if I understand you right: currently you have VLAN 99 over primary link and everything works fine. If you start to configure VLAN 99 also for secondary link, switches detect loop? But there indeed is (a partial) loop in that case. You can have it like that (I guess you have redundancy in your min...
by mkx
Sun Apr 04, 2021 9:54 pm
Forum: General
Topic: RB4011 InterVLAN Routing
Replies: 3
Views: 454

Re: RB4011 InterVLAN Routing

When you power on both devices and nothing much works ... is the DAC link up&running? You should be able to check that if you configure management computer with static address from 192.168.10.x/24 subnet and connect to ether24 of CRS. You may want to configure a management port on RB4011 in simi...
by mkx
Sun Apr 04, 2021 8:38 pm
Forum: General
Topic: Multiple Trunk setup performance issues
Replies: 13
Views: 758

Re: Multiple Trunk setup performance issues

Ah, so your unit is one of old ones. The bridge vlan-filtering can only be offloaded on CRS3xx devices. The rest can not offload vlan filtering and one has to configure VLANs on switch chip (under /interface ethernet switch).
by mkx
Sat Apr 03, 2021 8:09 pm
Forum: General
Topic: Multiple Trunk setup performance issues
Replies: 13
Views: 758

Re: Multiple Trunk setup performance issues

Your CCR1009 quite likely doesn't have switch chip built in (only early models without SFP+ port had one) and hence nothing can be HW offloaded. Your CCR is a great router but mediocre switch/bridge.
by mkx
Sat Apr 03, 2021 3:50 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 41
Views: 1863

Re: port 53 open despite firewall rules

You could try to run TCP traceroute ... targeting same destination IP address, but different standard TCP ports (e.g. 443 along with 53) and compare the path. And choose some normal destination known not to be hosted by some large cloud hosting company as those tend to geographically distribute serv...
by mkx
Fri Apr 02, 2021 11:36 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 41
Views: 1863

Re: port 53 open despite firewall rules

Should I netinstall clean firmware? And how can I do it? Netinstalling your device would certainly be a good action. Prior to doing it do export of configuration ( /export file=yourexport ) so task of configuring the unit afterwards will be easier. The process of netinstalling is quite well documen...
by mkx
Fri Apr 02, 2021 11:02 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 41
Views: 1863

Re: port 53 open despite firewall rules

I tried also nc -w5 -z -v <MyIP> 53 and Connection to <MyIP> 53 port [tcp/domain] succeeded! I don't know what to say.... How my ISP can make a port in my router to respond to requests? You ran the command from where? If you ran it from a device connected directly to WAN interface of your router, th...
by mkx
Fri Apr 02, 2021 10:41 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 41
Views: 1863

Re: port 53 open despite firewall rules

My guess is that your ISP is redirecting/blocking connections to port 53 (DNS server) ... possibly in attempt to block DDoS attacks which abuse mis-configured routers of your ISP's clients.
by mkx
Fri Apr 02, 2021 5:59 pm
Forum: Wireless Networking
Topic: detect LAN log messages
Replies: 6
Views: 415

Re: detect LAN log messages

/interface detect-internet set detect-interface-list=none
by mkx
Fri Apr 02, 2021 5:47 pm
Forum: Wireless Networking
Topic: detect LAN log messages
Replies: 6
Views: 415

Re: detect LAN log messages

If I was in your position, I'd disable the feature altogether. I don't know if anybody (I dare to say: MT staff included) has ever found a good use of it, while there are reports of random things breaking and problems stopped after disabling this "feature".
by mkx
Fri Apr 02, 2021 12:22 pm
Forum: Beginner Basics
Topic: A little help with VLANs - CRS328
Replies: 10
Views: 751

Re: A little help with VLANs - CRS328

Quoted sections of RB4011 config which are incorrect: /interface bridge add admin-mac=08:00:00:C0:00:00 auto-mac=no comment=defconf name=bridge Bridge absolutely needs setting vlan-filtering=yes . But first fix the next error ... /interface bridge vlan add bridge=bridge tagged=sfp-sfpplus1,bridge vl...
by mkx
Fri Apr 02, 2021 12:11 pm
Forum: Wireless Networking
Topic: detect LAN log messages
Replies: 6
Views: 415

Re: detect LAN log messages

Could it be related to detect-internet "feature"?
by mkx
Fri Apr 02, 2021 12:07 pm
Forum: Wireless Networking
Topic: for when spectral analysis will work on AC radios
Replies: 3
Views: 379

Re: for when spectral analysis will work on AC radios

Did anybody check the new wave2 drivers for 7.1beta if they support spectral scans?
by mkx
Fri Apr 02, 2021 12:03 pm
Forum: General
Topic: Force SFP interface running
Replies: 1
Views: 178

Re: Force SFP interface running

I don't think MT actually supports ONU SFPs in any way. If it works somehow it's purely coincidental. So I wouldn't hold my breath waiting for your suggestion to be implemented. Besides, if you really want your suggestion to get to MT devs, you'll have to communicate it directly, this forum is user ...
by mkx
Thu Apr 01, 2021 9:28 pm
Forum: Beginner Basics
Topic: Multiple VLANs and DHCP servers on a single physical port
Replies: 3
Views: 263

Re: Multiple VLANs and DHCP servers on a single physical port

Both methods (bridge vlan and switch chip vlan) only matter in switched/bridged environment which is when multiple ports are members of same vlans (or subset of thereof) and part of traffic simply passes router/switch between these ports (almost) unaltered. When only single port is carrying all vlans...
by mkx
Wed Mar 31, 2021 9:11 pm
Forum: General
Topic: Dead 750GL [SOLVED]
Replies: 4
Views: 420

Re: Dead 750GL [SOLVED]

Next thing you could try is to netinstall the router.
by mkx
Wed Mar 31, 2021 6:37 pm
Forum: General
Topic: Dead 750GL [SOLVED]
Replies: 4
Views: 420

Re: Dead 750GL [SOLVED]

Did you click on MAC address to connect?

It's a good sign that it shows in winbox, this means it's up&running, but configuration might be in weird state. Also beware that if ROS running on RB is older than 6.40 you have to use older winbox as well (I think 3.1x should be fine).
by mkx
Wed Mar 31, 2021 5:00 pm
Forum: Beginner Basics
Topic: Invalid Forwards [SOLVED]
Replies: 9
Views: 671

Re: Invalid Forwards [SOLVED]

You believe that there's nothing to worry about? I worry about Koreans knowing my TV watching habits so my TV is banned from internet (also helps against automatic unattended firmware upgrades, some were not exactly user-friendly in the past), but can access DLNA server in LAN (keeps my daughters ha...
by mkx
Wed Mar 31, 2021 2:16 pm
Forum: RouterBOARD hardware
Topic: Can the RB260GSP Switch power both the Hex Router and the hap ac lite?
Replies: 5
Views: 344

Re: Can the RB260GSP Switch power both the Hex Router and the hap ac lite?

The only way to power the hAP lite is via the 5 Volt USB power supply, correct?

Looking at Powering section of product page it certainly looks like that.
by mkx
Wed Mar 31, 2021 2:13 pm
Forum: RouterBOARD hardware
Topic: Chateau hanging
Replies: 4
Views: 291

Re: Chateau hanging

In theory[*], 71.beta5 should be better than 7.0beta6. But since it's still beta (and beta in MT world means less than usually in ICT world) you never know if your particular unit will like it better or not. So before you upgrade your unit, do the following: create (binary) backup ( /system backup s...
by mkx
Wed Mar 31, 2021 1:59 pm
Forum: Wireless Networking
Topic: hap ac2 selects outdoor 5ghz frequency by default when indoor is selected
Replies: 8
Views: 508

Re: hap ac2 selects outdoor 5ghz frequency by default when indoor is selected

(MKX is faster in typing than me. I will post it anyway .... :-) )

I'd be disappointed if you didn't. It's always pleasure to read your highly skilled and very informative posts, I always learn something new.
by mkx
Wed Mar 31, 2021 1:53 pm
Forum: General
Topic: Bridge Trunk Ports
Replies: 6
Views: 385

Re: Bridge Trunk Ports

The article should apply to CRS326 ... but if you have some weird scenario (can't figure it out completely from your vague description), then you have to adjust the config from article for your particular case. You can post config (at least from one of units) so we can see if there's room for improv...
by mkx
Tue Mar 30, 2021 11:29 pm
Forum: Wireless Networking
Topic: hap ac2 selects outdoor 5ghz frequency by default when indoor is selected
Replies: 8
Views: 508

Re: hap ac2 selects outdoor 5ghz frequency by default when indoor is selected

installation=indoor or outdoor is not physical, but rather political setting. In certain countries there are certain frequency channels which are only allowed for indoor use (these usually come with lower Tx power limits as well) and other frequency channels are allowed for outdoor use ... which ac...
by mkx
Tue Mar 30, 2021 7:12 pm
Forum: Beginner Basics
Topic: Multiple VLAN on Single Port
Replies: 6
Views: 924

Re: Multiple VLAN on Single Port

My current network is running off a Ubiquity Access Point with no VLAN and I would like to separate network traffic using VLAN's as per below: 1) WLAN1 - 192.168.16.0/24 - No VLAN currently (would like to add a VLAN 100) 2) WLAN2 (Guest) - 192.168.168.0/24 - VLAN 999 I have configured the bridge wi...
by mkx
Tue Mar 30, 2021 7:05 pm
Forum: Beginner Basics
Topic: 2 links between CSR /using vlan filtering, but without LACP/
Replies: 9
Views: 531

Re: 2 links between CSR /using vlan filtering, but without LACP/

In theory it might work with careful configuration. Can you post actual configuration of one of switches (I guess you configured both in similar fashion)? (execute /export hide-sensitive and copy-paste output here).
by mkx
Tue Mar 30, 2021 9:35 am
Forum: RouterBOARD hardware
Topic: Replacing the NAND in a RB1100
Replies: 1
Views: 288

Re: Replacing the NAND in a RB1100

License is "baked" to NAND in a way netinstall doesn't touch it. Which also means you can't transfer the license to new NAND just like that. I suggest you to contact support@mikrotik.com and ask them about your options.
by mkx
Tue Mar 30, 2021 9:34 am
Forum: RouterBOARD hardware
Topic: Powering 2 devices from hAP ac3 PoE-out port
Replies: 2
Views: 367

Re: Powering 2 devices from hAP ac3 PoE-out port

I wouldn't do it, there's real chance that either PoE out port gets damaged or that both PoE-powered devices will not be stable. If you really want daisy-chain both PoE-in devices and run them off single PoE cable, use RBGSP injector which has 2A limit.
by mkx
Tue Mar 30, 2021 9:32 am
Forum: RouterBOARD hardware
Topic: Can the RB260GSP Switch power both the Hex Router and the hap ac lite?
Replies: 5
Views: 344

Re: Can the RB260GSP Switch power both the Hex Router and the hap ac lite?

Yes it can. RB260GSP comes with 24V power adapter and both hEX Gr3 and hAP ac lite can take this voltage. However, you'll have to reconfigure hEX from defaults: hEX can take PoE in via ether1 while default config uses ether1 as WAN port. In your case you'll want to use ether1 as LAN port (and dedica...
by mkx
Tue Mar 30, 2021 8:59 am
Forum: Beginner Basics
Topic: Issue with my network setup
Replies: 43
Views: 2429

Re: Issue with my network setup

Is router successful in obtaining DHCP lease from FIOS router? Check by running command /ip address print and verify that there's a dynamic address bound to ether1_WAN.
by mkx
Tue Mar 30, 2021 8:51 am
Forum: Beginner Basics
Topic: N00b - protecting router from external access
Replies: 3
Views: 231

Re: N00b - protecting router from external access

I guess my question was too generalized to attract helpful responses ... will try to ask better questions next time. The question was indeed very general. On a side note: which particular Mikrotik device type are you using? SOHO devices (most Mikrotik devices except CCR, CRS and some high-end RB de...
by mkx
Tue Mar 30, 2021 8:42 am
Forum: Beginner Basics
Topic: LAN Traffic Passing To MT!! [SOLVED]
Replies: 3
Views: 274

Re: LAN Traffic Passing To MT!! [SOLVED]

PC01 -> Dumb switch -> to Mikrotik ether2 interface then on my bridge then out to eth2 -> switch again then to -> Server So your router is connected to switch with single ethernet cable, connected to ether2? Unless PC01 and Server are in different subnets (and RB has two IP addresses set on ether2/...
by mkx
Mon Mar 29, 2021 6:48 pm
Forum: Wireless Networking
Topic: Reaching the end of the IPS of my LAN [SOLVED]
Replies: 3
Views: 350

Re: Reaching the end of the IPS of my LAN [SOLVED]

Mkx is almost correct.

Right. I stand corrected.
by mkx
Mon Mar 29, 2021 6:43 pm
Forum: General
Topic: RB4011 VLAN Routing Performance
Replies: 4
Views: 477

Re: RB4011 VLAN Routing Performance

It's a shame that a single CPU thread limits it in such a way though. ARM-based routers (RB4011, CCR2004) are quite good actually, their single-core performance is not too bad. Imagine your disappointment if you used a CCR1072 instead ... on paper it's got tons of umph, but in your case it'd be muc...
by mkx
Mon Mar 29, 2021 4:53 pm
Forum: General
Topic: Three Subnets in one ethernet interface [SOLVED]
Replies: 9
Views: 587

Re: Three Subnets in one ethernet interface [SOLVED]

Ethernet 2: ip address 192.168.3.5/24 ip address 192.168.10.5/24 ip address 192.168.0.220/24 Simply setting all 3 addresses to same interface (ether2) does the trick. But the clients cannot see each other. The router can see them all though. What exactly is the question? That clients should not see ...
by mkx
Mon Mar 29, 2021 4:40 pm
Forum: General
Topic: RB4011 VLAN Routing Performance
Replies: 4
Views: 477

Re: RB4011 VLAN Routing Performance

What does /tool profile cpu=all show during ongoing iperf test? I wouldn't be surprised if only single CPU core gets loaded. How does running multiple parallel streams ( iperf -P 8 ... ) affect overall throughput? The thing is that when routing, ROS will use single CPU core for all packets belonging...
by mkx
Mon Mar 29, 2021 3:58 pm
Forum: Beginner Basics
Topic: Winbox can no longer connect
Replies: 7
Views: 451

Re: Winbox can no longer connect

Try to use newest version of winbox. The way password is stored on RB and how password is negotiated with winbox changed somewhere around 6.44. Old versions of winbox don't work with new versions of ROS and vice versa.
by mkx
Mon Mar 29, 2021 3:54 pm
Forum: Beginner Basics
Topic: Issue with my network setup
Replies: 43
Views: 2429

Re: Issue with my network setup

Because device with IP address 192.168.188.165 needs to communicate with gateway at 192.168.188.1 ... the longest netmask covering both addresses is 24-bit long. Because, believe it or not, the link between RB and FIOS router is an entire subnet (because it's running on top of ethernet which is typi...
by mkx
Sun Mar 28, 2021 10:52 pm
Forum: Wireless Networking
Topic: Reaching the end of the IPS of my LAN [SOLVED]
Replies: 3
Views: 350

Re: Reaching the end of the IPS of my LAN [SOLVED]

You can extend numbering to 192.168.1.1/23 ... which gives you another 256 addresses (192.168.1.1-192.168.2.254 ... usable host addresses are then also 192.168.1.255 and 192.168.2.0). You have to change netmask on router's LAN interface, change address pool for DHCP server, change network mask in D...
by mkx
Sun Mar 28, 2021 9:31 pm
Forum: Beginner Basics
Topic: Issue with my network setup
Replies: 43
Views: 2429

Re: Issue with my network setup

add address=192.168.188.165/24 interface=ether1 network=192.168.188.0

Fixed WAN IP for you ...
by mkx
Sun Mar 28, 2021 6:52 pm
Forum: Wireless Networking
Topic: ROS 7 AND WISP
Replies: 2
Views: 264

Re: ROS 7 AND WISP

Probably as soon as ROSv7 will start working for everybody else. The date? Your guess is as good as everyone's.
by mkx
Sun Mar 28, 2021 4:23 pm
Forum: Beginner Basics
Topic: Cannot get value with console command
Replies: 3
Views: 237

Re: Cannot get value with console command

Index numbers (you're using 0 in your example) are dynamic and are created when running print command. They are only valid until next print (the worst thing would be that add or remove or similar doesn't invalidate them). Which means you can't reference entries like this from scripts, you have to us...
by mkx
Sun Mar 28, 2021 4:14 pm
Forum: Beginner Basics
Topic: Does changing configs causes to a Flash write ?
Replies: 6
Views: 510

Re: Does changing configs causes to a Flash write ?

What is "SOP" and "MT" ? Standard Operating Procedure. MikroTik. In that case, it seems that a script which is scheduled often could (potentially) degrade the Flash quickly which would subsequently adversely affect the device operation. Yes. So you should think of ways to ma...
by mkx
Sun Mar 28, 2021 4:09 pm
Forum: RouterOS v7 BETA
Topic: Possible error in DNS canonical name handling
Replies: 7
Views: 609

Re: Possible error in DNS canonical name handling

Address list uses resolved IP addresses (repeats resolving after DNS record TTL expires so it keeps IP address semi-uptodate) ... since ultimate destination is some akamai cloud address, it could be same IP address is whitelisted for some other domain. If you want to block according to FQDN, you eit...
by mkx
Sun Mar 28, 2021 4:01 pm
Forum: General
Topic: ARP without DHCP server?
Replies: 3
Views: 512

Re: ARP without DHCP server?

If TV is the only device to be isolated and is connected to dedicated port on router, then use of VLANs is un-necessary complication. The way OP started was fine. There are a few gotchas though. The biggest might be the bug in default configuration where ports ether2-etherX are bridged but LAN IP se...
by mkx
Sat Mar 27, 2021 9:45 pm
Forum: General
Topic: No internet connection after PPPOE reconnect (disable, pause, enable)
Replies: 5
Views: 455

Re: No internet connection after PPPOE reconnect (disable, pause, enable)

The internet is up and running, but not working. How can disable "detect internet" help? I don't think any MT user ever found out what function "detect internet" offers that's not available otherwise. However, there is a number of reports of weird problems which went away after ...
by mkx
Sat Mar 27, 2021 7:35 pm
Forum: General
Topic: 10 Gbps SFP + RouterOS Compatible NICs
Replies: 3
Views: 352

Re: 10 Gbps SFP + RouterOS Compatible NICs

Regarding NIC support (which includes 10Gbps NICs) there are 3 ROS variants: ROS v6 x86 Due to age of ROSv6 and underlying linux kernel it generally lacks support for newer devices. Which (sadly) includes most 10Gbps NICs apart from NIC based on early chipsets. Nothing much will change about support...
by mkx
Sat Mar 27, 2021 5:57 pm
Forum: Beginner Basics
Topic: Right MTU and L2 MTU for SFP+ 10GB Ports [SOLVED]
Replies: 4
Views: 427

Re: Right MTU and L2 MTU for SFP+ 10GB Ports [SOLVED]

It is fine to configure L2MTU as high as it gets. But for (L3) MTU you have to consider a few things: L3 MTU has to be the same in whole subnet or else some members of same subnet won't be able to communicate (peers with smaller MTU will silently drop packets) when client and server are in different...
by mkx
Sat Mar 27, 2021 5:25 pm
Forum: Beginner Basics
Topic: Firewall does not drop ssh connection by local name
Replies: 2
Views: 266

Re: Firewall does not drop ssh connection by local name

The only reason why IPv6 matters in your case is that server.local somehow resolves to IPv6 address. BTW, bridging two L3 subnets and then using bridge filters (or switch ACLs if you were using some real switch for that) to block traffic is, mildly put, weird. And since your OP was extremely scarce ...
by mkx
Sat Mar 27, 2021 5:20 pm
Forum: Beginner Basics
Topic: Does changing configs causes to a Flash write ?
Replies: 6
Views: 510

Re: Does changing configs causes to a Flash write ?

All what is remembered after a reboot has been written into flash. When exactly does the device perform a write to Flash ? SOP is to write changes immediately. MT stated that simply cutting power to device shouldn't affect it in any way. However there are indications that marginal power supply migh...
by mkx
Sat Mar 27, 2021 4:38 pm
Forum: Beginner Basics
Topic: Help Bonding two ports [SOLVED]
Replies: 5
Views: 820

Re: Help Bonding two ports [SOLVED]

Alb only differs from tlb when the other end is (a dumb) switch connecting multiple clients which don't know anything about this bond. Multiple clients are needed because many bond modes keep traffic between same set of peers (i.e. server and client) on same link to ensure in-order delivery of packe...
by mkx
Sat Mar 27, 2021 3:29 pm
Forum: Beginner Basics
Topic: Right MTU and L2 MTU for SFP+ 10GB Ports [SOLVED]
Replies: 4
Views: 427

Re: Right MTU and L2 MTU for SFP+ 10GB Ports [SOLVED]

When device is used as a switch, the (L2)MTU setting doesn't matter (much). It has to be large enough not to drop large frames on ingress. If L2MTU is set larger, it still won't make passing frames larger. Where MTU matters is if interface is used for L3 i.e. if interface has IP address set. In this...
by mkx
Sat Mar 27, 2021 3:20 pm
Forum: Beginner Basics
Topic: Help Bonding two ports [SOLVED]
Replies: 5
Views: 820

Re: Help Bonding two ports [SOLVED]

Post full config for review, it's hard to guess which minor detail is missing/wrong. Execute /export hide-sensitive file=anynameyouwish from terminal window and open resulting text file in any text editor, then copy-paste config here inside [code] [/code] environment.
by mkx
Sat Mar 27, 2021 10:58 am
Forum: Beginner Basics
Topic: hEX & bonding/link aggregation setup
Replies: 4
Views: 344

Re: hEX & bonding/link aggregation setup

2. [Tab Bonding] Create a bonding with ether4 and ether5 as slaves and mode "balance rr" (this appears to be the equivalent for Netgear static LAG). I called that one "bond45" I don't know what exactly is Netgear's "static LAG" ... however RR is not the same as XOR. XO...
by mkx
Sat Mar 27, 2021 10:39 am
Forum: Beginner Basics
Topic: Help Bonding two ports [SOLVED]
Replies: 5
Views: 820

Re: Help Bonding two ports [SOLVED]

Your wording and action don't match when you're talking about adding bond to the bridge. Adding to a bridge is done thusly: /interface bridge add bridge=bridge1 interface=bond0 pvid=10 What you did was to setup VLAN membership of port bond0 (which is done automatically by the command above due to pv...
by mkx
Fri Mar 26, 2021 12:04 am
Forum: RouterBOARD hardware
Topic: Wifi RB4011 - HAP AC3 - HAP AC3 LTE
Replies: 11
Views: 869

Re: Wifi RB4011 - HAP AC3 - HAP AC3 LTE

If you set up wireless interface according to local legislation, then most probably there will be no difference between Tx power of all three units, clients will measure same signal strength from any of those APs. These days most countries limit wireless devices to 20 dBm or (less frequently) 30 dBm...
by mkx
Thu Mar 25, 2021 8:50 pm
Forum: Wireless Networking
Topic: Wireless Client Isolation
Replies: 7
Views: 701

Re: Wireless Client Isolation

Yes.
by mkx
Thu Mar 25, 2021 7:53 am
Forum: General
Topic: PPPoE connection from was already active - closing previous one
Replies: 1
Views: 255

Re: PPPoE connection from was already active - closing previous one

Post configuration, it's hard to tell what's wrong without seeing it. Is it "native" x86 installation or a CHR?
by mkx
Thu Mar 25, 2021 7:45 am
Forum: General
Topic: Switch Chip VLAN Setting Question (HAPAC2)
Replies: 6
Views: 503

Re: Switch Chip VLAN Setting Question (HAPAC2)

I didn't say there was no difference. In case A traffic from other VLANs will bleed through ether5 (broadcasts, multicasts and some unicast packets if switch won't know exact egress port for dst MAC address, ...). It goes against the gist of setting vlan-mode=secure ... Even more so if you don't se...
by mkx
Wed Mar 24, 2021 11:39 pm
Forum: Beginner Basics
Topic: Disabling/Enabling a specific entry in an Address List [SOLVED]
Replies: 3
Views: 507

Re: Disabling/Enabling a specific entry in an Address List [SOLVED]

The easiest way is to add comment to the entry ... and then toggle disabled flag by searching the comment. E.g. /ip firewall address-list add address=192.168.88.88/32 list=somelist comment="My address #1" # from some script set the address list entry disabled /ip firewall address-list set ...
by mkx
Wed Mar 24, 2021 8:30 pm
Forum: Wireless Networking
Topic: Wireless Client Isolation
Replies: 7
Views: 701

Re: Wireless Client Isolation

Would setting the "bridge uses firewall" setting get this done?

It would if HW offload was disabled for involved ports. And if APs were connected to different ports of a bridge.
by mkx
Wed Mar 24, 2021 4:35 pm
Forum: General
Topic: Switch Chip VLAN Setting Question (HAPAC2)
Replies: 6
Views: 503

Re: Switch Chip VLAN Setting Question (HAPAC2)

If in practice there is no difference (even though A does not make sense), then I would rather use A. I didn't say there was no difference. In case A traffic from other VLANs will bleed through ether5 (broadcasts, multicasts and some unicast packets if switch won't know exact egress port for dst MA...
by mkx
Wed Mar 24, 2021 3:37 pm
Forum: Beginner Basics
Topic: Some issues with tethering usb and wifi with my hap ac2
Replies: 9
Views: 540

Re: Some issues with tethering usb and wifi with my hap ac2

If your hotspot only supports 2.4Ghz, then you can create virtual interface as STA on 2.4Ghz and keep the Wifi AP interface at same time. wireless mode station should only be used on master interface because it has to follow the serving AP (or phone tethering internet connection) ... virtual interf...
by mkx
Wed Mar 24, 2021 3:33 pm
Forum: Beginner Basics
Topic: Date & Time from NTP Server [SOLVED]
Replies: 14
Views: 856

Re: Date & Time from NTP Server [SOLVED]

What does
/system ntp client print
show?
by mkx
Wed Mar 24, 2021 3:06 pm
Forum: General
Topic: Switch Chip VLAN Setting Question (HAPAC2)
Replies: 6
Views: 503

Re: Switch Chip VLAN Setting Question (HAPAC2)

Case A (ether5 member of VLANs 1, 01 and 20) doesn't make much sense since ether5 port is set to untag everything on egress and can only tag untagged frames with single default-vlan-id on ingress.
by mkx
Wed Mar 24, 2021 2:54 pm
Forum: General
Topic: RB4011 > hAP AC Lite VLAN configuration
Replies: 13
Views: 796

Re: RB4011 > hAP AC Lite VLAN configuration

@anav, with your mileage in ROS and VLANs I still don't get what exactly is bothering you. I'll try to answer never the less (but I'll probably miss the point). Bridge personality of bridge ... just carries frames between ports ... doesn't care if they're tagged or not. When you're talking of bridge...
by mkx
Wed Mar 24, 2021 2:18 pm
Forum: General
Topic: DHCP: MAC vs. Client-ID
Replies: 1
Views: 249

Re: DHCP: MAC vs. Client-ID

DHCP server only cares about Client ID. Client ID is value supplied by DHCP client when requesting DHCP lease. It usually does contain MAC address, but it can be some other identification. Client ID can be of 3 types: text, integer number and MAC address. MAC address, shown by DHCP server, is FYI on...
by mkx
Wed Mar 24, 2021 11:07 am
Forum: General
Topic: RB4011 > hAP AC Lite VLAN configuration
Replies: 13
Views: 796

Re: RB4011 > hAP AC Lite VLAN configuration

I still fail to understand your question. Which bridge personality (according to classification by @sindy) are you talking about?
by mkx
Wed Mar 24, 2021 11:03 am
Forum: Beginner Basics
Topic: SSL certificate for Proxmox
Replies: 3
Views: 620

Re: SSL certificate for Proxmox

That's perpetual "problem" with certificates. Solution is to add DNS entries (resolvable for LAN hosts only) which link public host name with local IP address.
by mkx
Wed Mar 24, 2021 11:01 am
Forum: Beginner Basics
Topic: accessing local network hosts by host-name.local-domain-name [SOLVED]
Replies: 4
Views: 407

Re: accessing local network hosts by host-name.local-domain-name [SOLVED]

The problem is now how can i secure my router from external dns requests when "allow remote requests" is enabled? It's firewall rules for chain=input . Default firewall setup (in recent ROS version on SOHO devices) already blocks most connections from WAN, but it really depends on changes...
by mkx
Tue Mar 23, 2021 8:26 pm
Forum: General
Topic: help with a firewall address rule
Replies: 2
Views: 334

Re: help with a firewall address rule

The only time when firewall actually cares about anything else but IP addresses (and port numbers) is in L7 firewall. Which doesn't work for HTTPS traffic because it's encrypted.

If you describe use case, you might get better answer.
by mkx
Tue Mar 23, 2021 7:44 pm
Forum: General
Topic: hAPac2 high latency on WiFi clients [SOLVED]
Replies: 2
Views: 417

Re: hAPac2 high latency on WiFi clients [SOLVED]

Wireless clients (most notably battery-powered ones, such as phones and tablets) frequently enter sleep mode and during sleep they don't listen to radio. AP knows that and buffers unicast packets until devices wake up. This way packets get delivered, but delay has high jitter. So if you want to test...
by mkx
Tue Mar 23, 2021 7:36 pm
Forum: General
Topic: Winbox Safe mode
Replies: 30
Views: 53529

Re: Winbox Safe mode

So it seems that "undo" buffer for safe mode is not endless. You should exit and re-enter safe-mode after each block of commands that might break your management connection (whereas your management connection survives).
by mkx
Tue Mar 23, 2021 7:23 pm
Forum: General
Topic: RB4011 > hAP AC Lite VLAN configuration
Replies: 13
Views: 796

Re: RB4011 > hAP AC Lite VLAN configuration

wlan interface is historically capable of dealing with VLANs itself. If wlan interface has vlan-id=400 vlan-mode=use-tag (set in /interface wireless section), then from bridge point of view this is tagged port and should be added as tagged member to appropriate VLAN. If, OTOH, one uses wlan interfac...
by mkx
Tue Mar 23, 2021 2:42 pm
Forum: General
Topic: RB4011 > hAP AC Lite VLAN configuration
Replies: 13
Views: 796

Re: RB4011 > hAP AC Lite VLAN configuration

Our on-duty configuration parser @anav missed this question: How do I assign an IP address to the bridge that exists in VLAN50? as just adding "192.168.5.254/24" to the bridge only ever replies locally and then prevents further access to the device. For this you'll have to add bridge (the ...
by mkx
Tue Mar 23, 2021 2:37 pm
Forum: Wireless Networking
Topic: WDS or independent APs?
Replies: 1
Views: 547

Re: WDS or independent APs?

All three 2.4GHz antennas run on the same frequency and SSID, but all three (Omni +the two APs) handle their own DHCP with a different network IP scheme. This pretty much breaks roaming performance: when client sees different AP with same SSID, it often assumes L3 network would be contiguous and af...
by mkx
Tue Mar 23, 2021 2:18 pm
Forum: Beginner Basics
Topic: accessing local network hosts by host-name.local-domain-name [SOLVED]
Replies: 4
Views: 407

Re: accessing local network hosts by host-name.local-domain-name [SOLVED]

What is setting of dns-server property in /ip dhcp-server network? If it's not your router's IP address, then clients will use other DNS server and will miss configuration from /ip dns static.
by mkx
Tue Mar 23, 2021 2:11 pm
Forum: Beginner Basics
Topic: SSL certificate for Proxmox
Replies: 3
Views: 620

Re: SSL certificate for Proxmox

The tutorial author is using DNS-01 challenge (instead of a more often used HTTP-01) which requires you to have DNS server for your (sub)domain under your control. In this case the certificate receiver (Proxmox) doesn't have to be publicly accessible. Doesn't have anything to do with particular type...
by mkx
Tue Mar 23, 2021 1:58 pm
Forum: RouterOS v7 BETA
Topic: IPv6 DHCPv6 server?
Replies: 19
Views: 1317

Re: IPv6 DHCPv6 server?

Problem is that quite some OSes (e.g. Windows) will use different short-lived IPv6 addresses (even multiple at any given time), constructed in SLAAC manner, and will use those addresses at will. This mostly matters for out-going connections but that means you can't rely on IPv6 address only to contr...
by mkx
Tue Mar 23, 2021 1:41 pm
Forum: General
Topic: DST-NAT when not default gateway
Replies: 1
Views: 232

Re: DST-NAT when not default gateway

This won't work because SMTP server doesn't know it needs to use MT as gateway. There are (at least) two ways of dealing with it: set up static route on SMTP server to use MT as gateway. I don't know how feasible that would be if SMTP server should only use MT as gateway for SMTP to most destination...
by mkx
Tue Mar 23, 2021 11:04 am
Forum: General
Topic: help fix leaky vlans, NP16 + PBP
Replies: 7
Views: 525

Re: help fix leaky vlans, NP16 + PBP

Post actual configuration of both devices, it's not really possible to know what exactly you configured from your description. Possibly it's not what you think you configured but what you actually configured.
by mkx
Tue Mar 23, 2021 11:00 am
Forum: General
Topic: Connect two subnets
Replies: 5
Views: 398

Re: Connect two subnets

If you follow instructions by @bpwl ... I don't see a point in having Mikrotik in the first place. It will act as a dumb switch ... which you already have in place. So you really have to decide the role of Mikrotik router in your LAN. However, if it is to be firewall for your LAN, then ... well, it ...
by mkx
Tue Mar 23, 2021 9:02 am
Forum: Announcements
Topic: v6.48.1 [stable] is released!
Replies: 120
Views: 28144

Re: v6.48.1 [stable] is released!

I just noticed now, winboard doesn't find it anymore, is that because i turned lldp off? I mean that winboard doesn't find the board? It seems that MNDP (neighbour discovery) runs on top of LLDP. However, you should still be able to connect to your router using winbox if entering its IP address (or M...
by mkx
Mon Mar 22, 2021 10:54 pm
Forum: General
Topic: Connect two subnets
Replies: 5
Views: 398

Re: Connect two subnets

Proper solution would be to add static route towards 192.168.88.0/24 via gateway 192.168.2.1 on ISP router. And add some firewall rules which would allow desired connections and block the rest. And drop SRC-NAT on mikrotik, ISP router should do it for both parts of network. I'll assume you really wa...
by mkx
Mon Mar 22, 2021 10:49 pm
Forum: General
Topic: CAPsMAN - AP falls out of the bridge after a few hours
Replies: 7
Views: 603

Re: CAPsMAN - AP falls out of the bridge after a few hours

I don't have experience with such behaviour under CAPsMAN. With stand-alone wlan interfaces it's normal that they become inactive (i.e. without R flag) when no client is registered. This is normally not a problem, interface changes state to "running" quickly enough for initial traffic betw...
by mkx
Mon Mar 22, 2021 12:36 pm
Forum: General
Topic: L2TP/IPSEC xtremely slow speeds
Replies: 4
Views: 361

Re: L2TP/IPSEC xtremely slow speeds

Have a look at HW acceleration capabilities per device model. If the combination of encryption algorithm, hashing algorithm and key length is right, HW offload should happen automatically.
by mkx
Mon Mar 22, 2021 8:47 am
Forum: Beginner Basics
Topic: lte1 not selectable for dhcp-client
Replies: 10
Views: 986

Re: lte1 not selectable for dhcp-client

Which part of answer by @SiB is not clear? LTE interface (or mobile broadband interfaces in common) don't need DHCP client running to get IP address from ISP. That's handled automatically when modem is registering to the network (modem can't be registered to the network without having at least one I...
by mkx
Sun Mar 21, 2021 11:12 pm
Forum: Wireless Networking
Topic: Wireless Client Isolation
Replies: 7
Views: 701

Re: Wireless Client Isolation

The forwarding setting only blocks client-to-client forwarding when both clients are served by same AP. If you want to block connectivity between clients of different APs, you have to use either bridge filtering on common device (either switch or router, where APs are connected to different ports of...
by mkx
Sun Mar 21, 2021 5:26 pm
Forum: General
Topic: needing netinstall most of the times after restarting the router
Replies: 8
Views: 714

Re: needing netinstall most of the times after restarting the router

OK, if we get back on topic: if OP would test if powering device with at least 12V, that would give conclusive answer to the question if marginal power supply caused the problems or not.
by mkx
Sun Mar 21, 2021 1:23 pm
Forum: General
Topic: CRS328 Bonding With Vlan Filtering
Replies: 4
Views: 469

Re: CRS328 Bonding With Vlan Filtering

It all depends on the destination MAC and IP addresses of your traffic in each direction. There should not be a problem with layer-2-and-3, did you change the setting at both ends? transmit-hash-policy does not have to be the same on both ends, as name hints it only affects Tx direction. Using lay...
by mkx
Sun Mar 21, 2021 1:00 pm
Forum: General
Topic: Set IP public to server behind mikrotik rb4011 wihtout nat
Replies: 5
Views: 573

Re: Set IP public to server behind mikrotik rb4011 wihtout nat

The solution by @erkexzcx will work only if the extra addresses are handed out exactly the same way as A1 (come with gateway and subnet mask). If you follow the solution, then RB's firewall won't protect server unless you configure bridge to use IP firewall. Another option is to create a DMZ bridge ...
by mkx
Sun Mar 21, 2021 12:37 am
Forum: General
Topic: mikrotik not responding to only one host on internal network
Replies: 5
Views: 446

Re: mikrotik not responding to only one host on internal network

You've got mechanism to automatically black-list some addresses. It can happen that "trusted" host lands on the list. You also have white-list. You should allow connections from white-list before dropping any of black-list (both static list and auto-list).
by mkx
Sat Mar 20, 2021 9:35 pm
Forum: Wireless Networking
Topic: One SSID and multiple VLANs with hardware acceleration
Replies: 2
Views: 360

Re: One SSID and multiple VLANs with hardware acceleration

If you want to do it in hardware, then you'll have to tell which hardware. BTW anything passing wireless can't be HW offloaded, only traffic between ethernet ports (managed by same switch chip) can be handled in hardware.
by mkx
Sat Mar 20, 2021 5:25 pm
Forum: General
Topic: needing netinstall most of the times after restarting the router
Replies: 8
Views: 714

Re: needing netinstall most of the times after restarting the router

Device is shipped standard with a 24V power adapter. Go figure.
by mkx
Sat Mar 20, 2021 4:00 pm
Forum: RouterBOARD hardware
Topic: wAP ac LTE6: 41n is 5G?
Replies: 6
Views: 660

Re: wAP ac LTE6: 41n is 5G?

No, I'm saying band 41 (n or without it) is a frequency band which can be used for 4G and/or 5G. It then depends on particular equipment whether it supports one or both technologies (which are similar but obviously not the same). With terminals (modems) it's not very often that software upgrade woul...
by mkx
Sat Mar 20, 2021 1:26 pm
Forum: RouterBOARD hardware
Topic: wAP ac LTE6: 41n is 5G?
Replies: 6
Views: 660

Re: wAP ac LTE6: 41n is 5G?

Most of frequency bands now used for various mobile technologies, are legally speaking technologically neutral. Which means that operator gets license to use certain sub-band to build public mobile network and it's up to operator to choose technology to operate. A pretty notable example in Europe is...
by mkx
Sat Mar 20, 2021 12:49 pm
Forum: Wireless Networking
Topic: [SOLVED] Setting up a Mesh/CAPsMAN - 5GHz not transmitting, general random disconnects
Replies: 16
Views: 1456

Re: Setting up a Mesh/CAPsMAN - frequent general disconnects

Never powered anything bigger than a wap or cap off the ether 10. If it comes with PoE in, there might be a way to use it... It's not the PoE in, it's PoE out. RB4011 has limit of 600mA output when voltage is less than 30V. If using power adapter shipped with unit (24V 1.5A), that means 14.4W availa...
by mkx
Sat Mar 20, 2021 1:07 am
Forum: General
Topic: Why can't I make my hEX lite into a router?
Replies: 19
Views: 1151

Re: Why can't I make my hEX lite into a router?

There is no secret setting which completely changes personality of a ROS device. What Quickset setting "router" does it preloads device with certain set of rules. If you wanted to, you could manually configure those starting from no settings (which is what @erkexzcx was suggesting). What m...
by mkx
Fri Mar 19, 2021 9:58 pm
Forum: General
Topic: Why can't I make my hEX lite into a router?
Replies: 19
Views: 1151

Re: Why can't I make my hEX lite into a router?

In the left part of winbox you have "New Terminal" icon ... click it and you'll get CLI access. A question: after you set device into router mode, did you do any changes in any other configuration parts? The thing is that quickset can't understand anything done outside its very limited sc...
by mkx
Fri Mar 19, 2021 9:23 pm
Forum: RouterBOARD hardware
Topic: can passive PoE input be used as PoE output? hAP ac2
Replies: 4
Views: 483

Re: can passive PoE input be used as PoE output? hAP ac2

When the 'hAP ac2' is connected to its power supply adapter through the round power connector, is then the 24V available on its Internet/PoE 'in' connector so that it can supply the device that receives the internet, so actually working as Internet 'in' / PoE 'out' ? No, hAP ac2 does not have PoE o...
by mkx
Fri Mar 19, 2021 9:00 pm
Forum: General
Topic: Why can't I make my hEX lite into a router?
Replies: 19
Views: 1151

Re: Why can't I make my hEX lite into a router?

It looks like you connected WAN cable to one of LAN ports. WAN port in default configuration on Mikrotik is ether1 port (the left-most port), the rest are LAN ports. If this doesn't seem to be the problem, please provide the textual export of configuration. You can get it following these steps: open...
by mkx
Fri Mar 19, 2021 8:56 pm
Forum: General
Topic: Moving from rb3011 to rb4011 [SOLVED]
Replies: 9
Views: 633

Re: Moving from rb3011 to rb4011 [SOLVED]

I'm glad you made your RB4011 work as you want ... regardless the way you managed it. Actually, even if my router is old, it's still was running the current stable RouterOS version. (6.48.1) The problem with old devices is the following: even if they are regularly upgraded to recent ROS version, the...
by mkx
Fri Mar 19, 2021 5:54 pm
Forum: General
Topic: Moving from rb3011 to rb4011 [SOLVED]
Replies: 9
Views: 633

Re: Moving from rb3011 to rb4011 [SOLVED]

Based on your remark about ssh service I strongly advise you to start configuring RB4011 from defaults ... and not by blindly copying settings from old 3011. Reason: recent ROS versions come with pretty sensible defaults (which blocks pretty much everything from WAN). Only add things you really miss.
by mkx
Thu Mar 18, 2021 9:12 pm
Forum: General
Topic: Trunking + Bridging Question
Replies: 4
Views: 395

Re: Trunking + Bridging Question

You started to mix in bridge vlan-filtering ... which should not be used together with switch-chip vlan setup. First decide which way you want to do and then we'll help you. BTW, my post #2 above was based on switch-chip vlans (since you had that in your original post). It does not apply (directly) ...
by mkx
Thu Mar 18, 2021 8:49 pm
Forum: Beginner Basics
Topic: setup hap lite wifi
Replies: 9
Views: 476

Re: setup hap lite wifi

You can read more about the problem in this article. In short: get yourself another AP by same vendor and you'll likely get it working in short time. Use any other vendor and you'll have problems this way or another.
by mkx
Thu Mar 18, 2021 5:07 pm
Forum: Beginner Basics
Topic: setup hap lite wifi
Replies: 9
Views: 476

Re: setup hap lite wifi

The post @erlinden linked is generally fine. However the setup has one drawback (which might be show stopper): it is not possible to directly access devices "behind" wireless device. As you're mentioning server (for which powerline adapters are not reliable enough), I guess you are actuall...
by mkx
Wed Mar 17, 2021 6:51 pm
Forum: Wireless Networking
Topic: LtAP LTE 6 kit + R11e-LTE6 + External Antenna [SOLVED]
Replies: 4
Views: 482

Re: LtAP LTE 6 kit + R11e-LTE6 + External Antenna [SOLVED]

I did run the "no-smoke.bat" file, so all should be ok :-)
8.3 rocks ;-)
by mkx
Wed Mar 17, 2021 6:41 pm
Forum: General
Topic: Mangle on rb450 and rb750
Replies: 1
Views: 162

Re: Mangle on rb450 and rb750

Mangle means that fast-track is out of question and that severely increases processing load (and thus reduces practical throughput). You did not tell what throughput you require, but none of devices you listed (if those are full model names) is exactly powerful. Mangle is not really memory-demanding...
by mkx
Wed Mar 17, 2021 6:36 pm
Forum: General
Topic: can I link a PWR-LINE AP with a PWR-LINE PRO?
Replies: 1
Views: 187

Re: can I link a PWR-LINE AP with a PWR-LINE PRO?

Pwr-line pro (PL7510Gi) product page states
This product works best with other PL75xx series products, but is backwards compatible with PL64xx and PL74xx as well.

So the combo you're after should work.
by mkx
Wed Mar 17, 2021 6:20 pm
Forum: General
Topic: Trunking + Bridging Question
Replies: 4
Views: 395

Re: Trunking + Bridging Question

From the explanation I fail to see what exactly is the problem with wlan1 and wlan2. It seems you'd like to have wlan1 and wlan2 set as access ports to VLAN 20? You can achieve that by setting vlan-mode=use-tag vlan-id=20 on wlan1 and wlan2 interfaces while adding those as ports of bridge VLAN-BR.
by mkx
Wed Mar 17, 2021 6:06 pm
Forum: Beginner Basics
Topic: No Internet on Wlan bridge [SOLVED]
Replies: 12
Views: 579

Re: No Internet on Wlan bridge [SOLVED]

Configuration on bridge1 seems overly complicated to me. From a quick glance nothing is sticking out as wrong to me, but frankly I don't want to delve into config. There are quite a few mis-configs (which don't necessarily break the whole config, such as assignment of IP addresses to each of bridge ...
by mkx
Wed Mar 17, 2021 1:06 pm
Forum: Beginner Basics
Topic: No Internet on Wlan bridge [SOLVED]
Replies: 12
Views: 579

Re: No Internet on Wlan bridge [SOLVED]

I can't say anything about devices on bridge2 ... but since you can ping bridge1 from your phone, then I guess bridge2 is pretty much transparent for communication between phones and bridge1. Since bridge2 is getting its IP config via DHCP, you have to verify that DHCP server also sets default gatew...
by mkx
Wed Mar 17, 2021 9:26 am
Forum: General
Topic: Proper MTU setting between sites.
Replies: 1
Views: 170

Re: Proper MTU setting between sites.

In principle MTU is end-to-end property of a connection. So you should set it to lowest number known to exist on a connection, in your case it would be 1492 gross (and subtract tunnel overhead from that). It may happen that even this setting is too big if there's an intermediate segment of the conn...
by mkx
Wed Mar 17, 2021 8:31 am
Forum: Wireless Networking
Topic: cannot use 80Mhz with my realtek on asus laptop
Replies: 12
Views: 738

Re: cannot use 80Mhz with my realtek on asus laptop

It's hard to fix realtek problems on mikrotik ... other than configuring mikrotik such that realtek works (e.g. changing channel width to 20/40 if that's what makes realtek happy).
by mkx
Wed Mar 17, 2021 8:20 am
Forum: General
Topic: Uninstall Wireless and other packages [SOLVED]
Replies: 9
Views: 2470

Re: Uninstall Wireless and other packages [SOLVED]

If you create address list where entries have timeout set, then this configuration doesn't get stored to permanent storage. It is lost on reboot and you have to refresh it every now and then, so this might or might not be a solution for you. There's no way for ROS to use anything else than built-in ...
by mkx
Tue Mar 16, 2021 9:16 pm
Forum: General
Topic: Uninstall Wireless and other packages [SOLVED]
Replies: 9
Views: 2470

Re: Uninstall Wireless and other packages [SOLVED]

1. Yes, for devices with small disk (i.e. less than 128MB disk) this is then RAM disk.
2. Yes, configuration related to "surviving" packages will be kept intact.
3. As written: after you "unbundle" ROS once, it'll stay unbundled after normal upgrades (using winbox).
by mkx
Tue Mar 16, 2021 8:56 pm
Forum: General
Topic: VLAN: Ingress Filtering vs. PVID
Replies: 2
Views: 259

Re: VLAN: Ingress Filtering vs. PVID

In mikrotik settings for ingress and for egress are pretty independent of each other (but not entirely). In example by @Guscht: ingress settings say that both tagged and untagged frames are allowed on ingress and that untagged frames get tagged with PVID (in example it's 1). Additional setting "...
by mkx
Tue Mar 16, 2021 8:34 pm
Forum: General
Topic: Best Firewall Setting Allowing Most Speed
Replies: 6
Views: 463

Re: Best Firewall Setting Allowing Most Speed

Any IP service (e.g. DHCP server) can be run by any network-connected device, it just needs to have adequate capacity. However it doesn't have to be a dedicated device. But when concentrating multiple services to a single device, take care to reduce number of failure points in your LAN. A typical MT ...
by mkx
Tue Mar 16, 2021 8:19 pm
Forum: Beginner Basics
Topic: PoE to power RouterBoard 951Ui 2HnD [SOLVED]
Replies: 5
Views: 389

Re: PoE to power RouterBoard 951Ui 2HnD [SOLVED]

Thanks for the reply, it is specified as 802.3af compliant. So per your details, it will not be compatible. Where is this particular model listed as 802.3 af/at compliant? Are there any passive PoE devices that are recommended to power a RouterBoard? Mikrotik is selling its own passive PoE injector...
by mkx
Tue Mar 16, 2021 8:13 pm
Forum: Beginner Basics
Topic: Synology NAS behind the Microtik hAP Lite
Replies: 2
Views: 229

Re: Synology NAS behind the Microtik hAP Lite

@Jerre: you should set up hAP lite as access point / switch. Unfortunately there isn't a predefined template for that (a QuickSet setting), so you'll have to do it manually. It's not a trivial task, but if you feel you're up to it, we can list you the necessary steps. Or find a post with steps alrea...
by mkx
Tue Mar 16, 2021 4:01 pm
Forum: Beginner Basics
Topic: PoE to power RouterBoard 951Ui 2HnD [SOLVED]
Replies: 5
Views: 389

Re: PoE to power RouterBoard 951Ui 2HnD [SOLVED]

In short: PoE injector and RB951Ui are not compatible. Since you're mentioning 48V PoE ... I'll assume it's a PoE injector adhering to 802.3af/at standard. Your RB951Ui on the other hand only supports passive PoE (passive means it doesn't do any active handshake with PSE) and accepts voltages betwee...
by mkx
Tue Mar 16, 2021 8:20 am
Forum: RouterBOARD hardware
Topic: RB4011iGS+RM - idle power consumption [SOLVED]
Replies: 4
Views: 733

Re: RB4011iGS+RM - idle power consumption [SOLVED]

It is possible that in upcoming ROS versions all ARM-based devices will see lower idle power consumption, MT implemented dynamic CPU frequency scaling on those platforms ... which should help save a watt or two and decrease CPU temperature a bit.
by mkx
Tue Mar 16, 2021 8:15 am
Forum: Wireless Networking
Topic: Mikrotik wifi mesh
Replies: 7
Views: 619

Re: Mikrotik wifi mesh

Ideally wires. If wires are out of question, then point-to-point connections, preferably on different frequency band (e.g. if available bands are 2.4GHz and 5GHz and there are some 2.4GHz-only clients, use 5GHz band for point-to-point or point-to-multipoint connections and 2.4GHz to offer access to ...
by mkx
Tue Mar 16, 2021 8:12 am
Forum: Wireless Networking
Topic: Short dropouts
Replies: 2
Views: 275

Re: Short dropouts

Also: what is in log on AP? Anything about wireless problems? What are normal values for wireless signal between AP and problematic station? Execute /interface wireless registration-table print stats and make note of rx-rate, tx-rate, signal-to-noise and all signal-strength values. Make sure there's...
by mkx
Tue Mar 16, 2021 8:02 am
Forum: General
Topic: Best Firewall Setting Allowing Most Speed
Replies: 6
Views: 463

Re: Best Firewall Setting Allowing Most Speed

Which device type are you working with? Most SOHO models can't route at wirespeed.

SOHO models come with factory default firewall rules which give almost higher routing/firewalling performance while giving decent protection. You may want to have a look at those settings and continue from there.
by mkx
Tue Mar 16, 2021 7:59 am
Forum: General
Topic: OLD 751U-2HnD best firmware
Replies: 1
Views: 191

Re: OLD 751U-2HnD best firmware

ROS v6 has quite different configuration than ROS v5. If you simply upgraded router while not touching configuration, then the resulting configuration, as created by upgrade scripts, might not be optimal. I suggest you to export configuration (that's not backup!) by running command /export file=conf...
by mkx
Tue Mar 16, 2021 7:53 am
Forum: General
Topic: Firewall filter & address lists [SOLVED]
Replies: 8
Views: 566

Re: Firewall filter & address lists [SOLVED]

My solution is slightly different: I drop traffic from/to addresses in black list in raw. Above the drop rule I have an allow rule using white list: /ip firewall raw add action=accept chain=prerouting comment="static whitelisted SRC-addresses" src-address-list=staticWL add action=accept ch...
by mkx
Mon Mar 15, 2021 7:23 pm
Forum: Beginner Basics
Topic: Link between two Mikrotik S-31DLC20D
Replies: 3
Views: 256

Re: Link between two Mikrotik S-31DLC20D

Product brochure states that this SFP has Tx power between -9dBm and -3dBm while receiver can handle Rx power between -24dBm and 0dBm. As max Rx power is greater than min Tx power (and even greater than max Tx power), this means that these SFPs can be used with optical cable with length anything be...
by mkx
Mon Mar 15, 2021 6:32 pm
Forum: Wireless Networking
Topic: LtAP LTE 6 kit + R11e-LTE6 + External Antenna [SOLVED]
Replies: 4
Views: 482

Re: LtAP LTE 6 kit + R11e-LTE6 + External Antenna [SOLVED]

1. The SMA-SMA cable is very stiff, so can't make sharp bends as I am sure it will damage the cable. Do I need to drill holes in the black cover for the SMA-u.fl connectors? Alternatively I would assume it needs to be operated without the black cover? Or, alternatively, drill holes for the SMA-SMA c...
by mkx
Mon Mar 15, 2021 9:50 am
Forum: General
Topic: Mikrotik UPS Solution
Replies: 11
Views: 817

Re: Mikrotik UPS Solution

The injector needs 120/240v input which converts down to 24v (many devices we use are 48v though) I guess @k6ccc was talking about RBGPOE (or some other passive injector) which takes some DC power through power jack and puts it on the UTP wires. In this case one uses DC battery power directly, no c...
by mkx
Sun Mar 14, 2021 11:23 pm
Forum: Wireless Networking
Topic: CAPsMAN 5ghz - no supported channel [SOLVED]
Replies: 12
Views: 853

Re: CAPsMAN 5ghz - no supported channel [SOLVED]

/caps-man interface add configuration=2g_config disabled=no l2mtu=1600 mac-address=**:**:**:**:**:61 master-interface=none name=\ cap1 radio-mac=**:**:**:**:**:61 radio-name=**********61 add configuration=5g_config disabled=no l2mtu=1600 mac-address=**:**:**:**:**:62 master-interface=none name=\ ca...
by mkx
Sun Mar 14, 2021 10:30 pm
Forum: Beginner Basics
Topic: ipv6 package
Replies: 7
Views: 571

Re: ipv6 package

So if need to block ipv6 traffic even within a L2 segment I need to activate the package and implement appropriate rules (bridge filter or ipv6 firewall)? Blocking IPv6 traffic within L2 domain does not rely on ipv6 package at all. You can do it on (SW) bridge by configuring bridge firewall and blo...
by mkx
Sun Mar 14, 2021 2:58 pm
Forum: Wireless Networking
Topic: CAPsMAN 5ghz - no supported channel [SOLVED]
Replies: 12
Views: 853

Re: CAPsMAN 5ghz - no supported channel [SOLVED]

Change installation=indoors to installation=any. This setting affects frequency availability and Mikrotik uses this in a very unusual way. And with more than single cAP device, you really shouldn't be setting mac-address or radio-mac or radio-name in common configuration. Either leave it unset and l...
by mkx
Sun Mar 14, 2021 2:01 pm
Forum: General
Topic: Winbox on Linux Problems
Replies: 30
Views: 11675

Re: Winbox on Linux Problems

I'm sure there are many experts on this forum that would be able to interpret iptables. I might be able as well, but I'm sure as hell that I won't install UFW just to get a list of iptables rules that default UFW enforces. So somebody running UFW (minimum config which interferes with winbox would be...
by mkx
Sun Mar 14, 2021 1:15 pm
Forum: RouterOS v7 BETA
Topic: Slow IPv6 speeds on v7.1beta4
Replies: 9
Views: 854

Re: Slow IPv6 speeds on v7.1beta4

I'd say this is related to tunnels ... any type (6to4, PPPoE, ...) because tunnel overhead reduces effective MTU through tunnel and it becomes lower than native MTU on end devices. Which then necessitates fragmentation etc.
by mkx
Sun Mar 14, 2021 10:47 am
Forum: Beginner Basics
Topic: ipv6 package
Replies: 7
Views: 571

Re: ipv6 package

router can only pass traffic between L3 interfaces. In case of IPv6 this means interfaces with IPv6 address set and without ipv6 package you can't set IPv6 address and this means router blocks all IPv6 traffic between distinct interfaces (note that there's difference between interface and port). br...
by mkx
Sat Mar 13, 2021 8:22 pm
Forum: General
Topic: Winbox on Linux Problems
Replies: 30
Views: 11675

Re: Winbox on Linux Problems

As with ROS firewall (which is yet another UI to iptables BTW): right solution very much depends on current state. Hence my suggestion to check what UFW did on your machine and then add appropriate rule to the right place in right chain. Or better yet: find the right settings for UFW. Mixing direct ...
by mkx
Sat Mar 13, 2021 8:17 pm
Forum: Beginner Basics
Topic: How to block traffic between ethernet ports
Replies: 10
Views: 672

Re: How to block traffic between ethernet ports

The easiest way would be to set-up firewall directly on PC.

Another way would be to enable use-ip-firewall=yes on bridge, disable hw offload on port 4. Beware IP firewall for bridge traffic works slightly differently from same firewall for routed IP traffic...
by mkx
Sat Mar 13, 2021 4:28 pm
Forum: RouterBOARD hardware
Topic: CRS326-24G-25+RM and S+RJ10 SuperMicro X540-AT2 10 Problem
Replies: 2
Views: 403

Re: CRS326-24G-25+RM and S+RJ10 SuperMicro X540-AT2 10 Problem

Where does booting stop? After kernel is already loaded and driver (re-)initializes NIC? Intel implemented a SFP whitelisting and linux driver (seemingly contributed by Intel) checks that. This is governed by certain bit in card's ROM and not all vendors set it. It is possible to instruct driver not...
by mkx
Sat Mar 13, 2021 4:07 pm
Forum: General
Topic: Winbox on Linux Problems
Replies: 30
Views: 11675

Re: Winbox on Linux Problems

I guess most of power users on this forum don't use UFW (they use iptables directly) so it's not very likely somebody will provide a really good "recipe" for enabling winbox in UFW.
by mkx
Fri Mar 12, 2021 9:58 pm
Forum: General
Topic: Winbox on Linux Problems
Replies: 30
Views: 11675

Re: Winbox on Linux Problems

Here's how things work: RB devices use MNDP to announce their presence ... MNDP is broadcast to IPv4 address 255.255.255.255 (which is not usual IP subnet broadcast address) and (if IPv6 is enabled) to ff02::1 "all nodes" IPv6 multicast address. If iptables is configured to block reception...
by mkx
Fri Mar 12, 2021 8:12 pm
Forum: RouterBOARD hardware
Topic: hEX block diagram
Replies: 44
Views: 4083

Re: hEX block diagram

From the CPU profile it's obvious that most of CPU is consumed for interrupt handling. Since any given interrupt can be handled by any of CPU cores (however, usual linux drivers in recent versions of stock kernel tend to stick to a particular CPU core), it could well happen that during certain tests...
by mkx
Fri Mar 12, 2021 7:59 pm
Forum: RouterBOARD hardware
Topic: hEX block diagram
Replies: 44
Views: 4083

Re: hEX block diagram

Here's how I understand the block diagram of a RB750Gr3 when ether1 is stand-alone interface (e.g. to piggy-back PPPoE) while ether2-ether5 are members of same bridge which has HW offload enabled (and active): https://www.mkx.si/switching.png If there was another stand-alone interface, e.g. ether2, ...
by mkx
Fri Mar 12, 2021 7:38 pm
Forum: RouterBOARD hardware
Topic: FTTH, PPPoE, 2 VLANs and IPTV - performance issue
Replies: 3
Views: 412

Re: FTTH, PPPoE, 2 VLANs and IPTV - performance issue

Before changing setup, make backup of device. If you don't succeed in reconfiguring the device, you can still revert to current setup. For switch-chip centric setup, the L2 setup should look something like this: /interface ethernet switch set ether1 vlan-header=leave-as-is vlan-mode=secure set ether...
by mkx
Fri Mar 12, 2021 7:15 pm
Forum: Wireless Networking
Topic: MikroTik Home Network Setup
Replies: 4
Views: 412

Re: MikroTik Home Network Setup

I'd use one of hAP ac2 devices as main router, it'll run circles around RB2011 performance wise. If you really need number of wired ports (you'll need one for WAN and two for other two hAP ac2 devices), then use RB2011 as a (not exactly a great) switch.
by mkx
Fri Mar 12, 2021 5:12 pm
Forum: Beginner Basics
Topic: Forum exact search
Replies: 20
Views: 1047

Re: Forum exact search

Mostly though in my Mikrotik Searches I put (TOPIC & SINDY & !MKX), so that I can get a well detailed solution fast ;-P
I'm past the point of getting offended by such remarks from you ... if that's what you were aiming at.
by mkx
Fri Mar 12, 2021 4:29 pm
Forum: General
Topic: How to access to local network chat server from PPPoE?
Replies: 2
Views: 192

Re: How to access to local network chat server from PPPoE?

If PPPoE clients use addresses from different IP subnet, then it's entirely up to firewall configuration to allow/block whatever needed. If OTOH PPPoE clients use addresses from same IP subnet, then it might still be doable, but in which way largely depends on LAN layout and current config of your f...
by mkx
Fri Mar 12, 2021 4:27 pm
Forum: General
Topic: PHP + MySQL Problem
Replies: 1
Views: 162

Re: PHP + MySQL Problem

There's nothing in RouterOS which would specifically block connections between MySQL and PHP on that site. You'll have to learn how in particular PHP application interacts with MySQL and see if ROS is blocking it in any way.
by mkx
Fri Mar 12, 2021 4:23 pm
Forum: Beginner Basics
Topic: Forum exact search
Replies: 20
Views: 1047

Re: Forum exact search

If we just ignore @anav (sometimes he switches to a troll-mode, at other times he's much nicer): the sad reality of vast majority of web pages is that built-in search engines are of poor quality and mostly return useless results. I often wonder why they exist after all if smartly crafted link to sea...
by mkx
Fri Mar 12, 2021 4:15 pm
Forum: Beginner Basics
Topic: Routing between two dhcp-servers across two routers [SOLVED]
Replies: 3
Views: 612

Re: Routing between two dhcp-servers across two routers [SOLVED]

Technically you have 2 LAN subnets at CRS125: 192.168.81.0/24 and 192.168.3.0/24 (doesn't matter if they're behind VPN or ethernet interface) ... if you want clients in 192.168.82.0/24 to access either of CRS125's subnets (and vice versa), you have to add a corresponding static route on RB2011. And ...
by mkx
Fri Mar 12, 2021 3:55 pm
Forum: Beginner Basics
Topic: Bridging wlan to ether with hap ac²
Replies: 3
Views: 302

Re: Bridging wlan to ether with hap ac²

I don't have experience with various quickset modes ... however I assume that CPE is intended for WISP-provided device and is thus configured so that management access is possible through wireless interface (WAN) rather than through LAN interfaces. Either way it will probably contain a firewall and ...
by mkx
Fri Mar 12, 2021 3:44 pm
Forum: RouterOS v7 BETA
Topic: Request: iPhone USB tether 2021 "a Blackmagic Design Atem video mixer can do this on its own... but Mikrotik doesn't ?"
Replies: 4
Views: 559

Re: Request: iPhone USB tether 2021 "a Blackmagic Design Atem video mixer can do this on its own... but Mikrotik doesn't

While I support the plea for USB tethering (although I don't use it and don't need it), I beg to differ: Most of the Mikrotik devices come with a huge amount of free disk space Quite many recent Mikrotik devices (e.g. hAP ac2, hAP ac3, wAP ac, cAP ac, etc., not to mention low-end devices) have reall...
by mkx
Thu Mar 11, 2021 9:00 pm
Forum: RouterOS v7 BETA
Topic: Slow IPv6 speeds on v7.1beta4
Replies: 9
Views: 854

Re: Slow IPv6 speeds on v7.1beta4

ROS has a feature called fast-track. It decreases processing overhead for select packets, if configuration and traffic mix is right, more than 99% of packets qualify. This feature thus increases capacity of a device. In ROS v6 (currently stable and long-term versions) unfortunately it doesn't exist ...
by mkx
Thu Mar 11, 2021 5:51 pm
Forum: RouterBOARD hardware
Topic: New Router / WiFi
Replies: 3
Views: 493

Re: New Router / WiFi

Commenting on "all in one" possibilities: mikrotik is listing its products in 3 distinct lines: 1) ethernet switches, 2) ethernet routers and 3) wireless for home and office. Ethernet routers: none of models has more than 12 (or 13) ethernet ports, so this category won't cut. Wireless for...
by mkx
Thu Mar 11, 2021 5:32 pm
Forum: Beginner Basics
Topic: Two gataway in same network and return packet nat
Replies: 5
Views: 417

Re: Two gataway in same network and return packet nat

rp_filter has nothing to do with multiple gateway hosts, it has to do with multiple network interfaces on a PC (or rather on a router). Which is not the case here, PC communicates with both gateways through single interface. A pretty good description of what rp_filter on linux host does can be found...
by mkx
Thu Mar 11, 2021 4:23 pm
Forum: Beginner Basics
Topic: Two gataway in same network and return packet nat
Replies: 5
Views: 417

Re: Two gataway in same network and return packet nat

Did you actually confirm that PC drops return packet due to wrong gateway passing return packet? I don't think that's the problem, gateway's IP address is not recorded anywhere in the packet, gateway's IP address is only used to get next hop's MAC address. I'm not aware of any IP stack implementatio...
by mkx
Thu Mar 11, 2021 1:59 pm
Forum: Beginner Basics
Topic: Routing between two dhcp-servers across two routers [SOLVED]
Replies: 3
Views: 612

Re: Routing between two dhcp-servers across two routers [SOLVED]

You really should use a private subnet address numbering in the CRS125-RB2011 connection subnet. The ones you're using now are in principle public IP addresses and you could run into some issues later. You don't need DHCP server running on connection subnet. Both routers have statically set address...
by mkx
Thu Mar 11, 2021 12:24 pm
Forum: Beginner Basics
Topic: RB 2011iL does not get Gib traffic
Replies: 19
Views: 1380

Re: RB 2011iL does not get Gib traffic

Then this is a remarkable result. Another thought for @OP: are you aware that ethernet ports 6-10 are 100Mbps only? For testing throughput both WAN (PPPoE client is using ether4 which is fine) and LAN client have to be connected to one of ports ether1-ether5. There's another gotcha: the interconnect...
by mkx
Thu Mar 11, 2021 12:11 pm
Forum: RouterBOARD hardware
Topic: S-RJ01 SFP Module in RB4011iGS+ flapping
Replies: 12
Views: 1069

Re: S-RJ01 SFP Module in RB4011iGS+ flapping

We replaced the MT S-RJ01 with a spare SwissGBIC SG-1G-T (OEM version of FS.com SFP-GB-GE-T https://www.fs.com/uk/products/75324.html ). The SG-1G-T is 1000BaseT only. After disabling auto neg and forcing 1G full duplex on sfp-sfpplus1 we got a stable link using the same 70m S/FTP cabling. You coul...
by mkx
Thu Mar 11, 2021 12:06 pm
Forum: General
Topic: Switch Rules - questions
Replies: 1
Views: 213

Re: Switch Rules - questions

From https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features :
copy-to-cpu=yes/no - a packet can be cloned and sent to cpu port
redirect-to-cpu=yes/no - a packet can be redirected to cpu port
I don't know about particular use cases. I guess copy-to-cpu is useful if you want to debug something usi...
by mkx
Thu Mar 11, 2021 11:48 am
Forum: Beginner Basics
Topic: RB 2011iL does not get Gib traffic
Replies: 19
Views: 1380

Re: RB 2011iL does not get Gib traffic

Quite possibly it's an unrealistic scenario. If firewall did not have any rule, then I guess router doesn't perform connection tracking (I may be wrong) which is single most expensive task performed by firewall/router. Router had 60%-70% CPU load during the test ... and if indeed it only performed P...
by mkx
Thu Mar 11, 2021 12:08 am
Forum: SwOS
Topic: CSS610-8G-2S+IN LACP LAG to Synology NAS not working
Replies: 7
Views: 730

Re: CSS610-8G-2S+IN LACP LAG to Synology NAS not working

I googled a bit and stumbled across this document. It doesn't go into much detail, but in short it says not to use "Adaptive Load Balancing" if you have a switch that knows what link bonding is. I guess the safest choice would be to use 802.3ad bonding.
by mkx
Wed Mar 10, 2021 11:55 pm
Forum: General
Topic: RB3011UiAS switch1 reset during File Transfer
Replies: 2
Views: 311

Re: RB3011UiAS switch1 reset during File Transfer

I guess that what you see is what other victims of same phenomenon call port flopping (interface reset would take longer to recover). Not sure if there's a definite fix for it though.
by mkx
Wed Mar 10, 2021 11:29 pm
Forum: Beginner Basics
Topic: Is it OK to set public IP to bridge?
Replies: 2
Views: 357

Re: Is it OK to set public IP to bridge?

In principle it is fine to have more than one IP address set to same interface (bridge in your case). However, just to perform NAT it is not necessary to assign that IP address to any of router's interfaces, your NAT rule #1 (the second one counting from #0) should work regardless. NAT rule will aff...
by mkx
Wed Mar 10, 2021 11:20 pm
Forum: Beginner Basics
Topic: RB 2011iL does not get Gib traffic
Replies: 19
Views: 1380

Re: RB 2011iL does not get Gib traffic

As I wrote: the test results are indication, not exact match of reality. It doesn't matter much whether it's 100 Mbps (and I wrote that PPPoE is quite a burden) or 200 Mbps (something RB2011 realistically can do), it's still very far from 750Mbps or 1Gbps (which you were asking about). Again: the de...
by mkx
Wed Mar 10, 2021 11:12 pm
Forum: Announcements
Topic: Future of LTE products, user feedback requested
Replies: 174
Views: 56435

Re: Future of LTE products, user feedback requested

...not sure how practical that is, however, you would have to know as a customer on which band your telecom operator works... I agree it's not practical for end-user. However, if a device is used as CPE and provided by MNO, then MNO likely knows which antenna would fit best for certain customer. If...
by mkx
Wed Mar 10, 2021 11:15 am
Forum: RouterOS v7 BETA
Topic: v7.1beta4 [development] is released!
Replies: 211
Views: 30316

Re: v7.1beta4 [development] is released!

how to fix the current wifiwave2 package to run on some boxes with less flash: ... flash is an issue, but if i throw away all new hw and only keep the IPQ4019, things might fit on a minimal setup with system, security, wifiwave2, maybe even on a 16MB flash. I certainly hope that if they manage to s...
by mkx
Wed Mar 10, 2021 11:06 am
Forum: Announcements
Topic: Future of LTE products, user feedback requested
Replies: 174
Views: 56435

Re: Future of LTE products, user feedback requested

Antenna is a passive element which doesn't know anything about what's transmitted (doesn't care about modulation, coding or technology in general). It only cares about frequency. Since LTE is using quite wide range of frequencies (in Europe from 690MHz to 2700 MHz for FDD, TDD frequencies are somewh...
by mkx
Tue Mar 09, 2021 11:48 pm
Forum: SwOS
Topic: CSS610-8G-2S+IN LACP LAG to Synology NAS not working
Replies: 7
Views: 730

Re: CSS610-8G-2S+IN LACP LAG to Synology NAS not working

What I meant was to change e.g. 192.168.1.5 to 192.168.1.6 and see if it uses same link. But then: ... I get now that by having only two devices that concurrently try to fetch large files off a NAS ... Since in this case SAN is the transmitting party (files being sent by SAN towards PCs), transmit h...
by mkx
Tue Mar 09, 2021 9:14 am
Forum: SwOS
Topic: CSS610-8G-2S+IN LACP LAG to Synology NAS not working
Replies: 7
Views: 730

Re: CSS610-8G-2S+IN LACP LAG to Synology NAS not working

It seems that SwOS only supports LACP load balancing based on Layer2 and Layer3 hashing. Which means that single client (same MAC and IP address) will always use single connection towards NAS even if running multiple simultaneous transfers (which may differ on L4 - TCP port number). While statistica...
by mkx
Tue Mar 09, 2021 9:01 am
Forum: Wireless Networking
Topic: Cannot connect to Mikrotik using the wireless interface when configured as station
Replies: 1
Views: 204

Re: Cannot connect to Mikrotik using the wireless interface when configured as station

There are numerous details which might be wrong. So post actual config (run /export hide-sensitive file=anynameyouwish from terminal window, fetch resulting file to management PC, open file with text editor, copy-paste contents into [ code] [/code] block) so we can see actual configuration. Meanwhil...
by mkx
Tue Mar 09, 2021 8:21 am
Forum: Beginner Basics
Topic: Firewall config
Replies: 6
Views: 486

Re: Firewall config

Does change of public IP address involve change of ISP? Since most of forwarded ports are non-standard, it could well be that the new ISP blocks them. The export shows pretty incomplete firewall rules compared to the default rules, e.g. it's missing rule add action=accept chain=forward comment="...
by mkx
Tue Mar 09, 2021 7:55 am
Forum: Beginner Basics
Topic: RB 2011iL does not get Gib traffic
Replies: 19
Views: 1380

Re: RB 2011iL does not get Gib traffic

I can't understand why some users related getting up to 900 MB using rb 2011. Some users expect that routers are capable of routing wire speed. Since RB2011 has a few ports capable of 1Gbps, those users expect RB2011 to be able to route at 1Gbps. Sadly this is quite far from reality for vast majori...
by mkx
Tue Mar 09, 2021 7:54 am
Forum: Beginner Basics
Topic: RB 2011iL does not get Gib traffic
Replies: 19
Views: 1380

Re: RB 2011iL does not get Gib traffic

Speed setting on ethernet ports isn't a show stopper, it doesn't matter as long as port is not set to auto-negotiation=no (which is not default, hence it would be shown in config export). Another factor affecting throughput is use of PPPoE ... it does cause some performance drop compared to "st...
by mkx
Mon Mar 08, 2021 11:11 pm
Forum: Beginner Basics
Topic: RB 2011iL does not get Gib traffic
Replies: 19
Views: 1380

Re: RB 2011iL does not get Gib traffic

RB2011 is not able to route much faster than around 200Mbps half duplex (give or take), depending on complexity of firewall rules. If you want to get near the speed you're mentioning (750Mbps full duplex), you'll have to get a much faster router. When looking for a suitable model, check official tes...
by mkx
Mon Mar 08, 2021 8:29 pm
Forum: General
Topic: Security audit of a router
Replies: 2
Views: 301

Re: Security audit of a router

There have been reports that compromised router could not be recovered in any other way but using netinstall. Which means that it is possible to hide part of exploit which makes exploit active again after attempted recovery. However action by which router works differently (which is the point of exp...
by mkx
Mon Mar 08, 2021 8:06 pm
Forum: RouterBOARD hardware
Topic: Bridge Mikrotik Routers through SFP
Replies: 5
Views: 456

Re: Bridge Mikrotik Routers through SFP

With fibre optics there are two things to consider: fibre type. There are two: single-mode and multi-mode and each requires corresponding SFP modules. Multi-mode is strictly for short-range (up to around 500 metres), single-mode is for all ranges. if using single-mode, one has to be careful about ra...
by mkx
Mon Mar 08, 2021 7:10 pm
Forum: General
Topic: Routing Problem [SOLVED]
Replies: 24
Views: 1545

Re: Routing Problem [SOLVED]

Check settings on your cameras ... do they have set default gateway? If they don't, then they can only communicate with devices within own subnet. Not setting gateway can be considered a security feature ...
by mkx
Sun Mar 07, 2021 10:27 pm
Forum: RouterBOARD hardware
Topic: R11e-LoRa8 on Linux
Replies: 5
Views: 682

Re: R11e-LoRa8 on Linux

You'd have better chance of getting answer by sending e-mail to support@mikrotik.com .
by mkx
Sun Mar 07, 2021 8:31 pm
Forum: General
Topic: CCR1036 capacity
Replies: 7
Views: 691

Re: CCR1036 capacity

Winbox is part of management ... and can bog down a CPU if there are open windows displaying long list of elements (e.g. list of tracked connections or some such). Probably webfig falls into this category, SNMP might as well ...
by mkx
Sun Mar 07, 2021 8:24 pm
Forum: General
Topic: Bridge vs. Switch Menu
Replies: 1
Views: 271

Re: Bridge vs. Switch Menu

Switch = wirespeed
Bridge = depends on CPU speed, speed of CPU-switch chip interconnect, other tasks performed by device (wireless, firewall, IPsec tunnels)
by mkx
Sun Mar 07, 2021 4:00 pm
Forum: General
Topic: Traffic between 2 subnets
Replies: 9
Views: 758

Re: Traffic between 2 subnets

No, you can't "see" what's in backup file. Configuration export created by executing /export file=myexport.rsc is, OTOH, plain text file and you can easily use its contents when doing some configuration ... If you only have backup file, you'll have to restore device configuration from it, ...
by mkx
Sun Mar 07, 2021 3:52 pm
Forum: General
Topic: dst-NAT works with 1.1.1.1 and not with local DNS [SOLVED]
Replies: 11
Views: 872

Re: dst-NAT works with 1.1.1.1 and not with local DNS [SOLVED]

Generally hairpin-NAT is only needed if client is in the same subnet as server which is redirect target. If hairpin-NAT solves your problem, then your setup is "out of a box" and needs special consideration. Or there's some other configuration which interferes.
by mkx
Sun Mar 07, 2021 2:51 pm
Forum: General
Topic: input chain best practice [SOLVED]
Replies: 13
Views: 697

Re: input chain best practice [SOLVED]

Talking of bridge filtering - can I check that is the best place to stop some clients on a VLAN having access others on the same VLAN - I think this is another instance where the firewall has no effect. Yes. With a caveat ... connection has to pass the bridge (e.g. both parties are connecting to di...
by mkx
Sun Mar 07, 2021 2:47 pm
Forum: General
Topic: input chain best practice [SOLVED]
Replies: 13
Views: 697

Re: input chain best practice [SOLVED]

As @sindy explained, DHCP is an IP service which is not entirely L3. But IMHO deserves a (positive) firewall filter rule just in case if handling somehow changes some time in the future. Quite some time I've had a similar experience: I was trying to set up DHCP server on a linux host sitting on a tr...
by mkx
Sun Mar 07, 2021 2:42 pm
Forum: General
Topic: dst-NAT works with 1.1.1.1 and not with local DNS [SOLVED]
Replies: 11
Views: 872

Re: dst-NAT works with 1.1.1.1 and not with local DNS [SOLVED]

What is the difference in the rules you posted? I fail to see it. Anyway, it's worth mentioning that firewall and NAT rules are processed in order from top to bottom. If you have a specific rule (such as in your example) but pushed quite to the bottom of rules and at the same time you have some more...
by mkx
Sun Mar 07, 2021 1:16 pm
Forum: General
Topic: input chain best practice [SOLVED]
Replies: 13
Views: 697

Re: input chain best practice [SOLVED]

You have to allow access to all services offered by router. If router is acting as DHCP server, then you have to allow connections to UDP port 67 (originating from port 68). Ditto for TCP/UDP ports 53 (any source port number) if router is acting as DNS server for clients. Etc. As to other probed con...