Community discussions

Search found 6586 matches

by mkx
Tue Sep 21, 2021 7:19 pm
Forum: General
Topic: VLAN Help on a CRS326 Switch [SOLVED]
Replies: 3
Views: 84

Re: VLAN Help on a CRS326 Switch [SOLVED]

/interface bridge port
add bridge=bri1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=Uplink
/interface bridge vlan
add bridge=bri1 untagged=Uplink,bri1 vlan-ids=1
add bridge=bri1 tagged=Uplink,ether1 vlan-ids=10
add bridge=bri1 tagged=Uplink untagged=ether2 vlan-ids=30
add bridge=...
by mkx
Tue Sep 21, 2021 5:06 pm
Forum: RouterBOARD hardware
Topic: RB4011iGS+RM with SFP to RJ45 Copper Transceiver Module
Replies: 4
Views: 220

Re: RB4011iGS+RM with SFP to RJ45 Copper Transceiver Module

Instead of short DAC cable one can use optical connection as well. Use supported SFP+ module on each side (can be different make as well), they only have to match on optical side (i.e. multi-mode 850nm). And use optical patch cord with appropriate length. Optical SFP+ modules also consume quite low ...
by mkx
Tue Sep 21, 2021 4:57 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 40
Views: 1113

Re: Need help on rb750gr3 about maximum lan connection

What Wireless Routers are you using as (im assuming are acting as Access Point / switches and not routers ) OP provided network schema in post #13 above ... a comment there indicates wireless gadgets are used in router mode. Their WAN sides are all in same network, knit together using dumb switches.
by mkx
Tue Sep 21, 2021 11:02 am
Forum: Wireless Networking
Topic: Devices cannot connect to both APs
Replies: 2
Views: 140

Re: Devices cannot connect to both APs

/interface bridge vlan add bridge=bridge1 tagged=ether1,bridge1 untagged=ether2,ether3,ether4,ether5 \ vlan-ids=100 add bridge=bridge1 tagged=ether1, wlan3 wlan1,wlan2 vlan-ids=101 add bridge=bridge1 tagged=ether1 untagged=wlan4 vlan-ids=102 add bridge=bridge1 tagged=ether1 untagged=wlan3 vlan-ids=...
by mkx
Tue Sep 21, 2021 10:36 am
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 40
Views: 1113

Re: Need help on rb750gr3 about maximum lan connection

But as said, the "congestion" may be a consequence of intentional shaping ... Either that or the modem (being residential type) might have problems with NATing large number of concurrent connections (ROS limits depend on device's RAM size). You could rule this out if you could (temporaril...
by mkx
Mon Sep 20, 2021 6:24 pm
Forum: General
Topic: Only 100Mbps full-duplex speed on 1Gbps port
Replies: 4
Views: 189

Re: Only 100Mbps full-duplex speed on 1Gbps port

Also 100Mbps full duplex works without any problem (which also requires the 4 pairs right?)

Nope, 100BaseTx (including full-duplex) uses only 2 pairs.
by mkx
Mon Sep 20, 2021 6:13 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc4 [development] is released!
Replies: 87
Views: 5252

Re: v7.1rc4 [development] is released!

Still slow paste of code.

Emulation of tty at 2400 baud?
by mkx
Mon Sep 20, 2021 12:59 pm
Forum: Wireless Networking
Topic: CAps configuration
Replies: 6
Views: 227

Re: CAps configuration

Maybe i will try a single pool, but that could mess with my IoTs.... What people mostly do is to have multiple wireless networks with different SSIDs and using different VLANs on wired backbone. Then each of networks has its own IP subnet. Those wireless networks actually share same wireless infra...
by mkx
Mon Sep 20, 2021 12:54 pm
Forum: Beginner Basics
Topic: Remove port 5 from the bridge
Replies: 4
Views: 180

Re: Remove port 5 from the bridge

You can remove it. In CLI run the following command: /interface bridge port remove [ find interface=ether5 ] Then proceed by configuring IP settings on ether5. In case if you want to control/limit connectivity between your current LAN and the new one you'll have to add some firewall filter rules, yo...
by mkx
Mon Sep 20, 2021 12:38 pm
Forum: RouterOS v7 BETA
Topic: IPv6 response connection state new,invalid
Replies: 7
Views: 263

Re: IPv6 response connection state new,invalid

I've no idea about queues, so perhaps somebody else will chime in.
by mkx
Mon Sep 20, 2021 12:09 pm
Forum: RouterOS v7 BETA
Topic: IPv6 response connection state new,invalid
Replies: 7
Views: 263

Re: IPv6 response connection state new,invalid

Your IPv6 firewall config is IMO a mess. Not sure what you want to do with all of those mangle rules. But they might interfere with connection tracking machinery state ... if you can, disable all of them to check if your (simplified) setup still doesn't work right. BTW, does your ISP require your WA...
by mkx
Mon Sep 20, 2021 11:52 am
Forum: RouterBOARD hardware
Topic: can CCR2004-16G-2S+ downgrade to v6 ?
Replies: 8
Views: 429

Re: can CCR2004-16G-2S+ downgrade to v6 ?

Maybe so, but it "DOESN't" say that on the downloads page !! Overly cryptic !! The fact is that it is not possible to downgrade ROS version below the factory installed. On any ROS device. It is true that this fact is not printed in large friendly letters on every device box, but this fact...
by mkx
Mon Sep 20, 2021 11:38 am
Forum: RouterBOARD hardware
Topic: save Logs to WD NAS SERVER
Replies: 1
Views: 87

Re: save Logs to WD NAS SERVER

It doesn't seem you could. RouterOS supports a few different actions for logs, the interesting ones in your case are disk and remote . The disk action needs disk mapped in RouterOS and that's generally only possible for local disks, e.g. if disk is USB. Not an option in your case as RB4011 doesn't h...
by mkx
Mon Sep 20, 2021 11:16 am
Forum: RouterOS v7 BETA
Topic: IPv6 response connection state new,invalid
Replies: 7
Views: 263

Re: IPv6 response connection state new,invalid

It's hard to understand what's going on without you providing some more detailed information, such as relevant pieces of configuration (/interface - both configuration and running values - and /ipv6 subtrees) and contents of log (to see what exactly is logged).
by mkx
Mon Sep 20, 2021 11:13 am
Forum: General
Topic: CCR1016-12G Network issues
Replies: 3
Views: 419

Re: CCR1016-12G Network issues

- some machines cannot go out to the internet without having the public IP installed on the machine (configuring the public IP in the network settings), this completely bypasses Mikrotik firewall, no logs for the NAT rule (which is correctly setup) Ports ether1, 3, 4, 5, 6, 7, 8, 9, 10, 11 and 12 a...
by mkx
Mon Sep 20, 2021 9:10 am
Forum: General
Topic: Bind Webfig and ssh to a vlan
Replies: 11
Views: 313

Re: Bind Webfig and ssh to a vlan

As mentioned in your other thread, your L2 (bridge and VLAN) setup is wrong. While it might work for you, it's bound to create problems sooner or later. So it's up to you to either invest some time to study ROS (yes, learning curve is very steep from beginning) and do it right (we'll help you learni...
by mkx
Mon Sep 20, 2021 9:07 am
Forum: Wireless Networking
Topic: Low WiFi speeds on hAP ac²
Replies: 17
Views: 851

Re: Low WiFi speeds on hAP ac²

I have an Audience running that wifi driver. I know that currently ROS v7 is RC (with quality somewhere in between alpha and beta) and wifiwave2 driver quality is on the same level. But I wrote: People who did test the upcoming wifiwave2 driver, confirmed that it both increases obtainable throughpu...
by mkx
Sun Sep 19, 2021 9:01 pm
Forum: General
Topic: Inter VLAN filtering fom VLAN A to VLAN B
Replies: 23
Views: 656

Re: Inter VLAN filtering fom VLAN A to VLAN B

Can we rewind a bit? OP asked two very well articulated questions: How do I achieve inter VLAN filtering with a Mikrotik router? Can it be done at wire speed? Answer to first question: using IP firewall. Router needs to have connectivity to all VLANs, then it will use "usual" IP firewall t...
by mkx
Sun Sep 19, 2021 8:56 pm
Forum: General
Topic: Inter VLAN filtering fom VLAN A to VLAN B
Replies: 23
Views: 656

Re: Inter VLAN filtering fom VLAN A to VLAN B

I think you're kicking in wrong direction here. CCR can't offload anything because it doesn't have needed and supported hardware. CRS might offload something if it was used as L3 switch/router.
by mkx
Sun Sep 19, 2021 7:50 pm
Forum: Wireless Networking
Topic: CAps configuration
Replies: 6
Views: 227

Re: CAps configuration

Curious how do you say multiple networks don't roam nicely? When client decides that current BSSID (AP running certain SSID) signal is not good enough, it looks around for another feasible AP. If it finds another AP running same SSID, it will roam which means it'll expect all the IP settings to rem...
by mkx
Sun Sep 19, 2021 7:32 pm
Forum: Wireless Networking
Topic: Accesspoint only with VLANs
Replies: 17
Views: 471

Re: Accesspoint only with VLANs

What would you like to achieve? learn how to do it properly even if it takes a while get somebody write a few lines of config so you can copy-paste them and be done If it's a), then read the tutorial I linked and try to really understand. Play a bit until you understand it, without trying (for now) ...
by mkx
Sun Sep 19, 2021 7:23 pm
Forum: General
Topic: Inter VLAN filtering fom VLAN A to VLAN B
Replies: 23
Views: 656

Re: Inter VLAN filtering fom VLAN A to VLAN B

Do pray tell which L3 limited features could the Switch do with RoS7, that would offload the router..........

Here is some food for your twisted mind.
by mkx
Sun Sep 19, 2021 7:17 pm
Forum: RouterBOARD hardware
Topic: can CCR2004-16G-2S+ downgrade to v6 ?
Replies: 8
Views: 429

Re: can CCR2004-16G-2S+ downgrade to v6 ?

CCR2004-1G-12S+2XS - Size of RAM in RouterOS v6 1792MB ECC / RouterOS v7 4GB ECC [sarcasm] So when I install v7 on a CCR2004-1G-12S-2XS, little Latvian gremlins sneak in with additional RAM? And do they take it away if I downgrade to v6 again? But chips on board say they're 4GB all the time? [/sarc...
by mkx
Sun Sep 19, 2021 7:11 pm
Forum: RouterBOARD hardware
Topic: RBGPOE max power
Replies: 6
Views: 160

Re: RBGPOE max power

Sure gadgets do get aged
Many think electronics do not age ... :lol:

They're right, electronics don't age. They either become obsolete (and get replaced) or they simply blow up (and get replaced).
by mkx
Sun Sep 19, 2021 7:02 pm
Forum: RouterBOARD hardware
Topic: RBGPOE max power
Replies: 6
Views: 160

Re: RBGPOE max power

Well ... nobody's gonna offer their neck to put under axe for long-term functionality. Sure gadgets do get aged. Aging means capacitors might leak (which might mean lower sustained voltage ... with 50V supply voltage it might lead to loss of smoke). Aging means corrosion, corroded contacts mean high...
by mkx
Sun Sep 19, 2021 6:44 pm
Forum: Wireless Networking
Topic: Accesspoint only with VLANs
Replies: 17
Views: 471

Re: Accesspoint only with VLANs

The traffic coming to the wireless interface is already tagged, or at least that is how it is considered... If you see my example earlier, the wifi interface is set to accept only VLAN tagged, although the incoming traffic from the wireless clients is not Tagged of course.. I think that has to do wit...
by mkx
Sun Sep 19, 2021 6:33 pm
Forum: Wireless Networking
Topic: CAps configuration
Replies: 6
Views: 227

Re: CAps configuration

First thing you have to decide is whether all APs form single large network or each runs their own. If each runs their own, then they'll run in routing mode, but roaming won't work (not nicely that is), so in this case you better set them with different SSIDs. CAPsMAN is out of question in this case...
by mkx
Sun Sep 19, 2021 6:20 pm
Forum: General
Topic: CRS312-4C+8XG L2 VLAN slow performance [Fixed]
Replies: 8
Views: 233

Re: CRS312-4C+8XG L2 VLAN slow performance, misconfiguration?

I removed eht9 from the non-existent bridge and this make it.

How's fan speed now under load?
by mkx
Sun Sep 19, 2021 6:16 pm
Forum: General
Topic: Inter VLAN filtering fom VLAN A to VLAN B
Replies: 23
Views: 656

Re: Inter VLAN filtering fom VLAN A to VLAN B

What @zacharias wants to hide from @anav (by not saying it out loud) is the fact that any device running ROS can be a router. This includes switch CRS312-4C+8XG ... which can do (limited set of) L3 tasks wirespeed if running v7.1. I guess that (accompanied with a glass of Canadian rye) is making @an...
by mkx
Sun Sep 19, 2021 4:00 pm
Forum: RouterBOARD hardware
Topic: RBGPOE max power
Replies: 6
Views: 160

Re: RBGPOE max power

RBGPOE doesn't deliver power, it only passes power. I guess power limit on PoE-out devices is due to ability to power-off/power-on the port and to select output voltage (if device has two power inputs) and both imply some active circuit. RBGPOE has none. Max voltage depends on isolation class of ele...
by mkx
Sun Sep 19, 2021 3:48 pm
Forum: Wireless Networking
Topic: Accesspoint only with VLANs
Replies: 17
Views: 471

Re: Accesspoint only with VLANs

No, no, no ... you've got VLANs wrong again. Here's a good tutorial about VLANs in RouterOS. Regarding starting from scratch: there's winbox (windows binary, but works well under wine in linux and macOS) which can connect to device via MAC (no IP necessary). A great tool for configuring devices when...
by mkx
Sun Sep 19, 2021 3:27 pm
Forum: General
Topic: Poor inter-vlan routing and High "Networking" CPU usage on RB5009
Replies: 19
Views: 630

Re: Poor inter-vlan routing and High "Networking" CPU usage on RB5009

A prime example of changing landscape is VLAN support on RB4011. Traditionally the only way was the software way (bridge vlan-filtering), nothing was possible through /interface ethernet switch (unlike vast majority of switch-chip equipped MT devices). With 7.1rc1 this happened: * added bridge HW of...
by mkx
Sun Sep 19, 2021 1:47 pm
Forum: General
Topic: Poor inter-vlan routing and High "Networking" CPU usage on RB5009
Replies: 19
Views: 630

Re: Poor inter-vlan routing and High "Networking" CPU usage on RB5009

RB5009 doesn't support L3 HW offloading, only CRS309 does.
by mkx
Sun Sep 19, 2021 1:21 pm
Forum: RouterBOARD hardware
Topic: RB4011iGS+RM with SFP to RJ45 Copper Transceiver Module
Replies: 4
Views: 220

Re: RB4011iGS+RM with SFP to RJ45 Copper Transceiver Module

Answer to Q3: ether1 power from Cisco switch PoE The RB4011iGS+RM doesn't support IEEE 802.3XX PoE It only supports Passive PoE with an input Voltage between 18-57 V If you connect it, it probably won't work But it might. @normis explained in one post that RB4011 does negotiate 802.3 af/at PoE on i...
by mkx
Sun Sep 19, 2021 1:04 pm
Forum: Wireless Networking
Topic: Accesspoint only with VLANs
Replies: 17
Views: 471

Re: Accesspoint only with VLANs

There are multiple ways of dealing with multiple-SSID-per-radio situation. But if we want to stick to VLAN-way, then the most "politically correct" way is to use bridge with vlan-filtering=yes . In this case you don't set anything regarding VLANs on wireless interfaces (neither master nor ...
by mkx
Sun Sep 19, 2021 11:32 am
Forum: General
Topic: Inter VLAN filtering fom VLAN A to VLAN B
Replies: 23
Views: 656

Re: Inter VLAN filtering fom VLAN A to VLAN B

As per initial post of this thread: OP wants some limitations on connectivity between VLANs. Which means firewall (with fairly simple rules) is involved. While CRS can do fasttracking in hardware, it comes with some serious limitations. If they get hit, performance drop will be dramatic and in this ...
by mkx
Sun Sep 19, 2021 11:24 am
Forum: Beginner Basics
Topic: Real DMZ on second IP range
Replies: 15
Views: 742

Re: Real DMZ on second IP range

So did you check network settings on virtual servers? Check network settings on vswitch as well, it should allow connectivity between vhosts.
by mkx
Sun Sep 19, 2021 11:16 am
Forum: RouterOS v7 BETA
Topic: v6.48.7 hap ac2 admin ghost [SOLVED]
Replies: 3
Views: 271

Re: v6.48.7 hap ac2 admin ghost [SOLVED]

Where did you get version 6.48.7? It wasn't from official download site for sure ...
by mkx
Sat Sep 18, 2021 10:50 pm
Forum: General
Topic: Inter VLAN filtering fom VLAN A to VLAN B
Replies: 23
Views: 656

Re: Inter VLAN filtering fom VLAN A to VLAN B

With v7 of RoS some Tik switches will have the capability to do NEAR line speed forwarding … unfortunately the switch then OP SELECTED CANNOT DO IT.

Mikrotik's documentation says it does. (OP mentioned CRS312-4C+8XG )
by mkx
Sat Sep 18, 2021 10:35 pm
Forum: Beginner Basics
Topic: Real DMZ on second IP range
Replies: 15
Views: 742

Re: Real DMZ on second IP range

So you have ether11 and ether12 bridged for the DMZ in question (and ether12 is actually disabled). I don't see error which would force servers to communicate via gateway. Since router isn't running DHCP server for that subnet I assume servers have IP settings configured manually. So I'm asking you ...
by mkx
Sat Sep 18, 2021 5:06 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 40
Views: 1113

Re: Need help on rb750gr3 about maximum lan connection

@OP: where do you enforce the 20Mbps limit: on wireless routers or on hEX? Anyways, the fact that hEX CPU load reached 90% during speedtest indicates that it's underpowered for workload it has to deal with. My personal opinion is that router should not have load more than 50% long enough for me to n...
by mkx
Sat Sep 18, 2021 5:00 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 40
Views: 1113

Re: Need help on rb750gr3 about maximum lan connection

I'm not that much concerned about IP address space[*] (each wireless router performs NAT by its own, main router again and ISP modem again), but what bothers me is potential congestion of wifi bands. Are those wireless routers all operating on 2.4GHz? How far from each other are they? Take your smar...
by mkx
Sat Sep 18, 2021 12:15 pm
Forum: Beginner Basics
Topic: **HELP NEEDED** RB750Gr3- Load balancing and Failover configuration
Replies: 16
Views: 962

Re: **HELP NEEDED** RB750Gr3- Load balancing and Failover configuration

then possibility of only one ISP line being used is around one in a thousand. Right ... But not impossible. If somebody has too much time and is checking performance every few seconds (or has enabled graphing), then seeing this happen now and then is a reality and might trigger some sort of anxiety...
by mkx
Fri Sep 17, 2021 10:08 pm
Forum: General
Topic: Route ALL NTP traffic over a specific WAN [SOLVED]
Replies: 30
Views: 905

Re: Route ALL NTP traffic over a specific WAN [SOLVED]

HW offloaded routing (inter LAN or inter-VLAN, doesn't matter) is being in development (ROS v7.1) and only for CRS3xx models.

HW offloaded switching/bridging is to certain extent possible on all devices with switch chip, the way it should be configured varies between device models.
by mkx
Fri Sep 17, 2021 10:03 pm
Forum: Beginner Basics
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 4
Views: 203

Re: Need help on rb750gr3 about maximum lan connection

OP started two identical threads, this is the other one: viewtopic.php?f=2&t=178631
Let's continue there, shall we?
by mkx
Fri Sep 17, 2021 9:13 pm
Forum: Beginner Basics
Topic: Real DMZ on second IP range
Replies: 15
Views: 742

Re: Real DMZ on second IP range

Oh the joys of (great)parenthood ...
by mkx
Fri Sep 17, 2021 9:10 pm
Forum: Beginner Basics
Topic: **HELP NEEDED** RB750Gr3- Load balancing and Failover configuration
Replies: 16
Views: 962

Re: **HELP NEEDED** RB750Gr3- Load balancing and Failover configuration

If things are all working right then seeing sharing ratios different than 200:200 is matter of statistics. As I explained it is most probable to see even ratio, but some odd ratios are possible but you should not see that too often. Since we're talking about two ISPs with different backbone and peer...
by mkx
Fri Sep 17, 2021 8:58 pm
Forum: General
Topic: Route ALL NTP traffic over a specific WAN [SOLVED]
Replies: 30
Views: 905

Re: Route ALL NTP traffic over a specific WAN [SOLVED]

None of RB devices (your IPQ4019-based RB450Gx4 is not excluded) can HW offload bridge vlan-filtering in ROS v6. In ROSv7 things might change (RB4011 was mentioned, but uses completely different SoC). If you want VLAN operations done by switch chip, you have to configure things under /interface ethe...
by mkx
Fri Sep 17, 2021 8:51 pm
Forum: General
Topic: Need help on rb750gr3 about maximum lan connection
Replies: 40
Views: 1113

Re: Need help on rb750gr3 about maximum lan connection

How many users are served by humble RB750Gr3? I'd first check two resources while you observe problems: CPU load (run CPU profiler to see load of individual CPU cores and which process uses most of it) and number of connections tracked (see output of /ip firewall connection tracking print ). Another...
by mkx
Fri Sep 17, 2021 5:51 pm
Forum: General
Topic: Route ALL NTP traffic over a specific WAN [SOLVED]
Replies: 30
Views: 905

Re: Route ALL NTP traffic over a specific WAN [SOLVED]

One drawback of using IP address list instead of mangling NTP traffic is that all traffic towards those targets will use alternative WAN, non-NTP traffic as well. Some NTP servers share their IP addresses with other services (the most famous NTP servers don't). Plus, if I understand the latest conce...
by mkx
Fri Sep 17, 2021 5:42 pm
Forum: Beginner Basics
Topic: **HELP NEEDED** RB750Gr3- Load balancing and Failover configuration
Replies: 16
Views: 962

Re: **HELP NEEDED** RB750Gr3- Load balancing and Failover configuration

It seems impossible ...
Not impossible. But probability of it happening is 1 divided by 2 to the power of (N-1) (where N is number of active torrent peers). E.g. if number of active torrent peers is 11, then possibility of only one ISP line being used is around one in a thousand.
by mkx
Fri Sep 17, 2021 5:36 pm
Forum: Beginner Basics
Topic: Real DMZ on second IP range
Replies: 15
Views: 742

Re: Real DMZ on second IP range

I guess we need a script for guessing indeed :wink:

@anav, feeling dizzy yet?
by mkx
Fri Sep 17, 2021 5:34 pm
Forum: RouterOS v7 BETA
Topic: CRS317-1G-16+ on 7.1rc3: IPFix with wrong timestamp, terrible InterVLAN Routing performance
Replies: 6
Views: 525

Re: CRS317-1G-16+ on 7.1rc3: IPFix with wrong timestamp, terrible InterVLAN Routing performance

Circular reference: vlan1 marked as a tagged interface of bridge1, but bridge1 is the interface under vlan1.

Would it be possible for command interpreter to detect such circular references? They seem to be quite frequent for inexperienced users ...
by mkx
Fri Sep 17, 2021 3:26 pm
Forum: General
Topic: Route ALL NTP traffic over a specific WAN [SOLVED]
Replies: 30
Views: 905

Re: Route ALL NTP traffic over a specific WAN [SOLVED]

(NTP is one of the protocol than for be full compliant want also the src port 123) AFAIK neither src-port nor dst-port have to be exactly 123. There are two kinds of NTP applications: applications running as service/daemon and usually work as clients (to lower stratum servers) as well as servers (t...
by mkx
Fri Sep 17, 2021 3:18 pm
Forum: Wireless Networking
Topic: Low WiFi speeds on hAP ac²
Replies: 17
Views: 851

Re: Low WiFi speeds on hAP ac²

OP wrote in OP: I need one of the multi-antenna access points supporting multiple streams. Is there a MikroTik product that would suit my needs? Audience with stable ROS v7 (with wifiwave2 driver) would quite probably satisfy the needs and is a Mikrotik product. None of TPlinks you're mentioning an...
by mkx
Fri Sep 17, 2021 3:14 pm
Forum: General
Topic: CCR2004-16G-2S+ with RouterOS 7.0.4 [SOLVED]
Replies: 1
Views: 239

Re: CCR2004-16G-2S+ with RouterOS 7.0.4 [SOLVED]

ROS 7.0.4 is a device-specific (non-beta) version and is reported to be pretty stable on devices which they have it available and installed. Whether it's stable enough for use in production environment it's up to your decision (based on extensive lab testing). Beware that ROS version installed on yo...
by mkx
Fri Sep 17, 2021 3:10 pm
Forum: General
Topic: Route ALL NTP traffic over a specific WAN [SOLVED]
Replies: 30
Views: 905

Re: Route ALL NTP traffic over a specific WAN [SOLVED]

Why would use mangle. @ishanjain clearly stated that he doesn't control which NTP servers are used by clients. The only clear way of determining that a packet should be routed via alternative path is thus matching against certain properties (protocol=udp and dst-port=123) for packets about to leave...
by mkx
Fri Sep 17, 2021 3:02 pm
Forum: General
Topic: Bridge different VLANs together [SOLVED]
Replies: 5
Views: 328

Re: Bridge different VLANs together [SOLVED]

Where are the different vlans. I assume OP knows pretty much exactly what he wants and linux commands make sense in context of what he wrote. So essentially OP needed a linux2ROS translator ... not something we expect you to be :-P In the context of what OP asked, your suggestion of Thus simple ONE...
by mkx
Fri Sep 17, 2021 2:44 pm
Forum: Beginner Basics
Topic: Real DMZ on second IP range
Replies: 15
Views: 742

Re: Real DMZ on second IP range

mkx stop guessing, its driving me crazy..........

Let me guess: you never liked guesswork? :-P
by mkx
Fri Sep 17, 2021 2:40 pm
Forum: Beginner Basics
Topic: same sim card: different performance between mobile and SXT LTE6 kit
Replies: 5
Views: 277

Re: same sim card: different performance between mobile and SXT LTE6 kit

Another possibility: MNO throttles traffic depending on device's IMEI (MSB are device model specific). Not many (still) do it though.

And no, generally it is impossible to change IMEI (and generally it's forbidden to do it).
by mkx
Fri Sep 17, 2021 2:22 pm
Forum: General
Topic: Bridge different VLANs together [SOLVED]
Replies: 5
Views: 328

Re: Bridge different VLANs together [SOLVED]

The idea in ROS is the same, but slightly different syntax:
/interface vlan
add interface=ether2 name=e2v10 vlan-id=10
add interface=ether2 name=e2v20 vlan-id=20
add interface=ether3 name=e3v222 vlan-id=222
/interface bridge
add name=br222
/interface bridge port
add bridge=br222 interface=e2v10
add ...
by mkx
Fri Sep 17, 2021 12:25 pm
Forum: General
Topic: Scheduler stops executing script
Replies: 22
Views: 1068

Re: Scheduler stops executing script

Scripts are running fine! 100%. The only problem is, that the scheduler does not try to run them after some thousand successful runs. This is also visible at "next-run" in scheduler, which is in the past in that case. Since problem seems to be connected to internal state of your router an...
by mkx
Fri Sep 17, 2021 11:38 am
Forum: Wireless Networking
Topic: Low WiFi speeds on hAP ac²
Replies: 17
Views: 851

Re: Low WiFi speeds on hAP ac²

People who did test the upcoming wifiwave2 driver, confirmed that it both increases obtainable throughput as well as reduces throughput fluctuations. Which is something to look forward, however there's no published ETA for ROS v7.1. It seems very likely that hAP ac3 will be supported, RB4011 (wirele...
by mkx
Fri Sep 17, 2021 11:07 am
Forum: RouterOS v7 BETA
Topic: v7.1rc3 [development] is released!
Replies: 172
Views: 19233

Re: v7.1rc3 [development] is released!

The irq info contains name which driver sets and doesn't bear any special meaning. It really depends on what driver servicing certain interrupt line sets. And I'd guess it's the very same driver loaded on both IPQ4018 and IPQ4019 SoCs and then driver is intelligent enough to initialize whatever hard...
by mkx
Fri Sep 17, 2021 10:55 am
Forum: Beginner Basics
Topic: CRS317-1G-16S+RM HELP REQUESTED!
Replies: 21
Views: 894

Re: CRS317-1G-16S+RM HELP REQUESTED!

Just one more correction needed: the last item is numbered as bullet #7 while it should be #9.
by mkx
Fri Sep 17, 2021 9:19 am
Forum: RouterBOARD hardware
Topic: Wireless menu and wlan devices missing after update of SXTs to 6.48.4
Replies: 3
Views: 200

Re: Wireless menu and wlan devices missing after update of SXTs to 6.48.4

I have 2 of the older SXTs and after updating to RouterOS 6.48.4 I can no longer access any wireless features. Verify the list of installed packages after upgrade ... under /system packages . Version number of all installed packages should match version number of system package. There should be a n...
by mkx
Fri Sep 17, 2021 9:13 am
Forum: RouterOS v7 BETA
Topic: v7.1rc3 [development] is released!
Replies: 172
Views: 19233

Re: v7.1rc3 [development] is released!

Later I will unscrew board from enclosure and see if its IPQ-4018 or IPQ 4019-based. Even if ROS says IPQ4019 on board you should have an IPQ4018 according to the official specs, I have opened my hAP ac2 and it's an IPQ4018. Where exactly does ROS report exact SoC in the device? On my hAP ac2 the m...
by mkx
Fri Sep 17, 2021 9:00 am
Forum: Announcements
Topic: Mēris botnet information
Replies: 54
Views: 18991

Re: Mēris botnet information

Default configuration (on devices that come with default) on recent ROS versions includes this:
# Establish proper interface list membership
/interface list member
add list=LAN interface=bridge comment="defconf"
add list=WAN interface=ether1 comment="defconf"
# block access to ro...
by mkx
Fri Sep 17, 2021 8:43 am
Forum: Beginner Basics
Topic: Real DMZ on second IP range
Replies: 15
Views: 742

Re: Real DMZ on second IP range

First off: are the two servers supposed to communicate with each other a) through firewall or b) are they allowed to communicate directly? If it's b), then they should be able to communicate even if they are connected to a dumb switch. Hence you should check if they have proper IP settings, speciall...
by mkx
Fri Sep 17, 2021 8:34 am
Forum: Beginner Basics
Topic: CRS317-1G-16S+RM HELP REQUESTED!
Replies: 21
Views: 894

Re: CRS317-1G-16S+RM HELP REQUESTED!

I suggest executing step #8 (setting admin password) right after step #3 (reconnecting after configuration reset). This step should thus become new step #4. It is extremely dangerous to get router connected to internet without first having at least admin password set. It would be advisable to make s...
by mkx
Thu Sep 16, 2021 11:28 pm
Forum: Beginner Basics
Topic: **HELP NEEDED** RB750Gr3- Load balancing and Failover configuration
Replies: 16
Views: 962

Re: **HELP NEEDED** RB750Gr3- Load balancing and Failover configuration

When benchmarking using torrent, you should get net throughput very close to sum of both ISP throughputs because torrent uses maaany concurrent connections to many peers which is ideal for your kind of load balancing. The exact result still depends on how peers perform though. For streaming you will ...
by mkx
Thu Sep 16, 2021 11:25 pm
Forum: Beginner Basics
Topic: CRS317-1G-16S+RM HELP REQUESTED!
Replies: 21
Views: 894

Re: CRS317-1G-16S+RM HELP REQUESTED!

There are two ways to configure switches in the MT world.

For CRS3xx (OP mentioned CRS317), only the first one is the right one.
by mkx
Thu Sep 16, 2021 9:36 pm
Forum: General
Topic: Audit my input firewall
Replies: 38
Views: 1297

Re: Audit my input firewall

add action=drop chain=output comment="Drop Access to WebUI" protocol=tcp src-port=80 It's similar to add action=drop chain=input comment="Drop Access to WebUI" protocol=tcp dst-port=80 but acts a packet later. The second rule drops even initial packet (SYN packet, the first step...
by mkx
Thu Sep 16, 2021 7:50 pm
Forum: General
Topic: Audit my input firewall
Replies: 38
Views: 1297

Re: Audit my input firewall

... is hard to think something that Router generate for bad purpose...

Not that hard ... but that would probably mean router was hacked and we really need to protect router from getting hacked in the first place. Hence high importance of quality input filters.
by mkx
Thu Sep 16, 2021 6:09 pm
Forum: General
Topic: Why firewall rules are so important...
Replies: 12
Views: 1187

Re: Why firewall rules are so important...

You do realize this is not an opinion debate.

Obviously it is.
by mkx
Thu Sep 16, 2021 6:04 pm
Forum: General
Topic: Why firewall rules are so important...
Replies: 12
Views: 1187

Re: Why firewall rules are so important...

The point is that router's management access (any kind) should not be wildly open. Period. Guess what, many management processors built in servers (BMC, iLO, whatever vendor calls them) have http(s) access and show firmware release on login page. The fact server's got physical management interface w...
by mkx
Thu Sep 16, 2021 5:51 pm
Forum: General
Topic: Help... for IP address scheme with multiple router
Replies: 2
Views: 193

Re: Help... for IP address scheme with multiple router

Hint: RB951 and RB4011 don't have to act as routers at all, they can be used simply as switches and/or AP in the way that all other hosts (regardless how they're connected to these two devices) are part of same subnetwork. Hence plea for high-level overview of wishes/requirements and we'll give you...
by mkx
Thu Sep 16, 2021 8:34 am
Forum: Beginner Basics
Topic: **HELP NEEDED** RB750Gr3- Load balancing and Failover configuration
Replies: 16
Views: 962

Re: **HELP NEEDED** RB750Gr3- Load balancing and Failover configuration

If you want to get some advice, you'll have to be more verbose on what exactly doesn't feel right. At least my crystal ball is out of order today.
by mkx
Wed Sep 15, 2021 9:26 pm
Forum: Beginner Basics
Topic: CRS312-4C+8XG-RM 10G switch fan noise
Replies: 3
Views: 284

Re: CRS312-4C+8XG-RM 10G switch fan noise

If noise is an issue for you, and having it in living room it clearly is, then you should definitely go for a passively cooled switch. You can also decide to run RouterOS but it doesn't guarantee that fans will be silent at all times, it just has a tad better temperature and fan control. If you are ...
by mkx
Wed Sep 15, 2021 9:18 pm
Forum: General
Topic: Audit my input firewall
Replies: 38
Views: 1297

Re: Audit my input firewall

@anav 8)

Now can I have a docker container that automatically selects the right IP subnet mask please. :-)
but... i do not understand... really....

Neither does @anav :-P
by mkx
Wed Sep 15, 2021 5:36 pm
Forum: General
Topic: 2 separate networks - no internet access
Replies: 6
Views: 389

Re: 2 separate networks - no internet access

I'm assuming you're alluding to the fact that the network mask should match the IP Pool?

No, I'm alluding that it's a jolly good idea that client IP settings (i.e. subnet mask received from DHCP server, which is defined in /ip dhcp-server network section) match IP settings of their gateway. IP pool is...
by mkx
Wed Sep 15, 2021 4:56 pm
Forum: Beginner Basics
Topic: Bandwith control on Fast Fibre
Replies: 1
Views: 235

Re: Bandwith control on Fast Fibre

Queues and fasttrack are mutually exclusive. But then your router might not be powerful enough to run firewalling without fasttrack at wire speed. I suggest you to disable fasttrack again and while traffic is bottlenecked, run /tool profile cpu=all to see if CPU is bottleneck[*] and if it is, verify...
by mkx
Wed Sep 15, 2021 4:46 pm
Forum: General
Topic: 2 separate networks - no internet access
Replies: 6
Views: 389

Re: 2 separate networks - no internet access

Oh suggest something like 22 will work, pulling any number out of a hat........ ;-p :

And that wisdom of yours has nothing to do with OP's setting in /ip dhcp-server network ... :wink:
by mkx
Wed Sep 15, 2021 4:44 pm
Forum: Beginner Basics
Topic: 2 separate networks - no internet access
Replies: 4
Views: 253

Re: 2 separate networks - no internet access

By the way I am a quick study!!
viewtopic.php?f=2&t=178542

You're my man :-)
by mkx
Wed Sep 15, 2021 4:07 pm
Forum: Beginner Basics
Topic: 2 separate networks - no internet access
Replies: 4
Views: 253

Re: 2 separate networks - no internet access

/ip address
add address=10.18.100.1/22 comment=Guest interface=ether3 network=10.18.100.0

Missing subnet mask implies subnet mask /32 which effectively disables all communication via this interface.

@anav, I'm deeply disappointed because you did not catch this error :wink:
by mkx
Wed Sep 15, 2021 1:10 pm
Forum: Wireless Networking
Topic: Low WiFi speeds on hAP ac²
Replies: 17
Views: 851

Re: Low WiFi speeds on hAP ac²

In short: getting throughputs above 300 Mbps with your setup is pretty decent (but not great) result. Sure there are devices which do better (using similar hardware) and there are reports that wifiwave2 driver, which comes with ROSv7 (it's testing software) enables much better performance on certain...
by mkx
Tue Sep 14, 2021 11:28 pm
Forum: Wireless Networking
Topic: Unable to connect to hAC2 Wirelessly
Replies: 2
Views: 302

Re: Unable to connect to hAC2 Wirelessly

This problem is being dealt with in another thread, will just reply here for readers who might get here by chance. Something might be stripping the tag. No, it's not. OP has set vlan-mode=use-tag on wireless interfaces without explicitly setting vlan-id property. Implicit default setting is vlan-id=...
by mkx
Tue Sep 14, 2021 11:21 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 30
Views: 1351

Re: Client isolation within VLAN and fast roaming

My new problem is: How can I gain access to a cAP ac in CAPs mode. The CAPsMAN device did assign it an IP (192.168.88.235). I tried to access it via SSH, Telnet and WebFig via Ethernet 1 to no avail. CAPsMAN only provisions wireless interfaces. The rest you have to do yourself (or some autoconfigur...
by mkx
Tue Sep 14, 2021 10:24 pm
Forum: RouterOS v7 BETA
Topic: PLEASE MikroTik made NetInstall version for Docker....
Replies: 41
Views: 2163

Re: PLEASE MikroTik made NetInstall version for Docker....

I assumed that and spent a LOT of time on it. I could only get a bridged mode of 172.17.0.0/16 to work and not a bridged mode to my local network. Well ... perhaps this docker container support indeed needs some polishing. IIRC docker (implicit) default networking uses bridge with 172.17.0.0/16 net...
by mkx
Tue Sep 14, 2021 3:55 pm
Forum: Beginner Basics
Topic: Traffic to management of MikroTik switches not going through
Replies: 16
Views: 633

Re: Traffic to management of MikroTik switches not going through

Well ... as @anav already wrote: show us text export of configuration and we might be able to tell you where things went wrong. Without that we can only guess.
by mkx
Tue Sep 14, 2021 3:42 pm
Forum: RouterOS v7 BETA
Topic: PLEASE MikroTik made NetInstall version for Docker....
Replies: 41
Views: 2163

Re: PLEASE MikroTik made NetInstall version for Docker....

Getting netinstall to work in a container is not difficult when using host networking. When using bridge mode - which is the only mode I have seen on the examples for ROS it won't work. Why not? Configuration examples, prepared by Mikrotik, go like this: create bridge for docker set IP address on d...
by mkx
Tue Sep 14, 2021 3:25 pm
Forum: Beginner Basics
Topic: Traffic to management of MikroTik switches not going through
Replies: 16
Views: 633

Re: Traffic to management of MikroTik switches not going through

Two things: I'm not going to look at some random screenshots. I suggest you to start using CLI real quick and post text export of configuration (execute /export hide-sensitive and copy-paste output inside [ code] [/code] environment). Are you sure you want to mirror traffic originating from (and ter...
by mkx
Tue Sep 14, 2021 12:29 pm
Forum: Beginner Basics
Topic: Bridge an existing Wifi to LAN
Replies: 6
Views: 505

Re: Bridge an existing Wifi to LAN

Generally switching between 2.4GHz and 5GHz is done solely on basis of signal strength (current throughput does not count as decision criteria) and that's true for all wireless devices (OK, perhaps there are some advanced devices extending what WiFi 802.11 standard defines that can do it more intell...
by mkx
Tue Sep 14, 2021 12:24 pm
Forum: Beginner Basics
Topic: Traffic to management of MikroTik switches not going through
Replies: 16
Views: 633

Re: Traffic to management of MikroTik switches not going through

For CRS3xx devices, port mirroring can be configured according to this manual.

I strongly suggest you to get the CLI access working ASAP.
by mkx
Tue Sep 14, 2021 12:10 pm
Forum: Beginner Basics
Topic: Devices connecting to the wireless are assigned vlan1 instead of intended VLAN
Replies: 4
Views: 320

Re: Devices connecting to the wireless are assigned vlan1 instead of intended VLAN

A few (minor) problems: /interface bridge add name=bridge1 pvid=100 vlan-filtering=yes /interface vlan add interface=bridge1 name=vlan100 vlan-id=100 /interface bridge vlan add bridge=bridge1 tagged=ether1,bridge1 untagged=ether2,ether3,ether4,ether5 vlan-ids=100 First configuration (setting PVID on...
by mkx
Tue Sep 14, 2021 8:16 am
Forum: Beginner Basics
Topic: Traffic to management of MikroTik switches not going through
Replies: 16
Views: 633

Re: Traffic to management of MikroTik switches not going through

So when you get some command for CLI, you should be able to configure the same through GUI Well I tried port mirroring on both ingress and egress from the switch bridge to the sfp port, but there's no traffic. and that's pretty much what the guide said about CLI. Depending on which particular switc...
by mkx
Tue Sep 14, 2021 8:13 am
Forum: RouterOS v7 BETA
Topic: v7.1rc3 adds Docker (TM) compatible container support
Replies: 165
Views: 16891

Re: v7.1rc3 adds Docker (TM) compatible container support

Is https://hub.docker.com/r/frrouting/frr supported? Because it supports protocols that RouterOS doesn't? I wonder what's the point? Running container with routing engine ... on a router? Why not take a decent RPI (more RAM, user can choose decently sized storage) and run FRR there? Pair RPI with a...
by mkx
Mon Sep 13, 2021 11:24 pm
Forum: Beginner Basics
Topic: Traffic to management of MikroTik switches not going through
Replies: 16
Views: 633

Re: Traffic to management of MikroTik switches not going through

I tried looking at the documentation but it's all for the terminal and not for the web, Webfig (I hope you're not still using QuickSet) has almost identical hierarchical structure as CLI. So when you get some command for CLI, you should be able to configure the same through GUI (both Webfig and Win...
by mkx
Mon Sep 13, 2021 7:21 pm
Forum: General
Topic: Is this type of filtering possible?
Replies: 4
Views: 390

Re: Is this type of filtering possible?

There's bridge setting use-ip-firewall (or something close to that). If it's set to yes and HW offload is disabled for at least one of involved ports (so that traffic is handled by CPU), this setting makes bridge to push traffic through firewall rules (both raw and filter). Some properties are not av...
by mkx
Mon Sep 13, 2021 3:09 pm
Forum: SwOS
Topic: Configuration needed to pass iSCSI? Windows says 'connection failed'
Replies: 16
Views: 737

Re: Configuration needed to pass iSCSI? Windows says 'connection failed'

@OP: since we're now talking about RouterOS problem, start a new thread in appropriate subforum (e.g. Beginner Basics).
by mkx
Mon Sep 13, 2021 3:08 pm
Forum: SwOS
Topic: Configuration needed to pass iSCSI? Windows says 'connection failed'
Replies: 16
Views: 737

Re: Configuration needed to pass iSCSI? Windows says 'connection failed'

I was thinking of adding the "redact remaining sensitive data" sentence but then decided not to ... I assumed there wouldn't be much of sensitive data when device is configured as switch.
by mkx
Mon Sep 13, 2021 3:00 pm
Forum: Beginner Basics
Topic: Cannot SSH from LAN to outside devices - strange [SOLVED]
Replies: 8
Views: 468

Re: Cannot SSH from LAN to outside devices - strange [SOLVED]

The rule identified by @rextended ... you should change it to
add action=dst-nat chain=dstnat comment=SSH dst-port=22 protocol=tcp to-addresses=192.168.2.10 to-ports=22 in-interface-list=WAN
(added the in-interface-list property). Ditto for the wireguard port forwarding rule.
by mkx
Mon Sep 13, 2021 2:59 pm
Forum: SwOS
Topic: Configuration needed to pass iSCSI? Windows says 'connection failed'
Replies: 16
Views: 737

Re: Configuration needed to pass iSCSI? Windows says 'connection failed'

It's RouterOS heh.

So you can post full config (run /export hide-sensitive from terminal window and copy-paste output into [code] [/code] environment) for review.
by mkx
Mon Sep 13, 2021 2:40 pm
Forum: Beginner Basics
Topic: Cannot SSH from LAN to outside devices - strange [SOLVED]
Replies: 8
Views: 468

Re: Cannot SSH from LAN to outside devices - strange [SOLVED]

The screenshot you posted does not tell enough of story. Post full config in text: execute /export hide-sensitive file=anynameyouwish inside terminal window, fetch resulting file, open it using text editor and copy-paste contents here ... inside [ code] [/code] environment. Before copy-paste check i...
by mkx
Mon Sep 13, 2021 2:35 pm
Forum: Beginner Basics
Topic: Bridge an existing Wifi to LAN
Replies: 6
Views: 505

Re: Bridge an existing Wifi to LAN

If you want to use both wireless interfaces to connect to same AP and use them in parallel, you're after bonding ... but that requires configuration on both ends. While bonding in RouterOS is pretty versatile, I'd be surprised if you could do it on AP of a random vendor.
by mkx
Mon Sep 13, 2021 11:09 am
Forum: Announcements
Topic: Mēris botnet information
Replies: 54
Views: 18991

Re: Mēris botnet information

CCR comes without any default configuration and that includes firewall. So it is essential to do all the configuration before ever exposing it to WAN. And that includes solid firewall rules which is not an easy task for novice ROS user.
by mkx
Mon Sep 13, 2021 11:07 am
Forum: SwOS
Topic: Configuration needed to pass iSCSI? Windows says 'connection failed'
Replies: 16
Views: 737

Re: Configuration needed to pass iSCSI? Windows says 'connection failed'

iSCSI uses TCP for transport. Which means iSCSI initiator (client) has to be able to connect to iSCSI target (server) via IP. Typically both devices use usual IP routing information. QNAP only supports using TCP port number 3260 so verify that iSCSI initiator (windows) uses that port as destination ...
by mkx
Mon Sep 13, 2021 9:04 am
Forum: General
Topic: Is this type of filtering possible?
Replies: 4
Views: 390

Re: Is this type of filtering possible?

It is possible. When a RouterOS device is plugged between some device and the rest of network, it can be configured as a bridge (same L2 network). At the same time it can do some traffic filtering, bridge can enforce firewall settings. More in bridge firewall manual.
by mkx
Mon Sep 13, 2021 8:24 am
Forum: General
Topic: CRS317 Switch VLAN
Replies: 20
Views: 1028

Re: CRS317 Switch VLAN

As @biomesh already wrote ... IMO when bridge has vlan-filtering=yes set, then all traffic passes bridge (the switch-like entity) tagged. And frames get tags either a) because they enter bridge already tagged through trunk port or b) get tagged on ingress by bridge due to PVID setting. So if ether4 ...
by mkx
Mon Sep 13, 2021 8:06 am
Forum: RouterOS v7 BETA
Topic: Loosing configuration after reboot (7.1rc3)
Replies: 12
Views: 1028

Re: Loosing configuration after reboot (7.1rc3)

With a restart it downgrades. I used the button ‘downgrade’ in /system/packages to initiate the process. I’m not sure if a normal reboot would have done the trick as well.
No, it wouldn't. ROS doesn't downgrade unless explicitly instructed to do so.
by mkx
Sun Sep 12, 2021 10:10 pm
Forum: General
Topic: CRS317 Switch VLAN
Replies: 20
Views: 1028

Re: CRS317 Switch VLAN

Changing the PVID on the Bridge itself is all about the VID the untagged traffic will be assigned to... If for example an access port with PVID 201 and a Bridge with PVID 201 as well, access to that CPU/Device management will be successful through the untagged traffic between these ports... Settin...
by mkx
Sun Sep 12, 2021 10:06 pm
Forum: General
Topic: CRS317 Switch VLAN
Replies: 20
Views: 1028

Re: CRS317 Switch VLAN

Let's not get into theoretical discussions, it would be hijacking of the thread. For OP's case (judging from the network topology chart he posted) the problems with VLAN interface as bridge port will not happen. Ditto for the bridge PVID ... it was my suggestion based on my understanding of OP's prob...
by mkx
Sun Sep 12, 2021 9:22 pm
Forum: General
Topic: CRS317 Switch VLAN
Replies: 20
Views: 1028

Re: CRS317 Switch VLAN

@mkx, Not to forget: bridge has to have PVID set as well: The Bridge has already a PVID of 1, what would be the purpose of changing the PVID of the Bridge to something else ? If OP indeed wants to have ether4 tagged with VID 201 and the rest of ports untagged ... and he says he wants all PCs to com...
by mkx
Sun Sep 12, 2021 9:09 pm
Forum: Beginner Basics
Topic: New to Mikrotik
Replies: 54
Views: 2556

Re: New to Mikrotik

I stand corrected.
by mkx
Sun Sep 12, 2021 9:05 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc3 adds Docker (TM) compatible container support
Replies: 165
Views: 16891

Re: v7.1rc3 adds Docker (TM) compatible container support

How to mount a file instead of a folder? You can't. The way linux works is that you can only mount a folder. Because mount point is always a folder. Usually application, run inside container, wants to open configuration file. So you'll have to prepare a folder containing configuration file and mo...
by mkx
Sun Sep 12, 2021 1:18 pm
Forum: General
Topic: is connection-tracking full ?
Replies: 5
Views: 493

Re: is connection-tracking full ?

6.45.7 at least I hope?
it is fixed after upgrading.

Not likely. Reboot associated to upgrade cleared connection tracking table, but without shortening some timeouts (the TCP established timeout in particular) the connection tracking table will fill up again in a few days.
by mkx
Sun Sep 12, 2021 1:14 pm
Forum: RouterOS v7 BETA
Topic: Feature Request : IPv6 Fasttrack
Replies: 35
Views: 4168

Re: Feature Request : IPv6 Fasttrack

I totally agree: IPv6 is a matter of present for everybody and should be treated and supported as such. No amount of turning blind eye will change that. While advanced features such as NATv6 would be nice to have, it's basic IPv6 support that has to be brought to higher level and it has to be done li...
by mkx
Sun Sep 12, 2021 1:11 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc3 [development] is released!
Replies: 172
Views: 19233

Re: v7.1rc3 [development] is released!

Does anyone have experience with CRS125-24G-1S-2HnD and RouterOS 7.x? If you're using CRS as a switch with configuration that allows full hardware offload, then you neither gain nor lose anything by upgrading. So far it was not shown that v7.1 exposes any new feature of switch chip which would pot...
by mkx
Sun Sep 12, 2021 11:56 am
Forum: General
Topic: How to find the origin of a Packet marks ? [SOLVED]
Replies: 6
Views: 559

Re: How to find the origin of a Packet marks ? [SOLVED]

Do a "/export" to file and search for it.
I don't have any tools to read exported ".backup" file.

/export command produces text output (commands usable in CLI). Binary files are output of /system backup command.
by mkx
Sun Sep 12, 2021 11:32 am
Forum: General
Topic: CRS317 Switch VLAN
Replies: 20
Views: 1028

Re: CRS317 Switch VLAN

On PC3 is only VLAN201 possible (no untagged). PC3 should communicate with PC1,PC2 and Router If you need ether4 tagged and the rest untagged, then configuration has to be the opposite of what you did ... ether4 without PVID set, the rest of ports (ether1..ether3) PVID set. The /interface bridge vl...
by mkx
Sun Sep 12, 2021 11:22 am
Forum: Beginner Basics
Topic: New to Mikrotik
Replies: 54
Views: 2556

Re: New to Mikrotik

I don't have any good ideas about RR not working, I've been using RR between linux hosts in the past. One gotcha I already mentioned: out-of-order delivery. TCP in theory should be able to deal with out-of-order packets (some TCP implementations are not exactly happy about it, reducing throughput an...
by mkx
Sat Sep 11, 2021 4:16 pm
Forum: Beginner Basics
Topic: New to Mikrotik
Replies: 54
Views: 2556

Re: New to Mikrotik

For bonding make sure you select bonding mode well supported by both link partners. CRS3xx series supports LACP (803.2ad) and RR modes in hardware (others include switch CPU meaning miserable throughputs). With 803.2ad, you have possibility to choose between different transmit-hash-policy settings w...
by mkx
Sat Sep 11, 2021 3:41 pm
Forum: General
Topic: Static IP address on every port with lease on demand
Replies: 4
Views: 430

Re: Static IP address on every port with lease on demand

I hope MikroTik will be smarter than TP-LINK with lease time. It's not entirely up to DHCP server (Mikrotik or TP-Link), it's up to DHCP client as well. RFC2131 defines granularity of 1 second for lease time and minimum lease time restriction was removed. DHCP clients might adhere to older RFC1541,...
by mkx
Sat Sep 11, 2021 3:29 pm
Forum: Beginner Basics
Topic: Mikrotik hAP lite and Pihole
Replies: 4
Views: 451

Re: Mikrotik hAP lite and Pihole

I guess we'll have to wait for containers built for low-memory boxes. Most containers nowadays don't care about RAM (and disk) requirements, some containers are too greedy to comfortably run on devices with only 32 MB RAM (such as hAP lite) of which half is already needed by ROS itself ... even if de...
by mkx
Sat Sep 11, 2021 3:17 pm
Forum: Beginner Basics
Topic: New to Mikrotik
Replies: 54
Views: 2556

Re: New to Mikrotik

Official performance numbers are here: https://mikrotik.com/product/ccr2004_1g_12s_2xs#fndtn-testresults If you go without any firewall rule, then I guess the relevant line will be Routing, none (fast path) configuration. And performance will probably be somewhere between the first and second colum...
by mkx
Fri Sep 10, 2021 8:56 pm
Forum: Wireless Networking
Topic: Is there a way I can use eSIM with Mikrotik?
Replies: 25
Views: 1607

Re: Is there a way I can use eSIM with Mikrotik?

Point taken.
by mkx
Fri Sep 10, 2021 8:43 pm
Forum: General
Topic: Is it possible to NAT/PAT this traffic?
Replies: 10
Views: 585

Re: Is it possible to NAT/PAT this traffic?

Right... What I don't understand is, if the clients uses a wrong port to connect to the database, why not correct that at the first place... That would certainly be correct approach ... but in certain circumstances it might not be possible. E.g. if the application in question is a legacy binary exe...
by mkx
Fri Sep 10, 2021 4:48 pm
Forum: General
Topic: Is it possible to NAT/PAT this traffic?
Replies: 10
Views: 585

Re: Is it possible to NAT/PAT this traffic?




Per OP's initial post, there's already a masquerade rule which should take care of source NAT of that particular connection as well. So no need to add a specific one.
If that is his WAN connection yes ...
He said his WAN network was 10.1.1.2/30 ...
by mkx
Fri Sep 10, 2021 4:43 pm
Forum: Wireless Networking
Topic: Is there a way I can use eSIM with Mikrotik?
Replies: 25
Views: 1607

Re: Is there a way I can use eSIM with Mikrotik?

not like mkx's which is just sterile controversy as always. You have right to have your own opinion about my posts, if you find them like that, you're free to ignore them. I'm just trying to give out as realistic and concrete posts as possible. There are some ideas floating around that simply fail ...
by mkx
Fri Sep 10, 2021 4:39 pm
Forum: General
Topic: Is it possible to NAT/PAT this traffic?
Replies: 10
Views: 585

Re: Is it possible to NAT/PAT this traffic?

You need to source NAT that connection

Per OP's initial post, there's already a masquerade rule which should take care of source NAT of that particular connection as well. So no need to add a specific one.
by mkx
Fri Sep 10, 2021 4:34 pm
Forum: General
Topic: Is it possible to NAT/PAT this traffic?
Replies: 10
Views: 585

Re: Is it possible to NAT/PAT this traffic?

You can dst-nat any connection, NAT machinery doesn't care about administrator's perception of what is LAN and what is WAN. It does its magic as long as packets in both directions pass router's CPU. Something like this: /ip firewall nat add chain=dstnat action=dst-nat dst-address=10.20.20.7 dst-port...
by mkx
Fri Sep 10, 2021 4:00 pm
Forum: General
Topic: When is 6.49 going to be released?
Replies: 16
Views: 1016

Re: When is 6.49 going to be released?

... you'll have to bite a bullet and get out of this beta mess.
If Mikrotik would let me escape the messed up Beta.

If Mikrotik allowed you to exit the beta without bothering, would you have to bite a bullet? :wink:
by mkx
Fri Sep 10, 2021 3:40 pm
Forum: Wireless Networking
Topic: Is there a way I can use eSIM with Mikrotik?
Replies: 25
Views: 1607

Re: Is there a way I can use eSIM with Mikrotik?

I just thought of a possible solution.

You're late. https://letmegooglethat.com/?q=sim+bank Not sure if prices are compatible with Mikrotik's prices.
by mkx
Fri Sep 10, 2021 3:26 pm
Forum: General
Topic: Do I need to contact support@mikrotik.com directly to get answers about the forum itself? [SOLVED]
Replies: 17
Views: 1218

Re: Do I need to contact support@mikrotik.com directly to get answers about the forum itself? [SOLVED]

Please, can someone explain why I have yesterday warning level [2] and now "Your warning level: [3]"???

Where do you see your warning score? I'm getting a feeling I'm being neglected ...
by mkx
Fri Sep 10, 2021 3:24 pm
Forum: General
Topic: hEX en ports all slaves but en1 & 2, how to send to freedom? [SOLVED]
Replies: 10
Views: 614

Re: hEX en ports all slaves but en1 & 2, how to send to freedom? [SOLVED]

So why don't you follow suggestion by @sindy and post configuration? We can have a look at what's configured and what not. Without seeing actual configuration of your hEX we can only guess endlessly.
by mkx
Fri Sep 10, 2021 3:22 pm
Forum: General
Topic: When is 6.49 going to be released?
Replies: 16
Views: 1016

Re: When is 6.49 going to be released?

Hmmm .. you can't downgrade from 6.49betaX to 6.48.4 without netinstalling device? And you can't get (at least most of) config exported to text file? If answer to both is NO, then I'm surprised. Don't get me wrong, I didn't say that 6.49 is a dead-end, only MT can declare such thing. I was just sayi...
by mkx
Fri Sep 10, 2021 12:10 pm
Forum: General
Topic: SSH Brute force Prevention [SOLVED]
Replies: 2
Views: 360

Re: SSH Brute force Prevention [SOLVED]

I guess most of (advanced) forum users agree that management access to router should be allowed in "allow few, block the rest" manner ... your firewall is in manner "block a few, allow the rest" which opens huge window of opportunity to try to hack it (by using a distributed crow...
by mkx
Fri Sep 10, 2021 11:58 am
Forum: General
Topic: When is 6.49 going to be released?
Replies: 16
Views: 1016

Re: When is 6.49 going to be released?

Your assumptions about thing being in development for certain amount of time becoming stable ... are just assumptions. While things do work like this usually, they don't have to. Dead-ends in development process are not unheard of and I'd completely understand if MT declares 6.49 a dead-end. I guess...
by mkx
Fri Sep 10, 2021 11:48 am
Forum: General
Topic: Do I need to contact support@mikrotik.com directly to get answers about the forum itself? [SOLVED]
Replies: 17
Views: 1218

Re: Do I need to contact support@mikrotik.com directly to get answers about the forum itself? [SOLVED]

Okay, well I can spare them the trouble as I have too much free time. I will only post if I have questions from now on. MKX needs more work to hone his support skills anyway ;-) Maybe we can cut a deal on this: I'll let you to provide support "behind the scenes" so you don't lose your pro...
by mkx
Fri Sep 10, 2021 11:36 am
Forum: General
Topic: Static IP address on every port with lease on demand
Replies: 4
Views: 430

Re: Static IP address on every port with lease on demand

It is not possible to do it without lease time because lease time is part of DHCP protocol. But you can get to the point where device plugged to particular port will have predictable IP address. With some kludge: remove all ether ports from bridge configure IP addresses directly on ether interfaces,...
by mkx
Fri Sep 10, 2021 11:22 am
Forum: General
Topic: hAP ac3 IPv6 firewall throughput issue
Replies: 3
Views: 404

Re: hAP ac3 IPv6 firewall throughput issue

... the routers CPU shows 25% use on both IPv4 and IPv6 during a speedtest Since hAP ac3 has a 4-core CPU, CPU load pegged at 25% likely indicates only single core is used. You can verify that by running CPU profiler during speedtesting. Make sure you're running speedtest with multi-thread option e...
by mkx
Fri Sep 10, 2021 11:18 am
Forum: Beginner Basics
Topic: Mikrotik hAP lite and Pihole
Replies: 4
Views: 451

Re: Mikrotik hAP lite and Pihole

In theory you can build any custom container for use with docker on ROS. But yes, you need container image prepared for architecture of router where you want to run the container. I guess most container images will be available for ARM, ARM64 and AMD64 platforms as they are common, they are powerful...
by mkx
Fri Sep 10, 2021 11:11 am
Forum: RouterOS v7 BETA
Topic: IPERF3 server on RouterOS ARM
Replies: 6
Views: 1165

Re: IPERF3 server on RouterOS ARM

A word of caution: we all know that MT's own bandwidth test is a CPU hog and quite a few RB devices have CPUs too weak to saturate even one interface. Iperf3 is CPU-bound as well (possibly less than bandwidth test) and will likely have problems to saturate interfaces as well. Specially so as docker ...
by mkx
Fri Sep 10, 2021 10:59 am
Forum: RouterOS v7 BETA
Topic: v7.1rc3 [development] is released!
Replies: 172
Views: 19233

Re: v7.1rc3 [development] is released!

Can't this lead to overheating and crashes? Since the default CPU frequency is 716MHz? I guess this is the effect of using modern linux kernel, which supports CPU frequency scaling. Intel has same technology, named Turbo Boost, which allows CPU clock to rise beyond nominal frequency. It is then thr...
by mkx
Thu Sep 09, 2021 8:44 pm
Forum: Beginner Basics
Topic: New to Mikrotik
Replies: 54
Views: 2556

Re: New to Mikrotik

You can either run wireshark/tcpdump on firewall - the interface towards router. Or add a simple linux host without any firewall into same subnet with firewall and router (you'll have to make it larger than /30 though) and test connectivity between servers and test host. Router will behave the same ...
by mkx
Thu Sep 09, 2021 8:39 pm
Forum: Beginner Basics
Topic: New to Mikrotik
Replies: 54
Views: 2556

Re: New to Mikrotik

I'll write it once again: as long as you have that NAT rule enabled, firewall won't see anything but router's address. However, when you disable (or remove) that rule, nothing in router's config blocks traffic from flowing between firewall and any of subnets. So if you remove NAT rule and traffic do...
by mkx
Thu Sep 09, 2021 8:31 pm
Forum: General
Topic: How is default config allowing Winbox access?
Replies: 8
Views: 633

Re: How is default config allowing Winbox access?

add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN That "!LAN" means "not member of LAN". At the same time "LAN" is not something magical, it's interface list (in /interface list) which has to be appropriately ...
by mkx
Thu Sep 09, 2021 8:21 pm
Forum: SwOS
Topic: Can't get multiple vlans to talk on one port
Replies: 3
Views: 367

Re: Can't get multiple vlans to talk on one port

When saying "multiple VLANs talk to one port" ... is the device, connected to that port, VLAN aware?
by mkx
Thu Sep 09, 2021 8:18 pm
Forum: Wireless Networking
Topic: MIMO vs SISO 8km urban link
Replies: 1
Views: 259

Re: MIMO vs SISO 8km urban link

With 8km distance, attenuation of signal will be high enough that SISO with much better antenna (7 dBi difference in gain) will more than compensate lack of MIMO.
by mkx
Thu Sep 09, 2021 7:41 pm
Forum: Beginner Basics
Topic: New to Mikrotik
Replies: 54
Views: 2556

Re: New to Mikrotik

I've no idea about how to configure opensense, sorry.
by mkx
Thu Sep 09, 2021 7:32 pm
Forum: General
Topic: Client isolation within VLAN and fast roaming
Replies: 30
Views: 1351

Re: Client isolation within VLAN and fast roaming

The first line should be written like this: a. the ability to isolate clients on the same capac on the same virtual or real wireless interface (1) Can I assume that capsman is actually required for a, and b, and this canNOT be done with a regular setup of a capsman (local). You can do a) on stand-al...
by mkx
Thu Sep 09, 2021 7:22 pm
Forum: General
Topic: hEX en ports all slaves but en1 & 2, how to send to freedom? [SOLVED]
Replies: 10
Views: 614

Re: hEX en ports all slaves but en1 & 2, how to send to freedom? [SOLVED]

Which ROS version is running on your hEX?

Post current configuration (as per signature by @sindy) so we can see what you're talking about.
by mkx
Thu Sep 09, 2021 7:15 pm
Forum: Beginner Basics
Topic: New to Mikrotik
Replies: 54
Views: 2556

Re: New to Mikrotik

But wasn't needed. SRC-NAT only does the trick for traffic leaving router (through that particular interface) of connections marked for NAT and only un-NATs traffic identified as being part of nat-ed connection (or "connection" in case of stateless protocols such as ICMP or UDP). And only ...
by mkx
Thu Sep 09, 2021 7:07 pm
Forum: Beginner Basics
Topic: New to Mikrotik
Replies: 54
Views: 2556

Re: New to Mikrotik

Right. So from connectivity point of view everything works without NAT. Which means you should review firewall rules on your firewall .... does it allow input (ping) and forward from LAN interface where src address is not covered by LAN interface address/netmask?
by mkx
Thu Sep 09, 2021 6:56 pm
Forum: Beginner Basics
Topic: New to Mikrotik
Replies: 54
Views: 2556

Re: New to Mikrotik

I strongly suspect that some bit of configuration is off on firewall. Can you perform traceroute from firewall towards one of LAN servers to see whether packets actually reach as far as CCR? BTW, even though for now you seem to need NAT, remove firewall filter rules so that they don't interfere with...
by mkx
Thu Sep 09, 2021 6:44 pm
Forum: Announcements
Topic: Newsletter 101
Replies: 43
Views: 7700

Re: Newsletter 101

What does the RB5009 give you that the RB4011 doesn't ?? and only for few more bucks $$ CCR1009

None of alternatives mentioned are half-width half-height ugly looking beasts offering 2.5Gbps copper port out-of-the-box. Perhaps rack-mounted RB4011 comes close ...
by mkx
Thu Sep 09, 2021 5:48 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc3 [development] is released!
Replies: 172
Views: 19233

Re: v7.1rc3 [development] is released!

Or it could be issue with how virtualization platform of your choice deals with network interfaces ... some don't allow guest OS to play with MAC addresses ...
by mkx
Thu Sep 09, 2021 5:43 pm
Forum: Beginner Basics
Topic: New to Mikrotik
Replies: 54
Views: 2556

Re: New to Mikrotik

So the relevant (if I didn't forget to include anything else) configuration part, which does things you don't want to see, is this: /interface list add name=WAN /interface list member add interface=ether1 list=WAN /ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN Essentially...
by mkx
Thu Sep 09, 2021 5:10 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc3 adds Docker (TM) compatible container support
Replies: 165
Views: 16891

Re: v7.1rc3 adds Docker (TM) compatible container support

After removing the container twice, the internal disk filled up. That's a well known "feature" of docker: it doesn't automatically remove container images ... sometimes they can be re-used so I guess savings in "compile time" are the idea behind this decision. I don't know how ...
by mkx
Thu Sep 09, 2021 4:08 pm
Forum: General
Topic: When is 6.49 going to be released?
Replies: 16
Views: 1016

Re: When is 6.49 going to be released?

I'm not talking about users who like to live on the edge (upgrading from 6.49beta to 7.1rc). I'm talking about "sane" users who are using "stable" (not about "paranoid" users on "long-term" :wink: ) ... I believe backups work just fine on 6.48.4. And it's thos...
by mkx
Thu Sep 09, 2021 4:02 pm
Forum: RouterBOARD hardware
Topic: SFP+10Gbe issue
Replies: 6
Views: 562

Re: SFP+10Gbe issue

This is official SFP+ compatibility matrix. You won't see any 3rd party modules on it, which means they are not officially supported (although they might work just fine). FWIW, even some own MT's modules are not working with certain modules.
by mkx
Thu Sep 09, 2021 3:52 pm
Forum: General
Topic: When is 6.49 going to be released?
Replies: 16
Views: 1016

Re: When is 6.49 going to be released?

No offense taken. But what exactly in 6.49beta line makes you want it released because you're missing it from 6.48? OK, change log does include a few stability improvements, so these should be released in some version from v6 series (either as 6.48.5 or 6.49). Simple fact that it's been some time si...
by mkx
Thu Sep 09, 2021 3:42 pm
Forum: Beginner Basics
Topic: New to Mikrotik
Replies: 54
Views: 2556

Re: New to Mikrotik

I'm pretty sure that if you set static IP address on ether1 (the last configuration you showed had DHCP client running on that interface) and then you remove all /ip firewall setup, then things should work ... perhaps a good reboot of CRS has to be performed to get rid of any non-removable entries ...
by mkx
Thu Sep 09, 2021 3:14 pm
Forum: Beginner Basics
Topic: Bridge an existing Wifi to LAN
Replies: 6
Views: 505

Re: Bridge an existing Wifi to LAN

¹ Not necessarily via bridging. I will gladly take anything that gets the job done but I believe "bridging" is what I ultimately want, right? Actually you probably can't do it by joining your wired LAN to landlord's network in L2 (ethernet). Original 802.3 standard did not allow for prope...
by mkx
Thu Sep 09, 2021 2:59 pm
Forum: Beginner Basics
Topic: New to Mikrotik
Replies: 54
Views: 2556

Re: New to Mikrotik

ROS won't let you remove the dummy rule (which is for counting fasttracked traffic), but will disappear when you reboot the router if there is no "normal" fast track rule. Re. static routing: right. If your firewall was Mikrotik, it would need the following routes: /ip route add dst-addres...
by mkx
Thu Sep 09, 2021 2:31 pm
Forum: Wireless Networking
Topic: Using Mikrotik hAP Lite as a WLAN AP und WLAN Client
Replies: 4
Views: 369

Re: Using Mikrotik hAP Lite as a WLAN AP und WLAN Client

It is possible to configure wireless interface so that it will run as client to another AP and offer SSID (act as AP) at the same time. However this comes with a high hurdle: the client function has to be configured on "master" wireless interface and the AP function can then only be config...
by mkx
Thu Sep 09, 2021 2:18 pm
Forum: Beginner Basics
Topic: New to Mikrotik
Replies: 54
Views: 2556

Re: New to Mikrotik

There are two possibilities: keep firewall config as is, but you have to keep using NAT on core router for traffic towards firewall (I assume it's behind ether1). This means firewall will keep seeing router's (dynamic) IP address as source for all traffic configure number of static routes on firewal...
by mkx
Thu Sep 09, 2021 2:01 pm
Forum: Beginner Basics
Topic: New to Mikrotik
Replies: 54
Views: 2556

Re: New to Mikrotik

If device is going to be used as internal core router, then you can (or should) remove all config under /ip firewall (and sub-tree).
by mkx
Thu Sep 09, 2021 10:48 am
Forum: RouterBOARD hardware
Topic: CRS112 switch low throughput [SOLVED]
Replies: 6
Views: 667

Re: CRS112 switch low throughput [SOLVED]

To rule out winbox as culprit for CPU load, connect to the switch via ssh and run /tool profile cpu=all for a while to see if a) CPU is high or normal and b) what process is consuming the CPU.
by mkx
Thu Sep 09, 2021 10:44 am
Forum: RouterBOARD hardware
Topic: NetInstall Instructions
Replies: 15
Views: 11188

Re: NetInstall Instructions

One thing I wonder if we should be updating the Firmware or not? It's been ages since I've seen last routerboot firmware changelog so it's moot what changes are included in firmware. However there have been some posts (by MT staff) about need for recent firmware in order to boot ROS v7 ... which me...
by mkx
Thu Sep 09, 2021 10:37 am
Forum: General
Topic: 2 ip adresses on one intarface (Winbox showing wrong) [SOLVED]
Replies: 5
Views: 355

Re: 2 ip adresses on one intarface (Winbox showing wrong) [SOLVED]

Not exactly the answer to your question, but: when winbox shows list of devices, you can click on MAC address (instead of IP address) and then winbox will connect via MAC. Access control for this is not via firewall, but rather via /tool mac-server and subtree.
by mkx
Thu Sep 09, 2021 10:31 am
Forum: RouterOS v7 BETA
Topic: v7.1rc3 adds Docker (TM) compatible container support
Replies: 165
Views: 16891

Re: v7.1rc3 adds Docker (TM) compatible container support

I'm very curious about ALL these possibilities xD I guess everybody wanting to run several apps in docker (either one super-container or several separate containers, the latter will be easier to get running but consuming more resources) will soon run into RAM shortage. So containers are probably not...
by mkx
Thu Sep 09, 2021 9:19 am
Forum: General
Topic: hAP ac3 IPv6 firewall throughput issue
Replies: 3
Views: 404

Re: hAP ac3 IPv6 firewall throughput issue

Default configuration in IPv4 firewall includes rule with action=fasttrack ... fasttrack greatly reduces processing overhead and thus greatly improves throughput. There is no such thing as fasttrack in IPv6, hence IPv6 firewalling performance is way lower than IPv4 firewalling performance on very sa...
by mkx
Thu Sep 09, 2021 9:14 am
Forum: Beginner Basics
Topic: Using a MikroTik Router to manage downport MikroTik Switches
Replies: 6
Views: 537

Re: Using a MikroTik Router to manage downport MikroTik Switches

if that's the case I don't see a reason to keep this old router, and not upgrade to something a bit more robust. If ability to manage downstream switches from "master router" is vital to you, then yes, you'll have to switch network gear vendor. Be prepared for "enhanced" gear pr...
by mkx
Thu Sep 09, 2021 9:07 am
Forum: Announcements
Topic: MikroTik cloud is back online
Replies: 25
Views: 3762

Re: MikroTik cloud is back online

For me, whois and DNS query are both saying that nameservers for mynetname.net are ns1.kissthenet.net and ns2.kissthenet.net ... and both name servers have different addresses: user@host:~$ for H in $( whois mynetname.net | grep ^Name | awk '{ print $3 }'); do host $H; done ns1.kissthenet.net has ad...
by mkx
Thu Sep 09, 2021 8:55 am
Forum: Announcements
Topic: Newsletter 101
Replies: 43
Views: 7700

Re: Newsletter 101

What is up with MikroTik hardware production? Nobody has parts in stock and its getting pushed to December. Like the CRS328 PoE switch.
https://g.co/kgs/w6EhVA

What, ARM CPUs in MT devices caught SARS-COV-2?

Just kidding ...
by mkx
Wed Sep 08, 2021 6:11 pm
Forum: General
Topic: Openvpn ipv4 server ipv6 client
Replies: 2
Views: 316

Re: Openvpn ipv4 server ipv6 client

The way you explained it seems that MNO (ISP of second SIM) is running some sort of 6to4 gateway. And that is by no means transparent (there are simply not enough IPv4 addresses to cover a single /64 prefix, let alone whole IPv6 address space). Which means it is similar to CGNAT. And your tcpdump sh...
by mkx
Wed Sep 08, 2021 6:05 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc3 adds Docker (TM) compatible container support
Replies: 165
Views: 16891

Re: v7.1rc3 adds Docker (TM) compatible container support

Currently there is no option for interactive console for containers. This is a deal-breaker for things like PiHole, as many management functions are handled only through the console. Create container which (with other things) includes ssh service, make container start sshd (in parallel to whatever ...
by mkx
Wed Sep 08, 2021 3:03 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc3 adds Docker (TM) compatible container support
Replies: 165
Views: 16891

Re: v7.1rc3 adds Docker (TM) compatible container support

niche stuff. Exactly (really not all, but the majority are useless for 99,9% of users...) Actually we can start a few +1 threads about removing some useless functionality from system package ... One prime example would be support for SMB (file services). Or (borken) DNS service. Or (your suggestion...
by mkx
Wed Sep 08, 2021 2:51 pm
Forum: General
Topic: When is 6.49 going to be released?
Replies: 16
Views: 1016

Re: When is 6.49 going to be released?

The only sensible reason for releasing 6.49 would be to make it kind of transitional package to upgrade to 7.1. Which likely means including some updated routerboot firmware (so that v7.1 successfully boots) or some configuration sanitizing. Otherwise I don't see any point in doing it. For security ...
by mkx
Wed Sep 08, 2021 2:36 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc3 adds Docker (TM) compatible container support
Replies: 165
Views: 16891

Re: v7.1rc3 adds Docker (TM) compatible container support

Answering to @anav (question posted in generic v7.1rc3 thread ) ... rextended you seem excited about docker. ;-) Can you please elaborate if this is a feature I can use at home or is this something for those running ISPs?? Docker is one of many implementations for running containers. More about cont...
by mkx
Wed Sep 08, 2021 2:22 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc3 [development] is released!
Replies: 172
Views: 19233

Re: v7.1rc3 [development] is released!

*) added support for running Docker (TM) containers; Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa............................................................. Yup. No more complaints about shitty featureset of built-in DNS server ... just run container with fu...
by mkx
Wed Sep 08, 2021 8:37 am
Forum: RouterBOARD hardware
Topic: Netpower 16P max PoE out contradictory
Replies: 6
Views: 1358

Re: Netpower 16P max PoE out contradictory

From what I see on mine, it draws power from the highest voltage source, not the one with the least load. It seems that general principle for all MT devices which can take more than one power input (e.g. POE-in + barrel connector) is that there's simply a diode on each power input connected to comm...
by mkx
Wed Sep 08, 2021 8:24 am
Forum: General
Topic: Damaged wireless@ package: bad image(6) [SOLVED]
Replies: 6
Views: 1143

Re: Damaged wireless@ package: bad image(6) [SOLVED]

The minimum list of packages, needed for a typical home router, is this: system advanced-tools dhcp security wireless Depending on requirements, some (or all) of the following might be needed: ppp If your ISP delivers internet via PPPoE and you need to run client. ipv6 If your ISP supports IPv6. Be ...
by mkx
Tue Sep 07, 2021 11:04 pm
Forum: Wireless Networking
Topic: Have I Bricked my HAP ac lite?
Replies: 5
Views: 629

Re: Have I Bricked my HAP ac lite?

Quite likely you can use Winbox and MAC connectivity to access your HAP ac lite. Use any of ether2-ether5 ports (avoid using ether1, that one is by default intended for internet and winbox connection is blocked for security reasons) and when winbox lists device, click on MAC address (not its IP addr...
by mkx
Tue Sep 07, 2021 10:59 pm
Forum: Wireless Networking
Topic: CAPsMAN network
Replies: 1
Views: 298

Re: CAPsMAN network

Do I've roaming functionality using CAPsMAN? CAPsMAN doesn't offer any benefit with regard to roaming between APs. If one properly configures APs manually then roaming works equally good. The CAPsMAN manager can be an AP? Yes. What are the advantage /disadvantage to use local or manager forwarding?...
by mkx
Tue Sep 07, 2021 3:38 pm
Forum: SwOS
Topic: css610 vlan error
Replies: 3
Views: 397

Re: css610 vlan error

If router can get IP address via PPPoE, then VLAN 2 on CSS is configured just fine.

Internet on router is another thing. If your router is Mikrotik as well and at (pretty much) default configuration, then interface pppoe-out1 has to be member of WAN interface list (or else NAT etc. won't work).
by mkx
Tue Sep 07, 2021 2:30 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc2 [development] is released!
Replies: 194
Views: 16688

Re: v7.1rc2 [development] is released!

KERNAL panic after 3 days on rc2. ccr2004. no i won't log a ticket
First it's kernel and not kernal,


[sarcasm]
What is this kernel you all are talking about? The only kernel I know is a walnut kernel.
[/sarcasm]
by mkx
Mon Sep 06, 2021 9:38 pm
Forum: Beginner Basics
Topic: Help with choosing an antenna for a rural setting please
Replies: 8
Views: 524

Re: Help with choosing an antenna for a rural setting please

If so should I go for the 4G LTE as that has 21dB gain or one with less gain but other features? All antennae have different gains depending on frequency. The problem with all Mikrotik's LTE solutions (and most others) is that declared antenna gain is the maximum gain which is almost always at som...
by mkx
Mon Sep 06, 2021 6:51 pm
Forum: Beginner Basics
Topic: Help with choosing an antenna for a rural setting please
Replies: 8
Views: 524

Re: Help with choosing an antenna for a rural setting please

RSRP is signal strength and anything lower than -100 dBm is bad. RSRQ is signal quality, realistically achievable maximum is around -2 dB with normal values around -5 dB. Anything lower than -8 or -10 dB is bad. With quoted RSRP of -116 dBm I wouldn't be too optimistic. Even with directional antenna...
by mkx
Sun Sep 05, 2021 9:01 pm
Forum: Wireless Networking
Topic: capsman local forwarding clarification
Replies: 5
Views: 430

Re: capsman local forwarding clarification

I'll just write this: if you're sure there can not be any loops in your network (these are almost every time due to wired connections), then try to set "mode=none" on all bridges on all MT devices. Or, alternatively, set it on the device which is complaining ... and observe performance. Wh...
by mkx
Sun Sep 05, 2021 7:03 pm
Forum: Wireless Networking
Topic: capsman local forwarding clarification
Replies: 5
Views: 430

Re: capsman local forwarding clarification

CAPsMAN does not influence roaming of clients at all ... if APs forming same wireless network are also members of same wired broadcast domain (e.g. same DHCP serves requests made via all APs), then the roaming performance will be just the same with central forwarding and with local forwarding (or wi...
by mkx
Sun Sep 05, 2021 6:42 pm
Forum: Beginner Basics
Topic: mysterious hidden ssid with capsman [SOLVED]
Replies: 3
Views: 527

Re: mysterious hidden ssid with capsman [SOLVED]

Master interface has to be up&running because it's the only configuration which has radio parameters (frequency, channel width, extended channels layout, other advanced parameters) defined. Usually one assigns one of SSIDs to master interface ...
by mkx
Sun Sep 05, 2021 6:33 pm
Forum: RouterOS v7 BETA
Topic: Howto use Let's Encrypt command on 7.1rc2?
Replies: 6
Views: 583

Re: Howto use Let's Encrypt command on 7.1rc2?

I stand corrected. I have my own view on feasibility of using any other than HTTP-01 challenge for most of general public. Which makes procedure to get wildcard certificate impractical to me. In addition there are number of security implications when using wildcard certificates. If one needs certifi...
by mkx
Sun Sep 05, 2021 3:51 pm
Forum: General
Topic: STATIC ROUTING WITH PBR FOR MULTI WAN
Replies: 11
Views: 648

Re: STATIC ROUTING WITH PBR FOR MULTI WAN

  • are you aware that 192.169.x.x are not private IPs?

Neither are the rest of 192.16x.0.0/yy he's using for other interfaces/networks. Nor is 172.13.0.0/16 (server room subnet)
OP seems to successfully avoid the private address space of 192.168.0.0/16, kudos for that.
by mkx
Sun Sep 05, 2021 3:43 pm
Forum: RouterOS v7 BETA
Topic: Howto use Let's Encrypt command on 7.1rc2?
Replies: 6
Views: 583

Re: Howto use Let's Encrypt command on 7.1rc2?

Is there support for creating a wildcard-certificate? Letsencrypt doesn't support wildcard certificates, it only supports SAN (Subject Alternative Name), which includes explicitly requested server names ... but each of them separately have to pass whichever verification chosen (usually it's challen...
by mkx
Sun Sep 05, 2021 2:47 pm
Forum: Wireless Networking
Topic: Connect 2.4 and 5GHz in bridge
Replies: 3
Views: 566

Re: Connect 2.4 and 5GHz in bridge

Sharing same radio for both uplink and client connections is bad to begin with. Bonding works fine if both (all) member links are of approximately same speed, work reliably, without delay spikes. And most importantly: almost all transmit algorithms will use same link for all packets belonging to sam...
by mkx
Sun Sep 05, 2021 2:35 pm
Forum: Wireless Networking
Topic: RBSXTR&R11e-LTE6 why just 100M Ethernet? [SOLVED]
Replies: 5
Views: 584

Re: RBSXTR&R11e-LTE6 why just 100M Ethernet? [SOLVED]

But i'm really wondering to not find a gigabit ethernet port. I'm just asking why? Why pairing CAT6 LTE together with fast-ethernet and not gigabit? While CAT6 in theory peaks at 300/50 Mbps it is for vast majority of users highly unlikely to see anything near this speed. Mainly due to two reasons:...
by mkx
Sun Sep 05, 2021 2:11 pm
Forum: Beginner Basics
Topic: Is it able to use route function when RouterOS is running as switch?
Replies: 5
Views: 398

Re: Is it able to use route function when RouterOS is running as switch?

If CRS' role in the network is switch, then it will mostly be ignored for routing tasks. It can terminate the VPN connection, but all LAN devices will simply ignore it. I can think of three possibilities: configure broadband router with static route towards 192.168.1.0/24 using CRS as gateway map (u...
by mkx
Sun Sep 05, 2021 1:58 pm
Forum: Beginner Basics
Topic: VLAN
Replies: 10
Views: 731

Re: VLAN

Right ... Right as in you're correct or is that a Right sarcastically?? I can't tell this time.......... Both. Sometimes I don't get how some particular thing fits into OSI 7 layer scheme. DHCP being service which (upon request) returns some data (IP address, network mask, gateway address, etc.) is L7...
by mkx
Sat Sep 04, 2021 9:18 pm
Forum: Beginner Basics
Topic: VLAN
Replies: 10
Views: 731

Re: VLAN

Right ...
by mkx
Sat Sep 04, 2021 1:10 pm
Forum: Beginner Basics
Topic: VLAN
Replies: 10
Views: 731

Re: VLAN

I forgot to add: there's a really great tutorial, which explains how to properly configure VLANs in RouterOS.
by mkx
Sat Sep 04, 2021 12:44 pm
Forum: Beginner Basics
Topic: VLAN
Replies: 10
Views: 731

Re: VLAN

Networking basics: in principle[*] there can only be one DHCP server per L2 broadcast domain[**]. So first thing you need to get straight is your L2 network and only after that deal with issues of your higher layers (IP is L3, DHCP is strictly speaking L2 but with hooks to L3). [*] There can be mor...
by mkx
Sat Sep 04, 2021 10:52 am
Forum: Wireless Networking
Topic: 802.11r for hAP ac2?
Replies: 4
Views: 648

Re: 802.11r for hAP ac2?

Wifi wave2 drivers and 802.11r functionality are not exclusive. The thing is that 802.11r works with some kind of AP coordination beyond what CAPsMAN can do currently, so CAPsMAN needs some work to be done. Might be that current CAPsMAN design can not easily accommodate needed coordination. Or the CA...
by mkx
Sat Sep 04, 2021 10:38 am
Forum: Beginner Basics
Topic: Another vlan question
Replies: 37
Views: 1787

Re: Another vlan question

I'm not sure if I should set a static ip for the router (not sure how exactly) or let DHCP hand out the first address to the router (again, not sure how exactly). My thinking: if access (management, service, whatever) is primarily remote, then device needs static address (on appropriate interface i...
by mkx
Fri Sep 03, 2021 11:50 am
Forum: Beginner Basics
Topic: gratuitous arp issue
Replies: 8
Views: 602

Re: gratuitous arp issue

@mkx, how exactly MikroTIK finds that this IP is indeed in use ? Not sure how mikrotik determines that IP address is already in use. In theory it should consult its own ARP tables and only answer the query when it finds entry exactly matching the target IP address and device is residing behind inte...
by mkx
Thu Sep 02, 2021 10:47 pm
Forum: Beginner Basics
Topic: Inside server not seeing external user's IP [SOLVED]
Replies: 19
Views: 1116

Re: Inside server not seeing external user's IP [SOLVED]

The MikroTik software is certainly powerful, but it is like learning how to use a 100-bladed
Swiss Army knife.

As much as this is a curse for newbie it's what experienced MT users wouldn't give away no matter what.
by mkx
Thu Sep 02, 2021 10:30 pm
Forum: Beginner Basics
Topic: gratuitous arp issue
Replies: 8
Views: 602

Re: gratuitous arp issue

Screenshot from wireshark only shows that proxy-arp works ... phone invents an APIPA address, tries to verify it is unique in current LAN using ARP whohas .. and MT screws this royally because it answers the ARP request (as it's supposed to do with proxy arp setting) making phone believe the address...
by mkx
Thu Sep 02, 2021 12:19 pm
Forum: General
Topic: RB951G-2HnD reset problem
Replies: 2
Views: 224

Re: RB951G-2HnD reset problem

Using reset button on Mikrotik devices (RB951G is no exception) is not entirely straight forward, exact function of the button depends on when button is pressed and when button is released. The different functions are described in reset button manual.
by mkx
Thu Sep 02, 2021 12:13 pm
Forum: Beginner Basics
Topic: VLANs - different address on different ports
Replies: 43
Views: 2128

Re: VLANs - different address on different ports

In principle it is possible to pass VLAN tagged frames through unmanaged switch (shown by the right part of your scheme that @anav likes so much) with a few gotchas: switch has to support "baby jumbo" frames. Traditional standard payload size of ethernet frames was 1500 bytes, hence usual ...
by mkx
Wed Sep 01, 2021 5:22 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc2 [development] is released!
Replies: 194
Views: 16688

Re: v7.1rc2 [development] is released!

P.S. There is an internal discussion to restore the old "?" behavior based on the context. Or, perhaps easier to implement, the suggestion already given by somebody else: make help key configurable with F1 default setting. For all farts like myself (and many other forum users) used to "...
by mkx
Wed Sep 01, 2021 5:14 pm
Forum: General
Topic: Different Public IP for different devices (On Different port preferably if posible)
Replies: 20
Views: 960

Re: Different Public IP for different devices (On Different port preferably if posible)

A question: do you want to use specific public IP address for any device connected to specific router port (e.g. ether2)? Or you rather want to use specific public IP address for specific LAN IP address? (these are two completely different things)
by mkx
Wed Sep 01, 2021 5:01 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc2 [development] is released!
Replies: 194
Views: 16688

Re: v7.1rc2 [development] is released!

What is the difference between v7.1rc2 and v7rc2?
v7rc2 ... is a release candidate #2 for version 7.0.0
v7.1rc2 ... is a release candidate #2 for version 7.1.0
by mkx
Wed Sep 01, 2021 1:24 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc2 [development] is released!
Replies: 194
Views: 16688

Re: v7.1rc2 [development] is released!

Backups are generally ROS version specific ... sure there are version series where backups are compatible but in general no. Since v7 comes with quite some differences under the hood (some are exposed via API), I sincerely doubt one can safely use v6.xx backup to restore v7 device.
by mkx
Wed Sep 01, 2021 12:18 pm
Forum: Beginner Basics
Topic: Port Forwarding over PPPoE
Replies: 4
Views: 524

Re: Port Forwarding over PPPoE

What does check about how public is your WAN IP say?

The DST-NAT rule you posted is fine ... when you try to test it from outside (i.e. no hairpin NAT involved).
by mkx
Wed Sep 01, 2021 8:04 am
Forum: Beginner Basics
Topic: Another vlan question
Replies: 37
Views: 1787

Re: Another vlan question

I'm sorry you got bad feedback from this forum. As you noticed, there are some super-helpful members of forum and then there are ... the rest :wink: ... read this post and get back. The problem for helpful forum members is that there are plenty of users coming with (almost) identical questions. As y...
by mkx
Tue Aug 31, 2021 11:12 pm
Forum: RouterOS v7 BETA
Topic: 7.1rc1 bricked 3 pcs RB951Ui-2HnD
Replies: 6
Views: 699

Re: 7.1rc1 bricked 3 pcs RB951Ui-2HnD

@Amm0: I'm not talking about Router OS, which is upgraded via system->packages sub-menu, I'm talking about Routerboot firmware, which is upgraded via system->RouterBOARD submenu. The latter can be compared to computer's BIOS (or UEFI) and if it's too old, it can't boot new OS kernel. Routerboot image...
by mkx
Tue Aug 31, 2021 11:00 pm
Forum: Beginner Basics
Topic: Inside server not seeing external user's IP [SOLVED]
Replies: 19
Views: 1116

Re: Inside server not seeing external user's IP [SOLVED]

You get fixed-width font if you place text inside [ code] [/code] environment. The reason that SSH server sees router's LAN IP address is some sort of SRC NAT (masquerade is just another form of SRC NAT), but in config you posted the masquerade rule only performs SRC NAT on packets leaving through e...
by mkx
Tue Aug 31, 2021 10:49 pm
Forum: Beginner Basics
Topic: Another vlan question
Replies: 37
Views: 1787

Re: Another vlan question

How do trunk ports work? In Mikrotik world, trunk ports are ports carrying (one or) multiple tagged VLANs and none untagged VLANs. Ports carrying some tagged and (exactly) one untagged VLANs are called hybrid ports. It's a network in service. I can't bring it down to put it back up. Changing networ...
by mkx
Tue Aug 31, 2021 10:33 pm
Forum: Beginner Basics
Topic: VLANs - different address on different ports
Replies: 43
Views: 2128

Re: VLANs - different address on different ports

In fact on my main router I have about 20 vlans going through one port to a main managed switch.
You do realize you don't need separate VLANs for each bit of connected device's MAC address, right? :lol:
by mkx
Tue Aug 31, 2021 10:23 pm
Forum: RouterOS v7 BETA
Topic: 7.1rc1 bricked 3 pcs RB951Ui-2HnD
Replies: 6
Views: 699

Re: 7.1rc1 bricked 3 pcs RB951Ui-2HnD

How did you get from 6.42 to 7.1rc?

IIRC routerboot has to be one of recent 6.xx to successfully boot any of v7. You might want to try netinstall one of bricked devices with 6.48, upgrade routerboot and only later go to 7.1rc2.
by mkx
Tue Aug 31, 2021 7:18 pm
Forum: RouterOS v7 BETA
Topic: ZeroTier added to RouterOS v7.1rc2
Replies: 143
Views: 21715

Re: ZeroTier added to RouterOS v7rc2

Should I upgrade to a newer beta version or will I lose my wireguard connectivity...........

Well, it's beta VS release candidate. Being advanturistic (stewpid) enough to be on beta, why don't you try and then clean the mess you'll get before reporting back?
by mkx
Tue Aug 31, 2021 7:12 pm
Forum: Beginner Basics
Topic: Another vlan question
Replies: 37
Views: 1787

Re: Another vlan question

As @anav said: your VLAN setup is a mess. For example: /interface bridge vlan add bridge=bridge comment=guest tagged=ether5 untagged=ether2,bridge vlan-ids=10 add bridge=bridge tagged=ether5 untagged=bridge,ether2 vlan-ids=1 While ROS doesn't blurp, you can't have two VLANs untagged at the same time...
by mkx
Tue Aug 31, 2021 6:54 pm
Forum: Beginner Basics
Topic: Private VLAN on a RB4011
Replies: 21
Views: 1254

Re: Private VLAN on a RB4011

And of course on the wireless interface all the traffic goes through the CPU... AFAIK (but I may be wrong) traffic between two wireless clients of same radio (i.e. same wifi interface) is handled by wireless driver. While technically they are handled by CPU (because whole wireless driver runs on CPU)...
by mkx
Tue Aug 31, 2021 6:43 pm
Forum: RouterOS v7 BETA
Topic: Solved: Problem with two default IPv6 routes using dhcpv6-client (7.1rc2)
Replies: 8
Views: 744

Re: Problem with two default IPv6 routes using dhcpv6-client (7.1rc2)

If I understand right, you're setting IPv6 address to PPPoE interface from pool of IPv6 addresses, assigned by ISP? Yes but on the LAN bridge and not the PPPoE interface. Essentially the same as I'm doing on 6.48.4. The only difference is IPv6 handling of pppoe-client which was non-existent in ROS ...
by mkx
Tue Aug 31, 2021 5:40 pm
Forum: RouterOS v7 BETA
Topic: Solved: Problem with two default IPv6 routes using dhcpv6-client (7.1rc2)
Replies: 8
Views: 744

Re: Solved: Problem with two default IPv6 routes using dhcpv6-client (7.1rc2)

In which case can link-local addressed frames go out through WAN interface? E.g. if LAN is properly configured with SLAAC / DHCPv6 server, then LAN devices will use global addresses. Router itself will in this case have at least one global address (i.e. the one bound to LAN interface). So is it conn...
by mkx
Tue Aug 31, 2021 5:32 pm
Forum: RouterOS v7 BETA
Topic: ZeroTier added to RouterOS v7.1rc2
Replies: 143
Views: 21715

Re: ZeroTier added to RouterOS v7rc2

Sounds super but of course even reading the Wiki for zerotier, still lost.
I gather this is something of not much utility for the homeowner.
Think of ZeroTier as VPN with configuration on cloud.
by mkx
Tue Aug 31, 2021 5:28 pm
Forum: RouterOS v7 BETA
Topic: Solved: Problem with two default IPv6 routes using dhcpv6-client (7.1rc2)
Replies: 8
Views: 744

Re: Problem with two default IPv6 routes using dhcpv6-client (7.1rc2)

So I set the default route via PPPoE, acquire the prefix via dhcpv6-client and set the address using the prefix pool. If I understand right, you're setting IPv6 address to PPPoE interface from pool of IPv6 addresses, assigned by ISP? But does PPPoE interface actually need routable IPv6 address? In m...
by mkx
Tue Aug 31, 2021 5:16 pm
Forum: Beginner Basics
Topic: Another vlan question
Replies: 37
Views: 1787

Re: Another vlan question

Link to your export doesn't work. Just a general remark: avoid using VLAN ID 1 as tagged VLAN. In ROS, VLAN ID is used as implicit default all over the place and if one doesn't catch all the occurrences, things misbehave in most random ways. Avoid for untagged as well, if link between two devices is...
by mkx
Tue Aug 31, 2021 5:10 pm
Forum: Beginner Basics
Topic: Private VLAN on a RB4011
Replies: 21
Views: 1254

Re: Private VLAN on a RB4011

But, when using the Bridge Firewall, in order for it to work, you must disable the hardware offload,... As I wrote (more than once ;-) ): for bridge to block traffic between two hosts traffic has to travel through bridge. If hosts are connected to different bridge ports (e.g. ether13 and ether42), ...
by mkx
Tue Aug 31, 2021 5:01 pm
Forum: Beginner Basics
Topic: CCR2004-1G-12S+2XS slow NAT performance
Replies: 28
Views: 1599

Re: New to Mikrotik: a few questions

Disconnect from WebFig: there's an icon (kind of a blue left arrow on brownish background) in the upper right corner of page which causes you to log out. Is bootloader secure and signed: Bootloader is included inside RouterOS install images. If one deems ROS install package to be safe, then one doe...
by mkx
Tue Aug 31, 2021 4:40 pm
Forum: Beginner Basics
Topic: Private VLAN on a RB4011
Replies: 21
Views: 1254

Re: Private VLAN on a RB4011

Why not if I enable the Bridge Firewall? You can successfully block users to reach each other using the Bridge Firewall even if they exist on the same interface... Only if you somehow force both hosts to communicate through bridge, which is usually hard to achieve. Basics of IP over ethernet netwo...
by mkx
Tue Aug 31, 2021 4:18 pm
Forum: Beginner Basics
Topic: SSH NAT forwarding
Replies: 1
Views: 346

Re: SSH NAT forwarding

I created a NAT rule, General: dstnat dstn port 52022, tcp, Action:to addresses: 192.168.88.50, to ports 52022
If you did not manually configure ssh server on linux machine to listen to non-standard port, the correct DST-NAT rule would be
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tc...
by mkx
Tue Aug 31, 2021 1:24 pm
Forum: General
Topic: NAT to one of my VLANs [SOLVED]
Replies: 5
Views: 489

Re: NAT to one of my VLANs [SOLVED]

Masquerading itself doesn't block connections from SERVICE towards MAIN. So you still need some (more or less selective) drop rule which does it. In addition it messes with servers' visibility of real clients (i.e. if you perform NAT, server will see connection from router and log that ... if you wa...
by mkx
Tue Aug 31, 2021 12:55 pm
Forum: General
Topic: NAT to one of my VLANs [SOLVED]
Replies: 5
Views: 489

Re: NAT to one of my VLANs [SOLVED]

Not going into configuration details ... but (largely simplified) FW configuration as the following should do what you're after:
/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=accept in-interface=vlan-main-100 out-interface...
by mkx
Tue Aug 31, 2021 12:16 pm
Forum: General
Topic: Who has the biggest uptime ?
Replies: 22
Views: 3218

Re: Who has the biggest uptime ?

Not Mikrotik related, but uptime related :-) If we're into (true) uptime stories: I've had a linux server (running early 2.6 kernel with fixed uptime counter) with uptime of more than 1700 days. The company I worked for at that time decided to move data centre and I came up with a plan to move the ...
by mkx
Tue Aug 31, 2021 11:40 am
Forum: General
Topic: L2 Connection controll
Replies: 4
Views: 454

Re: Mikrotik

RouterOS keeps ARP table ... you can check it under /ip arp ... not sure if that table gets populated only when device communicates with router directly or even if it uses RB as a switch. Anyway, ARP table contains interface as well ...
by mkx
Tue Aug 31, 2021 11:34 am
Forum: General
Topic: Tiktok Live Problems
Replies: 24
Views: 1319

Re: Tiktok Live Problems

Is it illegal to put the mail here like that?

It's not illegal. But since forum is public, potential spammers will see your e-mail address. Hence most forum members decide not to publish their e-mail addresses just like that.
by mkx
Tue Aug 31, 2021 11:30 am
Forum: Beginner Basics
Topic: Port Forwarding over PPPoE
Replies: 4
Views: 524

Re: Port Forwarding over PPPoE

PPPoE doesn't make NAT any different. The idea is this: WAN interface has public (or "public") IP address. WAN interface is often a physical port (e.g. eth1 with DHCP client running), but can be tunnel interface such as pppoe-out1. MT default configuration handles this case just fine, you ...
by mkx
Tue Aug 31, 2021 11:17 am
Forum: Beginner Basics
Topic: Private VLAN on a RB4011
Replies: 21
Views: 1254

Re: Private VLAN on a RB4011

Any mechanism trying to separate users can work as long as the port (or pseudo port[*]), used by user, is dedicated one. As soon as multiple users share one port (even through a downstream switch which is not managed with goal to separate users, e.g. a dumb switch), there's nothing device can do to ...
by mkx
Tue Aug 31, 2021 11:12 am
Forum: RouterOS v7 BETA
Topic: DHCPv6 Client in 7.1beta6
Replies: 4
Views: 602

Re: DHCPv6 Client in 7.1beta6

@woro: are you aware that 7.1rc1 is released (rc2 is rumoured to be out soon)? So you should upgrade your device and retest. If the problem persists, ask in appropriate thread.
by mkx
Mon Aug 30, 2021 11:37 pm
Forum: Beginner Basics
Topic: Private VLAN on a RB4011
Replies: 21
Views: 1254

Re: Private VLAN on a RB4011

If more than one user exists on the same port, then nothing on MT device can prevent those users from talking to each other as long as they are in same VLAN (or none VLAN).
by mkx
Mon Aug 30, 2021 11:29 pm
Forum: Beginner Basics
Topic: Firmware change from INT to US ver. into WAP LTE modem
Replies: 2
Views: 433

Re: Firmware change from INT to US ver. into WAP LTE modem

The problem is not with firmware, the problem is physical - support for different frequency bands. R11e-LTE (international) supports: 1 (2100MHz) / 2 (1900MHz) / 3 (1800MHz) / 7 (2600MHz) / 8 (900 MHz) / 20 (800MHz) / 38 (2600MHz) / 40 (2300MHz) (the last two are TDD bands) R11e-LTE-US supports: 2 (...
by mkx
Mon Aug 30, 2021 10:10 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc1 [development] is released!
Replies: 345
Views: 30363

Re: v7.1rc1 [development] is released!

With RouterOS v7 will it be easier for the RouterOS developers to update the Linux Kernel version so as not stuck with a 10 year old Linux Kernel like RouterOS v6?
It's not kernel version per se, it's changes in API that sometimes make kernel upgrades next to impossible. Kernel upgradability in RO...
by mkx
Mon Aug 30, 2021 5:07 pm
Forum: Wireless Networking
Topic: Wifi sucks in an outside garage
Replies: 16
Views: 1463

Re: Wifi sucks in an outside garage

OR ... Steps:
1. invest in a pickaxe
2. dig a trench from house to the new garage
3. lay fibre optics
4. fill back the trench, seed some grass or wait for random weeds to grow
5. connect fibre to appropriate equipment on both ends
Steps #4 and #5 can be done in reverse order or in parallel if better half agrees. A...
by mkx
Mon Aug 30, 2021 4:13 pm
Forum: Beginner Basics
Topic: access in between the VLAN`s
Replies: 8
Views: 898

Re: access in between the VLAN`s

Looking at GUI screenshots is such a royal PITA ... post text export of configuration: run /export hide-sensitive file=anynameyouwish in a terminal window, fetch resulting file and open it in text editor. Copy-paste contents here (inside [ code] [/code] environment). You may want to redact some furt...
by mkx
Mon Aug 30, 2021 3:55 pm
Forum: Beginner Basics
Topic: access in between the VLAN`s
Replies: 8
Views: 898

Re: access in between the VLAN`s

Unless playing some very advanced tricks routing is identical for any IP protocol (either ICMP or TCP), so the problem is most likely not about routing.

Apart from firewall on router itself you should check MTU settings on various involved interfaces (both physical as well as VLAN) on router.
by mkx
Mon Aug 30, 2021 3:43 pm
Forum: Beginner Basics
Topic: access in between the VLAN`s
Replies: 8
Views: 898

Re: access in between the VLAN`s

Check firewall on server that it allows incoming connections from "alien" subnets ... default firewall on windows doesn't. Another thing to check is firewall on router itself.
by mkx
Mon Aug 30, 2021 3:31 pm
Forum: Beginner Basics
Topic: Private VLAN on a RB4011
Replies: 21
Views: 1254

Re: Private VLAN on a RB4011

Can someone confirm that it is possible to do Private VLAN on the RB4011 router? As @anav already wrote (using different words): what exactly does "Private VLAN" mean in your context? If wikipedia article describes your view of the matter, then ... hell yes, RB4011 can run large number of...