MikroTik

mkx

If you're thinking of a combo "interface is bridge port, but is anchor for a vlan interface" ... then no, it shouldn't be done like that (it falls into category "it shouldn't be used as interface"). The problem in your setup procedure is that you're effectively changing L2 topolo...

mkx

"Trunk with native VLAN" in Cisco is "hybrid" in Mikrotik. So configure port to: "vlan receive - any" and set "default vlan id" to "native VLAN ID" of your choice (e.g. 4000). You have to mark such port as member of VLAN with "native VLAN ID&quo...

mkx

It seems that the only Mikrotik's own wifi card supporting 802.11 ac is R11e-5HacD. And that one is built around QCA9882. If you find a card built around same chipset, chances are that it'll work. Or go for this card if miniPCIe format suits you.

mkx

I did another test incorporating the changes in my last post and I've now positively identified the point at which I lose connection to be enabling ether1 as a port on br0. It shouldn't come as a surprise. After an interface is "enslaved" as port of a bridge, it shouldn't be used as inter...

mkx

wifi-qcom-ac doesn't support "native" VLAN tagging. So how do you make wifi interface a bridge port?

mkx

Two things to check: list of currently installed packages. In order for downgrade/upgrade to succeed, files with all currently installed packages have to be uploaded to device. After performing next downgrade attempt and after you see it failed, check logs. It will always contain something about upg...

mkx

Proxy-ARP might explain that ...

mkx

I'll comment on "just before loosing contact" config on hAP: you should never add vlan interface back to anchor. Like this: /interface vlan add comment=team451 interface=br0 name=team451 vlan-id=500 /interface bridge port add bridge=br0 comment=team451 interface=team451 internal-path-cost=...

mkx

Can you post the "bootstrapped" config of hEX? The one before trying to add ether1 to bridge (which breaks your connectivity)?

mkx

Yes, and as I pointed out, that's a multi-port aggregate test, not a single-stream single-port test. mkx's point builds atop that. What you're saying makes no sense. It's not like each interface is dedicated to it's own single CPU core, so using more ports won't make the CPU process the packets any...

mkx

I just configure ntp client server as pool.ntp.org, so, nothing to do with hamilton.com pool.ntp.org points at a few IP addresses, where public NTP servers reside. Addresses, to which pool.ntp.org resolves, can vary with subsequent DNS queries. And, again: the NTP servers arr volunteered by differe...

mkx

Your screenshots show that you're using built-in bandwidth test. It is a well known fact (you're excused since you're new to ROS) that bandwidth test is heavy on CPU and on many device models it itself is a bottleneck. It is recommended to run tests using two external devices, known to be able to cr...

mkx

Is it possible to disable connection tracking for the scanner, while still swapping the LAN IP with WAN IP?

Nope, NAT relies on connection tracking. So no connection tracking, no NAT. At least in ROS.

mkx

Take a look at the RB5009 test results . Your application is the lower rightmost number in the first table, ... Not even that. Tests are using normal long-living connections, so even tests which use tiny packets, can benefit of fast-tracking. OP is doing port scanning, which means that every third ...

mkx

Just manually override MTU setting of EOIP interface. EOIP does fragment/defragment frames, which are otherwise too large to fit the outer MTU, if needed.

mkx

Concentrate on working with ether1, other ports aren't used for netinstall process. Then follow this sequence (it worked most of times on all of my devices): connect cable between ether1 and PC setup PC appropriately (e.g. disable firewall, excess network interfaces, ...) start netinstall executable...

mkx

If nothing else helps you'll have to netinstall the device. Note that the process is very fragile and sometimes takes lots of experimenting with different details before it succeeds.

mkx

I think that passive DACs require both connected devices to be of same SFP generation/variety ... as these DACs more or less simply connect appropriate SFP signal lines together. Many devices have SFP ports that are actually single rate (e.g. SFP+ only supports 10Gbps ... it's the module which can n...

mkx

PPPoE can't really be in bridge mode because bridge is L2 and PPPoE is L3. IP address is "integral part" of L3 interface, it can't be "forwarded" elsewhere. What usually "put in bridge mode" means is that that device is L2-transparrent ... passing either DHCP handshake ...

mkx

NATed traffic also gets fasttracked if appropriate rules are set. And in this case indeed rules, which handle traffic initially, don't get hit any more and thus counters don't increment.

mkx

Clearly 'hiding' the true mac address............ Perhaps you prefer "FU:FU:FU:FU:FU:FU" "=) Yup, I figured as much. But every time I see somebody playing this game (not knowing that MAC addresses are almost the least sensitive information a config can contain), I always wonder what ...

mkx

I'll pay close attention to this versus the link you sent me. In particular pay attention to these details: bridge CPU-facing port VLAN membership has to be configured explicitly as well frame-types, tagged/untagged and PVID properties have to be consistent distinction between different properties ...

mkx

You have a number of errors in VLAN-related config. I suggest you to go through the definitive guide to ROS VLANing.

BTW, I don't think FF:FF:FF:FF:FF:FF is a valid MAC address for bridge.

mkx

For FT to work, CAP devices have to run wifi-qcom (or wifi-qcom-ac) driver. Which means ROS 7.13+ and ARM architecture. As to CAPsMAN device: it has to run ROS 7.13+ as well. But it doesn't have to run wifi-qcom (or wifi-qcom-ac) as these are "only" wireless chipset drivers. Core functiona...

mkx

All devices I mentioned, run 7.13.2. None are hEX. Here's export from one of them: /interface bridge add admin-mac=E6:8D:8C:49:EE:4A auto-mac=no name=bridge port-cost-mode=short /interface bridge port add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10 add bridge=bridge interface=e...

mkx

- cAP ax: reset config and set it in CAPs mode (this is enough) - CAPsMAN: config datapaths with corresponding VLAN id's Use a hybrid port with management VLAN untagged, Corporate and Guest tagged. Just to clarify: the last line (regarding hybrid port) refers to port to which cAP ax devices are con...

mkx

I guess you should ask support@mikrotik.com to clarify what happens after 60 days of internet unavailability to licensed CHR. And report back their answer as it'll be probably interesting for a few other people.

mkx

I guess you have "detect internet" feature enabled ... and adding a DHCP client to interface, which is determined to be a WAN interface, is one of "magic" things which happen. If you have incentive (and knowledge) to fine-tune router's config, then I suggest you to disable "...

mkx

Having "connection-state" property set to empty string "" is not the same as not having it set at all. So unset connection-state property on your inter-VLAN firewall rules.

mkx

Well, by default there is only one bridge. Called, bridge. so I don't know what you mean by "manually set MAC addresses on all bridges" ... I have a few Mikrotik devices on the LAN, each have one bridge and I manually set MAC addresses on each and every bridge. Hence use of plural "b...

mkx

If you replace old router with a new one and the public IP address is the same, then you'll end up with two A records: <old_SN>.sn.mynetname.net and <new_SN>.sn.mynetname.net ... both pointing at same address. I don't see how this is a problem, if you know <new SN>, then old record won't make any ha...

mkx

With lots of fiddling it is possible to replace the two 1783-NATR devices with a single "multi purpose" router. But it's not easy as both "private" LANs use same IP address space and this is actually problem from routing point of view. So it is actually much easier to use one NAT...

mkx

Are there any of devices you listed in your previous post which are interconnected with more than single UTP cable? In particular I'm thinking of connection between AX88U and CRS326 ... To be on the "fast" side: please ammend the description with exhastive list of connection between the de...

mkx

why is this working and : chain=srcnat action=src-nat to-addresses=10.10.5.50 src-address=10.10.1.0/24 out-interface=ether5 did not work? Because you used wrong address setting for to-address property. The "to-address" property of src-nat rule sets the IP address which will replace the or...

mkx

Are you sure that cameras provide their service on ports 8001 and 8002? I'd guess they are actually using standard port 80 ... in which case NAT rules should have "to-ports=80" set.

mkx

This is wrong: /interface vlan add interface=ether3 name=CAM88 vlan-id=88 add interface=ether3 name=IoT687 vlan-id=687 add interface=ether3 name=VLAN82 vlan-id=82 add interface=ether3 name=VLAN3000 vlan-id=3000 add interface=ether3 name=WIFI20 vlan-id=20 add interface=ether3 name=WORK999 vlan-id=999...

mkx

usually the antennas should be vertical, no matter how you install the device Nope. MIMO works best if reception from both Tx antennas is as uncorrelated as possible. Antennas are polarized and with 2x2 MIMO, different polarization makes best possible diversity ... and that's when both antennas are...

mkx

You should set Egress setting on access ports (on SwOS device ports 2-5) to "Always Strip".

mkx

Mikrotik (and members of the board) advise is that of assigning manually a mac address to the bridge, but it has to be seen if - even if doing that - it would be listed on another device with /tool/mac-telnet ... Just checked ... I have manually set MAC addresses on all bridges ... and /tool/mac-te...

mkx

Not only in ROS, also elsewhere. VLANs work between devices, if one uses them but the rest don't then they are either no good or interfere with traffic. Here kicks in the suggestion by @loloski: show us the physical/logical network topology (which includes ISP gear) so we can suggest you all the nec...

mkx

In Firewall / Address list I create 2 new records with the same name and each should have the subnet? Is this the way?

Yes, enter address with subnet mask, e.g. "192.168.4.0/23"

mkx

PPPoE works directly over ethernet ... so VRRP and routing etc. doesn't affect it. So yes, ISP's and your own PPPoE servers can interfere with each other. You should separate WAN and LAN on L2 (it seems you don't have it right now, only on L3), VLANs seem a natural solution to your problem (in this ...

mkx

So far I didn't stumble upon setup where DHCPv6 server was dynamic, so I'm a bit lost here. In your case, how does DHCPv6 server pppoe-sn_dsnw2845b110 get created? Since pools are all static, you should be able to create static DHCPv6 serve as well ... and in that case, you should be able to make le...

mkx

I have created a Firewall rule which works, but it gives access also from these subnets 192.168.0.x, 192.168.1.x , 192.168.2.x as well Is it possible to give access only to 192.168.4.0/23 and 192.168.10.0/23 with another way? You'll have to use two rules, each targeting individual subnet. Problem w...

mkx

RB1100AHx4 is still listed as "current device" on Mikrotik web page. So it should be able to buy it. Whether it's from old stock of from production line ... that can only Mikrotik answer (but I highly doubt they would). As to local distributor's stock: they tend to keep in stock models tha...

mkx

This is really weird. In your opening post you wrote that wireless client can ping gateway (router), but the rest of (internet?) traffic is blocked for a while. But if device wants to communicate with internet, it is sending traffic to router ... and that works as you are saying. You can try to torc...

mkx

Show config ... the /ipv6/dhcp-server/export part at least.

mkx

Your topology description is a bit fuzzy ... but combined with log entry it indicates you might have some misconfiguration of your device ...

mkx

Is the prefix pool ... which DHCPv6 uses to fetch prefixes for clients ... a dynamic (i.e. fetched from upstream DHCPv6 server) or a static one?

mkx

The way you explain the symptoms, the problem might be also in ARP entry aging on switches/bridges ... all mentioned devices are part of it, including the TP-link switch. If you can, connect both hAPs to hEX directly just to make sure that TP-link isn't playing games.

mkx

Where are you accessing 192.168.1.40:8123 from, the rest of LAN? If that's so, you can't block traffic on router because traffic between two LAN devices doesn't pass router.

mkx

I'm not trying to diss it (too much) but defending the existing isn't too helpful when you're trying to think outside the existing box. It would really help if you stated what are your wishes/requirements from the new web app. Because there are many things that can already be done, but using a few ...

mkx

Can I improve the rules further?

I don't really have much experience with switch chip ACLs so I can't give you any further assistance.

mkx

I see native WinBox on Linux in my dream when i sleep ))) Which is why IMO effort should be directed at web applications, not native apps. There's already WebFig ... functionality-wise it's on par with WinBox, so no need to re-invent the wheel. But there's a very important difference, which can not...

mkx

I'm out of ideas ... sorry.

mkx

Your config shows that your ROS is using 192.168.10.1 as gateway. Is this correct? Is gateway allowing traffic?

mkx

Mikrotik is purported to be working on a "multiplatform client" ... US-ASCII works on all modern platforms just fine :wink: For the record: my native language doesn't fit in any western 8-bit encodings, even less in 7-bit US-ASCII, so I'm grateful for UTF-8. But when it comes to networkin...

mkx

Since both ports connect devices in same subnet, they clearly have to be in same bridge. But: simple bridge (no VLANs, etc.) is by default offloaded to hardware so bridge filters can't catch traffic (bridge is executed by CPU, HW offloaded traffic never leaves switch chip). There are two options: 1)...

mkx

If you run comnand

/tool/traceroute 8.8.8.8

what does it show?

mkx

On your router, look in "IP address" and check which IP address is listed for your WAN interface. Then compare it to pubic IP address, reported in various places (cloud is one thing, there are several web pages telling you this information). If they are not the same, then your WAN IP addre...

mkx

If you want any feedback from MT support, then you'll have to open support ticket. This is merely an user forum, hosted on MT's servers ... and occasionally visited by MT staffers. It is not means of official support.

mkx

Out of interest, inSSIDer is reporting signal strength of ~-50 but the hAP ax2 log shows about -20 lower. Why the difference? Each device reports strength of signal received from the link peer . inSSIDer is reporting signal strength of AP, received by laptop. And hAP ax3 reports signal strength of ...

mkx

By default, device considers ether1 to be WAN port and management is not possible via that port. Management is possible via all other ports (including wireless). However: by default it also serves as router and its LAN address is 192.168.88.1/24 ... which conflicts with your existing LAN. The best w...

mkx

WAF?

It doesn't hurt either, so why do you bother?

mkx

What's wrong with server-dns-names property? Used instead of primary-ntp and secondary-ntp?

mkx

I am one of these "others" as well I connect to ISP using SFP module ...

Ah, OK, that explains it.

mkx

I cannot tell difference when it comes to CPU usage on RB5009. Both before and after disabling HW offload it's ~30% when transferring between WAN and LAN @ 2Gbit speed. That's because vast majority of CPU resourdes are used for firewalling, some for routing and only minor portion for interface hand...

mkx

One of possible outcomes of using reset button is configuration reset to factory defaults (which doesn't include CAPsMAN). Another one is to put device into CAP mode.

You can do that also via any of UIs (I'd suggest you winbox as it allows connection even if device doesn't have usable IP setup).

mkx

For many years we have been using "United states" here in Ukraine )) ... We can use 12,13 channels in 2,4GHz, but in real life we have a lot of American gadgets IMO the first one explains the second one. But the second one doesn't explain the first one, using Ukraine country settings does...

mkx

While we wait to be joined by @mkx

Nah, not my piece of pie. There are too many buzzwords in the thread title which I don't do (hotspot, radius, ...).

mkx

Better ask your ISP about possibilities. Either they could configure their router to hand out prefixes (preferrably larger than /64, /60 would be fine), or to bridge mode do that your MT would be talking to tgeir core directly (I guess tgat in this case your MT would receive prefixes). The way it is...

mkx

When someone disables that graphic... doesn't it get removed from the storage?

Only the stats data ... which I guess is a few kB. But graphics library and anything else needed stays installed ... probably most of it is needed for WebFig graphs anyway.

mkx

If someone want to partition, I'd say 64MB would be the minimum acceptable. It might if ROS was changed to use RAM disks more aggressivelly. As it is now, 128MB on audience isn't enough (or it wasn't back in v7.5 times), with 64MB partitions upgrade didn't succeed due to lack of flash space. It's b...

mkx

At Router A, what does the router see.......... It should see source being user from RouterB with destination IP of server on Router A LAn, ( if traffic is sourcenatted, the source IP would be the wireguard IP of B ). The rule I suggested for site B is a dst-nat ... so src-address is not changed. T...

mkx

Can we expect some solution in this problem? The only solution is to forget about superchannel altogether ... it wasn't obeying country-specific regulatory constraints and as such is illegal. Since majority of users didn't care about country regulations (and created havoc), EU (and many other count...

mkx

subprofile can be assigned to main configuration profile, which can be assigned to interface. Subprofile values can be overwritten in main configuration profile, and all values can be overwritten on the interface itself. The problem I an see is that often users consider properties set to empty valu...

mkx

You can make the NAT rule as general as you want. But it may soon break something else. For example establishment of wireguard tunnel (tunnel might drop momentarily while siteA address doesn't change and then wireguard connection may get NAT-ed to 192.168.0.1 which is not accessible until after wire...

mkx

What is connected to such a port?

It could be some device in sleep mode ... often LAN interfaces are configured into 10Mbps half-duplex mode (which seems to require least amount of power). But seeing it go up for a second and then down again is a bit weird.

mkx

But only with an L2 misconfiguration, i.e. if I put, say, ether1 through ether4 in bridge1, set up a few VLAN interfaces on bridge1 and then put them all in bridge2. The problem will be that the moment a packet actually gets bridged between VLANs, it will need to first get flooded to all ports in b...

mkx

The ether1-gateway WAN interface has RA effectively disabled (ra-lifetime=none) On my routers I set "advertise=no" to addresses which are not supposed to be advertised (so no RA for that particular address). And it seems that if an interface doesn't have any address without this setting, ...

mkx

No, hairpin NAT is not the problem here, communication between client on site B and server on Site A has to pass router (actually both of them) in both directions (if it doesn't, then one needs hairpin NAT). The problem here is selection of the route from site B to site A (and back) when client uses...

mkx

So it is the usual case of two very different things that - in order to better distinguish them - are called in Mikrotikish with the same or a very similar name. Sort of homonyms or homographs. Well not really. Routing is pure L3 function and according to that, all devices which MT says support L3H...

mkx

Mkx posted that this switch supports L3HW offloading. You just re-stated that it doesn't. One of the two must be accurate, not both. We're both right ... I already mentioned that L3HW offload in this switch only covers routing, not firewalling. And @chechito is talking about firewalling in his late...

mkx

None of the CRS3XX series of switches then has L3HW offloading if I had to base it on ethernet test results ( very slow ).

Generally I don't really trust test results from MT. So in this case I'd go with documentation, like official L3HW offload manual with its L3HW Device Support section.

mkx

Didn't somebody mention routers a few posts higher?

Just to be clear is HW offloading possible on some routers regarding its chip, completetely different from L3HW offloading discussed for switches?

mkx

I can create a VLAN interface with id=1, that's for sure. But it appears that it's either not capturing traffic, You're right, it's not capturing traffic. Reason being that native VLAN comes untagged off bridge interface while any VLAN interface expects tagged frames on "anchor" side. If ...

mkx

RB5009 doesn't support L3HW offload. On routers that do (those have capable switch chips built in), the L3GW offload concept is the same as on switches. The difference is in the effectiveness of handling traffic which for some reason (e.g. route prefixes already offloaded use up all the ASIC route p...

mkx

Is there a way to make it so that I can browse to A.dyndns.org:81 It may be possible to construct a DST-NAT combination on router of site B which would work most of time ... except in time periods after change of A public IP address (because A.dyndns.org has to be updated and TTL of the old record ...

mkx

Have seen this when you have removed names from userlist and they are pointed at from another setting. I know. I was hinting @OP to remove those because clearly they are remnants of something not needed any more. Probably they are not the reason for problems though, but it's always good to have cle...

mkx

Sirbyran, lets make it real, ..................... @Sirbyran is referring to CRS310 capability of doing L3HW offloading: https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOffloading-L3HWDeviceSupport That makes CRS310 a wirespeed router. But, as he also noted, it can suppo...

mkx

What are these two entries? /interface bridge port add bridge=bridge comment=defconf interface= *6 /interface bridge port add bridge=bridge comment=defconf disabled=yes interface= *7 Does log have anything about wifi24 and DHCP server? Best to reboot device and check log immediately after it comes u...

mkx

Additionally, I've noticed in some tutorials that firewalls are used to block access between VLANs. If I'm required to use a firewall, what's the purpose of using VLANs? This is a common knowledge, the same for all network vendors (in no way specific to Mikrotik): OSI layers can explain some of you...

mkx

What if I use long feeder cables? How can I compensate attenuation? Minimum antenna gain is only fixed for devices with permanently attached antennas. Devices, which only have antenna connectors and one has to use external antennas, don't have it set (or they have it set to 0). I don't think that u...

mkx

Did you check log after reboot (which was supposed to downgrade but failed to do so)?

mkx

Both sfp-sfpplus8 and bond/9+10 are trunk (all tagged) ports. So how are hosts configured regarding VLANs? And, BTW, you didn't post full config. So I'll assume you're just trolling and not expecting to get any usable advice if you won't post full config (sensitive data obfuscated, not left out).. I...

mkx

I'd say it's normal. I see similar stuff on my IPIP links (it also uses IPsec under the hood).

mkx

Do all leases show all-zero MAC addresses or just some? Lease list showing such MAC address usually indicates that the lease was offered but the handshake did not finish. Could be that the devices (webcams) only perform first part of handshake (getting lease offer) but not the second part (mutual ac...

mkx

when i /system/packages/downgrade the system reboots but doesnt downgrade to 7.13 You have to manually upload NPKs for all packages currently running (e.g. routeros and wireless) for the target version and correct architecture. then execute "downgrade" and reboot. After router boots up, i...

mkx

You want to use EOIP to bridge vlan500 interface on HQ mikrotik and whatever vlan interface (can be 500 as well, I don't see a reason to have it different) on branch office mikrotik.

mkx

(I also don't quite like how the router has to have a separate address for each VLAN, this seems pretty unnecessary) It seems that you don't quite understand the (V)LAN concept, do you? I haven't read your explanation in depth, just skimmed it ... and it seems to me you want to have a flat LAN, so ...

mkx

Show us the config. From what is shown so far and what you explained it seems like IPv4 is being routed while IPv6 is being bridged ... but only look at config can tell what you actually have.

mkx

How about showing complete config of your switches? What you've shown is not complete. And since you don't know where the error is, I don't think you can decide which part of config is relevant and which isn't. But I agree that you have lots of holes in your VLAN setup (and errors as well), so it's ...

mkx

Generally the argument to give clients real DNS is some clients is additional caching slows upstream changes from appearing as quickly (e.g. since there cached, clients have to wait for the TTL to expire and unable to "force" DNS to re-resolve)... Every recursive DNS resolver (including y...

mkx

You can't bridge L2 networks (that's what VALNs are) over L3 (IP) just like that. You need some L2 tunnel, running on top of L3 ... in MT world (both routers are MT according to your description) that's EIOP. Beware that EOIP alone doesn't encrypt traffic, so you may want to run EIOP on top of IPsec...

mkx

As @normis said: this function is intended to detect (and autoconfigure to certain extent) WAN-facing interfaces (which is a very good thing). However, the experience is that detection success rate is lower than we would all love to see and when it fails, then the whole router starts to behave in ra...

mkx

You can do the ring. But make sure RSTP is enabled. And I suggest you to make bridge priority on CSS, connected to uplink, lower than the rest of devices (e.g. to (0x)4000) so that it wins root bridge selection ... selection about which segment of your fiber ring will be disabled will be made relati...

mkx

But, a few devices now cant connect to the new wireless network: Another thought: did you try to remove those devices from your wireless network and re-add them? I seem to remember this was necessary on certain smart phones (but not all of them ... all running various versions of Android) when I st...

mkx

You should enable CCMP cipher - screenshot shows that note of ciphers are selected and I don't know what's default.

Also try to disable FT, it's another AP capability which some clients may trip over.

mkx

If you have bridge with vlan-filtering, then something like /interface/bridge/host/print where vid=<vlan id> where <vlan id> is VLAN ID you want to query. Another possibility (not sure if it's available on all ROS devices): /interface/ethernet/switch/host/print where vlan-id=<vlan id>

mkx

There are a few settings available in new wifi configuration which might upset older stations (in no particular order): enabling wpa3 authentication type enabling anything but "ccmp" and "ccmp-256" as encryption type setting "management-protection" to anything other tha...

mkx

One prerequisite is to have wireless package installed on RB4011 (not wifi-qcom-ac ... which drops support for 2.4GHz radio on RB4011 anyway). Then you have to configure things in /capsman configuration subtree. When everything is configured there correctly, you should be able to put your cAP ac int...

mkx

... but I can ping and get access from VLAN 10 to 11 ... In addition to what @CGGXANNX wrote also note that due to how firewall works, router will respond to pings regardless which of its IP address is being targeted (e.g. pinging router's address in VLAN 11 from a client inside VLAN 10). It is pos...

mkx

Could the "memory leak" be due to 0 disk space available?

It might ... because ROS might be caching writes to flash. AFAIK that's not what linux kernel usually does though.

mkx

I've set pool-prefix-lenght=64 on the dhcpv6 client, but did not made a difference. From various posts about my KPN ipv6 settings, I always found 48 to be used and I see the prefix I get is also /48. My feeling tells me that 48 is all I will get? The pool-prefix-length property sets the prefix size...

mkx

The port that you should NOT (normally) use for netinstall is ether1 (or anyway WAN ports) try one of ether2+. See: https://forum.mikrotik.com/viewtopic.php?t=206301 Wrong. Netinstall is always done via ether1 (which is usually WAN port) ... and this includes devices with single (management) ether ...

mkx

Try these steps:

Disconnect everything
Start netinstall on linux machine
Connect ethernet cable brtween PC and ether1
Press reset and keep pressing it until step #6
Plug in power plug
When netinstall executable on linux machine detects hAP ac2, release reset button

mkx

Guess it is a good idea to set up the router from scratch. Before[*] starting from scratch, have a look at this tutorial to get an idea about how VLANs are properly done in ROS. [*] I wrote "before" not because you shouldn't tear your config apart but to learn how to do it properly from s...

mkx

Netinstall does work in vast majority of cases. But it's a very fragile process (a bit less so if using linux netinstall) so it may take some (or many) tries to make evrything click together.

mkx

Set pool-prefix-length=64 on your DHCPv6 client.

And why all those advertise-*=no in ipv6 nd setup?

mkx

Post MT's config. Without it it's not clear what you mean by saying "I am using DHCP on VLAN"...

mkx

With incorrect VLAN filtering setup you can easily loose MAC access to device ... so if doing something you're not comfortable with, it's smart to take one port off bridge and add it to the list with allowed MAC access ... that port would then be immune to whatever errors one might do in bridge conf...

mkx

That's right. CRS326 is not bad (its L3HW offload is impressive) but CRS317 is way better.

mkx

For L2 they both do wirespeed on all ports simultaneously. Difference is in bridging (software L2, usually not necessary) and routing.

mkx

The idea is to have some storage to run few networking containers like traefik, dns server, mdns repeater As I wrote elsewhere before: why forcing router to become general-purpose device while there exist more cost-effective and versatile solutions (from Raspberry PI to x86-based servers of various...

mkx

FTC11XG is a SwOS device so it provides very little management possibilities by itself. Since your SFP module is ONU, it needs quite some configuration (and that can't be done via SwOS). The only thing that SwOS can do is adjust SFP+ port speed to what ONT module expects/requires. Many of those SFP ...

mkx

For one it very much depends on ROS version running on both devices. In addition it depends on which of optional packages are installed on cAP ac. After you provide this information, we can go further.

mkx

When using polarized antennas (they all are) it's important to perform measurements when polarization planes of both antennas match exactly. If using 2 chains on one side and both antennas are at some angle (ideally at 90° angle), then they'll both contribute to reception even if the other party onl...

mkx

I'd say that ROS only supports BT hardware vased on chipsets akso used by hardware made by Mikrotik. I could only find references to Quectel's BG77 in this context. So I guess that if you find a BT modem, based on this chipset, it might work. What you see is not ROS support, only generic USB enunera...

mkx

If the other WAN addresses are not router towards your NAT device[*], then you need to set those addresses explicitly on WAN interface. NAT only kicks into action after packet was already delivered to the device. NAT configuration does not affect the way packets are handled before they are received ...

mkx

I would expect the DHCP client to have gotten an IP as well? Where from? That would work only if you had another DHCP server running on network, attached to bridge. But then I'm why woukd you need anotger DHCP server (running on your L009). No, it doesn't have any sense to run both DHCP server and ...

mkx

So if the EoIP terminated at some central router, it be able to see anything with RoMON enabled – even if it's two hops aways (e.g. hub router --(eoip)--> remote --(etherX)--> ap).

Wouldn't this require bridge between eoip and etherX on remote device?

mkx

Was just hoping for some shortcuts here, is all. No, there are no shortcuts. Adding VLANs is the same as building a completely new physical network (including laying cables and adding switches). Even worse, you have to break things "to make space" for new setup. When doing that, it's hard...

mkx

But I'm very curious as to what Mikrotik support has to say on this. In release change logs for 7.14 MT repeatedly states that wireless package size got smaller. The issue is that during ROS upgrade, storage usage is temporarily slightly increased and if storage is almost full before upgrade, the u...

mkx

Intended behaviour is to provision local interfaces on CAPsMAN devices locally. This is not a problem since local wifi provisioning and capsman (can) actually share same configuration profiles. This wasn't a case with legacy wireless where it did make sense to let capsman provision also local interf...

mkx

Just try 5180 and see if it works. For some reason now it works but I haven't put anything in the frequency field yet. In the Status tab it says Channel: "5220/ax/eeCe" Yup, it's the same "sweet" 80MHz band (between 5170 and 5250 MHz; mind that frequencies shown and used through...

mkx

Are Tenda routers, on their WAN side, configured to use tagged VLANs? If they are not, then you have to configure access switches (the ones between ONUs and Tendas) and nake Tenda-facing ports as access ports for appropriate VLANs (and keep ONU-facing ports configured as trunk/tagged-only ports).

mkx

thanks for the response. When you say I'd say that gateway address in /ip dhcp-server network should be 10.10.10.1 ... does that mean that the "gateway" address is always on the near end of the link in the separate subnet? Gateway setting in DHCP setup informs DHCP client (i.e. the far en...

mkx

forward: in:bridge out:up-etisalat, connection-state:invalid src-mac 30:9c:23:28:5e:0d, proto TCP (ACK,RST), 192.168.88.19:52394->52.210.81.44:443, len 40 or forward: in:bridge out:up-etisalat, connection-state:invalid src-mac 30:9c:23:28:5e:0d, proto TCP (ACK,FIN), 192.168.88.19:52383->52.210.81.4...

mkx

After the lease is made static, it's possible to edit it, e.g. set a different IP address. Just keep in mind that changes in lease settings aren't pushed to client, they are only taken into account after client tries to renew the old lease.

mkx

This doesn't seem quite right to me: /ip dhcp-server lease add address= 10.10.10.10 client-id=1:b8:69:///:aa mac-address=\ B8:69:F4:47:5D:AA server=server10 /ip dhcp-server network add address=10.10.10.0/24 gateway= 10.10.10.10 netmask=24 I'd say that gateway address in /ip dhcp-server network shoul...

mkx

Mikrotik could have not made a "wifi-qcom-ac" driver

I'm glad they did ... because it allows me to get rid of all wireless drivers, I'm using my hAP ac2 as router only. And it allows me to unleash full wireless power of Audience (OK, this was achieved by wifiwave2 already).

mkx

EOIP works between two IP addresses and doesn't care about how its packets move from point A to point B. So one can use any kind of connectivity to do the job. Since EOIP doesn't do any encryption, it's wise to use something that does it. IPsec is fine, wireguard is fine, etc.

mkx

Default firewall fiter rule set folliws the "allow needed, drop the rest" concept, although the last rule in chain=forward is formulated in a bit cryptical way. Too bad that some people eradicate the default firewall setup only to replace it with a pile of garbage. Instead of adjusting def...

mkx

Anav where did you get the 15% from?

Seems that VAT rate for fire-breathing donkeys is higher in NS ?

mkx

I'm not saying that I'm not ubiquiti man ... you may find one mkx on the forum you linked

(no, you won't, not this one)

mkx

I've no idea how nanostation is to be configured ... I don't know any Mikrotik by that name ...

mkx

No need for NAT on nanostation. However, often firewall config on client computers considers anything outside own subnet (as determined by network address and mask) to be "evil internet" and is thus blocked. NAT on nanostation would help to overcome this problem (making clients believe it'...

mkx

You'll have to add WAN interface to bridge and convert bridge into VLAN-aware entity. Tge untagged internet access you have currently on separate interface will become access port of a dedicated VLAN, current LAN ports will become access ports of another dedicated VLAN. Actually your current WAN por...

mkx

I have some suggestions that the reboot is due to overheating of the processor, the frequency is once every 3-4 days... The suggestion you are mentioning goes directly against the log line saying "out of memory condition was detected" ... which indicates a memory leak (and there are repor...

mkx

Check the actual 5GHz frequency used while your hAP ax2 seems not to be working. With recent ROS releases, ax devices seem to prefer highest frequencies (when left at auto selection) and not every client supports those.

mkx

The ALCATEL "LACP" part - that is MLAG and not LACP. I disagree. From Alcatel device point if view the links are in LACP mode. Even if all three devices were by same vendor, the bottom one would have to be configured as LACP peer of the upper pair. However, both CRS518 have to be aware th...

mkx

It might have model names hard coded (so it might not perform hardware detection routines). And it's different than your case: if device had wifiwave2 installed previously, then legacy wireless (was part of core package back in time) was disabled ... hence legacy capsman could not be in use (and thi...

mkx

See my post #7 above.

mkx

Because installer is a very simple one ... in most ROS versions (up and including 7.11 and 7.13 and later) it simply downloads and installs the very same packages as already installed. MT went all overboard with installer in 7.12 which knows the following 3 cases: wifiwave2 installed and device is o...

mkx

In screenshot 2 ... select router first and then package ... or this still doesn't do the trick?

Also make sure that the routeros npk file you have available is for the CPU architecture of your RB750 (it seems that RB750 is MIPSBE but verify yourself).

mkx

Personally I'd upgrade using ROS built-in updater as far as it goes ... and upgrade routerboot as it goes. Running ROS v7 requires routerboot which is not ancient (6.45.7 might be fine, but to be on safe side ...). Next: if you want to upgrade from v6 to v7 using built-in updater, you have to set ch...

mkx

The installer doesn't analyze actual configuration of the device hence it doesn't know whether capsman functionality, included in now separate package wireless, is needed or not. To be on safe side the package is installed even though device doesn't have wireless hardware.

mkx

@Amm0: exactly, proper setting would be something like propagation-delay-max with integer setting (>=1) and unit of microseconds (and 10km would roughly translate into 33 microseconds). But imagine chaos this would cause among most AP admins. Constant indoor would translate into 1 microsecond or aro...

mkx

The signal strength, reported with disconnection events (around -30dBm), is very high. Does the same happen when there's some distance between AP and station? Healthy signal strengths are between -50dBm and -60dBm.

mkx

But would then it be speed of light in vacuum or in some thick air with large refractive index?

mkx

These NAT rules should be fine. If you can set up routes on "WAN" side and PLC address space doesn't clash with addresses on WAN side, then you could set route (dst 192.168.0.0/24 gateway 10.40.100.X (where this address is router's WAN IP address). Then you only need single SRC-NAT rule: /...

mkx

well, your issue is all about "skip-dfs-channels=all". In the heart of an incredibly RF and people dense city, in a huge apartment building, I don't have a choice but to use DFS channels. Well, then set this to skip-dfs-channels=disabled ... only then will your ax3 try to use DFS channels...

mkx

First of all, I'm glad you found the problem. BTW, when I tried updating software it said 7.12.1 is the highest version possible. However, when I want to download netinstall there is 7.14.1 Stable available as default... Should I go with that or rather use 7.12.1? 7.13 came with breaking change (wir...

mkx

Does Mikrotik have some models with PoE-out with 12V? Any device with passive PoE out and which can be powered using 12V power adapter. But I suggest you not to go this way. If you absolutely have to power ZTE via PoE, use passive PoE injector (MT's own RBGPOE might do the trick) and use dedicated ...

mkx

I'll start from the scratch and check step by step when the connectivity fails, hope I'll find out. That's something I was about to suggest you. Start by netinstalling the switch and try to progress at desired setup without taking turns. There were cases where visible configuration of device (the o...

mkx

CAPsMAN for legacy (wireless) and wave2 (wifi-qcom ...) radios are two distinct entites and have to be configured separately. With ROS 7.13+ it is possible to run both CAPsMAN instances on the same device, but it needs legacy wireless package installed (even if device itself doesn't have any wireles...

mkx

If reset button is indeed disabled[*] (a.k.a. protected routerboot), then your RB951Ui just became e-waste. [*] In theory it's not possible to enable protected routerboot without physical access to device, so it's unlikely that remote hacker did it. If you didn't do it yourself, then it still should...

mkx

Signal strength of 50 is quiet impossible as far as I know. In theory it's possible, but in practice not so much. It would mean that Rx antenna is pumping 100W worth of signal into receiver. Not many WiFi devices can transmit at that kind of EIRP and as soon as there's some air gap between Tx and R...

mkx

If flash is full (or there's only very little free space), then changes in config are not (successfully) saved to flash any more. One has to make some more space. Either by removing some files (e.g. old backup files). Or if there are some optional package files installed, uninstall one (it can very ...

mkx

L3HW offloading only works between if all routes reside on same bridge. It seems your WAN is on off-bridge interface sfp-sfpplus1 .

mkx

Your wish goes against established operation and good practice. All configured DNS servers are supposed to return same results to any query. Hence when multiple servers are configured, then DNS client (resolver) is free to use any of them with no particular affinity. Most use one server for all quer...

mkx

I think it was said that min-antenna-gain depends on factory software version (or was it routerboot version? ... lately it's the same, so ...). My audience says "factory-software: 6.45.8" and "factory-firmware: 6.47.9" (which strikes me odd to see such a huge discrepancy in these...

mkx

Are your LAN devices (in all VLANs) set up to use CRS317 as gateway?

mkx

I found one that works: 5735-5895

Beware that these high channels are recent addition and not all station devices support them.

mkx

You can't "invent" frequency settings ... so go for 5260.

Frequency setting in MT is center frequency of control channel (so if setting frequency to 5260, set band to Ceee).

mkx

Management often equals winbox connection with multiple windows open and refreshing stats.

mkx

Now when you say single core CPU, the systems I have in mind will definitely have 6 cores at least, not because I have some absolute requirement but simply because they come with these and there is no way around...Since I will be using VMware Workstation pro with the CHR (if I go with it) are you s...

mkx

2.4ghz Scan shows that neighbours are well educated and mostly operate in 1-6-11 pattern. You should stick to it as well, channel 11 (2462MHz) seems slightly less loaded. And don't try to use 40MHz channel 2.4GHz band (outside deserted areas) simply doesn't have enough band width. Channel utilizati...

mkx

On layer2 interfaces are isolated. So possibility of leaking frames is slim. If frames do leak, it's probably due to errors in configuration.

Also note that without special config, router will pass packets in all directions and L2 isolation alone can't do magic.

mkx

. . . For extras there are USB ports, SD slots, M.2 slots, mountable disks, etc. . . . On the ax2 device ? Let me quote @strods for you: Usually, if you need more, then you most likely need more powerful device. And "power", in a sense, is also ability to attach useful peripherials. In th...

mkx

I recently upgraded my CSS610 to SwOS Lite 2.18 after just looking at the web gui for an unrelated thing. Had no idea there was an update available and was thinking, since the web-GUI does a check for a new version and also finds the version and release date, can this info not also become available...

mkx

Now I wonder if it was legit pumping a watt worth of signal into the antenna. It wasn't legit. Country regulations are limiting EIRP which includes antenna gain (and cable losses if there are any) and with antenna gain of 4.5dBi this means your Audience transmitted with EIRP of 34.5dBm (which would...

mkx

1) Default setting is frame-types=admit-all ... so if it's not changed explicitly according to needs, it'll remain that way. 2) Do as you see fit. IMO access to management VLAN should be as restricted as possible but also depends on particular use case. 3) Bridge is (also) interface which allows ROS...

mkx

My Audience running 7.13 says about Panama: ranges: 2402-2472/36 5735-5835/30 5170-5250/30 5490-5730/24 5250-5330/24 And that's what ROS will observe. Yes, it may happen that allowed EIRP table in ROS is not correct. But also sometimes there are certain limitations (e.g. TPC) and if device doesn't c...

mkx

The goal is to reduce MSS to value which fits MTU. Because many routers don't do fragmentation (it's CPU intensive and IPv6 doesn't allow it), MSS has to be low enough to allow packets pass end-to-end. Since a working value for MTU is 1420, this translates to MSS value of 1380 (1420 minus TCP and IP...

mkx

Is there a way of running an Internet speed test directly from a RouterOS device ... ROS' own bandwidth test is a pretty CPU demanding application and is often limited due to that. So in essence it doesn't correspond to device performance (when device is used as switch/router) and frequently it doe...

mkx

It simply means that when these ARM devices were designed and released, such package did not exist yet. Neither did exist the advanced SMB (from ROSE) nor DLNA nor wireguard ... and yet you (MT) are pushing these (among other things) into base package. If anything has to be done (and I'm glad it's ...

mkx

Is it possible to do roaming between asus and mikrotik? If yes then maybe you could use both on different channels. As long as all security settings (and SSID) are equal, you should be able. Just beware of what "roaming" means. In answer by @erlinden, "roaming" means that statio...

mkx

For now, 16 MB are still enough for each and every device with 16 MB chip to run the system as intended for the particular model device. So you're saying that e.g. hAP ac2 was intended to offer wifi4 performance even though it's got wifi5 hardware? Because that's what one essentially gets when usin...

mkx

This setting /interface/bridge/add pvid=4094 frame-types=admit-only-vlan-tagged name=bridge # Best practice don't set pvid=1 doesn't change a thing ... PVID setting is irrelevant when frame-types property is set to admit-only-vlan-tagged . In addition, it only applies to bridge CPU-facing port , not...

mkx

CCR2116 sounds a great upgrade, may i know what's the limitation, please? The price is even cheaper than my CCR1036, most important of all, any PSU failure posts about CCR2116? As I said, the switch chip.. CCR2116 can do L3 HW offload, so in certain (almost trivial?) conditions, ASIC (switch chip) ...

mkx

I checked my faulty replaced PSU with multimeter, it shows 23.6v... Marginal PSUs, which cause issues with connected devices, tend to show acceptable output voltage when idle. However, they tend to drop voltage when they are loaded. And they tend to supply voltage which is not very well regulated a...

mkx

1. My CCR1036 is not in high demand, only a few people will connect through it, therefore, i already adjust down the CPU frequency to lower the operating temperature. However, consider the capacitor overheating theory, the heat comes from the nearby power transistors to regulate the current, it see...

mkx

Yup, devices with less than 32MB flash and more than 32MB RAM have their "storage root" in RAM. To verify that this is indeed true, check contents of storage root ( /file print ), if it contains folder "flash", then this scheme is in power. And upgrade packages are always downloa...

mkx

Setting locally on the 'offender' and then re-provisioning it, it didn't help. I am wondering why not, and is this a bug?

Probably it's a feature. After all, CAPsMAN is supposed to provision radio interfaces (to their fullest), leaving antenna gain out would be a bug I guess.

mkx

Indeed.

mkx

As the linked article says: on your device, you need basic routeros installed and optional package named "wifi-qcom". After you get these packages installed, I suggest you to reset router to factory default config. The rest of configuration is done in /interface/wifi (I believe that's WiFi...

mkx

And the "wifi-qcom-ac" can still be used on Audience and RB4011, even if it has "unneeded" drivers for IPQ-4019 since that prevent breaking folks already using wifi-qcom-ac on 16MB today. Audience has both IPQ-4018 (used as SoC and for 2.4GHz + lower 5GHz radio) and QCA9984 (for...

mkx

The required upgrade path is expressly for in-ROS upgrade (because old ROS needs to fetch extra packages / packages with different names). Has nothing to do with installation of packages, manually uploaded to device. A gotcha though: IIRC one had to upload package files for all currently installed p...

mkx

... is necessary to have QCA9984 which is only for RB4011iGS+5HacQ2HnD-IN ...

... and for RBD25G-5HPacQD2HPnD (Audience). Admittedly Audience has flash larger than 16MB as well.

Search found 12008 matches