MikroTik

mkx

I've no idea about exact radiation patterns of those sticks. I have a suggestion: cut it to half (both along the long axis and perpendicular), take a few good photos and post them here. Then we'll start to guess about possible radiation patterns :wink: Without that, my guess is that the only orienta...

mkx

Think of AP if it was a switch and each connected station connected to separate switch port. And additional uplink port (which is wifi interface, usually connected to device's bridge). This "AP switch" is implemented in wireless driver. When default-forwarding is enabled, then "AP swi...

mkx

When setting up IPv6, one usually sets a proper (i.e. not a link-local) IPv6 address to individual interfaces. When VLANs are in the mix, this means assigning IPv6 address to vlan interface. And MT router will, by default, send out router advertisements on interfaces with proper IPv6 address. So if ...

mkx

When mentioning ether1 I meant config you have. Having it as bridge port of main-bridge in principle includes tagged traffic as well, even though you have the vlan interface attached to ether1 port. If you had vlan filtering enabled, then you could filter tagged frames from entering main-bridge, but...

mkx

Have a look at the excelent tutorial on how to do VLANs on Routeros, in particular Router on a Stick section . Switch has to be configured appropriately as well. If fiber modem works as untagged device, then configure switch port connecting it with "default vlan id" (or PVID) so that switc...

mkx

The VLAN setup is funky. You really should be using single bridge, have a look at this tutorial. In particular, use of ether1 (interconnect interface) is not fine.

mkx

DFS, a.k.a radar detection. On certain channels AP is required to listen full 10 minutes before it can start to transmit.

mkx

Increasing antenna gain and decreasing Tx power has same end effect. Normis explained in a post a few years ago (I can't find a reference, but I remember the contents very well) that wifi radio chooses actual Tx power to be the lowest of these values: country EIRP limitation less antenna gain Tx pow...

mkx

Actual loss happens on mikrotik ... packet somehow arrives at port Tx queue (another name for FIFO buffer) where it's discarded. So it's never attempted to pass to SFP and SFP knows nothing about it (not even that it was dropped). PPPoE is, in this case, payload of discarded packet. PPPoE interface ...

mkx

In that case, I'm affraid you're screwed.

mkx

Create 3 bridges, one for each LAN ad assigne ethernet port to each bridge. Configure 2 port as trunk for VLANS Use Wireguard to access my BR2 from everywhere If it is possible, configure the router as VPN Client I would like to connect the Cisco switch to the router using SFP or Ethernet Port usin...

mkx

Tx queue drops mean drops caused by Tx buffer being full because port could not transmit frames fast enough to keep the pace with rate of frames being queued for transmission. This kind of errors is not due to state of physical link and thus receiver (in this case it's SFP) can not see any sign of ...

mkx

The problem when creating firewall rules is that one needs to know exactly what traffic is expected - which combinations of remote_ip/remote_port will be used for connections. For windows defender tash is much easier as it can be configured to allow certain executable to open communiaction ports (an...

mkx

But I can't find out what the port "switch1-cpu" is for and when should I add it to a vlan or not? It's the window through which ROS (running on CPU) can communicate with (V)LANs handled by switch chip. On ROS side, that's bridge interface in your current config. On a typical switch you n...

mkx

For your goal, you need to enable "Ingress Filtering" on every port you want (not just the bridge's interface itself). With that enabled, an ingressing frame is checked against its VID and if the port is member of this VID. If no tag is there, the PVID is checked against. If the port is n...

mkx

A question: which switch model exactly are you using? There's no such thing as CS108 ... it might be CRS109 or RCS309 ... and these two need to be configured in different way to get wirespeed switching ... But in neither case it should be necessay to mix configuration in both /interface/bridge subtr...

mkx

Just a word of caution: 80+80 is not the same as 160. And if I'm not much mistaken, ax2 doesn't support any of these variants.

mkx

Much more readable configuration is shown using command "export" ... only rarely some things are missing (such as dynamic addresses, etc.). Please provide those exports.

mkx

Exactly for reasons I'm mentioning (the device-specific bits) you can't get a complete .bin file, that would mean cloning a device and that's not good (not only because of cloning license, there are other, more technical, issues involved). I suggest you to get in touch with support, they might be ab...

mkx

My goal is to reduce power for 5Ghz roaming, so that far away devices stay connected to 2.4Ghz instead of going back and forth. I don't think this will solve the ping-pong problem ... it'll just move it closer to AP (or even prompt brain-dead stations to remain on 2.4GHz even when really close to A...

mkx

It's a calculation: EIRP (which is Tx power + antenna gain) must not exceed country limitations. hAP ax3 on 5GHz has Tx power anywhere between 20dBm and 28dBm (depending on radio symbol rate). If talking about fastest rates, where lowest Tx power can be used (20dBm), and when using channels without ...

mkx

So my understanding is this should work when using a bridge that has been already attached to a VLAN? Depends how you deal with VLANs on bridge. Essentially: if you have bridge with VLAN filtering enabled, then currently the only option si to (manually?) add wifi interface to bridge as port with PV...

mkx

I can upload certificate but connection can't establish correct ... I'd say that it has something to do with key type, used in certificate. ROS v6 is pretty outdated with regard to support of security features (encryption protocols, key types, etc.) and it could be that recent windows servers depre...

mkx

Your hEX should be able to route at 100Mbps (it ma peak at around 300Mbps). But that's true with optimal config. With non-optimal config, it's routing capacity can drop to any number and it's impossible to say why in your particular case it can't reach 100Mbps. There's additional gotcha: the mention...

mkx

I think you really should communicate about this directly with support of Mikrotik (e.g. via email support@mikrotik.com). Your issue is a ROS intrinsic, forum users can't help you with it and MT staffers don't necessarily visit all the forum threads, so they will likely miss your post/question.

mkx

Mikrotik is a L3/L4 firewall. It has some L7 functionality, but that doesn't work at all if connection is encrypted (and modern web browsing uses https, so it's encrypted). Ergo, your request can not be fulfilled on Mikrotik firewall. You really should try to implement this kind of security on appli...

mkx

I don't know if it's possible to actually see the custom init script. However, the way export command works is it shows differences between current config and default. So a test would be to reset such unit to defaults (which includes custom init script) and create an export. If such export contains ...

mkx

I still cannot get VLANs working for hAP Ac2 and virtual access points for v7.13beta. Yup, it's documented behaviour. See new WiFi manual under "Replacing 'wireless' package" -> "Lost features" here are quite a few of us hoping that this feature will come back (or rather, will b...

mkx

Where exactly does it break? Is it upload phase or certificate import phase? Describe how exactly are you doing the failing phase.

And a suggestion: upgrade ROS to latest long-term version (6.49.10).

mkx

I believe that fwf file is in a kind of proprietary pseudo-flash file. The flash uploader (built in ROS) probably interprets that and writes it to flash the way it should be done. So those fwf files are not usable for generic flash writers. One thing that ROS updater definitely does is it avoids fla...

mkx

I think it will. Because incompatibility is between wireless and wave2/wifi drivers. And it's (indirectly) documented in Replacing wireless package section of new wifi manual. The 7.13 wifi driver is renamed (and enhanced) wifiwave2 driver from earlier v7, so it's compatible with it (to extent of fu...

mkx

Tx queue drops mean drops caused by Tx buffer being full because port could not transmit frames fast enough to keep the pace with rate of frames being queued for transmission. This kind of errors is not due to state of physical link and thus receiver (in this case it's SFP) can not see any sign of t...

mkx

Divide the number 3 subsequent times by 1024, a bit of free mental training :) Now days every disk manufacturer uses decimal "human readable" prefixes ... it makes "human readable" number higher (roughly by 7.4% when talking about Giga bytes). And in modern times there are even ...

mkx

Config says you're using legacy wireless driver on hAP ac2 ... upgrade that device to 7.13beta, it allows you to use wifi-qcom-ac driver (essentially wifiwave2, but slimmed to fit on hAP ac2). I know that using station-bridge mode between station and AP which don't run same generation of wireless dr...

mkx

And, damn it, I just realized that this is not an AX model so wifiwave2.npk is not needed at all.

wifiwave2 (up and including 7.12.1) is known no emit (spurious?) error message about default config.

Chateau 5G doesn't require wifiwave2 package, but will surely benefit from it. I'd put it back.

mkx

And, freezing temperatures, such as -32°C?
I think the chip will make it hot enough to withstand low temperatures.

If power accidentally fails during low temperature periods, then device will freeze to death. Literally.

But I agree on high temperature issues being more probable.

mkx

I have hard time understanding what exactly is the issue? And how exactly things are connected together? Is nginx-proxy-manager in the same subnet as internal hosts?

mkx

I just had a look at config of appr1-dsw1, I'll assume the rest suffer from same errors. Here's a brief list of things done wrong: no need for multiple bridges (MGMT is on different bridge, which doesn't have any access towards the rest of network) no PVID setting for access ports there's no need fo...

mkx

What's not correct by displaying exact size in bytes instead of some rounded multiple?

One thing is your request for option to have size displayed in MB / GB / TB, another thing is claim that CLI current behaviour is not correct.

mkx

Still getting CRL fetch failed: http error: Network unreachable for: http://x1.c.lencr.org/ It's not ROS problem, it's web site problem: $ telnet x1.c.lencr.org 80 Trying 23.205.191.135... Connected to e8652.dscx.akamaiedge.net. Escape character is '^]'. HEAD / HTTP/1.0 HTTP/1.0 400 Bad Request Ser...

mkx

@riy: what's wrong with instructions in post #5 above?

mkx

Oh, since when does this minor detail matter? I thought that turning off LEDs is THE thing and the rest doesn't matter? I used to keep a RB951G inside a hard-wood (oak) under-TV cabinet and wireless worked just fine in the same room with cabinet doors closed (signal strength around -60dBm at my chai...

mkx

Closing cabinet door dims all leds (front and back) in a quickly-reversible way.

mkx

In such case, I'd be curious to see output of /interface/wifiwave2/actual-configuration/print detail ... specifically channel.width . I wouldn't drop dead if actual channel width would turn out to be less than configured in order to avoid radar detected on the lower channel. The thing is that AP is ...

mkx

Since ROS v7.12, ssh keys of type ed25519 are fine. Recent OpenSSH versions deprecated whole RSA algorithm family. And IMO enabling it is not necessarily a bad thing (if it was such a bad thing, it wouldn't be supported any more) if one uses it only to connect specific remote hosts (i.e. use actual ...

mkx

Close the cabinet door?

mkx

As mentioned the only other way I can think of is creating a VLAN interface at the Switch end of the trunk for the management VLAN and sticking a DHCP client on that. Nope. Since trunk port is member of bridge, then any other business with that port is strictly off limits. Instead you should config...

mkx

On hAP ac2? I'd say it only depends on Tx power setting. Both radios are run by same wireless chip inside same SoC. Due to lower free.air loss in lower frequencies I'd expect slightly better coverage of 2.4GHz radio, so you might be able to reduce Tx power slighly and still get same coverage. By all...

mkx

I looking for a CRS326-24S+2Q+RM Bootloader (FWF file)

It's included in each ROS system package file ... after ROS is installed, FWF file is available to upgrade routerboot.

Why do you want the file explicitly?

mkx

Hard to verify (I'm beyond 6.x since ages), but it could be that 7.11.2 has slightly smaller footprint than 6.4x (you're starting from) so there's more space for whatever temporary files ROS needs to overwrite itself.

mkx

In my working case, ISP is giving out (dynamic, but doesn't matter much) /56 prefixes via DHCPv6 prefix delegation. The I'm using /64 address for LAN interface and none for WAN interface (routing is done using link-local addresses). DHCPv6 client automatically adds route such as this: Flags: X - dis...

mkx

You need SFP+ modules for both sides (SFP without + only goes up to 1Gbps). You have a choice of using either ethernet cable (UTP cat7) or fiber optics (either multimode or singlemode would do), but ethernet is limited to 30m/90ft and even on shorter distances it tends to downrate link (2.5Gbps woul...

mkx

Have a look at Back To Home, it might help in your case. I'm just not sure if hAP ac lite is supported (already), additional architectures got supported with latest stable releases of ROS.

mkx

But my configuration can't have fast track If you really can't enable fasttrack, then RB3011 won't be much better. My hAP ac2 (a slightly better performer than RB3011 if one can trust official test results) can route at 1Gbps with fasttrack (with CPU cycles to spare) but only around 350Mbps without...

mkx

But the same specs page you linked above lists 128MB ... hmm. You ok? I bought over 100 of them and they were all 256MB! hAP ac2 (I believe it's almost identical inside apart from number of ether ports) has officially 128MB RAM. However, some early batches came with 256MB RAM (I happen to have one ...

mkx

Whenever AP decides to use some DFC channel, it has to do the listening (some channels 2 minute, some 10 minutes). Only if AP doesn't detect anything remotely similar to radar it can start using it. If it later detects anything remotely similar to radar, it has to stop transmiting at once and enter ...

mkx

I'm saying that wifiwave2 (and its successor wifi) is under active development. Some config options might exist, but the functionality is yet to come (doesn't happen often, but can happen), options might still exist but functionality is getting deprecated ... or options exist, but the way they affec...

mkx

There might be brain-dead network gear (managed switches, APs) which support VLANs but not for management access. For those one has to use hybrid ports inside LAN infrastructure. However, many (if not most) support using a dedicated VLAN for management access ... and that allows to get rid of untagg...

mkx

There are two, incompatible, versions of CAPsMAN used currently: legacy capsman which can control cAPs running legacy wireless driver and new capsman which can control newer wave2wifi devices. The ones you're mentioning in your post (hAP ac2, hAP ac3, hAP ax2) are all capable of running new wave2/wi...

mkx

Is it the same if I connect from the sfp port? Yes, all ports are connected to switch chip, that one in turn is connected to CPU (doesn't matter that both main parts are in same SoC). https://i.mt.lv/cdn/product_files/CRS112-151027100733_151033.png But your main problem is not device topology, the ...

mkx

If the existing setting gets ignored, what good is it then? Let's be patient and see what 7.13 stable brings us, shall we?

mkx

hAP config has nothing about VLANs so according to config, it should not touch tags at all. I'd netinstall hAP ac2 to be 100% sure it's really VLAN-free (it seems that occasionally the internal configuration database gets out of sync with visible configuration and proper reset clears it ... reset to...

mkx

The reason is that CRS112 is antiquated switch (which happens to support routing functions but at low sppeeds). It's not listed under "archived" hardware on MT page, but it's antiquated nrver the less. Just to be clear: it's still strong if used as proper 1Gbps switch, but for routing it w...

mkx

New wifi driver (wifi-qcom and wifi-qcom-ac, but the same was already in original wifiwave2 driver) can't tag/untag frames. ... What is doing the tagging/untagging then? The RB5009 does receive tagged frames on the ether7 interface and the stations connecting to the wifi networks do not see any VLA...

mkx

IMO things around (new) wifi are very murky right now. 7.13beta bringing wifi separated into different packages is IMO proof that MT is in the middle of serious reworking of wave2/wifi ... so we'll have to be a bit patient and wait to see what will come out of this process. I'm hoping to see vlan-ha...

mkx

.... I'd like to use as high a voltage as possible to keep current low. If your PoE cables are not really long (to cause significant power losses), then you're probably loosing more on internal DC-DC downconverters (inside PoE-powered drvices), their efficiency gets lower with increased difference ...

mkx

New wifi driver (wifi-qcom and wifi-qcom-ac, but the same was already in original wifiwave2 driver) can't tag/untag frames. It's in the new WiFi manual, section "Replacing 'wireless' package" under "Lost features".

So it seems that the problem actually starts on cAP ax ...

mkx

Without seeing (non-working) hEX config and more detailed description of wanted setup we can only respond with: it should work.

mkx

I wonder if it's still possible to configure channels in a way to "force" 802.11n.

No, not to my understanding. With wifi/wave2 we're back to supporting legacy clients (e.g. 802.11a and 802.11b).

mkx

5745 Ceee is 80MHz channel #155 and 5885 eeeC is channel #175, so they are different But they're same freq range, right? My 3 clients are newish - a Samsung Note 20, a Framework Laptop, and a Surface Pro 9. No, they're adjacent 80MHz channels. 5745 Ceee spans from 5735 to 5815 MHz and 5885 eeeC spa...

mkx

Yes. Post config so we can see how exactly is device set up.

mkx

To see complete picture we are missing capsman config. Because cap config (obviously) doesn't say anything about VLANs used for wireless interfaces.

Also: which port on CRS112 is used to connect cap?

mkx

When UDP iperf3 test shows transmitter to fall lower than configured total bandwidth, this usually means bottleneck on the transmitter itself - that's the only place UDP throughput is throttled without packets being dropped.

mkx

High-level view on CRS will show: single vlan-enabled bridge all SFP+ ports (and ether1 port) will members of bridge with per-port vlan settings as needed (port connecting to CCR will be tagged-only, other ports might be untagged access ports for a particular VLAN with pvid set appropriately) bridge...

mkx

Why do both servers have to be in same VLAN? This complicates things a lot.

mkx

Mikrotik ones S+RJ10. Docs say they can use up to 30 Meters of cable ... Another caveat: due to required high Tx power, these modules tend to run quite hot (MT's own seems to be one of hottest) ... if cooling is not adequate (with most passively cooled devices, such as CRS309-1G-8S+IN, this is the ...

mkx

I don't think that there's a single ONU SFP module on the official list of compatible hardware . There are a few threads on this forum about using various GPON SFP modules with MT and mostly the gist of them is that things either don't work at all (with some rare exceptions) or are extremely tricky ...

mkx

My impression is that you're setting the "newest" standard, older than setting are then supported as well. E.g. if you set band=5ghz-n , AP will support 802.11a and 802.11n but will not support 802.11ac nor 802.11ax. To support all standards, set highest supported by AP hardware (i.e. 5ghz...

mkx

What are exact cable lengths used? Operation at 10Gbps requires significant amount of energy and nkt many RJ45 SFP+ modules are capable of transmitting at needed power. And cable category doesn't affect this much. Which SFP+ modules are you using? Support for different SFP modules in MT devices is f...

mkx

I'm also unsure about the difference between 5745 Ceee and 5885 eeeC. Aren't they essentially the same? From the channel list on wikipedia follows, that 5745 Ceee is 80MHz channel #155 and 5885 eeeC is channel #175, so they are different (in addition, channel #175 seems to be illegal to use anywher...

mkx

Do you have country propetly set to country which actually allows use of channel 13? USA and (AFAIK) Canada don't.

mkx

thank you for your reply. so if i create a vlan interface achored to bridge i use L3, so the cpu? no? Yes, in most setups involving VLAN interface (created under /interfacw/vlan ), vlan interfaces should be used exclusively to support L3 operations (routing, providing services such as DNS). Using v...

mkx

Since 7.13beta, your wAP ac is compatible with new wifi driver: https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-Compatibility Based on this great new feature can we also expect that in the not-so-distant future, we will be able to join wifiwave2 APs to the existing CAPsMAN that has legacy wire...

mkx

What I recommend is (besides generous use of SAFEMODE) is to take an unused port lets say 5 and take it OFF the bridge. And absolutely add it to LAN interface list in case one needs winbox MAC connectivity - default config limits this kind of connectivity to LAN interface list. If done this properl...

mkx

OK, so here goes another experience: ROS will use single core to deal with packets, belonging to same connection (either real TCP connection or "apparent" UDP connection). The reason being to avoid out-of-order packet delivery (which upsets some TCP stacks). On devices with larger number o...

mkx

Since 7.13beta, your wAP ac is compatible with new wifi driver: https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-Compatibility So try to upgrade wAP ac to 7.13beta2 (should go smooth since you are already on 7.12), uninstall wireless package (it becomes a separate package after upgrade), install...

mkx

The highest part of 5GHz spectrum was added to wifi spectrum fairly recently. Not all devices support it (either their hardware can not work with such high frequencies or their firmware was not updated with new channel layout and/or country regulatory limits). So as a rule of thumb: whenever clients...

mkx

There are two wireless drivers currently in use on mikrotik gear: wireless - legacy driver which was available already in v6 and is supported by all devices except for newest (AX) gear wifi / wifiwave2 - new driver which came with v7 and AX ger. Also supported by AC devices with ARM processor. Any *...

mkx

Other dumb question, ont the crs 309 it's better to set the ip for the lan on the bridge or an interface? There are interfaces (L3 entities, essentially anything carrying IP address) and there are ports (L2 entities). When something is set as member of bridge, it becomes a port. And it should not b...

mkx

Simply set all APs with same security settings. Those include SSID, authentication types and password. Beware that when wireless station roams between APs having same SSID, it expects that the new AP is member of same L2 network (ethernet). Which basically means that APs have to act as simple switch...

mkx

*) defconf - use device factory preset credentials when using CAPs mode;

This will make my life miserable :(

Why's that? defconf is just default config ... and one can change it as it fits.

mkx

It's a pretty well known fact that ROS internal bandwidth-test tool is pretty CPU-heavy (single CPU bound) and results of it are hardly representative for device which is actually running it. If you really want to assess the performance of your setup, you have to use external test probes (such as a ...

mkx

... but because he doesn't even know how to tie his shoes...

We desperately need AI-enabled shoes.

mkx

Have a good look at 5GHz channel list . As one can see, standard channel layout (including channel width) says that 5745 and 5805 at 80MHz wide channels overlap (as well), both are covering 80MHz channel number 155 (spanning between 5735 and 5815 MHz). So try to allow properly spread frequencies ......

mkx

It's a shame about the controller requirement. I wouldn't call that "a shame" ... multiple devices can not cooperate smoothly without being coordinated by some central entity. And the same is true for any WiFi vendor. Because there isn't a standard which would allow APs to signal necessar...

mkx

I don't see any IP setup on vlan10 interface on CCR ... you'll definitely need some if you want CCR to communicate with devices in that subnet (and you want if it's supposed to be gateway for that subnet).

mkx

Did you read through this tutorial? The setup you showed is a bit awkward (it's not recomended to use VLAN ID 1 for explicit setups).

And it's likely that the problem lies in CCR setup. Can you show that config?

mkx

If the problem starts to develop (from mild one to a more serious one) without any changes in configuration or software, then this likely means a hardware fault ... such as a crack in cold junction which is getting bigger due to thermally induced material ageing. And that kind of problem is hard to ...

mkx

defconf means Default Configuration ... which only gets applied when config is reset to factory default. This doesn't apply when upgrading ROS from one version to another.

mkx

People can agree to disagree.

I don't agree

mkx

The problem is that when I check the balance of the vcores from the “Profile” tool I see that there is always one that shoots up between 80 to 98% and the rest remain at an equal average between them. What kind of workload is going on when you see one vCPU load rise towards 100%? If you're, by any ...

mkx

What if at the end of custom chain there is no explicit return?

There's implicit return at the end of all custom chains.

mkx

The last paragraph of ChatGPT-generated text is, IMO, the crux of the whole ordeal.

Long live rextended!

mkx

Despite the fact that the AI's success is impressive, it is important to keep in mind that the AI can only combine [*] the knowledge it has gained during training. Don't think like that. Regarding GPT4, he can, for example, search for knowledge on the Internet, climbing into any online manuals and ...

mkx

My guess: it's your "test-script" setting (it's very probably needless). According to netwatch docs , the netwatch service itself already does ping test by default and test-script property defines additional test to be run after the probe (simple ICMP by default) already finishes. Since /p...

mkx

Guess they need to update the page...

Probably they will, when the 7.13 gets released as stable.

mkx

New capsman doesn't support manager forwarding mode (yet) and hence the cap interfaces are not seen on capsman bridge. BTW: I'm not sure (I don't have wireless-less arm device at hand), but according to what MT staff wrote, you don't need wifi-qcom-ac installed, that package only includes hardware d...

mkx

I don't think you can. And even if it's possible, this doesn't guarantee to really get vanilla setup, sometimes some settings escape all the reset hooks. Netinstall is the only way where reset is guaranteed (it formats flash and installs ROS from scratch).

mkx

... still the adress lists exist in the flash memory, like theyre not being deleted at all. When flash is almost full, it's not possible to remove part of config (it seems that ROS wants to save a copy of new config before deleting old and it fails to do so). So this situation is unrecoverable, net...

mkx

Posted export says wireless interfaces are managed by capsman. So I don't see where seems to be the problem?

mkx

Router doesn't have anything to do with the way any wireless distribution system installed. If a particular mesh system requires a centeal controller (to keep it together), then that controller has to run somewhere. Indeed many vendors (mikrotik included) forsee running controller on a router, but i...

mkx

I suspect it has to do something with ROS update to 7.12

Each new ROS versions use ever increasing amount if permanent storage ....

mkx

@mkx, I think you missed what I meant by without FastTrack . Indeed I missed the fact you intentionally disabled fasttrack. BTW, if you only need to apply queues to a portion of traffic, then you can craft fasttrack rule so that it doesn't fasttrack traffic which has to be subject to queues (or add...

mkx

Try to sniff DHCP traffic to see actual hanshake ... I guess that final DHCP ACK comes back from repeater's MAC while MT expects to see client's MAC ... or the other way around. My guess is that repeater works similarly to station-bridge mode and that can cause all kinds of random problems, see mikr...

mkx

My suggestion: netibstall device with stable ROS (okd RSC probably means v6, so use 6.49.10), then configure it manually. Stick to defaults as much as possible and only use that RSC as reminder what was done ... but when implementing that part of functionality keep sticking to concepts of default co...

mkx

Failure to reboot is a sign that something went really wrong. Quite likely flash storage was full. And in such condition also creating backupis likely to fail. And backup is very probably incomplete and/or corrupt, so extracting config from it won't do much good. Morale of your story: relying on aut...

mkx

No, MIMO chains are part of same radio and can not be used individually.

Even devices with proper dual radios have to be used very carefully not to destroy the other radio's receivers if they are hardware-wise capable of running in same frequency spectrum.

mkx

https://en.wikipedia.org/wiki/Spanning_Tree_Protocol

mkx

A clarification question: how are configured ports which are used for the two connections between SW03 and SW02? Any special config (such as bonding) or nothing?

mkx

Check the "Design skin" if something got hidden ... skins are used both for webfix and winbox ...

mkx

The new driver doesn't care about VLAN tags, so it's critically important to attach wifi interfaces (master and slaves) to vlan-enabled bridge as ports with pvid set (or play games with ugly workarounds in case bridge is not vlan-enabled). But this rules out any fancy setups (such as VID set in acce...

mkx

I'm pretty sure address lists "work" immediately. There's another "gem" with regard to firewall: new drop rules only affect new connections. Already established connectiobs are not affected. Clearing connection tracking table does the job (but drops all the rest of established co...

mkx

While being impressed by AI success it's important to keep in mind that AI can only combine[*] knowledge it absorbed during training. The (perceived) quality of this combinatorial process does get better with newer AI generations (so yes, GPT5 will mostly give better answers than GPT4 does). But wha...

mkx

The way you describe ONT's expectations (XXX vlan as default, 201 as tagged) mostly means that vlan 200 (as identified in ONT and possibly on ONT's upstream interface) will come out on ONT downstream interface as untagged. So on CSS you could tag it (back) to any VLAN ID, but it's sensible to keep u...

mkx

All current Mikrotik devices are officially supported by ROS v7. And vice versa.

mkx

In the CAPsMAN setup, you have to set client-to-client-forwarding=yes (default is no) ... it's a datapath property.

mkx

Since your wireless setup consists of all Mikrotik devices, your slave should be configured to "station-bridge" mode ... pseudobridge has a heap of problems, missing DHCP assignments is one of them.

Read extensive article about different station modes and their problems.

mkx

It's an RB850Gx2 running ROS 6.47.9 Could be that the problems you're seeing are related to older version of either ROS or Winbox. The version of ROS you have on your device is pretty dated. It's fine to stay with v6, but you should upgrade it to latest v6, which is 6.49.10 ... And make sure you'er...

mkx

I didn't realize this forum is not monitored by mikrotik which is pretty unusual. Well, it is monitored, but loosely. We do see some MT staffers discussing here and there, but this forum is more or less intended for user to user interaction. It seems that MT wants bugs and issues officially logged ...

mkx

And you're seriously comparing GPT's ROS scripting skills with Rex? Oh my... we need more cats.

mkx

Winbox connectivity is configured under Tools>MAC Server ... and uses interface lists. Winbox visibility is configured under IP>Neighbors>Discovery Settings ... and again uses interface lists. Default setup uses two interface lists: WAN and LAN, by dedsult ether1 is member of WAN and bridge (includi...

mkx

For a, quote: "For a fly by night DYI", gear with youtube tutorials, provided by vendor and with actors speaking various dialects[*], is the best choice. With anything else, one is on his own. Umm, wait a minute, isn't this a part of DIY concept? Now I'm confused. [*] it would be unfair to...

mkx

Quite possibly yes. AFAIK RB-GPOE works both ways (also as "extractor"), but requires the PSE to work with passive PoE devices. CRS328 can be set to work with passive PoE clients when selected low voltage output (26V), which is great in this case. The only remaining detail is how to "...

mkx

Nobody is forcing to order a CD and pay for preparing it and shipping. How about that documentation? I am practically forced to waste time in rereading sentences multiple times while trying to clarify what the (obviously) non-English speaker meant through an ugly translation. Is that what customers...

mkx

My RB4011 has cores at 100% at less than 1 Gbps without FastTrack on v7 ... I have the opposite experience: my hAP ac2 was at 15-20% under v6 when doing 30Mbps (at the time I was using 30/5 VDSL), the same unit now is at 10% when doing 980Mbps (I have FO 1Gbps/100Mbps) on v7. Alas: I did netinstall...

mkx

Just beware: traditionally, ROS wasn't known for exploiting full USB capacity when working with USB flash sticks. So if a device supports USB3, this doesn't mean you will get 100MBps of file transfer rates (if USB flash disk can do it on normal computers), it might still be limited at some significa...

mkx

Just wondering... Both times this happened after a regular shutdown (/system/shutdown). Is there anything special now that breaks configuration?

Check storage space ... right before shutdown. If storage is full (or close to full), then this might be the reason for problems.

mkx

zandhaas use check for updates button and ignore the above ranting. nothing special has to be done. upgrade and forget ******************************************************** And it's true but then you have the "old" wifi package and not the qcom-ac package installed. Yes, that's a part ...

mkx

free storage space 304 KiB
How much free storage did you have on 7.12?

I posted pretty detailed observations about storage usage in my post #71 above.

mkx

RAM consumption is a dynamic thing ... and it starts from 0 after each reboot, so you should not worry about it too much. Unless your device crashes, like @sinisa observes. After all, until 7.12 wave2 driver, requirement was device with 256MB RAM. And I guess your hAP ac2 has 128MB ...

mkx

Beware of small antennae, usually antenna gain is inversely proportional to antenna size. An idea: since your problem is that device itself is inside metallic housing, why don't you re-use original antennae. only use cables of appropriate length? Depending on cable quality, additional loss is around...

mkx

The point of my question is that minimum power draw doesn't matter if device actually draws higher power significant portion of time ... as you explained your setup lacks heat dissipation, but you have to make sure that device doesn't overheat during expected (extended) periods of time with higher a...

mkx

The only way to get anything sent over PPPoE link is to have ISP to route it through. And since that traffic is actively routed via the PPPoE link towards you (ISP already configured their router to use your PPPoE link when sending the traffic for the new /29 address space), you don't have (and shou...

mkx

ChatGPT is as good at writing ROS scripts as with any other things: mostly it gets things done (surprisingly well), but sometimes it fails miserably ... the problem with ChatGPT failing is not that it's failing, the problem is that it doesn't admit that it cant provide a good result, instead it pres...

mkx

*) disk - fixed hang on reboot when network file systems mounted; That is interesting! Strods says 'Please remember that actual "bugs" must be reported to support@mikrotik.com complemented with logs, supout files, etc.' above. @pe1chl, do I understand you correctly that you're complaining...

mkx

... we require a smart LTE antenna ... What is your definition of word "smart" in this context? In UK smart means "having a clean, tidy, and stylish appearance" while in US smart means "intelligent, or able to think quickly or intelligently in difficult situations" ......

mkx

If one takes official test results with a pinch of salt, then RB4011 should be able of routing at roughly 2.5Gbps give or take. The number is approximately 10-times larger than the one of RB2011. I guess that your particular use case (200 1-to-1 NAT mappings) does mean somehow more complicated setup...

mkx

What I wrote above is my definition of idle device, for the purpose of measuring power consumption. Performance I need is full 1Gb routing with firewall, VPN and many many parallel connections. So what is your expected busy/idle ratio? If it's higher than 0.1 (or even less), then idle power consump...

mkx

If I create a backup now, it's gone again after a reboot. It seems that you're not aware of one fact: on devices with flash storage equal or less than 64MB (I think that's the magic size, could be 32MB), the root of file structure resides on RAM disk and the (raminder of) permanent flash storage is...

mkx

Then, I loaded my configuration, which is only 1 MB in size Configuration 1MB in size is not "only", it's huge for a 16MB flash device IMO. My hAP ac2 config, while device was running ROS v6, contained two country address lists (both for IPv4 and IPv6, so this actually makes 4 decently si...

mkx

If you're not able to decide which public IP address you're supposed to use, then I wonder if you have skills and information needed for the task you have to do?

mkx

While waiting for a comment from MikroTik engineers, ...

If you're serious about getting a comment from MT, then you better open a support ticket with them ... using official support channels, this forum is not one of those.

mkx

However, when users follow the official doc and at the end the cofiguration is not working, it can get frustrating. In the MT official doc, pihole container is only mentioned as an example of how to build a container. It doesn't touch the workings of the container contents at all ... so I don't see...

mkx

*) - idle is defined as: configured and working device, few registered devices (wifi), small traffic (up to 1Mbit).

How comes that RB2011 doesn't have enough performance for what you wrote above?

mkx

Isn't it the other way around (enabling TX flow control does the signaling)? My bad. But the point is: you need both flow controls enabled on both sides of a link or else it doesn't work. Now, in your particular case: you're saying there are Tx pauses on CCS610 but no Rx pauses on conected CRS310 p...

mkx

RouterBoards are far from SDRs. RouterOS is a closed source OS which only runs drivers made and approved by Mikrotik.

Therefore I'm guessing that you'll have to forget about Mikrotik for your science project.

mkx

So when 7.12 with installed wifiwave2 package gets upgraded to 7.13beta1 (or newer), wifi-qcom (or wifi-qcom-ac) package replaces the previously installed wifiwave2 package. I noticed an important difference on AC2 (no previous wifiwave2). Wireless was there after upgrade... Sure thing ... because ...

mkx

Did you enable both tx-flow-control and rx-flow-control on all involved ports on both switches? As far as I understand, Rx flow control only signals the other end of each physical leg that it needs to pause if port receives feedback from upstream buffer ... and as far as I understand, most switches ...

mkx

The document, linked by @EdPa in post #2, says: The configuration menu used to be called 'wifiwave2' in RouterOS versions before 7.13, where it was a part of the 'wifiwave2' software package. So when 7.12 with installed wifiwave2 package gets upgraded to 7.13beta1 (or newer), wifi-qcom (or wifi-qcom...

mkx

You do realize that container images them selves are not Mikrotik's business, right? Anything you place inside container image is on you, you have to find relevant documentation (possibly on container package maintainer's site). Mikrotik only makes possible to run container images and that's where t...

mkx

What is possible to do to avoid double reboots, but requires quite some manual work: download main package of new ROS version for correct device platform open it using 7zip and extract correct routerboot firmware file. It's inside etc/ folder, but most platform packages contain multiple firmware fil...

mkx

Even if I can do VLAN tagging based on specific MAC addresses I would still need to route the traffic from bridge->bridge which I would think would result in the same behavior. Nope, from IP layer point of view, it would be vlanX <-> vlanY traffic ... in this case, bridge interface has no meaning a...

mkx

Do devices running the new wifi-qcom-ac package still have the old wifiwave2 limitation where VLANs couldn't be configured? Found it in the wiki: 802.11ac chipsets do not support this type of VLAN tagging (vlan-id), but they can be configured as VLAN access ports in bridge settings. Just upgraded m...

mkx

hAP ac2 has a few led lit during normal operation: power led on tge same side as ethernet ports and power jack - between power jack and ether ports. It's steadily lit after power on. ethernet activity leds on the otger side ... beliw those dot pictograms (those dots are supposed to represent the num...

mkx

I stand by my first line of my previous post.

I'd think again (and again) about necessity to run two IP subnets over single ethernet broadcast domain.

mkx

I was unable to import the public key ED25519 from my YubiKey, I successfully imported ed25519 keys, created by openssh. The pub file starts with "ssh-ed25519 ", continues with 69 characters (the actual publuc key) and followed with key owner identification (user@host). Format of file on ...

mkx

Do as it says: write to support@mikrotik.com

mkx

As long as you take into account the differences between different technologies when estimating throughput from SINR, then you should get some sensible results. Just don't react on minor differences, when estimating throughput from SINR the error margin can even exceed 50% (I guess).

mkx

As the error message says: disc-lite5 already serves maximum number of clients and the new one is not allowed to connect. Two things, in order from less important to the critical one: taking from description from diagram "PTP BRIDGE AP" ... I'm assuming that disc-lite5 is running in "...

mkx

This seems to be ax-related bug. So I suggest you to create supout file at the time when ax2 is unable to communicate with OpenWRT (WPA-TKIP only) ... and open trouble ticket with support@mikrotik.com.

mkx

You've placed yourself in a pond of mud ... I assume your client devices are configured with /24 subnet and proper gateway address, so initially they don't know a squat about the other subnet being available on the same physical network. And this is what happens: deviceA (e.g. from 10.0.0.0/24 subne...

mkx

I don't use DoH, so I can't provide you with definitive answer here. But: your setup uses FQDN of DoH server ... so before DNS DoH client on your router can resolve anything, it has to resolve FQDN of DoH server itself. Do you see the chicken-egg problem here? There are a few ways out, one is to set...

mkx

According to specs, both devices you mentioned are nearly identical wireless-wise. So they should perform similarly as long as positions of AP and clients doesn't change. Any obstacles, even TV set, negatively affect the range and throughput. When there's an obstacle close to a device (either AP or ...

mkx

Honestly, it's not even worth the effort. It has no impact on router performance and is not indicative of any issue at all. Thank you! Netinstall didn't helped. :( Netinstall formats flash disk in a sense of writing new filesystem metadata. But I highly doubt that it does low-level format of flash ...

mkx

Meanwhile, still can not understand how to get to SFP Module information page... The IP manually assigned to the SFP interface leads to RouterOS Web GUI... :? If you try to access IP address, assigned to one of ROS interfaces, then ROS believes (rightfully so) that you're trying to use ROS service....

mkx

... Mikotik Manual:Fast Path says that FastTrack is FastPath+Connection Tracking. Does it means that FastTrack contains Fast Path？ My interpretation is that without fastpath there is no fasttrack. However I have mixed feelings about the importance of fastpath ... as fastoath manual specifies, there...

mkx

You really can't AFAIK. In theory it's possible, in practice not so much. SINR figure gives a very good estimate about maximum possible spectral efficiency. Google for "SINR throughput" to read more and get some tables/charts (one random link ). But then there are other unknowns. SINR val...

mkx

Well, if you're running firewall, then fastpath doesn't make much sense (if I understand its function correctly, it's a shortcut between different drivers and traffic then bypasses some of generic L2 of ROS and all of L3, for firewalling such shortcuts should not happen). Fasttract is (again accordi...

mkx

The information, shown in the screenshot, is actually data about reception on RB951 side for that particular wireless station (station doesn't report its stats to AP). So the values shown by AP mostly depend on station's transmit capabilities and (to a lesser extent) on AP's reception capabilities (...

mkx

... I was assured that this bug has been fixed in the 7.12 branch.
Well, it isn't. Still...

[sarcasm]
Well, 7.12 branch isn't abandoned/surpassed yet.
[/sarcasm]

mkx

I guess the concept you described is quite fine. If you care about autonomy while on batteries, make sure you get a highly efficient DC-DC down-converter. Some shitty ones can have efficiency as low as 50% and difference between 0.5A and 1A of power draw for 10W load (at 24V) is significant if batte...

mkx

Noticed that on all of them I needed to reboot a second time to upgrade the routerboard firmware despite having "/system routerboard settings set auto-upgrade=yes" configured. That's expected and has been so ever since auto-upgrade is available. The reason is that .fwf files with new rout...

mkx

I don't think you can get around this "positive-negative" mismatch without DC-DC converter. Unless you're willing to mount RB so that metallic parts of its chassis don't touch metallic parts of rack and other devices (i.e. have its chasis galvanically isolated from the rest of your DC). Yo...

mkx

It could be 5009 specific (i.e. a bug), but anyway: check how frequently graphing data gets stored to flash, it's under Tools->Graphing->Interface Rules->Graphing Settings ... it seems that default is 24 hours, try setting it to shorter interval. This probably won't make the bug disappear, but you'l...

mkx

I think @pe1chl is right: telco DC power supply is nominally -48V, so positive on chasis. IT gear, if DC powered, is almost always +48V, so negative on chasis.

mkx

The config may partly work but it's all wrong. Have a look at this tutorial about how to properly configure VLANs on mikrotik devices.

mkx

You are wrong. Let's have a look... v6.48.4 [stable] on Mon Aug 23, 2021 v6.49 [stable] on Thu Oct 07, 2021 v6.48.5 [long-term] on Fri Oct 08, 2021 What your table doesn't show and I'm not sure it's possible to get that missing info from the past: when exactly did 6.48.x got promoted into long-term...

mkx

Which existing version should become long-term?

My favourite kebab-retailer said that 7.1.5 was a good one ...

mkx

Trying to figure out why Bridge is passing packets through firewall. Packets from where to where? Since your posted setup heavily deviates from defaults, I strongly suggest you to disable detect-internet , i.e. /interface/detect-internet/set detect-interface-list=none . As to DNS: you're heavily ma...

mkx

How would you implement this within a flat network setup? Either simply add bond interface (bonding1) to bridge1 which makes the bond (from layer 2 perspective) equal member of LAN network. You can do teh same on both devices, in that case use one as switch only, without firewalling, routing, DHCP ...

mkx

Hi buy one Rb L41G-2axD I upgraded from 7.8 to 7.12and the Wireless interface disappeared, what should I do to get the wireless interface back?

Install wifwave2 package (from extra packages). Next time use built-in upgrade feature which upgrades all installed packages automaticalky.

mkx

Are you sure that bridge HW offload is disabled (at least for ports which are of interest)?

mkx

Huh? This is definitely a no-go: /ip address add address=192.168.1.9/24 interface=bridge1 network=192.168.1.0 add address=192.168.1.31/24 interface=bonding1 network=192.168.1.0 You can't have two independent interfaces with same network address and expect for router to figure it out. And if the same...

mkx

Config says that device should be transmitting SSID with name MikroTik-2C00AA and that it's an open AP, i.e. no password needed and no encryption used over the air. Config also says it's running ancient ROS version and that config has a minor error in config (due to error in default config): LAN IP ...

mkx

RB951G boots with 7.12. Can't say if it's stable, nobody's at home ATM. ;-)

mkx

Post #11 above (by @jericho63) IMO shows that throughput problems are not due to traffic hitting CPU (it'd be much higher than 2% at 2.5Gbps) but some other reasons, internal to how switch chip handles the traffic. High CPU load while running btest is usual but has nothing with normal traffic handli...

mkx

Did you try to enable flow control (both Tx and Rx) on all involved ports? The thing that bothers a switch the most is speed change - from faster to slower port. In this case switch has to buffer data and we all know that buffer bloat is bad. So when that tiny buffer fills up, switch has two choices...

mkx

From release notes of 7.12 (released today):

*) ssh - added support for user ed25519 public keys;

So upgrade to 7.12 and check if it works for you. If not, then ask for support directly MT support (support@mikrotik.com), posting in this forum won't help (much).

mkx

If you try to access PiHole web interface by connecting to that IP address explicitly and you don't get the expected behaviour, then this has nothing to do with dst-nat, it has either something to do with routing or config on PiHole device itself. So post full config of your router to see if it's th...

mkx

To get better idea about what's going on you may want to fire up wireshark on client and capture all communication. But in a nutshell it's like this: client has IP address 192.168.0.254, netmask /24 and gateway 192.168.0.1. Let's assume there are no specific routing rules on client. similarly server...

Search found 10983 matches