Search found 11644 matches

by mkx
Fri Feb 23, 2024 2:44 pm
Forum: General
Topic: UDP faster than TCP - why?
Replies: 4
Views: 198

Re: UDP faster than TCP - why?

I tested with UDP (single stream) and it reached almost 850-900 Mbps throughput. The question is - and what I want to understand -, why has TCP vs. UDP such an immense influence in regards to the throughput? Did you see this number reported by receiver? One of big differences is that TCP is acknow...
by mkx
Fri Feb 23, 2024 2:04 pm
Forum: General
Topic: Masquerade with Multiple IPs
Replies: 3
Views: 136

Re: Masquerade with Multiple IPs

Masquerade does slight magic when deciding which IP address to use for SRC-NAT and gracefully handles changes. But I don't think it handles multiple IP addresses on egress interface in any particular way, so it probably simply uses one (possibly the first one configured).
by mkx
Fri Feb 23, 2024 1:53 pm
Forum: Beginner Basics
Topic: router not broadcasting wifi
Replies: 12
Views: 500

Re: router not broadcasting wifi

Where were you when I said ...
Wasn't it @anav who said that? :wink:
by mkx
Thu Feb 22, 2024 6:43 pm
Forum: Announcements
Topic: v7.14rc [testing] is released!
Replies: 128
Views: 28533

Re: v7.14rc [testing] is released!

Isn't it recommended by Mikrotik documentation in the L3HW docs and the basic VLAN docs to not place a VLAN directly on top of a physical interface? It is. But that's only true for devices supporting L3HW (which RB5009 doesn't). Which in turn only works for "plain" VLANs ... but we're dis...
by mkx
Wed Feb 21, 2024 8:49 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 885
Views: 233558

Re: v7.13.5 [stable] is released!

After upgrade from 7.12.1 to 7.13.5 (but surely it will be the case with any 7.13.x version), wireless package was also present, eating away precious storage space. Why ? On a switch ? Because upgrader is obviously pretty stupid (as it can't only install e.g. wireless driver for device's chipset) a...
by mkx
Wed Feb 21, 2024 8:41 pm
Forum: RouterBOARD hardware
Topic: New L11UG-5HaxD
Replies: 28
Views: 5378

Re: New L11UG-5HaxD

So no, bridging still doesn't work between old/new wireless packages.
As the rumours go it'll stay this way ... i.e. no bridging between wifi and wireless drivers ... ever.
by mkx
Wed Feb 21, 2024 7:58 pm
Forum: Wireless Networking
Topic: Do hAP ax2/3 support AP + STA mode?
Replies: 2
Views: 150

Re: Do hAP ax2/3 support AP + STA mode?

On MT devices with dual radio (e.g. 2.4GHz + 5GHz) these are independent and can be configured in completely different manners. So yes, you can configure e.g. 2.4GHz radio as station and 5GHz radio as AP. And yes, the "uplink radio" can be stand-alone in L2 sense, so traffic has to be route...
by mkx
Wed Feb 21, 2024 6:38 pm
Forum: Beginner Basics
Topic: Translate the income ip to the ethernet
Replies: 4
Views: 259

Re: Translate the income ip to the ethernet

So there's a SRC-NAT rule which triggers on connections from internet to your server. If you post your config, we might be able to find it.
by mkx
Wed Feb 21, 2024 6:32 pm
Forum: Beginner Basics
Topic: CRS125-24G-1S - Internet Link
Replies: 6
Views: 311

Re: CRS125-24G-1S - Internet Link

I don't know, but if the published tests talk of 240-250 with 25 firewall rules and you get 100-130 with 10 (or 7), it sounds like there is *something else* slowing down the network. AFAIK test results are achievable if fasttrack is in use, otherwise not easily. OP's config is a slight mess as it p...
by mkx
Mon Feb 19, 2024 9:34 pm
Forum: General
Topic: How to completelly kill all traces of V6 config
Replies: 2
Views: 181

Re: How to completelly kill all traces of V6 config

When running netinstall, there's option called "Keep old configuration" ... make sure it's not checked.
by mkx
Sun Feb 18, 2024 7:28 pm
Forum: Wireless Networking
Topic: Old wireless driver compatibility issue
Replies: 4
Views: 341

Re: Old wireless driver compatibility issue

My experience with a few legacy MT wireless devices is that they normally work up to around 5700MHz (country regulations permitting), so U-NII-1 and U-NII-2 (A,B and C). Higher than that they are iffy.

I don't think this is well documented in official documents (if at all).
by mkx
Sun Feb 18, 2024 6:18 pm
Forum: Beginner Basics
Topic: Bridge filter rules not working
Replies: 26
Views: 1424

Re: Bridge filter rules not working

Feel for you buddy, looking at a CRS310 I just took out of the box. :-)
Anytime you want to wireguard in and look around let me know.
I don't think CRS310 is that sexy :wink:
by mkx
Sat Feb 17, 2024 10:29 pm
Forum: Wireless Networking
Topic: Old wireless driver compatibility issue
Replies: 4
Views: 341

Re: Old wireless driver compatibility issue

Which channel is used by AP (running wifi-qcom-ac driver)? I believe that wifi driver supports U-NII-3 channels (5720MHz and upwards), it seems that they are even preferred. Legacy wireless driver might not support them (or it supports them in a weird way, I couldn't make it use proper channel centr...
by mkx
Sat Feb 17, 2024 9:26 pm
Forum: General
Topic: Bridge and VLAN Interface on bridge MTU problem : MTU needs to be L2MTU - 1 ??
Replies: 2
Views: 188

Re: Bridge and VLAN Interface on bridge MTU problem : MTU needs to be L2MTU - 1 ??

We should be able to put the same MTU as the L2MTU. Generally setting MTU to a random value is wrong. Generally all devices in same IP subnet (which talk to each other without gateway) should have the same MTU set and unless one knows (much better) industry standard value of 1500 is safe to stick t...
by mkx
Fri Feb 16, 2024 11:04 pm
Forum: Beginner Basics
Topic: VLANS creation and testing-AX2
Replies: 157
Views: 5634

Re: VLANS creation and testing-AX2

CRSxxx are switches. And all have L2 HW offload. It's just that on CRS1xx and 2xx bridge can HW offload only basic switching (non-VLAN aware, etc.) while on CRS3xx and CRS5xx bridge can offload VLANs as well. This is what HW property on bridge ports is all about. But we didn't mention routing yet. B...
by mkx
Fri Feb 16, 2024 10:33 pm
Forum: Beginner Basics
Topic: MikroTik switch and Unifi Switch can no longer negotiate 10Gb connection over SFP+
Replies: 4
Views: 368

Re: MikroTik switch and Unifi Switch can no longer negotiate 10Gb connection over SFP+

Maybe I should revert back to e.g. 7.12 or earlier? If the MT-UFi combination worked back then, then downgrade would be a sensible action. But before doing it, create a supout.rif file (while MT and UFi are connected but don't negotiate 10Gbps) and open a trouble ticket with support@mikrotik.com .....
by mkx
Fri Feb 16, 2024 9:45 am
Forum: General
Topic: UDP Packet Mark
Replies: 1
Views: 167

Re: UDP Packet Mark

How exactly did you configure marking? And which UDP packets should be marked? And what do you mean by "traffic is not captured"?
by mkx
Thu Feb 15, 2024 11:00 pm
Forum: General
Topic: Vlan configuration with trunk port
Replies: 1
Views: 169

Re: Vlan configuration with trunk port

Post configuration of your mikrotik: open terminal window, execute /export file=anynameyouwish (and add hide-sensitive if device is running ROS v6), fetch file to your computer, open it with text editor and copy-paste it inside [ code] [/code] environment. Redact any remaining sensitive information ...
by mkx
Wed Feb 14, 2024 8:45 pm
Forum: Wireless Networking
Topic: hap ac2 switch chip vlan and WIFI setup with remote capsman
Replies: 10
Views: 609

Re: hap ac2 switch chip vlan and WIFI setup with remote capsman

Bridge MAC addresses are obfuscated, so not sure if this is relevant: I strongly recommend to set different MAC addresses to bridges. Just in case.
by mkx
Wed Feb 14, 2024 8:41 pm
Forum: General
Topic: 2 Station bridge and 1 master
Replies: 1
Views: 147

Re: 2 Station bridge and 1 master

I don't see why not.
by mkx
Tue Feb 13, 2024 9:22 am
Forum: SwOS
Topic: private VLAN for SAN to servers? [SOLVED]
Replies: 2
Views: 319

Re: private VLAN for SAN to servers? [SOLVED]

Under the VLAN tab I specified "enabled" and "only tagged" for those two ports. Which means that devices, connected to these two ports, have to be configured for tagged operation as well. Are they? If SAN and servers don't work with tagged VLANs, then you have to configure these...
by mkx
Tue Feb 13, 2024 9:19 am
Forum: RouterBOARD hardware
Topic: L11UG-5HaxD and 160mhz?
Replies: 1
Views: 292

Re: L11UG-5HaxD and 160mhz?

If the 2400Mbps number is correct, then it has to support 160MHz channels.
by mkx
Mon Feb 12, 2024 7:37 pm
Forum: Wireless Networking
Topic: hap ac2 switch chip vlan and WIFI setup with remote capsman
Replies: 10
Views: 609

Re: hap ac2 switch chip vlan and WIFI setup with remote capsman

I'm not using CAPsMAN (my hAP ac2 is currently wireless-less), so only like 2/3 of required config: interface bridge add admin-mac=BA:69:F4:xx:yy:zz auto-mac=no name=bridge port-cost-mode=short add admin-mac=B2:69:F4:xx:yy:zz auto-mac=no name=bridge41 add admin-mac=BE:69:F4:xx:yy:zz auto-mac=no name...
by mkx
Mon Feb 12, 2024 7:22 pm
Forum: General
Topic: WireGuard throughput depending on running torch [SOLVED]
Replies: 9
Views: 561

Re: WireGuard throughput depending on running torch [SOLVED]

Here I started torch at ~4s to and stopped at ~12s: Hmm, it seems we'll have to educate @Mesquite (just like we had to educate @anav): torch disables fasttrack. And this prompts to reading the tutorial @rooterle linked ... which introduces mangle rules. And we all know that fasttrack and mangle rul...
by mkx
Mon Feb 12, 2024 12:25 pm
Forum: General
Topic: PPPoE Bonding - MLPPP vs Bonding vs NTH?
Replies: 1
Views: 205

Re: PPPoE Bonding - MLPPP vs Bonding vs NTH?

I think that middle option (bonding with PPPoE on it) wouldn't really work, PPPoE is an L2 point-to-point protocol, so src and dst MAC are always the same and no proper Tx strategy will be able to spread traffic of single PPPoE connection over multiple physical links (if there are multiple PPPoE con...
by mkx
Mon Feb 12, 2024 12:01 am
Forum: Wireless Networking
Topic: hap ac2 switch chip vlan and WIFI setup with remote capsman
Replies: 10
Views: 609

Re: hap ac2 switch chip vlan and WIFI setup with remote capsman

is it possible to create config with vlans using switch chip features and working wifi? It is possible, but it involves quite a few tricks outside "the beaten path" ... so not for the faint of heart. Before taking that path one has to ask himself what gains are expected ... realistically.
by mkx
Sun Feb 11, 2024 11:55 pm
Forum: General
Topic: Can't access hEX (pretty urgent) [SOLVED]
Replies: 30
Views: 1356

Re: Can't access hEX (pretty urgent) [SOLVED]

Not really. If export was "verbose", then you could reset the new one to empty config, then importing it wouldn't clash with config already present. If export is not "verbose", then some things may be different (or missing). Not many, but still ...
by mkx
Sat Feb 10, 2024 4:31 pm
Forum: General
Topic: L009UiGS-RM low transfer and high CPU usage [SOLVED]
Replies: 14
Views: 708

Re: L009UiGS-RM low transfer and high CPU usage [SOLVED]

hAP ax2: 2625Mbps ... winner in "bang for buck" category.
by mkx
Fri Feb 09, 2024 11:32 pm
Forum: Beginner Basics
Topic: L2TP connection and the same LAN subnet IP
Replies: 10
Views: 762

Re: RDP connection and the same LAN subnet IP

It's not about tunnel establishment, it's about pushing routes from server to client. On MT L2TP those are configured for each user (these are created under /ppp/secret and routes are defined with property routes ). Corporate IP subnets should be set here along with L2TP server's tunnel local addres...
by mkx
Fri Feb 09, 2024 6:37 pm
Forum: General
Topic: Changelog Question
Replies: 21
Views: 868

Re: Changelog Question

I'm saying that reset to defaults would be great ... and I've only mentioned wifi as an example why other parts of config (apart from firewall) would benefit from it as well. One case is to get anything (other than nothing and disabled interfaces), the other case is to start over with configuration ...
by mkx
Fri Feb 09, 2024 6:15 pm
Forum: General
Topic: Changelog Question
Replies: 21
Views: 868

Re: Changelog Question

In 7.13 ability to reset /interface/wifi to defaults would be welcome for all WiFi5 devices previously running legacy wireless driver.
Actually, it does exist.
Great. But the command name is non-descriptive. Does it reset all the profiles as well?
by mkx
Fri Feb 09, 2024 5:53 pm
Forum: General
Topic: Changelog Question
Replies: 21
Views: 868

Re: Changelog Question

It would be helpful when there was a separate command/button to "reset firewall to default" Actually it would be good to have option to "reset to defaults" any configuration subsection. In 7.13 ability to reset /interface/wifi to defaults would be welcome for all WiFi5 devices p...
by mkx
Fri Feb 09, 2024 5:28 pm
Forum: General
Topic: Hex crashing with 7.5
Replies: 6
Views: 798

Re: Hex crashing with 7.5

If you have any special characters in your user name, for eg. š,č,ć
So đ and ž are fine? :lol:
by mkx
Fri Feb 09, 2024 5:17 pm
Forum: Beginner Basics
Topic: Drop invalid FW forward
Replies: 15
Views: 695

Re: Drop invalid FW forward

A comment on logged items: when either client or server decides to finish TCP connection, it'll send a packet with flags ACK and FIN to the other party. The other party will respond with FIN ACK as well. And any of parties might re-send FIN ACK (to make sure that the other party "gets it")...
by mkx
Fri Feb 09, 2024 3:29 pm
Forum: Beginner Basics
Topic: The ABC of CAPsMAN v2 (with updates) [SOLVED]
Replies: 41
Views: 1942

Re: The ABC of CAPsMAN v2 (with updates) [SOLVED]

And IMHO the possibility to override settings from an inherited profile is neat in some cases.

I'm not saying it's not neat, I agree with that. I'm saying that it's misleading (or confusing) as witnessed by @OP's experience.
by mkx
Fri Feb 09, 2024 8:56 am
Forum: Beginner Basics
Topic: L2TP connection and the same LAN subnet IP
Replies: 10
Views: 762

Re: RDP connection and the same LAN subnet IP

Some VPN software (clients in conjunction with server) solve the problem by disabling access to client local LAN entirely ... routing all the traffic (excluding VPN packets obviously) through VPN interface. Including local IP subnet. This then solves the problem you're seeing but introduces another ...
by mkx
Fri Feb 09, 2024 8:49 am
Forum: Beginner Basics
Topic: The ABC of CAPsMAN v2 (with updates) [SOLVED]
Replies: 41
Views: 1942

Re: The ABC of CAPsMAN v2 (with updates) [SOLVED]

When writing configuration profiles to be provisioned, each profile has a section where you select the security profile. This is where the problem occurs. The selection of the security profile does not fill-in the form: the authentication types and passphrase are not filled in automatically. Why sh...
by mkx
Fri Feb 09, 2024 8:39 am
Forum: General
Topic: Bricked RB1100AHX4
Replies: 5
Views: 412

Re: Bricked RB1100AHX4

Hooked a console cable up and here is the output Nothing after that? It seems like routerboot is fine. I'd check power supplies though. A few years ago MT had a batch of bad capacitors which bulged with time (and devices started to misbehave in most strange ways). This problem affected both power s...
by mkx
Fri Feb 09, 2024 8:34 am
Forum: General
Topic: Hex crashing with 7.5
Replies: 6
Views: 798

Re: Hex crashing with 7.5

I tried NetInstall, the device does not appear in the Router/Drives section. I noticed the LAN connection is also coming on and off along with the blinking USR/LAN led. It seems like router is in a boot loop. Netinstall should work, however netinstall is a very fragile process (linux breed not so m...
by mkx
Thu Feb 08, 2024 7:26 pm
Forum: Beginner Basics
Topic: CRS5 multiple vlans
Replies: 2
Views: 214

Re: CRS5 multiple vlans

According to this tutorial. Single bridge, two VLANs (ports either untagged/access or tagged/trunk). Bridge port doesn't have to be member of any (apart for management VLAN), certainly not having IP address (so no risk of CRS becoming a router).
by mkx
Thu Feb 08, 2024 1:24 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 885
Views: 233558

Re: v7.13.4 [stable] is released!

Today MT sites are slow for me, e.g. downloading PDF (a few MB brochure) takes ages. Forum keeps asking me to log in. Some other sites work just fine. And I'm not running 7.13.4. So what gives?
by mkx
Thu Feb 08, 2024 1:10 pm
Forum: RouterBOARD hardware
Topic: CUBE 60 AC vs CUBE 60 PRO SA
Replies: 2
Views: 296

Re: CUBE 60 AC vs CUBE 60 PRO SA

Is your wAP 60G "normal" wAP 60G or "AP" variant? If it's "normal", then you can't connect second client (i.e. option 2 is not feasible).
by mkx
Thu Feb 08, 2024 1:03 pm
Forum: RouterBOARD hardware
Topic: New hAP ax lite LTE
Replies: 199
Views: 24612

Re: New hAP ax lite LTE

Other cell tower and other band so may be normal.
Not necessarily different cell tower but definitely different band (2600MHz now vs. 1800MHz before).
by mkx
Thu Feb 08, 2024 12:57 pm
Forum: Wireless Networking
Topic: Wifi master interface not available on RB4011 [SOLVED]
Replies: 1
Views: 228

Re: Wifi master interface not available on RB4011 [SOLVED]

2.4GHz interface on RB4011 is not supported by new wifi drivers. Installing new wifi drivers disables loading the old ones. Additionally: replacing wireless with wifi doesn't convert old config, it has to be done from scratch. Read through this thread: https://forum.mikrotik.com/viewtopic.php?t=202578
by mkx
Thu Feb 08, 2024 12:49 pm
Forum: Beginner Basics
Topic: hap ax2 config copied to hap ax3?
Replies: 73
Views: 2695

Re: hap ax2 config copied to hap ax3?

Recommended reading about all the bridge personalities: viewtopic.php?t=173692

It should help understand VLAN tutorial better.
by mkx
Thu Feb 08, 2024 12:45 pm
Forum: Beginner Basics
Topic: Bridge filter rules not working
Replies: 26
Views: 1424

Re: Bridge filter rules not working

I don't have a CRS3xx device, so discussion in this thread is now beyond my knowledge.
by mkx
Wed Feb 07, 2024 6:44 pm
Forum: Announcements
Topic: v6.49.13 [stable] is released!
Replies: 24
Views: 9084

Re: v6.49.13 [stable] is released!

Why not provide a migration script?

Your script is inefficient ;-) . Here's one that does the same but using single command, fixed for use in v6:
/ipv6 firewall filter set dst-port=33434-33534 !port  [find comment="defconf: accept UDP traceroute" port=33434-33534]
by mkx
Wed Feb 07, 2024 6:40 pm
Forum: RouterBOARD hardware
Topic: CCR1072 1G-Port Speed and security
Replies: 3
Views: 389

Re: CCR1072 1G-Port Speed and security

Apart from being handled less efficiently by Tile CPU (it's handled via PCIe drivers etc. instead of directly by CPU like SFP+ ports) the only special treatment is that it's used for netinstall.
by mkx
Wed Feb 07, 2024 5:52 pm
Forum: Beginner Basics
Topic: Bridge filter rules not working
Replies: 26
Views: 1424

Re: Bridge filter rules not working

I'd say that with bridge filters it's similar to firewall filter: the lower the number of filters the better performance. But it all depends on what needs to be done. Which includes the ultimate drop all rule.
by mkx
Wed Feb 07, 2024 3:44 pm
Forum: Beginner Basics
Topic: Bridge filter rules not working
Replies: 26
Views: 1424

Re: Bridge filter rules not working

I'm pretty sure that accept and drop packets are different ... and thus trigger different rules. E.g.: 10:08:18 firewall,info accept forward: in:ether6 out:sfp1, connection-state:invalid src-mac 40:ed:00:a2:4a:b5, dst-mac ff:ff:ff:ff:ff:ff, eth-proto 0806 10:08:18 firewall,info drop forward: in:sfp1...
by mkx
Wed Feb 07, 2024 9:24 am
Forum: Wireless Networking
Topic: Wifi Disable [SOLVED]
Replies: 5
Views: 480

Re: Wifi Disable [SOLVED]

Try to set "disable-running-check=yes" on wifi interfaces. Reasoning: when no wifi station is connected to AP, then interface becomes "not running". And this signals to bridge that port is disconnected. When first station connects to AP, interface transitions to "running"...
by mkx
Wed Feb 07, 2024 9:02 am
Forum: Beginner Basics
Topic: Bridge filter rules not working
Replies: 26
Views: 1424

Re: Bridge filter rules not working

According to docs, bridge filter rules should behave like firewall filter rules (i.e. rule order matters, first matching executes and processing of further rules does not happen). Action to take if packet is matched by the rule: accept - accept the packet. No action, i.e., the packet is passed throu...
by mkx
Wed Feb 07, 2024 8:54 am
Forum: Beginner Basics
Topic: CCR2004-16G-2S multiple bridges or not?
Replies: 36
Views: 2317

Re: CCR2004-16G-2S multiple bridges or not?

Bottom-line, single bridge means packet is punted to CPU for inter-switch chip traffic… Don't know how I was wrong at all. Re-read post #10 above ... you claimed that single bridge means reduced throughput (you didn't go with CPU punting initially). And you claimed that one would have to use short ...
by mkx
Wed Feb 07, 2024 8:47 am
Forum: Beginner Basics
Topic: after subnet change, Winbox has no path to directly wired router
Replies: 11
Views: 835

Re: after subnet change, Winbox has no path to directly wired router

It's crucial to be aware that change of IP address used by router requires change in several places: /ip/address (and make sure you define proper subnet mask, e.g. /24, without setting it default is /32, so single-host "network" only) possibly /ip/route /ip/dhcp-server/pool /ip/dhcp-server...
by mkx
Wed Feb 07, 2024 8:37 am
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 885
Views: 233558

Re: v7.13.3 [stable] is released!

If they did it, then it was a poor design decision. It all boils down to space. Each package has its own overhead. The question is: "does the package overhead is bigger or smaller than the space we save breaking it up?" Mikrotik says it's bigger. I have no idea - but I think they know i...
by mkx
Tue Feb 06, 2024 11:15 pm
Forum: General
Topic: Possible problem with VLAN [SOLVED]
Replies: 11
Views: 789

Re: Possible problem with VLAN [SOLVED]

@Mesquite: my latest post is reply to request by @anav, it doesn't relate to config by @OP in any way. Added a warning in nice large letters not to mislead any potential reader.

Alas: as I wrote, it can be used as complete config of a switch (but I'm not asserting any context).
by mkx
Tue Feb 06, 2024 11:11 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 885
Views: 233558

Re: v7.13.3 [stable] is released!

And for static routes linux doesn't need to run any daemons.
It still needs some user-land program to manage static routes, and I strongly suspect they put everything routing into a single binary.
If they did it, then it was a poor design decision.
by mkx
Tue Feb 06, 2024 10:56 pm
Forum: General
Topic: Possible problem with VLAN [SOLVED]
Replies: 11
Views: 789

Re: Possible problem with VLAN [SOLVED]

I'm not good in plain English, it's alien to me (or is foreign correct word? :wink:) Warning: config in this post is a hypothetical example and has nothing to do with actual config by @OP Example: device is used as a switch, so there's a bridge spanning ether1-5 and SFP. There are a few VLANs, e.g. ...
by mkx
Tue Feb 06, 2024 10:01 pm
Forum: General
Topic: User poll about using Winbox
Replies: 91
Views: 35661

Re: User poll about using Winbox

Don't get me wrong, I'm not against having native linux version of winbox (and I don't really care about macOS :wink:), I'm just saying that rewriting it in java would be dumbest thing to do (and, let's admit it, java application isn't native in any of normal OSes, android is not one). But if MT doe...
by mkx
Tue Feb 06, 2024 9:43 pm
Forum: Beginner Basics
Topic: Bridge filter rules not working
Replies: 26
Views: 1424

Re: Bridge filter rules not working

Error on my side could be is that I disabled HW offload on ether6 and not on the other ports... So far I lived with belief that it's enough to disable HW offload on one of ports involved in communication and the whole (bi-directional) traffic should pass CPU. It does seem that sometimes a power cyc...
by mkx
Tue Feb 06, 2024 9:34 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 885
Views: 233558

Re: v7.13.3 [stable] is released!

In 7.13.3 arm npk route binary is actually the largest one, it is so huge at 541k compressed (1.4M unpacked) that I am pretty sure it contains linked in some kind of routing daemons to support OSPF, BGP, RIP etc... and although separating those daemons probably would not be an easy task it makes se...
by mkx
Tue Feb 06, 2024 2:32 pm
Forum: Announcements
Topic: v6.49.13 [stable] is released!
Replies: 24
Views: 9084

Re: v6.49.13 [stable] is released!

I diffed for you all: Thanks 1000x! Now I can skip upgrade and do the right thing (which is harden the firewall) which wouldn't happen as @infabo rightfully points out). And, BTW, 7.13.2 has same (erroneous) IPv6 firewall rule in default config. And documentation as of writing this has the same rule...
by mkx
Tue Feb 06, 2024 12:30 pm
Forum: Beginner Basics
Topic: Bridge filter rules not working
Replies: 26
Views: 1424

Re: Bridge filter rules not working

I tried to disable HW offload but then there is no connection with or without rules. The thing is: as long as HW offload is active, you won't be able to block unicast traffic between pair of offloaded ports using firewall ... for that traffic has to pass via CPU. The reason you're seeing multicasts...
by mkx
Tue Feb 06, 2024 9:15 am
Forum: Beginner Basics
Topic: Bridge filter rules not working
Replies: 26
Views: 1424

Re: Bridge filter rules not working

/interface bridge filter add action=drop chain=forward in-interface=ether6 log=yes log-prefix=filter \ src-mac-address=10:27:F5:66:03:36/FF:FF:FF:FF:FF:FF Using bridge port as in-interface isn't correct AFAIK. If using use-ip-firewall=yes , then it should be possible to use in-bridge-interface inst...
by mkx
Tue Feb 06, 2024 8:43 am
Forum: Beginner Basics
Topic: Default Firewall Rules for CRS326
Replies: 6
Views: 464

Re: Default Firewall Rules for CRS326

I have 800/20 Mbps internet connection (via Motorola cable modem). It seems hAP x2 might be a bit lean. hAP ac2 seems to perform roughly the same as hAP ax2 (test results are not directly comparable 1:1, ac2 was tested running ROS v6 and it's known that ROS v6 has a bit better routing performance t...
by mkx
Tue Feb 06, 2024 8:28 am
Forum: General
Topic: User poll about using Winbox
Replies: 91
Views: 35661

Re: User poll about using Winbox

Please rewrite winbox in Java, so that non-Windows users can finally remove 2GB of wine... . WebFig is built-in and sufficiently useful Winbox is not built-in and superfluous So we can agree that the only essential difference between Winbox and WebFig is the ability of former to connect device even...
by mkx
Mon Feb 05, 2024 10:19 pm
Forum: Beginner Basics
Topic: Default Firewall Rules for CRS326
Replies: 6
Views: 464

Re: Default Firewall Rules for CRS326

Depending on your WAN speed you might get away by purchasing a humble ARM-based mikrotik to be used as router. It seems that hAP devices provide best price/performance ... in particular hAP ax2 or hAP ax3 or hAP ac2. They all consume up to around 15W. WiFi is a bonus (or you can disable it or even u...
by mkx
Mon Feb 05, 2024 8:13 pm
Forum: Beginner Basics
Topic: Default Firewall Rules for CRS326
Replies: 6
Views: 464

Re: Default Firewall Rules for CRS326

Two things: CRS is a switch, not a router and definitely not a firewall. Yes, since it can run ROS, it can perform those tasks ... but very slowly. Default config of CRS is config of a switch. If you, despite bullet #1 above, insist on using it as router/firewall, then you'll have to configure it. ...
by mkx
Mon Feb 05, 2024 8:04 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 885
Views: 233558

Re: v7.13.3 [stable] is released!

Switches are not a problem, ROS 7.13.2 running on ARM (hAP ac2) without any wireless package uses around 12.2MB storage (switches should be fine without any optional packages).
Problem are all ARM wireless devices with 16MB flash.
by mkx
Mon Feb 05, 2024 4:56 pm
Forum: General
Topic: Bridge filter rules.. Dropping all devices except my access points
Replies: 9
Views: 479

Re: Bridge filter rules.. Dropping all devices except my access points

And how to do it for eg on L009 ? Is it better to use bridge filter rules or firewall rules ? Since you have to choose between CPU-intensive (bridge filter) and CPU-intensive (firewall filter) and it's about MAC stuff (i.e. L2), I'd choose bridge filters. L009 doesn't support bridge L2HW offload so...
by mkx
Mon Feb 05, 2024 4:54 pm
Forum: General
Topic: Bridge filter rules.. Dropping all devices except my access points
Replies: 9
Views: 479

Re: Bridge filter rules.. Dropping all devices except my access points

Sooo I ended up changing the access points to the VLANs and then setting ports to Admit-only-vlan-tagged.. but now they don't show up on /ip neighbor print.
Did you adjust discover-interface-list (and/or interface list membership)? Under /ip/neighbor/discovery-settings/ ...
by mkx
Mon Feb 05, 2024 2:48 pm
Forum: General
Topic: using POE to power the CCR1009 on port 7 [SOLVED]
Replies: 2
Views: 330

Re: using POE to power the CCR1009 on port 7 [SOLVED]

I didn't check the specs of those power supplies, but in principle any of them would do as long as it provides at least 39W of power (and that the UTP cable between RBGPOE and CCR1009 is not too long). Or whatever your particular breed of CCR1009 (there are several) is specified to consume. RBGPOE i...
by mkx
Mon Feb 05, 2024 2:40 pm
Forum: Beginner Basics
Topic: Apache on public IP ( Forwarding )
Replies: 9
Views: 440

Re: Apache on public IP ( Forwarding )

Shouldn't port 80 be enabled and started in the IP service list? In the photo I sent you, only port 8291 is open. No, this is list of services provided by router (port 80 is used for WebFig ... since you're using WinBox, you probably don't need WebFig). NAT has no relation with the list on this scr...
by mkx
Mon Feb 05, 2024 2:24 pm
Forum: Beginner Basics
Topic: Problem with VLAN and WebFig [SOLVED]
Replies: 3
Views: 294

Re: Problem with VLAN and WebFig [SOLVED]

First of all, disable detect internet function, it serves no purpose in your case: /interface detect-internet set detect-interface-list=none Is this complete config? Default config on SOHO devices contains lot more and many things are depending on LAN and WAN interface list membership current. The c...
by mkx
Sun Feb 04, 2024 10:07 pm
Forum: RouterBOARD hardware
Topic: Switch with two SFP port [SOLVED]
Replies: 11
Views: 726

Re: Switch with two SFP port [SOLVED]

Not so sure, both of them have only 16MB of storage so you could run into same issue you ran into with hex lite. With 7.13 it's possible to uninstall wireless (on hAP lite it's sensible to keep it) which makes lots of free space on permanent storage. And I'm pretty sure that ROS v7 runs comfortably...
by mkx
Sun Feb 04, 2024 11:56 am
Forum: General
Topic: Bridge filter rules.. Dropping all devices except my access points
Replies: 9
Views: 479

Re: Bridge filter rules.. Dropping all devices except my access points

AFAIK adding bridge filters on CRS3xx drops L2 HW offload. On those switches one should be using ACLs under /interface ethernet switch rule .

I'd go with VLANs though, makes adding devices (or moving them between switches) so much easier.
by mkx
Sun Feb 04, 2024 11:27 am
Forum: Beginner Basics
Topic: hap ax2 config copied to hap ax3?
Replies: 73
Views: 2695

Re: hap ax2 config copied to hap ax3?

Rebooting a router is highly disruptive to all LAN ... the fix would be not to do it. In particular: is your PC connected directly to router (either by wire or wireless)? If not (e.g. there's a switch / another AP in between), then PC doesn't notice that LAN got disrupted and assumes it doesn't hav...
by mkx
Sun Feb 04, 2024 11:13 am
Forum: Beginner Basics
Topic: From slave to master port eth1 - how to fix?
Replies: 1
Views: 208

Re: From slave to master port eth1 - how to fix?

Having a bridge implies multiple member ports. Additionally adding an interface to a bridge demotes it to port, interface "duties" are transferred to bridge "interface". So you should move DHCP client to WAN interface. It's similar to what you have with LAN: IP address and DHCP se...
by mkx
Sat Feb 03, 2024 7:28 pm
Forum: Wireless Networking
Topic: How do you specify the location in ROS 7? [SOLVED]
Replies: 11
Views: 596

Re: How do you specify the location in ROS 7? [SOLVED]

There are people in this forum who are way more knowledgeable on this and other subjects than me. If I raise a support ticket, I'll be asked questions that I might not be able to answer. Even @normis posted a few times in some topic or another ... asking topic author to open support ticket and to m...
by mkx
Sat Feb 03, 2024 7:22 pm
Forum: Wireless Networking
Topic: RB and AX Devices CapsMan compability [SOLVED]
Replies: 6
Views: 405

Re: RB and AX Devices CapsMan compability [SOLVED]

See wireless package for controlling legacy wifi devices.
Beware that by installing legacy wireless package on hAP ax3 (to get legacy capsman) you're losing wireless on hAP ax3 itself. See viewtopic.php?t=202578
by mkx
Sat Feb 03, 2024 5:32 pm
Forum: Wireless Networking
Topic: cAP AC VLAN Switching - Hardware Offload
Replies: 5
Views: 1559

Re: cAP AC VLAN Switching - Hardware Offload

Within this setup why do we need an additional bridge per vlan? Isn't it enough to add the vlan interfaces as slaves to the main bridge? It's really about the first sentence in my post which you chose to omit from the quote: if for some reason you can't/don't want to run bridge as VLAN-aware entity...
by mkx
Sat Feb 03, 2024 3:51 pm
Forum: General
Topic: RB3011 different storage size
Replies: 5
Views: 318

Re: RB3011 different storage size

Yup. Repartition on both unused partitions. Partition which remains is left intact (apart from growing).
by mkx
Sat Feb 03, 2024 3:05 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 65
Views: 3134

Re: [Discussion] MikroTik configuration abstraction complexity

why does ROS not resolve the caveats behind the curtains magically without having the user to know every aspect of any platform and what is wrong and right depending on just a piece of chipset/hardware. Because MT obviously lacks a few developers to do something from start to end and not stop half ...
by mkx
Sat Feb 03, 2024 1:36 pm
Forum: RouterBOARD hardware
Topic: Detect PoE-IN
Replies: 2
Views: 487

Re: Detect PoE-IN

Generally it's not possible to determine power source, used by MT device. This includes all power sources (barrel jacks, PoE, terminal blocks). If device does report supply voltage, and voltages, provided to different power inputs are distinctively different, then checking this status helps to deter...
by mkx
Sat Feb 03, 2024 1:20 pm
Forum: Wireless Networking
Topic: How do you specify the location in ROS 7? [SOLVED]
Replies: 11
Views: 596

Re: How do you specify the location in ROS 7? [SOLVED]

Ahh... that's not good is it. Certainly has the small potential for getting you into hot water? Once again, a quick reply from a developer here would help the speculation. Very likely devs reply won't be seen here. This is a bug so one should open a support ticket. Only this gives some chances to s...
by mkx
Sat Feb 03, 2024 1:13 pm
Forum: General
Topic: hAP ac lite slow ethernet [SOLVED]
Replies: 17
Views: 733

Re: hAP ac lite slow ethernet [SOLVED]

when you have it configured as a switch without a firewall, is fast track even a thing?

No, fasttrack is firewall thing (specifically: filter part with connection tracking working; raw doesn't relate to fasttrack).
by mkx
Sat Feb 03, 2024 12:55 pm
Forum: General
Topic: Routing over subnet split (port based DHCP workaround) [SOLVED]
Replies: 4
Views: 311

Re: Routing over subnet split (port based DHCP workaround) [SOLVED]

Basic problem: how are devices in DUT network (with IP addresses 172.16.0.X/24) supposed to know that IP addresses of your docks are behind a router (docks' addresses are 172.16.0.Y/30). From DUT device point of view these IP addresses are in same /24 subnet and are supposed to be accessible directly...
by mkx
Sat Feb 03, 2024 12:25 am
Forum: Wireless Networking
Topic: WiFi inside metal buildings?
Replies: 7
Views: 388

Re: WiFi inside metal buildings?

Other than the radio interference, is there any issue using 2 WiFi cards on a single device?

As long as additional card is supported by ROS there should not be any problems other than possibly destructive interference from the other radio.
by mkx
Fri Feb 02, 2024 10:10 pm
Forum: General
Topic: Possible problem with VLAN [SOLVED]
Replies: 11
Views: 789

Re: Possible problem with VLAN [SOLVED]

... looks like SFP port is connected to the CPU so looks like if SFP is used as trunk towards other switches all traffic must go through CPU ? Yes, that's right. The block diagram shows that if hEX S is used as a switch, then using SFP port cripples it quite severely: traffic to/from SFP has to pass...
by mkx
Fri Feb 02, 2024 10:00 pm
Forum: Wireless Networking
Topic: WiFi inside metal buildings?
Replies: 7
Views: 388

Re: WiFi inside metal buildings?

Ideally you'd use dual-band device with separate detachable antennae for both bands (at least one band has to utilize detachable antennae so you can place them outside, indoor band can use built-in antennae). Then use one band outside as backhaul and another band inside as AP for guests. From capaci...
by mkx
Fri Feb 02, 2024 9:46 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 142960

Re: v7.14beta [testing] is released!

Maybe legacy SMB needed more space than the new one. Could that be? It doesn't matter. What matters is that there's now rose-storage optional package which neatly packs various network file sharing protocols (SMB, NFS, iSCSI, etc.) and it's a great opportunity to declare that if somebody wants to u...
by mkx
Fri Feb 02, 2024 9:27 pm
Forum: Wireless Networking
Topic: Unable to use 5580/Ceee on hAP ax2 but can on hAP ac lite [SOLVED]
Replies: 19
Views: 715

Re: Unable to use 5580/Ceee on hAP ax2 but can on hAP ac lite [SOLVED]

accept the fact they have to wait for 10 minutes before wifi appears Considering my neighbour's Virgin Media Superhub is sat on the 10 minute CAC frequency It doesn't matter what other APs do. CAC requires for device to sit silent for specified period of time and listen for anything resembling rada...
by mkx
Fri Feb 02, 2024 9:12 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 142960

Re: v7.14beta [testing] is released!

!) rose-storage - moved SMB service in the RouterOS bundle; !) smb - removed legacy SMB service (replaced with newer and faster ROSE SMB service); While it may be good to retire legacy SMB service from ROS (so I welcome the second bullet) I think that moving SMB service from ROSE to main bundle is ...
by mkx
Fri Feb 02, 2024 9:03 pm
Forum: General
Topic: Possible problem with VLAN [SOLVED]
Replies: 11
Views: 789

Re: Possible problem with VLAN [SOLVED]

It seems that your hEX S suffers from the same bug as devices with dual switch chips (e.g. RB4011). The bug being in the way bridge configures switch chip for HW offload. Normally the CPU-switch chip interconnect only has to pass VLANs of which bridge port is member. But in case where this interconn...
by mkx
Fri Feb 02, 2024 8:38 pm
Forum: Beginner Basics
Topic: hap ax2 config copied to hap ax3?
Replies: 73
Views: 2695

Re: hap ax2 config copied to hap ax3?

Unless I am reading the wireless specification table wrong: the AX2 achieves the same receive-sensitivity with less transmit power. Isn't that better? Tx power helps client to hear AP better. Rx sensitivity helps AP to hear better. So they are pretty unrelated. The difference in Tx power between ax...
by mkx
Fri Feb 02, 2024 4:16 pm
Forum: Wireless Networking
Topic: Unable to use 5580/Ceee on hAP ax2 but can on hAP ac lite [SOLVED]
Replies: 19
Views: 715

Re: Unable to use 5580/Ceee on hAP ax2 but can on hAP ac lite [SOLVED]

So on a ROS v7 device out the box, it will never use the DFS channels with 10 minute CAC MT seems to be more user-oriented lately. They obviously received a fair share of "my 5GHz wifi doesn't work after I unpack device" complaints and decided to make things converge faster by disabling 1...
by mkx
Thu Feb 01, 2024 10:48 pm
Forum: General
Topic: LHG 52 ac Wireless performance
Replies: 1
Views: 189

Re: LHG 52 ac Wireless performance

When signal strength is too high, receiver gets overwhelmed and perceives increased noise level. Solution is to do something to decrease signal level to a bearable level, usually that's around -50dBm (or slightly better, around -45dBm). Technically: receiver needs certain signal level to successfully...
by mkx
Thu Feb 01, 2024 10:18 pm
Forum: Beginner Basics
Topic: Device accessible from any Address(/ip address)?
Replies: 4
Views: 314

Re: Device accessible from any Address(/ip address)?

It's not about addresses, it's actually about (router's L3) interfaces. If L3 of router (which does routing and firewalling, in most cases you can think of CPU) receives packet via one of interfaces and ultimately sends the packet (possibly altered due to NAT) out via one of interfaces (it can even ...
by mkx
Thu Feb 01, 2024 10:01 pm
Forum: Beginner Basics
Topic: need help with choosing right hardware stack for a home office [SOLVED]
Replies: 12
Views: 667

Re: need help with choosing right hardware stack for a home office [SOLVED]

... see if Audience is acceptable ... but no idea how well they work. My audience, running 7.13.2 and wifi-qcom-ac, runs excellently. Just tested with recent smart phone: it connects with 866Mbps rate (both Tx and Rx) and running speedtest gives around 570Mbps in download (and caps at ISP line rate...
by mkx
Thu Feb 01, 2024 1:56 pm
Forum: Beginner Basics
Topic: VLAN-Internet Access from WAN
Replies: 4
Views: 332

Re: VLAN-Internet Access from WAN

You didn't include info about particular device model. Anyway, as @Mesquite noted, ROS running is awfully old. So it's really essential to get up to 6.49.10. Config is based on ancient defaults, so it's actually sub-optimal in the area I mentioned previously (routing, firewalling). The best would be...
by mkx
Thu Feb 01, 2024 11:57 am
Forum: Wireless Networking
Topic: hAP ax3/ac3 antenna options / specification
Replies: 6
Views: 2192

Re: hAP ax3/ac3 antenna options / specification

But are specifically the ac3/ax3 antennas actually a MIMO setup?

Or more simply the 2.4 GHz radio is connected to one antenna and the 5 Ghz radio is connected to the other?
They are MIMO antennae.
by mkx
Thu Feb 01, 2024 11:52 am
Forum: Beginner Basics
Topic: VLAN-Internet Access from WAN
Replies: 4
Views: 332

Re: VLAN-Internet Access from WAN

After VLAN is "terminated" on a router (by assigning router an IP address on appropriate VLAN interface), packets don't have VLAN association any more. It's up to routing and firewall rules to properly pass packets in any direction (including proper SRC NAT and DST NAT if needed). Default ...
by mkx
Thu Feb 01, 2024 11:39 am
Forum: Virtualization
Topic: mikrotik RouterOS can work on Banana Pi R4
Replies: 4
Views: 408

Re: mikrotik RouterOS can work on Banana Pi R4

Yup. Even when software for Ampere (ARM-based general purpose machines) becomes available it almost definitely won't allow running on 3rd party ARM-based hardware (Banana Pi R4 falls into this category) because it'll lack most of needed drivers for peripheral hardware (switch chip, SPI flash, etc.).
by mkx
Thu Feb 01, 2024 8:59 am
Forum: Virtualization
Topic: hAP lite - not enough space for update
Replies: 9
Views: 2094

Re: hAP lite - not enough space for update

If anyone is interested, I've successfully upgraded a hap lite remotely from 7.10.1 to 7.13.3 directly. For the record: the only reason for the "recommended" / "required" upgrade path <early v7> -> 7.12 -> <7.13 or later> is when one uses ROS mechanism of upgrading packages ( /s...
by mkx
Thu Feb 01, 2024 8:47 am
Forum: Scripting
Topic: RouterOSv7 - Terminal is substantially worse to use?
Replies: 9
Views: 1005

Re: RouterOSv7 - Terminal is substantially worse to use?

The ? key does nothing F1 key is supposed to do the same. The problem I observed is that some terminal programs don't send proper F1 key codes so sometimes F1 works and sometimes it doesn't. The TAB autocomplete could definitely be better, I agree with that. I guess it only autocompletes the first ...
by mkx
Thu Feb 01, 2024 8:34 am
Forum: Wireless Networking
Topic: hAP ax3/ac3 antenna options / specification
Replies: 6
Views: 2192

Re: hAP ax3/ac3 antenna options / specification

* Note that some 2x2 MIMO antennae are designed to operate perpendicular to one another, i.e. one is vertically polarized and the other is horizontally polarized. The hAP ac3 and ax3 appear to be designed for parallel antennae. I am not sure if they can handle perpendicular, though this is exactly ...
by mkx
Thu Feb 01, 2024 8:11 am
Forum: General
Topic: How does IP -> Raw -> Content work?
Replies: 1
Views: 197

Re: How does IP -> Raw -> Content work?

(the old) firewall manual says: content (string; Default: ) Match packets that contain specified text So it really only matches packets which contain set string in full. Not even connection but only packet. So basically this may match one of initial packets where client includes server name in SNI ....
by mkx
Wed Jan 31, 2024 3:06 pm
Forum: RouterBOARD hardware
Topic: Everything but hAP ax2 is pointless?
Replies: 23
Views: 1473

Re: Everything but hAP ax2 is pointless?

I use one as switch on my desktop. So, is it a good switch, but not such a good router? RB2011 is not even a particularly good switch, because it's a combo of one 5-port 100Mbps switch and one 5-port 1Gbps switch ... with decent but not great interconnect. L009 will be much better switch as all the...
by mkx
Wed Jan 31, 2024 2:59 pm
Forum: Beginner Basics
Topic: Speed and CPU issue with HEX s
Replies: 28
Views: 1982

Re: Speed and CPU issue with HEX s

Ah, I misread the part you are talking about most performant setup (where voice doesn't work). I'm not sure how much better this can work, test results for your hEX S indicate that it may be capped at 380Mbps (give or take) of routing speed real life. Regarding PoE: it might work with some tweaking:...
by mkx
Wed Jan 31, 2024 2:50 pm
Forum: Wireless Networking
Topic: cAP AC VLAN Switching - Hardware Offload
Replies: 5
Views: 1559

Re: cAP AC VLAN Switching - Hardware Offload

It really boils down to the question: do you need traffic between ether1 and ether2 to be wirespeed and no impact on CPU or not? If the answer is yes, then it's necessary to configure things on switch chip (as @robtor already mentioned). And live with basic bridge which doesn't handle VLAN tags. Sin...
by mkx
Wed Jan 31, 2024 2:38 pm
Forum: Wireless Networking
Topic: Any plans for spectrum analyzer on new wifi6 products?
Replies: 9
Views: 488

Re: Any plans for spectrum analyzer on new wifi6 products?

... as essential of a tool as a RJ45 crimper....

What's wrong with prefabricated UTP patch cables? :wink:
by mkx
Wed Jan 31, 2024 2:35 pm
Forum: Announcements
Topic: Newsletter #116 | January 2024
Replies: 90
Views: 23459

Re: Newsletter #116 | January 2024

WiFi6 Vending Machines hahahahahaha Quality
Serves you coffee and serves wifi to your kids or younger co-workers. Everybody happy.
by mkx
Wed Jan 31, 2024 2:34 pm
Forum: Beginner Basics
Topic: Speed and CPU issue with HEX s
Replies: 28
Views: 1982

Re: Speed and CPU issue with HEX s

I already mentioned possible reason for the whole thing not working according to wishes: it can be (IMO it's even very probable) that phone needs some tagged VLAN which is used to transport VoIP data ... and you don't have it configured. You need that info from trusted source (hopefully ISP can prov...
by mkx
Wed Jan 31, 2024 2:24 pm
Forum: General
Topic: Slow interface performance CRS326-24G-2S+ [SOLVED]
Replies: 2
Views: 277

Re: Slow interface performance CRS326-24G-2S+ [SOLVED]

It seems that HW offload is disabled for some reason on those certain ports. Execute /interface/bridge/port/print on terminal window and check if all ports have a 'H' in status column (between index number and interface name, without column header). If you can not determine which setting does it, th...
by mkx
Wed Jan 31, 2024 2:19 pm
Forum: Beginner Basics
Topic: Assignment of one client to 5GHz and other client to 2.4 GHz
Replies: 8
Views: 520

Re: Assignment of one client to 5GHz and other client to 2.4 GHz

First thing to find out is to see if IoT communications can pass over router. There are two aspects: can you manually set IP address of IoT controller (or individual devices, whatever applies to your IoT swarm) in smart phone app. Or does it insist on auto-discovery instead? Autodiscovery generally ...
by mkx
Wed Jan 31, 2024 12:28 pm
Forum: Wireless Networking
Topic: Same IP addresses in two datapaths in Capsman WiFi 6 RB 7.13.2
Replies: 2
Views: 209

Re: Same IP addresses in two datapaths in Capsman WiFi 6 RB 7.13.2

You don't mention VLANs, so I gather you used to use local-forwarding=no (or, in other words, capsman forwarding) in old setup. However, capsman forwarding is not possible in new capsman, so all traffic breaks out on individual CAPs ... and to keep separation one has to dive into VLANs. If my guessw...
by mkx
Wed Jan 31, 2024 12:15 pm
Forum: Virtualization
Topic: SR-IOV with CHR - What hypervisors are you using ?
Replies: 15
Views: 1025

Re: SR-IOV with CHR - What hypervisors are you using ?

... it might be justified to consider solutions like vSphere/Hyper-V. Is it just me ... but it seems to me that Tom "North Idaho" is currently using VMware / vSphere / ... and is looking into replacing it with another virtualization platform. Quite probably due to how Broadcom/VMware is c...
by mkx
Wed Jan 31, 2024 8:50 am
Forum: Beginner Basics
Topic: Assignment of one client to 5GHz and other client to 2.4 GHz
Replies: 8
Views: 520

Re: Assignment of one client to 5GHz and other client to 2.4 GHz

If you want to connect to IoT devices using your wireless gadget, then these two don't have to be connected to same SSID. It's all about network layout and there are many ways to skin the sheep. Which way is most optimal is up to (high level) requirements and we don't know your requirements so that ...
by mkx
Tue Jan 30, 2024 10:03 pm
Forum: SwOS
Topic: from network to network without a gateway
Replies: 4
Views: 680

Re: from network to network without a gateway

To let two network communicate without going through a router, you need a level3 switch. L3 switch is a router by definition ... because it acts as a router in a sense that devices explicitly use it as a gateway. It may not support all the routing bells and whistles (e.g. routing protocols), but st...
by mkx
Tue Jan 30, 2024 9:49 pm
Forum: Wireless Networking
Topic: Wifi-qcom-ac, United Kingdom no Band C support
Replies: 6
Views: 419

Re: Wifi-qcom-ac, United Kingdom no Band C support

Could be that MT failed to certify ac/ax gear (running wifi driver) as SRD?
by mkx
Tue Jan 30, 2024 9:21 pm
Forum: Beginner Basics
Topic: Assignment of one client to 5GHz and other client to 2.4 GHz
Replies: 8
Views: 520

Re: Assignment of one client to 5GHz and other client to 2.4 GHz

The easiest way is to set different SSIDs to both wireless interfaces (you may keep same PSK for both, but you can set them different as well). Then configure stations to connect to whichever you want them to ... and make sure they don't "remember" the other SSID so that they don't connect...
by mkx
Tue Jan 30, 2024 9:07 pm
Forum: Beginner Basics
Topic: Improve firewall
Replies: 5
Views: 535

Re: Improve firewall

Thank you for your explanation. Generally, I think similarly, but this is just my speculation - I have not found evidence anywhere that this is actually the case - and how much it differs. Since MT firewall is essentially UI/frontend to iptables of Linux kernel, I guess you could dig the answer to y...
by mkx
Tue Jan 30, 2024 8:11 am
Forum: Beginner Basics
Topic: Vlan setup on multiple devices
Replies: 1
Views: 252

Re: Vlan setup on multiple devices

Have a look at this excellent VLAN tutorial, it's got example with switch configuration.
by mkx
Mon Jan 29, 2024 10:16 pm
Forum: General
Topic: To xSTP...or not [SOLVED]
Replies: 4
Views: 437

Re: To xSTP...or not [SOLVED]

As long as you're sure there won't be any (physical) loops in your network, then you can set anything between none and mstp. However, if you foresee loops (could even be they are there by LAN design), then you need some variant of STP. If you want to have physical loops but from VLAN topology point ...
by mkx
Mon Jan 29, 2024 10:09 pm
Forum: General
Topic: Mikrotik config forweb sites [SOLVED]
Replies: 2
Views: 284

Re: Mikrotik config forweb sites [SOLVED]

What I need to know is if a mikrotik router can help me configure the network so that I can connect domain names to each web site in my servers. It can't. Mikrotik router only works with L3 (IP) and L4 (TCP), you're asking for L6. So what you need is a proper reverse proxy which would accept requ...
by mkx
Mon Jan 29, 2024 10:00 pm
Forum: Beginner Basics
Topic: VLAN question
Replies: 12
Views: 987

Re: VLAN question

As I already wrote: I'm afraid that your "lab test" on "production" hardware won't succeed without disturbance to your "production" networks. Because, like I wrote, you may have to reboot your device to get config actually applied.
by mkx
Mon Jan 29, 2024 6:40 pm
Forum: Beginner Basics
Topic: Approximately 5s delay in TCP connections when using a static route via an address on bridge [SOLVED]
Replies: 9
Views: 2519

Re: Approximately 5s delay in TCP connections when using a static route via an address on bridge [SOLVED]

... I'm still noticing some issues in pcaps You may want to analyze these particular packets in depth. It seems that there was some out-of-order delivery. At the same time it mentions "reassembled PDUs" while size is larger than 1500 bytes. This might be due to wireguard's overhead ... wh...
by mkx
Mon Jan 29, 2024 6:12 pm
Forum: General
Topic: currently-untagged contradicts untagged [SOLVED]
Replies: 11
Views: 546

Re: currently-untagged contradicts untagged [SOLVED]

Whatever settings you see under /interface/bridge/port, e.g. pvid or frame-types, which can be set on bridge itself (/interface/bridge) are about bridge port (CPU-facing port member of bridge). So yes, setting bridge port with frame-types=admit-only-vlan-tagged and adding bridge port as untagged me...
by mkx
Mon Jan 29, 2024 3:17 pm
Forum: Beginner Basics
Topic: Router blocks communication
Replies: 55
Views: 2887

Re: Router blocks communication

I do see an IP here. So this shouldn't be the problem?

It only proves that router itself can resolve FQDN to IP address. IMO it's still doubtful if wireless stations can do it as it's highly possible that they don't receive DNS server addresses with DHCP lease.
by mkx
Mon Jan 29, 2024 2:57 pm
Forum: General
Topic: currently-untagged contradicts untagged [SOLVED]
Replies: 11
Views: 546

Re: currently-untagged contradicts untagged [SOLVED]

> includes also ports which are implicitly untagged members of that VLAN (e.g. because they have PVID set in /interface/bridge/port Is that so? Even when vlan-filtering=yes and ingress-filtering=yes? If I remember correctly, then setting vlan-filtering=yes will prevent ports dynamically added to the ...
by mkx
Mon Jan 29, 2024 2:02 pm
Forum: Beginner Basics
Topic: Router blocks communication
Replies: 55
Views: 2887

Re: Router blocks communication

You should see IP address on the terminal: [user@router] > put [:resolve cloud.plejd.com ] 52.209.92.67 If you get nothing, then DNS resolver on your mikrotik doesn't work. Even more ... if you didn't redact too much, then you have /ip dhcp-server network add address=** comment=defconf gateway=** wh...
by mkx
Mon Jan 29, 2024 1:49 pm
Forum: Beginner Basics
Topic: Speed and CPU issue with HEX s
Replies: 28
Views: 1982

Re: Speed and CPU issue with HEX s

As I indicated in my previous post: your current config expects ISP to talk via tagged VLAN with VID=15: /interface bridge vlan add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=15 But is it? If it's not talking tagged, then remove ether1 from list of tagged members of VLAN 15 (and leave pvid sett...
by mkx
Mon Jan 29, 2024 12:31 pm
Forum: Beginner Basics
Topic: CRS112-8g VLAN challenges
Replies: 13
Views: 630

Re: CRS112-8g VLAN challenges

Can you please help me with what I'm doing wrong with my configuration anyways? Apart from VLAN interfaces (which allows CPU to talk to individual VLANs) you don't have any VLAN configuration in place. So none of ports are members of any of VLANs. Have a look at CRS1xx switch configuration examples...
by mkx
Mon Jan 29, 2024 12:23 pm
Forum: General
Topic: currently-untagged contradicts untagged [SOLVED]
Replies: 11
Views: 546

Re: currently-untagged contradicts untagged [SOLVED]

You see, ether3-green is not listed in untagged, but it is listed in current-untagged. How is this possible??? As far as I know, untagged property is settable by config and includes only ports which were explicitly added as untagged ports. current-untagged shows actual running value (if you wish) a...
by mkx
Mon Jan 29, 2024 9:12 am
Forum: Beginner Basics
Topic: Dst-nat not seeing traffic from Cloudflare
Replies: 4
Views: 324

Re: Dst-nat not seeing traffic from Cloudflare

I was surprised that adding the filter didn't seem to have an immediate effect ... It's typical that changes in firewall filters might not have immediate effect as they only affect new connections. But that explains only connections which were already established at time of firewall filter changes....
by mkx
Mon Jan 29, 2024 9:07 am
Forum: Beginner Basics
Topic: Speed and CPU issue with HEX s
Replies: 28
Views: 1982

Re: Speed and CPU issue with HEX s

These two settings contradict each other: /interface bridge add name=bridge1 protocol-mode=none pvid=15 vlan-filtering=yes /interface vlan add interface=bridge1 name=vlan15 vlan-id=15 If you're using vlan interface, anchored off bridge1, then bridge1 has to be tagged for that VLAN. So I suggest you ...
by mkx
Mon Jan 29, 2024 8:55 am
Forum: Beginner Basics
Topic: VLAN question
Replies: 12
Views: 987

Re: VLAN question

The full config you posted shows that VLAN-filtering is not enabled on bridge-home-88 ... without it, pvid settings don't work and hence ingress traffic via ether1, ether11, ether12 and sfp-sfpplus-1 don't get tagged.
by mkx
Sun Jan 28, 2024 4:46 pm
Forum: General
Topic: migration from RB2011UiAS-2HnD to L009UiGS-2HaxD-IN
Replies: 6
Views: 791

Re: migration from RB2011UiAS-2HnD to L009UiGS-2HaxD-IN

It's not possible ... RB2011 has 10 ether ports, L009 has only 8. RB2011 supports configuration directly on switch chips, L009 doesn't (or has severely reduced set of configuration options). Etc. It also includes new wifi driver which requires config style which is completely different than the old ...
by mkx
Sun Jan 28, 2024 4:34 pm
Forum: Beginner Basics
Topic: CRS112-8g VLAN challenges
Replies: 13
Views: 630

Re: CRS112-8g VLAN challenges

Don't... That device is not meant to be a router... Really? Even though it says it can work as a router? It can work as a router, but performance is below mediocre. Look at official test results. Even in most optimistic interpretation it can't route at more than a few hundred Mbps. Realistic real-l...
by mkx
Sun Jan 28, 2024 4:23 pm
Forum: Beginner Basics
Topic: Dst-nat not seeing traffic from Cloudflare
Replies: 4
Views: 324

Re: Dst-nat not seeing traffic from Cloudflare

The last change I made was adding a Forward f/w Filter rule to allow traffic where 'Connected NAT State = dstnat'. That entry seems to be a Mikrotik special requirement for Port Forwarding. Shame is on you :wink: default MT config includes such a rule, so it was your doing to remove it (I'm guessin...
by mkx
Sun Jan 28, 2024 4:07 pm
Forum: Beginner Basics
Topic: VLAN question
Replies: 12
Views: 987

Re: VLAN question

What is wrong with configuration of LAN members? Interface is L2 entity (ethernet port, pppoe interface, etc) with IP address. In your (partial) example there are ether1, ether11, ether12, sfp-sfpplus1-LAN and bridge (yes, this one as well) ports and bridge interface. IP firewall sees bridge inter...
by mkx
Sun Jan 28, 2024 12:12 pm
Forum: General
Topic: Reverse Porxy doesn't work without 2nd masquerading for specific IP
Replies: 1
Views: 218

Re: Reverse Porxy doesn't work without 2nd masquerading for specific IP

When doing DST NAT with certain new destination address (in your case 172.16.20.12) the problem arises when client connecting to NAT-ed service resides in same IP subnet as destination address. In this case server, seeing that client is coming from same subnet, chooses to reply directly. Reply packe...
by mkx
Sun Jan 28, 2024 11:52 am
Forum: Beginner Basics
Topic: CAPsMAN, DHCP Server, Wireless to wifi-qcom-ac, etc.
Replies: 11
Views: 1193

Re: CAPsMAN, DHCP Server, Wireless to wifi-qcom-ac, etc.

Why do you need IPv6 if IPv4 still works for you ?

A short while ago I've got information that google cloud is giving only IPv6 addresses for certain cloud infrastructure. So I guess we are starting to see actual needs for IPv6 everywhere (which usually means dual stack).
by mkx
Sun Jan 28, 2024 11:44 am
Forum: Beginner Basics
Topic: No IPv6 Internet on CRS326, IPv4 works. [SOLVED]
Replies: 2
Views: 278

Re: No IPv6 Internet on CRS326, IPv4 works. [SOLVED]

Parameter add-default-route on DHCPv6 client is a MT hack and should be disabled. DHCPv6 (unlike DHCPv4) doesn't provide gateway information, RAs provide that info. What the parameter mentioned does is that it takes IPv6 address of DHCPv6 server and adds it as gateway address. Sometimes that's OK, b...
by mkx
Sun Jan 28, 2024 11:33 am
Forum: Beginner Basics
Topic: VLAN question
Replies: 12
Views: 987

Re: VLAN question

You have interface lists in the setup part you posted (LAN with several members, configured wrongly, and WAN with no apparent member). What's the story about them? Posted config doesn't seem to be complete and reason for setup not working according to your wishes can be anywhere.
by mkx
Sat Jan 27, 2024 3:29 pm
Forum: Beginner Basics
Topic: Improve firewall
Replies: 5
Views: 535

Re: Improve firewall

Consider this: firewall has to try to match every matching criteria of a rule before it can conclude whether to execute it or pass it (OK, it might stop matching if one criterium doesn't match as all criteria has to match for rule to execute). And let's say each simple matching costs the same (e.g. ...
by mkx
Sat Jan 27, 2024 3:12 pm
Forum: Beginner Basics
Topic: ap bridge missing on cp AX (cAPGi-5HaxD2HaxD)
Replies: 8
Views: 566

Re: ap bridge missing on cp AX (cAPGi-5HaxD2HaxD)

So the "bridge" which kind of roles plays usually? bridge functions are used when two wireless devices "bridge" gap between two wired islands. One device is "ap-bridge" and other device is "station-bridge". There are variations of the setup, but roughly this ...
by mkx
Sat Jan 27, 2024 11:55 am
Forum: Wireless Networking
Topic: New WiFi package: Missing 'etsi 5.5-5.7 outdoor' country
Replies: 14
Views: 1302

Re: New WiFi package: Missing 'etsi 5.5-5.7 outdoor' country

The new wifi driver doesn't seem to allow setting indoor/outdoor/any, similar to property installation of legacy wireless driver. We can only guess what this means for radio setup then.
by mkx
Sat Jan 27, 2024 11:33 am
Forum: Beginner Basics
Topic: ap bridge missing on cp AX (cAPGi-5HaxD2HaxD)
Replies: 8
Views: 566

Re: ap bridge missing on cp AX (cAPGi-5HaxD2HaxD)

You're using new wifi driver on cAP ax. Which has most options reworked. Mode "ap" supports what "ap-bridge" did in old wireless driver. One question: how do APs (cAP ax and older cAP acs) connect to router? Wired using UTP cables? If that's so, then the "bridge" part o...
by mkx
Sat Jan 27, 2024 11:23 am
Forum: Beginner Basics
Topic: Improve firewall
Replies: 5
Views: 535

Re: Improve firewall

I guess the second one will be slightly better in average. There's performance hit for every firewall rule checked and if packet doesn't trigger any of them, then all of them have to be checked before packet is either implicitly accepted (packet passing through all rules in a chain is accepted) or e...
by mkx
Sat Jan 27, 2024 11:12 am
Forum: SwOS
Topic: from network to network without a gateway
Replies: 4
Views: 680

Re: from network to network without a gateway

The idea of having multiple (V)LANs is to separate devices in different subnets from each other on layer 2 (ethernet/VLAN). If some devices still have to communicate, then gateway (L3 ... IP router) is a must. So the obvious interpretation of your post means that you're trying to go against the whol...
by mkx
Sat Jan 27, 2024 10:58 am
Forum: Wireless Networking
Topic: New WiFi package: Missing 'etsi 5.5-5.7 outdoor' country
Replies: 14
Views: 1302

Re: New WiFi package: Missing 'etsi 5.5-5.7 outdoor' country

But how do I tell the AP whether it is placed indoors or outdoors?

It seems like you don't have to ... at least I didn't and AP happily operates on 5180 with decent power. But I may be missing something (don't fix it if it ain't broken).
by mkx
Fri Jan 26, 2024 10:17 pm
Forum: Wireless Networking
Topic: New WiFi package: Missing 'etsi 5.5-5.7 outdoor' country
Replies: 14
Views: 1302

Re: New WiFi package: Missing 'etsi 5.5-5.7 outdoor' country

The older wireless package includes a useful country info function. If you're thinking about /interface/wireless/info/country-info country=<country> , then this command should return something similar: /interface/wifi/radio/reg-info country="<country>" number=0 The double quotes around co...
by mkx
Fri Jan 26, 2024 10:05 pm
Forum: General
Topic: Filter rules
Replies: 7
Views: 463

Re: Filter rules

Since CCR is used as router and needs IP addresses set on all relevant interfaces for routing purposes, it also needs firewall rules which limit access to its management. Again: the rules you showed are fine as long as the permitted IP subnet (192.168.88.0/24) is safe. Whether it's safe depends on t...
by mkx
Fri Jan 26, 2024 9:35 pm
Forum: Beginner Basics
Topic: CCR2004-16G-2S multiple bridges or not?
Replies: 36
Views: 2317

Re: CCR2004-16G-2S multiple bridges or not?

inter-asic traffic is punted via CPU, stop purporting fake information like mkx. Cable across two device's ports will allow for 1Gbps interconnect between switch chips and without bothering CPU at cost of dedicating 2 ports. Configuring single bridge and thus using switch chip - CPU interconnect wi...
by mkx
Fri Jan 26, 2024 9:20 pm
Forum: General
Topic: Filter rules
Replies: 7
Views: 463

Re: Filter rules

These rules control access to router's management interface. They are fine, they don't interfere with traffic passing router in any way.
by mkx
Fri Jan 26, 2024 6:26 pm
Forum: General
Topic: CCR2004-16G-2S+ and Downgrade
Replies: 2
Views: 276

Re: CCR2004-16G-2S+ and Downgrade

After trying to downgrade by executing the procedure you described, if router fails to downgrade, check log. And an idea: first check the list of installed packages. Upgrade/downgrade procedure requires files with all packages currently installed. If you have any of wifi-qcom packages or wireless pa...
by mkx
Fri Jan 26, 2024 6:16 pm
Forum: General
Topic: Traffic on different bridges [SOLVED]
Replies: 2
Views: 361

Re: Traffic on different bridges [SOLVED]

CRS line of devices are switches. Having said that we can continue: yes, CRS can route (like every other device running ROS). If running recent ROS (v7.something) it can do routing with ASIC so it's wirespeed. If ASIC can't do it for some reason, then CPU does it and it's slow (up to around 300Mbps ...
by mkx
Fri Jan 26, 2024 6:08 pm
Forum: General
Topic: Filter rules
Replies: 7
Views: 463

Re: Filter rules

It’s used as a router and has a static IP assigned. The third party firewall performs all of the rules.

I wasn't sure if I needed to have any rules set on the MikroTik firewall as well.

Only for chain=input to protect MT router itself from possible attacks.
by mkx
Fri Jan 26, 2024 6:05 pm
Forum: General
Topic: UDP NAT connection tracking requirements?
Replies: 1
Views: 256

Re: UDP NAT connection tracking requirements?

Connection tracking generally assumes that bi-directional communication flows between same ip:port pair. In your case between 192.168.1.2:29999 and 192.168.20.2:29999 ... and in both directions. If 192.168.20.2 instead starts to send return packets from 192.168.20.2:30000, then for connection tracki...
by mkx
Fri Jan 26, 2024 5:47 pm
Forum: General
Topic: AutoUpgrade via /system/upgrade/download-all does not work
Replies: 5
Views: 376

Re: AutoUpgrade via /system/upgrade/download-all does not work

Might it be an problem that the files are within a subdirectory of the USB?

IMO this is very likely. You may want to open issue with MT support asking them to provide detailed description (or example of setup) of this function.
by mkx
Fri Jan 26, 2024 5:27 pm
Forum: Beginner Basics
Topic: Firewall rules - Isolating two networks [SOLVED]
Replies: 4
Views: 501

Re: Firewall rules - Isolating two networks [SOLVED]

You need it for chain=forward ... and connection-state at least "established,related" ... untracked most often doesn't hurt (but doesn't help in your particular case either). But most definitely not "new", you're trying to block new connections by using your rules. And push this ...
by mkx
Fri Jan 26, 2024 9:19 am
Forum: RouterBOARD hardware
Topic: New NOC option for Central Swtich vs Dell 4048s-on
Replies: 3
Views: 375

Re: New NOC option for Central Swtich vs Dell 4048s-on

If you're looking for switches, then any of CRS3xx or CRS5xx should do. Which model in particular depends on requirements regarding number and speed of ports. Just a word of caution: many of mentioned switches seem to suffer when switching traffic between ports with different (negotiated) speeds in ...
by mkx
Fri Jan 26, 2024 9:13 am
Forum: RouterBOARD hardware
Topic: Chateau LTE12 D53G-5HacD2HnD - Lack of storage space
Replies: 9
Views: 3165

Re: Chateau LTE12 D53G-5HacD2HnD - Lack of storage space

When buying a device, pay attention to available resources, if you wish to put a lot of custom config on the device. Part of a problem we're seeing today is that ROS v6 ran pretty comfortably on these devices. v7 brought new features (wireguard and zerotier to name a couple) which consume additional...
by mkx
Fri Jan 26, 2024 8:38 am
Forum: RouterBOARD hardware
Topic: Chateau LTE12 D53G-5HacD2HnD - Lack of storage space
Replies: 9
Views: 3165

Re: Chateau LTE12 D53G-5HacD2HnD - Lack of storage space

What else can I do to free some space on this device? There's nothing you can do (apart from uninstalling wifi packages but I don't think you want to do that). It seems that MT considers that only one solution exists: buy new device with larger storage. Because they don't seem to accept any idea wh...
by mkx
Fri Jan 26, 2024 7:15 am
Forum: Beginner Basics
Topic: CCR2004-16G-2S multiple bridges or not?
Replies: 36
Views: 2317

Re: CCR2004-16G-2S multiple bridges or not?

mkx - believe you are wrong this time around. Every one of the devices cited in that section has 1 switch chip only. The document cites some devices and some switch chip types. Device which @IP uses, has one of cited switch chip types. And section doesn't consider multi-switch-chip devices at all. ...
by mkx
Thu Jan 25, 2024 10:06 pm
Forum: General
Topic: Can't ssh from router to LInux server?
Replies: 23
Views: 1142

Re: Can't ssh from router to LInux server?

Likely your ubuntu runs recent OpenSSH version, which deprecates use of ssh-rsa algorithm to exchange keys while ROS doesn't support newer ones.

So on the server, add PubkeyAcceptedAlgorithms +ssh-rsa to /etc/ssh/sshd_config ...
by mkx
Thu Jan 25, 2024 9:48 pm
Forum: Announcements
Topic: v6.49.12 [stable] is released!
Replies: 23
Views: 10837

Re: v6.49.12 [stable] is released!

Somewhere in the past someone said 64Kb was more then enough for any PC

It was 640 and kB ... but yeah
by mkx
Thu Jan 25, 2024 8:56 pm
Forum: Beginner Basics
Topic: CCR2004-16G-2S multiple bridges or not?
Replies: 36
Views: 2317

Re: CCR2004-16G-2S multiple bridges or not?

Don't listen to @mkx, he's trying to sell you a piss poor implementation that itself doesn't match official MikroTik docs. He calls my approach as “tricks” even though official MikroTik agrees. See this link: https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching#BasicVLANswitching-Otherde...
by mkx
Thu Jan 25, 2024 8:39 pm
Forum: Beginner Basics
Topic: Firewall rules - Isolating two networks [SOLVED]
Replies: 4
Views: 501

Re: Firewall rules - Isolating two networks [SOLVED]

One of default firewall filter rules is similar to this: add action=accept chain=forward comment="defconf: accept established,related, untracked" \ connection-state=established,related,untracked And it's placed very high in the forward chain. This rule takes care of all packets which belon...
by mkx
Thu Jan 25, 2024 6:44 pm
Forum: Virtualization
Topic: Trunking VLAN with Meraki cannot reach other vlan
Replies: 3
Views: 507

Re: Trunking VLAN with Meraki cannot reach other vlan

The question is, what should I do on MikroTik so that I don't have to configure the firewall settings individually on all computers? Since computers block traffic to/from other IP subnets, the only thing you can do on MT is make computers believe they're communicating with members of own IP subnet ...
by mkx
Thu Jan 25, 2024 6:17 pm
Forum: Beginner Basics
Topic: Need Help : with DDOS with UDP to My Routers - it takes all my bandwidth
Replies: 16
Views: 992

Re: Need Help : with DDOS with UDP to My Routers - it takes all my bandwidth

Reducing CPU load on your router is important, so dropping infringing traffic in RAW is necessity. The rest is not entirely to you. As already written, in ideal world your ISP would drop the traffic. Next possibility is to change WAN IP (if ISP agrees and if you can "move" publicly accessi...
by mkx
Thu Jan 25, 2024 3:49 pm
Forum: General
Topic: Difference between these firewall rules [SOLVED]
Replies: 2
Views: 358

Re: Difference between these firewall rules [SOLVED]

Most of properties are "selector" properties which narrow down the connections upon which action is executed. These properties include: in-interface-list, ipsec-policy, src-address-list, dst-address-list, out-interface-list (used in "your" rules) in-interface, out-interface, src-...
by mkx
Thu Jan 25, 2024 11:15 am
Forum: General
Topic: QinQ, VLAN Filtering, and absolute confusion!
Replies: 2
Views: 418

Re: QinQ, VLAN Filtering, and absolute confusion!

Basically: bridge with VLAN filtering enabled will deal with only outer VLAN header and won't care about inside headers. vlan interface (anchored off another interface) will deal with only VLAN header and won't care about inside headers. Based on that there's a short sketch of what you can do (this ...
by mkx
Thu Jan 25, 2024 9:26 am
Forum: Beginner Basics
Topic: Need Help : with DDOS with UDP to My Routers - it takes all my bandwidth
Replies: 16
Views: 992

Re: Need Help : with DDOS with UDP to My Routers - it takes all my bandwidth

With a strong Mikrotik, is there any better method for drop UDP ddos? For N-th time: the only thing you can do on your router is drop incoming traffic. This protects devices on your side of router but can not make situation with bandwidth consumption on ISP line any better. So when using better Mik...
by mkx
Wed Jan 24, 2024 10:36 pm
Forum: Beginner Basics
Topic: Need Help : with DDOS with UDP to My Routers - it takes all my bandwidth
Replies: 16
Views: 992

Re: Need Help : with DDOS with UDP to My Routers - it takes all my bandwidth

Why block Traffic to ISP? I'm not trying to say that this would help in your case. I'm saying that it's only possible to reliably block traffic leaving a router/firewall, but not traffic arriving at router/firewall. So in your case where your ISP line is drowned by traffic from ISP towards your rou...
by mkx
Wed Jan 24, 2024 6:27 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 142960

Re: v7.14beta [testing] is released!

My point is that it's possible to add intelligence into installer ... if it can select different packages, then it could also selectively copy contents of npks. If MT devs made necessary changes that is.
by mkx
Wed Jan 24, 2024 6:06 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 142960

Re: v7.14beta [testing] is released!

Maybe not ... I guess that CAPsMAN initiated upgrades of CAPs are actually more or less handled by CAPs the same way as "manually initiated upgrades from within ROS" are ... only the kick to do it comes from CAPsMAN (instead of a GUI button click) and npks are downloaded from different so...
by mkx
Wed Jan 24, 2024 3:11 pm
Forum: Beginner Basics
Topic: NTP stuck on Waiting....
Replies: 91
Views: 23374

Re: NTP stuck on Waiting....

OK. So in /system/ntp/server you have "use-local-clock" set to "yes" and "local-clock-stratum" to some sane number (like 10). After a while, what does /system/ntp/monitor-peers say about "server" with address 127.127.1.0?
by mkx
Wed Jan 24, 2024 3:02 pm
Forum: Beginner Basics
Topic: Constant, similar packets being dropped by raw filter rule
Replies: 8
Views: 1419

Re: Constant, similar packets being dropped by raw filter rule

The offers take this form:
I still think that my analysis in post #2 above explains everything. Personally I would stop logging these packets as being dropped ... and since I believe they are harmless I even wouldn't bother to drop them explicitly.
by mkx
Wed Jan 24, 2024 2:49 pm
Forum: Announcements
Topic: v6.49.12 [stable] is released!
Replies: 23
Views: 10837

Re: v6.49.12 [stable] is released!

... it does normally mean no new major features get implemented. Which is exactly how every "abandoned" version ends up (e.g. 7.11). What makes "long-term" different from other random "abandoned" versions is that it's not abandoned, instead it does receive occasional f...
by mkx
Wed Jan 24, 2024 12:32 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 142960

Re: v7.14beta [testing] is released!

And this possibly requires change in netinstall as well As well as the way CAPs are upgraded from CAPsMAN (both versions), I guess. Maybe not ... I guess that CAPsMAN initiated upgrades of CAPs are actually more or less handled by CAPs the same way as "manually initiated upgrades from within R...
by mkx
Wed Jan 24, 2024 9:22 am
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 142960

Re: v7.14beta [testing] is released!

MT, it is noble to reduce wireless package size. But splitting wifi-qcom-ac by chipset would have a huge impact and would be - IMHO - easy to achieve. Low hanging fruits. Perhaps there's another way instead of further package splitting: include a pre-install script into package ... that script dete...
by mkx
Tue Jan 23, 2024 10:13 pm
Forum: Beginner Basics
Topic: CCR2004-16G-2S multiple bridges or not?
Replies: 36
Views: 2317

Re: CCR2004-16G-2S multiple bridges or not?

So if I want a single bridge I need to connect two ports (one of each switch chip) and probably configure them as trunk for all VLANs. Wrong. Either you have single bridge and (implicitly) use internal interconnects to "glue" the two switch chips together. Or you have two bridges (with in...
by mkx
Tue Jan 23, 2024 10:08 pm
Forum: Beginner Basics
Topic: CCR2004-16G-2S multiple bridges or not?
Replies: 36
Views: 2317

Re: CCR2004-16G-2S multiple bridges or not?

Hi mkx, that's an interesting remark. It was a more or less rhetorical remark, directed at @DarkNate . Since you already have the device, you should use it as much as possible ("abuse" even). If using it as router/switch combo fits your needs, then just use it so. And if you're not after ...
by mkx
Tue Jan 23, 2024 9:49 pm
Forum: Beginner Basics
Topic: ISP requires VLAN 300 tag
Replies: 6
Views: 623

Re: ISP requires VLAN 300 tag

It depends on how much your actual setup deviated from default. My suggestion was based on assumption that it's close enough. For any better advice we have to see config (complete if possible) ... open terminal, execute /export file=anynameyouwish (if you're running ROS v6, add hide-sensitive option...
by mkx
Tue Jan 23, 2024 9:41 pm
Forum: RouterBOARD hardware
Topic: Missing product: RB on an top-hat raill
Replies: 7
Views: 883

Re: Missing product: RB on an top-hat raill

MT is not into this market. Any 3rd party mounting options are simply violence against innocent devices.

There are other vendors which have large DIN-mount device portfolio, one example is Moxa. Yes, it comes with a price ...
by mkx
Tue Jan 23, 2024 9:31 pm
Forum: Beginner Basics
Topic: ISP requires VLAN 300 tag
Replies: 6
Views: 623

Re: ISP requires VLAN 300 tag

Basically you add VLAN interface (with VLAN ID set to required value) and anchor it to your WAN interface. Then move WAN setup (DHCP client or whatever needed) to the just created VLAN interface. This will then add/remove VLAN tags to packets passing WAN port. Additionally you have to add the VLAN i...
by mkx
Tue Jan 23, 2024 9:19 pm
Forum: General
Topic: Wrong country when selecting Time Zone Autodetect
Replies: 16
Views: 1138

Re: Wrong country when selecting Time Zone Autodetect

Works okay on Android, iOS though. Static is best though. Because it is getting it from the local cellular tower or GNSS, the phone knows where it is. Basically phone gets timezone from cellular tower. Offset from UTC only (in 15-minute steps), not TZ name, but for showing local time that's enough....
by mkx
Tue Jan 23, 2024 8:47 pm
Forum: General
Topic: Create a script to check Stratum 0/1 NTP servers with lower ping
Replies: 2
Views: 396

Re: Create a script to check Stratum 0/1 NTP servers with lower ping

Often using country .pool.ntp.org gives very acceptable results. country is 2-letter ISO country code (e.g. de for Germany). Most of servers are stratum 1 or stratum 2 and have to be open for use by everybody (that's policy to get server onto the list). To help with configuring a few servers it's po...
by mkx
Tue Jan 23, 2024 8:14 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 142960

Re: v7.14beta [testing] is released!

IMO it should be the other way around ... throw SMB out of core ROS. I obviously agree. Now MT's counterpoint has been there is overhead in packaging ... If understood MT's reasoning correct, this was argument for inclusion of routing protocols (BGP, OSPF, whatnot) into base package and the re...
by mkx
Tue Jan 23, 2024 8:02 pm
Forum: Beginner Basics
Topic: How a Bridge interface belong to a different subnet
Replies: 1
Views: 385

Re: How a Bridge interface belong to a different subnet

Bridge in ROS has multiple personalities, this tutorial explains them pretty well. If the tutorial doesn't answer your question, then come back and rephrase the question. To add: if address is set as "address" (not "network" or "broadcast"), then it's address. The x.y.z...
by mkx
Tue Jan 23, 2024 7:59 pm
Forum: Beginner Basics
Topic: Need Help : with DDOS with UDP to My Routers - it takes all my bandwidth
Replies: 16
Views: 992

Re: Need Help : with DDOS with UDP to My Routers - it takes all my bandwidth

Most DDoS attacks cease after a while (when attackers see that their efforts are fruitless). Meanwhile protect the services you're using so that they can't be abused easily. If you can't stand the attack any more, you can try to change your IP address (this might not be feasible and/or possible). A...
by mkx
Tue Jan 23, 2024 7:52 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 142960

Re: v7.14beta [testing] is released!

If the idea is more unification (ROSE SMB in routeros package)... IMO it should be the other way around ... throw SMB out of core ROS. For those who want to use their ROS device as NAS, they can install (full) ROSE. If they want to run NAS services, they better use device with decent storage si...
by mkx
Tue Jan 23, 2024 12:14 am
Forum: Beginner Basics
Topic: CCR2004-16G-2S multiple bridges or not?
Replies: 36
Views: 2317

Re: CCR2004-16G-2S multiple bridges or not?

... but why? Using a CCR2004 in a switch manner is a sin to begin with. But it's up to device admin how he wants to use his device and I simply answered questions by @KrisVG. You, OTOH, are risking accusations about pushing your own ideas upon person asking for help (accusations seem to be fashiona...
by mkx
Mon Jan 22, 2024 10:24 pm
Forum: Beginner Basics
Topic: CCR2004-16G-2S multiple bridges or not?
Replies: 36
Views: 2317

Re: CCR2004-16G-2S multiple bridges or not?

Two ASICs, means two bridges. bridge1 for ports ether1-8, bridge2 for ether 9-16, this ensures both port groups are fully hardware offloaded to the correct ASIC. For SFP1 and SFP2, both being independent paths towards the CPU, you could put them in bridge3 That's one way of doing it ... if two bridg...
by mkx
Mon Jan 22, 2024 10:18 pm
Forum: Beginner Basics
Topic: CCR2004-16G-2S multiple bridges or not?
Replies: 36
Views: 2317

Re: CCR2004-16G-2S multiple bridges or not?

mkx was that across platforms or only applicable to the RB4011 ?? As far as I understood MT staffer who chimed in (could be it was Normis, could be it was somebody else) was that the bug was in the way ROS configured the switch-CPU interconnect port of the switch. I.e. it was configured to pass onl...
by mkx
Mon Jan 22, 2024 7:41 pm
Forum: Beginner Basics
Topic: CCR2004-16G-2S multiple bridges or not?
Replies: 36
Views: 2317

Re: CCR2004-16G-2S multiple bridges or not?

Yes, you can have single bridge spanning both port groups. With potential performance hit mentioned by @anav. There was a bug in how ROS configures VLAN offload to switch chips ... on devices with two switch chips it was necessary to add bridge port as tagged member of all VLANs which span both swit...
by mkx
Mon Jan 22, 2024 5:55 pm
Forum: Beginner Basics
Topic: VLAN can't ping gateway
Replies: 8
Views: 635

Re: VLAN can't ping gateway

From the part of config you posted it's not clear why it doesn't work. And since you do get IP address from correct address pool, it seems that L2 setup is fine. However: are you sure it's not firewall? If there is some firewall setup (which you omitted from post), then we'll have to see it. And any...
by mkx
Mon Jan 22, 2024 4:36 pm
Forum: RouterBOARD hardware
Topic: mANTBox 15s vs OmniTIK 5 ac
Replies: 9
Views: 1120

Re: mANTBox 15s vs OmniTIK 5 ac

... I mean the of Connect List on the Station. That's great if you control stations. But if you don't (e.g. because stations are customers of a camping place), then this is not an option. It all depends on actual use scenario of @OP (which he didn't really describe in detail, so we can only guess ....
by mkx
Mon Jan 22, 2024 12:26 pm
Forum: RouterBOARD hardware
Topic: mANTBox 15s vs OmniTIK 5 ac
Replies: 9
Views: 1120

Re: mANTBox 15s vs OmniTIK 5 ac

you won't be able to control stations about which AP they'll connect Why, if you use a Connect List, you can distinguish access points by MAC. Yeah, you can see which station is connected to which AP. You can try to push stations to the other by using ACLs. But you can't really control them (some s...
by mkx
Mon Jan 22, 2024 12:01 pm
Forum: Announcements
Topic: WinBox v3.40 released!
Replies: 109
Views: 99741

Re: WinBox v3.40 released!

I don't understand these screenshots. They must be in macOSish. Anything in Linuxish? 😛
by mkx
Mon Jan 22, 2024 11:55 am
Forum: RouterBOARD hardware
Topic: mANTBox 15s vs OmniTIK 5 ac
Replies: 9
Views: 1120

Re: mANTBox 15s vs OmniTIK 5 ac

Omnitik is a decent outdoor (weather proof) AP with mediocre antenna gain: antenna patterns document implies that its antenna gain is 0dBi or very similar. Its vertical pattern is slightly directional (so it does matter how stations are placed around AP vertically) but not so much. mANTBox 15s, on...
by mkx
Mon Jan 22, 2024 9:00 am
Forum: General
Topic: Bridge filter rules
Replies: 12
Views: 980

Re: Bridge filter rules

However, interesting point - there is a row -> bridge with none rules at 1500bytes frame - this gives almost ~80gbps traffic. This I understand is routing by switch chip only? Nope, that's still bridging via CPU. Proper switches have in their test results additional section: switching. That one is ...
by mkx
Mon Jan 22, 2024 8:52 am
Forum: Beginner Basics
Topic: Speed and CPU issue with HEX s
Replies: 28
Views: 1982

Re: Speed and CPU issue with HEX s

If you're not using any V7 features, there might be some merit with latest V6 on a HEX S. Or at least testing it. In case of hEX S (having MT7621A SoC) it's actually beneficial to use v7 in certain use cases since it enables L2 HW offload. And if @OP is going to go with VLAN-enabled bridge, then th...
by mkx
Sun Jan 21, 2024 10:08 pm
Forum: Beginner Basics
Topic: Speed and CPU issue with HEX s
Replies: 28
Views: 1982

Re: Speed and CPU issue with HEX s

Indeed only one bridge will be offloaded to hardware (switch chip) and I don't know how automatic selection determines which one to offload. Is there a way to select which of the two bridges will be offloaded to hardware? Since one bridge only has an IP phone and the WAN port, there is not much tra...
by mkx
Sun Jan 21, 2024 7:43 pm
Forum: General
Topic: Support responses?
Replies: 9
Views: 1155

Re: Support responses?

To my knowledge MT doesn't offer 24/7 support with guaranteed response deadlines to end users. I've seen them mentioning support through certified distributors but I don't know if they could support you any better. Which, in a nut shell, means that one expecting support to mission critical applicati...
by mkx
Sun Jan 21, 2024 4:41 pm
Forum: Beginner Basics
Topic: MikroTik Groove 52HPn Antenna
Replies: 11
Views: 807

Re: MikroTik Groove 52HPn Antenna

Nope. License level 3 means your device can't be AP. Period. The closest to being AP is (legacy) mode bridge which only allows single station connected in station-bridge mode. These both modes are MT specific, so you almost definitely can't make a random device to connect in this mode.
by mkx
Sun Jan 21, 2024 4:29 pm
Forum: Wireless Networking
Topic: Wifi Wave2 on RB4011iGS+5HacQ2HnD
Replies: 43
Views: 11553

Re: Wifi Wave2 on RB4011iGS+5HacQ2HnD

Basically: upgrade to ROS 7.13.2 If you want to avoid netinstall, then upgrade path is via 7.12 when on 7.13.2, uninstall wireless package and install wifi-qcom-ac (part of extras) configure wifi from scratch, new config layout doesn't resemble the old config layout, so forget the idea of copy-paste...
by mkx
Sun Jan 21, 2024 4:08 pm
Forum: Wireless Networking
Topic: HAP AX2 (2472 Channel on 2.4Ghz)
Replies: 1
Views: 492

Re: HAP AX2 (2472 Channel on 2.4Ghz)

On my Audience, Brazil is allowed up to 30dBm EIRP on 2.4GHz band. ROS 7.13.2

AP will subtract antenna gain from that (upward rounded to 5dBi). Which seems to be consistent with what you see (Japan allows 23dBm EIRP).
by mkx
Sun Jan 21, 2024 4:02 pm
Forum: Beginner Basics
Topic: Speed and CPU issue with HEX s
Replies: 28
Views: 1982

Re: Speed and CPU issue with HEX s

Indeed only one bridge will be offloaded to hardware (switch chip) and I don't know how automatic selection determines which one to offload. However, CPU in hEX S is capable of wirespeed bridging (it will considerably increase CPU load), but realistically it can't route and firewall wirespeed. So @O...
by mkx
Sun Jan 21, 2024 1:45 pm
Forum: General
Topic: Bridge filter rules
Replies: 12
Views: 980

Re: Bridge filter rules

By the way, in the mean time I'm found some presentation that was describing, that this kind of filtering (bridge level) can be only done with HW offload switched OFF. I have checked this and the filter started to working. However, this maybe affect the streaming performance (relating to @mkx maxim...
by mkx
Sun Jan 21, 2024 12:59 pm
Forum: General
Topic: Support responses?
Replies: 9
Views: 1155

Re: Support responses?

These days the problem is that MT seems to downplay importance of this forum ... so directing your issue here will probably have no effect what so ever.
by mkx
Sun Jan 21, 2024 12:53 pm
Forum: Beginner Basics
Topic: Speed and CPU issue with HEX s
Replies: 28
Views: 1982

Re: Speed and CPU issue with HEX s

On the other hand, my firewall rules are almost none, I even tried it with these disabled with no difference. Shouldn't the ports work in fast path mode? In this case the speed should be 1820 as well. Nope, that would be true if routing was HW offloaded to switch chip, which isn't. Packets still oa...
by mkx
Sun Jan 21, 2024 12:04 pm
Forum: Beginner Basics
Topic: Got my HEX working and wanting a sanity check
Replies: 10
Views: 1064

Re: Got my HEX working and wanting a sanity check

Another reason for using ssh inside wireguard: a vulnerability in all but most recent OpenSSH was recently found: CVE-2023-48795 . I guess MT's implementation is not OpenSSH based, but since many (if not all) SSH implementations are vulnerable, it's quite possible that MT's implementation falls into...
by mkx
Sun Jan 21, 2024 11:37 am
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 142960

Re: v7.14beta [testing] is released!

... with proper ICMP troubleshooting is so much nicer and it is so much friendlier to the software as it allows immediate and accurate error reporting to the user. And also helps potential attackers to scan IPv6 address space much more effectively. I don't know if potential benefits actually outwei...
by mkx
Sat Jan 20, 2024 5:01 pm
Forum: Wireless Networking
Topic: MESH and sonoff devices
Replies: 3
Views: 491

Re: MESH and sonoff devices

A general remark, just in case you're not aware of it: ACL rules are checked in order from top to bottom, first matching rule executes (pretty much the same as, e.g., firewall filter rules). So you have to push general rules below any of specific rules which are supposed to override the general ones.
by mkx
Sat Jan 20, 2024 4:57 pm
Forum: General
Topic: /ip/firewall/filter/export - discrepancy with the where clause
Replies: 3
Views: 504

Re: /ip/firewall/filter/export - discrepancy with the where clause

I see the same (on both ROS 7.13 and 7.13.2). I did some experimenting with rule reordering and it seems that when using where chain= export only outputs first rule (top most inside certain chain).

ROS 6.49 doesn't have where on export, hence it doesn't exhibit this bug :wink:
by mkx
Sat Jan 20, 2024 3:18 pm
Forum: Wireless Networking
Topic: 7.13.2 (CAPSMAN) zero stats on wifi interfaces
Replies: 15
Views: 995

Re: 7.13.2 (CAPSMAN) zero stats on wifi interfaces

And how would it know if traffic is not passing there ?
It might if CAPs collect the stats and report it to manager. As we all know, manager, who doesn't know what subordinates are doing, can't do his job efficiently. Right?
by mkx
Sat Jan 20, 2024 12:23 pm
Forum: RouterBOARD hardware
Topic: [SOLVED] Is it mandatory to mount antennas on hAP ac3?
Replies: 9
Views: 919

Re: [SOLVED] Is it mandatory to mount antennas on hAP ac3?

Their flat design makes them directional for 5GHz, not great for indoor use. While antenna pattern is not exactly circular in horizontal plane, the difference in antenna gain of slightly less than 5dB doesn't make it "directional" IMO. Usually directional antennae have front-to-back ratio ...
by mkx
Sat Jan 20, 2024 11:54 am
Forum: General
Topic: Bridge filter rules
Replies: 12
Views: 980

Re: Bridge filter rules

AFAIK bridge filters (and firewall rules) only work if traffic passes CPU. As you're probably aiming for HW offload (to see wirespeed operation), you'll have to use switch ACLs. The model name you wrote is not complete and thus I can't tell if its switch chip supports ACLs at all.
by mkx
Sat Jan 20, 2024 11:46 am
Forum: General
Topic: RB5009 directly connected to CRS310 pings timeout
Replies: 6
Views: 995

Re: RB5009 directly connected to CRS310 pings timeout

Removing port 3 from bridge on the RB5009, to bridge1 doesn't seem to work. If you didn't, try to reboot RB5009. Sometimes config, related to HW offload, only gets applied after reboot (or cold boot even). And changing bridge port membership most of times is related to HW offload on most RB models.
by mkx
Sat Jan 20, 2024 11:37 am
Forum: Beginner Basics
Topic: Need some config help
Replies: 5
Views: 625

Re: Need some config help

@mikrotikfanboy I guess your NAT rules using those extra public IP addresses are not correct. So I agree with @vingfjg, post config so we can check it. Additional idea: if you're trying to connect to public addresses from inside LANs, then you may have to implement hairpinNAT. Exact implementation a...
by mkx
Sat Jan 20, 2024 11:28 am
Forum: Beginner Basics
Topic: Bridge VLAN Filtering
Replies: 24
Views: 2194

Re: Bridge VLAN Filtering

PVID settings on different bridge ports are independent. The only criterion when deciding if a port needs PVID (and which VID) is config of the device connecting to that port. If the other device is configured to send and receive untagged frames (IMO a bad idea for trunk ports), then port on this si...
by mkx
Sat Jan 20, 2024 11:13 am
Forum: Beginner Basics
Topic: NTP stuck on Waiting....
Replies: 91
Views: 23374

Re: NTP stuck on Waiting....

As I wrote: NMEA telegrams from GPS receiver are not very precise (+- 0.5 seconds is pretty normal) but NTP is supposed to be precise. And using localclock on MT devices as any kind of reference clock for network is even worse idea. You'll have to rethink your setup and come up with another solution...
by mkx
Sat Jan 20, 2024 10:58 am
Forum: Beginner Basics
Topic: Constant, similar packets being dropped by raw filter rule
Replies: 8
Views: 1419

Re: Constant, similar packets being dropped by raw filter rule

dropbaddst prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:fd:22:**:**:**, proto UDP, 10.81.236.1:67->255.255.255.255:68, len 344 These are DHCP packets, sent out by DHCP server at 10.81.236.1 (UDP port 67 is used by DHCP server) and are broadcast (dst address is global b...
by mkx
Sat Jan 20, 2024 10:02 am
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 142960

Re: v7.14beta [testing] is released!

... it just means that the next stage bootloader must be in the first 16MB. This reminds me of first linux bootloader - lilo (LInux LOader), which had similar restriction (IIRC it was 31 bits or 2GB). Solution on larger disks was simple: create a small partition (16MB was plenty in those times, now...
by mkx
Fri Jan 19, 2024 9:19 am
Forum: Beginner Basics
Topic: NTP stuck on Waiting....
Replies: 91
Views: 23374

Re: NTP stuck on Waiting....

negative. I use GPS as the clock source and configure stratum=1, but the issue still exists. I'm not sure if ROS NTP client can actually work with GPS receiver as source of (highly) precise time data. NMEA telegrams provide low precision as they are transmitted within one second, the problem is als...
by mkx
Thu Jan 18, 2024 9:59 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 289
Views: 411168

Re: Using RouterOS to VLAN your network

Or Winbox with MAC.
Equally safe.

Is not. When doing VLANs and bridge (and ethernet switch chip on devices where this still exists), one messes with ethernet config. And MAC winbox relies on working ethernet setup (it does bypass L3 f*kups though). Been there, done that, learned a lesson.
by mkx
Thu Jan 18, 2024 9:39 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 885
Views: 233558

Re: v7.13.2 [stable] is released!

No, hAP ac2 is finished. The flash space has run out and MikroTik is unwilling to do something about it (see discussion in 7.14beta topic). Seems that MT finally admitted that hAP ac2 is a great wireless-less router. With only system bundle of 7.13 installed and without any wireless/wifi package, f...
by mkx
Thu Jan 18, 2024 5:11 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 142960

Re: v7.14beta [testing] is released!

Multiply that by all routing protocols and on 16MB devices most likely you will not be able to install routing package at all. That's the point: almost nobody will want to run routing protocols (none but static routing, which should not require any executable to run) on devices with only 16MB flash...
by mkx
Thu Jan 18, 2024 4:59 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 885
Views: 233558

Re: v7.13.2 [stable] is released!

None of my devices is suffering from random reboots, so this is probably dependant on your specific configuration. Many of us are having this issue, so I guess you don't have openvpn tunnel configured and/or wireguard tunnel ? So it's not entirely random, it's tied to some particular configuration....
by mkx
Thu Jan 18, 2024 4:49 pm
Forum: Wireless Networking
Topic: hAP ax lite no WiFi in default config? [solved] [SOLVED]
Replies: 2
Views: 618

Re: hAP ax lite no WiFi in default config? [SOLVED]

Since 7.13 wireless hardware on your device requires installation of optional package called wifi-qcom (part of extras archive, available from https://mikrotik.com/download/ ... mind, it's not wifi-qcom -ac ). After you install it (upload the npk file and reboot device), reset the device to factory ...
by mkx
Thu Jan 18, 2024 10:25 am
Forum: General
Topic: Static and dynamic IPs on the same modem?
Replies: 4
Views: 580

Re: Static and dynamic IPs on the same modem?

The problem with dynamic IP addresses, when handed out using DHCP protocol, is that these are most often linked to client's identity (which is almost always reflecting MAC address). So you can't simply run multiple DHCP clients off same ethernet interface as they will all use same MAC address and DH...
by mkx
Thu Jan 18, 2024 10:15 am
Forum: General
Topic: Routerboard b951ui-2nd eror
Replies: 1
Views: 486

Re: Routerboard b951ui-2nd eror

This indicates that RB might be in reboot loop. One probable cause for it is failing power adapter, so I'd first try with a new power adapter. Next would be to try to netinstall the device. Beware that netinstall is very fragile process and it's really important to follow the instructions ... and it...
by mkx
Thu Jan 18, 2024 9:58 am
Forum: Beginner Basics
Topic: Worth it to change private IP address early in setup process?
Replies: 13
Views: 2800

Re: Worth it to change private IP address early in setup process?

Is there a time when Safe Mode must be off? I operate a lot in Safe Mode after being forced to revert to factory defaults many times. Safe mode must be off whenever management connection, which enabled safe mode, breaks for legitimate reason. E.g. when you manually close connection (winbox might as...
by mkx
Thu Jan 18, 2024 9:40 am
Forum: Beginner Basics
Topic: Bridge VLAN Filtering
Replies: 24
Views: 2194

Re: Bridge VLAN Filtering

You're configuring VLANs in an awkward way (essentially you're not using bridge as VLAN-aware entity). Consequently you can not use hybrid port (which your ether1 is passing tagged VLAN20 and untagged one ... where it doesn't matter how other end treats it (untagged VID1 ... if it's untagged, then V...
by mkx
Thu Jan 18, 2024 9:32 am
Forum: Beginner Basics
Topic: NTP stuck on Waiting....
Replies: 91
Views: 23374

Re: NTP stuck on Waiting....

... if mikrotik cannot act as ntp client and get an upstream time correctly, it will not work as ntp server. Setting to use local time has no effect. This is correct behaviour and is the same in all NTP server implementations. The notable exception is possibility to use localclock as reference (in...
by mkx
Thu Jan 18, 2024 9:27 am
Forum: Beginner Basics
Topic: Port Forwarding to Reverse Proxy Not Working
Replies: 1
Views: 500

Re: Port Forwarding to Reverse Proxy Not Working

A general remark: you're using in-interface in most rules, but there are remnants of default config which uses in-interface-list. It is easier to make any change in WAN interface (if needed) if firewall rules use in-interface-list because in case of change it's only necessary to make change in one ...
by mkx
Wed Jan 17, 2024 7:36 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 885
Views: 233558

Re: v7.13.2 [stable] is released!

I still use the "antena gain correction factor", which normally also is supposed to take care of the frequency specific limit and the needed reduction for higher MCS. Antenna gain settings indeed kick in with frequency specific limit. But why would you want that? E.g. ETSI limit for part ...
by mkx
Wed Jan 17, 2024 12:21 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 885
Views: 233558

Re: v7.13.2 [stable] is released!

I upgraded hAP ax³ to 7.13.2. Since I upgraded to this version I can't change the tx power. 2.4ghz always runs at tx16. Even if I change the country, it always works at tx 16 on the status screen and I cannot change it manually. 16dBm in 2.4 GHz is correct for European countries. (20dBm EIRP -4dBm ...
by mkx
Wed Jan 17, 2024 8:55 am
Forum: RouterBOARD hardware
Topic: CCR1009 - connecting to console port using Cisco console cable [SOLVED]
Replies: 6
Views: 1193

Re: CCR1009 - connecting to console port using Cisco console cable [SOLVED]

The cable you linked won't do. It's essentially only converting from proper USB connector to RJ45 connector. But doesn't do anything about protocol conversion and if you plug the USB end into a computer, then RJ45 will still "talk" USB. The problem with RJ45 console cables is that they lar...
by mkx
Wed Jan 17, 2024 8:39 am
Forum: RouterBOARD hardware
Topic: Wifi connection deteriorated with USB device attached
Replies: 9
Views: 1230

Re: Wifi connection deteriorated with USB device attached

Maybe there's also a todo for the Mikrotik team, this seems like a pretty standard use case for a device with only 128 MB internal storage, so maybe they could add an additional MMC card slot for storage extension if USB 3.0 is problematic, shield the port better against stuff like this or make it ...
by mkx
Wed Jan 17, 2024 7:31 am
Forum: General
Topic: RB951G-2HnD can't upgrade routeros from 7.13 to 7.13.1 or 7.13.2
Replies: 4
Views: 650

Re: RB951G-2HnD can't upgrade routeros from 7.13 to 7.13.1 or 7.13.2

RB951G doesn't utilize RAM disk. So whatever gets downloaded when running built-in upgrade function, lands on flash disk as well. Disk usage would thus be a problem in both cases (manual and ROS). However, if an upgrade fails, like it did for @OP, the first thing to check is logs. As the npk disapea...
by mkx
Tue Jan 16, 2024 11:30 pm
Forum: RouterBOARD hardware
Topic: Wifi connection deteriorated with USB device attached
Replies: 9
Views: 1230

Re: Wifi connection deteriorated with USB device attached

Internet is full of articles about USB3 interfering WiFi on 2.4GHz. In a nutshell: problem is insufficient shielding of connectors and cables, sometimes even USB devices' printed circuit leaks RF energy into WiFi spectrum. Solution is to use different USB device which is hopefully better designed a...
by mkx
Tue Jan 16, 2024 11:13 pm
Forum: Wireless Networking
Topic: LoRa in CRS125 not work
Replies: 2
Views: 440

Re: LoRa in CRS125 not work

Did you install optional iot package, available in extra packages archive from Mikrotik's download page? Make sure you download archive, suitable for your device (architecture of CRS125 is MIPSBE) and for exactly the same ROS version as your device is running. In recent versions, lora functionality ...
by mkx
Tue Jan 16, 2024 11:05 pm
Forum: Wireless Networking
Topic: Provisioning not respecting name-format setting when provisioning local interfaces
Replies: 5
Views: 654

Re: Provisioning not respecting name-format setting when provisioning local interfaces

Local radios have (default) names before provisioning even starts, so they don't need (new) names on CAPsMAN device (unlike remote radios which don't exist on CAPsMAN until they get provisioned). And since local radios exist as soon as driver is loaded, you can rename them (simply set different name...
by mkx
Tue Jan 16, 2024 10:56 pm
Forum: Wireless Networking
Topic: Exceptionally high number of links down on hAP ax2 [SOLVED]
Replies: 5
Views: 962

Re: Exceptionally high number of links down on hAP ax2 [SOLVED]

You can set disable-running-check=yes on all wireless interfaces and then observe if link-down numbers still change. Read up in wifi help page about what's this property about. As explained before, when wireless interface transitions to not running, this means for bridge port the same as if etherne...
by mkx
Tue Jan 16, 2024 10:17 pm
Forum: General
Topic: Netinstall or reset cofiguration?
Replies: 13
Views: 892

Re: Netinstall or reset cofiguration?

But apparently users who installed OpenWRT were still able to switch back to ROS again. As far as I know (I'm not OpenWRT user, but I did read some docs about installing OpenWRT on MT hardware a few years ago), there are two ways of running OpenWRT on MT hardware: boot it from TFTP ... this way not...