Community discussions

Search found 6022 matches

by mkx
Sun Jun 20, 2021 12:39 pm
Forum: General
Topic: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]
Replies: 9
Views: 308

Re: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]

I don't think you can reduce number of firewall rules in input chain.
by mkx
Sun Jun 20, 2021 9:42 am
Forum: General
Topic: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]
Replies: 9
Views: 308

Re: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]

Indeed one has to filter access to router from certain subnets. But as I wrote the filter has to cover all router's interfaces, not only the "native" one ... and in this case the approach of "ultimate drop all rule" comes handy. This means that input chain contains a few rules al...
by mkx
Sun Jun 20, 2021 12:15 am
Forum: Beginner Basics
Topic: Slow navigation/browsing speeds
Replies: 12
Views: 470

Re: Slow navigation/browsing speeds

For sure you don't want to see any of "ether1 link down" messages ... I don't know what has to be done to stabilise the ethernet link. And you can try to set /interface detect-internet set detect-interface-list=none . While in theory functionality of detect internet should be fine in pract...
by mkx
Sat Jun 19, 2021 10:24 pm
Forum: General
Topic: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]
Replies: 9
Views: 308

Re: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]

a. seems this way b. my limited experience says yes c. as I wrote: ROS basically treats all packets (connections) targeting any of its IP interfaces the same way. The only difference that might show is due to different firewall rules (both raw and filter). This is pretty clear even from default fire...
by mkx
Sat Jun 19, 2021 10:15 pm
Forum: Beginner Basics
Topic: Initial Internet configuration ( via SFP port)
Replies: 22
Views: 665

Re: Initial Internet configuration ( via SFP port)

Actually, I'm thinking whether the ip-scan tool is showing everything that ever got an IP while the Leases menu shows only the active ones? IP scan tool is supposed to probe (ping or something) some address range and only display active devices. Doesn't matter how those devices obtained their IP ad...
by mkx
Sat Jun 19, 2021 1:52 pm
Forum: General
Topic: Home IoT Vlan setup
Replies: 18
Views: 605

Re: Home IoT Vlan setup

This is not exported configuration, this might be something you pushed into device which already had some config. So do what @anav asked to do ... execute /export hide-sensitive and post output.
by mkx
Sat Jun 19, 2021 1:49 pm
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 14
Views: 442

Re: CAPsMAN on layer2 + vlans

The bridge does the tagging/untagging for every interface in the vlan table - or so I thought. The bridge does tagging/untagging for ports which are untagged members of VLANs. Bridge does nothing on trunk ports (ports that are tagged members of VLANs). With wlan interfaces they can either be tagged ...
by mkx
Sat Jun 19, 2021 1:32 pm
Forum: General
Topic: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]
Replies: 9
Views: 308

Re: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]

ROS treats every own address (i.e. addresses configured as router's own regardless the interface or subnet) pretty much the same way ... and they're all treated in chain=input (unless connection is DST-NATed). If you want to block connections to "the wrong router's address" (e.g. ping from...
by mkx
Sat Jun 19, 2021 1:24 pm
Forum: Beginner Basics
Topic: Slow navigation/browsing speeds
Replies: 12
Views: 470

Re: Slow navigation/browsing speeds

You went into some quite advanced configuration because you wanted some QoS ... but if that isn't done quite right, it might actually make things worse. I'd try to introduce RB to your network with configurations as default as it gets. If it will behave more or less nicely, then you'll know it's the ...
by mkx
Sat Jun 19, 2021 1:08 pm
Forum: Beginner Basics
Topic: Initial Internet configuration ( via SFP port)
Replies: 22
Views: 665

Re: Initial Internet configuration ( via SFP port)

There are plenty of devices whose MAC addresses start with cc:50:e3 and which aren't on the DHCP lease list ... that MAC address range belongs to Espressif Inc, seems like they produce smart home gadgets. How these devices obtained their IP addresses is beyond my imagination. One reason might be tha...
by mkx
Fri Jun 18, 2021 11:32 pm
Forum: General
Topic: mikrotik redirect based on domain to internal ip [SOLVED]
Replies: 6
Views: 209

Re: mikrotik redirect based on domain to internal ip [SOLVED]

but it seems I should use reverse proxy and the included reverse proxy of mikrotik cannot do this

That's because ROS includes normal proxy, not reverse proxy. While they might both seem similar they operate differently.
by mkx
Fri Jun 18, 2021 11:11 am
Forum: General
Topic: Cant Open Ports
Replies: 9
Views: 247

Re: Cant Open Ports

First verify that internal server is actually accepting connections on TCP port 25. Then you can enable LOG flag, try remote connection and see if log contains anything. One thing you should be aware: some ISPs block port 25 (SMTP) towards clients because SMTP protocol is often used for malicious ac...
by mkx
Fri Jun 18, 2021 11:03 am
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 14
Views: 442

Re: CAPsMAN on layer2 + vlans

The wlan1, wlan2, wlan24, wlan25 devices are added under the correct vlan id, but they are added as tagged ports. I would like them to be untagged. (Otherwise dumb WiFi clients won't be able to connect.) That's correct and won't cause any problem ... wlan interfaces are tagged from bridge point of ...
by mkx
Thu Jun 17, 2021 11:33 pm
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 14
Views: 442

Re: CAPsMAN on layer2 + vlans

As @biomesh wrote, the trick is to set discovery interface to some vlan interface. For example, I have VLAN 42 intended for usual LAN traffic and I allow CAP to CAPsMAN communication via that VLAN. So on CAP device I have the following: /interface bridge add name=bridge vlan-filtering=yes /interface...
by mkx
Thu Jun 17, 2021 9:22 am
Forum: Beginner Basics
Topic: Coping with slow download speeds on my home LAN
Replies: 8
Views: 314

Re: Coping with slow download speeds on my home LAN

Did you try speedtest by connecting PC instead of netgear AP? The goal is to narrow down possible problems. If speedtest without netgear in the way shows decent speeds, this would indicate either problem with netgear itself or some interaction problem between netgear and mikrotik. If speedtest is sti...
by mkx
Wed Jun 16, 2021 10:14 pm
Forum: General
Topic: 1:1 NAT DDoS protection?
Replies: 7
Views: 295

Re: 1:1 NAT DDoS protection?

Right.
by mkx
Wed Jun 16, 2021 8:26 pm
Forum: General
Topic: 1:1 NAT DDoS protection?
Replies: 7
Views: 295

Re: 1:1 NAT DDoS protection?

Also, it's to help hide the real IP so it can't be targeted directly. What good does it make? If NAT device performs 1:1, then every single packet, destined to "fake" IP will reach "real" IP. Just as there wasn't NAT, only with a hop more. NAT, combined with firewall, is differe...
by mkx
Wed Jun 16, 2021 7:34 pm
Forum: General
Topic: 1:1 NAT DDoS protection?
Replies: 7
Views: 295

Re: 1:1 NAT DDoS protection?

Device simply performing NAT (any kind) does not recognize malicious packet and thus passes such packet along with all others. Hence a 1:1 NAT can not protect you from DDoS ...
Only stateful firewall or DPI can make that distinction and protect devices behind.
by mkx
Wed Jun 16, 2021 6:58 pm
Forum: Beginner Basics
Topic: VLAN setting [SOLVED]
Replies: 1
Views: 174

Re: VLAN setting [SOLVED]

Here's great tutorial about how to configure VLANs. When you think you're done, post config of both router and switch. From which stable is AP? I presume it's not Mikrotik.
by mkx
Wed Jun 16, 2021 6:54 pm
Forum: Beginner Basics
Topic: Coping with slow download speeds on my home LAN
Replies: 8
Views: 314

Re: Coping with slow download speeds on my home LAN

Just one more check: is netgear AP acting only as switch/AP and clients, connected to it, receive IP addresses from mikrotik LAN address space? And when you ran tests, you connected PC with UTP cable and netgear acted as a switch? If you connect PC to the wire otherwise used to connect netgear, do y...
by mkx
Wed Jun 16, 2021 1:59 pm
Forum: Beginner Basics
Topic: Coping with slow download speeds on my home LAN
Replies: 8
Views: 314

Re: Coping with slow download speeds on my home LAN

A few errors in your configuration: /ip address add address=192.168.2.1/24 interface=ether4 network=192.168.2.0 add address=192.168.3.1/24 interface=ether4 network=192.168.3.0 If you really need these two subnets, then you really should set addresses on bridge and not on member port (ether4). /ip fi...
by mkx
Wed Jun 16, 2021 8:11 am
Forum: General
Topic: hap ac3 bandwidth test to 127.0.0.1 TCP both direction utilises only 85% of CPU
Replies: 5
Views: 295

Re: hap ac3 bandwidth test to 127.0.0.1 TCP both direction utilises only 85% of CPU

What does profile of CPU usage (execute /tool profile cpu=all ) show? Are all CPUs loaded equally? I'd expect some CPU cores to be (almost) idle while others loaded 100%. The reason is that ROS is handling TCP connections by using same CPU core for all packets (reason is keeping packets in-order, IP...
by mkx
Wed Jun 16, 2021 8:05 am
Forum: Beginner Basics
Topic: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance
Replies: 13
Views: 552

Re: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance

I'm not sure about antibodies, but I'm sure I'm allergic ... to dummies :-P
by mkx
Tue Jun 15, 2021 10:45 pm
Forum: RouterBOARD hardware
Topic: SFP module is extremely hot
Replies: 48
Views: 24381

Re: SFP module is extremely hot

If you want to keep SFP temperature down and use 10Gbps links, then go with normal fibre SFPs and fibre patch cords. Fibre SFPs consume much less power and consequentially produce much less heat. Fibre patch cords tend to be less bulky than CAT7 cables or DAC cables which is good as it's easier to o...
by mkx
Tue Jun 15, 2021 10:32 pm
Forum: General
Topic: RouterBOARD 750G
Replies: 1
Views: 152

Re: RouterBOARD 750G

Product brochure states that 750g can route "up to 580Mbps throughput with larger packets, and up to 91500pps with small packets". The text doesn't go into specifics about what kind of traffic that would be, I'd assume they are absolute maximum numbers possible. If you compare it to test re...
by mkx
Tue Jun 15, 2021 8:22 pm
Forum: Beginner Basics
Topic: Setting Up small home network with MikroTik hEX RB750Gr3
Replies: 19
Views: 952

Re: Setting Up small home network with MikroTik hEX RB750Gr3

@zedoxx: what I'd do is the following: reset to default config use quickset to configure WAN ... PPPoE go into "normal" GUI and never ever go back to quickset unless you repeat config from step #1 remove ether5 from bridge add IP address to ether5. Configure additional address pool and DH...
by mkx
Tue Jun 15, 2021 6:31 pm
Forum: Beginner Basics
Topic: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance
Replies: 13
Views: 552

Re: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance

second covid dose

Which one, Pfizer? I opted for Biontech and had only minor (next to none) side effects. It's been almost 3 weeks since second shot and I'm almost certified to resume normal life ;-)
by mkx
Tue Jun 15, 2021 8:41 am
Forum: RouterBOARD hardware
Topic: Battery driven RB get bricked
Replies: 6
Views: 444

Re: Battery driven RB get bricked

IMO whenever one runs some device off a battery, it's good thing to install under-voltage cut-off device. Not to protect powered device but to protect battery itself. None of battery chemistries (lead-acid, nickel, lithium) don't like being completely depleted and one has to protect them from gettin...
by mkx
Tue Jun 15, 2021 8:23 am
Forum: General
Topic: Howto use HAP AC2 as switch+AP on vlan(s)
Replies: 8
Views: 354

Re: Howto use HAP AC2 as switch+AP on vlan(s)

Bridge is the only port member of these VLANs. At least for VLAN 99 you should add ether1 as tagged port or else you'll almost definitely lose management access. Nope, there is a vlan interface that is added to the bridge, vlan 99, with static IP 192.168.19.252. I was managing the router through th...
by mkx
Tue Jun 15, 2021 8:05 am
Forum: Beginner Basics
Topic: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance
Replies: 13
Views: 552

Re: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance

Isn't buying lottery ticket a prerequisite for winning the lottery? Are you doing anything about it? Or you rather spend the dime on Canadian rye? ;-)
by mkx
Mon Jun 14, 2021 11:16 pm
Forum: General
Topic: Howto use HAP AC2 as switch+AP on vlan(s)
Replies: 8
Views: 354

Re: Howto use HAP AC2 as switch+AP on vlan(s)

My dear @anav, as always you're one step ahead of me ... you already forgot you're forgetting things :-P
by mkx
Mon Jun 14, 2021 11:12 pm
Forum: Beginner Basics
Topic: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance
Replies: 13
Views: 552

Re: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance

I am itching to try a newer wifi6 620 or 660 at some point.

Oh please ... stop whining and do it already. And don't forget to throw your beloved 245's in my direction real hard.
by mkx
Mon Jun 14, 2021 10:55 pm
Forum: General
Topic: Howto use HAP AC2 as switch+AP on vlan(s)
Replies: 8
Views: 354

Re: Howto use HAP AC2 as switch+AP on vlan(s)

Access ports won't work until you enable vlan-filtering on bridge. Without that bridge does not add VLAN tag on ingress as per pvid settings nor does it strip VLAN tags on egress as per untagged vlan membership. So: take a deep breath, enable safe mode and enable vlan-filtering on bridge. If your m...
by mkx
Mon Jun 14, 2021 10:47 pm
Forum: Beginner Basics
Topic: Initial Internet configuration ( via SFP port)
Replies: 22
Views: 665

Re: Initial Internet configuration ( via SFP port)

Btw I'm paying to have a static IPv4 and to not be anymore under their CGNAT That doesn't mean you should not allow automatic IP address acquisition. Depends how your ISP delivers internet, but they should instruct you what to do. I don't think you can actually statically set IP address when using ...
by mkx
Mon Jun 14, 2021 10:32 pm
Forum: Wireless Networking
Topic: Dual VS Triple Chain and 80Mhz
Replies: 1
Views: 196

Re: Dual VS Triple Chain and 80Mhz

Number of used chains is only indirectly connected to number of channels ... the property which links them is Tx power. In most countries regulations limit radiated power (EIRP) and that power is then divided between chains (triple chain transmitter can spend 1/3 of power for each chain while dual c...
by mkx
Mon Jun 14, 2021 8:01 pm
Forum: Beginner Basics
Topic: RB960PSG max POE output
Replies: 5
Views: 213

Re: RB960PSG max POE output

I can reach the maximum with 48POW No, you can't. You want 4x450mA=1800mA peak power, while 48POW is rated at 1460mA which makes it short by one PoE device (if you consider RB960PGS own consumption as well). Either use an even higher-power power adapter or go with some other PoE switch. Or use dual...
by mkx
Mon Jun 14, 2021 6:53 pm
Forum: General
Topic: Stacked VLAN bridges and interfaces
Replies: 1
Views: 166

Re: Stacked VLAN bridges and interfaces

One of ways to achieve QinQ in ROS is to use multiple bridges in layered manner. Probably that's not the only way ... In your case you'd use one layer since you only have one interface carrying QinQ traffic. So what you can do is: create number of VLAN interfaces, one per remote location. All anchor...
by mkx
Mon Jun 14, 2021 6:19 pm
Forum: General
Topic: Next-hop and NAT
Replies: 4
Views: 226

Re: Next-hop and NAT

If you follow your initial thought, you would easily run into some routing triangle problems. They would not necessarily cause any problems initially, but could cause issues that would be hard to track. If you'd follow my suggestion, then mikrotik would just route, nothing more (no firewall no NAT)....
by mkx
Mon Jun 14, 2021 8:45 am
Forum: RouterBOARD hardware
Topic: Fans on MikroTik Cloud Router Switch 354-48G-4S+2Q+RM - volume level?
Replies: 5
Views: 338

Re: Fans on MikroTik Cloud Router Switch 354-48G-4S+2Q+RM - volume level?

Personally I don't have any CRS354 ... but since it's actively cooled and given the diameter (and RPM) of those fans I guess I wouldn't like to have that beast anywhere near my bed nor living room sofa (nor normal office working space). And I guess closing it in some sealed mini rack would work agai...
by mkx
Mon Jun 14, 2021 8:36 am
Forum: General
Topic: Next-hop and NAT
Replies: 4
Views: 226

Re: Next-hop and NAT

If you don't need any filtering of traffic between different subnets (which would require firewall rules), then you don't need 4 VLANs on the connection between mikrotik and fortigate. Instead you should use fifth subnet for that connection. It can have longer subnet mask if you wish, e.g. 192.168.5...
by mkx
Sun Jun 13, 2021 4:53 pm
Forum: RouterBOARD hardware
Topic: Fans on MikroTik Cloud Router Switch 354-48G-4S+2Q+RM - volume level?
Replies: 5
Views: 338

Re: Fans on MikroTik Cloud Router Switch 354-48G-4S+2Q+RM - volume level?

BTW is not ROS overkill on a Switch?

It probably is. But some people adore CLI for management and SNMP for supervision.
by mkx
Sat Jun 12, 2021 2:02 pm
Forum: General
Topic: CRS328 - can't ping device, packet sniffer shows no ICMP packets
Replies: 3
Views: 218

Re: CRS328 - can't ping device, packet sniffer shows no ICMP packets

To use packet sniffer on CRS you need to disable HW offload for the port of interest. Otherwise I don't see anything wrong with config. In some rare cases some devices misbehaved even though config seemed right. Some cleansing action was needed, you might want to try one of these (you can try all fr...
by mkx
Sat Jun 12, 2021 11:03 am
Forum: General
Topic: Port Forwarding Problem [SOLVED]
Replies: 16
Views: 799

Re: Port Forwarding Problem [SOLVED]

You need hairpin nat.
by mkx
Sat Jun 12, 2021 10:59 am
Forum: General
Topic: dhcp on vlan trunk not working
Replies: 15
Views: 593

Re: dhcp on vlan trunk not working

why would anybody want to tag all packets on a trunk port, except for a very specific one? On trunk port one would not tag/untag any of packets and would thus configure such port with frame-types=admit-only-vlan-tagged ingress-filtering=yes (when using bridge vlan filtering and appropriate setting ...
by mkx
Fri Jun 11, 2021 10:22 pm
Forum: General
Topic: Route reachable but timeout??
Replies: 6
Views: 408

Re: Route reachable but timeout??

Torch is one of tools that can help you. And no, counter increasing in one direction doesn't mean the port is not damaged.
by mkx
Fri Jun 11, 2021 10:16 pm
Forum: General
Topic: Firewall rules to secure CHR
Replies: 4
Views: 396

Re: Firewall rules to secure CHR

Something like that. If you need to add some accept rules later, push them just below the "drop invalid" rules and above the new "drop all" ones. I wouldn't log all hits of "drop all rules", there might be many entries due to bots scanning the network. A missing accept ...
by mkx
Fri Jun 11, 2021 4:10 pm
Forum: Beginner Basics
Topic: Preserve client IP when dst-nat to other server
Replies: 25
Views: 717

Re: Preserve client IP when dst-nat to other server

By referring to "another subnet for NTP server" I was thinking of this LAN setup: --> LAN (10.0.0.0/16 or whatever the subnet mask) / | internet <--> router | \ --> "NTP lan" (NTP server with IP address e.g. 10.254.254.2/24 or any other IP address outside LAN subnet mask) The bes...
by mkx
Fri Jun 11, 2021 9:15 am
Forum: General
Topic: Route reachable but timeout??
Replies: 6
Views: 408

Re: Route reachable but timeout??

And the strange thing, it can run if I switch the function from ether 2 to ether 5. If that's the case then you might want to thoroughly check potential differences in configuration of those two ports. Next thing would be doing some elaborate tests to try to pinpoint the device where stuff breaks. ...
by mkx
Fri Jun 11, 2021 8:41 am
Forum: General
Topic: Route reachable but timeout??
Replies: 6
Views: 408

Re: Route reachable but timeout??

Sorry, crystal ball is defunct currently. What I want to write: it's impossible to tell why something stopped working while nothing supposedly changed. In this case it's only possible to find the reason by extensively debugging the whole setup. And you're the only one able to do it.
by mkx
Fri Jun 11, 2021 8:30 am
Forum: Beginner Basics
Topic: Winbox 64 bits ?
Replies: 3
Views: 289

Re: Winbox 64 bits ?

Probably a stupid question... but what's the point of a 64bits Winbox ? what use case / config would require it ? Even though the name of tool is win box which implies it's a tool running in windows (and that's even true) that doesn't mean it can't be run in other environments. Such as under wine i...
by mkx
Fri Jun 11, 2021 8:18 am
Forum: Beginner Basics
Topic: Preserve client IP when dst-nat to other server
Replies: 25
Views: 717

Re: Preserve client IP when dst-nat to other server

@rextended: I'll just ignore your last post, it's quite off topic already. The post is directed at me (concrete examples of "right" choices) and I think I can master my own subnet of NTP servers just fine (I've been running public NTP servers for the last 25 years). You don't know the reas...
by mkx
Thu Jun 10, 2021 10:20 pm
Forum: Beginner Basics
Topic: Preserve client IP when dst-nat to other server
Replies: 25
Views: 717

Re: Preserve client IP when dst-nat to other server

You're right ... as long as it works, we don't need any logs, debugging information or any other nonsense. But sometimes it doesn't work ... and then we need all the noise we can get ... and if there's no noise to filter, we're in troubles.
by mkx
Thu Jun 10, 2021 9:51 pm
Forum: Beginner Basics
Topic: Preserve client IP when dst-nat to other server
Replies: 25
Views: 717

Re: Preserve client IP when dst-nat to other server

observability of NTP server in ROS I do not understand how traduce that on Italian but... I'm talking about .... [user@MTrouter] > /system ntp client print enabled: yes mode: unicast primary-ntp: 192.168.42.10 secondary-ntp: 2001:1470:8000::92 dynamic-servers: status: synchronized versus user@192.1...
by mkx
Thu Jun 10, 2021 8:13 pm
Forum: RouterOS v7 BETA
Topic: Driver bug on 7.1b6 and rtl8153b ethernet chipset
Replies: 2
Views: 354

Re: Driver bug on 7.1b6 and rtl8153b ethernet chipset

You can download previous versions if you hand-craft download links similar to the current one. For example: download link for x86 7.1beta6 Extra packages is h ttps://download.mikrotik.com/routeros/7.1beta6/all_packages-x86-7.1beta6.zip If you change it to h ttps://download.mikrotik.com/routeros...
by mkx
Thu Jun 10, 2021 7:59 pm
Forum: Wireless Networking
Topic: CAPSman Controller device
Replies: 7
Views: 533

Re: CAPSman Controller device

I'd be careful about running CAPs manager off site. If CAP devices lose connectivity towards manager (can be even a very short period of time) they shut down their radios.
by mkx
Thu Jun 10, 2021 7:54 pm
Forum: General
Topic: How get access in to vlan from mikrotik bridge mode with tagged port?
Replies: 12
Views: 393

Re: How get access in to vlan from mikrotik bridge mode with tagged port?

OK, since you're not going to describe your environment here's my last post in this thread. Here's a great tutorial on how VLANs are done in mikrotik. Won't help you if your actual LAN layout is as is on your drawing (i.e. your mikrotik completely outside of VLAN 20 area) though.
by mkx
Thu Jun 10, 2021 7:42 pm
Forum: General
Topic: How get access in to vlan from mikrotik bridge mode with tagged port?
Replies: 12
Views: 393

Re: How get access in to vlan from mikrotik bridge mode with tagged port?

Network ... It's simple and flat, it's a local area network with one router 10.10.0.1. Since we're discussing VLANs here and those are L2 (or L2.5 if you want), it still isn't simple and flat. For sure there are managed switches with configuration regarding VLANs (port membership etc.) which have m...
by mkx
Thu Jun 10, 2021 7:32 pm
Forum: Beginner Basics
Topic: locking band R11e-LTE6 [SOLVED]
Replies: 6
Views: 485

Re: locking band R11e-LTE6 [SOLVED]

If modem drops off network when you lock it to some cell, then don't do it. If your favourite MNO does at least half decent job with optimisation of their LTE network then there are very few reasons to lock to some cell instead of letting network do its job.
by mkx
Thu Jun 10, 2021 7:28 pm
Forum: Beginner Basics
Topic: Preserve client IP when dst-nat to other server
Replies: 25
Views: 717

Re: Preserve client IP when dst-nat to other server

Not sure what you mean by own NTP server?

A raspberry pi, running NTP service ... or something like that. Or even own atomic clock, why not? After all, observability of NTP server in ROS is nil, but some of us do care about proper functioning of services.
by mkx
Thu Jun 10, 2021 6:50 pm
Forum: Beginner Basics
Topic: Preserve client IP when dst-nat to other server
Replies: 25
Views: 717

Re: Preserve client IP when dst-nat to other server

When you're doing dst-nat to server (10.0.0.100) which is in the same subnet as original client (10.0.0.10), then it is essential to perform src-nat as well (without it, server would reply to client directly and client would reject replies because they would be coming back from IP address it did not...
by mkx
Thu Jun 10, 2021 6:40 pm
Forum: General
Topic: dhcp on vlan trunk not working
Replies: 15
Views: 593

Re: dhcp on vlan trunk not working

Your setup of VLAN ports and interfaces is hosed ... suggest you to read this nice tutorial to see where you failed.
by mkx
Thu Jun 10, 2021 6:37 pm
Forum: General
Topic: How get access in to vlan from mikrotik bridge mode with tagged port?
Replies: 12
Views: 393

Re: How get access in to vlan from mikrotik bridge mode with tagged port?

Mikrotik is fully capable of working with VLANs. But it has to be configured properly and attached to a port in the network which allows access to VLAN 200.

But again, you don't provide usable network information so you don't get usable advice.
by mkx
Thu Jun 10, 2021 6:33 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta6 [development] is released!
Replies: 264
Views: 26242

Re: v7.1beta6 [development] is released!

If you read what @raimondsp wrote it's clear that it's constraint in current L3 HW offload implementation . Not the configuration (because it's not something user can change) nor attached devices. CRS can take jumbo frames, but they will pass CPU which offers severely low throughput ... which is wha...
by mkx
Thu Jun 10, 2021 6:30 pm
Forum: General
Topic: How get access in to vlan from mikrotik bridge mode with tagged port?
Replies: 12
Views: 393

Re: How get access in to vlan from mikrotik bridge mode with tagged port?

VLAN with different ID is just like different physical network ... to reach it, one needs router which connects to both sides. Your diagram does not show any such border device, it only shows a device sitting inside VLAN 20. If border device is properly configured, you can't just add VLAN tags to fr...
by mkx
Thu Jun 10, 2021 6:17 pm
Forum: General
Topic: Firewall rules to secure CHR
Replies: 4
Views: 396

Re: Firewall rules to secure CHR

A pretty safe approach when constructing firewall rules is to have ultimate rule in both input and forward chain which drops everything not accepted by previous rules. Your setup only drops invalid packets which doesn't really protect your router (or network behind that router). Remember: implicit la...
by mkx
Thu Jun 10, 2021 6:05 pm
Forum: RouterOS v7 BETA
Topic: OSPF routing syntax
Replies: 10
Views: 694

Re: OSPF routing syntax

New filtering rule syntax will be introduced in the next beta. Or, to be precise, v7.1Beta7 will be released when the new syntax is ready.
Ok thank you, can you tell an approximative date for the Beta7 ?

Which part of post by @raimondsp is not clear?
by mkx
Thu Jun 10, 2021 8:06 am
Forum: Beginner Basics
Topic: Router Firewall
Replies: 1
Views: 256

Re: Router Firewall

Screenshot doesn't show everything, next time create text export by executing command /export hide-sensitive file=anynameyouwish from terminal window. Open resulting file in text editor, copy-paste contents ... With firewall filter rules everything (except chain and action) is optional, specifying m...
by mkx
Thu Jun 10, 2021 7:47 am
Forum: RouterOS v7 BETA
Topic: v7.1beta6 [development] is released!
Replies: 264
Views: 26242

Re: v7.1beta6 [development] is released!

There was a thread about L3 HW performance (or rather lack of it) and it was said that L3 HW offload for jumbo frames was not there yet. I'm not sure if that limitation is already lifted. So you might try to test similar scenario but using standard MTU values ...
by mkx
Wed Jun 09, 2021 9:57 pm
Forum: Beginner Basics
Topic: Problem routing traffic from one lan to another
Replies: 6
Views: 548

Re: Problem routing traffic from one lan to another

I'll assume the network subnets are real even if IP addresses aren't. So ... there are two potential problems: Does router 219.7.221.254 have static route towards 128.136.0.0/16 via 219.7.221.252? Does router 219.7.221.254 run stateful firewall? You are possibly creating routing triangle between mik...
by mkx
Wed Jun 09, 2021 9:37 pm
Forum: RouterBOARD hardware
Topic: VLAN problem with CRS112-8P-4S
Replies: 9
Views: 530

Re: VLAN problem with CRS112-8P-4S

As @mada3k wrote: remove switch1-cpu from all vlan port groups under /interface ethernet switch vlan except for VLAN 255. That's only necessary for VLANs with which ROS interacts and it interacts through appropriate vlan interface. Admitting other VLANs to CPU only allows broadcasts to flood the CPU...
by mkx
Wed Jun 09, 2021 9:01 am
Forum: SwOS
Topic: Port Isolation
Replies: 2
Views: 318

Re: Port Isolation

Switches don't have notion of connections ... they only see frames. So with switch it's not possible what you're after. Some switches support ACLs where you can select certain L3/L4 properties of frames which should be dropped. You can try to use that functionality to mimic connection-awareness. For...
by mkx
Wed Jun 09, 2021 8:27 am
Forum: Beginner Basics
Topic: Port 443
Replies: 4
Views: 359

Re: Port 443

Even though you might have some success by constructing L7 filter rules it probably won't last ... The encrypted connection protocols are evolving. Currently there's some initial connection metadata passed unencrypted (namely SNI field) and it is possible to construct L7 filter to fetch that data an...
by mkx
Tue Jun 08, 2021 11:24 pm
Forum: RouterBOARD hardware
Topic: Which router/switch for distributing to 10 individual RouterBOARDs 951-2n?? [SOLVED]
Replies: 4
Views: 553

Re: Which router/switch for distributing to 10 individual RouterBOARDs 951-2n?? [SOLVED]

I wasn't sure if crs328 was able to handle such a load With some luck it will ... but there's no guarantee. If you look at official test results ... and concentrate on Ethernet test results table, you'll see some routing performance numbers. Experience goes that if you have to pick a number from th...
by mkx
Tue Jun 08, 2021 11:08 pm
Forum: Wireless Networking
Topic: Using 40 Mhz wide channels in a 2.4 Ghz wireless network deployment
Replies: 9
Views: 657

Re: Using 40 Mhz wide channels in a 2.4 Ghz wireless network deployment

Just in case you decide to go with option #2 from my post above ... you can argument that professional networks, consisting of multiple base stations (APs in WiFi talk) and operating using single frequency channel, use pretty complicated mechanisms to overcome inter-base-station interference: exampl...
by mkx
Tue Jun 08, 2021 9:52 pm
Forum: Wireless Networking
Topic: Using 40 Mhz wide channels in a 2.4 Ghz wireless network deployment
Replies: 9
Views: 657

Re: Using 40 Mhz wide channels in a 2.4 Ghz wireless network deployment

Due to lack of any serious advice, I'll resort to sarcasm. So you have 3 options:
- resign from your job immediately
- fight with senior staffer and resign from your job a bit later
- leave wireless config according to senior's "law" ... and move around the premises wearing paper bag over your h...
by mkx
Tue Jun 08, 2021 8:12 pm
Forum: Wireless Networking
Topic: Using 40 Mhz wide channels in a 2.4 Ghz wireless network deployment
Replies: 9
Views: 657

Re: Using 40 Mhz wide channels in a 2.4 Ghz wireless network deployment

Honestly I don't see how you could possibly win this argument. He is obviously very confident about his own knowledge (so he won't take any technical arguments) and he is senior to you (so you can't force your view on him).
by mkx
Tue Jun 08, 2021 12:20 pm
Forum: RouterBOARD hardware
Topic: 3 routerboards bricked this week
Replies: 27
Views: 1421

Re: 3 routerboards bricked this week

Netinstall is very fragile process. Often netinstall seemingly does its job (returning to ready in very short time) but actually doing nothing .... proper netinstall process takes some time (IIRC something around 10-30 seconds, depending on device's storage size and platform). So it is really vital ...
by mkx
Tue Jun 08, 2021 12:12 pm
Forum: General
Topic: no routerboards bricked from 2007 [SOLVED]
Replies: 6
Views: 649

Re: no routerboards bricked from 2007 [SOLVED]

Just to clarify: term "bricked" in my previous post describes router/switch which doesn't boot after user performs some action permitted by ROS itself ... either that's ROS upgrade in one of supported ways or change of configuration which is not rejected by ROS or something else. The fact ...
by mkx
Tue Jun 08, 2021 12:05 pm
Forum: Beginner Basics
Topic: Access LAN computer from a 4G Network
Replies: 2
Views: 245

Re: Access LAN computer from a 4G Network

Not sure if it's the same in your case, but I'll mention regardless: cellular networks in general are not as transparent as fixed networks. Could be that MNO is doing some funky stuff (firewalling of outgoing connections, DPI, rate limiting, FUP, ...) which breaks NAS access for you.
by mkx
Tue Jun 08, 2021 9:22 am
Forum: Beginner Basics
Topic: Very large amount of data on WAN being blocked by defconf firewall rule (Hex S)
Replies: 11
Views: 527

Re: Very large amount of data on WAN being blocked by defconf firewall rule (Hex S)

I would think that with this decent amount of data getting sucked up my ISP would be doing something about it? I know that it'd always be a losing battle, but across thousands of customers wouldn't it add up pretty quickly? The lost data is inconsequential in regards to my data cap and my bandwidth...
by mkx
Tue Jun 08, 2021 9:09 am
Forum: Beginner Basics
Topic: Very large amount of data on WAN being blocked by defconf firewall rule (Hex S)
Replies: 11
Views: 527

Re: Very large amount of data on WAN being blocked by defconf firewall rule (Hex S)

In my browser (FF 89 in ubuntu linux) the second code block isn't limited in a frame (with vertical scroll bar), contents rendering is slightly weird as well. The same in chrome/android on my phone.

Well, I'm quite sure this is not something you or I can fix ...
by mkx
Tue Jun 08, 2021 8:38 am
Forum: General
Topic: no routerboards bricked from 2007 [SOLVED]
Replies: 6
Views: 649

Re: no routerboards bricked from 2007 [SOLVED]

Understand my point of view now? Your point of view might be valid in certain circumstances. The problem with your point of view is that MT tries to be a player in SOHO market segment where expecting users to be anything but dummies is unrealistic. It is understandable that people less tech savvy g...
by mkx
Tue Jun 08, 2021 8:29 am
Forum: Beginner Basics
Topic: Very large amount of data on WAN being blocked by defconf firewall rule (Hex S)
Replies: 11
Views: 527

Re: Very large amount of data on WAN being blocked by defconf firewall rule (Hex S)

It's better to include config and logs in the post using code tags:

Just make sure you have some little "normal" text (at least a dot or two) between two [code] [/code] blocks ... or else forum will improperly render the second (and subsequent) blocks making the effort useless.
by mkx
Tue Jun 08, 2021 8:15 am
Forum: Beginner Basics
Topic: ISP PPPOE with VLAN filtering [SOLVED]
Replies: 32
Views: 1443

Re: ISP PPPOE with VLAN filtering [SOLVED]

Question though, if I'm assigning a pvid to a bridge port would that then be added as tagged or untagged on the bridge vlan configuration? Bridge comes with multiple personalities, they are very well explained in this thread . When assigning PVID to bridge, you're assigning it to bridge port and br...
by mkx
Mon Jun 07, 2021 11:28 am
Forum: Beginner Basics
Topic: After applied filter rule internet connect not stable
Replies: 6
Views: 567

Re: After applied filter rule internet connect not stable

Question 1 add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)" how to get this IP address 127.0.0.1? It's there, implicitly set. But it's hidden from you, you can't see it anywhere. However it's not really usable for many things, e...
by mkx
Mon Jun 07, 2021 11:16 am
Forum: Beginner Basics
Topic: Connecting several CRS: Bad transfer rate
Replies: 7
Views: 467

Re: Connecting several CRS: Bad transfer rate

...for such a simple setup, I wouldn't bother finding the flaws in the remains of an old configuration. The problem I was mentioning (LCD display affecting performance) doesn't seem to be due to configuration (so it seemed at the time many users were affected by it), but rather due to interaction b...
by mkx
Mon Jun 07, 2021 11:11 am
Forum: General
Topic: someone hack my routrs - can someone help?
Replies: 15
Views: 1260

Re: someone hack my routrs - can someone help?

All but high-end devices (which includes CCR, CRS and RB1100 devices) come with set of default firewall rules. One can see default settings by executing command /system default-configuration print (just beware that lines are truncated rather than wrapped around, so make sure you have really wide ter...
by mkx
Sun Jun 06, 2021 6:00 pm
Forum: Beginner Basics
Topic: I have a dedicated FW that I wish to keep, but demote from being the Gateway placing a Mikrotik Router there in stead
Replies: 11
Views: 657

Re: I have a dedicated FW that I wish to keep, but demote from being the Gateway placing a Mikrotik Router there in stea

Subnets? I really don't get why? To ensure packets flow in both directions via same path ... otherwise things can get messy. I agree that this seems unsolicited complication, but in long term it would save you some time ... ISP > > Zyxel FW @ 192.168.1.2 (Cabling channels all the traffic through...
by mkx
Sun Jun 06, 2021 12:13 pm
Forum: Beginner Basics
Topic: I have a dedicated FW that I wish to keep, but demote from being the Gateway placing a Mikrotik Router there in stead
Replies: 11
Views: 657

Re: I have a dedicated FW that I wish to keep, but demote from being the Gateway placing a Mikrotik Router there in stea

Proper thing to do would be the following: use one IP subnet for LAN devices (right of MT router) and one subnet for MT-FW "subnet". Ideally you would keep using same IP subnet for LAN (in case you have any static configuration on any of LAN devices). MT would simply have two interfaces, c...
by mkx
Sun Jun 06, 2021 11:56 am
Forum: General
Topic: two cpe's
Replies: 2
Views: 283

Re: two cpe's

Which particular RB750 do you have? There are a few models, some current and some discontinued. Ability to power both SXTs depends on particular model. As to the data connectivity setup: any of RB750 will nicely route traffic. The oldest models might have hard time to actually route at 60Mbps (both ...
by mkx
Sat Jun 05, 2021 7:52 pm
Forum: General
Topic: CPU high utilization due to the Queue .CCR
Replies: 5
Views: 373

Re: CPU high utilization due to the Queue .CCR

Usual suggestion is to go with latest version from "long-term" channel, currently that's 6.47.10.
by mkx
Sat Jun 05, 2021 10:51 am
Forum: General
Topic: ROS upgrade failed on CRS328-4C-20S-4S+ now stuck in SWOS?
Replies: 3
Views: 333

Re: ROS upgrade failed on CRS328-4C-20S-4S+ now stuck in SWOS?

My guess is that you'll need physical access to the switch. And netinstall it.

SwOS doesn't have any MAC-something service, only way to manage it is via web interface.
by mkx
Sat Jun 05, 2021 10:48 am
Forum: General
Topic: DIfferent port-forwarding based on domain
Replies: 1
Views: 247

Re: DIfferent port-forwarding based on domain

It can't be done with mikrotik only. L7 is too late in the game to make redirection working (it works fine as firewall rule because it can break connection at some later stage) and other criteria don't care about SNI (Server Name Indication) which is the only way of getting domain name of intended s...
by mkx
Sat Jun 05, 2021 10:40 am
Forum: General
Topic: Bounding 802.3ad
Replies: 7
Views: 411

Re: Bounding 802.3ad

...in my opinion a single ppoe connection will not be balanced across all ports in the bond. Indeed. PPPoE is protocol on top of ethernet, hence bonding policies will only hash according to L2 ... as PPPoE server is only one (single MAC address), the only remaining variable is client MAC address.
by mkx
Sat Jun 05, 2021 10:37 am
Forum: General
Topic: DNS Forwarding is not working anymore
Replies: 4
Views: 422

Re: DNS Forwarding is not working anymore

My guess: you need properly configured hair-pin NAT for DNS resolver.

To give you better advice, post output of at least /ip firewall nat export hide-sensitive ... complete config would be better.
by mkx
Fri Jun 04, 2021 11:34 pm
Forum: Wireless Networking
Topic: hAP ac2 can't connect 5Ghz -N/AC mode
Replies: 15
Views: 8519

Re: hAP ac2 can't connect 5Ghz -N/AC mode

By the way every time I use one of your posts, I drink a beer in your honour. I hope that is payment enough ;-P So far I am still sober................... conclusion ;-PPPPP

Conclusion: next time your better half lets you to the grocery store, try to find some non-alcohol-free beer :-P
by mkx
Fri Jun 04, 2021 11:24 pm
Forum: General
Topic: Can't access network [SOLVED]
Replies: 3
Views: 401

Re: Can't access network [SOLVED]

So essentially you want to use mikrotik to wirelessly bridge multiple wired devices on L2. In short: it can't work if both wireless devices are from different vendors due to missing piece in 802.11 standard. You can read more in this nice article . There are some workarounds but all come with gotchas.
by mkx
Fri Jun 04, 2021 3:00 pm
Forum: RouterBOARD hardware
Topic: GPeR
Replies: 4
Views: 682

Re: GPeR

You could use RBGPOE passive injector from one side to power GPeR ... I guess.
by mkx
Fri Jun 04, 2021 2:56 pm
Forum: Wireless Networking
Topic: hAP ac2 can't connect 5Ghz -N/AC mode
Replies: 15
Views: 8519

Re: hAP ac2 can't connect 5Ghz -N/AC mode

Also, other suckers like me may actually look at the thread with genuine 5Ghz issues and could benefit from my unique and amazing settings . Indeed. Sometimes I have a feeling that you use this forum as a scratchpad to scrabble your settings only to come back at some later time to find them to re-a...
by mkx
Fri Jun 04, 2021 2:47 pm
Forum: Beginner Basics
Topic: RouterOS on CRS326 - upgrade from USB flash drive
Replies: 2
Views: 300

Re: RouterOS on CRS326 - upgrade from USB flash drive

Usual mode of manual upgrading ROS is to copy npk file to root of device's storage. After that reboot device and it should pick the file. The trick in your case is how to move/copy file from flash drive to device's storage. I don't think there's command to actually copy file from one directory (or m...
by mkx
Fri Jun 04, 2021 2:42 pm
Forum: Beginner Basics
Topic: Internet fiber on switch to router
Replies: 8
Views: 463

Re: Internet fiber on switch to router

Can I connect the internet fiber to the CRS328 (who has 4 SFP+ ports) and configure the RB4011 to use that as default destination? This would however mean that all traffic from LAN to WAN has to go through the CRS328 - RB4011 connection to be routed and back to go to the internet. Assuming internet...
by mkx
Fri Jun 04, 2021 2:29 pm
Forum: General
Topic: VLAN Routing is slow on hex S
Replies: 10
Views: 557

Re: VLAN Routing is slow on hex S

Don't mix intra-VLAN switching and inter-VLAN routing . Better switch (CSS3xx or CRS3xx) can help with former (intra-VLAN switching) but not with the latter (switches suck at routing even if they run ROS, like CRS3xx does). hEX S is not a very powerful router. Real-life routing performance with prett...
by mkx
Fri Jun 04, 2021 12:27 pm
Forum: Beginner Basics
Topic: Access Webserver inside Lan - Hairpin NAT [SOLVED]
Replies: 3
Views: 473

Re: Access Webserver inside Lan - Hairpin NAT [SOLVED]

Assuming your whole LAN is behind ether2 ... you'll have to add ether2 to interface list LAN:
/interface list
add interface=ether2 list=LAN

BTW, current entry to LAN interface list (add list=LAN) does nothing and would best be removed not to offer base for any wrong assumptions.
by mkx
Fri Jun 04, 2021 12:10 pm
Forum: Beginner Basics
Topic: Connecting several CRS: Bad transfer rate
Replies: 7
Views: 467

Re: Connecting several CRS: Bad transfer rate

why all interface have set [ find default-name=xxx ] speed=100Mbps ??? My guess: config started with ancient ROS version where 100Mbps was default (comment on bridge of CRS2 saying "created from master port" indicates this). This setting, however, should not affect performance if auto-neg...
by mkx
Fri Jun 04, 2021 9:26 am
Forum: Beginner Basics
Topic: L3 switch configuration
Replies: 1
Views: 266

Re: L3 switch configuration

Here's VLAN config manual for CRS1xx. Beware that routing capacity of CRS1xx devices is nowhere near wirespeed. If you need any decent throughput between VLANs you better buy proper router for that.
by mkx
Fri Jun 04, 2021 9:19 am
Forum: General
Topic: 2x CRS328-24P-4S+ with broken ports - short circuit
Replies: 4
Views: 349

Re: 2x CRS328-24P-4S+ with broken ports - short circuit

Use gigabit PoE surge protector, sometime parasite currents can happen between two devices in 100+ network devices? Perhaps not all 100+ devices, but that's up to qualified electrician to decide. It very much depends on earthing done on both ends of UTP cable. If earthing point is common for both e...
by mkx
Fri Jun 04, 2021 9:07 am
Forum: RouterOS v7 BETA
Topic: Vlan on switch vs Vlan on interface
Replies: 5
Views: 498

Re: Vlan on switch vs Vlan on interface

@Tulga described requirements:
- eth3 and eth5 are members of same LAN (switching traffic between ports) - LAN1: 192.168.1.0/24 (I'm guessing subnet mask)
- eth7 and eth9 are members of LAN2: 192.168.2.0/24
- ethX (other than 3,5,7,9 and WAP port) are members of LAN3: 192.168.100.0/24
One can do it using ...
by mkx
Tue Jun 01, 2021 9:17 am
Forum: Beginner Basics
Topic: No ping to device from AP ?
Replies: 2
Views: 299

Re: No ping to device from AP ?

Post full configuration export from station. If all ports are bridged, then firewall rules likely don't do anything... but there are other settings that can affect behaviour.
by mkx
Mon May 31, 2021 8:11 am
Forum: Wireless Networking
Topic: Help with Setup
Replies: 5
Views: 436

Re: Help with Setup

It can be done if you configure VLANs on link between the two cAPs. You'll need some general knowledge about VLANs, this tutorial nicely describes how it's done on Mikrotik devices.
by mkx
Sun May 30, 2021 11:01 pm
Forum: General
Topic: Firewall NAT logging!
Replies: 9
Views: 503

Re: Firewall NAT logging!

As the failed login attempts appear from a NAT router ( unless the address is spoofed !) I don't believe address seen by SSH daemon (on radius server) is spoofed. If it was, the connection would not go farther than to second step of 3-step TCP handshake (server reply with SYN ACK), so you wouldn't ...
by mkx
Sun May 30, 2021 8:19 pm
Forum: General
Topic: Firewall NAT logging!
Replies: 9
Views: 503

Re: Firewall NAT logging!

So somebody from internet (or LAN?) is trying to get into your not-so-well hidden SSH service. As all failed logins appear to originate from your NAT router, you probably have one src-nat too many (or some too greedy src-nat). If you fix that src-nat rule, you'll see actual src addresses of those lo...
by mkx
Sun May 30, 2021 8:12 pm
Forum: RouterBOARD hardware
Topic: RB4011iGS+ PoE in seems to need a jump-start
Replies: 12
Views: 675

Re: RB4011iGS+ PoE in seems to need a jump-start

PoE standard 802.3 af/at defines some elaborate procedure when PSE (power source) applies power to port. And if PD (powered device) does not respond appropriately, PSE should assume that connected device is not 802.3 af/at compliant and should not enable full power. RB4011 supports only passive PoE ...
by mkx
Sun May 30, 2021 1:53 pm
Forum: Wireless Networking
Topic: RB2011 wireless speed very low?
Replies: 4
Views: 523

Re: RB2011 wireless speed very low?

Even if it's "only" 802.11n, it should still be able to give realistic throughput around 100Mbps ... given reasonably interference-free environment (which might be mission impossible in certain areas). However, official test results indicate that realistic wired routing speed might peak at ...
by mkx
Sun May 30, 2021 11:02 am
Forum: RouterBOARD hardware
Topic: RB4011iGS+ PoE in seems to need a jump-start
Replies: 12
Views: 675

Re: RB4011iGS+ PoE in seems to need a jump-start

Only thinking aloud: starlink brick specifies output voltage at 56V. That might be nominal voltage while in reality (specially while unloaded) it might be a tad higher. Mikrotik OTOH might refuse to start when fed by voltage higher than exactly the upper limit (57V). If, after starting up, mikrotik ...
by mkx
Sat May 29, 2021 9:07 pm
Forum: General
Topic: Point to Point Addressing /32 or /31 Default Route [SOLVED]
Replies: 15
Views: 838

Re: Point to Point Addressing /32 or /31 Default Route [SOLVED]

Ethernet technology is point to multipoint technology. It works the same regardless of how layer above (e.g. IP) is configured, frames are still sent to destination MAC address and that one still has to be learned somehow, normally using ARP who has mechanism and in order to learn destination MAC ad...
by mkx
Sat May 29, 2021 8:54 pm
Forum: Beginner Basics
Topic: Can't Access Netgear Modem Management hEX S
Replies: 4
Views: 388

Re: Can't Access Netgear Modem Management hEX S

The problem is in subnetting you have: subnet set on netgear overlaps with mikrotik's LAN (10.0.1.0/24 is upper half of 10.0.0.0/23) and that's a problem for both mikrotik and netgear. From the sketch of network layout it's not very clear how mikrotik is actually configured so it's impossible to tel...
by mkx
Sat May 29, 2021 6:03 pm
Forum: General
Topic: Mikroitk Router OS (Trial Version Limits) [SOLVED]
Replies: 3
Views: 422

Re: Mikroitk Router OS (Trial Version Limits) [SOLVED]

You can check about limitations of particular ROS license levels in this document . AFAIK ROS x86 is 32-bit and is thus limited to using 2GB RAM (usual limitation of "straight" 32-bit linux kernel). I don't know about issues with exceeding certain number of PPPoE active sessions. I wouldn'...
by mkx
Sat May 29, 2021 5:52 pm
Forum: Beginner Basics
Topic: Setting up VLAN/Firewall with Mikrotik Router (RB4011)
Replies: 5
Views: 500

Re: Setting up VLAN/Firewall with Mikrotik Router (RB4011)

please no CLI, I have seen that users post the code of the configuration and while I could some portions of it, it is too advanced for my level Just FYI: basic configuration structure (tree if you want) is mostly the same both in GUI (either winbox or webfig) and in CLI. It's much easier and more r...
by mkx
Sat May 29, 2021 5:44 pm
Forum: Announcements
Topic: v6.48.3 [stable] is released!
Replies: 105
Views: 14456

Re: v6.48.3 [stable] is released!

But 30ms really seems to be over the top for this value. Screenshot in post #51 above shows winbox UI displaying "ms" as unit for that field. Nobody said we really wanted to have such a short setting, it was just part of debugging process ... CLI error message implies that setting resoluti...
by mkx
Fri May 28, 2021 10:47 pm
Forum: Wireless Networking
Topic: NV2 Sync
Replies: 7
Views: 1488

Re: NV2 Sync

The NTP server itself doesn't even have to be very accurate, as it is the relative timing between APs that matters. You're right, absolute time is not important. However, clocks on co-located APs should be synchronized to a few ten nanoseconds ... remember, standard duration of guard period in 802....
by mkx
Fri May 28, 2021 3:01 pm
Forum: General
Topic: Tapatalk support lost?
Replies: 4
Views: 510

Re: Tapatalk support lost?

Being tapatalk-ignorant I find current situation very pleasing. In the past sometimes tapatalk plugin aggressively offered me to use tapatalk app and it was really pissing me off.
by mkx
Fri May 28, 2021 2:56 pm
Forum: Beginner Basics
Topic: differences between WAN RX & LAN TX
Replies: 3
Views: 339

Re: differences between WAN RX & LAN TX

There is no help, it's how queues work. Get over it. When ingress throughput exceeds allowed egress throughput, then traffic shaper (queue) buffers some traffic. If ingress traffic rate continues to exceed allowed egress throughput and buffers get full, some packets are dropped. Normal TCP streams a...
by mkx
Fri May 28, 2021 1:16 pm
Forum: Announcements
Topic: v6.48.3 [stable] is released!
Replies: 105
Views: 14456

Re: v6.48.3 [stable] is released!

minor problem ipv6 nd reachable time (this also happen in previous version) Seems to me that it's (esthetic) problem of winbox ... on my 6.47.9 default setting is "unspecified" and if I try to set it to "30ms", I get [admin@router] /ipv6 nd> set 0 reachable-time=30ms Warning: va...
by mkx
Thu May 27, 2021 6:15 pm
Forum: General
Topic: What's wrong with the rb750r2??
Replies: 30
Views: 11998

Re: What's wrong with the rb750r2??

@easycoms: not only that you dug a dead thread (post last before your reply is dated in September 2019 ), you also posted incorrect information. Official product page of RB750r2 states that input voltage range is between 6V and 30V and explicitly defines same range for both power input methods. Volt...
by mkx
Thu May 27, 2021 8:33 am
Forum: General
Topic: any working dhcp - client ipv6 working example?
Replies: 8
Views: 562

Re: any working dhcp - client ipv6 working example?

There is generally no need to use IPv6 DHCP to hand out addresses like with IPv4 DHCP - this can be accomplished with SLAAC. So how do you perform any remote connections to SLAAC-configured clients? There are legitimate reasons to do it. Even if client OS uses the anonymizing mechanisms (selecting ...
by mkx
Wed May 26, 2021 10:14 pm
Forum: Beginner Basics
Topic: Lan ports 10Mbps only, and cannot access the router when tagged port1 switch
Replies: 11
Views: 532

Re: Lan ports 10Mbps only, and cannot access the router when tagged port1 switch

Post configuration export of your RB (execute /export hide-sensitive file=anynameyouwish in terminal window, fetch resulting file, open it with text editor and copy-paste contents inside [ code] [/code] environment). As to trunk config: usage of VLAN ID 1 is highly discouraged. That VID is implicit ...
by mkx
Tue May 25, 2021 10:35 pm
Forum: General
Topic: HEX PoE leds
Replies: 5
Views: 390

Re: HEX PoE leds

Use black adhesive tape (or even "metalized"), that works for all hardware that I tried it on (including my RB2011).
Does it work for the blue LED of RB4011 as well? Or does that one burn through adhesive tape? LOL
by mkx
Tue May 25, 2021 10:30 pm
Forum: Beginner Basics
Topic: Can web [reverse] proxy redirect to different local computers based on host header ?
Replies: 11
Views: 475

Re: Can web [reverse] proxy redirect to different local computers based on host header ?

Redirecting stuff is complicating things and it is visible to user. For example: if server1 replies to both https://host1.example.com/ and https://host2.example.com/, it needs installed certificate which works for both FQDNs. Then if sole function of server1 for requests for https://host2.example.co...
by mkx
Tue May 25, 2021 8:26 pm
Forum: Beginner Basics
Topic: Can web [reverse] proxy redirect to different local computers based on host header ?
Replies: 11
Views: 475

Re: Can web [reverse] proxy redirect to different local computers based on host header ?

instruct the browser to redirect the connection to 2.3.4.5:82. That's against OP's requirement that it should be hidden from clients. Additionally using non-standard ports may break things for some clients (some corporate firewalls are quite restrictive when it comes to uncommon/nonstandard ports)....
by mkx
Tue May 25, 2021 8:18 pm
Forum: Beginner Basics
Topic: Can web [reverse] proxy redirect to different local computers based on host header ?
Replies: 11
Views: 475

Re: Can web [reverse] proxy redirect to different local computers based on host header ?

The 2nd part: install a proper reverse proxy on one of internal servers (e.g. haproxy, nginx or apache) and configure it to forward requests to the rest of servers.
by mkx
Tue May 25, 2021 8:08 pm
Forum: General
Topic: PWR-LINE PRO
Replies: 24
Views: 3695

Re: PWR-LINE PRO

Here's my experience with another vendor's PLC devices but since PLC is same standard for everybody it probably applies to MT gadgets as well:
- they work mostly equally good/bad with or without PE wire
- they operate best if they're on the same circuit (i.e. no fuses either blow or automatic in the way...
by mkx
Tue May 25, 2021 7:47 pm
Forum: RouterOS v7 BETA
Topic: Feature Request : IPv6 Fasttrack
Replies: 17
Views: 1542

Re: Feature Request : IPv6 Fasttrack

+1

IPv6 is among us already for ages, lack of performance in ROS is unbearable.
by mkx
Tue May 25, 2021 7:17 pm
Forum: Beginner Basics
Topic: hAP Lite as switch + AP Client
Replies: 2
Views: 276

Re: hAP Lite as switch + AP Client

The problem you have is that both devices have statically set default gateway (e.g. 192.168.88.1). But that host is not available when your little setup becomes island connected via phone hotspot. If you want to have both machines working without any change, hAP would have to change its own IP addre...
by mkx
Tue May 25, 2021 9:32 am
Forum: Announcements
Topic: Newsletter March 2021 (#99)
Replies: 38
Views: 13368

Re: Newsletter March 2021 (#99)

Product brochure, available for download here , says that two fibre strands are needed (connector type: Dual LC UPC ). Picture implies that as well. Quick look at products list gives only S+2332LC10D to be able to work over single fibre strand. I'm sure there are plenty of compatible 3rd party DFP m...
by mkx
Mon May 24, 2021 8:41 pm
Forum: Beginner Basics
Topic: RB750gr3 vs RB760IGS?
Replies: 4
Views: 405

Re: RB750gr3 vs RB760IGS?

As you deducted yourself, any suggestions of particular router models for particular use cases is highly subjective and one has to verify how they compare to facts.

BTW, number of clients/hosts doesn't have much to do with router performance.
by mkx
Mon May 24, 2021 4:07 pm
Forum: Wireless Networking
Topic: CAP - change settings after initial config
Replies: 4
Views: 444

Re: CAP - change settings after initial config

@anav, is it a QuickSet option? No, I didn't think so either. ;-) But then I guess your setup is what @OP wanted, but couldn't describe his requirements ... in plain words (as you like to put it). I guess we should make MT devs to add a "plain AP" mode to the list of QuickSet configurations.
by mkx
Mon May 24, 2021 4:04 pm
Forum: RouterBOARD hardware
Topic: Add +1 here if you liked "white brick" mikrotik design
Replies: 10
Views: 664

Re: Add +1 here if you liked "white brick" mikrotik design

+1

Boxy cases can stack quite ideally. The "fancy" rounded gadgets not so much.

And I'd add another plea/request: devices which come with (optional) rack-mounting ears should be 1U high natively (no more RB4011 ugliness).
by mkx
Mon May 24, 2021 3:59 pm
Forum: General
Topic: reboot command to network device from RB [SOLVED]
Replies: 6
Views: 548

Re: reboot command to network device from RB [SOLVED]

For me it works like this: one only needs 2 key files as created in linux running command
ssh-keygen -m PEM -f forMT
Append contents of .pub file to file authorized_keys on your RPI, e.g.
cat forMT.pub >>/root/.ssh/authorized_keys
Then copy both forMT* files over to mikrotik. In ROS and import them ...
by mkx
Mon May 24, 2021 1:22 pm
Forum: Wireless Networking
Topic: hAP ac lite unable to see mobile 5GHz hotspot
Replies: 2
Views: 289

Re: hAP ac lite unable to see mobile 5GHz hotspot

Check which channel your mobile hotspot is using (by scanning from device that does see it) and whether country setting on hAP ac lite might prevent using that channel ...
by mkx
Mon May 24, 2021 1:18 pm
Forum: General
Topic: Bandwidth issues with WireGuard and 7.1beta6
Replies: 9
Views: 581

Re: Bandwidth issues with WireGuard and 7.1beta6

The TCP window settings on both client and server still apply even if WG is run over UDP (which explains why UDP tests can saturate link). Not sure how that's affected by WG properties. But then Tx drops indicate that WG link is not perfect and that will definitely affect performance of TCP connecti...
by mkx
Mon May 24, 2021 1:11 pm
Forum: Beginner Basics
Topic: Mikrotik reset button is broken
Replies: 10
Views: 739

Re: Mikrotik reset button is broken

Perhaps not the issue, but do try to use different power adapter. PAs age and can become marginal after a while. In such cases electronic devices might enter a boot loop (because PA is not capable of delivering power needed for normal operation) or become unstable (experiencing random reboots when P...
by mkx
Mon May 24, 2021 12:47 pm
Forum: RouterBOARD hardware
Topic: DISC Lite5 ac PtP NV2 Hickups and generally disapointing performance
Replies: 19
Views: 8194

Re: DISC Lite5 ac PtP NV2 Hickups and generally disapointing performance

(more or less proportional to more or less third power of distance) I thought the received power reduces with the second power of the distance ... (sorry for some RF basics, but I want description to become more clear also to those less RF-experienced. I guess I'll fail due to being non-native Engl...
by mkx
Mon May 24, 2021 12:17 pm
Forum: Wireless Networking
Topic: CAP - change settings after initial config
Replies: 4
Views: 444

Re: CAP - change settings after initial config

WISP mode means that cAP can only be administered over WAN link ... because in this mode device is considered as ISP's border device. It's been long time since I used QuickSet, but I'd say HomeAP is the mode you want. Just a warning: if you switch over to normal webfig/winbox (as opposed to QuickSet...
by mkx
Mon May 24, 2021 12:11 pm
Forum: General
Topic: Bandwidth issues with WireGuard and 7.1beta6
Replies: 9
Views: 581

Re: Bandwidth issues with WireGuard and 7.1beta6

Just a general observation: TCP doesn't work great with large delays out-of-the-box. That's where TCP windows comes into play and with 40ms delay, TCP window size should be larger than around 5 MB to be able to reach 1Gbps throughput. Default window size of 64kB is only enough for around 13Mbps with...
by mkx
Mon May 24, 2021 11:45 am
Forum: Beginner Basics
Topic: PPPOE slow upload only
Replies: 5
Views: 600

Re: PPPOE slow upload only

First a warning: your firewall is non existing and thus your router is most probably very much exposed to attacks from internet. The sole "chain=input action=drop" doesn't guarantee anything. One thing missing from your firewall rules is enabling fasttrack, which normally helps with firewa...
by mkx
Sun May 23, 2021 12:50 pm
Forum: General
Topic: missing basic router protocols
Replies: 10
Views: 499

Re: missing basic router protocols

Mikrotiks that come with default firewall settings (your RB951 included) don't allow connections from WAN directly to LAN IP addresses and that's for good reason (namely security). Even more, for IPv4 whole LAN is hidden behind router's WAN IP address, router performs NAT ... Before allowing connecti...
by mkx
Sat May 22, 2021 5:57 pm
Forum: General
Topic: CRS326-24S+2Q+RM and FAN
Replies: 4
Views: 606

Re: CRS326-24S+2Q+RM and FAN

I can't say anything about design decisions by MT. But IMHO fibre connections should be used for anything faster than 1Gbps. If not for other things, UTP cables fit for speeds 2.5Gbps and higher are quite bulky compared to anything else. And power consumption per connection is considerably lower wi...
by mkx
Fri May 21, 2021 10:41 pm
Forum: General
Topic: CRS326-24S+2Q+RM and FAN
Replies: 4
Views: 606

Re: CRS326-24S+2Q+RM and FAN

Screen shot shows SFP temperature to be at "modest" 68 °C. Without fans spinning as if pushing jet plane during takeoff SFP temperature would be nearer 90 °C. The S+RJ10s modules produce a lot of heat and that's officially a big problem.
by mkx
Fri May 21, 2021 10:34 pm
Forum: General
Topic: Winbox for linux
Replies: 15
Views: 751

Re: Winbox for linux

You're free to run whatever you want on your boxes and if you find running winbox inside snap environment a simple and effective way, then great for you. Personally I try to avoid installing some 3rd party wrapper environment if running same stuff without that environment provides same (or even bett...
by mkx
Fri May 21, 2021 4:41 pm
Forum: General
Topic: Could my NAT rules be better?
Replies: 3
Views: 337

Re: Could my NAT rules be better?

I don't see how the first 3 rules (src-nat masquerade for internet-bound traffic) are different from each other, but likely one would suffice. And no need to explicitly set to-ports on dst-nat rule, that is only necessary if translated port (property dst-port) is different than target port (propert...
by mkx
Fri May 21, 2021 4:32 pm
Forum: General
Topic: Winbox for linux
Replies: 15
Views: 751

Re: Winbox for linux

I guess what @rextended wanted to say is: how hard is it to install wine from your favourite source (e.g. linux distro repositories) and then download winbox directly from mikrotik and simply run it? winbox is pretty simple application, doesn't need any installation procedure, simply execute " ...
by mkx
Fri May 21, 2021 4:20 pm
Forum: General
Topic: 3011 and 4011 port flapping
Replies: 3
Views: 360

Re: 3011 and 4011 port flapping

Guys, please keep talking in English. We the rest don't want to miss the party.

POE 24V 1A on ETH1 as secondary power.
And what is primary power? Power adapter connected to barrel-connector? What voltage?

And what is connected to eth10?
by mkx
Fri May 21, 2021 4:07 pm
Forum: General
Topic: reboot command to network device from RB [SOLVED]
Replies: 6
Views: 548

Re: reboot command to network device from RB [SOLVED]

It is possible to ssh from ROS device to remote host and execute a command there. It is possible to use key authentication (instead of password) and it is possible to do that from within a ROS script.
by mkx
Fri May 21, 2021 12:04 pm
Forum: SwOS
Topic: Issues with creating VLAN's
Replies: 2
Views: 528

Re: Issues with creating VLAN's

I'm not using SwOS, but "port isolation" sounds like it might interfere with traffic between ports.
by mkx
Fri May 21, 2021 12:15 am
Forum: General
Topic: Router OS higher than Long Term Release!
Replies: 14
Views: 626

Re: Router OS higher than Long Term Release!

Wait for a few weeks and some ROS/firmware version higher than your factory version will become long term.
by mkx
Thu May 20, 2021 4:22 pm
Forum: Beginner Basics
Topic: PPPOE slow upload only
Replies: 5
Views: 600

Re: PPPOE slow upload only

I can upload the configuration file

Without seeing configuration file we can't tell what might be the problem.
by mkx
Fri May 14, 2021 11:11 am
Forum: General
Topic: Bonding Technology
Replies: 3
Views: 500

Re: Bonding Technology

This is user forum, not support portal. So sometimes it takes some time (even few days) until some user with knowledge and experience about particular problem stumbles upon a post.
by mkx
Thu May 13, 2021 3:09 pm
Forum: Beginner Basics
Topic: Routing between two networks [SOLVED]
Replies: 3
Views: 624

Re: Routing between two networks [SOLVED]

Add LAN2 IP address to ether5. And add src-nat rule for traffic exiting via ether5:
/ip firewall nat add chain=srcnat action=src-nat to-addresses=<LAN2 IP address of MT device> out-interface=ether5
This way hikvision gear will see all connections as if coming from router (with LAN2 address inside the...
by mkx
Thu May 13, 2021 2:54 pm
Forum: Beginner Basics
Topic: Making use of /31 public IP addresses assigned via PPPoE [SOLVED]
Replies: 1
Views: 527

Re: Making use of /31 public IP addresses assigned via PPPoE [SOLVED]

The big problem is on the other machine. Let's say you get (public) IP addresses 10.20.30.40 and 10.20.30.41 and you use 10.20.30.40 for router's own WAN address (bound to pppoe-out1 interface). If you configure another box with 10.20.30.41/32 ... you need to tell it which IP address has its upstrea...
by mkx
Thu May 13, 2021 2:39 pm
Forum: Beginner Basics
Topic: Firewall drop everything rule vs rules for not nat and internet [SOLVED]
Replies: 2
Views: 432

Re: Firewall drop everything rule vs rules for not nat and internet [SOLVED]

@lnulzer: what you have is inherently more safe. The code in first block (as you write it's from some MT documentation) uses multiple drop rules and when using such rules it's only too easy to forget to drop something and omission to drop something is very hard to notice ... until after it's too lat...
by mkx
Thu May 13, 2021 2:30 pm
Forum: Beginner Basics
Topic: Two SIMS in one modem.
Replies: 5
Views: 688

Re: Two SIMS in one modem.

As @CZFan already wrote: only one SIM card can be in use by LTE modem at a time. Purpose of having two (or more) SIM cards is to change active SIM card by simple configuration change. If one wants to double the bandwidth, another modem is needed. Then some advanced configuration to enable load-shari...
by mkx
Thu May 13, 2021 2:25 pm
Forum: RouterOS v7 BETA
Topic: v7 launch date
Replies: 32
Views: 2851

Re: v7 launch date

Shift from an heavy customized kernel 3.3.5 to a new heavy customized kernel 5.6.3 Hopefully less heavy customized kernel. As the rumours go, wireless drivers in v6 were all in-house development. Seems like MT is going to use stock (wireless chip vendors') drivers at least for wave2-capable wireles...
by mkx
Thu May 13, 2021 8:44 am
Forum: Beginner Basics
Topic: vlan'ing home lab network [SOLVED]
Replies: 4
Views: 672

Re: vlan'ing home lab network [SOLVED]

Don't set PVID on bridge:
/interface bridge add fast-forward=no name=vlan-bridge pvid=30 vlan-filtering=yes
You're using said bridge as tagged further down the config and PVID setting messes that. BTW, you don't use vlan-bridge as interface (other than underlying interface for VLAN interfaces) and he...
by mkx
Thu May 13, 2021 8:39 am
Forum: Beginner Basics
Topic: Buying - RB1100AHx4 Dude Edition - Questions about Firewall
Replies: 22
Views: 1507

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

I think we're rather having fun with our favourite on-line translating tools.
by mkx
Thu May 13, 2021 8:32 am
Forum: RouterOS v7 BETA
Topic: v7 launch date
Replies: 32
Views: 2851

Re: v7 launch date

There are two things that are not great with ROSv7: stability and functionality which is already available in v6. This is the important one and should definitely be worked on first to roll out v7 (sort of a stable release). It will form a good base for further development which was increasingly trou...
by mkx
Tue May 11, 2021 11:36 pm
Forum: Beginner Basics
Topic: Forward SSH from static IP to internal network [SOLVED]
Replies: 10
Views: 937

Re: Forward SSH from static IP to internal network [SOLVED]

@vds, I'd like to draw your attention to what @anav already asked: are you actually trying to connect from WAN side of your router? Because your current config won't do for connecting to public address from LAN side of your router.
by mkx
Tue May 11, 2021 11:31 pm
Forum: General
Topic: Understanding firmware version vs router OS version
Replies: 5
Views: 444

Re: Understanding firmware version vs router OS version

Mostly yes. Except: firmware comes with ROS and bears same version number (firmware seldomly changes, hence different version numbers don't necessarily mean different firmware). After you upgrade (or downgrade) ROS, you'll see "Upgrade Firmware" different from "Current Firmware" ...
by mkx
Tue May 11, 2021 9:56 pm
Forum: Beginner Basics
Topic: Buying - RB1100AHx4 Dude Edition - Questions about Firewall
Replies: 22
Views: 1507

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

You meant to write "Normis ir ģēnijs"?
by mkx
Tue May 11, 2021 6:46 pm
Forum: Beginner Basics
Topic: Buying - RB1100AHx4 Dude Edition - Questions about Firewall
Replies: 22
Views: 1507

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

No kidding, one can actually click on icon? Whoever came up with that great idea must be a genius ;-)
by mkx
Tue May 11, 2021 5:17 pm
Forum: Beginner Basics
Topic: Too many address in /ip dns static
Replies: 5
Views: 576

Re: Too many address in /ip dns static

Default configuration has no static DNS entries. So you'll have to find out how these landed on your mikrotik to decide whether it's OK to delete them or not.
by mkx
Tue May 11, 2021 5:09 pm
Forum: RouterBOARD hardware
Topic: PWR-LINE PRO Speed
Replies: 1
Views: 503

Re: PWR-LINE PRO Speed

Pwr-line devices are much like wifi: they have theoretical maximum speed which is almost never achievable. Actual speed depends very much on actual electrical wiring, fuse type and placement, star alignment, etc. My (limited) experience says your actual result (60 Mbps) is not that bad.
by mkx
Tue May 11, 2021 4:55 pm
Forum: Beginner Basics
Topic: Buying - RB1100AHx4 Dude Edition - Questions about Firewall
Replies: 22
Views: 1507

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

@mkx can you send me an email please.
where to? ;-)
by mkx
Tue May 11, 2021 4:52 pm
Forum: Beginner Basics
Topic: How to disable firewall completely
Replies: 11
Views: 870

Re: How to disable firewall completely

No just one. I am trying to split my single IP, home internet connection into two segments immediately after the modem. In case you only have single WAN IP address, your device will have to perform NAT and port forwarding for both segments. In ROS NAT is actually function of firewall so you won't g...
by mkx
Mon May 10, 2021 11:17 pm
Forum: Beginner Basics
Topic: Buying - RB1100AHx4 Dude Edition - Questions about Firewall
Replies: 22
Views: 1507

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

What would be the SOHO line of routers in your opinion?

All devices apart from: CHR, CRS line, CCR line, RB1100 line and possibly RB3011 (not sure about this one).

I'm not talking about SwOS devices here.
by mkx
Mon May 10, 2021 11:13 pm
Forum: Beginner Basics
Topic: Differences between RB with multiple switch chips [SOLVED]
Replies: 3
Views: 489

Re: Differences between RB with multiple switch chips [SOLVED]

Switch chip vlan filtering is obviously limited to single chip. Inter-chip communication passes CPU where one can use bridge (in its non-vlan configuration) to merge multiple ports. However, making configuration on both switch chips consistent is router admin's responsibility, ROS doesn't enforce i...
by mkx
Mon May 10, 2021 7:50 pm
Forum: Wireless Networking
Topic: Caps-man with vlans and cAP with vlans on switch chip problem
Replies: 8
Views: 737

Re: Caps-man with vlans and cAP with vlans on switch chip problem

Which interface did you remove, the mgmt_int_vlan4? Not sure what's your current config, but that interface should probably stay there. In case when you configure VLAN stuff on switch chip you should not enable vlan filtering on bridge and hence you can not set up management IP address directly on b...
by mkx
Mon May 10, 2021 7:39 pm
Forum: General
Topic: MAC based vlan and guests
Replies: 4
Views: 326

Re: MAC based vlan and guests

Assuming clients are using untagged frames (or else MAC-based VLANs would not work anyway), they can bi-directionally directly communicate only inside single VLAN ... switch has to tag frames on ingress and mostly doesn't perform any frame analysis apart from frame headers. Which means it doesn't ha...
by mkx
Mon May 10, 2021 7:23 pm
Forum: Beginner Basics
Topic: Buying - RB1100AHx4 Dude Edition - Questions about Firewall
Replies: 22
Views: 1507

Re: Buying - RB1100AHx4 Dude Edition - Questions about Firewall

Best thing is to accept the default firewalls as they work out of the box quite safely. SOHO-line of Mikrotik routers comes with very decent default firewall rule set. RB1100AHx4, however, is not from that line and comes with pretty plain defaults, hence it's wise to get some decent starting settti...
by mkx
Mon May 10, 2021 7:13 pm
Forum: Beginner Basics
Topic: How to disable firewall completely
Replies: 11
Views: 870

Re: How to disable firewall completely

I just bought the MikroTIK HEX S and would like to split my internet connection into 2 segments with NO FIREWALL on either since I have a firewall on
my trusted LAN that I want to use instead.

So essentially you need an ethernet switch.
by mkx
Mon May 10, 2021 4:34 pm
Forum: Beginner Basics
Topic: Routing between Bridges (?)
Replies: 2
Views: 410

Re: Routing between Bridges (?)

Either using single bridge as per suggestion by @anav or using two bridges, the issue is the same. What you have to keep in mind is the following: bridge and VLAN are L2 entities. Subnets belonging to different L2 entities can not communicate without aid of L3 entity, which is router. Router is cha...
by mkx
Sun May 09, 2021 5:51 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta5 [development] is released!
Replies: 293
Views: 44893

Re: v7.1beta5 [development] is released!

Are you an immigrant?

No, not AFAIK. But in the troll mode (again after some quiet time LOL).
by mkx
Sun May 09, 2021 3:31 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta5 [development] is released!
Replies: 293
Views: 44893

Re: v7.1beta5 [development] is released!

@anav, I'm still waiting for you to buy a couple of EAP6xxs and throw your existing EAP245s ... just throw them in azimuth around 58° real hard. Aim for my hand.
by mkx
Sun May 09, 2021 12:36 pm
Forum: General
Topic: Bonding Technology
Replies: 3
Views: 500

Re: Bonding Technology

See my answer in your other thread. No need to create multiple threads with essentially same question.
by mkx
Sun May 09, 2021 12:32 pm
Forum: RouterBOARD hardware
Topic: LtAP LTE6
Replies: 3
Views: 733

Re: LtAP LTE6

In short: no. Bonding means two or more physical links are configured to form single logical link, but that has to be done on both ends. Usually ISPs don't offer bonding ... If using two physical links without possibility to configure them into bond it is possible to configure load sharing, but conf...
by mkx
Sat May 08, 2021 5:29 pm
Forum: General
Topic: rb4011 vlan filtering and dhcp issues [SOLVED]
Replies: 8
Views: 832

Re: rb4011 vlan filtering and dhcp issues [SOLVED]

However why are your WAN connections on Vlans? The only reason to do that is if the ISP provider sends the data to you on a VLAN. No, it's not the only reason. One can connect ISP's border device (router, media converter, ...) to access port of some switch and use VLAN to carry it to router. No nee...
by mkx
Sat May 08, 2021 5:25 pm
Forum: General
Topic: Mesh for 2g and 5g Wifi on same LAN with 3 hAP ac3 [SOLVED]
Replies: 3
Views: 508

Re: Mesh for 2g and 5g Wifi on same LAN with 3 hAP ac3 [SOLVED]

For clients I tested this, two AP's same frequency, same ssid and client connects to one that has stronger signal, but I didn't think it could be simple like that just to bridge it. For roaming, adjacent APs don't need to be on the same frequency. When wireless client decides to change AP, it'll sc...
by mkx
Sat May 08, 2021 2:01 pm
Forum: General
Topic: Mesh for 2g and 5g Wifi on same LAN with 3 hAP ac3 [SOLVED]
Replies: 3
Views: 508

Re: Mesh for 2g and 5g Wifi on same LAN with 3 hAP ac3 [SOLVED]

Your setup is not mesh, mesh is when APs use same radio for both offering service to clients and for backhauling (connecting towards upstream). In your case it's simple: configure all APs with identical wireless security profiles and same SSIDs. And configure them to simply bridge wireless with wire...
by mkx
Sat May 08, 2021 1:57 pm
Forum: General
Topic: WeBfig as default page in the management page [SOLVED]
Replies: 3
Views: 482

Re: WeBfig as default page in the management page [SOLVED]

It does for me ... I don't think I had to do anything about that so I don't know what made devices to stick with webfig.
by mkx
Sat May 08, 2021 1:50 pm
Forum: General
Topic: Very high sector writes
Replies: 43
Views: 6047

Re: Very high sector writes

My hAP ac2 collected 5.5M sector writes so far, bad blocks is still at 0.0%. This device is my main home router. My RB951G collected 96k sector writes in 12 weeks, 16.3M in total, bad blocks are at 0.5% since long time ago (pretty sure predates the massive sector write feature). This device is used ...
by mkx
Sat May 08, 2021 1:22 pm
Forum: Beginner Basics
Topic: do you let 1U between routers and switches? [SOLVED]
Replies: 7
Views: 1131

Re: do you let 1U between routers and switches? [SOLVED]

With passive cooled devices the main problem with setup in your photograph is adjacent placement of S-RJ modules. Specially the 10Gbps modules (1G modules as well but to slightly lesser extent) produce quite a lot of heat and passively cooled devices can not deal with it efficiently. MT published re...
by mkx
Sat May 08, 2021 12:04 pm
Forum: Beginner Basics
Topic: Product advice for a SOHO
Replies: 19
Views: 1183

Re: Product advice for a SOHO

Not really sure about what benefits comes with the extra M.2 storage and how it helps The Dude, The Dude needs some storage to deal with statistical data from controlled/monitored devices. While every ROS device comes with some permanent storage that storage comes with one or two problems: As with ...
by mkx
Sat May 08, 2021 10:33 am
Forum: General
Topic: Mikrotik Audience vlan filtering and dhcp issues [SOLVED]
Replies: 6
Views: 540

Re: Mikrotik Audience vlan filtering and dhcp issues [SOLVED]

When you configure a wireless interface with a VLAN ID in the wireless settings, the tag is added by the wireless interface itself. In other words, by setting vlan-id in a wireless interface settings, you are making that wireless interface a trunk port instead of an access port. So if this is on yo...
by mkx
Sat May 08, 2021 10:24 am
Forum: General
Topic: Very high sector writes
Replies: 43
Views: 6047

Re: Very high sector writes

My hAP ac2 recorded 1.5M sector writes since boot ... which was 90 days ago, so it's averaging more than 15k sector writes per day.
by mkx
Sat May 08, 2021 10:14 am
Forum: Beginner Basics
Topic: Read Everything, Followed Guides - Still Does Not Work (IPTV + IGMP Proxy + Firewall)
Replies: 4
Views: 607

Re: Read Everything, Followed Guides - Still Does Not Work (IPTV + IGMP Proxy + Firewall)

While config by @vuli works, it's not the recommended way of doing it ... one should be using single bridge with properly configured VLANs.

Nevertheless, either mention your ISP so that some fellow victim of same ISP shares working setup or explain your use case more in depth.
by mkx
Sat May 08, 2021 10:10 am
Forum: Beginner Basics
Topic: do you let 1U between routers and switches? [SOLVED]
Replies: 7
Views: 1131

Re: do you let 1U between routers and switches? [SOLVED]

You need 1U cable organizer for every switch/router .. which solves your problem as well.
by mkx
Fri May 07, 2021 10:30 pm
Forum: Beginner Basics
Topic: IPv6 behind CRS326 [SOLVED]
Replies: 2
Views: 684

Re: IPv6 behind CRS326 [SOLVED]

IGMP snooping and IPv6 don't go well together on Mikrotik ...
by mkx
Fri May 07, 2021 6:20 pm
Forum: General
Topic: Decrease in software quality from mikrotik?
Replies: 16
Views: 1526

Re: Decrease in software quality from mikrotik?

WiFi OTOH is technical problem and technically it would be fairly easy to use 6GHz band instead of 5.5GHz. Unfortunately 6GHz is assigned to licensed fixed point-to-point networks here (in Europe). Exactly ... so when regulators are in doubt from whom to take, decision is easy: from the one who pay...
by mkx
Fri May 07, 2021 6:13 pm
Forum: General
Topic: rb4011 vlan filtering and dhcp issues [SOLVED]
Replies: 8
Views: 832

Re: rb4011 vlan filtering and dhcp issues [SOLVED]

VLANs on bridge are not exactly trivial and tutorial, linked by @erlinden, is truly a great resource. Read it, understand it, and you'll get it done. If not, post exact configuration (less vlan-filtering) and we'll check where's the problem.
by mkx
Fri May 07, 2021 3:17 pm
Forum: General
Topic: Decrease in software quality from mikrotik?
Replies: 16
Views: 1526

Re: Decrease in software quality from mikrotik?

As you wrote, the damage has already been done and the only thing remaining is damage control. Weather radars have been using their frequencies for decades and constraint is physics (reflection off water droplets) so it can't be changed (unlike air traffic radars). WiFi OTOH is technical problem and...
by mkx
Fri May 07, 2021 2:07 pm
Forum: General
Topic: Decrease in software quality from mikrotik?
Replies: 16
Views: 1526

Re: Decrease in software quality from mikrotik?

As many of you could guess, the influence is not one-way (radars affecting wifi APs), stray wifi APs affect weather radar measurements as well. A weather radar image, showing the scale of the problem: https://www.mkx.si/radar-wifi.png Image shows measurements of otherwise "benign" atmosphe...
by mkx
Fri May 07, 2021 1:35 pm
Forum: General
Topic: Decrease in software quality from mikrotik?
Replies: 16
Views: 1526

Re: Decrease in software quality from mikrotik?

Another issue is that we receive RADAR all over the band at an access point placed at 220m height in a radio transmitter tower, located about 20km from a weather radar. It does not matter what channel is used, DFS detects radar everywhere. Likely a case of saturation of the receiver as well. Weathe...
by mkx
Fri May 07, 2021 1:23 pm
Forum: SwOS
Topic: LAGG with pfsense Setup
Replies: 5
Views: 1549

Re: LAGG with pfsense Setup

Well, the setup you outlined in your original post will work ... but as I described, certain connections will be capped at 1Gbps. If there are many connections, their cumulative throughput will likely hit the cap your ISP is (or will be) provisioning to you.
by mkx
Fri May 07, 2021 1:19 pm
Forum: RouterBOARD hardware
Topic: hAP AC PoE-Out Limits?
Replies: 3
Views: 597

Re: hAP AC PoE-Out Limits?

What kind of PoE splitter is it? All MT devices will output same voltage as they are powered with ... which is, as per your diagram, 48V. If PoE splitter is not active device (e.g. reducing voltage to 12V), fiber converter is getting 48V on its power input.
by mkx
Fri May 07, 2021 12:47 pm
Forum: RouterBOARD hardware
Topic: CRS326-24G-2S+, hybrid ports, ipv6 problem/bug
Replies: 2
Views: 630

Re: CRS326-24G-2S+, hybrid ports, ipv6 problem/bug

One possible explanation: ND and SLAAC are broadcast by router. Which means switch will push them through all active ports carrying appropriate VLAN (tagged or untagged). Which is fine. But then there are OSes with NIC drivers, which silently strip off VLAN tags (in particular Windows OS with many N...
by mkx
Fri May 07, 2021 12:37 pm
Forum: Wireless Networking
Topic: Caps-man with vlans and cAP with vlans on switch chip problem
Replies: 8
Views: 737

Re: Caps-man with vlans and cAP with vlans on switch chip problem

@mkx I set an interface in /interface bridge on the cAPs in vlan4 to have an ip assigned there for management purposes to be accessed on vlan4. For this lab, it was convenient to have an ip in vlan 4 on all equipment. There are two (very distinct) places for VLAN to be configured: /interface bridge...
by mkx
Fri May 07, 2021 11:47 am
Forum: General
Topic: Decrease in software quality from mikrotik?
Replies: 16
Views: 1526

Re: Decrease in software quality from mikrotik?

(I often see that it only sees RADAR during business hours not during weekends, so it clearly is caused by users) I guess that's caused by Rx pre-amplifier not being able to lower gain enough ... which in turn saturates actual receiver causing all sorts of distortions. Those then can translate into...
by mkx
Fri May 07, 2021 11:28 am
Forum: Beginner Basics
Topic: How to forward VLAN as a switch on routerboard? Looking to solve IPTV
Replies: 1
Views: 378

Re: How to forward VLAN as a switch on routerboard? Looking to solve IPTV

Depends on how exactly your ISP delivers services. But let's assume it's like this: you get PPPoE untagged and IPTV tagged with VLAN ID 1000. Both services are passed over same physical connection. Now you have to create something that will pass VLAN ID 1000 to port where you have IPTV clients. Ideal...
by mkx
Fri May 07, 2021 12:20 am
Forum: General
Topic: Decrease in software quality from mikrotik?
Replies: 16
Views: 1526

Re: Decrease in software quality from mikrotik?

Apparently the regulators and manufacturers don't understand that making the system unworkable will only result in users running ancient software or enable hidden workarounds to disable DFS. Apparently regulators did not understand the reason for having certain frequencies reserved for special purp...
by mkx
Fri May 07, 2021 12:14 am
Forum: General
Topic: Very high sector writes
Replies: 43
Views: 6047

Re: Very high sector writes

What I'm saying is that I also see enormous number of sector writes, but my devices all have the separate ntp package installed. AFAIK separate ntp package provides different ntp client than system package. So if it's ntp client that causes high sector writes, it's ntp client from separate package d...
by mkx
Thu May 06, 2021 10:39 am
Forum: Wireless Networking
Topic: Caps-man with vlans and cAP with vlans on switch chip problem
Replies: 8
Views: 737

Re: Caps-man with vlans and cAP with vlans on switch chip problem

In addition to what @mducharme wrote ... get rid of any VLAN setting in /interface bridge and sub-tree. VLANs should only be configured in one place, either on bridge or on switch chip. Settings on bridge currently don't have any impact because you don't have vlan-filtering=yes set on bridge, but if...
by mkx
Thu May 06, 2021 10:16 am
Forum: Beginner Basics
Topic: Managing /29 network
Replies: 8
Views: 890

Re: Managing /29 network

Regardless the way you're going to solve the problem (solutions by @Hominidae and by @rextended) you should take care to have firewall up&running. If you're not entirely sure that device's own firewall is OK you can use firewall on RB. But you'll have to enable use-ip-firewall=yes on relevant b...
by mkx
Wed May 05, 2021 11:02 pm
Forum: SwOS
Topic: LAGG with pfsense Setup
Replies: 5
Views: 1549

Re: LAGG with pfsense Setup

Switch between pfsense and cable modem will always see only 2 MAC addresses (1 of cable modem and very probably only 1 of pfsense - linux bonding always uses MAC address of first active bond member as bond MAC - for all bond members, I'm not sure about other implementations but they are probably the...
by mkx
Wed May 05, 2021 7:27 pm
Forum: SwOS
Topic: LAGG with pfsense Setup
Replies: 5
Views: 1549

Re: LAGG with pfsense Setup

Something in that line. There's just a gotcha with LAG in general (and MT can't be any different): all packets belonging to single connection will pass same bond member, hence single connection throughput is limited to speed of bond member (in your case 1Gbps). Same may apply to multiple connections...
by mkx
Wed May 05, 2021 6:23 pm
Forum: Beginner Basics
Topic: NAT from inside the LAN
Replies: 9
Views: 889

Re: NAT from inside the LAN

Some wireless clients (mobile phones specifically, others might as well) perform "mini sleeps" of wifi module to save power. During sleeps AP has to buffer frames until client wakes up and accepts packets. The same behaviour affects broadcasts as well, mikrotik by default just sends broadc...
by mkx
Tue May 04, 2021 10:54 pm
Forum: RouterOS v7 BETA
Topic: Warning: cpu not running at default frequency [SOLVED]
Replies: 4
Views: 2100

Re: Warning: cpu not running at default frequency [SOLVED]

RBM11G product page specifies default frequency to be 880MHz. If your unit is not set to this frequency, set it and the warning should go away (after a reboot).
by mkx
Tue May 04, 2021 9:26 pm
Forum: Beginner Basics
Topic: NAT from inside the LAN
Replies: 9
Views: 889

Re: NAT from inside the LAN

So one of PCs is wireless client. I'd say you should check wireless: is there much of interference (other APs nearby), is the connection with decent signal strength, etc.
by mkx
Tue May 04, 2021 7:34 pm
Forum: Beginner Basics
Topic: Turning my router into the WAN itself. [SOLVED]
Replies: 4
Views: 728

Re: Turning my router into the WAN itself. [SOLVED]

If setup of SXT is pretty much default, then the following should work: use winbox and mac connection. Before removing ether1 from bridge add ether1 to interface list called LAN.
by mkx
Tue May 04, 2021 3:02 pm
Forum: Wireless Networking
Topic: Tree's obstructing CPE LOS to AP ~ bandwidth!
Replies: 19
Views: 1695

Re: Tree's obstructing CPE LOS to AP ~ bandwidth!

Or thoroughly apply the German solution.
by mkx
Tue May 04, 2021 2:56 pm
Forum: Wireless Networking
Topic: Vlan hopping check and mitigation !
Replies: 5
Views: 532

Re: Vlan hopping check and mitigation !

These settings improve security. E.g. if port doesn't have ingress-filtering=yes set and tagged frames are allowed on ingress, attacker could inject packets into arbitrary VLAN (also into VLANs which have nothing to do with this particular port). It's one way again (replies are not delivered), but i...
by mkx
Tue May 04, 2021 2:49 pm
Forum: General
Topic: Very high sector writes
Replies: 43
Views: 6047

Re: Very high sector writes

If this indeed has anything to do with SNTP client, then it's NTP client from stand-alone ntp package guilty as well.
by mkx
Tue May 04, 2021 2:34 pm
Forum: Beginner Basics
Topic: Turning my router into the WAN itself. [SOLVED]
Replies: 4
Views: 728

Re: Turning my router into the WAN itself. [SOLVED]

Something similar is topic of this post. Does it help?

Just be sure to use VLAN IDs in range between 2 and 4000 (inclusive) ... stay away from VID 1 (using it is a recipe for troubles).
by mkx
Tue May 04, 2021 2:22 pm
Forum: Beginner Basics
Topic: NAT from inside the LAN
Replies: 9
Views: 889

Re: NAT from inside the LAN

Local traffic between 192.168.64.65 and 192.168.64.64 should go directly without going via router unless there's some weird configuration on either of hosts involved. Hard to tell without seeing actual network configuration of both. Your example would indicate misconfiguration on 192.168.64.65 becau...
by mkx
Tue May 04, 2021 2:16 pm
Forum: Beginner Basics
Topic: Simple queue does not work...
Replies: 11
Views: 781

Re: Simple queue does not work...

Could be that indeed IP firewall has to be involved for queuing to work. It is not very common to have traffic shaping enabled between bridged/switched ports.
by mkx
Tue May 04, 2021 11:31 am
Forum: Beginner Basics
Topic: Combine more Vlan's traffice to one acces port
Replies: 3
Views: 464

Re: Combine more Vlan's traffice to one acces port

As I wrote: it's simple to untag multiple VLANs on a single port. E.g. if there are 3 VLANs with multicast streams with VLAN IDs 100, 200 and 300 ... and you have fourth VLAN for other IP communication of said device (e.g. management) with ID 999, then you would configure a bridge like this: /interf...
by mkx
Mon May 03, 2021 11:43 pm
Forum: General
Topic: Bandwidth test from Mikrotik to client
Replies: 1
Views: 304

Re: Bandwidth test from Mikrotik to client

There's bandwidth test, comes as standard function in ROS and Windows counterpart is available for download. Beware, however, that running bandwidth test software on router is generally not a good idea. Test is pretty CPU intensive and router's CPU is often the bottleneck. Better approach is to ru...
by mkx
Mon May 03, 2021 10:22 pm
Forum: Beginner Basics
Topic: NAT from inside the LAN
Replies: 9
Views: 889

Re: NAT from inside the LAN

You need hairpin NAT
by mkx
Mon May 03, 2021 6:59 pm
Forum: Beginner Basics
Topic: Simple queue does not work...
Replies: 11
Views: 781

Re: Simple queue does not work...

ether 1, 2 and 3 are bridged as WAN, ether1 connects to internet, ether 2 and 3 to two Dell PowerEdge systems. For queues to work, traffic has to be handled by ROS in software. Which means it should not be HW offloaded. Every ROS device having a switch chip (RB750G has one) can HW offload one bridg...
by mkx
Mon May 03, 2021 6:43 pm
Forum: Beginner Basics
Topic: Combine more Vlan's traffice to one acces port
Replies: 3
Views: 464

Re: Combine more Vlan's traffice to one acces port

Any of RouterOS devices can untag multiple VLANs on single ethernet port. The problem you might encounter is this: usually multicast clients have to subscribe to streams and that has to be done through correct VLAN. It is only possible to tag for single VLAN on ingress, hence multicast client will o...
by mkx
Mon May 03, 2021 4:03 pm
Forum: General
Topic: IPv6 ICMP ok but no TCP traffic
Replies: 20
Views: 961

Re: IPv6 ICMP ok but no TCP traffic

/ipv6 dhcp-client add add-default-route=yes comment="Rostelecom IPv6 DHCP" interface=pppoe-out1 pool-name=rtelecomv6 pool-prefix-length=56 request=prefix use-peer-dns=no

Don't set pool prefix length. It's not about prefix length you're getting from ISP (they give you whatever they decide ...
by mkx
Mon May 03, 2021 3:54 pm
Forum: Beginner Basics
Topic: How to isolate both subnets on a cascade router setup?
Replies: 2
Views: 349

Re: How to isolate both subnets on a cascade router setup?

Either construct a "routing" subnet for connection between both routers (if physical connection is a problem, simply using another IP subnet would mostly do). Or disable NAT on Linksys and let MT do it for subnet B as well. You'll have to add static route on router A towards subnet B using...
by mkx
Mon May 03, 2021 3:46 pm
Forum: Beginner Basics
Topic: Do I need to Upgrade my Mikrotik to Take Advantage of Fiber?
Replies: 5
Views: 569

Re: Do I need to Upgrade my Mikrotik to Take Advantage of Fiber?

The 25 simple queues is more representative of home setup throughput ...

How so? I'd expect most home users to have zero queues defined and at least default firewall filter rules (around 10 IIRC).
by mkx
Mon May 03, 2021 3:43 pm
Forum: RouterOS v7 BETA
Topic: Feature Request: CAPsMAN - Add dynamic bridge VLAN entries for Access List Rules
Replies: 4
Views: 684

Re: Feature Request: CAPsMAN - Add dynamic bridge VLAN entries for Access List Rules

The big problem about what OP requested is that CAPsMAN only provisions wireless interface of a cAP. When dynamic VID appears on bridge it's not because capsman would provision bridge, it's because this is how bridge reacts to addition of a new bridge port with PVID set. The only solution would be t...
by mkx
Mon May 03, 2021 3:31 pm
Forum: Wireless Networking
Topic: Vlan hopping check and mitigation !
Replies: 5
Views: 532

Re: Vlan hopping check and mitigation !

Can't say anything about TP link gear. MT (most probably) can't be exploited this way, at least if bridge vlan-filtering is used (some HW offloaded VLAN setup might be vulnerable but it very much depends on how switch chip operates - I'm not going to study that now) ... if set up properly. The thing ...
by mkx
Mon May 03, 2021 8:22 am
Forum: Beginner Basics
Topic: Purpose of VLAN Mode on wireless interfaces [SOLVED]
Replies: 2
Views: 477

Re: Purpose of VLAN Mode on wireless interfaces [SOLVED]

Before ROS 6.42 (or something) bridge did not have VLAN related functionality, hence VLAN functions had to be performed by member ports (in this case wlan interface). Using vlan interfaces doesn't help in this case, using multiple bridges does (but that's awkward). Capsman still uses wlan vlan-funct...
by mkx
Sat May 01, 2021 9:05 pm
Forum: Wireless Networking
Topic: Capsman - Not getting IP on slave-interface [SOLVED]
Replies: 7
Views: 2198

Re: Capsman - Not getting IP on slave-interface [SOLVED]

OP did it using single bridge:

/caps-man datapath
add bridge=bridge local-forwarding=yes name=datapathVlan20 vlan-id=20 vlan-mode=use-tag
add bridge=bridge local-forwarding=yes name=datapathVlan30 vlan-id=30 vlan-mode=use-tag

Both data paths are using same bridge (named bridge). They are using diffe...
by mkx
Sat May 01, 2021 8:55 pm
Forum: General
Topic: DHCP-client script can't send (external) email because there is no internet connection
Replies: 2
Views: 432

Re: DHCP-client script can't send (external) email because there is no internet connection

Why don't you insert a delay (e.g. of 30 seconds) at the beginning of your script?
by mkx
Sat May 01, 2021 8:51 pm
Forum: Beginner Basics
Topic: Erratic device behaviour on WLAN
Replies: 3
Views: 567

Re: Erratic device behaviour on WLAN

There are a few settings which might affect the way wireless clients behave. I suggest you to re-post about the problem in forum section about wireless. There are a few users very knowledgeable about wireless woes but they might not follow topics in this part of forum.
by mkx
Sat May 01, 2021 1:15 pm
Forum: Wireless Networking
Topic: Capsman - Not getting IP on slave-interface [SOLVED]
Replies: 7
Views: 2198

Re: Capsman - Not getting IP on slave-interface [SOLVED]

It can't be done without bridges. wlan interface (even when provisioned by capsman) is interface, physical ethernet interface is interface (and vlan interface is interface as well) and only way to connect two (or more) interfaces is using a bridge.
by mkx
Sat May 01, 2021 12:32 pm
Forum: Beginner Basics
Topic: Erratic device behaviour on WLAN
Replies: 3
Views: 567

Re: Erratic device behaviour on WLAN

Anything about erratic device in logs? Copy-paste output of command /log print (run it in terminal window) to a text editor and search through logs for device's MAC address and/or IP address.
by mkx
Sat May 01, 2021 12:20 pm
Forum: Beginner Basics
Topic: What is purpose of VLAN's Parent Interface? [SOLVED]
Replies: 3
Views: 711

Re: What is purpose of VLAN's Parent Interface? [SOLVED]

(small hint for you mkx, bookmark good posts!) I'll let you find those via google multiple times so that google bookmarks them for me. It took a few weeks for google to bookmark thread about bridge vlan filtering by @pcunite, now it's on top of result list when I'm searching for "pcunite vlan ...
by mkx
Sat May 01, 2021 12:31 am
Forum: Wireless Networking
Topic: Tree's obstructing CPE LOS to AP ~ bandwidth!
Replies: 19
Views: 1695

Re: Tree's obstructing CPE LOS to AP ~ bandwidth!

I don't think nv2 being invisible to 802.11 devices has anything to do with CSMA/CA. I'm not an expert in nv2 but I guess beacons used in nv2 are incompatible with 802.11 beacons and 802.11 stations don't recognise nv2 AP.
by mkx
Sat May 01, 2021 12:18 am
Forum: Beginner Basics
Topic: What is purpose of VLAN's Parent Interface? [SOLVED]
Replies: 3
Views: 711

Re: What is purpose of VLAN's Parent Interface? [SOLVED]

vlan interface (created under /interface vlan) is kind of a pipe with two ends. One end is anchored to underlying interface, accepts tagged frames (the ones tagged with appropriate VID that is) and transmits tagged frames. The other end can be used as untagged interface (e.g. set IP address to it)...
by mkx
Fri Apr 30, 2021 1:36 pm
Forum: Wireless Networking
Topic: Tree's obstructing CPE LOS to AP ~ bandwidth!
Replies: 19
Views: 1695

Re: Tree's obstructing CPE LOS to AP ~ bandwidth!

I think you should do some spectrum analysis during hours with reduced throughput. The problem with nv2 is that standard 802.11 devices don't detect it other than some noise and can thus cause some considerable interference to each other ... which gets worse when both networks (your nv2 and other 80...
by mkx
Thu Apr 29, 2021 8:28 pm
Forum: Beginner Basics
Topic: Internet low speed
Replies: 15
Views: 825

Re: Internet low speed

Sorry, your config is OK, but I do not understand why you cap to 100M... Maybe the new device will help? What is the actual model? As test results indicate, your device caps at around 150Mbps (give or take) routed throughput in real life scenarios. Wireless can consume quite a lot of CPU when util...
by mkx
Thu Apr 29, 2021 9:56 am
Forum: General
Topic: Installing RouterOS on Protectli Vault 6-Port Hardware
Replies: 2
Views: 449

Re: Installing RouterOS on Protectli Vault 6-Port Hardware

x86 (and x86-64) breed of ROS v6 is pretty outdated when it comes to available drivers and can thus be very picky about hardware it successfully runs on. So it seems that most often professionals use CHR breed. This does cause some performance loss, but that can be offset by selection of faster hard...
by mkx
Wed Apr 28, 2021 11:11 pm
Forum: Wireless Networking
Topic: VLAN with 2 Wifi networks on the same AP.
Replies: 3
Views: 558

Re: VLAN with 2 Wifi networks on the same AP.

Basic decision to make is about local forwarding VS capsman forwarding. If you're going with capsman forwarding, then you only have to set up VLANs for discovery interface. All the traffic will flow through this VLAN encapsulated in a sort of a tunnel regardless the VIDs associated with SSIDs. If y...
by mkx
Wed Apr 28, 2021 8:58 pm
Forum: General
Topic: Fasttrack Question Decision
Replies: 2
Views: 338

Re: Fasttrack Question Decision

Mangle rules don't work with fast-track.
It is possible to use both mangling and fast-tracking, but one has to exclude from fast-track everything that has to be mangled.
by mkx
Wed Apr 28, 2021 4:57 pm
Forum: Wireless Networking
Topic: RB951G-2HND DDOS
Replies: 3
Views: 720

Re: RB951G-2HND DDOS

Hi, not sure if this topic belongs to wireless networking but anyway... Another possibility is to mess with wireless. Either hack it to gain access to LAN or create enough interference for clients (door lock, CCTV) to drop off wireless network. Either is hard to defend against determined attacker (...
by mkx
Wed Apr 28, 2021 4:48 pm
Forum: Beginner Basics
Topic: What is the issue with DUDE and SNMP?
Replies: 7
Views: 511

Re: What is the issue with DUDE and SNMP?

A few days ago, I first upgraded my RouterOS to version 6.48.2 on my hap ac2, I then downloaded DUDE client 6.48.2 too. I had already DUDE server installed on my Mikrotik before I upgraded RouterOS. Was Dude server also upgraded with the system automatically? How can I check that? In principle all ...
by mkx
Wed Apr 28, 2021 4:42 pm
Forum: Beginner Basics
Topic: Two segmented networks access to one shared network [SOLVED]
Replies: 11
Views: 916

Re: Two segmented networks access to one shared network [SOLVED]

Beyond my scope of knowledge.

Undoubtedly.