MikroTik

mkx

The problematic devices are all ARM ac devices, so they are running wifi-qcom-ac driver package. The SquashFS file has size of 2744320 bytes (uncompressed size is around 7.6MB). There are a two firmware directories for different WiFi hardware, one is for IPQ4018/4019 and the other for QCA9984. Uncom...

mkx

# 24 : The user usually is not able to follow or understand multiple information in a single post, so either he only considers the first one or the last one ignores all the previous ones. Hmmm, true. The other extreme case is: user comes with a problem, a few random users of forum respond, each wit...

mkx

There were similar reports ... and it often turned out that the I2C bus got locked by some attached device (mostly it was a not-very-well-supported SFP module with DDM) ... and communication between router's management function and hardware modules was interrupted making management function to panic...

mkx

The temperature reaches 60° Celsius in the hottest days. While both hAP ac3 and wAP ax are specced for operation in environment temperature up to 70°C (so they won't just stop working during your summer heat waves), such a high environment temperature does mean that device ages much faster than nor...

mkx

However, the customer already had an electrician check it, and according to his measurements, the cable was deemed to be “in good condition” ... I've seen a good deal of "qualified electricians" doing disastrous UTP cable work ... so I wouldn't take electrician's word as pure gold ... spe...

mkx

B20, mentioned in your screenshot, is 800MHz band. None of Miktotik's antennas are particularly good at sub-GHz frequencies (to put it mildly). And I imagine there isn't any usable signal in higher frequency bands (B3-1800MHz, B1-2100MHz, B7-2600MHz, etc) or else your ATL would already be using it. ...

mkx

As @holvoetn mentioned (but in mismatched context): wifi-qcom-ac doesn't support working with VLANs ... so it also can't carry over VLAN setting when station does roaming (e.g. FT). In a nutshell: when you have wifi-qcom-ac device in a mix, you can't use any of fancy VLAN features (e.g. setting vid ...

mkx

None of MT PoE devices regulate voltage, all of them work as "voltage in - voltage out". So it's not possible to have mix of PoE clients connected at the same time. Only a few rare MT devices accept two power inputs of different voltage and it is then possible to select which voltage to ap...

mkx

If it's indeed bug in DHCP relay, then it's highly unlikely to get it fixed in ROS v6. So what I'd do is to upgrade one of devices (the expendable one) to v7 (7.19.1 at this time) and see if DHCP relay in v7 behaves equally wrong (IIRC there were some entries related to DHCP in change logs ... I did...

mkx

When running new wifi-qcom drivers (as opposed to old wireless drivers), CAPsMAN settings are under /interface/wifi ... e.g. /interface/wifi/capsman . If things are set "according to the book" (i.e. using proper profiles), then settings are shared between CAPsMAN (for provisioning remote C...

mkx

Which MT device is running DHCP relay? Which ROS version is running on said device? You could verify that DHCP relay is indeed "eating" DHCP NACK responses by running /tool/sniffer (with filters appropriate set) on said MT device ... if everything is fine, you should see DHCP packets at le...

mkx

I need a Mikrotik rock solid documentation

In this case you'll have to ask directly MT via official support channels ... this forum is not one of them.

mkx

Difference between beta and RC is very small ... RC is beta that developers consider to be almost ready for release. Neither are stable and RC doesn't have to be any better than preceeding betas. Active development still goes on during beta testing, it's just that focus shifts (or at least should IM...

mkx

I can always see and manage the main router from winbox, but not the second router. It does not even appear on the list. Winbox builds the list of compatible devices using broadcast packets. The problem is that this only works inside same IP subnet (i.e. switched ethernet network). But you have a r...

mkx

So those ports are trunks. You have to decide: either ports ether7, ether17, ether 22 and ether24 are untagged for VLAN 69 ... in which case they should keep PVID settings (customer-vid=0 new-customer-vid=69) but should not be set as tagged ports on egress. Or they are tagged ports for VLAN 69 ... ...

mkx

mAP is MIPSBE ... and routeros packages for architectures anything but ARM/ARM64 are quite a bit smaller. Probably also due to smaller number of supported device models (which may require different drivers). Or perhaps due to smaller executables for those platforms ... I'd expect packages for 64-bit...

mkx

This setup was working fine for about 20 years with Windows/ISA and is working fine for 3 years with Mikrotik (albeit with Windows DHCP) - VPN clients receive addresses in the range 172.6.0.31-40, LAN clients receive addresses in the range 172.6.0.1-254 (with the exclusion of 31-40) and can communi...

mkx

More generally: bridge port is a CPU-facing port created automatically with every bridge ... and it functions the same way as the rest of bridge ports. It's special because it's created and added implicitly and carries the same name as bridge switch-like entity, again named with same name as the swi...

mkx

Maybe it had nothing to do with the bridges at all and more to do with being on a different subnet? This. If internal server and internal client are not in same IP subnet, then hair-pin NAT is not necessary. Because they have to "talk" via your router anyway and firewall is able to un-do ...

mkx

Back in time, when I worked as radio engineer for incumbent MNO, we had very good experience when using yagi or log-periodic "beasts" for the "low-band" wireless broadband. Such as Iskra P-40 MIMO (for a multi-band variant, look at their antennas with model name P56 or higher). T...

mkx

Nope. It sends traffic appropriate according to network address. /31 does this, /32 does not If you statically add i.e. IP address of 10.0.0.1 with network address of 10.1.1.2 onto an interface, you will not be able to communicate. You will need to manually add a route saying that 10.1.1.2 is on i....

mkx

/32 sends to 'the interface' its on with no regard for subnet Nope. It sends traffic appropriate according to network address. Which is true also when using "normal" subnet masks, like /24. The big difference is that when using "normal" subnets, the network address is calculated...

mkx

Your device has two switch chips built in ... you're setting port 10 under /interface ethernet switch port ... but you want to check (using print command) that it actually belongs to same switch chip (i.e. is it switch 1 -cpu) as other (ether) ports. Other than that: your router does respond to ICMP...

mkx

If there is a CPU-load-balancing issue with ixgbe that somehow also only gets triggered when paired with connection tracking ...

Just a random idea: could it be triggered (or made much worse) due to fasttracking? Having it active does affect how NIC drivers work ...

mkx

Please post your interface configuration (/interface/export) for us to see how exactly did you "inject" VLAN configuration.

mkx

What like a Lada, yes I know there are starving children in the world as well, ... ... and there are (abundant) number of ICT equipnent vendors who already offer what you're looking for. We can't know what's MT's business decission but so far it seems that they're focusing on "small hatchbacks...

mkx

Yes most of our 'Home' pc/server stuff is all 2.5Gbps, Most BB services here are moving or beta testing 2GB internet services as well. In most of the world, a small hatchback is a standard car for vast majority of users. In some other areas (or shoukd I put it in singular), a mini van / SUV cross-o...

mkx

If you find you can do -65dB or better using higher frequencies with the ATL, then they might hold. -65dB is the lowest I would go for LTE if I were connecting into a PTP link. There are two dignal strength quantities in LTE: RSSI (which includes all the signal in the used frequency channel and is ...

mkx

At home I have 1Gbps WAN. I have a small server which serves media (e.g. HD movies coded at 10Mbps average and sound clips coded at up to 300kbps) to one TV and one home cinema. It also works as (low utilization) torrent peer and web server for a few hobby projects. I have s few wired laptops, avera...

mkx

What is untracked? I know what established and related are but I don't know what untracked traffic is. Packets that are not tracked by connection tracking machinery. ROS supports tracking IPv4 and IPv6, in theory there could be other protocols routed ... but not in practice as ROS doesn't support a...

mkx

The "indoor" per regulations is about trandmitting on certsin frequencies outdoors ... without having building walls as signal attenuators. And wireless station does transmit at same frequency as AP and at same EIRP levels. Can even transmit larger share of time than AP depending on share ...

mkx

SXTsq5ax is declared as "outdoor CPE" ... which in MT parlance might mean that it can only use frequencies, marked for outdoor or any use (as opposed to indoor-only use). So do check, what /interface/wifi/radio/reg-info country=<your country> number=0 shows. It might show that lower part o...

mkx

Deleting a post here has never worked (for me). I always get a page with Error 505. ¯\_(ツ)_/¯

It did work a few years ago ... IIRC MT upgraded PHPBB and deleting posts doesn't work afterwards.

mkx

Check which frequencies are used by hAP ac and compare it to the list of frequenices allowed on SXT for your particular country setting. Not every device supports the same set of frequencies and not in every country. Just checked on my AX device (wAP ax) - controlled by capsman but never the less - ...

mkx

I'm new to MikroTik and still learning how to use RouterOS. I just got a hAP ac² and followed a few tutorials to set up NAT and basic firewall rules, but now none of the connected devices can access the internet. [snip] Can anyone suggest what I might have missed? I'd really appreciate your help! A...

mkx

QuickSet is pretty incomplete in ROS v7 with regards to configuration profiles. So unfortunately, you're on your own here.

mkx

Check versions of both RouterOS (system->packages) and RouterBoot (system->routerboard) ... I'm willing to bet they are not the same on both devices ... and the one which works with module has newer versions installed. "nearly the same" doesn't count.

mkx

This is probably the only thing I find irksome with the 1mbit limit ....

If it irks you that much, then scratch yourself (with a $45 license). It's not fair to expect that MT will scratch you.

mkx

... VLAN1000 (or any other number) untagged. Regarding "any other number": range for VLAN number is 0-4095 (a 12-bit unsigned integer). However, to avoid problems, usable range is from 2 to 4094 (both included). Syntactically it is correct also to use 1 but since it's used in default conf...

mkx

Also do monitor disk usage on those 16MB flash devices. If free space drops below 100kB (or something like that, depends on complexity of configuration), then there's danger of getting device into a no-change state (because running config can no longer be written to flash before the old one gets era...

mkx

I am not sure to understand how the NVR buzzer works (how it can be heard from the kitchen), is it *somehow* extended to the kitchen (or the sound has to go through the Cat5/6 link and goes to the monitor speaker)? The "IP KVM"s I'm familiar with can transport over ethernet the following:...

mkx

You really have to think about it yourself. You can go overboard and assign one VLAN per device. If you don't limit connectivity between VLANs using firewall inside router, then all devices will be able to communicate with all others ... unless some on-device firewall blocks it because it sees commu...

mkx

Funny how you mention "Software without subscriptions". But yet, MikroTik sells Level4-6 licenses, along with CHR licenses.. I'm not native English speaker, so it may be my poor understanding ... but isn't purchase (one-time payment ... in MT case with life-time support) a bit different t...

mkx

... but we've moved on from my original question ... ... because the answer was given (Tx power depends on actual Tx frequency used so you'll have to manage frequencies manually to optimize coverage). But some of us, forum members, are close to chatterboxes so we tend to continue with discussion ev...

mkx

Cellular (GSM/LTE/5G) people get away with such things because their radios are synchronized to one another - either they are in the same device/chassis or they use a precision GPS clock. And up until 5G (even in LTE) these systems used FDD - Frequency Division Duplex ... with duplex gab large enou...

mkx

I’m using a CCR1072 with RouterOS v6.49.10 (long-term), and I’ve been consistently running into this issue: It could be device-speciffic issue (i.e. tied to CCR1xxx family of devices). Other than that, I'm running a few devices with ROS 6.49.18 (latest long-term), all with uptimes beyond 31 days .....

mkx

LHGG LTE6 kit is s device with 16MB storage ... and thus prone to starvation and random problems. The likelyhood of happening it is increasing with rising version number as ROS gets some belly fat with each release.

mkx

/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254 this? Yes, but I don't think that that is the default because that's what I changed it to. No, this is default. BTW, you can always check default config of your device and running ROS version by executing command /system/default-con...

mkx

... like a wise man once said: "More gain usually means more interference. For consumer wifi the thing that limits wifi performance is never a lack of transmission power." That "wise man" obviously didn't know/think about country limitations ... which are expressed as EIRP ... a...

mkx

Country regulations - EIRP limitations - won't allow a device with directional radiation pattern to provide higher signal level than a (high Tx power) omnidirectional one - in the rirection of highest antenna gain. However, directional device will support higher uplink speeds because station Tx powe...

mkx

I agree that MT's marketing and quick reference documents could be much better. Like not resorting to "poetic" descriptions when technical data doesn't agree ("access point that looks beautiful on both walls and ceilings" versus antenna radiation patterns). And like publishing al...

mkx

Grok and ChatGPT disagree. They say "wAP" means wireless access point. I suspect Grok & ChatGPT are wrong as all access points are wireless. When an esteemed member of MT support team says something and LLMs disagree ... then in my mind there's no doubt who to trust ... And your wordi...

mkx

I figured NAT rule might work on port level but now I've learned it got to be done on interface level. Considering that NAT is L3 operation (works on IP addresses and optionally on TCP/UDP ports) it's got to be on interface level (the router/firewall property which carries IP address). You can have...

mkx

As for the higher frequencies on 5Ghz, any posted range to stick to, in your experience? Stick to U-NII-1 and U-NII-2 ... so up to and including channel 136 for 20MHz channels, 132 for 40MHz channels and 116 for 80MHz channels (that's center frequencies 5680, 5660 and 5580 MHz respectively). Lower ...

mkx

Adding to post by @itimo01 above: the other thing is the bug about handling VLANs between switch chip and CPU, addressed by 7.20beta: *) bridge - added dynamic tagged entry named “switch-cpu” in scenarios where the same VLAN spans multiple switch chips or is used on both HW and SW ports; Doesn't men...

mkx

I had to downgrade to RouterOS v 7.18.2 from 7.19.x

I certainly hope you did save supout.rif file while device was running 7.19.1 and you opened trouble ticket with MT support.

mkx

Does this help ? https://tiktube.com/w/gwMqv7r2AwB3zLAoeWP7FT It only talks about the new connectivity app. No explanation on how to use another ISP besides Mikrotik . Mikrotik is not ISP, it's equipment vendor. When using device with eSIM, it has to be provisioned even with the first MNO to whose ...

mkx

When fasttrack is active for certain connection, then most of packets belonging to that connection won't be processed by normal firewall rules, instead they will be handled by special (fasttrack) functions. Which means that changing rules won't affect the connection. You have to remove "infring...

mkx

(my hAP ac2 with wireless and working only as an access point now has about 850kB free) If one wants to squeeze a bit more life out of hAP ac2, then IMO it's better to use it without any wireless/wifi drivers ... i.e. as wired-only router. It performs marvelously, much better than hEX refresh (or L...

mkx

Except for "run this only after next restart", wouldn't scheduler entry with "start-time=startup" and without setting "interval" do the trick? The problem with running commands "as quickly as possible" can be that hardware might not be fully initialized at the...

mkx

The phones and the laptops in the room (less than 3-5 m from the router) see the 5 GHz network at very good signal levels: -45 to -55, but when they connect, the registration table shows their signals at much worse level, -78 to -88 Registration table shows signal levels, measured by AP on client's...

mkx

The list of packages now shows all packages available for device's architecture. Your router is ARM and there are plethora of different ARM devices. For example: there's wifi-qcom package available, your router does not have required hardware (AX-generation of wifi cards) ... but it's listed. And yo...

mkx

If NIC buffer is problem, needs queues and flow-control or whatever, then how do you explain mirolm’s report of “it works fine for me”? He did not indicate he had to do anything at all special… When it comes to buffers timing is pretty important. In certain cases timing of the link partner might be...

mkx

One could conclude that MT does not conduct UPLOAD tests at all when producing throughput tests on their charts. I say this because one might assume they use ether1 for testing and this issue would have been discovered long ago, prior to distribution. Or it could be that they only look at cumulativ...

mkx

The answer is similar to the question "I have my Windows fully configured. Will I loose my configuration if I switch to Linux?". Yes, settings won't be carried over to the other OS. With some luck ROS settings will remain intact while running SwOS and if you decide to revert back to ROS, y...

mkx

If you use FO network provider's ONT which offers a 10Gbps RJ45 port, then you need one on your edge device (router, switch) as well. Whether it's provided as built-in ethernet port or by using RJ45 SFP+ module doesn't really matter from functionality point of view. But, as you wrote yourself, SFP+ ...

mkx

Product page says that max power consumption without attachments (e.g. without SFP+ modules inserted) can be up to 21W. So what you see is definitely inside expected values. I highly doubt that any (noteworthy) power consumption reduction is possible by changes in software. I checked a random Taiwa...

mkx

My personal opinion is that whatever ONT is provided by FO infrastructure owner should be good enough for the service you're subscribed to. And having provider's ONT in place you can argue with provider if the service is not adequate (by temporarily connecting an unrelated equipment for troubleshoot...

mkx

AFAIK none of current Mikrotik devices come with fiber ports built-in ... the plethora of devices, which eventually support FO, require installation of appropriate SFP/SFP+ module. Vast majority of single-mode SFP modules are intended to be used with blue optical connectors. And as I mentioned, find...

mkx

A change to Router OS isn't possible? There was no answer to this question yet... No, on C S S devices SwOS is the only option. Main difference between C R S devices and C S S is that the later lack general-purpose CPU (and storage and RAM), capable of running a more complex OS (while L2 capabiliti...

mkx

I have a question about the SFP+ port. My provider uses GPON technology to connect a fiber optic cable with a SC/APC (green) connector, hence on the router for direct connection to avoid intermediate equipment (media converter) there must be a corresponding port, also marked green with SC/APC. What...

mkx

Changing L3 MTU on internet links is particularly tricky ... because 1500 bytes is a global de-facto standard. If you use large MTU on your link but next hop link (or even server your client is connecting) uses standard MTU, then somebody will either have to fragment packets (which most of times mea...

mkx

If radios get damnaged due to antennas not being attached, then the dammage would be on analog side of wifi chip, in particular to the RF power amplifier. And I don't think that low-cost devices include supervision of that part (it'd require measuring Tx power using a dedicated un-corelated circuitr...

mkx

L3 MTU (as in: IP MTU) has to be the same for every single device in same IP subnet ... in your case that includes ISP's router handling that /21 address space. Which likely means that you'll have to conform to whatever your ISP is using (and my bet would be on 1500 bytes + VLAN overhead). BTW, L3 M...

mkx

If you decided to use VLANs, then use one VLAN per PPPoE user. You can use 4094 VLANs. I wouldn't configure that many PPPoE servers on a single device though. Max sustainable number depends on particular device type and max rate per user, probably a few hundred users per (powerful) device is reallis...

mkx

Use DHCPv6 to obtain a delegated prefix only. Some ISPs require the WAN address to also be obtained with DHCPv6, rather than SLAAC, on IPoE connections. ... and in such case configure DHCPv6 client to require both prefix and address in a single handshake (set request=prefix,address on DHCPv6 client...

mkx

Also: when uploading upgrade packages (NPKs) manually, it's your responsibility to upload all the required packages. For many devices, uploading single file (named e.g. routeros-7.18.2-arm.npk) is enough, some require additional packages (such as wifi driver pack). Those package files are distribute...

mkx

Product page for NetPower 16p says: Device itself does not have an onboard voltage converter. You need 24V PSU to have 24V PoE out and/or 48V PSU to have 48V PoE out (IEEE 802.3 at/af). * Power supply is NOT included with the product. You are welcome to use your preferred power option, like battery...

mkx

It seems that basically you can either do L3HW routing or L3HW fasttracking ... but not both. And the reason is as already hinted by @chechito: when L3HW engine takes care of a packet, it's no longer seen by CPU. But CPU has to see packets in order to correctly perform connection tracking, which is ...

mkx

The problem is that I want to declare VLAN ID 80 on ports 3 and 4 of the CRS328 so that those ports function as access mode for the segment range corresponding to VLAN 80. So far, I haven't been able to get it working. Did you check this tutorial? https://forum.mikrotik.com/viewtopic.php?t=143620 Y...

mkx

Start off by explaining what is your definition of "slow LTE". Also check what kind of connection has LTE card with LTE network: RSRP, RSRQ, SINR, band, band width, etc. Also try to test during small hours, public wireless networks can be pretty congested at times and statistics is saying ...

mkx

Does this apply to both the CRS318-16P-2S+OUT as well as the crs328_24p_4s_rm? The former is half the price of the latter. It does apply to both. But for netpower you need to purchase two power adapters (with MSRP of $18 each making price difference a bit less) and the rest of hassles mentioned. An...

mkx

Error 2 is not yet completely fixed. Issue is that although SSID has multiple security methods assigned (wpa2, wpa3) fallback to wpa2 if devices dont support wpa3 doenst work reliable. That's not the problem with AP, it's a problem with client device. AP broadcasts capability values and it's up to ...

mkx

L3HW fasttrack can only make a difference on devices running firewall. If you use your CCR as "plain" router, "simple" L3HW should be enough.

mkx

Which device model is used as CAp? There are 3 different possibilities, each requires slightly differen VLAN setup.

Also post config of capsman section of CAPsMAN device and full config of a CAP device.

mkx

I guess that at least part of price premium can be explained/excused by dual PoE-out nature: each port can either act as 802.3 af/at PoE port or as passive PoE port (at 26V), it's software-selectable. So ideal if one has to power a mix of MT devices and standard 802.3 af/at devices. All of that by u...

mkx

Hm, but looking at OP's config export, they have a hEX refresh (E50UG), which means with ether1 being the WAN port, putting it in the bridge will still result in everything involving that port using the CPU (no HW offload), including VLAN filtering and bridging. Yes, it will use CPU. But when addin...

mkx

why configure the vlan using bridge filtering whilst this kind of device the vlan should be config in switch menu? or the vlan tagged interface could also attach directly to ether1, i'm just curious thanks! Whether to use switch menu or bridge mostly depends on device model. Some older devices (tho...

mkx

What's the length of Cat6 cable connecting both switches?

mkx

Additionally: L3HW offloaded routing (and fasttracking) is bound to on-chip memory (and not to on-board RAM) which can't be changed. And the routing table limits are thus hard limits. If L3HW offload can't deal with all the different routes, CPU has to perform routing for those excess destinations ....

mkx

Also beware that wAP ax does not provide omni-directional wifi coverage, front-to-back ratio is around 20dB and main lobe beam width is around 60°. Which makes wAP ax ideal for placing in a corner of a square room or on the short wall of rectangular room. Or, if placed inside a house/flat, off-cente...

mkx

When using CAPsMAN to provision a CAP, also virtual APs have to be set-up via CAPsMAN. No local configuration of wireless should be necessary (except perhaps VLANs on wifi-qcom -ac -driven devices). By default, virtual APs are made members of same bridge as master interface. If you want to separate ...

mkx

1. May i know how to get into /system/device-mode/ to adjust the CPU frequency, please? It seems to me that it's a CLI-only setting. I can't find it neither in WebFig (7.18.2) nor in legacy WinBox (3.41). And the new WinBox (4.0beta20) doesn't work for me, Linux version insists on having GL extensi...

mkx

Short version: this isn't about the client software but the poor decisions that your network administrator did in managing a dual wan setup. Why would that be ? If other sites do work correctly this one not, than i guess problem is here or not ? As you confirmed yourself, using same OS/browser/vers...

mkx

None of pictures from previous post are visible to me.

mkx

I have in the back of may mind (but can't find a reference to it) that ultimate bridge priority gets defined by merging the following fields: <VLAN ID> <STP priority> <bridge MAC address> When everybody is in the same VLAN, the deciding factor is STP priority ... if additionally everybody has same S...

mkx

I don't think upgrade of backup routerboot (factory firmware) has anything to do with available flash space.. nope, it definitely does ..take a second look at my picture Not sure what your picture is saying. What I do know is that not all devices are supported gor upgrading factory firmware (my Aud...

mkx

Product page of SXT LTE6 kit does indicate that unit is capable of PoE daisy-chaining with max PoE out up to 19W (0.4A PoE-out limit when powered with 30V+ PoE-in ... when powered with 48V calculation yields those 19W). It's explicitly stating "max power consumption 21W, max power consumption ...

mkx

None of MT PoE gear will guess/regulate voltage ... it's "what comes in, goes out". Now: specs on product page are often incomplete (if not misleading) to people not familiar with PoE gotchas. Because PoE is not one single thing (standard 802.3 af/at/bt), there are many. All MT gear so far...

mkx

Hello, sorry for bumping this. Have you managed to do it OP?

Reply in post #2 is still true.

mkx

..[CUT].. Remember when something goes wrong during the upgrade, your device is bricked. And do not bother trying to upgrade 16MB flash devices .. I don't think upgrade of backup routerboot (factory firmware) has anything to do with available flash space ... one uploads the package to device (in ca...

mkx

Yeah, that does look worth a try.

Did you? What were results?

mkx

Every ROS device running v7.13 or higher has "new" CAPsMAN available in core ROS package. What device are you using as CAPsMAN client? Generations of CAPsMAN sever and client have to match (the new CSPsMAN works only with clients running wifi-qcom* drivers and likewise the old CAPsMAN only...

mkx

That mini rant brings me to a question: how can I roll back to the previous, legacy web GUI? You don't get to choose web GIU style, there's only one shipped with ROS version. So if you want legacy web GUI, then you have to downgrade ROS to version with legacy web GUI (could be somewhere around 7.16...

mkx

Note that the procedure to update the backup bootloader at https://help.mikrotik.com/docs/spaces/ROS/pages/40992878/RouterBOARD#RouterBOARD-Protectedbootloader has now been updated to support version 7.18.2 Doc says it's universal ... but doesn't seem to be that universal ... it fails on my Audienc...

mkx

Since you're running "real" DNS server on a dedicated device in your LAN, you may as well use same device to run DHCP server ... and set it to update DNS records for DHCP hosts. This way you'll skip using one mediocre ROS service (DHCP server is not bad but it's not great either) and one b...

mkx

Does your setup involve VLANs? VLANs can screw bridge priorities ... if not configured properly.

mkx

connection tracking table full Fasttrack HW table utilization 100% The connection tracking table doesn't depend solely on number of "CGNAT users" but also on activity of those users (total connection tracking table length is sum of all connections of all users). And yes, HW table is typic...

mkx

I suggest you to contact MT support directly. Either through web page https://mikrotik.com/support or via e-mail support@mikrotik.com (this forum is not official means of support, it's more like an AAA group of MT users). If you get any useful snswer, pkease rrmember to come back and post it ... for...

mkx

Ether1/mgmt port on this router is connected directly to CPU with a dedicated 1Gbps link. SFP+/SFP28 ports are handled through PIPE (some sort of port extender), sharing 2x25Gbps bandwidth. As shown by block diagram: https://cdn.mikrotik.com/web-assets/product_files/CCR2004-1G-12Splus2XS_200459.png ...

mkx

A bit of DNS theory: DNS doesn't know concept of "primary" or "secondary" server, in principle all are equal. Setting DNS server addresses in DHCP server config might make DHCP server to place those DNS addresses in a particular order inside DHCP lease metadata, but DHCP client c...

mkx

I can get 470Mbps on 40Mhz. However, if I bump that up to 80 Mhz I get slightly less. What are signal strengths reported by both sides? Beware that doubling the bandwidth (from 40MHz to 80MHz) will decrease signal strength by 3dB. And if signal strengths are not great (read: above -60dBm or so). th...

mkx

I have each switch configured with one bridge that carries all VLANs (1-4094). At the bridge level, VLAN Filtering and Ingress filtering is enabled, and Frame Types is set to "admit only tagged" [snip] The only access port is my PC, and the access port is set to PVID 1337 (since it's VLAN...

mkx

ether1 is not connected to switch chip, it's rather connected to CPU directly. Which means it behaves differently than the rest of ports. When device is used in router mode it's practically required to use ether1 as WAN interface. And it has some quirks when it comes to congestion handling (one dire...

mkx

The off-shore "omni directional" device might experience lots of interference. And if that device is running in AP mode (you didn't specify this aspect) it might refuse to select any of channels due to that. If this is indeed the case, then you may get it work better if the on-shore device...

mkx

The download file would likely work fine on your RB3011 ... but if insisting on using netinstall version which matches wanted ROS version it would limit you to ROS v6.48.6 (which is not even latest v6 long-term). If you'd use that version of netinstall to install any other ROS version, then you're b...

mkx

Hi, I've currently got a RB951Ui-2HnD that I'm running as a router for my home network (with wireless turned off - just running a single Unifi AP currently). It's running DHCP and DNS for my network, plus doing firewalling/routing duties for IPv4/IPv6. I'm thinking of upgrading, but I'm not 100% su...

mkx

However, the strong interference isn't really correct. I was talking about AGC of Rx preamplifier. The gain is automatically set according to strongest signal received (in worst case in the whole band, in best case in actual Rx frequency window). Strong interference will cause AGC to reduce gain an...

mkx

OFDMA is part of 802.11ax standard. And as such it only works when both AP and station are ax (won't do any good if station is ac only). And will only be able to do something when interference is reasonably strong (not much stronger than received useful signal ... so it doesn't overwhelm receiver's...

mkx

That NVR has 10/100Mbps ethernet interfaces ... both for cameras and LAN. So hEX will have to handle 100Mbps full duplex at most. It'll do it without a sweat. Even if L2 HW offload for some reason doesn't kick in.

mkx

Rules by @MTNick do the job just fine. Just beware of raw rules performance: while raw rules appear as a economical solution (raw rules are evaluated before connection tracking machinery does the job ... which is a single most expensive feature run by firewall), but raw rules are evaluated for every...

mkx

Just guessing ... I think that wifiX bridge ports should be set as tagged members of relevant VLANs ... all that are used in multi-passphrase configuration.

mkx

Use DHCPv6 client and configure it to receive a prefix on WAN interface. Also configure it with pool name. After you receive a pool into the pool named in configuration, you'll be able to assign IPv6 addresses from this pool to router's LAN interfaces. This will in turn allow router to announce appr...

mkx

I don't understand the ingress filtering option. From what I read with ingress filtering turned on non VLAN tagged packets will be ignored. How is this option different on the bridge and port pages? Does it have any effect when frame types is set to admit all? Properties pvid, ingress-filtering (an...

mkx

Why expensive android tablets with omnidirectional antennas inside behaves BETTER than all 4G modems I had? Probably because those tablets use most recent 4G and 5G modems with much better ability to perform "Carrier Aggregation". Vast majority of cell towers nowdays use multiple frequenc...

mkx

There is no such thing as "cross-vendor standard wireless bridging" which would be required for wifi bridge to act as a transparent connection between two wired "islands" (similar to UTP cable between two switches). Read more about it in this article . It's about use case where s...

mkx

Must be config dependent. No issues on my rb750gr3. But it's being used practically as switch, so no special config or even routing. I wrote that my gr3 worked fine for about 1 hour until the data transfer started via the connected l2tp over ipsec. So this really doesn't happen everywhere and not a...

mkx

• Is there a compatibility issue between wifiwave2 AP mode and older MikroTik clients? Yes. True "station-bridge" mode is not possible if AP and station are using different generations of wifi/wireless driver. One possibility is to try with station-pseudobridge (but has some limitations)....

mkx

With all due respect: you started a few topics in last few weeks/months where we tried to explain a few "basics" with many plain English words (as far as we, non-native speakers, could) where you didn't understand explanation put forward using "tech talk" phrases. Part of reasons...

mkx

But you're right the default includes "untracked" — that is not in the normal default configuration, It is in normal default configuration, just checked my hAP ac2 running 7.18.2. "untracked" is accepted both for chain=input and chain=forward (the later by the non-fasttracked ru...

mkx

No apparent reason if not - maybe - that the furthest tower was installed more recently and thus had "better/faster" devices than the nearer one. More likely: the closer, elevated, tower covers more subscribers and is thus much more utilized. Hence less radio resources available for each ...

mkx

A "smart" antivirus running on clients' PCs?

mkx

I took another IP range from provider and did same nmap scan.

Does WAN IP address, shown on your RB, by any chance fall into range between 100.64.0.0 and 100.127.255.255? This is CGNAT address range and is not universally routable.

mkx

I already stated it couple of times. I run nmap from internet, from another computer, from another ISP towards Mikrotik. Do you know what CGNAT is ? And to determine what you can do to see if that is the what causes the problem. Even if MNO doesn't use CGNAT (which is becoming a rarity), it still m...

mkx

My hope is also that these discussions help develop the language to use to communicate more effectively about these topics. I hate to disappoint you, but the language is already developed, established and wildly used ... one simply has to learn it. Pretty much the same as every toddler has to learn...

mkx

MTU: maximum size of IP packet (including headers). All IP devices in same IP subnet (as defined with IP address/netmask pair) must use same MTU. If not, then packets larger than MTU setting will be dropped by receiver (smaller packets are fine). Mind tgat no IP packet fragmentation takes place for ...

mkx

I hope, MikroTik Team will backport this fix to a near future 7.18.3 release also. I wouldn't count on it. When released, 7.19 will immediatelly become "stable" release ("stealing" the title from 7.18.2) ... and there is no "long term" release which would warrant backp...

mkx

Can you post output of

/interface/list/member/export

And indicate which interface is actually connecting your internet.

mkx

That logic seems to me more awkward to implement compared to just a dropdown list (or input box) to specify VLAN ID. As already said: it depends on switch vendor's "ingenuity". E.g. my D-link has "L2 features" -> "VLAN" -> "Management VLAN" and there I can en...

mkx

add action=dst-nat chain=dstnat comment="zabbix-agent dst-port=10650 in-interface-list=WAN log=yes log-prefix=\ nat-zbx-agent-zabbix-win-hp protocol=tcp src-address=x.x.x.x to-addresses=192.168.8.251 to-ports=10050 If your post is actually copy-paste of actual dst-nat rule, then everything, in...

mkx

Switches I've seen so far (not many models, I admit) have option to select "management VLAN" ... and if set properly, switch would then only receive IP from the correct VLAN. If the option is not set, then switch might try to obtain IP address from all VLANs it detects (or is configured wi...

mkx

I suppose, therefore, that the diagram (the original, not my monstrousity) shows the 5022/5022 connections to the switch chip component of the 6010 ... Diagram shows physical connections between 5022/5052 parts and main chip. Which part of it (CPU or switch chip) is not clear and it would only be p...

mkx

As @anav already hinted: the red box should enclose everything on the left side of its current extents and on the right side (including those tridents on the far right side of amplifiers ... they denote wifi antennas).

The rest is right.

mkx

Sometimes it's good to write up problem, your brain will figure it out eventually. And the crucial detail (WLAN being in the mix) was missing from your initial description. If you didn't get to the right conclusion yourself, somebody else might have spotted the reason ... but only in case when all ...

mkx

For clarification of one aspect of the origin and intent of my quesiton: I was thinking specifically about whether frames between wifi and etherports could exclusively use the switch chip. That is, the use of a dumb switch would not be applicable. You can always have a look at block diagram of a pa...

mkx

Just a thought: it could be that your public address is not actually completely transparently presented to you. I have static public IP address (via PPPoE) and in my case, nmap scan from internet side shows a few ports open. Apart from the expected ones (which I explicitly configured in my router) i...

mkx

At the point that an unsolicited connection request to TCP port 22 comes into your router from the outside, "src-address" is the IP of the host making the SSH connection attempt to your server, and "dst-address" is your router's WAN IP. So if you want the rule to trigger when a ...

mkx

I use my ax3 with vlan filtering .......

... which is done by software/CPU, so no HW offloading. Hence no problems snd high CPU load (but still wirespeed).

mkx

Is ASIC the same as the switch chip?

For the sake of argument: yes.

mkx

About this setup, I do not regard it as bells and wissels. Objectively your setup is not very special indeed. But from the hurdles you're describing it seems you're not very well versed in ROS. So having multiple "independent" connections from a switch upstream, doing some routing, etc. ....

mkx

No I do not think a loop is possible. In my network there are multiple vlans. RSTP is unaware of VLANs. It's a protocol directly on ethernet and if two bridges/switches are connected using multiple links, even of they are trunks for distict VLANs, RSTP will detect a loop. I'd recommend you to simpl...

mkx

Try to connect actual PC directly to the management port. The way connections are shown on image they possibly make a loop ... if "pfSense & switches" allow that. And RSTP (enabled by default on ROS bridges) will break the loop by disabling one of links forming a loop, by default the s...

mkx

But in short: /interface/bridge is sbout swich-lije entity (called brudge), its ports including CPU-facing btidge port. And VLANs allowed accross those pirrs. /interface/vlan is about CPU ability to interact with tagged VLANs whichever CPU interface it might be, eithrr etherX inzetdsces, bridge, etc...

mkx

Another good tutorial which explains different bridge "personalities": viewtopic.php?t=173692

mkx

I suggest you to go through this tutorial about VLANing using ROS device: viewtopic.php?t=143620

It may clear some misconceptions you might have.

mkx

The config regarding ether1 is mighty weird ... it's added as port to the "grand" bridge, srt as access port of VLAN 88. Then you have br10 which is configured as tagged member of VLAN 10 of "grand bridge" but it's not even set as port of same bridge?? A side note: ROS can HW off...

mkx

'Controller Bridge and Port Extender', but it seems too late as the help pages seem to suggest this function has been removed from OS7.18. What's replaced it, if anything? Or is there another way of achieving the same? Nothing replaced it. The concept is a (very poor) approximation to switch stacki...

mkx

As you noted, frames are passed (switched) only between ports of same bridge. Having two bridges in same device is (from L2 perspective) the same as having two devices. But I wonder: if sole purpose of the second bridge is to give emergency management access via the sole bridge port (ether1), then y...

mkx

I believe this is due to L3HW being disabled across the board

Again: if enabling L3HW oflload will solve your issue, then your CRSes are not configured as switches.

mkx

I actually had previously been aware of the "INTL/US" products that are the non-locked, non-US devices (always wireless, since this is about FCC regulations) yet packaged with a US power adapter, but had forgotten about it. NEMA power plugs are used in countries other than USA and Canada ...

mkx

Received signal strength (-62dB) indicates that "interferer" is either "ordinary AP" physically placed very close to your hAP ax2 ... or a high-gain PtP link (probably operating at illegsl Tx power levels) with line betwern link peers going right through your hAP ax2. And either ...

mkx

Is there anything that would be causing this?

Nothing in logs, not even suspicious log-ins? A script which does something to leds?

mkx

/export terse CRS504.rsc

Please, don't use terse, my eyes hurt when reading terse output. Ordinary export will do just fine.

mkx

Switches should not experience any significant CPU load. As you see CPU pegged at 100%, this means your switches are misconfigured.

mkx

I didn't see anything obviously wrong ... but I don't know much about using multiple routing talbes, so I can't comment on that aspect of your confiugration. Checks done so far: When I ping PUBLIC_IP.67 from outside the network, with tcpdump on both machines (mine and the 10.190.0.12) ICMP is fine, ...

mkx

Post actual configuration, not a novel.

mkx

How could I recommend a router to anyone for enterprise use if it introduces unintended, undocumented behavior that can easily take hours to rule out? Well ... whether you intended it or not, you had feature called "detect internet" enabled. And based on feature name and using common sens...

mkx

But why?

Because wifi-qcom-ac drivers are missing some crucial functionalities ... which were missing also in wifi-qcom but were eventually implemented there. MT keeps acting deaf to our pleads to implement them in wifi-qcom-ac as well.

mkx

Manual says "... load balancing based on Layer2, Layer3 and Layer4 hashing". Not specifically for "dynamic" LAG, but I'd take that it applies to both LAG modes. So L3+L4 hash ...

mkx

chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN "We are dropping all non-dstnated IPv4 packets to protect direct attacks on the clients if the attacker knows the internal LAN network. Typically this rule would not be necessary since RAW filters...

mkx

You'll want to sniff beacons because most of interesting data is broadcast ... try to filter according to BSSIDs that belong to your WiFi network to reduce amount of chatter. Ony when your station decides to roam there will be some unicast exchange with old and new APs.

mkx

Typically rated power of a device is only used during certain periods of time, one being powering-up. The problem in your case might be just that: if PowerBox Pro enables PoE-out for both connected cameras (you said you'll connect 2) at the same time and they both hit the peak usage at the same time...

mkx

My ROS installations generally have 2 servers configured and up to 7.18.2 I never saw such error logged.

mkx

These are custom firewall rules ... the ones you don't even look at

I didn't even bother looking past these two rules ... make me think I'd be looking at some pretty butchered firewall setup.

mkx

PoE Max. Power Per Port 25W This gives you power budget for PowerBox Pro and all connected cameras. PowerBox Pro is specced at 6W max (it might have typical consuption a Watt or two less). So around 20W will remain for powering attached cameras. What is rated power consumption of those? And don't f...

mkx

"L3HW routing" would be fine as well :), but it can be confusing, I invented the "almost switching" just for having it in the order of speed: But it's confusing ... as @mbovenka wrote: routing is routing bexause it's L3 function. And switching is switching because it's L2 functi...

mkx

MAC telnet (application) works only with ethernet frames without VLAN tags (I suspect it's using ethertype 0x0800 IPv4(. So it can't be used off bridge which is trunk port, VLAN interface(s) are needed to strip/add VLAN tags.

mkx

The top two firewall filter rules: /ip firewall filter add action=passthrough chain=input dst-port=5246 in-interface=ether1 \ in-interface-list=WAN log=yes protocol=udp add action=passthrough chain=input dst-port=5247 in-interface=ether1 \ in-interface-list=WAN log=yes protocol=udp They explicitly a...

mkx

On the other hand CRS520-4XS-16XQ-RM ... switch with so powerful CPU that even beeing "a switch", the traffic throughput may satisfy datacenter needs. It might. But it would likely collide with expectations ... which usually are "wirespeed routing" and if routing on CRS520 is do...

mkx

How many NTP servers are configured in /system/ntp/client? I don't know if there's a limit in RouterOS's NTP implementation, but I don't think more than 3 quality servers are necessary (3 is kind of a minimum to form a meaningful quorum).

mkx

Well, the fact that logs are written by CAPsMAN (topic caps,info) indicates that firewall of your router is not effective. Default firewall setup would block attempts to connect to CAPsMAN through WAN port and CAPsMAN would not even see those attempts. If there were log entries about that, they woul...

mkx

Set dhcp client to bridge Plug ethernet cable from NVR in powerbox port 1 Just for the record: you have to connect NVR to port ether1 because it's the PoE-in port. With the outlined configuration, all the ports are equal regarding ethernet traffic (and hence IP traffic). E.g. DHCP client would be a...

mkx

3) VLAN routing is a handled by the bridge (and therefore a switching function). Switch doesn't do any routing ... and "VLAN routing" is either "routing" or "VLAN switching" (depending on the way you abuse phrase VLAN routing). If you're talking about the later, then s...

mkx

In short: any RouterOS device, which has more than a single IP address configured (used only for management), can eventually become a router. So a switch should never have more than one IP address configured, if configuring additional IP address solves a traffic problem, it means that switch became ...

mkx

Does this mean that there is no automated solution to download the required files (wifi-qcom-7.18.2-arm64.npk) to the CAPsMAN v2 device? Do I have to do it manually? And also before updating the CAPsMAN v2 device? No, there's no automated way of downloading additional packages to capsman device. I ...

mkx

Upload all the relevant packages (base routeros and necessary optional packages, such as wifi-qcom) for all relevant architectures (ARM, ARM64) to capsman device ... I recomend you to create a dedicated folder on flash storage). Then set package-path to the correct folder and set upgrade-policy to s...

mkx

Yes, radio stats are available on capsman ... but with wifi drivers amount of stats is small compared to wireless stats.

mkx

Mobile broadband networks (LTE, 5G) don't work the way you seem to think. There are two major modes: idle and active. When device is in idle mode, device can choose to "listen" to any cell it wants (but has to perform Tracking Area Update if it selects to listen to cell which is in differe...

mkx

Wireless bridge is the same as normal AP/station. And AP setting security.mode affects encryption. It's pretty easy to enable it ... set mode=dynamic-keys , authentication-types to e.g. "wpa2-psk" and set wpa2-pre-shared-key ... first on remote side of link (if managing over same link) and...

mkx

No special config, just static ip set, but can't reach them.

If this statement is about cube devices ... then they need at least default route set with UDM's address as gateway. Without this setting (and probably DNS settings as well) it's not possible to use built-in package upgrader ...

mkx

Try to set sfp-sfpplus1 port speed to 2.5Gbps and disable autonegotiation. But it could be you won't be able to make things work ... Mikrotik devices are notorious for poor support for SFP modules (including RJ45 ones) and it's best to get a module which is known to work well with your particular Mi...

mkx

I'm sorry, I don't follow the layout of your network. You may want to make a simple diagram of your network (router, PTMP link devices, wireguard) ...

mkx

Ideally you want to have "the middle" mANTbox configured as AP and the other two as station-bridge ... you'll have the least problems. Mind that AP doesn't have to be closest to router, it can be anywhere ... L2 traffic flows symmetrical over a WiFi connection, only L1 control is done by A...

mkx

Just to get things straight: ... download and deploy the latest available RouterOS. I believe it was 7.12.1 Actually the latest version marked as stale is the 7.18.2. If original ROS version on device was <= 7.11, then upgrader built in ROS will first upgrade to 7.12(.1) ... only upgrader in 7.12 wi...

mkx

If speedtest is fast, but nothing else is fast - your ISP is limiting you and setting an exception on speedtest :) Common practice in some areas You are reading my mind :-) They say they don't. Of course they are saying that. Does your local telecommunication regulatory agency (probably Bundesnetza...

mkx

You missed the point, there was no warnings before upgrade or i ever touched CPU freq on this fresh unpacked device , its the upgrade which changed freq or whatever it did and now complains about "it self" The upgrade didn´t change frequency. I can't say about this particular device, but ...

mkx

If you sniff the broadcast traffic, does src-mac-address tell you anything? Likewise src-IP-address?

mkx

This one:

/interface vlan
add comment=vlan32 interface=ether1 name=vlan32 vlan-id=32

It should be interface=bridge ... it took me 0 seconds (recognized it while reading config).

mkx

Is this normal behavior or bug? Good morning. Yes, since 7.17 one has to allow routerboard uder /system/device-mode to be able to change anything under /system/routerboard ... which includes CPU frequency. Before you join the choir: there were lenghty and loud complaints about extensive use of devi...

mkx

I understand about MSRP, my question was more oriented to the real market picture that I see I guess that "real market picture" depends both on MT's policy (do they drop their own device prices after a while or not) and your local distributors (do they tend to keep prices high "just ...

Search found 14414 matches