Search found 6240 matches

by mkx
Sat Jul 31, 2021 9:38 pm
Forum: General
Topic: LTE interfaces cannot be bridged?
Replies: 8
Views: 238

Re: LTE interfaces cannot be bridged?

One thing is what ROS sees and how it reacts ... now it sees RNDIS and reacts with creation of lte interface. Another thing is what rPi can show. There are a few protocols for transporting ethernet frames over USB, RNDIS is one of them, CDC-ECM is another one. If @OP can make rPi show something else...
by mkx
Sat Jul 31, 2021 6:49 pm
Forum: General
Topic: LTE interfaces cannot be bridged?
Replies: 8
Views: 238

Re: LTE interfaces cannot be bridged?

Try to set rPi USB into some other mode, e.g. CDC-ECM. RNDIS seems to be MS proprietary protocol and it might be supported in Linux by some third party drivers. Mikrotik does their own stuff and likely did not (and will not) support RNDIS for ethernet. LTE is not ethernet, hence you can not bridge i...
by mkx
Sat Jul 31, 2021 4:55 pm
Forum: Wireless Networking
Topic: Wireless Performance - RB4011iGS+5HacQ2HnD-IN
Replies: 12
Views: 595

Re: Wireless Performance - RB4011iGS+5HacQ2HnD-IN

Wireless Tx power capability of device is stated on product page. For RB4011 wifi version it's up to 29dBm on 2.4GHz and up to 33dBm for 5GHz. Country regulations are much lower. You can get the regulation limits, as hard-coded in ROS, by running /interface wireless info country-info germany from CL...
by mkx
Sat Jul 31, 2021 12:25 pm
Forum: Wireless Networking
Topic: Wireless Performance - RB4011iGS+5HacQ2HnD-IN
Replies: 12
Views: 595

Re: Wireless Performance - RB4011iGS+5HacQ2HnD-IN

The reason RB4011 originally had lower signal strength than your old Fritz is that RB is conforming to your country regulations while old Fritz does not. By setting to "superchannel" and "no_country_set" you're in violation of said regulations (again). The right thing to do is to...
by mkx
Sat Jul 31, 2021 12:11 pm
Forum: Wireless Networking
Topic: Buy AC3 or can I fix old RB951G-2HnD?
Replies: 4
Views: 289

Re: Buy AC3 or can I fix old RB951G-2HnD?

Try 5GHz settings of
Band: 5ghz-n/ac
Channel Width: 20/40mhz-Ce

OP is currently using RB951G-2HnD ... when I last checked my own devices of same model, they didn't have 5GHz radio?
by mkx
Sat Jul 31, 2021 12:04 pm
Forum: General
Topic: Multiple bridge interfaces with different MTU causes out of memory problem
Replies: 5
Views: 176

Re: Multiple bridge interfaces with different MTU causes out of memory problem

Use of jumbo frames between end devices is largely overrated these days with fast switches and capable NICs and you should have a very good reason for insisting on using them. Do some (real life!) benchmarks to assess the difference between using standard 1500-byte MTU and jumbo frames to see if dif...
by mkx
Sat Jul 31, 2021 11:50 am
Forum: General
Topic: LTE DHCP over VLAN
Replies: 7
Views: 287

Re: LTE DHCP over VLAN

I don't think you can set VLANs on LTE interfaces because LTE interfaces are not L2 ethernet interfaces. @mkx the OP wants to use the passthrough feature... ( if i understood right ) In post #4 @OP is mentioning mPCIe modems which provide lte interfaces and he's not able to add those to bridge. So ...
by mkx
Sat Jul 31, 2021 11:36 am
Forum: RouterOS v7 BETA
Topic: Bridge to Wireguard interface [SOLVED]
Replies: 14
Views: 597

Re: Bridge to Wireguard interface [SOLVED]

You can route between devices, connected to ethernet ports, and wireguard. You just can't have both LAN and wireguard in same IP subnet. At the same time you don't really want to extend broadcast domain over some (relatively low speed and high delay) tunnel. Unless you have very specific reasons for...
by mkx
Fri Jul 30, 2021 8:57 pm
Forum: General
Topic: Bridge vlan solution without adding interface vlan
Replies: 3
Views: 151

Re: Bridge vlan solution without adding interface vlan

No. IP layer (L3) in mikrotik can only work with untagged frames. If frames are tagged, then you absolutely need VLAN interface to do the tagging/untagging, one for each VLAN ID. If you use bridge only to pass frames between member ports, then VLAN interfaces aren't needed. BTW, if router is suppose...
by mkx
Fri Jul 30, 2021 4:57 pm
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 107
Views: 9281

Re: MikroTik RB5009UG+S+IN

It looks like the switch chip supports L3 switching/routing:) But does it support IPv6 hardware offloading as well? One thing is switch chip support for L3 switching and for sure IPv6 is different than IPv4 in this regard. Another question is if ROS can configure switch chip to do it. And for now t...
by mkx
Fri Jul 30, 2021 4:07 pm
Forum: General
Topic: LTE DHCP over VLAN
Replies: 7
Views: 287

Re: LTE DHCP over VLAN

I don't think you can set VLANs on LTE interfaces because LTE interfaces are not L2 ethernet interfaces.

What in particular is that you want to achieve?
by mkx
Fri Jul 30, 2021 2:17 pm
Forum: Wireless Networking
Topic: Chateau LTE12 antenna gain [SOLVED]
Replies: 21
Views: 480

Re: Chateau LTE12 antenna gain [SOLVED]

Your post above is not correct. :D Which part of my post is not correct? I even found the correct value for the 5GHz antenna gain (even though it's buried inside product brochure). So you can't claim my post is not correct, you can claim (and complain to MT) that their informations are not correct...
by mkx
Fri Jul 30, 2021 2:02 pm
Forum: Wireless Networking
Topic: Chateau LTE12 antenna gain [SOLVED]
Replies: 21
Views: 480

Re: Chateau LTE12 antenna gain [SOLVED]

I hate your habit of changing your own posts after some other user tells you it's not correct. In long run you're making users telling your posts are wrong look idiots because later readers won't see what was wrong. And, please, tell me which part of my post #9 above is not correct. If you're making...
by mkx
Fri Jul 30, 2021 1:56 pm
Forum: Wireless Networking
Topic: Chateau LTE12 antenna gain [SOLVED]
Replies: 21
Views: 480

Re: Chateau LTE12 antenna gain [SOLVED]

Your answer Because on your country is set that max TX power. relates to question in a post above yours Still I do not understand, why it is not allowed to set "antenna-gain" to 4 on wlan2? So this is the reason I think your answer is not correct. And instead of reasoning why it's wrong I ...
by mkx
Fri Jul 30, 2021 1:34 pm
Forum: Wireless Networking
Topic: Chateau LTE12 antenna gain [SOLVED]
Replies: 21
Views: 480

Re: Chateau LTE12 antenna gain [SOLVED]

The post by @rextended above is not correct. This post together with this post by Normis tell everything about how actual Tx power takes into account different constraints (from wireless chip capability to country regulations). Which means that ability to set certain antenna gain has nothing to do w...
by mkx
Fri Jul 30, 2021 1:05 pm
Forum: General
Topic: CRS Switches License Levels
Replies: 2
Views: 145

Re: CRS Switches License Levels

Those switches have capacity of servicing large number of users/tunnels/etc because they typically come with decent amount of RAM. And their CPU performance can easily exceed the CPU performance of some older SOHO and mid-end professional routers. However, their CPU is too weak to route traffic at t...
by mkx
Fri Jul 30, 2021 12:53 pm
Forum: Beginner Basics
Topic: Unable to access router settings (Webfig or WinBox) [SOLVED]
Replies: 7
Views: 254

Re: Unable to access router settings (Webfig or WinBox) [SOLVED]

If you didn't configure your router yet (i.e. it's new out of the box), then you have to connect your management PC to WAN port. Later, when it's configured, you have to use any other interface (other ethernet ports, wireless). It is very unwise to leave router without password set, your device migh...
by mkx
Fri Jul 30, 2021 10:28 am
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 107
Views: 9281

Re: MikroTik RB5009UG+S+IN

It has a USB connector, so likely you can make a console port by plugging in a USB-RS232 cable. Or better yet a woobm. OTOH, for me having both RJ45 and SFP+ served by single switch chip is a benefit for SOHO installations. This way unit can really be used as combination of router/switch and traff...
by mkx
Fri Jul 30, 2021 9:55 am
Forum: General
Topic: DNS request coming from gateway IP
Replies: 8
Views: 280

Re: DNS request coming from gateway IP

Adapt your masq-rules and include the outgoing ISP interface ?? I agree that masquerade rules should include outgoing ISP interface. But if masq rules are changed that way, you can probably only keep one and omit specifying the src-address. This way router will masq anything going out of ISP interf...
by mkx
Thu Jul 29, 2021 3:35 pm
Forum: Wireless Networking
Topic: Wifi net work for home with Iot (50 devices)
Replies: 43
Views: 1181

Re: Wifi net work for home with Iot (50 devices)

However if everything is done in the bridge menu one has to remember exactly what settings can be offloaded, and what - not

Hmmm ... you know that by heart? I have to check if bridge port still shows "H" among status flags all the time ;-)
by mkx
Thu Jul 29, 2021 2:48 pm
Forum: General
Topic: Block Ping request
Replies: 31
Views: 15530

Re: Block Ping request

If we started to nitpick over your numbers, it would be interesting to see the malicious_ping-per-capita table/ranking ... I guess that would completely change the ranking. Vatican might end up on top (not sure if there's actually any IP address space allocated to that country?). Seems like French w...
by mkx
Thu Jul 29, 2021 2:38 pm
Forum: General
Topic: Block Ping request
Replies: 31
Views: 15530

Re: Block Ping request

Actually the worst country is OTHER. Just can't find it on the Globe. ;-)

Oh, I forgot to include the [sarcasm] [/sarcasm] block ... again.
by mkx
Thu Jul 29, 2021 1:36 pm
Forum: Beginner Basics
Topic: No connection after wrong backup file loaded [SOLVED]
Replies: 3
Views: 205

Re: No connection after wrong backup file loaded [SOLVED]

Seems like (the botched) configuration is kept intact ... netinstall manual offers cmd-line parameter
-r	resets the configuration upon reinstallation procedure, optional

Try using this parameter and see if you can get device to blank (out of factory) state.
by mkx
Thu Jul 29, 2021 12:44 pm
Forum: RouterBOARD hardware
Topic: Hardware recommendation for Internet gateway
Replies: 7
Views: 466

Re: Hardware recommendation for Internet gateway

Or the RB5009 looks more future proof and a better buy It does look more future proof, but as with all new models I expect it to experience some teething problems which should be polished in a few months (hopefully). Hence I wouldn't suggest this model for immediate use in production environment.
by mkx
Thu Jul 29, 2021 12:40 pm
Forum: General
Topic: Does quouting quotes of quotes in consecutive post make any sense?
Replies: 76
Views: 6089

Re: Does quouting quotes of quotes in consecutive post make any sense?

My view on this matter is that no amount of automated restrictions will make this problem go away (and keep forum usable for discussions), the only feasible way is to enforce certain level of netiquette on users. I'm with @BartoszP on that, I just don't know if his way of doing it is the best (but I...
by mkx
Thu Jul 29, 2021 12:37 pm
Forum: General
Topic: Does quouting quotes of quotes in consecutive post make any sense?
Replies: 76
Views: 6089

Re: Does quouting quotes of quotes in consecutive post make any sense?

This change might help but not in most of cases. It seems that one of typical Reply abuses is when users hit Reply to a lengthy post just to express their agreement (one-liner). Reducing number of nested quotes wouldn't help in this case. OTOH sometimes it is really useful to be able to nest more th...
by mkx
Thu Jul 29, 2021 12:08 pm
Forum: Wireless Networking
Topic: Wifi net work for home with Iot (50 devices)
Replies: 43
Views: 1181

Re: Wifi net work for home with Iot (50 devices)

If one can be done, then why not the other? I guess that's because on CRS3xx everything can be offloaded (if one uses single bridge; IIRC when the whole bridge HW offloading was introduced, it was said that HW offloading of multiple bridges might come in some future), but it can't be on other switc...
by mkx
Thu Jul 29, 2021 11:55 am
Forum: General
Topic: CRS 2XX Management VLAN Question
Replies: 8
Views: 452

Re: CRS 2XX Management VLAN Question

You're right, you did have trunk configured right, my bad (disclaimer: I don't have a CRS2xx switch to test things myself). You still have to verify that configuration of device, connected via the two trunked ether ports, matches the trunking functionality. Manual says that matching configuration on...
by mkx
Thu Jul 29, 2021 11:40 am
Forum: General
Topic: Block Ping request
Replies: 31
Views: 15530

Re: Block Ping request

@sindy, if your post is reply to mine ... I guess I should have put the whole post inside [sarcasm] [/sarcasm] block. I'm fully aware of the facts you're describing (but your post is still welcome to remind us all of those facts).
by mkx
Thu Jul 29, 2021 11:08 am
Forum: General
Topic: CRS125-24G-1S going offline
Replies: 7
Views: 308

Re: CRS125-24G-1S going offline

If you think it's a bug in CRS, then probably the best would be to open trouble ticket with Mikrotik support, either via support portal or via email support@mikrotik.com. They'll almost certainly request you to generate supout.rif file and include it with trouble ticket. They might find out something.
by mkx
Thu Jul 29, 2021 8:55 am
Forum: General
Topic: Block Ping request
Replies: 31
Views: 15530

Re: Block Ping request

Top Country pinging me last 7 days

Which proves that USA is cyber-crime infested country, possibly many of those criminals are state sponsored or outright state agencies employees.

Ummm ... wait, isn't western world saying that about Russia and China? Now I'm confused.
by mkx
Thu Jul 29, 2021 8:48 am
Forum: General
Topic: CRS125-24G-1S going offline
Replies: 7
Views: 308

Re: CRS125-24G-1S going offline

In case you verify that there are indeed no loops created when connecting the incriminating CSS to CRS, you can fine-tune RSTP a bit. Instead of setting protocol-mode=none on bridge, you can set it back to default value (protocol-mode=rstp), but set edge=yes property on port, connecting the incrim...
by mkx
Thu Jul 29, 2021 8:27 am
Forum: General
Topic: CRS125-24G-1S going offline
Replies: 7
Views: 308

Re: CRS125-24G-1S going offline

ROS version 6.48.3 has default setting bridge-mode=rstp. And I guess that as with all handlers for protocols it might be buggy. And bug can be either in CRS or CSS. So you can verify SwOS versions on both your CSS devices, perhaps the working one is running different SwOS version than the one makin...
by mkx
Thu Jul 29, 2021 8:22 am
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 107
Views: 9281

Re: MikroTik RB5009UG+S+IN

There are still some places to fix. E.g. user manual says "The device supports RouterOS software version 7.0.04.". In downloads section of product page the "Download" button of "RouterOS current release" points to routeros-arm64-6.48.3.npk ... SFP compatibility list d...
by mkx
Thu Jul 29, 2021 8:08 am
Forum: General
Topic: CRS125-24G-1S going offline
Replies: 7
Views: 308

Re: CRS125-24G-1S going offline

My guess is that xSTP freaks out for some reason. You can try to set protocol-mode=none on bridge and see if it helps. This setting disables loop detection and is not recommended to disable it. If it makes difference, then you really have to verify that there are no loops in your network.
by mkx
Thu Jul 29, 2021 8:00 am
Forum: General
Topic: Semi-randomly change src-port originating from ROS - is it possible?
Replies: 2
Views: 183

Re: Semi-randomly change src-port originating from ROS - is it possible?

Even though UDP protocol is stateless per se, applications using it usually take care of state tracking. Which means that application (in your case WG) knows that combination of {src-address1, src-port1, dst-address, dst-port} properties identify a particular WG connection and any packets having th...
by mkx
Thu Jul 29, 2021 12:01 am
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 107
Views: 9281

Re: MikroTik RB5009UG+S+IN

Yeah. For the money they'd like to get for 4 units, I could get the new CCR2004-16G-2S+ (which would look much nicer and more professional in my home networking rack). If I'd be missing ether ports, I could throw in a CRS326-24G-2S+RM (OK, now we're talking about 2U already, but hey, I'd have 40 Gig...
by mkx
Wed Jul 28, 2021 11:37 pm
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 107
Views: 9281

Re: MikroTik RB5009UG+S+IN

I checked ISP Supplies Canada and they do not have stock .... A Polish distributor states 2021-09-03 as date of availability. Let's wait and see. Could be a nice present on the eve of N-th wave of COVID-19. Another thing - a question for MT staff I guess: MT is selling rack-mount kit for this route...
by mkx
Wed Jul 28, 2021 11:16 pm
Forum: General
Topic: iam have 6.47.8 (stable) on x86 but some time its shutdown suddenly
Replies: 4
Views: 220

Re: iam have 6.47.8 (stable) on x86 but some time its shutdown suddenly

What exactly is asxi? Or do you mean ESXi (VMware)? Having a hole in ROS graph does not prove router was actually shut down. So if it was actually shut down (you had to restart it manually) and there's nothing in ROS logs nor anything in logs of hypervisor, then you'll have some long days troublesho...
by mkx
Wed Jul 28, 2021 10:55 pm
Forum: Beginner Basics
Topic: layer 7 port forwarding
Replies: 17
Views: 660

Re: layer 7 port forwarding

I'm sorry, never did manual configuration of traefik. It's used at my employers in a Kubernetes installation where Kubernetes itself makes basic configuration of traefik (or perhaps Kubernetes admin did it once), while forwarding to backend containers is done automatically when starting those backen...
by mkx
Wed Jul 28, 2021 8:40 pm
Forum: Beginner Basics
Topic: Hap ac2 can't use peer dns from isp [SOLVED]
Replies: 11
Views: 463

Re: Hap ac2 can't use peer dns from isp [SOLVED]

what do you use besides winbox

I thought it was obvious ... ssh client.
by mkx
Wed Jul 28, 2021 8:29 pm
Forum: RouterOS v7 BETA
Topic: v7 launch date
Replies: 124
Views: 13705

Re: v7 launch date

Red are administrators (e.g. @normis), green are moderators. I might be wrong, but I think @nz_monkey is not MT staffer.
by mkx
Wed Jul 28, 2021 8:01 pm
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 107
Views: 9281

Re: MikroTik RB5009UG+S+IN

From the Quick Guide of that beast: This device needs to be upgraded to the v7.0.2 or the latest software version to ensure compliance with local authority regulations! Looks like MikroTik is preparing something powerful to announce... 👀 This is silly ... the warning continues with second paragraph...
by mkx
Wed Jul 28, 2021 7:48 pm
Forum: Beginner Basics
Topic: Hap ac2 can't use peer dns from isp [SOLVED]
Replies: 11
Views: 463

Re: Hap ac2 can't use peer dns from isp [SOLVED]

1) DHCP server will try as hell to provide some DNS server address in DHCP lease unless router admin knows better ;-) 2) Where's setting "Allow remote Servers"? If you're talking about "Allow remote Requests " ... then it's got everything about client requests. If this is set, th...
by mkx
Wed Jul 28, 2021 6:42 pm
Forum: General
Topic: Is blocking websites by URL really impossible?
Replies: 12
Views: 365

Re: Is blocking websites by URL really impossible?

@mkx, please check if redacted version is better

Much better :-)
by mkx
Wed Jul 28, 2021 6:37 pm
Forum: General
Topic: Two providers. Unstable behavior. [SOLVED]
Replies: 9
Views: 339

Re: Two providers. Unstable behavior. [SOLVED]

@BlackRat, the setting you highlighted is IMO invalid. It's not logical to have address with network address set to same value. If bridge-inet should use both addresses 85.xxx.xxx.20 and 85.xxx.xxx.21 and when router uses either of WAN addresses it can directly connect to the same subnet (which is log...
by mkx
Wed Jul 28, 2021 6:30 pm
Forum: General
Topic: Is blocking websites by URL really impossible?
Replies: 12
Views: 365

Re: Is blocking websites by URL really impossible?

@anav writes IDP because he doesn't like what DPI stands for: Deep Pocket Inspection LOL
by mkx
Wed Jul 28, 2021 6:29 pm
Forum: General
Topic: Is blocking websites by URL really impossible?
Replies: 12
Views: 365

Re: Is blocking websites by URL really impossible?

Instead of writing "impossible because use Encrypted SNI (ESNI)" you could have written "will become increasingly hard because of ESNI" and the answer would be correct.
by mkx
Wed Jul 28, 2021 6:23 pm
Forum: General
Topic: Is blocking websites by URL really impossible?
Replies: 12
Views: 365

Re: Is blocking websites by URL really impossible?

On HTTPS with TLS 1.3 or higher: impossible because use Encrypted SNI (ESNI) TLS 1.3 implements ESNI but doesn't enforce it (over SNI), so even if https connection is using TLS v1.3 (enhanced ciphers, ...) it might still use SNI. ESNI requires some additional setup (on DNS servers for web server's ...
by mkx
Wed Jul 28, 2021 6:07 pm
Forum: General
Topic: vlan by mac address on LAN with multiple mikrotik switches
Replies: 19
Views: 632

Re: vlan by mac address on LAN with multiple mikrotik switches

MT should implement HW offload bridges on all capable devices (i.e. on all devices that have decent switch chip). But I guess the problem is that some switch chips simply lack needed functionality for certain operations. E.g. I guess MAC-based VLANs could be done in hardware using ACLs but not all s...
by mkx
Wed Jul 28, 2021 5:54 pm
Forum: RouterOS v7 BETA
Topic: v7 launch date
Replies: 124
Views: 13705

Re: v7 launch date

this has the disadvantage that posts can only be edited by the author.
AFAIK all forum moderators can directly edit all posts. AFAIK all MT staffers present on forum are moderators.

But yes, manually keeping bug-list current is RPITA and I guess MT won't go into this.
by mkx
Wed Jul 28, 2021 5:42 pm
Forum: RouterOS v7 BETA
Topic: v7 launch date
Replies: 124
Views: 13705

Re: v7 launch date

No, forum-hosted bug-tracking won't do ... unless the initial post is actually edited every time bug state changes. Discussions, interleaved with bug-tracking announcements, will make finding bug-tracking list even harder. If MT is using internal issue tracking tools, it would be nice if the page wa...
by mkx
Wed Jul 28, 2021 5:30 pm
Forum: Beginner Basics
Topic: Hap ac2 can't use peer dns from isp [SOLVED]
Replies: 11
Views: 463

Re: Hap ac2 can't use peer dns from isp [SOLVED]

1) Users will bypass router's DNS service if they are not told to use it. Either:
- set DNS server addresses (other than router's own address) in DHCP network
- set DHCP server to send empty DNS list (but that will make unhappy a lot of DHCP clients)
- set DNS servers statically on every LAN device ...
by mkx
Wed Jul 28, 2021 2:55 pm
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 107
Views: 9281

Re: MikroTik RB5009UG+S+IN

Indeed. We all know shortcomings of such design: RB2011, RB3011, RB4011 ... let's just hope it doesn't continue to RB501x ...
by mkx
Wed Jul 28, 2021 2:28 pm
Forum: General
Topic: RB2011UiAS bridge mode
Replies: 1
Views: 178

Re: RB2011UiAS bridge mode

You need to enable DHCP client and configure it to run on bridge interface. If "bridge mode" setup doesn't do it already, I'm not familiar with various QuickSet modes.
by mkx
Wed Jul 28, 2021 1:19 pm
Forum: Beginner Basics
Topic: Hap ac2 can't use peer dns from isp [SOLVED]
Replies: 11
Views: 463

Re: Hap ac2 can't use peer dns from isp [SOLVED]

There are approximately 4 places which affect use of DNS by router and in LAN clients (not mentioning static settings on LAN clients which is fifth place): setting of property use-peer-dns=yes/no of a PPPoE client. At least on my ROS 6.48.3 setting to no seems to be default. This setting affects whe...
by mkx
Tue Jul 27, 2021 11:36 pm
Forum: Wireless Networking
Topic: Low wifi coverage in bedroom
Replies: 9
Views: 516

Re: Low wifi coverage in bedroom

Sure, go ahead and post config of both APs. Somebody might give some advice.
by mkx
Tue Jul 27, 2021 11:26 pm
Forum: Beginner Basics
Topic: IPv6 for home
Replies: 12
Views: 554

Re: IPv6 for home

No, ROS does prefix delegation through RAs (Router Advertisements). RAs are completely different function than DHCPv6. Android doesn't support DHCPv6 (as a whole) and yet android devices do receive prefixes ... through RAs.
by mkx
Tue Jul 27, 2021 11:19 pm
Forum: Beginner Basics
Topic: VLANS & Management VLAN
Replies: 27
Views: 1666

Re: VLANS & Management VLAN

I can see your MT legacy doesn't go far, @anav (or you started to forget). The example I wrote used to be called "bridge per VLAN" and was only way of dealing with VLANs on devices without switch chips (or only fraction of ports were switched) before ROS 6.42. It is necessary to unearth su...
by mkx
Tue Jul 27, 2021 5:13 pm
Forum: Beginner Basics
Topic: IPv6 for home
Replies: 12
Views: 554

Re: IPv6 for home

2) there IS DHCPv6 that is somewhat similar to DHCPv4, but it's mostly used for prefix sharing, not end-client addresses sharing Not true. As I wrote in my post above, full implementation of DHCPv6 server will send to end device almost same set of settings as DHCPv4, including IPv6 address to be di...
by mkx
Tue Jul 27, 2021 9:07 am
Forum: Beginner Basics
Topic: IPv6 for home
Replies: 12
Views: 554

Re: IPv6 for home

Mikrotik doesn't actually implement DHCPv6 server. So you have to use SLAAC. Let's assume you're getting IPv6 prefix from ISP via DHCPv6. So you need:
/ipv6 dhcp-client
add add-default-route=yes interface=WAN pool-name=ipv6-pool request=prefix
/ipv6 address
add address=::1 eui-64=yes from-pool=ipv6-...
by mkx
Tue Jul 27, 2021 8:47 am
Forum: Beginner Basics
Topic: VLANS & Management VLAN
Replies: 27
Views: 1666

Re: VLANS & Management VLAN

If you have a Router and a Switch, lets say the switch is a CRS so you apply VLANs with Bridge filtering method, on the router side ( no switch chip ), why is it bad or wrong to create your Vlans directly on the interface that connects these two ? Without any Bridge interface or anything.. I'm not ...
by mkx
Mon Jul 26, 2021 11:46 pm
Forum: RouterBOARD hardware
Topic: Adding a cooling fan to CRS326
Replies: 49
Views: 10097

Re: Adding a cooling fan to CRS326

Hmmm, I am no electronic designer, but usually a fan on router / switch / pc is used to " extract " the heat out of the casing.... Designing air flow is not something electronic designers do, one would need an expert on fluid dynamics to do that (that's part of physics in my part of unive...
by mkx
Mon Jul 26, 2021 11:04 pm
Forum: Beginner Basics
Topic: VLANS & Management VLAN
Replies: 27
Views: 1666

Re: VLANS & Management VLAN

For @anav:
/interface vlan
add name=e1v100 interface=ether1 vlan-id=100
add name=e2v100 interface=ether2 vlan-id=100
/interface bridge
add name=bridge_v100
/interface bridge port
add bridge=bridge_v100 port=e1v100
add bridge=bridge_v100 port=e2v100
add bridge=bridge_v100 port=ether3
Frames tagged wi...
by mkx
Mon Jul 26, 2021 10:59 pm
Forum: Beginner Basics
Topic: VLANS & Management VLAN
Replies: 27
Views: 1666

Re: VLANS & Management VLAN

There are 3 ways you can do that,
1. Bridge VLAN Filtering (it will consume CPU resources for devices that do not support it),
2. Switch Chip VLANs (for devices with Switch Chip, old method, configuration depends on the switch chip model)
3. Software VLANs (/Interface VLAN)
Actually there are...
by mkx
Mon Jul 26, 2021 10:20 pm
Forum: Beginner Basics
Topic: Drop Invalid vs. Drop "all"
Replies: 16
Views: 722

Re: Drop Invalid vs. Drop "all"

And if the server do not receive ACK, close the connection after some time, depend on settings, on meantime the connection resources still busy. Right, in Linux such connection state is called FIN_WAIT or FIN_WAIT2. I still fail to see how not dropping non-NATed ACK (or whatever is sent) helps serv...
by mkx
Mon Jul 26, 2021 6:25 pm
Forum: Beginner Basics
Topic: Drop Invalid vs. Drop "all"
Replies: 16
Views: 722

Re: Drop Invalid vs. Drop "all"

Stopping that packet cause the service use more memory because from 30s to 30m the connection is still considered open for lack of ACK (or RST). I don't think this is correct. According to ROS packet flow, both connection tracking and SRC-NAT are part of prerouting part of packet flow ... but co...
by mkx
Mon Jul 26, 2021 3:36 pm
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 107
Views: 9281

Re: MikroTik RB5009UG+S+IN

And in video RB5009 is compared to RB4011iGS+5HacQ2HnD-IN, not to RB4011iGS+RM. Test results, as published on respective product pages, are almost the same for both variants of RB4011. Which shouldn't be a surprise as they differ only that wireless version has two radios added, the rest of hardware...
by mkx
Mon Jul 26, 2021 2:20 pm
Forum: Wireless Networking
Topic: WI-FI ROAMING 802.11r QUESTION
Replies: 41
Views: 22780

Re: WI-FI ROAMING 802.11r QUESTION

Wireless clients scan for other APs from time to time (probably more frequently when signal strength of currently used AP drops below some threshold). If client finds AP with same SSID and with better signal strength, it will change to the new one. Device will assume same SSID means same LAN, so it ...
by mkx
Mon Jul 26, 2021 1:46 pm
Forum: General
Topic: How to install CloudFlare origin SSL certificate on mikrotik
Replies: 4
Views: 276

Re: How to install CloudFlare origin SSL certificate on mikrotik

You need SSL certificate on device, which terminates connections. For HTTPS it's web service (or reverse proxy if one is used), not the router performing NAT. So even for HTTPS you only have to port forward external TCP port 443 to your internal server (preferably port 443 as well) which will handle...
by mkx
Mon Jul 26, 2021 1:42 pm
Forum: General
Topic: vlan by mac address on LAN with multiple mikrotik switches
Replies: 19
Views: 632

Re: vlan by mac address on LAN with multiple mikrotik switches

I don't think you can do it just like that without 802.1X, which is standard solution towards wired per-port security. While there are some hooks in mikrotik's DHCP server to work with radius, this doesn't cut the corner because at the end of the day, it's the access switch (where some end device is...
by mkx
Mon Jul 26, 2021 1:26 pm
Forum: Beginner Basics
Topic: layer 7 port forwarding
Replies: 17
Views: 660

Re: layer 7 port forwarding

Just save yourself some nerves and don't think of doing it on mikrotik. As @andrys already explained, it's a hack and as with all hacks, it might not work very well. If, OTOH, you go for proper solution[*], you'll have it done in no time and live happily ever after. [*] There are tons of proper reve...
by mkx
Mon Jul 26, 2021 1:19 pm
Forum: Wireless Networking
Topic: WI-FI ROAMING 802.11r QUESTION
Replies: 41
Views: 22780

Re: WI-FI ROAMING 802.11r QUESTION

So it is funny that now they would decide not to have basic functionality of a WiFi access point in "old" equipment (I presume that would be the "new" equipment discussed above, because really old equipment has enough space), "due to space restrictions". It's not that ...
by mkx
Mon Jul 26, 2021 1:09 pm
Forum: Beginner Basics
Topic: Hex vs Hex S [SOLVED]
Replies: 22
Views: 754

Re: Hex vs Hex S [SOLVED]

hEX (and hEX S) is a pretty good device for its money. But when thinking about dual WAN of decent speeds (as implied by fibre infrastructure), hEX might be slightly underpowered as it can route at around 1Gbps (full duplex). If you foresee total routing throughput of more than 1Gbps, you'll have to ...
by mkx
Mon Jul 26, 2021 1:06 pm
Forum: RouterOS v7 BETA
Topic: v7 launch date
Replies: 124
Views: 13705

Re: v7 launch date

RB5009 was not officially announced yet. So far it took quite some months between official announcement and availability on the street for any new device in last few years. If this tradition remains, we might see stable ROS v7 (for all supported devices) at around same time as street availability of...
by mkx
Mon Jul 26, 2021 10:58 am
Forum: Beginner Basics
Topic: Hex vs Hex S [SOLVED]
Replies: 22
Views: 754

Re: Hex vs Hex S [SOLVED]

Using xPON SFPs in Mikrotik devices directly is not supported. Sometimes it works, but mostly it doesn't. If you don't want to lose much time (and money), I suggest you to plan to use the ISP-provided ONU as a media converter. Both devices you're mentioning (hEX and hEX S) are more or less identica...
by mkx
Mon Jul 26, 2021 10:04 am
Forum: Beginner Basics
Topic: Routing different networks unstable
Replies: 4
Views: 427

Re: Routing different networks unstable

Setting wireless frequency manually is sometimes a good thing. Disabling RSTP is good when you know there can't be any loops in your network. But the underlying problem one might see with RSTP in conjunction with wireless is the following: when there are no active clients of wireless, by default wir...
by mkx
Mon Jul 26, 2021 10:00 am
Forum: General
Topic: pi hole after mikrotik router - get remote IP?
Replies: 8
Views: 643

Re: pi hole after mikrotik router - get remote IP?

change the Ether1 IP to 10.0.0.253/29 change WiFi IP to 10.0.0.50/28 (and setup the pool to 50-60) route 0.0.0.0/0 to fortigate 10.0.0.254 (as now) No, that wouldn't do, because neither 10.0.0.150 (pihole) nor 10.0.0.254 (router) are members of subnet 10.0.0.50/28 (which covers IP addresses between...
by mkx
Mon Jul 26, 2021 9:21 am
Forum: RouterBOARD hardware
Topic: Hardware recommendation for Internet gateway
Replies: 7
Views: 466

Re: Hardware recommendation for Internet gateway

I agree with what @mducharme wrote. Only ... hAP ac 2 with performance similar to the one of hAP ac 3 is quite cheaper. RB3011 is a decent device, but based on slightly older CPU etc. Still decent performer, specially with 10 ethernet ports. One just have to be careful, there are two switch chips ru...
by mkx
Mon Jul 26, 2021 8:55 am
Forum: Beginner Basics
Topic: Drop Invalid vs. Drop "all"
Replies: 16
Views: 722

Re: Drop Invalid vs. Drop "all"

Re. drop invalid: invalid packets are not the ones that don't have corresponding entry in conntrack table (in principle those are "new" packets), but those which don't have valid characteristics. That could either be invalid according to existing conntrack entry (i.e. too low sequence numb...
by mkx
Sun Jul 25, 2021 9:26 pm
Forum: RouterBOARD hardware
Topic: Powerbox Pro overload detection
Replies: 13
Views: 4977

Re: Powerbox Pro overload detection

If you can live without having observability and control of the remote device, then you could try using either RBPOE or RBGPOE passive injectors instead of using RB960GSP PoE out. RBGPOE is rated at 2A, I'm not sure about short circuit protection ...
by mkx
Sun Jul 25, 2021 6:08 pm
Forum: Beginner Basics
Topic: hAP ac3 - VLAN & inter-VLAN
Replies: 21
Views: 1305

Re: hAP ac3 - VLAN & inter-VLAN

For starters read (and understand) the VLAN tutorial, @anav posted link in post #2 above. Nowadays it's the most versatile way of doing it (perhaps not the most resource friendly but with hAP ac3 this shouldn't be a problem). Remember, VLANs are sort of LANs. When it comes to connectivity between dif...
by mkx
Sun Jul 25, 2021 5:18 pm
Forum: Wireless Networking
Topic: Low wifi coverage in bedroom
Replies: 9
Views: 516

Re: Low wifi coverage in bedroom

You could position the 1st floor AP centrally, but that might mean losing backyard coverage. So probably you'll have to add the third AP somewhere close to master bedroom. You might want to go with 5GHz only. You might be able to decrease Tx power of AP slightly, but not too much, you want that AP's...
by mkx
Sun Jul 25, 2021 4:12 pm
Forum: General
Topic: Input firewall filter prioritization [SOLVED]
Replies: 29
Views: 1005

Re: Input firewall filter prioritization [SOLVED]

@anav, but how do they come to your mind? :)))

Could be his finger hurts due to exposition to a nutcracker? ;-)
by mkx
Sun Jul 25, 2021 3:45 pm
Forum: General
Topic: Input firewall filter prioritization [SOLVED]
Replies: 29
Views: 1005

Re: Input firewall filter prioritization [SOLVED]

Try not to always think badly, I understand that sometimes I deserve a kick in the balls, but really this time there was nothing wrong... Your first post in this thread (the #4) was all about why OP should not do something and nothing about how OP could achieve what he wanted to do. Even if your go...
by mkx
Sun Jul 25, 2021 12:44 pm
Forum: General
Topic: vlan by mac address on LAN with multiple mikrotik switches
Replies: 19
Views: 632

Re: vlan by mac address on LAN with multiple mikrotik switches

Radius can help, but only if LAN forces authentication process for all devices. The authentication process then needs to involve radius server and might be WiFi WPA2 (the enterprise version) or 802.1X. If the network doesn't enforce authentication, then you could configure MAC-based VLAN on all acce...
by mkx
Sun Jul 25, 2021 12:36 pm
Forum: General
Topic: Input firewall filter prioritization [SOLVED]
Replies: 29
Views: 1005

Re: Input firewall filter prioritization [SOLVED]

what are you writing? When I start to write reply, sometimes it takes some time to formulate it so that it fits the question as much as possible (trying to verify things on the go). It seems like you are much faster at writing your posts. But then, when I finished the answer and tried to post it, f...
by mkx
Sun Jul 25, 2021 12:44 am
Forum: General
Topic: Input firewall filter prioritization [SOLVED]
Replies: 29
Views: 1005

Re: Input firewall filter prioritization [SOLVED]

If WG is running on router itself, then you might have a problem ... normally only one service can use a protocol/port number (e.g. TCP/53). When another service tries to acquire access to already used port, it's denied. In linux it is possible to attach service to one of configured IP addresses and...
by mkx
Sat Jul 24, 2021 8:57 pm
Forum: RouterOS v7 BETA
Topic: CRS317 l3hw + firewall question
Replies: 3
Views: 410

Re: CRS317 l3hw + firewall question

If I set the ports back to hw accelerated = yes, within 2-3seconds speeds go up to linerate and cpu down to 2%

So where exactly is the problem? HW offload of fasttracked connections also requires l3-hw-offloading=yes.
by mkx
Sat Jul 24, 2021 11:20 am
Forum: RouterBOARD hardware
Topic: 48-Volt POE-Out switches
Replies: 19
Views: 2194

Re: 48-Volt POE-Out switches

http://www.microset.net/componenti.php?modid=160&imgid=33&lang=en Interesting ... for Italian-speaking users the efficiency of these units is 85%-90% and for the rest it's >90% (which I read as "more than 90%" and according to my understanding 85%-90% is mostly "less than 90%...
by mkx
Fri Jul 23, 2021 9:52 pm
Forum: Wireless Networking
Topic: Mikrotik - Early Access beta hardware?
Replies: 13
Views: 775

Re: Mikrotik - Early Access beta hardware?

@anav, so you became a mind reader after all, you know what @rextended had in mind when he wrote what he wrote. However, OP in his initial post expressly asked about "...for early access hardware or beta testing." So I took the whole sentence to be about hardware as we all have opportunity...
by mkx
Fri Jul 23, 2021 9:46 pm
Forum: General
Topic: CRS 2XX Management VLAN Question
Replies: 8
Views: 452

Re: CRS 2XX Management VLAN Question

Your setup seems fine with regard to vlan100 ... the switch chip settings, bridge and vlan interface. However, you have a small mess with trunked ports ether23 and ether24. The basic idea is that when ports become members of trunk, they are not referred by configuration anymore. Instead port trunk1 ...
by mkx
Fri Jul 23, 2021 6:24 pm
Forum: General
Topic: time of last config change
Replies: 4
Views: 377

Re: time of last config change

No, time of last change is not available.

There are tools to show differences in (text) files, it's possible to automate process.
by mkx
Fri Jul 23, 2021 6:22 pm
Forum: General
Topic: CRS 2XX Management VLAN Question
Replies: 8
Views: 452

Re: CRS 2XX Management VLAN Question

Post configuration for review: /export hide-sensitive file=anynameyouwish and copy-paste contents.
by mkx
Fri Jul 23, 2021 6:04 pm
Forum: Wireless Networking
Topic: Mikrotik - Early Access beta hardware?
Replies: 13
Views: 775

Re: Mikrotik - Early Access beta hardware?

Just one... correction... I disagree. Most devices older than 2 or 3 years are quite stable. Perhaps the newest in the roster (those depending on v7) will take a while longer to stabilize due to ROS v7 own instability. Unless devices are actually flawed by design (one might say that about e.g. RB40...
by mkx
Fri Jul 23, 2021 5:57 pm
Forum: General
Topic: Auto Run script on reset
Replies: 4
Views: 309

Re: Auto Run script on reset

Sure, almost nothing is really fool-proof. But I'd assume most tenants fiddling would simply push reset button and for that netinstall with custom configuration script is good enough. As soon as tenants get hold of admin password it's game over.
by mkx
Fri Jul 23, 2021 3:17 pm
Forum: General
Topic: Auto Run script on reset
Replies: 4
Views: 309

Re: Auto Run script on reset

You can install your own default configuration (which gets applied after device reset) when using netinstall for "bare metal" software install ... read description of Configure script property.
by mkx
Fri Jul 23, 2021 2:41 pm
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 107
Views: 9281

Re: MikroTik RB5009UG+S+IN

The routing performance increase compared to RB4011, as indicated in RB5009 propaganda, is not true. E.g. number under "Routing -> 25 ip filter rules -> 512 byte packets" shown in RB5009 propaganda is 624.3 kpps / 2557.1 Mbps. Official RB4011iGS+RM test results have in same "table cel...
by mkx
Fri Jul 23, 2021 2:23 pm
Forum: RouterBOARD hardware
Topic: The big CCR2004 reboot thread (was 2004 hardware issues?)
Replies: 192
Views: 25376

Re: The big CCR2004 reboot thread (was 2004 hardware issues?)

... and they are now asking me shitty CLI things... ... why network guys suggest it ? Mikrotik devices (running ROS in particular) are not really something to recommend to people with attitude towards CLI as you have. Most network guys, who know their stuff (be it Cisco, Juniper, ... or Mikrotik), ...
by mkx
Fri Jul 23, 2021 2:13 pm
Forum: Beginner Basics
Topic: Allow Remote DNS Requests
Replies: 6
Views: 527

Re: Allow Remote DNS Requests

... you will get in real trouble sooner or later!

Rather sooner than later.
by mkx
Fri Jul 23, 2021 11:45 am
Forum: Wireless Networking
Topic: Can't get started with mAP lite [SOLVED]
Replies: 4
Views: 360

Re: Can't get started with mAP lite [SOLVED]

You could try using WinBox with MAC connectivity to get into mAP lite. Before you ask: WinBox runs happily under Wine in Linux (and in similar windows-like environment in MacOS).
by mkx
Fri Jul 23, 2021 8:38 am
Forum: Wireless Networking
Topic: Mikrotik - Early Access beta hardware?
Replies: 13
Views: 775

Re: Mikrotik - Early Access beta hardware?

Yup ... buy new model devices from your local MT distributor and you're hooked up for beta testing. Or so it seems ...
by mkx
Fri Jul 23, 2021 8:28 am
Forum: Wireless Networking
Topic: Weird speed problem, bridged network
Replies: 7
Views: 475

Re: Weird speed problem, bridged network

b-c using 5230/20/an, f-g using 5220/20/an. I thought I was guaranteed no mutual interference between single 5GHz channels. ROS lets one set things which are not exactly according to standards / best practice. If you check the list of 5GHz channels you'll see that valid channel frequencies for 20MH...
by mkx
Thu Jul 22, 2021 4:27 pm
Forum: Wireless Networking
Topic: CAP AC, HAP AC2, CAPSMAN and channels
Replies: 14
Views: 871

Re: CAP AC, HAP AC2, CAPSMAN and channels

Thanks. I've learned another way of setting per-CAP settings (apart from making it in /capsman provisioning).
by mkx
Thu Jul 22, 2021 4:18 pm
Forum: Beginner Basics
Topic: CRS309 slow internet
Replies: 9
Views: 473

Re: CRS309 slow internet

No, CCR20xx devices are very fast with regard to routing and firewalling. CRS309 is a switch with low routing/firewalling speed. The speed difference between CCR20xx and CRS309 is more than 10-fold. What I wrote about CRS309 running ROS v7 is a future prospect which will become true in yet unknown t...
by mkx
Thu Jul 22, 2021 12:11 pm
Forum: Beginner Basics
Topic: CRS309 slow internet
Replies: 9
Views: 473

Re: CRS309 slow internet

When it comes to routing, both routers will dance circles around CRS309. Both routers might even route at 10Gbps depending on usage pattern. With ROSv7 CRS309 will become a great wire-speed router, when used as firewall it will depend on usage pattern (might be wire-speed or as slow as it is with RO...
by mkx
Thu Jul 22, 2021 11:57 am
Forum: Beginner Basics
Topic: CRS309 slow internet
Replies: 9
Views: 473

Re: CRS309 slow internet

Depending on amount of packet processing, needed to forward a packet between two router's interfaces, the net throughput can vary quite a lot. However, in typical SOHO environment a pretty good indication of device's performance is the number under "Ethernet Test Results -> Routing 25 ip filter...
by mkx
Thu Jul 22, 2021 10:57 am
Forum: Wireless Networking
Topic: The best simple way for multiSSID (guest) in Capsman
Replies: 3
Views: 349

Re: The best simple way for multiSSID (guest) in Capsman

True guest network is more than additional SSID ... it needs additional LAN setup (VLAN for L2 separation, IP setup on that VLAN). CAPsMAN is only there to provision radio interfaces (with VLAN IDs if needed), the rest has to be done manually ... most of it on router, depending on particular scenari...
by mkx
Thu Jul 22, 2021 10:54 am
Forum: Wireless Networking
Topic: Weird speed problem, bridged network
Replies: 7
Views: 475

Re: Weird speed problem, bridged network

Can you try UDP throughput test (e.g. using iperf)? I'm guessing that double RTT combined with power save kicking in makes TCP performance drop to floor while UDP performance might remain high. If that's so, you might want to look into WMM priorities...
by mkx
Wed Jul 21, 2021 3:26 pm
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 107
Views: 9281

Re: MikroTik RB5009UG+S+IN

But if there was a RB5018UG+S+RM ... I'd be in the line for one already ;-) A passively cooled CCR2004 with 16x 1Gbit and 2x SFP+ is coming. Not really the same. Specifications of RB5009 include a very fine switch chip (Marvell 88E6393), while CCR doesn't have one (PIPE is not switch chip, it's a d...
by mkx
Wed Jul 21, 2021 12:33 pm
Forum: Wireless Networking
Topic: CAP AC, HAP AC2, CAPSMAN and channels
Replies: 14
Views: 871

Re: CAP AC, HAP AC2, CAPSMAN and channels

Can you show export of such setup? I'm intrigued ;-)
by mkx
Wed Jul 21, 2021 12:29 pm
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 107
Views: 9281

Re: MikroTik RB5009UG+S+IN

I guess that enclosure as it is is to offer enough cooling surface ... for device being passively cooled and intended to be mounted in a dense pack (two one above another, two side-by-side) it needs some smartly designed enclosure. But if there was a RB5018UG+S+RM ... I'd be in the line for one alre...
by mkx
Wed Jul 21, 2021 12:22 pm
Forum: Wireless Networking
Topic: CAP AC, HAP AC2, CAPSMAN and channels
Replies: 14
Views: 871

Re: CAP AC, HAP AC2, CAPSMAN and channels

But does this way of setting things survive reboots (of either CAPsMAN or CAP)? The way I described settings are there for good. Configuration export and backup file has it as well ...
by mkx
Wed Jul 21, 2021 12:19 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta6 [development] is released!
Replies: 340
Views: 47051

Re: v7.1beta6 [development] is released!

We have such routing switches at work, and they are routing between VLANs inside an office. Do you enforce firewall filter for inter-VLAN connections? Without firewall enabled, those connections would be purely routed and for inter-VLAN routing the L3HW routing table is plenty large. OTOH, when I w...
by mkx
Wed Jul 21, 2021 11:29 am
Forum: Wireless Networking
Topic: CAP AC, HAP AC2, CAPSMAN and channels
Replies: 14
Views: 871

Re: CAP AC, HAP AC2, CAPSMAN and channels

@gotsprings: how exactly do you adjust settings for particular CAP? It is possible to set particular parameters for a CAP even if create-dynamic-enabled if you create per-CAP provisioning rules ... for this to work several provisioning rules are needed: a general catch-all rule and several specific ...
by mkx
Wed Jul 21, 2021 8:21 am
Forum: RouterOS v7 BETA
Topic: v7.1beta6 [development] is released!
Replies: 340
Views: 47051

Re: v7.1beta6 [development] is released!

if i may ask, what is the expected use case of offloading fasttracked connections? Wirespeed routing with firewall enabled? I agree that 4k connections is small number even for a small business let alone for an ISP, but that doesn't mean the functionality should not be developed. It's just that one...
by mkx
Wed Jul 21, 2021 8:08 am
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 107
Views: 9281

Re: MikroTik RB5009UG+S+IN

This one is a prime candidate for 4+ antennae WiFi version. Ugly as a sin, but it seems that's the way gameboys like it. On the serious note: if it had wireless, then the argumentation about particular form factor is not valid anymore. So if it came as wireless version, it would likely come in larger...
by mkx
Wed Jul 21, 2021 7:53 am
Forum: RouterOS v7 BETA
Topic: L3HW User Manual Updated
Replies: 16
Views: 1986

Re: L3HW User Manual Updated

I still don't fully understand why PVID setting is mandatory in practice. @raimondsp writes that omitting to set it keeps the default setting of pvid=1 (which we already know very well), but the argument about bridging the port with other ports with pvid=1 seems moot to me if frame-types property i...
by mkx
Tue Jul 20, 2021 9:11 am
Forum: RouterBOARD hardware
Topic: Constantly 'poe-status: power_reset' in hEX PoE [SOLVED]
Replies: 3
Views: 564

Re: Constantly 'poe-status: power_reset' in hEX PoE [SOLVED]

As I found out somewhere else, the reason they ship hEX PoE with 24V supply is to support passive PoE (which does not work with 48V power supply). As a matter of fact passive PoE does work with 48V power supply. It's that many (older) Mikrotik devices don't support supply voltages above around 30V,...
by mkx
Tue Jul 20, 2021 9:00 am
Forum: RouterOS v7 BETA
Topic: Fastpath with Input rules
Replies: 5
Views: 908

Re: Fastpath with Input rules

I guess that the thing is that when there are any firewall filter rules (which by definition enables stateful firewall), connection tracking has to be performed (because that's how connection state is determined). Connection tracking result is one of inputs for routing decision which in turn decides...
by mkx
Mon Jul 19, 2021 10:39 pm
Forum: RouterBOARD hardware
Topic: Constantly 'poe-status: power_reset' in hEX PoE [SOLVED]
Replies: 3
Views: 564

Re: Constantly 'poe-status: power_reset' in hEX PoE [SOLVED]

The PD complies with IEEE 802.3af and draws max. 3W at 24V. 802.3af/at and 24V don't go together. If you want to power an af/at PD, then you need a 48V power supply for RB960PGS. RB doesn't convert voltages, only passes whatever it receives from power adapter ... and don't start another round of qu...
by mkx
Mon Jul 19, 2021 5:43 pm
Forum: General
Topic: How to connect 2 networks
Replies: 7
Views: 446

Re: How to connect 2 networks

From functional point of view any mikrotik with at least 2 ethernet ports will do. From performance point of view they are not same after all, you will use it as router/firewall, which does stress device more than simple switching traffic. So it depends on what kind of performance you expect from it.
by mkx
Mon Jul 19, 2021 5:34 pm
Forum: Beginner Basics
Topic: Port 2 deletion in year 2021
Replies: 8
Views: 739

Re: Port 2 deletion in year 2021

It's better to change bridge MAC address. Physical ports have each one factory default (tied to hardware) while bridge is always "inventing" its own MAC address ... this way or another. One way is to use MAC of ether2 but replace second hex-digit from left with one of 2,6,A,E. E.g. if MAC ...
by mkx
Mon Jul 19, 2021 10:14 am
Forum: Beginner Basics
Topic: Port 2 deletion in year 2021
Replies: 8
Views: 739

Re: Port 2 deletion in year 2021

It brings down the network because bridge MAC address changes. By default bridge takes MAC address of first active member port and by default that's ether2. When you remove ether2 from bridge, it takes another MAC address (possibly of ether3 if that port is still member of bridge) and because of tha...
by mkx
Mon Jul 19, 2021 10:04 am
Forum: Beginner Basics
Topic: Having trouble blocking Port 22
Replies: 1
Views: 262

Re: Having trouble blocking Port 22

By default IP firewall doesn't filter traffic passing between bridged ports. If you want to enforce firewall rules on that traffic, you need in general two additional settings: set use-ip-firewall=yes in /interface bridge settings make sure traffic passing particular port (in your case ether1 with s...
by mkx
Sun Jul 18, 2021 7:41 pm
Forum: RouterBOARD hardware
Topic: Precision Time Protocol (PTP, IEEE 1588) Support
Replies: 20
Views: 1247

Re: Precision Time Protocol (PTP, IEEE 1588) Support

This is a forum for networking devices and not about my personal toying with time synchronization. Right. So you came to forum asking for PtP support on ridiculously cheap devices but when asked for you don't want to explain use case. So far all use cases requiring PtP (more than one) I know requir...
by mkx
Sun Jul 18, 2021 4:22 pm
Forum: Beginner Basics
Topic: Using sign § in password [SOLVED]
Replies: 5
Views: 503

Re: Using sign § in password [SOLVED]

As I wrote: there are many character encodings out there. Nowadays there's no reason not to use UTF-8 everywhere, but for historical reason many different encodings are used in various places and inter-working is not always smooth. The most frequent problem is assumption that application's "nati...
by mkx
Sun Jul 18, 2021 4:12 pm
Forum: Beginner Basics
Topic: Using sign § in password [SOLVED]
Replies: 5
Views: 503

Re: Using sign § in password [SOLVED]

OP is writing about "paragraph" sign, not about "dollar" sign.
by mkx
Sun Jul 18, 2021 3:32 pm
Forum: RouterBOARD hardware
Topic: Precision Time Protocol (PTP, IEEE 1588) Support
Replies: 20
Views: 1247

Re: Precision Time Protocol (PTP, IEEE 1588) Support

@2bn2t: I still fail to see use case for PtP support on low-end devices such as hAP ac2 or RB4011 (or even CCR routers for that matter). Can you kindly describe one for me (something that doesn't involve professional use where I'd expect professional devices in use)?
by mkx
Sun Jul 18, 2021 3:27 pm
Forum: Beginner Basics
Topic: Using sign § in password [SOLVED]
Replies: 5
Views: 503

Re: Using sign § in password [SOLVED]

Non-ascii characters have multiple different encodings and if both parties don't (actively) agree about which encoding is used, then there are problems. Winbox quite likely (implicitly) uses encoding associated to your windows language settings while webfig (and TikApp) uses some kind of http-encoded...
by mkx
Sun Jul 18, 2021 2:17 pm
Forum: General
Topic: ASK [current tx power]
Replies: 2
Views: 306

Re: ASK [current tx power]

Seems like it never worked on ac wireless chips. Whether the functionality (reporting) is not available from chipsets or MT didn't implement reading on those chips is question for MT devs.
by mkx
Sun Jul 18, 2021 1:18 pm
Forum: General
Topic: Port trunking problems [SOLVED]
Replies: 3
Views: 409

Re: Port trunking problems [SOLVED]

Post current (non-working) config and the diagram. Post text export (execute /export hide-sensitive file=anynameyouwish and copy-paste file contents).
by mkx
Sun Jul 18, 2021 1:15 pm
Forum: Beginner Basics
Topic: Have two SXTSQ lite5, nont would reinstall
Replies: 1
Views: 229

Re: Have two SXTSQ lite5, nont would reinstall

I guess only advice is to keep trying with netinstall. Netinstall process is highly fragile and you have to observe all requirements as set forth in netinstall manual. Often the cause of failing to do process correctly lies in (slightly) incompatible hardware and settings of PC used in the process. ...
by mkx
Sun Jul 18, 2021 1:07 pm
Forum: Beginner Basics
Topic: RouterOS do not drop unknown vlans?
Replies: 5
Views: 575

Re: RouterOS do not drop unknown vlans?

The thing is that with setting vlan-filtering=yes on bridge, ROS enforces certain level of security. One notable setting is subtree /interface bridge vlan which defines egress filtering. If you want to make CRS transparent to VLANs (and agree to move VLAN security to connected devices), then set vla...
by mkx
Sun Jul 18, 2021 12:16 pm
Forum: RouterOS v7 BETA
Topic: Routing speeds on v7 RB4011
Replies: 11
Views: 1529

Re: Routing speeds on v7 RB4011

... use under 15W ... Just bolt loads of Turbos and Superchargers to it and make it ludicrous! In the world where turbos and superchargers are meant verbatim, bolting those almost every time means that owner doesn't want to think about energy consumption (which is reflected to MPG which, in contrar...
by mkx
Sat Jul 17, 2021 11:41 pm
Forum: General
Topic: wireless client issue
Replies: 2
Views: 382

Re: wireless client issue

In short: either configure hAP lite as "client-pseudobridge" or "client-pseudobridge-clone" mode. But the result won't be ideal either way.

You can read longer article about the problems with setup like yours here.
by mkx
Sat Jul 17, 2021 7:26 pm
Forum: Wireless Networking
Topic: CAP AC, HAP AC2, CAPSMAN and channels
Replies: 14
Views: 871

Re: CAP AC, HAP AC2, CAPSMAN and channels

Channels "which do nothing" are DFS channels. When AP selects one of those channels as candidate for operations, it has to monitor activity on channel for 1 to 10 minutes and be silent during that period of time.
by mkx
Sat Jul 17, 2021 12:34 pm
Forum: Wireless Networking
Topic: CAP AC, HAP AC2, CAPSMAN and channels
Replies: 14
Views: 871

Re: CAP AC, HAP AC2, CAPSMAN and channels

The problem with CAPsMAN provisioned wireless network is that CAPs still autonomously select channels to operate (out of list of allowed channels provisioned by CAPsMAN) - unless you manually configure provisioning rules for each CAP. If all CAPs do the frequency scans at the very same time (e.g. aft...
by mkx
Sat Jul 17, 2021 12:17 pm
Forum: General
Topic: The problem with changing the ROS version
Replies: 1
Views: 296

Re: The problem with changing the ROS version

I suggest you to perform full netinstall. This procedure formats flash storage and removes all configuration. As you're mentioning multiple IP addresses it seems like you're using the device as router. There are multiple problems with such usage: CRS3xx devices are primarily switches. While they ca...
by mkx
Sat Jul 17, 2021 12:11 pm
Forum: General
Topic: PowerboxPro VLAN switching
Replies: 4
Views: 518

Re: PowerboxPro VLAN switching

You could use switch chip to do the tagging/untagging on ether ports and use bridge without vlan-filtering. This way bridge would act as dumb switch and SFP port would be trunk port for all VLANs available to CPU. Which is not all VLANs on switched ports, you can set VLAN membership for switch-cpu1 ...
by mkx
Fri Jul 16, 2021 3:35 pm
Forum: RouterBOARD hardware
Topic: Precision Time Protocol (PTP, IEEE 1588) Support
Replies: 20
Views: 1247

Re: Precision Time Protocol (PTP, IEEE 1588) Support

I find it hard to believe that any LTE base station (except picocells) would not have sufficient GPS reception to synchronize time. ... Only indoor installations could have problems with that. In some LTE networks, indoor installations make up for more than 50% of locations. Go figure. I use the se...
by mkx
Fri Jul 16, 2021 8:09 am
Forum: RouterBOARD hardware
Topic: Precision Time Protocol (PTP, IEEE 1588) Support
Replies: 20
Views: 1247

Re: Precision Time Protocol (PTP, IEEE 1588) Support

What exactly in typical office environment requires timing precision better than millisecond? Not all environments are office environments! I think he is hinting that it may be e.g. a recording studio environment. OP was asking about PTP availability on hAP ac2 ... personally I wouldn't use this un...
by mkx
Fri Jul 16, 2021 7:59 am
Forum: Beginner Basics
Topic: need to assign vlan to a bridge
Replies: 2
Views: 346

Re: need to assign vlan to a bridge

You want to go through this tutorial to get more or less complete overview of how to configure VLANs properly.
by mkx
Thu Jul 15, 2021 11:34 pm
Forum: RouterBOARD hardware
Topic: Precision Time Protocol (PTP, IEEE 1588) Support
Replies: 20
Views: 1247

Re: Precision Time Protocol (PTP, IEEE 1588) Support

I hope I understand you. I think that’s sarcasm? Yes, it is sarcasm, but only partially. IEEE1588v2 is essentially NTP with HW support. The net effect is higher time precision, both as absolute time and jitter. But one has to put thing into perspective: plain old NTP can give precision in order o...
by mkx
Thu Jul 15, 2021 8:46 pm
Forum: RouterBOARD hardware
Topic: Precision Time Protocol (PTP, IEEE 1588) Support
Replies: 20
Views: 1247

Re: Precision Time Protocol (PTP, IEEE 1588) Support

Why would you ever need PTP on a home-device (hAP ac2)?

To have log entries with timestamps with nano-second precision?
by mkx
Thu Jul 15, 2021 6:28 pm
Forum: General
Topic: CAPS Man & different WIFI channel config
Replies: 22
Views: 1123

Re: CAPS Man & different WIFI channel config

But you do see different channels used on 2.4GHz: 1, 6 and 11. If you browse the document about channels (I posted the link in one of my previous posts) and jump to 2.4GHz section, you'll see a nice illustration showing that in 2.4GHz channels are in fact overlapping (and thus interfering with each ot...
by mkx
Wed Jul 14, 2021 7:30 pm
Forum: General
Topic: Firewall drop all !LAN is not the same as drop all WAN
Replies: 15
Views: 837

Re: Firewall drop all !LAN is not the same as drop all WAN

I don't think it's exception for me, I never asked for one.

However, there is exception for me: my ISP delegates reverse queries for my (static) IPv6 prefix to my own DNS server. :-)
by mkx
Wed Jul 14, 2021 7:25 pm
Forum: Announcements
Topic: MUM EUROPE AND OTHER UPCOMING EVENTS - POSTPONED!
Replies: 58
Views: 95373

Re: MUM EUROPE AND OTHER UPCOMING EVENTS - POSTPONED!

I guess Latvian women are state of art hardware running complex code and Latvian men like to deal with them ;-)
by mkx
Wed Jul 14, 2021 7:22 pm
Forum: General
Topic: Firewall drop all !LAN is not the same as drop all WAN
Replies: 15
Views: 837

Re: Firewall drop all !LAN is not the same as drop all WAN

Some ports, such as 53 ... we do not open them for any reason.

I'm glad I'm not your customer. I'm running DNS server authoritative for my personal domain at home. My ISP is letting me break my own balls ;-)
by mkx
Wed Jul 14, 2021 6:17 pm
Forum: Beginner Basics
Topic: checkout for optimization
Replies: 1
Views: 289

Re: checkout for optimization

In networking world in general there are no tools which automatically optimize everything to achieve superb throughput. So manual optimization is what remains. ROS offers quite some tools for observability, one can use specialized probes and tools for analyzing the traffic patterns and possible prob...
by mkx
Wed Jul 14, 2021 5:40 pm
Forum: RouterOS v7 BETA
Topic: v7 launch date
Replies: 124
Views: 13705

Re: v7 launch date

I'd rather say it's channel=frustrated_support_engineers ... frustrated by incompetent users who can't read warnings, written with letters of usual size and colour.
by mkx
Wed Jul 14, 2021 5:34 pm
Forum: RouterBOARD hardware
Topic: microSD vs USB
Replies: 3
Views: 538

Re: microSD vs USB

hEX S is built around MediaTek MT7621A chip, which supports USB 3.0 and SDXC. However hEX S implements USB 2.0 which means up to 480 Mbps. SDXC OTOH (the initial revision) means up to 104 MBps (which is around 830 Mbps). Meaning that SD is likely faster. But these are maximum numbers and storage imp...
by mkx
Wed Jul 14, 2021 4:48 pm
Forum: General
Topic: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware
Replies: 9
Views: 618

Re: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware

The problem with current fleet of Mikrotik devices is that while CRS3xx will be great for wirespeed routing, they likely don't have CPU powerful enough for firewalling at, say, 1Gbps (even if many connections will get fasttracked and thus HW offloaded). And I expect that users with 10Gbps LAN would ...
by mkx
Wed Jul 14, 2021 4:37 pm
Forum: Beginner Basics
Topic: Problem to see source address - port forward
Replies: 3
Views: 344

Re: Problem to see source address - port forward

add action=masquerade chain=srcnat src-address=192.168.100.0/24 add action=masquerade chain=srcnat src-address=10.6.0.0/21 add action=masquerade chain=srcnat You messed with src-nat royally. Default src-nat rule is single one: add action=masquerade chain=srcnat comment="defconf: masquerade"...
by mkx
Wed Jul 14, 2021 4:23 pm
Forum: Beginner Basics
Topic: inquiry about bonding
Replies: 5
Views: 423

Re: inquiry about bonding

Bonding multiple physical links into single logical link means that if sender randomly (or using some deterministic algorithm) selects one of links to send a packet, then receiver knows how to deal with it. In your case that means router might decide to send packet with destination IP address 172.16...
by mkx
Wed Jul 14, 2021 8:57 am
Forum: General
Topic: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware
Replies: 9
Views: 618

Re: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware

Right. As long as that device comes with price tag friendly to one's budget constraints. Right? ;-)
by mkx
Wed Jul 14, 2021 8:54 am
Forum: General
Topic: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware
Replies: 9
Views: 618

Re: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware

... just wait for v7 which comes with HW offload for L3

which will (very likely) work on CRS3xx line of devices (not others). And perhaps future devices, built around similar ASICs.
by mkx
Wed Jul 14, 2021 8:52 am
Forum: General
Topic: CRS328-4C-20S-4S High CPU
Replies: 3
Views: 347

Re: CRS328-4C-20S-4S High CPU

Are you running a recent version of ROS? According to manual, CRS3xx is the only device family which can HW offload MSTP. Could be that this was added in some recent ROS version. Could be there's a bug regarding MSTP HW offload as well. If you're running one of recent ROS versions, then I suggest y...
by mkx
Wed Jul 14, 2021 8:44 am
Forum: Beginner Basics
Topic: inquiry about bonding
Replies: 5
Views: 423

Re: inquiry about bonding

Bonding is Layer 2 (ethernet) feature. All links, parts of bond, have to run between same logical link partners. Usually that means single device on each end. Stacked switches are logically single device, in this case bond links are connected to different physical switches. But in any case, bond is ...
by mkx
Tue Jul 13, 2021 6:13 pm
Forum: General
Topic: CAPS Man & different WIFI channel config
Replies: 22
Views: 1123

Re: CAPS Man & different WIFI channel config

There are local AP settings and there are CAPsMAN settings. When device is used as CAP device, certain (most notably wireless) settings on local device are overridden with CAPsMAN settings. If CAPsMAN setup limits devices to certain frequencies, devices will (automatically) select one of frequencies ...
by mkx
Tue Jul 13, 2021 2:45 pm
Forum: General
Topic: wireless bridge between two Mikrotiks for IPTV STB
Replies: 23
Views: 1369

Re: wireless bridge between two Mikrotiks for IPTV STB

The reason it's done is because they want to allow low data rate protocols like mDNS through but to prevent things like IPTV from clogging the precious shared broadcast medium that is WiFi. Not really, this constraint is not payload-specific, it's the same for all multicast and broadcast. And exact...
by mkx
Tue Jul 13, 2021 2:33 pm
Forum: General
Topic: wireless bridge between two Mikrotiks for IPTV STB
Replies: 23
Views: 1369

Re: wireless bridge between two Mikrotiks for IPTV STB

... iptv over wifi really works for me but only if I use BCP bridge over pptp or station-wds mode. If I use station-bridge as described here it doesn't work as I expected. That's because from wireless point of view, BCP is unicast (between AP and client) and is thus "bufferable". Even if ...
by mkx
Tue Jul 13, 2021 11:07 am
Forum: General
Topic: CAPS Man & different WIFI channel config
Replies: 22
Views: 1123

Re: CAPS Man & different WIFI channel config

AFAIK CAPsMAN does not really affect the way CAP works, it only provisions CAPs. Which means that CAPs are free to select any frequency channel from the provisioned list of channels. And this in turn means that frequency channel co-ordination between CAPs is not better than between usual APs. It als...
by mkx
Tue Jul 13, 2021 10:49 am
Forum: General
Topic: wireless bridge between two Mikrotiks for IPTV STB
Replies: 23
Views: 1369

Re: wireless bridge between two Mikrotiks for IPTV STB

There is no such thing as "reliable wireless" in a shared spectrum (such as WiFi). There will always be possibility for some interferer to kill the performance of your wireless link. There are two problems when sending broadcasts over wireless: wireless clients go to sleep. It's a big prob...
by mkx
Mon Jul 12, 2021 8:24 pm
Forum: RouterBOARD hardware
Topic: hEX PoE RB960PGS does not power Netgear WAX214 [SOLVED]
Replies: 7
Views: 949

Re: hEX PoE RB960PGS does not power Netgear WAX214 [SOLVED]

I guess because in the vast majority of cases these boxes are used to power other Mikrotik branded devices most of which accept Passive PoE, in which case the default 24V power supply is sufficient. Yes, but a higher voltage wouldn't hurt either, right? Actually it would hurt. Many Mikrotik devices...
by mkx
Mon Jul 12, 2021 3:15 pm
Forum: Beginner Basics
Topic: Block internet from all but one user
Replies: 22
Views: 1052

Re: Block internet from all but one user

So we have different attitude towards this forum. Personally I try to offer technical support for whatever poster asks and I'm generally not suggesting a completely different approach to solving the problem. Unless it's different approach but still technical by means of using (preferably MT) device....
by mkx
Mon Jul 12, 2021 3:06 pm
Forum: Beginner Basics
Topic: Siemens PLC, KEpware, cant get destination NAT working [SOLVED]
Replies: 3
Views: 500

Re: Siemens PLC, KEpware, cant get destination NAT working [SOLVED]

Yes, I was thinking of port forwarding. Example: if PLC is accepting connections on TCP port number 8123, and you only want to forward connections from single management machine, then you actually need NAT rule like this: /ip firewall nat add action=dst-nat chain=dstnat src-address=10.20.30.40/32 ds...
by mkx
Mon Jul 12, 2021 1:01 pm
Forum: General
Topic: Find hostname between vlan
Replies: 12
Views: 779

Re: Find hostname between vlan

But do you have tips to make smooth connection while user from AP1 moving to area AP2 Using CAPsMAN does not enhance roaming experience. The only real benefit of using CAPsMAN is easier deployment of multiple CAPs with identical (or almost identical) configuration. There's a feature of CAPsMAN that...
by mkx
Mon Jul 12, 2021 12:49 pm
Forum: Beginner Basics
Topic: Block internet from all but one user
Replies: 22
Views: 1052

Re: Block internet from all but one user

@rextended: I think your last answer was un-needed. OP asked for help with technical issue while you're telling him how to live his personal life (and that's none of business of any of forum members). It wasn't the first time where your answers were way out of scope. If I were @hillelana, I'd report...
by mkx
Mon Jul 12, 2021 12:42 pm
Forum: Beginner Basics
Topic: Siemens PLC, KEpware, cant get destination NAT working [SOLVED]
Replies: 3
Views: 500

Re: Siemens PLC, KEpware, cant get destination NAT working [SOLVED]

Does the PLC device know to use 172.30.1.5 as default gateway (or at least for specific subnet where KEpware host resides)? If not, then you'll have to add src-nat for KEpware traffic: /ip firewall nat add action=masquerade chain=srcnat dst-address=172.30.1.2 so that packets will appear to originate...
by mkx
Mon Jul 12, 2021 8:14 am
Forum: Beginner Basics
Topic: Block internet from all but one user
Replies: 22
Views: 1052

Re: Block internet from all but one user

One thing to keep in mind: once a connection is fasttracked, it (mostly) bypasses any firewall filter and the drop rules won't break it. Only new connections won't be able to establish. If you want to break existing connections, then either disable fasttrack (not a very good idea from performance po...
by mkx
Sun Jul 11, 2021 11:58 pm
Forum: General
Topic: 1 Gbit/s with active mangle rules and queues?
Replies: 2
Views: 327

Re: 1 Gbit/s with active mangle rules and queues?

You just have to exclude connections which need to be mangled or queued from being fasttracked. This can be achieved either by changing the general "fasttrack all" firewall filter rule so that it excludes wanted connections by creating specific accept rules for wanted connections and plac...
by mkx
Sun Jul 11, 2021 1:09 pm
Forum: Beginner Basics
Topic: Route lan and wlan traffic on Router/Modem to Routerboard and back to WAN
Replies: 11
Views: 664

Re: Route lan and wlan traffic on Router/Modem to Routerboard and back to WAN

Not many SOHO routers can be configured the way you are describing ... MT is a rare exception because even entry-level routers run full-featured ROS (which means that it comes with associated configuration complexity which puzzles most newbies). Which means that most probably D-link doesn't allow to...
by mkx
Sat Jul 10, 2021 8:42 pm
Forum: Beginner Basics
Topic: Route lan and wlan traffic on Router/Modem to Routerboard and back to WAN
Replies: 11
Views: 664

Re: Route lan and wlan traffic on Router/Modem to Routerboard and back to WAN

It might be possible, but as @anav already wrote, it mostly depends on what D-link allows you to do and how exactly ISP delivers internet to you. Here's my example: my ISP gave me xDSL/router/wifi all-in-one box (some minor vendor) while internet service is on top of PPPoE. In this case using that d...
by mkx
Sat Jul 10, 2021 6:32 pm
Forum: Beginner Basics
Topic: Parsec Port Forwarding
Replies: 4
Views: 447

Re: Parsec Port Forwarding

I guess this article should give enough information for anyone half-capable of setting ROS port forwarding to get it done.
by mkx
Sat Jul 10, 2021 4:42 pm
Forum: General
Topic: Help MT constantly sending request to Google
Replies: 22
Views: 893

Re: Help MT constantly sending request to Google

You obfuscated the screenshot a tad too much. But src-mac printed starts with F0:9F:C and if it continues with "2", this means some Ubiquiti in your LAN is actually misbehaving.

And it does look suspicious, requests are highly periodic. Usual usages don't look as periodical.
by mkx
Sat Jul 10, 2021 12:00 am
Forum: SwOS
Topic: RB260GSP, short circuit error
Replies: 28
Views: 1567

Re: RB260GSP, short circuit error

Max power consumption of hAP ac2 is rated at 16W (21W with attachments whatever that means) and I guess that it really can draw that much power at some stage during boot time. Add 5 Watts of power consumption of the cascaded RB260GSP to get total power draw of 21W. And with supply voltage around 22 ...
by mkx
Fri Jul 09, 2021 11:24 pm
Forum: RouterOS v7 BETA
Topic: L3HW User Manual Updated
Replies: 16
Views: 1986

Re: L3HW User Manual Updated

If I understood @raimondsp's explanation correctly, then it's the same for all devices and kind of makes sense: when bridge port has PVID set (and it always has one, if nothing else the implicit pvid=1), then it gets automatically added as untagged member of corresponding VLAN. Unless it's explicitl...
by mkx
Fri Jul 09, 2021 11:05 pm
Forum: Beginner Basics
Topic: edit or change interface configuration [SOLVED]
Replies: 4
Views: 576

Re: edit or change interface configuration [SOLVED]

Command "set" takes number of parameters but only single one is used as "change settings of this item" and even that parameter is optional (if omitted, command asks for numbers). The rest of parameters are actions. Your example command changes values of the following properties: ...
by mkx
Fri Jul 09, 2021 1:07 am
Forum: General
Topic: Exclude Address Lists from Export? [SOLVED]
Replies: 8
Views: 691

Re: Exclude Address Lists from Export? [SOLVED]

Dynamic entries in lists don't get exported. So if you can make all (most?) list entries dynamic, it won't bloat configuration exports.
by mkx
Fri Jul 09, 2021 12:53 am
Forum: RouterOS v7 BETA
Topic: L3HW User Manual Updated
Replies: 16
Views: 1986

Re: L3HW User Manual Updated

pvid property of /in/br/port is mandatory. If you omit it, the default pvid=1 is used, meaning the port gets bridged with other ports with VLAN ID 1. We do not want this, so we explicitly set pvid=20. Setting port's pvid leads to a dynamic vlan creation where the port is untagged by default. But we...
by mkx
Thu Jul 08, 2021 4:09 pm
Forum: RouterOS v7 BETA
Topic: L3HW User Manual Updated
Replies: 16
Views: 1986

Re: L3HW User Manual Updated

IMO there's an error in the "VLAN configuration example": /interface/bridge/port add bridge=bridge interface=ether2 pvid=20 /interface/bridge/vlan add bridge=bridge tagged=bridge,ether2 vlan-ids=20 Doesn't first line of this example set ether2 as access port for VID 20 and should thus be s...
by mkx
Thu Jul 08, 2021 2:38 pm
Forum: Wireless Networking
Topic: CAP ac + PoE IpCamera
Replies: 5
Views: 529

Re: CAP ac + PoE IpCamera

No, it's not WISP. AFAIK WISP mode uses one of wlan interfaces as WAN interface (instead of ether1), sets firewall almost as standard except for management access which is allowed from WAN and not from LAN (other modes set it just the opposite). As I wrote, I don't think there's QuickSet mode approp...
by mkx
Thu Jul 08, 2021 2:32 pm
Forum: RouterOS v7 BETA
Topic: mDNS repeater feature
Replies: 51
Views: 2782

Re: mDNS repeater feature

It's not entire nonsense, sometimes it's not possible to do it differently. Here's example: you have an IoT gadget. It might not need internet, so you want to block internet access for it. Fine, you can use IP firewall filter if you know gadget's IP address. The latter part can be tricky with IPv6 an...
by mkx
Thu Jul 08, 2021 12:23 pm
Forum: Wireless Networking
Topic: CAP ac + PoE IpCamera
Replies: 5
Views: 529

Re: CAP ac + PoE IpCamera

I guess cAP ac devices could be configured as simple ethernet switch / AP combo, i.e. both attached IP cameras and wireless clients become part of common LAN segment, fully governed by main router (RB2011). @Normis, when can we expect to see a "ethernet switch / AP" QuickSet profile? The c...
by mkx
Thu Jul 08, 2021 12:15 pm
Forum: Beginner Basics
Topic: DHCP on bridge, only offer on eth1 [SOLVED]
Replies: 1
Views: 474

Re: DHCP on bridge, only offer on eth1 [SOLVED]

Since both network subnets (10.108.0.0/16 and 10.101.0.0/16) don't overlap you already need routing between those two subnets. In this case you can ditch the bridge, configure both ports as individual interfaces and allow routing between them. Depending on the rest of network infrastructure some rou...
by mkx
Thu Jul 08, 2021 8:24 am
Forum: General
Topic: Using one MT box to sign TLS certs for another
Replies: 11
Views: 684

Re: Using one MT box to sign TLS certs for another

Disclaimer: never tried myself.

Did you import the private key that goes with certificate as well? This thread contains some hints on what needs to be done ...
by mkx
Thu Jul 08, 2021 8:01 am
Forum: Beginner Basics
Topic: How do I start troubleshooting an "I - invalid" configuration?
Replies: 8
Views: 621

Re: How do I start troubleshooting an "I - invalid" configuration?

Generally ROS doesn't accept configuration stanza which is profoundly broken. But then there are configuration stanzas which are syntactically correct but don't make sense in current context of overall configuration. The thing is that with ROS one can do many things that are not really possible with...
by mkx
Wed Jul 07, 2021 7:46 pm
Forum: RouterBOARD hardware
Topic: SFP+ on the small devices
Replies: 14
Views: 1215

Re: SFP+ on the small devices

I'm not saying that nobody will need more than Gbps in near future. But, in home environment, how often do we really see need for 2.5Gbps+ connections? E.g. can your home NAS sustain transfer speeds considerably exceeding 1Gbps (125MBps) for extended periods of time? And are you willing to pay bonus...
by mkx
Wed Jul 07, 2021 4:11 pm
Forum: RouterBOARD hardware
Topic: SFP+ on the small devices
Replies: 14
Views: 1215

Re: SFP+ on the small devices

The 2.5Gbps RJ port variant would then be a ...4P+1S+ (according to official naming guide).
by mkx
Wed Jul 07, 2021 2:30 pm
Forum: Beginner Basics
Topic: (silly) question how does DNS query forwarded / DCHP DNS settings
Replies: 20
Views: 1219

Re: (silly) question how does DNS query forwarded / DCHP DNS settings

Adresse IPv6 locale du lien : fe80::997f:70f6:408e:ac18%18 Adresse IPv4 : 10.99.99.243 Serveurs DNS IPv4 : 10.99.99.1 The highlighted information from your LAN computer indicates that it is receiving router's IP address to be used as DNS server. This setting is configured in /ip dhcp-server network ,...
by mkx
Wed Jul 07, 2021 12:21 pm
Forum: Beginner Basics
Topic: How do I start troubleshooting an "I - invalid" configuration?
Replies: 8
Views: 621

Re: How do I start troubleshooting an "I - invalid" configuration?

A good place to start looking would be system logs ... not everything is recorded, but something might pop up. But my experience is that there isn't a single way to troubleshoot configuration problems and one often has to deduct the problems.
by mkx
Tue Jul 06, 2021 11:12 pm
Forum: Wireless Networking
Topic: Wap ac as router
Replies: 3
Views: 442

Re: Wap ac as router

CAPsMAN comes handy if you have many APs. I wouldn't deploy it for one or two APs (actually I am doing it at home ... purely as a lab setup). And it's certainly overkill to use it for provisioning wireless on very same device (it's possible to do it with some tinkering). I'm not sure which Quick Set...
by mkx
Tue Jul 06, 2021 10:53 pm
Forum: RouterBOARD hardware
Topic: Repurposing old FibreChannel SFP transceivers [SOLVED]
Replies: 4
Views: 1070

Re: Repurposing old FibreChannel SFP transceivers [SOLVED]

If they work, they'll work at 1Gbps. And they'll likely overheat, older SFPs consumed more power than modern ones while Mikrotik devices generally are not known to be good at heat dissipation (specially so the passively cooled ones).
by mkx
Tue Jul 06, 2021 5:54 pm
Forum: Wireless Networking
Topic: Wap ac as router
Replies: 3
Views: 442

Re: Wap ac as router

Yes, wAP ac can be a very capable router (routing up to around 1 Gbps, depending on complexity of firewall filter rules). Beware though that current Mikrotik devices are not the fastest when it comes to wireless. If configured properly (sometimes some tweaking is needed, what exactly depends on part...
by mkx
Tue Jul 06, 2021 5:44 pm
Forum: Beginner Basics
Topic: Import a Filterlist?
Replies: 1
Views: 321

Re: Import a Filterlist?

There are many ways to filter traffic with ROS, one would be to use address lists. However, the lists on link you posted are lists of domains and filtering the domains (more or less straight-forward) can be done only in L7 filters ... And L7 filters are becoming more and more useless because everyth...
by mkx
Tue Jul 06, 2021 5:37 pm
Forum: Beginner Basics
Topic: hostname to ip:port
Replies: 3
Views: 416

Re: hostname to ip:port

I need hostname "hello.website.com" to forward to 192.168.10.25:5520 in my LAN. How to accomplish that on my mikrotik? I'm guessing you're after a slightly more complicated setup than the one explained by @erlinden and @anav ... so in case you want to forward hello.website.com (TCP port 80...
by mkx
Mon Jul 05, 2021 7:05 pm
Forum: General
Topic: free space discrepancy between hap models
Replies: 7
Views: 516

Re: free space discrepancy between hap models

If you really want to be sure both devices are in same (vanilla) state, you should check disk free status right after netinstall without backups uploaded and restored. But, as previous posters already explained, SMIPS packages are waaay smaller than others (e.g. ARM). For example: in ROS 6.48.3 syst...
by mkx
Sun Jul 04, 2021 10:46 pm
Forum: Wireless Networking
Topic: CAPsMAN Help
Replies: 14
Views: 1165

Re: CAPsMAN Help

CAP packets are encapsulated in ethernet frames and are treated by switch the same way as IP packets (encapsulated in ethernet frames). For CAP device to communicate with CAPsMAN in usual cases the connection has to be transparent and playing with VLANs on all 3 devices doesn't help if you don't re...
by mkx
Sun Jul 04, 2021 3:47 pm
Forum: General
Topic: Could I know how router is powered via Winbox?
Replies: 3
Views: 370

Re: Could I know how router is powered via Winbox?

The way mikrotik devices (most of them, some need explicitly distinct voltage levels for supporting diverse PoE out options) combine different power sources is pretty simple: they are all fed via simple diodes and then joined together. Diodes prevent power from leaking out. That also explains the fa...
by mkx
Sat Jul 03, 2021 4:09 pm
Forum: General
Topic: NAT, masquerading, src, dst? Confused (picture) [SOLVED]
Replies: 5
Views: 673

Re: NAT, masquerading, src, dst? Confused (picture) [SOLVED]

You can't use single mAP. It would have to connect to two APs at the same time. Both APs will likely use different channels and client which has single radio can not deal with it.
by mkx
Sat Jul 03, 2021 3:52 pm
Forum: Beginner Basics
Topic: Mikrotik + freeradius auth with /etc/shadow
Replies: 2
Views: 381

Re: Mikrotik + freeradius auth with /etc/shadow

Mikrotik doesn't know anything about your /etc/shadow file. The problem is thus completely related to configuration of whatever radius implementation you're using.
by mkx
Sat Jul 03, 2021 3:46 pm
Forum: RouterOS v7 BETA
Topic: v7 launch date
Replies: 124
Views: 13705

Re: v7 launch date

Anyone care to comment if that means the 7.1 beta might well be "stable" enough for me with my RB4001, CRS328 and 4x cAP AC? Really? You didn't read to the end of post you quoted part of? @raimondsp clearly wrote that (everything) still needs polishing. I wonder how you'd deal with rough ...
by mkx
Tue Jun 29, 2021 3:40 pm
Forum: General
Topic: Missing Firewall ACTION at Logs
Replies: 9
Views: 470

Re: Missing Firewall ACTION at Logs

If you only enable logging for single rule, you know the action from rule definition. If you enable logging of multiple rules, then add appropriate log prefixes. If you're going into troubleshooting, then adding logging prefixes is the least problem you have at that point. BTW, packets not triggering...
by mkx
Tue Jun 29, 2021 3:17 pm
Forum: General
Topic: Missing Firewall ACTION at Logs
Replies: 9
Views: 470

Re: Missing Firewall ACTION at Logs

You don't want to log everything, you just want to log things while debugging certain rules.
by mkx
Wed Jun 23, 2021 11:11 pm
Forum: General
Topic: wireless bridge between two Mikrotiks for IPTV STB
Replies: 23
Views: 1369

Re: wireless bridge between two Mikrotiks for IPTV STB

I'd replace the pwr-line AP with some at least half-decent AP in this setup ....
by mkx
Wed Jun 23, 2021 3:05 pm
Forum: General
Topic: Problems with VLAN and Bridge
Replies: 6
Views: 621

Re: Problems with VLAN and Bridge

You have to be aware that hEX S is not really a beast of a router. It can realistically route at around 0.5 Gbps depending on amount and complexity of firewall rules. It's been mentioned on this forum before, that some devices in certain conditions seem to struggle tagging and untagging packets passi...
by mkx
Wed Jun 23, 2021 2:35 pm
Forum: General
Topic: So why do I want to run ROS on a Switch when SWOS is just fine?
Replies: 17
Views: 1239

Re: So why do I want to run ROS on a Switch when SWOS is just fine?

If one can (safely?) assume that switch performance is the same when running either of supported OSes (ROS, SwOS), and one doesn't need L3 functions, then it boils down to personal preference regarding administrative UI. Some users, very well acquainted to CLI and ROS, will obviously prefer running ...
by mkx
Wed Jun 23, 2021 8:22 am
Forum: RouterOS v7 BETA
Topic: v7.1beta6 [development] is released!
Replies: 340
Views: 47051

Re: v7.1beta6 [development] is released!

One last question along these lines. Will existing CCR products get hardware/fasttrack/any accelerated IPv6 support or is this only happening in the new devices with the newer switch hardware? Fasttrack is software feature, so yes, when IPv6 fasttrack gets (finally) implemented, it will be on all ...
by mkx
Tue Jun 22, 2021 7:53 pm
Forum: General
Topic: Problems with VLAN and Bridge
Replies: 6
Views: 621

Re: Problems with VLAN and Bridge

If you haven't already, I suggest you to read through this nice tutorial.

The problem when using VLAN 1 is that VID=1 is (implicit) default PVID setting for all bridge ports and if you're not careful, you get mix of tagged and untagged traffic.
by mkx
Tue Jun 22, 2021 3:12 pm
Forum: General
Topic: Problems with VLAN and Bridge
Replies: 6
Views: 621

Re: Problems with VLAN and Bridge

add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 As ports ether3 and ether5 are hybrid ports carrying both untagged (VLAN1) and ...
by mkx
Tue Jun 22, 2021 1:54 pm
Forum: Beginner Basics
Topic: mAP Lite cap configuration
Replies: 1
Views: 353

Re: mAP Lite cap configuration

In short: no.

What you want is called "wireless bridge", which transparently connects two wired "islands" into a homogenous network. Wireless standard (802.11) doesn't allow for enough transparency, you can read more about the reasons and possible work-arounds in this article.
by mkx
Tue Jun 22, 2021 8:17 am
Forum: RouterBOARD hardware
Topic: CCR2004 real routing performance?
Replies: 3
Views: 1080

Re: CCR2004 real routing performance?

Official test results have many numbers in the table, ranging anything between 600 Mbps and 40 Gbps. Which means that routing performance very much depends on particular configuration. It's hard to tell how much LACP hits performance unless one performs two tests with LACP being the only difference...
by mkx
Tue Jun 22, 2021 8:06 am
Forum: General
Topic: VLANs and address assignment
Replies: 8
Views: 535

Re: VLANs and address assignment

I'm not avoiding the question, I'm just trying to stay on topic. And you're extrapolating too much for your own good ;-). But anyway: a. ether1 attached as a bridge port to a bridge c. can separately assign an IP address to the interface and host a subnet on the ether1 port all separate from the b...
by mkx
Mon Jun 21, 2021 11:09 pm
Forum: General
Topic: VLANs and address assignment
Replies: 8
Views: 535

Re: VLANs and address assignment

So where in original post does @Cablenut9 mention a bridge? Let's read together:

If I have some interface, like ether1, and a bunch of VLAN interfaces on it, like vlan2 and vlan3, does ether1's IP address "carry over" to the VLANs?

Nope, still no bridge ...
by mkx
Mon Jun 21, 2021 8:36 pm
Forum: General
Topic: VLANs and address assignment
Replies: 8
Views: 535

Re: VLANs and address assignment

If I have some interface, like ether1, and a bunch of VLAN interfaces on it, like vlan2 and vlan3, does ether1's IP address "carry over" to the VLANs? No, IP address is bound to interface. In your case ether1 is interface for untagged frames passing ether1 port. For VLAN interfaces ethe...
by mkx
Mon Jun 21, 2021 11:32 am
Forum: RouterBOARD hardware
Topic: RB3011 keeps rebooting when ethernet 1 is connected to gigabit capable device
Replies: 8
Views: 1556

Re: RB3011 keeps rebooting when ethernet 1 is connected to gigabit capable device

Did you try with different power adapter? Marginal (almost but not entirely failed) power adapter could supply some power but not enough. And ethernet port running at higher speed draws a little more power which might push power adapter over its limit ... at that point PA might drop the voltage belo...
by mkx
Sun Jun 20, 2021 10:10 pm
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 15
Views: 1151

Re: CAPsMAN on layer2 + vlans

It is just an arbitrary decision of the CAPsMAN package to do this in the wireless driver.

Actually it's not an arbitrary decision ... up till ROS version 6.41 bridge was not VLAN aware, hardware (or low level drivers) had to deal with VLAN tagging/untagging/filtering.
by mkx
Sun Jun 20, 2021 12:39 pm
Forum: General
Topic: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]
Replies: 9
Views: 770

Re: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]

I don't think you can reduce number of firewall rules in input chain.
by mkx
Sun Jun 20, 2021 9:42 am
Forum: General
Topic: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]
Replies: 9
Views: 770

Re: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]

Indeed one has to filter access to router from certain subnets. But as I wrote the filter has to cover all router's interfaces, not only the "native" one ... and in this case the approach of "ultimate drop all rule" comes handy. This means that input chain contains a few rules al...
by mkx
Sun Jun 20, 2021 12:15 am
Forum: Beginner Basics
Topic: Slow navigation/browsing speeds [SOLVED]
Replies: 15
Views: 1308

Re: Slow navigation/browsing speeds [SOLVED]

For sure you don't want to see any of "ether1 link down" messages ... I don't know what has to be done to stabilise the ethernet link. And you can try to set /interface detect-internet set detect-interface-list=none . While in theory functionality of detect internet should be fine in pract...
by mkx
Sat Jun 19, 2021 10:24 pm
Forum: General
Topic: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]
Replies: 9
Views: 770

Re: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]

a. seems this way b. my limited experience says yes c. as I wrote: ROS basically treats all packets (connections) targeting any of its IP interfaces the same way. The only difference that might show is due to different firewall rules (both raw and filter). This is pretty clear even from default fire...
by mkx
Sat Jun 19, 2021 10:15 pm
Forum: Beginner Basics
Topic: Initial Internet configuration ( via SFP port)
Replies: 22
Views: 1133

Re: Initial Internet configuration ( via SFP port)

Actually, I'm thinking whether the ip-scan tool is showing everything that ever got an IP while the Leases menu shows only the active ones? IP scan tool is supposed to probe (ping or something) some address range and only display active devices. Doesn't matter how those devices obtained their IP ad...
by mkx
Sat Jun 19, 2021 1:52 pm
Forum: General
Topic: Home IoT Vlan setup
Replies: 18
Views: 1095

Re: Home IoT Vlan setup

This is not exported configuration, this might be something you pushed into device which already had some config. So do what @anav asked to do ... execute /export hide-sensitive and post output.
by mkx
Sat Jun 19, 2021 1:49 pm
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 15
Views: 1151

Re: CAPsMAN on layer2 + vlans

The bridge does the tagging/untagging for every interface in the vlan table - or so I thought. The bridge does tagging/untagging for ports which are untagged members of VLANs. Bridge does nothing on trunk ports (ports that are tagged members of VLANs). With wlan interfaces they can either be tagged ...
by mkx
Sat Jun 19, 2021 1:32 pm
Forum: General
Topic: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]
Replies: 9
Views: 770

Re: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]

ROS treats every own address (i.e. addresses configured as router's own regardless of the interface or subnet) pretty much the same way ... and they're all treated in chain=input (unless connection is DST-NATed). If you want to block connections to "the wrong router's address" (e.g. ping from...
by mkx
Sat Jun 19, 2021 1:24 pm
Forum: Beginner Basics
Topic: Slow navigation/browsing speeds [SOLVED]
Replies: 15
Views: 1308

Re: Slow navigation/browsing speeds [SOLVED]

You went into some quite advanced configuration because you wanted some QoS ... but if that isn't done quite right, it might actually make things worse. I'd try to introduce RB to your network with configurations as default as it gets. If it will behave more or less nicely, then you'll know it's the ...
by mkx
Sat Jun 19, 2021 1:08 pm
Forum: Beginner Basics
Topic: Initial Internet configuration ( via SFP port)
Replies: 22
Views: 1133

Re: Initial Internet configuration ( via SFP port)

There are plenty of devices whose MAC addresses start with cc:50:e3 and which aren't on the DHCP lease list ... that MAC address range belongs to Espressif Inc, seems like they produce smart home gadgets. How these devices obtained their IP addresses is beyond my imagination. One reason might be tha...
by mkx
Fri Jun 18, 2021 11:32 pm
Forum: General
Topic: mikrotik redirect based on domain to internal ip [SOLVED]
Replies: 6
Views: 652

Re: mikrotik redirect based on domain to internal ip [SOLVED]

but it seems I should use reverse proxy and the included reverse proxy of mikrotik cannot do this

That's because ROS includes normal proxy, not reverse proxy. While they might both seem similar they operate differently.
by mkx
Fri Jun 18, 2021 11:11 am
Forum: General
Topic: Cant Open Ports
Replies: 9
Views: 563

Re: Cant Open Ports

First verify that internal server is actually accepting connections on TCP port 25. Then you can enable LOG flag, try remote connection and see if log contains anything. One thing you should be aware of: some ISPs block port 25 (SMTP) towards clients because SMTP protocol is often used for malicious ac...
by mkx
Fri Jun 18, 2021 11:03 am
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 15
Views: 1151

Re: CAPsMAN on layer2 + vlans

The wlan1, wlan2, wlan24, wlan25 devices are added under the correct vlan id, but they are added as tagged ports. I would like them to be untagged. (Otherwise dumb WiFi clients won't be able to connect.) That's correct and won't cause any problem ... wlan interfaces are tagged from bridge point of ...
by mkx
Thu Jun 17, 2021 11:33 pm
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 15
Views: 1151

Re: CAPsMAN on layer2 + vlans

As @biomesh wrote, the trick is to set discovery interface to some vlan interface. For example, I have VLAN 42 intended for usual LAN traffic and I allow CAP to CAPsMAN communication via that VLAN. So on CAP device I have the following: /interface bridge add name=bridge vlan-filtering=yes /interface...
by mkx
Thu Jun 17, 2021 9:22 am
Forum: Beginner Basics
Topic: Coping with slow download speeds on my home LAN
Replies: 8
Views: 670

Re: Coping with slow download speeds on my home LAN

Did you try speedtest by connecting PC instead of netgear AP? The goal is to narrow down possible problems. If speedtest without netgear in the way shows decent speeds, this would indicate either problem with netgear itself or some interaction problem between netgear and mikrotik. If speedtest is sti...
by mkx
Wed Jun 16, 2021 10:14 pm
Forum: General
Topic: 1:1 NAT DDoS protection?
Replies: 7
Views: 543

Re: 1:1 NAT DDoS protection?

Right.
by mkx
Wed Jun 16, 2021 8:26 pm
Forum: General
Topic: 1:1 NAT DDoS protection?
Replies: 7
Views: 543

Re: 1:1 NAT DDoS protection?

Also, it's to help hide the real IP so it can't be targeted directly. What good does it make? If NAT device performs 1:1, then every single packet, destined to "fake" IP will reach "real" IP. Just as there wasn't NAT, only with a hop more. NAT, combined with firewall, is differe...
by mkx
Wed Jun 16, 2021 7:34 pm
Forum: General
Topic: 1:1 NAT DDoS protection?
Replies: 7
Views: 543

Re: 1:1 NAT DDoS protection?

Device simply performing NAT (any kind) does not recognize malicious packet and thus passes such packet along with all others. Hence a 1:1 NAT can not protect you from DDoS ...
Only stateful firewall or DPI can make that distinction and protect devices behind.
by mkx
Wed Jun 16, 2021 6:58 pm
Forum: Beginner Basics
Topic: VLAN setting [SOLVED]
Replies: 1
Views: 627

Re: VLAN setting [SOLVED]

Here's a great tutorial about how to configure VLANs. When you think you're done, post config of both router and switch. From which stable is AP? I presume it's not Mikrotik.
by mkx
Wed Jun 16, 2021 6:54 pm
Forum: Beginner Basics
Topic: Coping with slow download speeds on my home LAN
Replies: 8
Views: 670

Re: Coping with slow download speeds on my home LAN

Just one more check: is netgear AP acting only as switch/AP and clients, connected to it, receive IP addresses from mikrotik LAN address space? And when you ran tests, you connected PC with UTP cable and netgear acted as a switch? If you connect PC to the wire otherwise used to connect netgear, do y...
by mkx
Wed Jun 16, 2021 1:59 pm
Forum: Beginner Basics
Topic: Coping with slow download speeds on my home LAN
Replies: 8
Views: 670

Re: Coping with slow download speeds on my home LAN

A few errors in your configuration: /ip address add address=192.168.2.1/24 interface=ether4 network=192.168.2.0 add address=192.168.3.1/24 interface=ether4 network=192.168.3.0 If you really need these two subnets, then you really should set addresses on bridge and not on member port (ether4). /ip fi...
by mkx
Wed Jun 16, 2021 8:11 am
Forum: General
Topic: hap ac3 bandwidth test to 127.0.0.1 TCP both direction utilises only 85% of CPU [SOLVED]
Replies: 8
Views: 974

Re: hap ac3 bandwidth test to 127.0.0.1 TCP both direction utilises only 85% of CPU [SOLVED]

What does profile of CPU usage (execute /tool profile cpu=all ) show? Are all CPUs loaded equally? I'd expect some CPU cores to be (almost) idle while others loaded 100%. The reason is that ROS is handling TCP connections by using same CPU core for all packets (reason is keeping packets in-order, IP...
by mkx
Wed Jun 16, 2021 8:05 am
Forum: Beginner Basics
Topic: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance
Replies: 13
Views: 1100

Re: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance

I'm not sure about antibodies, but I'm sure I'm allergic ... to dummies :-P
by mkx
Tue Jun 15, 2021 10:45 pm
Forum: RouterBOARD hardware
Topic: SFP module is extremely hot
Replies: 48
Views: 26193

Re: SFP module is extremely hot

If you want to keep SFP temperature down and use 10Gbps links, then go with normal fibre SFPs and fibre patch cords. Fibre SFPs consume much less power and consequentially produce much less heat. Fibre patch cords tend to be less bulky than CAT7 cables or DAC cables which is good as it's easier to o...
by mkx
Tue Jun 15, 2021 10:32 pm
Forum: General
Topic: RouterBOARD 750G
Replies: 1
Views: 311

Re: RouterBOARD 750G

Product brochure states that 750g can route "up to 580Mbps throughput with larger packets, and up to 91500pps with small packets". The text doesn't go into specifics about what kind of traffic that would be, I'd assume they are absolute maximum numbers possible. If you compare it to test re...
by mkx
Tue Jun 15, 2021 8:22 pm
Forum: Beginner Basics
Topic: Setting Up small home network with MikroTik hEX RB750Gr3
Replies: 20
Views: 1698

Re: Setting Up small home network with MikroTik hEX RB750Gr3

@zedoxx: what I'd do is the following: reset to default config use quickset to configure WAN ... PPPoE go into "normal" GUI and never ever go back to quickset unless you repeat config from step #1 remove ether5 from bridge add IP address to ether5. Configure additional address pool and DH...
by mkx
Tue Jun 15, 2021 6:31 pm
Forum: Beginner Basics
Topic: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance
Replies: 13
Views: 1100

Re: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance

second covid dose

Which one, Pfizer? I opted for Biontech and had only minor (next to none) side effects. It's been almost 3 weeks since second shot and I'm almost certified to resume normal life ;-)
by mkx
Tue Jun 15, 2021 8:41 am
Forum: RouterBOARD hardware
Topic: Battery driven RB get bricked
Replies: 6
Views: 1275

Re: Battery driven RB get bricked

IMO whenever one runs some device off a battery, it's good thing to install under-voltage cut-off device. Not to protect powered device but to protect battery itself. None of battery chemistries (lead-acid, nickel, lithium) like being completely depleted and one has to protect them from gettin...
by mkx
Tue Jun 15, 2021 8:23 am
Forum: General
Topic: Howto use HAP AC2 as switch+AP on vlan(s)
Replies: 8
Views: 589

Re: Howto use HAP AC2 as switch+AP on vlan(s)

Bridge is the only port member of these VLANs. At least for VLAN 99 you should add ether1 as tagged port or else you'll almost definitely lose management access. Nope, there is a vlan interface that is added to the bridge, vlan 99, with static IP 192.168.19.252. I was managing the router through th...
by mkx
Tue Jun 15, 2021 8:05 am
Forum: Beginner Basics
Topic: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance
Replies: 13
Views: 1100

Re: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance

Isn't buying lottery ticket a prerequisite for winning the lottery? Are you doing anything about it? Or you rather spend the dime on Canadian rye? ;-)
by mkx
Mon Jun 14, 2021 11:16 pm
Forum: General
Topic: Howto use HAP AC2 as switch+AP on vlan(s)
Replies: 8
Views: 589

Re: Howto use HAP AC2 as switch+AP on vlan(s)

My dear @anav, as always you're one step ahead of me ... you already forgot you're forgetting things :-P