Community discussions

Search found 6204 matches

by mkx
Thu Jul 29, 2021 12:01 am
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 72
Views: 6662

Re: MikroTik RB5009UG+S+IN

Yeah. For the money they'd like to get for 4 units, I could get the new CCR2004-16G-2S+ (which would look much nicer and more professional in my home networking rack). If I'd be missing ether ports, I could throw in a CRS326-24G-2S+RM (OK, now we're talking about 2U already, but hey, I'd have 40 Gig...
by mkx
Wed Jul 28, 2021 11:37 pm
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 72
Views: 6662

Re: MikroTik RB5009UG+S+IN

I checked ISP Supplies Canada and they do not have stock .... A Polish distributor states 2021-09-03 as date of availability. Let's wait and see. Could be a nice present on the eve of N-th wave of COVID-19. Another thing - a question for MT staff I guess: MT is selling rack-mount kit for this route...
by mkx
Wed Jul 28, 2021 11:16 pm
Forum: General
Topic: iam have 6.47.8 (stable) on x86 but some time its shutdown suddenly
Replies: 3
Views: 67

Re: iam have 6.47.8 (stable) on x86 but some time its shutdown suddenly

What exactly is asxi? Or do you mean ESXi (VMware)? Having a hole in ROS graph does not prove router was actually shut down. So if it was actually shut down (you had to restart it manually) and there's nothing in ROS logs nor anything in logs of hypervisor, then you'll have some long days troublesho...
by mkx
Wed Jul 28, 2021 10:55 pm
Forum: Beginner Basics
Topic: layer 7 port forwarding
Replies: 17
Views: 470

Re: layer 7 port forwarding

I'm sorry, never did manual configuration of traefik. It's used at my employers in a Kubernetes installation where Kubernetes itself makes basic configuration of traefik (or perhaps Kubernetes admin did it once), while forwarding to backend containers is done automatically when starting those backen...
by mkx
Wed Jul 28, 2021 8:40 pm
Forum: Beginner Basics
Topic: Hap ac2 can't use peer dns from isp
Replies: 10
Views: 243

Re: Hap ac2 can't use peer dns from isp

what do you use besides winbox

I thought it was obvious ... ssh client.
by mkx
Wed Jul 28, 2021 8:29 pm
Forum: RouterOS v7 BETA
Topic: v7 launch date
Replies: 122
Views: 12683

Re: v7 launch date

Red are administrators (e.g. @normis), green are moderators. I might be wrong, but I think @nz_monkey is not MT staffer.
by mkx
Wed Jul 28, 2021 8:01 pm
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 72
Views: 6662

Re: MikroTik RB5009UG+S+IN

From the Quick Guide of that beast: This device needs to be upgraded to the v7.0.2 or the latest software version to ensure compliance with local authority regulations! Looks like MikroTik is preparing something powerful to announce... 👀 This is silly ... the warning continues with second paragraph...
by mkx
Wed Jul 28, 2021 7:48 pm
Forum: Beginner Basics
Topic: Hap ac2 can't use peer dns from isp
Replies: 10
Views: 243

Re: Hap ac2 can't use peer dns from isp

1) DHCP server will try as hell to provide some DNS server address in DHCP lease unless router admin knows better ;-) 2) Where's setting "Allow remote Servers"? If you're talking about "Allow remote Requests " ... then it's got everything about client requests. If this is set, th...
by mkx
Wed Jul 28, 2021 6:42 pm
Forum: General
Topic: Is blocking websites by URL really impossible?
Replies: 12
Views: 223

Re: Is blocking websites by URL really impossible?

@mkx, please check if redacted version is better

Much better :-)
by mkx
Wed Jul 28, 2021 6:37 pm
Forum: General
Topic: Two providers. Unstable behavior. [SOLVED]
Replies: 9
Views: 176

Re: Two providers. Unstable behavior. [SOLVED]

@BlackRat, the setting you highlighted is IMO invalid. It's not logical to have address with network address set to same value. If bridge-inet should use both addresses 85.xxx.xxx.20 and 85.xxx.xxx.21 and when router uses either of WAN addresses it can directly connect to the same subnet (which is log...
by mkx
Wed Jul 28, 2021 6:30 pm
Forum: General
Topic: Is blocking websites by URL really impossible?
Replies: 12
Views: 223

Re: Is blocking websites by URL really impossible?

@anav writes IDP because he doesn't like what DPI stands for: Deep Pocket Inspection LOL
by mkx
Wed Jul 28, 2021 6:29 pm
Forum: General
Topic: Is blocking websites by URL really impossible?
Replies: 12
Views: 223

Re: Is blocking websites by URL really impossible?

Instead of writing "impossible because use Encrypted SNI (ESNI)" you could have written "will become increasingly hard because of ESNI" and the answer would be correct.
by mkx
Wed Jul 28, 2021 6:23 pm
Forum: General
Topic: Is blocking websites by URL really impossible?
Replies: 12
Views: 223

Re: Is blocking websites by URL really impossible?

On HTTPS with TLS 1.3 or higher: impossible because use Encrypted SNI (ESNI) TLS 1.3 implements ESNI but doesn't enforce it (over SNI), so even if https connection is using TLS v1.3 (enhanced ciphers, ...) it might still use SNI. ESNI requires some additional setup (on DNS servers for web server's ...
by mkx
Wed Jul 28, 2021 6:07 pm
Forum: General
Topic: vlan by mac address on LAN with multiple mikrotik switches
Replies: 19
Views: 459

Re: vlan by mac address on LAN with multiple mikrotik switches

MT should implement HW offload bridges on all capable devices (i.e. on all devices that have decent switch chip). But I guess the problem is that some switch chips simply lack needed functionality for certain operations. E.g. I guess MAC-based VLANs could be done in hardware using ACLs but not all s...
by mkx
Wed Jul 28, 2021 5:54 pm
Forum: RouterOS v7 BETA
Topic: v7 launch date
Replies: 122
Views: 12683

Re: v7 launch date

this has the disadvantage that posts can only be edited by the author.
AFAIK all forum moderators can directly edit all posts. AFAIK all MT staffers present on forum are moderators.

But yes, manually keeping bug-list current is RPITA and I guess MT won't go into this.
by mkx
Wed Jul 28, 2021 5:42 pm
Forum: RouterOS v7 BETA
Topic: v7 launch date
Replies: 122
Views: 12683

Re: v7 launch date

No, forum-hosted bug-tracking won't do ... unless the initial post is actually edited every time bug state changes. Discussions, interleaved with bug-tracking announcements, will make finding bug-tracking list even harder. If MT is using internal issue tracking tools, it would be nice if the page wa...
by mkx
Wed Jul 28, 2021 5:30 pm
Forum: Beginner Basics
Topic: Hap ac2 can't use peer dns from isp
Replies: 10
Views: 243

Re: Hap ac2 can't use peer dns from isp

1) Users will bypass router's DNS service if they are not told to use it. Either: - set DNS server addresses (other than router's own address) in DHCP network - set DHCP server to send empty DNS list (but that will make unhappy a lot of DHCP clients) - set DNS servers statically on every LAN device ...
by mkx
Wed Jul 28, 2021 2:55 pm
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 72
Views: 6662

Re: MikroTik RB5009UG+S+IN

Indeed. We all know shortcomings of such design: RB2011, RB3011, RB4011 ... let's just hope it doesn't continue to RB501x ...
by mkx
Wed Jul 28, 2021 2:28 pm
Forum: General
Topic: RB2011UiAS bridge mode
Replies: 1
Views: 73

Re: RB2011UiAS bridge mode

You need to enable DHCP client and configure it to run on bridge interface. If "bridge mode" setup doesn't do it already, I'm not familiar with various QuickSet modes.
by mkx
Wed Jul 28, 2021 1:19 pm
Forum: Beginner Basics
Topic: Hap ac2 can't use peer dns from isp
Replies: 10
Views: 243

Re: Hap ac2 can't use peer dns from isp

There are approximately 4 places which affect use of DNS by router and in LAN clients (not mentioning static settings on LAN clients which is fifth place): setting of property use-peer-dns=yes/no of a PPPoE client. At least on my ROS 6.48.3 setting to no seems to be default. This setting affects whe...
by mkx
Tue Jul 27, 2021 11:36 pm
Forum: Wireless Networking
Topic: Low wifi coverage in bedroom
Replies: 5
Views: 250

Re: Low wifi coverage in bedroom

Sure, go ahead and post config of both APs. Somebody might give some advice.
by mkx
Tue Jul 27, 2021 11:26 pm
Forum: Beginner Basics
Topic: IPv6 for home
Replies: 12
Views: 407

Re: IPv6 for home

No, ROS does prefix delegation through RAs (Router Advertisements). RAs are completely different function than DHCPv6. Android doesn't support DHCPv6 (as a whole) and yet android devices do receive prefixes ... through RAs.
by mkx
Tue Jul 27, 2021 11:19 pm
Forum: Beginner Basics
Topic: VLANS & Management VLAN
Replies: 26
Views: 1372

Re: VLANS & Management VLAN

I can see your MT legacy doesn't go far, @anav (or you started to forget). The example I wrote used to be called "bridge per VLAN" and was only way of dealing with VLANs on devices without switch chips (or only fraction of ports were switched) before ROS 6.42. It is necessary to unearth su...
by mkx
Tue Jul 27, 2021 5:13 pm
Forum: Beginner Basics
Topic: IPv6 for home
Replies: 12
Views: 407

Re: IPv6 for home

2) there IS DHCPv6 that is somewhat similar to DHCPv4, but it's mostly used for prefix sharing, not end-client addresses sharing Not true. As I wrote in my post above, full implementation of DHCPv6 server will send to end device almost same set of settings as DHCPv4, including IPv6 address to be di...
by mkx
Tue Jul 27, 2021 9:07 am
Forum: Beginner Basics
Topic: IPv6 for home
Replies: 12
Views: 407

Re: IPv6 for home

Mikrotik doesn't actually implement DHCPv6 server. So you have to use SLAAC. Let's assume you're getting IPv6 prefix from ISP via DHCPv6. So you need: /ipv6 dhcp-client add add-default-route=yes interface=WAN pool-name=ipv6-pool request=prefix /ipv6 address add address=::1 eui-64=yes from-pool=ipv6-...
by mkx
Tue Jul 27, 2021 8:47 am
Forum: Beginner Basics
Topic: VLANS & Management VLAN
Replies: 26
Views: 1372

Re: VLANS & Management VLAN

If you have a Router and a Switch, lets say the switch is a CRS so you apply VLANs with Bridge filtering method, on the router side ( no switch chip ), why is it bad or wrong to create your Vlans directly on the interface that connects these two ? Without any Bridge interface or anything.. I'm not ...
by mkx
Mon Jul 26, 2021 11:46 pm
Forum: RouterBOARD hardware
Topic: Adding a cooling fan to CRS326
Replies: 49
Views: 9856

Re: Adding a cooling fan to CRS326

Hmmm, I am no electronic designer, but usually a fan on router / switch / pc is used to " extract " the heat out of the casing.... Designing air flow is not something electronic designers do, one would need an expert on fluid dynamics to do that (that's part of physics in my part of unive...
by mkx
Mon Jul 26, 2021 11:04 pm
Forum: Beginner Basics
Topic: VLANS & Management VLAN
Replies: 26
Views: 1372

Re: VLANS & Management VLAN

For @anav: /interface vlan add name=e1v100 interface=ether1 vlan-id=100 add name=e2v100 interface=ether2 vlan-id=100 /interface bridge add name=bridge_v100 /interface bridge port add bridge=bridge_v100 port=e1v100 add bridge=bridge_v100 port=e2v100 add bridge=bridge_v100 port=ether3 Frames tagged wi...
by mkx
Mon Jul 26, 2021 10:59 pm
Forum: Beginner Basics
Topic: VLANS & Management VLAN
Replies: 26
Views: 1372

Re: VLANS & Management VLAN

There are 3 ways you can do that, 1. Bridge VLAN Filtering ( it will consume CPU resources for devices that do not support it ), 2. Switch Chip VLANs ( for devices with Switch Chip, old method, configuration depends on the switch chip model ) 3. Software VLANs ( /Interface VLAN ) Actually there are...
by mkx
Mon Jul 26, 2021 10:20 pm
Forum: Beginner Basics
Topic: Drop Invalid vs. Drop "all"
Replies: 16
Views: 512

Re: Drop Invalid vs. Drop "all"

And if the server do not receive ACK, close the connection after some time, depend on settings, on meantime the connection resources still busy. Right, in Linux such connection state is called FIN_WAIT or FIN_WAIT2. I still fail to see how not dropping non-NATed ACK (or whatever is sent) helps serv...
by mkx
Mon Jul 26, 2021 6:25 pm
Forum: Beginner Basics
Topic: Drop Invalid vs. Drop "all"
Replies: 16
Views: 512

Re: Drop Invalid vs. Drop "all"

Stopping that packet cause the service use more memory because from 30s to 30m the connection is still considered open for lack of ACK (or RST). I don't think this is correct. According to ROS packet flow, both connection tracking and SRC-NAT are part of prerouting part of packet flow ... but co...
by mkx
Mon Jul 26, 2021 3:36 pm
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 72
Views: 6662

Re: MikroTik RB5009UG+S+IN

And in video RB5009 is compared to RB4011iGS+5HacQ2HnD-IN, not to RB4011iGS+RM. Test results, as published on respective product pages, are almost the same for both variants of RB4011. Which shouldn't be a surprise as they differ only that wireless version has two radios added, the rest of hardware...
by mkx
Mon Jul 26, 2021 2:20 pm
Forum: Wireless Networking
Topic: WI-FI ROAMING 802.11r QUESTION
Replies: 41
Views: 22646

Re: WI-FI ROAMING 802.11r QUESTION

Wireless clients scan for other APs from time to time (probably more frequently when signal strength of currently used AP drops below some threshold). If client finds AP with same SSID and with better signal strength, it will change to the new one. Device will assume same SSID means same LAN, so it ...
by mkx
Mon Jul 26, 2021 1:46 pm
Forum: General
Topic: How to install CloudFlare origin SSL certificate on mikrotik
Replies: 4
Views: 147

Re: How to install CloudFlare origin SSL certificate on mikrotik

You need SSL certificate on device, which terminates connections. For HTTPS it's web service (or reverse proxy if one is used), not the router performing NAT. So even for HTTPS you only have to port forward external TCP port 443 to your internal server (preferably port 443 as well) which will handle...
by mkx
Mon Jul 26, 2021 1:42 pm
Forum: General
Topic: vlan by mac address on LAN with multiple mikrotik switches
Replies: 19
Views: 459

Re: vlan by mac address on LAN with multiple mikrotik switches

I don't think you can do it just like that without 802.1X, which is standard solution towards wired per-port security. While there are some hooks in mikrotik's DHCP server to work with radius, this doesn't cut the corner because at the end of the day, it's the access switch (where some end device is...
by mkx
Mon Jul 26, 2021 1:26 pm
Forum: Beginner Basics
Topic: layer 7 port forwarding
Replies: 17
Views: 470

Re: layer 7 port forwarding

Just save yourself some nerves and don't think of doing it on mikrotik. As @andrys already explained, it's a hack and as with all hacks, it might not work very well. If, OTOH, you go for proper solution[*], you'll have it done in no time and live happily ever after. [*] There are tons of proper reve...
by mkx
Mon Jul 26, 2021 1:19 pm
Forum: Wireless Networking
Topic: WI-FI ROAMING 802.11r QUESTION
Replies: 41
Views: 22646

Re: WI-FI ROAMING 802.11r QUESTION

So it is funny that now they would decide not to have basic functionality of a WiFi access point in "old" equipment (I presume that would be the "new" equipment discussed above, because really old equipment has enough space), "due to space restrictions". It's not that ...
by mkx
Mon Jul 26, 2021 1:09 pm
Forum: Beginner Basics
Topic: Hex vs Hex S [SOLVED]
Replies: 22
Views: 517

Re: Hex vs Hex S [SOLVED]

hEX (and hEX S) is a pretty good device for its money. But when thinking about dual WAN of decent speeds (as implied by fibre infrastructure), hEX might be slightly underpowered as it can route at around 1Gbps (full duplex). If you foresee total routing throughput of more than 1Gbps, you'll have to ...
by mkx
Mon Jul 26, 2021 1:06 pm
Forum: RouterOS v7 BETA
Topic: v7 launch date
Replies: 122
Views: 12683

Re: v7 launch date

RB5009 was not officially announced yet. So far it took quite some months between official announcement and availability on the street for any new device in last few years. If this tradition remains, we might see stable ROS v7 (for all supported devices) at around same time as street availability of...
by mkx
Mon Jul 26, 2021 10:58 am
Forum: Beginner Basics
Topic: Hex vs Hex S [SOLVED]
Replies: 22
Views: 517

Re: Hex vs Hex S [SOLVED]

Using xPON SFPs in Mikrotik devices directly is not supported. Sometimes it works, but mostly it doesn't. If you don't want to lose much time (and money), I suggest you to plan to use the ISP-provided ONU as a media converter. Both devices you're mentioning (hEX and hEX S) are more or less identica...
by mkx
Mon Jul 26, 2021 10:04 am
Forum: Beginner Basics
Topic: Routing different networks unstable
Replies: 4
Views: 339

Re: Routing different networks unstable

Setting wireless frequency manually is sometimes a good thing. Disabling RSTP is good when you know there can't be any loops in your network. But the underlying problem one might see with RSTP in conjunction with wireless is the following: when there are no active clients of wireless, by default wir...
by mkx
Mon Jul 26, 2021 10:00 am
Forum: General
Topic: pi hole after mikrotik router - get remote IP?
Replies: 8
Views: 557

Re: pi hole after mikrotik router - get remote IP?

change the Ether1 IP to 10.0.0.253/29 change WiFi IP to 10.0.0.50/28 (and setup the pool to 50-60) route 0.0.0.0/0 to fortigate 10.0.0.254 (as now) No, that wouldn't do, because neither 10.0.0.150 (pihole) nor 10.0.0.254 (router) are members of subnet 10.0.0.50/28 (which covers IP addresses between...
by mkx
Mon Jul 26, 2021 9:21 am
Forum: RouterBOARD hardware
Topic: Hardware recommendation for Internet gateway
Replies: 4
Views: 209

Re: Hardware recommendation for Internet gateway

I agree with what @mducharme wrote. Only ... hAP ac 2 with performance similar to the one of hAP ac 3 is quite cheaper. RB3011 is a decent device, but based on slightly older CPU etc. Still decent performer, specially with 10 ethernet ports. One just have to be careful, there are two switch chips ru...
by mkx
Mon Jul 26, 2021 8:55 am
Forum: Beginner Basics
Topic: Drop Invalid vs. Drop "all"
Replies: 16
Views: 512

Re: Drop Invalid vs. Drop "all"

Re. drop invalid: invalid packets are not the ones that don't have corresponding entry in conntrack table (in principle those are "new" packets), but those which don't have valid characteristics. That could either be invalid according to existing conntrack entry (i.e. too low sequence numb...
by mkx
Sun Jul 25, 2021 9:26 pm
Forum: RouterBOARD hardware
Topic: Powerbox Pro overload detection
Replies: 13
Views: 4849

Re: Powerbox Pro overload detection

If you can live without having observability and control of the remote device, then you could try using either RBPOE or RBGPOE passive injectors instead of using RB960GSP PoE out. RBGPOE is rated at 2A, I'm not sure about short circuit protection ...
by mkx
Sun Jul 25, 2021 6:08 pm
Forum: Beginner Basics
Topic: hAP ac3 - VLAN & inter-VLAN
Replies: 21
Views: 1140

Re: hAP ac3 - VLAN & inter-VLAN

For starters read (and understand) the VLAN tutorial, @anav posted link in post #2 above. Nowadays it's the most versatile way of doing it (perhaps not the most resource friendly but with hAP ac3 this shouldn't be a problem). Remember, VLANs are sort of LANs. When it comes to connectivity between dif...
by mkx
Sun Jul 25, 2021 5:18 pm
Forum: Wireless Networking
Topic: Low wifi coverage in bedroom
Replies: 5
Views: 250

Re: Low wifi coverage in bedroom

You could position the 1st floor AP centrally, but that might mean losing backyard coverage. So probably you'll have to add the third AP somewhere close to master bedroom. You might want to go with 5GHz only. You might be able to decrease Tx power of AP slightly, but not too much, you want that AP's...
by mkx
Sun Jul 25, 2021 4:12 pm
Forum: General
Topic: Input firewall filter prioritization [SOLVED]
Replies: 29
Views: 789

Re: Input firewall filter prioritization [SOLVED]

@anav, but how do they come to your mind? :)))

Could be his finger hurts due to exposition to a nutcracker? ;-)
by mkx
Sun Jul 25, 2021 3:45 pm
Forum: General
Topic: Input firewall filter prioritization [SOLVED]
Replies: 29
Views: 789

Re: Input firewall filter prioritization [SOLVED]

Try not to always think badly, I understand that sometimes I deserve a kick in the balls, but really this time there was nothing wrong... Your first post in this thread (the #4) was all about why OP should not do something and nothing about how OP could achieve what he wanted to do. Even if your go...
by mkx
Sun Jul 25, 2021 12:44 pm
Forum: General
Topic: vlan by mac address on LAN with multiple mikrotik switches
Replies: 19
Views: 459

Re: vlan by mac address on LAN with multiple mikrotik switches

Radius can help, but only if LAN forces authentication process for all devices. The authentication process then needs to involve radius server and might be WiFi WPA2 (the enterprise version) or 802.1X. If the network doesn't enforce authentication, then you could configure MAC-based VLAN on all acce...
by mkx
Sun Jul 25, 2021 12:36 pm
Forum: General
Topic: Input firewall filter prioritization [SOLVED]
Replies: 29
Views: 789

Re: Input firewall filter prioritization [SOLVED]

what are you writing? When I start to write reply, sometimes it takes some time to formulate it so that it fits the question as much as possible (trying to verify things on the go). It seems like you are much faster at writing your posts. But then, when I finished the answer and tried to post it, f...
by mkx
Sun Jul 25, 2021 12:44 am
Forum: General
Topic: Input firewall filter prioritization [SOLVED]
Replies: 29
Views: 789

Re: Input firewall filter prioritization [SOLVED]

If WG is running on router itself, then you might have a problem ... normally only one service can use a protocol/port number (e.g. TCP/53). When another service tries to acquire access to already used port, it's denied. In linux it is possible to attach service to one of configured IP addresses and...
by mkx
Sat Jul 24, 2021 8:57 pm
Forum: RouterOS v7 BETA
Topic: CRS317 l3hw + firewall question
Replies: 2
Views: 267

Re: CRS317 l3hw + firewall question

If I set the ports back to hw accelerated = yes, within 2-3seconds speeds go up to linerate and cpu down to 2%

So where exactly is the problem? HW offload of fasttracked connections also require l3-hw-offloading=yes.
by mkx
Sat Jul 24, 2021 11:20 am
Forum: RouterBOARD hardware
Topic: 48-Volt POE-Out switches
Replies: 19
Views: 2079

Re: 48-Volt POE-Out switches

http://www.microset.net/componenti.php?modid=160&imgid=33&lang=en Interesting ... for Italian-speaking users the efficiency of these units is 85%-90% and for the rest it's >90% (which I read as "more than 90%" and according to my understanding 85%-90% is mostly "less than 90%...
by mkx
Fri Jul 23, 2021 9:52 pm
Forum: Wireless Networking
Topic: Mikrotik - Early Access beta hardware?
Replies: 13
Views: 683

Re: Mikrotik - Early Access beta hardware?

@anav, so you became a mind reader after all, you know what @rextended had in mind when he wrote what he wrote. However, OP in his initial post expressly asked about "...for early access hardware or beta testing." So I took the whole sentence to be about hardware as we all have opportunity...
by mkx
Fri Jul 23, 2021 9:46 pm
Forum: General
Topic: CRS 2XX Management VLAN Question
Replies: 5
Views: 268

Re: CRS 2XX Management VLAN Question

Your setup seems fine with regard to vlan100 ... the switch chip settings, bridge and vlan interface. However, you have a small mess with trunked ports ether23 and ether24. The basic idea is that when ports become members of trunk, they are not referred by configuration anymore. Instead port trunk1 ...
by mkx
Fri Jul 23, 2021 6:24 pm
Forum: General
Topic: time of last config change
Replies: 4
Views: 270

Re: time of last config change

No, time of last change is not available.

There are tools to show differences in (text) files, it's possible to automate process.
by mkx
Fri Jul 23, 2021 6:22 pm
Forum: General
Topic: CRS 2XX Management VLAN Question
Replies: 5
Views: 268

Re: CRS 2XX Management VLAN Question

Post configuration for review: /export hide-sensitive file=anynameyouwish and copy-paste contents.
by mkx
Fri Jul 23, 2021 6:04 pm
Forum: Wireless Networking
Topic: Mikrotik - Early Access beta hardware?
Replies: 13
Views: 683

Re: Mikrotik - Early Access beta hardware?

Just one... correction... I disagree. Most devices older than 2 or 3 years are quite stable. Perhaps the newest in the roster (those depending on v7) will take a while longer to stabilize due to ROS v7 own instability. Unless devices are actually flawed by design (one might say that about e.g. RB40...
by mkx
Fri Jul 23, 2021 5:57 pm
Forum: General
Topic: Auto Run script on reset
Replies: 4
Views: 247

Re: Auto Run script on reset

Sure, almost nothing is really fool-proof. But I'd assume most tenants fiddling would simply push reset button and for that netinstall with custom configuration script is good enough. As soon as tenants get hold of admin password it's game over.
by mkx
Fri Jul 23, 2021 3:17 pm
Forum: General
Topic: Auto Run script on reset
Replies: 4
Views: 247

Re: Auto Run script on reset

You can install your own default configuration (which gets applied after device reset) when using netinstall for "bare metal" software install ... read description of Configure script property.
by mkx
Fri Jul 23, 2021 2:41 pm
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 72
Views: 6662

Re: MikroTik RB5009UG+S+IN

The routing performance increase compared to RB4011, as indicated in RB5009 propaganda, is not true. E.g. number under "Routing -> 25 ip filter rules -> 512 byte packets" shown in RB5009 propaganda is 624.3 kpps / 2557.1 Mbps. Official RB4011iGS+RM test results have in same "table cel...
by mkx
Fri Jul 23, 2021 2:23 pm
Forum: RouterBOARD hardware
Topic: The big CCR2004 reboot thread (was 2004 hardware issues?)
Replies: 190
Views: 24757

Re: The big CCR2004 reboot thread (was 2004 hardware issues?)

... and they are now asking me shitty CLI things... ... why network guys suggest it ? Mikrotik devices (running ROS in particular) are not really something to recommend to people with attitude towards CLI as you have. Most network guys, who know their stuff (be it Cisco, Juniper, ... or Mikrotik), ...
by mkx
Fri Jul 23, 2021 2:13 pm
Forum: Beginner Basics
Topic: Allow Remote DNS Requests
Replies: 6
Views: 462

Re: Allow Remote DNS Requests

... you will get in real trouble sooner or later!

Rather sooner than later.
by mkx
Fri Jul 23, 2021 11:45 am
Forum: Wireless Networking
Topic: Can't get started with mAP lite [SOLVED]
Replies: 4
Views: 285

Re: Can't get started with mAP lite [SOLVED]

You could try using WinBox with MAC connectivity to get into mAP lite. Before you ask: WinBox runs happily under Wine in Linux (and in similar windows-like environment in MacOS).
by mkx
Fri Jul 23, 2021 8:38 am
Forum: Wireless Networking
Topic: Mikrotik - Early Access beta hardware?
Replies: 13
Views: 683

Re: Mikrotik - Early Access beta hardware?

Yup ... buy new model devices from your local MT distributor and you're hooked up for beta testing. Or so it seems ...
by mkx
Fri Jul 23, 2021 8:28 am
Forum: Wireless Networking
Topic: Weird speed problem, bridged network
Replies: 7
Views: 396

Re: Weird speed problem, bridged network

b-c using 5230/20/an, f-g using 5220/20/an. I thought I was guaranteed no mutual interference between single 5GHz channels. ROS lets one set things which are not exactly according to standards / best practice. If you check the list of 5GHz channels you'll see that valid channel frequencies for 20MH...
by mkx
Thu Jul 22, 2021 4:27 pm
Forum: Wireless Networking
Topic: CAP AC, HAP AC2, CAPSMAN and channels
Replies: 14
Views: 803

Re: CAP AC, HAP AC2, CAPSMAN and channels

Thanks. I've learned another way of setting per-CAP settings (apart from making it in /capsman provisioning).
by mkx
Thu Jul 22, 2021 4:18 pm
Forum: Beginner Basics
Topic: CRS309 slow internet
Replies: 9
Views: 405

Re: CRS309 slow internet

No, CCR20xx devices are very fast with regard to routing and firewalling. CRS309 is a switch with low routing/firewalling speed. The speed difference between CCR20xx and CRS309 is more than 10-fold. What I wrote about CRS309 running ROS v7 is a future prospect which will become true in yet unknown t...
by mkx
Thu Jul 22, 2021 12:11 pm
Forum: Beginner Basics
Topic: CRS309 slow internet
Replies: 9
Views: 405

Re: CRS309 slow internet

When it comes to routing, both routers will dance circles around CRS309. Both routers might even route at 10Gbps depending on usage pattern. With ROSv7 CRS309 will become a great wire-speed router, when used as firewall it will depend on usage pattern (might be wire-speed or as slow as it is with RO...
by mkx
Thu Jul 22, 2021 11:57 am
Forum: Beginner Basics
Topic: CRS309 slow internet
Replies: 9
Views: 405

Re: CRS309 slow internet

Depending on amount of packet processing, needed to forward a packet between two router's interfaces, the net throughput can vary quite a lot. However, in typical SOHO environment a pretty good indication of device's performance is the number under "Ethernet Test Results -> Routing 25 ip filter...
by mkx
Thu Jul 22, 2021 10:57 am
Forum: Wireless Networking
Topic: The best simple way for multiSSID (guest) in Capsman
Replies: 3
Views: 280

Re: The best simple way for multiSSID (guest) in Capsman

True guest network is more than additional SSID ... it needs additional LAN setup (VLAN for L2 separation, IP setup on that VLAN). CAPsMAN is only there to provision radio interfaces (with VLAN IDs if needed), the rest has to be done manually ... most of it on router, depending on particular scenari...
by mkx
Thu Jul 22, 2021 10:54 am
Forum: Wireless Networking
Topic: Weird speed problem, bridged network
Replies: 7
Views: 396

Re: Weird speed problem, bridged network

Can you try UDP throughput test (e.g. using iperf)? I'm guessing that double RTT combined with power save kicking in makes TCP performance drop to floor while UDP performance might remain high. If that's so, you might want to look into WMM priorities...
by mkx
Wed Jul 21, 2021 3:26 pm
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 72
Views: 6662

Re: MikroTik RB5009UG+S+IN

But if there was a RB5018UG+S+RM ... I'd be in the line for one already ;-) A passively cooled CCR2004 with 16x 1Gbit and 2x SFP+ is coming. Not really the same. Specifications of RB5009 include a very fine switch chip (Marvell 88E6393), while CCR doesn't have one (PIPE is not switch chip, it's a d...
by mkx
Wed Jul 21, 2021 12:33 pm
Forum: Wireless Networking
Topic: CAP AC, HAP AC2, CAPSMAN and channels
Replies: 14
Views: 803

Re: CAP AC, HAP AC2, CAPSMAN and channels

Can you show export of such setup? I'm intrigued ;-)
by mkx
Wed Jul 21, 2021 12:29 pm
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 72
Views: 6662

Re: MikroTik RB5009UG+S+IN

I guess that enclosure as it is is to offer enough cooling surface ... for device being passively cooled and intended to be mounted in a dense pack (two one above another, two side-by-side) it needs some smartly designed enclosure. But if there was a RB5018UG+S+RM ... I'd be in the line for one alre...
by mkx
Wed Jul 21, 2021 12:22 pm
Forum: Wireless Networking
Topic: CAP AC, HAP AC2, CAPSMAN and channels
Replies: 14
Views: 803

Re: CAP AC, HAP AC2, CAPSMAN and channels

But does this way of setting things survive reboots (of either CAPsMAN or CAP)? The way I described settings are there for good. Configuration export and backup file has it as well ...
by mkx
Wed Jul 21, 2021 12:19 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta6 [development] is released!
Replies: 334
Views: 44521

Re: v7.1beta6 [development] is released!

We have such routing switches at work, and they are routing between VLANs inside an office. Do you enforce firewall filter for inter-VLAN connections? Without firewall enabled, those connections would be purely routed and for inter-VLAN routing the L3HW routing table is plenty large. OTOH, when I w...
by mkx
Wed Jul 21, 2021 11:29 am
Forum: Wireless Networking
Topic: CAP AC, HAP AC2, CAPSMAN and channels
Replies: 14
Views: 803

Re: CAP AC, HAP AC2, CAPSMAN and channels

@gotsprings: how exactly do you adjust settings for particular CAP? It is possible to set particular parameters for a CAP even if create-dynamic-enabled if you create per-CAP provisioning rules ... for this to work several provisioning rules are needed: a general catch-all rule and several specific ...
by mkx
Wed Jul 21, 2021 8:21 am
Forum: RouterOS v7 BETA
Topic: v7.1beta6 [development] is released!
Replies: 334
Views: 44521

Re: v7.1beta6 [development] is released!

if i may ask, what is the expected use case of offloading fasttracked connections? Wirespeed routing with firewall enabled? I agree that 4k connections is small number even for a small business let alone for an ISP, but that doesn't mean the functionality should not be developed. It's just that one...
by mkx
Wed Jul 21, 2021 8:08 am
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 72
Views: 6662

Re: MikroTik RB5009UG+S+IN

This one is a prime candidate for 4+ antennae WiFi version. Ugly as a sin, but it seems that's the way gameboys like it. On the serious note: if it had wireless, then the argumentation about particular form factor is not valid anymore. So if it came as wireless version, it would likely come in larger...
by mkx
Wed Jul 21, 2021 7:53 am
Forum: RouterOS v7 BETA
Topic: L3HW User Manual Updated
Replies: 16
Views: 1912

Re: L3HW User Manual Updated

I still don't fully understand why PVID setting is mandatory in practice. @raimondsp writes that omitting to set it keeps the default setting of pvid=1 (which we already know very well), but the argument about bridging the port with other ports with pvid=1 seems moot to me if frame-types property i...
by mkx
Tue Jul 20, 2021 9:11 am
Forum: RouterBOARD hardware
Topic: Constantly 'poe-status: power_reset' in hEX PoE [SOLVED]
Replies: 3
Views: 430

Re: Constantly 'poe-status: power_reset' in hEX PoE [SOLVED]

As I found out somewhere else, the reason they ship hEX pOE with 24V supply is to support passive PoE (which does not work with 48V power supply). As a matter of fact passive PoE does work with 48V power supply. It's that many (older) Mikrotik devices don't support supply voltages above around 30V,...
by mkx
Tue Jul 20, 2021 9:00 am
Forum: RouterOS v7 BETA
Topic: Fastpath with Input rules
Replies: 5
Views: 847

Re: Fastpath with Input rules

I guess that the thing is that when there are any firewall filter rules (which by definition enables stateful firewall), connection tracking has to be performed (because that's how connection state is determined). Connection tracking result is one of inputs for routing decision which in turn decides...
by mkx
Mon Jul 19, 2021 10:39 pm
Forum: RouterBOARD hardware
Topic: Constantly 'poe-status: power_reset' in hEX PoE [SOLVED]
Replies: 3
Views: 430

Re: Constantly 'poe-status: power_reset' in hEX PoE [SOLVED]

The PD complies with IEEE 802.3af and draws max. 3W at 24V. 802.3af/at and 24V don't go together. If you want to power an af/at PD, then you need a 48V power supply for RB960PGS. RB doesn't convert voltages, only passes whatever it receives from power adapter ... and don't start another round of qu...
by mkx
Mon Jul 19, 2021 5:43 pm
Forum: General
Topic: How to connect 2 networks
Replies: 7
Views: 400

Re: How to connect 2 networks

From functional point of view any mikrotik with at least 2 ethernet ports will do. From performance point of view they are not same after all, you will use it as router/firewall, which does stress device more than simple switching traffic. So it depends on what kind of performance you expect from it.
by mkx
Mon Jul 19, 2021 5:34 pm
Forum: Beginner Basics
Topic: Port 2 deletion in year 2021
Replies: 8
Views: 649

Re: Port 2 deletion in year 2021

It's better to change bridge MAC address. Physical ports have each one factory default (tied to hardware) while bridge is always "inventing" its own MAC address ... this way or another. One way is to use MAC of ether2 but replace second hex-digit from left with one of 2,6,A,E. E.g. if MAC ...
by mkx
Mon Jul 19, 2021 10:14 am
Forum: Beginner Basics
Topic: Port 2 deletion in year 2021
Replies: 8
Views: 649

Re: Port 2 deletion in year 2021

It brings down the network because bridge MAC address changes. By default bridge takes MAC address of first active member port and by default that's ether2. When you remove ether2 from bridge, it takes another MAC address (possibly of ether3 if that port is still member of bridge) and because of tha...
by mkx
Mon Jul 19, 2021 10:04 am
Forum: Beginner Basics
Topic: Having trouble blocking Port 22
Replies: 1
Views: 224

Re: Having trouble blocking Port 22

By default IP firewall doesn't filter traffic passing between bridged ports. If you want to enforce firewall rules on that traffic, you need in general two additional settings: set use-ip-firewall=yes in /interface bridge settings make sure traffic passing particular port (in your case ether1 with s...
by mkx
Sun Jul 18, 2021 7:41 pm
Forum: RouterBOARD hardware
Topic: Precision Time Protocol (PTP, IEEE 1588) Support
Replies: 20
Views: 1126

Re: Precision Time Protocol (PTP, IEEE 1588) Support

This is a forum for networking devices and not about my personal toying with time synchronization. Right. So you came to forum asking for PtP support on ridiculously cheap devices but when asked for you don't want to explain use case. So far all use cases requiring PtP (more than one) I know requir...
by mkx
Sun Jul 18, 2021 4:22 pm
Forum: Beginner Basics
Topic: Using sign § in password [SOLVED]
Replies: 5
Views: 437

Re: Using sign § in password [SOLVED]

As I wrote: there are many character encodings out there. Nowadays there's no reason not to use UTF-8 everywhere, but for historical reason many different encodings are used in various places and inter-working is not always smooth. The most frequent problem is assumption that application's "nati...
by mkx
Sun Jul 18, 2021 4:12 pm
Forum: Beginner Basics
Topic: Using sign § in password [SOLVED]
Replies: 5
Views: 437

Re: Using sign § in password [SOLVED]

OP is writing about "paragraph" sign, not about "dollar" sign.
by mkx
Sun Jul 18, 2021 3:32 pm
Forum: RouterBOARD hardware
Topic: Precision Time Protocol (PTP, IEEE 1588) Support
Replies: 20
Views: 1126

Re: Precision Time Protocol (PTP, IEEE 1588) Support

@2bn2t: I still fail to see use case for PtP support on low-end devices such as hAP ac2 or RB4011 (or even CCR routers for that matter). Can you kindly describe one for me (something that doesn't involve professional use where I'd expect professional devices in use)?
by mkx
Sun Jul 18, 2021 3:27 pm
Forum: Beginner Basics
Topic: Using sign § in password [SOLVED]
Replies: 5
Views: 437

Re: Using sign § in password [SOLVED]

Non-ascii characters have multiple different encodings and if both parties don't (actively) agree about which encoding is used, then there are problems. Winbox quite likely (implicitly) uses encoding associated to your windows language settings while webfig (and TikApp) uses some kind of http-encoded...
by mkx
Sun Jul 18, 2021 2:17 pm
Forum: General
Topic: ASK [current tx power]
Replies: 2
Views: 284

Re: ASK [current tx power]

Seems like it never worked on ac wireless chips. Whether the functionality (reporting) is not available from chipsets or MT didn't implement reading on those chips is question for MT devs.
by mkx
Sun Jul 18, 2021 1:18 pm
Forum: General
Topic: Port trunking problems [SOLVED]
Replies: 3
Views: 366

Re: Port trunking problems [SOLVED]

Post current (non-working) config and the diagram. Post text export (execute /export hide-sensitive file=anynameyouwish and copy-paste file contents).
by mkx
Sun Jul 18, 2021 1:15 pm
Forum: Beginner Basics
Topic: Have two SXTSQ lite5, nont would reinstall
Replies: 1
Views: 183

Re: Have two SXTSQ lite5, nont would reinstall

I guess only advice is to keep trying with netinstall. Netinstall process is highly fragile and you have to observe all requirements as set forth in netinstall manual. Often the cause of failing to do process correctly lies in (slightly) incompatible hardware and settings of PC used in the process. ...
by mkx
Sun Jul 18, 2021 1:07 pm
Forum: Beginner Basics
Topic: RouterOS do not drop unknown vlans?
Replies: 5
Views: 515

Re: RouterOS do not drop unknown vlans?

The thing is that with setting vlan-filtering=yes on bridge, ROS enforces certain level of security. One notable setting is subtree /interface bridge vlan which defines egress filtering. If you want to make CRS transparent to VLANs (and agree to move VLAN security to connected devices), then set vla...
by mkx
Sun Jul 18, 2021 12:16 pm
Forum: RouterOS v7 BETA
Topic: Routing speeds on v7 RB4011
Replies: 11
Views: 1390

Re: Routing speeds on v7 RB4011

... use under 15W ... Just bolt loads of Turbos and Superchargers to it and make it ludicrous! In the world where turbos and superchargers are meant verbatim, bolting those almost every time means that owner doesn't want to think about energy consumption (which is reflected to MPG which, in contrar...
by mkx
Sat Jul 17, 2021 11:41 pm
Forum: General
Topic: wireless client issue
Replies: 2
Views: 340

Re: wireless client issue

In short: either configure hAP lite as "client-pseudobridge" or "client-pseudobridge-clone" mode. But the result won't be ideal either way.

You can read longer article about the problems with setup like yours here.
by mkx
Sat Jul 17, 2021 7:26 pm
Forum: Wireless Networking
Topic: CAP AC, HAP AC2, CAPSMAN and channels
Replies: 14
Views: 803

Re: CAP AC, HAP AC2, CAPSMAN and channels

Channels "which do nothing" are DFS channels. When AP selects one of those channels as candidate for operations, it has to monitor activity on channel for 1 to 10 minutes and be silent during that period of time.
by mkx
Sat Jul 17, 2021 12:34 pm
Forum: Wireless Networking
Topic: CAP AC, HAP AC2, CAPSMAN and channels
Replies: 14
Views: 803

Re: CAP AC, HAP AC2, CAPSMAN and channels

The problem with CAPsMAN provisioned wireless network is that CAPs still autonomously select channels to operate (out of list of allowed channels provisioned by CAPsMAN) - unless you manually configure provisioning rules for each CAP. If all CAPs do the frequency scans at the very same time (e.g. aft...
by mkx
Sat Jul 17, 2021 12:17 pm
Forum: General
Topic: The problem with changing the ROS version
Replies: 1
Views: 280

Re: The problem with changing the ROS version

I suggest you to perform full netinstall. This procedure formats flash storage and removes all configuration. As you're mentioning multiple IP addresses it seems like you're using the device as router. There are multiple problems with such usage: CRS3xx devices are primarily switches. While they ca...
by mkx
Sat Jul 17, 2021 12:11 pm
Forum: General
Topic: PowerboxPro VLAN switching
Replies: 4
Views: 465

Re: PowerboxPro VLAN switching

You could use switch chip to do the tagging/untagging on ether ports and use bridge without vlan-filtering. This way bridge would act as dumb switch and SFP port would be trunk port for all VLANs available to CPU. Which is not all VLANs on switched ports, you can set VLAN membership for switch-cpu1 ...
by mkx
Fri Jul 16, 2021 3:35 pm
Forum: RouterBOARD hardware
Topic: Precision Time Protocol (PTP, IEEE 1588) Support
Replies: 20
Views: 1126

Re: Precision Time Protocol (PTP, IEEE 1588) Support

I find it hard to believe that any LTE base station (except picocells) would not have sufficient GPS reception to synchronize time. ... Only indoor installations could have problems with that. In some LTE networks, indoor installations make up for more than 50% of locations. Go figure. I use the se...
by mkx
Fri Jul 16, 2021 8:09 am
Forum: RouterBOARD hardware
Topic: Precision Time Protocol (PTP, IEEE 1588) Support
Replies: 20
Views: 1126

Re: Precision Time Protocol (PTP, IEEE 1588) Support

What exactly in typical office environment requires timing precision better than millisecond? Not all environments are office environments! I think he is hinting that it may be e.g. a recording studio environment. OP was asking about PTP availability on hAP ac2 ... personally I wouldn't use this un...
by mkx
Fri Jul 16, 2021 7:59 am
Forum: Beginner Basics
Topic: need to assign vlan to a bridge
Replies: 2
Views: 299

Re: need to assign vlan to a bridge

You want to go through this tutorial to get more or less complete overview of how to configure VLANs properly.
by mkx
Thu Jul 15, 2021 11:34 pm
Forum: RouterBOARD hardware
Topic: Precision Time Protocol (PTP, IEEE 1588) Support
Replies: 20
Views: 1126

Re: Precision Time Protocol (PTP, IEEE 1588) Support

I hope I understand you. I think that’s sarcasm? Yes, it is sarcasm, but only partially. IEEE1588v2 is essentially NTP with HW support. The net effect is higher time precision, both as absolute time and jitter. But one has to put things into perspective: plain old NTP can give precision in order o...
by mkx
Thu Jul 15, 2021 8:46 pm
Forum: RouterBOARD hardware
Topic: Precision Time Protocol (PTP, IEEE 1588) Support
Replies: 20
Views: 1126

Re: Precision Time Protocol (PTP, IEEE 1588) Support

Why would you ever need PTP on a home-device (hAP ac2)?

To have log entries with timestamps with nano-second precision?
by mkx
Thu Jul 15, 2021 6:28 pm
Forum: General
Topic: CAPS Man & different WIFI channel config
Replies: 22
Views: 1054

Re: CAPS Man & different WIFI channel config

But you do see different channels used on 2.4GHz: 1, 6 and 11. If you browse the document about channels (I posted the link in one of my previous posts) and jump to 2.4GHz section, you'll see a nice illustration showing that in 2.4GHz channels are in fact overlapping (and thus interfering with each ot...
by mkx
Wed Jul 14, 2021 7:30 pm
Forum: General
Topic: Firewall drop all !LAN is not the same as drop all WAN
Replies: 15
Views: 824

Re: Firewall drop all !LAN is not the same as drop all WAN

I don't think it's exception for me, I never asked for one.

However, there is exception for me: my ISP delegates reverse queries for my (static) IPv6 prefix to my own DNS server. :-)
by mkx
Wed Jul 14, 2021 7:25 pm
Forum: Announcements
Topic: MUM EUROPE AND OTHER UPCOMING EVENTS - POSTPONED!
Replies: 58
Views: 94720

Re: MUM EUROPE AND OTHER UPCOMING EVENTS - POSTPONED!

I guess Latvian women are state of art hardware running complex code and Latvian men like to deal with them ;-)
by mkx
Wed Jul 14, 2021 7:22 pm
Forum: General
Topic: Firewall drop all !LAN is not the same as drop all WAN
Replies: 15
Views: 824

Re: Firewall drop all !LAN is not the same as drop all WAN

Some ports, such as 53 ... we do not open them for any reason.

I'm glad I'm not your customer. I'm running DNS server authoritative for my personal domain at home. My ISP is letting me break my own balls ;-)
by mkx
Wed Jul 14, 2021 6:17 pm
Forum: Beginner Basics
Topic: checkout for optimization
Replies: 1
Views: 233

Re: checkout for optimization

In networking world in general there are no tools which automatically optimize everything to achieve superb throughput. So manual optimization is what remains. ROS offers quite some tools for observability, one can use specialized probes and tools for analyzing the traffic patterns and possible prob...
by mkx
Wed Jul 14, 2021 5:40 pm
Forum: RouterOS v7 BETA
Topic: v7 launch date
Replies: 122
Views: 12683

Re: v7 launch date

I'd rather say it's channel=frustrated_support_engineers ... frustrated by incompetent users who can't read warnings, written with letters of usual size and colour.
by mkx
Wed Jul 14, 2021 5:34 pm
Forum: RouterBOARD hardware
Topic: microSD vs USB
Replies: 3
Views: 447

Re: microSD vs USB

hEX S is built around MediaTek MT7621A chip, which supports USB 3.0 and SDXC. However hEX S implements USB 2.0 which means up to 480 Mbps. SDXC OTOH (the initial revision) means up to 104 MBps (which is around 830 Mbps). Meaning that SD is likely faster. But these are maximum numbers and storage imp...
by mkx
Wed Jul 14, 2021 4:48 pm
Forum: General
Topic: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware
Replies: 9
Views: 604

Re: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware

The problem with current fleet of Mikrotik devices is that while CRS3xx will be great for wirespeed routing, they likely don't have CPU powerful enough for firewalling at, say, 1Gbps (even if many connections will get fasttracked and thus HW offloaded). And I expect that users with 10Gbps LAN would ...
by mkx
Wed Jul 14, 2021 4:37 pm
Forum: Beginner Basics
Topic: Problem to see source address - port forward
Replies: 3
Views: 277

Re: Problem to see source address - port forward

add action=masquerade chain=srcnat src-address=192.168.100.0/24 add action=masquerade chain=srcnat src-address=10.6.0.0/21 add action=masquerade chain=srcnat You messed with src-nat royally. Default src-nat rule is single one: add action=masquerade chain=srcnat comment="defconf: masquerade"...
by mkx
Wed Jul 14, 2021 4:23 pm
Forum: Beginner Basics
Topic: inquiry about bonding
Replies: 5
Views: 385

Re: inquiry about bonding

Bonding multiple physical links into single logical link means that if sender randomly (or using some deterministic algorithm) selects one of links to send a packet, then receiver knows how to deal with it. In your case that means router might decide to send packet with destination IP address 172.16...
by mkx
Wed Jul 14, 2021 8:57 am
Forum: General
Topic: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware
Replies: 9
Views: 604

Re: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware

Right. As long as that device comes with price tag friendly to one's budget constraints. Right? ;-)
by mkx
Wed Jul 14, 2021 8:54 am
Forum: General
Topic: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware
Replies: 9
Views: 604

Re: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware

... just wait for v7 which comes with HW offload for L3

which will (very likely) work on CRS3xx line of devices (not others). And perhaps future devices, built around similar ASICs.
by mkx
Wed Jul 14, 2021 8:52 am
Forum: General
Topic: CRS328-4C-20S-4S High CPU
Replies: 3
Views: 339

Re: CRS328-4C-20S-4S High CPU

Are you running a recent version of ROS? According to manual, CRS3xx is the only device family which can HW offload MSTP. Could be that this was added in some recent ROS version. Could be there's a bug regarding MSTP HW offload as well. If you're running one of recent ROS versions, then I suggest y...
by mkx
Wed Jul 14, 2021 8:44 am
Forum: Beginner Basics
Topic: inquiry about bonding
Replies: 5
Views: 385

Re: inquiry about bonding

Bonding is Layer 2 (ethernet) feature. All links, parts of bond, have to run between same logical link partners. Usually that means single device on each end. Stacked switches are logically single device, in this case bond links are connected to different physical switches. But in any case, bond is ...
by mkx
Tue Jul 13, 2021 6:13 pm
Forum: General
Topic: CAPS Man & different WIFI channel config
Replies: 22
Views: 1054

Re: CAPS Man & different WIFI channel config

There are local AP settings and there are CAPsMAN settings. When device is used as CAP device, certain (most notably wireless) settings on local device are overridden with CAPsMAN settings. If CAPsMAN setup limits devices to certain frequencies, devices will (automatically) select one of frequencies ...
by mkx
Tue Jul 13, 2021 2:45 pm
Forum: General
Topic: wireless bridge between two Mikrotiks for IPTV STB
Replies: 23
Views: 1336

Re: wireless bridge between two Mikrotiks for IPTV STB

The reason it's done is because they want to allow low data rate protocols like mDNS through but to prevent things like IPTV from clogging the precious shared broadcast medium that is WiFi. Not really, this constraint is not payload-specific, it's the same for all multicast and broadcast. And exact...
by mkx
Tue Jul 13, 2021 2:33 pm
Forum: General
Topic: wireless bridge between two Mikrotiks for IPTV STB
Replies: 23
Views: 1336

Re: wireless bridge between two Mikrotiks for IPTV STB

... iptv over wifi really works for me but only if I use BCP bridge over pptp or station-wds mode. If I use station-bridge as described here it doesn't work as I expected. That's because from wireless point of view, BCP is unicast (between AP and client) and is thus "bufferable". Even if ...
by mkx
Tue Jul 13, 2021 11:07 am
Forum: General
Topic: CAPS Man & different WIFI channel config
Replies: 22
Views: 1054

Re: CAPS Man & different WIFI channel config

AFAIK CAPsMAN does not really affect the way CAP works, it only provisions CAPs. Which means that CAPs are free to select any frequency channel from the provisioned list of channels. And this in turn means that frequency channel co-ordination between CAPs is not better than between usual APs. It als...
by mkx
Tue Jul 13, 2021 10:49 am
Forum: General
Topic: wireless bridge between two Mikrotiks for IPTV STB
Replies: 23
Views: 1336

Re: wireless bridge between two Mikrotiks for IPTV STB

There is no such thing as "reliable wireless" in a shared spectrum (such as WiFi). There will always be possibility for some interferer to kill the performance of your wireless link. There are two problems when sending broadcasts over wireless: wireless clients go to sleep. It's a big prob...
by mkx
Mon Jul 12, 2021 8:24 pm
Forum: RouterBOARD hardware
Topic: hEX PoE RB960PGS does not power Netgear WAX214 [SOLVED]
Replies: 7
Views: 782

Re: hEX PoE RB960PGS does not power Netgear WAX214 [SOLVED]

I guess because in the vast majority of cases these boxes are used to power other Mikrotik branded devices most of which accept Passive PoE, in which case the default 24V power supply is sufficient. Yes, but a higher voltage wouldn't hurt either, right? Actually it would hurt. Many Mikrotik devices...
by mkx
Mon Jul 12, 2021 3:15 pm
Forum: Beginner Basics
Topic: Block internet from all but one user
Replies: 22
Views: 992

Re: Block internet from all but one user

So we have different attitude towards this forum. Personally I try to offer technical support for whatever poster asks and I'm generally not suggesting a completely different approach to solving the problem. Unless it's different approach but still technical by means of using (preferably MT) device....
by mkx
Mon Jul 12, 2021 3:06 pm
Forum: Beginner Basics
Topic: Siemens PLC, KEpware, cant get destination NAT working [SOLVED]
Replies: 3
Views: 428

Re: Siemens PLC, KEpware, cant get destination NAT working [SOLVED]

Yes, I was thinking of port forwarding. Example: if PLC is accepting connections on TCP port number 8123, and you only want to forward connections from single management machine, then you actually need NAT rule like this: /ip firewall nat add action=dst-nat chain=dstnat src-address=10.20.30.40/32 ds...
by mkx
Mon Jul 12, 2021 1:01 pm
Forum: General
Topic: Find hostname between vlan
Replies: 12
Views: 671

Re: Find hostname between vlan

But do you have tips to make smooth connection while user from AP1 moving to area AP2 Using CAPsMAN does not enhance roaming experience. The only real benefit of using CAPsMAN is easier deployment of multiple CAPs with identical (or almost identical) configuration. There's a feature of CAPsMAN that...
by mkx
Mon Jul 12, 2021 12:49 pm
Forum: Beginner Basics
Topic: Block internet from all but one user
Replies: 22
Views: 992

Re: Block internet from all but one user

@rextended: I think your last answer was un-needed. OP asked for help with technical issue while you're telling him how to live his personal life (and that's none of business of any of forum members). It wasn't the first time where your answers were way out of scope. If I were @hillelana, I'd report...
by mkx
Mon Jul 12, 2021 12:42 pm
Forum: Beginner Basics
Topic: Siemens PLC, KEpware, cant get destination NAT working [SOLVED]
Replies: 3
Views: 428

Re: Siemens PLC, KEpware, cant get destination NAT working [SOLVED]

Does the PLC device know to use 172.30.1.5 as default gateway (or at least for specific subnet where KEpware host resides)? If not, then you'll have to add src-nat for KEpware traffic: /ip firewall nat add action=masquerade chain=srcnat dst-address=172.30.1.2 so that packets will appear to originate...
by mkx
Mon Jul 12, 2021 8:14 am
Forum: Beginner Basics
Topic: Block internet from all but one user
Replies: 22
Views: 992

Re: Block internet from all but one user

One thing to keep in mind: once a connection is fasttracked, it (mostly) bypasses any firewall filter and the drop rules won't break it. Only new connections won't be able to establish. If you want to break existing connections, then either disable fasttrack (not a very good idea from performance po...
by mkx
Sun Jul 11, 2021 11:58 pm
Forum: General
Topic: 1 Gbit/s with active mangle rules and queues?
Replies: 2
Views: 319

Re: 1 Gbit/s with active mangle rules and queues?

You just have to exclude connections which need to be mangled or queued from being fasttracked. This can be achieved either by changing the general "fasttrack all" firewall filter rule so that it excludes wanted connections by creating specific accept rules for wanted connections and plac...
by mkx
Sun Jul 11, 2021 1:09 pm
Forum: Beginner Basics
Topic: Route lan and wlan traffic on Router/Modem to Routerboard and back to WAN
Replies: 11
Views: 615

Re: Route lan and wlan traffic on Router/Modem to Routerboard and back to WAN

Not many SOHO routers can be configured the way you are describing ... MT is a rare exception because even entry-level routers run full-featured ROS (which means that it comes with associated configuration complexity which puzzles most newbies). Which means that most probably D-link doesn't allow to...
by mkx
Sat Jul 10, 2021 8:42 pm
Forum: Beginner Basics
Topic: Route lan and wlan traffic on Router/Modem to Routerboard and back to WAN
Replies: 11
Views: 615

Re: Route lan and wlan traffic on Router/Modem to Routerboard and back to WAN

It might be possible, but as @anav already wrote, it mostly depends on what D-link allows you to do and how exactly ISP delivers internet to you. Here's my example: my ISP gave me xDSL/router/wifi all-in-one box (some minor vendor) while internet service is on top of PPPoE. In this case using that d...
by mkx
Sat Jul 10, 2021 6:32 pm
Forum: Beginner Basics
Topic: Parsec Port Forwarding
Replies: 4
Views: 405

Re: Parsec Port Forwarding

I guess this article should give enough information for anyone half-capable of setting ROS port forwarding to get it done.
by mkx
Sat Jul 10, 2021 4:42 pm
Forum: General
Topic: Help MT constantly sending request to Google
Replies: 22
Views: 875

Re: Help MT constantly sending request to Google

You obfuscated the screenshot a tad too much. But src-mac printed starts with F0:9F:C and if it continues with "2", this means some Ubiquiti in your LAN is actually misbehaving.

And it does look suspicious, requests are highly periodic. Usual usages don't look as periodical.
by mkx
Sat Jul 10, 2021 12:00 am
Forum: SwOS
Topic: RB260GSP, short circuit error
Replies: 28
Views: 1484

Re: RB260GSP, sort circuit error

Max power consumption of hAP ac2 is rated at 16W (21W with attachments whatever that means) and I guess that it really can draw that much power at some stage during boot time. Add 5 Watts of power consumption of the cascaded RB260GSP to get total power draw of 21W. And with supply voltage around 22 ...
by mkx
Fri Jul 09, 2021 11:24 pm
Forum: RouterOS v7 BETA
Topic: L3HW User Manual Updated
Replies: 16
Views: 1912

Re: L3HW User Manual Updated

If I understood @raimondsp's explanation correctly, then it's the same for all devices and kind of makes sense: when bridge port has PVID set (and it always has one, if nothing else the implicit pvid=1), then it gets automatically added as untagged member of corresponding VLAN. Unless it's explicitl...
by mkx
Fri Jul 09, 2021 11:05 pm
Forum: Beginner Basics
Topic: edit or change interface configuration [SOLVED]
Replies: 4
Views: 509

Re: edit or change interface configuration [SOLVED]

Command "set" takes number of parameters but only single one is used as "change settings of this item" and even that parameter is optional (if omitted, command asks for numbers). The rest of parameters are actions. Your example command changes values of the following properties: ...
by mkx
Fri Jul 09, 2021 1:07 am
Forum: General
Topic: Exclude Address Lists from Export? [SOLVED]
Replies: 8
Views: 676

Re: Exclude Address Lists from Export? [SOLVED]

Dynamic entries in lists don't get exported. So if you can make all (most?) list entries dynamic, it won't bloat configuration exports.
by mkx
Fri Jul 09, 2021 12:53 am
Forum: RouterOS v7 BETA
Topic: L3HW User Manual Updated
Replies: 16
Views: 1912

Re: L3HW User Manual Updated

pvid property of /in/br/port is mandatory. If you omit it, the default pvid=1 is used, meaning the port gets bridged with other ports with VLAN ID 1. We do not want this, so we explicitly set pvid=20. Setting port's pvid leads to a dynamic vlan creation where the port is untagged by default. But we...
by mkx
Thu Jul 08, 2021 4:09 pm
Forum: RouterOS v7 BETA
Topic: L3HW User Manual Updated
Replies: 16
Views: 1912

Re: L3HW User Manual Updated

IMO there's an error in the "VLAN configuration example": /interface/bridge/port add bridge=bridge interface=ether2 pvid=20 /interface/bridge/vlan add bridge=bridge tagged=bridge,ether2 vlan-ids=20 Doesn't first line of this example set ether2 as access port for VID 20 and should thus be s...
by mkx
Thu Jul 08, 2021 2:38 pm
Forum: Wireless Networking
Topic: CAP ac + PoE IpCamera
Replies: 5
Views: 470

Re: CAP ac + PoE IpCamera

No, it's not WISP. AFAIK WISP mode uses one of wlan interfaces as WAN interface (instead of ether1), sets firewall almost as standard except for management access which is allowed from WAN and not from LAN (other modes set it just the opposite). As I wrote, I don't think there's QuickSet mode approp...
by mkx
Thu Jul 08, 2021 2:32 pm
Forum: RouterOS v7 BETA
Topic: mDNS repeater feature
Replies: 50
Views: 2675

Re: mDNS repeater feature

It's not entire nonsense, sometimes it's not possible to do it differently. Here's example: you have an IoT gadget. It might not need internet, so you want to block internet access for it. Fine, you can use IP firewall filter if you know gadget's IP address. The later part can be tricky with IPv6 an...
by mkx
Thu Jul 08, 2021 12:23 pm
Forum: Wireless Networking
Topic: CAP ac + PoE IpCamera
Replies: 5
Views: 470

Re: CAP ac + PoE IpCamera

I guess cAP ac devices could be configured as simple ethernet switch / AP combo, i.e. both attached IP cameras and wireless clients become part of common LAN segment, fully governed by main router (RB2011). @Normis, when can we expect to see a "ethernet switch / AP" QuickSet profile? The c...
by mkx
Thu Jul 08, 2021 12:15 pm
Forum: Beginner Basics
Topic: DHCP on bridge, only offer on eth1 [SOLVED]
Replies: 1
Views: 453

Re: DHCP on bridge, only offer on eth1 [SOLVED]

Since both network subnets (10.108.0.0/16 and 10.101.0.0/16) don't overlap you already need routing between those two subnets. In this case you can ditch the bridge, configure both ports as individual interfaces and allow routing between them. Depending on the rest of network infrastructure some rou...
by mkx
Thu Jul 08, 2021 8:24 am
Forum: General
Topic: Using one MT box to sign TLS certs for another
Replies: 11
Views: 666

Re: Using one MT box to sign TLS certs for another

Disclaimer: never tried myself.

Did you import the private key that goes with certificate as well? This thread contains some hints on what needs to be done ...
by mkx
Thu Jul 08, 2021 8:01 am
Forum: Beginner Basics
Topic: How do I start troubleshooting an "I - invalid" configuration?
Replies: 8
Views: 595

Re: How do I start troubleshooting an "I - invalid" configuration?

Generally ROS doesn't accept configuration stanza which is profoundly broken. But then there are configuration stanzas which are syntactically correct but don't make sense in current context of overall configuration. The thing is that with ROS one can do many things that are not really possible with...
by mkx
Wed Jul 07, 2021 7:46 pm
Forum: RouterBOARD hardware
Topic: SFP+ on the small devices
Replies: 14
Views: 1129

Re: SFP+ on the small devices

I'm not saying that nobody will need more than Gbps in near future. But, in home environment, how often do we really see need for 2.5Gbps+ connections? E.g. can your home NAS sustain transfer speeds considerably exceeding 1Gbps (125MBps) for extended periods of time? And are you willing to pay bonus...
by mkx
Wed Jul 07, 2021 4:11 pm
Forum: RouterBOARD hardware
Topic: SFP+ on the small devices
Replies: 14
Views: 1129

Re: SFP+ on the small devices

The 2.5Gbps RJ port variant would then be a ...4P+1S+ (according to official naming guide).
by mkx
Wed Jul 07, 2021 2:30 pm
Forum: Beginner Basics
Topic: (silly) question how does DNS query forwarded / DCHP DNS settings
Replies: 20
Views: 1206

Re: (silly) question how does DNS query forwarded / DCHP DNS settings

Adresse IPv6 locale du lien : fe80::997f:70f6:408e:ac18%18
Adresse IPv4 : 10.99.99.243
Serveurs DNS IPv4 : 10.99.99.1

The highlighted information from your LAN computer indicates that it is receiving router's IP address to be used as DNS server. This setting is configured in /ip dhcp-server network ,...
by mkx
Wed Jul 07, 2021 12:21 pm
Forum: Beginner Basics
Topic: How do I start troubleshooting an "I - invalid" configuration?
Replies: 8
Views: 595

Re: How do I start troubleshooting an "I - invalid" configuration?

A good place to start looking would be system logs ... not everything is recorded, but something might pop up. But my experience is that there isn't a single way to troubleshoot configuration problems and one often has to deduce the problems.
by mkx
Tue Jul 06, 2021 11:12 pm
Forum: Wireless Networking
Topic: Wap ac as router
Replies: 3
Views: 392

Re: Wap ac as router

CAPsMAN comes handy if you have many APs. I wouldn't deploy it for one or two APs (actually I am doing it at home ... purely as a lab setup). And it's certainly overkill to use it for provisioning wireless on very same device (it's possible to do it with some tinkering). I'm not sure which Quick Set...
by mkx
Tue Jul 06, 2021 10:53 pm
Forum: RouterBOARD hardware
Topic: Repurposing old FibreChannel SFP transceivers [SOLVED]
Replies: 4
Views: 937

Re: Repurposing old FibreChannel SFP transceivers [SOLVED]

If they work, they'll work at 1Gbps. And they'll likely overheat, older SFPs consumed more power than modern ones while Mikrotik devices generally are not known to be good at heat dissipation (specially so the passively cooled ones).
by mkx
Tue Jul 06, 2021 5:54 pm
Forum: Wireless Networking
Topic: Wap ac as router
Replies: 3
Views: 392

Re: Wap ac as router

Yes, wAP ac can be a very capable router (routing up to around 1 Gbps, depending on complexity of firewall filter rules). Beware though that current Mikrotik devices are not the fastest when it comes to wireless. If configured properly (sometimes some tweaking is needed, what exactly depends on part...
by mkx
Tue Jul 06, 2021 5:44 pm
Forum: Beginner Basics
Topic: Import a Filterlist?
Replies: 1
Views: 314

Re: Import a Filterlist?

There are many ways to filter traffic with ROS, one would be to use address lists. However, the lists on link you posted are lists of domains and filtering the domains (more or less straight-forward) can be done only in L7 filters ... And L7 filters are becoming more and more useless because everyth...
by mkx
Tue Jul 06, 2021 5:37 pm
Forum: Beginner Basics
Topic: hostname to ip:port
Replies: 3
Views: 406

Re: hostname to ip:port

I need hostname "hello.website.com" to forward to 192.168.10.25:5520 in my LAN. How to accomplish that on my mikrotik?

I'm guessing you're after a slightly more complicated setup than the one explained by @erlinden and @anav ... so in case you want to forward hello.website.com (TCP port 80...
by mkx
Mon Jul 05, 2021 7:05 pm
Forum: General
Topic: free space discrepancy between hap models
Replies: 7
Views: 513

Re: free space discrepancy between hap models

If you really want to be sure both devices are in same (vanilla) state, you should check disk free status right after netinstall without backups uploaded and restored. But, as previous posters already explained, SMIPS packages are waaay smaller than others (e.g. ARM). For example: in ROS 6.48.3 syst...
by mkx
Sun Jul 04, 2021 10:46 pm
Forum: Wireless Networking
Topic: CAPsMAN Help
Replies: 14
Views: 1015

Re: CAPsMAN Help

CAP packets are encapsulated in ethernet frames and are treated by switch the same way as IP packets (encapsulated in ethernet frames). For CAP device to communicate with CAPsMAN in usual cases the connection has to be transparent and playing with VLANs on all 3 devices doesn't help if you don't re...
by mkx
Sun Jul 04, 2021 3:47 pm
Forum: General
Topic: Could I know how router is powered via Winbox?
Replies: 3
Views: 356

Re: Could I know how router is powered via Winbox?

The way mikrotik devices (most of them, some need explicitly distinct voltage levels for supporting diverse PoE out options) combine different power sources is pretty simple: they are all fed via simple diodes and then joined together. Diodes prevent power from leaking out. That also explains the fa...
by mkx
Sat Jul 03, 2021 4:09 pm
Forum: General
Topic: NAT, masquerading, src, dst? Confused (picture) [SOLVED]
Replies: 5
Views: 655

Re: NAT, masquerading, src, dst? Confused (picture) [SOLVED]

You can't use single mAP. It would have to connect to two APs at the same time. Both APs will likely use different channels and client which has single radio can not deal with it.
by mkx
Sat Jul 03, 2021 3:52 pm
Forum: Beginner Basics
Topic: Mikrotik + freeradius auth with /etc/shadow
Replies: 2
Views: 377

Re: Mikrotik + freeradius auth with /etc/shadow

Mikrotik doesn't know anything about your /etc/shadow file. The problem is thus completely related to configuration of whatever radius implementation you're using.
by mkx
Sat Jul 03, 2021 3:46 pm
Forum: RouterOS v7 BETA
Topic: v7 launch date
Replies: 122
Views: 12683

Re: v7 launch date

Anyone care to comment if that means the 7.1 beta might well be "stable" enough for me with my RB4001, CRS328 and 4x cAP AC?

Really? You didn't read to the end of post you quoted part of? @raimondsp clearly wrote that (everything) still needs polishing. I wonder how you'd deal with rough ...
by mkx
Tue Jun 29, 2021 3:40 pm
Forum: General
Topic: Missing Firewall ACTION at Logs
Replies: 9
Views: 465

Re: Missing Firewall ACTION at Logs

If you only enable logging for single rule, you know the action from rule definition. If you enable logging of multiple rules, then add appropriate log prefixes. If you're going into troubleshooting, then adding logging prefixes is the least problem you have at that point. BTW, packets not triggering...
by mkx
Tue Jun 29, 2021 3:17 pm
Forum: General
Topic: Missing Firewall ACTION at Logs
Replies: 9
Views: 465

Re: Missing Firewall ACTION at Logs

You don't want to log everything, you just want to log things while debugging certain rules.
by mkx
Wed Jun 23, 2021 11:11 pm
Forum: General
Topic: wireless bridge between two Mikrotiks for IPTV STB
Replies: 23
Views: 1336

Re: wireless bridge between two Mikrotiks for IPTV STB

I'd replace the pwr-line AP with some at least half-decent AP in this setup ....
by mkx
Wed Jun 23, 2021 3:05 pm
Forum: General
Topic: Problems with VLAN and Bridge
Replies: 6
Views: 606

Re: Problems with VLAN and Bridge

You have to be aware that hEX S is not really a beast of a router. It can realistically route at around 0.5 Gbps depending on amount and complexity of firewall rules. It's been mentioned on this forum before, that some devices in certain conditions seem to struggle tagging and untagging packets passi...
by mkx
Wed Jun 23, 2021 2:35 pm
Forum: General
Topic: So why do I want to run ROS on a Switch when SWOS is just fine?
Replies: 17
Views: 1220

Re: So why do I want to run ROS on a Switch when SWOS is just fine?

If one can (safely?) assume that switch performance is the same when running either of supported OSes (ROS, SwOS), and one doesn't need L3 functions, then it boils down to personal preference regarding administrative UI. Some users, very well acquainted to CLI and ROS, will obviously prefer running ...
by mkx
Wed Jun 23, 2021 8:22 am
Forum: RouterOS v7 BETA
Topic: v7.1beta6 [development] is released!
Replies: 334
Views: 44521

Re: v7.1beta6 [development] is released!

One last question along these lines. Will existing CCR products get hardware/fasttrack/any accelerated IPv6 support or is this only happening in the new devices with the newer switch hardware?

Fasttrack is software feature, so yes, when IPv6 fasttrack gets (finally) implemented, it will be on all ...
by mkx
Tue Jun 22, 2021 7:53 pm
Forum: General
Topic: Problems with VLAN and Bridge
Replies: 6
Views: 606

Re: Problems with VLAN and Bridge

If you haven't already, I suggest you to read through this nice tutorial.

The problem when using VLAN 1 is that VID=1 is (implicit) default PVID setting for all bridge ports and if you're not careful, you get mix of tagged and untagged traffic.
by mkx
Tue Jun 22, 2021 3:12 pm
Forum: General
Topic: Problems with VLAN and Bridge
Replies: 6
Views: 606

Re: Problems with VLAN and Bridge

add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3

As ports ether3 and ether5 are hybrid ports carrying both untagged (VLAN1) and ...
by mkx
Tue Jun 22, 2021 1:54 pm
Forum: Beginner Basics
Topic: mAP Lite cap configuration
Replies: 1
Views: 351

Re: mAP Lite cap configuration

In short: no.

What you want is called "wireless bridge", which transparently connects two wired "islands" into a homogenous network. Wireless standard (802.11) doesn't allow for enough transparency, you can read more about the reasons and possible work-arounds in this article.
by mkx
Tue Jun 22, 2021 8:17 am
Forum: RouterBOARD hardware
Topic: CCR2004 real routing performance?
Replies: 3
Views: 1025

Re: CCR2004 real routing performance?

Official test results have many numbers in the table, ranging anything between 600 Mbps and 40 Gbps. Which means that routing performance very much depends on particular configuration. It's hard to tell how much LACP hits performance unless one performs two tests with LACP being the only difference...
by mkx
Tue Jun 22, 2021 8:06 am
Forum: General
Topic: VLANs and address assignment
Replies: 8
Views: 522

Re: VLANs and address assignment

I'm not avoiding the question, I'm just trying to stay on topic. And you're extrapolating too much for your own good ;-) . But anyway: a. ether1 attached as a bridge port to a bridge c. can separately assign an IP address to the interface and host a subnet on the ether1 port all separate from the b...
by mkx
Mon Jun 21, 2021 11:09 pm
Forum: General
Topic: VLANs and address assignment
Replies: 8
Views: 522

Re: VLANs and address assignment

So where in original post does @Cablenut9 mention a bridge? Let's read together:

If I have some interface, like ether1, and a bunch of VLAN interfaces on it, like vlan2 and vlan3, does ether1's IP address "carry over" to the VLANs?

Nope, still no bridge ...
by mkx
Mon Jun 21, 2021 8:36 pm
Forum: General
Topic: VLANs and address assignment
Replies: 8
Views: 522

Re: VLANs and address assignment

If I have some interface, like ether1, and a bunch of VLAN interfaces on it, like vlan2 and vlan3, does ether1's IP address "carry over" to the VLANs?

No, IP address is bound to interface. In your case ether1 is interface for untagged frames passing ether1 port. For VLAN interfaces ethe...
by mkx
Mon Jun 21, 2021 11:32 am
Forum: RouterBOARD hardware
Topic: RB3011 keeps rebooting when ethernet 1 is connected to gigabit capable device
Replies: 8
Views: 1481

Re: RB3011 keeps rebooting when ethernet 1 is connected to gigabit capable device

Did you try with different power adapter? Marginal (almost but not entirely failed) power adapter could supply some power but not enough. And ethernet port running at higher speed draws a little more power which might push power adapter over its limit ... at that point PA might drop the voltage belo...
by mkx
Sun Jun 20, 2021 10:10 pm
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 15
Views: 1099

Re: CAPsMAN on layer2 + vlans

It is just an arbitrary decision of the CAPsMAN package to do this in the wireless driver.

Actually it's not an arbitrary decision ... up till ROS version 6.41 bridge was not VLAN aware, hardware (or low level drivers) had to deal with VLAN tagging/untagging/filtering.
by mkx
Sun Jun 20, 2021 12:39 pm
Forum: General
Topic: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]
Replies: 9
Views: 756

Re: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]

I don't think you can reduce number of firewall rules in input chain.
by mkx
Sun Jun 20, 2021 9:42 am
Forum: General
Topic: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]
Replies: 9
Views: 756

Re: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]

Indeed one has to filter access to router from certain subnets. But as I wrote the filter has to cover all router's interfaces, not only the "native" one ... and in this case the approach of "ultimate drop all rule" comes handy. This means that input chain contains a few rules al...
by mkx
Sun Jun 20, 2021 12:15 am
Forum: Beginner Basics
Topic: Slow navigation/browsing speeds [SOLVED]
Replies: 15
Views: 1299

Re: Slow navigation/browsing speeds [SOLVED]

For sure you don't want to see any of "ether1 link down" messages ... I don't know what has to be done to stabilise the ethernet link. And you can try to set /interface detect-internet set detect-interface-list=none . While in theory functionality of detect internet should be fine in pract...
by mkx
Sat Jun 19, 2021 10:24 pm
Forum: General
Topic: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]
Replies: 9
Views: 756

Re: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]

a. seems this way
b. my limited experience says yes
c. as I wrote: ROS basically treats all packets (connections) targeting any of its IP interfaces the same way. The only difference that might show is due to different firewall rules (both raw and filter). This is pretty clear even from default fire...
by mkx
Sat Jun 19, 2021 10:15 pm
Forum: Beginner Basics
Topic: Initial Internet configuration ( via SFP port)
Replies: 22
Views: 1120

Re: Initial Internet configuration ( via SFP port)

Actually, I'm thinking whether the ip-scan tool is showing everything that ever got an IP while the Leases menu shows only the active ones?

IP scan tool is supposed to probe (ping or something) some address range and only display active devices. Doesn't matter how those devices obtained their IP ad...
by mkx
Sat Jun 19, 2021 1:52 pm
Forum: General
Topic: Home IoT Vlan setup
Replies: 18
Views: 1075

Re: Home IoT Vlan setup

This is not exported configuration, this might be something you pushed into device which already had some config. So do what @anav asked to do ... execute /export hide-sensitive and post output.
by mkx
Sat Jun 19, 2021 1:49 pm
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 15
Views: 1099

Re: CAPsMAN on layer2 + vlans

The bridge does the tagging/untagging for every interface in the vlan table - or so I thought.

The bridge does tagging/untagging for ports which are untagged members of VLANs. Bridge does nothing on trunk ports (ports that are tagged members of VLANs). With wlan interfaces they can either be tagged ...
by mkx
Sat Jun 19, 2021 1:32 pm
Forum: General
Topic: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]
Replies: 9
Views: 756

Re: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]

ROS treats every own address (i.e. addresses configured as router's own regardless the interface or subnet) pretty much the same way ... and they're all treated in chain=input (unless connection is DST-NATed). If you want to block connections to "the wrong router's address" (e.g. ping from...
by mkx
Sat Jun 19, 2021 1:24 pm
Forum: Beginner Basics
Topic: Slow navigation/browsing speeds [SOLVED]
Replies: 15
Views: 1299

Re: Slow navigation/browsing speeds [SOLVED]

You went into some quite advanced configuration because you wanted some QoS ... but if that isn't done quite right, it might actually make things worse. I'd try to introduce RB to your network with configurations as default as it gets. If it will behave more or less nicely, then you'll know it's the ...
by mkx
Sat Jun 19, 2021 1:08 pm
Forum: Beginner Basics
Topic: Initial Internet configuration ( via SFP port)
Replies: 22
Views: 1120

Re: Initial Internet configuration ( via SFP port)

There are plenty of devices whose MAC addresses start with cc:50:e3 and which aren't on the DHCP lease list ... that MAC address range belongs to Espressif Inc, seems like they produce smart home gadgets. How these devices obtained their IP addresses is beyond my imagination. One reason might be tha...
by mkx
Fri Jun 18, 2021 11:32 pm
Forum: General
Topic: mikrotik redirect based on domain to internal ip [SOLVED]
Replies: 6
Views: 633

Re: mikrotik redirect based on domain to internal ip [SOLVED]

but it seems I should use reverse proxy and the included reverse proxy of mikrotik cannot do this

That's because ROS includes normal proxy, not reverse proxy. While they might both seem similar they operate differently.
by mkx
Fri Jun 18, 2021 11:11 am
Forum: General
Topic: Cant Open Ports
Replies: 9
Views: 553

Re: Cant Open Ports

First verify that internal server is actually accepting connections on TCP port 25. Then you can enable LOG flag, try remote connection and see if log contains anything. One thing you should be aware: some ISPs block port 25 (SMTP) towards clients because SMTP protocol is often used for malicious ac...
by mkx
Fri Jun 18, 2021 11:03 am
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 15
Views: 1099

Re: CAPsMAN on layer2 + vlans

The wlan1, wlan2, wlan24, wlan25 devices are added under the correct vlan id, but they are added as tagged ports. I would like them to be untagged. (Otherwise dumb WiFi clients won't be able to connect.)

That's correct and won't cause any problem ... wlan interfaces are tagged from bridge point of ...
by mkx
Thu Jun 17, 2021 11:33 pm
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 15
Views: 1099

Re: CAPsMAN on layer2 + vlans

As @biomesh wrote, the trick is to set discovery interface to some vlan interface. For example, I have VLAN 42 intended for usual LAN traffic and I allow CAP to CAPsMAN communication via that VLAN. So on CAP device I have the following:

/interface bridge
add name=bridge vlan-filtering=yes
/interface...
by mkx
Thu Jun 17, 2021 9:22 am
Forum: Beginner Basics
Topic: Coping with slow download speeds on my home LAN
Replies: 8
Views: 666

Re: Coping with slow download speeds on my home LAN

Did you try speedtest by connecting PC instead of netgear AP? The goal is to narrow down possible problems. If speedtest without netgear in the way shows decent speeds, this would indicate either problem with netgear itself or some interaction problem between netgear and mikrotik. If speedtest is sti...
by mkx
Wed Jun 16, 2021 10:14 pm
Forum: General
Topic: 1:1 NAT DDoS protection?
Replies: 7
Views: 538

Re: 1:1 NAT DDoS protection?

Right.
by mkx
Wed Jun 16, 2021 8:26 pm
Forum: General
Topic: 1:1 NAT DDoS protection?
Replies: 7
Views: 538

Re: 1:1 NAT DDoS protection?

Also, it's to help hide the real IP so it can't be targeted directly.

What good does it make? If NAT device performs 1:1, then every single packet, destined to "fake" IP will reach "real" IP. Just as there wasn't NAT, only with a hop more. NAT, combined with firewall, is differe...
by mkx
Wed Jun 16, 2021 7:34 pm
Forum: General
Topic: 1:1 NAT DDoS protection?
Replies: 7
Views: 538

Re: 1:1 NAT DDoS protection?

Device simply performing NAT (any kind) does not recognize malicious packet and thus passes such packet along with all others. Hence a 1:1 NAT can not protect you from DDoS ...
Only stateful firewall or DPI can make that distinction and protect devices behind.
by mkx
Wed Jun 16, 2021 6:58 pm
Forum: Beginner Basics
Topic: VLAN setting [SOLVED]
Replies: 1
Views: 622

Re: VLAN setting [SOLVED]

Here's great tutorial about how to configure VLANs. When you think you're done, post config of both router and switch. From which stable id AP? I presume it's not Mikrotik.
by mkx
Wed Jun 16, 2021 6:54 pm
Forum: Beginner Basics
Topic: Coping with slow download speeds on my home LAN
Replies: 8
Views: 666

Re: Coping with slow download speeds on my home LAN

Just one more check: is netgear AP acting only as switch/AP and clients, connected to it, receive IP addresses from mikrotik LAN address space? And when you ran tests, you connected PC with UTP cable and netgear acted as a switch? If you connect PC to the wire otherwise used to connect netgear, do y...
by mkx
Wed Jun 16, 2021 1:59 pm
Forum: Beginner Basics
Topic: Coping with slow download speeds on my home LAN
Replies: 8
Views: 666

Re: Coping with slow download speeds on my home LAN

A few errors in your configuration:

/ip address
add address=192.168.2.1/24 interface=ether4 network=192.168.2.0
add address=192.168.3.1/24 interface=ether4 network=192.168.3.0

If you really need these two subnets, then you really should set addresses on bridge and not on member port (ether4).

/ip fi...
by mkx
Wed Jun 16, 2021 8:11 am
Forum: General
Topic: hap ac3 bandwidth test to 127.0.0.1 TCP both direction utilises only 85% of CPU [SOLVED]
Replies: 8
Views: 963

Re: hap ac3 bandwidth test to 127.0.0.1 TCP both direction utilises only 85% of CPU [SOLVED]

What does profile of CPU usage (execute /tool profile cpu=all) show? Are all CPUs loaded equally? I'd expect some CPU cores to be (almost) idle while others loaded 100%. The reason is that ROS is handling TCP connections by using same CPU core for all packets (reason is keeping packets in-order, IP...
by mkx
Wed Jun 16, 2021 8:05 am
Forum: Beginner Basics
Topic: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance
Replies: 13
Views: 1093

Re: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance

I'm not sure about antibodies, but I'm sure I'm allergic ... to dummies :-P
by mkx
Tue Jun 15, 2021 10:45 pm
Forum: RouterBOARD hardware
Topic: SFP module is extremely hot
Replies: 48
Views: 26072

Re: SFP module is extremely hot

If you want to keep SFP temperature down and use 10Gbps links, then go with normal fibre SFPs and fibre patch cords. Fibre SFPs consume much less power and consequentially produce much less heat. Fibre patch cords tend to be less bulky than CAT7 cables or DAC cables which is good as it's easier to o...
by mkx
Tue Jun 15, 2021 10:32 pm
Forum: General
Topic: RouterBOARD 750G
Replies: 1
Views: 310

Re: RouterBOARD 750G

Product brochure states that 750g can route "up to 580Mbps throughput with larger packets, and up to 91500pps with small packets". The text doesn't go into specifics about what kind of traffic that would be, I'd assume they are absolute maximum numbers possible. If you compare it to test re...
by mkx
Tue Jun 15, 2021 8:22 pm
Forum: Beginner Basics
Topic: Setting Up small home network with MikroTik hEX RB750Gr3
Replies: 20
Views: 1676

Re: Setting Up small home network with MikroTik hEX RB750Gr3

@zedoxx: what I'd do is the following:

1. reset to default config
2. use quickset to configure WAN ... PPPoE
3. go into "normal" GUI and never ever go back to quickset unless you repeat config from step #1
4. remove ether5 from bridge
5. add IP address to ether5. Configure additional address pool and DH...
by mkx
Tue Jun 15, 2021 6:31 pm
Forum: Beginner Basics
Topic: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance
Replies: 13
Views: 1093

Re: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance

second covid dose

Which one, Pfizer? I opted for Biontech and had only minor (next to none) side effects. It's been almost 3 weeks since second shot and I'm almost certified to resume normal life ;-)
by mkx
Tue Jun 15, 2021 8:41 am
Forum: RouterBOARD hardware
Topic: Battery driven RB get bricked
Replies: 6
Views: 1219

Re: Battery driven RB get bricked

IMO whenever one runs some device off a battery, it's good thing to install under-voltage cut-off device. Not to protect powered device but to protect battery itself. None of battery chemistries (lead-acid, nickel, lithium) like being completely depleted and one has to protect them from gettin...
by mkx
Tue Jun 15, 2021 8:23 am
Forum: General
Topic: Howto use HAP AC2 as switch+AP on vlan(s)
Replies: 8
Views: 578

Re: Howto use HAP AC2 as switch+AP on vlan(s)

Bridge is the only port member of these VLANs. At least for VLAN 99 you should add ether1 as tagged port or else you'll almost definitely lose management access.

Nope, there is a vlan interface that is added to the bridge, vlan 99, with static IP 192.168.19.252. I was managing the router through th...
by mkx
Tue Jun 15, 2021 8:05 am
Forum: Beginner Basics
Topic: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance
Replies: 13
Views: 1093

Re: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance

Isn't buying lottery ticket a prerequisite for winning the lottery? Are you doing anything about it? Or you rather spend the dime on Canadian rye? ;-)
by mkx
Mon Jun 14, 2021 11:16 pm
Forum: General
Topic: Howto use HAP AC2 as switch+AP on vlan(s)
Replies: 8
Views: 578

Re: Howto use HAP AC2 as switch+AP on vlan(s)

My dear @anav, as always you're one step ahead of me ... you already forgot you're forgetting things :-P
by mkx
Mon Jun 14, 2021 11:12 pm
Forum: Beginner Basics
Topic: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance
Replies: 13
Views: 1093

Re: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance

I am itching to try a newer wifi6 620 or 660 at some point.

Oh please ... stop whining and do it already. And don't forget to throw your beloved 245's in my direction real hard.
by mkx
Mon Jun 14, 2021 10:55 pm
Forum: General
Topic: Howto use HAP AC2 as switch+AP on vlan(s)
Replies: 8
Views: 578

Re: Howto use HAP AC2 as switch+AP on vlan(s)

Access ports won't work until you enable vlan-filtering on bridge. Without that bridge does not add VLAN tag on ingress as per pvid settings nor does it strip VLAN tags on egress as per untagged vlan membership. So: take a deep breath, enable safe mode and enable vlan-filtering on bridge. If your m...
by mkx
Mon Jun 14, 2021 10:47 pm
Forum: Beginner Basics
Topic: Initial Internet configuration ( via SFP port)
Replies: 22
Views: 1120

Re: Initial Internet configuration ( via SFP port)

Btw I'm paying to have a static IPv4 and to not be anymore under their CGNAT

That doesn't mean you should not allow automatic IP address acquisition. Depends how your ISP delivers internet, but they should instruct you what to do. I don't think you can actually statically set IP address when using ...
by mkx
Mon Jun 14, 2021 10:32 pm
Forum: Wireless Networking
Topic: Dual VS Triple Chain and 80Mhz
Replies: 1
Views: 627

Re: Dual VS Triple Chain and 80Mhz

Number of used chains is only indirectly connected to number of channels ... the property which links them is Tx power. In most countries regulations limit radiated power (EIRP) and that power is then divided between chains (triple chain transmitter can spend 1/3 of power for each chain while dual c...
by mkx
Mon Jun 14, 2021 8:01 pm
Forum: Beginner Basics
Topic: RB960PSG max POE output
Replies: 5
Views: 467

Re: RB960PSG max POE output

I can reach the maximum with 48POW

No, you can't. You want 4x450mA=1800mA peak power, while 48POW is rated at 1460mA which makes it short by one PoE device (if you consider RB960PGS own consumption as well). Either use an even higher-power power adapter or go with some other PoE switch. Or use dual...
by mkx
Mon Jun 14, 2021 6:53 pm
Forum: General
Topic: Stacked VLAN bridges and interfaces
Replies: 1
Views: 314

Re: Stacked VLAN bridges and interfaces

One of ways to achieve QinQ in ROS is to use multiple bridges in layered manner. Probably that's not the only way ... In your case you'd use one layer since you only have one interface carrying QinQ traffic. So what you can do is: create number of VLAN interfaces, one per remote location. All anchor...
by mkx
Mon Jun 14, 2021 6:19 pm
Forum: General
Topic: Next-hop and NAT
Replies: 4
Views: 393

Re: Next-hop and NAT

If you follow your initial thought, you would easily run into some routing triangle problems. They would not necessarily cause any problems initially, but could cause issues that would be hard to track. If you'd follow my suggestion, then mikrotik would just route, nothing more (no firewall no NAT)....
by mkx
Mon Jun 14, 2021 8:45 am
Forum: RouterBOARD hardware
Topic: Fans on MikroTik Cloud Router Switch 354-48G-4S+2Q+RM - volume level?
Replies: 17
Views: 1486

Re: Fans on MikroTik Cloud Router Switch 354-48G-4S+2Q+RM - volume level?

Personally I don't have any CRS354 ... but since it's actively cooled and given the diameter (and RPM) of those fans I guess I wouldn't like to have that beast anywhere near my bed nor living room sofa (nor normal office working space). And I guess closing it in some sealed mini rack would work agai...
by mkx
Mon Jun 14, 2021 8:36 am
Forum: General
Topic: Next-hop and NAT
Replies: 4
Views: 393

Re: Next-hop and NAT

If you don't need any filtering of traffic between different subnets (which would require firewall rules), then you don't need 4 VLANs on the connection between mikrotik and fortigate. Instead you should use fifth subnet for that connection. It can have longer subnet mask if you wish, e.g. 192.168.5...
by mkx
Sun Jun 13, 2021 4:53 pm
Forum: RouterBOARD hardware
Topic: Fans on MikroTik Cloud Router Switch 354-48G-4S+2Q+RM - volume level?
Replies: 17
Views: 1486

Re: Fans on MikroTik Cloud Router Switch 354-48G-4S+2Q+RM - volume level?

BTW is not ROS overkill on a Switch?

It probably is. But some people adore CLI for management and SNMP for supervision.
by mkx
Sat Jun 12, 2021 2:02 pm
Forum: General
Topic: CRS328 - can't ping device, packet sniffer shows no ICMP packets
Replies: 3
Views: 347

Re: CRS328 - can't ping device, packet sniffer shows no ICMP packets

To use packet sniffer on CRS you need to disable HW offload for the port of interest. Otherwise I don't see anything wrong with config. In some rare cases some devices misbehaved even though config seemed right. Some cleansing action was needed, you might want to try one of these (you can try all fr...
by mkx
Sat Jun 12, 2021 11:03 am
Forum: General
Topic: Port Forwarding Problem [SOLVED]
Replies: 16
Views: 1055

Re: Port Forwarding Problem [SOLVED]

You need hairpin nat.
by mkx
Sat Jun 12, 2021 10:59 am
Forum: General
Topic: dhcp on vlan trunk not working
Replies: 15
Views: 784

Re: dhcp on vlan trunk not working

why would anybody want to tag all packets on a trunk port, except for a very specific one?

On trunk port one would not tag/untag any of packets and would thus configure such port with frame-types=admit-only-vlan-tagged ingress-filtering=yes (when using bridge vlan filtering and appropriate setting ...
by mkx
Fri Jun 11, 2021 10:22 pm
Forum: General
Topic: Route reachable but timeout??
Replies: 7
Views: 688

Re: Route reachable but timeout??

Torch is one of tools that can help you. And no, counter increasing in one direction doesn't mean the port is not damaged.
by mkx
Fri Jun 11, 2021 10:16 pm
Forum: General
Topic: Firewall rules to secure CHR
Replies: 4
Views: 554

Re: Firewall rules to secure CHR

Something like that. If you need to add some accept rules later, push them just below the "drop invalid" rules and above the new "drop all" ones. I wouldn't log all hits of "drop all rules", there might be many entries due to bots scanning the network. A missing accept ...
by mkx
Fri Jun 11, 2021 4:10 pm
Forum: Beginner Basics
Topic: Preserve client IP when dst-nat to other server
Replies: 25
Views: 1038

Re: Preserve client IP when dst-nat to other server

By referring to "another subnet for NTP server" I was thinking of this LAN setup:

                      --> LAN (10.0.0.0/16 or whatever the subnet mask)
                     /
                    |
internet <--> router
                    |
                     \
                      --> "NTP lan" (NTP server with IP address e.g. 10.254.254.2/24 or any other IP address outside LAN subnet mask)

The bes...
by mkx
Fri Jun 11, 2021 9:15 am
Forum: General
Topic: Route reachable but timeout??
Replies: 7
Views: 688

Re: Route reachable but timeout??

And the strange thing, it can run if I switch the function from ether 2 to ether 5.

If that's the case then you might want to thoroughly check potential differences in configuration of those two ports. Next thing would be doing some elaborate tests to try to pinpoint the device where stuff breaks. ...
by mkx
Fri Jun 11, 2021 8:41 am
Forum: General
Topic: Route reachable but timeout??
Replies: 7
Views: 688

Re: Route reachable but timeout??

Sorry, crystal ball is defunct currently. What I want to write: it's impossible to tell why something stopped working while nothing supposedly changed. In this case it's only possible to find the reason by extensively debugging the whole setup. And you're the only one able to do it.
by mkx
Fri Jun 11, 2021 8:30 am
Forum: Beginner Basics
Topic: Winbox 64 bits ?
Replies: 3
Views: 528

Re: Winbox 64 bits ?

Probably a stupid question... but what's the point of a 64bits Winbox ? what use case / config would require it ?

Even though the name of tool is win box which implies it's a tool running in windows (and that's even true) that doesn't mean it can't be run in other environments. Such as under wine i...
by mkx
Fri Jun 11, 2021 8:18 am
Forum: Beginner Basics
Topic: Preserve client IP when dst-nat to other server
Replies: 25
Views: 1038

Re: Preserve client IP when dst-nat to other server

@rextended: I'll just ignore your last post, it's quite off topic already. The post is directed at me (concrete examples of "right" choices) and I think I can master my own subnet of NTP servers just fine (I've been running public NTP servers for the last 25 years). You don't know the reas...
by mkx
Thu Jun 10, 2021 10:20 pm
Forum: Beginner Basics
Topic: Preserve client IP when dst-nat to other server
Replies: 25
Views: 1038

Re: Preserve client IP when dst-nat to other server

You're right ... as long as it works, we don't need any logs, debugging information or any other nonsense. But sometimes it doesn't work ... and then we need all the noise we can get ... and if there's no noise to filter, we're in trouble.
by mkx
Thu Jun 10, 2021 9:51 pm
Forum: Beginner Basics
Topic: Preserve client IP when dst-nat to other server
Replies: 25
Views: 1038

Re: Preserve client IP when dst-nat to other server

observability of NTP server in ROS

I do not understand how traduce that on Italian but...

I'm talking about ....

[user@MTrouter] > /system ntp client print
enabled: yes
mode: unicast
primary-ntp: 192.168.42.10
secondary-ntp: 2001:1470:8000::92
dynamic-servers:
status: synchronized

versus

user@192.1...
by mkx
Thu Jun 10, 2021 8:13 pm
Forum: RouterOS v7 BETA
Topic: Driver bug on 7.1b6 and rtl8153b ethernet chipset
Replies: 2
Views: 754

Re: Driver bug on 7.1b6 and rtl8153b ethernet chipset

You can download previous versions if you hand-craft download links similar to the current one. For example: download link for x86 7.1beta6 Extra packages is h ttps://download.mikrotik.com/routeros/7.1beta6/all_packages-x86-7.1beta6.zip If you change it to h ttps://download.mikrotik.com/routeros...
by mkx
Thu Jun 10, 2021 7:59 pm
Forum: Wireless Networking
Topic: CAPSman Controller device
Replies: 7
Views: 1016

Re: CAPSman Controller device

I'd be careful about running CAPs manager off site. If CAP devices lose connectivity towards manager (can be even a very short period of time) they shut down their radios.
by mkx
Thu Jun 10, 2021 7:54 pm
Forum: General
Topic: How get access in to vlan from mikrotik bridge mode with tagged port?
Replies: 12
Views: 530

Re: How get access in to vlan from mikrotik bridge mode with tagged port?

OK, since you're not going to describe your environment here's my last post in this thread. Here's a great tutorial on how VLANs are done in mikrotik. Won't help you if your actual LAN layout is as is on your drawing (i.e. your mikrotik completely outside of VLAN 20 area) though.
by mkx
Thu Jun 10, 2021 7:42 pm
Forum: General
Topic: How get access in to vlan from mikrotik bridge mode with tagged port?
Replies: 12
Views: 530

Re: How get access in to vlan from mikrotik bridge mode with tagged port?

Network ... It's simple and flat, it's a local area network with one router 10.10.0.1.

Since we're discussing VLANs here and those are L2 (or L2.5 if you want), it still isn't simple and flat. For sure there are managed switches with configuration regarding VLANs (port membership etc.) which have m...
by mkx
Thu Jun 10, 2021 7:32 pm
Forum: Beginner Basics
Topic: locking band R11e-LTE6 [SOLVED]
Replies: 6
Views: 804

Re: locking band R11e-LTE6 [SOLVED]

If modem drops off network when you lock it to some cell, then don't do it. If your favourite MNO does at least half decent job with optimisation of their LTE network then there are very few reasons to lock to some cell instead of letting network do its job.
by mkx
Thu Jun 10, 2021 7:28 pm
Forum: Beginner Basics
Topic: Preserve client IP when dst-nat to other server
Replies: 25
Views: 1038

Re: Preserve client IP when dst-nat to other server

Not sure what you mean by own NTP server?

A raspberry pi, running NTP service ... or something like that. Or even own atomic clock, why not? After all, observability of NTP server in ROS is nil, but some of us do care about proper functioning of services.
by mkx
Thu Jun 10, 2021 6:50 pm
Forum: Beginner Basics
Topic: Preserve client IP when dst-nat to other server
Replies: 25
Views: 1038

Re: Preserve client IP when dst-nat to other server

When you're doing dst-nat to server (10.0.0.100) which is in the same subnet as original client (10.0.0.10), then it is essential to perform src-nat as well (without it, server would reply to client directly and client would reject replies because they would be coming back from IP address it did not...
by mkx
Thu Jun 10, 2021 6:40 pm
Forum: General
Topic: dhcp on vlan trunk not working
Replies: 15
Views: 784

Re: dhcp on vlan trunk not working

Your setup of VLAN ports and interfaces is hosed ... suggest you to read this nice tutorial to see where you failed.
by mkx
Thu Jun 10, 2021 6:37 pm
Forum: General
Topic: How get access in to vlan from mikrotik bridge mode with tagged port?
Replies: 12
Views: 530

Re: How get access in to vlan from mikrotik bridge mode with tagged port?

Mikrotik is fully capable of working with VLANs. But it has to be configured properly and attached to a port in the network which allows access to VLAN 200.

But again, you don't provide usable network information so you don't get usable advice.
by mkx
Thu Jun 10, 2021 6:33 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta6 [development] is released!
Replies: 334
Views: 44521

Re: v7.1beta6 [development] is released!

If you read what @raimondsp wrote it's clear that it's constraint in current L3 HW offload implementation. Not the configuration (because it's not something user can change) nor attached devices. CRS can take jumbo frames, but they will pass CPU which offers severely low throughput ... which is wha...
by mkx
Thu Jun 10, 2021 6:30 pm
Forum: General
Topic: How get access in to vlan from mikrotik bridge mode with tagged port?
Replies: 12
Views: 530

Re: How get access in to vlan from mikrotik bridge mode with tagged port?

VLAN with different ID is just like different physical network ... to reach it, one needs router which connects to both sides. Your diagram does not show any such border device, it only shows a device sitting inside VLAN 20. If border device is properly configured, you can't just add VLAN tags to fr...
by mkx
Thu Jun 10, 2021 6:17 pm
Forum: General
Topic: Firewall rules to secure CHR
Replies: 4
Views: 554

Re: Firewall rules to secure CHR

A pretty safe approach when constructing firewall rules is to have ultimate rule in both input and forward chain which drops everything not accepted by previous rules. Your setup only drops invalid packets which doesn't really protect your router (or network behind that router). Remember: implicit la...
by mkx
Thu Jun 10, 2021 6:05 pm
Forum: RouterOS v7 BETA
Topic: OSPF routing syntax
Replies: 10
Views: 1289

Re: OSPF routing syntax

New filtering rule syntax will be introduced in the next beta. Or, to be precise, v7.1Beta7 will be released when the new syntax is ready.
Ok thank you, can you tell an approximative date for the Beta7 ?

Which part of post by @raimondsp is not clear?
by mkx
Thu Jun 10, 2021 8:06 am
Forum: Beginner Basics
Topic: Router Firewall
Replies: 1
Views: 413

Re: Router Firewall

Screenshot doesn't show everything, next time create text export by executing command /export hide-sensitive file=anynameyouwish from terminal window. Open resulting file in text editor, copy-paste contents ... With firewall filter rules everything (except chain and action) is optional, specifying m...