MikroTik

mkx

In principle you don't want to set bridge port as tagged member of a VLAN if you don't intend CPU to interact with that VLAN over that bridge. [...] So I'm eager to hear use case for such setup. Huh? That's just not true. .... Let's take a very simple example: a guest WiFi network in a small office...

mkx

Depending on amount of other tasks that hAP ac2 has to perform, loosing bridge HW offload may not cause loss of wirespeed (on wired ports). Quite a while ago (I guess it was in 6.47 times) I did some tests and found out that hAP ac2 was able to bridge two ethernet ports at wirespeed with HW offload ...

mkx

So it works as expected and is maxing out your 1Gbps link as the CrystalDiskMark is represented in MB/s vs Mbps which is a good thing ... and it's a black magic (pun intended) as to why it only works at half speed when SMB client is MAC device. Personally I wouldn't consider 50MB/s (give or take) &...

mkx

What I take this changelog entry to mean is, on 7.16 or newer, if you create an /interface/vlan interface with a bridge as the parent interface, it will simply also add your bridge as a tagged member under /interface/bridge/vlan of whatever VLAN-ID you set in your vlanX interface. Sounds like a nic...

mkx

I've got CAPsMAN running in x86_64 hardware. Here, I've got 4 cAP ax devices connected. It's currently in 7.12.1 environment. In CAPsMAN, I've got 3 packages installed. 1. routeros 2. user-manager 3. wifiwave2 When I click "Download&Install" button, I get below error. wifi-qcom-ac-7.1...

mkx

Since 7.16 we have this: *) bridge - added dynamic tagged entry when VLAN interface is created on vlan-filtering bridge; That removes the risk of forgetting to add the bridge CPU port to the "tagged" list of VLANs (which in older versions means no L3 access to the router through those VLA...

mkx

is capsman known to interfere with bridges/vlans? If that's a problem I'm happy to remove it. It's not. WiFi only attaches to bridge (on CAP device), when it comes to VLANs there might be a complication if CAP is running wifi-qcom -ac driver. Running CAPsMAN definitely doesn't affect the way wired ...

mkx

Presence of LTE modem has nothing to do with WiFi Tx power. But I'll be damned: I went to check reg-info for Australia on different wifi devices, all running ROS 7.18.2. As I already mentioned, on Audience regulatory limit is set at 20dBm. But when checking on wAP ax I was mighty surprised, there re...

mkx

Any reason to choose 1 over the other?

If nothing else helps, ask your personal numerologist

List of features of used switch chips is more or less the same, so it really is the dilemma between 8 extra ports and 8 PoE++ ports.

mkx

Do not forget that WiFi is a two-way protocol, so actual speed also depends on client device's capabilities ... Indeed. Device's Tx power can limit upload speeds, but I guess this is not a huge issue (until the asymmetry is not too big) because most wireless stations use data in asymmetrical manner...

mkx

Actual transmitted power depends on: chipset capability (e.g. hAP ax lite can do up to 22dBm, but it gets reduced with higher interface speeds - more complex modulation schemes require tighter power control and seems that most WiFi chips are not capable of doing it at highest Tx power, hence Tx powe...

mkx

I am very interested to understand why we use the term "personality." You can call them "functionality" if you wish. But, as already mentioned, term "bridge" is overloaded with (actually) 3 distinct features with only vague connection (but they are strongly connected)....

mkx

On my Audience, running 7.18.2, country regulatory limit for 2.4GHz band (which is all what hAP ax lite has) for Australia is the same as for Italy (and the rest of ETSI countries) ... which is 20dBm EIRP. Alas, Brazil has limit at 30dBm ... making Copacabana my place of choice for 2.4GHz band.

mkx

As a bonus, many of them do not differentiate vlan 1 tagged and untagged traffic correctly. Something like this: /interface/bridge add name=bridge vlan-filtering=yes frame-types=admit-all pvid=1 /interface/bridge/port add bridge=bridge interface=ether1 frame-types=admit-all pvid=1 add bridge=bridge...

mkx

1) ADD BRIDGE: "/interface/bridge add" creates a bridge with one or two roles (sometimes the word used is "personality"): (1) Switch-like and/or (2) bridge-between-CPU-and-switch (understood as #2 role when property includes "interface," "tagged," or "un...

mkx

But, if the (wireless or wired) smartTVs are on VLAN10, and wifi users are on VLAN20, then am I right that for those users to use an app on their smartphones then (1) inter-vlan routing is necessary, and (2) this inter-vlan routing must take place on the RB5009? Same question for printers. Routers ...

mkx

Perhaps someone from Mikrotik can comment on this officially?

Only if you open support ticket with Mikrotik ... e.g. by sending e-mail to support@mikrotik.com .

mkx

It's not quite correct, the second rule should be:

Right. Thanks for correcting me.

mkx

Agree with @sindy that point #1 might not be critical. But makes me think: is it possible that L7 matcher keeps collecting packets before breaking connection long enough for (web) server to log request from client ... but connection gets broken before the whole L7 interaction is finished? I'd guess ...

mkx

Though that did make me look again, and I'm going to take out these rules Blocking the whole of ICMP can cause troubles (like breaking PMTUD) ... ICMP is much more than "echo request" and "echo reply". And blocking "echo request" is "security through obscurity&quo...

mkx

Regarding the package file size on 16MB devices. Is there a current 'best practice' for this? I havn't actually had a significant problem until now but I could not load wifiwave2 drivers on any 16MB devices with latest firmware. Would start by uninstalling Wireless, but there's just not enough spac...

mkx

There are at least two reasons for L7 filters not to work as expected: filters only work on individual packets. If the matcher string is (inconveniently) broken into two successive packets, then matcher won't match that. It is unlikely that URL would exceed normal value of MTU (which is at or almost...

mkx

/ip firewall filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed" The idea is to drop all packets, which represent a new connection, in chain=forward, surviving rules so far, except f...

mkx

Per vlan you should have the bridge tagged as well I'm a bit confused on that part as I'm not quite sure what you mean. More direction would be greatly appreciated. In ROS bridge has multiple (more or less distinct) functions, one is CPU-facing bridge port and you have to configure it properly to a...

mkx

I've noticed majority of his devices are older and only use 2.4ghz :( He's getting around -60dBm to -70dBm . The basic idea of a "well performing WiFi repeater" is to use separate radios for serving local clients and for linking to upstream AP. It's easiest to run those radios in differen...

mkx

Imagine having a single button called “Check for updates” that would do all that for you. Crazy, huh? yes, indeed! A single button that checks for updates and lets you choose which version you wish you upgrade to would be super fab! Imagine that it already exists! With a gotcha: it doesn't read you...

mkx

wAP ac or wAP ax might in your case work a bit better because of mild directivity of built-in antennas. But that won't do miracles. In any case, go to your neighbours and measure signal if your current AP at the spot where you'd place the WiFi repeater. Whatever you'll see, it'll be the base line an...

mkx

They're about 250 feet away with minimal obstructions between our properties. This is very far (even without any obstructions in between) for usual APs with omnidirectional antennas, intended to cover full circke around APs with radius of around 10m/30ft. You want to build point-to-point (PtP) link...

mkx

Let a router be a router, let an access point be an access point.

Don't tell me ... you'd also add "let a NAS be a NAS, let a switch be a switch"?

mkx

and my current setup is hotspot with ttl 1 so no one can share the wifi from thier phone...or tether.. my problem is i have a extra access point and setup to repeater through wireless mode. while i repeat the signal through wifi the repeater device cant provide internet cuz of the ttl set to 1. so ...

mkx

I am still hoping that someone from Mikrotik will chime in here and state that none of that is necessary and that the Netmetal is indeed designed to be weatherproof with the HGO antennas attached to the top. Even if they do it ... there are number of reports about problems with water ingress in ano...

mkx

I was not suspecting it could have such an influence on other ports and other settings. The chain of dependencies goes like this: L3MTU has to be lower than L2MTU with maximum possible size (L2MTU - additional L2 overhead). With plain ethernet, there's no additional L2 overhead and with standard IP...

mkx

Is it possible to set IP address instead of FQDN in remote property? The problem could be that logging is set-up before interfaces are enabled and thus resolving FQDN fails ... and that router doesn't re-try resolving it until configuration is re-done. BTW, it might help if you simply disabled/enabl...

mkx

I started it to (1) vent and (2) beg for help due to the massive cognitive-pain being caused by VLANs. You're asking questions ... and there are two ways of answering, each appropriate to two distinct goals of asking those questions: simple "yes" or "no" or perhaps a simple &quo...

mkx

I'm not sure about what you mean by "different switching capability"? If you look at test results (Switching -> Non blocking Layer 2 throughput) you can see that both devices do wire-speed switching except for small frames (64-byte) where they peak at certain rate of packets (PPS). AFAIK s...

mkx

But is the Netmetal okay using HGO antennas screwed to the SMA connectors at the top with the device located outdoors? Even if connectors on netmetal itself won't leak water into the case, I'd be wary of connector corrosion as well. And water ingress into connectors themselves. For long-term optima...

mkx

Also as an aside, there is absolutely no reason to set the MTU of your VLANs to 1496. Don't do that, either. The L2MTU of the ethernet interfaces can more than handle the additional 4 bytes for the VLAN tag / ethertype prefixed to each tagged frame. I am pretty sure, I did not manually set those MT...

mkx

Wi-Fi 7 (It says Quad-Band. Personally, no clue what that means) If one runs radio in, e.g. 80+80MHz (with frequency and slave-frequency properties properly set), then this counts as two bands. In 3GPP (mobile broadband, such as 4G or 5G, calls this "non-contiguous multi-carrier intra band CA)...

mkx

For this topic, where VLAN Filtering is the goal, Fast Forward's status is irrelevant, it would be inactive anyway. When omitted from /interface bridge the fast-forward value defaults to yes so adding fast-forward=no is at least prudent and sometimes necessary. As written in manual, for fast-forwar...

mkx

I think that for outdoor use it's recommended to use antennas with (short) jumper cables, which should be pretty flexible ... and use netmetal's cap again. Like this: https://www.linkshop.gr/images/thumbnails/460/460/detailed/3/MikroTik_Routerboard_NetMetal_5-5HPacD-NM-2.jpg (the blue wires on pictu...

mkx

In /ip/dhcp-server/network the address property should be set to network address and subnet mask. You're using 192.168.1.0/24 ... The point of this setting is to match DHCP lease address and add corresponding additional settings ... and is used when there are multiple subnets (or DHCP address pools)...

mkx

Is it possible that devices got slightly rotated on their mounting supports? E.g. wood swells/shrinks if humidity changes for longer period of time (during winter with low temperatures absolute humidity is low and wood dries). Or strong wind can move device, clamped to a pole .. either due to sheer ...

mkx

If CRS will be used as purely L2 device (VLAN-enabled switch), then SwOS is perfectly fine (if it runs without any problems that is). If you want to use any of L3 features, then you have to run ROS on it. Performance-wise, if configuration under ROS is correct, OS choice should not matter, in both c...

mkx

As soon as I select the CRS the ROS file is removed.

This sounds as mismatch in device architecture (the one reported by device to netinstall and the one of the npk file). CRS317-1G-16S+ is arm (the 32-bit one, not arm64).

mkx

Trying with another words: "/interface bridge vlan" defines egress (leaving) behavior ... what tagged= and untagged= means Ethernet frames, transmitted by (e.g.) RJ45 port over UTP cable, have certain structure. First come some low-level bits, then comes header, then comes payload and fram...

mkx

Generally IPv4 and IPv6 have independent paths across the globe. So sometimes paths will be same, sometimes one of them will be longer than the other. I don't think there's a systematic difference though. Regarding ping times: first of all, they are only indicative as devices usually process ICMP pa...

mkx

Owning a private vehicle, let along driving one, is a capital offense in NYC.

It sure is capital offense ... since NYC is capital of republic of NY ... ummm, what? No republic of NY and NYC is not a capital of anything? In what weird place do you live?

mkx

... I will to if needed ...

Unfortunately it is needed. And if you can't make config or installation slimer, then the problem will re-occur.

mkx

Regardless the instructions in my previous post: be prepared for failure. It cpuld well be that your RB951G reached the end of its flash disk life and if that is so, no amount of netinstalling will get it healthy again. I realky don't like the number of "total sector writes" being that low...

mkx

I guess that netinstall, being fragile, is best run on "bare metal" computer. Many forum users reported that linux (CLI) version is a bit less problematic. You can try booting your computer from a USB disk in "live demo" mode (or whatever it's called) and run netinstall from ther...

mkx

wifi-qcom-ac does support bridge configuration ... it's just not compatible with wireless' bridge mode. And no, wireless package support for radio hardware ends at AC-class devices. You can't install it on AX-class device such as L22UGS-5H AX D2H AX D. station-pseudobridge doesn't require any specia...

mkx

Well ... files section, by default, should contain a couple of directories at least (pub/ and skins/), yours is empty. It's hard to tell what's wrong. I'd go for netinstall.

mkx

When trying to upload files, are you logged in as user with admin rights? Can you change any other setting (e.g. disable WAN port)? If the answer to first question is yes and to second question no, then your router is "owned", hacked ... and you no longer have admin rights. The only way ou...

mkx

Which package do you have installed on SXTSQ 5 AC: wireless or wifi-qcom-ac? Your mANTBox ax 15s runs wifi-qcom and that one is not compatible with wireless when it comes to various *-bridge modes. OTOH, SXTSQ 5 AC has only 16MB flash which is pretty tight for routeros+wifi-qcom-ac when ROS is 7.18....

mkx

hAP ac2 without wireless or wifi-qcom-ac is not a reasonably expected use of that device. Normally you would buy a hEX for that use-case. Well, for 33% of price increase one gets 300% faster device (when comparing RBD52G and RB750Gr3) ... OK, with half of RAM, but mine is one of the early ones with...

mkx

The green, blue and red can be actually single bridge. The orange is a complication as @lurker wrote. To me it's moot as to why it's necessary to use two different VLANs from "the lower SwitchY" to CRS if they are eventually merged into same broadcast domain.

mkx

16 MB devices should not be used as routers any more. For me, hAP ac2 without wireless or wifi-qcom-ac works great as router. With around 2MB flash free. But with admittedly pretty simple config. So it's not "not as router" or "not as AP", rather it's "pretty barebone"...

mkx

I will but, one should not think that more slaps are better!!
https://www.youtube.com/watch?v=IhJQp-q ... xhcA%3D%3D

mkx

The circle with 3db smaller radius is a circle with half the radius, which is what I have drawn (there are two circles drawn over the image, one with Dia 1 and one with Dia 0.5). No, you drew circle with maximum gain (+7dBi) and circle with approx -12dBi (so 19dB difference in power which is factor...

mkx

Unfortunately I need to return the box to supplier since my set up needs multiple bridges. Do you care to elaborate the need? So far I can only think of a single case when more than one bridge would be needed (when VLANs are in use, two distinct subnets use same VID and switch admin doesn't have an...

mkx

That is to say, there appears to be a bug in the member ranking system.

Many of forum members had the same thought when @anav became Guru

mkx

Try applying the 0.5 circle on that pattern image, and you will see that (according to the half power definition) it is apparently an omnidirectional (which it isn't). The definition talks about "main lobe" ... and each antenna has exactly one main lobe, on your diagram the one pointing d...

mkx

I tend to agree with @tombs. I see MT stuff as a cross-over between serious stuff (e.g. cisco) and cheap home-rated stuff (e.g. Dlink), which takes good things from each of worlds. Do I use it at home? Yes, absolutely, and I'm happy with feature set and prices. Would I use it in corporate environmen...

mkx

@Josephny ask a good question - even if the "why" is immaterial under GPL Another benefit, is that tools like GitHub (or any static code analyzer) can be used to "double check" that the specific patches don't contain obvious vulnerabilities. Of course that only forks if vendor p...

mkx

Oh my ... So you need to fast-track DNS connections. Since normal clients will only connect DNS server when they need to resolve FQDN into IP address (and that's not even necessary for each connection, e.g web browsers tend to open multiple parallel connections towards the same server ... and perhap...

mkx

I would say that while interference from 120* extremely close neighbor antennas is typically not the problem It can be depending on geometry. Devices don't like "being shouted at" and two close APs operating on same frequency will be shouting at each other. APs, operating on diffetent fre...

mkx

It is debatable whether is 90° or more like 120*. Not really. By definition (see wikipedia article width/height of antenna beam is defined by width/height of main lobe, which is the angle at which radiated power drops to half of maximum (i.e. 3dB lower than max). And judging from the radiation patt...

mkx

You can recompile the kernel to update or load third-party software and hardware drivers. Don't forget that kernel features need to be configured and/or coupled with userland tools and services. Those are not bound by GPL covering kernel. So it would be extremely hard to replace kernel and still ha...

mkx

The default configuration has /interface/wifi/channel/add name=5GHz width=20/40/80/160mhz I doubt that default config would include bits not supported by hardware. Default config (you can always check it by running /system/default-configuration/print ) in my wAP ax has channel.band=5ghz-ax channel....

mkx

The rule you're mentioning is "rule of thumb". But it comes with disclaimer: actual performance very much depends on actual confuguration and it's possible that actual performance will be a lot higher than the rule of thumb estimation. I believe that MT considers hEX refresh a true gigabit...

mkx

Make sure that you'll be operating within frequencies allowed in your country. For example, in ETSI countries GSM/LTE/5G uses frequencies around the 900MHz WiFi (band 8: 880MHz – 915MHz and 925MHz – 960MHz) ... and you really don't want to interfere with mobile networks, you may receive a visit of o...

mkx

The product you're asking about (RDS) is not yet wildely available. So normal users don't have experience with it. And this forum is user-user forum, it's not official MT means of support or marketing. Which means that to get answers to your questions, you should contact MT support directly (e.g. vi...

mkx

... Wireless (that gets/got installed automatically and is updated together with RouterOS ?). That's a remnant of pre-7.13 setup where contents of modern "wireless" package were integral part of routeros package. Upgrader inside ROS is not particularly smart so it can't drtermine if some ...

mkx

2) The CLI really did not like "2g-probe-delay=yes" and I can't find the option in the GUI either. *shrug* You never posted full config ... with the initial "comment" lines ... so the actual ROS versions runing on your CAPsMAN and CAP are not known. The property 2g-probe-delay i...

mkx

Wireless clients always decide on their own when to abandon old BSSID. The benefit of having proper roaming set up on infrastructure side is a) clients get a list of "good roaming candidates" so they can measure other BSSIDs faster - no need to read SSID names on all supported WiFi channel...

mkx

I can only confirm that on my LHG 5ac the problem persists on 7.18.2: I'm not sure your post illustrates the persistence of the problem. The way things are supposed to work: print of routerboard settings will didpkay warning if CPU frequency is not set to default. And setting CPU frequency on ROS v...

mkx

I'd go with v6 ... some of later versions (6.49.x). If those wireless chipsets are supported by that ROS version, they should be most stable. I wouldn't expect too much of performance using 900MHz WiFi ... depending on country there's between 1MHz and 8MHz if bandwidth available (in some countries e...

mkx

QQ: is it safe to upgrade routerboard firmware to v7.18.2 in RB4011? In the past I've had stability issues and I've found that "firmware" 7.7 to be behaving okay. I don't see too many reports regarding instability of recent ROS/routerboard versions on RB4011 ... so your observations might...

mkx

Regarding HW offload: there are two places with similar setting ... bridge and individual ports. In case there are more bridges than switch chips or of port layout doesn't follow physical layout, then ROS will decide which bridge will be offloaded (and which won't). Sometimes such automatic decissio...

mkx

My guess: supporting H2 blows the ROS bundle out of 16MB flash.
This can be allocated as a separate option or package or made disabled by default with a warning that by enabling ...

Installed but disabled feature still occupies flash storage ... which is the only point of post by @infabo

mkx

How about starting support for HTTP2 ? Mind that whichever HTTP version is supported in ROS, it's only used for management (and proxy). It doesn't affect ability to route "unknown" protocols. So I have a question: what benefits does HTTP/2 have over HTTP/1.1 (with TLS1.3) in context of ma...

mkx

There are two distinct pieces of software in Routerboard devices: routerboot, referred as "firmware" ... in PC world this is like BIOS/UEFI /system/routerboard routerOS, referred as "software" ... in PC world this is like Windows or Linux /system/resources Up until around 6.45 ea...

mkx

Devices concieved in last 10 years have minimum ROS version set. I'm pretty sure RB4011 can't run anything older than around 6.40 (or a bit newer), anything older will almost definitely lack some drivers or even lack support for CPU architecture. I'm actually surprised that netinstall allowed you to...

mkx

Steering only works for radios, controlled by same entity. That can be two radios (on individual device with dual-band support) or many radios if controlled by CAPsMAN.

mkx

Just set IPIP tunnel's property mtu to 1500 ... it'll handle the necessary fragmentation and defragmentation (on the receiver side) just fine.

mkx

If one configures single bridge and VLANs span both switch chips ... then sure, CPU will work a bit to pass frames between both switch chips. Other than that this setup should not pose a bottleneck as both CPU-switch interconnects are 10Gbps (while each switch chip runs 8x 1Gbps port). So yes, sugge...

mkx

And I'd say that all multi-byte characters (UTF-8 or any other multi-byte encoding) are problematic as well. Guys do you have a comprehensive list about it? Regarding characters: just take the basic US ASCII characters ... and exclude the characters mentioned by @pe1chl ... and you should be safe. ...

mkx

Reselect might choose a different Control channel, still the same frequencies. Technically 80MHz channel on e.g. AX is one 20MHz "full featured" channel (marked with C in ROS) plus supplemental channels (adjacent, which side depends on actual channel layout; marked with e in ROS). And the...

mkx

In any system that involves things like scripting languages, web interfaces, etc I at least avoid these characters all the time: @ % " $ & # + < > (space) That never hurts even when it is not really necessary. And I'd say that all multi-byte characters (UTF-8 or any other multi-byte encodi...

mkx

I'm out of ideas ...

mkx

I guess it's time to clean up the CAPsMAN configuration ... all of it. I strongly recommend you to use profiles properly. And to set things explicitly instead of leaving them on defaults, ROS sometimes makes poor decisions if let on auto. E.g. /interface wifi channel add frequency=5500 name=5GHz-550...

mkx

For what it matters, the passwords I'm using there is very strong and come with a very special characters, so maybe the upgrade didn't appreciate some of those special characters ... It could be the issue between GUI and ROS regarding character coding. IIRC MT is doing some minor tweaks in this reg...

mkx

What would be the point of it? License levels 0-6 only apply to MT's own hardware and all of their hardware comes installed with license level at least 3 (most devices 5, some 4, some 6). x86 (bare metal) homelab mostly, but I realize that’s an edge case. Since ROS support for hardware is mediocre ...

mkx

That probably means that you have to set one IPv6 address from that prefix on your WAN interface. You're mentioning PPPoE, I'm not sure if you can set static IPv6 address on that interface, never tried. And then you'd have to set advertise=yes for that IPv6 address. I can see one problem (which migh...

mkx

My advice: Get your Chateau Pro into working state (reboot or whatever it tskes), take supout file as reference (when it works). Then wait for Chateau Pro to fail again. Create another supout file. Then restart wifi interfaces (to see the dreaded message) and create the third supout file. When you h...

mkx

Let me check my crystall ball .... nah, I can't see anything, it's all foggy.

Sorry, you'll have to give us much more details. Preferrably actual device config as a starting point (and test case which shows the problem).

mkx

it should work with prefix delegation, they route over the dynamic address.

in this case please elaborate on

From my provider i got an fixed ipv6 prefix ::/48

How exactly did you get that "fixed" prefix?

mkx

For IoT you'll have to add bridge port as tagged member of VLAN 6: /interface bridge vlan add bridge=bridge comment=IOT tagged= bridge, ether5,ether7 untagged=ether6 vlan-ids=6 If you want CRS to participate in GUEST VLAN (so far I don't see any need for it, your firewall handkes it), then you have ...

mkx

Want it or not, there are very slim chances to get it changed. We've been complaining about missing features (including spectral scans, connection details, lack of nv2 and/or nstreme) ever since wifiwave2 existed ... and these features are still missing. To be fair, some were implemented (at least i...

mkx

Ask your ISP about how is your fixed ::/48 being delivered to you (they might have mentioned a static IPv6 address to be set on router or something like that). The fact is that ISP's router needs to know your router's wan LLA to route your prefix towards you ... and setting addresses on your side do...

mkx

ever upgraded a linux server? A milion times (literally). nearly every package is also downloaded via HTTP (e.g. in "apt upgrade"...) Not on my servers, I always edit sources.list and change http to https. Just to be clear: personally I don't see any issue with http for fetching packages....

mkx

For chain=input, obviously out interface will always be unknown (because there isn't one). Your problem lies elsewhere but I don't know where. It could be the way SNMP engine works with clients, but I'm not using SNMP on my MT devices. Just a trivial check: you do have "action=accept chain=inpu...

mkx

Ah. In all my years of using ROS I never created backup without explicitly specifying file name...

mkx

1. To add guest SSID, you have to set slave-configurations to appropriate items in wifi/provisioning ... I was trying to set it as a master on the 2.4 which isn't being used right now. I'd prefer that MAIN be only 5Ghz and GUEST be only 2.4Ghz. So is it "master" per frequency? Or is it &q...

mkx

So the new WiFi driver has less features that the old Wireless driver

Yes. Get used to it.

mkx

Is the upgrade packages are really downloaded via http? Why? Why not? If https is used, then client can verify authenticity of server it's talking to. Yes, npk files do have some verification built in (I believe that packages are digitally signed by MT so it's not trivial to alter the contents). Bu...

mkx

But I cannot create a "Backup" as it automatically tries to save the .backup file to flash, which fails when it hits 16/16MB. Are you sure about it? When I save backup, the resulting file ends up on the very same location as export does (which on devices with only 16MB flash and 64+MB RAM...

mkx

I love how we are attacked for reporting a behaviour that seems odd and it takes a mikrotik and 10 minutes to test. The problem with discussion so far is that I still don't know which kind of device @OP was working with (and when I asked him to provide details, he outright rejected to give them). I...

mkx

What would be the point of it? License levels 0-6 only apply to MT's own hardware and all of their hardware comes installed with license level at least 3 (most devices 5, some 4, some 6). If you're thinking about CHR (to be run in virtual machine), then look one table lower ... license levels Free, ...

mkx

VLANs were so simple with CapsMan V2. Are VLANs impossible with CapsMan V3? The problem lies in wifi-qcom-ac driver, which you had to use on hAP ac3 ... it doesn't support manipulations of VLAN tags. The other driver (wifi-qcom ... for AX and newer CAPs) does support manipulating VLANs in similar f...

mkx

Why not to FTTH? Because it's for multi mode fiber and FTTH (or any MAN) uses single mode fiber. And there are a few technologies for WAN fiber: FTTH using two fiber cores (one per direction), most often used wavelength is 1310 nm ... BiDi FTTH, where single fiber core carries traffic in both direc...

mkx

Should I upgrade to 7.18.x? ... Do we hold by the "if it's working, don't touch it" approach? As @anav already hinted: have a look at new features, introduced since your running ROS version. If your current setup is running fine ,then you don't really have to look at bug-fixes since any b...

mkx

here is information from an official source
https://box.mikrotik.com/f/1f880747e77346a3bf7f/

And this is a slightly different model according to the photo.

I'd say it's the same model. PDF contains a render, you showed a photo.

mkx

Manual provision can be done under /interface/wifi/capsman/remote-cap/provision to provision all radios associated with specific CAPs, it can also be done under /interface/wifi/radio/provision , to provision specific radios. Thanks for this ... I'll try it next time something won't be provisioned a...

mkx

You don't need my config Which I translate into: you don't need my help. Out of courtesy, here's explanation: if you have a problem and can't solve it yourself, then you're not really competent to decide which information is crucial for problem analysis and which is not. If you are sure I don't nee...

mkx

Removing dynamic entry is not needed. Just reprovision. Same result but the way of handling it is different (re-apply versus destroying, I prefer the positive approach )

I'd probably do it as well ... but so far I didn't find the right command. Can you enlighten me?

mkx

Can you post full config of the switch (redact sensitive information, like serial number, but don't overdo it)? And leave model number in it, some devices have some quirks due to hardware layout.

mkx

... if the cost of this unit is between 18 to 20 USD ...

Not likely ... device looks like hEX refresh with wireless and GPON interface. And hEX refresh has MSRP of 60 USD.

mkx

mkv you are correct ether 1 pvid should be 1 not 2 ... that doesn't change anything because on ether 1 device there is only vids 2, 5, 145 So to clarify the gateway 10.0.2.1 which has the DHCP comes in on VID 2 on ether 1 So you're saying that device, connected to ether1, talks tagged VLAN 2? In th...

mkx

1. To add guest SSID, you have to set slave-configurations to appropriate items in wifi/provisioning ... And you'll have to make ether7 (interconnect between CAPsMAN and CAP) a hybrid port to allow it to pass tagged frames from guest wifi. Datapath for main also mentions tagging frames, ypu'll have ...

mkx

802.11k/v instead should work among APs off different vendors. At least in theory. Alas in practice one should then manually set list of possible roaming targets (on the other vendor's equipment), but that in ROS is not possible (yet?). As it is now, CAPsMAN does it via steering groups (either auto...

mkx

OK, now you have basics working. If you want to add guest wifi network, then you'll have to add VLANs into the game. And that will involve: CAPsMAN device, all switches, main router and optionally CAP device. It seems that you have one switch which is CAPsMAN as well (so that brings down number of d...

mkx

As you are using the exact range of channel 36, no need to do a reselect. Since width property doesn't define channel layout any more (in old times that would be equivalent to setting XXXX), AP could reselect e.g. from 5180-Ceee to e.g. 5200-eCee. It does seem that MT jumped (or was, by using chips...

mkx

Configuration of ether1 is contradictory: /interface bridge port add bridge=bridge interface=ether1 pvid=2 /interface bridge vlan add bridge=bridge tagged=ether1 vlan-ids=2 So ether1 it will tag untagged frames with PVID on ingress but won't untag them on egress. It will accept tagged frames, tagged...

mkx

So let's try to do some cleaning ... first on CAPsMAN device. We're still not focusing on correct radio provisioning, we're just focusing on getting CAP communicating with CAPsMAN. The red text with strikethrough are parts to be removed, green parts are to be added (or property value changed). /inte...

mkx

It seems your ISP is "faking" MAC address of BRAS ... 00:00:5E is registered to "ICANN, IANA Department" ...

mkx

Your CRS should behave same as other ROS devices with regard to reset button behaviour. Unless that was explicitly configured differently.

mkx

If it works for you, then yes, settings should be fine. As long as you make sure that interface list memberships are maintained properly (no, LAN on WAN interface lists aren't anything magical, it's up to device admin to maintain lists). I wonder though why you decided to ditch default setup and go ...

mkx

I'd check antenna cables ... for water ingress. That's the common thing between Rx and Tx (and antenna itself).

mkx

If you run

/interface/pppoe-client/monitor 0 once

then you'll see MAC address of BRAS (ac-mac) ... which might indicate venfor of BRAS. Some ISPs even disclose some technical info in ac-name (my ISP included "ASR9910" and name of their core location in ac-name).

mkx

@sohrab: if you want to prevent reset button from wiping away the custom config, then you can construct "custom default" config and upload it while using netinstall (option "Configure script"): https://help.mikrotik.com/docs/spaces/R ... Netinstall

mkx

There's one big problem with settings: unless you try real hard, country regulations regarding Tx power will kick in. On 5GHz different channels have different limits, e.g. in ETSI countries 5170-5330MHz allow 23dBm, 5490-5730 allow 30dBm and 5730-5875 allow only 14dBm. And that's EIRP ... substract...

mkx

On my 7.18.1 devices, setting parameter user on ssh command does work (it does connect as another user on remote side ... but I'm using passwords to authenticate). Which opens a question about whether you properly installed public SSH key on RouterB. If you're running ssh command as user1 on routerA...

mkx

But after uploading the older routeros .npk into Files and running /system/packages/downgrade, and rebooting, the version does not change. Does anything with regard to this appear in /log ? One thing to worry: if you're downgrading, you have to upload .npk files for all packages installed ... for R...

mkx

GPON - True or false.

Why the question?

mkx

Worse, I cannot downgrade.

If you upgraded to 7.19beta from 7.17.x or older, then you may have to properly set-up device mode prior to downgrading https://help.mikrotik.com/docs/spaces/R ... evice-mode

mkx

Searching for Mikrotik HGO yields this: https://mikrotik.com/product/hgo_antenna_out ... it's a mediocre omni-directional antenna, not fit for long range point-to-point links that @OP seems to want to build. I already explained the problem in another thread , but @OP doesn't seem to accept the reali...

mkx

Which device's config is the one you posted in preceding post? You're mixing CAPsMAN and CAP config.

Why do you add bridgeLocal? I don't think it's needed on either device.

mkx

Can someone explain what does this mean? *) dhcpv4-server - "Relay-Agent-Information" (82) option moved at the end of option list in response packets; It's about structure of DHCP server's response packet ... some DHCP clients are sensitive regarding order in which different DHCP options ...

mkx

Product brochure says: We’ve made massive improvements to the wireless radio and antennas. Chateau 5G ax supports MIMO 4x4 on 5G and LTE. There are 6 built-in LTE/5G antennas. One pair of external antennas provides even better wireless network coverage in the largest homes, and the other - improved ...

mkx

Wireless wire pair acts as transparent UTP connection. So it should work for you. But (a big one): it needs line of sight ... which indoors is not always possible. Even if there are no permanent obstacles between both points, beware of people walking cross the link. IMO it's always better to try wit...

mkx

/console/clear-history

I tried this on my hAP ac2 running 7.18.1 (without wifi or wireless). The effect: free-hdd-space went from 2492.0KiB to 2556.0KiB ... so 64KiB freed ... not too bad.

mkx

You simply don't combine a 24 port switch with wireless. While it might have made some sense with 802.11n @2.4GHz, it certainly doesn't make sense for more modern standards (e.g. 802.11ax @5GHz) snd even less for oncoming standards (WiFi7 @6GHz) where it's a must to bring AP really close to station...

mkx

cant upgrade .. have u found a solution without netinstall the device ?

There is no other solution. No free space ... game over. It's not possible even to cleanly reboot/shutdown device.

mkx

... I connected Mikrotik Net Metal as with 2 HGO antennas out with a LAN cable. However, at 50m from this AP, at 5 GHz, my signal has a strength of -80 dBm, and according to the calculation it should be about -48 dBm. Using the mentioned setup it's impossible to see signal strength of -48dBm at tha...

mkx

Any resetting of ROS device into "some other" mode will wipe most configuration. If your needs are outside some (simple) predefined use cases, then you're completely on your own. You can start off from a profile whuch is close to what you need and change it where it needs to be changed. AF...

mkx

The test with RB2011 almost definitely proves that there's something weird going on with your RB951Ui ...

mkx

Check settings under /tool/graphing/interface /tool/graphing/queue /tool/graphing/resource I think that if your management device is not on the lust of allowed addresses, it doesn't even see the graphing section. [edit] Hmmm, just checked ... availability of graphs for all 3 resource categories (CPU...

mkx

winbox MAC connection can be controlled with settings under /tool/mac-server (MAC telnet and MAC winbox are configured separately) ... indeed default is allowed-interface-list=all , but it's easy to change it to anything else, including none (I've seen posts on this forum where posters claimed this ...

mkx

All about serial ports on Routerboards: https://help.mikrotik.com/docs/spaces/R ... al+Console

mkx

One should never assume that any of devices will do its job wirespeed ... one should always check.

mkx

The reason I want to access the wlan interfaces is to set the frequency-mode to superchannel and wireless-protocol to nv2, which are not available on the wifi interfaces. No other wireless protocol then 802.11 on AX devices. Any reason you want to use this? Also: ap-bridge mode (which in wifi is me...

mkx

BPDUs for STP and RSTP are untagged (because unlike MSTP, STP and RSTP are VLAN-agnostic). It's then up to switch-chip magic about how to deal with untagged frames (including BPDUs) so that they're delivered to (software) bridge ... untagged.

Of course, when VLANs are not used, this is not an issue.

mkx

Do you have multicast-enhance (or whatever the equivalent on your AP) enabled? RAs are technically multicast ... which is s problem with battery-powered WiFi clients (i.e. smart phones) which tend to switch off radios when idle to save battery life. APs transmit multicasts (and broadcasts) as they a...

mkx

Do you use same L3 (IP) MTU on both subnets (when talking about VLAN routing)? I don't think that L3HW can deal with different L3 MTUs. As I wrote: make sure that device uses L3HW offload for routing. Without using it, it can't do any decent throughput ... I'm actually (positively) surprised that yo...

mkx

A few things: only one bridge can be handled in switch chip, the other will be handled by (slow) CPU. You can partition your switch by using vlan-filtering and assigning ports, belongong to different partitons, different PVID. Added benefit (or not) is ability to use trunk towards core router (over ...

mkx

Can you tell ignorant me why L3HW offload is important? It allows to use switch chip for routing (and some switches also fasttracking) which means routing/fasttracking can be done wirespeed without much load on CPU. Article about it: https://help.mikrotik.com/docs/spaces/ROS/pages/62390319/L3+Hardw...

mkx

Yes ... if switch chip supports L3 HW offload ... which switch chip in L009 doesn't. RTL8367, 88E6393X, 88E6191X, 88E6190 , MT7621, MT7531, EN7562CT switch chips can use HW offloaded vlan-filtering since RouterOS v7." @anav, pay attention to details. I was talking about L3 HW offload, VLANs ar...

mkx

But it extends futher: even if a device has "Mbps" value in "Test results" which exceeds (slightly?) the threshold (e.g. 1000), it doesn't necessarily mean that router is capable of push all the data through single port. Table column header says "all port test" and I se...

mkx

If a faulty gpon works, then the router that it works on, is garbage as it should be more discriminating. The whole thread is about compatibility between devices on different side of SFP cage. So CCR seems a bit more troublesome than some other RouterBoards. And GPON modules seem a bit more trouble...

mkx

Wouldn't it be better to use one port from the hardware offload chip as a WAN port as long as I have it logically separated from the rest of the bridged LAN ports?

Yes ... if switch chip supports L3HW offload ... which switch chip in L009 doesn't.

mkx

Your main problem is currently L2 setup - VLANs. /interface wifi capsman set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no upgrade-policy=require-same-version You set capsman to listen for connections from CAPs on bridge ... but in your setup bridge interface do...

mkx

/interface wifi capsman set enabled=yes package-path="" require-peer-certificate=no upgrade-policy=none The quoted part seems to be the only capsman-related config on your device. Which is very far from enough. You have to do everything under /interface/wifi ... the security, datapath, co...

mkx

My experience is that some clients do properly roam (verified by checking logs on capsman), but auth type doesn't have ft- prefix after roaming is complete (and no, client doesn't disconnect/reconnect, it just roams). OTOH I see both ft-wpa2-psk and ft-wpa3-psk. Which all might indicate, that ft- pa...

mkx

So I added a scan list of 5180-5720. First question, is this okay? No. You should enter it in Frequency property. But I'm wondering: you're mentioning "hAP ax" (which should be running wifi-qcom driver), but your screenshot shows "ap bridge" as AP mode (and that mode doesn't exi...

mkx

Certainly something to carefully look at and consider a netinstall!

Thanks for you considerations. Since devices work as intended, without any noticeable problems, I'll skip further actions (for now).

mkx

In such scenario you better place some quality metal sheets between APs' backs ... and ground those metal sheets. Otherwise the back lobes of antennas will feed lots of interference from one transmitter to other receivers. Placing APs a few meters apart does the job nicely, spacing them vertically a...

mkx

You're allowed to use DFS channels as long as the device carries out the CAC check. If you live near a war zone, there will be plenty of actual radars around (even if you're hundreds of kms away from current front line) ... so CAC might never produce a working DFS channel. So it's better to avoid t...

mkx

... netinstalled device will jump from 1.1.1970... That's no longer true. With recent versions you can not go before release build date. Whatever. It's been a while since I last netinstalled a device (more than a couple of weeks for sure ;-) ). The point is: there's no need for initial time step to...

mkx

I think VLAN 1 is the default LAN for most routers supporting VLAN's. Besides, if I try not to use it (as in not assigb any bridges to VLAN1), I get locked out. Using VLAN 1 is somehow in same category as using QuickSet: it's fine if left alone. But when you start tinkering with settings, you bette...

mkx

Well, in your case it would have been valuable when you were warned because what happened is likely not what you intended! E.g. a device was powercycled without clean shutdown ... Nope, device was cleanly rebooted due to ROS upgrade. I can't explain the few hours jump myself, usually it is, as ever...

mkx

He has all ethernet ports set to 100Mbps. I don't know if it's deliberate. But auto-negotiation seems to still be enabled. That's a leftover from even older ROS versions when default setting was speed=100M-baseT-full ... with not so ancient versions, default changed to speed=1G-baseT-full , but run...

mkx

I guess I have to put an entry into IP:Routes, but don't know what it should look like. As for my understanding anything the router does not know should go to 192.168.88.1 – but it is not working. It goes both ways: Mikrotik4 has to know that default route is via 192.168.88.1 ... but Mikrotik1 has ...

mkx

Is OP saying not to use VLAN1 as in PVID1? Not use for what? Forwarding? Admin VLAN? Its confusing...

See? That's exactly why one should stay away from VLAN 1 in any incarnation (PVID, VID, anything).

mkx

Well, actually a change of time-of-day is a very critical event, but one could argue that in a device without built-in clock it could be labeled a little less severe when the time adjustment is forward, and less than 5 minutes. When upgrading my fleet from 7.17.2 to 7.18.1 ... I saw time jump of a ...

mkx

... had to manually download and copy 7.17.2 version to them ( fortunately had enough space ) ... Regarding the space for upgrade packages, it's exactly the same regardless the method of upgrade (via ROS upgrader versus manual download), they are downloaded (or uploaded) to whatever is considered r...

mkx

But that's my choice to do it this way.

Agree that it's a good way. And it seems that it's the correct way (considering that may people will likely end up using multiple APs and hence CAPsMAN).

mkx

... in the spirit of learn to walk first, it does make sense to first have the basic wifi part digested before moving to capsman. I agree with the concept "walk first, run later". The only problem here is that it's possible to set up the whole config for local radio directly on /interface...

mkx

But you may have to ask yourself WHY you want capsman setup ? If it's only for controlling 2 to 3 devices, don't bother. I think we have to revise the "it's only sensible to bother with CAPsMAN if there are 4 or more APs in game" stance. Ever since we got wifi (qcom / qcom-ac) with 802.11...

mkx

To add to what @lurker888 wrote: Case 1 Using 'ether1': Winbox can still connect using the device's MAC address. DHCP-Client still retrieves leases, and DHCP-Server still provides leases. Winbox MAC access is another function which works directly with raw sockets ... so it escapes IP firewall. Unlik...

mkx

... a callout on the netinstall-cli docs referencing at what point flashing has finished and when its safe to <C-c>. I generally agree that clearer description in docs would be welcome. However, it's (?) common knowledge that after device being netinstalled reboots, the process is over and done. Ne...

mkx

Are there any other parts of RouterOS that bypass Netfilter filter chains? DNS maybe?

No, DNS is completely normal IP (UDP or TCP) service. It's only DHCP that uses raw sockets.

mkx

Just wanted to report a success story: I just installed ROS 7.18.1 and have set 2g-probe-delay=yes ... I have a Huawei tablet, which otherwise stubbornly connects to 2.4GHz BSSID. After enabling the property (and kicking tablet off wireless) it connected to 5GHz BSSID.

mkx

I can confirm that ROS 7.18.1 on ARM uses around 200kB more of flash storage than 7.17.2 ... on hAP ac2 with only base (routeros) package installed.

mkx

The problem of high ambient temperatures is that this means higher temperature of internal components. And higher component temperature means faster aging ... so even if device doesn't die immediately it may die "of old age" prematurely. Capacitors are specially prone to faster aging.

mkx

My question is whether I can use it in an environment that can reach up to 50 degrees. When vendor provides some information, then it most of times means something. If MT says that wifi variant of RB4011 works in ambient temperatures up to 45°C, then it means it's likely that device will survive fo...

mkx

That's interesting. ROS is the same on all devices. I see the old webfig on two CAPs, and on one it switches by itself. Browser caches contents on "per server" basis. It never uses cached item, obtained from one server, on page served by another server. So if you're seeing mixed contents,...

mkx

Also 3, 7, B and F have private bit on... The "even" numbers are multicast MAC addresses ... so in principle should not be used by "normal" devices for unicast communication (which is vast majority) ... and "randomised MAC" is used in context of unicast communications....

mkx

Overheating SFPs are rather a novelty (it really began with 10Gbps RJ-45 modules) ... and hopefully new generations will make the problem go away.

mkx

... in a 50 person office ... The problem with "50 person office" and 5-7GHz frequency band is that the higher the frequency the bigger signal loss ... and "50 person office" is large enough and has enough of obstacles that one needs multiple APs to provide coverage good enough ...

mkx

I don't know exactly, only judging from photographs ... but device seems to have majority of holes on the top surface and only little elsewhere. With fan covering all top holes, air is pushed out through (scarce) holes at other parts of device, so air speed might be relatively low. With smaller fan ...

mkx

It's hot glue ... so you'll have to remove it physically, e.g. by using a scalpel or a similar knife.

mkx

viewtopic.php?t=175513

In short: IPv6 fasttrack is available since ROS v7.18.

mkx

system upgraded to version Y7 (partition 1). This version Y7 has allowed versions: X10+, Y5+ If the partition 2 backup is made active and system rebooted, will it boot the X5 version on this partition? As far as I understand, the allowed versions setting is supposed to be about downgrade process (R...

mkx

... if STP comes into play then it has to be chosen properly if STP comes into play, then one really should set bridge priorities according to topology. One never knows when some "genious" will set MAC 01:00:00:00:00:00 to his bridge while bridge ports are set to default value of edge=aut...

mkx

New version is out = MT no longer wants to hear about bugs in previous one because they will not be hotfixing that one anymore = topic closed. Yeah, that’s my guess too: topic closed = branch closed . But I’m still not convinced about the actual when and why . Maybe it’s just as simple as there bei...

mkx

When it comes to "non-VLAN" switches (power-line devices are switches with one "weird" ethernet port) ... they will all happily pass VLAN tags (they are plain L2 devices and don't look into "ethertype" header, even less they look any further into payload) ... but they h...

mkx

Which device model is your Mikrotik?

mkx

Default firewall filter rules already block everything from WAN side. Do you have any reason not to stick to them? BTW, BTH is connection which in principle starts ftom your router if you enable BTH. Connection is done towards MT's servers and by doing that, you delegate care about a bit of your sec...

mkx

DHCP server (any of them) will re-assign address already assigned only to device with same client-id ... in principle it doesn't care about MAC address. I think that MAC address only matters to DHCP server if client doesn't provide client-id. So as long as your gadget is inventing new client-id, it ...

Search found 14114 matches