MikroTik

mkx

Yes, forgot to mention ...

... because I was writing it as you posted your suggestion.

mkx

Looks fine. So next step would be to create a supout.rif file, make a configuration change, create another supout.rif, reboot, verify that configuration change did not stick, create another supout.rif ... and open ticket with support via support portal or e-mail suport@mikrotik.com ... provide them ...

mkx

Is there a way to test for bad blocks? Just checked ... and the information doesn't seem to be available any more in v7. Here's info from v6: [ name ] > /system resource print uptime: 13w5d4h53m3s version: 6.49.15 (stable) build-time: Apr/24/2024 13:04:23 factory-software: 6.29.1 free-memory: 25.7M...

mkx

With your config it shouldn't matter which port connects ONT, ether1 or ether8 ... verify that this is indeed so.

Does it matter, if PPPoE on RB doesn't start (so try connecting Fritz with disabled PPPoE client on RB)? It could be that ISP is limiting number of active PPPoE sessions per ONT?

mkx

In such situations when I want physically "block" port I put an unclamped RJ45 connector into it :) Apart from being cheap, I think this method has potential to cause physical damage to port (if somebody cares about it). Uncrimped connector's contact pins are higher than surrounding plast...

mkx

Post config of 4011 ... the /interface/export part. There are a few gotchas with bridges, VLANs and HW offload ... and some combinations can bite one's arse.

Another question: if you connect Fritz directly to ONT, its PPPoE works?

mkx

The reset pad, which you discovered under ruber foot, has same function as reset button. So keep those pads shorted while applying power (and then for a while more) until netinstall starts to show signs. From own experience I can tell you it's hard to keep pads shorted and plug power at the same tim...

mkx

Whenever it's up to user to select appropriate equipment, it's that user's homework to find out any constraints, such as extremely low signal strength available. And then search for appropriate solutions, such as need for using external directional antennas, consequently need for modem which makes a...

mkx

You have to clean up file system and heavy config items. My experience is that when free space dtops to 0 (or slightly above 0) and ROS starts to complain about not being able to save config changes, then one can not release any space by removing config items (which includes certificates and simila...

mkx

Do you know, or better, can you describe, what tjat line works and what represents? No idea why exactly that setting needs to be that way, I don't recal reading any good explanation of what it does. It was discovered and reported by other forum members quite a while ago so I guess it's a public sec...

mkx

If RSC is used as "run after reset", it may be necessary to include a short delay right at the top, e.g.

:delay 10

The need for delay comes from the fact that ROS kernel needs a few seconds to start drivers, until that's done not all interfaces are available.

mkx

Are any of resources tight? Flash storage, RAM? Excessive bad blocks on flash?

mkx

Just to be clear, what sits above the CRS is a PFSense firewall with 8 ports on it. If you connect two ports of same bridge to same upstream device, even if those ports are set as access ports to different VLANs, there might be problems with loop detection (xSTP). Because xSTP (except MSTP) are not...

mkx

They're both r2 ... and the cooler runs at higher frequency which is a bit counter intuitive.

So it may be about dried thermal paste/pads in hotter's cooling path.

mkx

Because where property of print command expects textual argument but [ find where ...] provides list of interfaces in format alien to where ... and print simply ignores it (try running "/interface/print where" ).

mkx

The WAN associated VLAN is distinct and separate from data vlans behind the router. Yes. If it's possible to physically connect WAN line directly to router's port. Sometimes it's not, instead WAN line is connected to a port of managed switch, from where traffic is passed towards router using trunk ...

mkx

What I often do is to run wireshark ... and I can see if/when device starts to communicate with netinstall binary on PC. Then and only then it's time to let go the button.

mkx

I'm not saying that definitely everything is fine. But with passively cooled devices it's kind of normal to see high temperatures of parts which generate heat. Are you sure that both are same model? Check /system/routerboard/print output ...

mkx

ok, so I can maintain separation for VLAN710 from everything else on the uplink?

By explicitly setting ports to right VLAN membership you keep the separation between VLANs.

One setting which many people neglect: ingress-filtering=yes on all ports does help with VLANs integrity.

mkx

I think the antennas of this little hap ax are too weak. Agree. I've yet to see MT device with at least half decent antennas for frequencies lower than 2GHz. If that Chinese device has antennas with 0dBi gain, then it's likely better than MT by a few dBi. But these LTE things are hard to troublesho...

mkx

7.17.2 (logs are double ... because I have two log destinations, memory and disk) 2025-02-08 09:04:49 wireless,info 34:F0:43:B4:80:B0@cap-audience-2g-42 connected, signal strength -41 2025-02-08 10:14:06 wireless,info 34:F0:43:B4:80:B0@cap-audience-2g-42 roamed to 34:F0:43:B4:80:B0@cap-audience-5g-...

mkx

Just had a look at CRS config ... and it's lacking a lot vith regards to VLAN setup. Did you ever go through this tutorial? https://forum.mikrotik.com/viewtopic.php?t=143620 Read the "router" section, that's what CRS should become eventually. The biggest issue: bridge1 CPU-facing port has ...

mkx

I was told to create a separate bridge IMO this is bad advice. Properly configured VLANs offer enough separation even within same bridge. The only thing you may have to configure on WAN port is to disable xSTP on it (set edge=yes on that port). Remember, only one bridge can be HW offloaded to one s...

mkx

You sure did.

mkx

You deal with it using netinstall ... unfortunately.

mkx

makes it hard to judge which is the bigger performance issue. i.e. V6+IPSec vs. V7+WG For RAM I'd say WG definitely ... because IPsec is part of ROS since ages and I'm sure they did whatever possible to reduce its memory footprint. I don't think they put the same amount of energy into WG so far. I'...

mkx

Your use case, with all due respect, falls into "device abuse" category.
Where is abuse here? It was using default config. I've only added WireGuard ...

This. It's a lite, for Deity's sake.

mkx

(I didn't add all static routes to the CRS VLANs yet) Well, you'll have to. You can't expect the "jolly new roundabout" fully functional if you're letting traffic reach it via some old goat path. And even if traffic does flow somehow (partly via new roundabout, partly old goat path), you ...

mkx

Post output of /export command (redact sensitive information, such as serial number) ... print's show running config but not how it ended up being like that. Re. L009 CPU load: L009 has moderate routing capacity (for today's standards) of something between 300Mbps and 2Gbps depending on the actual c...

mkx

For me, last time this happened on my hAP ac2 (yesterday :? ), it wouldn't even reboot properly (by executing reboot command) or shutdown. You can believe me that I'm following these kinds of discussions for quite some time. This problem is plaguing my device ever since I installed v7, so it's been ...

mkx

If I do not want the devices to be able to communicate between these 2 networks, do I have to have blocking FW rules in place, or is it blocked by default being on different VLANs already? Yes an No. VLANs prevent devices from communicating directly (via switch alone). So you have a router ... and ...

mkx

After device is restored with binary backup, it should also have users and passwords restored. So whatever was password at the time of creating backup should become password after restoring. And restoring device does require reboot (just mentioning in case it didn't happen).

mkx

I think the AI is right with this: 5. Antenna design: The CPE106-E might have a superior antenna design, allowing for better signal reception and, consequently, higher speeds[1]. I was about to write that I disagree with assessment by @infabo: rsrp isn't that bad. But your sinr is quite low. RSRP a...

mkx

Disabling hw-offload on the RB4011 worked. Replacing the RB4011 with an old RB962 also worked fine. And of course, knowing what the issue now, there are many other ways to resolve (e.g. put everything on the same switch chip at the RB4011 if I still want hw-offload). Which version of ROS is running...

mkx

Re. "Management Protection" setting: it used to be so that if it wasn't set, then default value was different when different security setups were in use (for WPA2 it was "disabled" and for WPA3 it was "allowed"). This doesn't work the same with setting explicitly set. O...

mkx

It's hard to follow your reasoning without seeing actual device config. Default config doesn't have any raw firewall rules and we can only guess what you have added to interfere with traffic. BTW, I hate seeing add-on rules (even if they're published in official articles) abusing comment "defco...

mkx

Did you perform Files -> Backup (so you ended up with .backup file?). If so, upload the file (if it's not already on device), in Files click it and select Restore from possible actions.

mkx

On "16MB" devices (like hAP lite) much bigger issue is RAM. There are two distinct types of 16MB flash devices: generally base-line devices, such as hAP lite ... which lack RAM and fast CPU. However, as long as their CPU architecture is not ARM (hAP lite has SMIPS), those 16MB are not as ...

mkx

Would you mind adding the best way to "reset to blank config?" How about: in webfig, open System->Reset Configuration and check "No Default Configuration" . Optionally you can even upload your RSC before opening Reset Config and set it as "Run After Reset" action. I'm ...

mkx

how to downgrade back to 7.16.2? when i downgrade my hap ax2, it does'nt downgrade even when i paste the downgrade file and hit downgrade... What was factory ROS version on your hAP ax2? Itbcan't ge downgraded below that. Did you upload all the necessary package files? hAP ax2 needs at least router...

mkx

If you don't care about default config, then it doesn't really matter. ROS upgrade in principle doesn't change running config on the device. And default config is only applied when device is reset to defaults. Given a free choice I'd upgrade first, then reset to blank config and then apply custom co...

mkx

What is setup of port to which laptop is connected? Access or trunk? If access, which VLAN? Where is DHCP server which serves that VLAN. Or do you have DHCP relay on CRS? Any reason for two addresses on bridge on L009? I'd remove pirt, connecting CRS, from bridge and set address directly. Or run con...

mkx

But the LTE router doesn't work @ether8 with PoE, it seems to need active PoE as you mentioned,

Did you try to set PoE out on ether8 to "forced on"? L009 might not be able to properly negotiate 802.3 af/at, but with forced PoE-out the connected powered device might work just fine.

mkx

But as far as I understand the architecture there is some overhead for having a package, and thus the situation in a 16MB flash device where all the packages are loaded by default there will be even less available space. Of course joe the average user will never remove the packages they do not need...

mkx

Even CCR2004-1G-12S+2XS at over $500 is not what I would classify as entry level...

Like it or not, but router at around 1k$ is nowdays entry level for 10Gbps. It's only that many of us consider 10Gbps to be far from entry level.

mkx

On the winbox screenshot, everything is set-up to click connect (when connect to is filled with MAC address, winnix will try to connect without using IP). But there are a few problems: ROS version is extremely old, your winbox can't connect to it due to change of how password is communicated. You'd ...

mkx

Style of webfig is locked with ROS version on a particular device. If you alternately see old and new, then it's web browser playing tricks on you (serving cached contents). Clear the cache and you'll have consistent UI. Of course, if you're switching between different ROS drvices, you'll see differ...

mkx

You know, when neighbouring guys gather around the BBQ and compare wifi speed between each other? It'll be the same, we'll just have to move to each front porch to hearvthat "Oh, you've got WiFi7. Damn!"

mkx

Try 9600 baud modem dialup ... roughly 20 years ago.

More likely 30 years ago. 20 years ago we were already past ISDN (at 2x64kbps) and 2G (with HSCSD/GPRS at around 64kbps) into ADSL (1Mbps/128kbps or something in that ballpark) and (legacy) 3G/UMTS with 384/64kbps speeds.

mkx

I had a while ago a similar problem with wAP AX and L009. wAP AX requires 802.3 at/af. You sure about that? wAP ax ships with (passive PoE injector) RBGPOE and 24V power adapter. In my installation UTP cables cause 1V drop and wAP ax happily humms along with 23V supply volrage: [device] > /system/h...

mkx

Its going forward when the deployment pipeline starts with routeros versions where the default device-mode does not allow the setting to be changed. The argument reminds me of discussion when devices started to ship with random admin password. Yes, it does hinder automatic configuration and deploym...

mkx

The internal configuration database handling seems to be as clear as mud. It seems to contain some kind of history but it seems that in certain cases it can be cleared. My recent experience: hAP ac2, running 7.17 without wifi/wireless drivers, some 2.7MB flash free. Device did have it's history of u...

mkx

Backup files are intended to be restored on very same device. They might be restored on different device of very same model ... and if they are used to restore service after hardware breakdown, that works ... by keeping MAC addresses even better, other networked devices even won't notice hardware re...

mkx

Well IMHO, 32MB would have been enough Experience with some newer devices (e.g. Audience) is that even 128MB might not be enough to allow for partitioning ... because upgrade packets get downloaded to flash. If the "RAM-disk as root of storage" strategy was revised to not depend on flash ...

mkx

... read other forum topics, where MTik users/admins listed a lot of problematic scenarios, to which the manufacturer did not respond in any meaningful way, or not at all, just repeatedly asking, "what scenario cause problem", we answered most of them with compelling arguments, and that's...

mkx

As always - if a stable version is "okay", then after a while it is re-published as long-term. How long is "after a while"? Last long-term is 6.49.13. Previous stable was 6.49.17, released on 2024-08-07 ... which is quite a bit longer than half a year ago. Are you saying that ha...

mkx

The switch data is derived from CDP packets, which are periodically broadcast by switch via all (active) ports. Why fluke received those during one session and not during the other session is beyond my knowledge.

mkx

Is that the case even if I don't use the wireless packages? If you go the upgrade path using ROS buolt-in package updater, then 7.12.1 is required step. It's tge version which "knows" to install separate wireless package, existing from 7.13 onwards (which can then be uninstalled if you do...

mkx

Export of default config creates non-empty RSC.

Which means that such export can't be applied to device with already applied default config - it causes errors about items already existing, etc.

Which in turn means that any exported RSC can only be applied to device with empty config.

mkx

Generally, dst-port range has no relation with to-ports range. So I'm affraid that 100 rules it is.

mkx

It may clarify the motive ... but doesn't make it any more doable.

And when I was asking about network description, I had technical details in mind, not sociological description.

mkx

Bullet #3 is completely unnecessary in your case. If DHCP client was to receive a lease (from another DHCP server in same ethernet network), then other devices, connected to bridged ports, would as well. Since you need DHCP server I'm assuming there is no other DHCP server available, so bullet #3 sh...

mkx

Do i start with the defaul config or an empty/blank/non-existent config? Since default config creates non-empty export, it's a sign that applying it requires blank starting state. And no, you can't instruct ROS to set something statically (e.g. bridge MAC address) without explicitly setting the val...

mkx

Your L009 is still slightly faster than CRS when it comes to CPU-based routing/firewalling (according to official test results around 40%), so it still makes sense to use it as border gateway for your home network (while using CRS as core router). Keep in mind that number of L3HW offloaded connectio...

mkx

Exported config is mostly troublesome for setting static MAC addresses. You can simply remove that particular property setting from rsc and ROS will come up with one automatically. For the bridge MAC also remove auto-mac=no setting. You can then manually set MAC addresses later on. Alternatively you...

mkx

Generally with bridge which is vlan enabled, there are two halves of the story, both halves are more or less unrelated (whether more or less depends on some config details): /interface/bridge/port is about ingress. PVID is set there and it affects the ingress untagged frames. If frame-types is set e...

mkx

Generally you don't. DHCP handshake partly works over broadcasts and those pass throughout L2 broadcast domain (and bridge does transparrently join parts of network into same L2 broadcast domain). There are some tricks on how to block DHCP handshake with certain clients or via certain parts of netwo...

mkx

One last question, if I setup all like that, does the firewall rules on the L009 still apply between the CRS VLANs? No, inter-VLAN traffic will bypass L009. If you want to control inter-VLAN traffic, you have to do it on CRS .. either routing rules (these are pretty coarse, but consume way less res...

mkx

So, after remote upgrade to 7.17, install-any-version is disabled and it's impossible to downgrade without physical access if there are any issues found? It's partially true: no, it's not that you can't downgrade, you're just limited to certain minimum version. Default 7.17 setting is allowed-versi...

mkx

Post config of hEX PoE (execute /export in terminal window ...). Without seeing config it's not possible to say what's wrong.

Generally DHCP server doesn't care about availability of WAN.

mkx

I guess that part of PoE-in, there are capacitors on each line between PoE-in power "ejector" and ethernet transformers. And broken capacitor (not shorted but burned) would effectively isolate that particular line. Or some soldered point simply developed a crack. I don't think it's easy to...

mkx

When you consider that bad, look at my situation: I have a RB4011, once considered to be the flagship home router, 3.5 times as expensive as the ac2, but cannot use the new Wi-Fi driver because 2GHz Wi-Fi does not work then. Well, to paraphrase certain @pe1chl: install wifi-qcom-ac and move it to a...

mkx

IIRC if pins 4,5,7 or 8 aren't properly connected to the peer, then switch will show only speeds up to 100Mbps as advertised by peer ... even if peer advertises faster speeds. My guess is some (electrical?) damage to ether1. Does PoE-in still work? The passive PoE-in uses same cable pairs as are nee...

mkx

It seems that access-list subtree should allow to set device in station mode to behave similarly to legacy wireless with connect-list, I seem to remember a few discussions about it. Sadly I din't find any useful topic right now ... and I never tried it myself. So let's hope that somebody with right ...

mkx

So... do you suggest that ....

With 16MB ARM devices there are two choices: either run device as wired-only router (by uninstalling either of wireless/wifi drivers) or run device as simple AP without sny kind of routing/firewalling setup.
It's sad, but that's how it is.

mkx

I tried to create a subinterface and make it in station mode.

Only master interface can realistically be used in station mode ... because only master interface can scan frequencies for APs.

mkx

As I already explained, VLAN ID 1 is used in implicit configuration which makes it non-obvious and even non-transparent. And that makes it insecure. Having the NoOp VLAN interface again makes things a bit muddy, users who don't understand how bridge and L2HW offload works might jump into wrong concl...

mkx

... nobody understands the device mode on the routers ... I think many (or even most?) of us understand the device mode but most (almost all?) of us disagree with MT on how to handle upgrades other than netinstall. I guess this is what you're saying as well, but IMO your choice of words makes it so...

mkx

Your setup probably works fine for you and I'm glad for it. But the problem is when it gets published as a general template for newcomers to grab and blindly apply. Because generally it has a few problems and those will bite a few of those users. And that's the reason for it getting quite some negat...

mkx

Oh, and I forgot, the NoOp VLAN interface gives you a traffic monitor that only includes LAN traffic ... ... if that traffic hits CPU-facing bridge port (either due to being CPU communicating with devices on same VLAN or if it's broadcast traffic). Most of traffic between devices, connected to brid...

mkx

Just for illustration: two problems with your template: /interface bridge add ingress-filtering=no name=bridge vlan-filtering=yes /interface vlan add comment="1 LAN" interface=bridge name=lan vlan-id=1 Implicit configuration has bridge CPU-facing port set with pvid=1. Which makes bridge un...

mkx

Will it ever be unified into one version? No. It seems that MT will just let the legacy wireless CAPsMAN die of old age together with devices running legacy wireless driver. The main thing of the new wifi CAPsMAN is enhanced mobility (802.11 r/k/v) ... which is not supported by legacy wireless driv...

mkx

... VLAN 1 on Mikrotik devices has well-defined behavior. The main point for this particular configuration is that it is transparent. You're right about well-defined behaviour. The problem is that it's not apparent, default VLAN 1 config is not shown in exported config nor in most GUI screens (apar...

mkx

>> PoE switch, 15 watts per port - maybe it is not enough for RB951 to start? RB951Ui is rated for input voltage 10V-28V and "passive PoE" ... So if your switch is 802.3 af (that's consistent with 15W power output), then it is using 48V and has potential to fry your RB951Ui. If your switc...

mkx

But some dual-band devices prefer 2.4GHz and don't roam to 5GHz if they're left to their own will and no amount of support for WiFi mobility (802.11 r/k/v) changes that. One example of such devices is Huawei MediaPad T5 ... which does work with 5GHz-only SSIDs just fine.

mkx

@mkx: And, as I already mentioned, the idea is to have gridge as complete as it gets. If certain L2 functions have to be configured elsewhere this doesn't mean that bridge can be left only partially built This is exactly my point here - the bridge makes sense if you want bridge on the CPU side. How...

mkx

is there a reason why there are no L3 hardware offloaded tests here: So far it seems that official benchmark is only done when device is introduced and they are not re-done after that. So it is likely that L3HW did not exist in ROS when CRS326 was introduced and they could not test it. The fact tha...

mkx

You want L3HW offload functional on CRS, so study this help document: https://help.mikrotik.com/docs/spaces/ROS/pages/62390319/L3+Hardware+Offloading You'll have to add IP address to every VLAN where you want CRS to route between. And set devices in those VLANs to use CRS's address as default gatewa...

mkx

What folder is the config in?

The running config is on the part of built-in storage which is not accessible for users. So you can't delete it just like that.

mkx

I forgot to add that users will get dynamic VLAN assignemt from RADIUS server.

Which means that VLANs are in the mix already. IMO another point in favour of VLAN-enabled bridges (and against DHCP relay).

mkx

... but now I have an issue with excessive retries. Retransmissions are one of ways for TCP to throttle back. And they indicate that it's not the first leg from transmitter which has (performance) problems. You can try with UDP connectivity ... start with modest bandwidth setting (e.g. 2Gbps) and g...

mkx

It would be under Tx stats and Rx stats ...

mkx

IMO configuration from your latest post doesn't explain the extremely low throughput in download direction.

Can you check the stats on ether1 port? Does it show any errors?

mkx

Netinstall is the only way out.

mkx

If you can use one VLAN per building ... and bring them to main router, then this would give you most flexibility ... building routers would become switches (bridges). With bridge there might be more traffic on the connection towards main router (broadcasts mainly) then with routed traffic. If capac...

mkx

Disabling fasttrack can have "delayed effect", the existing connectiins are still fasttracked. It's best to reboot router to get things reset to (new) settings. BTW, your router's test results indicate routing speed at around 900Mbps. But depending on actual configuration it can be much lo...

mkx

So it would be a bad thing to plop an antenna like this on my roof, attach it to ANT2 and call it a day? https://www.pctel.com/antenna-product/wlq-4g-directional-cellular-antenna-2g-3g-4g-5g-nb-iot-m2m-smart-city-smart-metering-sma/ Because the receiver hardware expects a certain signal from the bu...

mkx

Mangle rules and fasttrack don't cooperate. So disable the fasttrack rule in firewall filter.

mkx

The basic idea, mentioned everywhere in the docs, is that switched ports are members of bridge. The fact, that it works for you if not all ports are bridge members, is some kind of gray area ... and hence behaviour might change from version to version. And yes, it is normal that bridge config does a...

mkx

With MIMO radio systems (WiFi from N onwards, mobile broadband from 4G/LTE onwards) the distinction between "main" antenna and "aux"/"diversity" antenna doesn't exist any more. All antennas are equally important. Some chipsets/drivers simply hate it when signal levels, ...

mkx

Some basics: L2 offload works between different ports within same VLAN. Router is needed to pass between different VLANs. Only a few devices can do L3 (routing) HW ofgload and it'll work if that device is set up as router and other devices use it as their gateway. So it won't work by simply dropping...

mkx

**... it also means if you add a new bridge at the CLI — either from blank or even a 2nd bridge — any new bridge added will have auto-mac=yes ... which will use lowest MAC address as the bridge MAC automatically. With a pretty convoluted config this will end up having multiple bridges with same MAC...

mkx

I'd explicitly add all interfaces as bridge ports onenvy one instead of using interface=all. It might or might not make any difference.

mkx

QuickSet is supported as far as initial/simple setup. If you have to set up anything outside QuickSet, you should never ever return to QuickSet page. Not even for unrelated things.

mkx

So why is this interface listed when the dropped packet does not pass this interface ? Because egress interface is not known when FW drops connection/packet. Why? It depends on rule itself and L3 networks layout on your router. So without knowing that and full log line it's impossible for us to tel...

mkx

Under device mode, you need routerboard=yes to be able to change anything in routerboard config menu.

mkx

However, connecting to the guest and iot WiFi doesn't grant me access to the internet now. Could be it's because you're blocking access to DNS server on router itself from !LAN subnets (blocked by general "drop input all not from LAN"). You'll have to create allow rules for both TCP and U...

mkx

You've got this right (as far the scope of this topic).

mkx

... but then it shouldn't allowed me to change the frequency from "Auto" in the first place.

At which ROS version did you set CPU frequency to 1400MHz? Versions lower than 7.17 allowed that without a hiccup ...

mkx

It was a constant traffic (60-180kb/s) with no clients on CAP, too. Hmmm ... are you sure that it's all CAP<->CAPsMAN traffic? I just checked in my network with 2 CAPs (one Audience, one wAP ax) and CAPsMAN (hAP ac2 without wifi-qcom-ac driver, so essentially wired router) .... and traffic on manag...

mkx

Why did they add this kind of status message, if local forwarding is the default and the only one mode in wifi-qcom-ac...? :D It's very misleading... I disagreeabout being misleading. It's saying that "traffic is bring processed on CAP". I guess they added the message to always inform use...

mkx

Technically yes.

It largely depends on currently running version of ROS how exactly the installation will go.

mkx

One of the reasons I like the 300' roll is the lack of joints. When they laid GPON in my area, they joined shorter stretches of protective tubes into approx 1km stretches ... where they put in shallow shafts ... concrete sections of pipes placed verically,1m deep and 50cm of diameter (covered with ...

mkx

You'll have to press that button to get your device into netinstall mode ... and that involves prolonged depression of button. So you can start practicing :wink: As to netinstall machine: if you have access to a x86 laptop (regardless OS), you can try to boot it off a live linux USB stick ... with s...

mkx

Could be temperature related ... IIRC your ATL is high in the mountains where night temperatures might be quite low. And if some moisture entered ATL, it could add water condensation to the "happy mix".

mkx

With the short distance, you can go for a super flexible multimode ... @OP mentioned 1.3km distance ... and that's direct distance. Which is way longer than 550m limit for multimode fiber. So if @OP decides for digging, it should be single-mode ... which is most often laid inside protective tube. D...

mkx

My main suspect is fastrack too, but there is no option to disable fastrack via Winbox. It's a firewall filter rule with action=fasttrack-connection ... disable it (or remove it). Just beware, existing connections, which are already fasttracked, will remain fasttracked even if said rule is disabled...

mkx

So any ideas on why going from tagged to untagged worked? My Virtual Wireless interfaces are tagged, but my ethernet interface is untagged. I would be grateful for help in understanding this. The tagged/untagged setting is about how frames are seen on the cable side of ethernet port. Unless device,...

mkx

So your hAP ac lite still has some config but seems not all of it. But who knows which part of config still works (or messes with you). First option is to perform configuration reset ... if that one fails, it's netinstall time. I'm just mentioning reset because of your "mac only" handicap ...

mkx

What exactly are the symptoms? Device doesn't show any signs of life? Or device starts to do something but never boots up properly? If the later: devices often draw more power at boot time than later when operating normally. Inadequate power source might not be able to provide power needed for booti...

mkx

@kovacspro are you saying that with 7.16.2 you don't see traffic between CAP s and CAPsMAN on port 5246?

In principle there will be some traffic between them due to station steering etc. Quite probably station registration is also controlled by CAPsMAN and possibly other things.

mkx

You adapt CAPsMAN configuration to VLANs, not the other way around. So do the VLANs properly first, then worry about CAPsMAN. And yes, if one doesn't know exactly what he's doing, he will break things ... and probably break them hard. So it's questionable if it's worth doing things only partially in...

mkx

Genrally multiple bonds work fine on ROS devices. So it might be domething about how you set them up ... both on CCR and both CRSes.

If you post config from all 3 devices (the /interface part will probably be enough), we may spot domething off ...

mkx

Settings in ROS and SwOS are completely separate, as if they were running on different devices.

IP address shown as 0.0.0.0 is s sign of no address at all (it's just the way of winbox saying it doesn't have any information about that).

mkx

... IGMP snooping on both bridges and both devices on the latest 7.18-beta4

RAs are multicast ... so IGMP snooping might be playing foul game here. Try to disable it to see if that's the case.

mkx

Che differenza fa?
[What difference does it make?]

My ego isn't getting food to grow ...

mkx

that gave me healthy 2.8MB of free space before filling up the address lists ok, and that amount of free space does not "autonomously" change, i.e. remains the same unless you cnahge something in the configuration? The free space remained constant for some 4 months while running 7.16 (wit...

mkx

As in "the wifi-qcom-ac driver may have nothing to do with that". In my particular case the reason was obvious: with advent of 7.13 I felt adventurous and went ahead with replacing wireless with wifi-qcom-ac. After installation of base ROS and wifi-qcom-ac package only some 300kB of flash...

mkx

The big problem of hAP ac2 and wifi-qcom-driver is lack of flash storage. @mkx, would you mind creating a dedicated topic to discuss the points above outside this 7.17.x related one? Actually I do. My use case for my hAP ac2 doesn't require any wireless driver and it's not available for experimenti...

mkx

And ... what does /log/print have to say about 2.4GHz interface?

mkx

It's actually a bug in how GUIs (both winbox and webfig) handles missing information. If you check IRQ distribution in CLI, you may see something like this: [device] > /system/resource/irq/print Flags: o - READ-ONLY Columns: IRQ, USERS, CPU, ACTIVE-CPU, COUNT # IRQ USERS CPU ACTIVE-CPU COUNT 0 o 20 ...

mkx

Its strange that MT's favorite chip supplier MARVELL didn't offer MT one of there chips that has MACSEC integrated, as they have boat-loads of supported switching chips with it available. I'm pretty sure that Marvell isn't denying MT to use some of their MACSEC-enabled switch chips ... it's probabl...

mkx

Re blocking: since DHCP is typically done inside L2 broadcast domain, DHCP handshake doesn't go past routers. Which generally means that any DHCP handshake with ZTE thingy will generally originate from router itself (and not from some devices, connected to router's LAN segment). Unless you have all ...

mkx

You need to find out how exactly your ISP delivers internet (you're mentioning PPPoE so this probably says it all) and how IPTV. Then you need to find out how ONT gets configured the ports. And you need to find out if IPTV boxes require untagged IPTV.

Then we'll be able to discuss things.

mkx

... you normally get a /64 or /52 prefix that is enough for all your connected devices. /64 is most often not enough ... each LAN subnet needs separate /64 prefix while those brain-dead ISP who provide only /64 prefix often require that router uses one address from the same prefix on WAN interface ...

mkx

I can't comment on 100BaseTx and SFP modules. So it remains to comment on compatibility with MT gear: if their solutions are truly L2 compatible with ethernet, then it shouldn't be a problem at all to use any kind of ethernet switch in between (apart from the timing constraints ... every switch can ...

mkx

Try to use winbox and MAC access to device. It could be that default ROS config was deleted from your devices for some reason which would lead to device not being set up with any IP address. Winbox MAC connection works fine in such case.

mkx

Do you have please any feedback how hap ac2 "cooperates" with 7.17+wifiwave2 ? I have some spare devices which i need to deploy, thinking about this config+capsman for one AP. Im just wondering how does it perform (registered in this topic some reboot issues during beta phase). The big pr...

mkx

You can display the defconf using: /system/default-configuration/print The fasttrack rule does not exist in the default configuration (you have to create it), it is not clear to me in which position it should go. If you follow advice by @pe1chl, you'll place it as the very first rule in chain=forwa...

mkx

Disclaimer: I don't know a thing about dSNAKE. Once I had a closer look at a pair of USB/DP extender which uses UTP cables between them. They speak ethernet frames, so placing switch in between (with dedicated VLAN as well) still allowed them to communicate. Even though officially using ethernet swi...

mkx

You're right, config doesn't contain anything which would explain behaviour you're observing.

mkx

Writing that mikrotik locked out 3rd party OSes is quite a heavy statement. Not publishing bootloader specs is effectively the same thing as locking out IMO "locking out" is deliberate and active act, "not publishing" can only be called "negligence" towards 3rd parties...

mkx

Mikrotik locked out 3rd party OS with RouterBOARD firmware version 7... Writing that mikrotik locked out 3rd party OSes is quite a heavy statement. Judging on MT's track record I'd rather say that with v7 MT introduced changes in routerboot (OS loader) which are in a way incompatible and nobody rev...

mkx

Is your CRS running ROS or SwOS? In principle devices running ROS don't have problems with LLAs. Unless there's some config interfering. You may post switch config so we can check for anything suspicious (execute /export file=anynameyouwish in terminal window, fetch file off device, open it with a t...

mkx

Your switch is one of devices with too little flash space ... and since you need optional package wireless to run old CAPsMAN, you'll have to consider moving legacy CAPsMAN elsewhere (and uninstall wireless package from switch). You can set up legacy CAPsMAN on one of devices which are currrenty CAP...

mkx

/ip fi co tr pr IMO your post would be much better if you used full commands and properties instead of these obfuscated code snippets. If not for other thing, these snipets might stop working if some future ROS would add new configuration branch/command with name beginning with same two characters ...

mkx

VLAN traffic is traffic between device's IP stack and that device. If device is used as a switch, then traffic shown for VLAN interfaces will be low.

Or is sfp-sfpplus1 being used in a "router on a stick" manner?

mkx

- why use interface lists without firewall ? Also conceptually, why connect WAN interface to bridge ? There is no WAN since everything is to be bridged... Even if we put concepts aside ... script makes both wlan1 and ether1 bridge ports ... and it's wrong to use slave interfaces (i.e. btidge ports)...

mkx

It's perfectly fine to obfuscate sensitive parts of config ... if that's done in consistent matter .... e.g. replace actual IP address with, say, X.Y.Z.W ... as long as all occurences of same IP address is replaced by same string of characters. And if you have different IPs, obfuscate them with diff...

mkx

I thought that the new PoE switches were "smart" using “active” PoE (802.11af)and could negotiate power requirements with their "end user", so would automatically cater for 48V-12V step-down. Standard 802.3 af/at/bt/... PoE specifies voltage around nominal value of 48V (dependin...

mkx

Not saying it's not already ... but defconf is only applied when device is reset to factory defaults (where "factory" part is a bit misleading because it's not config applied in factory when manufacturing device, it's config set as default in any particular ROS version). I am still hoping...

mkx

It's perfectly normal for DHCP client to try to renew DHCP lease after half of lifetime expires. When doing it, DHCP client offers to renew lease with its current IP address. Normally DHCP server ACKs that and thing is done for another half of lease lifetime. DHCP server may decide to NAK client's &...

mkx

Both tables, mentioned by @panisk0 ... with addition of /interface/ethernet/switch/host ... are serving different roles: /ip/arp (and /ipv6/neighbor for IPv6) lists hosts with which IP (or IPv6) stack of router communicated in near past. It contains both IP (or IPv6) address and MAC address of that ...

mkx

If you set frame-types=admit-only-vlan-tagged , then pvid property of bridge port is entirely ignored ... so you can either leave it unset (in which case default setting of pvid=1 remains) or you can set it to some distinct unused value to have visual cue about that. Just be careful if you set same ...

mkx

Download from ... FAILED: Idle timeout - receiving content
executing script ... from scheduler failed, please check it manually

What a meaningful trouble report. No context, no nothing. Damn, my crystal ball failed again.

mkx

Please add fasttrack ipv6 in defconf Not saying it's not already ... but defconf is only applied when device is reset to factory defaults (where "factory" part is a bit misleading because it's not config applied in factory when manufacturing device, it's config set as default in any parti...

mkx

If vlan-filtering on bridge is disabled, then all the vlan-related stuff is ignored by bridge. Which means that PVID won't get applied to untagged frames on ingress, VLAN headr won't be stripped on egress and no vlan-filtering is done (so effectively as frame-types=admit-all and allowed VLANs are 1-...

mkx

1. The interface to monitor is eth1 which has id 0, if I configure "const int graph_interface = 0" esp32 show me only a black screen; Index numbers (e.g. 0, 1, ...) ... are only valid after executing print command ... and are valid only until another print command is executed (even if in ...

mkx

In principle it's possible to force device to connect to specific BSSID using ACL (in wifi/access-list) ... setting station-roaming=no to configuration does help afterwards (so that station doesn't even consider roaming to another BSSID).

mkx

Prefixes are handed out by pool sequentially. And ROS somehow remembers their assignment ... which is good because generally same prefixes are reassigned to same interface (e.g. after reboot). So it seems that while you were playing (or should we say: learning), some prefixes were assigned to interf...

mkx

Because this time with device-mode s–t no one want lock his devices, so less persons than before do tests... I almost don't want to report this... But noticed "cloud" or "file-share" are not selectable in device-mode. I agree with complaint about "cloud" not being sele...

mkx

Excellent analysis. I dont know, why the packet loss is higher, when I download from my gamer than my laptop. My guess: it's likely that your gamer is pretty much faster than your laptop, so it could ACK packets with considerably lower latency ... and hence use (a bit) more of available bandwidth. I...

mkx

While waiting for config: generally it's good practice (required actually) to drop everything except bare minimum of allowed services (e.g. wireguard/IPsec tunnels from whitelisted remote addresses). And it's normal not to log dropped attempts ... because those log entries don't give any information...

mkx

... and I think I have Rule #7:

I agree ...

mkx

After reading this thread... I'm wondering... does Mikrotik actually TEST these updates on *actual* devices? As always: some tens of users, who have problems after upgrade, did come here and report problems. Hundreds (thousands), who upgraded and didn't have any problems, didn't write any praise. M...

mkx

Directory flash/ is present on devices with less than 64MB flash disk and more than 64MB RAM ... where root of file storage is on RAM disk instead of flash. On those systems, the remaining portion of flash disk is mounted under flash directory (and is thus root of non-volatile storage). Since RB5009...

mkx

The FTC21 appears to be a 48v native device (and offers some more functions if you need it). It seems as 48V native as FTC11 ... both support passive PoE as well (FTC11 goes lower with minimum voltage). It's only that FTC21 seems to properly support 802.3 af/at (possibly both Alternatives as a dece...

mkx

Following up on this: Yes, it is poorly written. I reached out to Mikrotik and they explicitly suggested that I should use a crossover cable. I guess that everybody is puzzled as to how the "crossover" cable could possibly work in this scenario. The thing is the following: in normal cable...

mkx

What @normis is saying (but in more words): in principle every device, running ROS, offers same functionality (apart from models with 16MB flash which is tight and doesn't allow to install all the optional ROS packages). But devices differ wildly when it comes to capacity when running those function...

mkx

Hmmm ... did you try to enable the wifi1 interface on CRS? I think this is one of "settings", which can be set on CAP itself and are in power even if interface is provisioned/controlled by CAPsMAN.

mkx

Even with just two, 8631, EEB5, CA8E, 468F are nowhere to be found in this list: Right, these are all locally administered MAC addresses . So it's anybody's guess where they are coming from, could be ROS as well. Let me know if this approach is indeed the right one. Yes, it is the right approach.

mkx

What do you mean by "the same generation of drivers"? Either legacy wireless ... which is required on older generation of hardware, up to and (mostly) including AC. Or wifi (in particular either wifi-qcom and wifi-qcom-ac) ... which is rewuired on newest generatiin of devices ... AX and s...

mkx

After discussing with someone on the forum, it seems we’re not supposed to create multiple bridges. I don’t understand—why allow the possibility to do so then? It is possible and legitimate to create multiple bridges ... it's just that since ROS version 6.42 or there abouts (which added vlan-filter...

mkx

The whole concept of templates is riddled with bugs. Another one is that winbox will not keep inheritance of parameters from templates, it will just copy them (e.g. into the connection). The problem is similar with templates/profiles under /interface/wifi and is not exclusive for winbox ... in CLI ...

mkx

As far as my experience goes, there are two things: capsman has to listen on interface where cap will eventually try to connect (see next bullet). Most often that's management interface but can ve multiple. They are set in /interface/wifi/capsman/set interfaces=<interface1>,<interface2> ... cap devi...

mkx

I have no experience with Securityonion, so I'm just speculating here ... Are you sure that the mini PC is able to process in real time whatever software requires? Unlike actual HTTP/FTP/etc protocol between client and server, where any of parties can slow down the transfer, your "sniffer"...

mkx

This is feasible way of doing it. As to wifi radio modes ... it's up to you, constraints are: both AP and station have to run same generation of drivers (wifi or wireless), mixed drivers are not compatible in station -bridge mode. Since each device can only run one generation of drivers, in case dep...

mkx

So does that mean there’s basically no difference in this particular scenario between using a wAP ax or the MikroTik Wireless Wire with 60 GHz? If you're thinking about going through concrete floors/ceilings, then lower frequency is likely to fare better ... and IMO 60GHz is guaranteed to go nowher...

mkx

@MKX for the version 7 ECMP it uses L3 hash policy as depicted below. Can you explain these further?? I don't have any experience or knowledge of ECMP. The terms you're asking about sound similar to some terms from (L2) bonding (which I believe I understand well enough), but I've no idea whether th...

mkx

How about using a pair of PLC devices? MT doesn't have any contemporary offering, but there are other vendors offering it.

If there happens to be a (neglected) coaxial cable available, you could use a pair of MoCA devices (usually works way better than PLC ... again no MT offering).

mkx

And if you, despite advice by @sid5632, decide to beam data up ... you might have more success by using reflection from neighbouring building than through two concrete floors/ceilings ... if neighbouring building has large vertical surface facing towards "your" building and is not too far ...

mkx

Wanted to transition to (dual-stack) default IPv6 everywhere to check if there are any bugs in the long run. Perhaps it will give you a bit of incentive in this direction: I've been using IPv6 at home for almost 10 years and I've had no problems with it, all devices I use work with IPv6 just fine. ...

mkx

OK, so it's not possible to block RAs towards individual devices. But it is possible to block all IPv6 frames from individual devices using switch ACL. Drawback is that device in question will see RAs, it will configure self with GUA (based on SLAAC) but won't be able to use it. Which can cause a sl...

mkx

with Fasttrack you can get Full Speed with the 750GR3
and with 7.18beta this is also working with IPv6

In some use cases fasttrack can't be used. E.g. in case by @OP.

mkx

I was just looking at the hap lite tc test specifications. Its speed is very close to hex. It's really stupid. Hex has a 2-core, 2-thread processor, but hap lite has a single core with a low frequency! They are different architectures and hAP lite just might be using CPU which does more per core sn...

mkx

No, not when device is running ROS. You'll simply have to accept that ROS is not the most performing OS on many of supported devices.

mkx

Not sure why would EoIP be required? WiFi interfaces are L2 interfaces already, couldn't they be directly used as bond members? The only gothcha I can think of is link-monitoring setting, in this case it would probably have to be "arp" instead of "mii". Since such bonding will be...

mkx

Your previous switch was 1Gbps (if I understand your opening post right) and your CRS304 is 10Gbps. Which is a huge difference when it comes to UTP cable. Even though you're using a cat7 cable (indicated on your chart), it might be of low quality, it might be improperly terminated, it might be (slig...

mkx

You want to have a dual-band device as AP with wireless backhaul. Having both stations and backhaul on same radio creates major performance bottleneck (each frame gets transmitted over same radio twice, together with all the wireless overhead which increases with multiple devices trying to use airti...

mkx

Which particular model of router are you using? Not all models can do switch rules (even if the config subtree exists).

mkx

There are many possible reasons for device to misbehave. Unfortunately one of them is (invisible) configuration corruption which is also saved in binary backup. If such backup is restored on (newly installed) device, corrupt setup is back in place and waiting to screw things. So if the problem will ...

mkx

CPU in hEX Gr3 is not exactly speed monster. It's got 2 CPU cores (with 4 threads altogether but I don't know how ROS utilizes that). And the gotcha: all packets of same connection are handled by same CPU core/thread (processing may move between cores, but there's no parallel processing). And window...

mkx

It could be the new 'security' feature introduced in 7.17 - /system device-mode has been changed. By default install-any-version is set to no which prevents installation of anything with a lesser version than listed in allowed-versions ... Right, but default setting for allowed-versions is 7.13+ .....

mkx

I didn't try ... but how about /interface/wifi/access-list on CAPsMAN device?

mkx

You can't block advertisments to some clients at the source, being multicast they are sent to all devices within a layer2 network Just to double-check, is it possible to block on L2 level via /interface ethernet switch rule, or multicast cannot be blocked per client (per MAC) even there? It might b...

mkx

For minimum ROS version you have to check this: /system/resource/print Sometimes it can be different than routerboot (I have a wAP ax with factory-firmware: 7.15.2 and factory-software: 7.15.1 ). Anyway, proper way for downgrading is to get list of installed packages (disabled as well) upload all co...

mkx

So what's the Influence of clientid in the defintion of DHCP leases? In principle modern DHCP servers (I can't say anything about tens of years old DHCP servers) assign leases according to client ID value ... which is provided by clients. Vast majority of clients indicate that CLient ID is MAC addr...

mkx

The problem is that on ports with 1003 vlan I cant get any traffic... accept if I add vlan as an interface to the bridge... then some how the traffic starts.. Config should allow switching between ports ether2, ether3 and ether4 without problems. The problem is probably communication to device(s) c...

mkx

It’s a shame they saved a few cents on this motherboard architecture. Quite often, even in cheap devices, the WAN port is connected directly to the SoC, but that’s not the case here. :( It's a feature: this way any of ports can be assigned any role and it's then done equally well. Which adds to ver...

mkx

The only issue I observe is the band steering from 2 to 5 and back that does not work very well and I would have liked to see some parameters I could tune myself. My experience goes that band steering works very well for some (mostly that's newer) stations and doesn't work for some (in particular H...

Search found 13821 matches