MikroTik

mkx

I use my ax3 with vlan filtering .......

... which is done by software/CPU, so no HW offloading. Hence no problems snd high CPU load (but still wirespeed).

mkx

Is ASIC the same as the switch chip?

For the sake of argument: yes.

mkx

About this setup, I do not regard it as bells and wissels. Objectively your setup is not very special indeed. But from the hurdles you're describing it seems you're not very well versed in ROS. So having multiple "independent" connections from a switch upstream, doing some routing, etc. ....

mkx

No I do not think a loop is possible. In my network there are multiple vlans. RSTP is unaware of VLANs. It's a protocol directly on ethernet and if two bridges/switches are connected using multiple links, even of they are trunks for distict VLANs, RSTP will detect a loop. I'd recommend you to simpl...

mkx

Try to connect actual PC directly to the management port. The way connections are shown on image they possibly make a loop ... if "pfSense & switches" allow that. And RSTP (enabled by default on ROS bridges) will break the loop by disabling one of links forming a loop, by default the s...

mkx

But in short: /interface/bridge is sbout swich-lije entity (called brudge), its ports including CPU-facing btidge port. And VLANs allowed accross those pirrs. /interface/vlan is about CPU ability to interact with tagged VLANs whichever CPU interface it might be, eithrr etherX inzetdsces, bridge, etc...

mkx

Another good tutorial which explains different bridge "personalities": viewtopic.php?t=173692

mkx

I suggest you to go through this tutorial about VLANing using ROS device: viewtopic.php?t=143620

It may clear some misconceptions you might have.

mkx

The config regarding ether1 is mighty weird ... it's added as port to the "grand" bridge, srt as access port of VLAN 88. Then you have br10 which is configured as tagged member of VLAN 10 of "grand bridge" but it's not even set as port of same bridge?? A side note: ROS can HW off...

mkx

'Controller Bridge and Port Extender', but it seems too late as the help pages seem to suggest this function has been removed from OS7.18. What's replaced it, if anything? Or is there another way of achieving the same? Nothing replaced it. The concept is a (very poor) approximation to switch stacki...

mkx

As you noted, frames are passed (switched) only between ports of same bridge. Having two bridges in same device is (from L2 perspective) the same as having two devices. But I wonder: if sole purpose of the second bridge is to give emergency management access via the sole bridge port (ether1), then y...

mkx

I believe this is due to L3HW being disabled across the board

Again: if enabling L3HW oflload will solve your issue, then your CRSes are not configured as switches.

mkx

I actually had previously been aware of the "INTL/US" products that are the non-locked, non-US devices (always wireless, since this is about FCC regulations) yet packaged with a US power adapter, but had forgotten about it. NEMA power plugs are used in countries other than USA and Canada ...

mkx

Received signal strength (-62dB) indicates that "interferer" is either "ordinary AP" physically placed very close to your hAP ax2 ... or a high-gain PtP link (probably operating at illegsl Tx power levels) with line betwern link peers going right through your hAP ax2. And either ...

mkx

Is there anything that would be causing this?

Nothing in logs, not even suspicious log-ins? A script which does something to leds?

mkx

/export terse CRS504.rsc

Please, don't use terse, my eyes hurt when reading terse output. Ordinary export will do just fine.

mkx

Switches should not experience any significant CPU load. As you see CPU pegged at 100%, this means your switches are misconfigured.

mkx

I didn't see anything obviously wrong ... but I don't know much about using multiple routing talbes, so I can't comment on that aspect of your confiugration. Checks done so far: When I ping PUBLIC_IP.67 from outside the network, with tcpdump on both machines (mine and the 10.190.0.12) ICMP is fine, ...

mkx

Post actual configuration, not a novel.

mkx

How could I recommend a router to anyone for enterprise use if it introduces unintended, undocumented behavior that can easily take hours to rule out? Well ... whether you intended it or not, you had feature called "detect internet" enabled. And based on feature name and using common sens...

mkx

But why?

Because wifi-qcom-ac drivers are missing some crucial functionalities ... which were missing also in wifi-qcom but were eventually implemented there. MT keeps acting deaf to our pleads to implement them in wifi-qcom-ac as well.

mkx

Manual says "... load balancing based on Layer2, Layer3 and Layer4 hashing". Not specifically for "dynamic" LAG, but I'd take that it applies to both LAG modes. So L3+L4 hash ...

mkx

chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN "We are dropping all non-dstnated IPv4 packets to protect direct attacks on the clients if the attacker knows the internal LAN network. Typically this rule would not be necessary since RAW filters...

mkx

You'll want to sniff beacons because most of interesting data is broadcast ... try to filter according to BSSIDs that belong to your WiFi network to reduce amount of chatter. Ony when your station decides to roam there will be some unicast exchange with old and new APs.

mkx

Typically rated power of a device is only used during certain periods of time, one being powering-up. The problem in your case might be just that: if PowerBox Pro enables PoE-out for both connected cameras (you said you'll connect 2) at the same time and they both hit the peak usage at the same time...

mkx

My ROS installations generally have 2 servers configured and up to 7.18.2 I never saw such error logged.

mkx

These are custom firewall rules ... the ones you don't even look at

I didn't even bother looking past these two rules ... make me think I'd be looking at some pretty butchered firewall setup.

mkx

PoE Max. Power Per Port 25W This gives you power budget for PowerBox Pro and all connected cameras. PowerBox Pro is specced at 6W max (it might have typical consuption a Watt or two less). So around 20W will remain for powering attached cameras. What is rated power consumption of those? And don't f...

mkx

"L3HW routing" would be fine as well :), but it can be confusing, I invented the "almost switching" just for having it in the order of speed: But it's confusing ... as @mbovenka wrote: routing is routing bexause it's L3 function. And switching is switching because it's L2 functi...

mkx

MAC telnet (application) works only with ethernet frames without VLAN tags (I suspect it's using ethertype 0x0800 IPv4(. So it can't be used off bridge which is trunk port, VLAN interface(s) are needed to strip/add VLAN tags.

mkx

The top two firewall filter rules: /ip firewall filter add action=passthrough chain=input dst-port=5246 in-interface=ether1 \ in-interface-list=WAN log=yes protocol=udp add action=passthrough chain=input dst-port=5247 in-interface=ether1 \ in-interface-list=WAN log=yes protocol=udp They explicitly a...

mkx

On the other hand CRS520-4XS-16XQ-RM ... switch with so powerful CPU that even beeing "a switch", the traffic throughput may satisfy datacenter needs. It might. But it would likely collide with expectations ... which usually are "wirespeed routing" and if routing on CRS520 is do...

mkx

How many NTP servers are configured in /system/ntp/client? I don't know if there's a limit in RouterOS's NTP implementation, but I don't think more than 3 quality servers are necessary (3 is kind of a minimum to form a meaningful quorum).

mkx

Well, the fact that logs are written by CAPsMAN (topic caps,info) indicates that firewall of your router is not effective. Default firewall setup would block attempts to connect to CAPsMAN through WAN port and CAPsMAN would not even see those attempts. If there were log entries about that, they woul...

mkx

Set dhcp client to bridge Plug ethernet cable from NVR in powerbox port 1 Just for the record: you have to connect NVR to port ether1 because it's the PoE-in port. With the outlined configuration, all the ports are equal regarding ethernet traffic (and hence IP traffic). E.g. DHCP client would be a...

mkx

3) VLAN routing is a handled by the bridge (and therefore a switching function). Switch doesn't do any routing ... and "VLAN routing" is either "routing" or "VLAN switching" (depending on the way you abuse phrase VLAN routing). If you're talking about the later, then s...

mkx

In short: any RouterOS device, which has more than a single IP address configured (used only for management), can eventually become a router. So a switch should never have more than one IP address configured, if configuring additional IP address solves a traffic problem, it means that switch became ...

mkx

Does this mean that there is no automated solution to download the required files (wifi-qcom-7.18.2-arm64.npk) to the CAPsMAN v2 device? Do I have to do it manually? And also before updating the CAPsMAN v2 device? No, there's no automated way of downloading additional packages to capsman device. I ...

mkx

Upload all the relevant packages (base routeros and necessary optional packages, such as wifi-qcom) for all relevant architectures (ARM, ARM64) to capsman device ... I recomend you to create a dedicated folder on flash storage). Then set package-path to the correct folder and set upgrade-policy to s...

mkx

Yes, radio stats are available on capsman ... but with wifi drivers amount of stats is small compared to wireless stats.

mkx

Mobile broadband networks (LTE, 5G) don't work the way you seem to think. There are two major modes: idle and active. When device is in idle mode, device can choose to "listen" to any cell it wants (but has to perform Tracking Area Update if it selects to listen to cell which is in differe...

mkx

Wireless bridge is the same as normal AP/station. And AP setting security.mode affects encryption. It's pretty easy to enable it ... set mode=dynamic-keys , authentication-types to e.g. "wpa2-psk" and set wpa2-pre-shared-key ... first on remote side of link (if managing over same link) and...

mkx

No special config, just static ip set, but can't reach them.

If this statement is about cube devices ... then they need at least default route set with UDM's address as gateway. Without this setting (and probably DNS settings as well) it's not possible to use built-in package upgrader ...

mkx

Try to set sfp-sfpplus1 port speed to 2.5Gbps and disable autonegotiation. But it could be you won't be able to make things work ... Mikrotik devices are notorious for poor support for SFP modules (including RJ45 ones) and it's best to get a module which is known to work well with your particular Mi...

mkx

I'm sorry, I don't follow the layout of your network. You may want to make a simple diagram of your network (router, PTMP link devices, wireguard) ...

mkx

Ideally you want to have "the middle" mANTbox configured as AP and the other two as station-bridge ... you'll have the least problems. Mind that AP doesn't have to be closest to router, it can be anywhere ... L2 traffic flows symmetrical over a WiFi connection, only L1 control is done by A...

mkx

Just to get things straight: ... download and deploy the latest available RouterOS. I believe it was 7.12.1 Actually the latest version marked as stale is the 7.18.2. If original ROS version on device was <= 7.11, then upgrader built in ROS will first upgrade to 7.12(.1) ... only upgrader in 7.12 wi...

mkx

If speedtest is fast, but nothing else is fast - your ISP is limiting you and setting an exception on speedtest :) Common practice in some areas You are reading my mind :-) They say they don't. Of course they are saying that. Does your local telecommunication regulatory agency (probably Bundesnetza...

mkx

You missed the point, there was no warnings before upgrade or i ever touched CPU freq on this fresh unpacked device , its the upgrade which changed freq or whatever it did and now complains about "it self" The upgrade didn´t change frequency. I can't say about this particular device, but ...

mkx

If you sniff the broadcast traffic, does src-mac-address tell you anything? Likewise src-IP-address?

mkx

This one:

/interface vlan
add comment=vlan32 interface=ether1 name=vlan32 vlan-id=32

It should be interface=bridge ... it took me 0 seconds (recognized it while reading config).

mkx

Is this normal behavior or bug? Good morning. Yes, since 7.17 one has to allow routerboard uder /system/device-mode to be able to change anything under /system/routerboard ... which includes CPU frequency. Before you join the choir: there were lenghty and loud complaints about extensive use of devi...

mkx

I understand about MSRP, my question was more oriented to the real market picture that I see I guess that "real market picture" depends both on MT's policy (do they drop their own device prices after a while or not) and your local distributors (do they tend to keep prices high "just ...

mkx

With old capsman, you have local-forwarding=no ... which means that all traffic for all CAPs' radios will be handled by CAPsMAN's cap interfaces and bridge. This mode of forwarding is not available in wave2 capsman. Instead all traffic will be handled by CAP's bridge. In order to transport traffic o...

mkx

RouterOS version 5.21 is hopelessly outdated.

You may want to upgrade to some more recent version. Which one would be optimal depends very much on model of your device. So which one is it?

mkx

How could I know if the device is locked to US wireless channels/power? Mikrotik adds a "-US" in product code. Example: product page of hAP ac² mentions US variant ... product code is not mentioned, but other sources know US variant by code RBD52G-5HacD2HnD-TC -US (as opposed to "sim...

mkx

Mikrotik never changes MSRP of a device ... not even when being discontinued. I have no idea what happens to real price (distributors paying to Mikrotik) and it's up to distributors to do something about it if they are left with warehouse full of obsolete devices. And your right is to choose between...

mkx

should I be worried that the power BOx Pro will try to power my PC and burn it? In theory all kinds of PoE perform (sometimes minimalistic) check if connected device is PoE compatible or not, and if connected device doesn't respond according to protocol, PoE switch won't provide power. But in pract...

mkx

Regarding access from management subnet to other subnets, you have these rules: /ip firewall filter add action=accept chain=forward comment="forward - established - accept" \ connection-state=established add action=accept chain=forward comment="forward - related - accept" \ conne...

mkx

PowerBox Pro has a decent switch chip built in which controls ether1-ether5. So those ports can be used as a switch without bothering CPU (if you need VLANs, you'll have to configure VLAN under /interface/ethernet, not under bridge). https://cdn.mikrotik.com/web-assets/product_files/RB960PGS-PB_1711...

mkx

I think the only "compact" Mikrotik router that supports multi-gig routing, is CCR2004-16G-2S+PC. The price is not that compact (but that's subjective depending on magnitude of one's cash flow).

mkx

When sourcing wireless devices from abroad, one has to be careful about devices intended for US market ... they are often locked to channels and power allowed in US. Even if powered by EU or UK external power adapters :wink: Devices sold elsewhere are "international" out from factory (but ...

mkx

I don't think that any of MT's switches can provide PoE to connected devices while being powered via PoE. All of switches require powering via power jack (if using external power adapters) to provide PoE due to required high power source.

mkx

I doubt it. The 7R (R stands for "reverse") model can be powered by multiple PoE sources and can provide PoE one powered device (connected to ether8). On top of it, it's passive PoE which is not really compatible with standard PoE.

mkx

My older 256MB devices have 6.40.5 (2017-10-31) as the default version

So it seems like there were multiple (at least two) batches of 256MB RAM hAP ac2 ... my device has factory firmware 6.42.3 (ROS changelog says it's release time was 2018-May-24 09:20).

mkx

...BUT I can't ping or get in to the cube60's from network? Why? do I have to make some vlan config on the cube's to get this working?

Which network? 192.168.1.0/24 ?

mkx

It will check if ingress port is member of VLAN that ingressing frame belongs to. As per your example: on ether1 if ingressing frame is tagged with VID=32, then it'll be accepted. If, OTOH, ingressing frame is tagged with e.g. VID=666, then it will be dropped (because ether1 is not set as member of...

mkx

The 256MB report themselves as "-TC" I have one 256MB unit and it identifies itself as model: RBD52G-5HacD2HnD (no -TC) ... that's in /system/routerboard and in output of /export ... is there any other location where device identifies itself? It does have -TC on device sticker though. I a...

mkx

Is there a reason why it starts from the highest and not the lowest (.2)? No, there's no actual reason. All addresses in DHCP pool are equal. Server could assign leases randomly ... but that would require more CPU resources (choosing a random number, verifying that address is not taken as per DHCP ...

mkx

"When ingresss-filtering=YES, port will actually look at VLAN ID of ingressing frame and will drop frames where VID is not one of port's VLANs (as configured under bridge/vlan)." What parameter exactly in the bridge/vlan config is checked to see if a frame can ingress? It will check if in...

mkx

You're trying to upgrade from which to which version? If version difference is minor, then what you're seeing might be due to some bug. If the difference between original and new ROS version (e.g. upgrade from v6 to v7), then it could be incompatibility of your particular configuration. You might wa...

mkx

As I wrote: when radio is controlled by capsman, then ROS on cap doesn't really know what's going on. In reality running monitor on such radio should just refuse to output anything.

mkx

Yes. Just add the ingress-filtering=yes and you're golden.

mkx

@Dangles: post (sanitized and anonymized) output of /export ... so we can see what exactly is configured.

mkx

Is there a way to make this work with static settings? Thank you for your help. Not likely. It could well be that ISP's router has settings which require it's downstream clients to acquire address via DHCP (yes, that's possible ... also on ROS devices). If you want to by-pass ISP's DNS servers, the...

mkx

Latest devices like hEXs have a custom password from factory, this should be normal for all devices. Yes, those devices are for kids, hence they come preconfigured with (safe and sane) defaults. CCR, on the other hand, is device for professionals ... who know better than rush down the wrong lane.

mkx

I don't remember how exactly those things are related in old capsman ... but there's always chance of seeing some setting in configuration export which is actually ignored/overriden ... so you should check output of monitor command, excuted on "controlling entity" ... that's capsman device...

mkx

Basically that's it for ether1, it would work. But using VLANs is also about segregation of traffic belonging to different VLANs and enforcing that connected devices stick to their designated VLANs. The big problem is ingress, egress is configured on bridge and connected devices can't do much about ...

mkx

Is my understanding correct?

Yes.

Of course you need corresponding config for ether1 under bridge/port and appropriate config of bridge port (but that's not subject of this topic, right?)

mkx

guest wlan is only on RB4011, so it should work also ? I'm pretty sure that either forwarding on RB4011 doesn't make any difference ... traffic will end up in wireless interface on RB4011 in any case. Regarding provisioning of radios on RB4011: legacy capsman gladly works with local radios just fin...

mkx

can i try it for one AP first ? Sure you can. ... and most of the wifi traffic goes through the AP of the rb4011 which is capsman ... does that still make a performance difference ? Yes. The most slowdown, caused by capsman-forwarding, is due to processing overhead of tunneling all traffic between ...

mkx

Alternatively, it may be possible to do this with hardware switch rules on the Hap AC2 ... No, switch chip in this case would not help. It only kicks in when passing traffic directly between two ethernet ports and that's what @OP doesn't want (as far he explained in opening post). Yes, it would be ...

mkx

Routerboard firmware (mostly) up-to-date? Does another reboot change anything? no idea how to check firmware. /system/routerboard/print If it shows upgrade-firmware and it's notably newer than current-firmware, then upgrade it. Since quite many versions ago, routerboard firmware is shipped together...

mkx

What's up with that?

Routerboard firmware (mostly) up-to-date? Does another reboot change anything?

mkx

However only if one first installs latest beta. So it doesn't help devices, running older ROS versions, already in the "doomed" state.

mkx

"bridge mode" means that ports are switched ... and thus members of same L2 broadcast domain. And in vast majority of cases this means single IP subnet.

mkx

The bridge port listing shows nothing which would concern me regarding switch over to local-forwarding=yes ...

mkx

I checked config of RB4011 and one of CAPs (bad). It seems that it should be possible to go with local-forwarding=yes setting. You do have added the cap-* interfaces to several interface lists, but it doesn't seem to me that you're then using those interface lists ... apart from using WLAN-any and W...

mkx

🤔 hmmm…. Untagged vlan 1 on edgeswitch port 1? Really sure about that? This is the trunk that goes through The cube 60 from downlink vlan 1 on udm…. No, I'm not sure about that, I'd be sure if I'd ever have to deal with edgeswitch myself. But based on my (limited) experience, I'd definitely try tha...

mkx

Just a quick answer to the question ... I'll review the configs later.

station-roaming is enabled by default. But, as I already explained: it's irrelevant for device running in AP mode ... and CAP device is running in AP mode.

mkx

Ubiquiti UDM PRO with native "default" vlan on port 3. (also made networks for vlan 500 and 1000) When (almost) any vendor says it's "native" VLAN ... this means that frames on wire side of port are untagged, but get tagged on ingress and untagged on egress, so on internal bridg...

mkx

Since ROS support for hardware is mediocre at best, it's better to go with CHR, running in a VM. Such setup does impose a slight performance hit. Debatable that it is "better" in 100% of cases, and so I'm very thankful that MT continues to offer the non-CHR version of ROS for x86/x64. Buy...

mkx

License levels 0-6 only apply to MT's own hardware and all of their hardware comes installed with license level at least 3 (most devices 5, some 4, some 6). Well this is of course not true. If you want to license a non-virtualized x86 install, those also get the older-style, non-transferable (bound...

mkx

And enable ingress-filtering on all the bridge ports (it's the default value in RouterOS 7). I'm on 7.18.2 and all my ingress filters are no. I think that flow control by default is disabled on most devices. RB951Ui-2HnD running ROS v6 has both Rx and Tx flow control disabled (and since setting is ...

mkx

I asked for full config ... capsman and wireless config is not enough to answer your question about going for local forwarding. station-roaming setting is only relevant if device is operating in station mode, your devices are operating in ap mode. radio-mac property in capsman is used to match a par...

mkx

Do you have single SSID per radio on CAP ... which is then made full member of LAN? If that's so, then it should be enough to simply change to "local-forwarding=yes". As you can see, I'm guessing a bit. If you can post full config from CAPsMAN and from one of CAP devices, we can check and ...

mkx

Are the wifiwave2 available for most devices? We have LHG 2, LHG5 and Sxt radios for clients.

wifi(wave2) drivers are available for all AX (and newer) devices. They are also available for ARM-based AC devices, but LHG2, LHG5 or SXT Lite5 are neither.

mkx

Given that RB5009 server starts with 192.168.88.1 if we assign the ISP router in diagram to do be on same segment meaning the isp router dhcp server also assigns rb5009 a address of 192.168.88.X in wan port will that solve the issue and then once we open the wan port for remote management we change...

mkx

It depends on how your "house" LAN is done. If it's "flat" LAN (i.e. only switches used, all devices use same IP subnet), then you don't have to change anything, wireless clients will still receive DHCP leases from central DHCP server, they will still use same gateway router, etc...

mkx

EDIT: By "ring topology" I ment the four switches connection (purple), not the whole thing going out. That would be true if the bottom two switches would not have any special configuration of "purple" ports. If those ports are configured as LACP bond, then those ports don't crea...

mkx

I'm curious if I enable ping watchdog, if that reboots the cAPs faster. My experience is that ping watchdog reboots device real fast ... when pings start to fail. Beware that it'll trip also when "reference" device becomes unavailable for some reason. The question remains whether pings wi...

mkx

Sorry to say this, but your responses were not helpful. Personally, I would have preferred no reply over the kind of answer I received. My redponse to @OP was to netinstall device. You later chimed in with claim that there's bug in flash handling in ROS (etc.) about which I expressed my doubts. Oth...

mkx

* If I disable hardware offload, ..... This result is reproducibly better than the same tests with hardware offload enabled! My guess is that on the RB750Gr3 not using the switch chip gives two 1Gbps links from the CPU to the ports (my tests are between ether2 and ether3), why with hardware offload...

mkx

local-forwarding = no This one is killing (at least some if not lots of) performance, that's known since ages. If you don't have a great use case for having it disabled, then don't disable it. And a question: you're only mentioning single device (RB4011) ... if that's "the whole truth", t...

mkx

But the most "juicy" part (redundant connections between 4 switches) won't work this way (as far as I imagine it correctly - if someone knows something more I would be glad to hear and educate myself :) ). You've got a logical ring topology ... No, connections are not forming a ring. Each...

mkx

Do you perhaps have logging action (defined in /system/logging) that writes logs to disk - to that particular file? Do you perhaps have firewall filter rule (could have action=accept) with log=yes configured? I'm not familiar with routing protocols setup, but configuration of those might also includ...

mkx

We have a SW issue for sure here. As I explained, and output of your files confirms it, that the remaining (which is 0) of flash is mounted under flash/ ... and if you create any file to root (i.e. not under flash/), that file is in RAM disk. And RAM disk does get wiped at reboot (or power off). An...

mkx

[ babling ]

mkx

I know that I could script something, but that would introduce a variable time delay, and I was hoping to have a consistently accurate time source. Does MC7750 provide and does ROS facilitate PPS? If not and only NMEA telegrams are available, then there's already variability in timing information ....

mkx

That make sense, given they've long implemented the now ratified RFC-9759

In my own timezone, your post was too late for April fools' day (posted on 2nd of April at 3am DST) ... but I appreciate it anyway.

mkx

... just to change de cpu speed, i need to visit all the country for do that.

Consider yourself lucky. France is not so big. Imagine @anav visiting e.g. Whitehorse suburbs to change cpu speed

mkx

/caps-man datapath add name=guestpath vlan-id=30 Since new CAPsMAN can only do "local forwarding", you may want to configure also legacy CSPsMAN in same manner. I don't know what's default setting, but my (old) export has explicit setting local-forwarding=yes . The config is also missing ...

mkx

IIRC there was routerboot change sometime around 6.48, which was (later?) required for proper support of newer kernel, present in v7. Where exactly is this stated or documented? I don't remember and I'm not going to search it now. I seem to remember it was in some forum discussion. And I wouldn't b...

mkx

Beta7 still does not fix fast track for me on my CCR2116. It apparently works for many other users (or else there would be a massive outrage going on). It works for me on 7.18 (and .1 and .2). So it must be something in your particular config. And I'm sure you're aware that fasttrack is only enable...

mkx

If you're telling us you're trying to use Mikrotik SFPONU module ... then it's officially discontinued. Do you expect to support their discontinued product in conjunction with their newest products from every vendor? If you purchased the SFPONU recently, then return it to seller ... because they sol...

mkx

I'm sure you're aware that both CAPsMAN instances are completely unrelated even if running on same device. Meaning that /caps-man/datapath settings have nothing to do with /interface/wifi/datapath settings. If you want both families of CAPs to behave similarly, then you have to replicate all setting...

mkx

CCMP in wifi should be identical to AES CCM on wireless. But there are other things which might upset your S2, e.g. FT ... if I'm not much mistaken, FT is only available for WPA2 and WPA3, but not for old WPA. So do check that FT tab and try to disable it if it's enabled. Generally it seems that som...

mkx

But when I enable these services it also allows the ports to be reachable from my WAN. How do you test reachability from WAN? As @panisk0 wrote: ports are open, connections are only sanctioned after initial TCP handshake is done and first service request is sent to the server. And online port check...

mkx

Just a short nag: discussion in this thread so far proves that @OP really should get acquainted with ROS before attempting remote configuration of ROS router. ROS has quite a few (quite well known) defaults and if @OP tried to get acquainted with a device, he would likely get to know them. Getting a...

mkx

I personally have never seen mismatched RouterOS and RouterBOOT cause the symptoms described (how strange would that be, especially given that you have to upgrade RouterOS first before you can upgrade RouterBOOT, so logically there has to be AT LEAST one time that a successful boot occurs with a mi...

mkx

I had to manually specify the network under DHCP -> Networks - I assumed that specifying it in IP -> Addresses was enough. In ROS, settings in /ip/dhcp-server are independent from settings in /ip/address ... and your netmask (/8 a.k.a. 255.0.0.0) is default for subnet addresses used (10.0.0.0 is tr...

mkx

Access via WebFig remains, but I changed port to another one. So far no bruteforce attempts as per logs ... I wish to keep connection to it. So far uses SSH connection via unusual port. Using non-standard ports is not protection ... a lot of port scanning is going on and somebody will discover the ...

mkx

I think (it could have changed in very recent ROS versions) that when manually configuring wifi interfaces (as opposed to using CAPsMAN), they have to be made btidge ports manually as well.

mkx

If it would be saved on RAM the files would be gone when the system reboots. But they survived "hard" power off (removing power cable as I can not shutdown/reboot the system anymore)

I have hard time believing the above sentence.

mkx

Is there any solution for that? ONU is alive because it is getting power from MT router through SFP/SFP+ port. But as you deducted by yourself, support in ROS is missing. There's no immediate solution to that, the path towards solution is to open ticket with support (e.g. via e-mail address support...

mkx

@mkx, Skift is avoiding potential ax3 problems by having ax2. :-) Ah ... while writing reply I've had in mind that @skift mentioned hAP axN ... but wasn't sure whether N was 2 or 3. And didn't bother to check. My fault. The recommendation to upgrade CAP devices to recent ROS v7 is still standing bu...

mkx

thanks :) ill look into those. ya upgrading to 7.16.2 or higher ya definitely planning on doing that. honestly i didn't know the routerboard file could be upgraded so ill look into that for sure! If it's telling you that "upgrade firmware" is available, then it's possible to upgrade it .....

mkx

Not really sure, but I also believe that whatever signal is processed then that is the lowest commen denominator. AKA if our processing B, then all other connections after will connect at B speeds only, but not sure. Nope. Each station can have it's own processing (one B, one AX, at "near"...

mkx

Hi, I'm at a friend's house trying to setup his hap ax2 units as aps (6 of them). The setup he has now is rb2011 with a router switch configured as a switch only and the aps to be connected to it. I'm trying to set caps but they do not show on the CAPsMAN (configured on the rb2011). I'm thinking th...

mkx

If you see I have been able to remote access the ISP router page at house1 under CGNAT this arrangement I did myself as DIY, that too remotely I didn't have any access to remote lan. What others tried to pass to you is that ROS does have quite a bit steeper learning curve than most of other vendors...

mkx

looking at /system/routerBOARD it displays factory frmware: 6.45.9 current firmware: 6.45.9 upgrade firmware 7.16 The routerboot firmware is pretty ancient. I'd run command /system/routerboard/upgrade followed by reboot. I'd also upgrade to 7.16.2 (if you want to remain at 7.16.*), it contains a fe...

mkx

Set up logging to disk (default logs to RAM only) to see if there's something in logs after they survive reboot.
Is routerboot firmware (under /system/routerboard) at same version as your ROS? If not, upgrade it.

mkx

[admin@KK_Home_Router_4] > /file/print # NAME TYPE SIZE LAST-MODIFIED 0 pre-netinstall.backup backup 286.8KiB 2025-03-30 18:18:31 1 router4.backup backup 286.8KiB 2025-03-30 18:16:45 2 router4.rsc script 51.9KiB 2025-03-30 18:16:45 3 flash disk 2025-03-30 15:24:17 4 flash/pub directory 2019-04-22 1...

mkx

ROS 32bit vs 64bit? In x86 world, in typical desktop configuration system running x86-64 consumes around 30% more memory than similarly used i686/x86 system. But this is more or less statistical average, in particular use case (e.g. ROS v7) difference could be larger or smaller. However due to how ...

mkx

It is possible to install the old drivers on this device?

No. Legacy wireless package lacks support for AX hardware.

Actually it is possible to install that package but it would only provide support for running legacy CAPsMAN without support for local radio(s).

mkx

The PVID in the wifi bridge ports is mandatory btw. I hope that doesn´t cause any problems. PVID might be mandatory but it's customary not to set it explicitly on trunk (tagged-only) bridge ports ... and to set frame-types=allow-only-vlan-tagged on those ports. The end result is that PVID is set to...

mkx

@mkx -- the results are in my original post : the slaves (wifi3 and wifi4) are dynamic and have PID=1

If they are, they are hidden from me. I'm asking about output of /interface/bridge/vlan/print ... while I can see output of /interface/bridge/port/print in your initial post.

mkx

BUT fails to assign the slave interfaces to the configured VLANs : /interface/bridge/port print Can you check also output of /interface/bridge/vlan/print on wAP ax? Setting PVID to value of vlan-id by CAPsMAN on CAP wifi interface is superfluous as wifi-qcom driver sctually does the VLAN tagging. O...

mkx

New wifi drivers for AX (and select AC) have a few differences compared to legacy wireless drivers: AP-bridge mode is merged into AP mode they only support protocol=802.11 ... no more support for (proprietary) nstreme or nv2 station-bridge mode in wifi is not compatible with station-bridge in wirele...

mkx

We really need a topic "ROS Best Practice, Guidelines, Folklore, Myths, FUD, Dogma, and Lies"

It'd be (another) flame war. Something could be a myth or FUD for some and good practice for others. Example is recent discussion about explicit use of VLAN ID 1.

mkx

You should not set PVID in wifi bridge ports since you've configured them to handle VLAN tags by wifi driver. Also you shoild add wifi interfaced as tagged members of respective VLANs. Bridge_Trusted intertace doesn't have to be member of LAN interface list ... rather all the VLAN interfaces have to...

mkx

RB2011UiAS-Rm is a very old router that can route at around 250Mbps with moderately complex configuration. Your description of config makes it pretty complex so performance is likely even lower. And there's nothing much to be done about it, you're simply using an old family sedan on a WRC track. Whe...

mkx

Once I tried to do it this way on my hAP ac2 ... but ended up with a bunch of bridges (one per VLAN used by radios), it was ugly (to put it mildly). How did you make interfaces in different bridges communicate between each other? Wouldn't creating a separate bridge create an isolated L2 domain? Let...

mkx

I don't think that 16MB of storage on LMP 5G is that critical. Since it hasn't got wifi, ROS installation is imediatelly around 2.5MB slimmer. And with "only" 256MB RAM iz's also not prime candidate for running containers ... I hope. The above is also true for CRS309 though. So that 32MB-f...

mkx

For anyone who reads this post and is looking to do something similar. There is a nice blog entry from linitx explaining the options and a new feature in 7.17. https://blog.linitx.com/mikrotik-vlan-aware-pppoe-server-routeros-7-17/ be aware this is old style config ("new" bridge vlan filt...

mkx

Interesting, this is not indicated on the product page (yet?). They might want to wait for old stock at distributors to drain before announcing larger flash ... to avoid complaints from people receiving devices with smaller flash. Nobody (except you ;-) ) complains about getting more than expected ...

mkx

You can use some cheap Routerboard device and achive ISP-provided speeds. A hAP ax2 would do it (you can disable wifi interfaces if you don't want/need wireless). And use CRS as a switch (which it is).

mkx

So basically: on a 0815 CAP traffic usually enters on ether1, goes straight via CPU to wifi interfaces - and back. There is no switch offload possible anyway, right? Right. May be a different case, when someone connects something on ether2 on a "cap ac" and does vlaning. In such a case, d...

mkx

In the WIFI docs for VLAN + CAP using "wifi-qcom-ac" package they use the bridge method. And I am asking myself if it could improve or make sense to additionally configure VLANs on "/interface ethernet switch" as well? Or is this unnecessary as wifi interfaces traffic go through...

mkx

a firewall rule in forward chain droping invalid traffic can help ? src-nat is executed after firewall filter ... so dropping invalid traffic with firewall filter rules won't work. Raw filters only have "prerouting" and "output" chains, but something in "postrouting" w...

mkx

Good, it sounds like we’ve learned something about Spectrum. 1. Should I be getting an IPv6 address on my client? All of the forum posts I've read left out requesting an address and just requested a client. And I don't know why, none of them explained. Do you mean “request an IPv6 address for inter...

mkx

... is there any way to make it drop the first packet too? No, not with L7 filters ... the way they work is they are collecting payload (up to configured size) but they are passing packets forth and back. When filter collects enough payload, it evaluates the regexp and breaks connection if filter t...

mkx

Your PPPoE clinets are in different IP subnet than DLNA server, so traffic between those is routed. DLNA discovery (and announcement) uses multicast. Which is not routed without enabling (and configuring) some helpers (PIM, IGMP). I'm guessing: IGMP has to be configured on PPPoE client side as well ...

mkx

In principle you don't want to set bridge port as tagged member of a VLAN if you don't intend CPU to interact with that VLAN over that bridge. [...] So I'm eager to hear use case for such setup. Huh? That's just not true. .... Let's take a very simple example: a guest WiFi network in a small office...

mkx

Depending on amount of other tasks that hAP ac2 has to perform, loosing bridge HW offload may not cause loss of wirespeed (on wired ports). Quite a while ago (I guess it was in 6.47 times) I did some tests and found out that hAP ac2 was able to bridge two ethernet ports at wirespeed with HW offload ...

mkx

So it works as expected and is maxing out your 1Gbps link as the CrystalDiskMark is represented in MB/s vs Mbps which is a good thing ... and it's a black magic (pun intended) as to why it only works at half speed when SMB client is MAC device. Personally I wouldn't consider 50MB/s (give or take) &...

mkx

What I take this changelog entry to mean is, on 7.16 or newer, if you create an /interface/vlan interface with a bridge as the parent interface, it will simply also add your bridge as a tagged member under /interface/bridge/vlan of whatever VLAN-ID you set in your vlanX interface. Sounds like a nic...

mkx

I've got CAPsMAN running in x86_64 hardware. Here, I've got 4 cAP ax devices connected. It's currently in 7.12.1 environment. In CAPsMAN, I've got 3 packages installed. 1. routeros 2. user-manager 3. wifiwave2 When I click "Download&Install" button, I get below error. wifi-qcom-ac-7.1...

mkx

Since 7.16 we have this: *) bridge - added dynamic tagged entry when VLAN interface is created on vlan-filtering bridge; That removes the risk of forgetting to add the bridge CPU port to the "tagged" list of VLANs (which in older versions means no L3 access to the router through those VLA...

mkx

is capsman known to interfere with bridges/vlans? If that's a problem I'm happy to remove it. It's not. WiFi only attaches to bridge (on CAP device), when it comes to VLANs there might be a complication if CAP is running wifi-qcom -ac driver. Running CAPsMAN definitely doesn't affect the way wired ...

mkx

Presence of LTE modem has nothing to do with WiFi Tx power. But I'll be damned: I went to check reg-info for Australia on different wifi devices, all running ROS 7.18.2. As I already mentioned, on Audience regulatory limit is set at 20dBm. But when checking on wAP ax I was mighty surprised, there re...

mkx

Any reason to choose 1 over the other?

If nothing else helps, ask your personal numerologist

List of features of used switch chips is more or less the same, so it really is the dilemma between 8 extra ports and 8 PoE++ ports.

mkx

Do not forget that WiFi is a two-way protocol, so actual speed also depends on client device's capabilities ... Indeed. Device's Tx power can limit upload speeds, but I guess this is not a huge issue (until the asymmetry is not too big) because most wireless stations use data in asymmetrical manner...

mkx

Actual transmitted power depends on: chipset capability (e.g. hAP ax lite can do up to 22dBm, but it gets reduced with higher interface speeds - more complex modulation schemes require tighter power control and seems that most WiFi chips are not capable of doing it at highest Tx power, hence Tx powe...

mkx

I am very interested to understand why we use the term "personality." You can call them "functionality" if you wish. But, as already mentioned, term "bridge" is overloaded with (actually) 3 distinct features with only vague connection (but they are strongly connected)....

mkx

On my Audience, running 7.18.2, country regulatory limit for 2.4GHz band (which is all what hAP ax lite has) for Australia is the same as for Italy (and the rest of ETSI countries) ... which is 20dBm EIRP. Alas, Brazil has limit at 30dBm ... making Copacabana my place of choice for 2.4GHz band.

mkx

As a bonus, many of them do not differentiate vlan 1 tagged and untagged traffic correctly. Something like this: /interface/bridge add name=bridge vlan-filtering=yes frame-types=admit-all pvid=1 /interface/bridge/port add bridge=bridge interface=ether1 frame-types=admit-all pvid=1 add bridge=bridge...

mkx

1) ADD BRIDGE: "/interface/bridge add" creates a bridge with one or two roles (sometimes the word used is "personality"): (1) Switch-like and/or (2) bridge-between-CPU-and-switch (understood as #2 role when property includes "interface," "tagged," or "un...

mkx

But, if the (wireless or wired) smartTVs are on VLAN10, and wifi users are on VLAN20, then am I right that for those users to use an app on their smartphones then (1) inter-vlan routing is necessary, and (2) this inter-vlan routing must take place on the RB5009? Same question for printers. Routers ...

mkx

Perhaps someone from Mikrotik can comment on this officially?

Only if you open support ticket with Mikrotik ... e.g. by sending e-mail to support@mikrotik.com .

mkx

It's not quite correct, the second rule should be:

Right. Thanks for correcting me.

mkx

Agree with @sindy that point #1 might not be critical. But makes me think: is it possible that L7 matcher keeps collecting packets before breaking connection long enough for (web) server to log request from client ... but connection gets broken before the whole L7 interaction is finished? I'd guess ...

mkx

Though that did make me look again, and I'm going to take out these rules Blocking the whole of ICMP can cause troubles (like breaking PMTUD) ... ICMP is much more than "echo request" and "echo reply". And blocking "echo request" is "security through obscurity&quo...

mkx

Regarding the package file size on 16MB devices. Is there a current 'best practice' for this? I havn't actually had a significant problem until now but I could not load wifiwave2 drivers on any 16MB devices with latest firmware. Would start by uninstalling Wireless, but there's just not enough spac...

mkx

There are at least two reasons for L7 filters not to work as expected: filters only work on individual packets. If the matcher string is (inconveniently) broken into two successive packets, then matcher won't match that. It is unlikely that URL would exceed normal value of MTU (which is at or almost...

mkx

/ip firewall filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed" The idea is to drop all packets, which represent a new connection, in chain=forward, surviving rules so far, except f...

mkx

Per vlan you should have the bridge tagged as well I'm a bit confused on that part as I'm not quite sure what you mean. More direction would be greatly appreciated. In ROS bridge has multiple (more or less distinct) functions, one is CPU-facing bridge port and you have to configure it properly to a...

mkx

I've noticed majority of his devices are older and only use 2.4ghz :( He's getting around -60dBm to -70dBm . The basic idea of a "well performing WiFi repeater" is to use separate radios for serving local clients and for linking to upstream AP. It's easiest to run those radios in differen...

mkx

Imagine having a single button called “Check for updates” that would do all that for you. Crazy, huh? yes, indeed! A single button that checks for updates and lets you choose which version you wish you upgrade to would be super fab! Imagine that it already exists! With a gotcha: it doesn't read you...

mkx

wAP ac or wAP ax might in your case work a bit better because of mild directivity of built-in antennas. But that won't do miracles. In any case, go to your neighbours and measure signal if your current AP at the spot where you'd place the WiFi repeater. Whatever you'll see, it'll be the base line an...

mkx

They're about 250 feet away with minimal obstructions between our properties. This is very far (even without any obstructions in between) for usual APs with omnidirectional antennas, intended to cover full circke around APs with radius of around 10m/30ft. You want to build point-to-point (PtP) link...

mkx

Let a router be a router, let an access point be an access point.

Don't tell me ... you'd also add "let a NAS be a NAS, let a switch be a switch"?

mkx

and my current setup is hotspot with ttl 1 so no one can share the wifi from thier phone...or tether.. my problem is i have a extra access point and setup to repeater through wireless mode. while i repeat the signal through wifi the repeater device cant provide internet cuz of the ttl set to 1. so ...

mkx

I am still hoping that someone from Mikrotik will chime in here and state that none of that is necessary and that the Netmetal is indeed designed to be weatherproof with the HGO antennas attached to the top. Even if they do it ... there are number of reports about problems with water ingress in ano...

mkx

I was not suspecting it could have such an influence on other ports and other settings. The chain of dependencies goes like this: L3MTU has to be lower than L2MTU with maximum possible size (L2MTU - additional L2 overhead). With plain ethernet, there's no additional L2 overhead and with standard IP...

mkx

Is it possible to set IP address instead of FQDN in remote property? The problem could be that logging is set-up before interfaces are enabled and thus resolving FQDN fails ... and that router doesn't re-try resolving it until configuration is re-done. BTW, it might help if you simply disabled/enabl...

mkx

I started it to (1) vent and (2) beg for help due to the massive cognitive-pain being caused by VLANs. You're asking questions ... and there are two ways of answering, each appropriate to two distinct goals of asking those questions: simple "yes" or "no" or perhaps a simple &quo...

mkx

I'm not sure about what you mean by "different switching capability"? If you look at test results (Switching -> Non blocking Layer 2 throughput) you can see that both devices do wire-speed switching except for small frames (64-byte) where they peak at certain rate of packets (PPS). AFAIK s...

mkx

But is the Netmetal okay using HGO antennas screwed to the SMA connectors at the top with the device located outdoors? Even if connectors on netmetal itself won't leak water into the case, I'd be wary of connector corrosion as well. And water ingress into connectors themselves. For long-term optima...

mkx

Also as an aside, there is absolutely no reason to set the MTU of your VLANs to 1496. Don't do that, either. The L2MTU of the ethernet interfaces can more than handle the additional 4 bytes for the VLAN tag / ethertype prefixed to each tagged frame. I am pretty sure, I did not manually set those MT...

mkx

Wi-Fi 7 (It says Quad-Band. Personally, no clue what that means) If one runs radio in, e.g. 80+80MHz (with frequency and slave-frequency properties properly set), then this counts as two bands. In 3GPP (mobile broadband, such as 4G or 5G, calls this "non-contiguous multi-carrier intra band CA)...

mkx

For this topic, where VLAN Filtering is the goal, Fast Forward's status is irrelevant, it would be inactive anyway. When omitted from /interface bridge the fast-forward value defaults to yes so adding fast-forward=no is at least prudent and sometimes necessary. As written in manual, for fast-forwar...

mkx

I think that for outdoor use it's recommended to use antennas with (short) jumper cables, which should be pretty flexible ... and use netmetal's cap again. Like this: https://www.linkshop.gr/images/thumbnails/460/460/detailed/3/MikroTik_Routerboard_NetMetal_5-5HPacD-NM-2.jpg (the blue wires on pictu...

mkx

In /ip/dhcp-server/network the address property should be set to network address and subnet mask. You're using 192.168.1.0/24 ... The point of this setting is to match DHCP lease address and add corresponding additional settings ... and is used when there are multiple subnets (or DHCP address pools)...

mkx

Is it possible that devices got slightly rotated on their mounting supports? E.g. wood swells/shrinks if humidity changes for longer period of time (during winter with low temperatures absolute humidity is low and wood dries). Or strong wind can move device, clamped to a pole .. either due to sheer ...

mkx

If CRS will be used as purely L2 device (VLAN-enabled switch), then SwOS is perfectly fine (if it runs without any problems that is). If you want to use any of L3 features, then you have to run ROS on it. Performance-wise, if configuration under ROS is correct, OS choice should not matter, in both c...

mkx

As soon as I select the CRS the ROS file is removed.

This sounds as mismatch in device architecture (the one reported by device to netinstall and the one of the npk file). CRS317-1G-16S+ is arm (the 32-bit one, not arm64).

mkx

Trying with another words: "/interface bridge vlan" defines egress (leaving) behavior ... what tagged= and untagged= means Ethernet frames, transmitted by (e.g.) RJ45 port over UTP cable, have certain structure. First come some low-level bits, then comes header, then comes payload and fram...

mkx

Generally IPv4 and IPv6 have independent paths across the globe. So sometimes paths will be same, sometimes one of them will be longer than the other. I don't think there's a systematic difference though. Regarding ping times: first of all, they are only indicative as devices usually process ICMP pa...

mkx

Owning a private vehicle, let along driving one, is a capital offense in NYC.

It sure is capital offense ... since NYC is capital of republic of NY ... ummm, what? No republic of NY and NYC is not a capital of anything? In what weird place do you live?

Search found 14267 matches