Community discussions

Search found 13646 matches

by mkx
Sun Jan 26, 2025 11:44 am
Forum: SwOS
Topic: Packet loss on mirror port on CRS326-24G-2S+ Rev. 2
Replies: 1
Views: 197

Re: Packet loss on mirror port on CRS326-24G-2S+ Rev. 2

I have no experience with Securityonion, so I'm just speculating here ... Are you sure that the mini PC is able to process in real time whatever software requires? Unlike actual HTTP/FTP/etc protocol between client and server, where any of parties can slow down the transfer, your "sniffer"...
by mkx
Sun Jan 26, 2025 11:26 am
Forum: Wireless Networking
Topic: Dual-band wireless repeater
Replies: 1
Views: 104

Re: Dual-band wireless repeater

This is a feasible way of doing it. As to wifi radio modes ... it's up to you, constraints are: both AP and station have to run same generation of drivers (wifi or wireless), mixed drivers are not compatible in station-bridge mode. Since each device can only run one generation of drivers, in case dep...
by mkx
Sat Jan 25, 2025 7:43 pm
Forum: Wireless Networking
Topic: Best Way to Wireless Bridge 1st and 3rd Floor in an old apartment building (Thick Floors/Walls)
Replies: 10
Views: 1359

Re: Best Way to Wireless Bridge 1st and 3rd Floor in an old apartment building (Thick Floors/Walls)

So does that mean there’s basically no difference in this particular scenario between using a wAP ax or the MikroTik Wireless Wire with 60 GHz? If you're thinking about going through concrete floors/ceilings, then lower frequency is likely to fare better ... and IMO 60GHz is guaranteed to go nowher...
by mkx
Sat Jan 25, 2025 7:38 pm
Forum: General
Topic: speed problem with Mikrotik Hex model RB750Gr3
Replies: 24
Views: 862

Re: speed problem with Mikrotik Hex model RB750Gr3

@MKX for the version 7 ECMP it uses L3 hash policy as depicted below. Can you explain these further?? I don't have any experience or knowledge of ECMP. The terms you're asking about sound similar to some terms from (L2) bonding (which I believe I understand well enough), but I've no idea whether th...
by mkx
Sat Jan 25, 2025 7:18 pm
Forum: Wireless Networking
Topic: Best Way to Wireless Bridge 1st and 3rd Floor in an old apartment building (Thick Floors/Walls)
Replies: 10
Views: 1359

Re: Best Way to Wireless Bridge 1st and 3rd Floor in an old apartment building (Thick Floors/Walls)

How about using a pair of PLC devices? MT doesn't have any contemporary offering, but there are other vendors offering it.

If there happens to be a (neglected) coaxial cable available, you could use a pair of MoCA devices (usually works way better than PLC ... again no MT offering).
by mkx
Sat Jan 25, 2025 7:07 pm
Forum: Wireless Networking
Topic: Best Way to Wireless Bridge 1st and 3rd Floor in an old apartment building (Thick Floors/Walls)
Replies: 10
Views: 1359

Re: Best Way to Wireless Bridge 1st and 3rd Floor in an old apartment building (Thick Floors/Walls)

And if you, despite advice by @sid5632, decide to beam data up ... you might have more success by using reflection from neighbouring building than through two concrete floors/ceilings ... if neighbouring building has large vertical surface facing towards "your" building and is not too far ...
by mkx
Sat Jan 25, 2025 6:50 pm
Forum: General
Topic: Best way to disable IPv6 advertisement only to specific clients? [SOLVED]
Replies: 13
Views: 603

Re: Best way to disable IPv6 advertisement only to specific clients? [SOLVED]

Wanted to transition to (dual-stack) default IPv6 everywhere to check if there are any bugs in the long run. Perhaps it will give you a bit of incentive in this direction: I've been using IPv6 at home for almost 10 years and I've had no problems with it, all devices I use work with IPv6 just fine. ...
by mkx
Sat Jan 25, 2025 4:17 pm
Forum: General
Topic: Best way to disable IPv6 advertisement only to specific clients? [SOLVED]
Replies: 13
Views: 603

Re: Best way to disable IPv6 advertisement only to specific clients? [SOLVED]

OK, so it's not possible to block RAs towards individual devices. But it is possible to block all IPv6 frames from individual devices using switch ACL. Drawback is that device in question will see RAs, it will configure self with GUA (based on SLAAC) but won't be able to use it. Which can cause a sl...
by mkx
Sat Jan 25, 2025 4:08 pm
Forum: General
Topic: speed problem with Mikrotik Hex model RB750Gr3
Replies: 24
Views: 862

Re: speed problem with Mikrotik Hex model RB750Gr3

with Fasttrack you can get Full Speed with the 750GR3
and with 7.18beta this is also working with IPv6

In some use cases fasttrack can't be used. E.g. in case by @OP.
by mkx
Sat Jan 25, 2025 2:48 pm
Forum: General
Topic: speed problem with Mikrotik Hex model RB750Gr3
Replies: 24
Views: 862

Re: speed problem with Mikrotik Hex model RB750Gr3

I was just looking at the hap lite tc test specifications. Its speed is very close to hex. It's really stupid. Hex has a 2-core, 2-thread processor, but hap lite has a single core with a low frequency! They are different architectures and hAP lite just might be using CPU which does more per core sn...
by mkx
Sat Jan 25, 2025 2:46 pm
Forum: General
Topic: speed problem with Mikrotik Hex model RB750Gr3
Replies: 24
Views: 862

Re: speed problem with Mikrotik Hex model RB750Gr3

No, not when device is running ROS. You'll simply have to accept that ROS is not the most performing OS on many of supported devices.
by mkx
Sat Jan 25, 2025 2:22 pm
Forum: Wireless Networking
Topic: Bonding 2.4G and 5G Wifi together for backhaul creation
Replies: 3
Views: 201

Re: Bonding 2.4G and 5G Wifi together for backhaul creation

Not sure why would EoIP be required? WiFi interfaces are L2 interfaces already, couldn't they be directly used as bond members? The only gotcha I can think of is link-monitoring setting, in this case it would probably have to be "arp" instead of "mii". Since such bonding will be...
by mkx
Sat Jan 25, 2025 2:13 pm
Forum: Beginner Basics
Topic: Setting crs304-4xg-in as layer 2 switch
Replies: 14
Views: 697

Re: Setting crs304-4xg-in as layer 2 switch

Your previous switch was 1Gbps (if I understand your opening post right) and your CRS304 is 10Gbps. Which is a huge difference when it comes to UTP cable. Even though you're using a cat7 cable (indicated on your chart), it might be of low quality, it might be improperly terminated, it might be (slig...
by mkx
Sat Jan 25, 2025 2:04 pm
Forum: Beginner Basics
Topic: Extending my CAPsMAN network wirelessly
Replies: 2
Views: 138

Re: Extending my CAPsMAN network wirelessly

You want to have a dual-band device as AP with wireless backhaul. Having both stations and backhaul on same radio creates major performance bottleneck (each frame gets transmitted over same radio twice, together with all the wireless overhead which increases with multiple devices trying to use airti...
by mkx
Sat Jan 25, 2025 12:56 pm
Forum: General
Topic: Best way to disable IPv6 advertisement only to specific clients? [SOLVED]
Replies: 13
Views: 603

Re: Best way to disable IPv6 advertisement only to specific clients? [SOLVED]

Which particular model of router are you using? Not all models can do switch rules (even if the config subtree exists).
by mkx
Sat Jan 25, 2025 12:30 pm
Forum: RouterBOARD hardware
Topic: CRS310-8G-2S-N All ports dead
Replies: 8
Views: 760

Re: CRS310-8G-2S-N All ports dead

There are many possible reasons for device to misbehave. Unfortunately one of them is (invisible) configuration corruption which is also saved in binary backup. If such backup is restored on (newly installed) device, corrupt setup is back in place and waiting to screw things. So if the problem will ...
by mkx
Sat Jan 25, 2025 12:08 pm
Forum: General
Topic: speed problem with Mikrotik Hex model RB750Gr3
Replies: 24
Views: 862

Re: speed problem with Mikrotik Hex model RB750Gr3

CPU in hEX Gr3 is not exactly speed monster. It's got 2 CPU cores (with 4 threads altogether but I don't know how ROS utilizes that). And the gotcha: all packets of same connection are handled by same CPU core/thread (processing may move between cores, but there's no parallel processing). And window...
by mkx
Fri Jan 24, 2025 9:42 pm
Forum: General
Topic: Unable to Downgrade RouterOS from 7.18beta2 to 7.16.2 on hAP ax3 ARM 64 [SOLVED]
Replies: 10
Views: 466

Re: Unable to Downgrade RouterOS from 7.18beta2 to 7.16.2 on hAP ax3 ARM 64 [SOLVED]

It could be the new 'security' feature introduced in 7.17 - /system device-mode has been changed. By default install-any-version is set to no which prevents installation of anything with a lesser version than listed in allowed-versions ... Right, but default setting for allowed-versions is 7.13+ .....
by mkx
Fri Jan 24, 2025 9:26 pm
Forum: Wireless Networking
Topic: CAPSMAN access lists [SOLVED]
Replies: 3
Views: 231

Re: CAPSMAN access lists [SOLVED]

I didn't try ... but how about /interface/wifi/access-list on CAPsMAN device?
by mkx
Fri Jan 24, 2025 9:19 pm
Forum: General
Topic: Best way to disable IPv6 advertisement only to specific clients? [SOLVED]
Replies: 13
Views: 603

Re: Best way to disable IPv6 advertisement only to specific clients? [SOLVED]

You can't block advertisements to some clients at the source, being multicast they are sent to all devices within a layer2 network Just to double-check, is it possible to block on L2 level via /interface ethernet switch rule, or multicast cannot be blocked per client (per MAC) even there? It might b...
by mkx
Fri Jan 24, 2025 9:13 pm
Forum: General
Topic: Unable to Downgrade RouterOS from 7.18beta2 to 7.16.2 on hAP ax3 ARM 64 [SOLVED]
Replies: 10
Views: 466

Re: Unable to Downgrade RouterOS from 7.18beta2 to 7.16.2 on hAP ax3 ARM 64 [SOLVED]

For minimum ROS version you have to check this: /system/resource/print Sometimes it can be different than routerboot (I have a wAP ax with factory-firmware: 7.15.2 and factory-software: 7.15.1 ). Anyway, proper way for downgrading is to get list of installed packages (disabled as well) upload all co...
by mkx
Fri Jan 24, 2025 3:58 pm
Forum: General
Topic: Influence of clientid in defintion of IPv4 DHCP leases
Replies: 1
Views: 124

Re: Influence of clientid in defintion of IPv4 DHCP leases

So what's the Influence of clientid in the definition of DHCP leases? In principle modern DHCP servers (I can't say anything about tens of years old DHCP servers) assign leases according to client ID value ... which is provided by clients. Vast majority of clients indicate that Client ID is MAC addr...
by mkx
Fri Jan 24, 2025 3:43 pm
Forum: General
Topic: VLAN config RB760iGS??
Replies: 4
Views: 239

Re: VLAN config RB760iGS??

The problem is that on ports with 1003 vlan I can't get any traffic... except if I add vlan as an interface to the bridge... then somehow the traffic starts.. Config should allow switching between ports ether2, ether3 and ether4 without problems. The problem is probably communication to device(s) c...
by mkx
Fri Jan 24, 2025 2:53 pm
Forum: Announcements
Topic: Newsletter #121 | October 2024
Replies: 58
Views: 11306

Re: Newsletter #121 | October 2024

It’s a shame they saved a few cents on this motherboard architecture. Quite often, even in cheap devices, the WAN port is connected directly to the SoC, but that’s not the case here. :( It's a feature: this way any of ports can be assigned any role and it's then done equally well. Which adds to ver...
by mkx
Fri Jan 24, 2025 12:01 pm
Forum: Wireless Networking
Topic: New PPSK functionality
Replies: 69
Views: 7525

Re: New PPSK functionality

The only issue I observe is the band steering from 2 to 5 and back that does not work very well and I would have liked to see some parameters I could tune myself. My experience goes that band steering works very well for some (mostly that's newer) stations and doesn't work for some (in particular H...
by mkx
Fri Jan 24, 2025 11:56 am
Forum: Wireless Networking
Topic: CAPsMAN layout
Replies: 2
Views: 191

Re: CAPsMAN layout

My question is where to run CAPsMAN to obtain the best performance. As @holvoetn already explained (using different words): CAPsMAN does very little[*] so it doesn't matter much which device runs it. I agree that some central router (or edge router in installations without central routers) would be...
by mkx
Fri Jan 24, 2025 11:38 am
Forum: General
Topic: Default values [SOLVED]
Replies: 15
Views: 743

Re: Default values [SOLVED]

You can reset it to default by running same set command with different value. Finding out the default value for certain settings can be tricky though. One of them is e.g. L2MTU which can vary wildly depending on hardware type (and even device model, there are cases where different device models use ...
by mkx
Fri Jan 24, 2025 11:36 am
Forum: General
Topic: Router sends DHCPDISCOVER when it shouldn't.
Replies: 2
Views: 173

Re: Router sends DHCPDISCOVER when it shouldn't.

There's service "detect internet" which in theory helps to set router correctly for people who don't fiddle with manual settings (too much), but has potential to screw things up ... One of mechanisms is using DHCP client procedures even on interfaces where DHCP client is not configured. So...
by mkx
Fri Jan 24, 2025 11:09 am
Forum: General
Topic: VLAN config RB760iGS??
Replies: 4
Views: 239

Re: VLAN config RB760iGS??

It looks almost right (apart from the fact that ports ether1, ether5, sfp1 and bridge (the CPU-facing bridge port) accept untagged frames with PVID=1).

So what exactly are those "strange errors"?
by mkx
Fri Jan 24, 2025 9:23 am
Forum: Beginner Basics
Topic: Boundary Clocks on CRS317
Replies: 9
Views: 558

Re: Boundary Clocks on CRS317

I expect enabled CRS317 coming online may become grandmaster if none is present or current grandmaster loses an election. I'd expect that as well ... but I certainly hope that PtP implementation does check if device (which is about to become boundary clock) has a reliable and stable clock source. ...
by mkx
Thu Jan 23, 2025 8:25 pm
Forum: Wireless Networking
Topic: Powering of CubeSA 60Pro ac
Replies: 4
Views: 246

Re: Powering of CubeSA 60Pro ac

CubeSA 60Pro ac brochure says that PoE in can go up to 57V. Both brochure and product page mention 802.3 af/at which mandates input voltage range up to 57V. So the product page is likely incorrect.
by mkx
Thu Jan 23, 2025 8:14 pm
Forum: General
Topic: Extender gper
Replies: 10
Views: 472

Re: Extender gper

If it bothers you that GPeR acts as PoE pass-through ... then follow advice by @sindy about PoE pass-through jumpers on GPeR device. SWITCH is CATALYST 9200L POE, and if i attach poe device on port out of GPER it ok, but if attach LAN PC gper it off. So I'll ask one last time: did you disable PoE p...
by mkx
Thu Jan 23, 2025 4:10 pm
Forum: Beginner Basics
Topic: Boundary Clocks on CRS317
Replies: 9
Views: 558

Re: Boundary Clocks on CRS317

Boundary clocks will have holdover capabilities to handle temporary loss of GM connection. So they can master time. So the question is: can boundary clock (cold) boot without seeing GM clock? IMO by definition it can't, but some implementations might allow it. Just like NTP server can't start servi...
by mkx
Thu Jan 23, 2025 2:40 pm
Forum: General
Topic: Extender gper
Replies: 10
Views: 472

Re: Extender gper

You do have PoE switch (on the left of your diagram), which acts as PoE PSE. And you have PoE device (GPeR), which acts as PoE PD. So PoE negotiation (this way or another) will happen on the left segment of your "network". If it bothers you that GPeR acts as PoE pass-through ... then follo...
by mkx
Thu Jan 23, 2025 2:32 pm
Forum: General
Topic: Any hope for OAM CFM / 802.1ag support?
Replies: 2
Views: 177

Re: Any hope for OAM CFM / 802.1ag support?

I'm doubting that RouterOS 7.x has yet hit kernel version 6.x... but if and when it does, could this be looked at? Experience with move from ROS v6 to v7 shows that ROS v7 series will keep same kernel as it is in use now (5.6.3) until the end of series (just like v6 is still at kernel 3.3.5). So yo...
by mkx
Thu Jan 23, 2025 11:23 am
Forum: General
Topic: Extender gper
Replies: 10
Views: 472

Re: Extender gper

GPeR has to be powered over PoE. But it's pretty flexible as what kind of PoE. It takes 802.3 af/at powering, it also takes passive PoE with voltage range between 24V and 57V. The gotcha with powering over long lines is that PoE load detection might not work reliably due to added UTP cable resistanc...
by mkx
Thu Jan 23, 2025 9:02 am
Forum: Announcements
Topic: v7.18beta [testing] is released!
Replies: 231
Views: 23067

Re: v7.18beta [testing] is released!

I guess that L2MTU setting affects number of frame buffers available. E.g.: if switch chip has 1MB of memory, if L2MTU is set to 1516 bytes, then this means space for 691 frames buffered. Setting L2MTU to 2000 bytes reduces number of buffered frames to maximum of 524. Not only that, it will halve th...
by mkx
Thu Jan 23, 2025 8:23 am
Forum: Beginner Basics
Topic: Boundary Clocks on CRS317
Replies: 9
Views: 558

Re: Boundary Clocks on CRS317

Boundary clocks are by definition only relays (smart because they include/add information about delay induced by device but nothing more) ... If there isn't an external GM device in your network, then you want your device to become GM. Then the only remaining question is what kind of timing source i...
by mkx
Thu Jan 23, 2025 8:12 am
Forum: Announcements
Topic: v7.18beta [testing] is released!
Replies: 231
Views: 23067

Re: v7.18beta [testing] is released!

Please stop setting MTU underlay as "just enough"! I guess that L2MTU setting affects number of frame buffers available. E.g.: if switch chip has 1MB of memory, if L2MTU is set to 1516 bytes, then this means space for 691 frames buffered. Setting L2MTU to 2000 bytes reduces number of buffe...
by mkx
Wed Jan 22, 2025 9:49 pm
Forum: Wireless Networking
Topic: Difference "Bridge Port" view using WiFi CapsMan and Wireless CapsMan
Replies: 1
Views: 191

Re: Difference "Bridge Port" view using WiFi CapsMan and Wireless CapsMan

When using old CAPsMAN, do/did you use capsman forwarding in datapath? It doesn't exist in new (wifi) CAPsMAN ...
by mkx
Wed Jan 22, 2025 9:20 pm
Forum: Beginner Basics
Topic: Optimizing Server Placement: MikroTik Router vs. Switch
Replies: 12
Views: 596

Re: Optimizing Server Placement: MikroTik Router vs. Switch

Not exactly an echo, rather explanation.
by mkx
Wed Jan 22, 2025 6:41 pm
Forum: General
Topic: CCR2004-16G-2S+ shows wrong cpu mhz
Replies: 9
Views: 1370

Re: CCR2004-16G-2S+ shows wrong cpu mhz

You can't set CPU frequency like this?
/system/routerboard/settings/set cpu-frequency=auto

(or press <TAB> before entering auto to see possible values)
by mkx
Wed Jan 22, 2025 6:30 pm
Forum: Beginner Basics
Topic: Optimizing Server Placement: MikroTik Router vs. Switch
Replies: 12
Views: 596

Re: Optimizing Server Placement: MikroTik Router vs. Switch

Generally speaking switches have switching capacity larger than any individual port (including switch-router or switch-switch interconnect). Which means that connecting server to switch, which also directly connects "main" clients (or large subset of clients) of server, generally offers be...
by mkx
Wed Jan 22, 2025 6:23 pm
Forum: Beginner Basics
Topic: VLAN on a single port
Replies: 9
Views: 717

Re: VLAN on a single port

The RB2011 is a "special" device that has two switch chips: https://help.mikrotik.com/docs/spaces/ROS/pages/15302988/Switch+Chip+Features Atheros8327 (ether1-ether5+sfp1); Atheros8227 (ether6-ether10) The "modern" way to do what you want to accomplish (good on *any* Mikrotik har...
by mkx
Wed Jan 22, 2025 3:58 pm
Forum: Announcements
Topic: v7.18beta [testing] is released!
Replies: 231
Views: 23067

Re: v7.18beta [testing] is released!

> *) net - added initial support for automatic multicast tunneling (AMT) interface; Is this the solution to route mDNS over WireGuard without using an EOIP tunnel? AMT is a tunnel by itself ... not encrypted, only encapsulated into unicast UDP packets. My employer is using it to receive certain mul...
by mkx
Wed Jan 22, 2025 7:45 am
Forum: Beginner Basics
Topic: Hardware Switching on CCR2004-16G-2S+
Replies: 6
Views: 637

Re: Hardware Switching on CCR2004-16G-2S+

There's a general standard caveat in documentation saying only one ROS bridge can do hardware offloading, and default best-practice is "only one bridge total unless you know you need more". I actually kinda wonder if that's an accurate description of ROS software limitation, or is it a bi...
by mkx
Tue Jan 21, 2025 11:15 pm
Forum: General
Topic: Problem Scenario Regarding NAT in Mikrotik Router
Replies: 2
Views: 200

Re: Problem Scenario Regarding NAT in Mikrotik Router

NAT is connection tracking thing and as long as connection is active, NAT will do its job. And will do the inverse for return packets if they get delivered to router. There are two possibilities for SRC NAT: action=src-nat and action=masquerade. There are two important differences between both possi...
by mkx
Tue Jan 21, 2025 11:55 am
Forum: Wireless Networking
Topic: Help with Dual Band Steering and Roaming using Qcom Package (WiFi Wave 2)
Replies: 8
Views: 442

Re: Help with Dual Band Steering and Roaming using Qcom Package (WiFi Wave 2)

Haven't seen it yet, you should be using CAPsMAN to get this to work seamlessly.

Indeed to get roaming between different APs one needs CAPsMAN up and running. But to get roaming between radios of same AP one doesn't need CAPsMAN, relatively default config should suffice.
by mkx
Tue Jan 21, 2025 11:49 am
Forum: Wireless Networking
Topic: Help with Dual Band Steering and Roaming using Qcom Package (WiFi Wave 2)
Replies: 8
Views: 442

Re: Help with Dual Band Steering and Roaming using Qcom Package (WiFi Wave 2)

It's not OK to force devices to roam to certain APs. The problem is that whatever is configured (including the whole 802.11 r/k/v), it's still device which decides to move to another AP. The only difference between simply using same SSID and using the whole mobility suite is that in later case devic...
by mkx
Tue Jan 21, 2025 11:33 am
Forum: Beginner Basics
Topic: Can't log into switch from a Macintosh.
Replies: 8
Views: 376

Re: Can't log into switch from a Macintosh.

I remember a couple of reports of people that needed to reset the unit before being able to access it, you can try that, you have nothing to lose. Or it may be the opposite. I've received my brand new wAP ax and initially the password from the sticker worked, I've used it to log in using winbox 3.x...
by mkx
Tue Jan 21, 2025 11:28 am
Forum: Beginner Basics
Topic: Struggling to receive IPv6 prefix delegation from ISP [SOLVED]
Replies: 65
Views: 4424

Re: Struggling to receive IPv6 prefix delegation from ISP [SOLVED]

Well, I got it working. For some reason, setting the prefix hint to 0 fixed it. Nice to read that you have it now working ... I'm very curious as to the prefix size they actually gave you because a prefix hint to 0 in the IPv6 prefix field indicates that the requesting router has no preference for...
by mkx
Tue Jan 21, 2025 9:14 am
Forum: RouterBOARD hardware
Topic: RTFC11: how to power with PoE 802.11at/af?
Replies: 4
Views: 471

Re: RTFC11: how to power with PoE 802.11at/af?

Yup. Product page says



(emphasis is mine)
In addition to emphasis, can you also translate from Mikrotikish?

What (the heck) is a cross cable?
I've no idea ... perhaps @OP should ask MT support directly (and post their answer here, it should be interesting).
by mkx
Tue Jan 21, 2025 9:08 am
Forum: Wireless Networking
Topic: Is/Would be there support for client roaming (802.11k,802.11r,802.11v,802.11w) ...
Replies: 4
Views: 560

Re: Is/Would be there support for client roaming (802.11k,802.11r,802.11v,802.11w) ...

And on certain models of AC devices ... those which can run wifi-qcom-ac driver. As to how it works: mobility works between radios, controlled by same entity. Basic setup is single dual-radio device which controls both/all radios and mobility works between those radios. Advanced setup is network of ...
by mkx
Tue Jan 21, 2025 8:55 am
Forum: General
Topic: Understanding config /interface ethernet on Atheros8327 RBD52G HapAC2
Replies: 2
Views: 218

Re: Understanding config /interface ethernet on Atheros8327 RBD52G HapAC2

Question on the Atheros 8237 switch chip that is in my hap2ac (rdb52G). The documentation at this page https://help.mikrotik.com/docs/spaces/ROS/pages/15302988/Switch+Chip+Features#SwitchChipFeatures-Introduction indicates that you can change the advertised speed of an interface to multiple different...
by mkx
Tue Jan 21, 2025 8:29 am
Forum: General
Topic: CPU Problem with CRS112-8P-4S after Update to 7.17
Replies: 2
Views: 275

Re: CPU Problem with CRS112-8P-4S after Update to 7.17

You have vlan-filtering=yes on bridge and CRS1xx can't offload such bridge to underlying switch chip. So all traffic passes CPU. This was the case since forever, nothing changed with 7.17 ... so you can consider yourself lucky that it didn't bite you earlier. You have to configure VLAN stuff on swit...
by mkx
Mon Jan 20, 2025 6:14 pm
Forum: RouterBOARD hardware
Topic: RTFC11: how to power with PoE 802.11at/af?
Replies: 4
Views: 471

Re: RTFC11: how to power with PoE 802.11at/af?

In theory a 802.3af/at compliant PD should accept both Mode A and mode B (it is the PSE that decides on which pins to apply power). Your Cisco most probably uses mode A (1,2+/3,6-). It is possible that either the thingy is not fully 802.3af/at compatible or that (for whatever reasons) it is defecti...
by mkx
Mon Jan 20, 2025 6:09 pm
Forum: RouterBOARD hardware
Topic: hEX refresh (E50UG) - router for gigabit internet?
Replies: 30
Views: 6176

Re: hEX refresh (E50UG) - router for gigabit internet?

Is hAP AC2 free of the "ether1 as uplink" problem?

I stand by @holvoetn and his answer.

And a spoiler: hAP ac2 doesn't suffer from same problem, all of its wired ports are equal, all are controlled by (same) switch chip.
by mkx
Mon Jan 20, 2025 2:59 pm
Forum: General
Topic: USB port doesnt work on hAP ac lite
Replies: 4
Views: 334

Re: USB port doesnt work on hAP ac lite

You can verify that USB port works and that USB device attached does present to RouterOS kernel by running command /system/resource/usb/print It should show your attached device along with a few devices with name xHCI Host Controller . Yet another thing is to get USB device working ... and with ROS...
by mkx
Sun Jan 19, 2025 2:23 pm
Forum: General
Topic: Hot take on Botnets - How do you secure your Mikrotik while setting it up?
Replies: 40
Views: 2192

Re: Hot take on Botnets - How do you secure your Mikrotik while setting it up?

@jaclaz: even if that was possible, how would you do it for architecture you don't have at home (e.g. ampere)?
by mkx
Sun Jan 19, 2025 2:13 pm
Forum: Announcements
Topic: v7.17 [stable] is released!
Replies: 304
Views: 46713

Re: v7.17 [stable] is released!

running 2 hAP ac2 (one with the 256MB and one with the 128MB flash storage) this model is supposed to have 16MB of flash, how did you get 128 or 256MB? I guess poster is confusing flash and RAM (early units came with 256MB RAM, the rest came with 128MB RAM as it was always advertised). All units AF...
by mkx
Sun Jan 19, 2025 10:38 am
Forum: Beginner Basics
Topic: Setting up DHCP for beginners
Replies: 5
Views: 604

Re: Setting up DHCP for beginners

New pool won't be created automatically. So if you expect to have more than around 200 devices in your network, then you have to make subnet larger than /24 ... /23 allows for 510 addresses, /22 adds another 512, etc. Increasing subnet requires some diligence (selecting the right DHCP address range...
by mkx
Sat Jan 18, 2025 11:35 pm
Forum: General
Topic: wifi CAPsMAN, wifi-qcom-ac CAPs and slave interfaces in VLAN environnent [SOLVED]
Replies: 4
Views: 486

Re: wifi CAPsMAN, wifi-qcom-ac CAPs and slave interfaces in VLAN environnent [SOLVED]

Ah, when looking at /interface/wifi/cap I wasn't looking good enough ... and didn't see the slaves-static setting. Thank you for pointing it out.
by mkx
Sat Jan 18, 2025 11:16 pm
Forum: General
Topic: wifi CAPsMAN, wifi-qcom-ac CAPs and slave interfaces in VLAN environnent [SOLVED]
Replies: 4
Views: 486

Re: wifi CAPsMAN, wifi-qcom-ac CAPs and slave interfaces in VLAN environnent [SOLVED]

  • 1×RB5009 as main router and CAPsMAN + 3×hAP ac² as APs and bridges,

So how do you handle slave wifi interfaces in this scenario?
by mkx
Sat Jan 18, 2025 11:05 pm
Forum: General
Topic: Two bridges, two devices sharing the same MAC but one on bridge1 and another on bridge2
Replies: 19
Views: 1938

Re: Two bridges, two devices sharing the same MAC but one on bridge1 and another on bridge2

I believe your guess-work is far more educated than mine. I've no idea about how ROS works around such cases.
by mkx
Sat Jan 18, 2025 10:59 pm
Forum: General
Topic: Unable to upgrade
Replies: 2
Views: 287

Re: Unable to upgrade

After upgrade-induced reboot, log usually has something about upgrade process outcome ... if it fails, log tells the reason (insufficient storage space is one of reasons, various problems with optional packages are showstoppers as well).
by mkx
Sat Jan 18, 2025 10:53 pm
Forum: General
Topic: wifi CAPsMAN, wifi-qcom-ac CAPs and slave interfaces in VLAN environnent [SOLVED]
Replies: 4
Views: 486

wifi CAPsMAN, wifi-qcom-ac CAPs and slave interfaces in VLAN environnent [SOLVED]

So I've got this scenario: my LAN is fully VLAN tagged, all MT gear is running 7.16.2 except wAP ax which is running 7.17 I have hAP ac2 configured as main router and lately CAPsMAN. It doesn't have wifi-qcom-ac drivers installed, so it's wired-only I have wAP ax which runs wifi-qcom and can, thus, ...
by mkx
Sat Jan 18, 2025 10:35 pm
Forum: General
Topic: Two bridges, two devices sharing the same MAC but one on bridge1 and another on bridge2
Replies: 19
Views: 1938

Re: Two bridges, two devices sharing the same MAC but one on bridge1 and another on bridge2

@mkx, let me disagree - it is actually not the same ...

I agree it's not the same, I used word "similar" ...
by mkx
Sat Jan 18, 2025 10:11 pm
Forum: General
Topic: Two bridges, two devices sharing the same MAC but one on bridge1 and another on bridge2
Replies: 19
Views: 1938

Re: Two bridges, two devices sharing the same MAC but one on bridge1 and another on bridge2

It's similar problem to having two devices with same IPv4 address (albeit with different MAC addresses) ... it's possible to have it but involves NAT and multiple routing tables. Since NAT in IPv6 is a different beast, I'm not sure if (and how) your problem can be solved.
by mkx
Sat Jan 18, 2025 10:02 pm
Forum: General
Topic: Routing Traffic Based on CNAME Addresses in MikroTik RouterOS [solved]
Replies: 1
Views: 228

Re: Routing Traffic Based on CNAME Addresses in MikroTik RouterOS [solved]

Just to be precise:

edit: I figured it out, I'm routing my traffic through nginx proxy manager that handles the domain based routing

nginx doesn't "domain route" traffic, it (reverse) proxies it. Which is L7 operation - contrasted to routing which is L3 operation.
by mkx
Fri Jan 17, 2025 5:43 pm
Forum: General
Topic: Ether1 (NetInstall) port - danger for WAN?
Replies: 14
Views: 631

Re: Ether1 (NetInstall) port - danger for WAN?

It can only be an issue when: IMO none of ifs help with OP's considerations ... because they're out of device admin's hands. But there's an up side: netinstall is not triggered without doing a few things and all involve physical access to device at some point: button press while cold booting device...
by mkx
Fri Jan 17, 2025 2:54 pm
Forum: Beginner Basics
Topic: CAP bend set to B/G and not B/G/N [SOLVED]
Replies: 8
Views: 726

Re: CAP bend set to B/G and not B/G/N [SOLVED]

The problem with using capsman is that checking config locally doesn't actually have to reflect running values. One thing that CAPsMAN definitely doesn't do is overwrite configuration stored on CAP devices. So running export doesn't show any of CAPsMAN-provisioned settings. Running "monitor"...
by mkx
Fri Jan 17, 2025 2:44 pm
Forum: Announcements
Topic: v7.17 [stable] is released!
Replies: 304
Views: 46713

Re: v7.17 [stable] is released!

But the only reason I have that is because I can't remember which South American country is better :D Was it Panama? Brazil is better than ETSI most of times: 30dBm vs 20dBm on 2.4GHz, 30dBm vs. 14dBm on 5735-5875 MHz ... but not always: ETSI has 30dBm vs. 24dBm on 5490-5730 MHz. According to reg-i...
by mkx
Mon Jan 13, 2025 9:26 am
Forum: General
Topic: fetch error since 7.13: "failure: ERROR parsing http: there was no content-length or transfer-encoding"
Replies: 22
Views: 4176

Re: fetch error since 7.13: "failure: ERROR parsing http: there was no content-length or transfer-encoding"

Have you been handed over a 7.18 nightly build amongst whose feature the aim was to fix this issue you also faced? No, @timemaster seems to have received it this time. And I know it happened before (although rarely). So you have nothing to worry, there are no 'exceptional' forum members which recei...
by mkx
Mon Jan 13, 2025 9:21 am
Forum: Announcements
Topic: v7.17rc [testing] is released!
Replies: 408
Views: 141061

Re: v7.17rc [testing] is released!

Can we get v7.17 out the door and move to v7.18 beta so we can see what's new..... this version dragging now. I do appreciate stability and rigorous testing but I also want movement and new features as there are stuff I'm waiting for which may or may not be in next version. A counter proposal: can ...
by mkx
Mon Jan 13, 2025 9:18 am
Forum: General
Topic: fetch error since 7.13: "failure: ERROR parsing http: there was no content-length or transfer-encoding"
Replies: 22
Views: 4176

Re: fetch error since 7.13: "failure: ERROR parsing http: there was no content-length or transfer-encoding"

Where did you get your source then that 7.18 would feature a fix for this issue?
See my second paragraph (added while you were posting your latest post).
by mkx
Mon Jan 13, 2025 9:15 am
Forum: General
Topic: fetch error since 7.13: "failure: ERROR parsing http: there was no content-length or transfer-encoding"
Replies: 22
Views: 4176

Re: fetch error since 7.13: "failure: ERROR parsing http: there was no content-length or transfer-encoding"

Would you happen to have a link to the changelog to expect in 7.18? Nightly builds are alpha/developers' versions and nothing is guaranteed to enter to beta of same version. So there's never any changelog for nightly builds. We've seen stuff removed from beta versions (rarely, but it did happen) ...
by mkx
Mon Jan 13, 2025 9:12 am
Forum: General
Topic: Mikrotik and APs VLAN
Replies: 26
Views: 2615

Re: Mikrotik and APs VLAN

UniFi: vlan 1, 400, 401 (tagged) Mikrotik port 4: tagged with vlan 1,400,401. vlan 400 and vlan 401 works fine (separated dhcp servers on Mikrotik interfaces) But vlan 1 does not work - if I bind the ip address on Mikrotik to vlan 1 interface, the connection to the Unifi will be lost. Unifi expects ...
by mkx
Mon Jan 13, 2025 9:08 am
Forum: Virtualization
Topic: Dell R610 and x86 RouterOS
Replies: 5
Views: 716

Re: Dell R610 and x86 RouterOS

Everything works except VLANs.
Without posting your config nobody will be able to help you. So either post it or, if you know better, go ask help somewhere else (yes, it sounds rude, but that's how it is).
by mkx
Sun Jan 12, 2025 8:23 pm
Forum: RouterBOARD hardware
Topic: New/better router with old config
Replies: 2
Views: 644

Re: New/better router with old config

At least wireless config can't be applied in any of two mentioned ways. hAP ax3 runs wifi-qcom driver while your old hAP lite runs wireless driver ... and configuration of both is completely different.
by mkx
Sun Jan 12, 2025 5:19 pm
Forum: Beginner Basics
Topic: Is there a simple way to hang a virtual "Out of order" sign?
Replies: 13
Views: 988

Re: Is there a simple way to hang a virtual "Out of order" sign?

All employees have a cell phone......

How about using good ole public announcement system inside office building to announce internet outages? Those announcements will automatically reach only people physically present inside offices without them being stalked.
by mkx
Sun Jan 12, 2025 5:12 pm
Forum: Beginner Basics
Topic: Is there a simple way to hang a virtual "Out of order" sign?
Replies: 13
Views: 988

Re: Is there a simple way to hang a virtual "Out of order" sign?

Simple captive portals (almost) never work for intercepting anything encrypted. They work nicely when "a friendly" device first obtains connectivity and starts to check if it can access (certain servers on) internet. Captive portals appropriately block connectivity and direct client to ope...
by mkx
Sun Jan 12, 2025 4:53 pm
Forum: General
Topic: Mikrotik DDNS not working
Replies: 5
Views: 553

Re: Mikrotik DDNS not working

Are you, otherwise, able to access internet sites from router?

And another consideration: right now this forum feels sluggish to me (with 500 errors as well) which likely means that MT servers are under some kind of DDoS attack. And that likely includes DDNS servers as well.
by mkx
Sun Jan 12, 2025 3:42 pm
Forum: General
Topic: Brocade ICX 6450-24P w/ Mikrotik 5009: InterVLAN routing
Replies: 1
Views: 423

Re: Brocade ICX 6450-24P w/ Mikrotik 5009: InterVLAN routing

Your Brocade config indicates that Brocade will do the routing between VLANs. Are you sure about it? If yes, then you'll have to configure DHCP relay on Brocade. If not, then Brocade needs "router interface" only on management VLAN.
by mkx
Sun Jan 12, 2025 10:57 am
Forum: Beginner Basics
Topic: SSH out via dst-nat [SOLVED]
Replies: 3
Views: 1466

Re: SSH out via dst-nat [SOLVED]

I expected NAT rule with action dst-nat not to catch any connection from my local network unless it is changed to src-nat. So I guess connections outside goes thru both src-nat and then dst-nat? SRC-NAT and DST-NAT are very distinct operations, they happen at very different times (dst-nat is pretty...
by mkx
Sat Jan 11, 2025 7:30 pm
Forum: Beginner Basics
Topic: Auto Redirect IP with Port [SOLVED]
Replies: 6
Views: 908

Re: Auto Redirect IP with Port [SOLVED]

a dstnat port remapping seems like a possible solution, it should be something *like*: Very likely full hair-pin NAT is required as well if the non-standard port is to be mapped to standard one for LAN access as well. And hair-pin NAT comes with a bag of annoyances (e.g. "why don't I see real cli...
by mkx
Sat Jan 11, 2025 4:05 pm
Forum: Beginner Basics
Topic: Auto Redirect IP with Port [SOLVED]
Replies: 6
Views: 908

Re: Auto Redirect IP with Port [SOLVED]

Not really (@OP is asking how to instruct browser to connect to non-standard port). Whenever client app needs to access server app, it has to know which port to use. In your case client app is browser and they assume standard port for http (80) and lately they assume https (443). Browsers are perfec...
by mkx
Sat Jan 11, 2025 1:25 pm
Forum: General
Topic: Throughput issues with PPPoE over 10Gbit XGS-PON
Replies: 11
Views: 3535

Re: Throughput issues with PPPoE over 10Gbit XGS-PON

It's strange some ISPs hold on to 20 year old concepts. I guess it suits them well for a few purposes ... one of them is user management (less fuss to e.g. assign static IP address and IPv6 prefix). And obviously they don't bother about (under)performance of 3rd party routers, they just care about ...
by mkx
Sat Jan 11, 2025 12:03 pm
Forum: Wireless Networking
Topic: Problems connecting to Wifi as a client - hAP AX lite LTE6 [SOLVED]
Replies: 2
Views: 835

Re: Problems connecting to Wifi as a client - hAP AX lite LTE6 [SOLVED]

If you want to use hAP ax as client to hotel's wireless network, then wifi interface has to be running in mode=station. Also channel settings have to be on default (auto) settings. And then there are higher-level settings which are wrong/missing, e.g. DHCP client running on wifi1 interface (now it's...
by mkx
Sat Jan 11, 2025 12:18 am
Forum: Beginner Basics
Topic: Mgmt vlan not available (Crs 328 24p 4s)
Replies: 20
Views: 1712

Re: Mgmt vlan not available (Crs 328 24p 4s)

You have to set pvid=99 on ether8 ... currently these are not correctly related:

/interface bridge port
add bridge=Bridge interface=ether8
/interface bridge vlan
add bridge=Bridge comment=MGMT tagged=ether23,Bridge,ether1 untagged=ether8 \
    vlan-ids=99

Default pvid setting (and thus not shown in expo...
by mkx
Fri Jan 10, 2025 6:38 pm
Forum: RouterBOARD hardware
Topic: HEX S sometimes fails to start properly [SOLVED]
Replies: 13
Views: 3440

Re: HEX S sometimes fails to start properly [SOLVED]

the adapter is OK (24V). Idle or under load? Marginal power adapter might output close to 24V when idle but drop voltage under load. And failing capacitors also mean very uneven output voltage which isn't shown by normal voltmeters, oscilloscope does OTOH. The uneven supply voltage can disrupt devi...
by mkx
Fri Jan 10, 2025 3:47 pm
Forum: Beginner Basics
Topic: Struggling to receive IPv6 prefix delegation from ISP [SOLVED]
Replies: 65
Views: 4424

Re: Struggling to receive IPv6 prefix delegation from ISP [SOLVED]

I'm using 6to4, but I'm assuming there's probably a way to switch it to 6to6 as I can get a single IP6 address and it's probably going to be a little better? Actually not likely. No because IPv6 (the outer layer added by tunnel) has larger headers which means lower payload per same MTU ... which ul...
by mkx
Fri Jan 10, 2025 3:41 pm
Forum: Beginner Basics
Topic: Struggling to receive IPv6 prefix delegation from ISP [SOLVED]
Replies: 65
Views: 4424

Re: Struggling to receive IPv6 prefix delegation from ISP [SOLVED]

Their network team cannot see the ONT (cryptic wall box) and the IP allocation is not coming through it anymore. They cannot see very much because of this. This is wrong …. If the network team cannot see the ONT …. Another possibility (very common where optical network owner is different than ISP) ...
by mkx
Fri Jan 10, 2025 3:36 pm
Forum: General
Topic: Won't connect without DHCP...?
Replies: 6
Views: 665

Re: Won't connect without DHCP...?

While waiting to see configuration export, just a comment: "static ARP" is calling for problems ... while it doesn't really provide any security (setting MAC address on interface is only too easy).
by mkx
Fri Jan 10, 2025 3:29 pm
Forum: General
Topic: DHCP Server - Domain [SOLVED]
Replies: 3
Views: 843

Re: DHCP Server - Domain [SOLVED]

This setting sets DHCP Option 15 (the domain name that client should use as suffix when resolving hostnames via the Domain Name System) ... and it's entirely up to clients on how they use them. Definitely nothing to do with DHCP server or DHCP client. So normally yes, <my.domain.tld> can be "ho...
by mkx
Fri Jan 10, 2025 3:25 pm
Forum: General
Topic: Automatically updating DST NAT when IP changes
Replies: 8
Views: 954

Re: Automatically updating DST NAT when IP changes

I suggest using/setting CNAME records in your main DNS for each DDNSed router item. This only helps with naming (e.g. when router changes, its DDNS name changes ... and it then has to be changed in many places. If one uses CNAME records, then change has to be done only for that particular CNAME). ...
by mkx
Fri Jan 10, 2025 3:10 pm
Forum: Announcements
Topic: v7.17rc [testing] is released!
Replies: 408
Views: 141061

Re: v7.17rc [testing] is released!

... so IGMP Snooping is now disabled again. And it's a feature that I actually need (IPTV usage). It depends. My ISP offers IPTV over tagged VLAN ... so I pass that VLAN only to required ports (connecting TV boxes). Even without IGMP snooping, only those few ports get active streams. Indeed all act...
by mkx
Fri Jan 10, 2025 9:08 am
Forum: Wireless Networking
Topic: WIFI won't turn on(R) after upgrade and downgrade [SOLVED]
Replies: 2
Views: 978

Re: WIFI won't turn on(R) after upgrade and downgrade [SOLVED]

wireless interface shows "R" status only if there's at least one wireless client (station) connected to it. Are you saying that SSID is actually not broadcasted? This is best verified by using some kind of wireless debugging application on wireless client (there are plenty of usable apps f...
by mkx
Fri Jan 10, 2025 9:02 am
Forum: Wireless Networking
Topic: old and new Capsmann with VLAN- no conecction with the new Capsmann
Replies: 6
Views: 1388

Re: old and new Capsmann with VLAN- no conecction with the new Capsmann

New CCMP is same as old AES CCM ... CCMP256 and GCMP* are new ones (not widely supported by wireless stations though, some even barf on seeing these supported by AP).
by mkx
Fri Jan 10, 2025 8:55 am
Forum: General
Topic: Mikrotik and APs VLAN
Replies: 26
Views: 2615

Re: Mikrotik and APs VLAN

UniFi: vlan 1, 400, 401 (tagged) Mikrotik port 4: tagged with vlan 1,400,401. "Native VLANs" (whatever that means) should never be tagged on wires ... also devices on both ends of same cable have to have same config ... and in your case UniFi has "native" (whichever that is) VLA...
by mkx
Fri Jan 10, 2025 8:52 am
Forum: General
Topic: DHCP Server - Domain [SOLVED]
Replies: 3
Views: 843

Re: DHCP Server - Domain [SOLVED]

Domain is domain name ... without leading dot. So if your host names are e.g. "host.my.domain.tld", then you should set domain property of DHCP server network entries to domain=my.domain.tld
by mkx
Fri Jan 10, 2025 8:46 am
Forum: Beginner Basics
Topic: Printer on different VLAN
Replies: 18
Views: 1633

Re: Printer on different VLAN

Unfortunately I receive the following error message: "failure: incoming interface matching not possible in output and postrouting chains". Any ideas? Then just omit the in-interface property from NAT rule definition. You can instead use src-address property (e.g. src-address=!192.168.30.0...
by mkx
Thu Jan 09, 2025 8:15 pm
Forum: Wireless Networking
Topic: wAP ax?
Replies: 290
Views: 37902

Re: wAP ax?

I'm waiting the day when @anav will post that he replaced tplink APs with Mikrotiks and want some advice on CAPsMAN :D :lol:

That will follow the act of Canada becoming part of US a.k.a. when the hell freezes :lol:
by mkx
Thu Jan 09, 2025 8:09 pm
Forum: Beginner Basics
Topic: Struggling to receive IPv6 prefix delegation from ISP [SOLVED]
Replies: 65
Views: 4424

Re: Struggling to receive IPv6 prefix delegation from ISP [SOLVED]

Just to make sure: your WAN is connected to ether1?
by mkx
Thu Jan 09, 2025 6:10 pm
Forum: General
Topic: Automatically updating DST NAT when IP changes
Replies: 8
Views: 954

Re: Automatically updating DST NAT when IP changes

.. why not just set the dst-nat rule to use in-interface where the in-interface = your WAN interface?

Hairpin-NAT doesn't work with in-interface, it's got to be dst-address.
by mkx
Thu Jan 09, 2025 12:19 pm
Forum: Beginner Basics
Topic: Printer on different VLAN
Replies: 18
Views: 1633

Re: Printer on different VLAN

You need a second firewall rule that also allows the traffic from IOT / Print as in interface to the out interface home. Basically the "return traffic". It's already there, this is the one: add action=accept chain=forward comment=\ "accept established,related,untracked" connecti...
by mkx
Thu Jan 09, 2025 12:16 pm
Forum: General
Topic: DHCP server problem
Replies: 6
Views: 739

Re: DHCP server problem

How in particular did you export and import config? Did you use backup and restore commands ... or export and import? If the former ... then it's known (apparently not well though) that binary backups (results of backup) are not intended to move config from one device to another one. Specially so ...
by mkx
Thu Jan 09, 2025 12:11 pm
Forum: Announcements
Topic: v7.16.2 [stable] is released!
Replies: 506
Views: 226503

Re: v7.16.2 [stable] is released!

- Dude server (I can confirm that after upgrading it to 7.16.2 you can upgrade routerOS devices from Dude (it does not upgrade the routerboard though and in my case I had to install extra packages manually (upgrading from 7.12.1 to 7.16.2) - but I was doing it for the first time, maybe I don't know...
by mkx
Thu Jan 09, 2025 11:24 am
Forum: Announcements
Topic: v7.17rc [testing] is released!
Replies: 408
Views: 141061

Re: v7.17rc [testing] is released!

You could try to change some memory settings in BIOS regarding mapping memory of PCI peripheral devices ... Another thing to try is to increase memory size on PC, the number says it needs a bit less than 4M of contiguous space (not sure if that's possible with your hardware). But the error does see...
by mkx
Thu Jan 09, 2025 11:17 am
Forum: SwOS
Topic: VLANs, port isolation in switch OS - how does it all fit? [SOLVED]
Replies: 17
Views: 2138

Re: VLANs, port isolation in switch OS - how does it all fit? [SOLVED]

SPF connection is no-go for me, as the infrastructure is already buried in the walls.

It's always option to take down the walls :wink:

You never mentioned how the 3 devices are placed physically, so I (wrongly it seems) assumed they are in same place.
by mkx
Thu Jan 09, 2025 11:12 am
Forum: Wireless Networking
Topic: Wi-Fi unstable hAP ax3
Replies: 6
Views: 906

Re: Wi-Fi unstable hAP ax3

Which SSID is used while you experience problems? What is signal strength, indicated by wireless station at the spot you normally use it? If you check WiFi environment (use some WiFi diagnostic AP on your phone), are there many other APs seen? You have left channel selection to automatic ... does it...
by mkx
Thu Jan 09, 2025 11:01 am
Forum: General
Topic: Routing issue
Replies: 3
Views: 686

Re: Routing issue

You don't need any additional routing on switch (as all packets outside its own subnet - 192.168.88.0/24 - will have to pass over router anyway). Do you have appropriate SRC-NAT rules established on router? Note that when both routes are up and running, the "normal" masquerade rule will li...
by mkx
Thu Jan 09, 2025 9:18 am
Forum: Wireless Networking
Topic: iPhone bouncing between AP's
Replies: 6
Views: 814

Re: iPhone bouncing between AP's

Signal strength, mentioned in CAPsMAN's logs, is signal strength of station as received by CAP. Ideally it should be quite similar to what station receives from AP but can be lower due to lower device Tx power (battery-powered devices are entitled to use lower power in order to prolong battery life ...
by mkx
Thu Jan 09, 2025 8:58 am
Forum: General
Topic: My LHG - LTE18 is having a Stroke. :D
Replies: 13
Views: 1281

Re: My LHG - LTE18 is having a Stroke. :D

It's hard to troubleshoot behaviour which happens only rarely. When it happens next time, don't forget to thoroughly check the logs, there might be something in it. Another thing to do is to create supout.rif file and send it to Mikrotik support ... they might decode the device state and comment on...
by mkx
Thu Jan 09, 2025 8:50 am
Forum: General
Topic: Automatically updating DST NAT when IP changes
Replies: 8
Views: 954

Re: Automatically updating DST NAT when IP changes

Solution will work ... but with some delay which depends on DDNS provider settings. Mikrotik's own DDNS solution, which creates <serial_number>.sn.mynetname.net DNS entries, have TTL set to 60 seconds. And option with adding DNS name as member of address lists does observe TTL. Which means that if o...
by mkx
Wed Jan 08, 2025 9:41 pm
Forum: Beginner Basics
Topic: Struggling to receive IPv6 prefix delegation from ISP [SOLVED]
Replies: 65
Views: 4424

Re: Struggling to receive IPv6 prefix delegation from ISP [SOLVED]

/ipv6/settings/set accept-router-advertisements: yes
expected end of command (line 1 column 20)

Sorry, it should be

/ipv6/settings/set accept-router-advertisements=yes

If it doesn't allow you to unset prefix-length, then set it to 64. You can omit requesting address ... it's not always needed and s...
by mkx
Wed Jan 08, 2025 9:30 pm
Forum: Beginner Basics
Topic: Hotspot on Bridge VLAN
Replies: 12
Views: 1571

Re: Hotspot on Bridge VLAN

You have quite some settings on L2 entities (bridge ports, etc.), which IMO border on paranoia ... and might affect hotspot operations. You might want to create a very simplified lab setup, starting from defaults and then add settings toward your intended setup ... while checking if hotspot still wo...
by mkx
Wed Jan 08, 2025 9:16 pm
Forum: Beginner Basics
Topic: Struggling to receive IPv6 prefix delegation from ISP [SOLVED]
Replies: 65
Views: 4424

Re: Struggling to receive IPv6 prefix delegation from ISP [SOLVED]

I don't know if that would fix the problem, but: don't create IPv6 pool manually. DHCPv6 client will create it automatically after it receives prefix. don't use prefix-length=48 (either set it to 64 or omit it altogether), it doesn't do what you probably think it does. It's about prefix length when ...
by mkx
Wed Jan 08, 2025 7:56 pm
Forum: SwOS
Topic: VLANs, port isolation in switch OS - how does it all fit? [SOLVED]
Replies: 17
Views: 2138

Re: VLANs, port isolation in switch OS - how does it all fit? [SOLVED]

Regarding loop between yellow and green parts: if you're careful not to pass same VLAN (tagged or as native) via multiple ports, then there won't be a loop. RSTP or plain STP would detect a loop (their BPDUs disregard VLAN IDs), MSTP would be fine. Another remark (it can be called personal preferenc...
by mkx
Wed Jan 08, 2025 7:38 pm
Forum: General
Topic: NORMUNDS FOR PRIME MINISTER
Replies: 14
Views: 2265

Re: NORMUNDS FOR PRIME MINISTER

Attempt4: Why did I volunteer to attend this event for Viktors......
I think the PM's drug-sniff dogs excluded him from the event.
... it reads "volunteer" ... which begs for question: whom did drug-sniffing dogs exclude: Normunds, Viktors, both or themselves?
by mkx
Wed Jan 08, 2025 7:25 pm
Forum: General
Topic: NORMUNDS FOR PRIME MINISTER
Replies: 14
Views: 2265

Re: NORMUNDS FOR PRIME MINISTER

I heard they were discussing Latvia buying Cloudflare...

Or is it the other way around? :lol:
by mkx
Wed Jan 08, 2025 7:15 pm
Forum: Beginner Basics
Topic: Hotspot on Bridge VLAN
Replies: 12
Views: 1571

Re: Hotspot on Bridge VLAN

this device does not have a switch chip you can use multiple bridges if you do not use STP. True. But then there will be a ton of vlan interfaces (one per VLAN and per port) plus multitude of bridges (one per vlan) ... compared to one bridge and few vlan interfaces (one per VLAN with which device h...
by mkx
Wed Jan 08, 2025 7:00 pm
Forum: Wireless Networking
Topic: wAP ax?
Replies: 290
Views: 37902

Re: wAP ax?

wAP ax Christmas edition season 2024/2025 :D :D Decorated by me, approved by wife :lol: As Christmas season 2024/25 is almost over, is there any new decoration available? I have my wAP ax ordered and I'm wondering if I have to order some WAF enhancement kit as well? I guess it'll be a close call s...
by mkx
Wed Jan 08, 2025 2:36 pm
Forum: SwOS
Topic: VLANs, port isolation in switch OS - how does it all fit? [SOLVED]
Replies: 17
Views: 2138

Re: VLANs, port isolation in switch OS - how does it all fit? [SOLVED]

EDIT2 : Would a proper term be, that instead of saying native VLAN or VLAN 1, I should rather say, that tv boxes require also untagged traffic? Maybe this way it makes more sense - from ISP the iptv broadcast comes on VLAN 5 as tagged frames, and ISP performed updates and configuration of the tvbox...
by mkx
Wed Jan 08, 2025 2:23 pm
Forum: SwOS
Topic: VLANs, port isolation in switch OS - how does it all fit? [SOLVED]
Replies: 17
Views: 2138

Re: VLANs, port isolation in switch OS - how does it all fit? [SOLVED]

So, it still boils down to "do not use VLAN1" (unless you really know where your towel is), right? :lol:

That's about it. So when in doubt, it's 42.
by mkx
Wed Jan 08, 2025 1:29 pm
Forum: RouterBOARD hardware
Topic: CCR1009-7G-1C-1S+ ethernet status led not working
Replies: 4
Views: 926

Re: CCR1009-7G-1C-1S+ ethernet status led not working

I saw that netinstall flash does not affect bootloader. Do you happen to know if its the OS containing firmware that controls these leds or its something else other that could be flashed ? Flash is updated from within ROS via system-> routerboard submenu. ROS will always contain routerboot flash im...
by mkx
Wed Jan 08, 2025 9:25 am
Forum: SwOS
Topic: VLANs, port isolation in switch OS - how does it all fit? [SOLVED]
Replies: 17
Views: 2138

Re: VLANs, port isolation in switch OS - how does it all fit? [SOLVED]

Native VLAN doesn't necessarily mean VLAN1, do you mean that your ISP is using VLAN1 as "native"? Well, I'm not sure how to check that. When I was trying to find out which VLANs they use, I simply ran a torch on input interface to see which VLANs appear there. Most often "Native VLAN...
by mkx
Wed Jan 08, 2025 9:12 am
Forum: RouterBOARD hardware
Topic: CCR1009-7G-1C-1S+ ethernet status led not working
Replies: 4
Views: 926

Re: CCR1009-7G-1C-1S+ ethernet status led not working

The device you're looking at is pretty old now. It's likely that it's starting to fail ... there have been numerous cases where capacitors (both in power adapter and on device's board) have bulged and then device experienced very random ways of misbehaviour. It's likely that configuration isn't at f...
by mkx
Tue Jan 07, 2025 8:21 pm
Forum: Beginner Basics
Topic: Bridge usage with VLAN setups
Replies: 10
Views: 1337

Re: Bridge usage with VLAN setups

IMO it doesn't make much sense to use bridge with single port. The only functionality bridge could offer are bridge filters ... for simplicity sake most things done by bridge filters can be done by L3 firewall. But using bridge does insert additional step in frame/packet processing (even if CPU cycl...
by mkx
Tue Jan 07, 2025 7:18 pm
Forum: General
Topic: Can somebody help me understand IPv6 subnets?
Replies: 6
Views: 1087

Re: Can somebody help me understand IPv6 subnets?

I set request=address,prefix, and I'm getting both a /60 prefix and an unrelated /128 address for my router. Do I need the address? Could I (and should I) just use request=prefix instead? Is there a benefit to my router having both? From what I remember of how layer-3 works, from the ISP's perspect...
by mkx
Tue Jan 07, 2025 6:46 pm
Forum: Beginner Basics
Topic: Bridge usage with VLAN setups
Replies: 10
Views: 1337

Re: Bridge usage with VLAN setups

How I understood: If you want to benefit from HW offload where possible (for those devices where it is supported), using bridge for setting up VLANs is the default way already for quite some years. I'm specifically talking about the use-case where I have a Trunk Port on my MikroTik Router which goe...
by mkx
Tue Jan 07, 2025 3:38 pm
Forum: RouterBOARD hardware
Topic: RB260GSP POE Switch
Replies: 6
Views: 1003

Re: RB260GSP POE Switch

In short: very likely RB260GSP can't be used to power your camera. There are two kinds of PoE: standard 802.3 af/at/bt It operates at 48V, different generations (af vs. at vs. bt) differ in maximum power allowed (and number of UTP pairs used to pass power) and in some minor details. Your camera is ...
by mkx
Tue Jan 07, 2025 9:06 am
Forum: General
Topic: Can somebody help me understand IPv6 subnets?
Replies: 6
Views: 1087

Re: Can somebody help me understand IPv6 subnets?

To add subnets, should I just add more /ipv6 addresses but instead of ::1 do ::1:0000:0000:0000:0001, ::2:0000:0000:0000:0001, etc. for each subnet? Unfortunately it's not really possible to set those "S" bits in IPv6 address assignment. So you have to go with example by @ConradPino above...
by mkx
Mon Jan 06, 2025 7:17 pm
Forum: Beginner Basics
Topic: bridge mac address flooding on all the vlans passed in crs
Replies: 1
Views: 765

Re: bridge mac address flooding on all the vlans passed in crs

Bridge doesn't "flood" its MAC address on traffic passing via device ... because MAC address (neither src nor dst) doesn't get rewritten by bridge or switch. So you'll have to be more specific as to what you think is a problem. Could be STP/RSTP BPDU frames ... those aren't VLAN tagged by...
by mkx
Sun Jan 05, 2025 12:01 pm
Forum: Beginner Basics
Topic: Did the Mikrotik firewall block the open ports?
Replies: 38
Views: 3418

Re: Did the Mikrotik firewall block the open ports?

Because of this rule, all incoming tcp traffic to port 443 is answered by the router: add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp The input chain is used for traffic to the router, the forward chain for traffic between networks (like WAN and LAN). Not com...
by mkx
Sun Jan 05, 2025 11:50 am
Forum: Announcements
Topic: Newsletter #122 | December 2024
Replies: 80
Views: 42166

Re: Newsletter #122 | December 2024

Probably price is just a matter of scale for the ONT, but of course they are more complex. Less cabling and less active components however are definitely cheaper. Well ... I don't think they can be cheaper to manufacture than plain FTTH SFPs ... no matter the production scale. The price may come cl...
by mkx
Sat Jan 04, 2025 10:44 pm
Forum: General
Topic: Chateau Pro AX slow speed [SOLVED]
Replies: 17
Views: 2128

Re: Chateau Pro AX slow speed [SOLVED]

It is not (completely) default config. I.e. the IPv6 rules are not there by default. No problem...
Yes they are in ROS v7 (where IPv6 is not optional any more). And yes they are if ipv6 optional package in v6 is installed and enabled when ROS config is reset to factory default.
by mkx
Sat Jan 04, 2025 10:26 pm
Forum: Wireless Networking
Topic: Use SXT6 LTE units as point to points
Replies: 5
Views: 1265

Re: Use SXT6 LTE units as point to points

SXT LTE kit and SXT LTE6 kit devices come with ROS licence level 3 ... which doesn't allow to configure its wifi interface as AP or AP-bridge. So these units are only usable for PtP links (one is bridge, the other is station-bridge) or as spoke devices in PtMP (where hub is AP-bridge and spokes are ...
by mkx
Sat Jan 04, 2025 10:16 pm
Forum: Beginner Basics
Topic: Reduce wifi signal strength [SOLVED]
Replies: 5
Views: 1608

Re: Reduce wifi signal strength [SOLVED]

1. Suggestion to increase antenna gain was the best available option before ROS version around 6.44 (or something like that) ... until that certain version, setting Tx power in absolute numbers had been both complicated (it had to be a table with different powers for different rates) and had potenti...
by mkx
Sat Jan 04, 2025 10:04 pm
Forum: Announcements
Topic: Newsletter #122 | December 2024
Replies: 80
Views: 42166

Re: Newsletter #122 | December 2024

PON is way cheaper than individual links. Especially in rural areas, deploying PON is also extremely fast&easy. The cost of the last mile is very high, especially if you consider the economy of scale (1user for 1 link). PON saves costs on "the first mile" part of it ... single optical ...
by mkx
Fri Jan 03, 2025 2:14 pm
Forum: General
Topic: NTP Synchronization Issue with HMI in a Router-Switch Setup
Replies: 6
Views: 1639

Re: NTP Synchronization Issue with HMI in a Router-Switch Setup

It could be that your ISP is blocking UDP traffic with dst port 123 towards your router. Have a look at this thread for a work around: viewtopic.php?t=208791
by mkx
Fri Jan 03, 2025 2:03 pm
Forum: General
Topic: Supported SSH MACs
Replies: 3
Views: 2591

Re: Supported SSH MACs

Now at https://help.mikrotik.com/docs/spaces/ROS/pages/132350014/SSH or https://wiki.mikrotik.com/Manual:IP/SSH . But it doesn't seem to work on RouterOS v6 (tested with v6.49.8). Unfortunately Mikrotik's documentation doesn't include history ... e.g. which ROS version brought certain feature or c...
by mkx
Fri Jan 03, 2025 12:50 pm
Forum: General
Topic: Connect and Disconnect (continuing)
Replies: 14
Views: 2282

Re: Connect and Disconnect (continuing)

... especially because you use the complete bandwidth of wifi at 2.4GHz.

Half (give or take) actually. 2.4GHz band (for anything newer than 802.11B) is 70MHz wide (in NA and related parts of universe) or 80MHz wide (elsewhere) ... and 2462/n/eC channel is 40MHz wide.
by mkx
Fri Jan 03, 2025 12:38 pm
Forum: General
Topic: MT Firewall & DST NAT question [SOLVED]
Replies: 10
Views: 2124

Re: MT Firewall & DST NAT question [SOLVED]

A bit annoying and uncommon to do security related filtering on the NAT side of things.. One thing to keep in mind: NAT is not about security ... although it does seem to help some times. So one thing is to introduce NAT rules and a separate thing is to add appropriate firewall rules. It's up to ad...
by mkx
Thu Jan 02, 2025 4:17 pm
Forum: General
Topic: MT Firewall & DST NAT question [SOLVED]
Replies: 10
Views: 2124

Re: MT Firewall & DST NAT question [SOLVED]

are there supposed to be hits on DST NAT rules for traffic that is not permitted by the FW? Yes, there are. According to packet flow , DST-NAT is part of pre-routing ... and firewall filter rules are part of either input or forward packet path ... which both come after pre-routing. Sometimes it's p...
by mkx
Tue Dec 31, 2024 7:11 pm
Forum: General
Topic: Troubles with performance of CAPsMAN-managed WIFI on RoS 7.16.2 with vlans
Replies: 19
Views: 1789

Re: Troubles with performance of CAPsMAN-managed WIFI on RoS 7.16.2 with vlans

On networks with any kind of problems (real or perceived, e.g. packet loss or large RTT), TCP and UDP connections behave very much differently. For UDP connections packet drop is fine and stats show high throughput with high packet loss. Usually throughput shown on Tx side reflects throughput of fir...
by mkx
Tue Dec 31, 2024 1:06 pm
Forum: Beginner Basics
Topic: IPv6 struggle
Replies: 3
Views: 1080

Re: IPv6 struggle

Two things: disable add-default-gateway on /ipv6 dhcp-client . The way it's now might work (depends on how your ISP does things), but it's not the correct way. Instead set accept-router-advertisements=yes under /ipv6/settings . more crucially: assign IPv6 address to LAN interface (bridge) to enable ...
by mkx
Tue Dec 31, 2024 10:45 am
Forum: Beginner Basics
Topic: Router and Switch configuration. Why can I ping the router but not the switch?
Replies: 2
Views: 999

Re: Router and Switch configuration. Why can I ping the router but not the switch?

In short: being able to access router's IP address via "non-native" interface is more or less cosmetic thing. A longer explanation: looking at packet flow it becomes obvious that one of early things that stateful firewall does is to classify ingress packets to firewall chains. If packet is...
by mkx
Mon Dec 30, 2024 5:18 pm
Forum: Wireless Networking
Topic: CAPsMAN DHCP Server for CAP AX Client
Replies: 15
Views: 2698

Re: CAPsMAN DHCP Server for CAP AX Client

Are those HP switches configured with VLANs? No sir, this unmanaged switch, As @holvoetn already wrote, unmanaged / non-VLAN-aware switches are a problem in your intended setup. Managed switches are not absolute requirement in VLANed network, but they have to be able to pass "mini-jumbo" ...
by mkx
Mon Dec 30, 2024 3:34 pm
Forum: Announcements
Topic: Newsletter #122 | December 2024
Replies: 80
Views: 42166

Re: Newsletter #122 | December 2024

PON is used to limit the amount of equipment in street cabinets, which reduces costs. If FTTx is regulated, then PON makes more sense to infrastructure owner ... because in this case competitor can't lease dark fiber, it can only rent bit stream and infrastructure owner has more control over whatev...
by mkx
Sun Dec 29, 2024 4:49 pm
Forum: General
Topic: CCR2004-16G-2S+ shows wrong cpu mhz
Replies: 9
Views: 1370

Re: CCR2004-16G-2S+ shows wrong cpu mhz

Also check settings in /system/device-mode ... I think you have to enable routerboard property to change cpu frequency setting ... just don't know which particular ROS version started to require that (could be it's 7.17).
by mkx
Sun Dec 29, 2024 2:57 pm
Forum: General
Topic: DOH certificate verify issue
Replies: 7
Views: 2389

Re: DOH certificate verify issue

which is, to be frank, unnecessary to know about half of millions revoked certificates :-)

They were revoked for a reason and it's only the right thing to be able to verify if certificate of server our device is talking to is one of those. If you don't care, then that's your problem (or wisdom).
by mkx
Sun Dec 29, 2024 2:49 pm
Forum: General
Topic: dstnat doesn't work on L009UiGS-RM Router [SOLVED]
Replies: 40
Views: 3020

Re: dstnat doesn't work on L009UiGS-RM Router [SOLVED]

Okay, in this case, I can see that all my ports are open, but is this the right way to open ports?

If you want ports open, then this is the right way. If you're concerned about security, then don't open them. Or restrict access to those ports.
by mkx
Sun Dec 29, 2024 1:48 pm
Forum: General
Topic: CCR2004-16G-2S+ shows wrong cpu mhz
Replies: 9
Views: 1370

Re: CCR2004-16G-2S+ shows wrong cpu mhz

Nominal CPU frequency is 1700MHz. But it's possible to overclock it by setting /system/routerboard/settings set cpu-frequency=<value> . Nowadays default setting is auto which allows ROS to scale frequency up or down depending on CPU core load. Sometimes this doesn't work too well (it takes some time ...
by mkx
Sun Dec 29, 2024 12:20 pm
Forum: General
Topic: Where are the packages
Replies: 2
Views: 893

Re: Where are the packages

How do I remove the packages from RouterOS now?

If they are not listed under Packages, then they are not installed. New CAPsMAN is included in core (routeros) package since version 7.13 (so running new CAPsMAN doesn't require any optional package).
by mkx
Sat Dec 28, 2024 1:25 pm
Forum: Wireless Networking
Topic: CAPsMAN DHCP Server for CAP AX Client
Replies: 15
Views: 2698

Re: CAPsMAN DHCP Server for CAP AX Client

Are those HP switches configured with VLANs? BTW, as soon as cAP is provisioned by CAPsMAN, local settings under /interface/wifi largely don't apply. Which includes datapath. Settings from CAPsMAN apply, including bridge name (and yours don't match). So I wonder how on earth could anything work actu...
by mkx
Sat Dec 28, 2024 1:10 pm
Forum: General
Topic: DHCPv6 client not assigning the received address on NIC
Replies: 5
Views: 1065

Re: DHCPv6 client not assigning the received address on NIC

Which ROS version? Only newer v7 versions correctly display dynamic IPv6 addresses and routes, older versions (including all v6 versions) omit them from print command. Addresses and routes are there or else IPv6 wouldn't work in certain aspects.
by mkx
Sat Dec 28, 2024 1:00 pm
Forum: General
Topic: [solved] Restrict IPv6 access
Replies: 7
Views: 1309

Re: Restrict IPv6 access

What I don't understand: why reply-only work for IPv4, but not for IPv6 ? Because address acquisition for IPv6 works very differently than for IPv4. For starters there's SLAAC (which is based on RAs and those are elementary for getting routing working) and networked devices assign addresses them se...
by mkx
Fri Dec 27, 2024 4:58 pm
Forum: Wireless Networking
Topic: Mikrotik AX PTP Netmetal AX
Replies: 38
Views: 4962

Re: Mikrotik AX PTP Netmetal AX

Check setting of property configuration.distance . Here's description: The distance is set for 22km, check the first photo in the first message. This was replying to @MulderSK. Looking at ping responses is mostly useless. I don't agree. You have every right to disagree. But so do I :wink: Did yo...
by mkx
Fri Dec 27, 2024 4:45 pm
Forum: Wireless Networking
Topic: CAPsMAN DHCP Server for CAP AX Client
Replies: 15
Views: 2698

Re: CAPsMAN DHCP Server for CAP AX Client

Your network is obviously not as flat as you're trying to imply. There are 3 VLANs mentioned next to CAPsMAN device (and possibly the "untagged" subnet). You're also writing about "hubs" ... these days nobody uses ethernet hubs, everybody is using ethernet switches, quite possibl...
by mkx
Thu Dec 26, 2024 9:30 pm
Forum: Wireless Networking
Topic: Audience backhaul issues
Replies: 8
Views: 2110

Re: Audience backhaul issues

As far as I can tell, you're heading in the right direction with the latest config snippet.
by mkx
Tue Dec 24, 2024 11:58 pm
Forum: Wireless Networking
Topic: Mikrotik AX PTP Netmetal AX
Replies: 38
Views: 4962

Re: Mikrotik AX PTP Netmetal AX

not only does the ping drop, but the connection is also interrupted
Which connection? The wireless link? Winbox management connection?
by mkx
Tue Dec 24, 2024 3:51 pm
Forum: Wireless Networking
Topic: Mikrotik AX PTP Netmetal AX
Replies: 38
Views: 4962

Re: Mikrotik AX PTP Netmetal AX

Looking at ping responses is mostly useless. If link is fully utilized, then those pings will get queued and seemingly dropped ... in reality they will likely get around but with round trip delay larger than 1s (which is usual timeout value), responses will be ignored by ping application. Try to run...
by mkx
Tue Dec 24, 2024 3:33 pm
Forum: Announcements
Topic: v7.17rc [testing] is released!
Replies: 408
Views: 141061

Re: v7.17rc [testing] is released!

New beta 7.18 for christmas? I wish Not likely. So far, beta only came out after previous version was released as stable. 7.17 is still Release Candidate and folks @MT are running out of time ... it's almost Christmas eve, Latvia is at UTC+2 which means it's 3:30 PM and almost end of office time.
by mkx
Tue Dec 24, 2024 12:09 pm
Forum: General
Topic: Question related to "RouterOS bridge mysteries explained"
Replies: 8
Views: 1266

Re: Question related to "RouterOS bridge mysteries explained"

@HeptaZ, did you read through excellent Using RouterOS to VLAN your network tutorial?

Because most of discussion in this thread is about VLANs and they are explained pretty well in the tutorial I linked above.
by mkx
Tue Dec 24, 2024 12:02 pm
Forum: General
Topic: Problem with smtp gmail and tls setting
Replies: 3
Views: 1033

Re: Problem with smtp gmail and tls setting

There are things to be set-up on gmail side, check their article: https://support.google.com/a/answer/2520500?hl=en

Then it could be TLS support mismatch. AFAIK ROS supports up to TLS 1.2 and some sites already require minimum of TLS 1.3 (not sure if gmail does).
by mkx
Tue Dec 24, 2024 11:23 am
Forum: Wireless Networking
Topic: Mikrotik AX PTP Netmetal AX
Replies: 38
Views: 4962

Re: Mikrotik AX PTP Netmetal AX

Check setting of property configuration.distance . Here's description: distance () Maximum link distance in kilometers, needs to be set for long-range outdoor links. The value should reflect the distance to the AP or station that is furthest from the device. Unconfigured value allows usage of 2 km l...
by mkx
Tue Dec 24, 2024 11:18 am
Forum: General
Topic: access to MKT even though its offline
Replies: 6
Views: 1114

Re: access to MKT even though its offline

If there's a chain of accessibility (i.e. you can access R1 but can't access R2 directly, while R1 can access R2), then you can use CLI (ssh, MAC telnet, normal telnet) if any of these is allowed on R2. ROS includes clients for all mentioned protocols. The only issue is with MAC telnet, ancient versi...
by mkx
Tue Dec 24, 2024 11:13 am
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 192
Views: 27360

Re: hap ax3 random wireless disconnects

Mikrotik app for Android shows the following value of dtim-period setting:

It might be artifact (by Tik app) for not having property set at all ... in which case default value (1) would be used.

When in doubt, always use CLI to verify ... and report a bug in UI to MT to get it fixed.
by mkx
Tue Dec 24, 2024 10:36 am
Forum: Wireless Networking
Topic: HAP ax3 : still support 2.4G standard B or not ?
Replies: 8
Views: 1299

Re: HAP ax3 : still support 2.4G standard B or not ?

Setting of band property on new wifi actually only limits the newest generation of wifi technology but allows all the older. So by setting band=2ghz-n one is allowing B, G and N, but not AX. When constructing AP for really old devices, one has to be extra careful with security settings: B-only devic...
by mkx
Tue Dec 24, 2024 9:27 am
Forum: General
Topic: Rb 951 configuration
Replies: 2
Views: 851

Re: Rb 951 configuration

I'm trying to configure my rb951 to access Internet from ISP router but after setting the static IP ( 192.168.100.100/24) and checking routes and when I try to ping google.com Does your ISP support DHCP as means of obtaining IP config for clients? If it does, then use it, it's usually less error-pr...
by mkx
Tue Dec 24, 2024 9:15 am
Forum: Beginner Basics
Topic: Help needed - How to mitigate DDOS atacks with dns
Replies: 21
Views: 2744

Re: Help needed - How to mitigate DDOS atacks with dns

I’m sure I listened to a MuM talk once that forwarding a packet to black hole takes less CPU than dropping? If there's a very effective way of doing it. Otherwise I doubt it. But whatever one does, packets definitely have to be silently dropped (as opposed to rejecting them with ICMP port unavailab...
by mkx
Mon Dec 23, 2024 2:23 pm
Forum: General
Topic: hap ax3 random wireless disconnects
Replies: 192
Views: 27360

Re: hap ax3 random wireless disconnects

Had same issues, changed DTIM values to 3 for 5GHz (it was 10 by default), the same was proposed upper in the thread, 2 days - no disconnects so far. A random thread from quite some time ago ... which concluded that DTIM interval longer than around 3 can (and will) cause problems with certain stati...
by mkx
Mon Dec 23, 2024 12:58 pm
Forum: Announcements
Topic: Newsletter #122 | December 2024
Replies: 80
Views: 42166

Re: Newsletter #122 | December 2024

But it seems the CRS304 can FastTrack at 1700 which would be acceptable for a 2.5G WAN. Not in my book. I'm paying monthly fee to ISP and I certainly want to have hardware which can use all of what I'm paying for. Otherwise I can save a few euros (every month) and live with slightly slower WAN link...
by mkx
Mon Dec 23, 2024 12:50 pm
Forum: Announcements
Topic: v7.17rc [testing] is released!
Replies: 408
Views: 141061

Re: v7.17rc [testing] is released!

Don't know how far 2.4ghz interference can go for USB3. The test computer is around 2/3 meters away from the next AP. The big problem is interference between locally connected interfaces (i.e. hAP ax3 with flakey USB3 stick plugged in and 2.4GHz radio ... USB3 activity will interfere with Rx path o...
by mkx
Mon Dec 23, 2024 12:26 pm
Forum: RouterBOARD hardware
Topic: Expanding the storage capacity of CRS520 [SOLVED]
Replies: 4
Views: 2616

Re: Expanding the storage capacity of CRS520 [SOLVED]

I'm here with @chechito wondering why TF? CRS520 comes with list price of almost 2200$ and power consumption exceeding 120W. So one doesn't really save much by not adding a small server to the network, a high-end raspberry pi would dance around CRS520 when it comes to server functions (stock samba v...
by mkx
Mon Dec 23, 2024 12:14 pm
Forum: Wireless Networking
Topic: WiFi Access Points Maxes at 300mbps D/L
Replies: 18
Views: 1812

Re: WiFi Access Points Maxes at 300mbps D/L

... so I don't see how the hEX could have any influence on the problem Some interference in form of timing jitter affecting TCP window scaling? Experience with official test results says that figure listed under "Ethernet test results -> Routing -> 25 ip filter rules -> 512 bytes [packet size]...
by mkx
Mon Dec 23, 2024 11:54 am
Forum: Announcements
Topic: v7.17rc [testing] is released!
Replies: 408
Views: 141061

Re: v7.17rc [testing] is released!

CPU in hAP ax3 can shuffle around 2.5Gbps (look at test results for bridging) and that's pretty lean on CPU (no packet processing, only passing between two ethernet interfaces). With SMB there's plenty of processing involved. And USB in SoC IPQ-6010 is 3.0, so max 5Gbps (including overhead) possible...
by mkx
Mon Dec 23, 2024 11:45 am
Forum: Announcements
Topic: Newsletter #122 | December 2024
Replies: 80
Views: 42166

Re: Newsletter #122 | December 2024

What you showed looks like a really old product for legacy customers. 40G and very slow at routing. CRS devices are switches (remember this fact by heart!) ... and many can route at wirespeed if properly configured for L3HW offload (with certain limitations which are device class dependent). If any...
by mkx
Mon Dec 23, 2024 10:51 am
Forum: General
Topic: Question related to "RouterOS bridge mysteries explained"
Replies: 8
Views: 1266

Re: Question related to "RouterOS bridge mysteries explained"

When port is used as stand-alone, then switch-chip passes frames to CPU (via cpu-facing bridge port) as they are ... then CPU does VLAN header manipulations (via VLAN interfaces attached to such stand alone port). So in this case no L2HW offload. It's rather similar when bridge is used ... and L2HW ...
by mkx
Mon Dec 23, 2024 9:25 am
Forum: Announcements
Topic: Newsletter #122 | December 2024
Replies: 80
Views: 42166

Re: Newsletter #122 | December 2024

One can get a 2x 25G card for 135 euro. Add processing power, necessary to route at 25+ Gbps and price tag is easily around 1000€ ... and you've got a mere 2-port router. And I'm pretty sure that such price tag is outside of MT users' comfort zone. So my guess is that we won't be seeing full 10Gbps...
by mkx
Sun Dec 22, 2024 6:57 pm
Forum: Wireless Networking
Topic: Audience backhaul issues
Replies: 8
Views: 2110

Re: Audience backhaul issues

What do I need to consider for the additional units? The problem is that one wireless station can only be connected to one bridge at a time. This problem kicks in when e.g. you need a chain of APs like this: ethernet -> AP1 <- wireless1 -> AP2 <- wireless2 -> AP3 <- wireless3 -> AP4 (etc) Let's say...
by mkx
Sun Dec 22, 2024 5:01 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 93
Views: 36792

Re: RouterOS bridge mysteries explained

@sindy if I understood correctly, there should be two "entities" capable of switching, the switch chip and the switching functional block in the cpu? In the context of bridge mysteries explanation forget about switch chip (the real, piece of hardware). In this context, there's only switch...
by mkx
Sun Dec 22, 2024 4:25 pm
Forum: RouterBOARD hardware
Topic: Run Multiple VLAN With Single DHCP Server
Replies: 3
Views: 1112

Re: Run Multiple VLAN With Single DHCP Server

Because we use existing device from several brand on our client, we need follow their default VID for their management. If it's only management, then you can bridge all 3 VLANs. I'll assume you have ether5 off-bridge and have something like this: /interface/vlan add interface=ether5 vlan-id=98 name...
by mkx
Sun Dec 22, 2024 4:07 pm
Forum: Wireless Networking
Topic: Audience backhaul issues
Replies: 8
Views: 2110

Re: Audience backhaul issues

Also 50 cm can be too close. This. Depending on channel selected, but ... As I mentioned, I've got single Audience, so the 4x4 radio is used in AP mode as well ... and my tablet, which currently resides around 3m away (and 1.5m below) with LOS, shows signal strength of -35dBm. Which is on the highe...
by mkx
Sat Dec 21, 2024 1:06 pm
Forum: General
Topic: Problem with lower ports on CGNAT LTE conn
Replies: 4
Views: 1001

Re: Problem with lower ports on CGNAT LTE conn

IMO it would be smart to ask MNO if they can give a public IP address and how much would that cost. I know a few MNOs who provide public IP addresses to those asking for one at small cost (or no cost at all).
by mkx
Sat Dec 21, 2024 11:16 am
Forum: General
Topic: How to reach a router behind a CGNAT? [SOLVED]
Replies: 23
Views: 3797

Re: How to reach a router behind a CGNAT? [SOLVED]

BTH function is done exactly for such cases.
by mkx
Sat Dec 21, 2024 11:08 am
Forum: General
Topic: Problem with lower ports on CGNAT LTE conn
Replies: 4
Views: 1001

Re: Problem with lower ports on CGNAT LTE conn

Some MNOs run firewall blocking certain types of traffic (typically with low destination port numbers because these are often used by servers). And some do CGNAT in a senseless manner. When those two worlds collide, anything can happen. Basically wireless broadband is mostly not fit for anything els...
by mkx
Fri Dec 20, 2024 11:52 pm
Forum: General
Topic: Moving Audience CAPsMAN config to RB5009 while retaining mesh functionality
Replies: 4
Views: 1109

Re: Moving Audience CAPsMAN config to RB5009 while retaining mesh functionality

Using CAPsMAN to provision audiences' "public radios" (i.e. the ones serving normal client devices) gives opportunity of better client mobility ... APs, participating in client mobility, have to be controlled by single entity (e.g. CAPsMAN) for all the mobility features (802.11 r/k/v) to w...
by mkx
Fri Dec 20, 2024 11:41 pm
Forum: Beginner Basics
Topic: Unale to get OpenVPN to work on RBD52G-5HacD2HnD (Firmware: 6.49.17)
Replies: 9
Views: 1534

Re: Unale to get OpenVPN to work on RBD52G-5HacD2HnD (Firmware: 6.49.17)

hAP ac2 can run v7 pretty fine. But : its 16MB flash is tiny and it's very likely it'll get full (and then all sorts of funny things start to happen). Base routeros v7 uses around 13MB of it, any wireless (legacy or new wifi) another 2MB or slightly more ... so not much free for config and/or additi...
by mkx
Fri Dec 20, 2024 1:46 pm
Forum: Wireless Networking
Topic: difference between vlan tag on wifi driver and bridge
Replies: 2
Views: 940

Re: difference between vlan tag on wifi driver and bridge

Generally it doesn't matter which way you do it if you configure wifi manually. In this case the only difference is if one uses multiple VLANs with single SSID, such scenario can't be implemented with bridge handling all VLAN tagging. If you use CAPsMAN and VLANs, then it takes lots of fussing (and ...
by mkx
Fri Dec 20, 2024 1:36 pm
Forum: General
Topic: The IP of the bridge is occasionally unavailable [SOLVED]
Replies: 16
Views: 2737

Re: The IP of the bridge is occasionally unavailable [SOLVED]

How does profile output look like while pings are timing out?
by mkx
Fri Dec 20, 2024 1:31 pm
Forum: General
Topic: Moving Audience CAPsMAN config to RB5009 while retaining mesh functionality
Replies: 4
Views: 1109

Re: Moving Audience CAPsMAN config to RB5009 while retaining mesh functionality

CAPsMAN doesn't configure backhaul ... which in usual AP installation is ethernet while in mesh it's the 4x4 radio (I guess it's called wlan2 when running wireless drivers, it's wifi2 when running wifi-qcom-ac drivers). Furthermore, radios lose their setup if they lose connectivity towards CAPsMA...
by mkx
Fri Dec 20, 2024 10:18 am
Forum: General
Topic: NAT cannot record real IP addresses
Replies: 8
Views: 1188

Re: NAT cannot record real IP addresses

The second rule hints at use of hairpin NAT because in-interface=bridge to-addresses=192.168.88.244 ... default config has 192.168.88.0/24 on LAN and bridge is the interface used by router to talk to LAN. And if that's how you need it, then you need the masquerade rule which obfuscates actual src-a...
by mkx
Fri Dec 20, 2024 9:23 am
Forum: General
Topic: NAT cannot record real IP addresses
Replies: 8
Views: 1188

Re: NAT cannot record real IP addresses

It's the last rule (masquerade) which messes src-address. In principle it's not needed unless you require "hairpin NAT" ... in which case there's no way around it.

Unless you create separate IP subnet for the server.
by mkx
Fri Dec 20, 2024 9:17 am
Forum: Beginner Basics
Topic: RB5009 in the hands of a newbie, Gateway problem
Replies: 19
Views: 2719

Re: RB5009 in the hands of a newbie, Gateway problem



Don't think so.
Not on RB5009 with 8 ether ports :lol:
Then they should have called it the RB5008 LOL
Then use port 8, use your imagination, drink some moose milk!!!
5009 is indeed an odd number for a router ... specially because it's even :lol:
by mkx
Thu Dec 19, 2024 11:08 pm
Forum: General
Topic: NTP Synchronization Issue with HMI in a Router-Switch Setup
Replies: 6
Views: 1639

Re: NTP Synchronization Issue with HMI in a Router-Switch Setup

Verify on Mikrotik that NTP client is properly synchronized. Without that, NTP server won't allow further clients to synchronize to it. ROS NTP server doesn't use own RTC as time source (among other reasons because MT hardware doesn't have RTC).
by mkx
Thu Dec 19, 2024 7:23 pm
Forum: Beginner Basics
Topic: Wireless Bridge
Replies: 9
Views: 1389

Re: Wireless Bridge

Move DHCP client from ether1 to "JJMarketing Wireless Bridge". Also remove comment on DHCP client as your device doesn't have WAN interface. Two other minor things: remove bridge with name bridge1 ... it's not used at all setting names of items to settings with spaces in them makes config ...
by mkx
Thu Dec 19, 2024 4:28 pm
Forum: Beginner Basics
Topic: Wireless Bridge
Replies: 9
Views: 1389

Re: Wireless Bridge

As I wrote: provide us with actual configuration and we'll proceed from there.
by mkx
Thu Dec 19, 2024 4:27 pm
Forum: Beginner Basics
Topic: problem with vlan configuration
Replies: 10
Views: 1262

Re: problem with vlan configuration

You've set 192.168.10.1/24 to one interface and 192.168.10.2/24 to the other interface. Every normal device will assume these two addresses are in same subnet and hence directly accessible without explicitly using router. And bridge is here to pass traffic from ether1 to ether2 (with appropriate VLA...
by mkx
Thu Dec 19, 2024 4:17 pm
Forum: General
Topic: Issues with MikroTik Router Upgrades
Replies: 6
Views: 1140

Re: Issues with MikroTik Router Upgrades

I have some problems with my MikroTik Routers. I plan to upgrade all MKT devices from version 6.46.6 to 7.16.1. I think that MT would recommend you to use ROS built-in updater (under /system/packages/update). As already mentioned, there will be a few steps: while running 6.46.6, upgrade it to lates...
by mkx
Thu Dec 19, 2024 4:05 pm
Forum: Beginner Basics
Topic: Wireless Bridge
Replies: 9
Views: 1389

Re: Wireless Bridge

Basically your list of tasks performed seems about right for an AP/switch combo ... which then needs another device acting as router / DHCP server / etc in same ethernet network. Can you post current configuration? Open terminal window (from GUI) or connect to device using SSH. Then execute command ...
by mkx
Thu Dec 19, 2024 11:01 am
Forum: RouterBOARD hardware
Topic: 5009 version with wifi ?
Replies: 63
Views: 5737

Re: 5009 version with wifi ?

I have no closet solution. There are devices with better form factor (and WAF) than RB5009 when it comes to placing/mounting anywhere else than inside rack. To be absolutely clear: I'm not saying that there's no place for wireless routers any more ... my main point being that RB5009 / L009 form fac...
by mkx
Thu Dec 19, 2024 10:59 am
Forum: General
Topic: Is my routerboard RB750r2 Bricked? No response from router for netinstall
Replies: 4
Views: 938

Re: Is my routerboard RB750r2 Bricked? No response from router for netinstall

I have tried doing a netinstall as follows: 1. Press and hold reset button 2. Insert power cable. 3. Wait for flashing act light, continue to wait for On act light, continue to wait act light off. then release reset button. [snip] Running wireshark on the used ethernet I can see the routerboard sen...
by mkx
Thu Dec 19, 2024 8:33 am
Forum: RouterBOARD hardware
Topic: 5009 version with wifi ?
Replies: 63
Views: 5737

Re: 5009 version with wifi ?

IMO the big problem with powerful wireless routers is the fact that with increasing "mainstream" wifi frequencies (5GHz now, 6GHz coming) it's necessary to deploy multiple APs on the same area where with 2.4GHz APs it was enough to have single AP. And those multiple APs have to be positio...
by mkx
Thu Dec 19, 2024 8:08 am
Forum: Wireless Networking
Topic: CapsMan - can't get 20Mhz channels on 2.4Ghz [SOLVED]
Replies: 6
Views: 1749

Re: CapsMan - can't get 20Mhz channels on 2.4Ghz [SOLVED]

About 160MHz channel width, that's for APs capable of using it. First one which can is wAP AX (and it works just fine 8) ). Actually ... audience was first 8) : 2 L radio-mac=2C:C8:1B:77:DE:EA tx-chains=0,1,2,3 rx-chains=0,1,2,3 bands=5ghz-a:20mhz,5ghz-n:20mhz,20/40mhz,5ghz-ac:20mhz,20/40mhz, 20/40...
by mkx
Wed Dec 18, 2024 11:39 pm
Forum: General
Topic: The IP of the bridge is occasionally unavailable [SOLVED]
Replies: 16
Views: 2737

Re: The IP of the bridge is occasionally unavailable [SOLVED]

To the topic: so basically your core switch doesn't respond to every ping sent at, regardless of where it was sent from. So it might be something about core switch IP configuration (or it might actually be overloaded ... run CPU profiler and see if that might be the case). CPU total is about 16-24 ...
by mkx
Wed Dec 18, 2024 4:01 pm
Forum: General
Topic: The IP of the bridge is occasionally unavailable [SOLVED]
Replies: 16
Views: 2737

Re: The IP of the bridge is occasionally unavailable [SOLVED]

Is it normal that the first interface has the same mac as the bridge? This is default behaviour if you don't set bridge MAC manually (bridge assumes MAC address of first member port). To the topic: so basically your core switch doesn't respond to every ping sent at, regardless of where it was sent ...
by mkx
Wed Dec 18, 2024 8:46 am
Forum: Beginner Basics
Topic: Assign IP address to a bridge?
Replies: 5
Views: 1380

Re: Assign IP address to a bridge?

Can you provide some basic real world examples on when I need L3 access to the bridge from the CPU?

Management of said device (used as switch) from network connected to one of bridged ports.

Routing between single off-bridge port (WAN) and bridged ports (LAN).

Etc.
by mkx
Tue Dec 17, 2024 10:53 pm
Forum: Beginner Basics
Topic: Assign IP address to a bridge?
Replies: 5
Views: 1380

Re: Assign IP address to a bridge?

Bridge has a few personalities, neatly explained in this tutorial: https://forum.mikrotik.com/viewtopic.php?t=173692 One of personalities is interface allowing CPU to communicate with L2 network joined together by bridge (the switch-like personality). If CPU is to communicate on L3 with devices memb...
by mkx
Tue Dec 17, 2024 8:42 pm
Forum: Wireless Networking
Topic: Help with creating wireless access to switch with managment VLAN
Replies: 3
Views: 947

Re: Help with creating wireless access to switch with managment VLAN

The DE FACTO guide on setting up VLAN for ROS https://forum.mikrotik.com/viewtopic.php?t=143620 Configuration, based on linked tutorial, will work fine ... but sloooowly because CRS1xx can't offload bridge config to switch chip. Instead one has to configure things directly on switch chip: https://h...
by mkx
Tue Dec 17, 2024 8:34 pm
Forum: General
Topic: When the WAN network card is bound to multiple IPs, there is an issue with the source IP for system remote logging
Replies: 6
Views: 1118

Re: When the WAN network card is bound to multiple IPs, there is an issue with the source IP for system remote logging

It's possible to set pref-src property on static routes, e.g. /ip/route add dst-address=0.0.0.0/0 gateway=172.16.1.1 pref-src=172.16.1.30 Then router uses this address when making new connection using that particular route. But I don't know if the same selection applies if destination is in same IP ...
by mkx
Mon Dec 16, 2024 9:48 pm
Forum: General
Topic: "no enough permission" Error
Replies: 5
Views: 941

Re: "no enough permission" Error

... restore config from export (not backup!).

Or, better yet, start from default config and apply minimum changes required. It's possible that flakey config allowed exploit to succeed.
by mkx
Mon Dec 16, 2024 9:45 pm
Forum: Wireless Networking
Topic: No CAPsMan forwarding on new CAPsMan?
Replies: 17
Views: 2107

Re: No CAPsMan forwarding on new CAPsMan?

Whatever datapath settings from capsman config are enforced on CAP side. E.g. bridge name ...

How to split traffic? Most straight forward using VLANs (if not using wifi-qcom-ac driver on CAP) or some L2 tunneling (e.g. EoIP) if VLANs absolutely aren't possible.
by mkx
Mon Dec 16, 2024 9:37 pm
Forum: Wireless Networking
Topic: Replaced Router, must re-enter WiFi passphrase? [SOLVED]
Replies: 6
Views: 1552

Re: Replaced Router, must re-enter WiFi passphrase? [SOLVED]

Some devices try to identify the network to set appropriate firewall setup (e.g. home/work/public) ... e.g. Windows does that. And among other information gateway's MAC address is taken into account. And I guess some (paranoid) devices might require re-entering pass phrase simply to make owner aware...
by mkx
Mon Dec 16, 2024 9:26 pm
Forum: Wireless Networking
Topic: CAPsMAN DHCP Server for CAP AX Client
Replies: 15
Views: 2698

Re: CAPsMAN DHCP Server for CAP AX Client

... when using the previous generation access point, I only need to configure a profile in CAPsMAN that goes to each datapath. As I wrote: with new CAPsMAN there is no capsman-forwarding any more. Wireless interfaces, even though provisioned by CAPsMAN, are attached locally to CAP's bridge and loca...
by mkx
Mon Dec 16, 2024 9:04 pm
Forum: Beginner Basics
Topic: DHCP client - keep having link down [SOLVED]
Replies: 13
Views: 2230

Re: DHCP client - keep having link down [SOLVED]

Can you please point me where are the defaults firewall rules?
Open terminal and execute
/system/default-configuration/print

(as user with admin privileges)
by mkx
Mon Dec 16, 2024 8:57 am
Forum: RouterBOARD hardware
Topic: hEX refresh (E50UG) - router for gigabit internet?
Replies: 30
Views: 6176

Re: hEX refresh (E50UG) - router for gigabit internet?

wifi-qcom is an extra package. Don't install it. No drivers - no radio. I think the point is that WiFi module costs money that could have been spent elsewhere (better CPU, 2 Gbps eth1-CPU link etc) or just excluded to make the price less. Commodity hardware, used as heart of MT devices, often alread...
by mkx
Mon Dec 16, 2024 8:49 am
Forum: Wireless Networking
Topic: CAPsMAN DHCP Server for CAP AX Client
Replies: 15
Views: 2698

Re: CAPsMAN DHCP Server for CAP AX Client

New wifi CAPsMAN doesn't offer capsman forwarding. Which means that without VLANs CAP is joining normal LAN. And traffic then normally doesn't hit CAPsMAN. When it comes to DHCP ... when DHCP client (WiFi station in your case) sends out DHCP Discovery, every DHCP server in same L2 broadcast domain ...
by mkx
Mon Dec 16, 2024 8:39 am
Forum: Wireless Networking
Topic: Band steering - "priority" to 5Ghz [SOLVED]
Replies: 55
Views: 42436

Re: Band steering - "priority" to 5Ghz [SOLVED]

Seems that connect-priority 0/1 improved the situation. Devices now do switch to 5ghz, but it does not seem due to actual steering, but because they eventually take that decision themselves. WiFi standards (802.11 anything) don't standardize handovers (at decision of network entity), they standard...
by mkx
Mon Dec 16, 2024 8:24 am
Forum: General
Topic: ROS 6.49 - Device Discovery issue when VLAN is used
Replies: 4
Views: 1946

Re: ROS 6.49 - Device Discovery issue when VLAN is used

Does this problem still exist in Ros 7? This problem never existed for me, neither in v6 nor in v7. I cannot delete PVID on the bridge interface. You can't delete PVID ... but if you set bridge CPU-facing port with frame-types=admit-only-vlan-tagged, then PVID setting will become irrelevant. After...
by mkx
Sat Dec 14, 2024 8:57 pm
Forum: Wireless Networking
Topic: wAP ax?
Replies: 290
Views: 37902

Re: wAP ax?

It shows who has everything to say in your household.

As if it's not the same in your household :-P


We are speaking about WAF here, not about HAlF :wink:
by mkx
Sat Dec 14, 2024 8:50 pm
Forum: General
Topic: L009 - don't like it...
Replies: 16
Views: 1980

Re: L009 - don't like it...

Set aside the whining, I don't see a difference between hexs and L009: I don't have either hEX S nor L009 ... so only guessing: it could be that L009 doesn't allow PoE out if it's powered via PoE in ... while hEX S did? The fact is that PoE 802.3 comes with some stringent specifications (which MT mo...
by mkx
Sat Dec 14, 2024 8:36 pm
Forum: General
Topic: How to configure bond with 2 switches and NAS [SOLVED]
Replies: 8
Views: 1723

Re: How to configure bond with 2 switches and NAS [SOLVED]

What are my options to achieve 20gbps speeds ? I thought 802.3ad would give this with layer3+4 hashing, but even with multiple-streams (iperf3 -P) I get capped at 10gbps. I noticed that iperf3 is using same port for all streams, so I guess that can explain it. IMO you should stick to 802.3ad ... wi...
by mkx
Sat Dec 14, 2024 8:21 pm
Forum: Beginner Basics
Topic: DHCP client - keep having link down [SOLVED]
Replies: 13
Views: 2230

Re: DHCP client - keep having link down [SOLVED]

Generally I'd say that your current firewall is .... inadequate. IMO default rules are much better than yours. So I guess you have very good reasons for ditching default and implementing .... what you have now. However, it does seem weird if DDoS attack would cause your router to drop ethernet link....
by mkx
Sat Dec 14, 2024 12:16 am
Forum: General
Topic: How to configure bond with 2 switches and NAS [SOLVED]
Replies: 8
Views: 1723

Re: How to configure bond with 2 switches and NAS [SOLVED]

My other Linux server that is 2x2.5G bonded on Linux side and is connected to Layer3 TP-link switch. I didn't have to do any config changes on switch to make this bond work. There are some bond modes, available in linux, which don't require switch to know there's bond involved ... but it works well...
by mkx
Sat Dec 14, 2024 12:03 am
Forum: Beginner Basics
Topic: DHCP client - keep having link down [SOLVED]
Replies: 13
Views: 2230

Re: DHCP client - keep having link down [SOLVED]

I can't see anything weird...

One line above the message about losing DHCP lease it mentions link down on ether8-WAN ... so you'll have to investigate why link between your router and ISP device drops. There are plenty of possible reasons for that ...
by mkx
Fri Dec 13, 2024 4:55 pm
Forum: Beginner Basics
Topic: DHCP client - keep having link down [SOLVED]
Replies: 13
Views: 2230

Re: DHCP client - keep having link down [SOLVED]

... but randomly appears
dhcp-client on ether8-WAN lost IP address 89.XXX.XX.18 - lease stopped locally

Can you show us log lines immediately preceding the quoted message (a few tens of seconds of history should do it) ... in general anything related to ether8-WAN port or DHCP.
by mkx
Fri Dec 13, 2024 4:49 pm
Forum: General
Topic: CCR2004-1G-12S+2XS - Hardware switching features
Replies: 4
Views: 4904

Re: CCR2004-1G-12S+2XS - Hardware switching features

I bought this thing. It has 25G interfaces to be a typical bridge, but there is no way to transfer even 10G in bridge mode. Is this some kind of joke? You bought router which happens to have 2x 25Gbps ports (and some others). Official test results tell that thing can route at speeds between 5Gbps a...
by mkx
Fri Dec 13, 2024 3:34 pm
Forum: General
Topic: How to configure bond with 2 switches and NAS [SOLVED]
Replies: 8
Views: 1723

Re: How to configure bond with 2 switches and NAS [SOLVED]

So nothing to be done on Linux itself ? Of course there is, bonds have to be configured on both sides of logical link. And bond mode (e.g. 802.3ad) has to match (Tx hash strategy can be different on both ends). I guess you didn't get feedback on linux-side config because that is largely of scope of...
by mkx
Fri Dec 13, 2024 8:26 am
Forum: RouterBOARD hardware
Topic: Where is the Audience AX?
Replies: 10
Views: 2021

Re: Where is the Audience AX?

Let's assume they are working on it.

You know what they say: assumption is mother of all f**ups. So let's not assume anything ... not with Mikrotik :wink:
by mkx
Fri Dec 13, 2024 8:18 am
Forum: General
Topic: Still no TLS 1.3?
Replies: 11
Views: 1540

Re: Still no TLS 1.3?

As long as TLS 1.2 is still considered secure and ROS supports secure ciphers, I couldn't care less. Everything else is compliance BS. It's not just about security, TLS 1.3 have more optimal handshake, less round trips. True. But when it comes to managing your router/switch/AP, how many hundreds...
by mkx
Fri Dec 13, 2024 8:14 am
Forum: Beginner Basics
Topic: Is device damage possible when using PoE switch?
Replies: 5
Views: 1139

Re: Is device damage possible when using PoE switch?

... if for whatever reasons you applied an excessive voltage to ether1 I would expect It to fry, not the other ports.

If this happened, then this is quite a problem ... because netinstall works only on ether1.
by mkx
Thu Dec 12, 2024 6:52 pm
Forum: RouterBOARD hardware
Topic: Where is the Audience AX?
Replies: 10
Views: 2021

Re: Where is the Audience AX?

I don't understand why mikrotik doesn't have some kind of roadmap...

Wait ... Mikrotik has a roadmap?

I'd love to buy an Audience ax or two as long as it's as good as current Audience (I simply love it).
by mkx
Thu Dec 12, 2024 6:44 pm
Forum: RouterBOARD hardware
Topic: CCR1016 / Temperature sensor defect?
Replies: 2
Views: 1109

Re: CCR1016 / Temperature sensor defect?

There have been previous reports on this forum about CCRs with similar symptoms. All have been resolved by replacing capacitors in PSU and/or main board, which showed signs of failing (bulged ends). When doing it, make sure that replacement capacitors match capacity of original ones (too big differe...
by mkx
Thu Dec 12, 2024 9:09 am
Forum: Wireless Networking
Topic: mANT Box 52 15s setup
Replies: 1
Views: 673

Re: mANT Box 52 15s setup

Are ether1 and wlan2 members of same bridge? Broadcast packets are in principle not routed, only switched/bridged.

And possible misconception: if only traffic flowing is broadcast, then it'll only affect Tx counters not Rx (only port connecting to broadcast source(s) will show Rx activity).
by mkx
Thu Dec 12, 2024 9:06 am
Forum: Beginner Basics
Topic: Share 10Gb Internet connection ccr2004-1G-12S+2XS
Replies: 7
Views: 1318

Re: Share 10Gb Internet connection ccr2004-1G-12S+2XS

Bridge is only necessary if one wants to switch between bridge member ports. If device is used as pure router (strictly routing between ports), then bridge is not needed (and if it's used then one has to take extra steps to block L2 communication between different ports).
by mkx
Thu Dec 12, 2024 8:37 am
Forum: Beginner Basics
Topic: RB960PGS as internal routers
Replies: 1
Views: 720

Re: RB960PGS as internal routers

Post textual export of configuration of your RB960PGS. I suspect that the problem is in routing indeed. Either you have to add routes to different remote locations on main router or you have to configure SRC-NAT on each of remote location routers. Personally I'd go for first option as it allows you ...
by mkx
Wed Dec 11, 2024 12:19 pm
Forum: General
Topic: IP Cloud (Dynamic DNS) down?
Replies: 101
Views: 16065

Re: mynetname is down ?

just use your own dns, set up a cname to the ugly domain name and problem solved. Is not. Even if your own DNS server can reply with CNAME record, clients still won't be able to resolve the serial.sn.mynetname.net ... the only way around it is to actually update A record on your DNS server whenever...
by mkx
Wed Dec 11, 2024 12:15 pm
Forum: Beginner Basics
Topic: Issue with Layer7 Protocol and Address List in RouterOS v7.16
Replies: 11
Views: 1548

Re: Issue with Layer7 Protocol and Address List in RouterOS v7.16

It should match http://youtube.com but not a lot more.
AFAIK not even protocol (http), only host name, e.g. youtube.com ...
by mkx
Wed Dec 11, 2024 12:14 pm
Forum: Beginner Basics
Topic: Issue with Layer7 Protocol and Address List in RouterOS v7.16
Replies: 11
Views: 1548

Re: Issue with Layer7 Protocol and Address List in RouterOS v7.16

As I already wrote: if those domain names are not sent from client towards server in plain text, then L7 matcher won't be able to match them. You can verify if this is indeed a problem by doing a wireshark recording (on client machine would be fine) and check initial few packets, sent from client to...
by mkx
Wed Dec 11, 2024 11:43 am
Forum: RouterBOARD hardware
Topic: Has Mikrotik finally solved port flapping issue in the newer hardware?
Replies: 43
Views: 21273

Re: Has Mikrotik finally solved port flapping issue in the newer hardware?

I have mentioned about this problem in 2019, five years passed and still the same. CRS326 is unusable at all. Do you actually have problems with CRS326 or is only the stats which are worrying you? And an idea: screenshot shows really low port speeds (10Mbps, 100Mbps) for ports with most link downs....
by mkx
Wed Dec 11, 2024 11:29 am
Forum: General
Topic: Blocking Static IP assignments
Replies: 3
Views: 919

Re: Blocking Static IP assignments

Only on the bridge, as that's what the IP stack is linked to. The Ethernet interfaces are just member ports of the bridge in this setup. ... which also means that access to other networks (including internet) can be controlled in this way. But: communication between devices on same IP subnet (even ...
by mkx
Wed Dec 11, 2024 11:28 am
Forum: Beginner Basics
Topic: Issue with Layer7 Protocol and Address List in RouterOS v7.16
Replies: 11
Views: 1548

Re: Issue with Layer7 Protocol and Address List in RouterOS v7.16

Almost definitely the two rules you showed are not full firewall config. Or is it? Regarding L7: almost everything nowadays works over encrypted communications (httpS) and almost every server/client combination supports TLS v1.3. In TLS v1.3 also SNI is encrypted, hence L7 regex rule in ROS can not ...
by mkx
Wed Dec 11, 2024 8:53 am
Forum: RouterBOARD hardware
Topic: Serving GPS data from a LAN-connected receiver?
Replies: 2
Views: 1110

Re: Serving GPS data from a LAN-connected receiver?

Unfortunately, one drawback of my setup is that my location data is random. At one point websites think I'm in southern California, and then a day or two later I'm supposedly outside Chicago. AFAIK this has nothing to do with your actual physical location, it's got to do with some GeoIP databases ....
by mkx
Wed Dec 11, 2024 8:42 am
Forum: General
Topic: Limited Bandwidth on Thunderbird? [SOLVED]
Replies: 6
Views: 1493

Re: Limited Bandwidth on Thunderbird? [SOLVED]

My experience with Gmail and IMAP is that when there are many messages in inbox (several thousand which in my case translates into a couple of gigabytes of space consumed), then sync rate plummets. IMO nothing to do with router.
by mkx
Tue Dec 10, 2024 3:42 pm
Forum: General
Topic: Winbox on arm64
Replies: 8
Views: 1807

Re: Winbox on arm64

Drawback: you probably can not use MAC access (I'm not even sure you can do that using Wine, never used it myself). It's possible to use winbox over MAC using wine (just tried winbox 3.35 x64 in linux). For CLI over MAC I guess there's no real option now, MT doesn't provide MAC telnet client for wi...
by mkx
Tue Dec 10, 2024 12:24 pm
Forum: General
Topic: VLAN Experts' help needed
Replies: 14
Views: 1752

Re: VLAN Experts' help needed

Can you set one of ISP router ports as trunk port? Routers, provided by Telekom Slovenije, have option to set each port as either "data", "IPTV" or "both" ... the latter being trunk mode. This way you'll get IPTV already (natively) VLAN tagged (and internet probably unta...
by mkx
Tue Dec 10, 2024 12:15 pm
Forum: General
Topic: VLAN Experts' help needed
Replies: 14
Views: 1752

Re: VLAN Experts' help needed

Just seeing lots of devices on the interface with torch that should not be there at all, nothing to do with IPTV multicast. If IPTV of Makedonski Telekom is anything similar to same thing of Telekom Slovenije, then VLAN for IPTV is switched for many IPTV customers ... and you will be able to see so...
by mkx
Tue Dec 10, 2024 9:23 am
Forum: General
Topic: [HELP] Trouble with VLAN setup on Audience (RBD25G-5HPacQD2HPnD) running RouterOS 7.16.2 [SOLVED]
Replies: 14
Views: 3938

Re: [HELP] Trouble with VLAN setup on Audience (RBD25G-5HPacQD2HPnD) running RouterOS 7.16.2 [SOLVED]

... translating it to new CAPsMAN and wave2 will most likely be the next challenge once I've established a working VLAN setup. So one step at a time... :) Well ... support for VLANs in wifi-qcom-ac package is next to none (while wireless has pretty good support), so if you're struggling with VLANs ...
by mkx
Tue Dec 10, 2024 9:08 am
Forum: General
Topic: Do AP's come with all router functions?
Replies: 29
Views: 3389

Re: Do AP's come with all router functions?

Normally "AP" are strictly AP's. All Mikrotik's APs (all are running ROS) are "wireless router" in parlance of many other vendors. Mikrotik doesn't have any "AP only" device at the moment (and never did so far, can't say anything about future models). However, it's pos...