Community discussions

Search found 12914 matches

by mkx
Wed Oct 09, 2024 6:10 pm
Forum: Beginner Basics
Topic: IPv6 ULA DHCP Issue
Replies: 4
Views: 203

Re: IPv6 ULA DHCP Issue

What @tdw wrote is about MT's DHCPv6 server (it doesn't hand out addresses to devices, only prefixes) and not about address types (ULA vs. GUA).
by mkx
Wed Oct 09, 2024 5:55 pm
Forum: Beginner Basics
Topic: Advice on (M)STP settings
Replies: 4
Views: 165

Re: Advice on (M)STP settings

Yes ... either MSTP or RSTP or STP (in this order of preference), whichever is supported by all L2 devices in your network.
by mkx
Wed Oct 09, 2024 5:49 pm
Forum: General
Topic: Proxy
Replies: 1
Views: 113

Re: Proxy

Generally HTTPS clients absolutely have to be aware that they're connecting to proxy server and not directly to target. And that's done through configuration of clients ...
With HTTP it may be possible to do "transparent proxy" with port forwarding.
by mkx
Wed Oct 09, 2024 5:23 pm
Forum: Beginner Basics
Topic: Advice on (M)STP settings
Replies: 4
Views: 165

Re: Advice on (M)STP settings

First off: don't mix different STP modes, they simply don't interwork.
by mkx
Sun Oct 06, 2024 10:41 pm
Forum: SwOS
Topic: CRS305-1G-4S+IN: SwOS Management Interface Not Responding to Tagged VLAN 1 Traffic
Replies: 1
Views: 544

Re: CRS305-1G-4S+IN: SwOS Management Interface Not Responding to Tagged VLAN 1 Traffic

You can't communicate both using tagged and untagged frames (where PVID / default VID for untagged is same as the tagged). Frames can egress either tagged or untagged, not both. And switch has no idea whether the other direction uses tagged or untagged for some particular session. So if you insist o...
by mkx
Sun Oct 06, 2024 9:13 am
Forum: General
Topic: Exclude fasttrack from specif ip [SOLVED]
Replies: 4
Views: 264

Re: Exclude fasttrack from specif ip [SOLVED]

You can exclude something from fasttrack by explicitly accepting that using a rule which is placed above fasttrack rule.
by mkx
Sat Oct 05, 2024 10:51 pm
Forum: General
Topic: DHCP works, but NO Internet [SOLVED]
Replies: 17
Views: 555

Re: DHCP works, but NO Internet [SOLVED]

Address on "LAN" side is wrong:
/ip address
add address=192.168.4.0/24 interface=ether4 network=192.168.4.0

Address should be 192.168.4.1/24 instead.
by mkx
Sat Oct 05, 2024 9:18 am
Forum: Wireless Networking
Topic: RB5009 > CAP xl ac > CapsMan
Replies: 1
Views: 130

Re: RB5009 > CAP xl ac > CapsMan

Also, the caps are supposed to be able to daisy chained correct? If you're talking about PoE ... then likely no. Visit product page, check powering and PoE out data for all involved devices and do the power budget calculation. Also allow for power losses in cables (meaning that you have to consider...
by mkx
Fri Oct 04, 2024 10:08 pm
Forum: Wireless Networking
Topic: All my wAP 60G AP default to 58320
Replies: 2
Views: 170

Re: All my wAP 60G AP default to 58320

Ideally they would not even hear each other if both are mounted at least half decently. Or do they sense high interference?
by mkx
Fri Oct 04, 2024 3:34 pm
Forum: General
Topic: Switch bleeding tagged multicast/broadcast frames from other vlan. Bug?
Replies: 8
Views: 407

Re: Switch bleeding tagged multicast/broadcast frames from other vlan. Bug?

I prefer having 2 independent tables for my vlans, so I don't run into issues when the same MAC appears in both vlans. Independent learning is not about same MAC in different VLANs (in majority of implementations that's the way it is anyway). Independent learning might be about MSTP (or something l...
by mkx
Fri Oct 04, 2024 9:00 am
Forum: Wireless Networking
Topic: Signal Strength Weakens for Each New Access Point Connected to CAPsMAN (RouterOS 7.16) [SOLVED]
Replies: 8
Views: 915

Re: Signal Strength Weakens for Each New Access Point Connected to CAPsMAN (RouterOS 7.16) [SOLVED]

As @neki already hinted: Tx power is not constant over devices and channels. If you look at device product pages ( cAP ax and hAP ax3 ), section "Wireless specifications", it becomes obvious that hAP ax3 has, in principle, higher Tx power available. When, e.g. talking about 2.4GHz ax, it's...
by mkx
Fri Oct 04, 2024 12:03 am
Forum: Wireless Networking
Topic: Issues with SSID Visibility on MikroTik Router (RB2011UiS 2hnd-IN)
Replies: 1
Views: 145

Re: Issues with SSID Visibility on MikroTik Router (RB2011UiS 2hnd-IN)

When master interface is mode=station (or any station derivative) and virtual interface(s), enslaved to that master, are in mode=ap (or bridge), then master has to be connected to some AP before virtuals can be shown on air. The reason being: only master interface can control properties of radio (fr...
by mkx
Thu Oct 03, 2024 11:55 pm
Forum: Wireless Networking
Topic: New PPSK functionality
Replies: 33
Views: 1779

Re: New PPSK functionality

Another thing to try: set disable-running-check=yes on all wifi interfaces and see if wireless station behaves any different. Alternate test would be to connect second station using same PPSK passphrase while first one is successfully connected (if the "running check" is the culprit, then ...
by mkx
Wed Oct 02, 2024 11:29 pm
Forum: RouterBOARD hardware
Topic: SFP transceivers to connect L009 & RB5009
Replies: 21
Views: 7045

Re: SFP transceivers to connect L009 & RB5009

I really don’t know what transceivers MikroTik want us to use for the L009.

Optical ones ... those may even work with forced speed as per documentation.
by mkx
Wed Oct 02, 2024 11:22 pm
Forum: General
Topic: Switch rule to block out everything but 1 mac, not working as expected
Replies: 9
Views: 352

Re: Switch rule to block out everything but 1 mac, not working as expected

Comments are a linguistic category and since we're coming from different language families (and we're both non-native English speakers), I think we can agree that we don't understand your comments in the same meaning :wink:
by mkx
Wed Oct 02, 2024 11:17 pm
Forum: General
Topic: DDoS protection without DDoSing oneself?
Replies: 7
Views: 382

Re: DDoS protection without DDoSing oneself?

I would say that any kind of DDoS protection is mostly futile and the only realistic goal in such case is to keep router/firewall alive ... in a sense that it doesn't start passing forbidden traffic in wrong direction and in a sense that it recovers soon after DDoS attack stops. Pulling WAN cable ou...
by mkx
Wed Oct 02, 2024 11:01 pm
Forum: Wireless Networking
Topic: New PPSK functionality
Replies: 33
Views: 1779

Re: New PPSK functionality

Let me rephrase my last question ... If I understand your comment in one of previous posts, this is what happens: When you try to connect station using "non-standard" password, connection initially fails. When you try to do it second time (a few seconds later), entering very same non-stand...
by mkx
Wed Oct 02, 2024 10:51 pm
Forum: General
Topic: Switch rule to block out everything but 1 mac, not working as expected
Replies: 9
Views: 352

Re: Switch rule to block out everything but 1 mac, not working as expected

So, there is the need of two "monodirectional" rules: comment="Allow from 00:E0:4C:00:03:A7 to ether5" and: comment="Allow to 00:E0:4C:00:03:A7 from ether5" ? :?: Make those "from/to ether5" read "via ether5" to make comment more precise. It seems t...
by mkx
Wed Oct 02, 2024 10:39 pm
Forum: General
Topic: Masquerade with VLANs [SOLVED]
Replies: 5
Views: 422

Re: Masquerade with VLANs [SOLVED]

A question I have to you, mkx, is what do you mean by default setup. Do you mean the default setup as provided by mikrotik when setting up the device? Yes, I was talking about config which is available if device is "reset to factory default". You can always see it if you open terminal win...
by mkx
Wed Oct 02, 2024 10:31 pm
Forum: General
Topic: DDoS protection without DDoSing oneself?
Replies: 7
Views: 382

Re: DDoS protection without DDoSing oneself?

xdp, bpf & co want to replace the whole kernel packet handling (i.e. everything drawn in nftables diagram) with a different (simplified) implementation of packet handling. And you're right, ROS doesn't do any of it, so just forget about it. Next the DDoS handling in the pre-ingress: that would b...
by mkx
Wed Oct 02, 2024 10:14 pm
Forum: General
Topic: NAT problem
Replies: 3
Views: 195

Re: NAT problem

The problem is this: DST-NAT rule is evaluated for every packet[*] passing router in any direction. Which means that also packets for connections, originating in LAN and targeting internet, will trigger NAT rule evaluation. It's then the selecting properties of each NAT rule to narrow down selection...
by mkx
Wed Oct 02, 2024 9:59 pm
Forum: General
Topic: error DHCP
Replies: 4
Views: 204

Re: error DHCP

Now Mikrotik's DHCP assigns an IP, rejects it after 2 seconds, .... [*]dhcp1 client AE:F3:2B:D0:37:79 declines IP address 172.17.44.181 The log says that client rejects offer. Which most likely means that it detects IP being in use. If not all of those IP addresses are actually in use, this likely ...
by mkx
Wed Oct 02, 2024 9:55 pm
Forum: Beginner Basics
Topic: In absence of other internet connection, does it make sense to practice configuring RB5009UPr using... [SOLVED]
Replies: 4
Views: 666

Re: In absence of other internet connection, does it make sense to practice configuring RB5009UPr using... [SOLVED]

When I wrote "If that switch behaves as it should" I was thinking about possible effects one additional switch in packet path might have. E.g. a slightly increased latency (normally we're talking about fractions of a millisecond). A misbehaving switch could corrupt frames, drop frames, dela...
by mkx
Wed Oct 02, 2024 5:27 pm
Forum: Wireless Networking
Topic: New PPSK functionality
Replies: 33
Views: 1779

Re: New PPSK functionality

After a station with non-default PSK (and hence custom VLAN ID) connects to AP, does wifi interface become member of that non-default VLAN? No, error message is displayed almost immediately so nothing is visible in bridge/vlans. I was asking about the state of CAP after second try (you wrote that c...
by mkx
Wed Oct 02, 2024 5:25 pm
Forum: Announcements
Topic: v7.17beta [testing] is released!
Replies: 381
Views: 40663

Re: v7.17beta [testing] is released!

From 7.16. The problem is that the forwarder will not try to ask 10.6.10.221 when 220 is not answering. The basic premise in whole DNS system is that if there are more than one DNS server available (configured), it is assumed that all of them would give the same answer. And answer "no such dom...
by mkx
Wed Oct 02, 2024 5:13 pm
Forum: General
Topic: DDoS protection without DDoSing oneself?
Replies: 7
Views: 382

Re: DDoS protection without DDoSing oneself?

The idea about creating address lists is to avoid sending any feedback to attacking nodes ... which helps to save at least uplink bandwidth. Using the lists in raw firewall also helps to reduce amount of packet processing (even if normal firewall filter rules would eventually drop those packets) ......
by mkx
Wed Oct 02, 2024 5:07 pm
Forum: General
Topic: List of devices that no longer receive updates
Replies: 2
Views: 185

Re: List of devices that no longer receive updates

The rule of thumb is: if architecture (e.g. MMIPS or ARM or SMIPS) of device is receiving new ROS versions, then device is still supported. And this is a big feature of MT (as compared to other vendors who drop support quite soon after end of selling). However (and it's a big however): ROS v7 doesn'...
by mkx
Wed Oct 02, 2024 5:01 pm
Forum: General
Topic: NAT problem
Replies: 3
Views: 195

Re: NAT problem

What do you mean by "When the destination address (10.10.11.2) is specified in the microtik's NAT rule, some web pages are not displayed" .... which web pages, where are they hosted? Just to clarify: you are setting dst-address=10.10.11.2 on DST-NAT rule? What if you set in-interface=<WAN ...
by mkx
Wed Oct 02, 2024 4:42 pm
Forum: General
Topic: Switch rule to block out everything but 1 mac, not working as expected
Replies: 9
Views: 352

Re: Switch rule to block out everything but 1 mac, not working as expected

The way I read the ACLs, the second rule matches also "return" traffic ... which has dst-mac-address set to MAC address of allowed device. So perhaps you have to introduce another rule and push it between existing two rules: add comment="Allow 00:E0:4C:00:03:A7 on ether5" ports=e...
by mkx
Wed Oct 02, 2024 4:29 pm
Forum: General
Topic: PTP Boundary clock not working when IGMP is enabled in bridge
Replies: 2
Views: 175

Re: PTP Boundary clock not working when IGMP is enabled in bridge

The problem is that IGMP snooping in ROS (as well as many other vendors) is shitty. A few years ago, when I tried, IGMP snooping on both ROS and Dlink effectively blocked IPv6. And PTP works using multicasts. So IMO it's a bug in IGMP snooping in ROS. So nothing we, forum members, can help you with....
by mkx
Wed Oct 02, 2024 4:18 pm
Forum: General
Topic: Mikrotik Service ports open/filtered nmap
Replies: 1
Views: 148

Re: Mikrotik Service ports open/filtered nmap

My guessing: when you have list of allowed source IP addresses set in service definition, then access from any other IP address will be rejected on service level. Which means that some alien, trying to connect to ssh (TCP port 22), will perform the initial 3-way TCP handshake ... and after that SSH ...
by mkx
Wed Oct 02, 2024 3:57 pm
Forum: Beginner Basics
Topic: Sharing between two Networks LAN/WIFI
Replies: 1
Views: 153

Re: Sharing between two Networks LAN/WIFI

There are two basic things for this inter-LAN sharing to happen: there has to be device (router), which connects to both networks and is willing to pass packets (i.e. route) between both networks. Additional requirement is that if the before mentioned device is not default gateway for both LAN netwo...
by mkx
Wed Oct 02, 2024 12:01 pm
Forum: Announcements
Topic: v7.17beta [testing] is released!
Replies: 381
Views: 40663

Re: v7.17beta [testing] is released!

Well, I should mention that I was quite surprised the first time when I confirmed a device mode change with pressing the reset button that the device actually cold booted... Device mode gets set into routerboot (could be it's even baked into permanent storage just like the rest of routerboot conten...
by mkx
Wed Oct 02, 2024 11:54 am
Forum: Beginner Basics
Topic: [RB5009 v7.16] I cannot make 2.5Gbps port work with a specific device (NAS)
Replies: 4
Views: 292

Re: [RB5009 v7.16] I cannot make 2.5Gbps port work with a specific device (NAS)

I can see the link is up and running (see screenshot).

It seems that autonegotiation failed to do proper thing. The lower part (link partner advertising) stops at 1G baseT full ... and yet RB somehow ended up enabling 2.5G baseT ...
by mkx
Wed Oct 02, 2024 9:24 am
Forum: Beginner Basics
Topic: In absence of other internet connection, does it make sense to practice configuring RB5009UPr using... [SOLVED]
Replies: 4
Views: 666

Re: In absence of other internet connection, does it make sense to practice configuring RB5009UPr using... [SOLVED]

Would there be any benefit in powering the U6 LR using a separate POE injector and connecting the AP directly to the RB5009UPr?
If that switch behaves as it should, then there's no performance benefit in doing what you wrote (and I quoted).
by mkx
Tue Oct 01, 2024 8:08 pm
Forum: General
Topic: L3 Hardware Routing and Router Setup [SOLVED]
Replies: 4
Views: 333

Re: L3 Hardware Routing and Router Setup [SOLVED]

CRS317 is an absolute beast for L3 HW offloading, it would do offloaded firewall as well. The CRS326-24S is a very decent device as well, but not a beast. You may want to read about L3 HW offload and its limitations (device dependent): https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloadin...
by mkx
Tue Oct 01, 2024 7:56 pm
Forum: General
Topic: SSH Log-in using ED25519 public/private key not working from bash
Replies: 4
Views: 243

Re: SSH Log-in using ED25519 public/private key not working from bash

It works for me. Although I did not use "-a" command line parameter of ssh-keygen. It could be that ROS implementation doesn't support that high value (ssh-keygen manual says the default is 16).
by mkx
Tue Oct 01, 2024 7:49 pm
Forum: Announcements
Topic: Newsletter #120 | September 2024
Replies: 56
Views: 12092

Re: Newsletter #120 | September 2024

Why no SFP+ port (or two)? There are comparable all-SFP+ devices available. I see this one as device for those who don't have SFP+ interconnects in their LAN. This is an "office switch" and not very often there's fiber on the office desk. And not many times office desk is next to closet w...
by mkx
Tue Oct 01, 2024 11:17 am
Forum: Wireless Networking
Topic: New PPSK functionality
Replies: 33
Views: 1779

Re: New PPSK functionality

One thing I noticed. When I forget network (so I can connect with another password) first time entering password it displays an error on the phone to enter password again. When I enter password second time it connects immediately. I can think of several reasons for that but not necessarily any of t...
by mkx
Tue Oct 01, 2024 11:03 am
Forum: General
Topic: L3 Hardware Routing and Router Setup [SOLVED]
Replies: 4
Views: 333

Re: L3 Hardware Routing and Router Setup [SOLVED]

Yes, it is possible. You would set up CRS with as many VLANs as necessary for LAN side, set IP address on corresponding vlan interfaces, set up L3HW offloading ... and configure all devices to use CRS' IP addresses as their default gateway (e.g. make appropriate changes to DHCP server settings). The...
by mkx
Tue Oct 01, 2024 10:55 am
Forum: General
Topic: Make the RouterOS reachable over VLAN?
Replies: 3
Views: 216

Re: Make the RouterOS reachable over VLAN?

Sorry. One picture (can be hand drawn and photographed with a phone) of topology and export of current configuration would make the (mental) picture much more clear.
by mkx
Tue Oct 01, 2024 10:50 am
Forum: Beginner Basics
Topic: hAP ax^2 as AP - add ethernet port to VLAN [SOLVED]
Replies: 8
Views: 536

Re: hAP ax^2 as AP - add ethernet port to VLAN [SOLVED]

According to setup shown, ether2 should be part of VLAN 3 as well (probably as dynamic member with comment set to "added by pvid"), but it's not shown in the screenshot. I wonder why's that? Perhaps it gets added when ether2 gets up (something active is plugged in) ... or is ether2 active ...
by mkx
Tue Oct 01, 2024 9:20 am
Forum: Wireless Networking
Topic: New PPSK functionality
Replies: 33
Views: 1779

Re: New PPSK functionality

You always need one datapath (simply to add CAPsMAN-provisioned wifi radio to CAP's bridge) ... either as datapath profile or static datapath. settings on wifi interface directly (which with CAPsMAN-provisioned CAPs isn't an option obviously). And I guess if CAP is simply configured to be CAPsMAN-dr...
by mkx
Tue Oct 01, 2024 9:10 am
Forum: General
Topic: Make the RouterOS reachable over VLAN?
Replies: 3
Views: 216

Re: Make the RouterOS reachable over VLAN?

Unless you configured firewall to block access, your CRS is available for connections on every IP address it's got. For clients in different IP subnet (and/or VLAN) a router is necessary. So answer to your question depends very much on both network topology you have and configuration of CRS. Without...
by mkx
Tue Oct 01, 2024 8:41 am
Forum: Wireless Networking
Topic: New PPSK functionality
Replies: 33
Views: 1779

Re: New PPSK functionality

Ah, so bridge is ignorant about VLANs on CAP device ... just as I thought. So as long as L2MTU is higher than around 1518, it'll blindly pass ethernet frames left and right without ever looking at VLAN ID in 802.1Q headers ... which means you have to be careful about vlan-id setting on datapath (it ...
by mkx
Tue Oct 01, 2024 8:33 am
Forum: Wireless Networking
Topic: New PPSK functionality
Replies: 33
Views: 1779

Re: New PPSK functionality

Tested PPSK with CAPsMAN and it's working like a charm. Only modification is to tag port where CAPs are connected, create datapath with PVID1 and interface bridge and add that into configuration.

How does /interface/bridge/vlan/print look like on CAP device?
by mkx
Tue Oct 01, 2024 8:21 am
Forum: Beginner Basics
Topic: Slow internet when change IP pool address and DHCP server
Replies: 5
Views: 371

Re: Slow internet when change IP pool address and DHCP server

This firewall filter rule add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \ connection-state=established,related src-address=192.168.88.0/24 means that traffic gets fasttracked if LAN address is from router's default range. And it thus skips the mangling rules .....
by mkx
Mon Sep 30, 2024 4:49 pm
Forum: General
Topic: Mikrotik setup for private home -> Switch + AccessPoints
Replies: 7
Views: 370

Re: Mikrotik setup for private home -> Switch + AccessPoints

(I need at least 8 PoE+ ports)

PoE+ is often used as a synonym for 802.3at ... and that one defines max output current of 600mA. But CRS328-24P-4S+RM is specced only with 450mA (which is halfway between PoE 802.3af specced at max 350mA and PoE+).
by mkx
Mon Sep 30, 2024 4:39 pm
Forum: General
Topic: hexS with PoE 20°C warmer?
Replies: 7
Views: 326

Re: hexS with PoE 20°C warmer?

Product page for hEX S says it's got PCB temperature monitor. So it's not CPU temperature, it's somewhere on board and only board inspection can tell which of other elements are around to affect the readings.
by mkx
Mon Sep 30, 2024 4:35 pm
Forum: Beginner Basics
Topic: [SOLVED] Cannot connect to RB5009 V7.16
Replies: 5
Views: 384

Re: Cannot connect to RB5009 V7.16

Is there any risk I netinstall the wrong device? Or shall I run netinstall on a PC directly linked to the RB5009? You can't netinstall the wrong device, device has to be put in netinstall mode for that. However I'd recommend you to do direct connections ... netinstall is a pretty fragile process an...
by mkx
Mon Sep 30, 2024 4:28 pm
Forum: Beginner Basics
Topic: Missing WLAN in OS 7 [SOLVED]
Replies: 12
Views: 6059

Re: Missing WLAN in OS 7 [SOLVED]

My experience so far is that each new Mikrotik device is better (but backward compatible). No, backwards compatibility is not always guaranteed. One example: currently we're using capsman v2 (nowadays called legacy capsman) and capsman v3 (the new, wifi, capsman). And capsman v1 was not compatible wi...
by mkx
Mon Sep 30, 2024 4:08 pm
Forum: Beginner Basics
Topic: hAP ax^2 as AP - add ethernet port to VLAN [SOLVED]
Replies: 8
Views: 536

Re: hAP ax^2 as AP - add ethernet port to VLAN [SOLVED]

On cAP ax you have /interface wifi datapath add bridge=bridge client-isolation=yes name="GME IoT" vlan-id=3 (and similar for "GME guest" datapath). and that setting allows wifi driver to tag/untag frames by itself (without any intervention by bridge). Just as does switch chip on ...
by mkx
Mon Sep 30, 2024 1:49 pm
Forum: Announcements
Topic: v7.17beta [testing] is released!
Replies: 381
Views: 40663

Re: v7.17beta [testing] is released!

Just like PPPoE is an ephemeral interface that exists while tunnel is active, a dynamic sub-if of a stacked vlan is an ephemeral interface that exist while exists traffic that specifies it. Sorry, I simply don't agree that having plethora of dynamic interfaces is a good thing ... just to work aroun...
by mkx
Mon Sep 30, 2024 12:30 pm
Forum: General
Topic: hexS with PoE 20°C warmer?
Replies: 7
Views: 326

Re: hexS with PoE 20°C warmer?

It looks like DC-DC regulator working from 48V (or there around, which is likely PoE voltage thrown at hEX S) is much less effective than working from 24V (included power adapter output). And I guess (I don't have the device to check myself) that temperature sensor is placed close to that DC-DC regu...
by mkx
Mon Sep 30, 2024 12:21 pm
Forum: Announcements
Topic: v7.17beta [testing] is released!
Replies: 381
Views: 40663

Re: v7.17beta [testing] is released!

I feel like they solved the right problem the wrong way... PPPoE is a special case as it's not IP on the physical interface side ... so they can easily add VLAN ID handling to pppoe process. And the feature is (currently) only available for PPPoE server, which may serve multiple VLANs and hence ha...
by mkx
Mon Sep 30, 2024 12:03 pm
Forum: Beginner Basics
Topic: Missing WLAN in OS 7 [SOLVED]
Replies: 12
Views: 6059

Re: Missing WLAN in OS 7 [SOLVED]

... but it does not say when "Loosing built-in cards" will be fixed? I wouldn't count on getting that fixed (probably it's a can of worms which MT disposed of already a while ago). If you need to run legacy capsman, then get an older device and run it there (you can do it on one of your ...
by mkx
Mon Sep 30, 2024 11:57 am
Forum: Beginner Basics
Topic: hAP ax^2 as AP - add ethernet port to VLAN [SOLVED]
Replies: 8
Views: 536

Re: hAP ax^2 as AP - add ethernet port to VLAN [SOLVED]

On hAP ax2 you'll have to enable vlan-filtering on bridge, without it PVID setting does nothing. Then you'll have to configure ether1 as trunk port, configuration should more or less mirror of ether10 on RB3011. But you'll have to use /interface/bridge and subtree henceforth.
by mkx
Sun Sep 29, 2024 7:29 pm
Forum: Wireless Networking
Topic: New PPSK functionality
Replies: 33
Views: 1779

Re: New PPSK functionality

Do you actually have to add multiple VLAN IDs in datapath? My impression is that datapath VLAN ID is a default, but if other mechanisms set it differently (e.g. ppsk settings or radius reply) then wifi-qcom (the non-ac) driver will apply that exception to appropriate frames. Resulting tagged (or unt...
by mkx
Sun Sep 29, 2024 5:12 pm
Forum: General
Topic: Masquerade with VLANs [SOLVED]
Replies: 5
Views: 422

Re: Masquerade with VLANs [SOLVED]

A few things: do yourself a favour and disable detect internet feature (set detect-internet-list=none) Why MTU on LAN set to odd value of 1420? It's going to hurt all LAN communication ... possibly to make wireguard a bit faster. It may make sense, but really depends on ratio between wireguard and L...
by mkx
Sun Sep 29, 2024 2:55 pm
Forum: Announcements
Topic: v7.16.1 [stable] is released!
Replies: 320
Views: 52532

Re: v7.16 [stable] is released!

All my dynamic IP list entries are missing after the upgrade. I had to add them again from backup.

Aren't dynamic entries kept in RAM (to save lots of flash storage space and potentially many flash writes)? That would mean that entries are lost on every reboot (upgrade or not).
by mkx
Sun Sep 29, 2024 2:00 pm
Forum: General
Topic: Wifi traffic prioritization on bridge [SOLVED]
Replies: 22
Views: 1035

Re: Wifi traffic prioritization on bridge [SOLVED]

I have hap-ac² this one has an Atheros AR8327 switch chip included: Yes, but this one is not supported by bridge L2 HW offload (you can configure it under /interface/ethernet/switch, but this kind of config comes with a few complications on their own ... IMO the performance benefit is not worth the...
by mkx
Sun Sep 29, 2024 1:41 pm
Forum: General
Topic: Trouble: Can't connect to ATL after update [SOLVED]
Replies: 45
Views: 2049

Re: Trouble: Can't connect to ATL after update [SOLVED]

Now, the question is security: What would prevent an attacker with physical access to the cable to netinstall the device and do further mischief? Physical security. As soon as attacker gains physical access to your device, you've already lost the game. Guess how "denial of service" looks ...
by mkx
Sun Sep 29, 2024 1:35 pm
Forum: RouterBOARD hardware
Topic: Crs312, a bit outdated.
Replies: 7
Views: 1258

Re: Crs312, a bit outdated.

From what @Channing wrote I'd say he'd like to see "maximum power consumption" go from 60W (specified for current device) down to ... uhhh, 30W? (Not sure if such reduction is realistic though). And I'd add "increase flash storage to at least 32MB if not 64MB". Personally I don't...
by mkx
Sun Sep 29, 2024 1:12 pm
Forum: General
Topic: FTP send "ghost" - deleted file
Replies: 2
Views: 201

Re: FTP send "ghost" - deleted file

How do you run the script? From scheduler? If yes, how exactly does the scheduler job definition look like? Since the script uses local variables, I guess that having scheduler run script at midnight (or whatever the start time is) and repeat it every N minutes for 24 hours (and do it every day).....
by mkx
Sun Sep 29, 2024 11:52 am
Forum: General
Topic: Slow File Transfer Over GRE Tunnel
Replies: 1
Views: 175

Re: Slow File Transfer Over GRE Tunnel

If you have fasttrack enabled on mikrotik side, try disabling it.
by mkx
Sun Sep 29, 2024 11:49 am
Forum: RouterBOARD hardware
Topic: Crs312, a bit outdated.
Replies: 7
Views: 1258

Re: Crs312, a bit outdated.

I can understand your thinking. However in networking gear, things don't go the same pace as in general processing. Switching is typically done wirespeed on ASIC level ... since it's wirespeed, speed increases don't happen (unless it's supporting newer generation of interface standards). Yes, power ...
by mkx
Sun Sep 29, 2024 11:18 am
Forum: Wireless Networking
Topic: New PPSK functionality
Replies: 33
Views: 1779

Re: New PPSK functionality

The idea about setting vlan-id in wifi driver is that wifi driver handles the VLAN tags, not bridge (bridge only filters traffic according to existing VLAN tags). Which IMO means you have a few errors in your setup. One is use of multiple datapaths (just noticed you only have them defined but not us...
by mkx
Sun Sep 29, 2024 10:55 am
Forum: General
Topic: Two "IPv4 Fasttrack Active" entries ?!
Replies: 1
Views: 359

Re: Two "IPv4 Fasttrack Active" entries ?!

Fastpath and fasttrack are two different things. See here: viewtopic.php?t=182658
by mkx
Sat Sep 28, 2024 10:41 pm
Forum: General
Topic: RouterOS Upgrade: Recommendations for hAP ac3 [SOLVED]
Replies: 12
Views: 811

Re: RouterOS Upgrade: Recommendations for hAP ac3 [SOLVED]

Use netinstall for 7.15.3 (or whichever ROS version you decide to start with). Don't mess with netinstalling v6, upgrading from v6 to v7 leaves (hidden) v6 setup on device which consumes (precious) space. When doing netinstall, select both routeros and wifi-qcom-ac packages in the same step, this av...
by mkx
Sat Sep 28, 2024 10:27 pm
Forum: General
Topic: RouterOS Upgrade: Recommendations for hAP ac3 [SOLVED]
Replies: 12
Views: 811

Re: RouterOS Upgrade: Recommendations for hAP ac3 [SOLVED]

Keep in mind for netinstall: on 7.13+ you need wireless or wifi-qcom-ac package additionally to main package. So, if I install 7.13 or later, do I need to add the wifi-qcom-ac from the extra package to get wifiwave2? If I don’t, will I just get the regular wireless? If you install 7.13 or later, it...
by mkx
Sat Sep 28, 2024 10:08 pm
Forum: General
Topic: RouterOS Upgrade: Recommendations for hAP ac3 [SOLVED]
Replies: 12
Views: 811

Re: RouterOS Upgrade: Recommendations for hAP ac3 [SOLVED]

My suggestions:

1. 7.15.3
2. do a netinstall

Before doing step #2, do a textual export of config, it can prove a valuable aide when configuring anew. Won't help much with wifi though.
by mkx
Sat Sep 28, 2024 9:56 pm
Forum: General
Topic: storage issues?
Replies: 2
Views: 245

Re: storage issues?

And

4. check that device's storage is not full. 16MB is tight for contemporary ROS versions on ATM architecture ... and you really want to have at least few hundreds of kB free at all times.
by mkx
Sat Sep 28, 2024 2:18 pm
Forum: General
Topic: CRS326-24S+ gets a little hot
Replies: 5
Views: 474

Re: CRS326-24S+ gets a little hot

Two things: as @liviu2004 already hinted: make sure that the back of rack allows exit of hot air ... if rack is closed at the back, then no amount of fans can help, hot air is still trapped inside the rack "Operating temperature" in product brochure (specifying range of -20°C..+60°C) refer...
by mkx
Sat Sep 28, 2024 1:47 pm
Forum: Wireless Networking
Topic: Legacy wifi client does not connect to AX AP
Replies: 5
Views: 487

Re: Legacy wifi client does not connect to AX AP

While ax APs are (in principle) backwards compatible, some legacy station devices are not forward compatible. Some modern features which seem to freak out legacy clients (even to the point they even don't want to try to connect to modern AP): WPA-3 security ax standard FT and any other mobility feat...
by mkx
Sat Sep 28, 2024 1:36 pm
Forum: Beginner Basics
Topic: Configuring Extension Router Separately [SOLVED]
Replies: 11
Views: 1002

Re: Configuring Extension Router Separately [SOLVED]

Model name from export says this is LHG R: https://mikrotik.com/product/rblhgr

Which is way different than hAP ac lite.
by mkx
Sat Sep 28, 2024 1:28 pm
Forum: General
Topic: Wifi traffic prioritization on bridge [SOLVED]
Replies: 22
Views: 1035

Re: Wifi traffic prioritization on bridge [SOLVED]

The problem resides on the hAP-ac. As I'm forced to use bridge vlan filtering (no HW offload, all on CPU) for wifi-qcom-ac all traffic is handled by the CPU. Maybe this is the issue.

Which device exactly are you using? hAP ac doesn't run wifi-qcom-ac drivers due to wrong architecture (MIPSBE).
by mkx
Sat Sep 28, 2024 1:21 pm
Forum: General
Topic: hEX POE high IRQ CPU usage
Replies: 1
Views: 221

Re: hEX POE high IRQ CPU usage

According to official test results and a chunk of common sense, hEX PoE should be able to route at around 300Mbps. Give or take. But seeing your device to choke at around 80Mbps is a bit surprising. So why don't you show complete config? In a command terminal execute /export file=anynameyouwish , fe...
by mkx
Sat Sep 28, 2024 1:02 pm
Forum: General
Topic: Mikrotik router asking for ARP resolution of alot of IPs
Replies: 7
Views: 612

Re: Mikrotik router asking for ARP resolution of alot of IPs

Interesting possibility. But how/why this started happening last friday on multiple devices? :? @OP says that ARP policer kicked in ... what I'm saying is that the same thing might be going on for ages but last friday cumulative internet usage of those with flawed setups exceeded ARP policer's thr...
by mkx
Fri Sep 27, 2024 10:07 pm
Forum: General
Topic: Mikrotik router asking for ARP resolution of alot of IPs
Replies: 7
Views: 612

Re: Mikrotik router asking for ARP resolution of alot of IPs

To me it seems like Mikrotik was set with default route to use interface instead of gateway, i.e. add default gateway ether1 (where ether1 is interface used for upstream connection). It seems that there are a few tutorials floating around internet suggesting such approach.
by mkx
Fri Sep 27, 2024 10:00 pm
Forum: RouterBOARD hardware
Topic: Various devices do not load after the update
Replies: 7
Views: 722

Re: Various devices do not load after the update

And how do you know the total space needed for the update?

Due to lack of better info ... by experimenting and observation.
by mkx
Fri Sep 27, 2024 1:23 pm
Forum: RouterBOARD hardware
Topic: RBFTC11 switching from Gbps to 100Mbps
Replies: 3
Views: 528

Re: RBFTC11 switching from Gbps to 100Mbps

20cm of cable between two active RJ45 devices indeed seems a bit short. I'd try with a 2m patch cable to see if things change. For this kind of distance a cat5e cable will do (even for multi-gig speeds), no need to go overboard by using cat6+ patch cable.
by mkx
Fri Sep 27, 2024 1:20 pm
Forum: RouterBOARD hardware
Topic: Various devices do not load after the update
Replies: 7
Views: 722

Re: Various devices do not load after the update

And please tell me where and how to find out the required space for the update RouterOS 7? AFAIK there is no official information about it. ROS updater is supposed to check free space before applying update ... but from forum reports one can get a feeling that it's not conservative enough and somet...
by mkx
Fri Sep 27, 2024 9:59 am
Forum: RouterBOARD hardware
Topic: Various devices do not load after the update
Replies: 7
Views: 722

Re: Various devices do not load after the update

What could be the problem, how to avoid it? Not really an answer, but rather observation: all the mentioned devices have only 16MB flash. Which is tight for recent ROS versions (specially v7). So perhaps your script should check free flash space and bail out if free space is less than, say, 600kB (...
by mkx
Fri Sep 27, 2024 9:34 am
Forum: Announcements
Topic: Newsletter #120 | September 2024
Replies: 56
Views: 12092

Re: Newsletter #120 | September 2024

CRS304 switching results are they correct?
Those results do look very bad
As if they, somehow, only tested the 1Gbps MGMT port?
by mkx
Thu Sep 26, 2024 9:55 pm
Forum: General
Topic: Import config RB951g-2HnD to RB951UI-2HnD
Replies: 1
Views: 284

Re: Import config RB951g-2HnD to RB951UI-2HnD

If you're talking about restoring backup file, created on a different device model, then no, this is not supported. Even if it somehow works in certain device combinations. If you're talking about importing textual configuration exports ... then again they don't generally work. But since they are es...
by mkx
Thu Sep 26, 2024 7:44 pm
Forum: General
Topic: Are these routers part of botnet?
Replies: 2
Views: 452

Re: Are these routers part of botnet?

Most likely sending CFs or RIFs to MT wouldn't help much to anybody. Most probably there is/was a hole in firewall configuration of those devices which allowed attackers to get them under their control. What should be done (by you or some knowledgeable person) is to analyze configuration with focus b...
by mkx
Thu Sep 26, 2024 10:55 am
Forum: General
Topic: How to use HTTP proxy
Replies: 1
Views: 265

Re: How to use HTTP proxy

On end devices themselves.

While you could DST-NAT port 80 (non-encrypted HTTP) to proxy port and it would mostly work (except for older HTTP 1.0 only clients), you can't do the same for port 443 (encrypted HTTPS), client has to understand it's talking to proxy when trying to do HTTPS.
by mkx
Wed Sep 25, 2024 9:59 pm
Forum: General
Topic: System - Shutdown query [SOLVED]
Replies: 3
Views: 429

Re: System - Shutdown query [SOLVED]

What would happen if the MikroTik is turned off from system shutdown? MT devices in shut down state stay in that state until they are power cycled. How to work around it? If device has option to be powered via PoE, then you can power cycle it by disabling PoE out on port of powering device. Or insta...
by mkx
Wed Sep 25, 2024 5:36 pm
Forum: General
Topic: Device got hacked 1 min after connected to internet
Replies: 51
Views: 4380

Re: Device got hacked 1 min after connected to internet

Unfortunately my MNO provides only nano SIM cards with adapters like this so I need to use adapter to insert into router. Isn't it that cuttings for different SIM sizes are not through? So if one needs e.g. micro SIM, only outer piece of plastic has to be removed. The rest is still decently sturdy ...
by mkx
Wed Sep 25, 2024 3:40 pm
Forum: Announcements
Topic: v7.16.1 [stable] is released!
Replies: 320
Views: 52532

Re: v7.16 [stable] is released!

cAP ac is "arm" not "arm64" ...
by mkx
Wed Sep 25, 2024 3:31 pm
Forum: Wireless Networking
Topic: No Connection to CAPsMAN [SOLVED]
Replies: 17
Views: 3013

Re: No Connection to CAPsMAN [SOLVED]

Sure this has to be disabled? If CAP and CAPsMAN are different devices, then they won't communicate using address of 127.0.0.1 (neither of them) ... hence this rule doesn't apply. Or is it? If CAPsMAN communicates with itself (another process perhaps), then it might use 127.0.0.1 ... @JPbarries, tr...
by mkx
Wed Sep 25, 2024 3:12 pm
Forum: RouterBOARD hardware
Topic: CRS310-8G+2S+IN batches are broken
Replies: 5
Views: 1182

Re: CRS310-8G+2S+IN batches are broken

So riddle me this, if I need 20 of those switches, how many times will I have to order and RMA the units before I end up with 20 good ones? It's an interesting math problem that fits well in a public school test If you're tackling the issue with "order X, check them and RMA Y ... and loop unti...
by mkx
Wed Sep 25, 2024 3:03 pm
Forum: RouterBOARD hardware
Topic: VLAN BRidge switch chip NAT Only using one core RB 3011 UiAS RM [SOLVED]
Replies: 32
Views: 2520

Re: VLAN BRidge switch chip NAT Only using one core RB 3011 UiAS RM [SOLVED]

If you're using RB3011 "for educational purposes", then I suggest you to go with single bridge with vlan-filtering enabled. This kind of configuration works on all devices (regardless the underlying hardware) and on many devices (including all the modern switches and many modern routers) i...
by mkx
Wed Sep 25, 2024 2:42 pm
Forum: Wireless Networking
Topic: No Connection to CAPsMAN [SOLVED]
Replies: 17
Views: 3013

Re: No Connection to CAPsMAN [SOLVED]

Your firewall is quite strict at dropping anything not allowed. Which is good. But you have to allow capsman protocol. From a note in documentation for capsman v2 (the old wireless capsman): Note: CAPsMAN uses UDP port 5246 for manager traffic and UDP port 5247 for data traffic I didn't find similar...
by mkx
Wed Sep 25, 2024 9:29 am
Forum: General
Topic: Struggling with VLANs on MikroTik CRS305
Replies: 9
Views: 661

Re: Struggling with VLANs on MikroTik CRS305

And did you perform a cold reboot of switch after setting all things up? My experience goes that sometimes actual running switch chip config diverges from what it's supposed to be and a good cold boot (i.e. cut the power) sorts this out.
Not necessarily a solution to your problem though.
by mkx
Wed Sep 25, 2024 9:07 am
Forum: RouterBOARD hardware
Topic: VLAN BRidge switch chip NAT Only using one core RB 3011 UiAS RM [SOLVED]
Replies: 32
Views: 2520

Re: VLAN BRidge switch chip NAT Only using one core RB 3011 UiAS RM [SOLVED]

A few random bits, hopefully they'll help you to understand your device and setup: despite the urban legend of necessity to run two bridges on devices with two switch chips that's not true. Indeed setup with using external patch cord connecting ports on different switch chips may help with performan...
by mkx
Wed Sep 25, 2024 8:43 am
Forum: General
Topic: Home Lab VLAN/Routing Help
Replies: 7
Views: 645

Re: Home Lab VLAN/Routing Help

You have to add bridge port as tagged member of VLANs with which IP layer of device has to communicate (and you create corresponding vlan interface, anchored off bridge port ). In case of RB5009 that would be: /interface vlan add interface=rb5009br name=vlan10 vlan-id=10 add interface=rb5009br name=...
by mkx
Wed Sep 25, 2024 8:32 am
Forum: General
Topic: Struggling with VLANs on MikroTik CRS305
Replies: 9
Views: 661

Re: Struggling with VLANs on MikroTik CRS305

Why do you have "tag-stacking" enabled on sfp-sfpplus1?
by mkx
Wed Sep 25, 2024 8:19 am
Forum: Beginner Basics
Topic: Firmware version discrepancy
Replies: 1
Views: 509

Re: Firmware version discrepancy

routerboard firmware is separate from ROS version ... similar to BIOS/UEFI being separate from OS (Windows, linux, ...). The difference between ROS and normal PCs is that routerboard firmware ships with ROS itself and it's possible to set it to be upgraded automatically (property "auto-upgrade&...
by mkx
Tue Sep 24, 2024 12:25 pm
Forum: Beginner Basics
Topic: SLAACing a /64 address from /60 pools?
Replies: 2
Views: 522

Re: SLAACing a /64 address from /60 pools?

When router advertises a prefix, it'll advertise its own IPv6 address with it. And AFAIK it'll advertise its LL address (but I may be wrong here). What remains to be seen (run a wireshark on a client device and check the RA packets) is whether router actually advertises /64 prefix even though the a...
by mkx
Mon Sep 23, 2024 9:04 pm
Forum: General
Topic: Help Needed: IPv6 Configuration Issues with Fritzbox and Mikrotik Switch
Replies: 4
Views: 652

Re: Help Needed: IPv6 Configuration Issues with Fritzbox and Mikrotik Switch

Check IGMP related settings on mikrotik's bridge. IGMP snooping can be quite flakey and if it's enabled, it can break IPv6 ...
by mkx
Mon Sep 23, 2024 10:44 am
Forum: RouterBOARD hardware
Topic: CRS328-24P-4S+RM speed problem
Replies: 13
Views: 6341

Re: CRS328-24P-4S+RM speed problem

a bandwidth-test between my CRS328 and a RB5009 Bandwidth-test (as ROS feature) is extremely CPU-bound, so in most cases it's measuring CPU performance rather than link performance. Specially so for devices with fast links and relatively weak CPU (CRS328 in your case). So: just don't use bandwidth...
by mkx
Mon Sep 23, 2024 9:30 am
Forum: Wireless Networking
Topic: Virtual AP RAdio MAC [SOLVED]
Replies: 1
Views: 394

Re: Virtual AP RAdio MAC [SOLVED]

What impact if i set the VAP radio mac to C4:AD:34:48:E1:05 (same with the master interface) It most likely won't work ... station, connected to AP (either interface) will send wifi frame with "receiver address" field set to BSSID (MAC) of AP. And then AP will take this frame and do with ...
by mkx
Mon Sep 23, 2024 9:15 am
Forum: General
Topic: pap only pppoe connection have probability authentication failed [SOLVED]
Replies: 3
Views: 512

Re: pap only pppoe connection have probability authentication failed [SOLVED]

I'm really wondering why do you insist on using PAP (which transfers username and password in cleartext) over CHAP (which doesn't exchange password) ... specially as CHAP works in your use case?

Did you check log on MT? Does it say anything about the failed PAP authentications?
by mkx
Mon Sep 23, 2024 8:50 am
Forum: General
Topic: HELP: RB5009 limiting WAN speeds of any *nix machines
Replies: 5
Views: 829

Re: HELP: RB5009 limiting WAN speeds of any *nix machines

IP generally doesn't care about OS type so generally router doesn't limit speeds for certain OS types. However it is possible that delay (and delay jitter), present on certain network path[*], affects some OSes and not others due to some interference in packet timing. But these are very hard to diag...
by mkx
Mon Sep 23, 2024 8:40 am
Forum: General
Topic: DHCP keeps sending out from old range
Replies: 2
Views: 491

Re: DHCP keeps sending out from old range

When changing IP address subnet on ROS, there are roughly 4 places where changes have to be made: /ip/address This is the place where router's own IP address is set. Optionally one has to change settings also under /ip/route ... possibly also on other routers if present in LAN. In most SOHO environm...
by mkx
Mon Sep 23, 2024 8:30 am
Forum: General
Topic: MASTER INTERFACE UNKNOWN
Replies: 7
Views: 3775

Re: MASTER INTERFACE UNKNOWN

4. very often it's a PEBKAC. With an attitude like this, it's almost certain.
by mkx
Mon Sep 23, 2024 8:21 am
Forum: Beginner Basics
Topic: ipv6 security
Replies: 14
Views: 1207

Re: ipv6 security

So if i set /ipv6 settings set disable-ipv6=yes my mikrotik router will automatically block everything from wan to lan and from lan to wan via ipv6. Correct? To be precise: router will not block IPv6, rather it will ignore all of IPv6. Not exactly the same thing, but the end effect is very similar.
by mkx
Mon Sep 23, 2024 8:19 am
Forum: Beginner Basics
Topic: Public IP NAT Rule Issue
Replies: 8
Views: 813

Re: Public IP NAT Rule Issue

You have two rules in srcnat chain. The screenshots don't show all the gory details, but ... masquerade rule is higher than "normal" src-nat rule. If masquerade rule selection rules match the packets which src-nat rule is supposed to act on, then masquerade rule will do its job and src-na...
by mkx
Mon Sep 23, 2024 8:14 am
Forum: Beginner Basics
Topic: Auto detect internet
Replies: 1
Views: 471

Re: Auto detect internet

A word of advice: just disable "detect internet" feature ... if you know which port of your router connects towards internet, then this function doesn't add any value ... but can screw things up in random ways if it doesn't work right. I suggest you to reset your router to defaults, then u...
by mkx
Sun Sep 22, 2024 11:22 am
Forum: RouterBOARD hardware
Topic: VLAN BRidge switch chip NAT Only using one core RB 3011 UiAS RM [SOLVED]
Replies: 32
Views: 2520

Re: VLAN BRidge switch chip NAT Only using one core RB 3011 UiAS RM [SOLVED]

RB3011 doesn't offload anything to switch chips ... apart from very basic switching (without VLANs).

With vlan-filtering enabled everything is processed by CPU, including bridge filters...
by mkx
Sun Sep 22, 2024 11:13 am
Forum: Wireless Networking
Topic: Capsman loosing connection when connected through switch
Replies: 32
Views: 1942

Re: Capsman loosing connection when connected through switch

You have many firewall rules and I'm not going to verify all of them. But there are quite a few "dangerous" ones. For example: add action=accept chain=input comment=Winbox dst-port=8291 protocol=tcp It's allowing winbox access from everywhere (including internet). I'm guessing that there's...
by mkx
Sun Sep 22, 2024 9:27 am
Forum: Beginner Basics
Topic: Public IP NAT Rule Issue
Replies: 8
Views: 813

Re: Public IP NAT Rule Issue

What about order of NAT rules? They are evaluated from top to bottom, first one matching executes.
by mkx
Sat Sep 21, 2024 11:47 am
Forum: Wireless Networking
Topic: [hAP ax3] Wifi 5 Ghz channel are weak constantly dropped [SOLVED]
Replies: 9
Views: 1068

Re: [hAP ax3] Wifi 5 Ghz channel are weak constantly dropped [SOLVED]

One thing to keep in mind: permitted Tx power is not the same on all 5GHz channels. If you check output of /interface/wifi/radio/reg-info number=0 country=Denmark you'll see that some channels have limit quite a bit lower than others. In order to have signal strength (and coverage) predictable, it's...
by mkx
Sat Sep 21, 2024 11:30 am
Forum: Wireless Networking
Topic: iOS 18 Wi-Fi connectivity issue [SOLVED]
Replies: 71
Views: 4902

Re: iOS 18 Wi-Fi connectivity issue [SOLVED]

After some more testing, it seems to work fine with encryption=ccmp,gcmp as well. These two are basic encryption algorithms (ccmp is almost another name for AES, used in WPA2) which every device supports pretty bug-free. They use 128-bit keys. The other two (ccmp-256 and gcmp-256) are new ones (usi...
by mkx
Sat Sep 21, 2024 9:27 am
Forum: RouterBOARD hardware
Topic: Crs312, a bit outdated.
Replies: 7
Views: 1258

Re: Crs312, a bit outdated.

Apart from the fan noise ... I don't get what on hardware is to be upgraded, what is outdated? Device features 4 optical ports and 8 RJ45 10Gbps ports ... (or less optical and more electrical ports since those are combo ports). And the switch chip, around which the device is built, is a pretty decen...
by mkx
Sat Sep 21, 2024 9:10 am
Forum: Beginner Basics
Topic: Configuring MikroTikAudience for PPPoE
Replies: 3
Views: 529

Re: Configuring MikroTikAudience for PPPoE

Thanks @jaclaz. @prathy, please post current config of your Audience. Open terminal window, execute /export file=anynameyouwish hide-sensitive (the last parameter has to be used if Audience is running ROS 6.x, in ROS 7.x it doesn't exist). Then fetch the resulting file, open it with your favourite t...
by mkx
Fri Sep 20, 2024 7:37 pm
Forum: Announcements
Topic: Newsletter #114 | September 2023
Replies: 80
Views: 18453

Re: Newsletter #114 | September 2023

... but that display I don't understand... Why ?
Vastly increased WAF ... if the W is geeky ;-)
by mkx
Fri Sep 20, 2024 7:26 pm
Forum: Wireless Networking
Topic: Capsman loosing connection when connected through switch
Replies: 32
Views: 1942

Re: Capsman loosing connection when connected through switch

Quite likely. But I wonder why your firewall allows attempts to connect capsman via WAN?
by mkx
Fri Sep 20, 2024 7:08 pm
Forum: General
Topic: Pc not reachable [SOLVED]
Replies: 8
Views: 902

Re: Pc not reachable [SOLVED]

...one thing i notice is the router actually records the traffic trying to goin in, but nothing besides that How do you notice that, by running sniffer on router itself? This way you should be able to see same packet (e.g. ICMP echo request) multiple times, on each of interfaces it passes (so once ...
by mkx
Fri Sep 20, 2024 7:01 pm
Forum: General
Topic: Bios Battery to Mikrotik
Replies: 2
Views: 540

Re: Bios Battery to Mikrotik

No, none of MT devices have support for battery-backed real-time clock. Quite possibly the RTC support is stripped out of linux kernel, provided in ROS.
by mkx
Fri Sep 20, 2024 6:53 pm
Forum: Beginner Basics
Topic: RB2011UiAS-RM DNS - dns server failure [SOLVED]
Replies: 2
Views: 679

Re: RB2011UiAS-RM DNS - dns server failure [SOLVED]

DNS record of type CNAME is not URL, it points to another host name. Your CNAME record contains a few characters which are not legal in hostnames (you can probably guess which ones are those). This would be correct CNAME[*]: /ip dns static add cname="41c389ca-8639-45a6-b901-67791ad4c0cc.unifi-h...
by mkx
Fri Sep 20, 2024 6:40 pm
Forum: Beginner Basics
Topic: Connected to internet on WAN but not on LAN [SOLVED]
Replies: 13
Views: 1103

Re: Connected to internet on WAN but not on LAN [SOLVED]

But from what i understand fast track bypasses packet treatments so it helps reduce latency ? The choke point is WAN interface (e.g. ethernet port) and buffering is done after all of firewall processing is already finished. Fasttrack only reduces amount of processing time of packets, but the speed...
by mkx
Fri Sep 20, 2024 6:16 pm
Forum: Beginner Basics
Topic: Connected to internet on WAN but not on LAN [SOLVED]
Replies: 13
Views: 1103

Re: Connected to internet on WAN but not on LAN [SOLVED]

Bufferbloat is not something fasttrack can solve, it's something that queues can solve (some are designed with this problem in mind). The basic idea is to prioritize packets which don't belong to high-volume connections (and this classification is the hard part). In this case: there's a connection (o...
by mkx
Fri Sep 20, 2024 5:52 pm
Forum: Beginner Basics
Topic: Configuring MikroTikAudience for PPPoE
Replies: 3
Views: 529

Re: Configuring MikroTikAudience for PPPoE

The information page you linked is not available to me (I'm getting 403 forbidden; could be that HFC limits access to Aussies). So you have to hope somebody with access (or even first-hand experience) drops by to help you.
by mkx
Fri Sep 20, 2024 5:47 pm
Forum: Beginner Basics
Topic: correct order of interfaces for PPPoE/VLAN-ISP connections? [SOLVED]
Replies: 3
Views: 803

Re: correct order of interfaces for PPPoE/VLAN-ISP connections? [SOLVED]

Trying to clear the picture of proper interface order. Think of layers: you're trying to send IP packets. PPPoE offers WAN IP interface. So PPPoE wraps IP packet in pppoe "box". your ISP requires you to use VLAN to transport pppoe "boxes", so pppoe has to be pipelined to vlan int...
by mkx
Fri Sep 20, 2024 5:19 pm
Forum: Beginner Basics
Topic: Need assistance with VLAN Firewall and NAT rules
Replies: 6
Views: 902

Re: Need assistance with VLAN Firewall and NAT rules

You should use /24 netmask on those subnets. Without proper subnet masks, routing won't work. And keep in mind when pinging around: some OSes on end devices include firewalls and some firewalls (e.g. windows) block everything coming in from other than "home" subnet. Home subnet is the one ...
by mkx
Thu Sep 19, 2024 7:56 pm
Forum: General
Topic: SIP ALG turned off, port changes!!!
Replies: 1
Views: 388

Re: SIP ALG turned off, port changes!!!

Show us config of R2 (for starters).
by mkx
Thu Sep 19, 2024 7:22 pm
Forum: Beginner Basics
Topic: ipv6 security
Replies: 14
Views: 1207

Re: ipv6 security

Disabling IPv6 support on router is definitely a safer option ... with firewall rules it's always possible to screw something up. But as @Sob wrote: IPv6 is here to stay and it's only a matter of time when you'll have to bite into this nut ... so you better crack it open before biting it.
by mkx
Wed Sep 18, 2024 8:49 pm
Forum: Beginner Basics
Topic: Lost permisions on router
Replies: 11
Views: 772

Re: Lost permisions on router

@jaclaz: I'm not saying that default setup should block everything from LAN as well. I'm just saying that attacks from LAN are possible and one should not dismiss such possibility when doing a post-mortem (with intent to harden router's config). Yes, I agree that attacks from WAN are whole lot more ...
by mkx
Wed Sep 18, 2024 8:26 pm
Forum: Beginner Basics
Topic: Lost permisions on router
Replies: 11
Views: 772

Re: Lost permisions on router

I still not understand why ROS does not give any possibility to re-gain access ... Possibly because that would enable users to steal CPEs from ISPs if the method of regaining access would be too straight-forward (such as password printed on a sticker attached to device itself). The basic problem in...
by mkx
Tue Sep 17, 2024 2:39 pm
Forum: Announcements
Topic: v7.16rc [testing] is released!
Replies: 362
Views: 113051

Re: v7.16rc [testing] is released!

It's normal to have software release with known issues (even before releasing it), accompanying documentation just has to mention those clearly. On the other hand it's sometimes good (if not necessary) to release new version due to required new functionality ... while keeping to work on resolving kn...
by mkx
Tue Sep 17, 2024 2:31 pm
Forum: Beginner Basics
Topic: Not blocking IP / Raw on DNS !!!
Replies: 5
Views: 512

Re: Not blocking IP / Raw on DNS !!!

So are you saying that the other two rules, such as 1 chain=prerouting action=drop dst-port=53 log=no log-prefix="" protocol=udp dst-address=172.16.1.100 src-address-list=!dns are not working? According to packet flow , prerouting is executed before DST-NAT ... which means that for packets...
by mkx
Tue Sep 17, 2024 2:23 pm
Forum: Announcements
Topic: v7.16rc [testing] is released!
Replies: 362
Views: 113051

Re: v7.16rc [testing] is released!

We are not in a hurry xD, we only saw that in its official documentation and we were surprised to see v7.17 with green markers. I guess that they are planning to introduce some additional functionality (e.g. " Starting from RouterOS v7.17, DHCP snooping is supported with hardware offloading bo...
by mkx
Tue Sep 17, 2024 2:19 pm
Forum: Wireless Networking
Topic: Capsman loosing connection when connected through switch
Replies: 32
Views: 1942

Re: Capsman loosing connection when connected through switch

The problem is, that there really isn't any disconnection, just Caps connection becomes suddenly "interrupted" and after few seconds starts working again. When frame loss happens, links don't disconnect ... in worst case they may renegotiate to lower speed (e.g. 100Mbps instead of 1Gbps) b...
by mkx
Tue Sep 17, 2024 1:59 pm
Forum: Beginner Basics
Topic: Not blocking IP / Raw on DNS !!!
Replies: 5
Views: 512

Re: Not blocking IP / Raw on DNS !!!

0 chain=prerouting action=add-dst-to-address-list dst-port=53 log=no log-prefix="" protocol=udp src-address-list=!dns dst-address-list=!dns address-list=dns!!! address-list-timeout=none-dynamic Did you thoroughly think about what this rule does? It says: if dst-port is 53 . AND . if proto...
by mkx
Tue Sep 17, 2024 12:08 pm
Forum: Wireless Networking
Topic: Capsman loosing connection when connected through switch
Replies: 32
Views: 1942

Re: Capsman loosing connection when connected through switch

Some switches try to be smart (too smart as it turns out) ... and try to detect anomalous traffic. I have a Dlink managed switch and it was messing with NTP traffic (UDP to/from port 123) inside LAN. After disabling that "feature" I have zero problems (since more than a year ago). So check ...
by mkx
Tue Sep 17, 2024 10:56 am
Forum: General
Topic: Ubuntu proxy settings changed itself to all_proxy=socks://127.0.0.1:8888 while reading about socks on Mikrotik website
Replies: 9
Views: 1067

Re: Ubuntu proxy settings changed itself to all_proxy=socks://127.0.0.1:8888 while reading about socks on Mikrotik websi

@User345135: since you're running Ubuntu, run sudo netstat -ntlp | grep 8888 If you don't have netstat installed, install it using command sudo apt install net-tools The output of netstat command should show you name of process listening on port 8888 ... and that should give you a hint as to what's ...
by mkx
Tue Sep 17, 2024 8:43 am
Forum: General
Topic: IPv6 Traffic Blocked
Replies: 1
Views: 308

Re: IPv6 Traffic Blocked

Not sure if this is ROS specific. With IPv6 there's some specific configuration necessary on "client" router to make it work. Sometimes ISPs don't do the right thing and in those cases client has to work with ISP support to get things working.
by mkx
Tue Sep 17, 2024 8:41 am
Forum: General
Topic: IPv6 for SSH Tunnel Server
Replies: 17
Views: 1447

Re: IPv6 for SSH Tunnel Server

Does that mean I cannot make it IPv6-only? or at least IPv6 first then if timed out IPv4? You may ... by using firewall filter rules. Tunneled traffic would appear in chain=output when exiting SSH tunnel. But as @sindy already explained, you would not be able to distinguish tunneled traffic from tr...
by mkx
Tue Sep 17, 2024 8:38 am
Forum: General
Topic: Ubuntu proxy settings changed itself to all_proxy=socks://127.0.0.1:8888 while reading about socks on Mikrotik website
Replies: 9
Views: 1067

Re: Ubuntu proxy settings changed itself to all_proxy=socks://127.0.0.1:8888 while reading about socks on Mikrotik websi

Blaming MikroTik for setting proxy properties in your browser. You need to improve your reading comprehension or be more honest. I did not blame Mikrotik. But since you were stating your problem on Mikrotik forum, it certainly did seem so. And @kleshki simply voiced his doubts ... yeah, he might ha...
by mkx
Tue Sep 17, 2024 8:27 am
Forum: Beginner Basics
Topic: Problem with VLANs and Bridge
Replies: 18
Views: 1194

Re: Problem with VLANs and Bridge

Since the CHR has no switch ASICs, perhaps the same applies to it? The problem with RB4011 (and a few other devices) is that they have more than one switch chip and bridge does L2 HW offload to them. With CHR, there is no L2 HW offload AFAIK, so it's not the same case as in the thread you linked. N...
by mkx
Mon Sep 16, 2024 3:35 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1308
Views: 249240

Re: 📣 WinBox 4 is here 📣

The error message doesn't come from Qt, it comes from XCB ... which is (one of) implementation of client side of X11 protocol ... and here 'client side' is, contrary to usual situation, the side where application is running (i.e. your Linux workstation). And it seems that it's Xtightvnc who uses XCP...
by mkx
Mon Sep 16, 2024 3:08 pm
Forum: RouterOS beta
Topic: L3HW not working properly
Replies: 19
Views: 10932

Re: L3HW not working properly

Maybe bug or something else? I seem to remember a discussion about this exact problem a while ago (could be many months ago) and @Normis acknowledged the bug. I'm pretty sure it was supposed to be fixed since then, but I've no idea in which version this was fixed (if at all). So if the problem happe...
by mkx
Mon Sep 16, 2024 2:46 pm
Forum: Wireless Networking
Topic: Ax3 WiFi ignores access list [SOLVED]
Replies: 6
Views: 737

Re: Ax3 WiFi ignores access list [SOLVED]

My guess it operates a "matcher"/selector, not like the firewall "filter"/etc Both here and firewall filter rules have most properties "selectors" and only one property which does something (in both cases it's action ... to whatever it's set for a particular rule). In ...
by mkx
Mon Sep 16, 2024 8:59 am
Forum: Beginner Basics
Topic: Regarding the issue of NAT
Replies: 7
Views: 766

Re: Regarding the issue of NAT

I’m surprised you can’t do this using dst-nat rules by looking at dst-ip and dst-port and using those to match and send elsewhere. If DNS A records for server1.domain1.tld and server2.domain2.tld point at same IP address (and standard ports are in use), then L3/L4 firewall (which is what ROS runs[*...
by mkx
Mon Sep 16, 2024 8:45 am
Forum: Beginner Basics
Topic: Problem with VLANs and Bridge
Replies: 18
Views: 1194

Re: Problem with VLANs and Bridge

I had some problems to make VLANs work as expected until I also set the bridge as a tagged port too. Bridge has multiple personalities (and the distinction between them in ROS configuration is not made at all). One of personalities is a "CPU-facing switch port" (and by "switch" ...
by mkx
Mon Sep 16, 2024 8:32 am
Forum: Beginner Basics
Topic: hAP AX2 POE issues
Replies: 8
Views: 673

Re: hAP AX2 POE issues

Yes, but the dubitative form is anyway appropriate when the standard power supply is used, the 24V/1.2A are IMHO very "tight" to power both the "main" device and another one via (passive) PoE. Well ... one always has to do power budget calculations when doing any kind of PoE ......
by mkx
Sun Sep 15, 2024 3:41 pm
Forum: Beginner Basics
Topic: hAP AX2 POE issues
Replies: 8
Views: 673

Re: hAP AX2 POE issues

Whether the Cap Ax can actually be powered with passive PoE at 24V is not written anywhere, it may work or it may not. You're right, the passive PoE-in is rarely mentioned for MT devices with 802.3 af/at PoE-in support. But it was explained multiple times (by MT staff) that all MT's PoE-in capable ...
by mkx
Sun Sep 15, 2024 1:14 pm
Forum: Beginner Basics
Topic: RB5009 VLANs [SOLVED]
Replies: 4
Views: 744

Re: RB5009 VLANs [SOLVED]

1. I cannot access the web-interface of RB5009 (or using WinBox) from ether7 after I add "vlan-filtering=yes" to the config. 2. I still cannot understand what is the right way to change the IP address of RB5009 from 192.168.88.1 to the Base VLAN range. More or less full access to your rou...
by mkx
Sat Sep 14, 2024 3:22 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1308
Views: 249240

Re: 📣 WinBox 4 is here 📣

The benefit of having one statically compiled binary is that one can choose to package it as-is as an rpm, deb or flatpak without any further work required by Mikrotik devs. The cost is much bigger installable ... and some (functionality) problems when not using system-wide libc (and possibly some ...
by mkx
Sat Sep 14, 2024 2:23 pm
Forum: Beginner Basics
Topic: Failover script for DNS is working but PiHole only shows Router IP in queries [SOLVED]
Replies: 8
Views: 727

Re: Failover script for DNS is working but PiHole only shows Router IP in queries [SOLVED]

The only strategy, which is fast enough, is to handle it using dst-nat ... like you're doing it now. Using external DNS servers is no different in this aspect. Doing it directly on main router comes with a benefit: you are not adding another point of failure (router is already there and for differen...
by mkx
Sat Sep 14, 2024 1:32 pm
Forum: RouterBOARD hardware
Topic: Can hEX Lite / RBM11G handle multiple wireguard tunnels, OSPF, BGP (NOT full table) etc?
Replies: 2
Views: 783

Re: Can hEX Lite / RBM11G handle multiple wireguard tunnels, OSPF, BGP (NOT full table) etc?

With all of your config, even if backup solution doesn't have to be fast, any HW you throw at will struggle if flash and RAM are not large enough. hEX lite with 16MB flash and 64MB RAM is a bit tight. RBM11G with its 256MB RAM should do better but 16MB flash will be equally tight. You may want to ha...
by mkx
Sat Sep 14, 2024 1:01 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1308
Views: 249240

Re: 📣 WinBox 4 is here 📣

Creating a flatpak manifest around a statically compiled binary as it is now is no problem at all. In this aspect, creating deb packets is not much different. Only that executable doesn't have to be statically linked, instead it's possible to declare dependencies and apt/apt-get/... will resolve th...
by mkx
Sat Sep 14, 2024 12:51 pm
Forum: Beginner Basics
Topic: Failover script for DNS is working but PiHole only shows Router IP in queries [SOLVED]
Replies: 8
Views: 727

Re: Failover script for DNS is working but PiHole only shows Router IP in queries [SOLVED]

I would simply like to know if there is any way to identify each IP on the PiHole server instead of having all queries appear with the IP of the router itself. Currently you're running a thing called "hair-pin NAT" for PiHole DNS service (the src-nat/masquerade is essential part of it). As...
by mkx
Fri Sep 13, 2024 9:54 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1308
Views: 249240

Re: 📣 WinBox 4 is here 📣

And all Cyrillic comments are unreadable in WinBox 4 It's a known issue and it's due to neglect of properly handling different encoding schemes ... all UIs simply accepted characters as bytecode and didn't interpret them according code page. So it was always a problem if one used different UIs (e.g...
by mkx
Fri Sep 13, 2024 9:35 pm
Forum: Beginner Basics
Topic: Is the Mikrotik CRS312-4C+8XG-RM correct for my 10 Gbps ethernet network?
Replies: 9
Views: 1042

Re: Is the Mikrotik CRS312-4C+8XG-RM correct for my 10 Gbps ethernet network?

Broadcast traffic in typical LAN is traffic where devices are looking for others offering certain service. Some examples: DHCP a device sends query about available DHCP server to broadcast address, initial reply is sent unicast (to network interface's MAC address) ARP requests device has to find out...
by mkx
Fri Sep 13, 2024 8:38 pm
Forum: Announcements
Topic: Newsletter #114 | September 2023
Replies: 80
Views: 18453

Re: Newsletter #114 | September 2023

Any chance with the next update that will check the model number for example CRS309-1G-8S+, and NOT install any wifi packages and remove wifi from webcfg. Since wifi is not supported. ROS built-in updater never changed list of installed packages ... with notable exception of 7.12.x where updater ma...
by mkx
Fri Sep 13, 2024 5:58 pm
Forum: Wireless Networking
Topic: 370m, 1GBit, stable: LHG-60G, nRay, ...
Replies: 12
Views: 755

Re: 370m, 1GBit, stable: LHG-60G, nRay, ...

It absolutely makes sense to have those wireless interfaces in bond. Default monitoring mode is mii which relies on underlying interface hardware to announce link failure. Additionally bond will introduce additional delay (default is 100ms) because links status monitoring is done regularly and the de...
by mkx
Fri Sep 13, 2024 5:43 pm
Forum: Beginner Basics
Topic: CRS312-4C+8XG port mirroring [SOLVED]
Replies: 15
Views: 1160

Re: CRS312-4C+8XG port mirroring [SOLVED]

I agree that it's only too confusing to have to configure one functionality in multiple places (VLANs is a good example of this lunacy). Instead here's my proposal: /interface ethernet switch port set ether2 mirroring=egress mirror-targets=ether3 set ether4 mirroring=ingress mirror-targets=ether3 se...
by mkx
Fri Sep 13, 2024 5:34 pm
Forum: General
Topic: Limit connections through web proxy
Replies: 2
Views: 427

Re: Limit connections through web proxy

The proxy service on ROS is not intended to be reverse proxy ... and even though it seems to work for you, it doesn't allow for proper configuration to operate as reverse proxy. You're saying that you have multiple web servers in your LAN. I suggest you to run a proper reverse proxy on one of them (...
by mkx
Fri Sep 13, 2024 5:26 pm
Forum: General
Topic: HIDDEN Wifi Networks
Replies: 9
Views: 637

Re: HIDDEN Wifi Networks

I can't say I understand why there is a need in my case for inventing mac addresses. I understand how ROS needs to invent mac addresses for virtual interfaces. I don't know how Ubiquitis are configured for additional SSIDs on same radio, but the end result is the same as on Mikrotik. And that is m...
by mkx
Fri Sep 13, 2024 5:17 pm
Forum: Beginner Basics
Topic: CRS312-4C+8XG port mirroring [SOLVED]
Replies: 15
Views: 1160

Re: CRS312-4C+8XG port mirroring [SOLVED]

Here you are:
sorry, but this doesn't scale ... and changes names of properties (to which you opposed).
by mkx
Fri Sep 13, 2024 5:09 pm
Forum: Wireless Networking
Topic: 370m, 1GBit, stable: LHG-60G, nRay, ...
Replies: 12
Views: 755

Re: 370m, 1GBit, stable: LHG-60G, nRay, ...

It would be interesting to see actual configuration from one of LHG-60 devices ... what I'd expect to see is either a bond (possibly active/backup mode) or simple RSTP hierarchy (which would switch over to 5GHz backup a little slower I guess). I thought the LHG-60 has no backup 5GHz?! Sorry, I mea...
by mkx
Fri Sep 13, 2024 3:46 pm
Forum: Wireless Networking
Topic: 370m, 1GBit, stable: LHG-60G, nRay, ...
Replies: 12
Views: 755

Re: 370m, 1GBit, stable: LHG-60G, nRay, ...

It would be interesting to see actual configuration from one of LHG-60 devices ... what I'd expect to see is either a bond (possibly active/backup mode) or simple RSTP hierarchy (which would switch over to 5GHz backup a little slower I guess).
by mkx
Fri Sep 13, 2024 3:34 pm
Forum: General
Topic: HIDDEN Wifi Networks
Replies: 9
Views: 637

Re: HIDDEN Wifi Networks

And in some other post you dare to call others "Nerd" ??
Tjeezz ... :shock:
I called others "Mikrotik nerds" specifically :lol:
by mkx
Fri Sep 13, 2024 3:01 pm
Forum: General
Topic: HIDDEN Wifi Networks
Replies: 9
Views: 637

Re: HIDDEN Wifi Networks

AA:16:9D is actually A8:16:9D and is a roku tv 1E:1E:E3 is actually 1C:1E:E3 and is also a roku TV 9E:05:D6 is actually 9C:05:D6 and is a U6+ AP The addresses on the left are all "locally administered addresses" (see wiki article on MAC addresses ) where the second most significant value ...
by mkx
Fri Sep 13, 2024 1:28 pm
Forum: General
Topic: RouterOS CHR limits bandwidth to ~400Mbit....
Replies: 25
Views: 1484

Re: RouterOS CHR limits bandwidth to ~400Mbit....

I know this seems to be related to a license at first, but maybe not. It's interesting to see if the problem persists on another type of hypervisor, especially in Hyper-V since it doesn't use virtio drivers for switches.

Which again points at CHR itself rather than at virtualization platform.
by mkx
Fri Sep 13, 2024 1:26 pm
Forum: General
Topic: HIDDEN Wifi Networks
Replies: 9
Views: 637

Re: HIDDEN Wifi Networks

BSSID is usually MAC address of a particular radio. So if you somehow create an inventory of all (real and virtual) radios in your network, then you should be able to figure out which SSID is transmitted by which AP.
by mkx
Fri Sep 13, 2024 1:22 pm
Forum: Beginner Basics
Topic: CRS312-4C+8XG port mirroring [SOLVED]
Replies: 15
Views: 1160

Re: CRS312-4C+8XG port mirroring [SOLVED]

the new one is (IMHO without reason) stupidly complex The new one is (potentially) flexible, it may allow this scenario: /interface ethernet switch port set ether2 mirror-egress=yes mirror-ingress=no set ether4 mirror-egress=no mirror-ingress=yes set ether5 mirror-egress=yes mirror-ingress=yes /int...
by mkx
Fri Sep 13, 2024 11:27 am
Forum: RouterBOARD hardware
Topic: NetMetal ax / L23-UGSR — initial feedback from specs
Replies: 38
Views: 5978

Re: NetMetal ax / L23-UGSR — initial feedback from specs

not sure i really follow that much. just considering a cheapo isp modem (speedport plus) that probably costs a few euro is giving me all 300mbit on wifi on default setup (80mhz channel, it's ac device). What I tried to explain (with perhaps too many words) is that many times less is more ... due to...
by mkx
Fri Sep 13, 2024 11:18 am
Forum: General
Topic: RouterOS CHR limits bandwidth to ~400Mbit....
Replies: 25
Views: 1484

Re: RouterOS CHR limits bandwidth to ~400Mbit....

I think that the most important take-away from this thread so far is that throughput drops after applying (high capacity) CHR license ... without changing any of configuration. As documented in post #10 above . Which means that the code, which enforces licensed limits inside CHR somehow misses its t...
by mkx
Fri Sep 13, 2024 10:34 am
Forum: RouterBOARD hardware
Topic: Upgrading older Mikrotik equipment
Replies: 16
Views: 1797

Re: Upgrading older Mikrotik equipment

Maybe select another brand for the SFP+ ?? MT devices can be a bit picky when it comes to working with SFP modules ... MT publishes compatibility list , but of course it only contains their own modules (and even there not every box is checked). XS+85LC01D seems to have many checks so it seems to be...
by mkx
Fri Sep 13, 2024 10:11 am
Forum: General
Topic: Static DNS type FWD to populate dynamic allowed address list: first request is blocked
Replies: 9
Views: 719

Re: Static DNS type FWD to populate dynamic allowed address list: first request is blocked

Which means that somebody configured it to do that. Again, the problem is that it does not do what it is configured to do Sherlock. And I asked you to show us how it's configured, Watson. I don't follow problems of any particular users so I don't know which bug you allegedly "encountered the l...
by mkx
Thu Sep 12, 2024 8:41 pm
Forum: General
Topic: Static DNS type FWD to populate dynamic allowed address list: first request is blocked
Replies: 9
Views: 719

Re: Static DNS type FWD to populate dynamic allowed address list: first request is blocked

The firewall blocks everything except the addresses in the dynamic list.
Which means that somebody configured it to do that.

So do you want us to start the guessing game? Otherwise post full config for review.
by mkx
Thu Sep 12, 2024 8:32 pm
Forum: General
Topic: VLAN considerations along with CapsMan
Replies: 20
Views: 1643

Re: VLAN considerations along with CapsMan

Base article to truly understand my answer that follows: viewtopic.php?t=173692

Setting of properties pvid and frame-types are settings for the router-facing port of the switch.
by mkx
Thu Sep 12, 2024 5:43 pm
Forum: General
Topic: Adding configurations to CAPSMAN
Replies: 4
Views: 325

Re: Adding configurations to CAPSMAN

One (relatively radical) possibility is to disable/re-enable capsman on hAP ac2. It should trigger all CAP devices to re-provision (CAPs get un-provisioned if they lose connection with CAPsMAN). You can also go around CAP devices and individually disable/re-enable cap client. And probably there are...
by mkx
Thu Sep 12, 2024 5:36 pm
Forum: RouterBOARD hardware
Topic: NetMetal ax / L23-UGSR — initial feedback from specs
Replies: 38
Views: 5978

Re: NetMetal ax / L23-UGSR — initial feedback from specs

Well, wifi in 5GHz sucks (almost as much as 2.4GHz). According to wifi channel allocations, there are only 3 160MHz channels available: channel 50 ranging from 5170 MHz to 5330 MHz (in ROS parlance that's center frequency 5180 with Ceeeeeee channels) channel 114 ranging from 5490 MHz to 5650 MHz (th...
by mkx
Thu Sep 12, 2024 10:55 am
Forum: SwOS
Topic: smaller version of Model CRS328-24P-48+RM
Replies: 2
Views: 585

Re: smaller version of Model CRS328-24P-48+RM

I'm looking for a small version of the Model CRS328-24P-48+RM for testing configs for a customer. I don't care about speed/sfp or dual boot. I only need switch OS. Would the CRS106-1C-5S work? I couldn't find a comparison guide. Depends on how similar the testing switch should be to the "real"...
by mkx
Thu Sep 12, 2024 10:34 am
Forum: Wireless Networking
Topic: CAPS not showing in CAPsMAN
Replies: 7
Views: 599

Re: CAPS not showing in CAPsMAN

But if there is only 1 wace2 device, why bother ? As far as info in this thread goes, @OP runs a few RBD22UGS-5HPacD2HnD (which are ac devices) and now he threw an L22UGS-5HaxD2HaxD into the mix ... which is ax device. All of these are capable of running wifi drivers (L22 only this one), so @OP wou...
by mkx
Thu Sep 12, 2024 10:28 am
Forum: Beginner Basics
Topic: Caspman Config [SOLVED]
Replies: 21
Views: 1640

Re: Caspman Config [SOLVED]

If device is fully bridged it doesn't matter if ether1 and 2 are connected
Agree to that. I was just explaining to @OP why he can't manage device via ether1 if they're running factory default config (which doesn't bridge ether1 with the rest of ports AFAIK).
by mkx
Thu Sep 12, 2024 9:24 am
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1308
Views: 249240

Re: 📣 WinBox 4 is here 📣

Thank you for the suggestion, Amm0. Added to wishlist. Behaviour should adhere to system settings. I don't use Mac, but on Windows and Linux I prefer not to have apps grouped ... and there's system-wide setting for that both in Windows and KDE (which is what I use on Linux if I can choose). In nor...
by mkx
Thu Sep 12, 2024 9:19 am
Forum: Beginner Basics
Topic: Network traffic gets slower, when adding vlans
Replies: 27
Views: 1510

Re: Network traffic gets slower, when adding vlans

It's been a while since my devices were pushed in storage starvation ... but I don't remember seeing anything in the log. Specially so not after reboot (since by default all logging goes into RAM and even if one set up logging to built-in flash, that would be unsuccessful as well due to same reason).
by mkx
Thu Sep 12, 2024 9:16 am
Forum: Beginner Basics
Topic: Caspman Config [SOLVED]
Replies: 21
Views: 1640

Re: Caspman Config [SOLVED]

Why can't I connect to the CAPs using Winbox from the router? Why do I have to physically go to each CAP just to apply my configuration? Because out of factory, default config for most MT models is "home router" mode ... in which first ether port (ether1) is used as WAN port and to protec...
by mkx
Thu Sep 12, 2024 9:08 am
Forum: Beginner Basics
Topic: Poor upload speeds with baby jumbo frames?
Replies: 7
Views: 667

Re: Poor upload speeds with baby jumbo frames?

While it's preferable to make MTU of all interfaces the same (i.e. 1500) and while it seems that @OPs ISP allows to play with these values, it could be that there's some segment in ISP's network which doesn't support full 1500 byte packets over PPPoE ... and fragmentation happens there (and also spe...
by mkx
Thu Sep 12, 2024 8:58 am
Forum: Beginner Basics
Topic: RSTP Scenario Question
Replies: 1
Views: 287

Re: RSTP Scenario Question

Not much to take care of. One major thing is to set priority on bridge of switch you want to use as "master" in STP hierarchy to value, lower than default (which is 0x8000) ... 0x2000 would be a safe value. This way you won't see topology changes if some switch changes its MAC address (if p...
by mkx
Thu Sep 12, 2024 8:43 am
Forum: Beginner Basics
Topic: Network traffic gets slower, when adding vlans
Replies: 27
Views: 1510

Re: Network traffic gets slower, when adding vlans

It would be nice, if Winbox had told me about the full disk when saving a configuration.

I agree to that. AFAIK none of GUIs actually warn user about storage being depleted ...
by mkx
Wed Sep 11, 2024 10:30 pm
Forum: Wireless Networking
Topic: CAPS not showing in CAPsMAN
Replies: 7
Views: 599

Re: CAPS not showing in CAPsMAN

1. I uninstalled wireless package from CCR1036, but now I don't have an option for Capsman anymore. You do. It's under /interface/wifi (you have to use a few subtrees there from, capsman uses profiles). On devices with ac/ax radio and with wifi-qcom (or wifi-qcom-ac) drivers installed, one configur...
by mkx
Wed Sep 11, 2024 10:25 pm
Forum: Wireless Networking
Topic: hAP ax3 - Low Wireless Strength
Replies: 7
Views: 1430

Re: hAP ax3 - Low Wireless Strength

Be careful with the fast (sponsored) answer of the Google (AI based?) search. :?
Gosh ... doesn't everybody (and their favourite pet) skip top results from search engines?
by mkx
Wed Sep 11, 2024 10:21 pm
Forum: Beginner Basics
Topic: Network traffic gets slower, when adding vlans
Replies: 27
Views: 1510

Re: Network traffic gets slower, when adding vlans

Which GUI do you use? There are WebFig (web based UI), Winbox3 (very stable) and new Winbox4 (early beta, so likely buggy) If you change detect-internet (to "none") in CLI, does it stick? And when you open that setting in GUI (which flips its setting) ... and close it without applying ... ...
by mkx
Wed Sep 11, 2024 10:15 pm
Forum: Beginner Basics
Topic: cap lite @ capsman
Replies: 3
Views: 330

Re: cap lite @ capsman

AND the hex is losing its configuration, comments and also files I created. What is going on?! Doesn't it store those things on an internal device? Check hEX for flash utilization. If it's (almost) full, then configuration changes can get lost. But that happens after reboot, running copy of config...
by mkx
Wed Sep 11, 2024 10:12 pm
Forum: Beginner Basics
Topic: Network traffic gets slower, when adding vlans
Replies: 27
Views: 1510

Re: Network traffic gets slower, when adding vlans

When I close the dialog the value I get in the CLI is wrong again.
I just leave it at "LAN", that seems to work for me.

Why don't you change it via CLI if you've gotten that far? (big thumbs up for that!)
by mkx
Wed Sep 11, 2024 2:57 pm
Forum: Wireless Networking
Topic: hAP ax3 - Low Wireless Strength
Replies: 7
Views: 1430

Re: hAP ax3 - Low Wireless Strength

RBD53iG-5HacD2HnD = hAP AC3

How to tell a Mikrotik nerd from normal people: the former can recite product codes together with their marketing model names :wink: (while the latter have to use their favourite internet search engine)
by mkx
Wed Sep 11, 2024 2:51 pm
Forum: Beginner Basics
Topic: Network traffic gets slower, when adding vlans
Replies: 27
Views: 1510

Re: Network traffic gets slower, when adding vlans

I think we can go back to "do NOT use quickset" ... if user comes to @holvoetn asking him about rules, then that user is already way past the IFs and BUTs which would potentially allow to use quickset.
by mkx
Wed Sep 11, 2024 2:39 pm
Forum: General
Topic: Adding a second /24 network troubles
Replies: 7
Views: 552

Re: Adding a second /24 network troubles

As for those two NAT rules - It's been a while since I set this up but if I remember correctly (and I can certainly test this..) without those DNS breaks and nothing resolves. From context of device config posted these rules are useless ... the TCP rule has potential to rewrite dst-port but actuall...
by mkx
Wed Sep 11, 2024 2:22 pm
Forum: Beginner Basics
Topic: Network traffic gets slower, when adding vlans
Replies: 27
Views: 1510

Re: Network traffic gets slower, when adding vlans

Avoiding it in total may be for most the wiser option. Exactly. If there were enough quickset profiles/schemes to cover like 98% of use cases, then I'd be all for quickset ... it is a cornerstone for offering MT devices to people without ROS knowledge. However since many profiles are missing (and ...
by mkx
Wed Sep 11, 2024 2:14 pm
Forum: Beginner Basics
Topic: Vlan on crs125-24g-1s-2hnd-in
Replies: 4
Views: 680

Re: Vlan on crs125-24g-1s-2hnd-in

As I already hinted: does device, connected to ether7, expect tagged VLAN 200 or not? Required configuration on switch entirely depends on this "design decision". From your observation in last line of previous post it seems that device doesn't talk VLANs ... in which case you do need the i...
by mkx
Wed Sep 11, 2024 11:55 am
Forum: RouterBOARD hardware
Topic: Upgrading older Mikrotik equipment
Replies: 16
Views: 1797

Re: Upgrading older Mikrotik equipment

Why would I need TWO (2) SFP? Future expansions? Or some other similar excuse. See answer to your last question. anything in particular that I should watch out for when ordering the fiber? I have seen a bunch of different ones on Amazon just not sure which one to get. Just keep in mind that general...
by mkx
Wed Sep 11, 2024 11:39 am
Forum: Beginner Basics
Topic: Network traffic gets slower, when adding vlans
Replies: 27
Views: 1510

Re: Network traffic gets slower, when adding vlans

4. Do NOT use quickset
This one should be made rule number -1 ... or whatever takes to make it to very top of rules.
by mkx
Wed Sep 11, 2024 11:35 am
Forum: Beginner Basics
Topic: Vlan on crs125-24g-1s-2hnd-in
Replies: 4
Views: 680

Re: Vlan on crs125-24g-1s-2hnd-in

These two settings are not coherent: /interface ethernet switch egress-vlan-tag add tagged-ports=ether2,ether7 vlan-id=200 /interface ethernet switch ingress-vlan-translation add customer-vid=0 new-customer-vid=200 new-service-vid=0 ports=ether7 The first one says that VLAN 200 has to remain tagg...
by mkx
Wed Sep 11, 2024 11:23 am
Forum: General
Topic: Adding a second /24 network troubles
Replies: 7
Views: 552

Re: Adding a second /24 network troubles

I can see one problem: /ip dhcp-server network add address=10.172.13.0/24 comment=defconf dns-server=10.172.12.1 gateway=10.172.12.1 In principle, gateway address has to be within device's subnet ... so when using 10.172.13.0/24, gw address should be e.g. 10.172.13.1. Mind that DNS server address ca...
by mkx
Wed Sep 11, 2024 9:14 am
Forum: Beginner Basics
Topic: QinQ Help needed
Replies: 1
Views: 336

Re: QinQ Help needed

Quite many windows NIC drivers automatically strip off (one layer of) 802.1Q headers ... and if running wireshark on such windows machine, lack of outer header is to be expected (in case of your 'triple header' that would be 802.1Q header with VID set to 3000). Some NIC drivers allow you to properl...
by mkx
Wed Sep 11, 2024 9:04 am
Forum: Beginner Basics
Topic: Network traffic gets slower, when adding vlans
Replies: 27
Views: 1510

Re: Network traffic gets slower, when adding vlans

... or causes random problems (worst case). Judging from the reports I have seen on the forum, the worst case seems to be the normality... Being an optimistic guy I tend to believe that most people, who have this **** enabled, don't see any problems (so they don't report anything on this forum) ......
by mkx
Tue Sep 10, 2024 7:14 pm
Forum: Beginner Basics
Topic: Network traffic gets slower, when adding vlans
Replies: 27
Views: 1510

Re: Network traffic gets slower, when adding vlans

Do yourself a favour and disable the detect internet thingy (set list to none). It's only good when one doesn't know which port is supposed to connect internet, otherwise it doesn't do anything (best case) or causes random problems (worst case). UDP flooding seems to be somewhere in between ...
by mkx
Tue Sep 10, 2024 3:41 pm
Forum: Beginner Basics
Topic: Beginner fail to port forwarding [SOLVED]
Replies: 10
Views: 1218

Re: Beginner fail to port forwarding [SOLVED]

This combination of rules is dangerous: add action=drop chain=input comment="defconf: drop all not coming from LAN" \ disabled=yes in-interface-list=!LAN ... add action=drop chain=input comment="defconf: drop all not coming from LAN" \ in-interface-list=!LAN port=2000 protocol=tc...
by mkx
Tue Sep 10, 2024 8:21 am
Forum: Beginner Basics
Topic: Network traffic gets slower, when adding vlans
Replies: 27
Views: 1510

Re: Network traffic gets slower, when adding vlans

Any reason for using "arp=proxy-arp" setting on bridge? It does somehow defeat use of VLANs (as means to separate subnets). Can you quantify the "It gets so slow, that I can hardly work anymore." statement? Although hEX is a pretty decent little device, it's not very powerful aft...
by mkx
Mon Sep 09, 2024 3:10 pm
Forum: Beginner Basics
Topic: Ax3 with POE dlink switch
Replies: 2
Views: 406

Re: Ax3 with POE dlink switch

Nope. hAP ax3 supports passive PoE-in ... with allowed voltage range between 18V and 28V. See product info: https://mikrotik.com/product/hap_ax3 Your DLink is most probably a 803.2af/at/... compliant switch which requires proper handshake between PSE (PoE switch) and PD (powered device) ... and PD h...
by mkx
Mon Sep 09, 2024 3:02 pm
Forum: General
Topic: Slow-ish upload speeds on CCR2004-16G-2S+
Replies: 15
Views: 1191

Re: Slow-ish upload speeds on CCR2004-16G-2S+

I also don't see any high CPU usage, this is a screenshot while doing the upload part of a speedtest (I assume this is what you meant with profiler?):

Yup. But select "CPU: all" to see if one single core gets maxed out (CPU: total gives averages, which are useless in this case).
by mkx
Mon Sep 09, 2024 9:06 am
Forum: General
Topic: SOLVED | RouterOS bridge blocking traffic but not SwOS [SOLVED]
Replies: 8
Views: 1193

Re: RouterOS bridge blocking traffic but not SwOS [SOLVED]

Are you sure you need these settings on bridge ports?
internal-path-cost=10 path-cost=10 trusted=yes
They are not set to these values in default config ... and trusted has potential to interfere with traffic.
by mkx
Mon Sep 09, 2024 9:02 am
Forum: General
Topic: www-ssl secure?
Replies: 5
Views: 547

Re: www-ssl secure?

Now, it be nice if the REST API support X.509 client certificates to avoid need to store the username/password on the calling machine, but it does not today. If remote side requires any sort of authentication, then it's necessary to store something on local side. If authentication requires username...
by mkx
Sun Sep 08, 2024 7:17 pm
Forum: RouterBOARD hardware
Topic: Upgrading older Mikrotik equipment
Replies: 16
Views: 1797

Re: Upgrading older Mikrotik equipment

Not sure where you got the performance figures. The number, which seems to resemble reality the best, is listed under "Routing -> 25 ip filter rules -> 512 byte packet size". For CCR2004-16G-2S+PC it's 2767.9 Mbps. For RB5009UG+S+IN it's 3096.2 Mbps. For RB3011UiAS-RM it's 452.6 Mbps. The ...
by mkx
Sun Sep 08, 2024 5:30 pm
Forum: General
Topic: Audience Boot Loop
Replies: 2
Views: 277

Re: Audience Boot Loop

My own audience runs fine at 7.15.3. It came with v6, so I netinstalled it to one of early v7 (to get wifiwave2 drivers running). After that ordinary ROS upgrades (using ROS built-in upgrader) did things just fine. So it could be your device is somehow damaged and fit for warranty replacement (I lov...
by mkx
Sun Sep 08, 2024 5:25 pm
Forum: Beginner Basics
Topic: order of fasttrack
Replies: 3
Views: 480

Re: order of fasttrack

Exactly.
by mkx
Sun Sep 08, 2024 4:15 pm
Forum: General
Topic: www-ssl secure?
Replies: 5
Views: 547

Re: www-ssl secure?

This requires /ip/services/www-ssl to be enabled. Is there any downside? Security risk? As with every ROS service, if enabled it's important to protect it from being available too widely. And that's achieved using firewall. Default firewall allows access to (all) router services from LAN. If firewa...
by mkx
Sun Sep 08, 2024 4:07 pm
Forum: Beginner Basics
Topic: order of fasttrack
Replies: 3
Views: 480

Re: order of fasttrack

A few things to remember: firewall filter rules are evaluated from top to bottom In second case this means that fasttrack rule never gets evaluated because it's "overshadowed" by regular accept rule it's a bit of a mystery as to how fasttrack rules work. One of theories is that fasttrack r...
by mkx
Sun Sep 08, 2024 1:04 pm
Forum: RouterBOARD hardware
Topic: Upgrading older Mikrotik equipment
Replies: 16
Views: 1797

Re: Upgrading older Mikrotik equipment

Both devices have ample of ports to be used as switches as well. Just beware that CRS2004 has actually 2 switches built in and traffic between both port groups passes CPU. The same is true for both SFP+ ports, they are handled directly by CPU. This is not the case with RB5009, all ports (including S...
by mkx
Sun Sep 08, 2024 12:55 pm
Forum: Wireless Networking
Topic: Ether: bridge port receiving packet with its own MAC address [SOLVED]
Replies: 19
Views: 1889

Re: Ether: bridge port receiving packet with its own MAC address [SOLVED]

... spanning trees protocols is that both RSTP and MSTP are compatible with each other so should it be the problem or part of it ? Various STP protocols may be compatible in a sense that message, created by one of those, can be processed by the others. However the way these protocols work out the h...
by mkx
Sun Sep 08, 2024 12:45 pm
Forum: General
Topic: Need some hardware recommendations for a router
Replies: 2
Views: 348

Re: Need some hardware recommendations for a router

Problems with multi-gig links are at least the following: transmitting more than 1Gbps over UTP is power-ineffective and makes transceivers hot. This is a particularly big problem with SFP+ RJ45 modules because SFP modules don't offer enough cooling. Which is then a problem when quiet operation is w...
by mkx
Sun Sep 08, 2024 12:18 pm
Forum: Wireless Networking
Topic: Ether: bridge port receiving packet with its own MAC address [SOLVED]
Replies: 19
Views: 1889

Re: Ether: bridge port receiving packet with its own MAC address [SOLVED]

Mixing MSTP and RSTP is at least part (if not the whole) of your problem. RSTP is not VLAN aware and blocks physical link if it detects a loop (the error message, mentioned in this thread's title, does indicate this condition), while with MSTP it's possible to distribute VLANs over multiple physical...
by mkx
Sat Sep 07, 2024 10:39 pm
Forum: Wireless Networking
Topic: Ether: bridge port receiving packet with its own MAC address [SOLVED]
Replies: 19
Views: 1889

Re: Ether: bridge port receiving packet with its own MAC address [SOLVED]

Try to set MAC of bridge manually ... to MAC different than any of bridge ports. For ideas about proper MAC address "invention", have a look at Universal vs. local (U/L bit) section of MAC address wikipedia article (use MAC address of one of bridge ports as a basis and apply the L bit to i...
by mkx
Sat Sep 07, 2024 10:16 pm
Forum: General
Topic: Request to upgrade SSH service in RouterOS 6.x branch
Replies: 1
Views: 340

Re: Request to upgrade SSH service in RouterOS 6.x branch

MT staff (I think it was @normis) clearly stated, that ROS v6 is feature-frozen, it'll receive only (some?) security fixes. Support for elliptic cipher algorithms is IMO not security issue. After all, OpenSSH did not discontinue support for legacy algorithms, they were deprecated ... meaning they ar...
by mkx
Sat Sep 07, 2024 10:08 pm
Forum: General
Topic: ERR_CONNECTION_CLOSED
Replies: 4
Views: 908

Re: ERR_CONNECTION_CLOSED

You will definitely have to troubleshoot the whole path between API client and server. Start by running wireshark on both and compare the captured traffic. If captures are identical on both ends, then it's entirely between client and server. If they differ, then it's something in between that interf...
by mkx
Fri Sep 06, 2024 3:55 pm
Forum: General
Topic: Internet slow with Mikrotik router
Replies: 5
Views: 575

Re: Internet slow with Mikrotik router

Apart from making configuration as similar to default (as suggested by @tangent) ... I'd start by removing DHCP client from anything but vlan2 interface. If your router manages to obtain DHCP lease on more than one interface, it may get lost as to which default route it should use. removing vlan4 in...
by mkx
Fri Sep 06, 2024 3:23 pm
Forum: General
Topic: ERR_CONNECTION_CLOSED
Replies: 4
Views: 908

Re: ERR_CONNECTION_CLOSED

Mikrotik firewall is L4 firewall ... so it operates up to TCP/UDP - i.e. it blocks traffic passing to/from specific IP address/port combination. It does not look into contents (e.g. HTTP response codes)[*]. ROS might do something about it if you actually managed to (ab)use proxy service on ROS to se...
by mkx
Fri Sep 06, 2024 3:14 pm
Forum: General
Topic: IPv6 for SSH Tunnel Server
Replies: 17
Views: 1447

Re: IPv6 for SSH Tunnel Server

When creating ssh connection to your router, define "local port forwarding" with IPv6 address of remote host. Command line example in linux would look like this:
ssh 192.168.88.5 -L 20202:[fe80::ae1f:6bff:feb0:26bc]:80
The trick on OpenSSH client is to enclose the IPv6 address in square br...
by mkx
Fri Sep 06, 2024 10:40 am
Forum: Beginner Basics
Topic: LAN to LAN basics
Replies: 21
Views: 2357

Re: LAN to LAN basics

@mkx Well, I paid 1.80 for that same cable, so it costs us nothing - combined - we are still ahead, and we can even afford to pay the unjust and unfair duty the Sheriff of Nottingham just imposed on us. If we're still ahead or not depends on tax rate that Sheriff (a.k.a. @anav) is trying to charge ...
by mkx
Fri Sep 06, 2024 9:25 am
Forum: Beginner Basics
Topic: hAP ax3 Routing stopped working
Replies: 4
Views: 511

Re: hAP ax3 Routing stopped working

Did you, by any chance, click around QuickSet? Using QuickSet (part of Webfig and Winbox, the "light version of UI") is pretty dangerous if one ever configures anything outside QuickSet (many of us think that when user clicks WebFig button the first time, QuickSet button should simply disa...
by mkx
Fri Sep 06, 2024 9:22 am
Forum: Beginner Basics
Topic: Connecting 2 cAP ac to hEXs using PoE
Replies: 2
Views: 396

Re: Connecting 2 cAP ac to hEXs using PoE

No. PoE-out limit on hEX S is 500mA and if using "stock" power adapter (at 24V), that translates into 12W. Single cAP ac power consumption is rated at 12W (without attachments). Additionally, "stock" power adapter is rated at 1.2A, at 24V this is 28.8W. hEX S own consumption is 6...
by mkx
Fri Sep 06, 2024 9:08 am
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1308
Views: 249240

Re: 📣 WinBox 4 is here 📣

Some devices simply do not support health monitoring. It's not a winbox bug! I can understand @maisondasilva where he'd like to have the "pull out" list of items invariant. So perhaps the items, not feasible for a particular connected device could be present on the list but inactive (and ...
by mkx
Thu Sep 05, 2024 8:40 pm
Forum: General
Topic: lo iface in LAN list
Replies: 11
Views: 678

Re: lo iface in LAN list

I'm pretty sure that router, when ND is enabled, sends out packets to broadcast address via all interfaces (which includes lo). And again, as I wrote, sending traffic to broadcast on lo won't yield any response. Which means that dropping such traffic doesn't do any harm. The only issue here is your ...
by mkx
Thu Sep 05, 2024 7:31 pm
Forum: General
Topic: DHCP is offered but not bound to Brother printers only [SOLVED]
Replies: 36
Views: 2354

Re: DHCP is offered but not bound to Brother printers only [SOLVED]

/interface bridge add admin-mac=48:A9:8A:XX:YY:ZZ auto-mac=no comment=defconf frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes
You can check it with either UI or by typing
/interface bridge export verbose
There is pvid=1 which is not exported since it's default value, but it is sti...
by mkx
Thu Sep 05, 2024 6:47 pm
Forum: General
Topic: lo iface in LAN list
Replies: 11
Views: 678

Re: lo iface in LAN list

And that traffic is being sent to broadcast address ... since only device, attached to that "network", is sender itself, it won't get any answer ... like ever. So dropping this traffic doesn't change anything. It would be different, if some service would try to connect another internal ser...
by mkx
Thu Sep 05, 2024 6:37 pm
Forum: Beginner Basics
Topic: LAN to LAN basics
Replies: 21
Views: 2357

Re: LAN to LAN basics

... VLAN1 ... leave it alone, since it costs nothing.

How can you say that not using VLAN 1 costs us nothing? I paid 1.85€ for an UTP patch cord for use with trunk connection. If I can't use VLAN 1, I'm losing 0.00045 € due to reduced functionality !!!
by mkx
Thu Sep 05, 2024 6:21 pm
Forum: Wireless Networking
Topic: Legacy and new CAPsMan on the same x86 device
Replies: 6
Views: 915

Re: Legacy and new CAPsMan on the same x86 device

Depends on how you want it to work exactly. Fyi, legacy supports CAPsMAN forwarding, wifi-qcom(-ac) doesn't. Thanks, What I need to do is to add some ax devices in remote site and get the CAPsMAN forwarding work. Is that possible? No, capsman forwarding with new capsman is not possible. Period. You'l...
by mkx
Thu Sep 05, 2024 7:52 am
Forum: Wireless Networking
Topic: Slow WiFi [SOLVED]
Replies: 31
Views: 2677

Re: Slow WiFi [SOLVED]

I'm guessing then that we installed wifi-qcom-ac above wifi-qcom because it's smaller and the settings are practically the same? Adding to post by @jaclaz: yes, you installed wifi-qcom-ac because it's smaller. And that's exactly the reason for its existence, some ac devices have the tiny 16MB flash ...
by mkx
Wed Sep 04, 2024 11:47 pm
Forum: General
Topic: TX/RX packet errors via lte rndis0 (usb)
Replies: 4
Views: 493

Re: TX/RX packet errors via lte rndis0 (usb)

You're right, could be a bug in android's ifconfig. Another possibility is (again android's) RNDIS stack which erroneously handles ethernet frame checksum ... but doesn't discard frame due to mismatch (could be RNDIS driver on MT to blame as well). But, as you may have guessed by now, I'm just guess...
by mkx
Wed Sep 04, 2024 4:08 pm
Forum: Beginner Basics
Topic: How communicate between router without involving WAN [SOLVED]
Replies: 7
Views: 997

Re: How communicate between router without involving WAN [SOLVED]

Shouldn't there also be 7. add ether5 on both routers to WAN interface list and remove from LAN (if present) Well, my post starts with "in a few words" :wink:. Of course actual list of things to do greatly depends on actual configuration of both routers and wanted end state (from function...
by mkx
Wed Sep 04, 2024 3:51 pm
Forum: General
Topic: TX/RX packet errors via lte rndis0 (usb)
Replies: 4
Views: 493

Re: TX/RX packet errors via lte rndis0 (usb)

Rx errors are often not detected on the other (Tx) side ... so the discrepancy in errors statistics is nothing weird. I can think of several reasons for Rx errors to happen ... ranging from "noisy" USB cable to (performance) problems in USB stack (and higher) on the android LTE device. If ...
by mkx
Wed Sep 04, 2024 3:44 pm
Forum: General
Topic: /31 through a IPSec over GRE tunnel
Replies: 7
Views: 629

Re: /31 through a IPSec over GRE tunnel

this is considered PtP addressing and works fine
Not everybody knows the name for it ... and certainly not everybody knows how to use it properly ... hence post by @TheCat12 (which is, unlike yours, useful)
by mkx
Wed Sep 04, 2024 3:32 pm
Forum: Beginner Basics
Topic: How communicate between router without involving WAN [SOLVED]
Replies: 7
Views: 997

Re: How communicate between router without involving WAN [SOLVED]

In a few words:
1. remove ether5 from list of bridge ports on both routers
2. assign IP addresses to ether5 on both routers. Use e.g. 192.168.42.1/30 on M1 and 192.168.42.2/30 on M2
3. add static routes to reach other LAN via opposite router. E.g. on M1 do /ip/route/add dst-address=192.168.1.0/24 gateway=192...
by mkx
Wed Sep 04, 2024 3:23 pm
Forum: Beginner Basics
Topic: best way to create vlan interface
Replies: 1
Views: 446

Re: best way to create vlan interface

Hey guys, i moved newly from opnsense to CHR ROs setup on proxmox, the concept of vlan seems much harder to wrap the head around. This is de-facto guide to how to VLAN on ROS: https://forum.mikrotik.com/viewtopic.php?t=143620 And, while at it, you might want to wrap your head around bridge and its ...
by mkx
Wed Sep 04, 2024 3:19 pm
Forum: Announcements
Topic: v7.15.3 [stable] is released!
Replies: 655
Views: 257173

Re: v7.15.3 [stable] is released!

The runtime is 20 days, and currently, the DNS cache has grown to 42,375 KiB. The DNS memory leak in RouterOS 7.15.3 is continuously occurring. Why have you set Cache size to 64MB? This. It's not a memory leak if service uses up to amount of RAM assigned. In this particular case, even if some DNS c...
by mkx
Wed Sep 04, 2024 3:13 pm
Forum: Announcements
Topic: v7.16rc [testing] is released!
Replies: 362
Views: 113051

Re: v7.16rc [testing] is released!

... on 1 cap AC using wifi-qcom-ac driver...

Oddly enough, no such issue on ac2 with exact same config (same RAM amount so why ??).
hAP ac2 has 3 more ethernet ports, so more buffer on switch chip is in use ... perhaps that's a life saver? LOL
by mkx
Tue Sep 03, 2024 5:49 pm
Forum: SwOS
Topic: Configure SwOS as fully Unmanaged for SonicWALL HA
Replies: 1
Views: 923

Re: Configure SwOS as fully Unmanaged for SonicWALL HA

VLAN and "fully unmanaged" don't go together in same sentence.

The closest to fully unmanaged switch MT switch can get (both SwOS and ROS) is default switch config with xSTP fully disabled (both globally and per-port).
by mkx
Tue Sep 03, 2024 4:11 pm
Forum: Beginner Basics
Topic: Amazon Firestick issues
Replies: 8
Views: 950

Re: Amazon Firestick issues

If I connect directly to my ISP's router the firesticks (2) will work but not if behind the mikrotik

Sometimes wifi stations cache connection failures and refuse even to try to reconnect to AP with MAC remembered as "problematic".
by mkx
Tue Sep 03, 2024 9:17 am
Forum: General
Topic: netinstall ethernet port of hap ax3?
Replies: 4
Views: 516

Re: netinstall ethernet port of hap ax3?

I'll stick with v7, I believe it's v7.15.3. I don't see v7.5 on routeros download page. On v7 it's generally safest to stick to latest stable release. Indeed there are some problems with newest versions on certain devices and then it's wise to run slightly older (e.g. some people have some problems...
by mkx
Mon Sep 02, 2024 7:10 am
Forum: Wireless Networking
Topic: Wireless interference between devices in close vicinity
Replies: 17
Views: 1303

Re: Wireless interference between devices in close vicinity

The problem is power pre-amplifier (PPA) in receive path and its automatic gain control. It has to amplify analog received signals so that they enter the analog-digital converter at certain level. The problem is that PPA doesn't know the exact frequency used and amplifies the whole 2.4GHz band ... i...
by mkx
Sun Sep 01, 2024 10:32 pm
Forum: Beginner Basics
Topic: Newbie Configuration-RB3011UiAS
Replies: 10
Views: 1597

Re: Newbie Configuration-RB3011UiAS

It seems that DHCP parameters are not meant to be received from both VLANs by the same routing instance. So now the question: what's the intended layout of your LAN devices (including VoIP devices)? I don't have VoIP, but my ISP delivers IPTV over tagged and multicast. It is possible to terminate th...
by mkx
Sun Sep 01, 2024 9:11 pm
Forum: Beginner Basics
Topic: Newbie Configuration-RB3011UiAS
Replies: 10
Views: 1597

Re: Newbie Configuration-RB3011UiAS

10.50.131.150 does not fit into 10.126.0.0/17 (this one covers range 10.126.0.1 - 10.126.127.254) but you don't have any specific router which would match better than default via pppoe internet interface. You can try to add a route towards 10.50.131.150. Ideally you'd use some gateway address (which...