Search found 6149 matches

by mkx
Fri Jul 23, 2021 9:52 pm
Forum: Wireless Networking
Topic: Mikrotik - Early Access beta hardware?
Replies: 11
Views: 383

Re: Mikrotik - Early Access beta hardware?

@anav, so you became a mind reader after all, you know what @rextended had in mind when he wrote what he wrote. However, OP in his initial post expressly asked about "...for early access hardware or beta testing." So I took the whole sentence to be about hardware as we all have opportunity...
by mkx
Fri Jul 23, 2021 9:46 pm
Forum: General
Topic: CRS 2XX Management VLAN Question
Replies: 4
Views: 94

Re: CRS 2XX Management VLAN Question

Your setup seems fine with regard to vlan100 ... the switch chip settings, bridge and vlan interface. However, you have a small mess with trunked ports ether23 and ether24. The basic idea is that when ports become members of trunk, they are not referred by configuration anymore. Instead port trunk1 ...
by mkx
Fri Jul 23, 2021 6:24 pm
Forum: General
Topic: time of last config change
Replies: 2
Views: 62

Re: time of last config change

No, time of last change is not available.

There are tools to show differences in (text) files, it's possible to automate process.
by mkx
Fri Jul 23, 2021 6:22 pm
Forum: General
Topic: CRS 2XX Management VLAN Question
Replies: 4
Views: 94

Re: CRS 2XX Management VLAN Question

Post configuration for review: /export hide-sensitive file=anynameyouwish and copy-paste contents.
by mkx
Fri Jul 23, 2021 6:04 pm
Forum: Wireless Networking
Topic: Mikrotik - Early Access beta hardware?
Replies: 11
Views: 383

Re: Mikrotik - Early Access beta hardware?

Just one... correction... I disagree. Most devices older than 2 or 3 years are quite stable. Perhaps the newest in the roster (those depending on v7) will take a while longer to stabilize due to ROS v7 own instability. Unless devices are actually flawed by design (one might say that about e.g. RB40...
by mkx
Fri Jul 23, 2021 5:57 pm
Forum: General
Topic: Auto Run script on reset
Replies: 4
Views: 110

Re: Auto Run script on reset

Sure, almost nothing is really fool-proof. But I'd assume most tenants fiddling would simply push reset button and for that netinstall with custom configuration script is good enough. As soon as tenants get hold of admin password it's game over.
by mkx
Fri Jul 23, 2021 3:17 pm
Forum: General
Topic: Auto Run script on reset
Replies: 4
Views: 110

Re: Auto Run script on reset

You can install your own default configuration (which gets applied after device reset) when using netinstall for "bare metal" software install ... read description of Configure script property.
by mkx
Fri Jul 23, 2021 2:41 pm
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 36
Views: 2799

Re: MikroTik RB5009UG+S+IN

The routing performance increase compared to RB4011, as indicated in RB5009 propaganda, is not true. E.g. number under "Routing -> 25 ip filter rules -> 512 byte packets" shown in RB5009 propaganda is 624.3 kpps / 2557.1 Mbps. Official RB4011iGS+RM test results have in same "table cel...
by mkx
Fri Jul 23, 2021 2:23 pm
Forum: RouterBOARD hardware
Topic: The big CCR2004 reboot thread (was 2004 hardware issues?)
Replies: 186
Views: 24229

Re: The big CCR2004 reboot thread (was 2004 hardware issues?)

... and they are now asking me shitty CLI things... ... why network guys suggest it ? Mikrotik devices (running ROS in particular) are not really something to recommend to people with attitude towards CLI as you have. Most network guys, who know their stuff (be it Cisco, Juniper, ... or Mikrotik), ...
by mkx
Fri Jul 23, 2021 2:13 pm
Forum: Beginner Basics
Topic: Allow Remote DNS Requests
Replies: 6
Views: 303

Re: Allow Remote DNS Requests

... you will get in real trouble sooner or later!

Rather sooner than later.
by mkx
Fri Jul 23, 2021 11:45 am
Forum: Wireless Networking
Topic: Can't get started with mAP lite [SOLVED]
Replies: 4
Views: 117

Re: Can't get started with mAP lite [SOLVED]

You could try using WinBox with MAC connectivity to get into mAP lite. Before you ask: WinBox runs happily under Wine in Linux (and in similar windows-like environment in MacOS).
by mkx
Fri Jul 23, 2021 8:38 am
Forum: Wireless Networking
Topic: Mikrotik - Early Access beta hardware?
Replies: 11
Views: 383

Re: Mikrotik - Early Access beta hardware?

Yup ... buy new model devices from your local MT distributor and you're hooked up for beta testing. Or so it seems ...
by mkx
Fri Jul 23, 2021 8:28 am
Forum: Wireless Networking
Topic: Weird speed problem, bridged network
Replies: 7
Views: 232

Re: Weird speed problem, bridged network

b-c using 5230/20/an, f-g using 5220/20/an. I thought I was guaranteed no mutual interference between single 5GHz channels. ROS lets one set things which are not exactly according to standards / best practice. If you check the list of 5GHz channels you'll see that valid channel frequencies for 20MH...
by mkx
Thu Jul 22, 2021 4:27 pm
Forum: Wireless Networking
Topic: CAP AC, HAP AC2, CAPSMAN and channels
Replies: 14
Views: 646

Re: CAP AC, HAP AC2, CAPSMAN and channels

Thanks. I've learned another way of setting per-CAP settings (apart from making it in /capsman provisioning).
by mkx
Thu Jul 22, 2021 4:18 pm
Forum: Beginner Basics
Topic: CRS309 slow internet
Replies: 9
Views: 259

Re: CRS309 slow internet

No, CCR20xx devices are very fast with regard to routing and firewalling. CRS309 is a switch with low routing/firewalling speed. The speed difference between CCR20xx and CRS309 is more than 10-fold. What I wrote about CRS309 running ROS v7 is a future prospect which will become true in yet unknown t...
by mkx
Thu Jul 22, 2021 12:11 pm
Forum: Beginner Basics
Topic: CRS309 slow internet
Replies: 9
Views: 259

Re: CRS309 slow internet

When it comes to routing, both routers will dance circles around CRS309. Both routers might even route at 10Gbps depending on usage pattern. With ROSv7 CRS309 will become a great wire-speed router, when used as firewall it will depend on usage pattern (might be wire-speed or as slow as it is with RO...
by mkx
Thu Jul 22, 2021 11:57 am
Forum: Beginner Basics
Topic: CRS309 slow internet
Replies: 9
Views: 259

Re: CRS309 slow internet

Depending on amount of packet processing, needed to forward a packet between two router's interfaces, the net throughput can vary quite a lot. However, in typical SOHO environment a pretty good indication of device's performance is the number under "Ethernet Test Results -> Routing 25 ip filter...
by mkx
Thu Jul 22, 2021 10:57 am
Forum: Wireless Networking
Topic: The best simple way for multiSSID (guest) in Capsman
Replies: 3
Views: 136

Re: The best simple way for multiSSID (guest) in Capsman

True guest network is more than additional SSID ... it needs additional LAN setup (VLAN for L2 separation, IP setup on that VLAN). CAPsMAN is only there to provision radio interfaces (with VLAN IDs if needed), the rest has to be done manually ... most of it on router, depending on particular scenari...
by mkx
Thu Jul 22, 2021 10:54 am
Forum: Wireless Networking
Topic: Weird speed problem, bridged network
Replies: 7
Views: 232

Re: Weird speed problem, bridged network

Can you try UDP throughput test (e.g. using iperf)? I'm guessing that double RTT combined with power save kicking in makes TCP performance drop to floor while UDP performance might remain high. If that's so, you might want to look into WMM priorities...
by mkx
Wed Jul 21, 2021 3:26 pm
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 36
Views: 2799

Re: MikroTik RB5009UG+S+IN

But if there was a RB5018UG+S+RM ... I'd be in the line for one already ;-) A passively cooled CCR2004 with 16x 1Gbit and 2x SFP+ is coming. Not really the same. Specifications of RB5009 include a very fine switch chip (Marvell 88E6393), while CCR doesn't have one (PIPE is not switch chip, it's a d...
by mkx
Wed Jul 21, 2021 12:33 pm
Forum: Wireless Networking
Topic: CAP AC, HAP AC2, CAPSMAN and channels
Replies: 14
Views: 646

Re: CAP AC, HAP AC2, CAPSMAN and channels

Can you show export of such setup? I'm intrigued ;-)
by mkx
Wed Jul 21, 2021 12:29 pm
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 36
Views: 2799

Re: MikroTik RB5009UG+S+IN

I guess that enclosure as it is is to offer enough cooling surface ... for device being passively cooled and intended to be mounted in a dense pack (two one above another, two side-by-side) it needs some smartly designed enclosure. But if there was a RB5018UG+S+RM ... I'd be in the line for one alre...
by mkx
Wed Jul 21, 2021 12:22 pm
Forum: Wireless Networking
Topic: CAP AC, HAP AC2, CAPSMAN and channels
Replies: 14
Views: 646

Re: CAP AC, HAP AC2, CAPSMAN and channels

But does this way of setting things survive reboots (of either CAPsMAN or CAP)? The way I described settings are there for good. Configuration export and backup file has it as well ...
by mkx
Wed Jul 21, 2021 12:19 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta6 [development] is released!
Replies: 320
Views: 41410

Re: v7.1beta6 [development] is released!

We have such routing switches at work, and they are routing between VLANs inside an office. Do you enforce firewall filter for inter-VLAN connections? Without firewall enabled, those connections would be purely routed and for inter-VLAN routing the L3HW routing table is plenty large. OTOH, when I w...
by mkx
Wed Jul 21, 2021 11:29 am
Forum: Wireless Networking
Topic: CAP AC, HAP AC2, CAPSMAN and channels
Replies: 14
Views: 646

Re: CAP AC, HAP AC2, CAPSMAN and channels

@gotsprings: how exactly do you adjust settings for particular CAP? It is possible to set particular parameters for a CAP even if create-dynamic-enabled if you create per-CAP provisioning rules ... for this to work several provisioning rules are needed: a general catch-all rule and several specific ...
by mkx
Wed Jul 21, 2021 8:21 am
Forum: RouterOS v7 BETA
Topic: v7.1beta6 [development] is released!
Replies: 320
Views: 41410

Re: v7.1beta6 [development] is released!

if i may ask, what is the expected use case of offloading fasttracked connections? Wirespeed routing with firewall enabled? I agree that 4k connections is small number even for a small business let alone for an ISP, but that doesn't mean the functionality should not be developed. It's just that one...
by mkx
Wed Jul 21, 2021 8:08 am
Forum: RouterBOARD hardware
Topic: MikroTik RB5009UG+S+IN
Replies: 36
Views: 2799

Re: MikroTik RB5009UG+S+IN

This one is a prime candidate for 4+ antennae WiFi version. Ugly as a sin, but it seems that's the way gameboys like it. On the serious note: if it had wireless, then the argumentation about particular form factor is not valid anymore. So if it came as wireless version, it would likely come in larger...
by mkx
Wed Jul 21, 2021 7:53 am
Forum: RouterOS v7 BETA
Topic: L3HW User Manual Updated
Replies: 16
Views: 1769

Re: L3HW User Manual Updated

I still don't fully understand why PVID setting is mandatory in practice. @raimondsp writes that omitting to set it keeps the default setting of pvid=1 (which we already know very well), but the argument about bridging the port with other ports with pvid=1 seems moot to me if frame-types property i...
by mkx
Tue Jul 20, 2021 9:11 am
Forum: RouterBOARD hardware
Topic: Constantly 'poe-status: power_reset' in hEX PoE [SOLVED]
Replies: 3
Views: 261

Re: Constantly 'poe-status: power_reset' in hEX PoE [SOLVED]

As I found out somewhere else, the reason they ship hEX PoE with 24V supply is to support passive PoE (which does not work with 48V power supply). As a matter of fact passive PoE does work with 48V power supply. It's that many (older) Mikrotik devices don't support supply voltages above around 30V,...
by mkx
Tue Jul 20, 2021 9:00 am
Forum: RouterOS v7 BETA
Topic: Fastpath with Input rules
Replies: 5
Views: 709

Re: Fastpath with Input rules

I guess that the thing is that when there are any firewall filter rules (which by definition enables stateful firewall), connection tracking has to be performed (because that's how connection state is determined). Connection tracking result is one of inputs for routing decision which in turn decides...
by mkx
Mon Jul 19, 2021 10:39 pm
Forum: RouterBOARD hardware
Topic: Constantly 'poe-status: power_reset' in hEX PoE [SOLVED]
Replies: 3
Views: 261

Re: Constantly 'poe-status: power_reset' in hEX PoE [SOLVED]

The PD complies with IEEE 802.3af and draws max. 3W at 24V. 802.3af/at and 24V don't go together. If you want to power an af/at PD, then you need a 48V power supply for RB960PGS. RB doesn't convert voltages, only passes whatever it receives from power adapter ... and don't start another round of qu...
by mkx
Mon Jul 19, 2021 5:43 pm
Forum: General
Topic: How to connect 2 networks
Replies: 7
Views: 278

Re: How to connect 2 networks

From functional point of view any mikrotik with at least 2 ethernet ports will do. From performance point of view they are not same after all, you will use it as router/firewall, which does stress device more than simple switching traffic. So it depends on what kind of performance you expect from it.
by mkx
Mon Jul 19, 2021 5:34 pm
Forum: Beginner Basics
Topic: Port 2 deletion in year 2021
Replies: 7
Views: 377

Re: Port 2 deletion in year 2021

It's better to change bridge MAC address. Physical ports have each one factory default (tied to hardware) while bridge is always "inventing" its own MAC address ... this way or another. One way is to use MAC of ether2 but replace second hex-digit from left with one of 2,6,A,E. E.g. if MAC ...
by mkx
Mon Jul 19, 2021 10:14 am
Forum: Beginner Basics
Topic: Port 2 deletion in year 2021
Replies: 7
Views: 377

Re: Port 2 deletion in year 2021

It brings down the network because bridge MAC address changes. By default bridge takes MAC address of first active member port and by default that's ether2. When you remove ether2 from bridge, it takes another MAC address (possibly of ether3 if that port is still member of bridge) and because of tha...
by mkx
Mon Jul 19, 2021 10:04 am
Forum: Beginner Basics
Topic: Having trouble blocking Port 22
Replies: 1
Views: 149

Re: Having trouble blocking Port 22

By default IP firewall doesn't filter traffic passing between bridged ports. If you want to enforce firewall rules on that traffic, you need in general two additional settings: set use-ip-firewall=yes in /interface bridge settings make sure traffic passing particular port (in your case ether1 with s...
by mkx
Sun Jul 18, 2021 7:41 pm
Forum: RouterBOARD hardware
Topic: Precision Time Protocol (PTP, IEEE 1588) Support
Replies: 20
Views: 1008

Re: Precision Time Protocol (PTP, IEEE 1588) Support

This is a forum for networking devices and not about my personal toying with time synchronization. Right. So you came to forum asking for PtP support on ridiculously cheap devices but when asked for you don't want to explain use case. So far all use cases requiring PtP (more than one) I know requir...
by mkx
Sun Jul 18, 2021 4:22 pm
Forum: Beginner Basics
Topic: Using sign § in password [SOLVED]
Replies: 5
Views: 325

Re: Using sign § in password [SOLVED]

As I wrote: there are many character encodings out there. Nowadays there's no reason not to use UTF-8 everywhere, but for historical reason many different encodings are used in various places and inter-working is not always smooth. The most frequent problem is assumption that application's "nati...
by mkx
Sun Jul 18, 2021 4:12 pm
Forum: Beginner Basics
Topic: Using sign § in password [SOLVED]
Replies: 5
Views: 325

Re: Using sign § in password [SOLVED]

OP is writing about "paragraph" sign, not about "dollar" sign.
by mkx
Sun Jul 18, 2021 3:32 pm
Forum: RouterBOARD hardware
Topic: Precision Time Protocol (PTP, IEEE 1588) Support
Replies: 20
Views: 1008

Re: Precision Time Protocol (PTP, IEEE 1588) Support

@2bn2t: I still fail to see use case for PtP support on low-end devices such as hAP ac2 or RB4011 (or even CCR routers for that matter). Can you kindly describe one for me (something that doesn't involve professional use where I'd expect professional devices in use)?
by mkx
Sun Jul 18, 2021 3:27 pm
Forum: Beginner Basics
Topic: Using sign § in password [SOLVED]
Replies: 5
Views: 325

Re: Using sign § in password [SOLVED]

Non-ascii characters have multiple different encodings and if both parties don't (actively) agree about which encoding is used, then there are problems. Winbox quite likely (implicitly) uses encoding associated to your windows language settings while webfig (and TikApp) uses some kind of http-encoded...
by mkx
Sun Jul 18, 2021 2:17 pm
Forum: General
Topic: ASK [current tx power]
Replies: 2
Views: 220

Re: ASK [current tx power]

Seems like it never worked on ac wireless chips. Whether the functionality (reporting) is not available from chipsets or MT didn't implement reading on those chips is question for MT devs.
by mkx
Sun Jul 18, 2021 1:18 pm
Forum: General
Topic: Port trunking problems [SOLVED]
Replies: 3
Views: 264

Re: Port trunking problems [SOLVED]

Post current (non-working) config and the diagram. Post text export (execute /export hide-sensitive file=anynameyouwish and copy-paste file contents).
by mkx
Sun Jul 18, 2021 1:15 pm
Forum: Beginner Basics
Topic: Have two SXTSQ lite5, nont would reinstall
Replies: 1
Views: 134

Re: Have two SXTSQ lite5, nont would reinstall

I guess only advice is to keep trying with netinstall. Netinstall process is highly fragile and you have to observe all requirements as set forth in netinstall manual. Often the cause of failing to do process correctly lies in (slightly) incompatible hardware and settings of PC used in the process. ...
by mkx
Sun Jul 18, 2021 1:07 pm
Forum: Beginner Basics
Topic: RouterOS do not drop unknown vlans?
Replies: 5
Views: 377

Re: RouterOS do not drop unknown vlans?

The thing is that with setting vlan-filtering=yes on bridge, ROS enforces certain level of security. One notable setting is subtree /interface bridge vlan which defines egress filtering. If you want to make CRS transparent to VLANs (and agree to move VLAN security to connected devices), then set vla...
by mkx
Sun Jul 18, 2021 12:16 pm
Forum: RouterOS v7 BETA
Topic: Routing speeds on v7 RB4011
Replies: 10
Views: 1087

Re: Routing speeds on v7 RB4011

... use under 15W ... Just bolt loads of Turbos and Superchargers to it and make it ludicrous! In the world where turbos and superchargers are meant verbatim, bolting those almost every time means that owner doesn't want to think about energy consumption (which is reflected to MPG which, in contrar...
by mkx
Sat Jul 17, 2021 11:41 pm
Forum: General
Topic: wireless client issue
Replies: 2
Views: 255

Re: wireless client issue

In short: either configure hAP lite as "client-pseudobridge" or "client-pseudobridge-clone" mode. But the result won't be ideal either way.

You can read longer article about the problems with setup like yours here.
by mkx
Sat Jul 17, 2021 7:26 pm
Forum: Wireless Networking
Topic: CAP AC, HAP AC2, CAPSMAN and channels
Replies: 14
Views: 646

Re: CAP AC, HAP AC2, CAPSMAN and channels

Channels "which do nothing" are DFS channels. When AP selects one of those channels as candidate for operations, it has to monitor activity on channel for 1 to 10 minutes and be silent during that period of time.
by mkx
Sat Jul 17, 2021 12:34 pm
Forum: Wireless Networking
Topic: CAP AC, HAP AC2, CAPSMAN and channels
Replies: 14
Views: 646

Re: CAP AC, HAP AC2, CAPSMAN and channels

The problem with CAPsMAN provisioned wireless network is that CAPs still autonomously select channels to operate (out of list of allowed channels provisioned by CAPsMAN) - unless you manually configure provisioning rules for each CAP. If all CAPs do the frequency scans at the very same time (e.g. aft...
by mkx
Sat Jul 17, 2021 12:17 pm
Forum: General
Topic: The problem with changing the ROS version
Replies: 1
Views: 221

Re: The problem with changing the ROS version

I suggest you to perform full netinstall. This procedure formats flash storage and removes all configuration. As you're mentioning multiple IP addresses it seems like you're using the device as router. There are multiple problems with such usage: CRS3xx devices are primarily switches. While they ca...
by mkx
Sat Jul 17, 2021 12:11 pm
Forum: General
Topic: PowerboxPro VLAN switching
Replies: 4
Views: 344

Re: PowerboxPro VLAN switching

You could use switch chip to do the tagging/untagging on ether ports and use bridge without vlan-filtering. This way bridge would act as dumb switch and SFP port would be trunk port for all VLANs available to CPU. Which is not all VLANs on switched ports, you can set VLAN membership for switch-cpu1 ...
by mkx
Fri Jul 16, 2021 3:35 pm
Forum: RouterBOARD hardware
Topic: Precision Time Protocol (PTP, IEEE 1588) Support
Replies: 20
Views: 1008

Re: Precision Time Protocol (PTP, IEEE 1588) Support

I find it hard to believe that any LTE base station (except picocells) would not have sufficient GPS reception to synchronize time. ... Only indoor installations could have problems with that. In some LTE networks, indoor installations make up for more than 50% of locations. Go figure. I use the se...
by mkx
Fri Jul 16, 2021 8:09 am
Forum: RouterBOARD hardware
Topic: Precision Time Protocol (PTP, IEEE 1588) Support
Replies: 20
Views: 1008

Re: Precision Time Protocol (PTP, IEEE 1588) Support

What exactly in typical office environment requires timing precision better than millisecond? Not all environments are office environments! I think he is hinting that it may be e.g. a recording studio environment. OP was asking about PTP availability on hAP ac2 ... personally I wouldn't use this un...
by mkx
Fri Jul 16, 2021 7:59 am
Forum: Beginner Basics
Topic: need to assign vlan to a bridge
Replies: 2
Views: 231

Re: need to assign vlan to a bridge

You want to go through this tutorial to get more or less complete overview of how to configure VLANs properly.
by mkx
Thu Jul 15, 2021 11:34 pm
Forum: RouterBOARD hardware
Topic: Precision Time Protocol (PTP, IEEE 1588) Support
Replies: 20
Views: 1008

Re: Precision Time Protocol (PTP, IEEE 1588) Support

I hope I understand you. I think that’s sarcasm? Yes, it is sarcasm, but only partially. IEEE1588v2 is essentially NTP with HW support. The net effect is higher time precision, both as absolute time and jitter. But one has to put things into perspective: plain old NTP can give precision in order o...
by mkx
Thu Jul 15, 2021 8:46 pm
Forum: RouterBOARD hardware
Topic: Precision Time Protocol (PTP, IEEE 1588) Support
Replies: 20
Views: 1008

Re: Precision Time Protocol (PTP, IEEE 1588) Support

Why would you ever need PTP on a home-device (hAP ac2)?

To have log entries with timestamps with nano-second precision?
by mkx
Thu Jul 15, 2021 6:28 pm
Forum: General
Topic: CAPS Man & different WIFI channel config
Replies: 22
Views: 943

Re: CAPS Man & different WIFI channel config

But you do see different channels used on 2.4GHz: 1, 6 and 11. If you browse the document about channels (I posted the link in one of my previous posts) and jump to 2.4GHz section, you'll see a nice illustration showing that in 2.4GHz channels are in fact overlapping (and thus interfering with each ot...
by mkx
Wed Jul 14, 2021 7:30 pm
Forum: General
Topic: Firewall drop all !LAN is not the same as drop all WAN
Replies: 15
Views: 752

Re: Firewall drop all !LAN is not the same as drop all WAN

I don't think it's exception for me, I never asked for one.

However, there is exception for me: my ISP delegates reverse queries for my (static) IPv6 prefix to my own DNS server. :-)
by mkx
Wed Jul 14, 2021 7:25 pm
Forum: Announcements
Topic: MUM EUROPE AND OTHER UPCOMING EVENTS - POSTPONED!
Replies: 58
Views: 94083

Re: MUM EUROPE AND OTHER UPCOMING EVENTS - POSTPONED!

I guess Latvian women are state of art hardware running complex code and Latvian men like to deal with them ;-)
by mkx
Wed Jul 14, 2021 7:22 pm
Forum: General
Topic: Firewall drop all !LAN is not the same as drop all WAN
Replies: 15
Views: 752

Re: Firewall drop all !LAN is not the same as drop all WAN

Some ports, such as 53 ... we do not open them for any reason.

I'm glad I'm not your customer. I'm running DNS server authoritative for my personal domain at home. My ISP is letting me break my own balls ;-)
by mkx
Wed Jul 14, 2021 6:17 pm
Forum: Beginner Basics
Topic: checkout for optimization
Replies: 1
Views: 189

Re: checkout for optimization

In networking world in general there are no tools which automatically optimize everything to achieve superb throughput. So manual optimization is what remains. ROS offers quite some tools for observability, one can use specialized probes and tools for analyzing the traffic patterns and possible prob...
by mkx
Wed Jul 14, 2021 5:40 pm
Forum: RouterOS v7 BETA
Topic: v7 launch date
Replies: 101
Views: 11081

Re: v7 launch date

I'd rather say it's channel=frustrated_support_engineers ... frustrated by incompetent users who can't read warnings, written with letters of usual size and colour.
by mkx
Wed Jul 14, 2021 5:34 pm
Forum: RouterBOARD hardware
Topic: microSD vs USB
Replies: 3
Views: 353

Re: microSD vs USB

hEX S is built around MediaTek MT7621A chip, which supports USB 3.0 and SDXC. However hEX S implements USB 2.0 which means up to 480 Mbps. SDXC OTOH (the initial revision) means up to 104 MBps (which is around 830 Mbps). Meaning that SD is likely faster. But these are maximum numbers and storage imp...
by mkx
Wed Jul 14, 2021 4:48 pm
Forum: General
Topic: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware
Replies: 9
Views: 545

Re: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware

The problem with current fleet of Mikrotik devices is that while CRS3xx will be great for wirespeed routing, they likely don't have CPU powerful enough for firewalling at, say, 1Gbps (even if many connections will get fasttracked and thus HW offloaded). And I expect that users with 10Gbps LAN would ...
by mkx
Wed Jul 14, 2021 4:37 pm
Forum: Beginner Basics
Topic: Problem to see source address - port forward
Replies: 3
Views: 225

Re: Problem to see source address - port forward

add action=masquerade chain=srcnat src-address=192.168.100.0/24 add action=masquerade chain=srcnat src-address=10.6.0.0/21 add action=masquerade chain=srcnat You messed with src-nat royally. Default src-nat rule is single one: add action=masquerade chain=srcnat comment="defconf: masquerade"...
by mkx
Wed Jul 14, 2021 4:23 pm
Forum: Beginner Basics
Topic: inquiry about bonding
Replies: 5
Views: 341

Re: inquiry about bonding

Bonding multiple physical links into single logical link means that if sender randomly (or using some deterministic algorithm) selects one of links to send a packet, then receiver knows how to deal with it. In your case that means router might decide to send packet with destination IP address 172.16...
by mkx
Wed Jul 14, 2021 8:57 am
Forum: General
Topic: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware
Replies: 9
Views: 545

Re: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware

Right. As long as that device comes with price tag friendly to one's budget constraints. Right? ;-)
by mkx
Wed Jul 14, 2021 8:54 am
Forum: General
Topic: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware
Replies: 9
Views: 545

Re: Realistic time in years before we can route at 10Gbps using ROS and possible up and coming hardware

... just wait for v7 which comes with HW offload for L3

which will (very likely) work on CRS3xx line of devices (not others). And perhaps future devices, built around similar ASICs.
by mkx
Wed Jul 14, 2021 8:52 am
Forum: General
Topic: CRS328-4C-20S-4S High CPU
Replies: 3
Views: 297

Re: CRS328-4C-20S-4S High CPU

Are you running a recent version of ROS? According to manual, CRS3xx is the only device family which can HW offload MSTP. Could be that this was added in some recent ROS version. Could be there's a bug regarding MSTP HW offload as well. If you're running one of recent ROS versions, then I suggest y...
by mkx
Wed Jul 14, 2021 8:44 am
Forum: Beginner Basics
Topic: inquiry about bonding
Replies: 5
Views: 341

Re: inquiry about bonding

Bonding is Layer 2 (ethernet) feature. All links, parts of bond, have to run between same logical link partners. Usually that means single device on each end. Stacked switches are logically single device, in this case bond links are connected to different physical switches. But in any case, bond is ...
by mkx
Tue Jul 13, 2021 6:13 pm
Forum: General
Topic: CAPS Man & different WIFI channel config
Replies: 22
Views: 943

Re: CAPS Man & different WIFI channel config

There are local AP settings and there are CAPsMAN settings. When device is used as CAP device, certain (most notably wireless) settings on local device are overridden with CAPsMAN settings. If CAPsMAN setup limits devices to certain frequencies, devices will (automatically) select one of frequencies ...
by mkx
Tue Jul 13, 2021 2:45 pm
Forum: General
Topic: wireless bridge between two Mikrotiks for IPTV STB
Replies: 23
Views: 1261

Re: wireless bridge between two Mikrotiks for IPTV STB

The reason it's done is because they want to allow low data rate protocols like mDNS through but to prevent things like IPTV from clogging the precious shared broadcast medium that is WiFi. Not really, this constraint is not payload-specific, it's the same for all multicast and broadcast. And exact...
by mkx
Tue Jul 13, 2021 2:33 pm
Forum: General
Topic: wireless bridge between two Mikrotiks for IPTV STB
Replies: 23
Views: 1261

Re: wireless bridge between two Mikrotiks for IPTV STB

... iptv over wifi really works for me but only if I use BCP bridge over pptp or station-wds mode. If I use station-bridge as described here it doesn't work as I expected. That's because from wireless point of view, BCP is unicast (between AP and client) and is thus "bufferable". Even if ...
by mkx
Tue Jul 13, 2021 11:07 am
Forum: General
Topic: CAPS Man & different WIFI channel config
Replies: 22
Views: 943

Re: CAPS Man & different WIFI channel config

AFAIK CAPsMAN does not really affect the way CAP works, it only provisions CAPs. Which means that CAPs are free to select any frequency channel from the provisioned list of channels. And this in turn means that frequency channel co-ordination between CAPs is not better than between usual APs. It als...
by mkx
Tue Jul 13, 2021 10:49 am
Forum: General
Topic: wireless bridge between two Mikrotiks for IPTV STB
Replies: 23
Views: 1261

Re: wireless bridge between two Mikrotiks for IPTV STB

There is no such thing as "reliable wireless" in a shared spectrum (such as WiFi). There will always be possibility for some interferer to kill the performance of your wireless link. There are two problems when sending broadcasts over wireless: wireless clients go to sleep. It's a big prob...
by mkx
Mon Jul 12, 2021 8:24 pm
Forum: RouterBOARD hardware
Topic: hEX PoE RB960PGS does not power Netgear WAX214 [SOLVED]
Replies: 7
Views: 613

Re: hEX PoE RB960PGS does not power Netgear WAX214 [SOLVED]

I guess because in the vast majority of cases these boxes are used to power other Mikrotik branded devices most of which accept Passive PoE, in which case the default 24V power supply is sufficient. Yes, but a higher voltage wouldn't hurt either, right? Actually it would hurt. Many Mikrotik devices...
by mkx
Mon Jul 12, 2021 3:15 pm
Forum: Beginner Basics
Topic: Block internet from all but one user
Replies: 22
Views: 927

Re: Block internet from all but one user

So we have different attitude towards this forum. Personally I try to offer technical support for whatever poster asks and I'm generally not suggesting a completely different approach to solving the problem. Unless it's different approach but still technical by means of using (preferably MT) device....
by mkx
Mon Jul 12, 2021 3:06 pm
Forum: Beginner Basics
Topic: Siemens PLC, KEpware, cant get destination NAT working [SOLVED]
Replies: 3
Views: 348

Re: Siemens PLC, KEpware, cant get destination NAT working [SOLVED]

Yes, I was thinking of port forwarding. Example: if PLC is accepting connections on TCP port number 8123, and you only want to forward connections from single management machine, then you actually need NAT rule like this: /ip firewall nat add action=dst-nat chain=dstnat src-address=10.20.30.40/32 ds...
by mkx
Mon Jul 12, 2021 1:01 pm
Forum: General
Topic: Find hostname between vlan
Replies: 9
Views: 567

Re: Find hostname between vlan

But do you have tips to make smooth connection while user from AP1 moving to area AP2 Using CAPsMAN does not enhance roaming experience. The only real benefit of using CAPsMAN is easier deployment of multiple CAPs with identical (or almost identical) configuration. There's a feature of CAPsMAN that...
by mkx
Mon Jul 12, 2021 12:49 pm
Forum: Beginner Basics
Topic: Block internet from all but one user
Replies: 22
Views: 927

Re: Block internet from all but one user

@rextended: I think your last answer was un-needed. OP asked for help with technical issue while you're telling him how to live his personal life (and that's none of business of any of forum members). It wasn't the first time where your answers were way out of scope. If I were @hillelana, I'd report...
by mkx
Mon Jul 12, 2021 12:42 pm
Forum: Beginner Basics
Topic: Siemens PLC, KEpware, cant get destination NAT working [SOLVED]
Replies: 3
Views: 348

Re: Siemens PLC, KEpware, cant get destination NAT working [SOLVED]

Does the PLC device know to use 172.30.1.5 as default gateway (or at least for specific subnet where KEpware host resides)? If not, then you'll have to add src-nat for KEpware traffic: /ip firewall nat add action=masquerade chain=srcnat dst-address=172.30.1.2 so that packets will appear to originate...
by mkx
Mon Jul 12, 2021 8:14 am
Forum: Beginner Basics
Topic: Block internet from all but one user
Replies: 22
Views: 927

Re: Block internet from all but one user

One thing to keep in mind: once a connection is fasttracked, it (mostly) bypasses any firewall filter and the drop rules won't break it. Only new connections won't be able to establish. If you want to break existing connections, then either disable fasttrack (not a very good idea from performance po...
by mkx
Sun Jul 11, 2021 11:58 pm
Forum: General
Topic: 1 Gbit/s with active mangle rules and queues?
Replies: 2
Views: 302

Re: 1 Gbit/s with active mangle rules and queues?

You just have to exclude connections which need to be mangled or queued from being fasttracking. This can be achieved either by changing the general "fasttrack all" firewall filter rule so that it excludes wanted connections by creating specific accept rules for wanted connections and plac...
by mkx
Sun Jul 11, 2021 1:09 pm
Forum: Beginner Basics
Topic: Route lan and wlan traffic on Router/Modem to Routerboard and back to WAN
Replies: 11
Views: 558

Re: Route lan and wlan traffic on Router/Modem to Routerboard and back to WAN

Not many SOHO routers can be configured the way you are describing ... MT is a rare exception because even entry-level routers run full-featured ROS (which means that it comes with associated configuration complexity which puzzles most newbies). Which means that most probably D-link doesn't allow to...
by mkx
Sat Jul 10, 2021 8:42 pm
Forum: Beginner Basics
Topic: Route lan and wlan traffic on Router/Modem to Routerboard and back to WAN
Replies: 11
Views: 558

Re: Route lan and wlan traffic on Router/Modem to Routerboard and back to WAN

It might be possible, but as @anav already wrote, it mostly depends on what D-link allows you to do and how exactly ISP delivers internet to you. Here's my example: my ISP gave me xDSL/router/wifi all-in-one box (some minor vendor) while internet service is on top of PPPoE. In this case using that d...
by mkx
Sat Jul 10, 2021 6:32 pm
Forum: Beginner Basics
Topic: Parsec Port Forwarding
Replies: 4
Views: 342

Re: Parsec Port Forwarding

I guess this article should give enough information for anyone half-capable of setting ROS port forwarding to get it done.
by mkx
Sat Jul 10, 2021 4:42 pm
Forum: General
Topic: Help MT constantly sending request to Google
Replies: 22
Views: 855

Re: Help MT constantly sending request to Google

You obfuscated the screenshot a tad too much. But src-mac printed starts with F0:9F:C and if it continues with "2", this means some Ubiquiti in your LAN is actually misbehaving.

And it does look suspicious, requests are highly periodic. Usual usages don't look as periodical.
by mkx
Sat Jul 10, 2021 12:00 am
Forum: SwOS
Topic: RB260GSP, short circuit error
Replies: 28
Views: 1348

Re: RB260GSP, short circuit error

Max power consumption of hAP ac2 is rated at 16W (21W with attachments whatever that means) and I guess that it really can draw that much power at some stage during boot time. Add 5 Watts of power consumption of the cascaded RB260GSP to get total power draw of 21W. And with supply voltage around 22 ...
by mkx
Fri Jul 09, 2021 11:24 pm
Forum: RouterOS v7 BETA
Topic: L3HW User Manual Updated
Replies: 16
Views: 1769

Re: L3HW User Manual Updated

If I understood @raimondsp's explanation correctly, then it's the same for all devices and kind of makes sense: when bridge port has PVID set (and it always has one, if nothing else the implicit pvid=1), then it gets automatically added as untagged member of corresponding VLAN. Unless it's explicitl...
by mkx
Fri Jul 09, 2021 11:05 pm
Forum: Beginner Basics
Topic: edit or change interface configuration [SOLVED]
Replies: 4
Views: 438

Re: edit or change interface configuration [SOLVED]

Command "set" takes number of parameters but only single one is used as "change settings of this item" and even that parameter is optional (if omitted, command asks for numbers). The rest of parameters are actions. Your example command changes values of the following properties: ...
by mkx
Fri Jul 09, 2021 1:07 am
Forum: General
Topic: Exclude Address Lists from Export? [SOLVED]
Replies: 8
Views: 652

Re: Exclude Address Lists from Export? [SOLVED]

Dynamic entries in lists don't get exported. So if you can make all (most?) list entries dynamic, it won't bloat configuration exports.
by mkx
Fri Jul 09, 2021 12:53 am
Forum: RouterOS v7 BETA
Topic: L3HW User Manual Updated
Replies: 16
Views: 1769

Re: L3HW User Manual Updated

pvid property of /in/br/port is mandatory. If you omit it, the default pvid=1 is used, meaning the port gets bridged with other ports with VLAN ID 1. We do not want this, so we explicitly set pvid=20. Setting port's pvid leads to a dynamic vlan creation where the port is untagged by default. But we...
by mkx
Thu Jul 08, 2021 4:09 pm
Forum: RouterOS v7 BETA
Topic: L3HW User Manual Updated
Replies: 16
Views: 1769

Re: L3HW User Manual Updated

IMO there's an error in the "VLAN configuration example": /interface/bridge/port add bridge=bridge interface=ether2 pvid=20 /interface/bridge/vlan add bridge=bridge tagged=bridge,ether2 vlan-ids=20 Doesn't first line of this example set ether2 as access port for VID 20 and should thus be s...
by mkx
Thu Jul 08, 2021 2:38 pm
Forum: Wireless Networking
Topic: CAP ac + PoE IpCamera
Replies: 5
Views: 413

Re: CAP ac + PoE IpCamera

No, it's not WISP. AFAIK WISP mode uses one of wlan interfaces as WAN interface (instead of ether1), sets firewall almost as standard except for management access which is allowed from WAN and not from LAN (other modes set it just the opposite). As I wrote, I don't think there's QuickSet mode approp...
by mkx
Thu Jul 08, 2021 2:32 pm
Forum: RouterOS v7 BETA
Topic: mDNS repeater feature
Replies: 50
Views: 2576

Re: mDNS repeater feature

It's not entire nonsense, sometimes it's not possible to do it differently. Here's example: you have an IoT gadget. It might not need internet, so you want to block internet access for it. Fine, you can use IP firewall filter if you know gadget's IP address. The later part can be tricky with IPv6 an...
by mkx
Thu Jul 08, 2021 12:23 pm
Forum: Wireless Networking
Topic: CAP ac + PoE IpCamera
Replies: 5
Views: 413

Re: CAP ac + PoE IpCamera

I guess cAP ac devices could be configured as simple ethernet switch / AP combo, i.e. both attached IP cameras and wireless clients become part of common LAN segment, fully governed by main router (RB2011). @Normis, when can we expect to see a "ethernet switch / AP" QuickSet profile? The c...
by mkx
Thu Jul 08, 2021 12:15 pm
Forum: Beginner Basics
Topic: DHCP on bridge, only offer on eth1 [SOLVED]
Replies: 1
Views: 383

Re: DHCP on bridge, only offer on eth1 [SOLVED]

Since both network subnets (10.108.0.0/16 and 10.101.0.0/16) don't overlap you already need routing between those two subnets. In this case you can ditch the bridge, configure both ports as individual interfaces and allow routing between them. Depending on the rest of network infrastructure some rou...
by mkx
Thu Jul 08, 2021 8:24 am
Forum: General
Topic: Using one MT box to sign TLS certs for another
Replies: 11
Views: 651

Re: Using one MT box to sign TLS certs for another

Disclaimer: never tried myself.

Did you import the private key that goes with certificate as well? This thread contains some hints on what needs to be done ...
by mkx
Thu Jul 08, 2021 8:01 am
Forum: Beginner Basics
Topic: How do I start troubleshooting an "I - invalid" configuration?
Replies: 8
Views: 527

Re: How do I start troubleshooting an "I - invalid" configuration?

Generally ROS doesn't accept configuration stanza which is profoundly broken. But then there are configuration stanzas which are syntactically correct but don't make sense in current context of overall configuration. The thing is that with ROS one can do many things that are not really possible with...
by mkx
Wed Jul 07, 2021 7:46 pm
Forum: RouterBOARD hardware
Topic: SFP+ on the small devices
Replies: 14
Views: 1041

Re: SFP+ on the small devices

I'm not saying that nobody will need more than Gbps in near future. But, in home environment, how often do we really see need for 2.5Gbps+ connections? E.g. can your home NAS sustain transfer speeds considerably exceeding 1Gbps (125MBps) for extended periods of time? And are you willing to pay bonus...
by mkx
Wed Jul 07, 2021 4:11 pm
Forum: RouterBOARD hardware
Topic: SFP+ on the small devices
Replies: 14
Views: 1041

Re: SFP+ on the small devices

The 2.5Gbps RJ port variant would then be a ...4P+1S+ (according to official naming guide).
by mkx
Wed Jul 07, 2021 2:30 pm
Forum: Beginner Basics
Topic: (silly) question how does DNS query forwarded / DCHP DNS settings
Replies: 20
Views: 1158

Re: (silly) question how does DNS query forwarded / DCHP DNS settings

Adresse IPv6 locale du lien : fe80::997f:70f6:408e:ac18%18 Adresse IPv4 : 10.99.99.243 Serveurs DNS IPv4 : 10.99.99.1 The highlighted information from your LAN computer indicates that it is receiving router's IP address to be used as DNS server. This setting is configured in /ip dhcp-server network ,...
by mkx
Wed Jul 07, 2021 12:21 pm
Forum: Beginner Basics
Topic: How do I start troubleshooting an "I - invalid" configuration?
Replies: 8
Views: 527

Re: How do I start troubleshooting an "I - invalid" configuration?

A good place to start looking would be system logs ... not everything is recorded, but something might pop up. But my experience is that there isn't a single way to troubleshoot configuration problems and one often has to deduct the problems.
by mkx
Tue Jul 06, 2021 11:12 pm
Forum: Wireless Networking
Topic: Wap ac as router
Replies: 3
Views: 342

Re: Wap ac as router

CAPsMAN comes handy if you have many APs. I wouldn't deploy it for one or two APs (actually I am doing it at home ... purely as a lab setup). And it's certainly overkill to use it for provisioning wireless on very same device (it's possible to do it with some tinkering). I'm not sure which Quick Set...
by mkx
Tue Jul 06, 2021 10:53 pm
Forum: RouterBOARD hardware
Topic: Repurposing old FibreChannel SFP transceivers [SOLVED]
Replies: 4
Views: 802

Re: Repurposing old FibreChannel SFP transceivers [SOLVED]

If they work, they'll work at 1Gbps. And they'll likely overheat, older SFPs consumed more power than modern ones while Mikrotik devices generally are not known to be good at heat dissipation (specially so the passively cooled ones).
by mkx
Tue Jul 06, 2021 5:54 pm
Forum: Wireless Networking
Topic: Wap ac as router
Replies: 3
Views: 342

Re: Wap ac as router

Yes, wAP ac can be a very capable router (routing up to around 1 Gbps, depending on complexity of firewall filter rules). Beware though that current Mikrotik devices are not the fastest when it comes to wireless. If configured properly (sometimes some tweaking is needed, what exactly depends on part...
by mkx
Tue Jul 06, 2021 5:44 pm
Forum: Beginner Basics
Topic: Import a Filterlist?
Replies: 1
Views: 277

Re: Import a Filterlist?

There are many ways to filter traffic with ROS, one would be to use address lists. However, the lists on link you posted are lists of domains and filtering the domains (more or less straight-forward) can be done only in L7 filters ... And L7 filters are becoming more and more useless because everyth...
by mkx
Tue Jul 06, 2021 5:37 pm
Forum: Beginner Basics
Topic: hostname to ip:port
Replies: 3
Views: 365

Re: hostname to ip:port

I need hostname "hello.website.com" to forward to 192.168.10.25:5520 in my LAN. How to accomplish that on my mikrotik? I'm guessing you're after a slightly more complicated setup than the one explained by @erlinden and @anav ... so in case you want to forward hello.website.com (TCP port 80...
by mkx
Mon Jul 05, 2021 7:05 pm
Forum: General
Topic: free space discrepancy between hap models
Replies: 7
Views: 505

Re: free space discrepancy between hap models

If you really want to be sure both devices are in same (vanilla) state, you should check disk free status right after netinstall without backups uploaded and restored. But, as previous posters already explained, SMIPS packages are waaay smaller than others (e.g. ARM). For example: in ROS 6.48.3 syst...
by mkx
Sun Jul 04, 2021 10:46 pm
Forum: Wireless Networking
Topic: CAPsMAN Help
Replies: 11
Views: 822

Re: CAPsMAN Help

CAP packets are encapsulated in ethernet frames and are treated by switch the same way as IP packets (encapsulated in ethernet frames). For CAP device to communicate with CAPsMAN in usual cases the connection has to be transparent and playing with VLANs on all 3 devices doesn't help if you don't re...
by mkx
Sun Jul 04, 2021 3:47 pm
Forum: General
Topic: Could I know how router is powered via Winbox?
Replies: 3
Views: 347

Re: Could I know how router is powered via Winbox?

The way mikrotik devices (most of them, some need explicitly distinct voltage levels for supporting diverse PoE out options) combine different power sources is pretty simple: they are all fed via simple diodes and then joined together. Diodes prevent power from leaking out. That also explains the fa...
by mkx
Sat Jul 03, 2021 4:09 pm
Forum: General
Topic: NAT, masquerading, src, dst? Confused (picture) [SOLVED]
Replies: 5
Views: 632

Re: NAT, masquerading, src, dst? Confused (picture) [SOLVED]

You can't use single mAP. It would have to connect to two APs at the same time. Both APs will likely use different channels and client which has single radio can not deal with it.
by mkx
Sat Jul 03, 2021 3:52 pm
Forum: Beginner Basics
Topic: Mikrotik + freeradius auth with /etc/shadow
Replies: 2
Views: 357

Re: Mikrotik + freeradius auth with /etc/shadow

Mikrotik doesn't know anything about your /etc/shadow file. The problem is thus completely related to configuration of whatever radius implementation you're using.
by mkx
Sat Jul 03, 2021 3:46 pm
Forum: RouterOS v7 BETA
Topic: v7 launch date
Replies: 101
Views: 11081

Re: v7 launch date

Anyone care to comment if that means the 7.1 beta might well be "stable" enough for me with my RB4001, CRS328 and 4x cAP AC? Really? You didn't read to the end of post you quoted part of? @raimondsp clearly wrote that (everything) still needs polishing. I wonder how you'd deal with rough ...
by mkx
Tue Jun 29, 2021 3:40 pm
Forum: General
Topic: Missing Firewall ACTION at Logs
Replies: 9
Views: 456

Re: Missing Firewall ACTION at Logs

If you only enable logging for single rule, you know the action from rule definition. If you enable logging of multiple rules, then add appropriate log prefixes. If you're going into troubleshooting, then adding logging prefixes is the least problem you have at that point. BTW, packets not triggering...
by mkx
Tue Jun 29, 2021 3:17 pm
Forum: General
Topic: Missing Firewall ACTION at Logs
Replies: 9
Views: 456

Re: Missing Firewall ACTION at Logs

You don't want to log everything, you just want to log things while debugging certain rules.
by mkx
Wed Jun 23, 2021 11:11 pm
Forum: General
Topic: wireless bridge between two Mikrotiks for IPTV STB
Replies: 23
Views: 1261

Re: wireless bridge between two Mikrotiks for IPTV STB

I'd replace the pwr-line AP with some at least half-decent AP in this setup ....
by mkx
Wed Jun 23, 2021 3:05 pm
Forum: General
Topic: Problems with VLAN and Bridge
Replies: 6
Views: 593

Re: Problems with VLAN and Bridge

You have to be aware that hEX S is not really a beast of a router. It can realistically route at around 0.5 Gbps depending on amount and complexity of firewall rules. It's been mentioned on this forum before, that some devices in certain conditions seem to struggle tagging and untagging packets passi...
by mkx
Wed Jun 23, 2021 2:35 pm
Forum: General
Topic: So why do I want to run ROS on a Switch when SWOS is just fine?
Replies: 17
Views: 1207

Re: So why do I want to run ROS on a Switch when SWOS is just fine?

If one can (safely?) assume that switch performance is the same when running either of supported OSes (ROS, SwOS), and one doesn't need L3 functions, then it boils down to personal preference regarding administrative UI. Some users, very well acquainted to CLI and ROS, will obviously prefer running ...
by mkx
Wed Jun 23, 2021 8:22 am
Forum: RouterOS v7 BETA
Topic: v7.1beta6 [development] is released!
Replies: 320
Views: 41410

Re: v7.1beta6 [development] is released!

One last question along these lines. Will existing CCR products get hardware/fasttrack/any accelerated IPv6 support or is this only happening in the new devices with the newer switch hardware? Fasttrack is software feature, so yes, when IPv6 fasttrack gets (finally) implemented, it will be on all ...
by mkx
Tue Jun 22, 2021 7:53 pm
Forum: General
Topic: Problems with VLAN and Bridge
Replies: 6
Views: 593

Re: Problems with VLAN and Bridge

If you haven't already, I suggest you to read through this nice tutorial.

The problem when using VLAN 1 is that VID=1 is (implicit) default PVID setting for all bridge ports and if you're not careful, you get mix of tagged and untagged traffic.
by mkx
Tue Jun 22, 2021 3:12 pm
Forum: General
Topic: Problems with VLAN and Bridge
Replies: 6
Views: 593

Re: Problems with VLAN and Bridge

add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 As ports ether3 and ether5 are hybrid ports carrying both untagged (VLAN1) and ...
by mkx
Tue Jun 22, 2021 1:54 pm
Forum: Beginner Basics
Topic: mAP Lite cap configuration
Replies: 1
Views: 345

Re: mAP Lite cap configuration

In short: no.

What you want is called "wireless bridge", which transparently connects two wired "islands" into a homogenous network. Wireless standard (802.11) doesn't allow for enough transparency, you can read more about the reasons and possible work-arounds in this article.
by mkx
Tue Jun 22, 2021 8:17 am
Forum: RouterBOARD hardware
Topic: CCR2004 real routing performance?
Replies: 3
Views: 910

Re: CCR2004 real routing performance?

Official test results have many numbers in the table, ranging anything between 600 Mbps and 40 Gbps. Which means that routing performance very much depends on particular configuration. It's hard to tell how much LACP hits performance unless one performs two tests with LACP being the only difference...
by mkx
Tue Jun 22, 2021 8:06 am
Forum: General
Topic: VLANs and address assignment
Replies: 8
Views: 503

Re: VLANs and address assignment

I'm not avoiding the question, I'm just trying to stay on topic. And you're extrapolating too much for your own good ;-) . But anyway: a. ether1 attached as a bridge port to a bridge c. can separately assign an IP address to the interface and host a subnet on the ether1 port all separate from the b...
by mkx
Mon Jun 21, 2021 11:09 pm
Forum: General
Topic: VLANs and address assignment
Replies: 8
Views: 503

Re: VLANs and address assignment

So where in original post does @Cablenut9 mention a bridge? Let's read together:

If I have some interface, like ether1, and a bunch of VLAN interfaces on it, like vlan2 and vlan3, does ether1's IP address "carry over" to the VLANs?

Nope, still no bridge ...
by mkx
Mon Jun 21, 2021 8:36 pm
Forum: General
Topic: VLANs and address assignment
Replies: 8
Views: 503

Re: VLANs and address assignment

If I have some interface, like ether1, and a bunch of VLAN interfaces on it, like vlan2 and vlan3, does ether1's IP address "carry over" to the VLANs? No, IP address is bound to interface . In your case ether1 is interface for untagged frames passing ether1 port . For VLAN interfaces ethe...
by mkx
Mon Jun 21, 2021 11:32 am
Forum: RouterBOARD hardware
Topic: RB3011 keeps rebooting when ethernet 1 is connected to gigabit capable device
Replies: 8
Views: 1377

Re: RB3011 keeps rebooting when ethernet 1 is connected to gigabit capable device

Did you try with different power adapter? Marginal (almost but not entirely failed) power adapter could supply some power but not enough. And ethernet port running at higher speed draws a little more power which might push power adapter over its limit ... at that point PA might drop the voltage belo...
by mkx
Sun Jun 20, 2021 10:10 pm
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 15
Views: 1054

Re: CAPsMAN on layer2 + vlans

It is just an arbitrary decision of the CAPsMAN package to do this in the wireless driver.

Actually it's not an arbitrary decision ... up till ROS version 6.41 bridge was not VLAN aware, hardware (or low level drivers) had to deal with VLAN tagging/untagging/filtering.
by mkx
Sun Jun 20, 2021 12:39 pm
Forum: General
Topic: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]
Replies: 9
Views: 738

Re: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]

I don't think you can reduce number of firewall rules in input chain.
by mkx
Sun Jun 20, 2021 9:42 am
Forum: General
Topic: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]
Replies: 9
Views: 738

Re: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]

Indeed one has to filter access to router from certain subnets. But as I wrote the filter has to cover all router's interfaces, not only the "native" one ... and in this case the approach of "ultimate drop all rule" comes handy. This means that input chain contains a few rules al...
by mkx
Sun Jun 20, 2021 12:15 am
Forum: Beginner Basics
Topic: Slow navigation/browsing speeds [SOLVED]
Replies: 15
Views: 1279

Re: Slow navigation/browsing speeds [SOLVED]

For sure you don't want to see any of "ether1 link down" messages ... I don't know what has to be done to stabilise the ethernet link. And you can try to set /interface detect-internet set detect-interface-list=none . While in theory functionality of detect internet should be fine in pract...
by mkx
Sat Jun 19, 2021 10:24 pm
Forum: General
Topic: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]
Replies: 9
Views: 738

Re: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]

a. seems this way b. my limited experience says yes c. as I wrote: ROS basically treats all packets (connections) targeting any of its IP interfaces the same way. The only difference that might show is due to different firewall rules (both raw and filter). This is pretty clear even from default fire...
by mkx
Sat Jun 19, 2021 10:15 pm
Forum: Beginner Basics
Topic: Initial Internet configuration ( via SFP port)
Replies: 22
Views: 1093

Re: Initial Internet configuration ( via SFP port)

Actually, I'm thinking whether the ip-scan tool is showing everything that ever got an IP while the Leases menu shows only the active ones? IP scan tool is supposed to probe (ping or something) some address range and only display active devices. Doesn't matter how those devices obtained their IP ad...
by mkx
Sat Jun 19, 2021 1:52 pm
Forum: General
Topic: Home IoT Vlan setup
Replies: 18
Views: 1058

Re: Home IoT Vlan setup

This is not exported configuration, this might be something you pushed into device which already had some config. So do what @anav asked to do ... execute /export hide-sensitive and post output.
by mkx
Sat Jun 19, 2021 1:49 pm
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 15
Views: 1054

Re: CAPsMAN on layer2 + vlans

The bridge does the tagging/untagging for every interface in the vlan table - or so I thought. The bridge does tagging/untagging for ports which are untagged members of VLANs. Bridge does nothing on trunk ports (ports that are tagged members of VLANs). With wlan interfaces they can either be tagged ...
by mkx
Sat Jun 19, 2021 1:32 pm
Forum: General
Topic: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]
Replies: 9
Views: 738

Re: blocking 10.10.0.1 from 10.20.0.1 [SOLVED]

ROS treats every own address (i.e. addresses configured as router's own regardless the interface or subnet) pretty much the same way ... and they're all treated in chain=input (unless connection is DST-NATed). If you want to block connections to "the wrong router's address" (e.g. ping from...
by mkx
Sat Jun 19, 2021 1:24 pm
Forum: Beginner Basics
Topic: Slow navigation/browsing speeds [SOLVED]
Replies: 15
Views: 1279

Re: Slow navigation/browsing speeds [SOLVED]

You went into some quite advanced configuration because you wanted some QoS ... but if that isn't done quite right, it might actually make things worse. I'd try to introduce RB to your network with configurations as default as it gets. If it will behave more or less nicely, then you'll know it's the ...
by mkx
Sat Jun 19, 2021 1:08 pm
Forum: Beginner Basics
Topic: Initial Internet configuration ( via SFP port)
Replies: 22
Views: 1093

Re: Initial Internet configuration ( via SFP port)

There are plenty of devices whose MAC addresses start with cc:50:e3 and which aren't on the DHCP lease list ... that MAC address range belongs to Espressif Inc, seems like they produce smart home gadgets. How these devices obtained their IP addresses is beyond my imagination. One reason might be tha...
by mkx
Fri Jun 18, 2021 11:32 pm
Forum: General
Topic: mikrotik redirect based on domain to internal ip [SOLVED]
Replies: 6
Views: 600

Re: mikrotik redirect based on domain to internal ip [SOLVED]

but it seems I should use reverse proxy and the included reverse proxy of mikrotik cannot do this

That's because ROS includes normal proxy, not reverse proxy. While they might both seem similar they operate differently.
by mkx
Fri Jun 18, 2021 11:11 am
Forum: General
Topic: Cant Open Ports
Replies: 9
Views: 543

Re: Cant Open Ports

First verify that internal server is actually accepting connections on TCP port 25. Then you can enable LOG flag, try remote connection and see if log contains anything. One thing you should be aware: some ISPs block port 25 (SMTP) towards clients because SMTP protocol is often used for malicious ac...
by mkx
Fri Jun 18, 2021 11:03 am
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 15
Views: 1054

Re: CAPsMAN on layer2 + vlans

The wlan1, wlan2, wlan24, wlan25 devices are added under the correct vlan id, but they are added as tagged ports. I would like them to be untagged. (Otherwise dumb WiFi clients won't be able to connect.) That's correct and won't cause any problem ... wlan interfaces are tagged from bridge point of ...
by mkx
Thu Jun 17, 2021 11:33 pm
Forum: Wireless Networking
Topic: CAPsMAN on layer2 + vlans
Replies: 15
Views: 1054

Re: CAPsMAN on layer2 + vlans

As @biomesh wrote, the trick is to set discovery interface to some vlan interface. For example, I have VLAN 42 intended for usual LAN traffic and I allow CAP to CAPsMAN communication via that VLAN. So on CAP device I have the following: /interface bridge add name=bridge vlan-filtering=yes /interface...
by mkx
Thu Jun 17, 2021 9:22 am
Forum: Beginner Basics
Topic: Coping with slow download speeds on my home LAN
Replies: 8
Views: 657

Re: Coping with slow download speeds on my home LAN

Did you try speedtest by connecting PC instead of netgear AP? The goal is to narrow down possible problems. If speedtest without netgear in the way shows decent speeds, this would indicate either problem with netgear itself or some interaction problem between netgear and mikrotik. If speedtest is sti...
by mkx
Wed Jun 16, 2021 10:14 pm
Forum: General
Topic: 1:1 NAT DDoS protection?
Replies: 7
Views: 523

Re: 1:1 NAT DDoS protection?

Right.
by mkx
Wed Jun 16, 2021 8:26 pm
Forum: General
Topic: 1:1 NAT DDoS protection?
Replies: 7
Views: 523

Re: 1:1 NAT DDoS protection?

Also, it's to help hide the real IP so it can't be targeted directly. What good does it make? If NAT device performs 1:1, then every single packet, destined to "fake" IP will reach "real" IP. Just as there wasn't NAT, only with a hop more. NAT, combined with firewall, is differe...
by mkx
Wed Jun 16, 2021 7:34 pm
Forum: General
Topic: 1:1 NAT DDoS protection?
Replies: 7
Views: 523

Re: 1:1 NAT DDoS protection?

Device simply performing NAT (any kind) does not recognize malicious packet and thus passes such packet along with all others. Hence a 1:1 NAT can not protect you from DDoS ...
Only stateful firewall or DPI can make that distinction and protect devices behind.
by mkx
Wed Jun 16, 2021 6:58 pm
Forum: Beginner Basics
Topic: VLAN setting [SOLVED]
Replies: 1
Views: 612

Re: VLAN setting [SOLVED]

Here's great tutorial about how to configure VLANs. When you think you're done, post config of both router and switch. From which stable is AP? I presume it's not Mikrotik.
by mkx
Wed Jun 16, 2021 6:54 pm
Forum: Beginner Basics
Topic: Coping with slow download speeds on my home LAN
Replies: 8
Views: 657

Re: Coping with slow download speeds on my home LAN

Just one more check: is netgear AP acting only as switch/AP and clients, connected to it, receive IP addresses from mikrotik LAN address space? And when you ran tests, you connected PC with UTP cable and netgear acted as a switch? If you connect PC to the wire otherwise used to connect netgear, do y...
by mkx
Wed Jun 16, 2021 1:59 pm
Forum: Beginner Basics
Topic: Coping with slow download speeds on my home LAN
Replies: 8
Views: 657

Re: Coping with slow download speeds on my home LAN

A few errors in your configuration: /ip address add address=192.168.2.1/24 interface=ether4 network=192.168.2.0 add address=192.168.3.1/24 interface=ether4 network=192.168.3.0 If you really need these two subnets, then you really should set addresses on bridge and not on member port (ether4). /ip fi...
by mkx
Wed Jun 16, 2021 8:11 am
Forum: General
Topic: hap ac3 bandwidth test to 127.0.0.1 TCP both direction utilises only 85% of CPU [SOLVED]
Replies: 8
Views: 952

Re: hap ac3 bandwidth test to 127.0.0.1 TCP both direction utilises only 85% of CPU [SOLVED]

What does profile of CPU usage (execute /tool profile cpu=all ) show? Are all CPUs loaded equally? I'd expect some CPU cores to be (almost) idle while others loaded 100%. The reason is that ROS is handling TCP connections by using same CPU core for all packets (reason is keeping packets in-order, IP...
by mkx
Wed Jun 16, 2021 8:05 am
Forum: Beginner Basics
Topic: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance
Replies: 13
Views: 1080

Re: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance

I'm not sure about antibodies, but I'm sure I'm allergic ... to dummies :-P
by mkx
Tue Jun 15, 2021 10:45 pm
Forum: RouterBOARD hardware
Topic: SFP module is extremely hot
Replies: 48
Views: 25928

Re: SFP module is extremely hot

If you want to keep SFP temperature down and use 10Gbps links, then go with normal fibre SFPs and fibre patch cords. Fibre SFPs consume much less power and consequentially produce much less heat. Fibre patch cords tend to be less bulky than CAT7 cables or DAC cables which is good as it's easier to o...
by mkx
Tue Jun 15, 2021 10:32 pm
Forum: General
Topic: RouterBOARD 750G
Replies: 1
Views: 302

Re: RouterBOARD 750G

Product brochure states that 750g can route "up to 580Mbps throughput with larger packets, and up to 91500pps with small packets". The text doesn't go into specifics about what kind of traffic that would be, I'd assume they are absolute maximum numbers possible. If you compare it to test re...
by mkx
Tue Jun 15, 2021 8:22 pm
Forum: Beginner Basics
Topic: Setting Up small home network with MikroTik hEX RB750Gr3
Replies: 20
Views: 1657

Re: Setting Up small home network with MikroTik hEX RB750Gr3

@zedoxx: what I'd do is the following:
1. reset to default config
2. use quickset to configure WAN ... PPPoE
3. go into "normal" GUI and never ever go back to quickset unless you repeat config from step #1
4. remove ether5 from bridge
5. add IP address to ether5. Configure additional address pool and DH...
by mkx
Tue Jun 15, 2021 6:31 pm
Forum: Beginner Basics
Topic: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance
Replies: 13
Views: 1080

Re: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance

second covid dose

Which one, Pfizer? I opted for Biontech and had only minor (next to none) side effects. It's been almost 3 weeks since second shot and I'm almost certified to resume normal life ;-)
by mkx
Tue Jun 15, 2021 8:41 am
Forum: RouterBOARD hardware
Topic: Battery driven RB get bricked
Replies: 6
Views: 1148

Re: Battery driven RB get bricked

IMO whenever one runs some device off a battery, it's a good thing to install under-voltage cut-off device. Not to protect powered device but to protect battery itself. None of battery chemistries (lead-acid, nickel, lithium) like being completely depleted and one has to protect them from gettin...
by mkx
Tue Jun 15, 2021 8:23 am
Forum: General
Topic: Howto use HAP AC2 as switch+AP on vlan(s)
Replies: 8
Views: 564

Re: Howto use HAP AC2 as switch+AP on vlan(s)

Bridge is the only port member of these VLANs. At least for VLAN 99 you should add ether1 as tagged port or else you'll almost definitely lose management access. Nope, there is a vlan interface that is added to the bridge, vlan 99, with static IP 192.168.19.252. I was managing the router through th...
by mkx
Tue Jun 15, 2021 8:05 am
Forum: Beginner Basics
Topic: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance
Replies: 13
Views: 1080

Re: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance

Isn't buying lottery ticket a prerequisite for winning the lottery? Are you doing anything about it? Or you rather spend the dime on Canadian rye? ;-)
by mkx
Mon Jun 14, 2021 11:16 pm
Forum: General
Topic: Howto use HAP AC2 as switch+AP on vlan(s)
Replies: 8
Views: 564

Re: Howto use HAP AC2 as switch+AP on vlan(s)

My dear @anav, as always you're one step ahead of me ... you already forgot you're forgetting things :-P
by mkx
Mon Jun 14, 2021 11:12 pm
Forum: Beginner Basics
Topic: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance
Replies: 13
Views: 1080

Re: RB4011iGS+5HacQ2HnD - RouterOS 6.48.3 - AC wireless preformance

I am itching to try a newer wifi6 620 or 660 at some point.

Oh please ... stop whining and do it already. And don't forget to throw your beloved 245's in my direction real hard.
by mkx
Mon Jun 14, 2021 10:55 pm
Forum: General
Topic: Howto use HAP AC2 as switch+AP on vlan(s)
Replies: 8
Views: 564

Re: Howto use HAP AC2 as switch+AP on vlan(s)

Access ports won't work until you enable vlan-filtering on bridge. Without that bridge does not add VLAN tag on ingress as per pvid settings nor does it strip VLAN tags on egress as per untagged vlan membership. So: take a deep breath, enable safe mode and enable vlan-filtering on bridge. If your m...
by mkx
Mon Jun 14, 2021 10:47 pm
Forum: Beginner Basics
Topic: Initial Internet configuration ( via SFP port)
Replies: 22
Views: 1093

Re: Initial Internet configuration ( via SFP port)

Btw I'm paying to have a static IPv4 and to not be anymore under their CGNAT That doesn't mean you should not allow automatic IP address acquisition. Depends how your ISP delivers internet, but they should instruct you what to do. I don't think you can actually statically set IP address when using ...
by mkx
Mon Jun 14, 2021 10:32 pm
Forum: Wireless Networking
Topic: Dual VS Triple Chain and 80Mhz
Replies: 1
Views: 572

Re: Dual VS Triple Chain and 80Mhz

Number of used chains is only indirectly connected to number of channels ... the property which links them is Tx power. In most countries regulations limit radiated power (EIRP) and that power is then divided between chains (triple chain transmitter can spend 1/3 of power for each chain while dual c...
by mkx
Mon Jun 14, 2021 8:01 pm
Forum: Beginner Basics
Topic: RB960PSG max POE output
Replies: 5
Views: 464

Re: RB960PSG max POE output

I can reach the maximum with 48POW No, you can't. You want 4x450mA=1800mA peak power, while 48POW is rated at 1460mA which makes it short by one PoE device (if you consider RB960PGS own consumption as well). Either use an even higher-power power adapter or go with some other PoE switch. Or use dual...
by mkx
Mon Jun 14, 2021 6:53 pm
Forum: General
Topic: Stacked VLAN bridges and interfaces
Replies: 1
Views: 307

Re: Stacked VLAN bridges and interfaces

One of ways to achieve QinQ in ROS is to use multiple bridges in layered manner. Probably that's not the only way ... In your case you'd use one layer since you only have one interface carrying QinQ traffic. So what you can do is: create number of VLAN interfaces, one per remote location. All anchor...
by mkx
Mon Jun 14, 2021 6:19 pm
Forum: General
Topic: Next-hop and NAT
Replies: 4
Views: 387

Re: Next-hop and NAT

If you follow your initial thought, you would easily run into some routing triangle problems. They would not necessarily cause any problems initially, but could cause issues that would be hard to track. If you'd follow my suggestion, then mikrotik would just route, nothing more (no firewall no NAT)....
by mkx
Mon Jun 14, 2021 8:45 am
Forum: RouterBOARD hardware
Topic: Fans on MikroTik Cloud Router Switch 354-48G-4S+2Q+RM - volume level?
Replies: 17
Views: 1396

Re: Fans on MikroTik Cloud Router Switch 354-48G-4S+2Q+RM - volume level?

Personally I don't have any CRS354 ... but since it's actively cooled and given the diameter (and RPM) of those fans I guess I wouldn't like to have that beast anywhere near my bed nor living room sofa (nor normal office working space). And I guess closing it in some sealed mini rack would work agai...
by mkx
Mon Jun 14, 2021 8:36 am
Forum: General
Topic: Next-hop and NAT
Replies: 4
Views: 387

Re: Next-hop and NAT

If you don't need any filtering of traffic between different subnets (which would require firewall rules), then you don't need 4 VLANs on the connection between mikrotik and fortigate. Instead you should use fifth subnet for that connection. It can have longer subnet mask if you wish, e.g. 192.168.5...
by mkx
Sun Jun 13, 2021 4:53 pm
Forum: RouterBOARD hardware
Topic: Fans on MikroTik Cloud Router Switch 354-48G-4S+2Q+RM - volume level?
Replies: 17
Views: 1396

Re: Fans on MikroTik Cloud Router Switch 354-48G-4S+2Q+RM - volume level?

BTW is not ROS overkill on a Switch?

It probably is. But some people adore CLI for management and SNMP for supervision.
by mkx
Sat Jun 12, 2021 2:02 pm
Forum: General
Topic: CRS328 - can't ping device, packet sniffer shows no ICMP packets
Replies: 3
Views: 344

Re: CRS328 - can't ping device, packet sniffer shows no ICMP packets

To use packet sniffer on CRS you need to disable HW offload for the port of interest. Otherwise I don't see anything wrong with config. In some rare cases some devices misbehaved even though config seemed right. Some cleansing action was needed, you might want to try one of these (you can try all fr...
by mkx
Sat Jun 12, 2021 11:03 am
Forum: General
Topic: Port Forwarding Problem [SOLVED]
Replies: 16
Views: 1050

Re: Port Forwarding Problem [SOLVED]

You need hairpin nat.
by mkx
Sat Jun 12, 2021 10:59 am
Forum: General
Topic: dhcp on vlan trunk not working
Replies: 15
Views: 769

Re: dhcp on vlan trunk not working

why would anybody want to tag all packets on a trunk port, except for a very specific one? On trunk port one would not tag/untag any of packets and would thus configure such port with frame-types=admit-only-vlan-tagged ingress-filtering=yes (when using bridge vlan filtering and appropriate setting ...
by mkx
Fri Jun 11, 2021 10:22 pm
Forum: General
Topic: Route reachable but timeout??
Replies: 7
Views: 686

Re: Route reachable but timeout??

Torch is one of tools that can help you. And no, counter increasing in one direction doesn't mean the port is not damaged.
by mkx
Fri Jun 11, 2021 10:16 pm
Forum: General
Topic: Firewall rules to secure CHR
Replies: 4
Views: 550

Re: Firewall rules to secure CHR

Something like that. If you need to add some accept rules later, push them just below the "drop invalid" rules and above the new "drop all" ones. I wouldn't log all hits of "drop all rules", there might be many entries due to bots scanning the network. A missing accept ...
by mkx
Fri Jun 11, 2021 4:10 pm
Forum: Beginner Basics
Topic: Preserve client IP when dst-nat to other server
Replies: 25
Views: 1027

Re: Preserve client IP when dst-nat to other server

By referring to "another subnet for NTP server" I was thinking of this LAN setup:

                       --> LAN (10.0.0.0/16 or whatever the subnet mask)
                      /
                     |
internet <--> router
                     |
                      \
                       --> "NTP lan" (NTP server with IP address e.g. 10.254.254.2/24 or any other IP address outside LAN subnet mask)

The bes...
by mkx
Fri Jun 11, 2021 9:15 am
Forum: General
Topic: Route reachable but timeout??
Replies: 7
Views: 686

Re: Route reachable but timeout??

And the strange thing, it can run if I switch the function from ether 2 to ether 5. If that's the case then you might want to thoroughly check potential differences in configuration of those two ports. Next thing would be doing some elaborate tests to try to pinpoint the device where stuff breaks. ...
by mkx
Fri Jun 11, 2021 8:41 am
Forum: General
Topic: Route reachable but timeout??
Replies: 7
Views: 686

Re: Route reachable but timeout??

Sorry, crystal ball is defunct currently. What I want to write: it's impossible to tell why something stopped working while nothing supposedly changed. In this case it's only possible to find the reason by extensively debugging the whole setup. And you're the only one able to do it.
by mkx
Fri Jun 11, 2021 8:30 am
Forum: Beginner Basics
Topic: Winbox 64 bits ?
Replies: 3
Views: 521

Re: Winbox 64 bits ?

Probably a stupid question... but what's the point of a 64bits Winbox ? what use case / config would require it ? Even though the name of tool is win box which implies it's a tool running in windows (and that's even true) that doesn't mean it can't be run in other environments. Such as under wine i...
by mkx
Fri Jun 11, 2021 8:18 am
Forum: Beginner Basics
Topic: Preserve client IP when dst-nat to other server
Replies: 25
Views: 1027

Re: Preserve client IP when dst-nat to other server

@rextended: I'll just ignore your last post, it's quite off topic already. The post is directed at me (concrete examples of "right" choices) and I think I can master my own subnet of NTP servers just fine (I've been running public NTP servers for the last 25 years). You don't know the reas...
by mkx
Thu Jun 10, 2021 10:20 pm
Forum: Beginner Basics
Topic: Preserve client IP when dst-nat to other server
Replies: 25
Views: 1027

Re: Preserve client IP when dst-nat to other server

You're right ... as long as it works, we don't need any logs, debugging information or any other nonsense. But sometimes it doesn't work ... and then we need all the noise we can get ... and if there's no noise to filter, we're in troubles.
by mkx
Thu Jun 10, 2021 9:51 pm
Forum: Beginner Basics
Topic: Preserve client IP when dst-nat to other server
Replies: 25
Views: 1027

Re: Preserve client IP when dst-nat to other server

observability of NTP server in ROS I do not understand how traduce that on Italian but... I'm talking about .... [user@MTrouter] > /system ntp client print enabled: yes mode: unicast primary-ntp: 192.168.42.10 secondary-ntp: 2001:1470:8000::92 dynamic-servers: status: synchronized versus user@192.1...
by mkx
Thu Jun 10, 2021 8:13 pm
Forum: RouterOS v7 BETA
Topic: Driver bug on 7.1b6 and rtl8153b ethernet chipset
Replies: 2
Views: 713

Re: Driver bug on 7.1b6 and rtl8153b ethernet chipset

You can download previous versions if you hand-craft download links similar to the current one. For example: download link for x86 7.1beta6 Extra packages is h ttps://download.mikrotik.com/routeros/ 7.1beta6 /all_packages-x86- 7.1beta6 .zip If you change it to h ttps://download.mikrotik.com/routeros...
by mkx
Thu Jun 10, 2021 7:59 pm
Forum: Wireless Networking
Topic: CAPSman Controller device
Replies: 7
Views: 963

Re: CAPSman Controller device

I'd be careful about running CAPs manager off site. If CAP devices lose connectivity towards manager (can be even a very short period of time) they shut down their radios.
by mkx
Thu Jun 10, 2021 7:54 pm
Forum: General
Topic: How get access in to vlan from mikrotik bridge mode with tagged port?
Replies: 12
Views: 526

Re: How get access in to vlan from mikrotik bridge mode with tagged port?

OK, since you're not going to describe your environment here's my last post in this thread. Here's a great tutorial on how VLANs are done in mikrotik. Won't help you if your actual LAN layout is as is on your drawing (i.e. your mikrotik completely outside of VLAN 20 area) though.
by mkx
Thu Jun 10, 2021 7:42 pm
Forum: General
Topic: How get access in to vlan from mikrotik bridge mode with tagged port?
Replies: 12
Views: 526

Re: How get access in to vlan from mikrotik bridge mode with tagged port?

Network ... It's simple and flat, it's a local area network with one router 10.10.0.1. Since we're discussing VLANs here and those are L2 (or L2.5 if you want), it still isn't simple and flat. For sure there are managed switches with configuration regarding VLANs (port membership etc.) which have m...
by mkx
Thu Jun 10, 2021 7:32 pm
Forum: Beginner Basics
Topic: locking band R11e-LTE6 [SOLVED]
Replies: 6
Views: 796

Re: locking band R11e-LTE6 [SOLVED]

If modem drops off network when you lock it to some cell, then don't do it. If your favourite MNO does at least half decent job with optimisation of their LTE network then there are very few reasons to lock to some cell instead of letting network do its job.
by mkx
Thu Jun 10, 2021 7:28 pm
Forum: Beginner Basics
Topic: Preserve client IP when dst-nat to other server
Replies: 25
Views: 1027

Re: Preserve client IP when dst-nat to other server

Not sure what you mean by own NTP server?

A raspberry pi, running NTP service ... or something like that. Or even own atomic clock, why not? After all, observability of NTP server in ROS is nil, but some of us do care about proper functioning of services.
by mkx
Thu Jun 10, 2021 6:50 pm
Forum: Beginner Basics
Topic: Preserve client IP when dst-nat to other server
Replies: 25
Views: 1027

Re: Preserve client IP when dst-nat to other server

When you're doing dst-nat to server (10.0.0.100) which is in the same subnet as original client (10.0.0.10), then it is essential to perform src-nat as well (without it, server would reply to client directly and client would reject replies because they would be coming back from IP address it did not...
by mkx
Thu Jun 10, 2021 6:40 pm
Forum: General
Topic: dhcp on vlan trunk not working
Replies: 15
Views: 769

Re: dhcp on vlan trunk not working

Your setup of VLAN ports and interfaces is hosed ... suggest you to read this nice tutorial to see where you failed.
by mkx
Thu Jun 10, 2021 6:37 pm
Forum: General
Topic: How get access in to vlan from mikrotik bridge mode with tagged port?
Replies: 12
Views: 526

Re: How get access in to vlan from mikrotik bridge mode with tagged port?

Mikrotik is fully capable of working with VLANs. But it has to be configured properly and attached to a port in the network which allows access to VLAN 200.

But again, you don't provide usable network information so you don't get usable advice.
by mkx
Thu Jun 10, 2021 6:33 pm
Forum: RouterOS v7 BETA
Topic: v7.1beta6 [development] is released!
Replies: 320
Views: 41410

Re: v7.1beta6 [development] is released!

If you read what @raimondsp wrote it's clear that it's constraint in current L3 HW offload implementation. Not the configuration (because it's not something user can change) nor attached devices. CRS can take jumbo frames, but they will pass CPU which offers severely low throughput ... which is wha...
by mkx
Thu Jun 10, 2021 6:30 pm
Forum: General
Topic: How get access in to vlan from mikrotik bridge mode with tagged port?
Replies: 12
Views: 526

Re: How get access in to vlan from mikrotik bridge mode with tagged port?

VLAN with different ID is just like different physical network ... to reach it, one needs router which connects to both sides. Your diagram does not show any such border device, it only shows a device sitting inside VLAN 20. If border device is properly configured, you can't just add VLAN tags to fr...
by mkx
Thu Jun 10, 2021 6:17 pm
Forum: General
Topic: Firewall rules to secure CHR
Replies: 4
Views: 550

Re: Firewall rules to secure CHR

A pretty safe approach when constructing firewall rules is to have ultimate rule in both input and forward chain which drops everything not accepted by previous rules. Your setup only drops invalid packets which doesn't really protect your router (or network behind that router). Remember: implicit la...
by mkx
Thu Jun 10, 2021 6:05 pm
Forum: RouterOS v7 BETA
Topic: OSPF routing syntax
Replies: 10
Views: 1232

Re: OSPF routing syntax

New filtering rule syntax will be introduced in the next beta. Or, to be precise, v7.1Beta7 will be released when the new syntax is ready.
Ok thank you, can you tell an approximative date for the Beta7 ?

Which part of post by @raimondsp is not clear?
by mkx
Thu Jun 10, 2021 8:06 am
Forum: Beginner Basics
Topic: Router Firewall
Replies: 1
Views: 410

Re: Router Firewall

Screenshot doesn't show everything, next time create text export by executing command /export hide-sensitive file=anynameyouwish from terminal window. Open resulting file in text editor, copy-paste contents ... With firewall filter rules everything (except chain and action) is optional, specifying m...
by mkx
Thu Jun 10, 2021 7:47 am
Forum: RouterOS v7 BETA
Topic: v7.1beta6 [development] is released!
Replies: 320
Views: 41410

Re: v7.1beta6 [development] is released!

There was a thread about L3 HW performance (or rather lack of it) and it was said that L3 HW offload for jumbo frames was not there yet. I'm not sure if that limitation is already lifted. So you might try to test similar scenario but using standard MTU values ...
by mkx
Wed Jun 09, 2021 9:57 pm
Forum: Beginner Basics
Topic: Problem routing traffic from one lan to another
Replies: 6
Views: 709

Re: Problem routing traffic from one lan to another

I'll assume the network subnets are real even if IP addresses aren't. So ... there are two potential problems: Does router 219.7.221.254 have static route towards 128.136.0.0/16 via 219.7.221.252? Does router 219.7.221.254 run stateful firewall? You are possibly creating routing triangle between mik...
by mkx
Wed Jun 09, 2021 9:37 pm
Forum: RouterBOARD hardware
Topic: VLAN problem with CRS112-8P-4S [SOLVED]
Replies: 9
Views: 1349

Re: VLAN problem with CRS112-8P-4S [SOLVED]

As @mada3k wrote: remove switch1-cpu from all vlan port groups under /interface ethernet switch vlan except for VLAN 255. That's only necessary for VLANs with which ROS interacts and it interacts through appropriate vlan interface. Admitting other VLANs to CPU only allows broadcasts to flood the CPU...
by mkx
Wed Jun 09, 2021 9:01 am
Forum: SwOS
Topic: Port Isolation
Replies: 2
Views: 828

Re: Port Isolation

Switches don't have notion of connections ... they only see frames. So with switch it's not possible what you're after. Some switches support ACLs where you can select certain L3/L4 properties of frames which should be dropped. You can try to use that functionality to mimic connection-awareness. For...
by mkx
Wed Jun 09, 2021 8:27 am
Forum: Beginner Basics
Topic: Port 443
Replies: 4
Views: 545

Re: Port 443

Even though you might have some success by constructing L7 filter rules it probably won't last ... The encrypted connection protocols are evolving. Currently there's some initial connection metadata passed unencrypted (namely SNI field) and it is possible to construct L7 filter to fetch that data an...
by mkx
Tue Jun 08, 2021 11:24 pm
Forum: RouterBOARD hardware
Topic: Which router/switch for distributing to 10 individual RouterBOARDs 951-2n?? [SOLVED]
Replies: 4
Views: 1426

Re: Which router/switch for distributing to 10 individual RouterBOARDs 951-2n?? [SOLVED]

I wasn't sure if crs328 was able to handle such a load With some luck it will ... but there's no guarantee. If you look at official test results ... and concentrate on Ethernet test results table, you'll see some routing performance numbers. Experience goes that if you have to pick a number from th...
by mkx
Tue Jun 08, 2021 11:08 pm
Forum: Wireless Networking
Topic: Using 40 Mhz wide channels in a 2.4 Ghz wireless network deployment
Replies: 9
Views: 1123

Re: Using 40 Mhz wide channels in a 2.4 Ghz wireless network deployment

Just in case you decide to go with option #2 from my post above ... you can argue that professional networks, consisting of multiple base stations (APs in WiFi talk) and operating using single frequency channel, use pretty complicated mechanisms to overcome inter-base-station interference: exampl...
by mkx
Tue Jun 08, 2021 9:52 pm
Forum: Wireless Networking
Topic: Using 40 Mhz wide channels in a 2.4 Ghz wireless network deployment
Replies: 9
Views: 1123

Re: Using 40 Mhz wide channels in a 2.4 Ghz wireless network deployment

Due to lack of any serious advice, I'll resort to sarcasm. So you have 3 options:
1. resign from your job immediately
2. fight with senior staffer and resign from your job a bit later
3. leave wireless config according to senior's "law" ... and move around the premises wearing paper bag over your h...
by mkx
Tue Jun 08, 2021 8:12 pm
Forum: Wireless Networking
Topic: Using 40 Mhz wide channels in a 2.4 Ghz wireless network deployment
Replies: 9
Views: 1123

Re: Using 40 Mhz wide channels in a 2.4 Ghz wireless network deployment

Honestly I don't see how you could possibly win this argument. He is obviously very confident about his own knowledge (so he won't take any technical arguments) and he is senior to you (so you can't force your view on him).
by mkx
Tue Jun 08, 2021 12:20 pm
Forum: RouterBOARD hardware
Topic: 3 routerboards bricked this week
Replies: 27
Views: 2184

Re: 3 routerboards bricked this week

Netinstall is very fragile process. Often netinstall seemingly does its job (returning to ready in very short time) but actually doing nothing .... proper netinstall process takes some time (IIRC something around 10-30 seconds, depending on device's storage size and platform). So it is really vital ...
by mkx
Tue Jun 08, 2021 12:12 pm
Forum: General
Topic: no routerboards bricked from 2007 [SOLVED]
Replies: 6
Views: 805

Re: no routerboards bricked from 2007 [SOLVED]

Just to clarify: term "bricked" in my previous post describes router/switch which doesn't boot after user performs some action permitted by ROS itself ... either that's ROS upgrade in one of supported ways or change of configuration which is not rejected by ROS or something else. The fact ...
by mkx
Tue Jun 08, 2021 12:05 pm
Forum: Beginner Basics
Topic: Access LAN computer from a 4G Network
Replies: 2
Views: 372

Re: Access LAN computer from a 4G Network

Not sure if it's the same in your case, but I'll mention regardless: cellular networks in general are not as transparent as fixed networks. Could be that MNO is doing some funky stuff (firewalling of outgoing connections, DPI, rate limiting, FUP, ...) which breaks NAS access for you.
by mkx
Tue Jun 08, 2021 9:22 am
Forum: Beginner Basics
Topic: Very large amount of data on WAN being blocked by defconf firewall rule (Hex S)
Replies: 11
Views: 765

Re: Very large amount of data on WAN being blocked by defconf firewall rule (Hex S)

I would think that with this decent amount of data getting sucked up my ISP would be doing something about it? I know that it'd always be a losing battle, but across thousands of customers wouldn't it add up pretty quickly? The lost data is inconsequential in regards to my data cap and my bandwidth...
by mkx
Tue Jun 08, 2021 9:09 am
Forum: Beginner Basics
Topic: Very large amount of data on WAN being blocked by defconf firewall rule (Hex S)
Replies: 11
Views: 765

Re: Very large amount of data on WAN being blocked by defconf firewall rule (Hex S)

In my browser (FF 89 in ubuntu linux) the second code block isn't limited in a frame (with vertical scroll bar), contents rendering is slightly weird as well. The same in chrome/android on my phone.

Well, I'm quite sure this is not something you or I can fix ...
by mkx
Tue Jun 08, 2021 8:38 am
Forum: General
Topic: no routerboards bricked from 2007 [SOLVED]
Replies: 6
Views: 805

Re: no routerboards bricked from 2007 [SOLVED]

Understand my point of view now? Your point of view might be valid in certain circumstances. The problem with your point of view is that MT tries to be a player in SOHO market segment where expecting users to be anything but dummies is unrealistic. It is understandable that people less tech savvy g...
by mkx
Tue Jun 08, 2021 8:29 am
Forum: Beginner Basics
Topic: Very large amount of data on WAN being blocked by defconf firewall rule (Hex S)
Replies: 11
Views: 765

Re: Very large amount of data on WAN being blocked by defconf firewall rule (Hex S)

It's better to include config and logs in the post using code tags:

Just make sure you have some little "normal" text (at least a dot or two) between two [code] [/code] blocks ... or else forum will improperly render the second (and subsequent) blocks making the effort useless.
by mkx
Tue Jun 08, 2021 8:15 am
Forum: Beginner Basics
Topic: ISP PPPOE with VLAN filtering [SOLVED]
Replies: 32
Views: 1768

Re: ISP PPPOE with VLAN filtering [SOLVED]

Question though, if I'm assigning a pvid to a bridge port would that then be added as tagged or untagged on the bridge vlan configuration? Bridge comes with multiple personalities, they are very well explained in this thread. When assigning PVID to bridge, you're assigning it to bridge port and br...
by mkx
Mon Jun 07, 2021 11:28 am
Forum: Beginner Basics
Topic: After applied filter rule internet connect not stable
Replies: 6
Views: 735

Re: After applied filter rule internet connect not stable

Question 1 add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)" how to get this IP address 127.0.0.1? It's there, implicitly set. But it's hidden from you, you can't see it anywhere. However it's not really usable for many things, e...
by mkx
Mon Jun 07, 2021 11:16 am
Forum: Beginner Basics
Topic: Connecting several CRS: Bad transfer rate
Replies: 7
Views: 650

Re: Connecting several CRS: Bad transfer rate

...for such a simple setup, I wouldn't bother finding the flaws in the remains of an old configuration. The problem I was mentioning (LCD display affecting performance) doesn't seem to be due to configuration (so it seemed at the time many users were affected by it), but rather due to interaction b...
by mkx
Mon Jun 07, 2021 11:11 am
Forum: General
Topic: someone hack my routrs - can someone help?
Replies: 15
Views: 1801

Re: someone hack my routrs - can someone help?

All but high-end devices (which includes CCR, CRS and RB1100 devices) come with set of default firewall rules. One can see default settings by executing command /system default-configuration print (just beware that lines are truncated rather than wrapped around, so make sure you have really wide ter...
by mkx
Sun Jun 06, 2021 6:00 pm
Forum: Beginner Basics
Topic: I have a dedicated FW that I wish to keep, but demote from being the Gateway placing a Mikrotik Router there in stead
Replies: 11
Views: 842

Re: I have a dedicated FW that I wish to keep, but demote from being the Gateway placing a Mikrotik Router there in stea

Subnets? I really don't get why? To ensure packets flow in both directions via same path ... otherwise things can get messy. I agree that this seems unsolicited complication, but in long term it it would save you some time ... ISP > > Zyxel FW @ 192.168.1.2 (Cabling channels all the traffic through...
by mkx
Sun Jun 06, 2021 12:13 pm
Forum: Beginner Basics
Topic: I have a dedicated FW that I wish to keep, but demote from being the Gateway placing a Mikrotik Router there in stead
Replies: 11
Views: 842

Re: I have a dedicated FW that I wish to keep, but demote from being the Gateway placing a Mikrotik Router there in stea

Proper thing to do would be the following: use one IP subnet for LAN devices (right of MT router) and one subnet for MT-FW "subnet". Ideally you would keep using same IP subnet for LAN (in case you have any static configuration on any of LAN devices). MT would simply have two interfaces, c...
by mkx
Sun Jun 06, 2021 11:56 am
Forum: General
Topic: two cpe's
Replies: 2
Views: 359

Re: two cpe's

Which particular RB750 do you have? There are a few models, some current and some discontinued. Ability to power both SXTs depends on particular model. As to the data connectivity setup: any of RB750 will nicely route traffic. The oldest models might have hard time to actually route at 60Mbps (both ...
by mkx
Sat Jun 05, 2021 7:52 pm
Forum: General
Topic: CPU high utilization due to the Queue .CCR
Replies: 5
Views: 482

Re: CPU high utilization due to the Queue .CCR

Usual suggestion is to go with latest version from "long-term" channel, currently that's 6.47.10.
by mkx
Sat Jun 05, 2021 10:51 am
Forum: General
Topic: ROS upgrade failed on CRS328-4C-20S-4S+ now stuck in SWOS?
Replies: 3
Views: 429

Re: ROS upgrade failed on CRS328-4C-20S-4S+ now stuck in SWOS?

My guess is that you'll need physical access to the switch. And netinstall it.

SwOS doesn't have any MAC-something service, only way to manage it is via web interface.
by mkx
Sat Jun 05, 2021 10:48 am
Forum: General
Topic: DIfferent port-forwarding based on domain
Replies: 1
Views: 337

Re: DIfferent port-forwarding based on domain

It can't be done with mikrotik only. L7 is too late in the game to make redirection working (it works fine as firewall rule because it can break connection at some later stage) and other criteria don't care about SNI (Server Name Indication) which is the only way of getting domain name of intended s...
by mkx
Sat Jun 05, 2021 10:40 am
Forum: General
Topic: Bounding 802.3ad
Replies: 7
Views: 511

Re: Bounding 802.3ad

...in my opinion a single ppoe connection will not be balanced across all ports in the bond. Indeed. PPPoE is protocol on top of ethernet, hence bonding policies will only hash according to L2 ... as PPPoE server is only one (single MAC address), the only remaining variable is client MAC address.
by mkx
Sat Jun 05, 2021 10:37 am
Forum: General
Topic: DNS Forwarding is not working anymore
Replies: 4
Views: 537

Re: DNS Forwarding is not working anymore

My guess: you need properly configured hair-pin NAT for DNS resolver.

To give you better advice, post output of at least /ip firewall nat export hide-sensitive ... complete config would be better.
by mkx
Fri Jun 04, 2021 11:34 pm
Forum: Wireless Networking
Topic: hAP ac2 can't connect 5Ghz -N/AC mode
Replies: 15
Views: 9017

Re: hAP ac2 can't connect 5Ghz -N/AC mode

By the way every time I use one of your posts, I drink a beer in your honour. I hope that is payment enough ;-P So far I am still sober................... conclusion ;-PPPPP

Conclusion: next time your better half lets you to the grocery store, try to find some non-alcohol-free beer :-P
by mkx
Fri Jun 04, 2021 11:24 pm
Forum: General
Topic: Can't access network [SOLVED]
Replies: 3
Views: 536

Re: Can't access network [SOLVED]

So essentially you want to use mikrotik to wirelessly bridge multiple wired devices on L2. In short: it can't work if both wireless devices are from different vendors due to missing piece in 802.11 standard. You can read more in this nice article. There are some workarounds but all come with gotchas.
by mkx
Fri Jun 04, 2021 3:00 pm
Forum: RouterBOARD hardware
Topic: GPeR
Replies: 4
Views: 1176

Re: GPeR

You could use RBGPOE passive injector from one side to power GPeR ... I guess.
by mkx
Fri Jun 04, 2021 2:56 pm
Forum: Wireless Networking
Topic: hAP ac2 can't connect 5Ghz -N/AC mode
Replies: 15
Views: 9017

Re: hAP ac2 can't connect 5Ghz -N/AC mode

Also, other suckers like me may actually look at the thread with genuine 5Ghz issues and could benefit from my unique and amazing settings. Indeed. Sometimes I have a feeling that you use this forum as a scratchpad to scrabble your settings only to come back at some later time to find them to re-a...
by mkx
Fri Jun 04, 2021 2:47 pm
Forum: Beginner Basics
Topic: RouterOS on CRS326 - upgrade from USB flash drive
Replies: 2
Views: 395

Re: RouterOS on CRS326 - upgrade from USB flash drive

Usual mode of manual upgrading ROS is to copy npk file to root of device's storage. After that reboot device and it should pick the file. The trick in your case is how to move/copy file from flash drive to device's storage. I don't think there's command to actually copy file from one directory (or m...
by mkx
Fri Jun 04, 2021 2:42 pm
Forum: Beginner Basics
Topic: Internet fiber on switch to router
Replies: 8
Views: 598

Re: Internet fiber on switch to router

Can I connect the internet fiber to the CRS328 (who has 4 SFP+ ports) and configure the RB4011 to use that as default destination? This would however mean that all traffic from LAN to WAN has to go through the CRS328 - RB4011 connection to be routed and back to go to the internet. Assuming internet...
by mkx
Fri Jun 04, 2021 2:29 pm
Forum: General
Topic: VLAN Routing is slow on hex S
Replies: 10
Views: 692

Re: VLAN Routing is slow on hex S

Don't mix intra-VLAN switching and inter-VLAN routing. Better switch (CSS3xx or CRS3xx) can help with former (intra-VLAN switching) but not with the latter (switches suck at routing even if they run ROS, like CRS3xx does). hEX S is not a very powerful router. Real-life routing performance with prett...
by mkx
Fri Jun 04, 2021 12:27 pm
Forum: Beginner Basics
Topic: Access Webserver inside Lan - Hairpin NAT [SOLVED]
Replies: 3
Views: 649

Re: Access Webserver inside Lan - Hairpin NAT [SOLVED]

Assuming your whole LAN is behind ether2 ... you'll have to add ether2 to interface list LAN:
/interface list
add interface=ether2 list=LAN

BTW, current entry to LAN interface list (add list=LAN) does nothing and would best be removed not to offer base for any wrong assumptions.
by mkx
Fri Jun 04, 2021 12:10 pm
Forum: Beginner Basics
Topic: Connecting several CRS: Bad transfer rate
Replies: 7
Views: 650

Re: Connecting several CRS: Bad transfer rate

why all interface have set [ find default-name=xxx ] speed=100Mbps ??? My guess: config started with ancient ROS version where 100Mbps was default (comment on bridge of CRS2 saying "created from master port" indicates this). This setting, however, should not affect performance if auto-neg...
by mkx
Fri Jun 04, 2021 9:26 am
Forum: Beginner Basics
Topic: L3 switch configuration
Replies: 1
Views: 355

Re: L3 switch configuration

Here's VLAN config manual for CRS1xx. Beware that routing capacity of CRS1xx devices is nowhere near wirespeed. If you need any decent throughput between VLANs you better buy proper router for that.
by mkx
Fri Jun 04, 2021 9:19 am
Forum: General
Topic: 2x CRS328-24P-4S+ with broken ports - short circuit
Replies: 4
Views: 431

Re: 2x CRS328-24P-4S+ with broken ports - short circuit

Use gigabit PoE surge protector, sometime parasite currents can happen between two devices in 100+ network devices? Perhaps not all 100+ devices, but that's up to qualified electrician to decide. It very much depends on earthing done on both ends of UTP cable. If earthing point is common for both e...
by mkx
Fri Jun 04, 2021 9:07 am
Forum: RouterOS v7 BETA
Topic: Vlan on switch vs Vlan on interface
Replies: 5
Views: 879

Re: Vlan on switch vs Vlan on interface

@Tulga described requirements:
eth3 and eth5 are members of same LAN (switching traffic between ports) - LAN1: 192.168.1.0/24 (I'm guessing subnet mask)
eth7 and eth9 are members of LAN2: 192.168.2.0/24
ethX (other than 3,5,7,9 and WAP port) are members of LAN3: 192.168.100.0/24
One can do it using ...
by mkx
Tue Jun 01, 2021 9:17 am
Forum: Beginner Basics
Topic: No ping to device from AP ?
Replies: 2
Views: 368

Re: No ping to device from AP ?

Post full configuration export from station. If all ports are bridged, then firewall rules likely don't do anything... but there are other settings that can affect behaviour.
by mkx
Mon May 31, 2021 8:11 am
Forum: Wireless Networking
Topic: Help with Setup
Replies: 5
Views: 787

Re: Help with Setup

It can be done if you configure VLANs on link between the two cAPs. You'll need some general knowledge about VLANs, this tutorial nicely describes how it's done on Mikrotik devices.
by mkx
Sun May 30, 2021 11:01 pm
Forum: General
Topic: Firewall NAT logging!
Replies: 9
Views: 576

Re: Firewall NAT logging!

As the failed login attempts appear from a NAT router (unless the address is spoofed!) I don't believe address seen by SSH daemon (on radius server) is spoofed. If it was, the connection would not go farther than to second step of 3-step TCP handshake (server reply with SYN ACK), so you wouldn't ...
by mkx
Sun May 30, 2021 8:19 pm
Forum: General
Topic: Firewall NAT logging!
Replies: 9
Views: 576

Re: Firewall NAT logging!

So somebody from internet (or LAN?) is trying to get into your not-so-well hidden SSH service. As all failed logins appear to originate from your NAT router, you probably have one src-nat too many (or some too greedy src-nat). If you fix that src-nat rule, you'll see actual src addresses of those lo...
by mkx
Sun May 30, 2021 8:12 pm
Forum: RouterBOARD hardware
Topic: RB4011iGS+ PoE in seems to need a jump-start
Replies: 12
Views: 1180

Re: RB4011iGS+ PoE in seems to need a jump-start

PoE standard 802.3 af/at defines some elaborate procedure when PSE (power source) applies power to port. And if PD (powered device) does not respond appropriately, PSE should assume that connected device is not 802.3 af/at compliant and should not enable full power. RB4011 supports only passive PoE ...
by mkx
Sun May 30, 2021 1:53 pm
Forum: Wireless Networking
Topic: RB2011 wireless speed very low?
Replies: 4
Views: 871

Re: RB2011 wireless speed very low?

Even if it's "only" 802.11n, it should still be able to give realistic throughput around 100Mbps ... given reasonably interference-free environment (which might be mission impossible in certain areas). However, official test results indicate that realistic wired routing speed might peak at ...
by mkx
Sun May 30, 2021 11:02 am
Forum: RouterBOARD hardware
Topic: RB4011iGS+ PoE in seems to need a jump-start
Replies: 12
Views: 1180

Re: RB4011iGS+ PoE in seems to need a jump-start

Only thinking aloud: starlink brick specifies output voltage at 56V. That might be nominal voltage while in reality (specially while unloaded) it might be a tad higher. Mikrotik OTOH might refuse to start when fed by voltage higher than exactly the upper limit (57V). If, after starting up, mikrotik ...
by mkx
Sat May 29, 2021 9:07 pm
Forum: General
Topic: Point to Point Addressing /32 or /31 Default Route [SOLVED]
Replies: 15
Views: 996

Re: Point to Point Addressing /32 or /31 Default Route [SOLVED]

Ethernet technology is point to multipoint technology. It works the same regardless of how layer above (e.g. IP) is configured, frames are still sent to destination MAC address and that one still has to be learned somehow, normally using ARP who has mechanism and in order to learn destination MAC ad...
by mkx
Sat May 29, 2021 8:54 pm
Forum: Beginner Basics
Topic: Can't Access Netgear Modem Management hEX S
Replies: 4
Views: 479

Re: Can't Access Netgear Modem Management hEX S

The problem is in subnetting you have: subnet set on netgear overlaps with mikrotik's LAN (10.0.1.0/24 is upper half of 10.0.0.0/23) and that's a problem for both mikrotik and netgear. From the sketch of network layout it's not very clear how mikrotik is actually configured so it's impossible to tel...
by mkx
Sat May 29, 2021 6:03 pm
Forum: General
Topic: Mikroitk Router OS (Trial Version Limits) [SOLVED]
Replies: 3
Views: 503

Re: Mikroitk Router OS (Trial Version Limits) [SOLVED]

You can check about limitations of particular ROS license levels in this document. AFAIK ROS x86 is 32-bit and is thus limited to using 2GB RAM (usual limitation of "straight" 32-bit linux kernel). I don't know about issues with exceeding certain number of PPPoE active sessions. I wouldn'...
by mkx
Sat May 29, 2021 5:52 pm
Forum: Beginner Basics
Topic: Setting up VLAN/Firewall with Mikrotik Router (RB4011)
Replies: 5
Views: 592

Re: Setting up VLAN/Firewall with Mikrotik Router (RB4011)

please no CLI, I have seen that users post the code of the configuration and while I could some portions of it, it is too advanced for my level Just FYI: basic configuration structure (tree if you want) is mostly the same both in GUI (either winbox or webfig) and in CLI. It's much easier and more r...
by mkx
Sat May 29, 2021 5:44 pm
Forum: Announcements
Topic: v6.48.3 [stable] is released!
Replies: 117
Views: 23208

Re: v6.48.3 [stable] is released!

But 30ms really seems to be over the top for this value. Screenshot in post #51 above shows winbox UI displaying "ms" as unit for that field. Nobody said we really wanted to have such a short setting, it was just part of debugging process ... CLI error message implies that setting resoluti...
by mkx
Fri May 28, 2021 10:47 pm
Forum: Wireless Networking
Topic: NV2 Sync
Replies: 7
Views: 1828

Re: NV2 Sync

The NTP server itself doesn't even have to be very accurate, as it is the relative timing between APs that matters. You're right, absolute time is not important. However, clocks on co-located APs should be synchronized to a few ten nanoseconds ... remember, standard duration of guard period in 802....
by mkx
Fri May 28, 2021 3:01 pm
Forum: General
Topic: Tapatalk support lost?
Replies: 4
Views: 581

Re: Tapatalk support lost?

Being tapatalk-ignorant I find current situation very pleasing. In the past sometimes tapatalk plugin aggressively offered me to use tapatalk app and it was really pissing me off.
by mkx
Fri May 28, 2021 2:56 pm
Forum: Beginner Basics
Topic: differences between WAN RX & LAN TX
Replies: 3
Views: 415

Re: differences between WAN RX & LAN TX

There is no help, it's how queues work. Get over it. When ingress throughput exceeds allowed egress throughput, then traffic shaper (queue) buffers some traffic. If ingress traffic rate continues to exceed allowed egress throughput and buffers get full, some packets are dropped. Normal TCP streams a...