MikroTik

mkx

Just noticed this IPv6 firewall filter entry (the last one): add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN and I couldn't see command that adds your VLAN17 interface to LAN interface list ... if that's indeed so, then this ...

mkx

Another thing to check: /ipv6/setttings/print ... forward setting should be set to "yes" Regarding DNS servers: it's not critical to tell clients about IPv6 addresses of DNS servers, but it's good to do it. It's been a while since I verified my setup, but I think that setting IPv6 address ...

mkx

Since you're ignoring request to show capsman config, we'll ignore your "up!" requests.

mkx

/ipv6 address add address=2001:470: 1f1c:73c::2 /64 advertise=no comment="Hurricane Assigned" interface=sit1 Just like in IPv4 also IPv6 addresses need to be accompanied with apropriate prefix length to indicate which address space is available as directly connected subnet via certain int...

mkx

I don't have any device with proper serial port so I don't know what exactly is possible. If I'm not much mistaken it is possible to upgrade routerboot via serial console, but a) you have to have appropriate fwf file ready (possible to get but not trivial) and b) use terminal client on your PC which...

mkx

ROS v7.13 (currently rc2) unbundles wifi drivers and it's possible to run hAP ac2 wireless-less. This makes flash storage around 3MB less occupied.

mkx

When mixing AP and station mode on single radio, keep in mind that station has to follow AP regarding channel and bandwidth used. Which means it's easier to get things right if physical interface acts as station and virtual one then acts as AP. Beware that the virtual AP will work on exactly same ra...

mkx

Well ... it's not ROS kicking device, it's device which doesn't want to stick to MT (it's device which does disconnect). It might be that MT sends some roaming info which device doesn't like. Hard to tell. Are you 100% sure that both radios provide actual network connectivity? If device roams to 2.4...

mkx

If you're fine with single ping, then run "/ping count=1 1.1.1.1" and you'll get instant response.

mkx

No, not really. Things don't work nicely if IP subnets don't overlap with L2 segments. In your case you have 192.168.89.0/24 on VLAN and it'll be major PITA to have one of these IP addresses on your main (tagless) network. If you can somehow plug the IKEA device directly to one ether port of hAP ax3...

mkx

G.hn standardizes different physical media, coax is one of them. When I was looking for a solution for my parents' house, I settled for MoCA (the 2.5 Gbps variety) simply because of better availability - ethernet over coax is not really popular around here because cable TV wasn't a huge thing (befor...

mkx

Basic functionality of woobm has nothing to do with drivers on ROS device. In principle it acts as AP itsrlf, one uses a wifi device to connect to it and then use web browser to open woobm pages. One of features, available on woobm's web page, is terminal window. My favourite conspiracy theory about...

mkx

I don't think wifi driver repartitioning will help with meshing+WPA3 in any way.

mkx

Since it's new device for you (and I'm guessing that your family's happiness doesn't depend on it yet), I suggest you to bite the bullet and (net)install 7.13rc on it. This version (finally) allows running modern wireless driver, which really unleashes full potential of this little gem. Absolutely u...

mkx

It has to do with backup way into ROS device ... just as much as your suggestion about dedicated off-bridge ether port.

mkx

Logs can be stored on USB disk. Userman database can be stored on USB disk. Exports can be stored on USB disk. Upgrade packages for upgrades via capsman can be stored on USB disk. However: ROS (basic bundle and any optional packages) can only be installed on flash storage and configuration can only ...

mkx

Even (... shivers... ) powerline can be an option ?

Or, if coax is available, MoCA or G.hn (the former is more popular in NA, the later slightly more in Europe).

mkx

Something from 60GHz product family.

Or dig a trench and install SM fiber, so you can extend the fiber link to the place where you'd like to use it.

mkx

Can you get in if you connect PC directly to LHGG (and not via router)?

mkx

Please stop spamming threads with WOOMB usb ...............

Why do you consider those posts as spam? Woobm is MT's own product and works quite well (if device is alive enough to enable console on USB port).

mkx

Available now in 7.12beta1!
user ed25519 keys are in 7.12?

Yes.

mkx

The router has console over serial port ... you can connect and see what it says when rebooting. Did you upgrade routerboot (equal to BIOS/UEFI on PCs) recently? Older routerboots can have hard time to boot recent ROS versions. And netinstall doesn't upgrade routerboot, you have to do it from runnin...

mkx

On devices with tiny flash (less than 64MB IIRC), the downloaded npk files are temporarily stored on RAM disk. Storing them on USB flash won't help. However ROS installed packages go directly on main flash and no other installation option is supported. When upgrading, ROS installer knows that files ...

mkx

If netis-thingie supports VLANs then no problem. But quick view tells me that it likely doesn't.

mkx

Does a good hardware reset help? E.g. unplug SFP module and plug it back after a minute or so. Ditto for router: shut it down and unplug power. After a minute or so boot it back. The idea being that changing SFP operation mode might get unnoticed by the other end of SFP link leading to loss of link....

mkx

Probably because of wifiwave2 package, yes. I think so as well. When wifiwave2 package is installed on audience, it allways boots with eror message about an error in configuration script. While it seems to be benign after device is fully configured, it might upset quickset to the point where quicks...

mkx

Nope, there isn't one "from factory". You could build one by using a 3xminiPCIe wifi cards. But beware of using two wireless cards operating in same frequency band without utilizing proper (hardware) antenna filters, both cards have ability to mutually destroy receivers. Audience is done p...

mkx

I guess that in a typical active/active scenario it would be best to configure both/all DHCP servers with same address pool. So when a client tries to renew an IP address, it'll be fine with any of servers. Even if previous lease was handled by another DHCP server, the current one will most likely A...

mkx

Also the network under dhcp-server for the iot interface has a wrong subnet mask config How you know that? how to fix that? In the config shown in post #10 above you have netmask=2 in dhcp-server network section for IoT ... set it to 24. You might also add the iot interface as a LAN inside interfac...

mkx

Yes, RB4011, having two switch chips, can run two bridges, both HW offloaded. But: each bridge has to span ethernet ports which are actually connected to same switch chip (i.e. ether1-5 on bridge1 and ether6-10 on bridge2). Snd other mixing will hamper HW offload (because HW offload only works for t...

mkx

In plain english: you can use same security profile for both capsman provisioning and for local device. You can use the rest of profiles in both places as well if they apply unaltered (datapath, channel, what not). The config is actually shared between local manually provisioned wireless interfaces ...

mkx

The whole ordeal depends very much on how things are physically connected and how's router set-up. Bridge is s switch-like entity and won't block traffic passing between diferent ports (that includes RAs).

So show us actual layout and actual config of your device.

mkx

Routing performance vastly depends on configuration. Each device has official benchmark results published as part of product page, hEX's are here . The most optimistic reading says that hEX is capable of routing at almost 2Gbps (not via a single pair of 1Gbps lines obviously, tests are done using al...

mkx

All Mikrotik wireless devices can be used as full-featured routers (but their capacity varies). On all Mikrotik wireless devices it's possible to dissable (=switch off) wireless part. Since that's done in software, you generally have chicken-egg problem: you need wireless enabled before you can conn...

mkx

Clients should stick with one DHCP server for renewal, once served by one of the DHCP servers. The other DHCP server should not NACK the address if not in his pool. I agree with first half if quoted text. Clients know which DHCP server handed out the lease so they could tey to renew the lease using...

mkx

I guess you're hitting the CPU ceiling here. While running tests, run CPU profiler, likely one of CPU cores will be at 100%. And I can imagine that wireguard handling might be tied to single CPU core for a few good reasons.

mkx

... you can import chuncks of config via the TERMINAL CLI window. And all of that while observing the CLI feedback and ptoperly react to it. Some ROS versions export config in a slightly wrong order (settings referring to items only defined in later commands), recent ROS versions are better in this...

mkx

Is the replacement device exactly the same type as was the dead one? Binary backups (backup/redtore type) are intended for exactly same device and work with same type (some device specific stuff is in backups, e.g. MAC addresses ... these are not vital if original device doesn't appear working in sa...

mkx

Have a look at VLAN on mikrotik tutorial, in particular switch with a separate router section.

If that doesn't help, then post config of both involved devices for review.

mkx

If you had properly separated WAN from LAN, then parent wouldn't be able to see any of your LAN (it would have to be behind a NAT). Hiding parent's LAN (your direct WAN) is a bit trickier, but with propervseparation of WAN and LAN on your router it shouldn't be a problem. What exactly to do? Due to ...

mkx

There are different ways of doing it, but the proper (and extensible and future-proof) way is by setting up VLAN-enabled bridge on CCR. Have a look at this tutorial on how to do it properly. There are a few use cases explained, I don't think yours is directly one of them (some concepts of switch app...

mkx

The phones are plugged to non-manageable switches, these switches are plugged to VLAN 30 ports of an edge manageable switch. I will play around with it on monday, but any idea would help :) As long as ports on edge managed switches are set as access ports[*], it should work fine. [*] In Mikrotik pa...

mkx

I have CAPsMAN running on AX^3 successfully managing three AX^2 CAPs. However, when I attempt to use CAPsMAN to manage the AX^3's CAP, there is no signal. Officially CAPsMAN can not manage local wireless. Since wave2/wifi for local configuration uses same configuration subtree as CAPsMAN, it's no n...

mkx

The error (perhaps worded slightly differently) is there for any ac device if wave2/wifi driver is installed instead of default wireless (e.g. wifiwave2 on audience). It had been reported numerous times, @rextended also pointed out exact location and proposed a solution. MT devs chose to ignore the ...

mkx

I've no idea about exact radiation patterns of those sticks. I have a suggestion: cut it to half (both along the long axis and perpendicular), take a few good photos and post them here. Then we'll start to guess about possible radiation patterns :wink: Without that, my guess is that the only orienta...

mkx

Think of AP if it was a switch and each connected station connected to separate switch port. And additional uplink port (which is wifi interface, usually connected to device's bridge). This "AP switch" is implemented in wireless driver. When default-forwarding is enabled, then "AP swi...

mkx

When setting up IPv6, one usually sets a proper (i.e. not a link-local) IPv6 address to individual interfaces. When VLANs are in the mix, this means assigning IPv6 address to vlan interface. And MT router will, by default, send out router advertisements on interfaces with proper IPv6 address. So if ...

mkx

When mentioning ether1 I meant config you have. Having it as bridge port of main-bridge in principle includes tagged traffic as well, even though you have the vlan interface attached to ether1 port. If you had vlan filtering enabled, then you could filter tagged frames from entering main-bridge, but...

mkx

Have a look at the excelent tutorial on how to do VLANs on Routeros, in particular Router on a Stick section . Switch has to be configured appropriately as well. If fiber modem works as untagged device, then configure switch port connecting it with "default vlan id" (or PVID) so that switc...

mkx

The VLAN setup is funky. You really should be using single bridge, have a look at this tutorial. In particular, use of ether1 (interconnect interface) is not fine.

mkx

DFS, a.k.a radar detection. On certain channels AP is required to listen full 10 minutes before it can start to transmit.

mkx

Increasing antenna gain and decreasing Tx power has same end effect. Normis explained in a post a few years ago (I can't find a reference, but I remember the contents very well) that wifi radio chooses actual Tx power to be the lowest of these values: country EIRP limitation less antenna gain Tx pow...

mkx

Actual loss happens on mikrotik ... packet somehow arrives at port Tx queue (another name for FIFO buffer) where it's discarded. So it's never attempted to pass to SFP and SFP knows nothing about it (not even that it was dropped). PPPoE is, in this case, payload of discarded packet. PPPoE interface ...

mkx

In that case, I'm affraid you're screwed.

mkx

Create 3 bridges, one for each LAN ad assigne ethernet port to each bridge. Configure 2 port as trunk for VLANS Use Wireguard to access my BR2 from everywhere If it is possible, configure the router as VPN Client I would like to connect the Cisco switch to the router using SFP or Ethernet Port usin...

mkx

Tx queue drops mean drops caused by Tx buffer being full because port could not transmit frames fast enough to keep the pace with rate of frames being queued for transmission. This kind of errors is not due to state of physical link and thus receiver (in this case it's SFP) can not see any sign of ...

mkx

The problem when creating firewall rules is that one needs to know exactly what traffic is expected - which combinations of remote_ip/remote_port will be used for connections. For windows defender tash is much easier as it can be configured to allow certain executable to open communiaction ports (an...

mkx

But I can't find out what the port "switch1-cpu" is for and when should I add it to a vlan or not? It's the window through which ROS (running on CPU) can communicate with (V)LANs handled by switch chip. On ROS side, that's bridge interface in your current config. On a typical switch you n...

mkx

For your goal, you need to enable "Ingress Filtering" on every port you want (not just the bridge's interface itself). With that enabled, an ingressing frame is checked against its VID and if the port is member of this VID. If no tag is there, the PVID is checked against. If the port is n...

mkx

A question: which switch model exactly are you using? There's no such thing as CS108 ... it might be CRS109 or RCS309 ... and these two need to be configured in different way to get wirespeed switching ... But in neither case it should be necessay to mix configuration in both /interface/bridge subtr...

mkx

Just a word of caution: 80+80 is not the same as 160. And if I'm not much mistaken, ax2 doesn't support any of these variants.

mkx

Much more readable configuration is shown using command "export" ... only rarely some things are missing (such as dynamic addresses, etc.). Please provide those exports.

mkx

Exactly for reasons I'm mentioning (the device-specific bits) you can't get a complete .bin file, that would mean cloning a device and that's not good (not only because of cloning license, there are other, more technical, issues involved). I suggest you to get in touch with support, they might be ab...

mkx

My goal is to reduce power for 5Ghz roaming, so that far away devices stay connected to 2.4Ghz instead of going back and forth. I don't think this will solve the ping-pong problem ... it'll just move it closer to AP (or even prompt brain-dead stations to remain on 2.4GHz even when really close to A...

mkx

It's a calculation: EIRP (which is Tx power + antenna gain) must not exceed country limitations. hAP ax3 on 5GHz has Tx power anywhere between 20dBm and 28dBm (depending on radio symbol rate). If talking about fastest rates, where lowest Tx power can be used (20dBm), and when using channels without ...

mkx

So my understanding is this should work when using a bridge that has been already attached to a VLAN? Depends how you deal with VLANs on bridge. Essentially: if you have bridge with VLAN filtering enabled, then currently the only option si to (manually?) add wifi interface to bridge as port with PV...

mkx

I can upload certificate but connection can't establish correct ... I'd say that it has something to do with key type, used in certificate. ROS v6 is pretty outdated with regard to support of security features (encryption protocols, key types, etc.) and it could be that recent windows servers depre...

mkx

Your hEX should be able to route at 100Mbps (it ma peak at around 300Mbps). But that's true with optimal config. With non-optimal config, it's routing capacity can drop to any number and it's impossible to say why in your particular case it can't reach 100Mbps. There's additional gotcha: the mention...

mkx

I think you really should communicate about this directly with support of Mikrotik (e.g. via email support@mikrotik.com). Your issue is a ROS intrinsic, forum users can't help you with it and MT staffers don't necessarily visit all the forum threads, so they will likely miss your post/question.

mkx

Mikrotik is a L3/L4 firewall. It has some L7 functionality, but that doesn't work at all if connection is encrypted (and modern web browsing uses https, so it's encrypted). Ergo, your request can not be fulfilled on Mikrotik firewall. You really should try to implement this kind of security on appli...

mkx

I don't know if it's possible to actually see the custom init script. However, the way export command works is it shows differences between current config and default. So a test would be to reset such unit to defaults (which includes custom init script) and create an export. If such export contains ...

mkx

I still cannot get VLANs working for hAP Ac2 and virtual access points for v7.13beta. Yup, it's documented behaviour. See new WiFi manual under "Replacing 'wireless' package" -> "Lost features" here are quite a few of us hoping that this feature will come back (or rather, will b...

mkx

Where exactly does it break? Is it upload phase or certificate import phase? Describe how exactly are you doing the failing phase.

And a suggestion: upgrade ROS to latest long-term version (6.49.10).

mkx

I believe that fwf file is in a kind of proprietary pseudo-flash file. The flash uploader (built in ROS) probably interprets that and writes it to flash the way it should be done. So those fwf files are not usable for generic flash writers. One thing that ROS updater definitely does is it avoids fla...

mkx

I think it will. Because incompatibility is between wireless and wave2/wifi drivers. And it's (indirectly) documented in Replacing wireless package section of new wifi manual. The 7.13 wifi driver is renamed (and enhanced) wifiwave2 driver from earlier v7, so it's compatible with it (to extent of fu...

mkx

Tx queue drops mean drops caused by Tx buffer being full because port could not transmit frames fast enough to keep the pace with rate of frames being queued for transmission. This kind of errors is not due to state of physical link and thus receiver (in this case it's SFP) can not see any sign of t...

mkx

Divide the number 3 subsequent times by 1024, a bit of free mental training :) Now days every disk manufacturer uses decimal "human readable" prefixes ... it makes "human readable" number higher (roughly by 7.4% when talking about Giga bytes). And in modern times there are even ...

mkx

Config says you're using legacy wireless driver on hAP ac2 ... upgrade that device to 7.13beta, it allows you to use wifi-qcom-ac driver (essentially wifiwave2, but slimmed to fit on hAP ac2). I know that using station-bridge mode between station and AP which don't run same generation of wireless dr...

mkx

And, damn it, I just realized that this is not an AX model so wifiwave2.npk is not needed at all.

wifiwave2 (up and including 7.12.1) is known no emit (spurious?) error message about default config.

Chateau 5G doesn't require wifiwave2 package, but will surely benefit from it. I'd put it back.

mkx

And, freezing temperatures, such as -32°C?
I think the chip will make it hot enough to withstand low temperatures.

If power accidentally fails during low temperature periods, then device will freeze to death. Literally.

But I agree on high temperature issues being more probable.

mkx

I have hard time understanding what exactly is the issue? And how exactly things are connected together? Is nginx-proxy-manager in the same subnet as internal hosts?

mkx

I just had a look at config of appr1-dsw1, I'll assume the rest suffer from same errors. Here's a brief list of things done wrong: no need for multiple bridges (MGMT is on different bridge, which doesn't have any access towards the rest of network) no PVID setting for access ports there's no need fo...

mkx

What's not correct by displaying exact size in bytes instead of some rounded multiple?

One thing is your request for option to have size displayed in MB / GB / TB, another thing is claim that CLI current behaviour is not correct.

mkx

Still getting CRL fetch failed: http error: Network unreachable for: http://x1.c.lencr.org/ It's not ROS problem, it's web site problem: $ telnet x1.c.lencr.org 80 Trying 23.205.191.135... Connected to e8652.dscx.akamaiedge.net. Escape character is '^]'. HEAD / HTTP/1.0 HTTP/1.0 400 Bad Request Ser...

mkx

@riy: what's wrong with instructions in post #5 above?

mkx

Oh, since when does this minor detail matter? I thought that turning off LEDs is THE thing and the rest doesn't matter? I used to keep a RB951G inside a hard-wood (oak) under-TV cabinet and wireless worked just fine in the same room with cabinet doors closed (signal strength around -60dBm at my chai...

mkx

Closing cabinet door dims all leds (front and back) in a quickly-reversible way.

mkx

In such case, I'd be curious to see output of /interface/wifiwave2/actual-configuration/print detail ... specifically channel.width . I wouldn't drop dead if actual channel width would turn out to be less than configured in order to avoid radar detected on the lower channel. The thing is that AP is ...

mkx

Since ROS v7.12, ssh keys of type ed25519 are fine. Recent OpenSSH versions deprecated whole RSA algorithm family. And IMO enabling it is not necessarily a bad thing (if it was such a bad thing, it wouldn't be supported any more) if one uses it only to connect specific remote hosts (i.e. use actual ...

mkx

Close the cabinet door?

mkx

As mentioned the only other way I can think of is creating a VLAN interface at the Switch end of the trunk for the management VLAN and sticking a DHCP client on that. Nope. Since trunk port is member of bridge, then any other business with that port is strictly off limits. Instead you should config...

mkx

On hAP ac2? I'd say it only depends on Tx power setting. Both radios are run by same wireless chip inside same SoC. Due to lower free.air loss in lower frequencies I'd expect slightly better coverage of 2.4GHz radio, so you might be able to reduce Tx power slighly and still get same coverage. By all...

mkx

I looking for a CRS326-24S+2Q+RM Bootloader (FWF file)

It's included in each ROS system package file ... after ROS is installed, FWF file is available to upgrade routerboot.

Why do you want the file explicitly?

mkx

Hard to verify (I'm beyond 6.x since ages), but it could be that 7.11.2 has slightly smaller footprint than 6.4x (you're starting from) so there's more space for whatever temporary files ROS needs to overwrite itself.

mkx

In my working case, ISP is giving out (dynamic, but doesn't matter much) /56 prefixes via DHCPv6 prefix delegation. The I'm using /64 address for LAN interface and none for WAN interface (routing is done using link-local addresses). DHCPv6 client automatically adds route such as this: Flags: X - dis...

mkx

You need SFP+ modules for both sides (SFP without + only goes up to 1Gbps). You have a choice of using either ethernet cable (UTP cat7) or fiber optics (either multimode or singlemode would do), but ethernet is limited to 30m/90ft and even on shorter distances it tends to downrate link (2.5Gbps woul...

mkx

Have a look at Back To Home, it might help in your case. I'm just not sure if hAP ac lite is supported (already), additional architectures got supported with latest stable releases of ROS.

mkx

But my configuration can't have fast track If you really can't enable fasttrack, then RB3011 won't be much better. My hAP ac2 (a slightly better performer than RB3011 if one can trust official test results) can route at 1Gbps with fasttrack (with CPU cycles to spare) but only around 350Mbps without...

mkx

But the same specs page you linked above lists 128MB ... hmm. You ok? I bought over 100 of them and they were all 256MB! hAP ac2 (I believe it's almost identical inside apart from number of ether ports) has officially 128MB RAM. However, some early batches came with 256MB RAM (I happen to have one ...

mkx

Whenever AP decides to use some DFC channel, it has to do the listening (some channels 2 minute, some 10 minutes). Only if AP doesn't detect anything remotely similar to radar it can start using it. If it later detects anything remotely similar to radar, it has to stop transmiting at once and enter ...

mkx

I'm saying that wifiwave2 (and its successor wifi) is under active development. Some config options might exist, but the functionality is yet to come (doesn't happen often, but can happen), options might still exist but functionality is getting deprecated ... or options exist, but the way they affec...

mkx

There might be brain-dead network gear (managed switches, APs) which support VLANs but not for management access. For those one has to use hybrid ports inside LAN infrastructure. However, many (if not most) support using a dedicated VLAN for management access ... and that allows to get rid of untagg...

mkx

There are two, incompatible, versions of CAPsMAN used currently: legacy capsman which can control cAPs running legacy wireless driver and new capsman which can control newer wave2wifi devices. The ones you're mentioning in your post (hAP ac2, hAP ac3, hAP ax2) are all capable of running new wave2/wi...

mkx

Is it the same if I connect from the sfp port? Yes, all ports are connected to switch chip, that one in turn is connected to CPU (doesn't matter that both main parts are in same SoC). https://i.mt.lv/cdn/product_files/CRS112-151027100733_151033.png But your main problem is not device topology, the ...

mkx

If the existing setting gets ignored, what good is it then? Let's be patient and see what 7.13 stable brings us, shall we?

mkx

hAP config has nothing about VLANs so according to config, it should not touch tags at all. I'd netinstall hAP ac2 to be 100% sure it's really VLAN-free (it seems that occasionally the internal configuration database gets out of sync with visible configuration and proper reset clears it ... reset to...

mkx

The reason is that CRS112 is antiquated switch (which happens to support routing functions but at low sppeeds). It's not listed under "archived" hardware on MT page, but it's antiquated nrver the less. Just to be clear: it's still strong if used as proper 1Gbps switch, but for routing it w...

mkx

New wifi driver (wifi-qcom and wifi-qcom-ac, but the same was already in original wifiwave2 driver) can't tag/untag frames. ... What is doing the tagging/untagging then? The RB5009 does receive tagged frames on the ether7 interface and the stations connecting to the wifi networks do not see any VLA...

mkx

IMO things around (new) wifi are very murky right now. 7.13beta bringing wifi separated into different packages is IMO proof that MT is in the middle of serious reworking of wave2/wifi ... so we'll have to be a bit patient and wait to see what will come out of this process. I'm hoping to see vlan-ha...

mkx

.... I'd like to use as high a voltage as possible to keep current low. If your PoE cables are not really long (to cause significant power losses), then you're probably loosing more on internal DC-DC downconverters (inside PoE-powered drvices), their efficiency gets lower with increased difference ...

mkx

New wifi driver (wifi-qcom and wifi-qcom-ac, but the same was already in original wifiwave2 driver) can't tag/untag frames. It's in the new WiFi manual, section "Replacing 'wireless' package" under "Lost features".

So it seems that the problem actually starts on cAP ax ...

mkx

Without seeing (non-working) hEX config and more detailed description of wanted setup we can only respond with: it should work.

mkx

I wonder if it's still possible to configure channels in a way to "force" 802.11n.

No, not to my understanding. With wifi/wave2 we're back to supporting legacy clients (e.g. 802.11a and 802.11b).

mkx

5745 Ceee is 80MHz channel #155 and 5885 eeeC is channel #175, so they are different But they're same freq range, right? My 3 clients are newish - a Samsung Note 20, a Framework Laptop, and a Surface Pro 9. No, they're adjacent 80MHz channels. 5745 Ceee spans from 5735 to 5815 MHz and 5885 eeeC spa...

mkx

Yes. Post config so we can see how exactly is device set up.

mkx

To see complete picture we are missing capsman config. Because cap config (obviously) doesn't say anything about VLANs used for wireless interfaces.

Also: which port on CRS112 is used to connect cap?

mkx

When UDP iperf3 test shows transmitter to fall lower than configured total bandwidth, this usually means bottleneck on the transmitter itself - that's the only place UDP throughput is throttled without packets being dropped.

mkx

High-level view on CRS will show: single vlan-enabled bridge all SFP+ ports (and ether1 port) will members of bridge with per-port vlan settings as needed (port connecting to CCR will be tagged-only, other ports might be untagged access ports for a particular VLAN with pvid set appropriately) bridge...

mkx

Why do both servers have to be in same VLAN? This complicates things a lot.

mkx

Mikrotik ones S+RJ10. Docs say they can use up to 30 Meters of cable ... Another caveat: due to required high Tx power, these modules tend to run quite hot (MT's own seems to be one of hottest) ... if cooling is not adequate (with most passively cooled devices, such as CRS309-1G-8S+IN, this is the ...

mkx

I don't think that there's a single ONU SFP module on the official list of compatible hardware . There are a few threads on this forum about using various GPON SFP modules with MT and mostly the gist of them is that things either don't work at all (with some rare exceptions) or are extremely tricky ...

mkx

My impression is that you're setting the "newest" standard, older than setting are then supported as well. E.g. if you set band=5ghz-n , AP will support 802.11a and 802.11n but will not support 802.11ac nor 802.11ax. To support all standards, set highest supported by AP hardware (i.e. 5ghz...

mkx

What are exact cable lengths used? Operation at 10Gbps requires significant amount of energy and nkt many RJ45 SFP+ modules are capable of transmitting at needed power. And cable category doesn't affect this much. Which SFP+ modules are you using? Support for different SFP modules in MT devices is f...

mkx

I'm also unsure about the difference between 5745 Ceee and 5885 eeeC. Aren't they essentially the same? From the channel list on wikipedia follows, that 5745 Ceee is 80MHz channel #155 and 5885 eeeC is channel #175, so they are different (in addition, channel #175 seems to be illegal to use anywher...

mkx

Do you have country propetly set to country which actually allows use of channel 13? USA and (AFAIK) Canada don't.

mkx

thank you for your reply. so if i create a vlan interface achored to bridge i use L3, so the cpu? no? Yes, in most setups involving VLAN interface (created under /interfacw/vlan ), vlan interfaces should be used exclusively to support L3 operations (routing, providing services such as DNS). Using v...

mkx

Since 7.13beta, your wAP ac is compatible with new wifi driver: https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-Compatibility Based on this great new feature can we also expect that in the not-so-distant future, we will be able to join wifiwave2 APs to the existing CAPsMAN that has legacy wire...

mkx

What I recommend is (besides generous use of SAFEMODE) is to take an unused port lets say 5 and take it OFF the bridge. And absolutely add it to LAN interface list in case one needs winbox MAC connectivity - default config limits this kind of connectivity to LAN interface list. If done this properl...

mkx

OK, so here goes another experience: ROS will use single core to deal with packets, belonging to same connection (either real TCP connection or "apparent" UDP connection). The reason being to avoid out-of-order packet delivery (which upsets some TCP stacks). On devices with larger number o...

mkx

Since 7.13beta, your wAP ac is compatible with new wifi driver: https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-Compatibility So try to upgrade wAP ac to 7.13beta2 (should go smooth since you are already on 7.12), uninstall wireless package (it becomes a separate package after upgrade), install...

mkx

The highest part of 5GHz spectrum was added to wifi spectrum fairly recently. Not all devices support it (either their hardware can not work with such high frequencies or their firmware was not updated with new channel layout and/or country regulatory limits). So as a rule of thumb: whenever clients...

mkx

There are two wireless drivers currently in use on mikrotik gear: wireless - legacy driver which was available already in v6 and is supported by all devices except for newest (AX) gear wifi / wifiwave2 - new driver which came with v7 and AX ger. Also supported by AC devices with ARM processor. Any *...

mkx

Other dumb question, ont the crs 309 it's better to set the ip for the lan on the bridge or an interface? There are interfaces (L3 entities, essentially anything carrying IP address) and there are ports (L2 entities). When something is set as member of bridge, it becomes a port. And it should not b...

mkx

Simply set all APs with same security settings. Those include SSID, authentication types and password. Beware that when wireless station roams between APs having same SSID, it expects that the new AP is member of same L2 network (ethernet). Which basically means that APs have to act as simple switch...

mkx

*) defconf - use device factory preset credentials when using CAPs mode;

This will make my life miserable :(

Why's that? defconf is just default config ... and one can change it as it fits.

mkx

It's a pretty well known fact that ROS internal bandwidth-test tool is pretty CPU-heavy (single CPU bound) and results of it are hardly representative for device which is actually running it. If you really want to assess the performance of your setup, you have to use external test probes (such as a ...

mkx

... but because he doesn't even know how to tie his shoes...

We desperately need AI-enabled shoes.

mkx

Have a good look at 5GHz channel list . As one can see, standard channel layout (including channel width) says that 5745 and 5805 at 80MHz wide channels overlap (as well), both are covering 80MHz channel number 155 (spanning between 5735 and 5815 MHz). So try to allow properly spread frequencies ......

mkx

It's a shame about the controller requirement. I wouldn't call that "a shame" ... multiple devices can not cooperate smoothly without being coordinated by some central entity. And the same is true for any WiFi vendor. Because there isn't a standard which would allow APs to signal necessar...

mkx

I don't see any IP setup on vlan10 interface on CCR ... you'll definitely need some if you want CCR to communicate with devices in that subnet (and you want if it's supposed to be gateway for that subnet).

mkx

Did you read through this tutorial? The setup you showed is a bit awkward (it's not recomended to use VLAN ID 1 for explicit setups).

And it's likely that the problem lies in CCR setup. Can you show that config?

mkx

If the problem starts to develop (from mild one to a more serious one) without any changes in configuration or software, then this likely means a hardware fault ... such as a crack in cold junction which is getting bigger due to thermally induced material ageing. And that kind of problem is hard to ...

mkx

defconf means Default Configuration ... which only gets applied when config is reset to factory default. This doesn't apply when upgrading ROS from one version to another.

mkx

People can agree to disagree.

I don't agree

mkx

The problem is that when I check the balance of the vcores from the “Profile” tool I see that there is always one that shoots up between 80 to 98% and the rest remain at an equal average between them. What kind of workload is going on when you see one vCPU load rise towards 100%? If you're, by any ...

mkx

What if at the end of custom chain there is no explicit return?

There's implicit return at the end of all custom chains.

mkx

The last paragraph of ChatGPT-generated text is, IMO, the crux of the whole ordeal.

Long live rextended!

mkx

Despite the fact that the AI's success is impressive, it is important to keep in mind that the AI can only combine [*] the knowledge it has gained during training. Don't think like that. Regarding GPT4, he can, for example, search for knowledge on the Internet, climbing into any online manuals and ...

mkx

My guess: it's your "test-script" setting (it's very probably needless). According to netwatch docs , the netwatch service itself already does ping test by default and test-script property defines additional test to be run after the probe (simple ICMP by default) already finishes. Since /p...

mkx

Guess they need to update the page...

Probably they will, when the 7.13 gets released as stable.

mkx

New capsman doesn't support manager forwarding mode (yet) and hence the cap interfaces are not seen on capsman bridge. BTW: I'm not sure (I don't have wireless-less arm device at hand), but according to what MT staff wrote, you don't need wifi-qcom-ac installed, that package only includes hardware d...

mkx

I don't think you can. And even if it's possible, this doesn't guarantee to really get vanilla setup, sometimes some settings escape all the reset hooks. Netinstall is the only way where reset is guaranteed (it formats flash and installs ROS from scratch).

mkx

... still the adress lists exist in the flash memory, like theyre not being deleted at all. When flash is almost full, it's not possible to remove part of config (it seems that ROS wants to save a copy of new config before deleting old and it fails to do so). So this situation is unrecoverable, net...

mkx

Posted export says wireless interfaces are managed by capsman. So I don't see where seems to be the problem?

mkx

Router doesn't have anything to do with the way any wireless distribution system installed. If a particular mesh system requires a centeal controller (to keep it together), then that controller has to run somewhere. Indeed many vendors (mikrotik included) forsee running controller on a router, but i...

mkx

I suspect it has to do something with ROS update to 7.12

Each new ROS versions use ever increasing amount if permanent storage ....

mkx

@mkx, I think you missed what I meant by without FastTrack . Indeed I missed the fact you intentionally disabled fasttrack. BTW, if you only need to apply queues to a portion of traffic, then you can craft fasttrack rule so that it doesn't fasttrack traffic which has to be subject to queues (or add...

mkx

Try to sniff DHCP traffic to see actual hanshake ... I guess that final DHCP ACK comes back from repeater's MAC while MT expects to see client's MAC ... or the other way around. My guess is that repeater works similarly to station-bridge mode and that can cause all kinds of random problems, see mikr...

mkx

My suggestion: netibstall device with stable ROS (okd RSC probably means v6, so use 6.49.10), then configure it manually. Stick to defaults as much as possible and only use that RSC as reminder what was done ... but when implementing that part of functionality keep sticking to concepts of default co...

mkx

Failure to reboot is a sign that something went really wrong. Quite likely flash storage was full. And in such condition also creating backupis likely to fail. And backup is very probably incomplete and/or corrupt, so extracting config from it won't do much good. Morale of your story: relying on aut...

mkx

No, MIMO chains are part of same radio and can not be used individually.

Even devices with proper dual radios have to be used very carefully not to destroy the other radio's receivers if they are hardware-wise capable of running in same frequency spectrum.

mkx

https://en.wikipedia.org/wiki/Spanning_Tree_Protocol

mkx

A clarification question: how are configured ports which are used for the two connections between SW03 and SW02? Any special config (such as bonding) or nothing?

mkx

Check the "Design skin" if something got hidden ... skins are used both for webfix and winbox ...

mkx

The new driver doesn't care about VLAN tags, so it's critically important to attach wifi interfaces (master and slaves) to vlan-enabled bridge as ports with pvid set (or play games with ugly workarounds in case bridge is not vlan-enabled). But this rules out any fancy setups (such as VID set in acce...

mkx

I'm pretty sure address lists "work" immediately. There's another "gem" with regard to firewall: new drop rules only affect new connections. Already established connectiobs are not affected. Clearing connection tracking table does the job (but drops all the rest of established co...

mkx

While being impressed by AI success it's important to keep in mind that AI can only combine[*] knowledge it absorbed during training. The (perceived) quality of this combinatorial process does get better with newer AI generations (so yes, GPT5 will mostly give better answers than GPT4 does). But wha...

mkx

The way you describe ONT's expectations (XXX vlan as default, 201 as tagged) mostly means that vlan 200 (as identified in ONT and possibly on ONT's upstream interface) will come out on ONT downstream interface as untagged. So on CSS you could tag it (back) to any VLAN ID, but it's sensible to keep u...

mkx

All current Mikrotik devices are officially supported by ROS v7. And vice versa.

mkx

In the CAPsMAN setup, you have to set client-to-client-forwarding=yes (default is no) ... it's a datapath property.

mkx

Since your wireless setup consists of all Mikrotik devices, your slave should be configured to "station-bridge" mode ... pseudobridge has a heap of problems, missing DHCP assignments is one of them.

Read extensive article about different station modes and their problems.

mkx

It's an RB850Gx2 running ROS 6.47.9 Could be that the problems you're seeing are related to older version of either ROS or Winbox. The version of ROS you have on your device is pretty dated. It's fine to stay with v6, but you should upgrade it to latest v6, which is 6.49.10 ... And make sure you'er...

mkx

I didn't realize this forum is not monitored by mikrotik which is pretty unusual. Well, it is monitored, but loosely. We do see some MT staffers discussing here and there, but this forum is more or less intended for user to user interaction. It seems that MT wants bugs and issues officially logged ...

mkx

And you're seriously comparing GPT's ROS scripting skills with Rex? Oh my... we need more cats.

mkx

Winbox connectivity is configured under Tools>MAC Server ... and uses interface lists. Winbox visibility is configured under IP>Neighbors>Discovery Settings ... and again uses interface lists. Default setup uses two interface lists: WAN and LAN, by dedsult ether1 is member of WAN and bridge (includi...

mkx

For a, quote: "For a fly by night DYI", gear with youtube tutorials, provided by vendor and with actors speaking various dialects[*], is the best choice. With anything else, one is on his own. Umm, wait a minute, isn't this a part of DIY concept? Now I'm confused. [*] it would be unfair to...

mkx

Quite possibly yes. AFAIK RB-GPOE works both ways (also as "extractor"), but requires the PSE to work with passive PoE devices. CRS328 can be set to work with passive PoE clients when selected low voltage output (26V), which is great in this case. The only remaining detail is how to "...

mkx

Nobody is forcing to order a CD and pay for preparing it and shipping. How about that documentation? I am practically forced to waste time in rereading sentences multiple times while trying to clarify what the (obviously) non-English speaker meant through an ugly translation. Is that what customers...

mkx

My RB4011 has cores at 100% at less than 1 Gbps without FastTrack on v7 ... I have the opposite experience: my hAP ac2 was at 15-20% under v6 when doing 30Mbps (at the time I was using 30/5 VDSL), the same unit now is at 10% when doing 980Mbps (I have FO 1Gbps/100Mbps) on v7. Alas: I did netinstall...

mkx

Just beware: traditionally, ROS wasn't known for exploiting full USB capacity when working with USB flash sticks. So if a device supports USB3, this doesn't mean you will get 100MBps of file transfer rates (if USB flash disk can do it on normal computers), it might still be limited at some significa...

mkx

Just wondering... Both times this happened after a regular shutdown (/system/shutdown). Is there anything special now that breaks configuration?

Check storage space ... right before shutdown. If storage is full (or close to full), then this might be the reason for problems.

mkx

zandhaas use check for updates button and ignore the above ranting. nothing special has to be done. upgrade and forget ******************************************************** And it's true but then you have the "old" wifi package and not the qcom-ac package installed. Yes, that's a part ...

mkx

free storage space 304 KiB
How much free storage did you have on 7.12?

I posted pretty detailed observations about storage usage in my post #71 above.

mkx

RAM consumption is a dynamic thing ... and it starts from 0 after each reboot, so you should not worry about it too much. Unless your device crashes, like @sinisa observes. After all, until 7.12 wave2 driver, requirement was device with 256MB RAM. And I guess your hAP ac2 has 128MB ...

mkx

Beware of small antennae, usually antenna gain is inversely proportional to antenna size. An idea: since your problem is that device itself is inside metallic housing, why don't you re-use original antennae. only use cables of appropriate length? Depending on cable quality, additional loss is around...

mkx

The point of my question is that minimum power draw doesn't matter if device actually draws higher power significant portion of time ... as you explained your setup lacks heat dissipation, but you have to make sure that device doesn't overheat during expected (extended) periods of time with higher a...

mkx

The only way to get anything sent over PPPoE link is to have ISP to route it through. And since that traffic is actively routed via the PPPoE link towards you (ISP already configured their router to use your PPPoE link when sending the traffic for the new /29 address space), you don't have (and shou...

mkx

ChatGPT is as good at writing ROS scripts as with any other things: mostly it gets things done (surprisingly well), but sometimes it fails miserably ... the problem with ChatGPT failing is not that it's failing, the problem is that it doesn't admit that it cant provide a good result, instead it pres...

mkx

*) disk - fixed hang on reboot when network file systems mounted; That is interesting! Strods says 'Please remember that actual "bugs" must be reported to support@mikrotik.com complemented with logs, supout files, etc.' above. @pe1chl, do I understand you correctly that you're complaining...

mkx

... we require a smart LTE antenna ... What is your definition of word "smart" in this context? In UK smart means "having a clean, tidy, and stylish appearance" while in US smart means "intelligent, or able to think quickly or intelligently in difficult situations" ......

mkx

If one takes official test results with a pinch of salt, then RB4011 should be able of routing at roughly 2.5Gbps give or take. The number is approximately 10-times larger than the one of RB2011. I guess that your particular use case (200 1-to-1 NAT mappings) does mean somehow more complicated setup...

mkx

What I wrote above is my definition of idle device, for the purpose of measuring power consumption. Performance I need is full 1Gb routing with firewall, VPN and many many parallel connections. So what is your expected busy/idle ratio? If it's higher than 0.1 (or even less), then idle power consump...

mkx

If I create a backup now, it's gone again after a reboot. It seems that you're not aware of one fact: on devices with flash storage equal or less than 64MB (I think that's the magic size, could be 32MB), the root of file structure resides on RAM disk and the (raminder of) permanent flash storage is...

mkx

Then, I loaded my configuration, which is only 1 MB in size Configuration 1MB in size is not "only", it's huge for a 16MB flash device IMO. My hAP ac2 config, while device was running ROS v6, contained two country address lists (both for IPv4 and IPv6, so this actually makes 4 decently si...

mkx

If you're not able to decide which public IP address you're supposed to use, then I wonder if you have skills and information needed for the task you have to do?

mkx

While waiting for a comment from MikroTik engineers, ...

If you're serious about getting a comment from MT, then you better open a support ticket with them ... using official support channels, this forum is not one of those.

mkx

However, when users follow the official doc and at the end the cofiguration is not working, it can get frustrating. In the MT official doc, pihole container is only mentioned as an example of how to build a container. It doesn't touch the workings of the container contents at all ... so I don't see...

mkx

*) - idle is defined as: configured and working device, few registered devices (wifi), small traffic (up to 1Mbit).

How comes that RB2011 doesn't have enough performance for what you wrote above?

mkx

Isn't it the other way around (enabling TX flow control does the signaling)? My bad. But the point is: you need both flow controls enabled on both sides of a link or else it doesn't work. Now, in your particular case: you're saying there are Tx pauses on CCS610 but no Rx pauses on conected CRS310 p...

mkx

RouterBoards are far from SDRs. RouterOS is a closed source OS which only runs drivers made and approved by Mikrotik.

Therefore I'm guessing that you'll have to forget about Mikrotik for your science project.

Search found 11027 matches