MikroTik

mkx

It seems like a genuine bug. I suggest you to do the following: leave one of devices at 7.12.1 upgrade the other one (from working setup with 7.12.1) to 7.13rc2 take supout.rif file on both devices open ticket with support (either via servicedesk web page or via e-mail to support@mikrotik.com) and p...

mkx

@Mohamed, an off-topic question if I may: does life in Dubai differ from the usual one in any way due to COP28 meeting going on right now?

mkx

https://mikrotik.com/consultants

Damn, saw this post too late.

mkx

# socat -T 600 UDP4-LISTEN:51515,reuseaddr,fork UDP4:xx.xx.xx.xx:51515 Isn't this what NAT does? With "hairpin" part added? Something like this: /ip/firewall/nat add chain=dstnat action=dst-nat protocol=udp dst-port=51515 to-addresses=xx.xx.xx.xx add chain=srcnat action=masquerade protoco...

mkx

No, static lease is in DHCP server menu. ARP menu is best to be left alone, in principle any IP interface (e.g. bridge interface) learns MAC and IP mapping as it communicates with device. There are special cases when manual ARP table manipulation makes sense, but your case IMO isn't one. And if ther...

mkx

Disable DHCP client on Draytek.

Or keep it enabled, unset the static address and make lease for Drytek on MT a static one (after it's made static, it0s possible to change its properties, such as IP address offered).

mkx

If you properly configure routing on existing routers (and it may be necessary to slightly tweak firewall settings), then no NAT is necessary. N1 devices will (explicitly) target N2 addresses and main router will know to use hAP ac2 as next hop device. And vice-versa from N2 towards N1. If it turns ...

mkx

If that's the only device misbehaving, then the problem lies within that device. It's hard to tell if that device is misconfigured or it's an interworking between that device and MT's DHCP server or it's device plain buggy ...

You may try to make DHCP lease for that device static ... it might help.

mkx

Yes, it can be done. But there are a few things to be done also on your existing routers. However, the whole thing has a lot to do with general networking (you're supposed to know before attempting the task at hand) and very little with ROS specifics. This will sound rude, but MT forum IMO is not th...

mkx

Did you upgrade routerboot as well? (/system/routerboard/ ... print and upgrade)

mkx

Do you have any device in LAN which is configured to do proxy-arp? It can be any device: router, switch, AP ... even an ordinary PC.

mkx

I wasn't suggesting to place npk file to flash space, I was explaining why installation of additional package fails (because installed stuff goes to flash space).

In blunt words: don't even think of installing anything beyond basic stuff on hAP ac2, its flash is simply to small.

mkx

CCR1072 doesn't have a switch chip. So from performance point of view there are two ways of doing it, the quick (and possibly troublesome) and the correct. The quick would be to create two vlan interfaces with vlan-id=10, anchored to sfpplus1 and sfpplus2 respectively. Then create bridge and add the...

mkx

If your browsing PC is in same IP subnet as actual server (IP address on router, used as NAT intermediate, doesn't matter), then you have to implement hairpin NAT. Either use official docs or search this forum to get an idea of what and how.

mkx

You can definitely isolate traffic between RB4011 and ZTE from the rest of traffic by using VLANs. However this is separate issue from puting ZTE into bridge (as you surely realize yourself). Ideally you'll do both and achieve nice failover to 5G. How to configure VLANs? Each of your device types (R...

mkx

The relevance of my previous question: if winbox would change its host's routing, your PC would access internet via Sim LAN breakout and you're saying this doesn't use LTE ... so I'm assuming it doesn't spend your LTE quota. On the other hand I'm 99.99% sure winbox doesn't change router's gateway (u...

mkx

And how is the IPsec gateway connected to sim net? Does IPsec client (PC) use LTE to reach to internet? Thete's another fact about winbox, which might affect the traffic you're seeing: winbox is (constantly) polling connected ROS device, the more open windows the larger data (it's polling stats data...

mkx

I don't think that winbox itself changes anything on PC's networking settings. But since network settings have to be already done for winbox to connect[*], it could be that those engineers do set up things too dilligently. [*] For MAC connectivity, actual IP address set on PC doesn't matter. So it's...

mkx

The last time I checked (i.e. right now), ups support was a part of optional package aptly named ups (e.g. ups-7.13rc2-arm.npk).

mkx

Yes, wifi drivers lack lots of monitoring data. This was a trend even with legacy wireless driver beginning with ac radio chipsets. And it's getting worse without prospect of getting better. You may want to open a ticket with support (use e-mail / support portal). And keep us posted with any replies...

mkx

So it seems that you need two APs. And proper roaming will only work if both are running wave2/wifi drivers and capsman is in the mix. What would be the cheapest dual band AP that supports the upcoming wifi driver? RBD52G? I don't recomend any of devices with only 16MB of flash (hAP ac2 and cAP ac ...

mkx

It depends which CCR exactly we're talking about ... in particular, does it have a (capable) switch chip built in or not. So which one is it?

mkx

You can ignore SSIDs with signal strength lower by 30dB or more than the "wanted" SSID. E.g. if your "wanted" SSID is received at -35dBm, then any SSID on same channel with signal strength lower than -65dBm should not matter much. If there are many interferers, then their cumulat...

mkx

How's Tx power set up?

Antenna connection seems fine or else there would be a problem also in reverse direction (antenna works same in both directions).

mkx

Product page of RB912UAG-5HPnD-OUT starts with

The RB912 in an outdoor enclosure

Which means that apart from case there's no difference.

mkx

... client cannot reach the C53UiG AP from that spot. I literally make 3 steps into the room and iperf drops from 150Mbit/s to 1Mbit/s. IMO this ultimately rules out any (major) issues with AP setup and points at physical environment issues. Physics is a very stubborn bitch, if something can't be d...

mkx

What you see in wifi menu is only usable for CAPsMAN but not local ... as you did not replace wireless driver with the new wifi-qcom-ac (in system->packages menu).

mkx

These Tx drops are only a problem if you perceive them as such

No, they are not due to firewall, if firewall drops packets, they are counted by acting rule counters.

mkx

Depends on what you mean by "no interfaces are being reused". Basic fact: each port can only be untagged for a single VLAN. Each port can be member of multiple VLANs but at most one can be untagged, other have to be tagged. Which means that connected equipment (switch, AP, computer) has to...

mkx

I removed my restrictions on Tx-Power from 5Ghz and disabled 2.4Ghz for now. You may want to troubleshoot the 2.4GHz issues (make SSID different so that devices, not being part of troubleshooting, won't roam to it), you should be able to get at least a few tens of megabits on 2.4 band. Unless the c...

mkx

Is it meaningful to use CAPsMAN to manage APs (2.4 and 5) on the same and only device? I assume that 802.11r's ft-over-ds won't work otherwise. If there's only single (dual-radio) device in scenario, then using capsman doesn't help in any way. If you configure those radios locally, they will be con...

mkx

You're right, it doesn't seem to be "detect internet". You may want to post (again) (complete) config of your CRS ... we might be able to spot some other suspect of doing that ... Sometimes, after extensive configuration changes, things may go out of sync and actual running setup is not wh...

mkx

Yes, I've tried that. For some reason it's not doing what, at least I'd, expect it to do. Ah, the route is dynamic, so you can't remove it. The question then is what does add it? My suspicion is on "detect internet", check if it's enabled and set its interface list to "none".

mkx

Isn't the new smaller wave2 driver in 7.13 available for this model ?

It is. But on its 16MB flash is a really tight squeeze and config's gotta be really trivial not to completely fill the remaining space which then causes random problems.

mkx

The first line should be removed. Try this procedure (done via CLI): go into /ip/route execute command "print" note the index number of the offending route entry. Index number is the number in first column and very lijely tge offending entry will have index numver equal to 0 execute "...

mkx

Check the MAC addresses, they are explicitly set on bridge and kguest slave wlan and tgey are set to same value. I'd set them to different values. And also verify these are not the same as MAC address of any of other interfaces. In particular, wireless interface MAC addresses of master and all slave...

mkx

Why do I have a router with Gibit ports if he is not able to rout in GBits speed with a simple fasttrack rule? Router/switch combo. Let's say you're one of deprivileged folks with xDSL broadband line, which supports something less than 100Mbps of data rate, so capacity of routing at a few hundred M...

mkx

5% free space after netinstall is risky... Couldn't agree more. As I wrote elsewhere, my hAP ac2 with wifi-qcom-ac was left with perhaps 200kB free flash after installation of said package. I'm using it as the household's main router, but nothing fancy. After a few days (around 4 days to be exact) ...

mkx

As the comment says, DHCP server can not run on slave interface. In this case slave interface is kguest and it's slave of bridge. It's properly configured as sccess port of v,an 20. So "master" interface for vlan 20 is now interface bridge1.20 and you should bind DHCP server to that interf...

mkx

In default route setting, you have to set dst-address=0.0.0/0 (currently it's set to empty string which is no good).

mkx

Just noticed this IPv6 firewall filter entry (the last one): add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN and I couldn't see command that adds your VLAN17 interface to LAN interface list ... if that's indeed so, then this ...

mkx

Another thing to check: /ipv6/setttings/print ... forward setting should be set to "yes" Regarding DNS servers: it's not critical to tell clients about IPv6 addresses of DNS servers, but it's good to do it. It's been a while since I verified my setup, but I think that setting IPv6 address ...

mkx

Since you're ignoring request to show capsman config, we'll ignore your "up!" requests.

mkx

/ipv6 address add address=2001:470: 1f1c:73c::2 /64 advertise=no comment="Hurricane Assigned" interface=sit1 Just like in IPv4 also IPv6 addresses need to be accompanied with apropriate prefix length to indicate which address space is available as directly connected subnet via certain int...

mkx

I don't have any device with proper serial port so I don't know what exactly is possible. If I'm not much mistaken it is possible to upgrade routerboot via serial console, but a) you have to have appropriate fwf file ready (possible to get but not trivial) and b) use terminal client on your PC which...

mkx

ROS v7.13 (currently rc2) unbundles wifi drivers and it's possible to run hAP ac2 wireless-less. This makes flash storage around 3MB less occupied.

mkx

When mixing AP and station mode on single radio, keep in mind that station has to follow AP regarding channel and bandwidth used. Which means it's easier to get things right if physical interface acts as station and virtual one then acts as AP. Beware that the virtual AP will work on exactly same ra...

mkx

Well ... it's not ROS kicking device, it's device which doesn't want to stick to MT (it's device which does disconnect). It might be that MT sends some roaming info which device doesn't like. Hard to tell. Are you 100% sure that both radios provide actual network connectivity? If device roams to 2.4...

mkx

If you're fine with single ping, then run "/ping count=1 1.1.1.1" and you'll get instant response.

mkx

No, not really. Things don't work nicely if IP subnets don't overlap with L2 segments. In your case you have 192.168.89.0/24 on VLAN and it'll be major PITA to have one of these IP addresses on your main (tagless) network. If you can somehow plug the IKEA device directly to one ether port of hAP ax3...

mkx

G.hn standardizes different physical media, coax is one of them. When I was looking for a solution for my parents' house, I settled for MoCA (the 2.5 Gbps variety) simply because of better availability - ethernet over coax is not really popular around here because cable TV wasn't a huge thing (befor...

mkx

Basic functionality of woobm has nothing to do with drivers on ROS device. In principle it acts as AP itsrlf, one uses a wifi device to connect to it and then use web browser to open woobm pages. One of features, available on woobm's web page, is terminal window. My favourite conspiracy theory about...

mkx

I don't think wifi driver repartitioning will help with meshing+WPA3 in any way.

mkx

Since it's new device for you (and I'm guessing that your family's happiness doesn't depend on it yet), I suggest you to bite the bullet and (net)install 7.13rc on it. This version (finally) allows running modern wireless driver, which really unleashes full potential of this little gem. Absolutely u...

mkx

It has to do with backup way into ROS device ... just as much as your suggestion about dedicated off-bridge ether port.

mkx

Logs can be stored on USB disk. Userman database can be stored on USB disk. Exports can be stored on USB disk. Upgrade packages for upgrades via capsman can be stored on USB disk. However: ROS (basic bundle and any optional packages) can only be installed on flash storage and configuration can only ...

mkx

Even (... shivers... ) powerline can be an option ?

Or, if coax is available, MoCA or G.hn (the former is more popular in NA, the later slightly more in Europe).

mkx

Something from 60GHz product family.

Or dig a trench and install SM fiber, so you can extend the fiber link to the place where you'd like to use it.

mkx

Can you get in if you connect PC directly to LHGG (and not via router)?

mkx

Please stop spamming threads with WOOMB usb ...............

Why do you consider those posts as spam? Woobm is MT's own product and works quite well (if device is alive enough to enable console on USB port).

mkx

Available now in 7.12beta1!
user ed25519 keys are in 7.12?

Yes.

mkx

The router has console over serial port ... you can connect and see what it says when rebooting. Did you upgrade routerboot (equal to BIOS/UEFI on PCs) recently? Older routerboots can have hard time to boot recent ROS versions. And netinstall doesn't upgrade routerboot, you have to do it from runnin...

mkx

On devices with tiny flash (less than 64MB IIRC), the downloaded npk files are temporarily stored on RAM disk. Storing them on USB flash won't help. However ROS installed packages go directly on main flash and no other installation option is supported. When upgrading, ROS installer knows that files ...

mkx

If netis-thingie supports VLANs then no problem. But quick view tells me that it likely doesn't.

mkx

Does a good hardware reset help? E.g. unplug SFP module and plug it back after a minute or so. Ditto for router: shut it down and unplug power. After a minute or so boot it back. The idea being that changing SFP operation mode might get unnoticed by the other end of SFP link leading to loss of link....

mkx

Probably because of wifiwave2 package, yes. I think so as well. When wifiwave2 package is installed on audience, it allways boots with eror message about an error in configuration script. While it seems to be benign after device is fully configured, it might upset quickset to the point where quicks...

mkx

Nope, there isn't one "from factory". You could build one by using a 3xminiPCIe wifi cards. But beware of using two wireless cards operating in same frequency band without utilizing proper (hardware) antenna filters, both cards have ability to mutually destroy receivers. Audience is done p...

mkx

I guess that in a typical active/active scenario it would be best to configure both/all DHCP servers with same address pool. So when a client tries to renew an IP address, it'll be fine with any of servers. Even if previous lease was handled by another DHCP server, the current one will most likely A...

mkx

Also the network under dhcp-server for the iot interface has a wrong subnet mask config How you know that? how to fix that? In the config shown in post #10 above you have netmask=2 in dhcp-server network section for IoT ... set it to 24. You might also add the iot interface as a LAN inside interfac...

mkx

Yes, RB4011, having two switch chips, can run two bridges, both HW offloaded. But: each bridge has to span ethernet ports which are actually connected to same switch chip (i.e. ether1-5 on bridge1 and ether6-10 on bridge2). Snd other mixing will hamper HW offload (because HW offload only works for t...

mkx

In plain english: you can use same security profile for both capsman provisioning and for local device. You can use the rest of profiles in both places as well if they apply unaltered (datapath, channel, what not). The config is actually shared between local manually provisioned wireless interfaces ...

mkx

The whole ordeal depends very much on how things are physically connected and how's router set-up. Bridge is s switch-like entity and won't block traffic passing between diferent ports (that includes RAs).

So show us actual layout and actual config of your device.

mkx

Routing performance vastly depends on configuration. Each device has official benchmark results published as part of product page, hEX's are here . The most optimistic reading says that hEX is capable of routing at almost 2Gbps (not via a single pair of 1Gbps lines obviously, tests are done using al...

mkx

All Mikrotik wireless devices can be used as full-featured routers (but their capacity varies). On all Mikrotik wireless devices it's possible to dissable (=switch off) wireless part. Since that's done in software, you generally have chicken-egg problem: you need wireless enabled before you can conn...

mkx

Clients should stick with one DHCP server for renewal, once served by one of the DHCP servers. The other DHCP server should not NACK the address if not in his pool. I agree with first half if quoted text. Clients know which DHCP server handed out the lease so they could tey to renew the lease using...

mkx

I guess you're hitting the CPU ceiling here. While running tests, run CPU profiler, likely one of CPU cores will be at 100%. And I can imagine that wireguard handling might be tied to single CPU core for a few good reasons.

mkx

... you can import chuncks of config via the TERMINAL CLI window. And all of that while observing the CLI feedback and ptoperly react to it. Some ROS versions export config in a slightly wrong order (settings referring to items only defined in later commands), recent ROS versions are better in this...

mkx

Is the replacement device exactly the same type as was the dead one? Binary backups (backup/redtore type) are intended for exactly same device and work with same type (some device specific stuff is in backups, e.g. MAC addresses ... these are not vital if original device doesn't appear working in sa...

mkx

Have a look at VLAN on mikrotik tutorial, in particular switch with a separate router section.

If that doesn't help, then post config of both involved devices for review.

mkx

If you had properly separated WAN from LAN, then parent wouldn't be able to see any of your LAN (it would have to be behind a NAT). Hiding parent's LAN (your direct WAN) is a bit trickier, but with propervseparation of WAN and LAN on your router it shouldn't be a problem. What exactly to do? Due to ...

mkx

There are different ways of doing it, but the proper (and extensible and future-proof) way is by setting up VLAN-enabled bridge on CCR. Have a look at this tutorial on how to do it properly. There are a few use cases explained, I don't think yours is directly one of them (some concepts of switch app...

mkx

The phones are plugged to non-manageable switches, these switches are plugged to VLAN 30 ports of an edge manageable switch. I will play around with it on monday, but any idea would help :) As long as ports on edge managed switches are set as access ports[*], it should work fine. [*] In Mikrotik pa...

mkx

I have CAPsMAN running on AX^3 successfully managing three AX^2 CAPs. However, when I attempt to use CAPsMAN to manage the AX^3's CAP, there is no signal. Officially CAPsMAN can not manage local wireless. Since wave2/wifi for local configuration uses same configuration subtree as CAPsMAN, it's no n...

mkx

The error (perhaps worded slightly differently) is there for any ac device if wave2/wifi driver is installed instead of default wireless (e.g. wifiwave2 on audience). It had been reported numerous times, @rextended also pointed out exact location and proposed a solution. MT devs chose to ignore the ...

mkx

I've no idea about exact radiation patterns of those sticks. I have a suggestion: cut it to half (both along the long axis and perpendicular), take a few good photos and post them here. Then we'll start to guess about possible radiation patterns :wink: Without that, my guess is that the only orienta...

mkx

Think of AP if it was a switch and each connected station connected to separate switch port. And additional uplink port (which is wifi interface, usually connected to device's bridge). This "AP switch" is implemented in wireless driver. When default-forwarding is enabled, then "AP swi...

mkx

When setting up IPv6, one usually sets a proper (i.e. not a link-local) IPv6 address to individual interfaces. When VLANs are in the mix, this means assigning IPv6 address to vlan interface. And MT router will, by default, send out router advertisements on interfaces with proper IPv6 address. So if ...

mkx

When mentioning ether1 I meant config you have. Having it as bridge port of main-bridge in principle includes tagged traffic as well, even though you have the vlan interface attached to ether1 port. If you had vlan filtering enabled, then you could filter tagged frames from entering main-bridge, but...

mkx

Have a look at the excelent tutorial on how to do VLANs on Routeros, in particular Router on a Stick section . Switch has to be configured appropriately as well. If fiber modem works as untagged device, then configure switch port connecting it with "default vlan id" (or PVID) so that switc...

mkx

The VLAN setup is funky. You really should be using single bridge, have a look at this tutorial. In particular, use of ether1 (interconnect interface) is not fine.

mkx

DFS, a.k.a radar detection. On certain channels AP is required to listen full 10 minutes before it can start to transmit.

mkx

Increasing antenna gain and decreasing Tx power has same end effect. Normis explained in a post a few years ago (I can't find a reference, but I remember the contents very well) that wifi radio chooses actual Tx power to be the lowest of these values: country EIRP limitation less antenna gain Tx pow...

mkx

Actual loss happens on mikrotik ... packet somehow arrives at port Tx queue (another name for FIFO buffer) where it's discarded. So it's never attempted to pass to SFP and SFP knows nothing about it (not even that it was dropped). PPPoE is, in this case, payload of discarded packet. PPPoE interface ...

mkx

In that case, I'm affraid you're screwed.

mkx

Create 3 bridges, one for each LAN ad assigne ethernet port to each bridge. Configure 2 port as trunk for VLANS Use Wireguard to access my BR2 from everywhere If it is possible, configure the router as VPN Client I would like to connect the Cisco switch to the router using SFP or Ethernet Port usin...

mkx

Tx queue drops mean drops caused by Tx buffer being full because port could not transmit frames fast enough to keep the pace with rate of frames being queued for transmission. This kind of errors is not due to state of physical link and thus receiver (in this case it's SFP) can not see any sign of ...

mkx

The problem when creating firewall rules is that one needs to know exactly what traffic is expected - which combinations of remote_ip/remote_port will be used for connections. For windows defender tash is much easier as it can be configured to allow certain executable to open communiaction ports (an...

mkx

But I can't find out what the port "switch1-cpu" is for and when should I add it to a vlan or not? It's the window through which ROS (running on CPU) can communicate with (V)LANs handled by switch chip. On ROS side, that's bridge interface in your current config. On a typical switch you n...

mkx

For your goal, you need to enable "Ingress Filtering" on every port you want (not just the bridge's interface itself). With that enabled, an ingressing frame is checked against its VID and if the port is member of this VID. If no tag is there, the PVID is checked against. If the port is n...

mkx

A question: which switch model exactly are you using? There's no such thing as CS108 ... it might be CRS109 or RCS309 ... and these two need to be configured in different way to get wirespeed switching ... But in neither case it should be necessay to mix configuration in both /interface/bridge subtr...

mkx

Just a word of caution: 80+80 is not the same as 160. And if I'm not much mistaken, ax2 doesn't support any of these variants.

mkx

Much more readable configuration is shown using command "export" ... only rarely some things are missing (such as dynamic addresses, etc.). Please provide those exports.

mkx

Exactly for reasons I'm mentioning (the device-specific bits) you can't get a complete .bin file, that would mean cloning a device and that's not good (not only because of cloning license, there are other, more technical, issues involved). I suggest you to get in touch with support, they might be ab...

mkx

My goal is to reduce power for 5Ghz roaming, so that far away devices stay connected to 2.4Ghz instead of going back and forth. I don't think this will solve the ping-pong problem ... it'll just move it closer to AP (or even prompt brain-dead stations to remain on 2.4GHz even when really close to A...

mkx

It's a calculation: EIRP (which is Tx power + antenna gain) must not exceed country limitations. hAP ax3 on 5GHz has Tx power anywhere between 20dBm and 28dBm (depending on radio symbol rate). If talking about fastest rates, where lowest Tx power can be used (20dBm), and when using channels without ...

mkx

So my understanding is this should work when using a bridge that has been already attached to a VLAN? Depends how you deal with VLANs on bridge. Essentially: if you have bridge with VLAN filtering enabled, then currently the only option si to (manually?) add wifi interface to bridge as port with PV...

mkx

I can upload certificate but connection can't establish correct ... I'd say that it has something to do with key type, used in certificate. ROS v6 is pretty outdated with regard to support of security features (encryption protocols, key types, etc.) and it could be that recent windows servers depre...

mkx

Your hEX should be able to route at 100Mbps (it ma peak at around 300Mbps). But that's true with optimal config. With non-optimal config, it's routing capacity can drop to any number and it's impossible to say why in your particular case it can't reach 100Mbps. There's additional gotcha: the mention...

mkx

I think you really should communicate about this directly with support of Mikrotik (e.g. via email support@mikrotik.com). Your issue is a ROS intrinsic, forum users can't help you with it and MT staffers don't necessarily visit all the forum threads, so they will likely miss your post/question.

mkx

Mikrotik is a L3/L4 firewall. It has some L7 functionality, but that doesn't work at all if connection is encrypted (and modern web browsing uses https, so it's encrypted). Ergo, your request can not be fulfilled on Mikrotik firewall. You really should try to implement this kind of security on appli...

mkx

I don't know if it's possible to actually see the custom init script. However, the way export command works is it shows differences between current config and default. So a test would be to reset such unit to defaults (which includes custom init script) and create an export. If such export contains ...

mkx

I still cannot get VLANs working for hAP Ac2 and virtual access points for v7.13beta. Yup, it's documented behaviour. See new WiFi manual under "Replacing 'wireless' package" -> "Lost features" here are quite a few of us hoping that this feature will come back (or rather, will b...

mkx

Where exactly does it break? Is it upload phase or certificate import phase? Describe how exactly are you doing the failing phase.

And a suggestion: upgrade ROS to latest long-term version (6.49.10).

mkx

I believe that fwf file is in a kind of proprietary pseudo-flash file. The flash uploader (built in ROS) probably interprets that and writes it to flash the way it should be done. So those fwf files are not usable for generic flash writers. One thing that ROS updater definitely does is it avoids fla...

mkx

I think it will. Because incompatibility is between wireless and wave2/wifi drivers. And it's (indirectly) documented in Replacing wireless package section of new wifi manual. The 7.13 wifi driver is renamed (and enhanced) wifiwave2 driver from earlier v7, so it's compatible with it (to extent of fu...

mkx

Tx queue drops mean drops caused by Tx buffer being full because port could not transmit frames fast enough to keep the pace with rate of frames being queued for transmission. This kind of errors is not due to state of physical link and thus receiver (in this case it's SFP) can not see any sign of t...

mkx

Divide the number 3 subsequent times by 1024, a bit of free mental training :) Now days every disk manufacturer uses decimal "human readable" prefixes ... it makes "human readable" number higher (roughly by 7.4% when talking about Giga bytes). And in modern times there are even ...

mkx

Config says you're using legacy wireless driver on hAP ac2 ... upgrade that device to 7.13beta, it allows you to use wifi-qcom-ac driver (essentially wifiwave2, but slimmed to fit on hAP ac2). I know that using station-bridge mode between station and AP which don't run same generation of wireless dr...

mkx

And, damn it, I just realized that this is not an AX model so wifiwave2.npk is not needed at all.

wifiwave2 (up and including 7.12.1) is known no emit (spurious?) error message about default config.

Chateau 5G doesn't require wifiwave2 package, but will surely benefit from it. I'd put it back.

mkx

And, freezing temperatures, such as -32°C?
I think the chip will make it hot enough to withstand low temperatures.

If power accidentally fails during low temperature periods, then device will freeze to death. Literally.

But I agree on high temperature issues being more probable.

mkx

I have hard time understanding what exactly is the issue? And how exactly things are connected together? Is nginx-proxy-manager in the same subnet as internal hosts?

mkx

I just had a look at config of appr1-dsw1, I'll assume the rest suffer from same errors. Here's a brief list of things done wrong: no need for multiple bridges (MGMT is on different bridge, which doesn't have any access towards the rest of network) no PVID setting for access ports there's no need fo...

mkx

What's not correct by displaying exact size in bytes instead of some rounded multiple?

One thing is your request for option to have size displayed in MB / GB / TB, another thing is claim that CLI current behaviour is not correct.

mkx

Still getting CRL fetch failed: http error: Network unreachable for: http://x1.c.lencr.org/ It's not ROS problem, it's web site problem: $ telnet x1.c.lencr.org 80 Trying 23.205.191.135... Connected to e8652.dscx.akamaiedge.net. Escape character is '^]'. HEAD / HTTP/1.0 HTTP/1.0 400 Bad Request Ser...

mkx

@riy: what's wrong with instructions in post #5 above?

mkx

Oh, since when does this minor detail matter? I thought that turning off LEDs is THE thing and the rest doesn't matter? I used to keep a RB951G inside a hard-wood (oak) under-TV cabinet and wireless worked just fine in the same room with cabinet doors closed (signal strength around -60dBm at my chai...

mkx

Closing cabinet door dims all leds (front and back) in a quickly-reversible way.

mkx

In such case, I'd be curious to see output of /interface/wifiwave2/actual-configuration/print detail ... specifically channel.width . I wouldn't drop dead if actual channel width would turn out to be less than configured in order to avoid radar detected on the lower channel. The thing is that AP is ...

mkx

Since ROS v7.12, ssh keys of type ed25519 are fine. Recent OpenSSH versions deprecated whole RSA algorithm family. And IMO enabling it is not necessarily a bad thing (if it was such a bad thing, it wouldn't be supported any more) if one uses it only to connect specific remote hosts (i.e. use actual ...

mkx

Close the cabinet door?

mkx

As mentioned the only other way I can think of is creating a VLAN interface at the Switch end of the trunk for the management VLAN and sticking a DHCP client on that. Nope. Since trunk port is member of bridge, then any other business with that port is strictly off limits. Instead you should config...

mkx

On hAP ac2? I'd say it only depends on Tx power setting. Both radios are run by same wireless chip inside same SoC. Due to lower free.air loss in lower frequencies I'd expect slightly better coverage of 2.4GHz radio, so you might be able to reduce Tx power slighly and still get same coverage. By all...

mkx

I looking for a CRS326-24S+2Q+RM Bootloader (FWF file)

It's included in each ROS system package file ... after ROS is installed, FWF file is available to upgrade routerboot.

Why do you want the file explicitly?

mkx

Hard to verify (I'm beyond 6.x since ages), but it could be that 7.11.2 has slightly smaller footprint than 6.4x (you're starting from) so there's more space for whatever temporary files ROS needs to overwrite itself.

mkx

In my working case, ISP is giving out (dynamic, but doesn't matter much) /56 prefixes via DHCPv6 prefix delegation. The I'm using /64 address for LAN interface and none for WAN interface (routing is done using link-local addresses). DHCPv6 client automatically adds route such as this: Flags: X - dis...

mkx

You need SFP+ modules for both sides (SFP without + only goes up to 1Gbps). You have a choice of using either ethernet cable (UTP cat7) or fiber optics (either multimode or singlemode would do), but ethernet is limited to 30m/90ft and even on shorter distances it tends to downrate link (2.5Gbps woul...

mkx

Have a look at Back To Home, it might help in your case. I'm just not sure if hAP ac lite is supported (already), additional architectures got supported with latest stable releases of ROS.

mkx

But my configuration can't have fast track If you really can't enable fasttrack, then RB3011 won't be much better. My hAP ac2 (a slightly better performer than RB3011 if one can trust official test results) can route at 1Gbps with fasttrack (with CPU cycles to spare) but only around 350Mbps without...

mkx

But the same specs page you linked above lists 128MB ... hmm. You ok? I bought over 100 of them and they were all 256MB! hAP ac2 (I believe it's almost identical inside apart from number of ether ports) has officially 128MB RAM. However, some early batches came with 256MB RAM (I happen to have one ...

mkx

Whenever AP decides to use some DFC channel, it has to do the listening (some channels 2 minute, some 10 minutes). Only if AP doesn't detect anything remotely similar to radar it can start using it. If it later detects anything remotely similar to radar, it has to stop transmiting at once and enter ...

mkx

I'm saying that wifiwave2 (and its successor wifi) is under active development. Some config options might exist, but the functionality is yet to come (doesn't happen often, but can happen), options might still exist but functionality is getting deprecated ... or options exist, but the way they affec...

mkx

There might be brain-dead network gear (managed switches, APs) which support VLANs but not for management access. For those one has to use hybrid ports inside LAN infrastructure. However, many (if not most) support using a dedicated VLAN for management access ... and that allows to get rid of untagg...

mkx

There are two, incompatible, versions of CAPsMAN used currently: legacy capsman which can control cAPs running legacy wireless driver and new capsman which can control newer wave2wifi devices. The ones you're mentioning in your post (hAP ac2, hAP ac3, hAP ax2) are all capable of running new wave2/wi...

mkx

Is it the same if I connect from the sfp port? Yes, all ports are connected to switch chip, that one in turn is connected to CPU (doesn't matter that both main parts are in same SoC). https://i.mt.lv/cdn/product_files/CRS112-151027100733_151033.png But your main problem is not device topology, the ...

mkx

If the existing setting gets ignored, what good is it then? Let's be patient and see what 7.13 stable brings us, shall we?

mkx

hAP config has nothing about VLANs so according to config, it should not touch tags at all. I'd netinstall hAP ac2 to be 100% sure it's really VLAN-free (it seems that occasionally the internal configuration database gets out of sync with visible configuration and proper reset clears it ... reset to...

mkx

The reason is that CRS112 is antiquated switch (which happens to support routing functions but at low sppeeds). It's not listed under "archived" hardware on MT page, but it's antiquated nrver the less. Just to be clear: it's still strong if used as proper 1Gbps switch, but for routing it w...

mkx

New wifi driver (wifi-qcom and wifi-qcom-ac, but the same was already in original wifiwave2 driver) can't tag/untag frames. ... What is doing the tagging/untagging then? The RB5009 does receive tagged frames on the ether7 interface and the stations connecting to the wifi networks do not see any VLA...

mkx

IMO things around (new) wifi are very murky right now. 7.13beta bringing wifi separated into different packages is IMO proof that MT is in the middle of serious reworking of wave2/wifi ... so we'll have to be a bit patient and wait to see what will come out of this process. I'm hoping to see vlan-ha...

mkx

.... I'd like to use as high a voltage as possible to keep current low. If your PoE cables are not really long (to cause significant power losses), then you're probably loosing more on internal DC-DC downconverters (inside PoE-powered drvices), their efficiency gets lower with increased difference ...

mkx

New wifi driver (wifi-qcom and wifi-qcom-ac, but the same was already in original wifiwave2 driver) can't tag/untag frames. It's in the new WiFi manual, section "Replacing 'wireless' package" under "Lost features".

So it seems that the problem actually starts on cAP ax ...

mkx

Without seeing (non-working) hEX config and more detailed description of wanted setup we can only respond with: it should work.

mkx

I wonder if it's still possible to configure channels in a way to "force" 802.11n.

No, not to my understanding. With wifi/wave2 we're back to supporting legacy clients (e.g. 802.11a and 802.11b).

mkx

5745 Ceee is 80MHz channel #155 and 5885 eeeC is channel #175, so they are different But they're same freq range, right? My 3 clients are newish - a Samsung Note 20, a Framework Laptop, and a Surface Pro 9. No, they're adjacent 80MHz channels. 5745 Ceee spans from 5735 to 5815 MHz and 5885 eeeC spa...

mkx

Yes. Post config so we can see how exactly is device set up.

mkx

To see complete picture we are missing capsman config. Because cap config (obviously) doesn't say anything about VLANs used for wireless interfaces.

Also: which port on CRS112 is used to connect cap?

mkx

When UDP iperf3 test shows transmitter to fall lower than configured total bandwidth, this usually means bottleneck on the transmitter itself - that's the only place UDP throughput is throttled without packets being dropped.

mkx

High-level view on CRS will show: single vlan-enabled bridge all SFP+ ports (and ether1 port) will members of bridge with per-port vlan settings as needed (port connecting to CCR will be tagged-only, other ports might be untagged access ports for a particular VLAN with pvid set appropriately) bridge...

mkx

Why do both servers have to be in same VLAN? This complicates things a lot.

mkx

Mikrotik ones S+RJ10. Docs say they can use up to 30 Meters of cable ... Another caveat: due to required high Tx power, these modules tend to run quite hot (MT's own seems to be one of hottest) ... if cooling is not adequate (with most passively cooled devices, such as CRS309-1G-8S+IN, this is the ...

mkx

I don't think that there's a single ONU SFP module on the official list of compatible hardware . There are a few threads on this forum about using various GPON SFP modules with MT and mostly the gist of them is that things either don't work at all (with some rare exceptions) or are extremely tricky ...

mkx

My impression is that you're setting the "newest" standard, older than setting are then supported as well. E.g. if you set band=5ghz-n , AP will support 802.11a and 802.11n but will not support 802.11ac nor 802.11ax. To support all standards, set highest supported by AP hardware (i.e. 5ghz...

mkx

What are exact cable lengths used? Operation at 10Gbps requires significant amount of energy and nkt many RJ45 SFP+ modules are capable of transmitting at needed power. And cable category doesn't affect this much. Which SFP+ modules are you using? Support for different SFP modules in MT devices is f...

mkx

I'm also unsure about the difference between 5745 Ceee and 5885 eeeC. Aren't they essentially the same? From the channel list on wikipedia follows, that 5745 Ceee is 80MHz channel #155 and 5885 eeeC is channel #175, so they are different (in addition, channel #175 seems to be illegal to use anywher...

mkx

Do you have country propetly set to country which actually allows use of channel 13? USA and (AFAIK) Canada don't.

mkx

thank you for your reply. so if i create a vlan interface achored to bridge i use L3, so the cpu? no? Yes, in most setups involving VLAN interface (created under /interfacw/vlan ), vlan interfaces should be used exclusively to support L3 operations (routing, providing services such as DNS). Using v...

mkx

Since 7.13beta, your wAP ac is compatible with new wifi driver: https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-Compatibility Based on this great new feature can we also expect that in the not-so-distant future, we will be able to join wifiwave2 APs to the existing CAPsMAN that has legacy wire...

mkx

What I recommend is (besides generous use of SAFEMODE) is to take an unused port lets say 5 and take it OFF the bridge. And absolutely add it to LAN interface list in case one needs winbox MAC connectivity - default config limits this kind of connectivity to LAN interface list. If done this properl...

mkx

OK, so here goes another experience: ROS will use single core to deal with packets, belonging to same connection (either real TCP connection or "apparent" UDP connection). The reason being to avoid out-of-order packet delivery (which upsets some TCP stacks). On devices with larger number o...

mkx

Since 7.13beta, your wAP ac is compatible with new wifi driver: https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-Compatibility So try to upgrade wAP ac to 7.13beta2 (should go smooth since you are already on 7.12), uninstall wireless package (it becomes a separate package after upgrade), install...

mkx

The highest part of 5GHz spectrum was added to wifi spectrum fairly recently. Not all devices support it (either their hardware can not work with such high frequencies or their firmware was not updated with new channel layout and/or country regulatory limits). So as a rule of thumb: whenever clients...

mkx

There are two wireless drivers currently in use on mikrotik gear: wireless - legacy driver which was available already in v6 and is supported by all devices except for newest (AX) gear wifi / wifiwave2 - new driver which came with v7 and AX ger. Also supported by AC devices with ARM processor. Any *...

mkx

Other dumb question, ont the crs 309 it's better to set the ip for the lan on the bridge or an interface? There are interfaces (L3 entities, essentially anything carrying IP address) and there are ports (L2 entities). When something is set as member of bridge, it becomes a port. And it should not b...

mkx

Simply set all APs with same security settings. Those include SSID, authentication types and password. Beware that when wireless station roams between APs having same SSID, it expects that the new AP is member of same L2 network (ethernet). Which basically means that APs have to act as simple switch...

mkx

*) defconf - use device factory preset credentials when using CAPs mode;

This will make my life miserable :(

Why's that? defconf is just default config ... and one can change it as it fits.

mkx

It's a pretty well known fact that ROS internal bandwidth-test tool is pretty CPU-heavy (single CPU bound) and results of it are hardly representative for device which is actually running it. If you really want to assess the performance of your setup, you have to use external test probes (such as a ...

mkx

... but because he doesn't even know how to tie his shoes...

We desperately need AI-enabled shoes.

mkx

Have a good look at 5GHz channel list . As one can see, standard channel layout (including channel width) says that 5745 and 5805 at 80MHz wide channels overlap (as well), both are covering 80MHz channel number 155 (spanning between 5735 and 5815 MHz). So try to allow properly spread frequencies ......

mkx

It's a shame about the controller requirement. I wouldn't call that "a shame" ... multiple devices can not cooperate smoothly without being coordinated by some central entity. And the same is true for any WiFi vendor. Because there isn't a standard which would allow APs to signal necessar...

mkx

I don't see any IP setup on vlan10 interface on CCR ... you'll definitely need some if you want CCR to communicate with devices in that subnet (and you want if it's supposed to be gateway for that subnet).

mkx

Did you read through this tutorial? The setup you showed is a bit awkward (it's not recomended to use VLAN ID 1 for explicit setups).

And it's likely that the problem lies in CCR setup. Can you show that config?

mkx

If the problem starts to develop (from mild one to a more serious one) without any changes in configuration or software, then this likely means a hardware fault ... such as a crack in cold junction which is getting bigger due to thermally induced material ageing. And that kind of problem is hard to ...

mkx

defconf means Default Configuration ... which only gets applied when config is reset to factory default. This doesn't apply when upgrading ROS from one version to another.

mkx

People can agree to disagree.

I don't agree

mkx

The problem is that when I check the balance of the vcores from the “Profile” tool I see that there is always one that shoots up between 80 to 98% and the rest remain at an equal average between them. What kind of workload is going on when you see one vCPU load rise towards 100%? If you're, by any ...

mkx

What if at the end of custom chain there is no explicit return?

There's implicit return at the end of all custom chains.

mkx

The last paragraph of ChatGPT-generated text is, IMO, the crux of the whole ordeal.

Long live rextended!

mkx

Despite the fact that the AI's success is impressive, it is important to keep in mind that the AI can only combine [*] the knowledge it has gained during training. Don't think like that. Regarding GPT4, he can, for example, search for knowledge on the Internet, climbing into any online manuals and ...

mkx

My guess: it's your "test-script" setting (it's very probably needless). According to netwatch docs , the netwatch service itself already does ping test by default and test-script property defines additional test to be run after the probe (simple ICMP by default) already finishes. Since /p...

mkx

Guess they need to update the page...

Probably they will, when the 7.13 gets released as stable.

mkx

New capsman doesn't support manager forwarding mode (yet) and hence the cap interfaces are not seen on capsman bridge. BTW: I'm not sure (I don't have wireless-less arm device at hand), but according to what MT staff wrote, you don't need wifi-qcom-ac installed, that package only includes hardware d...

mkx

I don't think you can. And even if it's possible, this doesn't guarantee to really get vanilla setup, sometimes some settings escape all the reset hooks. Netinstall is the only way where reset is guaranteed (it formats flash and installs ROS from scratch).

mkx

... still the adress lists exist in the flash memory, like theyre not being deleted at all. When flash is almost full, it's not possible to remove part of config (it seems that ROS wants to save a copy of new config before deleting old and it fails to do so). So this situation is unrecoverable, net...

mkx

Posted export says wireless interfaces are managed by capsman. So I don't see where seems to be the problem?

mkx

Router doesn't have anything to do with the way any wireless distribution system installed. If a particular mesh system requires a centeal controller (to keep it together), then that controller has to run somewhere. Indeed many vendors (mikrotik included) forsee running controller on a router, but i...

mkx

I suspect it has to do something with ROS update to 7.12

Each new ROS versions use ever increasing amount if permanent storage ....

mkx

@mkx, I think you missed what I meant by without FastTrack . Indeed I missed the fact you intentionally disabled fasttrack. BTW, if you only need to apply queues to a portion of traffic, then you can craft fasttrack rule so that it doesn't fasttrack traffic which has to be subject to queues (or add...

mkx

Try to sniff DHCP traffic to see actual hanshake ... I guess that final DHCP ACK comes back from repeater's MAC while MT expects to see client's MAC ... or the other way around. My guess is that repeater works similarly to station-bridge mode and that can cause all kinds of random problems, see mikr...

mkx

My suggestion: netibstall device with stable ROS (okd RSC probably means v6, so use 6.49.10), then configure it manually. Stick to defaults as much as possible and only use that RSC as reminder what was done ... but when implementing that part of functionality keep sticking to concepts of default co...

mkx

Failure to reboot is a sign that something went really wrong. Quite likely flash storage was full. And in such condition also creating backupis likely to fail. And backup is very probably incomplete and/or corrupt, so extracting config from it won't do much good. Morale of your story: relying on aut...

Search found 11067 matches