MikroTik

Amm0

# oct/08/2019 15:22:38 by RouterOS 6.34.4 You should update that router first. v6.34.4 is very old, and has some vulnerabilities. Once you do that, QuickSet options may change. One of those profiles should have a radio button for "bridge" on top right of QuickSet , that's what you want (the other r...

Amm0

For new WiFi router, if you reset-configuration with no-defaults=yes, you should be able to just add IP address to it, and configure the WiFi on the 2nd router to match, that get you close to what you want I think...a dumb switch that extends the WiFi too :) Your WiFi clients will select the “best” ...

Amm0

Similar problem. Related question, I have a limited user without any password, can I create some URL that specifies the user name it to login in instead? E.g. http://RouterOS.example.com/webfig/#Tools:Ping?login=testonly Basically I’d like to have a URL link to a webfig pages that doesn’t redirect t...

Amm0

Could at least use VRRP so if the first router dies, the smaller one takes over (at least for the 8 ports connected there

) with the need DHCP etc. or failover routing - that way it isn't just a dumb switch:

https://wiki.mikrotik.com/wiki/Manual:Interface/VRRP

Amm0

Don't know how much you want to know but this video had a pretty good overview of how to tune the Wi-Fi: https://www.youtube.com/watch?v=JRbAqie1_AM One thing I took awhile from that was to always set the "antenna-gain" to match the device's gain. For, the hAP ac lite, it's antenna-gain=2. Also, it ...

Amm0

Yeah, if you're using 2.4Ghz as a "station", your device can't use it to connect to the Mikrotik. The "station bridge" and "pseudo-bridge" are more useful if you want to put the 2.4Ghz interface into a bridge port on the LAN side, then the "remote" Wi-Fi does all the DHCP – but you have do stuff wit...

Amm0

I presume you've already tried Winbox4Mac first just in case it's some issue with WebFig? Winbox4Mac download: http://joshaven.com/resources/tools/ if not. But yeah seems like your router might have been infected with something - at least when I haven't been able to upgrade that was the cause for me...

Amm0

This is something I really want to find an answer to as well. Using LTE as my primary internet with an MC7455 through USB and hAP ac2 @drracing07 - I still haven't gotten it working but did recently send the supout to Mikrotik. FWIW my issue is more with the MC7354 which doesn't even show up in eit...

Amm0

You tell where should I put firewall rule, in input or forward chain? In my case, I used "input" chain. But any routed segment in-between might need the same rules in the "forward" chain. Also make sure it's before any deny / reject rules. /ip firewall filter add action=accept chain=input comment="...

Amm0

Probably the best advice: Talk with the other administrators and both agree on what version to upgrade your routers... But, if you control the other routers, you can restrict the permissions. I think upgrade is a "policy" right so if you assign the admins to a group without that permission, that mig...

Amm0

99.999% time you should leave them all selected, and auto-negotiate enabled. It just works. The only cases I can think of where this would this need to change: the cable has some intermitted interference/issue that cause a lower speed to be selected sometimes - when that happens you could have a few...

Amm0

I'd bet if you look a the security profiles ( /interface wireless security-profiles ) is where your issue is, specifically I'd make sure you enable both AES and TKIM, as both the Group and Unicast Ciphers. If the password and authentication protocols don't match the SSID, it won't connect, even if y...

Amm0

I too wish this was possible. Often I find the profiles are *almost* what I need to present some options for end-user final configuration, but want to "hook" that process to do some extra stuff beyond just QuickSet, or offer a choice of my default configurations to the end-user . You can tweak WebFi...

Amm0

Two things to try: make sure TCP 2000 and UDP 2000-65500 ports are allowed in IP / Firewall / Filter (or otherwise allowed some other way) – on both server and client routers for all test to work depending on the speed of the link, and not sure why, seems like duration=15s or higher helps to make su...

Amm0

the documentation does not mention this anywhere, The LtAP documentation is weak for sure - struggled myself. Normally this would be "documented" here, but the LtAP is missing: https://wiki.mikrotik.com/wiki/Manual:USB_Features how does the modems then operate in practice together well, if you thin...

Amm0

I take it then that the top modem cannot be referenced via script at all?

Correct. You don't need to set anything – only one SIM to choose from

.

Now, You can reference the lte modem in script, but do stuff like reading the RSSI stuff or issue "AT commands" if needed, or GPS.

Amm0

On the LtAP, the sim slots are tied to specific miniPCIe cards. So SIM 1 can only reference the "top" modem, while SIM 2 and 3 can be switched via CLI/script/winbox for the "bottom" modem. You can not script or otherwise wireup SIM 1 to the bottom modem, nor can the top modem use SIM 2 or 3. Like Gh...

Amm0

Also, in your configuration you have: /ip dhcp-client # DHCP client can not run on slave interface! add dhcp-options=hostname,clientid disabled=no interface=E1WAN Since your WAN is ether1, you need to have not as a bridge port (and adjust your diagram) or create/use VLAN 99 as an VLAN interface like...

Amm0

I looked at your configuration, and nothing jumps out as what's wrong with your approach. When you use vlan-filtering=yes , how ports get tagged/untagged is effected by both the PVID set under Bridge > Ports and the Bridge > VLANs entries. There is a dense note in wiki that describe the relationship...

Amm0

Yeah I'm not sure, I'm no expert, but your config looks right...but passthrough is pretty weird, too. You can try setting the MAC address in the APN, that might help, but not sure. Whenever I've tried to do something, other than assign passthrough to a physical port, it never "just" worked - but set...

Amm0

I'm not the EE expert. AFAIK efficiency is normally pretty high for DC-DC, with the price of the upconverter sometime related to how high the efficiency is... This unit here claims 75%: http://www.tycononline.com/9-36V-In-24V19W-GigE-Pasv-PoEDCDC-Conv_p_22.html And, even at max 24W it isn't that muc...

Amm0

If it doesn't, first easy thing to try is to install Wireshark and have a look if there's any sign of life from RB on interface. – good idea There is also a Woobm-USB: https://mikrotik.com/product/woobm – I kinda forget about them but if you saw traffic with wireshark and still couldn't get in... T...

Amm0

Yeah, I certainly didn't mean to be discouraging... The "standard" approaches DO leave some gaps when you start talking about "multipath internet" (beyond BGP at edge) and the variability of wireless internet links like commercial LTE pose additional unsolved challenges to existing routing standards...

Amm0

You say your looking for a "mesh" protocol that: 1 – ring network for redundancy in a multi-site, countywide network 2 – takes into consideration the 'condition' of the connections between routers/switches (such as packet loss), which will be important in this network, since this network will use so...

Amm0

Well, I'm not sure what "DNS bridging routing" is...but I think your first DNS should be "8.8.4.4" if you wanted to use Google's Public DNS servers. That may be your issue. Good luck.

Amm0

Well, LtAP is new, and even though I have a couple, they don't work with the US LTE modems yet. And, the LtAP mini has some shortcomings (don't use USB to power to, internal GPS seems to be weak, etc.) but it works, today. Now in theory the choice between the two is the "bigger" LtAP has 2 miniPCIe ...

Amm0

If you can post your configuration, it be helpful to know what's going on. Not exactly sure what you mean "https 4g proxy"... But two quick things to check: Under Interface > Interface List make sure the LTE interface ("lte1") is associate with "WAN". If you have two routes to the internet (say hard...

Amm0

There is no "bonding" feature built in to Mikrotik that work with LTE/Wi-Fi . The alternative approach is "load balancing", that is supported with configuration on a Mikrotik. There are a few approaches for that in the forum/wiki, I think "ECMP with connection marking" is the easier, but even that i...

Amm0

Fair points. But, a 64-bit version is a bigger concern. My bet is winbox will just do the "right thing" with a dark mode theme Microsoft does... Personally, I'm with @Sob on this one: just do what other "normal" windows app do with the colors. If you want a slick UI, the mobile app is what to use, s...

Amm0

Guessing your using the Mikrotik as an SMB share. But doubt this is a Mikrotik issue, or anything the Mikrotik can do to help remove the batch file in your process. But yeah that sounds annoying to deal with it. And, I'm sure there is some other way to set up whatever that batch file does to connect...

Amm0

I'd select the band to be just "g/n" or just "only-n" and set the width 20Mhz. The first is not likely the issue but not helpful. But the "20/40Mhz" may be the issue, 2.4Ghz is only 20Mhz. Something to try.

Amm0

You said quickset is only for a one time use. I've been using it to point the WiFi marina signal ove and over. Awesome! To clarify... Groove = QuickSet okay to use again – that's what you want, QuickSet web GUI does a pretty good job of letting you select a Wi-Fi network to use, and the web interfa...

Amm0

DHCP Client also needs to change to use ether5. Also, you can use QuickSet only once on router...after that it will be confused by using ether5... I’d plug in the groove directly to a PC, and tweak it until your getting what you want on your PC. If you then plug in to router on ether5 (with DHCP cli...

Amm0

Simple answer is three “simple queue”. Set just the target in each for the single IP address (for you), and CIDR subnet for home users/guest in another two queues. Set just the upload/downloads as appropriate. Generally speaking, the less you set in a simple queue, the better.

Amm0

Two things make sure your running at the current “long-term” or “current” ROS, and latest WinBox if your connecting via a MAC address, you might want to disable all other interface on the PC to avoid potential ARP/L2 issues Now, should work with multiple interfaces...but if your having trouble, easy...

Amm0

Guessing your using just 0.0.0.0/0 in the routing table used by each WAN path. So when PBR (policy based rules) selects the route table to use, based on a connection mark or IP range etc, it doesn’t use your main routing table, which likely has the local LAN routes. And would follow your next hop ou...

Amm0

Just one question, what you mentioned: wireless PtP link (if you have both 2.4Hz and 5Ghz on the AP - one used for wireless bridge between AP, other band used for clients), Is this Nstreme Dual in MikroTik? Thanks! Maybe. Specifics matter... You need to decide what band (2.4Ghz or 5Ghz) you want to...

Amm0

A "mesh" is pretty overloaded term... Guessing you have 4 different Layer3 networks, one per AP. Your current config can work, except it's like always using "client isolation" since which AP a Wi-Fi client was using determine what other Wi-Fi client it could see (assuming your using the same SSID/pa...

Amm0

They make a 5 port switch that runs the SwOS your looking for: https://mikrotik.com/product/crs305_1g_4s_in that has SFP. You can also search the catalog and set for "SwOS" or "dual boot" as OS filter in search. There are lot more options if your willing to use ROS...perhaps even a way reduce the am...

Amm0

This may sound like an oxymoron, since QuickSet seem to be unfairly bashed, but... Is QuickSet functionality exposed via the API (or SSH/CLI)? and, yes, I know there is nothing in QuickSet that can't be done "manually" – it just save a lot of code/script/complexity to do the same things in a API app...

Amm0

Was just a guess... maybe someone else see something. Certainly don't know what might have changed in ROS to cause this either :(. But your description is kinda curious: I have clients that are not able to complete a speed test due to the upload failing. The download works great, affected clients ar...

Amm0

seamless roaming not possible in a professional way with mikrotik. capsman wont help. go with professional aps, such as aruba, or cisco. @empy, perhaps that's somewhat true for dense/complex enterprise setup...but we're talking about a dude's basement at a house, and that is after setting his main ...

Amm0

Kinda beyond the forums – Mikrotiks give you a lot of ways to do things, both a blessing and a curse of them. Your plan can work, if the two wAP are close enough together. I'll let you work through the wiki or forums, but one plan is: use QuickSet to set one to "PTP Bridge AP", creating a SSID for t...

Amm0

If you posted the configuration, it help get to the bottom of this. Other than IGMP Snooping, random suggestion is that STP might be tripping up someplace - you diagrams has no loops but the actual network may? If this just one big, flat L2 network (which is typically the case if using multicast/vid...

Amm0

Never worked for me either. Pretty sure it's not currently possible on the US R11e LTE modem (but works on the Int'l one) Another posting was requesting it as a feature: Can we please have manual band control/locking for the US modem? I have dozens of SXTs deployed, and they are jumping into Band 12...

Amm0

Mikrotik doesn't have a DSL modem themselves. If your ISP has some integrated modem/router thing, it often hard to just replace. Even if it uses something like PPPoE, which Mikrotik does support, sometimes they use a X.509 certificates to authenticate, which aren't so easy to just "get" from the ISP...

Amm0

True, if he doesn't need to add or strip VLAN tags, that work: bridge all ports. But from his diagram looks like port 2's untagged traffic should be tagged with 302 vlan, and available as 302 on ether1, same for ether2-5. If you want to "change" the VLAN ID between ports, it would look something lik...

Amm0

I have 6.44.5, and using WebFig, can see a live Network Map from a Dude server running an hEX S, on an iPad.

If you post the config and say a little about the device, it's easier to suggest what to try.

Amm0

Anyone else tried a MBIM modem with v7beta1?

Amm0

Perhaps CAPsMAN needs to add the dynamically created CAP interface to an "Interface List", the default firewall will drop !LAN traffic. But not sure. Out of curiosity, any reason you don't want to use local forwarding? CAPsMAN still controls the configuration with local forwarding so you get the sam...

Amm0

Seems like your doing netinstall right...but on Windows 10 disabling the firewall isn't so simple to do right I've found, you have to follow the NetInstall wiki pretty exactly for it to work: https://wiki.mikrotik.com/wiki/Manual:Netinstall But if your hardware was previously working, no default con...

Amm0

@nostromog is right, most LTE carrier NATs require the remote router to initiate the connect, and can't just listen on a port. The other alternative is to get a static IP from your LTE provider. In the US, the carrier charge a fee to setup once, then a small fee per month to have a static public IP ...

Amm0

May not be that simple... But generic, "modern" approach to accomplish your configuration using ROS is to use a single bridge, enable "VLAN Filtering" on it, add all the ethernet ports with a correct VLAN(PVID) set on each bridge port, and finally add all the VLAN in use to the VLAN tab along with t...

Amm0

@samoore, Those defaults sound like a good base to me. Think if you make the 2 changes on the hAP you'd be set to use ether5 for PoE. As you note, Mikrotik give you a lot of options. But the UIs all offer roughly the same options, so use what make sense. The mobile app work, and also does offer all ...

Amm0

w32pamela is right: if you mess with the Bridge > Ports in winbox, you can get your setup working pretty quick. I'm guessing our boater friend is using the hAP as a "HomeAP" (for Wi-Fi/hardlines his boat) with the Groove as a CPE to some Wi-Fi network at the dock. Also guessing he might want to chan...

Amm0

I tried a Sierra Wireless MC7354 on the hAP ac^2 via the external USB port, and it did not come up as an LTE interface. The MC7354 did work in PPP mode once configured, same as v6 - but MBIM support was the v7 feature I was waiting for/willing to try... I check the AT configuration of the module, an...

Amm0

Agree this is a hole in script'ing, so +1. But you can use the Dude to run scripts that use SNMP...might especially for the use case described above to switch network configuration based on some SNMP GET result. The needed Dude server is supported by even some lower cost routers like the hEX S. Not ...

Amm0

Instead of a script, you could try to set the "default route distance" in the LTE APN to something higher than 1, say 2, than the DHCP client used by the Wi-Fi interface. What should happen is if the Wi-Fi client interface gets a DHCP address, it would have distance of 1 (the default), and the Mikro...

Amm0

Again totally agree this approach be useful. As noted, it's working for @syadnom. *Some* builtin approach to trading latency for reliability to even out the performance of divergent upstream path would be handy. With Mikrotik making more mobile devices with multiple uplink paths – e.g. the newer LtA...

Amm0

Agree with @mkx on LTE – it's extremely robust – and the usefulness of "double FEC" is rightfully questionable. If your WISP, carrier, or ISP deploying a network and want to use an FEC tunnel that be crazy talk. I don't mean to pick on LTE here again...an FEC feature be potentially useful when you d...

Amm0

Is MBIM support in the v7 beta? e.g. all the LTE modems that say "v7"

Amm0

You might want to try to increase the boot delay in System > Routerboard and make sure your running the latest OS, include matching firmware. That being said... we use the RB953 a lot with 2 modems, but with only one R11e-LTE-US (with the other modem being a Sierra MC LTE modem). I haven't tested in...

Amm0

Related questions, I'm curious if anyone here has tried to using /ip packing to address the kinda problems @rOOt describes above? Was thinking Mikrotik could add FEC (e.g. reed-solomon or similar) to /ip packing ... Never used the feature myself (but now curious) but would seem to solve similar prob...

Amm0

@Amm0: what makes you claim that LTE is lossy? @mkx, let's call it "noisy" - mainly suggest that with LTE, or Wi-Fi, the L2/L1 stuff that deals with the noise (e.g. ACM) does have side-effects at L3, and that's where FEC might be able to mitigate frame loss. @rOOt points "a bit of interference and ...

Amm0

I can suggest that posting configurations and logs always help, with a diagram of signal path between device if you got multiple devices involved in a problem... I can say your problem seems like ARP resolution is going south someplace. Mikrotik has a feature called "proxy-arp", but a lot of thing d...

Amm0

If you have only one LAN subnet and one WAN connection, and your network configuration/routing table aren't changing a lot, there aren't a lot of downsides to masquerade. For any NAT translation, the firewall/router needs to know the IP address to use...and masquerade does a lookup of the outgoing i...

Amm0

Simply put, you can only have one SIM card active at a time, so there is nothing to load balance across SIM cards. See https://wiki.mikrotik.com/wiki/Dual_SIM_Application for the details on how it works. Also there is only one modem inside the WAP-LTE and ONE sim slot. The newer wAP R AC, https://mi...

Amm0

Interesting idea... I can see FEC-based tunneling might help with LTE, where there is little you can do to "tweak" the network to avoid packet loss, and FEC tunneling might help deal smooth out packet loss exposed due to RF reception issues (but not congestion issues...). Essentially it be "double F...

Amm0

Also, you mention "uploading two SSH key files to admin user"...that part is the more tricky I think. Since the export wouldn't include those. So for the certificates, Other might have a better idea for that...but one way is to just put the desired public key on a local web server, then include the ...

Amm0

If you have a configuration you like and /export out, I'd look at learning NetInstall. It would let you upload your .rsc and the same version packages on all units. Then if you need more in the future, you can use NetInstall to make sure you have the same version. See "Configure script" comment in h...

Amm0

+1 I thought cut-and-paste would work for Devices-to-Maps in the DUDE...but found this thread only after I created all the device in the Device section first :( While discover works, I didn't want to delete workstation etc...and thought if I created each device "manually" I could tweak (and test) th...

Amm0

1. Might want to try boot delay to 5s in System > Routerboard > Settings if that's not already set. 2. Check that System > Resources > USB sees the modem module on the USB bus 3. Try the "long-term" OS version, (in Winbox, System > Packages > Check For Updates, select "long-term" then "Download and ...

Amm0

@zaza355N, just saw this thread...what was the conclusion – did that work okay? Any problems with Xirrus AP :? 8) :?: We use Mikrotik routers for events: normally use ECMP routes to distribute load and the expose different VLANs for different event use cases with some kinda QoS applied (e.g. differe...

Amm0

@CrimzinZA As noted above, make sure the firmware matches (in Winbox, System > Routerboard > Upgrade , then reboot the box). If that doesn't help, you might want to try downgrading to the "long term" release...under System > Packages , you can select the older package. Don't know if it will help, bu...

Amm0

It might have been hardware or firmware...but sometimes LTE carrier drops the connection, not the Mikrotik side, if there are "invalid" packets . If it happens again, you should always drop invalid packets in the Mikrotik, most of the recent Mikrotik default configuration include this: /ip firewall ...

Amm0

+1 for Band 13 (US Verizon)

Amm0

If you use 2 LTE cards on LtAP, is it still possible to use USB port for USB flash (storage) ? Pretty sure won't work. AFAIK the "top" miniPCIe slot is shared with the external USB port, at least for modems. That mean you need to select the "top" miniPCIe OR external USB via ROS configuration, like...

Amm0

The new Dot1X supports being a 801.1X "server" (secures a port/interface by requiring EAP auth). But was hoping the User Manager would work as the RADIUS server for it...since Dot1X doesn't seem to support using non-RADIUS like local/ROS users or PPP/VPN "secrets" users (e.g. ones used by L2TP etc.)...

Amm0

+1 for Stripe support

Amm0

Mikrotik is now looking into this. What I know various combos of 2 modems don't work in 6.44.x, 6.45.1, 6.45.1, and 6.46beta6 on the LtAP, specifically: Sierra Wireless MC7354 (top) / Mikrotik R11e-LTE-US (bottom) Mikrotik R11e-LTE-US (top) / Mikrotik R11e-LTE-US (bottom) Mikrotik R11e-LTE-US (top) ...

Amm0

giorgos1975m, Still nothing from support - been longer than 3 days and I did provide a bunch of supout.rif files... I ended up trying 2 brand new R11e-LTE-US modems, in a previously unopened LtAP in the mean time...same result: the bottom miniPCIe does not show up a port for PPP or "DirectIP" LTE. I...

Amm0

Yeah I have concerns – I even tried a 3 different modems, that were working in other Mikrotik boards.

But I did email support@mikrotik.com about it...nothing yet.

Amm0

Curious if anyone has any suggestions... Can anyone confirm any LTE miniPCIe modem that's worked in the bottom slot of the new LtAP?

Amm0

Depending on the device or version, the sim-slot name do vary. e.g. it may "a"..."1"..."up" If you running 6.45.1, they renamed them for the LtAP: ltap - renamed SIM slots "up" and "down" to "2" and "3"; But if you hit <tab> in the console after typing sim-slot= it will "autocomplete" the potential ...

Amm0

For the Quectel EC25-V, you need to use channel 2 or 3 in "/system serial-terminal usbX channel=2" where X is the /port for the EC25. You shouldn't need to use Ctrl-A until you want to get back to the Mikrotik console (e.g. Ctrl-A, then Q). So if you used channel 0, it would connect but doesn't unde...

Amm0

Didn't see your posting, but I have the same problem: viewtopic.php?f=2&t=150209&p=739794&hilit=ltap#p739794

Amm0

Just got a couple of the new LtAP routerboards, with 2 miniPCIe slots and 3 SIMs. I'm trying to get 2 LTE modems working on it, but so far been unsuccessful ...basically I can't any modem in the BOTTOM to be show up as a "System > Port", although they show up under "System > Resources > USB" so the ...

Amm0

I have gotten it working in PPP and LTE mode, so it's possible. I'll write up what I know in case that helps. If it doesn't show up as an LTE modem, the "at-chat" option isn't the only way to issue AT commands, which I think is your problem since it's a catch-22 if the module isn't in ECM mode, it w...

Amm0

Found this thread since I wanted to do a POST using /tools fetch...very useful...

But MT should update the docs on it, since http-data etc. isn't mentioned as a parameter:
https://wiki.mikrotik.com/wiki/Manual:Tools/Fetch

Amm0

We haven't any luck with Sierra Wireless MC7455 in the miniPC slots. Is there any initialization commands or something special needed to make them work? Just saw the comment from Mikrotik that the MC7455 works in 6.36... But they've never work for us. We tried the MC7455 miniPCIe card in both RB912...

Amm0

I followed the instructions the wiki to setup CHR at Amazon. All worked great - just cloned the AMI into my account and changed the VPC to allow access. I actually wanted to backup the new CHR to AWS cloud storage (S3) via a script on CHR (since we store a lot of saved config files/backups there). H...

Search found 91 matches