MikroTik

Amm0

Cannot say if to keep the link some pinging is enough, but you could set a script that just pings the (I presume there is one) the DNS that the LTE provider gives you once every (say) hour or so. This could be a netwatch script or a scheduled one. Totally possible carrier may separately force a dro...

Amm0

Sure, that work too. But you don't have further ability to limit to just the router (which I don't show above, but /routing/rule let you exclude LAN IP from using LTE for the destination of 1.0.0.1 – a main route for 1.0.0.1 applies to all src-address) A separate routing table keeps things clean IMO...

Amm0

MikroTik support says that the RB5009 is OK, looking at the logs. IMO, its a bug if it doesn't come back if other OSes do recover... But to force ping out LTE while fiber is the active route in main requires using a routing-table. To create a new seperate routing table that only goes over LTE, it's...

Amm0

You still need some hotspot user (and password), even if hidden... You can create a hotspot user with the desire setting for the "without username" case, then use that user as a NEW value="..." in HTML as the post describes. e.g. <input type="hidden" name="username...

Amm0

It could also be "detect internet" as that also pings upgrade.mikrotik.com.

Amm0

A more complex example of using fetch with variables (and wrapping it in a function to make it easier to use from CLI) is one I wrote for extracting ZeroTier members via ZT's HTTP API to add static DNS entries for them:
viewtopic.php?t=204990&hilit=zerotier

Amm0

To store as a variable, you can just replace the ":put " with a ":global results " would work. There are also :local variables e.g. { :local results ([...]->"data") :put $results } The result is going to be JSON, so to get that into a RouterOS array, you need to use &qu...

Amm0

As I said, I haven't used the ZT container, so IDK. So my suggestion was to make sure enabled Logging is checked on the /container for ZT, and the look at "/log print". Alternatively, you might be able to access the shell of the container using /container/print then /container/shell XX whe...

Amm0

@Amm0 with the schedule do I script it into the code I have created for the sensor or use the system scheduler in system menu ? You put your code INTO scheduler's on-event. It would just need to be added once. The scheduler (aka `cron`) will then run your script on the interval= set. Using winbox, ...

Amm0

Couple thoughts: 1. Did you put the VETH in LAN interface list (or address-list if using those)? e.g. firewall blocks !LAN by default 2. The Mikrotik ZT client will inject ZT routers to the router, but using a ZT container won't... So you need a static route on CHR/X86 to the ZT network as Mikrotik ...

Amm0

The quoting all looks right, and CURL is doing same "single line" GraphQL. My other thought is /tool/fetch is using \r\n as the line ending, not just \n... Perhaps just add \n to the end, since it's complaining about In latest V7, there is the newer [:tolf] to convert any CRLF. So perhaps ...

Amm0

Well, it the -H 'Content-Type: application/json' that's messing in your /tool/fetch - that's setting it as JSON. :put ([/tool fetch url="https://somewebsite/api/graphql" \ http-method=post \ http-header-field="Content-Type:application/json,Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGc...

Amm0

@Amm0 thanks will give that a shot.

One note, in scheduler script, you might want to use "/log info TEXT" instead of a :put.

Amm0

Hmm unfortunately the same response. It is so weird that it works with Curl or Postman but not with the fetch tool. Can you post the command you're using with `curl` that works? You may also need to add JSON as the content-type to /tool/fetch, since my guess is curl is using a --json (which sets th...

Amm0

Or run at CLI, add an other :while (1) do={ ... } around the code, with a :delay 10s before the end of the loop. It take a ctrl-c to exit.

Amm0

@Amm0 I am getting somewhere now I need to just get this script to refresh every 10s when the new local pktdata is updated You can put the code into /system/schedule** script with an 10s interval, that starts at "startup". ** likely easier in winbox/webfif to cut-and-paste code than use C...

Amm0

Essentially the conversion from hex-in-a-string to an int take the following form today: [:tonum "0x$[:pick $pktdata <index> (<index> + <len>) ]"] So in your code it look like this: # Main function to decode Bluetooth advertisement data /iot bluetooth scanners advertisements { :local adids...

Amm0

I suppose you could try the old /ip/packing, as that lets you set an aggregated size. It's old as dirt, but if "packing" smaller packets into a bigger one is the goal, worth a look/try:
https://help.mikrotik.com/docs/display/ROS/IP+packing

Amm0

I believe you need spaces between attributes and brackets in graphql. Might want to try something like this: http-data="{\"query\":\"query accountid { accounts(id:2) { entities { name }}}\"}" or since query is already in the JSON perhaps http-data="{\"query\&q...

Amm0

Thanks @sirbryan. My knowledge of 60GHz is limited. I do know that it's jitter that kill you for Dante, so great data. The thing that seem limiting is there are not any MCS-like knobs to tweak – since I'm not sure negotiating a higher MCS is helpful for stability. e.g. Changing MCS has to introduce ...

Amm0

Re UBNT vs MT.... I think it be more physics, than hardware since it's a standard protocol. Only note be that Mikrotik uses a bond on 60Ghz PtP products with 5Ghz backup... For Dante, 5Ghz be worthless as backup, so using bond would add a smidgen of latency that could be avoided. I'm pretty sure Dan...

Amm0

Yeah in V6, pref-src is used for everything in routing. In V7, it's ONLY used for router initiated traffic. RouterOS V7's "FIB logic" when multiple IPs in same subnet... IDK for sure. I'm don't think it's documented what happens. I do know pref-src= on a router in V7 works for something li...

Amm0

Assuming it's V7. The address used for "local out" traffic (e.g. telnet from router) should be shown a local-address in /ip/route/print... To set it for traffic originated from the router (e.g. /tool/fetch, /system/ssh, telnet out, etc.), then pref-src= can be used to control. If pref-src ...

Amm0

Couple questions: - Were you in AES67 mode? - Did the Dante controller have a specific error on the clock and/or see a lot of jitter in clock's graphs? One thought is by default 60GHz PtP Mikrotiks use a bond with 5Ghz. I'd remove the bond if it was being used, since failover to 5Ghz is not going to...

Amm0

wAP ac is not discontinued

Perhaps, but it's "brother" with miniPCIe is marked as discontinued (https://mikrotik.com/product/wap_r_ac)

Amm0

Assuming you have not upgrade the wireless drivers...

There should be a QuickSet mode (in upper left) for "PTP Bridge CPE", you should be able to use that to connect to Starlink Wi-Fi's SSID and should bridge it to ether2 (and I think ether1).

Amm0

Fair enough, it is even more confusing. I thought it's just UDP with different ether type. That it might not be UDP was a suprise. With NirSoft's WakeMeOnLAN tool, I can successfully wake-on-lan an MSI Cubi2 system on my LAN. A sniffer trace of what WOL packet gets generated with your tool when usin...

Amm0

It may flow via L2 MAC, but it's still formatted as UDP packet AFAIK.

Could be wrong... but I think it's just specific IP address, instead of broadcast 255.255.255.255, in the UDP part of the packet.

Amm0

@normis any update on a native mac app for winbox?

Given we're at an icon flashing in task bar: https://youtu.be/sQPlwDSd5LM?t=184 — be a while.

No other proof of life... Like screenshot? Or, at least clue on framework/lang... Can we put rest it's Electron?

Amm0

Theoretically WOL could be on a BMC with an IP address, and the WOL turns out rest of system. It does not seem like a bad option to have, although perhaps confusing since IP isn't going to help in most cases. Kinda niche, but Mikrotik has the feature request category at help.mikrotik.com.

Amm0

Why on the forum?
They should have a services status on the main website.
Agree. Or perhaps some backup host someplace else for geo-redundancy. Not asking 5-nines here.

Well, they should have a status page. I'd suggest Dude and function to update the web site

Amm0

Seriously?

LOL. I don't think @DarkNate was even trying to troll [here] – just a lucky guess. If so, you have some eggs from your pizza to throw at him.

Pineapples, like IPv6, aren't everywhere.

Amm0

First bet is DNS.

Good to hear.
It really is always DNS.

Amm0

Yeah realized after that DNS was already likely MS AD DNS. I suppose another way to skin that are is set the Mikrotik DNS to your AD's DNS? Since I do think hotspot is sending all DNS to Mikrotik regardless of what DNS IP is used. While you can have a firewall rule before that has a hotspot chain ru...

Amm0

Capacs take minutes to setup and dont change very often Most Wi-Fi APs have some central manager, so it's not unreasonable to want that on Mikrotik. It's the view of all APs in one place that's useful of CAPsMAN. Or if you want to make a change to SSID/password, etc. are all easier down the road to...

Amm0

Config may help here, dunno. But ISP upstream may redirect NTP and/or DNS. Might want to try at the Terminal: :put [:resolve pool.ntp.org] I suspect that will get you the same 173.255.241.249. Be curious to see what DNS servers are getting used: /ip/dns print ; /ip/dns/cache print where data=173.255...

Amm0

Ok, thanks! I think I'm having larger MTU/MSS issues, as its not working, but I'll post a separate topic for that. Set EoIP to 1500 MTU. It will fragment but almost certainly needed since I doubt the HDHomeRun does PMTUD. Generally there 7 MPEG frames per RTP packet, so I'm guess it like needs 1400...

Amm0

Mikrotik has a pigtail part: https://mikrotik.com/product/acsmaufl

That get you SMA. Most Wi-Fi things RP-SMA. But AFAIK the wAPac is same as LTE ones with u.fl connectors on board for Wi-Fi.

Amm0

It was a serious pain in the ass and took a lot of hours. Good news is the EAP supplicant stuff just worked, no fiddling. Oh I'm sure. But the new drivers likely worth the effort. Used the wifiwave2 (now wifi-qcom-ac) on Audiences for long while, it was night-and-day difference. Welp... my RB4011 b...

Amm0

Are we talking about this one: https://mikrotik.com/product/wap_ac Yes. I mainly use the https://mikrotik.com/product/wap_r_ac which has miniPCIe slot, so I habitually add the "R". But the wAPac is identical, except no LTE modem. It's the plain "wAP R" you wouldn't want as that'...

Amm0

The wAPacR is a router, and is an AP by default. The newer wifi-qcom-ac drivers will get you Wave2 support on it. So you should not need the Starlink router - assuming the third-party Starlink+PoE to Ethernet adapter works. The Amazon links seem to do that so the ethernet that be usable can be the W...

Amm0

Some older Huawei modem had issues with IPv6, but you've disabled it in both places, so I dunno.

I'd add lte,!packet,!raw as a topic /system/logging, reboot, and collect a supout.rif file & email that and what you've seen to support@mikrotik.com

Amm0

Fair enough. More that if disabled under /ipv6, you have to change the APN under /interface/lte/apn so the ip-type=IPv4 as well.

Amm0

One thing to try is setting just the "IPv4" option in the APN Profile, instead of "auto", as the "IP Type".

Amm0

The only difference is the "LTE way" is there is no scripting actions on it. But if you didn't have that need... I'm not sure what advantage to go through the trouble to "fool" routeros into creating an actual /ip/dhcp-client for an LTE interface? The APN Profile does mimic the o...

Amm0

I hear Active Directory. First bet is DNS. I suspect the hotspot clients are using Mikrotik DNS, which isn't going to the know the SRV/etc records needed for AD LDAP. You could confirm by setting a hotspot client's DNS to explicitly use Microsoft AD DNS servers. If that works, it's for sure DNS. Eve...

Amm0

Fair enough. The double-NAT does offer a static config on Mikrotik side, so can see that's being a plus. And L2TP is a different story for the NAT'ed CGNAT going on, than say WG/etc. More note that, in most normal cases (not BGP+L2TP ;) ), likely better if modem operates in MBIM mode if possible in ...

Amm0

V7 support MBIM modems. I'd imagine you'd be able use an AT command to switch it from the "NAT-mode" (Linux ECM driver) to MBIM modem. That get the CGNAT address on the router. If you google for your modem and MBIM (or if specs suggest Windows 8-11 support), I'd imagine there is some AT co...

Amm0

In the LTE Profile, under /interface/lte/apn. /interface/lte/apn/set [find name=default] default-route-distance=2 use-peer-dns=no add-default-route=no Not sure if NTP over MBIM is even possible, but NTP not settable regardless. FWIW, If you're going to use routing tables, set a higher distance for L...

Amm0

Fair enough. I hate Confluence, as user and admin many years ago. Have you ever looked at AsciiDoc (https://asciidoc.org)? It deals with all the TOC/etc stuff that markdown doesn't. OSS, no Java, and esoteric syntax seems more Mikrotik. Apple uses it for the their new PKL language, https://pkl-lang....

Amm0

Thanks all, I've been playing about with GNS3 last night so might try see if I can lab it out before doing anything and having to get on the roof to reset it! FWIW. You shouldn't have to go to roof, assuming you know the user/password. All Mikrotik support winbox via Layer2, so can connect via MAC ...

Amm0

I'd see this done once with some UBNT with some AVIO adapters. Venue suggested its work fine. While I believe them... the use case was not something like FOH to a stage where failure be disasterous. Theoretically, 60Ghz should work. You also do have Dante's latency setting to tweak to help. So there...

Amm0

Your right. I get confused on the Chateau, most are 16MB storage. And I kinda assumed @normis has some reason for his comments however

Amm0

@normis has a point: most of the cost on Chateau LTE18 is for the LTE modem. So if LTE is not needed, it's not a great choice. e.g. while starlink is within its routing abilities, it's not a powerful router. A hAPax3 is more powerful router, and has more internal storage, if no LTE is needed. Althou...

Amm0

My question is regarding the router! I have never turned it on and it does not prevent my access via iphone. Neither router nor smartphone apps care if disabled. But if do use the app... it quite visible since it kinda looks like there is no internet (e.g. it says "Internet: disabled" or ...

Amm0

Hey Ammo, I use an Iphone and have not used this functionality. How would it make the experience better??? Don't enable it using the mobile app is my #1 advice**. The "detect-interface-list" is the only important setting. That setting is where it does the detection. Since there is no poin...

Amm0

Layer 2 vs Layer 3. /interface/vlan creates a Layer3 route on a VLAN. While the critical setting vlan-filtering=yes/no on the /interface/bridge is what essentially converts the software bridge from a.dumb switch and a VLAN-aware switch. The /interface/bridge/vlans is how you set hybrid/trunk/access ...

Amm0

If the VLAN already defined on either end of the link. The 60Ghz LHG should just bridge anything passing over it with the default configuration. e.g. you don't need to set vlan-filtering=yes and define VLANs unless you want to restrict traffic going over the link. So if the Cisco's already have VLAN...

Amm0

there are not so many new features during these revisions.

Think y'all selling yourselves short.

And docs themselves do get updated regularly.

Seems like a `cron` job...

Amm0

Winbox, IMHO is the secret sauce, allowing non CLI trained folks to access and modify their configs and view all kinds of information. Agreed. If you BOTH CLI and winbox, or have potentially multiple users making updates, it is really well integrated. e.g. the "live update" of winbox dial...

Amm0

Finally a normal reaction to this :D Part of the detect-internet logic includes adding a dhcp-client. Given "Detect" is in name, it is odd it modifies config. And since adding a dhcp-client could effect routing...why folks have negative reaction. But the graph in mobile app is super usefu...

Amm0

But, that is just a "winbox bug", that could be fixed with some additional code in winbox. After all, it knows which items you have changed. As someone who has noticed this behavior and already complained elsewhere: of course it is a bug IMHO. Mikrotik may see it differently. I think winb...

Amm0

You might just use netinstall to reset it to defaults. But it is critical you do not press reset button MORE than 10 seconds - it should be around 6-7 seconds from power on & normally some light goes from solid to flashing, at which point you release the reset button. While the button reset shou...

Amm0

But at first I didn't see the detail as I was using Comfortclick's http driver to test it and it only said Internal server error... FWIW, if you use Postman to test request, I created a RAML/OpenAPI scheme that allows testing of the REST API. See https://forum.mikrotik.com/viewtopic.php?t=199476&am...

Amm0

Your right it's not a server error so 5xx status code is wrong.

Although the specific permission that's missing be more helpful.

Amm0

i'll go through the wiki once again, then probably i'll ask support I've never used the interface-specific ones. But just re-read docs since I wrote from my memory and my usage ;). https://help.mikrotik.com/docs/pages/viewpage.action?pageId=8978569#RoMON-Secrets One of the rules is For each interfa...

Amm0

Short Answer is NO . It kinda up to the mail client to figure it out. For sure, the file extension has to match the file type (e.g. if it's a png, name should end in .png) But how Mikrotik generates the multipart MIME has some effects. Basically all attachments get added using the follow headers for...

Amm0

The skimpy docs on select-rule has come up before: https://forum.mikrotik.com/viewtopic.php?t=206072&hilit=bgp+select It can't hurt to open a ticket at support@mikrotik.com about the poor docs on BGP's select-rule. I'm not sure what is not covered by the V7 BGP filter language e.g. what can only...

Amm0

b. BTH configurations where the Peer (server for handshake) has a public IP and has no need to punch out to the proxy MT WG server. I'm not sure how BTH would interfere with other WG config. BTH with a "real" public IP would still use DDNS, but still does not "punch out" a ports...

Amm0

Create a routing rule with Source of WAN2 IP address , and force all such traffic to table pointing to WAN2. OR, even sneakier, Dst-NAT traffic to wireguard port to WAN2, to-address=WAN1 This has come up a few times.... Maybe @normis/etc can comment on it somewhere. Although it's WG, not BTH specif...

Amm0

FWIW on this one: 1. I know recommendation. This is my decision for App Android. Yeah if you don't use mobile apps, the use of "detect-internet" is unclear. But if you do use the mobile apps...it front-and-center on the app & does enable a nice graph of WAN usage if enabled. And you've...

Amm0

I would have expected some kind of API as that's more efficient (no need to parse command line) and less prone to breaking changes. All the config methods are abstractions over some internal config schema (see /console/inspect). So...I'm just not sure where efficiency comes in — once config change ...

Amm0

It's likely better thinking of the RouterOS CLI in terms of a REPL for a programming language, than ANY UNIX shell. It's thinking CLI is more like Linux/UNIX is where the trouble starts ;) FWIW, I'm not sure $() is newer than ``. The $() is more for variable assignment IMO, while backtick works anyw...

Amm0

Of course it should, you programmed the router to do so. Geez, there is no accountability in todays youth ;-) And this is why I always think ECMP and routing rules is often a better approach to load balancing. Even though ECMP is "less random" than PCC, changing the default firewall is fr...

Amm0

I didn't even think about the use (), i'm kind new to scripting, thanks for the hint!

If you know Linux/UNIX, the [] are similar to `` backtick to run a command and replace result in-place.

Amm0

The WAN has a dhcp-client enabled on it. And it goes through prerouting just like eveything else. So it gets marked per your mangle rules.

Amm0

That's DHCP.

Amm0

Distance is not the only factor. The scope and target-scope play a role & those are different in some of dynamic routes. See https://help.mikrotik.com/docs/display/ROS/IP+Routing#IPRouting-RouteSelection Routes with a scope greater than the maximum accepted value are not used for next-hop lookup...

Amm0

I have a few central routers that use blank and a specific secret (still two entries) that seems to work. At some point, I forgot to set the secret on a group of routers (so it was blank), and I want to say having two secrets (one a blank) worked to get to that group (and then set a RoMON secret to ...

Amm0

I prefer that users have compl;ete control over the process. It has also a "sharing" feature that the person with router password creates another peer. These additional "BTH users" (e.g. WG peers) can be managed by admin in winbox/CLI. But still more config wizard to create peer...

Amm0

Clearly bridge mode is the right call in your case. And in most cases with DOCSIS. Re the TV set-top box, that was my only concern with bridging. I recall some provider in Spain (Movistar?) required some specific setup with multicast based on other posts. But TV box is working, that's good news.

Amm0

But what should the post data be? It gives me an error if its left empty but I didn't figure out the correct post data. I do not think it needs a parameters. But the content-type needs to be set to application/json. So the --json '' part does that. If using an older curl, it may not have the --json...

Amm0

AFAIK, the reason is if segments use a different RoMON secrets, it can use either. Say ether1 had router with "test1" and ether2 had router with "test2", on the central router with both test1 and test2 as secret it will be able to find them both. So I'm not sure why it doesn't wo...

Amm0

Try using root-dir= without the starting "/".

e.g. root-dir=usb1/docker/rootdir/aaa

For mounts, those should be okay, but the root-dir has always been pickier on the path. Or at least that's my guess.

Amm0

Basically a cloud server operated by Mikrotik, connects the two ends, so that they can punch out of a connection they have which is not public and reach other. Well the other benefit to BTH, even with static/public IPs, the Mikrotik BTH apps (for phone/desktop) automatically create the peers from t...

Amm0

this is what it gives me back [admin@MikroTik] > system script run test 13;255;89;0;3;94;66;0;0;36;104;78;41;232;3;2;229;254; y=66 x=0 temp=26 now the one that is confusing me is // Returns the measured fluid height (or air height), in mm // scanData - represents the array of raw bytes for the manu...

Amm0

To check for updates with rest, use POST instead of GET: USER='admin:admin' ROUTER=192.168.88.1 ; curl -k -u $USER -X POST https://$ROUTER/rest/system/package/update/check-for-updates --json '' or to actually download & install: USER='admin:admin' ROUTER=192.168.88.1 ; curl -k -u $USER -X POST h...

Amm0

There is no firewall is main thing. See https://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall but personally the default firewall is better than the docs: /ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-...

Amm0

/ip address add address=x.x.x.178/29 interface=bridge1 network=x.x.x.176 >>> do I add this??: add address=x.x.x.178 interface=sfp-sfpplus1 network=x.x.x.177 No. Leave the address as /29. But you need a route: /ip route add gateway=x.x.x.177 /interface bridge port add bridge=bridge1 interface=ether1...

Amm0

Rplant. I am not using packet marking. I am using mark connections. Sure, but it's same issue. AFAIK I understand this, WG already picked before it enters any firewall services. WG will check routing rules in its decision on what to pick, and if none will use main. I just wish they'd have WG on the...

Amm0

(Aside for @Amm0: Did you note the existence proof showing that ASCII is incomplete for encoding all English prose? 😜) Well, my №1 unicode needs are more 18th century — I use the em—dash & en–dash a lot. 😂😜 OP has a point, webfig likely should enforce the same rules. But I too don't expect unic...

Amm0

I wonder if Mikrotik extender "GePR" at the remote end with small patch cord would help?
i.e. maybe it has higher sensitivity or/and it's negotiation works better than the remote devices chipset in this case.

IDK, just an idea.

Amm0

And changing things in different versions really does add even more complexity. That's why they reverted recently I suspect.

Amm0

Specifically, v7.13 and v7.14 have this changes:

*) console - replace reserved characters in file and script names with underscores;

So sanitize means remove spaces and special characters. The reverted this as a default in 7.15 beta.

Amm0

There were some recent builds that "sanitized" the file names. In latest 7.15beta9, it returns to the "old" behavior. *) console - added "sanitize-names" property under "/console/settings" menu (option for replacing reserved characters with underscores for fil...

Amm0

FWIW, @rplant's policy routing rules is roughly the equivalent of the following mangles: /ip firewall mangle add action=mark-connection chain=input connection-state=new in-interface=WAN1 new-connection-mark=ISP1 add action=mark-connection chain=input connection-state=new in-interface=WAN2 new-connec...

Amm0

FWIW, one thing that can happen on an hAPax3 is the antennas not being screwed on tight. That be another way make signal worse with ax3 vs ax2.

Amm0

It also might be obscure as it is only visible in switch rules and nowhere else. But where it is good enough, its simple and fully HW based. That's a good point on this approach, you could do this in a switch rule for L2HW. Now the obscurity is more that requires understanding BOTH the bowels of mu...

Amm0

I have now looked a little further and found out that the behaviour is totally different. In some input masks it is coded in others not. :( Oh, I totally agree it ain't consistent. e.g. Mikrotik for sure clarify this better. My point was more it's not really UTF-8 anywhere, other than at the edges ...

Amm0

I take @mrz's comment to be that are NOT related other than if their changing BGP code, they want to do both at same time. e.g. I agree that for BGP to install ECMP routes, add path is not necessary , but since both ADD PATH and ECMP would need changes in best path selection code, those features sho...

Amm0

V7 has periodic updates to the Linux TZ database used. V6 only gets security or other critical updates... But does seem it's "Kyiv" in 6.49.14 (which came out recently).

Amm0

From RouterOS POV, at least logically, your correct mangle should work in the case. I just think it acts like generic Linux, thus needs routing rules. Certainly possible the BTH introduced some change in this logic. That's kinda the big question. If mangle worked before at some point in this case – ...

Amm0

Both cases will use main. Mangle has no effect in either case is what I'm saying as WG in kernel already processed it. e.g. it not just keepalives that use only main.

Did this setup work in some older versions (e.g. before BTH)?

Amm0

[...] Why do I think there is a BTH bug involved? Because no keep alive is set on this Peer ( server for handshake ) and thus WHY is the wireguard module contacting or using WAN1 despite our mangle? Why is it ACTIVELY trying to reach the wireguard peer ( client for handshake )? Why would you expect...

Amm0

Mikrotik for sure clarify this better. AFAIK, in webfig, you're NOT allowed to use the full UTF-8 charset actually. e.g. while web page does use UTF-8 for unicode input — I think it's transformed into [pre-unicode] Windows 1252 codepage for storage when submitted & then on display in webfig back...

Amm0

You can create a new bridge and put Ether1-Ether4 in it. Assign x.x.x.178/29 as /ip/address the new bridge, and the desired static assign on servers. Assuming you have the default firewall/config, you need to add the new bridge interface to the "WAN" interface list (under Interfaces > List...

Amm0

Bridge mode to hAPax seem like the right call – essentially your turning it into just a cable modem. So while you'd lose Wi-Fi from the Technicolor, I'd imagine the AX from hAPax3 is going to be better than the Technicolor. And routing/NAT on hAPax3 certainly more flexible in this mode. In terms of ...

Amm0

Perhaps. It's going from extra attributes in logs — that use memory by default, not disk... to "Use CLI for configuration - keeps the Netinstall away." there is no logical support for. The config isn't some text file — how :export manifests defaults is controllable with options i.e terse o...

Amm0

Perhaps. But TCP MSS adjust doesn't help UDP nor allow normal PMTUD to work.

But running a ping test with DF bits be right call – you'd know if it's an MTU issue.

Amm0

Use CLI for configuration - keeps the Netinstall away.👈 That does not make sense. I'm not sure that's valid advice. It's does matter how you enabled stuff like graphing or dhcp leases or whatever-else needs might cleaning up.... There isn't some magic CLI to free these things once created, only net...

Amm0

Slow network could also be an indication of a MTU/MSS issue. You dont seem to have any change-mss mangle rules? My advise would be to start with a ping and follow those packets to see if they follow the expected path both in FR as UK using torch/tcpdump. If a standard ping works, try to set the siz...

Amm0

LTE speeds are variable... and modem selection is based on signal levels and modems reported CQI/etc. Different modems report different things and tower reacts differently as result. Don't mean sound coy... more that I'm not sure there is much you can do. Perhaps disabling 2G and 3G network modes mi...

Amm0

Well, the VRRP part looks right to me. I wouldn't mess with proxy-arp, that shouldn't be needed. Perhaps add the VRRP interface to the LAN interface-list? And/or check your firewall isn't block something. Also, what's exactly happening and not working (e.g. is one VRRP working, in that one one is a ...

Amm0

Building your own 5G modem isn't that expensive or challenging. Perhaps. Everything is relative. We've done that for years starting with RB953 before LTE... you'd do have to ignore the time costs, especially for a one-off. And Mikrotik RouterBoard series has languished (e.g. marginal CPUs for true ...

Amm0

On the R11e-LTE, that's how it works AFAIK. e.g. it's essentially of filter on allowed bands. Have you tried without ANY band filters? There is a lot of subtleties in how a band is selected out of your control (e.g. at the end of day, the tower/carrier is in charge what happens)

Amm0

There is also the new L11ug board, https://mikrotik.com/product/l11ug_5haxd - although the power 12-28V is more limited & only 5Ghz but AX. The wAPacR internal antennas are connected with 2 x U.FL (not MMCX) so you use come pigtails to something else. The 2.4Ghz & 5Ghz are combined. It's a o...

Amm0

another example of the eternal crusade of the evangelists of Zerotier, acting like there is no other VPN type in the world the hype for something new in a race to deprecate anything previously existent That's a bit unfair. But these "protocol wars" are silly. e.g. JUST a reminder that wit...

Amm0

In your snippet, there is no plain "WAN" interface list, e.g.
/interface/list add name=WAN include="WAN ISP1","WAN ISP2","WAN ISP3"

Amm0

And if you store the results of print an a variables – by using an "as-value" at end to cause print to return an array – you use a :foreach to get the ->data and then call the hex2ints function shown above to get them as indexed array of bytes. An index array makes "porting" the ...

Amm0

Okay, well good news is you're getting the data from the advertisements. And the "hexstring" is 36, so as bytes it's 18 - which matches the C code. :put [:len [:convert from=hex to=raw "0dff5900035e42000024684e29e80302e5fe"]] 18 [admin@MikroTik] > /iot bluetooth decode-ad data=0d...

Amm0

Don't know if case here... But that can happen if preemption-mode=no. e.g. backup starts up before the master, priority won't matter when preemption-mode=no if backup is running. See docs: preemption-mode Whether the master node always has the priority. When set to 'no' the backup node will not be e...

Amm0

From the log it does not look like it's getting NAT'ed.

Amm0

I'm not sure you can. Or I don't know how at least.

You can change the REST of the "tooltip" contents in server's "settings", "map" tab. But... the graph of services is just there even without any tooltip defined.

Amm0

It could be version specific. There have been bugs in VRRP in a few releases. You'd have to look at the release notes for "vrrp -". But more with sync-connection-tracking=yes - why I suggest you don't use that unless you really understand how suppose to works. Also, perhaps a cut-and-paste...

Amm0

No emojis. There is no UNICODE support at all (e.g. UTF-8 or UTF-16). RouterOS, essentially, uses single-byte code pages, specifically CP-1252. See https://en.wikipedia.org/wiki/Windows-1252 for your options, mostly latin-based accents/etc. e.g. following add "€×××" as comment to ether1: /...

Amm0

Good news. I think this went south when you did the netinstall. I suspect it did work orginally and did NOT need netinstall, but if new and not familiar with using MAC address in winbox to connect... it can look like things don't work and need a netinstall.... If you haven't already upgrade the mode...

Amm0

Nothing stops your inter-vlan bridging configuration, per se, but you make a mess of STP that needs to be managed (e.g configuring MSTP, or disabling STP everywhere). But certainly the doc aren't going to recommend bridging VLAN together because of all the side-effects. Doesn't mean you cannot do it...

Amm0

Try it without sync-connection-tracking to confirm it works first. e.g. sync-connection-tracking=no

I'm not seeing where you're specifying the remote address to sync with either. Note that sync-connection tracking will only work if the WAN IP is also same on both routers.

Amm0

Not very interested in going off Mikrotik though. Kinda figured. Why a bosun chair and a 2024 wAP-LTE or wAPac-LTE6 seems dirt simple and cheap - let this 5G stuff sort itself out. The ethernet down mast and PoE/DC tie-in be same regardless of 5G, so easy to swap later if more speed was needed. You...

Amm0

Your VRRP addresses need to be /32. Preemption mode will cause a router to return to master once it's back online (still based on priority). LAN connections will drop when VRRP flips since you have two routes to internet. Client connections should get reestablished but VRRP failover will be noticeab...

Amm0

Your diagram didn't make it here.

One quick option is to enable uPnP on the router and NVR. That should open the need ports. Since uPnP will generate dynamic firewall NAT rules, you can use those as examples to create your own [static] rules & disable uPnP later.

Amm0

Normally the defaults leave you a decent place. But that config ain't going to work and it's multiple things. But even in this state LTE should still come up IF it carrier supports a "network apn" — problem is not all carrier support this. At the same Terminal, you might try doing a: /syst...

Amm0

LOL, I was going to mention the more limited IDs. I use scripts for config, so keep VLAN ID under 256 was helpful for subnetting/naming too (e.g. VLAN 100 = vlan100/vrrp100/dhcp100/pool100 = 10.100.0.0/192.168.100.0) so VRRP just follows same scheme. I'm pretty sure all being vrrp-id=1 on separate V...

Amm0

VRRP is scoped to each subnet/VLAN it's attached. So the vrrp-id are not going to "overlap" across VLANs since each has their own broadcast scope. AFAIK RouterOS does not use the VRRP ID, other than in what's send out via VRRP. But setting VRRP ID to match the VLAN ID it's listening on I t...

Amm0

Still remains the question whether it brings any advantage to have any DNS server on the DHCP's DNS list other than the DHCP server's IP address. The secondary DNS brings only an advantage in the case if the first DNS - the router itself - doesn't reply. FWIW DNS clients are free to use any DNS ser...

Amm0

Yeah if you enable "Allow Remote Connections" in /ip/dns, that will add the Mikrotik router as DNS. If that's disabled, it be only the dynamic DNS (or any static DNS servers set).

Amm0

All these point are fair. But the diagram here shows 4 routers. In total, it's ~5-10 lines of config per router for "pure" WG... That seems manageable & I'd listen to @anav on config. It's when these change a lot or you have dozens of routers, then something outside of Mikrotik is ofte...

Amm0

Perhaps the better question is do the public IPs need to go through the firewall (option 2 or 3)? Or, do you want the computer with public IPs to be directly on the internet without the Mikrotik firewall (option 1). @qadir52786, I recommend you open a new topic with a diagram, description, and/or an...

Amm0

Kinda a preference thing IMO. Leaving /ip/dhcp-server/network's DNS blank is means "inherit" the /ip/dns ones. This allows default config to work... but often being explicit in config is more clear. The central question is whether you want Mikrotik to do DNS caching? If you do, you need to...

Amm0

ZeroTier is easier to setup, but even if idle it ZeroTier does use more bandwidth than WG. In - my - opinion , WireGuard is far easier to setup and far more efficent to run when KISS is applied .... but if you are a Rocket Scientist then ZeroTier is your cup of Tea. :) It's kinda "pick your po...

Amm0

ZeroTier is easier to setup, but even if idle it ZeroTier does use more bandwidth than WG. Plus as more routers are connect to same ZT network, even more bandwidth is used to maintain the bridge/paths. And the ZeroTier builtin to Mikrotik does not support ZeroTier "low bandwidth mode". If ...

Amm0

Well costs is linear largely modem's "category", typically the number after the LTE on Mikrotik's. e.g. The Chateau 5G is $530 retail, Chateau LTE12 is $229, and the LTE6 one is $149. Only major difference is the modem. Now the Chateau LTE18ax uses better CPU and better Wi-Fi at $299 ( LTE...

Amm0

It does like switching from a dongle to wi-fi is sometimes flaky. What's odd is wine does deal with multiple interfaces, since I use ZeroTier with wine+winbox+Mac which does show all the discovery with either Wi-Fi or ethernet. Have you tried disabling Wi-Fi when using the Ethernet dongle? And/or re...

Amm0

Is everything else working... and the ONLY issue why QuickSet is showing wrong LAN? Yes, the only issue puzzles me would be how come when i added WAN IP : 61.219.84.105 (interface sfp3) into address list, Quickset Local Network would jump right away from 192.168.88.1 (default LAN IP) to 61.219.84.1...

Amm0

Figured it was the array.

Anything in winbox with the <> up/down arrows next the control is generally an array in scripting. Some commands will "cast" an array of one element to str/num, but :find doesn't... So it's a bit confusing.

Amm0

@anav, did you lose fast-path with IPIP? On the TILE or one of ARM things? READER NOTE: - RoMON needs EoIP to function at Layer 2 — IPIP (at layer 3) will not work for RoMON. @anav is experimenting with IPIP as a "poor-mans WireGuard" for a Layer3 VPN between two Mikrotiks. - All EoIP, GRE...

Amm0

Hi Ammo, I was able to establish an IPIP with ipsec secret with one fixed WANIP and one dynamic Wanip ( and gain access to config via winbox ). Dont have any cgnat to test however. The DDNS trick here makes the dynamic WAN IP possible, irrespective of a CGNAT. The nice thing about either EoIP or IP...

Amm0

That looks like the Mikrotik Hotspot rules. So assuming non-guests using a normal SSID, you might be able to use the hotspot= match in a filter rule. I can not test it but something like: /ip/firewall/filter/add hotspot=auth chain=output out-interface=lte1 action=drop /ip/firewall/filter/add hotspot...

Amm0

A download (incoming) queue isn't as not as useful IMO. I'd keep the upload (outbound) queues. I presume you're using TCP-based speediest, what happens when your run a speedtest/btest/iperf for 60 seconds. I do suspect you'd see higher speeds even with a download queue when a longer test than someth...

Amm0

About filtering out the guests network, I also suppose netwatch can be a very easy solution, if I can understand how could I ping with a specific source IP (WAN1 and not LTE), is that possible? Then I've just to turn off the public bridge. I'm not using VLAN for it, I'm using a provider which autho...

Amm0

It's probably due to the extra processing required for queues. I've read that CAKE is very CPU-intensive? Yeah the queue type might affect things. I'd think fq-codel might be better starting choice. Is the queue dropping anything that might cause less bandwidth? Are you using a queue tree or simple...

Amm0

Few options: 1. put the /29 WAN on bridge, either a new one or as a tagged VLAN on existing one, then connect assign bridge ports to use the ISP bridge/VLAN - e.g. switching 2. assign all the IP to the router, and then use a NAT rule for action=netmap between a LAN IP and desired public IP - e.g. on...

Amm0

Is the guest network a VLAN? If VLAN, one way is using routing table with only main WAN and use a lookup-only-in rule (/routing/rule) based on the guest VLAN subnet to select a main-only route table (/routing/table). If not, you can create a /ip/firewall filter rule to create drop rule based on the ...

Amm0

I did some experiments a while back, kinda came to same conclusion. It's funky, but actually works. Old CAPsMAN used DLTS tunnels to the controller, so tunneling traffic over Wi-Fi isn't exactly that funky. If familiar/using with MPLS elsewhere, all links being the same has some advantage. Theoretic...

Amm0

QuickSet being wrong is NOT going to effect the rest of the config's operation.

Is everything else working... and the ONLY issue why QuickSet is showing wrong LAN?

Amm0

Couple other things too: - The first line use "get 1", however that's not an *id so it depends on print being called to establish the index of 1. Using "get ([find]->0)" or "get [find name=queue1]" instead avoid needing. - There can be multiple "target" from &...

Amm0

quickset=quicksand :-) I am wondering would it be possible that Quickset has recognized something wrong? QuickSet might need the comment "defconf" on the bridge for it show the right LAN. Since I use QuickSet as a status page... I know it uses either the name or comment "defconf"...

Amm0

What if you wanted to do EoIP on top of wireguard and add RoMON?

Ask and answered below

. So EoIP + WG with RoMON is discussed here:
viewtopic.php?t=203137&hilit=romon+wg#p1046880

Amm0

The above rule is needed for ZeroTier + RoMON.

But I recently wrote up steps for EoIP + IPSec with RoMON here – since not all routers support ZeroTier: viewtopic.php?t=206322

Amm0

For ZeroTier with RoMON , you need to modify the flow rules to allow it on at my.zerotier.com. RoMON uses a non-standard ether-type at Layer 2, so this needs to be allowed in the "Flow Rules" for the ZT network. Specifically adding the following at very TOP of the rules (before the drop ru...

Amm0

You should not be using QuickSet if you have multiple WAN. The reason QuickSet show the wrong LAN IPs, is that it's looking for the IP of an interface named "bridge". Since you renamed that, it's just guessing the first interface is the LAN. But this is only an issue if you click OK in Qui...

Amm0

It was kinda rude. You've posted before. And easy to imagine there be problems connecting from China.

I think it more that no one here can help, you should email Mikrotik with output of traceroutes in case it is something on their side.

Amm0

Dont feed the trolls.

It is possible China changed its policy recently. AFAIK, Mikrotik uses the same subnet for BTH as everything else.

Amm0

I think that the question is: Does China blocked Mikrotik's site?
I think so, but ping is OK, http and https can’t be accessed.

But this forum works?

But I'm not sure it's on the Mikrotik side. Other than the Back-to-Home feature might have caused scrutiny.

Amm0

Is it just license.mikrotik.com or does www.mikrotik.com also not work?

If you need to renew/buy a license, and it's not working, you might want to email support@mikrotik.com

Amm0

Good day i am needing some help I have a bluetooth sensor that i have connected and whitelisted it to a MikroTik KNOT LR8 router Most of that is portable to RouterOS script. The tricker part is the floats. So are you getting data from if you check "/iot bluetooth scanners advertisements print&...

Amm0

Best you can do is use comments today. Those comments could be UUIDs if you wanted, but nothing automatic. Another technique is using functions that do wrap the ":if ([find name=ether1] do={ set name=MyName } else={ add name=MyName }" kinda logic, this can reduce the script size, but not t...

Amm0

FWIW, I call it "'two passes' through the firewall" ..... but it really just transitions from a physical interface to a logical interface (via the DECAPSULATE? and ENCAPSULATE? boxes) in the Packet Flow diagrams : https://help.mikrotik.com/docs/download/attachments/328227/PacketFlowDiagram...

Amm0

yes, but in your example the input chain rule (traffic from the other public IP), limits by protocol GRE.......... You can try "protocol=ip-encap" as matcher instead of GRE. I'm not 100% sure that "IPIP" since docs don't say what it is. But worth a try as IPIP is encapsulated IP...

Amm0

Now what about on the main server MT device with public IP what do I put on its input chain so that the tunnel can be established. anything ???? You need the address-list with remote end's IP address via DDNS to be allowed in filter. See Step 3. The DDNS of remote will be the public IP detected fro...

Amm0

Also one can go into the default ipsec config and improve the security settings, for example would change the DEFAULT PROFILE SETTINGS TO a. HASH proposal (from SHA1) to SHA256 Tip: The IPSec proposals do have match on BOTH sides. If they don't, you'll see errors in log. Why I know? I'd forgot one ...

Amm0

Not sound like you, but what's use case for IPIP? It won't work for RoMON. RoMON uses a different Layer2 ether-type, so it's not even IP – which kinda why it safe since it's impossible to go via the internet without GRE (or Layer2 VPN like ZeroTier). That is if you trust all the routers connected to...

Amm0

AMMO, can you test with IPIP instead or at least tell me how to do so beyond the standard settings. aka. for client site with no static public IP --> what do I put for local address?>> aka. for server site with public IP --> what do I put for remote address?? What additional firewall rules are requ...

Amm0

Another thread that evolved into using EoIP+IPSec with RoMON to enable out-of-band management across a secure WAN. @anav asked Id be interested in your only one side needs public IP teaser. Please elaborate!!! and I tried but got: Y:ou have to be more clear than that sir, I have no idea what you me...

Amm0

It's actually IPSec, not GRE, that need to be allowed through Ubiquiti UDM-Pro to get to the "hidden hEX" #355. Only the MikroTik Routers be able to see the GRE, since the tunnel is encrypted to even the Ubiquiti UDM-Pro.... Possible the Ubiquiti UDM is accepting, rather than forwarding, t...

Amm0

Id be interested in your only one side needs public IP teaser. Please elaborate!!! Just tested with Fiber+Static to LTE+CGNAT with EoIP+IPSec: It works. But still need use the CGNAT'ed remote address on the "static IP" side. But you can use the DDNS name of the CGNAT side in EoIP config (...

Amm0

Id be interested in your only one side needs public IP teaser. Please elaborate!!! Here was the post: https://forum.mikrotik.com/viewtopic.php?t=203951&hilit=eoip+nat#p1053229 It suggests when EoIP with an "IPSec Secret" set, that Mikrotik does enable nat-traversal=yes under /ip/ipsec...

Amm0

Note that when I added an ipsec key, I was forced to turn off "Allow Fast Path"

Which is okay, you're really just using it for management. But all encryption has to flow through the CPU anyway.

Amm0

I'd love $0 to return the script name. It's this case where $0 being the containing array from a function be useful, :jobname does NOT help here: But in essense you are correct the functions are stored as items in an array. The basic design is to attempts to mimic objects and having the ability to ...

Amm0

Dont forget to tick the ipsec security otherwise you are creating an open hole at both ends..... True. It's actually setting the "IPSec Secret" that enables in V7 – I'm remembering V6 I think with checkbox. Someone suggested that EoIP with IPSec enabled, only one side needs to have a publ...

Amm0

So, with (for example), a ping-start-after-boot of 10m and a ping-timeout of 2m, the system will wait 10m after a boot, then start pinging the watch-address. If after 6 attempts in 2 minutes the watch-address does not respond to the ping, the system reboots. Correct? Yup. My situation does not use ...

Amm0

I like the idea of EoIP because of the advantages of layer 2 connectivity to all devices, but I am concerned about traffic or taxing the MT devices with firewall rules. The idea is EoIP just carries RoMON protocol. If EoIP is NOT bridge to anything, and each end has a unique IP address in same subn...

Amm0

Fair point @anav. More LTE can be finicky for a variety of reasons. And watchdog will capture the logs in supout.rif – kinda ready for a support case since LTE should recover after a hard powerfail. I kinda view watchdog as something that really shouldn't happen. But with LTE, there is a lot of thin...

Amm0

This was to resolve airtime being wasted with multicast traffic, being sent at a much lower data rate. Although this has resolved issues of hung webpages, the throughput has gone down from 400Mb+ to around 200Mb. I haven't tested it, but did you try multicast-enhance=yes ? This wifi option converts...

Amm0

There are two SIM slots, so you may need to set the alternative one (or swap the SIM cards inside work too). If it's V6, the SIM slots is under System > RouterBoard, or in V7 under Interfaces > LTE tab > Modem. No Wi-Fi on RBSXTR, just ethernet. Is this going to another router, or is the idea the SX...

Amm0

My opinion is we don't need another pointless thread about removing feature. It only adding new ones that gets them in trouble. Mikrotik has explain numerous times that breaking up is hard to do ;). Most people want stable V7 with the features it originally shipped with working. I'd say most profess...

Amm0

EOIP works between two IP addresses and doesn't care about how its packets move from point A to point B. So one can use any kind of connectivity to do the job. Since EOIP doesn't do any encryption, it's wise to use something that does it. IPsec is fine, wireguard is fine, etc. Only point was EoIP i...

Amm0

If you have some central Mikrotik router, another option might be EoIP+IPSec connected from remotes to the central router. If you enable RoMON on all the routers... then you connect the central router via winbox+romon, you'd see all the remotes via the EoIP tunnels. The EoIP do NOT need to be bridge...

Amm0

Yup, some backup VPN might be a good idea. Beyond ZeroTier. If you have two Mikrotik, SSTP is pretty trivial to setup between them. L2TP is also pretty easy to configure if you need VPN from a desktop. Or even a container with CloudFlare ZeroTrust WARP tunnel be another option too, although way more...

Amm0

If it's multi-homed ISP part... it might be similar to viewtopic.php?t=205278

Amm0

ZeroTier if ARM since it will try a few different path to connect, and not as exposed to configuration issues that WG would be firewall/etc. Winbox does not use very good encryption and does not have robust DoS features is why it's not generally recommended to be open to internet. But same logic kin...

Amm0

Personally, I think it's better to start with the newer default configuration of hAPax, and use the old config as a guide what to add on the hAPax manually. And compare the two configs after done to see if anything was missed (since they should look similar) If you add more hAPax, then it should imp...

Amm0

It's the "Get it by Tomorrow" [even Sat/Sun] that's useful about Amazon IMO. In general, if you're ordering a few units, the total cost likely be lower without Amazon - or at least that's what I've found. And Amazon often limits purchase to only one or two units is the 2nd problem (or they...

Amm0

Interesting, but who uses UPNP,,,,,,, I mean do games actually still require that?? I do everything off steam, nothing fancy required, just works. Camera systems and VoIP use uPnP a fair bit. More pointing out RouterOS does have some feature that modify the firewall dynamically... and that where mo...

Amm0

Well for an advanced user fill yer boots with ! rules. Well, if beginners enabled uPnP (or NAT-PMP recently) that !dst-nat rule is what makes it work. I guess "newbies" should only need to add lines (either accept or drop) and leave the rest alone if they don't understand. Agrueably, thre...

Amm0

Lets be honest most beginners look at that rule and dont have a sweet clue what it does. Perhaps. Or the rules added BTH or PPPoE's MSS, etc. adjustment for that matter. ;) More saying the default config is not meant to be an example. Three rules likely use more CPU than one. And Mikrotik generally...

Amm0

It's really not a "config" — it a script file used to setup a router. So when you :export, that more "script generator" & :import similarly just a script runner. Only backup is "full copy" of everything. As script, the order can be anything you want. Now if a called...

Amm0

! sure negation is particularly hard in context of rules. It connection tracking "established" part that make things trickier to understand than !. Keep in mind, QuickSet and Mobile Apps have UI for "Port Forwarding": which just add a dst-nat rule, but this only work because of ...

Amm0

That info was removed from the doc under the comment “Formatting” in the most recent update. You have to roll back to the prior version or diff them to recover the info. Perhaps the docs came before the code on the HW QoS side, dunno. I take it as good news...kinda means they been looking at/testin...

Amm0

And also routes for each VLAN? @anav means when you add an IP address to a VLAN, it includes a prefix like /24. That a subnet mask of 255.255.255.0. It will then automatically create a /24 "connected route" for test VLAN in /ip/route (marked with a "D"). A connected route means ...

Search found 3824 matches