MikroTik

Amm0

Either should work... It could be the password has characters that require escaping. try using quotes "" in the curl -u "user:password" ... (or url-encoding if using http://user:password@ scheme) SwOS has no default gateway, so you have to be on same LAN segment for it to work, i...

Amm0

Lack of responses makes me uneasy Does no one have both GUA and ULA on the same link?

LOL, you're normally the one with IPv6 answers...

You seem to allow ICMP in firewall, which would have been my guess. Is it getting any hits in counter?

Amm0

The "sandwich" in upper-right "..." has a "Page History" for any page in help.mikrotik.com. Diff can be seen there:
https://help.mikrotik.com/docs/pages/vi ... Id=8323208

Amm0

Curiosity of the day:
The netwatch help page has been changed/edited yesterday,

I filed a report about the docs. MT fixed the description of the thr- params...but yeah they forgot the ICMP probe stats (which have been wrong for a while). It's still open.

Amm0

Given what you have, and you know how to setup links and switch... And your "neighbor customers" don't have demanding needs.... The easiest way is put the customer LHG into "CPE Router" in QuickSet (see https://help.mikrotik.com/docs/spaces/ROS/pages/167706788/Default+configurati...

Amm0

*) route - added options to set dynamic-in and connected-in chains in /routing/settings; FWIW, these are not in the docs yet (or at least I cannot find them): /routing/settings/set <tab> connected-in-chain dynamic-in-chain single-process The "dynamic-in-chain" works fine, but none of the ...

Amm0

Also, what may be happening... is netwatch will not "get" a threshold value if it is still default value / left unset. (More specifically, the value return of the get will be type "nil", and NOT the default value).

Amm0

@Amm0 so you automatically give for reknown basic things that a beginner needs to learn My point is if you understand the problem, you MAY be able to avoid script. If goal is to JUST "tweak a netwatch", then to output current values (rtt- loss- etc) AND configured "threshold", t...

Amm0

I think it might be easier to just add the AAAA records, perhaps using mapped prefix ::FFFF: like ::FFFF:192.168.88.1 as the address (match to the A). This would return a valid address (from pure IPv6 point of view) to the device, which then might try to use it. [...] You're probably right. I was t...

Amm0

Didn't we already have this discussion about the same script? See https://forum.mikrotik.com/viewtopic.php?t=216444 It's a different problem. Anyway, jaclaz has more patience than I. If we knew what the desired output and preferred scheme, it be easier to help. And, my understanding is that only th...

Amm0

So if you put the WAN interface into the bridge also, with I think the same firewall rules, would it not be faster? [...] The way it's configured in the examples is it not the case that all packets between the bridged VLANs and the WAN have to be handled by the CPU at L3 where if that port (or VLAN...

Amm0

Didn't we already have this discussion about the same script? See https://forum.mikrotik.com/viewtopic.php?t=216444 It's not helpful to start again, since context is lost. Discussed in that thread is there is no need for :local variables in the first place! When a /system/script is called as action ...

Amm0

*) dhcpv4/v6-client - added check-gateway parameter;

Using WInBox4, the DHCP client "check-gateway" option is a static control, but should be drop-down.

Amm0

I did see something odd in a YouTube video. With Winbox - In the bridge section. Double click the bridge then click the ports tab, I see the interfaces with the PVID. The video showed manually putting the ether# on each vlan in the vlan tab (in the tagged untagged section). I did not do this and it...

Amm0

I think it might be easier to just add the AAAA records, perhaps using mapped prefix ::FFFF: like ::FFFF:192.168.88.1 as the address (match to the A). And a script/scheduler to keep them updated from A record if desired. Or perhaps just use NextDNS for all static records, and just let MikroTik resol...

Amm0

So, provided that the way I understood the mechanism is correct :? , it seems to me that: interval should be as low as possible (with some common sense, the default 10s seems too little, I would settle for 60 seconds or 1 minute) Well, I'd say that setting interval= is more about often you want any...

Amm0

Regardless about thoughts on AI... you haven't stated the problem you're having. That's the issue! ChatGPT analysis is also FURTHER WRONG about using 0.0.0.0-0.0.0.0 range. ONE client will get a 0.0.0.0 address, since pool in inclusive. So if the goal was ALWAYS RADIUS, then 0.0.0.0-0.0.0.0 isn't th...

Amm0

[...] the only way to know for sure if a particular box would do the job is to buy it and put a hypervisor on it and test with CHR (or x86 ISO as a VM) and PCI passthrough. If all ports are passed through and show up in the VM, then it should support everything natively. [...] Wouldn't it be easier...

Amm0

If only something like a hAP ax2 LTE6 kit existed. Well, they do make the hAP ax lite with CAT6 modem, internal antennas, 5 4 ports, and small. https://mikrotik.com/product/hap_ax_lite_lte6 If you need it as a main router with LTE backup... now the hAPaxLite-LTE6 might be a little unpowered dependi...

Amm0

I'm not sure exactly what you're trying to do since you mention fiber and LTE. For LTE, if you want the modem to go DIRECTLY to a port (thus not routed or available to the MikroTIk), you can use "passthrough". See docs: https://help.mikrotik.com/docs/spaces/ROS/pages/30146563/LTE#LTE-Passt...

Amm0

I face the same problem with a RB1100AHx4. Probably not. /container is just picky on config, so it can be a lot of things. Plus, fixes/changes get added by version. I have tried all the above and still the same problem mentioned at the top of this thread. Any clues anyone? Post what YOU tried, your...

Amm0

I would normally use static-only selection in corresponding vlan dhcp server setting but chapgpt insist [ ... ]. Any insight is much appreciated. So you knew the answer: use "static-only" to skip using a pool.... Was there an actual problem that lead you search an LLM for some answer? I'm...

Amm0

Maybe @jaclaz can share the spreadsheet, that might be easier to see what going on. Or you can use /tool/torch or /ip/firewall/connections to see the effects. packet-interval is often each icmp packet is sent within the interval. So one packet goes out when netwatch starts, then after packet-interva...

Amm0

/tool netwatch add comment=Netwatch-192.168.2.2 disabled=no down-script=Netwatch-details host=192.168.2.2 http-codes="" interval=2m name=Netwatch-192.168.2.2 packet-count=400 packet-interval=200ms test-script="" thr-avg=\ 400ms thr-loss-percent=95% type=icmp up-script=Netwatch-d...

Amm0

Converting @jaclaz calcs.... you're running 3⅓ pings every second... Assuming you the path is over fiber/cable with decent speed, I don't think it matters much – it's still not a lot of data even at 3⅓ pings/sec. But does seem high frequency. If it's working, I'd leave... or perhaps copy @jaclaz's s...

Amm0

I had case where file was corrupted in mount dir, because service was writing some file in it. So if such files are not recreated there, issue can still persist if is such case. Fair enough. More saying it's a 50/50% shot it the root-dir (*perhaps higher since there are more files) & if root-di...

Amm0

Can you see the files in the mount? ... If so, you should be able to just delete the container - not the mount. And create a new one, using same VETH and mount as before. In fact, if "copy" before deleting, you'll have all the setting to re-create it (perhaps needing to specify the tag). W...

Amm0

The only issue I'm facing now (somewhat related to the original one) is that when I get home, BTH doesn't detect that and stays connected and the connection is unusable until I manually disconnect. I'll mess around with Tasker to see if I can do something about it. On the router, it does take it a ...

Amm0

BUT your issue is DELETE does not take a body ... Well, I'm half wrong. According to RFC specs for HTTP, DELETE with a message body is just discouraged and undefined – so my "does not" is wrong. But seems MikroTik is also under the same WRONG assumption that a message body is not allowed ...

Amm0

No one has "proof" of anything. Just arguing about nothing.

MikroTik hopeful will expand there "Test Results" to include VPNs. Lot of conjecture everywhere, and no controlled apples-to-apples tests anywhere.

Amm0

The wAP generally do pretty well - obviously they need to be vertical and screwed on tight etc. And using some silicone can help further seal it.

Amm0

Error 400 for /tool fetch That does suggest it's the payload. You can enabling logging in /system/logging, which will output the generated header etc to logs: /system/logging/add action=memory topics=fetch and then compare those with working curl if you add a "-v" for verbose logs ... (an...

Amm0

What error code are you getting?

Amm0

And, "({\"items\": [{\"id\": \"$id\"}]})" like be "{\"items\": [{\"id\": \"$id\"}]}" without parentheses or perhaps just, since items is in URL, it shouldn't need items in body, but IDK the CF API... "[{\"id\&q...

Amm0

And,
http-header-field=("Content-Type: application/json","Authorization: Bearer apiToken")
should be:
http-header-field=("Content-Type: application/json","Authorization: Bearer $apiToken")

[and maybe another cut-and-paste error, just saying]

Amm0

Your URL has spaces in it: https://api.cloudflare.com/client/v4/accounts/ $accountId/rules/lists/$listId /items so might want to try: https://api.cloudflare.com/client/v4/accounts/$accountId/rules/lists/$listId/items Now, according the HTTP 1.1 spec, I pretty sure a body is allowed with a DELETE, li...

Amm0

The variable names match winbox, except the name is all lowercase, and any spaces become a dash (-): netwatch-icmp-variables.png As noted, both here and docs, if it contains a - (or space as shown in winbox), then you need to use $"first-second" in any scripts. Is there some terminology so...

Amm0

It's just $"loss-percent", $"thr-loss-percent" defines where the $"loss-percent" fails. These variables already pre-defined in the down/up-script= so they do not have to be declared or "get"

Amm0

Why are you dropping related connections as the first action? /ip firewall filter add action=drop chain=forward comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked disabled=yes in-interface-list=WAN protocol=\ icmp - nevermind, it's d...

Amm0

Amm0, with all due respect :) , you need to use more linear English if you want to explain something (or maybe you also got the Latvian virus that make affected people use excessively periphrasis or double negations? :shock: ). LOL. Perhaps. I'm waiting for Apple Intelligence to do proofreading in ...

Amm0

Might want to try output=none

I'm not sure why that's getting an error. But the RAM FAILED issue is odd and never seen.

Amm0

I have a website that converts a curl command (at least most of them & also limited to what fetch can do) Click the "curl2rsc" link on https://tikoci.github.io/restraml You can past in the `curl` command and pick a "format" (i.e. to variable or to screen etc). It sometimes ta...

Amm0

The tricky ones are (IMHO) the "statistic" ones, avg and stdev, particularly the latter. I believe that the real world behaviour for these might be influenced by the sheer number of pings performed, i.e. by packet-count, a higher number of pings per run should "flatten" the stat...

Amm0

The way I read the docs, it is a "or", i.e. there are 6 different thresholds: thr-max (Default: 1s) Fail threshold for round trip time-max (a value above thr-max is a probe fail) thr-avg (Default: 100ms) Fail threshold for round trip time-avg thr-stdev (Default: 250ms) Fail threshold for ...

Amm0

What version of RouterOS are you using? If it's V7... (if not, redirect is only only in very new V7) you likely don't want to set mode= nor src-address=. Also you can can use user="" password="" instead of setting the header with auth string You can also enabling logging in /syst...

Amm0

Please share the R11e-LTE-US files so I can install them on my LTE module.

You need to get them from MikroTik as they cannot be posted publicly. Email support at support@mikrotik.com for the files, which will have the instructions since it rather complex operation.

Amm0

LOL, almost same answer.

Amm0

The "D" part is important in first column..., that mean "dynamic" config. That means it was added by RouterOS, so the way to remove a "D" item is from the source that created it. So the item you're trying to remove looks like a "connected route" (see MikroTik ...

Amm0

Another potential factor is internet traffic is often asymmetrical flows (i.e. consumer WAN typically have more download than upload). This leads to a related question... is there any difference in CPU usage between upload and download? IDK with WG, but typically there is a difference in CPU load be...

Amm0

Built-in SMB is still bad for some reason. It works fine on 7.17, but throughput on 7.18-7.19 are horrifically slow. One of my test routes is RB1100AHx4, and since 7.18beta2, SMB connections from macOS will cause a hard crash of RB1100. I opened a ticket about, SMB is not critical for me, but it st...

Amm0

then MT simply needs to ensure the functionality exists that covers both, even if its just a checkbox. Agreed! Overall, how WAN "failover" is handled could be improved more generally. Personally rather mucking with conntrack-tools/etc... I'd perfer support for adding eBPF code to the exis...

Amm0

I just wish MikroTik would expand its "Test Results" section to include VPNs beyond IPSec. Or publish some doc/white-paper on performance. Part of the problem here is that each hardware platform may yield different result to which is "best". And whether you're use case is closer ...

Amm0

This is MikroTik. Just because there are not user-visible changes, does not mean they are not "working on it". But since everyone talks about wanting a newer data plane, they could be working on that to modernize it... THEN add some X feature AFTER that architectural work. Who knows. But I...

Amm0

how about NETMAP in conjunction with ECMP + NAT POOL? I'm just thinking aloud here Clever. Now I cannot quite picture that, but I'm sure there is some tricks to pull with netmap... But issue is PCC already let you do this, which be less complex than some netmap-based scheme. IMO the use case for EC...

Amm0

That's a really good idea. Never thought about this, but fill the gap where you'd want "more stability" in load balancing. Now that come at expense of diversity/spreading, so potentially less optimal at maximizing bandwidth... Now if you have enough clients , it still get close to balance....

Amm0

I'd have to guess Blocky be more efficient. It is pure Go code, which is designed for containers and doesn't have all of the rest of Linux like PiHole. Now blocky is more limited in feature if you're coming PiHole. Also MikroTik does have adlist now in DNS, which takes a basic URL lists to block. Th...

Amm0

If you already have the powerline network up... RouterOS has a virtual machine "CHR" (which has a free edition) to test it before getting real hardware. I'd have to imagine power line presents as a switch on the ethernet side, so RouterOS and Dot1X should be able identify particular/unique...

Amm0

Well that is a different approach, I guess it avoid the needed permissions for netwatch. The only esoteric issue with using script/scheduler outside of the "On Down"/"On Up" netwatch scripts... be if the netwatch polling could happen while that is running, if that happened... the...

Amm0

[...] The docs and history suggest NAT masquerade should clear conntrack based on IP change... [...] This is not a feature request, rather just an adaptation to a new way of doing things. [...] Your asserting the kernel current logic, trumps what the MirkoTik docs do say. Perhaps. Docs could be wro...

Amm0

I get the kernel discussion... but Mikrotik does patch a lot of things, so kernel version is not always that telling. The docs and history suggest NAT masquerade should clear conntrack based on IP change... so suggestion DHCP feature for it seems premature (i.e. if DHCP client could do it , so could...

Amm0

In the case of variables names, you cannot use underscore without quotes AFAIK. So :local "my_variable" not :local my_variable.

Amm0

Hmm. If you're not seeing the lte1 interface that's a bit different. I thought the Inseego FX3100 was one of the hotspots with USB, but just looked that more full-blown router... You're may be best just using Mikrotik defaults, and enable the "DMZ Passthough" on the FX3100 to the IP addres...

Amm0

I donated my copy of TCP/IP Illustrated long ago. And Mikrotik docs are a bit vague. So very hard to definitive. Maybe someone else has ideas / double-check your theory. I doubt TCP-MP is involved: the device is a laptop and WiFi was its only path to the internet. I only have one gateway in the netw...

Amm0

I'm doing a yearly review of the firewall Some of these connections seem to be related to Apple's iCloud Private Relay (ODoH): IDK, but Apple does like TCP multiplath ... so perhaps related to escaping "invalid" you commented on. [...] I plan to selectively allow some of the invalid packe...

Amm0

BTW, what do you mean by default is https://lscr.io ? Can Registry URL be omitted, making ROS default to this one? On new units or after reset-configuration, that's the new default. I haven't test that much, why I asked (even though a more careful reading might have seen that). I filed a bug on doc...

Amm0

Seriously, which parameters lead to 19s620ms?

interval=10s packet-count=50 packet-interval=380ms

Amm0

No smartypants, connections have the connection flag, this one doesn't.

My point was it's not clear and there is more subtlety here... Might be the DHCP client polling? Now whether that's a connection in this terminology, IDK.

But I like feature.

Amm0

*) ip-service - show all TCP/UDP connections on the system (additional fixes); *) ip-service - show all TCP/UDP ports on system, including ports in containers (additional fixes); Please re-read changelog - one entry is about "connections" and one about "ports" or, as you prefer ...

Amm0

That looks right to me. As I said, I'd compare the "Status" to make sure all the other RTT things are well within the defaults. If not, or even close, specifically set the various thr-* higher. If you temporary enable topics=netwatch in /system/logging, it will log both the values got, and...

Amm0

Now there is a good idea @rplant.

OP - Is the internet via fiber, cable/DOCSIS, or wireless(5Ghz,60Ghz,LTE/5G)? CAKE lets you set that too. If it's WISP or LTE/5G, it might be just congestion.

Amm0

And polishing interpreter will not hurt. Or the JIRA list of bugs.... Just even just showing colorized syntax in webfig/winbox to show the errors that /console/inspect "highlight" does in CLI and CLI "edit" command - so if you cut-and-paste some LLM code to /system/script, it sh...

Amm0

I cannot image it being a problem, but you're right it's not entirely clear what/if the "limit" be. One has to presume its memory, but even a DHCP record of 1-2K of data each... that still add up to few or dozen(s) MBs of RAM. And, it even being 1K might be pushing it, MikroTik is pretty e...

Amm0

Are you using "b2b.static" as APN and unchecking "Use Network APN" in the LTE APN settings? You may want to confirm b2b.static is right for your account, but I think they use same for any account that has paid for the fee to enable static IPs. Otherwise the default config should ...

Amm0

That only work if VLAN already existed in /interface/bridge/vlan. Now you would have the bridge vlan entry if you already had a /interface/vlan in 7.16+, since one be created dynamically. But otherwise you need an "add"... not set.

Amm0

Still it needs to learn by actual good examples which for rsc there are not much available as for other languages which can mislead AI.

All roads lead to improving docs, and perhaps more "wizards" in UI or at least docs with complete examples to avoid needing AI (or at LLMs)...

Amm0

You can choose to understand what they meant to say or you can choose to get lost in translation.

why not be accurate and fix the RN?

Amm0

It's not hard at all. LLM models just need to be trained with formal syntax or grammar specification languages like EBNF, ANTLR, etc and might be complemented with structured representations such as ASTs. There are plenty of tools and well-documented processes for this online. You do get close the ...

Amm0

Tried another one with Dude AI. And it's similar with config (which is essentially still scripting) – while perhaps LLM get "closer" for standard config... but ,it does not know the needed order of operations and names are inconsistent. For example, I tried a somewhat more complex prompt f...

Amm0

In IP/Services.

The issue is RN says "connections", not "listeners"... There is a difference.

Amm0

I think that was my subtle finding here....The Dude AI certainly picks up changes in MikroTik docs quicker than using generic LLM. But in terms of writing scripts, it suffers same limitations as a generic LLM since it just do not know what's valid. But as @normis points out, if you write complete se...

Amm0

Great info here. Like the use of jump and using the "RFC ways" to terminate connection, instead of just "drop". I've never dug into "invalid" too much, so IDK here. But I suspect you're right about "it's the host"...so many tricks added to TCP stacks over the ...

Amm0

@normis, y'all should give some thought to this: Since MT already uses Confluence/Jira, they can just publish a link to each page that automatically creates a ticket with a comment. MikroTik has always responded to these "doc bugs". e.g. docs on :beep were fixed from above, and now picked ...

Amm0

While this was not always true (see docs)... if docker-1.docker.io is registry, you need to use "library/eclipse-mosquitto:latest". 7.18 made some changes... so new default is https://lscr.io and they also support using a "fully-qualified" remote-image that include the "hub&...

Amm0

What URL are you using for the registry-url in /container/settings?

Sometimes using the fully qualified name (or sometimes not, i.e. without :latest) helps in remote-image= . Also make sure your running the latest stable version, since various past versions have had bugs in this area.

Amm0

Hmm, I'm just relaying on volume of posts in forum as metric here.... There was another thread about DoH and Quad9, where 1.1.1.1 folks reported as more stable than Quad9. Whether @normis is correct IDK All other popular DoH services work with MikroTik without issue. Are you using "verify serve...

Amm0

In absence of this requirement, do you think DoQ would perform better than DoT? Theoretically, yes. "Plain" UDP DNS is generally one packet request, one packet response - hard to get quicker than than. QUIC does auth and request at same time, so it avoids the whole TCP SYN/ACK dance, so u...

Amm0

As a general matter, I don't like any kinda TCP for DNS, so not a big user of DoH as result. So +1 to DoQ as that give you secure DNS, without extra complexity TCP's 3-way handshakes + TLS.

Now Quad9 uses PowerDNS, which does not support DoQUIC [yet?]...so may not help for Quad9.

Amm0

Maybe @Amm0 can help you out here.

@Amm0 already explained to look at sniffers, or lab a smaller example. But ZeroTier "L2" should be transparent to "L3" [multicast] OSPF.

Amm0

Since MT already uses Confluence/Jira, they can just publish a link

100%

Just saying I rather file a ticket, than post a few times on different threads "the docs are wrong"

Amm0

If I gave the impression that I was bridging everything as one big happy L2 network, that is not what I am doing, and I agree that in such a configuration OSPF does not make sense. I think OP isn't actually bridging zerotier on RouterOS bridge – although be to confirm... OP is just checking the &qu...

Amm0

You seem to like your current topology. And if you have CGNAT, ZT is likely best. Whether you can limit ZT to just those sites, IDK.... The only other approach is abuse BackToHome (BTH) - that does deal with CGNAT and is just WireGuard under the covers. i.e. if a site had a fixed public IP, and LTE ...

Amm0

There are also few non-OSPF routers connected by Wireguard to the hub and few direct wireguard links between most important sites. ZeroTier is kind of a backup for wireguard. ZeroTier is slower with our slow connections. And I don't want to rely on routes manually defined in ZeroTier network. Fair ...

Amm0

I've used the Telit LM960 since they are miniPCIe, but problem is there not 5G, but they are LTE CAT18 and work with all US/Canada carriers. Older modems like Sierra MC7455 work pretty well but be slow nowadays (and Sierra modem do not have RSRP/RSRQ stats, while Telit will report them in RouterOS)....

Amm0

I might ask the other way, what would your recommendation instead? You can use ZT to push any route. ZT does not care if the destination is within ZT's IP range — ZT is agnostic on gateway so you can often use ZT for just route distribution. And RouterOS will happy add whatever it gets from ZT dire...

Amm0

I'm pretty convinced they are using something like Lex/Yacc or Flex/Bison That's been my long assumption too. I suspect MikroTik could cut-and-paste the presumed Lex/Yacc code into ChatGPT and ask it to generate a BNF. And with BNF, you're closer to being have some LSP (which is my bigger grip sinc...

Amm0

Yet I have no idea why CAPsMAN be involved in slow wan speed. And OP new config is pretty default, MTU is 1500 now. So something wierd, but it doesn't look like a config error. Maybe try not using auto-negotiate on ether8 and set the ethernet speed manually – but that my only guess. Is the cable the...

Amm0

Oh geez, it's actually here the DOCS that are wrong OR BUG in RouterOS. Upon checking docs... :beep is actually documented as ":beep <freq> <length>", which is wrong since its needs ":beep frequency=X length=X". RouterOS does have /console/inspect — so they have the data needed f...

Amm0

The Dude AI does not abide. It seems to have trouble even know the syntax of :beep — which is pretty regularized in syntax. And, "The Dude AI" really want to insist that argument names are not needed... Screenshot 2025-04-28 at 8.30.15 AM Medium.jpeg Screenshot 2025-04-28 at 8.31.42 AM Med...

Amm0

MikroTik RouterOS AAA users can be linked to RADIUS only & built-in RADIUS server (User Manager) does not support LDAP either. Then other side... AFAIK, Google Workspaces only support LDAP auth. So nothing easy. I imagine you can use something like FreeRADIUS/similar to be a "middle-man&quo...

Amm0

I'm going to get an RDS for testing... Realized their are now tariffs on such things in US... I'd like to purpose Mikrotik offer SKUs for a "hardware-only" version of routers/switch (or at least ones on the expensive side) for US. And, the paying for license for RouterOS, separately, since...

Amm0

Assuming the VLAN needs to be routable (thus via CPU) The primary reason I'm looking for this feature (assigning VLAN based on MAC) in CPU direction is that I want per-VLAN DHCP to work (plus a couple similar container-related cases). My reading is it would go via the CPU, but cannot say for sure. ...

Amm0

100% agree that docs are all of switching features are "messy" and incomplete (i.e. switching page does not mention RDS). Now given the 98DX4310 chip is used by RDS, and that chip is covered in docs.... On the doc comment: "MAC-based VLANs will only work properly between switch ports ...

Amm0

Do you mean MACVLAN? https://help.mikrotik.com/docs/spaces/R ... 40/MACVLAN

You'd add MACVLAN to bridge, and then tag it as needed in bridge vlan settings. But AFAIK it will use CPU.

Amm0

IDK about CCR2004 card. But do you have "promiscuous mode" enabled on the ESXi adapter interface for it? Typically that's needed.

Amm0

There has been similar commentary in past, see https://forum.mikrotik.com/viewtopic.php?t=181433&hilit=friendly+name But there is nothing like Arris/Motorola/Actiontec/etc/etc style with the "Connected Device" list, which I agree is nice. (Now the generic ISP routers are certainly less...

Amm0

RouterOS doesn't do floating point math One has to imagine netwatch is implemented in C, so internally netwatch can do floating point... Now it's an open question whether thr-loss-percent is inclusive or not (i.e. == or >= ) However, @ilium007 is correct user scripting does not do floating point......

Amm0

Now I test it again. Put kievstar simcard, on default settings - getting wrong ip. Change apn and uncheck network apn, set ip only ipv4. Before reboot - does not working. Reboot - and it’s working ok. Maybe this will be fixed in future firmware releases. Is it one of the newer "refresh" L...

Amm0

Strange. Never see that mikrotik devices needs reboot to start working properly. JFYI, yours is the second report I see in two days about some settings change that did not work until the device was rebooted (the other report was about completely unconnected to LTE settings), Ideally you're not chan...

Amm0

The point about: "<packet-count>*<packet-interval> should be below BOTH the "global" <interval> and <timeout> that apply to all netwatch types. " is interesting, never actually thought about it. I dunno actually, thus the advice ("should")... is to avoid having to know...

Amm0

Remove supout, is only for support@mikrotik.com and not for be shared on user forum because can contain sensitive data.

Agreed. I'm surprised this has not happened more. But ideally the forum should block the *.rif from being uploaded.

Amm0

I'm not sure my script is best example of how icmp check works, it assumes you understand the netwatch model. Docs could be improved to explain the high level logic of netwatch. But they do describe all the parameters: https://help.mikrotik.com/docs/spaces/ROS/pages/8323208/Netwatch#Netwatch-icmpICM...

Amm0

There was some discussion of the scheme here: https://forum.mikrotik.com/viewtopic.php?t=198168#p1031333 ...which implies it a diff upgrade scheme, but IDK. I'd imagine trying the 7.19beta8 be easier to see if that works with .09 & be easier than trying unwind how the download works. The URL dow...

Amm0

If you have not upgraded to 7.18.2, you really should do that first. See https://help.mikrotik.com/docs/spaces/ROS/pages/328142/Upgrading+and+installation . If you're already running 7.18.2, make sure the LTE fireware is updated - that on the lte1 interface dialog. There also the firmware, which is ...

Amm0

I'd make sure reboot both router and test machine after MTU changes, and make sure the "BIOS"/firmware in /system/routerboard matches the current RouterOS version. This mismatch speeds screamed "MTU problem", that has to be right — so your "guessing" I'm not sure was he...

Amm0

I imagine that the "Lifecell" SIM does work with the "Use Network APN" enabled, and most carriers do, and why that's the default. So that's what you should use for that SIM. And it dropping is because the APN is wrong for Lifecell once you disable Use Network APN. WRT your "...

Amm0

While you make good points, this thread is not place for these discussions.

Please keep this forum topic strictly related to this particular RouterOS release.

Amm0

Is there a reason you're setting MTU of 1460 on ether1 / WAN? Unless you know something, it likely should be 1500 (or you may need a PPPoE connection, or other things from your ISP than just a lower MTU).

Amm0

Yeah RouterOS has to have time to detect it gone and reinitialize, and often 10 seconds was too short on other modem... so good to see the "force" the minimum duration in power-reset (which may reflect some 30 second timeout in MBIM/LTE stuff... since modem SHOULD actually restart itself).

Amm0

You have to uncheck the "Use Network APN" box in APN dialog to use a APN name. Otherwise, the "Use Network APN" override what you set. Kyivstar may use "www.kyivstar.net" from https://apn.how/ua/kyivstar-gsm#google_vignette as the APN name, but you might confirm that wi...

Amm0

You can reset the LTE modem using: /system/routerboard/usb/power-reset bus=2 duration=45 The "bus=0" may be bus=1 etc... — I don't have Chateau with FG621 to check. Also duration= might be shorter if you like... but often modem do have some residual power and you likely want RouterOS "...

Amm0

Someone else had similar issue with the newest LTE firmware ending in 16121.1034.00.01.01.09: https://forum.mikrotik.com/viewtopic.php?t=216406 This sounds like a bug. As I suggested in other thread, I'd make sure the /system/routerboard "RouterBOOT" firmware is running 7.18.2 firmware. If...

Amm0

I am extremely happy to report that IPv6 Fasttrack works just as well as IPv4 Fasttrack does, and I get identical IPv6 forwarding performance out of the router that I do with IPv4+NAT: ~900Mbit, both directions, even with a LAN bridge + PPPoE with constrained MTU on the WAN. (IPv6, of course, is no...

Amm0

Just to satisfy my curiosity why is it considered a bad practice to change Bridge PVID? If it's a bad practice why is this option still available? IDK if "bad practice" per se. BUT... changing it you'll lose some "automatic" behaviors in VLAN bridging, especially if starting &qu...

Amm0

Larsa makes good points. Personally I'd use ZT routes if possible, since it just so simple.

I've assumed OP already had OSPF infra, perhaps with non-ZT things, and there OSPF over ZT would seem reasonable. But if you're using OSPF for route distribution ONLY for ZeroTier, that would seem silly.

Amm0

Curious why you asked...

We have relatives there, and taking my mom to visit this summer. They wanted me to "fix their wi-fi" while visiting & thinking how to outsource

.

Amm0

And when it comes to CA support, 4G modems used by MT are ... mediocre at best. Telit LM960 supports carrier aggregation Correct, the LM960 does have most CA combos for LTE CAT18, including 2 x UL carrier aggregation. But it's not one of the "stock" modems, which are all more limited in C...

Amm0

*) fix RoMON connect (introduced in v4.0beta19)

Fixed for me. Thanks.

Amm0

@rextended, random question, do you offer service in around Lucca (Tuscany)?

Amm0

Also I'd make sure you're running the latest RouterBOARD firmware (/system/routerboard/upgrade) so it matches the release 7.18.2. When version don't align that sometimes is the cause of LTE failures. Now the LTE firmware sometimes does have some implicit/un-enforced "minimum version" of bo...

Amm0

I'd confirm it works with 7.19beta if you can before downgrading the firmware. Sometime these firmware bugs are carrier-specific, and if 7.19 did not work with ...1.09 firmware, it be good to report that to Mikrotik. I think this post has the instructions to download using the manual-upgrade: https:...

Amm0

I see no mention of a switch there. Perhaps the "packet processor" may[...], but [...] switch ASIC was included in the SoC. [...] Compare this to the MT7621 SoC Datasheet where the switch is clearly pointed out (see page 2). Different architectures, ARM vs MIPS. I think generally ARM is i...

Amm0

Is this an LMT-provided Chateau? Those do have some different default configuration, so if you haven't changed this stuff... That means it comes from LMT, and since LMT is likely running a CGNAT, they may be opting out of the Mikrotik firewall in their defaults. IDK but the LMT do have some guides o...

Amm0

Look at your first filter rule (IP > Firewall > Filter). I'm not sure why you're accepting "untracked" in the first rule (i.e. connection-state=established,related,untracked)... that is actually all traffic if it's first rule, I'm not sure why that is there...

Amm0

If you can use SNMP that be better and align with Dude. For JSON values, you MIGHT be able to use the ros_command("/tool/fetch url=... as-value output=user"). And if using 7.16+ there is a ":deserialize from=json ..." that get you an array to pick out a specific value. All this g...

Amm0

I was not expecting mr. rextended with this title...

That sounds strange. Perhaps there is some middleware security box that's trying to generically block webmail services is about all I got. But you run the network, so IDK...

Amm0

Perhaps run /tool/torch on WAN when you're running nmap. It be curious if you're seeing the same TCP requests there. Perhaps your ISP is running a CGNAT or something. And if you're running `nmap` from Mikrotik LAN to the WAN IP, then I suppose you would see open since the stateful firewall does allo...

Amm0

Connecting to RoMON neighbors has quit working after upgrading to 4.0beta19 (MacOS). The initial RoMON connection to a router can be established but connections to a neighbor cannot. Yes it does not work. All you get is being stuck at "Connecting via RoMON". It does seem to be the case wi...

Amm0

Same with the PHY? Functionality onboard is a subset of available options? AFAIK it more like options on a car, except perhaps you can order multiple cold weather packages or 2 mini-sunroofs or one sunroof/one cold-weather. With these packages, being "IP cores" that ARM sells. Which is wh...

Amm0

Saying there is a ASIC inside the IPQ6010 is not accurate. Arguably the whole IPQ6010 is ASIC. But the modern term for IPQ6010 be "SoC", see https://en.wikipedia.org/wiki/System_on_a_chip. Since it's one thing, there is nothing to "offload". It's also important to note these mode...

Amm0

Might want to file a ticket at help.mikrotik.com to ask. Either it's a bug, or docs are wrong. What you're doing seems like it should work based on my reading too.

Amm0

Look at cellmapper.net (or some countries do publish their own LTE/5G tower maps) to see what bands in your area. In theory, two CAT12 devices should perform roughly the same. Your mobile carrier is what's controlling the speed way more, so that's who to ask what you should expect. Just to be clear ...

Amm0

Ok, Newsletter launched... Good! Thanks! Will we now go back to releases in the testing chain? Testing is fun, but for production I would be much happier with some kind of long term supported ROS 7 release... The rather skimpy content in the newsletter does suggest MT is working on software ;)

Amm0

Any updates?
Very close to final version.

That sounds like good news!

Amm0

I haven't test GPIO much, so IDK.

But the photo shows pin5 as "Digital input", so perhaps it's not changeable to output (even if GPIO docs suggest otherwise):

image2021-5-28_8-10-49.png

Amm0

You might want to look at the KNOT user manual, which has the GPIO assignments. The main GPIO docs do note that they vary by device, but it's easy to forgot there is an KNOT specific page that has a bit more specifics: https://help.mikrotik.com/docs/spaces/UM/pages/41680915/RB924i-2nD-BT5+BG77#RB924...

Amm0

There was another thread with similar speculation, viewtopic.php?p=1125018&hilit=openflow#p1120392:

"Sir, I see some movement on the enemy's trench."

Amm0

1) How can I confirm that the config below matches what would on this forum be labeled as "used as a switch and not as a router?" I guess I'd say don't get hung up on these terms. IMO switch/router/"switch chip"/"hardware offload" can be somewhat fuzzy in meaning, espe...

Amm0

What curious here is they did update the OpenFlow docs pretty recently:
https://help.mikrotik.com/docs/spaces/R ... 5/Openflow
and including a reference to OpenFlow 1.3 support (compare with 1.0 in https://wiki.mikrotik.com/Manual:OpenFlow)

Maybe hope it's coming back, but IDK.

Amm0

Access webfig through reverse proxy (relative paths for resources). Webfig can be run through a reverse proxy. On relative paths, webfig uses "AJAX-like" updates OUTSIDE of /webfig HTTP request path, i.e. just "/jsproxy" - which may be the root of the complaint. While that shoul...

Amm0

My only point was it was SOMEWHAT explainable. But 100% agree it's a poor design.

And, potentially problematic if someone used scripting, the "new version available" might cause a script to loop forever trying to upgrade a router.

Amm0

edit - note , when I configured nat-444 , I used a ton of jump tables to optimize the /21 CGN-nat. ( 1/2 , 1/4 , 1/8 , 1/16 , 1/32 ) which resulted in fewer nat lookups sequential steps when traffic was inbound to the customer. Yeah that part make sense: each rule executed is uses CPU and adds [mar...

Amm0

Never noticed that.

But V7 is "new version" that is "available". Now it likely be better to suggest "New major version available in 'upgrade' channel"

Amm0

Seems a Mikrotik thing. Perhaps. Someone else had similar issues with OSPF broadcast mode and ZeroTier: https://forum.mikrotik.com/viewtopic.php?p=1118612#p1118520 There too, I thought it was flow rules, but OP was using Mikrotik controller which has NO flow rules. And I forgot the it the different...

Amm0

The JSON in photo is wrong " u sername-length" & the URL is .../add-batch-user s — likely BOTH are your issue. Using CURL with 7.19beta, the following worked (*changed password/ip): curl -k 'https://192.168.88.1/rest/user-manager/user/add-batch-users' --json `jo number-of-users=1 usern...

Amm0

The PUT method only works on http://ip-router/rest/user-manager/user not on http://ip-router/rest/user-manager/user/add-batch-user and POST of http://ip-router/rest/user-manager/user/ result an error of bad command. Thank you You need to use POST with http://ip-router/rest/user-manager/user/add-bat...

Amm0

- what version of RouterOS? RouterOS V6.49.7 There is no batch-add-user AFAIK in V6 — but I'm not the expert on UM under V6. You should be able to use a for loop to add users. You'd have to adapt to your needs, but essentially something like: :for n from=1 to=100 do={ /user-manager/user add name=&q...

Amm0

You may need to change the "Flow Rules" for the ZT network on my.zerotier.com (see ZeroTier docs: https://docs.zerotier.com/rules/#rule-definition-language generally or examples here https://www.zerotier.com/blog/using-flow-rules-to-direct-users-to-services/ etc.). By default, the flow rul...

Amm0

currently i want to use simple ssh You're going to have to provide more details on what you're looking for and what your starting with... i.e. - what version of RouterOS? - is user manager already setup and working for users, and ONLY bulk add is needed? - do you want user manager to generate users...

Amm0

There is /system/history but it's not quite the same, but in the "undo=" should show the actual previous commands.

/system/history/print detail

Also RouterOS support Ctrl-R / F3 to search the command history, which is like a Linux Shell. And hitting F1 twice will the CLI options.

Amm0

For the record, I still think WinBox4 is BETTER than WinBox3. I use WinBox4 daily without operational issues. The fact WinBox4 loads way faster than Wine+WinBox3 is more than enough to accept the small different vertical vs horizontal tabs, color schemes, etc. I'll offer we DO use less Mikrotik than...

Amm0

Yes, I know we can do a mac reset. But official guidelines are (were, last I checked) not to do this. It would be nice to get this finally wrapped up. I'd just add while the simple: /interface/ethernet/reset-mac-address [find] works for ethernet... if you had other types of interfaces, those requir...

Amm0

As general matter, tend agree with @rextended that with some config-based approach (netinstall/branding/run-after-reset) to the problem. But at same time... .backup does get you an exact copy, not merely just the equivalent config. At end of day, both approach have some pro-and-cons & require yo...

Amm0

I'm thinking it's a problem with my rbm11 since no one on this forum complains of similar problems. Perhaps. I'm sure most testing is done on ARM things, and there occasional oddities on MIPS. And Mikrotik has been making changes in LTE recently too. That combo does point to a bug, or at least some...

Amm0

The issue persists in version 7.18.2. The http-redirect option does not exist. Please add it. You likely should enable the DHCP options that modern OSes use for redirect, see: https://help.mikrotik.com/docs/spaces/ROS/pages/56459266/HotSpot+-+Captive+portal#HotSpotCaptiveportal-UsingDHCPoptiontoadv...

Amm0

Depends on what you mean by both "devices" and the purpose of the "export". The winbox files can, generally, be moved around as-is... so if you just want to have saved [RouterOS] devices/passwords... the wbx file can just be "copied" as an export of sorts. If you use th...

Amm0

this will be for sure going in circles for eternity

Well when the release mgmt discussions start to overwhelming the "testing" thread... the "process" is that beta becomes a rc ;).

Amm0

AFAIK, the dns from an WG Import'ed peer is not used.

Depending on situation... you MAY be able to MANUALLY use FWD (or static/regex/etc) in /ip/dns, to re-direct something like a WG subnet.

Amm0

/routing/nexthop print

To see all routes, you can also use:

/routing/routes print

Amm0

Agree. Or, in general, a few more tests to better capture the different performance aspects of the various models. Although, "forum rule of thumb" is using the 512-sized 25 ip filter rule as a general guide to internet performance. On that score, your 250Mb/s is not too far off that 319Mb/...

Amm0

Well based on the avatar, I guess that post could be considered a dud! )

So what is the summary on why RoMON does not work here? I lost track of the conversation.

Amm0

My post intentionally refers to @Ammo's one in particular, just for the case that someone comes searching and gets mislead by it. But unless @Ammo edits his, few people will probably notice mine.

Fixed. I swear I'd seen that cause not RoMON work in past. But re-tested it, you're right.

Amm0

Agree, Mikrotik has been pretty good at updating the docs. But I'm not sure they follow the forum super closely. So I flagged your post to Mikrotik yesterday, since I already had the feature request ticket for CSV, file-name=. Mikrotik reports they fixed the docs today: https://help.mikrotik.com/doc...

Amm0

(deleted)

Amm0

In 7.18, you should be able to do it using System > Packages in WinBox/WebFig/mobile, then do a "Check for Updates", the select and enable "rose-storage", click "Apply Changes". From CLI, it's /system/package { update/check-for-updates duration=10s enable rose-storage a...

Amm0

Modem port channel assignment is stated in KNOT manual, section "GPS and NB/CAT-M": https://help.mikrotik.com/docs/spaces/UM/pages/41680915/RB924i-2nD-BT5+BG77#RB924i2nDBT5%26BG77-GPSandNB%2FCAT-M I actually tried deleting the ppp-out1 — since it should get re-created. PPP interfaces are ...

Amm0

Edit: I'd originally thought it was RoMON getting dropped, @sindy confirms the bridge's frame-types= are passed.

See @sindy's post : viewtopic.php?p=1137826#p1137981

Amm0

You probably should not be using 7.13...

See https://help.mikrotik.com/docs/spaces/R ... 2/REST+API

Amm0

20+ years since I've thought about T1 (or HDLC or Frame Relay)... Adtran used make decent stuff... although I only used to them to get HDLC to Cisco. So "router" sound newer, so IDK.... According to Mikrotik spec page: https://help.mikrotik.com/docs/spaces/ROS/pages/19136707/Software+Speci...

Amm0

There's no Wi-Fi, it's all fiber optics. I've tried IGMP, and the results don't change. Would it be a good idea to set a constant bit rate on the server? Would that help? If it's fiber and you have the bandwidth, then constant bit rate might be worth a shot. It's less work on the decoder. If you ca...

Amm0

You shouldn't need IGMP here, but that be another thing to try (you can enable on the /interface/bridge).

Also, if you control the multicast addresses using 224.0.0.0/24 is special range, so IGMP won't work with those...

Amm0

Yeah that's plain UDP MPEG-TS, no FEC/RTP, which should fit.

Is there any wi-fi in your chain?

I'd recommend you try the EoIP interface using 1450 MTU & see what happens. Although that's going to have the side-effect of lowering your bridge MTU.

Amm0

I had the ppp working earlier but I couldn't get GPS. Now I can get GPS but I can't get ppp... :-( Such a design limitation that you can't get a GPS and LTE both on at the same time. For a IOT device that is ridiculous. Geez. The default should have been right. And the /system/default-configuration...

Amm0

by testing with the terminal, I discovered that channels are 0 to 3... not 1 to 4 :-) LOL, yup. But the "info-channel" is not really used, unless you trigger it using "Info" — so I'm not sure that's your issue with LTE. Essentially it sets up the PPP session using the "data...

Amm0

What settings are you using for the ppp-client with that gps setting? I can now get location, but my ppp-client does not start due to a port conflict. I don't use PPP/LTE with this KNOT, so I know the info channel defaults to 2... But I suppose if that's not working use info-channel=4 instead /inte...

Amm0

And, yes, the docs could very much be improved. The manual is designed around RouterOS features, not devices... so for something like KNOT, all the docs for this are spread around in dozen pages. But... nowhere would you find exactly what each serial channel does... There is a /system/serial-termina...

Amm0

yes there is a gps antenna and I was able to get some location a few hours ago with other settings. However, now I can't get any location. Can you do a /system/gps/export? I just looked on a live KNOT to make sure GPS was still working, this is the configuration I'm showing that works: /system gps ...

Amm0

It looks like the ports are right, since both PPP and GPS are in use. If you look /system/gps, does it show a time as "Data Age". If it's showing 00:00:00 or :10 etc, instead of empty/none/etc Do you have an antenna connected to the GNSS port? (I cannot recall if the KNOT has a internal an...

Amm0

Mikrotik has a discussion of Policy Routing here: https://help.mikrotik.com/docs/spaces/ROS/pages/59965508/Policy+Routing Essentially you likely need some config like this: # add new/2nd routing table /routing/table/add name=ztoffice fib # route new table via remote ZT router /ip/route/add gateway=1...

Amm0

If you use "/port/print" you'll notice there are 5 channels on the USB bus. So GPS (NMEA) uses channel 1, and "PPP data" uses channel 3 — those channels are used continuously so they cannot conflict. Now, I think, by default, channel 2 is used by BOTH "PPP info" and &qu...

Amm0

Developers for Apple ecosystem have a thing called Open Radar (https://openradar.appspot.com/page/1 w) which has similar origin story. Or in JIRA allow the reporter to have some "mark public", so if you link to a issue (especially "feature request" type) in forum, it's be read-a...

Amm0

Thanks for your feedback in this thread, its really good to see! Indeed, a few sentences goes a long way. But I still maintain there is a lot of value of running whatever software on RouterOS using /container, whether CHR or RDS. i.e. I'd like to see some "milage" on /container... so if t...

Amm0

I always wanted have a front-end web server that after bot checks would generate a random btest user/password , then auto remove it 10-minutes later. Just long enough for a btest but not long enough to test an ISPs entire network and prevent time-cron-scheduled auto btests that occur ever hour or d...

Amm0

The problem I'm having is pixelation on the client side. More generally you want to look at the MTU on EoIP... If it's 1500, your UDP multicast video may be getting fragmented, and if lower you could be effecting the bridge MTU. So it bit complex "what's right MTU" here. A few sniffer tra...

Amm0

I'd cancel the QuickSet if your goal is a switch...

To reset it back to default, push the reset button for 7 seconds while powering the CRS.

Amm0

Normis said the problem is the forum software doesn't support HA and/or distributing the site between several servers. Do with this info what You will.

Sure, but that's what HAProxy is for...

Amm0

Agree w/ @TomjNorthIdaho that the "root causes" are bit unknown here & still be good info for community. re: ... Anyway, whatever they end up doing... I do hope they host it on their RDS ROSE server(s) as proof-point they work in the real-world. ... @normis mentioned "HA proxy, hi...

Amm0

migrated a complex, with hundreds of thousands posts and spanning over many years IDK specific on phpBB to discourse. But as general matter... figuring out the DDoS mitigation would seem better use of time, than complex data migration. And, while the "temporary unavailable" now appear, th...

Amm0

@rextended is right– it's "normal" if there is a crash... but console should not "crash" in the first place & likely why MT generates a file so they have some data to fix the crash. If it's getting regularly generated, you should open a ticket with Mikrotik with the console-d...

Amm0

posts will be migrated

Is there any way you can publish a ZIP of the forum content when you migrate it? I still think it interesting try the forum content in some small language model.

Amm0

A funny side note: I read "Discord" instead of "Discourse", and thought "Oh no, surely not?..." THEN I read it again. :D LOL. I also read it "Discord" at first too! It was only the lack of SCREAMING negative commentary that prompted me to read it again as Dis...

Search found 5482 matches