MikroTik

pukkita

Can I have a parent=global queue to handle all traffic towards the LAN while not intermixing the rates with the upload traffic to the two internet interfaces?

Yes, that's the way.

pukkita

For home use, options on increasing budget: - hAP ac: router + AP on single device. Drawback: you need to position it optimally for the AP. - RB3011 + wAP AC: Best of both worlds: router can be positioned on your comm cabinet, and wAP AC(s) optimally for best wireless coverage. - RB3011 + hAP AC: if...

pukkita

Which RB433? In these cases the best option is to netinstall.

pukkita

From RB1100AHx4 brochure:

Captura de pantalla 2017-11-11 a la(s) 11.23.24.png

So a difference on dude edition is it comes with a 60GB M.2 disk from factory.

Additionally, dude edition sports 3 switch groups, while non dude edition seems to have none.

pukkita

What's new in 6.39 (2017-Apr-27 10:06):
!) ppp - implemented internal algorithm for "change-mss", no mangle rules necessary;

pukkita

Only on the 750UP location, as allstarcomps said that's the only place where you need to connect more than one station. L4 is $45, but... SXT's are directional antennas, if you want to connect the two SXT lites to the AP on 750UP location, you'll need not only a radio that has L4 license, but also i...

pukkita

Post a diagram. I tried to configure all 3 in bridge mode but could only get the bridge to function over any 2 APs at one time. SXT Lite license level is L3, that means it's limited to act as an AP for only one device (wireless mode = bridge). You can either pay to raise its license to L4, or purcha...

pukkita

CAPsMAN requires certain knowledge, QoS definitely, you would be better hiring someone knowledgeable . I wouldn't limit per user (simple queue), but program a QoS (queue tree) that categorizes traffic, dynamically distributes available bandwidth depending on traffic category priority, then use PCQ q...

pukkita

When you say MI Repeater I understand it's a wireless repeater? If so, that's your first problem. I'd: - Put the Airtel router in bridge mode if possible - Deploy a internet router to manage users, speeds, QoS and CAPsMAN. Hex could be a budget candidate that fits the job nicely. - Deploy at least t...

pukkita

Exactly. If you're setting up an AP for unknown wireless/mobile devices you'll have to set it up in the most widely compatible way.

For 2.4GHz that means 20MHz and default settings.

pukkita

You need

1.- Mikrotik radio that suports 5/10MHz (not all of them do)
2.- Client with radio with same capabilities

pukkita

Because there are two directions while communicating. Let's suppose this scenario: AP <-> STATION using frequency 5640. Interference may be local and affecting only the receiving side, (e.g. other antenna nearby STATION transmitting on 5640). while it could be possible that AP can "hear" S...

pukkita

Have you tried setting the src-address on the mikrotik router to 192.168.5.1? Windows PPTP client should get a route to 192.168.5.0 via the VPN, nothing else should be required. That's the point of using same network range on LAN and VPN + proxy-arp, no routing is necessary. Check a router print on ...

pukkita

Only place where proxy-arp is needed is on bridge1, nowhere else.

Reboot the router afterwards.

pukkita

please post

/interface export
/ip address export

pukkita

Not sure if I understood your situation right. If you want the laptop acting as server to have a fixed IP, you can still use DHCP. 1.- Go to IP > DHCP Server > Leases and locate the laptop one. 2.- Double click on it, and click on "Make static". From now on, the laptop will be always offer...

pukkita

6Mbps is the lowest of the so-called "basic rates", and the only basic-rate with default configuration. Radio switches to this basic rate when initially establishing or renegotiating the radio link; this indicates you're having interferences, SXTs may have moved, a new nearby obstacle, or ...

pukkita

shouldn't need this

chain=srcnat action=masquerade src-address=192.168.5.48/29 dst-address=!192.168.5.48/29 log=no log-prefix=""

if proxy-arp is properly set.

pukkita

No, USB external disk cannot be used as system partition, and I'm afraid it cannot be used for graphs storage either.

External storage can be used for web proxy cache, samba sharing, etc.

pukkita

Lots of power off/power on and bad electricity supply can corrupt the NAND format or damage it, specially if you're writing constantly to it (do you have graphs active?). If you're experiencing such electricity supply unstability, you'd better either get an UPS at least for the router... this router...

pukkita

Looks like your NAND is gone, you'd better write support, short of netinstalling it again, resetting it to no defaults and reconfiguring it looking if it holds fine this time. Better than using a .backup, you could make an export, so that you can just copy & paste the config on this, or any rout...

pukkita

Len = Length (size).

You got it right for the rest.

pukkita

300 is radio datarate, in TCP that would equal about half, 100-150Mbps TCP.

You need clients to be dual-chain / dual stream (2x2 MIMO) while most mobile devices are single chain.

pukkita

At this moment I have CRS125-24G-1S and I want to get 2nd device with spf, gigabit lan ports and with Dude support.

Sounds like RB3011 is what you are looking for. Next option would be a CCR.

pukkita

Another thing that you may need to ensure is that you are actually masquerading or dst-natting traffic from your .123 network to your .10 network. Nope, no need to. If 10.x clients use 10.x (10.1 or 10.200) as default gateway, and .123.x clients have .123.x as default gateway both networks will be ...

pukkita

Check System > License, if it's fine then I'd say you can rest asured is not a copy.

pukkita

Exported database is sqlite, you may use sqlite tools to create the XML export, like .e.g. sqlite-manager or SqliteStudio for once in a time operations. To program an automatic conversion process, you may use sqlite to export database to CSV, then use either your own code to convert, or use a CSV to...

pukkita

This is the case right now. But tbh i don't understand why this must be the GW, when there is no device with that IP (should i give the RB750 this IP?) Yes, you should either change it to 192.168.10.1, or keep the current 192.168.10.200 AND set the clients to use 192.168.10.200 as gateway. Best app...

pukkita

CRS326 is ARM platform, whereas most CRS line is mipsbe, where dude is not supported.

Have you tried uploading the dude arm package to it then rebooting (provided you're using RouterOS and not SwOS with the CRS326)?

pukkita

Sadly i'm on the edge of insanity, because i just can't seem to get it to work. I have a static Route on the AVM Fritzbox, which redirects every request etc. directed at the 10.xxx Network right to the RB750 (because the AVM is the Gateway for the 123.xxx Clients). Can you post that route? Check th...

pukkita

200Mbps is going to depend on available spectrum, contiguous free 40MHz-50MHz minimum required.

Suitable devices for this in order of preference:

- netmetal (dual chain) + mANT30-PA
- netbox + mANT30-PA
- QRT ac
- DynaDish

pukkita

GRE does not use a port!

I know... I meant ISPs are known/likely to throttle it down also, or even block it. The point of the OP was using a transport that was unlikely to be tinkered by the ISP...

pukkita

It's stated at the calculator, link it's possible, but you'll need an outrageously high tower (>70m height) to mount the Tx device. Either that, or use four devices to create 2 PTPs. First PTP will clear the elevation by Rx'ing at the edge; this first PTP Rx radio will be wired to second PTP back to...

pukkita

You seem to miss the IP > DHCP > Network entries. Also I think for your intended setup add address=10.35.0.1 interface=bridgeopen network=10.35.0.0 Should be add address=10.35.0.1/24 interface=bridgeopen network=10.35.0.0 . Do clients connected to the open network: 1.- Get an IP? 2.- post ipconfig/a...

pukkita

- L2tp works only on port UDP 500. This is a sad notice. In OpenVPN i don't use standard ports for connect. Some ISPs will slow down traffic on this common ports.

Similarly goes for GRE.

Would be nice having customizable L2TP port for ROS... of course only ROS devices could be used on both sides.

pukkita

Check your firewall for any filter o nat rules that may be getting into OSPF's way.

pukkita

Download the sstp-client-1.0.11.tar.gz package and look at the README inside, there's no need for X. You can create .deb packages rather easily, look inside the sources. pe1chl, SSTP may not be the optimal solution but giving the limitations gamba47 is facing, which SSTP dodges, there's nothing to l...

pukkita

When i connect to the private network, it's ok, i've got an ip address and have a n internet access, but when i tryed to connect to guest network, i also get ip address, but no internet access, and also i can't ping my router from the connected device. I assume you mean the internet router plugged ...

pukkita

No need for softether, SSTP Client is all you need.

What distribution are you using?

This provides a plugin for stock pppd and a sstp client tool (sstpc).

Typical area were you may find issues while setting up is the server certificate, watch out pppd client logs on Linux server.

pukkita

Your routing is fine. Did you issue the ping to 8.8.8.8 from the router??? Remove masquerade on bridge-LAN, only masquerade you need is the one already set: You posted: /ip firewall nat add action=masquerade chain=srcnat comment="default masquerade" \ out-interface=ether1_WAN add action=ds...

pukkita

Change its logic:

 chain=input action=drop in-interface-list=WAN

pukkita

/ip address add address=192.168.88.1/24 comment=defconf interface=ether2 network=\ 192.168.88.0 You should change that IP to interface=bridge-LAN /ip arp add address=192.168.88.248 interface=bridge-LAN mac-address=7C:05:07:10:04:AD Delete this. On Winbox, open a New Terminal and issue /ip address p...

pukkita

According to the SB6141 Manual , as pcunite says there's no SFP, you should wire it like this: I am confused? I bought this SFP Copper Module (Mikrotik Item model number S-RJ01). Now you are saying i cant use it with this router and modem? I am very confused now? It is an ethernet cord, it is nothi...

pukkita

Then you'll need to to it the not optimal way. It's not optimal because you're forcing the radio on the repeater to split its tasks in two, so it: - halves the bandwidth - doubles the latency - halves available spectrum efficiency for everyone. Say wired hAP is A, repeating hAP is B, and user C is c...

pukkita

According to the SB6141 Manual, as pcunite says there's no SFP, you should wire it like this:

wiring.png

pukkita

Make sure that either - If you don't mind both SSIDs being bridged, ensure the VirtualAP interface is added as a port to the same interface (bridge) the DHCP server is running on ( Check IP > DHCP Server ). - If you want to keep both SSIDs isolated, you'll need to setup another DHCP server to be ded...

pukkita

You cannot, exceptions to proxy access list are static, so unless there's a regex pattern that will catch both orange.fr and related CDNs (highly unlikely), you'll need to add a specific proxy ACL for each.

pukkita

Yes, but that wouldn't be optimal.

Best approach is wiring both Haps, then have both broadcast any SSIDs you want on any of the two bands.

Good scenario to use CAPsMAN.

pukkita

I can't see the usefulness of storing only the src-address and port if it cannot be cross-related to a dst-address... if you just want that info, use radacct.

Otherwise, you'll need to process the data at syslog receiving stage.

pukkita

There's no dude server for MIPSBE platform, it's only supported on Tile, ARM, MMIPS and x86/CHR.

You need to install it on a supported router, then by adding the RB433 as a device, (and as long as wireless cards used aren't AC chipset), you'll be able to do spectral scans from the main dude server.

pukkita

You can setup this value on 6.40, AFAIK there's no limitation.

Obviously, unless hardware is sized for the load, this won't make a difference.

pukkita

I've setup before with port redirecting with dstnat to udp port 53, There's no need for port redirection, are you "hijacking" outgoing DNS queries and redirecting them to the cache? Depending on the resolving library used by the client this may not work (most modern libraries). You'd bett...

pukkita

How did you set it up? Basically you need to 1.- Add OpenDNS servers to IP > DNS Servers, you can set more than one by clicking on the small, bottom pointing triangle next to the Servers field. 2.- While you're at that screen, make sure Allow Remote Requests is enabled (this enables the DNS server f...

pukkita

How was your WAN setup? Does it use DHCP to get the WAN IP?

Are you sure sfp interface is linked and running? (Look at Interfaces > SFP1 > status)

pukkita

Post an export.

pukkita

Glad you found the fix!

Can the part of the firmware that handles this stage when booting get corrupted?

It can happen, you'd notice because after netinstall it won't boot either, there's a Backup Booter you can force on System > RouterBoard [Settings] in such case.

pukkita

Try netinstalling it

pukkita

Try this:

- Go to Wireless, open wlan1-gateway, click on [Advanced Mode] button, and set Multicast Helper to full.

pukkita

I'd say you have two problems; a L2, root one that causes the pppoe sessions to disconnect, you need to find the cause. Interface flapping on PPPoE Uplinks are not admisible on production scenarios, check wiring/fiber, SFP modules, Switches, etc. Are you using OSPF? The second one (high CPU load) se...

pukkita

Secondly, i have only six PtP long distance links in different directions at different locations, so i think its not feasible and investing extra budget using extra network gears for many links to 360 degree coverage with no such customer base in near future. This is government based organizational...

pukkita

Do you mean that you cannot "see" it via winbox neighbors or connect to it via previously known IP?

In such case, you need to do a netinstall

pukkita

Which interface flaps? the VLANs? What's the CPU load at those times?

pukkita

If I change the port to auto-negotiation disabled, port speed 1G, Full Duplex, the link light will appear on the CRS and report transmission activity. The Netgear will not establish link light or pass traffic.

Then you need to force 1G also at Netgear's end, did you try that?

pukkita

This remote wireless network connectivity belongs to government based wildlife remote monitoring project where 32 HD CCTV cameras live feeds from remote forest monitoring sites would be monitored at wildlife range office in the city. Nice project :D I'm curious, where is it? Have you disabled one o...

pukkita

Taking a routerboard and sticking multiple radio cards on it is a thing of the past, (and never 8 cards!!) and the least desirable option, several radios cramped on a single board interfere with each other; your approach, single RB + multiple cards is the worst option possible from a optimal standpo...

pukkita

RB800 was obsoleted long ago.

The "nearest" modern RB to RB800 is the RB850Gx2.

Depending on bandwidth and duties, more commonly used RBs for this task would be RB3011, RB1100AHx2, or CCR1009.

What are the RB intended tasks?

pukkita

hAP ac is the flagship AP for indoor use, really doubt mikrotik would be launching another device to replace it on for this segment soon.

pukkita

My guess was that the switch was creating a different ground level than the router, or something along these lines...

That's my guess also, check grounding of the enterasys, rack and 2011... everything should end on a single common ground.

pukkita

Try setting channel width to 20MHz.

pukkita

Use a MicroSD or USB, and run user-manager database off it, you're running out of space.

Which routerboard are you using?

pukkita

Try upgrading the bootloader via Bios: https://i.mt.lv/routerboard/files/p2020_3.24.fwf trying netinstall for 6.38.7 again.

pukkita

Which netinstall version? What's the bootloader version on the 1100AHx2? It is on par with the netinstall version you're using?

Have you tried to format NAND via the serial console first?

pukkita

E. Have you been changing cables ? F. Are you sure that someone in the building have not made a loop connecting cables to local switch?. I'd add: G. Are you sure nobody has created a new bridge, added a new port to an existing one, or changed/set some ethernet port master port parameter? If you had...

pukkita

BartoszP is right, highly unlikely three routers start to misbehave at the same time; check your network / routers first. If you don't find 100% CPU or other anomalies on logs: Make sure Current Firmware is the same version as Update firmware on System > Routerboard. If not, click on upgrade and re...

pukkita

BartoszP is right, highly unlikely three routers start to misbehave at the same time; check your network / routers first. If you don't find 100% CPU or other anomalies on logs: Make sure Current Firmware is the same version as Update firmware on System > Routerboard. If not, click on upgrade and reb...

pukkita

Computers in the same range expect others to reply to their arp queries, i.e. expect the rest to be L2 connected and thus receiving/replying broadcasts straight on their own. Proxy-arp aids when you use the same range for the VPN, as remote computers aren't directly connected to the network; it make...

pukkita

When you spoke about a closed rack I thought on an outdoor enclosure for a tower or something similar, not for indoor duty. In that case your plan will work, you'll lose some db's due to the longer cabling and the additional connectors, but will be better than having the router antennas inside the f...

pukkita

The "easy" solution would be a CCR1072-1G-8S+

Another possibilities:

- Use a router with an SFP+ port like CCR1009-7G-1C-1S+ plus a suitable switch, like CRS212 or the CRS317, connect them via SFP+ at 10G with a DAC cable and you're set.

- Budget option: a Hex + CRS212.

pukkita

It will work , but... Is this a sound plan? Am I using the right components? Will it work afterwards? Would it be better to do it another way? Instead of taking a desktop integrated router, adding an external enclosure, adding an additional loss point (SMA->SMA Antenna) and longer pigtails, and a cr...

pukkita

Yes, they have same chipset, QCA9533.

pukkita

In such case a hAP ac Lite could be an affordable dual radio device to learn with, plus you can connect an USB modem like the e3372 to build your MIFI solution, or use 2,4GHz radio to connect to your existing MIFI and re-broadcast via the 5GHz radio, etc.

pukkita

hAP ac and wAP ac are dual channel radios, so 12 APs = 24 radios; 1200/24 = 50 users per radio, I doubt all 50 will be active simultaneously, so as long as placement is well thought out it should be enough, short of additional APs to cover any shaded areas you may find. Most modern smartphones and t...

pukkita

I have yet to test this device, but I doubt it. CRS is a programmable Switch, but CPU power is not suitable for routing (software) that bandwidth, acccording to its specs : Captura de pantalla 2017-09-01 a la(s) 18.38.42.png Best bet for that duty if budget is no object: CCR or RB1100AH. Low Budget:...

pukkita

Post a diagram. Hand-drawn is fine.

pukkita

Post an export and a /ip route print, What's the source IP of branch office PC?

pukkita

I wouldn't design it with just a single mANTBox 19S. Apart from only covering 120 degrees, 76 simultaneous stations will be too much, I would target for 50 stations max per sector. Best bet would be using three sectors, either mANTBox19S or 15S (clients closer than 500m). You'll be covering 360, and...

pukkita

EoIP does what it needs to do but the performance knock is massive. Over a Gbps ethernet link I'm only getting around 10MB/s of real performance before the cpu hits 100%. Which routerboard? If your CPU does not support hardware acceleration for AES encryption/decryption then it would be slow as hel...

pukkita

I'd use 5GHz better, not only because of the potential higher throughput by using 40MHz or wider channels; 2.4GHz spectrum is much smaller and already saturated by home routers.

pukkita

If environment conditions are going to be tough, I would stay away from RB + radio cards + pigtails. If heat is going to be high, it will put a stress on all mechanical connections: PCIe card slots, internal and external pigtails.... also 3 PCIe radios cramped on the same board/enclosure is not opti...

pukkita

AFAIK this model doesn't have serial port, and USB port is for powering only. What is your goal?

pukkita

It may link on 5GHz, but waP is not a good choice for this application. Majority of traffic (download) will go from wAP to SXT; wAP have small gain omni antennas not suited for linking at 300m. If you expect to connect more devices to it, your best bet would be using a SXT-SA for the Apartment (90 d...

pukkita

I would generate supouts while on troublesome setups and email support linking to this post, so that they're aware of this. (this is an user forum, while mikrotik staff reads the forum, is not the most efficient way to report bugs)

pukkita

MIFI as internet source wirelessly connected to a hap lite to do bw management isn't what I would call and optimal setup.

Instead of using an additional device, I'd use a wAP LTE straight and build your own MIFI, this time with all ROS goodies.

pukkita

Use SSTP then...

You can set up a different port if you want
NAT friendly
Less likely to be throttled down by ISPs

pukkita

For 1Gbps bandwidth, definitelly a RB1100AHx2 would be the minimum I'd get.

Regarding AP count, it depends on the size/shape of the floors in the building, you'll need to position them for optimal coverage.

I'd start with 10-12 APs.

pukkita

pukkita

Maybe a mix Metal and Groove

With omnis? don't.

I would use hAP ac + wAP ac.

What's the internet bandwidth? As main router / controller I'd go for a RB1100AHx2 or CCR.

pukkita

Capturing traffic at the edge router I don't see anythig related with the DHCP, is it possible that the first MKT is filtering the DHCP discover?

Could be... have you torched MKT1 ether wired to MKT2 to see if DHCP requests are present?

pukkita

Connect to it via mac-winbox, and look at the logs, to determine why web server has stopped (hdd space full, etc).

In such case it would be best to reboot after cleanup.

pukkita

2 chain=srcnat action=src-nat to-addresses=84.54.xxx.250 src-address=192.168.88.37 log=yes log-prefix="SRCNAT" I cannot see where 84.54.xxx.250 is assigned on IP > Addresses? If you want to src-nat the router will need to have that IP assigned. Re: Mangle: Have a look at Tomas Kirnak's Lo...

pukkita

Just tested (6.40.2) on a 951Ui model and doesn't reboot.

Does it happen with a different USB device? Does it happen with no USB device?

I would netinstall it to 6.40.2. If problem persists, generate a supout and email support linking to this post.

pukkita

Never mind

I cleared it anyway, as if you had that doubt, so could future users browsing the thread.

pukkita

Guess with "transparent" you mean a bridged scenario: just use a bigger subnet. You will have a bridged (switched) network. To achieve this, instead of using 192.168.0.0/24, use 192.168.0.0/23: Network: 192.168.0.0/23 HostMin: 192.168.0.1 HostMax: 192.168.1.254 Broadcast: 192.168.1.255 Hos...

pukkita

Something's not quite right there. Have you used .backup files to move configs between routers? Try this: Go to the bridge, and blank Admin. MAC Address (click on upward pointing triangle on its right, then apply) Run (you will temporarily lost the connection) /interface ethernet reset-mac-address [...

pukkita

If you create a Netwatch monitor that reaches out to 8.8.4.4 and if it can't reach that address is disable the main route until reachable again, won't that IP become instantly reachable when it fails over to the second backup default route, causing it to fail back over to the failed line? No, becau...

pukkita

Follow the presentation mangle to the letter until you get a solid grasp on it, before jumping into customizations.

Order, and following it to the utmost detail is really important.

pukkita

No, not for the local address, but for remote-address of the specific customer needing it. Local address should/could be the same for all pppoe users on a given router, and it's usually a private one as it won't be using by anything else than local traffic between its pppoe users and the router.

pukkita

Follow the same logic/instructions on the presentation, it's wonderfully covered there.

pukkita

- MKT2 LAN IP? 172.10.0.0/16 that's not an RFC1918 range, you're using a public Internet range (belongs to AT&T in the US) for a private network. Proper range is 172.16.0.0/12 In any case: Captura de pantalla 2017-08-29 a la(s) 12.36.42.png MKT1: ether3 shouldn't be a port of a bridge, or switc...

pukkita

I am doing this with PPPoE and running PPPoE at each relay rather than centrally (I have reasons for doing it like this). I have a /25 public IP range that I wish to use as sparingly as possible. As some sites might only need 1 or 2 CPE with public IPs, how is best to achieve this without wasting p...

pukkita

to next device connected to the suspect port ether1, if it's the internet router, then the internet router IP facing the mikrotik device. What's the ROS version and System > Routerboard firmware versions? I would netinstalll, reset to no defaults and restore the config on the RB2011 in any case, as ...

pukkita

Glad it helped

Those lists are created to help mangle determine kind of traffic:

- Local networks to local networks
- Local networks to internet
- Internet to local networks

As depending on that rerouting should be done or not, etc.

pukkita

I suggested supout/support route because looks like a bug and Mikrotik would better know...

pukkita

Omnitik has single radio (5GHz) it doesn't have 2.4GHz.

pukkita

Set the internet router LAN ip for watch address and check if supout is generated after such 30s connectivity loss.

pukkita

Check on System > Routerboard Current Firmware is 3.41, upgrade and reboot if isn't.

pukkita

Every time I connect ether1 to my switch (C5G124-48P2) ~30 seconds later the router turns off.. Unplug the cable from either end, and the router will boot back up. My initial thought was the 802.3at switch port might be causing issues with the passive PoE input on ether1.. It shouldn't, but I disab...

pukkita

Double check Fimrware is up to date. If it is, generate a supout and email support linking to this post.

pukkita

What are:

- MKT1 LAN IP
- MKT1 PTP IP
- MKT2 PTP IP?
- MKT2 LAN IP?

mockup.jpg

pukkita

No, not directly from ROS.

Closest feature is the IP > Hotspot >User Profiles, create new one, Advertise tab, which most probably won't work as most websites nowadays are HTTPS, whose traffic you cannot intercept to play man-in-the-middle.

pukkita

Do you have any insight into how to make both WAN's accessible? The problem I assume I am running into is when traffic comes in to the new fiber it is going back out the comcast line so it is never making the complete connection. For example, I can ping the public IP of the comcast line but not the...

pukkita

ether 2 and ether 4 on the RB 1200 are damaged so are unusable. with your diagram and suggested setup could i say ether 6-9 be used for connecting any devices that need to intercommunicate amongst theirselves and use ether 1,3,5 for the fibre link with the valns? No, 1,3,5 are still the best ports ...

pukkita

MANGLE chain: prerouting, src. address 192.168.32.3, in. interface:lan bridge, action: mark routing, new routing mark to_cable When mangle rule is disabled everything is working fine, when is enabled NAS is no longer available over VPN. Where is the problem? As you have guessed, on that mangling: y...

pukkita

This matter is not suited for a short explanation on a forum thread, Have a look at Tomas Kirnak's Load Balance / Mangle Deep Dive presentation.

The fact of your WAN interfaces being VLANs doesn't change a thing, just use them as WANs.

pukkita

PS. I also can't ping 10.0.0.253 or 10.0.3.253, strangly enough... /ip address add address=10.0.0.253 interface=02-pfSense network=10.0.0.0 add address=10.0.3.253 interface=02-GUEST-pfSense-VLAN200 network=10.0.3.0 Once you add ports to a bridge, any IPs should be assigned on the bridge itself: /ip...

pukkita

Have a look at Tomas Kirnak's Load Balance / Mangle Deep Dive presentation.

Your problem comes from the fact you're not marking on input chain.

pukkita

I changed the cost to 10 both of them and now traffic goes both interface.. is this correct implementation ? Yes, that's ECMP in action. should i change the gateway on router-2 or any extra setting ? No need to do anything for failover, test that for yourself by disabling any of radio link interfac...

pukkita

The quid here is playing with radio links interface costs in order to achieve ECMP . add authentication=simple authentication-key=xxxx interface=ether10-11Ghz network-type=broadcast priority=14 add authentication=simple authentication-key=xxxx cost=20 interface=ether11-5GhzLink network-type=broadcas...

pukkita

All mikrotik devices sport all ROS features, so for lab use almost any device will allow you to setup labs. Unlicensed CHR will be limited to 1Mbps, but again, for a Lab this still allows to setup any scenario, and you can get an unlimited temporary license for 60 days. You can run user-manager or d...

pukkita

locodog already said how would that be accomplished. I stand by my advise, RB1200 will be probably the best performing board of the three. Let's look at it's block diagram: Captura de pantalla 2017-08-27 a la(s) 12.08.08.png If you were to use just the RB1200 without an additional switch, most optim...

pukkita

Ok, then if those are PTPs, lock down the highest stable, low RTT datarate on the AP radio.

Be sure to pass traffic while evaluating highest stable datarate with low RTT. If RTT goes nuts on a given datarate, select the next lower one.

pukkita

It definitely looks like some sort of L2 issue is happening, broadcast storm, network loop or similar.

Try logging into an affected powerbox via mac-winbox or RoMON, and have a look at /tool profile, and interfaces looking for saturated ethernets.

pukkita

Look like the rebuild was not successful, the database possibly got corrupted due to lack of space.. You may need to clear it out and start from scratch, or have someone knowledgeable to inspect it if it contains useful accounting data.

pukkita

The only issue is that I need to add a L2TP Server binding and a new Interface List item for every L2TP client. Do all remote users need access to the router itself?? In such case it will be easier to change the firewall logic, instead of /ip firewall filter add action=drop chain=input comment=&quo...

pukkita

That looks much better. I have 3 links, all 5 ghz, all with cm9 cards. On the same RB433? There's where your problem probably comes. Specially if at any given moment two of them need to Tx and Rx simultaneously. I'd rather seperate radios on different RBs, and go straight to integrated units (SXTs, ...

pukkita

There's relevant info lacking from your post, so speaking out of my guessings... Firstly, if local VPN IP on router is 192.168.99.1, you should use it to access it; otherwise, you need to do some adjustments on the remote PC connecting via VPN: - Make your VPN connection the default route (making al...

pukkita

BR433 on my side with cm9 cards

Cards? There's more than one? What's at the other side? A sector (PtMP)?

pukkita

Doesn't look so stable. Which devices are you using? Is this a PTP or a PtMP? What's the System > RouterBoard Current vs Upgrade Firmware on both? If this is a PTP, for 3km link, signal levels are really unleveled, assuming both AP and station are the same model, I'd bet you have either fresnel or l...

pukkita

There are several possible ways of doing this. One of them is setting default route through an Internet host like 8.8.8.8 by using recursivity, so that the "ping gateway" ROS feature controls the failover. I have had issues with this, and wouldn't be surprised if your ISP, or further up th...

pukkita

Your radius is not responding.

Check the hotspot router reaches the radius ip.

Check Radius service is not failing due to database problems, high load, or that it doesn't have accounting enabled.

Is radius an external radius host, or user-manager running on the same device?

pukkita

Post a diagram, depìcting devices, interfaces and IPs. Hand drawn is perfectly fine.

pukkita

Difficult to provide more specific instructions due to the scarce information, but: Assuming there's one router with one WAN connection which routes 6 public IP addresses, in order to masquerade outgoing Internet connections you only need: - Have all the IPs assigned on the router. I assume the 12.1...

pukkita

What's on System > License?

It doesn't have to be related to license, there are other settings that may cause this, like bad ip pool, inconsistent settings, etc.

Watch out the log when that happens, and post it here. Posting an export of your config is a good idea also.

pukkita

It was introduced on 6.40.2, but can be used on any fasttrack enabled ROS version.

pukkita

You're welcome!

pukkita

You could use a RB912 with a 2nd radio installed + 2 external antennas, but it won't be neither less bulkier nor cheaper, and way less reliable (pigtails). I understand Mikrotik philosophy is providing flexible building blocks at disruptive prices, that's why no too-scenario-specific devices are rel...

pukkita

Yes, looks like some kind of ethernet problem with that laptop.

pukkita

If I do that, broadcast a client SSID and connect as a client, on the same 5GHz radio I'd imagine I'll suffer from the common problem of wireless mesh and I could see a reduction in performance. Does the MIMO (triple chain) of the product off-set the loss of air-time in this case Yes, it does suffe...

pukkita

No need for the second mangle on output chain. This rule alone should be enough: /ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=VPN_Gateway passthrough=no protocol=tcp src-address=192.168.168.101 dst-address=!192.168.168.0/24 dst-port=80 log=no log-prefix="" ...

pukkita

Which interface? do you refer to a laptop?

pukkita

Try upgrading to 6.40.2, per its changelog : *) pppoe-client - fixed wrong MRU detection over VLAN interfaces; Not all Movistar ONTs expose VLANs anymore, that could be the reason others not experiencing problems if this fixes it. Have seen some Movistar ONTs change from exposing VLANs to not exposi...

pukkita

ROS version? Firmware version? (System > Routerboard Current Firmware ) Looks like MTU problem. Does your pppoe-out1 enter Running state? Open a New Terminal and issue the following commands, posting them back here: /ip address print /ip route print /interface print Have you had a look at the WAN st...

pukkita

Reset it to no defaults (connect to it via winbox neighbors tab afterwards, no need for ip settings) Station: - Setup it as wireless-mode=station-bridge - Create a bridge - Add wlan1 and ether1 to the bridge. AP: -wireless mode is AP-bridge or bridge - Create a bridge - Add wlan1 and ether1 to it Do...

pukkita

At this point, I would save an export (.rsc file) for backup, then:

- netinstall the router.
- Reset it to no defaults
- Connect to it from Winbox Neighbors tab, then import or copy & paste backup. rsc file contents.

Post a System > Routerboard screenshot. Current firmware should be 3.35.

pukkita

Try keeping the reset button pressed until you see the hAP appear in netinstall. Have you played with protected RouterBoot features in the past? When you say winbox doesn't detect it, do you refer to Neighbors tab? Even with a laptop with its ethernet as only network active interface? (all the rest ...

pukkita

Yes. Despite being a tiny device, it supports all ROS features (CPU allowing).

pukkita

NAT is the last step in traffic manipulation, unless routing steers traffic via a specific WAN, where NAT is set, NAT is not going to happen.

Please post

/ip route print detail
/ip address print
/ip firewall address-list print

pukkita

Check the reset switch is not damaged and is shorting itself even w/o pressing it. That may cause the reboot loop.

pukkita

Try setting src-address in radius to 127.0.0.1.

I assume both user-manager and hotspot are installed on the same router.

pukkita

Yes, it's a new optimization to default firewall filter rules. Yes, it has to do with fasttrack.

pukkita

Have you done an spectral scan? You'll need a non AC Mikrotik radio (or other brand) to carry it out. Specific scenario 5GHz Spectrum is what will dictate what speeds can be achieved, regardless of equipment used. If there's 40MHz contiguous spectrum available, you may get near those 200Mbps. If the...

pukkita

Thanks very much indeed for the clarification about IPTV and the QOS configuration!! Have you any thoughts about the make, model, and performance of a suitable load balancer which we will need if we go for 2 uplinks? The already deployed RB850G can cope with the two. Do you think that speed limitat...

pukkita

You're not doing any load balancing, and steering all LAN - > Internet traffic towards WAN1: add action=mark-connection chain=prerouting comment=LAN->WAN connection-mark=no-mark dst-address-list=!local-lan dst-address-type=!local \ new-connection-mark=LAN->WAN passthrough=yes src-address-list=local-...

pukkita

Depends on expected customer distance, I'd recommend mANTBox 19S for >800m customers, and 15S or SXT-SA for closer customers. You need to study the terrain, then deploy sectors estrategically depending on surrounding conditions and customer density; typical setup 3 x 19S to cover 360 for mid-long di...

pukkita

Are you using hotspot? Or plain DHCP?

pukkita

Don't think that's possible, because there's only one switch chip. FYI, 6.41RC has a new bridge/switch chip implementation, where hardware offloading is used to accelerate switching/bridging when possible. Haven't tested it yet, and don't know which specific circumstances need to be met for HW offlo...

pukkita

I was referring to setup your own IPTV streaming server. When I refer to multicast, I refer to stream IPTV via multicast, i.e. users will be connected to the server and will "fetch" the same stream from the network, i.e., if 5 users are watching a given channel, and such channel is 3Mbps, ...

pukkita

Check updates from SwOS GUI

pukkita

As it's a CRS, i.e. a switch, it has one switch chip.

All ports are connected to this switch chip:

Captura de pantalla 2017-08-24 a la(s) 18.26.40.png

pukkita

Does it appear in red?

So far cannot spot anything, which ROS version? Could you export it again using /export compact this time?

pukkita

It may, depending on other factors, but I think there are more suitable options. What's the available Internet bandwidth? In any case, for a network of that size, I'll use a RB3011 minimum. If budget allows, investing on a RB1100AHx2 or CCR from starters will better protect the investment and allow ...

pukkita

Yes, is it possible to change default configuration.

You need to use netinstall Configure Script feature.

pukkita

The question is Omnitik the right decision for a base spot in this situation?! No. Stay away from Omnis. Basebox would be a good choice if only a handful, similar distance customers will use it, or to use it (PoE version) as a PoE Switch and reserve radio to carry out spectrum scans w/o disturbing ...

pukkita

which routerboard out of the 3 i have is better suited to handle a high user load? The RB1200 im looking at roughly a user load of anywhere from 20 users up top 600 connectedf at any given time. What's the internet bandwidth? Are you running queues? I would invest straight on a RB1100AHx2 or a CCR.

pukkita

I think there's a 99.9% probability of the problems being due to the Tenda switches. Probably a bug or limitation in its arp'ing scheme. Avoid Tenda and Whatever-link (D, TP, LR...) brand crappy switches. Netgear is usually fine, and so are CRS routerboards. You can try setting proxy-arp or local-pr...

pukkita

No problem either. I found the power rating of a RB2011UiAS-2HnD-IN as 11W, yours is the non Wireless version, so max power will be less.

For 12V: 11W=12V*I; I = 0.91A. So you have enough margin even with the 1.3A limitation.

pukkita

I would directly write support in this case. BTW, There's a SwOS 2.5rc2 release candidate version, not sure if would help in your case.

pukkita

As long as the PSU provides enough amps, you won't have any underpowering or other problems in your scenario (would be different if you powered the 2011 via PoE-In using a long cable). RB2011 original power adapter is 24V @ 1.2A, i.e. Maximum Power = 24V * 1.2A = 28.8W. I doubt maximum power draw fr...

pukkita

Have a look at this presentation by Tomas Kirnak.

On dual WAN setups means should be deployed so that traffic entering by a given wan leaves by the same one.

Double check you're actually masquerading on the secondary WAN too, when it's the default route hosts from internet should ping too.

pukkita

double check the ROS or SwOS version and firmware, from SwOS changelog : What's new in v2.4: *) CSS106: fixed upgrade over PoE ports when PoE stopped working; *) CRS326: fixed port in disabled VLAN mode to forward untagged packets; What's new in v2.3: *) fixed CRS317: make 10G links more stable; *) ...

pukkita

The solution to this is placing more APs on each floor, at a minimum another RB951 at third floor, wiring it to the main RB951. This RB will need to be wired to the main RB951, configuration needed: On third floor RB951: setup wireless, create a bridge and add the wireless interface and the ether po...

pukkita

Have done some integrations, mostly using hardware DVB-S or DVB-C streamers.

There's a very interesting software project for this: stalker-portal

pukkita

(netinstall can run under wine but it would be better when it could run from commandline) It would be actually really nice , as it would be possible to setup tftp/dhcp netinstall servers on the network. I haven't fully reverse engineered what netinstall does exactly, wonder what's the reason (apart...

pukkita

1. Is there a way of automating the process of getting into netinstall mode? For example, is there a command that can be issued 'reboot into boot loader mode' so I can write a script to automate that part (eg tied to a DHCP lease event that would spot the router grabbing an IP) /system routerboard ...

pukkita

You can follow a more general approach, and mark regular HTTP/S, and HTTP/HTTPs "downloads" (more than X Mb on a given established connection, 5MB in this example) using mangle connection-bytes : add action=mark-connection chain=prerouting dst-port=80,443 new-connection-mark=HTTP packet-ma...

pukkita

In that case you can add a second antena/internet uplink, and make the main router load balance the connections through the two internet uplinks. No need for a second routerboard. QoS plus second internet uplink and load balancing should provide a smoother experience for all users. Third possible en...

pukkita

Plug yours directly to the 3011 and test if you have same problems.

pukkita

Firmware is not up to date, note Upgrade Firmware = 3.36 while Current Firmware=3.26.

To upgrade:

1.- Click on Log.

2.- Go to System > Routerboard and click the Upgrade button.

Watch out log, when you see a message stating upgrade was successful, reboot the router.

pukkita

Are there any PCs directly connected to the 3011? Do those ping internet?

pukkita

can you ping those?

- 82.114.64.3
- 82.114.64.4
- 192.168.1.1

instead of traceroute do a

tracert -d 8.8.8.8

pukkita

What's the ROS version?

What's in System > Routerboard, can you post a screenshot?

pukkita

Which devices are broadcasting the wireless signal? How are they connected to the mikrotik RB951 router?

Is the RB951 the only AP?

pukkita

Post an export, and some description on how the 750 is wired to the rest of the network.

Depending on that, it may be possible to leverage bridge filters to isolate those rogue DHCP servers from the 750.

pukkita

Can you tell me how to do that, im not expert for mikrotik. Copy and paste this onto a New Terminal: /ip firewall filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP" add chain=input action=accept connection-state=established,related comment="defconf: acc...

pukkita

post an

ipconfig /all

on your PC, I assume you run windows.

BTW, your router is exposed to the internet, you should add firewall rules to prevent anyone from bruteforcing your router.

pukkita

You need to make masquerade more specific: /ip firewall nat add action=masquerade out-interface=ether1 chain=srcnat comment="Masquerade WAN" src-address=192.168.1.0/24 Apart from that everything looks fine, the arp problem doesn't seem to be related to 3011 config. Do PCs connected to swit...

pukkita

Which ports are those switches connected to? A hand drawn diagram depicting what's connected and where on the 3011 would be essential.

Connect to it using winbox, open a New Terminal and issue

/export

Pasting the output here.

pukkita

In my case, DHCP server should run on VLAN interface, which is part of a bridge "trunk". Not quite... vlan is "hanging" from bridge-trunk. The only interfaces which are part of bridge-trunk, i.e. are bridge ports, are ether4 and ether5. I don't understand why vlan102 is "sl...

pukkita

Looks like an arp problem. Check Arp setting of LAN interface.

pukkita

On average there are between 30 and 80 devices online at any given time. Bandwidth from wisp is stated as 60 mbs download and 40mbs upload. [...] Unfortunately although the speed is now expected by provider to be between 4 and 7 megabits we sometimes get dips down to as low as 1megabit although at ...

Search found 3031 matches