Community discussions

Search found 2925 matches

by mkx
Tue Aug 27, 2019 8:32 am
Forum: Beginner Basics
Topic: tag all untagged traffic - can't get it working
Replies: 12
Views: 954

Re: tag all untagged traffic - can't get it working

I do have a VLAN configured in a bridge. The config command you posted a few posts back indicates that you're configuring VLANs on switch chip. So there are two ways of doing it: On switch chip You configure things in /interface ethernet switch port and /interface ethernet switch vlan configuration ...
by mkx
Tue Aug 27, 2019 8:15 am
Forum: General
Topic: Request: FEC tunnel types
Replies: 27
Views: 3075

Re: Request: FEC tunnel types

@Amm0: what makes you claim that LTE is lossy?
by mkx
Mon Aug 26, 2019 8:27 pm
Forum: General
Topic: ICMP Firewall Potential Bug
Replies: 13
Views: 1153

Re: ICMP Firewall Potential Bug

Different traceroute programmes use different packet types. Some use same ICMP packets (windows does it IIRC), some use some UDP (linux does it).
by mkx
Mon Aug 26, 2019 8:11 pm
Forum: Beginner Basics
Topic: RBM11G + R11e-LTE not working
Replies: 34
Views: 2591

Re: RBM11G + R11e-LTE not working

What do the following commands print? /interface print detail /ip dhcp-client print detail # obfuscate any public data /ip address print detail # you might want to obfuscate public WAN address here /ip route print detail # obfuscate the public route Just try to obfuscate public data following the sa...
by mkx
Mon Aug 26, 2019 7:34 pm
Forum: General
Topic: Force NTP Client Update
Replies: 5
Views: 422

Re: Force NTP Client Update

Hey ntp client will determine on its own how frequently it should poll the upstream server for time update. Usually it starts at 64s and backs down to 1024s, once clocks are in sync and drift is under control. The problem is that mine is drifting too much for some reason, I need to manually u...
by mkx
Mon Aug 26, 2019 7:04 pm
Forum: General
Topic: Weird IPv6 stuff
Replies: 4
Views: 483

Re: Weird IPv6 stuff

2001:4bb8:248:2868::/64 is a network address (similar to aaa.bb.cc.0/24 in IPv4) so setting this address as host address is invalid (ability to set it anyway is a bug, but then lots of IPv6 implementation in current ROS is buggy).
by mkx
Mon Aug 26, 2019 6:55 pm
Forum: Beginner Basics
Topic: Remote Name Server [SOLVED]
Replies: 5
Views: 557

Re: Remote Name Server [SOLVED]

Could I use one IP address to two (or more) domain? Yes, if different subdomains resolve to same IP address. Most (if not all) HTTP servers support name based virtual servers. Non-ancient HTTPS servers do as well (using TLS SNI). How could I delegate to sub.domain.com to world wide? Could I use this...
by mkx
Mon Aug 26, 2019 6:47 pm
Forum: Beginner Basics
Topic: RBM11G + R11e-LTE not working
Replies: 34
Views: 2591

Re: RBM11G + R11e-LTE not working

Post full configuration of RBM11G ... you can get it by executing command /export hide-sensitive in a command window. Hide sensitive data (such as usernames and passwords) and then post it here, enclosing it in [code][/code] environment for better readability.
by mkx
Mon Aug 26, 2019 6:42 pm
Forum: Beginner Basics
Topic: hAP AC2 as main router over bridge setup
Replies: 2
Views: 365

Re: hAP AC2 as main router over bridge setup

Personally I'd add another RBD52G where Technicolor is. Then I'd forget about Technicolor's wireless, routing and firewalling (in short: configure it to bridge mode so that it semi-transparently passes traffic to your main RB). Then I'd configure one of RBD52Gs (possibly the one in the store room) t...
by mkx
Mon Aug 26, 2019 12:13 pm
Forum: Beginner Basics
Topic: RBM11G + R11e-LTE not working
Replies: 34
Views: 2591

Re: RBM11G + R11e-LTE not working

Does internet work on RBM11G itself? You can check it by executing
/ping www.google.com
If this works, then it's something about LAN setup (either IP settings on router, DHCP settings or firewall rules). If it doesn't, then it's something about LTE and/or WAN setup.
by mkx
Mon Aug 26, 2019 8:39 am
Forum: Beginner Basics
Topic: RBM11G + R11e-LTE not working
Replies: 34
Views: 2591

Re: RBM11G + R11e-LTE not working

IP -> Firewall -> NAT Add Chain: srcnat Out. Interface: lte1 Action: Masquerade (This on "action" tab) Regards. Or, better yet (if using firewall rules resembling default rules from recent ROS versions) add lte1 interface to WAN interface list. It'll magically make RB to use all the right firewall ...
by mkx
Mon Aug 26, 2019 8:38 am
Forum: Beginner Basics
Topic: Wireless CM9
Replies: 1
Views: 231

Re: Wireless CM9

A quick search in the internet reveals one CM9 minipci wireless card ... which seems to be single radio (with dual chain), but 2.4/5 GHz selectable. Which means you need two cards for your use case.
by mkx
Mon Aug 26, 2019 8:26 am
Forum: Beginner Basics
Topic: RB4011iGS with more subnets
Replies: 11
Views: 1162

Re: RB4011iGS with more subnets

The shown configuration doesn't correspond to how you described the config: - ether2 is 192.168.10.1/24, DHCP - connected to PC1 (Windows, IP 192.168.10.254) - ether10 is 192.168.20.1/24, DHCP - connected to PC2 (Windows, IP 192.168.20.254) The config doesn't show any IP config on ether2 - there's a...
by mkx
Sun Aug 25, 2019 10:59 pm
Forum: Wireless Networking
Topic: WiFi QOS keeps mobile device awake (WMM?)
Replies: 3
Views: 573

Re: WiFi QOS keeps mobile device awake (WMM?)

So you set keepalive-frames=enabled and then you find odd the fact that clients are kept alive?
by mkx
Sun Aug 25, 2019 10:47 pm
Forum: Beginner Basics
Topic: RB4011iGS with more subnets
Replies: 11
Views: 1162

Re: RB4011iGS with more subnets

As somebody replied in some thread: the magic ball department is using another forum. If you want to get some useful input here, start by posting complete configuration - you can get it running /export hide-sensitive in command window.
by mkx
Sat Aug 24, 2019 10:30 pm
Forum: General
Topic: NTP Server Open to Internet
Replies: 1
Views: 302

Re: NTP Server Open to Internet

You'll have to add a firewall filter which will allow connections to UDP port 123 in chain=input ... and place this firewall rule above general drop all rule for same chain.
by mkx
Sat Aug 24, 2019 10:21 pm
Forum: Beginner Basics
Topic: Providing re-sellers real IP
Replies: 4
Views: 582

Re: Providing re-sellers real IP

First guess: you currently have one generic SRC-NAT rule (possibly with action=masquerade). You'll have to add specific SRC-NAT rule for each reseller, i.e. /ip firewall nat add action=src-nat chain=srcnat comment="reseller1" out-interface=<ISP interface> src-address=192.168.60.1/30 to-addresses=00...
by mkx
Sat Aug 24, 2019 8:22 pm
Forum: Beginner Basics
Topic: Need help with specific configuration on mAP lite
Replies: 4
Views: 542

Re: Need help with specific configuration on mAP lite

As your main wifi AP is not Mikrotik, you are very limited in selection of station modes. Really read the manual document I linked in my previous post, it'll explain all the problems you're facing. I'm not familiar with QuickSet modes so I can't comment on feasibility of CPE mode for this particular...
by mkx
Sat Aug 24, 2019 8:13 pm
Forum: Beginner Basics
Topic: Providing re-sellers real IP
Replies: 4
Views: 582

Re: Providing re-sellers real IP

First guess: you currently have one generic SRC-NAT rule (possibly with action=masquerade). You'll have to add specific SRC-NAT rule for each reseller, i.e. /ip firewall nat add action=src-nat chain=srcnat comment="reseller1" out-interface=<ISP interface> src-address=192.168.60.1/30 to-addresses=000...
by mkx
Sat Aug 24, 2019 7:57 pm
Forum: General
Topic: Plex + Dynamic IP + DHCP IP
Replies: 4
Views: 510

Re: Plex + Dynamic IP + DHCP IP

... but will the hEX always force this MAC to x.x.x.27, no matter wifi or rj45? DHCP server doesn't know nor does it care which interface Plex uses to connect to LAN, it only cares about MAC address ... so if Plex will use same MAC address for either wired or wlan connection, then DHCP server will o...
by mkx
Sat Aug 24, 2019 7:37 pm
Forum: Beginner Basics
Topic: Need help with specific configuration on mAP lite
Replies: 4
Views: 542

Re: Need help with specific configuration on mAP lite

The problem you're facing is that plain 802.11 doesn't support wireless bridges (which would transparently connect two parts of wired network). Most of WiFi vendors solve this using some proprietary extensions, so does Mikrotik. This, however, means that both APs participating in such bridge have to...
by mkx
Sat Aug 24, 2019 3:19 pm
Forum: General
Topic: Plex + Dynamic IP + DHCP IP
Replies: 4
Views: 510

Re: Plex + Dynamic IP + DHCP IP

For DST-NAT the WAN IP address doesn't really matter, it can be done without referencing it. However, destination (LAN/DMZ server) needs to have static IP address. And this part is not possible (at least with ROS DHCP server) if server's MAC address changes (each network interface has different MAC ...
by mkx
Sat Aug 24, 2019 12:43 pm
Forum: Beginner Basics
Topic: How to dumb bridge (?) using hAP ac lite
Replies: 11
Views: 1022

Re: How to dumb bridge (?) using hAP ac lite

Well, it isn't showing up in winbox.
I'm not sure about this, but it could be that device is not accepting MAC connections over ether1 ... so if your management PC is connected to ether1, try to plug it to some other ether port ...
by mkx
Sat Aug 24, 2019 12:37 pm
Forum: General
Topic: Recommended upgrade paths?
Replies: 2
Views: 463

Re: Recommended upgrade paths?

My suggestion for upgrades: export configuration to plain text using command /export verbose file=exported-config.rsc and copy file to management computer first upgrade to latest release with same major version number (e.g. upgrade the 4.10 device to 4.17) then upgrade it to lowest version with next...
by mkx
Fri Aug 23, 2019 10:41 pm
Forum: RouterBOARD hardware
Topic: RB2011UIAS-2HND-IN completely dead
Replies: 5
Views: 825

Re: RB2011UIAS-2HND-IN completely dead

I'd try with another power supply anyway. The modern switching type of power supplies tend to fail in the way that they provide correct voltage when not under load. When loaded, they drop the voltage and as the time goes by, voltage drop increases to the point when powered device no longer works (co...
by mkx
Fri Aug 23, 2019 10:25 pm
Forum: Wireless Networking
Topic: wireless repeater mode and IPv6 [SOLVED]
Replies: 4
Views: 549

Re: wireless repeater mode and IPv6 [SOLVED]

If both AP3 and AP2 are mikrotik, then you can create transparent wireless hop if you set one of the two APs to mode=bridge or mode=ap-bridge (the former if both APs are used exclusively for point-to-point connection, the latter if master AP should serve "normal" stations as well). The other AP shoul...
by mkx
Fri Aug 23, 2019 10:16 pm
Forum: General
Topic: Routing or Bridge for p2p wireless link
Replies: 4
Views: 491

Re: Routing or Bridge for p2p wireless link

Bridge means less package processing on the involved devices ... which means lower delay and possibly higher throughput. However, bridge also means broadcasts (including ARP requests) for the whole subnet will hit all the wireless links (presumably bottlenecks) ... which means somewhat reduced throu...
by mkx
Fri Aug 23, 2019 9:45 pm
Forum: General
Topic: Firewall Rules PPPoE vs ethernet-port
Replies: 9
Views: 964

Re: Firewall Rules PPPoE vs ethernet-port

Just noticed: on the "non-standard" router the accept filter rule is in chain=forward ... should be in chain=input if IPsec is terminated on router itself. Thank you for your input. Tried also with chain=input - doesn't work either. I'm under the impression I didn't explain the setup good enough: M...
by mkx
Fri Aug 23, 2019 8:08 pm
Forum: Beginner Basics
Topic: How to dumb bridge (?) using hAP ac lite
Replies: 11
Views: 1022

Re: How to dumb bridge (?) using hAP ac lite

Winbox searches for routerboard devices and presents a list. Then you select presented device. Devices don't need IP address configured.

When device is reset to no configuration, it doesn't have IP address nor runs DHCP client ...
by mkx
Fri Aug 23, 2019 7:55 pm
Forum: General
Topic: Firewall Rules PPPoE vs ethernet-port
Replies: 9
Views: 964

Re: Firewall Rules PPPoE vs ethernet-port

Just noticed: on the "non-standard" router the accept filter rule is in chain=forward ... should be in chain=input if IPsec is terminated on router itself.
by mkx
Fri Aug 23, 2019 4:28 pm
Forum: General
Topic: Test for leaking VLAN's
Replies: 4
Views: 512

Re: Test for leaking VLAN's

First off you have to decide how you're supposed to see that a packet has leaked to the wrong VLAN. VLAN ID is obviously a wrong choice (specially so in the untagged section of a VLAN). You could look for packets with sender/receiver MAC address which are not supposed to be in the observed VLAN ... ...
by mkx
Fri Aug 23, 2019 4:20 pm
Forum: General
Topic: Firewall Rules PPPoE vs ethernet-port
Replies: 9
Views: 964

Re: Firewall Rules PPPoE vs ethernet-port

Are you absolutely positive that the "black box router" is transparent regarding udp ports 500 and 1701?

Generally firewall rules don't care about different ports other than using them as additional match criterion.
by mkx
Fri Aug 23, 2019 4:13 pm
Forum: Beginner Basics
Topic: Simplifying my forward chain? [SOLVED]
Replies: 6
Views: 665

Re: Simplifying my forward chain? [SOLVED]

Safer (and sometimes easier) way is to construct a list of explicitly allowed connections and drop the rest at the end. Your current one is the opposite: drop whatever you thought it should be dropped and (implicitly) allow the rest. Any way you do it, there's an essential rule missing in your curren...
by mkx
Fri Aug 23, 2019 4:09 pm
Forum: Beginner Basics
Topic: VLAN on ISP connection
Replies: 2
Views: 359

Re: VLAN on ISP connection

The most straightforward way, but with some limitations which might bite you in the future, would be this: keep ether1 (ISP) off any bridge at all costs create needed vlan interfaces off the ether1 - you probably already created one for VLAN 640 so you need to add one for VLAN 300 and possibly one ...
by mkx
Fri Aug 23, 2019 3:50 pm
Forum: General
Topic: Passive POE question (RB4011iGS+RM / cAP ac)
Replies: 1
Views: 367

Re: Passive POE question (RB4011iGS+RM / cAP ac)

PoE out for RB4011 actually says 600mA for voltages less than 30V and 400mA for voltages above 30V. Specs say about cAP ac consumption that it's 13W without attachments and 24W maximum. I'm not sure what does count as attachment, but let's say you want to power "bare" cAP acs, so let's calculate with...
by mkx
Fri Aug 23, 2019 9:27 am
Forum: General
Topic: RB960PGS with POE burns in lightning
Replies: 1
Views: 301

Re: RB960PGS with POE burns in lightning

... inside the village there are RB960PGS connected to each other on cat5e cable ... Lightning strikes, even if not really near, can cause considerable voltage inducted in any metallic cable. Which includes cat5e cables if those are not laid inside some steel-reinforced concrete which would shield ...
by mkx
Fri Aug 23, 2019 9:09 am
Forum: Beginner Basics
Topic: How to dumb bridge (?) using hAP ac lite
Replies: 11
Views: 1022

Re: How to dumb bridge (?) using hAP ac lite

... reset the hAP ac lite with no defaults connect to hAP ac lite using winbox MAC connection and configure the following: I thought that combination of these two steps would leave device with no configuration whatsoever, no bridge etc. I'm pretty sure that the first quoted bullet can not be achiev...
by mkx
Fri Aug 23, 2019 8:16 am
Forum: Beginner Basics
Topic: How to effectively configure 6 hEX units ?
Replies: 5
Views: 691

Re: How to effectively configure 6 hEX units ?

Configure 1 how you want it. Do an /export and then do a full reset on the others and import the .rsc file you made from the first one. Which would cover all but last two OP's points (SSH keys and password) ... those two are only possible to automate by using (binary) backups which should not be us...
by mkx
Fri Aug 23, 2019 8:06 am
Forum: Announcements
Topic: hAP lite
Replies: 389
Views: 164041

Re: hAP lite

Something like RB450Gx4 ...?
Or, if amount of RAM and storage offered by RB450Gx4 is not needed, a RBD52G (with wireless disabled) might be considered as well ... comes with a case and lower price-tag while offering same wired performance.
by mkx
Thu Aug 22, 2019 1:44 pm
Forum: General
Topic: fasttrack or RAW is better for blocking ddos attacks?
Replies: 2
Views: 320

Re: fasttrack or RAW is better for blocking ddos attacks?

On the other hand, if you need connection tracking enabled, then RAW is the place to drop DDOS packets.
by mkx
Thu Aug 22, 2019 8:40 am
Forum: Beginner Basics
Topic: How to dumb bridge (?) using hAP ac lite
Replies: 11
Views: 1022

Re: How to dumb bridge (?) using hAP ac lite

I'm not sure about the QuickSet modes (I'm pretty sure there isn't one for exactly this setup, but there might be something really close to it ... and I may be entirely wrong about this), but you could go this way: download and install winbox to your management computer (if you're not familiar: that...
by mkx
Thu Aug 22, 2019 8:33 am
Forum: General
Topic: RouterOS v7.0 beta1 - when?
Replies: 609
Views: 154592

Re: RouterOS v7.0 beta1 - when?

Maybe you are going backwards :)

Seems like that indeed :wink:

I certainly hope that folders from @Normis' screenshot are created in advance and that 7.0alpha219 was empty at the time ... which would mean that there are 219 alpha releases to go before we get some public RC :mrgreen:
by mkx
Wed Aug 21, 2019 3:43 pm
Forum: Beginner Basics
Topic: Remote Winbox access blocked from IP Services IP auto fill in from address, How do i stop the auto config
Replies: 1
Views: 293

Re: Remote Winbox access blocked from IP Services IP auto fill in from address, How do i stop the auto config

There was a winbox vulnerability present for quite a while which allowed remote user to use winbox service without knowing correct password (and username). You may want to check this thread to check if your problems are related ...
by mkx
Wed Aug 21, 2019 9:15 am
Forum: General
Topic: question about CCR 1072 CPU
Replies: 3
Views: 522

Re: question about CCR 1072 CPU

CPU producer marks CPUs with stock frequency with a reason. And the reason is that according to tests (and 6-sigma process) the CPU will run at stock frequency without a glitch for designed life-time. If the same CPU is run at higher frequency, it might not run without a glitch (over-clocking tricks...
by mkx
Wed Aug 21, 2019 9:03 am
Forum: General
Topic: Question about CCR and inter-vlan routing performances
Replies: 7
Views: 831

Re: Question about CCR and inter-vlan routing performances

I am more concerned if the CCR can use more than one CPU core when you have all traffic on 1 interface. (normally when you run 8 different interfaces the interrupt load and part of the filtering is spread over 8 cores) Even if interrupts are mapped statically (i.e. portX always interrupts coreY) - ...
by mkx
Tue Aug 20, 2019 10:57 pm
Forum: General
Topic: CCR1036 inter-vlan routing performance issue
Replies: 1
Views: 257

Re: CCR1036 inter-vlan routing performance issue

I'm afraid you're hitting the ceiling for single-connection throughput. Routing is single core per connection. If you'll test multiple parallel connections (e.g. 10), router will use more cores and cumulative throughput will be better.
by mkx
Tue Aug 20, 2019 10:52 pm
Forum: General
Topic: Not receive Advertising Link Partner SFP+, to SFP+
Replies: 1
Views: 299

Re: Not receive Advertising Link Partner SFP+, to SFP+

Auto negotiation is set to disabled. In this case there is no advertisements ... instead parameters are hard set to 1Gbps full-duplex. If the other end is not set to exactly the same, it's likely to see link failure...
by mkx
Tue Aug 20, 2019 10:46 pm
Forum: Beginner Basics
Topic: 4G LTE Confusion
Replies: 3
Views: 536

Re: 4G LTE Confusion

SXT-4g support ONLY 4G. It will not connect over anything other. SXT-LTE support 4G+3G+2G. In addition to that, 4G supports less of commonly used frequency bands than LTE (bands 1 - 2100MHz and 8 - 900 MHz). Also TDD band support is different. Whether this matters or not ... you'll have to find out...
by mkx
Tue Aug 20, 2019 3:02 pm
Forum: General
Topic: 1:1 Nat from ISP Can't port forward
Replies: 2
Views: 382

Re: 1:1 Nat from ISP Can't port forward

Probably you don't need netmap, you rather need (a few) simple DST-NAT rules ... where dst-address is router's WAN IP address (192.168.0.1) ... router knows nothing about real WAN IP, it is already hidden by ISP's modem.
by mkx
Tue Aug 20, 2019 12:36 pm
Forum: General
Topic: Feature requests
Replies: 1159
Views: 207332

Re: Feature requests

2. With your topic you want to say that the accuracy difference NTP+1PPS versus IEEE1588 is insignificant? 3. If in the future I decide to use a PTP/IEEE1588 grandmaster server and broadcast/unicast the clock via a VLAN, will this process of tagging/untagging have a big impact on the accuracy of th...
by mkx
Tue Aug 20, 2019 12:10 pm
Forum: General
Topic: Feature requests
Replies: 1159
Views: 207332

Re: Feature requests

1. Is there any component/hardware (eg: GPS) of a Mikrotik equipment which can provide to the other LAN equipment such kind of signal (1PPS)? 1. No idea. If I have to choose, then I'd hesitantly choose a yes. According to wiki (https://wiki.mikrotik.com/wiki/Manual:System/GPS): Note: The time is no...
by mkx
Tue Aug 20, 2019 11:30 am
Forum: General
Topic: RB450G to RB450G☓4 How to Transfer State
Replies: 10
Views: 1035

Re: RB450G to RB450G☓4 How to Transfer State

... would like to transfer my DNS cache of my establish, related IP state to the new router. The old router I had kept the default IP address (192.168.88.1); however, on the new router, the address and range is 10.0.8.2-10.0.8.254 with router on 10.0.8.1. You can't. Connection tracking states are m...
by mkx
Mon Aug 19, 2019 10:05 pm
Forum: General
Topic: Feature requests
Replies: 1159
Views: 207332

Re: Feature requests

2. If you use NTP (which is the most precise timing protocol supported by mikrotik) to propagate the time, then I don't think you gain much by using 1PPS source ... Precision gain will have order of magnitude of milliseconds and that's also order of magnitude of precision obtainable using NTP ove...
by mkx
Mon Aug 19, 2019 9:37 pm
Forum: General
Topic: Feature requests
Replies: 1159
Views: 207332

Re: Feature requests

Still I want to ask you about 1PPS signal. 1. Is there any component/hardware (eg: GPS) of a Mikrotik equipment which can provide to the other LAN equipment such kind of signal (1PPS)? 2. I have a heX router (NTP client) which is synchronized to a RB1100AH (NTP server). Directly connected to heX, t...
by mkx
Mon Aug 19, 2019 5:15 pm
Forum: General
Topic: Feature requests
Replies: 1159
Views: 207332

Re: Feature requests

Answer to questions 1,2,4 and 5 is: No. Variation of answer to question 2: most decent switches/routers are good enough as a (single?) step in otherwise fully IEEE1588-compliant path if they are lightly loaded so that delay jitter is really low. This way the additional constant delay due to active d...
by mkx
Sun Aug 18, 2019 11:30 am
Forum: Wireless Networking
Topic: Bridge VLAN performance drop
Replies: 1
Views: 325

Re: Bridge VLAN performance drop

CRS3xx should have HW offload support for VLANs ... if things are configured properly it should not experience any slowdowns in intra-VLAN frame forwarding. You should be aware that CRS devices are essentially switches and L3 (routing) performance is lagging far behind. So whether the observed 30% p...
by mkx
Sat Aug 17, 2019 6:24 pm
Forum: Beginner Basics
Topic: Routing both lan and wan on one interface
Replies: 1
Views: 356

Re: Routing both lan and wan on one interface

It is possible and I'm sure there are many ways to do it. From L2 (connectivity) point of view, you can use separate VLANs to separate different networks (WAN v.s. LAN) passing the same wire. From L3 point of view, you may want to consider if firewalling the WAN-addressed virtual server should be do...
by mkx
Sat Aug 03, 2019 9:19 pm
Forum: General
Topic: Transparent NAT
Replies: 5
Views: 558

Re: Transparent NAT

Most LTE modems playing smart by doing NAT themselves are not configurable enough to do netmap-style of NAT ... even if they do, you should find a way to configure that on the LTE modem thingy, nothing to be done on RB. And since you want to perform NAT on CCR in a smart way, you can't do netmap-sty...
by mkx
Sat Aug 03, 2019 7:31 pm
Forum: RouterBOARD hardware
Topic: CRS112x strange issue [SOLVED]
Replies: 7
Views: 1006

Re: CRS112x strange issue [SOLVED]

How are PCs set-up ... IP address, subnet mask, default gateway? Is there a DHCP server involved or you set them up manually?
by mkx
Sat Aug 03, 2019 5:07 pm
Forum: RouterBOARD hardware
Topic: CRS112x strange issue [SOLVED]
Replies: 7
Views: 1006

Re: CRS112x strange issue [SOLVED]

Did you try to reboot CRS after change of IP? It shouldn't matter, but who knows ...

Does /interface bridge port print show 'H' in flags column for ether and sfp ports?
by mkx
Sat Aug 03, 2019 2:35 pm
Forum: Beginner Basics
Topic: Access DSL modem in "bridge mode" behind Mikrotik [SOLVED]
Replies: 12
Views: 1225

Re: Access DSL modem in "bridge mode" behind Mikrotik [SOLVED]

When you're testing ping from PfSense, does counter of the appropriate masquerade rule increase?
by mkx
Sat Aug 03, 2019 1:04 pm
Forum: Beginner Basics
Topic: Not showing IP on connected devices [SOLVED]
Replies: 13
Views: 1094

Re: Not showing IP on connected devices [SOLVED]

Please post output of command /export hide-sensitive (run it from a command window) ... and obfuscate public addresses ... paste it inside [code][/code] environment for better readability.

No need for verbosity, but do post complete setup, sometimes problems are hidden elsewhere.
by mkx
Sat Aug 03, 2019 12:58 pm
Forum: Beginner Basics
Topic: Two VLANs in a bridge or two bridges
Replies: 2
Views: 453

Re: Two VLANs in a bridge or two bridges

Option with two bridges allows HW offload on ether ports of one of bridges (probably you want this on LAN bridge), while single-bridge-multiple-VLAN does not if VLANs are configured on bridge. If functionality-wise you're happy with your current setup, then you should stick to it. If you stick to t...
by mkx
Sat Aug 03, 2019 12:30 pm
Forum: Beginner Basics
Topic: Access DSL modem in "bridge mode" behind Mikrotik [SOLVED]
Replies: 12
Views: 1225

Re: Access DSL modem in "bridge mode" behind Mikrotik [SOLVED]

Does PfSense know about 172.16.2.0/24? Or it treats it as "normal" WAN address?

Can your RB ping Vigor?
by mkx
Sat Aug 03, 2019 10:19 am
Forum: General
Topic: Very simple VLAN
Replies: 16
Views: 1440

Re: Very simple VLAN

Thanks - and is there a simple way to "tie" the two subnets together so that everything (including broadcast) works across them both? Subnets and common broadcast domains don't go together. Unless you know well what you're doing ... but then you wouldn't be asking this particular question here ...
by mkx
Sat Aug 03, 2019 10:16 am
Forum: Beginner Basics
Topic: Port Forward/Passthrough
Replies: 5
Views: 540

Re: Port Forward/Passthrough

By default, connections from LAN to WAN are not restricted in any way. The only requirement is a working SRC-NAT configuration (which is there by default on SOHO models as well unless WAN connectivity type is a non-common one). You're mentioning a /25 WAN subnet which indicates a non-common setup (f...
by mkx
Fri Aug 02, 2019 7:39 pm
Forum: Beginner Basics
Topic: Routing between bridged interfaces and a port [SOLVED]
Replies: 1
Views: 383

Re: Routing between bridged interfaces and a port [SOLVED]

Router needs IP address for each subnet it should be routing to/from.

Read up some IP routing basics ... when you do, don't skip the part with multiple routers in same network, this is the part where fun begins.
by mkx
Fri Aug 02, 2019 2:32 pm
Forum: Beginner Basics
Topic: Router for 1Gbit Wan from Mikrotik (What model?)
Replies: 4
Views: 744

Re: Router for 1Gbit Wan from Mikrotik (What model?)

CRS line are switches with L3 functionality. It's fine to use them with ROS as switches (you don't have to boot SwOS for that). You should go for RB line, such as RB750Gr3 (which probably barely reaches your requirements) or some faster model (those typically come with bigger number of ports) such a...
by mkx
Thu Aug 01, 2019 5:41 pm
Forum: General
Topic: CRS317-1G-16S+RM as storage switch
Replies: 4
Views: 646

Re: CRS317-1G-16S+RM as storage switch

CRSes will be as good as any other managed switch with regard to iSCSI...
by mkx
Thu Aug 01, 2019 3:10 pm
Forum: RouterBOARD hardware
Topic: GPeR question
Replies: 18
Views: 2302

Re: GPeR question

I can see a communication noise happening around here. How about MT guys writing a few lines of technical description about GPeR ... what is it, how it works. Doesn't really have to disclose some patented technology ... I guess it's about a fairly simple (electrical) signal shaper with some DC bypas...
by mkx
Thu Aug 01, 2019 12:33 pm
Forum: RouterBOARD hardware
Topic: RouterBOARD naming
Replies: 47
Views: 24404

Re: RouterBOARD naming

1. I prefer the classic or Hex-S (!) style :-)

Say hello to Flintstones next time you meet them :wink:

Black is new white :lol:
by mkx
Thu Aug 01, 2019 12:30 pm
Forum: RouterBOARD hardware
Topic: 1100x4 unexpected downgrade
Replies: 4
Views: 526

Re: 1100x4 unexpected downgrade

This could happen if NAND was partitioned (for fall-back) and the backup partition never got updated (neither ROS nor config). The mechanism is such that routerboot starts device from the other partition if there's an error making RB to reboot. Power outage counts as such (personally I don't think p...
by mkx
Thu Aug 01, 2019 12:24 pm
Forum: Wireless Networking
Topic: Long range connection
Replies: 17
Views: 1465

Re: Long range connection

Other technologies like 4G use a lot more power and they can do it. Just a tad of nitpicking: user's equipment in 4G operates at similar Tx powers as WiFi (max Tx power at around 20dBm) and also uses similarly shitty antennae (with gain around 0dBi) ... the difference is in the base stations: those...
by mkx
Thu Aug 01, 2019 7:02 am
Forum: Beginner Basics
Topic: No internet on LAN - hex rb750gr3 with E3372
Replies: 12
Views: 1159

Re: No internet on LAN - hex rb750gr3 with E3372

So did you try to add lte1 interface to WAN interface list? Did it do the trick or not?
by mkx
Wed Jul 31, 2019 10:20 pm
Forum: Beginner Basics
Topic: No internet on LAN - hex rb750gr3 with E3372
Replies: 12
Views: 1159

Re: No internet on LAN - hex rb750gr3 with E3372

None of your routing information/config is there?? Probably because all of it is dynamic. /ip route print and /ip address print would reveal lots of things. Before posting output of these commands do obfuscate public IP addresses ... but do it consistently so that it will be obvious what belongs to...
by mkx
Wed Jul 31, 2019 3:49 pm
Forum: Beginner Basics
Topic: NAT is blocking the acess to that port when active
Replies: 2
Views: 379

Re: NAT is blocking the acess to that port when active

Probably your DST-NAT rule is too general. Execute command /ip firewall nat export in a terminal window and post result here.
by mkx
Tue Jul 30, 2019 11:25 pm
Forum: General
Topic: NAT to a local server
Replies: 25
Views: 1880

Re: NAT to a local server

When setting in-interface=bridge NAT should stop working for connections from WAN ...
by mkx
Tue Jul 30, 2019 11:11 pm
Forum: Wireless Networking
Topic: How to get signal-strength from wireless card
Replies: 3
Views: 534

Re: How to get signal-strength from wireless card

Signal strength has its meaning for the receiving party. When device is in station mode, it only talks to single peer and signal strength of that peer is a fairly good indication of the two-way connection quality. When device is in ap mode (any of them), it's talking to many peers and none of them c...
by mkx
Tue Jul 30, 2019 5:31 pm
Forum: General
Topic: Calculating Power Consumption for POE
Replies: 2
Views: 409

Re: Calculating Power Consumption for POE

cAP ac supports PoE-out ... connected PoE client would count as attachment. Some other devices feature USB ports which can be used to connect some power-hungry peripherals, such as LTE modems or flash sticks... Or miniPCIe slots to add wireless or LTE interfaces ... All of those count as attachments.
by mkx
Tue Jul 30, 2019 5:22 pm
Forum: General
Topic: Router OS in GSM environment
Replies: 2
Views: 411

Re: Router OS in GSM environment

RouterOS is about data (IP in particular) routing. If you're talking about VoIP, then many people did it. If you're talking about GSM circuit-switched voice, then ROS won't help you. Not many GSM chipsets support digital voice break-out ... and even if some does, it is 64kbps ADPCM or something simi...
by mkx
Mon Jul 29, 2019 11:16 pm
Forum: RouterBOARD hardware
Topic: GPeR question
Replies: 18
Views: 2302

Re: GPeR question

1) Of course it matters (and two port has nothing to do with it) Really ... what's the big difference between 2-port ethernet hub and 2-port ethernet switch? And yes, port count has everything to do with it. Instead of forwarding frame to the other port because forwarding table (MAC address list) o...
by mkx
Mon Jul 29, 2019 5:49 pm
Forum: General
Topic: PPPoE Client as main Link 3G as Backup
Replies: 1
Views: 303

Re: PPPoE Client as main Link 3G as Backup

How about searching for mikrotik dual wan failover using your favourite internet search page? One of top results is this manual page, seems promising to me.
by mkx
Mon Jul 29, 2019 5:35 pm
Forum: General
Topic: Possible security breach
Replies: 12
Views: 4919

Re: Possible security breach

Old thread, I know, but I think it's worth bumping. I had same thing happen to me. There were 2 ptty scripts in my scheduler. I had my router exposed to WAN with default username only a matter of minutes but didn't notice the script until a few days later. I deleted scripts, the admin user, the new r...
by mkx
Sun Jul 28, 2019 2:38 pm
Forum: General
Topic: Login failure for user Radius via api
Replies: 3
Views: 554

Re: Login failure for user Radius via api

API login method has changed.
by mkx
Sun Jul 28, 2019 2:33 pm
Forum: Beginner Basics
Topic: Vlan config and bridging
Replies: 3
Views: 567

Re: Vlan config and bridging

There are many points where things might have turned wrong way. Post output of /export hide-sensitive after you've mangled any remaining sensitive data such as public IP addresses ...
by mkx
Sat Jul 27, 2019 11:18 pm
Forum: Beginner Basics
Topic: Fixed IP using VLANs. How?
Replies: 1
Views: 336

Re: Fixed IP using VLANs. How?

IMHO LAN infrastructure devices should for very same reason have their IP addresses set statically.
by mkx
Fri Jul 26, 2019 8:59 pm
Forum: Wireless Networking
Topic: Wifi equipment for 70m distance behind windows
Replies: 14
Views: 1188

Re: Wifi equipment for 70m distance behind windows

Powering is not a problem...I have power outlet on balcony. A what to use for device in building 1? I'm not sure if supplied power adapter is weatherproof as well ... For the building1 any routerboard with 2.4GHz wireless would do. In absence of other ideas/reasons I'd go with second wAP ac (for no...
by mkx
Fri Jul 26, 2019 8:52 pm
Forum: General
Topic: How debug L2 and IP firewall?
Replies: 4
Views: 480

Re: How debug L2 and IP firewall?

I think you should properly separate ether2 from the rest of LAN on L2 by removing ether2 from bridge and then assure needed communication by routing and firewalling. You'd need separate subnet (probably a /30 would do) for connection between RB and the "untrusted network"'s gateway. If you go this ...
by mkx
Fri Jul 26, 2019 7:25 pm
Forum: General
Topic: How debug L2 and IP firewall?
Replies: 4
Views: 480

Re: How debug L2 and IP firewall?

  1. Are you testing connectivity from LAN device from one subnet towards router's address in another subnet or you're testing between LAN devices?
  2. Post complete configuration (output of command /export hide-sensitive and obfuscate sensitive data, such as public IP address)
by mkx
Fri Jul 26, 2019 7:09 pm
Forum: Wireless Networking
Topic: Wifi equipment for 70m distance behind windows
Replies: 14
Views: 1188

Re: Wifi equipment for 70m distance behind windows

If we set aside problem with powering (wireless powering wasn't seriously developed ever since Tesla failed to extort more money from J.P.Morgan), a wAP ac would make a good wireless hop.

As both hops (2.4 and 5GHz) would essentially be point-to-point, I'd configure them as nstreme bridges.
by mkx
Fri Jul 26, 2019 4:21 pm
Forum: Beginner Basics
Topic: VLAN 1003 via its own switch port
Replies: 2
Views: 339

Re: VLAN 1003 via its own switch port

Depends on how things are set up currently. If AP tags the traffic itself, then you can set port vlan security so that on ingress it only accepts tagged frames. A random passer-by won't know it needs to tag packets so for him the port will seem useless. If one knows to tag frames with correct VID, h...
by mkx
Fri Jul 26, 2019 1:51 pm
Forum: General
Topic: Feature requests
Replies: 1159
Views: 207332

Re: Feature requests

Need feature to detect if device have poe-out interfaces - now any poe-command (even print command) causes error in script if HW doesn't have poe-out interfaces... I don't know how to script it, but possibility is available already: /interface print where type=pppoe-out pppoe has no relation to poe...
by mkx
Fri Jul 26, 2019 1:49 pm
Forum: Wireless Networking
Topic: Wifi equipment for 70m distance behind windows
Replies: 14
Views: 1188

Re: Wifi equipment for 70m distance behind windows

If the reason for avoiding LAN cables is fear for interference from power lines to UTP cables or fear for some power surges, then you could use fibre connection between the "main wireless hop" (building-2-building) and their hAP ac2 ... dumb media converters supporting multi-mode fibre and 10/100 Mb...
by mkx
Fri Jul 26, 2019 1:41 pm
Forum: Wireless Networking
Topic: Intel Wireless Cards for ROS
Replies: 2
Views: 376

Re: Intel Wireless Cards for ROS

As far as I understand, x86 is not actively developed anymore ... hence no new drivers. Hence no support for newer hardware. MT suggests to switch over to CHR ... for one thing MT doesn't have to develop tons of drivers, VM abstraction layer takes care of that. With ROS7 things might change - who kno...
by mkx
Fri Jul 26, 2019 1:24 pm
Forum: General
Topic: Feature requests
Replies: 1159
Views: 207332

Re: Feature requests

Need feature to detect if device have poe-out interfaces - now any poe-command (even print command) causes error in script if HW doesn't have poe-out interfaces...

I don't know how to script it, but possibility is available already: /interface print where type=pppoe-out
by mkx
Thu Jul 25, 2019 10:43 pm
Forum: General
Topic: VLAN issue
Replies: 8
Views: 720

Re: VLAN issue

My thinking: ports ether23 and ether24 are set up equally. As VLANs seemingly work as they should on ether24 (Sonicwall trunk ... when connecting to different access ports computer becomes part of correct VLAN) - you might want to verify this by connecting Sonicwall to ether23 ... it seems that CRSe...
by mkx
Thu Jul 25, 2019 10:34 pm
Forum: Beginner Basics
Topic: Significant Speed Issues with MikroTik [SOLVED]
Replies: 18
Views: 1580

Re: Significant Speed Issues with MikroTik [SOLVED]

LAN IP address is bound to ether2 which is slave device of bridge ... and that's wrong. Move it to bridge interface. Where would I change this setting? I found the WAN ethernet but according to winbox it is already linked to the bridge. Perhaps I am looking in the wrong spot? That would be in /ip a...
by mkx
Thu Jul 25, 2019 8:50 pm
Forum: Beginner Basics
Topic: Significant Speed Issues with MikroTik [SOLVED]
Replies: 18
Views: 1580

Re: Significant Speed Issues with MikroTik [SOLVED]

LAN IP address is bound to ether2 which is slave device of bridge ... and that's wrong. Move it to bridge interface. Any good reason to limit advertised speeds on ether ports only to 1000-full? Autonegotiation will select it if both link partners support it, negotiation of anything else indicates pr...
by mkx
Thu Jul 25, 2019 8:01 pm
Forum: Beginner Basics
Topic: How change to swos in fiberbox csr105
Replies: 3
Views: 407

Re: How change to swos in fiberbox csr105

Check it yourself, specs for all switches are here. I guess they call them switches even though they run ROS because their CPU is weak and unable of routing anywhere near wirespeed, but they feature decent switch chip capable of wirespeed switching. Anyway, on most dual-OS devices ROS offers same s...
by mkx
Thu Jul 25, 2019 7:54 pm
Forum: Beginner Basics
Topic: Significant Speed Issues with MikroTik [SOLVED]
Replies: 18
Views: 1580

Re: Significant Speed Issues with MikroTik [SOLVED]

First thing is to profile CPUs to get idea whether CPU is bottleneck ... and which subsystem is hit most.
by mkx
Thu Jul 25, 2019 7:29 pm
Forum: General
Topic: VLAN issue
Replies: 8
Views: 720

Re: VLAN issue

OK, I'll assume then the print-out is fine. What I just noticed: ether21 and ether22 are not set to be members of VLAN 100 (neither tagged nor untagged) on any of switches. Which explains why clients of third SSID don't get anything ... when AP is connected to any of ether21 or ether22 ports. It does...
by mkx
Thu Jul 25, 2019 4:57 pm
Forum: General
Topic: VLAN issue
Replies: 8
Views: 720

Re: VLAN issue

What you posted as output of /interface bridge vlan print doesn't correspond to how it should be configured (nor how you wanted it configured). The difference between /interface bridge vlan export and /interface bridge vlan print is that the former shows configuration directives and the latter shows ...
by mkx
Thu Jul 25, 2019 4:52 pm
Forum: RouterBOARD hardware
Topic: HEX S RB760iGS → console mode...?
Replies: 4
Views: 600

Re: HEX S RB760iGS → console mode...?

You can use Woobm USB gadget to connect to router's console ... I can't vouch that it works with all RB devices but I haven't heard it doesn't either.
by mkx
Thu Jul 25, 2019 4:46 pm
Forum: Wireless Networking
Topic: Question use mikrotik equipment with unifi
Replies: 1
Views: 379

Re: Question use mikrotik equipment with unifi

For RB750Gr3 it's not so important the number of wireless clients, more important is how active those clients will be ... in particular number of open connections. If those clients will be decently non-active, they'd have a few thousand connections in total open at any given time ... which is not a ...
by mkx
Thu Jul 25, 2019 4:06 pm
Forum: General
Topic: VLAN issue
Replies: 8
Views: 720

Re: VLAN issue

One thing that strikes me odd: /interface bridge vlan add bridge=bridge tagged= " ether23-TRUNK,ether24-TRUNK,sfpplus1-TRUNK,sfpplus2-\ TRUNK,ether21-TRUNK,ether22-TRUNK " untagged= " ether1-VLAN10,ether2-VLAN10,e\ ther3-VLAN10,ether4-VLAN10,ether5-VLAN10,ether6-VLAN10,ether7-VLAN10,ether\ 8-VLAN10,...
by mkx
Thu Jul 25, 2019 4:00 pm
Forum: General
Topic: Multicast CPU Load Switch CRS328
Replies: 3
Views: 340

Re: Multicast CPU Load Switch CRS328

When I capturing with Wireshark, I see also the Multicast package on Members which are not subscribing the Multicast. So IGMP Snooping is not working, is that right? Of course IGMP Snooping is activated. In our Cisco Environment its all working perfectly. IGMP snooping seems to be broken on Mikroti...
by mkx
Thu Jul 25, 2019 3:44 pm
Forum: Beginner Basics
Topic: Routing wireless to ethernet doesn't work
Replies: 11
Views: 726

Re: Routing wireless to ethernet doesn't work

Packets targeting directly accessible subnets will leave via corresponding interface. The original problem involves 3 subnets: 192.168.89.0/24 ... computer has address 192.168.89.15 and can communicate with any devices within this subnet (including 192.168.89.1 which happens to be gateway for this...
by mkx
Thu Jul 25, 2019 3:31 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 35744

Re: v6.45.2 [stable] is released!

Not any direct method to access to flash neither ?
Nope. Not the system part of it.
by mkx
Thu Jul 25, 2019 2:36 pm
Forum: General
Topic: Multicast CPU Load Switch CRS328
Replies: 3
Views: 340

Re: Multicast CPU Load Switch CRS328

Verify that the ports in question (all of them) are actually hardware accelerated ... execute /interface bridge port print , the HW accelerated ports have flag H displayed in flags area. Note that all ports members of affected by multicast[*] need to be HW accelerated, if one single port is not, the...
by mkx
Thu Jul 25, 2019 2:29 pm
Forum: General
Topic: How to allow an URL for a specific port
Replies: 7
Views: 488

Re: How to allow an URL for a specific port

What we need is to open the 3000 port in our Mikrotik but not for all the inbound traffic or all the addresses. We need to open it only for a specific URL that we have for a voting platform. Port 3000 is not standard port for any particular protocol. So what protocol is it (kids doing programming t...
by mkx
Thu Jul 25, 2019 2:23 pm
Forum: Beginner Basics
Topic: Routing wireless to ethernet doesn't work
Replies: 11
Views: 726

Re: Routing wireless to ethernet doesn't work

The problem was in the routing information on your computers ... when computer gets configuration via DHCP, it usually gets default route. If some computer receives two such configurations (for two distinct interfaces), then it's somehow undefined how it routes own traffic. It receives two different...
by mkx
Thu Jul 25, 2019 2:19 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 35744

Re: v6.45.2 [stable] is released!

What actually that fix_space.npk does ??? Somewhere around ROS 6.41 the upgrade process could sometimes break and leave some files unaccounted for. Those could be removed only by net-installing the device. This npk tries to find such orphaned files and removes them. Newer versions are supposedly no...
by mkx
Thu Jul 25, 2019 2:12 pm
Forum: Wireless Networking
Topic: 2GHz WiFi 40MHz width best channel
Replies: 7
Views: 678

Re: 2GHz WiFi 40MHz width best channel

40MHz channel is contiguous, so if you configure it as 2412-Ce, it will actually occupy frequency band between 2402 MHz and 2442 MHz. N.b. all published frequencies refer to channel centre frequency. So essentially it will be CH 1+5. What you're asking for (CH 3+11) would result in non-contiguous chan...
by mkx
Thu Jul 25, 2019 12:46 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 35744

Re: v6.45.2 [stable] is released!

On hAP ac2 (and other devices with tiny flash disks), root of what you see in /files print is in RAM disk and gets wiped after every restart. The non-volatile file storage is under /flash ...
by mkx
Thu Jul 25, 2019 12:41 pm
Forum: Beginner Basics
Topic: Routing wireless to ethernet doesn't work
Replies: 11
Views: 726

Re: Routing wireless to ethernet doesn't work

Do the computers on both networks know to use your RB as gateway between the two networks?

Or to ask it differently: is this RB the only router in the whole LAN story or is it additional router but there are other main routers in both subnets?
by mkx
Thu Jul 25, 2019 12:37 pm
Forum: Beginner Basics
Topic: How change to swos in fiberbox csr105
Replies: 3
Views: 407

Re: How change to swos in fiberbox csr105

Specifications for CRS105 (fiberbox) only mention RouterOS as supported OS. Specifications for CRS switches that support SwitchOS (e.g. CRS326) do mention that ...
by mkx
Thu Jul 25, 2019 12:28 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 35744

Re: v6.45.2 [stable] is released!

[*] it is possible to have two (or more) ROS versions installed in unit has flash storage with size of 64MB or more. In this case, one can partition flash to two halves and run different version of ROS in both partitions. If ROS crashes or fails to boot from one partition, it'll automatically try t...
by mkx
Thu Jul 25, 2019 9:11 am
Forum: RouterBOARD hardware
Topic: Quectel EP06-E and wAP R ac (RBwAPGR-5HacD2HnD)
Replies: 8
Views: 1471

Re: Quectel EP06 and wAP R ac (RBwAPGR-5HacD2HnD)

I suspect that the B28 tower is at a different location to the other tower doing band 3&7!? All 3 cells from different bands are run by the very same baseband hardware (same eNB ID). Which means that quite likely all 3 cells are located on the same tower. Quite likely because RF gear (DAC, power am...
by mkx
Wed Jul 24, 2019 10:56 pm
Forum: General
Topic: Port 80 redirect [SOLVED]
Replies: 14
Views: 723

Re: Port 80 redirect [SOLVED]

I can understand the sentiment of tourists passing by. Anyhow I'm inviting you for a beer (or if you dislike non-native beer which I would understand fully) some other beverage when you happen to pass by ...
by mkx
Wed Jul 24, 2019 10:28 pm
Forum: General
Topic: Port 80 redirect [SOLVED]
Replies: 14
Views: 723

Re: Port 80 redirect [SOLVED]

Btw one of my biggest surprises in your country was to find a stallion on the menu of a normal restaurant. Yeah, I know ... I guess this is the real reason for the horse-loving Brits to leave EU :wink: Regarding the highway vignettes: it's a simple tax on all those Czechs and Polaks hoarding toward...
by mkx
Wed Jul 24, 2019 10:15 pm
Forum: General
Topic: IPSec performance
Replies: 4
Views: 682

Re: IPSec performance

Profile the CPU usage to see where CPU cycles are spent. In addition check the packet size of data traffic. If apps are using full 1500 byte frames, then IPsec will have to fragment them (due to own overhead) which means double frame rate and PPS is a constraint as well. Either reduce packet size (w...
by mkx
Wed Jul 24, 2019 10:06 pm
Forum: General
Topic: Feature request for v7.x
Replies: 269
Views: 63557

Re: Feature request for v7.x

I'd say that such an expensive hardware (as CCRs are) Apparently we have different definition of expensive... I think our CCR1009's are quite cheap. Perhaps not ... but we might have different perspectives. Me, for example, I associate CCRs with decent LAN size which deserves some dedicated boxes t...
by mkx
Wed Jul 24, 2019 5:30 pm
Forum: General
Topic: Getting a configuration suggestion
Replies: 5
Views: 347

Re: Getting a configuration suggestion

If the internet service is for a hotel, why would you even consider allowing one guest to hog all the bandwidth MKX.

As I wrote: it's up to OP to decide, I know what I would do (but that's not the point). I just mentioned a few possible reasons for choosing one over another, that's all.
by mkx
Wed Jul 24, 2019 5:22 pm
Forum: General
Topic: NTP server client troubleshooting
Replies: 2
Views: 273

Re: NTP server client troubleshooting

The dynamic servers come from DHCP server. If you configured IP address(es) of router manually or if DHCP server, serving IP config on particular VLAN, doesn't include list of NTP servers in its address lease, then the list of dynamic servers will be empty. If ntp client displays empty list of "dyna...
by mkx
Wed Jul 24, 2019 5:09 pm
Forum: General
Topic: Port 80 redirect [SOLVED]
Replies: 14
Views: 723

Re: Port 80 redirect [SOLVED]

I think the quote is "skin the cat" one shears sheep! ;-P
I don't eat cats and I don't know any other reason to skin an animal :wink:
by mkx
Wed Jul 24, 2019 5:06 pm
Forum: General
Topic: Bond: link loss is not detected by Mikrotik (LACP)
Replies: 5
Views: 444

Re: Bond: link loss is not detected by Mikrotik (LACP)

You mean that MII alone is not able to detect outage if only a single direction of a fiber link is affected? The whole thing depends heavily on how particular interface vendor implemented MII stuff inside their hardware ... But yes, generally speaking fiber modules have no idea about Tx part of the...
by mkx
Wed Jul 24, 2019 4:46 pm
Forum: General
Topic: Feature request for v7.x
Replies: 269
Views: 63557

Re: Feature request for v7.x

I'd say that such an expensive hardware (as CCRs are) sitting idle at some cheap enterprise, is a rare species which doesn't warrant developing new functionality. I mean ... having idle CCR costing anywhere between 425€ and 3000€, but saving some 1000€ by not buying a modest x86_64 server which woul...
by mkx
Wed Jul 24, 2019 4:38 pm
Forum: Beginner Basics
Topic: Virtual AP Mac address... use same ones?
Replies: 1
Views: 214

Re: Virtual AP Mac address... use same ones?

Theoretically you can safely apply MAC address exported from old device. The only limitation is that another wireless device with same MAC address should not exist in the neighbourhood. So if the original device was permanently switched off, you're good to (re)use the same MAC.
by mkx
Wed Jul 24, 2019 4:30 pm
Forum: General
Topic: Port 80 redirect [SOLVED]
Replies: 14
Views: 723

Re: Port 80 redirect [SOLVED]

@mkx: Or you can use ...

I know there are plenty of ways to "skin the sheep" ... I was just pointing out potential side effect if OP followed advice by @sindy as it was originally written. After one is aware of the problem, it's quite easy to find the way around ...
by mkx
Wed Jul 24, 2019 4:22 pm
Forum: General
Topic: RB4011, Ubiquiti devices, VLANs and IPSEC
Replies: 4
Views: 341

Re: RB4011, Ubiquiti devices, VLANs and IPSEC

All VLAN setup on RB4011 is ... well, wrong. I suggest you to read through this tutorial. Come back if things don't work after reading and understanding the tutorial. As to the roadwarrior access ... it's hard to tell as you didn't post complete setup (at least /ip firewall mangle section is missing...
by mkx
Wed Jul 24, 2019 2:22 pm
Forum: General
Topic: Getting a configuration suggestion
Replies: 5
Views: 347

Re: Getting a configuration suggestion

There are two things which are to be corrected: If I didn't overlook something in the firewall filter list for chain=input , then access to DNS service from internet is allowed. Which is not good. There isn't a rule allowing it indeed, but for sanity sake there should be a rule /ip firewall filter a...
by mkx
Wed Jul 24, 2019 2:07 pm
Forum: General
Topic: Feature request for v7.x
Replies: 269
Views: 63557

Re: Feature request for v7.x

A solution like ha proxy in router os v7 would be useful I like to run multiple ssl sites behind my mikrotik router on 1 public ip and lets encrypt support to automatically secure them with ssl The only sensible part of this wish is "letsencrypt support for SSL certificates" ... If you're running mu...
by mkx
Wed Jul 24, 2019 2:03 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 35744

Re: v6.45.2 [stable] is released!

The point is that I haven't been able to restore the factory firmware (6.43) doing a factory reset (pressing button before turning on the power). Routerboards don't have dual firmware installed [*]. Factory reset only returns configuration to factory default [**], not the software version. Informat...
by mkx
Wed Jul 24, 2019 11:31 am
Forum: General
Topic: Port 80 redirect [SOLVED]
Replies: 14
Views: 723

Re: Port 80 redirect [SOLVED]

So add in-interface=your-wan-interface name or dst-address-type=local (or both) to your dst-nat rule ... My understanding is, that if you only set dst-address-type=local , you lose access to webfig (web GUI for administering routerboards ... in case you care, I personally use it). If you want to k...
by mkx
Wed Jul 24, 2019 11:20 am
Forum: General
Topic: Getting a configuration suggestion
Replies: 5
Views: 347

Re: Getting a configuration suggestion

The major thing, which might help, is to move firewall rule add action=fasttrack-connection chain=forward connection-state=established,related right above rule add action=accept chain=forward connection-state=established,related As it is now, nothing gets fast-tracked (and fast-tracking does speed-u...
by mkx
Wed Jul 24, 2019 11:08 am
Forum: General
Topic: Port 80 redirect [SOLVED]
Replies: 14
Views: 723

Re: Port 80 redirect [SOLVED]

The rule is too greedy and actually captures all connections targeting port 80 (even those from LAN towards internet). You should limit that to connections arriving through WAN interface. You can do it in one of the following two ways: add chain=dstnat action=dst-nat to-addresses=10.0.0.2 protocol=t...
by mkx
Wed Jul 24, 2019 9:27 am
Forum: Wireless Networking
Topic: 160MHz support for US RB4011
Replies: 4
Views: 646

Re: 160MHz support for US RB4011

For 160MHz channel, it would have to be possible to use a contiguous 160MHz frequency channel. Which with limitations from "united states3" is not the case: chunk from 5170MHz to 5250MHz is exactly 80MHz wide, thus it can be used for 80MHz channel or 80+80MHz channel (one half of it) chunk from 5735M...
by mkx
Tue Jul 23, 2019 10:58 pm
Forum: RouterBOARD hardware
Topic: NetInstall -> Flashing with RouterOS 6.45.1
Replies: 8
Views: 1080

Re: NetInstall -> Flashing with RouterOS 6.45.1

Hello Mikrotik support,

This forum is not really official support channel, rather users' chat room with occasional MT personnel fly-by. If you expect response from MT, contact them at support@mikrotik.com ...
by mkx
Tue Jul 23, 2019 8:05 pm
Forum: General
Topic: Bond: link loss is not detected by Mikrotik (LACP)
Replies: 5
Views: 444

Re: Bond: link loss is not detected by Mikrotik (LACP)

Mii monitoring works approximately as well as speed (and duplex) auto-negotiation. I.e. it can sometimes fail if connection is marginal ... Which opens a question: is there a good reason not to allow autonegotiation on those two links?
by mkx
Tue Jul 23, 2019 4:03 pm
Forum: Wireless Networking
Topic: Mikrotik AP using 40Mhz but not find on the AP on the Ubiquiti station?
Replies: 3
Views: 440

Re: Mikrotik AP using 40Mhz but not find on the AP on the Ubiquiti station?

A few days ago I was playing with similar setup (PtP link on 5GHz) and I had a similar problem. I was using two hAP ac lites (so Mikrotik on both sides). One thing: according to wikipedia list of channels , frequency 5800 doesn't seem to be a valid channel, it seems like one should choose either 578...
by mkx
Tue Jul 23, 2019 3:53 pm
Forum: General
Topic: [ASK] FastTrack for SpeedTest
Replies: 14
Views: 930

Re: [ASK] FastTrack for SpeedTest

Of course it will not be useful for fasttrack, because connection marks are not processed for fasttracked connections. I guess it may serve OP's purpose ... connection marks are not processed for fasttracked connections because once a connection is fasttracked, it can not be un-fasttracked and will...
by mkx
Tue Jul 23, 2019 10:58 am
Forum: General
Topic: Watchdog biting on an unreliable connection - queue issue
Replies: 2
Views: 232

Re: Watchdog biting on an unreliable connection - queue issue

My personal view (I'm sure many around here will disagree) is that ICMP with so many network admins (and "admins") blocking it is inherently unreliable. Thus it's unfit to depend upon for device watchdog unless you control all devices involved. E.g. it is probably fine to use pings against some othe...
by mkx
Tue Jul 23, 2019 10:44 am
Forum: Beginner Basics
Topic: Q: src.port <> dst.port
Replies: 8
Views: 757

Re: Q: src.port <> dst.port

Regarding firewall > nat forwarding settings .. In general>src.port field there is "25,80,443,587" and in action>dst.port field there is "25-587" Be careful. There are 3 distinct port settings: src-port , dst-port and to-ports ... src-port checks the port used by client. Usually that's some random h...
by mkx
Mon Jul 22, 2019 10:18 pm
Forum: Beginner Basics
Topic: 1wan + 2 lan isolated from each other
Replies: 63
Views: 4416

Re: 1wan + 2 lan isolated from each other

Sigh ... You mentioned: you don't have corresponding /ip dhcp-server network nor /ip dhcp-server ... . Maybe I don't understand you but I think I do have the network: add address=192.168.1.200/30 dhcp-option=option_para_deco dns-server=172.26.23.3 gateway=192.168.1.1 \ netmask=24 and no need for a d...
by mkx
Mon Jul 22, 2019 7:09 pm
Forum: RouterBOARD hardware
Topic: Mikrotik RBSXTR (No Modem) 9dBi 60 degree LTE Antenna
Replies: 8
Views: 1011

Re: Mikrotik RBSXTR (No Modem) 9dBi 60 degree LTE Antenna

I'm not too knowledgeable when it comes to antennas. The negative gain... this is usually in relation to something? In short: yes, this is relative figure - imaginary truly omni-directional antenna would have gain of 0dBi). Higher the number, better signal. The most ordinary dipole antennae have ga...
by mkx
Mon Jul 22, 2019 4:29 pm
Forum: General
Topic: IPTV Lan Help.
Replies: 10
Views: 788

Re: IPTV Lan Help.

Solution by @sindy is for sure more resource-effective. I just wrote minimum changes from your current setup. I'd suggest you first implement my changes and if IPTV starts to work, go ahead and implement what @sindy wrote.
by mkx
Mon Jul 22, 2019 4:27 pm
Forum: General
Topic: Bond: link loss is not detected by Mikrotik (LACP)
Replies: 5
Views: 444

Re: Bond: link loss is not detected by Mikrotik (LACP)

What is setting of link-monitoring attribute of bond? Not every interface and every mode supports all possible values.
by mkx
Mon Jul 22, 2019 4:21 pm
Forum: General
Topic: NAT and Firewall forward rules
Replies: 5
Views: 406

Re: NAT and Firewall forward rules

Default ROS firewall includes the following two rules: ... filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked" ... filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-inte...
by mkx
Mon Jul 22, 2019 4:09 pm
Forum: Beginner Basics
Topic: New filter rules ?
Replies: 6
Views: 729

Re: New filter rules ?

Rules #0, #6 and #7 are around for quite some time (let's say at least since 6.42 if not earlier ... rule #0 is probably around ever since fast-track got introduced) ... rule #4 is new to me as well ...
by mkx
Mon Jul 22, 2019 4:03 pm
Forum: Beginner Basics
Topic: 1wan + 2 lan isolated from each other
Replies: 63
Views: 4416

Re: 1wan + 2 lan isolated from each other

I don't know what exactly you mean by "I must have stopped the ipTV service" ... but you don't have DHCP server running on LAN2 - you don't have corresponding /ip dhcp-server network nor /ip dhcp-server ...
by mkx
Mon Jul 22, 2019 9:18 am
Forum: General
Topic: IPTV Lan Help.
Replies: 10
Views: 788

Re: IPTV Lan Help.

OpenWRT IPTV create a switch -> Vlan 20 CPU = Tagged ethernet1/wan connection = Tagged ethernet3/IPTV connection = Untagged Create an interface name: IPTV static address: 192.168.2.245 IPV4 gateway: 255.255.255.0 Physical settings Vlan interface:eth0.20 This part would be probably translated to ROS...
by mkx
Sun Jul 21, 2019 12:33 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 35744

Re: v6.45.2 [stable] is released!

Did you reboot device after uploading additional .npk's? What does log contain about it?

BTW, security requires DHCP package ....
by mkx
Sun Jul 21, 2019 11:53 am
Forum: RouterBOARD hardware
Topic: Mikrotik RBSXTR (No Modem) 9dBi 60 degree LTE Antenna
Replies: 8
Views: 1011

Re: Mikrotik RBSXTR (No Modem) 9dBi 60 degree LTE Antenna

The PDF linked in previous post shows gain pattern in the bottom two charts. The left chart shows gain as function of frequency in low frequency bands and proves that the dish is mediocre antenna for these frequencies at best (simple dipole antenna would have gain of around 2dBi but in narrow frequ...
by mkx
Sat Jul 20, 2019 5:58 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 35744

Re: v6.45.2 [stable] is released!

Cannot upgrade HAP lite series

Did you bother to scan through even this topic? It's been mentioned many times that hAP lite devices have low amount RAM and flash and sadly some steps have to be taken to get them to upgrade.
by mkx
Sat Jul 20, 2019 5:55 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 35744

Re: v6.45.2 [stable] is released!

Sysadmins that know Mikrotik well also know not to update anything for a few days after release or to do updates on non-critical test HW first. It's always nice to see a new release, but then I always have to check the forum to see how broken it actually is... that's the reality. But Mikrotik is al...
by mkx
Sat Jul 20, 2019 5:46 pm
Forum: General
Topic: Need to set up access to NAS openvpn
Replies: 45
Views: 2682

Re: Need to set up access to NAS openvpn

True about the mask, but it really is unusual, /18 is huge network .... One of larger ISPs in my country (which in turn is fairly small) operating FTTH and VDSL used /16 netmask until a year ago. They went to /17 after that. Still some way to reach /18 ;-) Their network is running fairly good, seem...
by mkx
Sat Jul 20, 2019 2:52 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 35744

Re: v6.45.2 [stable] is released!

I've got a hAP-lite and hAP-mini in a test setup for OSPF routing, neither will upgrade. hAP's need quite some free RAM, they download upgrade packages to RAM disk. I fear that devices with tiny 32MB RAMs are on their edge if you run OSPF ... as it needs some RAM to contain routing tables. Same pro...
by mkx
Fri Jul 19, 2019 1:21 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 102
Views: 36524

Re: v6.46beta [testing] is released!

I understand that they are using TTL this way to spread users over the servers. Using short TTL for load-sharing is abuse of DNS TTL. This kind of load sharing should be done by adding multiple A records to same FQDN and let DNS round-robin mechanism to spread the load. I understand that it's out o...
by mkx
Fri Jul 19, 2019 9:07 am
Forum: General
Topic: Block Chromecast [SOLVED]
Replies: 5
Views: 584

Re: Block Chromecast [SOLVED]

There are a few problems with your setup. I'm assuming your AP1 has similar configuration ... AP1 (LAN part of it at least) and AP2 share same L2 domain ... this is an assumption as you didn't post config of AP1. Which means that only one DHCP server (on one of APs) should be running Your subnet is ...
by mkx
Fri Jul 19, 2019 8:42 am
Forum: Beginner Basics
Topic: cant ping the second subnet on vpn site to site
Replies: 3
Views: 371

Re: cant ping the second subnet on vpn site to site

Probably it has to do with your /ip firewall settings ... on both HQ and branch routers. Crystal ball is moot these days, so instead post complete config of both routers and we might get some idea. Export configs using /export hide-sensitive ...
by mkx
Fri Jul 19, 2019 8:38 am
Forum: Beginner Basics
Topic: 1wan + 2 lan isolated from each other
Replies: 63
Views: 4416

Re: 1wan + 2 lan isolated from each other

Using custom chains has certainly some good effects: you can reuse same filters for multiple original chains (e.g. if you want to limit ICMP traffic to certain types and you want to do it for both chain=input and chain=forward) and you jump to the generic chain (filter rule execution returns to the ...
by mkx
Thu Jul 18, 2019 11:00 pm
Forum: General
Topic: RouterOS v7.0 beta1 - when?
Replies: 609
Views: 154592

Re: RouterOS v7.0 beta1 - when?

Another one time... When chupaca... When can we use ROS v7?
We won't use ROS v7, ROS v7 will use us ...
by mkx
Thu Jul 18, 2019 10:57 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 102
Views: 36524

Re: v6.46beta [testing] is released!

It would be nice if the TTL of the resolved domain could be ignored in the settings of IKEv2. TTL in DNS system is there with a reason. Every sane DNS admin will have loong TTLs when changes are not expected. So when TTL is short, it shouldn't be overridden, could be that IP address will really chan...
by mkx
Thu Jul 18, 2019 10:36 pm
Forum: Beginner Basics
Topic: 1wan + 2 lan isolated from each other
Replies: 63
Views: 4416

Re: 1wan + 2 lan isolated from each other

The top-most firewall rule accepts just everything and none of later rules for chain=forward don't restrict anything. The default fast-track rule greediness is limited by condition connection-state=established,related . But fast-tracking also goes in the way of mangling, so you may want to disable t...
by mkx
Thu Jul 18, 2019 10:11 pm
Forum: General
Topic: RB750GR3 dropping camera data
Replies: 7
Views: 663

Re: RB750GR3 dropping camera data

However, there's a loopback adapter which then gives the camera an IP of 192.168.0.129.

Can you post a sketch of network layout with physical connections and addresses of the interfaces? Can be hand-drawn and photographed.
by mkx
Thu Jul 18, 2019 10:05 pm
Forum: General
Topic: Block Chromecast [SOLVED]
Replies: 5
Views: 584

Re: Block Chromecast [SOLVED]

By using chain=forward ... input is for traffic targeting router/AP itself.

And even if you fix it, it can happen it still won't work, depending on overall configuration of AP2. So if it doesn't work, post complete output of command /export hide-sensitive
by mkx
Thu Jul 18, 2019 6:09 pm
Forum: General
Topic: RB750GR3 dropping camera data
Replies: 7
Views: 663

Re: RB750GR3 dropping camera data

Move ip address to "interface" bridge1 ... your current setup is not correct even though things seem to work somehow. While it might seem that it has nothing to do with your problems, it might interfere (some weird problems have already been reported in this forum that went away after such error was...
by mkx
Thu Jul 18, 2019 5:49 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 69382

Re: v6.45.1 [stable] is released!

My thinking is that using STP to create redundant links between two directly attached devices is (slight) abuse.

In this case it would be better to use bonding. There are many varieties, if you only want to have backup line, you can use active-backup mode.
by mkx
Thu Jul 18, 2019 9:16 am
Forum: General
Topic: Possible to get port MAC used in Agent Remote ID field?
Replies: 3
Views: 339

Re: Possible to get port MAC used in Agent Remote ID field?

What you see in Remote Agent ID is HEX notation of text string "CC:2D:E0:67:38:B9" ... 0x43 is "C", 0x3a is ":" etc. If you wanted Remote Agent ID returned in the same way as MAC (less formatting, which includes ":" signs), you'd have to enter port name as some text garbage, but in ISO 8859-2 code p...
by mkx
Thu Jul 18, 2019 9:06 am
Forum: General
Topic: Firewall question
Replies: 6
Views: 510

Re: Firewall question

SMTP servers have all the information needed to make educated decision about rate limiting. Some SMTP servers support limiting incoming mail rate.
by mkx
Thu Jul 18, 2019 8:53 am
Forum: Beginner Basics
Topic: Redirecting to another port [SOLVED]
Replies: 6
Views: 619

Re: Redirecting to another port [SOLVED]

You'll have to use /interface bridge settings set use-ip-firewall=yes , disable HW acceleration on one (or both) involved ether ports (to force traffic through router's CPU) and then construct appropriate NAT rules (probably a single rule would do but make it specific enough so that it doesn't mess ...
by mkx
Thu Jul 18, 2019 8:44 am
Forum: Beginner Basics
Topic: Interface Confusion IP Firewall Filter
Replies: 1
Views: 283

Re: Interface Confusion IP Firewall Filter

ROS firewall has notion of connection states. Usual approach is to use a quite general firewall rule near to beginning of firewall rule list add action=accept chain=forward connection-state=established,related,untracked which passes packets of connections which have already been allowed by other rul...
by mkx
Thu Jul 18, 2019 8:31 am
Forum: Beginner Basics
Topic: 1wan + 2 lan isolated from each other
Replies: 63
Views: 4416

Re: 1wan + 2 lan isolated from each other

How should I proceed with the firewall to separate the lans? see post #24 by @anav In addition to those 2 rules, add rule which allows necessary connectivity between management devices in 192.168.1.0/24 and AP (IP address 172.16.24.120) ... possibly limit the connectivity to only a few necessary po...
by mkx
Thu Jul 18, 2019 8:15 am
Forum: Beginner Basics
Topic: VLAN Bridge Filtering ALternative
Replies: 9
Views: 987

Re: VLAN Bridge Filtering ALternative

Specs say that RB450Gx4 uses IPQ4019 SoC which in turn is supposed to have AR8327 switch chip embedded. If it's true what @tdw writes about Atheros' proprietary extension (and I believe he's right) and if that embedded switch chip really is complete AR8327 (I've mild doubts about that, my RBD52G usi...
by mkx
Thu Jul 18, 2019 8:08 am
Forum: Beginner Basics
Topic: APbridge mode vs Station mode [SOLVED]
Replies: 3
Views: 500

Re: APbridge mode vs Station mode [SOLVED]

what is the difference between the ap-bridge mode and station mode. Basic operation of WiFi is point to multipoint. The role of central device (access point) are numerous: it broadcasts system information, such as SSID, encryption configuration (WEP, WPA, WPA2), etc. selects frequency channel to wo...
by mkx
Wed Jul 17, 2019 9:03 pm
Forum: Beginner Basics
Topic: 1wan + 2 lan isolated from each other
Replies: 63
Views: 4416

Re: 1wan + 2 lan isolated from each other

I still think that Ubiquiti AP doesn't like address 172.16.24.2 for its management interface. And that RB config is fine regarding that. What still confuses me is that it obviously falls back to some weird default configuration if it can't connect to management console after restart. Can't you confi...
by mkx
Wed Jul 17, 2019 5:32 pm
Forum: Beginner Basics
Topic: VLAN Bridge Filtering ALternative
Replies: 9
Views: 987

Re: VLAN Bridge Filtering ALternative

Sadly modern SOHO-class RB devices seem to contain crippled switch chips ... Internally Mikrotik will be using VLANs to perform this multiplexing/demultiplexing with the Realtek and MediaTek switch chips, and don't provide any user access to VLAN functionality. Thanks for the explanation and link to...
by mkx
Wed Jul 17, 2019 5:18 pm
Forum: General
Topic: RouterOS v7.0 beta1 - when?
Replies: 609
Views: 154592

Re: RouterOS v7.0 beta1 - when?

Will not run, you need one core per pixel.
by mkx
Wed Jul 17, 2019 5:13 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 69382

Re: v6.45.1 [stable] is released!

It's when I apply the bridge config that things gets weird...
As @pe1chl wrote: you have to remove router functionality by hand (either via GUI or CLI, just don't use quickset).
by mkx
Wed Jul 17, 2019 11:38 am
Forum: General
Topic: Mikrotik Point to Multi Point Configuration
Replies: 6
Views: 443

Re: Mikrotik Point to Multi Point Configuration

... but different ip, right?
That would make management easier.
by mkx
Wed Jul 17, 2019 11:33 am
Forum: General
Topic: Mikrotik Point to Multi Point Configuration
Replies: 6
Views: 443

Re: Mikrotik Point to Multi Point Configuration

Correct. But do read about different station modes ... the usual "station" mode might not give you the functionality you are after ...
by mkx
Wed Jul 17, 2019 11:26 am
Forum: General
Topic: Why Mikrotik ???
Replies: 32
Views: 6238

Re: Why Mikrotik ???

I wasn't aware of that (I thought they only had maritime border after Алекса́ндр II Никола́евич sold Alaska to the USA) ... where is that land border located?
by mkx
Wed Jul 17, 2019 11:22 am
Forum: General
Topic: Mikrotik Point to Multi Point Configuration
Replies: 6
Views: 443

Re: Mikrotik Point to Multi Point Configuration

ap-bridge is the one serving multiple stations. And that happens to be default wireless mode. If you want mikrotik box to act as client of an AP, you have to change its mode to some variety of "station" ... you can read about differences in manual.
by mkx
Wed Jul 17, 2019 11:19 am
Forum: Beginner Basics
Topic: 1wan + 2 lan isolated from each other
Replies: 63
Views: 4416

Re: 1wan + 2 lan isolated from each other

I guess the real issue here is how Unifi console wants to connect to AP (and vice versa) ... BTW, in which subnet is Unifi console sitting? Could be that AP wants permanent connection to Unifi console and if it loses it (due to some IP reconfig), it reverts to some kind of defaults?
by mkx
Wed Jul 17, 2019 11:03 am
Forum: General
Topic: Why Mikrotik ???
Replies: 32
Views: 6238

Re: Why Mikrotik ???

This is highly offensive to Latvians. We have no connection to russia ...

Last time I checked (it was like right now), Latvia had 216km of connection to Russia with at least 7 major doors ... not counting backdoors :wink:
by mkx
Wed Jul 17, 2019 10:46 am
Forum: General
Topic: rb750gr3 Gigabit auto negotiation [SOLVED]
Replies: 16
Views: 1331

Re: rb750gr3 Gigabit auto negotiation [SOLVED]

I do understand that, but when you just like to see interface info and write this and get: /interface ethernet set [ find default-name=ether1 ] name=ether1-Wan speed=100Mbps Its not intuitive at all what is then the speed is showing. speed=100Mbps could then be. Actual speed? Auto negotiation off s...
by mkx
Wed Jul 17, 2019 9:29 am
Forum: General
Topic: RB750GR3 dropping camera data
Replies: 7
Views: 663

Re: RB750GR3 dropping camera data

RB750Gr3 is not a switch, it's a router. With default configuration its ether1 port is WAN. You can use it as a switch, but be sure only to use ports ether2-ether5.
by mkx
Wed Jul 17, 2019 9:19 am
Forum: Wireless Networking
Topic: Wifi Latency issue
Replies: 2
Views: 461

Re: Wifi Latency issue

I guess that the weird ping pattern observed on the phone is due to power-saving kicking in when phone is idle (wireless can be power hungry and optimizing it by putting wifi chip to sleep frequently is one of first things to do). If a device is connected to AC (suppose the Ambivision gadget is) thi...
by mkx
Wed Jul 17, 2019 9:10 am
Forum: Wireless Networking
Topic: LHG LTE kit overampllification [SOLVED]
Replies: 5
Views: 728

Re: LHG LTE kit overampllification [SOLVED]

Does a floor make some difference in this case?
Floor in what sense?
by mkx
Wed Jul 17, 2019 9:08 am
Forum: Beginner Basics
Topic: VLAN Bridge Filtering ALternative
Replies: 9
Views: 987

Re: VLAN Bridge Filtering ALternative

... I currently don't have any device with modern switch chip to test with). Sadly modern SOHO-class RB devices seem to contain crippled switch chips (RB4011 has RTL8367, RB750Gr3 has MT7621) which don't have any VLAN support whatsoever. Seems like MT is trying to create some gap between RB and CR...
by mkx
Wed Jul 17, 2019 8:59 am
Forum: Beginner Basics
Topic: VLAN Bridge Filtering ALternative
Replies: 9
Views: 987

Re: VLAN Bridge Filtering ALternative

Sadly what @Sob writes is true: MT devs stopped at implementing HW offload for CRS3xx, other devices with capable switch chips didn't get that treatment. The positive thing about bridge vlan-filtering is unified configuration on any RB device. When doing stuff on switch chip, one has to study partic...
by mkx
Wed Jul 17, 2019 8:38 am
Forum: Beginner Basics
Topic: 1wan + 2 lan isolated from each other
Replies: 63
Views: 4416

Re: 1wan + 2 lan isolated from each other

[] > /ping src-address=172.16.24.1 192.168.1.1 count=4
This test showed that RB4011 can reach itself. :wink:
by mkx
Wed Jul 17, 2019 8:27 am
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 69382

Re: v6.45.1 [stable] is released!

Is it me or 6.45.1 is giving everyone a different type of headache? Judging from posts in this thread it does seem that 6.45.1 is a troublesome child of MT. This is not my personal experience though, have updated 6 pieces (2x hAP ac lite, 1x hAP, 2x RB951G and 1xhAP ac2) from 6.44.x and I didn't hav...
by mkx
Tue Jul 16, 2019 11:50 pm
Forum: Beginner Basics
Topic: 1wan + 2 lan isolated from each other
Replies: 63
Views: 4416

Re: 1wan + 2 lan isolated from each other

First to routing and firewalling: I don't see anything in RB4011 config which would prevent connectivity from 172.16.24.2 to 192.168.1.1. Firewall is very permissive (allows just anything in chain=forward, also everything on chain=input except for connections originating from internet). I wonder why...
by mkx
Tue Jul 16, 2019 4:30 pm
Forum: Beginner Basics
Topic: Routing betwe Mikrotik and Cisco ASA
Replies: 3
Views: 420

Re: Routing betwe Mikrotik and Cisco ASA

If I'm correct about ASA's firewall connection tracking engine tripping ... then the most correct way would be to turn off connection tracking for those connections on cisco ASA. I have no idea whatsoever how to do it (if that's possible at all, I'd expect it is). I've other ideas, but as they are m...
by mkx
Tue Jul 16, 2019 11:15 am
Forum: Beginner Basics
Topic: Routing betwe Mikrotik and Cisco ASA
Replies: 3
Views: 420

Re: Routing betwe Mikrotik and Cisco ASA

There are 2 potential problems: do firewalls on devices in both networks (cisco and RB) allow connections from the "alien" LANs? does cisco ASA perform as firewall as well? As replies from RB network towards cisco network won't pass ASA (unless you play with NAT on RB), this could screw connection t...
by mkx
Tue Jul 16, 2019 11:06 am
Forum: RouterBOARD hardware
Topic: CRS312-4C+8XG-RM questions
Replies: 7
Views: 1080

Re: CRS312-4C+8XG-RM questions

We will update the CRS312-4C+8XG documentation regarding that.
You could update the Specifications table by mentioning those 4 combo ports as well ...
by mkx
Tue Jul 16, 2019 10:56 am
Forum: RouterBOARD hardware
Topic: Lost RouterOS due to major power failure - Netinstall doesn't work
Replies: 1
Views: 338

Re: Lost RouterOS due to major power failure - Netinstall doesn't work

Netinstall is very fragile and it is vital to follow procedure in official Netinstall manual ... including warnings about windows firewall and network interfaces. Netinstall is evolving as well so you may want to try different netinstall versions. As it is highly advisable to use same version of ROS...
by mkx
Tue Jul 16, 2019 10:48 am
Forum: Wireless Networking
Topic: LHG LTE kit overampllification [SOLVED]
Replies: 5
Views: 728

Re: LHG LTE kit overampllification [SOLVED]

It can become a problem if you get real close to the tower. You can remedy that by turning LHG dish slightly away from the cell tower - the LHG has quite narrow antenna beam (making it high gain) but slight misalignment will give additional signal degradation if needed. Most of LTE devices like to...
by mkx
Tue Jul 16, 2019 10:43 am
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 69382

Re: v6.45.1 [stable] is released!

All packages have to be the same version (and system package leads the game).
by mkx
Tue Jul 16, 2019 9:38 am
Forum: General
Topic: Printing in other network
Replies: 1
Views: 184

Re: Printing in other network

Just for clarification: if you want to print from a PC in 192.168.10.0/24, you are using printer at 192.168.8.10:9100? This can't work because of "routing triangle". Consider this: PC with address e.g. 192.168.10.142 decides to connect 192.168.8.10. Doesn't have direct connectivity, so it decides to...
by mkx
Tue Jul 16, 2019 9:16 am
Forum: General
Topic: Config wan pppe with block 8 ip static
Replies: 1
Views: 187

Re: Config wan pppe with block 8 ip static

Yes, you can. Just assign the second IP address to the LAN interface ... Beware: if you would use the IP address block as /29 subnet, then you'd lose two addresses: aaa.bbb.ccc.200 would become network address and aaa.bbb.ccc.207 would become broadcast address. As those addresses come as routed b...
by mkx
Tue Jul 16, 2019 8:50 am
Forum: Beginner Basics
Topic: 1wan + 2 lan isolated from each other
Replies: 63
Views: 4416

Re: 1wan + 2 lan isolated from each other

From all of the talking it's not really clear to me how things are configured. How about this: create configuration export from your RB4011 ... do it running command /export hide-sensitive inside a terminal window ... post the output here, but be sure to enclose it in [ code]...[/ code] environment....
by mkx
Tue Jul 16, 2019 8:40 am
Forum: Beginner Basics
Topic: Access devices in one VLAN from other VLAN
Replies: 3
Views: 388

Re: Access devices in one VLAN from other VLAN

I take it that updating the OS will not affect the actual configuration, but I would like to ask you one last question to make sure. In the router's menu, I did not find a menu item like "update OS", only "System/AutoUpgrade". Is this the same? Updating OS might change actual configuration ... if t...
by mkx
Tue Jul 16, 2019 8:31 am
Forum: Beginner Basics
Topic: 2 x Lan, 2 x DVR, 1 Problem
Replies: 9
Views: 673

Re: 2 x Lan, 2 x DVR, 1 Problem

Your WAN interface is not ether1 but rather pppoe-out1 (ether1 is only physical interface, carrying PPPoE traffic; the logical interface which carries WAN traffic, is pppoe-out1), so the NAT rule you have now add action=dst-nat chain=dstnat comment=DVR_1 dst-port=8000 in-interface=ether1 protocol=tc...
by mkx
Mon Jul 15, 2019 5:10 pm
Forum: Beginner Basics
Topic: 2 x Lan, 2 x DVR, 1 Problem
Replies: 9
Views: 673

Re: 2 x Lan, 2 x DVR, 1 Problem

There are some other minor errors in the configuration: /ip address add address=192.168.99.1/24 interface=ether2 network=192.168.99.0 The LAN address should really be bound to interface=bridge1 ... sometimes this kind of error causes weird behaviour. /ip dns set servers=192.168.99.1 This setting ins...
by mkx
Mon Jul 15, 2019 5:01 pm
Forum: Beginner Basics
Topic: 2 x Lan, 2 x DVR, 1 Problem
Replies: 9
Views: 673

Re: 2 x Lan, 2 x DVR, 1 Problem

The IP addresses used in configuration, don't correspond to IP addresses indicated on the chart (why did you bother writing them there if you didn't want to show exact addresses anyway?), I'll assume the addresses in the config export are correct. So: add action=dst-nat chain=dstnat comment=DVR_1 ds...
by mkx
Mon Jul 15, 2019 2:04 pm
Forum: RouterBOARD hardware
Topic: CRS312-4C+8XG-RM questions
Replies: 7
Views: 1080

Re: CRS312-4C+8XG-RM questions

As the product naming page explains: CRS series: 3 total number of interfaces: 12 number of combo 10G Ethernet/SFP ports: 4 (4C+ part of name) number of 5G/10G Ethernet ports: 8 (8XG part of name) The mentioned CRS317-1G-16S+RM features only 1Gbps ports (ethernet) or 10Gbps (SFP+). So it's like comp...
by mkx
Mon Jul 15, 2019 1:40 pm
Forum: General
Topic: VLAN and filtering on non-CRS3xx devices
Replies: 11
Views: 901

Re: VLAN and filtering on non-CRS3xx devices

I've no idea about STP, but Back to my main question: Is this understanding correct: So if understood/read this correctly, I can get VLAN filtering on non-CRS3xx devices like my RB3011, either by Using /interface bridge vlan and losing hardware offload, or By using /interface ethernet switch More o...
by mkx
Mon Jul 15, 2019 12:47 pm
Forum: Beginner Basics
Topic: External DNS-server and Wake-On-Lan.
Replies: 4
Views: 378

Re: External DNS-server and Wake-On-Lan.

2. Mikrotik should switch to using the UbS16.04 as a DNS-server when it is turned on. Not related to the WoL problem, but ... the point above is not going to happen automatically. DNS services are expected to be available (semi) permanently. Surely services have problems and due to that one configu...
by mkx
Mon Jul 15, 2019 9:26 am
Forum: General
Topic: VLAN and filtering on non-CRS3xx devices
Replies: 11
Views: 901

Re: VLAN and filtering on non-CRS3xx devices

I'm already running bridge based VLAN, but using the pre 6.41 way, one bridge per VLAN, thinking to update that to the new way. You don't run bridge based VLAN. In ROS, bridge is "kind of a switch". In pre-6.41 times bridge was a "dumb switch" and passed traffic around without regard to VLAN tags, ...
by mkx
Mon Jul 15, 2019 9:09 am
Forum: Beginner Basics
Topic: 2 x Lan, 2 x DVR, 1 Problem
Replies: 9
Views: 673

Re: 2 x Lan, 2 x DVR, 1 Problem

Post output from command /ip firewall nat export (run it from terminal window). I suspect your port forward setting might be a tad too greedy and steals all connections, not only those destined at Network2 ...
by mkx
Sun Jul 14, 2019 9:47 am
Forum: Beginner Basics
Topic: 1wan + 2 lan isolated from each other
Replies: 63
Views: 4416

Re: 1wan + 2 lan isolated from each other

[Also, where is this in winbox? /interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes I don't know where in winbox that is, in webfig it's in bridge->settings I reverted to the last step I showed you. The problem is the AP is not working on br...
by mkx
Sat Jul 13, 2019 11:27 pm
Forum: Wireless Networking
Topic: quick set pppoe
Replies: 6
Views: 679

Re: quick set pppoe

Status of the wireless link seems quite fine, radio-wise it should be able to transfer at least around 20Mbps in uplink (conservative estimate based on reported Tx-rate value of 78Mbps). I think that you should consult the administrator of the other end of the link, he might give some more insight a...
by mkx
Sat Jul 13, 2019 11:10 pm
Forum: Beginner Basics
Topic: 1wan + 2 lan isolated from each other
Replies: 63
Views: 4416

Re: 1wan + 2 lan isolated from each other

No, you don't need anything special to set-up VLANs on RB4011, they are dealt by router's CPU. The price for that functionality is performance hit for traffic between different ethernet ports carrying same VLAN, which would be carried by switch chip if switch chip was at least half-decent. In your c...
by mkx
Sat Jul 13, 2019 10:48 pm
Forum: General
Topic: help to set ipv6 / 48
Replies: 35
Views: 2410

Re: help to set ipv6 / 48

Can't you negotiate with your ISP about link-local address of your router? To use it instead of fe80::1234:5678:123 ?

When seeing such stories I become grateful that my ISP delivers IPv6 over PPPoE (together with IPv4) without fussing around with addresses for this and that ..
by mkx
Sat Jul 13, 2019 5:41 pm
Forum: Wireless Networking
Topic: quick set pppoe
Replies: 6
Views: 679

Re: quick set pppoe

Another thing: is there any good reason to limit data rates with rate-set=configured supported-rates-a/g=6Mbps,9Mbps,12Mbps ? I believe default setting is rate-set=default supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps ... at least that's default for 5GHz wireless interfac...
by mkx
Sat Jul 13, 2019 5:30 pm
Forum: Wireless Networking
Topic: quick set pppoe
Replies: 6
Views: 679

Re: quick set pppoe

While transferring some data, run command /interface wireless monitor wlan1 ... pay attention to the following items: tx-rate, all of *signal-strength* items, tx-ccq ... One thing that bites you quite likely: country regulations with regard to allowed EIRP ... LHG has a high-gain antenna and with rec...
by mkx
Sat Jul 13, 2019 1:45 pm
Forum: Beginner Basics
Topic: RouterOS v6.41.4 access to admin panel -password problem [SOLVED]
Replies: 9
Views: 918

Re: RouterOS v6.41.4 access to admin panel -password problem [SOLVED]

If you perform factory reset, then everything gets reset to factory defaults, including usernames and passwords. How that what you said corresponds to FAQ which states: How can I recover a lost password? If you have forgotten the password, there is no recovery for it. You have to reinstall the route...
by mkx
Sat Jul 13, 2019 1:32 pm
Forum: Beginner Basics
Topic: Different networks (not part of bridge) can still see each other
Replies: 4
Views: 482

Re: Different networks (not part of bridge) can still see each other

You have to use chain=forward ...chain=input deals with connections targeting router itself. And you need a pair of drop rules because the replies are treated by "related" rule after connections they pass firewall in the forward direction. Edit: actually this is dependant on rules order. If the drop...
by mkx
Sat Jul 13, 2019 12:24 pm
Forum: RouterBOARD hardware
Topic: NetInstall RB1100 Kernel Panic
Replies: 1
Views: 512

Re: NetInstall RB1100 Kernel Panic

Use another version of netinstall ... Make sure that no other device is in the same physical network during netinstalling (read: use direct ethernet connection between PC and RB) and make sure you follow all instructions from netinstall manual ... which is vital as netinstall procedure is fairly fra...
by mkx
Sat Jul 13, 2019 12:20 pm
Forum: General
Topic: Product Request: Mode switch "Doorbell" trigger
Replies: 4
Views: 579

Re: Product Request: Mode switch "Doorbell" trigger

If you take any of the RBs with passive PoE out, you should be able to shunt the power out lines on that Ethernet port by a serial combination of a pushbutton and a resistor, so your script would monitor the power drain (yes/no). This is an interesting idea. However to make it truly work "like a do...
by mkx
Sat Jul 13, 2019 12:06 pm
Forum: Beginner Basics
Topic: RouterOS v6.41.4 access to admin panel -password problem [SOLVED]
Replies: 9
Views: 918

Re: RouterOS v6.41.4 access to admin panel -password problem [SOLVED]

If you perform factory reset, then everything gets reset to factory defaults, including usernames and passwords. OK, perhaps not just everything, malicious code might survive :wink: There's a gotcha: it is possible to install custom defaults (after netinstalling device) and some ISPs deliver RBs to t...
by mkx
Sat Jul 13, 2019 12:02 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 97
Views: 32117

Re: v6.44.5 [long-term] is released!

Can't you connect via ssh but using administrative user name?
by mkx
Sat Jul 13, 2019 12:12 am
Forum: RouterBOARD hardware
Topic: PowerBox pro cannot upgrade from 44.2 to 45.1
Replies: 7
Views: 818

Re: PowerBox pro cannot upgrade from 44.2 to 45.1

My guess is that you'll have to perform netinstall. Make sure you create and save configuration export (the text version of it) before doing it. I also suggest that you start configuring it starting from default setup ... specially firewall settings ... and only add needed functionality (not just bl...
by mkx
Sat Jul 13, 2019 12:07 am
Forum: Beginner Basics
Topic: RouterOS v6.41.4 access to admin panel -password problem [SOLVED]
Replies: 9
Views: 918

Re: RouterOS v6.41.4 access to admin panel -password problem [SOLVED]

OK, so it's not Tenda after all. Default password on ROS is empty password. If that doesn't work, it might be set by whomever you got the router from and is highly unlikely for you to get correct answer from this forum. And, if you don't find out password, the only way getting in is netinstall device.
by mkx
Fri Jul 12, 2019 11:44 pm
Forum: Beginner Basics
Topic: RouterOS v6.41.4 access to admin panel -password problem [SOLVED]
Replies: 9
Views: 918

Re: RouterOS v6.41.4 access to admin panel -password problem [SOLVED]

Does it matter that my router is Tenda?
Surely you call Apple customer support when you have issues with your HP laptop running Windows?
by mkx
Fri Jul 12, 2019 3:59 pm
Forum: General
Topic: CRS3xx hardware offload with split-horizon? or similar setup?
Replies: 6
Views: 560

Re: CRS3xx hardware offload with split-horizon? or similar setup?

If export doesn't show settings, then that's definitely a bug. On my RB951G export displays relevant settings: [user@RB951G] /interface ethernet> export # jul/12/2019 12:50:53 by RouterOS 6.45.1 # software id = QCG5-PSG8 # # model = 951G-2HnD # serial number = 642E05BB727B /interface ethernet set [ ...
by mkx
Fri Jul 12, 2019 1:55 pm
Forum: SwOS
Topic: three new CSS326 on existing network
Replies: 6
Views: 785

Re: three new CSS326 on existing network

On power up the management console starts at 192.168.88.1 (see documentation for the css326). As each of the three switches powers up with that default address, ... That's merely default. When your switches arrive and you start configuring them, you'll plug one at the time. It'll get some address f...
by mkx
Fri Jul 12, 2019 12:07 pm
Forum: General
Topic: VLAN VRRP
Replies: 18
Views: 1441

Re: VLAN VRRP

As I'll be unable to use my left hand for some time now ...

Wow, bummer! I certainly hope you'll get well soon ...
by mkx
Fri Jul 12, 2019 12:05 pm
Forum: General
Topic: Bug in Log when rotate log (6.40.1)
Replies: 6
Views: 718

Re: Bug in Log when rotate log (6.40.1)

However, I cannot reproduce your problem, maybe I understand incorrectly but my timezone is set to Europe/Amsterdam which is +01 with DST, so currently +02. When I now do a /log print I get messages from yesterday with date and messages from today (also in the 00:00-02:00 range) without date. Did y...
by mkx
Fri Jul 12, 2019 11:15 am
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 102
Views: 36524

Re: v6.46beta [testing] is released!

Do you have proper hair-pin NAT implemented? The single dstnat rule you've shown only does things half-way:
UDP packet with dst-address=8.8.8.8 arrives at router (src-address=192.168.0.x)
router uses dstnat rule to replace dst-address to dst-address=192.168.0.4 ... src-address remains set to 192.168...
by mkx
Fri Jul 12, 2019 9:58 am
Forum: Beginner Basics
Topic: 1wan + 2 lan isolated from each other
Replies: 63
Views: 4416

Re: 1wan + 2 lan isolated from each other

Nothing much points out to me as wrong in your configuration. One thing that might affect how things behave: LAN2 IP address should be bound to interface bridge2 - now it's bound to its slave interface ether10. I'm not sure you really need these set to yes: /interface bridge settings set use-ip-fi...
by mkx
Thu Jul 11, 2019 10:52 pm
Forum: SwOS
Topic: three new CSS326 on existing network
Replies: 6
Views: 785

Re: three new CSS326 on existing network

Don't use chains of switches. Don't use DHCP. Configure static addresses.

I don't see any problem with chain of switches, especially not in context presented by OP.

I do agree with the second part: don't use DHCP to configure management interfaces of network infrastructure devices.
by mkx
Thu Jul 11, 2019 10:48 pm
Forum: RouterBOARD hardware
Topic: Mikrotik RBGESP surge protector [SOLVED]
Replies: 1
Views: 488

Re: Mikrotik RBGESP surge protector [SOLVED]

It doesn't matter.

Surge protectors create conductive path between wires and PE when an overvoltage occurs. It doesn't matter from which side of surge protector such surge originates.
by mkx
Thu Jul 11, 2019 10:20 pm
Forum: Beginner Basics
Topic: 1wan + 2 lan isolated from each other
Replies: 63
Views: 4416

Re: 1wan + 2 lan isolated from each other

Post full configuration as shown by running command /export hide-sensitive from a terminal window ... when posting config, put it into [code] .. [/code] environment. Combined with the network schematics, we might have an idea or two.
by mkx
Thu Jul 11, 2019 4:01 pm
Forum: General
Topic: IP Firewall Filter rule preference
Replies: 2
Views: 306

Re: IP Firewall Filter rule preference

Once I already wrote: potential malicious user can easily spoof src-address but can hardly spoof in-interface ... if you care about security, you have to keep this in mind. However, many times it's not this simple and one has to use a combination of both.
by mkx
Wed Jul 10, 2019 11:31 pm
Forum: Beginner Basics
Topic: Access WAN router from lan
Replies: 2
Views: 329

Re: Access WAN router from lan

You quite probably need a src-nat rule for connections from LAN towards 4G modem because 4G modem knows nothing about gateway to your LAN subnet. By configuring src-nat all those connections will appear to 4G modem as if they originated from router with which it can communicate directly.
by mkx
Wed Jul 10, 2019 10:09 pm
Forum: General
Topic: SFP RB4011
Replies: 19
Views: 1531

Re: SFP RB4011

And such "intelligent" SFP modules need some support from router which router might not know how to provide. Due to this GPON by Bell might not work any better on Routerboards when they move to 10Gbps sync rate. Thanks @mkx ...... so what you're saying is that due to MikroTik's SFP[+] implementatio...
by mkx
Wed Jul 10, 2019 9:29 pm
Forum: Beginner Basics
Topic: how to set up isp vlan public ip ?????
Replies: 2
Views: 566

Re: how to set up isp vlan public ip ?????

Let's assume router's ether1 interface will be used for WAN. And let's assume ether1 is not member of any bridge. So the minimum config would be this:
/interface vlan add name=wan interface=ether1 vlan-id=180
/ip address add address=81.244.55.234/30 interface=wan
/ip route add dst-address=198.198.2....
by mkx
Wed Jul 10, 2019 4:28 pm
Forum: Wireless Networking
Topic: Wifi range is really bad for a reason
Replies: 17
Views: 1425

Re: Wifi range is really bad for a reason

Surely you're aware that 5GHz signal drops quite quickly with the distance and doesn't run "around the corner".
by mkx
Wed Jul 10, 2019 4:22 pm
Forum: General
Topic: SFP RB4011
Replies: 19
Views: 1531

Re: SFP RB4011

The following provides an exceptionally good overview of How Stuff Works: How Fiber-to-the-home Broadband Works

@tdw has a point: from router's point of view, any SFP connection to optical network (regardless if it's active or passive) is using "active" SFP module. The problem here (which is not en...
by mkx
Wed Jul 10, 2019 4:01 pm
Forum: RouterBOARD hardware
Topic: R11e-LTE PAcket Loss
Replies: 13
Views: 1146

Re: R11e-LTE PAcket Loss

Interesting, -105dbm for the rsrp is a little poor, I usually get from -90 to -70, have you the SXT outside and pointed towards the cell tower? or in the general direction? I'm not sure if the signal would equate to packet loss, does the connection ever just drop?

LTE works quite fine down to RSRP ...
by mkx
Wed Jul 10, 2019 3:29 pm
Forum: General
Topic: EoIP over Internet
Replies: 2
Views: 245

Re: EoIP over Internet

Quite a few (if not all) MNOs firewall subscribers against incoming connections even if subscribers are using proper (read: globally routable) IP addresses ... You might need a "fixed anchor" to establish wanted tunnel ... with a hop on the "anchor".
by mkx
Wed Jul 10, 2019 6:59 am
Forum: General
Topic: DST NAT Rules Work for some connections.
Replies: 12
Views: 678

Re: DST NAT Rules Work for some connections.

Some wild guessing: if you make RB default gateway for your server, Windows will detect this as new network and you might need to adjust Windows firewall settings to make those services available to the world (again).
by mkx
Wed Jul 10, 2019 6:52 am
Forum: General
Topic: Port Forwarding Not Working but Shows Packets
Replies: 11
Views: 876

Re: Port Forwarding Not Working but Shows Packets

Are you sure that firewall on 10.0.1.89 is not freaking out on inbound VPN connections?
by mkx
Tue Jul 09, 2019 11:31 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 97
Views: 32117

Re: v6.44.5 [long-term] is released!

Your image is corrupted :)
corrected ;)
Now it's encrypted in cyrillic :wink:
by mkx
Tue Jul 09, 2019 7:26 pm
Forum: Wireless Networking
Topic: MikroTik RouterOS and 802.11i
Replies: 1
Views: 359

Re: MikroTik RouterOS and 802.11i

According to the Wikipedia article, 802.11i is more or less the same as WPA2.

So, yes, RouterOS supports WPA2 and WPA.
by mkx
Mon Jul 08, 2019 10:53 pm
Forum: RouterBOARD hardware
Topic: Netinstall doens't work on RB951 that reboot every 9s
Replies: 5
Views: 693

Re: Netinstall doens't work on RB951 that reboot every 9s

Did you try to replace power adapters?
by mkx
Mon Jul 08, 2019 10:27 pm
Forum: General
Topic: Is 16MB enough?
Replies: 6
Views: 529

Re: Is 16MB enough?

Do you happen to know if graphing engine truncate old data it collects to reduce DB size? hour/day/week/month... - If I set graphing, will 16 mb suffice for years to come?

Graphing engine truncates and averages data:
5-minute averages will be displayed for last day (288 data points)
30-minute avera...