MikroTik

Zacharias

I would recommend you to remove your Public IP... So vlan28 is your WAN interface ? The rules look fine ... I can't remove the public IP address because we have connection from more than one ISP. So the public DNS is set to resolve using the mentioned public IP address. So vlan28 is your WAN interf...

Zacharias

Yes indeed is confusing...

Many times i forget it too...
But its a L7 client-server protocol that assists L2 functionalities ...

Zacharias

The OP had CRS112 in comparison with other specific switches... Ofcorse he can get a CRS3xx... But that is another discussion... There was no comparison between CRS112 with any CRS3xx from my side ... In the small switch category I suggest you look at either TP link TL-SG3210XHP-M2 or Ubiquiti US-8-...

Zacharias

but the switching of RB5009 would be worst I think.

Worst in comparison with what device ?

Zacharias

What switch you choose or not depends on your actual needs... For example if you need POE or not and how many, if it should have SFPs and if yes how many, number of ports, the switch chip features and so on.... Personally i would choose the CRS112, with or without POE... However, between rb4011 and ...

Zacharias

@mkx, DHCP is a Layer 7 ( Application Layer ) Protocol ...
https://help.mikrotik.com/docs/display/ ... r+Networks

Zacharias

I would recommend you to remove your Public IP...

So vlan28 is your WAN interface ?
The rules look fine ...

Zacharias

It is a Routing matter...
You just need the correct routes on the Zyxel for each network you want to reach on the MikroTIK side ...

Screenshots are not really helpfull to see your configuration, it is better to export your config with /export hide-sensitive ...

Zacharias

Post your configuration with /export hide-sensitive

Zacharias

Zacarias - confirmed limited access for the username and password the ISP have given me. I'll see what they will trust me with

I thought so...

Zacharias

Bridge VLAN filtering on the AP is NOT necessary either on Capsman or Local Forwarding... Ofcorse you can configure it, but that does not make it a must... It all depends on what you need to achieve... There is an example in the wiki https://wiki.mikrotik.com/wiki/Manual:CAPsMAN_with_VLANs , as you ...

Zacharias

It would be nice if we could scroll down the list ...
Or better when it would use multiple columns to fit everything without scrolling, when possible.

Yes, maybe that would be good too...

Zacharias

I guess there's room for bugs here

Yes, maybe ...

Zacharias

Normal dst nat rule -----> from the internet port is visible but appears closed Generally speaking, if a port is in listening state you can check if it is Open through the internet or not... So thats not really true... Actually a closed port is a port that is reachable but no application is listeni...

Zacharias

*) added separate "Show Columns" window for list of visible columns;

It would be nice if we could scroll down the list ...

Zacharias

Normally the Power and WiFi Led should be on after the alignment...
First, check the configuration on both devices, and also make sure on the AP side the status is in Running state...
Check the logs on both devices too...

Did you made any changes to their configuration ?

Zacharias

@mkx, how exactly MikroTIK finds that this IP is indeed in use ? What are the chances that there is another device in the same network with an APIPA address assigned and that being the same as the Phone's ( 169.254.8.184 )? I mean 169.254.8.184 is indeed duplicate or not ? From my point of view, yes...

Zacharias

Is that true?

As far as i know it is not implemented yet ...

Zacharias

The address space 169.254.x.y/16, is used when a host can not actually detect a DHCP server, thus it is assigning itself a link local address using a mechanism called APIPA ( Automatic Private IP Addressing )... So, first it seems that this device can not detect a DHCP Server... Gratuitous ARP, is u...

Zacharias

Where is the problem ?
There are no details about the version thats all ...

Zacharias

oops, i was looking at the ipv6 firewall...

Zacharias

Indeed it looks like a DNS problem...

But it can be anything wrong in your confguration that might cause this problem ...

Zacharias

First of all, Local address, is an address configured--assigned to one of the Routers interfaces... So, if for example you are in the subnet 10.10.10.0/24, and your Router has the address 10.10.10.1/24 and a host, the address 10.10.10.254/24, only 10.10.10.1/24 is a Local address... Also, from a qui...

Zacharias

The SIM card holder, as far as i remember from the last time i replaced the LTE modem on a WAP, is just on the back side of the PCB... no need to remove the modem...
But if you don't feel comfortable checking the SIM card holder, sure don't try it...

Zacharias

Is there any RSTP option on your netgear?
If yes disable it...

if the port still goes in discarding state, post the configurations of both hex and wap, /export hide-sensitive

Zacharias

What do you mean you need the configuration ? Is there a starting point ? Read here: https://wiki.mikrotik.com/wiki/Manual:Interface/Wireless https://wiki.mikrotik.com/wiki/Bridging_Networks_with_SXT https://wiki.mikrotik.com/wiki/Manual:Wireless_Station_Modes https://wiki.mikrotik.com/wiki/Manual:W...

Zacharias

No, it is not supposed to happen...
But certainly something is causing it...

Can you try station mode instead of station pseudobridge and see if the problem persists ?

Zacharias

Why are you using super channel and not regulatory domain ?

Zacharias

@anav, you' re right on that...
Network diagrams are a must on Complex networks but not only... Even on simple topologies, visualising the Network is really helpfull...

Zacharias

What is the equipment on the client side ?

Zacharias

There is no such thing as general ideal Wireless settings for any PTP or PTMP Link... It all depends on the enviroment your Antenna exists... How crowded the air is, how much interference and noise from other Antennas there is, the obstacles between your Antenna and the CPE ( equipment on clients si...

Zacharias

@anav as i can see you did like that diagram...

Zacharias

What i would do is : 1. Configure the Hap in station mode ( i don't think you need any layer 2 communication with the AP or the network that the AP exists ) 2. Set the wlan interface of the HAP as WAN ( remove it from any bridge, create NAT masquerade rule for the wlan interface ) 3. Either enable D...

Zacharias

I dont't think that a reboot would solve such a problem... but anyways...

But even if the sim holder is faulty, it is easy to check it... Wap has a screw at the bottom, when you remove it you can pull it and reveal the SIM holder ...
https://help.mikrotik.com/docs/display/UM/wAP+R+ac

Zacharias

@OzanOral26 ,
I see no Mangle configuration in your export... nor any routes....
Neither any Route rule as @anav suggested... Which is an alternative ofcorse...

Zacharias

If the SIM card holder is faulty, how can a reboot, as you said earlier, solve the problem ?

Zacharias

Yes, ISP supplied

Then it seems you don't have Full rights...
But check again to confirm it ...

Zacharias

What do you mean ?
If you delete the logout page, when the user logs out, there will be no page displayed that the user indeed logged out...
What would be the actual reason to delete these pages ?

Zacharias

@mikejp, what ROS Device, model are you using ?
Did the ISP provided you that Router or not ?

Under system users, the username you are using, does it show Full Group permissions or not ?

Zacharias

they don't pass bridge logic handled by CPU. With forwarding=yes, Enabled Bridge firewall was working just fine between 2 wireless clients on the same radio.... I could allow or drop traffic between those hosts... Edit: On different device with not the same wireless chip ( as my first test ), Bridg...

Zacharias

So it can be used as an alternative to a VPN connection ?

Zacharias

@mkx, my actual test was on a Wireless interface (i know it can be done with setting forwarding to no)... On a wireless interface it is obvious that more than 1 hosts can exist on that same interface... And ofcorse on the wireless interface all the traffic goes through the CPU... Thus i could effect...

Zacharias

@mkx, i have nothing to disagree with... But, when using the Bridge Firewall, in order for it to work, you must disable the hardware offload, otherwise the traffic will bypass the CPU and the Bridge Firewall filter will not work... So, since it works ( at least on a quick lab test i run ), i can onl...

Zacharias

Did you try to change the external port ? For example use dst port: 8080 and port: 80
Is the counter on the specific rule zero or it counts packets ?
In any case, Low ports ( <1024 ) might be blocked from your ISP for security reasons... Thats why i suggested changing your external port...

Zacharias

Is the SIM card correctly positioned ?
Is the SIM card in good condition ?

Zacharias

I would suggest you to reset to no defaults when you re doing some practice instead of working on existing configuration ...

Zacharias

I think you can find the information you look for here https://wiki.mikrotik.com/wiki/Manual:Interface/LTE

Zacharias

If more than one user exists on the same port, then nothing on MT device can prevent those users talk to each other as long as they are in same VLAN (or none VLAN). Why not if i enable the Bridge Firewall ? You can successfully block users to reach each other using the Bridge Firewall even if they ...

Zacharias

Am not sure if station pseudobridge creates any problems here.
Since you can't use station-bridge to connect to a CAP, what i would try is let the AP out of CapsMAN, configure manually the wireless interface as AP, then configure the reapear to station bridge mode...
And test again ...

Zacharias

If more that one users exist on the same port, that would not work ...

Zacharias

Are you sure you have configured it just as a Repeater ?
Post your wireless configuration for that AP with hide-sensitive...

Zacharias

You will need to enable the use-ip-firewall feature in the Bridge settings or use-ip-firewall-for-vlan if you use VLANs so that you can filter Layer 2 traffic.... Isolating everyone from everyone is not something that will happen just because you createVLANs.. Also, you will need to adjust the firew...

Zacharias

As @anav already wrote (using different words): what exactly does "Private VLAN" mean in your context? If wikipedia article describes your view of the matter, then ... hell yes, RB4011 can run large number of private VLANs. I would like everyone connecting to RB4011 to be isolated from ea...

Zacharias

You re not using any NAT to reach your server right ?
Only Routing is needed...

Zacharias

Your problem is not the VLANs... VLANs work on Layer 2 of the OSI model... They are used to create seperate broadcast domains... So... what i would do is check my Firewall... When you try to access VLAN109 from VLAN110, what actually happens in simple words, is as soon as the traffic reaches the Rou...

Zacharias

Thanks a lot...

Zacharias

Disable any firewall or antivirus program running on your computer..
Disable any other network adapter except the ethernet one used for Netinstall..
Try different versions of Netinstall...
Use a switch between RB4011 and your computer, as already suggested...

Zacharias

You can not use WDS on Capsman...

Zacharias

How could that be a general problem ?

Zacharias

What exactly are you trying to achieve ? According to the WiKi, RB5009 supports Bridge Vlan Filtering in Hardware Level, meaning that you will not loose the Hardware offload feature... https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features Also, here you can see how Bridge VLAN filtering wo...

Zacharias

I have a question for the 60 GHz Devices...
What does the Signal Value indicate ?
Am not talking about the RSSI, but for the Signal value...What is the unit of measurement for that Value ?

Zacharias

As said earlier, you need no NAT to enter a Router that has a Public IP assigned to one of its interfaces ... Check your NAT rules again ... The only reason why you would need NAT, is if the MikroTIK is behind another Router... In that case yes you would need NAT from the Router that is before the M...

Zacharias

If am not mistaken, it will be possible in the future to implement VLAN-Filtering without CPU-Resouces
New Feature in RouterOS 7.1rc1

Nice to know that ...

Zacharias

the cloud updates to fixed ip and i gave you the result of that

ok, so where is the problem ?

Zacharias

Sorry but you can't use different frequencies on the same radio Band... Can you show the details from the Network analyzer ? As you re saying, you are using two frequencies for the 2.4 GHz at the same time, lets say 2412 and 2437 and two frequencies at the same time ( without the use of secondary fr...

Zacharias

If you create a Route with a Routing Mark, the Route will not be used unless you Route traffic specifically to that Route, by using Mangles for example... I would suggest you to add the Route and give it some time... it might take some time to update the IP of the Cloud.. normally it should be 60 se...

Zacharias

I ve noticed that as soon as you open Winbox, if there is for example the Log Window open, or anyother window, if you press the ESC button multiple times the Winbox will close too... Which did not happen with the previous version... @Zacharias I do not see the behavior you're reporting. not later ....

Zacharias

I see no Routing Marks in your Routing Table...

Zacharias

According to the Wiki:
any : on AP - regular 802.11 Access Point or Nstreme Access Point; on station - selects Access Point without specific sequence, it could be changed by connect-list rules.
Source : https://wiki.mikrotik.com/wiki/Manual: ... e/Wireless

Zacharias

I ve noticed that as soon as you open Winbox, if there is for example the Log Window open, or anyother window, if you press the ESC button multiple times the Winbox will close too... Which did not happen with the previous version... I use saved sessions so that as soon as i enter winbox, certain win...

Zacharias

That is not an error...
Somewhere in your Firewall you have enabled the Log and it actually shows input traffic to port 8291 (MikroTik)...

Zacharias

Nice work ...

Zacharias

Please create a network diagram.. it will help to understand your Network topology...

In general if you want to create a Trunk port on your CCR, you can create them directly to the Interface that connects to the Nework switch...

Zacharias

1. You have no HairPin NAT configured... You only have a dst-nat rule and nothing more... For the HairPin NAT you will need a src-nat rule ,out-interface=VLAN10, src-address=the Source address, dst-address=the destination address and action=masquerade... 2. VLANs work on Layer 2 of the OSI level... ...

Zacharias

You should ofcorse set your Antenna to Regulatory Domain and select your Country...
Then makes multiple tests to see what frequency gives you the best results...

Zacharias

@anav is right on that, i never saw what you have connected on that Access port from the diagram... You could as well configure it as a Hybrid port. A hybrid port acts an Access port as well as a Trunk port, it accepts Tagged and Untagged frames at the same time... When an untagged frame comes in on...

Zacharias

Is it technically possible to have et10 on the RB4011 configured as an access port for VLAN30? Sure why not... You can apply Bridge VLAN filtering on RB4011, which will be implemented in Software ( CPU Resources ) ofcorse... If it was only to use the SFP port as the Trunk port, personally i would n...

Zacharias

On your NAT rules, create a NAT rule with action=masquerade chain=src-nat and src-address=the LAN subnet you want to use that specific WAN, out-interface= the WAN you want... Place it on top...

Zacharias

But if it is a requirement to be rackmountable, why didn't you choose a switch that can be actually placed to a rack ?

Zacharias

Check here:
https://mikrotik.com/products/ptp

Zacharias

For the Mikrotik, you can check on the wiki:
https://help.mikrotik.com/docs/
https://wiki.mikrotik.com/wiki/Manual:TOC

Zacharias

There are some MUM presentations about Queues...
You can find many information there ...

Zacharias

Test if you can power another POE device from your RB4011...

Zacharias

Try adding wpa-psk and TKIP ...
Test again...

Zacharias

I want to have all eth in one bridge.

I never said anything different...
Let all your interfaces on one Bridge, set bridge ARP to enabled, but on the specific ethernet interface that your Guests are connected to set it to reply only...
Check again my previous post...

Zacharias

Sorry but i know nothing about how quick setup works... never used it...

1) i used station pseudobridge mode before (with reset), configured security profile etc;

Export your wireless configuration ...

Zacharias

On your Local network let the ARP on your Bridge Interface to enabled and set your Static IP addresses as you wish...

On the ethernet interface that is used for your Guests, set ARP to reply only... On the DHCP Server used for the Guest network, enable the add arp for leases...

Zacharias

ok, so the cloud is updated but you can not access the device nor you can ping it, correct ?
There must be something wrong in your configuration ...

Maybe you should post your configuration with hide-sensitive ...

Zacharias

There is no USB interface on the RB4011....

You can check the available CHR versions here https://mikrotik.com/download

Zacharias

You can't have two different ARP modes on the same Bridge...

What is that you want to achieve ?
In general, you can have ARP mode set to reply-only on your Bridge Interface and on your DHCP Server select add-arp-for-leases so that an ARP entry is created for every lease on your DHCP Server only...

Zacharias

Check your Layer 1 ( your cable connected to the PD (Powered device) )...

Zacharias

You should use station-pseudobridge mode...
If your device is already configured with the quick setup, you might need to reset your device before applying again your configuration...

Zacharias

You need no NAT, i already said that before... If the Cloud is updated with a public IP, it is accessible... Check in your firewall the Drop rules in the Input chain.. Or just creat an accept rule on chain input for 8291 and place it on top (we always prefer VPN Tunnels to access our Devices)... Can...

Zacharias

Great to know...

Can you enable proxy-arp on your Bridge and let your configuration as it was before, does it work now?

Zacharias

1) why distance 10 and not 1. That is a route with a Routing Mark, in my case there was no reason to set it to 1 or 100... When you update the IP address successfully you will be able to access your Router through your static IP... Ofcorse you should allow TCP 8291 on your Firewall (not good for Se...

Zacharias

ok, but as you said, some times it goes close to -120dbm ...
My opinion as already stated, is that you should imporve the signal quality and then see how it goes...

Zacharias

You 're welcome...
Ofcorse someone who has the knowledge can change the TTL again and thus having Internet again...

Zacharias

What exactly did you solve? As stated in my earlier post, even if you put 2 or 3 frequencies in the List, only 1 will be used... Even if you configure different frequencies, on slave configuration for example, only the frequency in the master configuration will be used... You can check that with a w...

Zacharias

Is the OVPN server configured in ethernet or IP mode ? You can try the IP mode and use different addresses for the OVPN than your network.. Then add the Route to your Client... I can see you are using the same IP address space for the OVPN server as your LAN network... So the Route is not needed in ...

Zacharias

As i mentioned in my previous post, in your OVPN client's config you should add a Route for your local network...

What is your LAN subnet ? The same are you are using on the OVPN server ?

Zacharias

What device are you trying to connect the LHG to ? also maybe someone can show max possible Passive PoE parameters Depends on the cable quality... In any case you can't exceed the maximum distance of the ethernet cable, which according to the standard is 100 m ... There are ways you can extend the P...

Zacharias

Is the OPVN client a Compuer or an other Mikrotik device ?

Zacharias

VLANs are used to create different network segments ( for network segmentation in simple words)... They work in the Layer 2 of OSI model... If you are blocking something you need to check your Firewall ... Although, when you say that some sites do work but some others dont, my mind goes to MTU probl...

Zacharias

From a quick look i can see you are using CRS309 in Routing mode, so as i can see from the Ethernet Results for this device it can achieve about 340 Mbps (in Routing with 512 Byte packets) ... https://mikrotik.com/product/crs309_1g_8s_in#fndtn-testresults So the speeds look normal... This device is ...

Zacharias

Is there a route to your LAN on the OVPN conifig ?

For example ( part of OVPN config):

# Add route for Remote Host's Subnet
route 192.168.10.0 255.255.255.0

Zacharias

Have a look here:
viewtopic.php?t=88187#p442942

And here:
viewtopic.php?t=101096

Zacharias

It all depends on what you want to achieve...

If i were you and i only needed to connect the LTE to my computer, i would not use the passthrough at all...
However, you can check if you are able to create a VLAN on your computers network adapter...

Zacharias

There is something wrong with your configuration then... Working example: Routing Table: /ip route add check-gateway=ping distance=10 gateway=192.168.33.1 routing-mark=Test Address List: /ip firewall address-list add address=cloud.mikrotik.com list=Cloud add address=cloud2.mikrotik.com list=Cloud2 M...

Zacharias

There are small/medium Racks , as well as wall mounted small racks...
Anyways, i do understand you, it would be nice if we could have everything consuming the least space possible...

Zacharias

On the Mangles Facility create a Rule on the output chain, with destination address cloud.mikrotik.com or cloud2.mikrotik.com (depends on the device ROS version) and then create a new Routing Mark to the WAN you want to use (that Routing Mark should ofcorse exist in your Routing Table)... You could ...

Zacharias

My opinion is that the All in one idea might be nice for a home user...
In a production enviroment i dont really understand why would i need in a 1U rack space to have a switch, a Router and a POE switch all together... I will just use one more 1U space to place my POE switch and thats all...

Zacharias

For now i dont have a router between my SXT and my devices

Then why exactly you need the passthrough for ?

Zacharias

Sorry but i ve never come up with such a problem...
And i don't really see why the special characters can cause any problem...

I do use VPNs, with complex passwords and never had a problem like the one you describe...

Zacharias

@Scimitar,
right now there is no such solution ...

Zacharias

If the queue size is small, you will increase the packet loss but decrease the Latency. If the queue size is big, you will decrease the packet loss but increase the Latency. It all depends on what you need and what applications are used inside your network... In any case, if you device the Total Que...

Zacharias

You should create a Management VLAN to access the LTE device from your Network and ether1 as the passthrough Interface ... Go to Interfaces VLAN, create a new VLAN on interface ether1 with VID lets say 10 and name it VLAN10. Assign an IP address to VLAN10, for example 192.168.10.1/24 Then on the LTE...

Zacharias

What Logging Rules do I need to enable? <= critical / error / firewall / info / warning

None, just check if there is any entry on the Log in red color when you re trying to connect...
What is your ROS version ?

Zacharias

But after some time RSRP becomes more than -120-124 and RSSI -90-92 and I can’t use the Internet anymore.

That is a really Poor signal...
So it is normal to have connection problems...
You should place the Audience somewhere with a better signal coverage...

Zacharias

that could be grouped to the advertised "up to 4 in a 1 HE space" with similar mounting options?

No...

Specially looking for
- PoE out
- some more SFP+
- some 10G/2.5G RJ45 ethernet

What you' re looking for is a POE Switch, not a Router...

Zacharias

If I use another username / PWD WITHOUT special characters I CAN logon, but ONLY via the Web interface (NOT via WinBox, that stays "stuck" on "Logging in ...")

And what does the log say on the CCR ?

Zacharias

On Winbox, go to IP, Addresses and change from ether1 to Bridge Interface ...

Zacharias

If the Leds are on, even with no cable connected and you did netinstall the device, if the problem is not solved then it seems as a hardware problem...

Zacharias

It is not possible to use multiple frequencies on a single radio. A single radio can't use more than one frequencies anyways... (except on 5GHz, when using the secondary frequency feature for 160MHz channels) The AP will only choose 1 frequency to use... So even if you put multiple frequencies in t...

Zacharias

What exactly does not work?
Give more details ...

Zacharias

I'm pointing out that the idea of putting a random mac-address is a bullshit. Any actual reference on that instead of your personal opinion ? The addresses created with the way i described above, are locally administered unicast MAC addresses, as far as i know and remember... So it does not look ...

Zacharias

just type 12 hexadecimal digits randomly

I gave an option...
You like to type 12 HEX digits, someone else might not ...

Zacharias

It is likely assumed that in a rack where you want 2 or 4 of these routers, you already have some air circulation and cooling.

Some air cooling would certainly help...

Zacharias

An easy way to create a new MAC address is, go to /Interfaces Eoip, click add and then check the Mac address field, you can copy and use that MAC address...
Do not click OK, just exit from EoIP Facility...

Zacharias

1. Upgrade to 6.48.3

2. Assign 192.168.88.1/24 to your Bridge Interface, not to the slave port (ether1)

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
    192.168.88.0

Then test again...

Zacharias

Sorry but you have no VLAN configuration at all... However, from a real quick look the rule add action=drop chain=input src-address-list=!Thosts is most probably causing the second subnet not being able to resolve DNS queries, thus no internet access from youtr side... Add your second subnet to the ...

Zacharias

Have you checked the Logs on all your devices ?

Zacharias

Everything you need to know about Bridges is here https://help.mikrotik.com/docs/display/ROS/Bridge

Zacharias

How do you restrict the Bandwitdh ?
With Simple queues or Queue trees and how?

Zacharias

Use /export hide-sensitive and post your code inside code tags...

Zacharias

Carrier aggregation indeed works even if you use Cell lock.. I ve tried it my self and it works... So there must be a reason that in your case prevents it from working... What makes a band to be considered wrong ? In any cases in the general tab of the LTE interface you can choose only the Bands tha...

Zacharias

But i don't see any newer beta version than 7.1beta6 ...
Where do you get theat error ? In the logs ?

Zacharias

Are you sure no Loops are created (not physical ones)?
How have you achieved a Loop free topology ?

Zacharias

Export your configuration (with hide-sensitive parameter)...

Zacharias

Are the Leds On even if there is no cable connected ?

you could try to netinstall your device ...

https://wiki.mikrotik.com/wiki/Manual:Netinstall

Zacharias

Cat 6 LTE supports carrier aggregation, meaning it can use more that 1 bands at the same time, thus providing better performance results...

However, even for a Cat 4 LTE, your speeds are very low...

Zacharias

Not knowing more details about the network topology i don't think i can help...

In general, you could setup a VPN to access the remote Network, that is the safest and recommended way ...

Zacharias

What VLAN implementation are you using ?
Bridge VLAN filtering ?
Hardware VLAN using switch chip?
Posting your configuration (with hide-sensitive) would certainly help ...

Zacharias

What do you mean by disconnection ?
Does the LTE interface goes down ? R flag missing ?
Or the LTE is Running ?

You can export your configuration with hide-sensitive parameter and post it so we can have a look...

Zacharias

There are many examples around the Wiki according to VLANs...
Ofcorse you can create a VLAN trunk on your CCR...

What have you tried so far ?
Network diagram ?

Zacharias

When one of the tunnels goes down, the route via that interface will become inactive and the one with lowest distance value will be chosen among those that remain active. @sindy, my answer was according to your responce above... Since we only have two WAN interfaces here, if one goes down, only one...

Zacharias

When one of the tunnels goes down, the route via that interface will become inactive and the one with lowest distance value will be chosen among those that remain active. Or he cant just use lookup instead of lookup only in table , so if the WAN in the Route Rules specified for that source address ...

Zacharias

Have you set the correct APN settings of your provider ?

In case the APN settings were wrong he would probably not register at all ...

Zacharias

Are you sure the problem is on the switches ?
Did you try to access them through another computer ?

Zacharias

Does the device run RouteOS or swOS ?

Zacharias

The connection looks very good...
So there must be another reason...

On the general tab of the LTE, select only LTE in Network Mode and see how it goes ...

Zacharias

so you never added the bridge interface on the l2tp profile for both the client and server as it is already mentioned in the wiki... No, I added the bridge interface on the l2tp profile on server CHR side (see OP) but didn't do the same on the client side as I tought that I don't need the bridge in...

Zacharias

yes ok...
so you never added the bridge interface on the l2tp profile for both the client and server as it is already mentioned in the wiki...

Nice you solved it anyways...

Zacharias

There are many things changed since 6.35.4...

Obviously there are some country regulations applied...
No issue to me ...

Zacharias

Sure it is...
Just route your VPN client through the ISP you need using either Routing Rules or Mangles Facility...

Zacharias

When you do register, what are the values of RSRP, RSRQ and SINR ?

Zacharias

But the way you describe it is that the problem was on the default profile...

Am just trying to understand what the misconfiguration was ...

Zacharias

Maybe yes, maybe no... it depends...

Zacharias

AES 256-CBC cipher is not considered strong ?
it's just deprecated for new openvpn client version, I'm not saying that AES 256-CBC is weak

It is, but it still works ...

Zacharias

so what do you suggest to implement an strong and easy VPN system for windows clients? AES 256-CBC cipher is not considered strong ? With L2tp/Ipsec I have problem when two people over same ip try to connect, one of them is kicked after few time. There is an explanation from @sindy as to why this h...

Zacharias

So where was the problem with adding the Bridge in the default profile ?

Zacharias

Well, i don't think so ?
Ether1 is used for that...

https://help.mikrotik.com/docs/display/ROS/Netinstall

Zacharias

Yes. Sorry I wasn't precise enough.

Now it is understood, thanks

Zacharias

the virtual switch only accepts frames with source MAC address of the NIC itself

@sindy,

you mean the VMs NIC then, right ?

Zacharias

the virtual switch only accepts frames with source MAC address of the NIC itself. @sindy, So you mean that if for example a VM wants to communicate with a physical host, outside the virtualization engine, that physical host will see the mac address of the VM or the mac address of the physical NIC o...

Zacharias

@sindy, are you refering to promiscuous mode (Vmware) or something else? Yes, I do, but as it may be called otherwise on other virtualization platforms (it's called MAC address spoofing in Microsoft's Hyper-V), I was more verbose about the behaviour. ok, but why if promiscuous mode is disabled woul...

Zacharias

@webor,

what virtualization engine do you use ?

@sindy, are you refering to promiscuous mode ( Vmware) or something else?

Zacharias

Good to know ...

Zacharias

@rextended, i do not care about your personal opinion at all... :D In my earlier post i just explained the importance of the probabilites because you never mentioned it at the beginning but only after i made a comment on that. 2/0 & 2/1 = 100 % is different to : 2/0 & 2/1 = 50% + 50% Nothing...

Zacharias

@Rextended, Page 126, indicates that using both addresses and ports gives you better possibility for even distribution. So, using lets say src address or both addresses the possibilities are less. But ofcorse, increasing the number of connections you increase the possibilities of even distribution. ...

Zacharias

Syntesis:
Change all password on already monitored devices using ros_command("/user set rextended password=!RxR$$io22")

Yes, but how do you apply that to multiple devices in order to change the password to more than one Ros devices ?

As for the Dude, got it... nice to know...

Zacharias

@rextended, What exactly are you talking about ?because am totally confused... I pasted the text and the source where it belongs so that it is easier for you to read... Did you even see the word source ? Provided with a link ? Indicating where that text belongs to... That was an example, even if it ...

Zacharias

Each line is a different WAN and you need a SingleWAN address list for sites who don't like you changing the source-address all the time. I do agree, both addresses and ports does create a more even load distribution. As you said, there will be a problem with sites that do not like seeing a differe...

Zacharias

I don't understand your description on post #8 ...

Zacharias

@rextended, This means that two completely unrelated connections could match the same PCC matcher, and would be put on the same line. PCC works better the more connections you put across it so that the hash function has more chances to produce different outputs. Source : https://update.mikrotik.com/...

Zacharias

Am not really sure i understand ...

Zacharias

That is true...

Zacharias

2/0 & 2/1 = 50% + 50%.... instead 3/0, 3/1, 3/2 = 33,3_% + 33,3_% + 33,3_% for do 66,6_% / 33.3_% must used 3/0 & 3/1 omitting 3/3 @rextended how exactly did you make these calculations ? The hashing algorithm used on PCC does not divide the traffic equally... So this : 2/0 & 2/1 = 50% ...

Zacharias

Provide more details...

Zacharias

It's already possbile on The Dude change all password at the same time since v4.

How ?
Does it change the credentials on Dude and/or the monitored devices credentials as well ?

Zacharias

Did you take a look here in case you miss something ?
https://wiki.mikrotik.com/wiki/Manual:B ... _bridging)

Zacharias

Here is an example of how you could add more weight on your WAN 1 Interface : add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local \ per-connection-classifier=both-addresses:4/0 action=mark-connection new-connection-mark=ISP1_conn add chain=prerouting in-interface=LA...

Zacharias

@mkx, also I discover than if packet is fragmented, tls-host do not work... I do not know why, I'm expecting defragment before check, but do not happen.... That is referenced already... Note that matcher will not be able to match hostname if TLS handshake frame is fragmented into multiple TCP segme...

Zacharias

Do you have IP address set on interface vlan533? If you don't, that explains

@mkx it would be in a Running state even with no address assigned on the VLAN interface...

Zacharias

and manage the ports using Winbox, as if they were all the same unit? The controller Bridge and Port extender is about virtually extending the ports. You can expand the capacity of your network without using this particular function. If this is correct, would you consider this the logical way to ex...

Zacharias

Am talking about the Led on port 10 that stays on...

Zacharias

ok, so you want to route the IP Phone devices through the LTE ?

That is the case ?

If yes you can either go with Routing Rules or with the Mangle Facility ....

But i need more information ...

Zacharias

192.168.16.x/24 belongs to 192.168.0.0/16... so that is why it is dropped by the firewall ...

Zacharias

@leveche does it work now if you change strong-crypto=yes ?

Zacharias

Check on the Registration table the channel width used by your client device.. Does it use 80 MHz ?
Also on the Status page of your AP the frequency selected ...

Zacharias

I noticed if I power the RB4011 from a 48volt power supply on the back, the led of port 10 stay on.

Really ?
Ros version ?

I ve never used a 48Volt power supply on a RB4011...

Zacharias

It seems that the VPN address space you re trying to reach through yout Lan belongs to that address list...
Can you confirm that ?
If that is the pool of the VPN we re talking about 192.168.16.2-192.168.16.200, then it is obviously added to that address list (192.168.0.0/16)

Zacharias

@pe1chl there is a little reference about Routing Rules here : https://wiki.mikrotik.com/wiki/Manual:IP/Route To my understanding, when you create a Routing Mark, what you actually do is you create a custom Table. So, as there is the Main Routing Table, the Local Routing Table there are the ones tha...

Zacharias

WMM is about traffic prioritization not speed ...

Zacharias

What does the rule say? It says that whatever goes in your Bridge interface and wants to go out from any interface other than your Bridge, that could be the VPN in your case, and if the address you try to reach belongs to the address list you have configured and if the chain is the forward one ( tra...

Zacharias

I get "ERROR: could not connect to XX.XX.XX.XX

This is an indication that you can not reach or connect to the device for some reason..

It is not a problem related to The Dude and Winbox ...

Zacharias

Did you try 80MHz channel width ? (if it is supported by the client device)

Also, am sure you know that you cant reach the theoritical maximum right ?

Zacharias

Is your ROS version updated to 6.48.3 ?

Zacharias

@anav as @rextended replied earlier, the packets coming from the AP are src-nated upon leaving the WAN interface of the AP, thus they will appear as coming from 192.168.1.x/24 to the Netgear. Also, you cant use the Input Chain on the AP, since you do not target an IP configured on any of the APs int...

Zacharias

@anav, same distance on all routes ?

Zacharias

Maybe the OP means that NAT does not work when using the Second WAN while the first one is still UP ?

Search found 3501 matches