MikroTik

Steveocee

Something very wrong there. Even the RB2011 could do 350Mb without fast track!
Config will tell the story.

Steveocee

Will you be licensing your ESXi installations? If not you can only use 8 vCPU's per machine so you'd have a lot of redundant cores. Saying that it's better to run WITHOUT HT for CHR so only 4 over.

Steveocee

You may have been better buying a connectorised radio such as a Netbox or Netmetal.
I would generally advise leaving the antennas alone on the RB2011

Steveocee

Your router is very vulnerable. If it is public facing you need to update it and at a minimum put a public facing firewall on it.

Steveocee

IP>Firewall>Service Port isn't "the" service. It's a service helper. A very bad one at that. Do you have any port forwards? Are you using UPnP? 5060 is generally used for VOIP/SIP, do you have anything that uses that on your network? You could make a rule to drop it however surely your fir...

Steveocee

You won't be able to use discovery tool unless you use some kind of EOIP solution. UBNT discovery requires being on the same broadcast network which you won't be going in through VPN even though you can access the IP's.

Steveocee

Here is my CRS328-24P-4S+RM Annotation 2019-03-18 105542.png This is running; 3 data only ports 3 48v ports running 2 UniFi AC Pro's and a PoE splitter for modem. 3 24v ports Running 2 UniFi CCTV cameras and an NSM5 3 SFP's I didn't think consumption was too bad to be fair bearing in mind I also run...

Steveocee

Firstly, thank you for linking my video 8) I use home.mydomain.com for getting into certain things remotely and from home. These are differentiated by port number. I can't do that with internal DNS so it suits me quite well. I shared what I found as I initially had a lot of problems getting a hairpi...

Steveocee

Hello, I'm assuming that the /16s are just to summarize local subnets and you don't have such a big network. Otherwise, break the subnet down to smaller ones (like /24). Also, I'd probably go with fiber regardless since your working with two buildings. Fiber will insulate you from grounding issues,...

Steveocee

Liked & Subbed.
Nice to see well made content.

Steveocee

Great idea. Shame the RB2011 only has SFP and not SFP+ so won't do a 10Gb connection.

Steveocee

You need hairpin NAT.

Steveocee

Bummer, no worries. Thanks for the compatibility link! I'm not sure if anyone can verify or has tried but do the Cisco 1GB SFP's work with MikroTik routers? I've got a couple laying around at my parents i was thinking of having them ship me. Cisco GLC-SX-MM work absolutely fine. I picked a load up ...

Steveocee

If i set 50m/50m in simple queue maxlimit, shaping will not work. Now, I set my values to 40m/40m and it worked. Why is that? Queue will only apply once you hit the max limit, if you set it higher than your connection can go then it will never apply itself. It going red only signifies traffic is ne...

Steveocee

it's rx/tx , I think, so upload or download depending on that interface / target you apply it to.

Correct, however it is done from client of interface perspective so for pppoe interface the values do reverse.

Steveocee

Faulty hardware. Recently had similar with a CCR thinking ether5-7 was connected when they weren't.

Steveocee

Roaming is done by the client. You can only try to encourage it.
Make sure you use the same encryption method and key and try to separate the wireless channels as far as you can. It can help to stick a minimum RSSI of around -75 on to discourage sticky clients.

Steveocee

I think btest is limiting your results.

Steveocee

Just finished bandwidth test

What did you use to test?
25% on a quad core CPU device means 1 core was running at 100% whilst the others were idle.

Steveocee

You won't.

The interface on your CHR will always be connected to the vSwitch/port group in ESXi.

Steveocee

Broken?

It does sound like there is a fault with the hardware there with the LED's being vertically stacked, bad track on the board probably.

Steveocee

This forum sometimes! The guy sis asking what seems a really simple question, can he back to back two of the 60Ghz links, the answer is yes. Who mentioned dual radios and PtMP? Radio A <WIRELESS> Radio B <CAT5> Radio C <WIRELESS> Radio D. Is there some additional text in the same colour as the page...

Steveocee

Lets be honest though, the only use the beeper really gets is when you're bored and you want to play the Mario tune?

Steveocee

You could set up a VPN in the datacenter. I need to ask though, why do you need that many IP's on your home connection? Have you heard of this amazing thing called NAT?

Steveocee

Use bridge, not AP bridge and it will work.
Also ensure you have correctly set SSID and password.

Steveocee

Hi Steveocee Thanks for your reply, have you found the new equipment gives greater range or is it about the same?. You might be better on EE as they use the 1800Mhz band where I can get clients pulling down up to 85Mb. O2 only work on the 800Mhz channel which I've found Ok but speeds rarely go abov...

Steveocee

This forum sometimes! The guy sis asking what seems a really simple question, can he back to back two of the 60Ghz links, the answer is yes. Who mentioned dual radios and PtMP? Radio A <WIRELESS> Radio B <CAT5> Radio C <WIRELESS> Radio D. Is there some additional text in the same colour as the page ...

Steveocee

Having the device set to Auto is probably the worst way of operating the unit. It needs to be configured correctly otherwise it'll be all over the place.
Please give some details or config you have as an example (don't forget the country you are in) and I'm sure people on here will help you.

Steveocee

It will work as well as daisy-chaining switches will work.

As @mistry7 has already said, loosely there are 4 channels. 58, 60, 62 and 64 Ghz. Just don't reuse the same channel back to back and you'll be fine.

Steveocee

You are up to date.

You have a "current" firmware (think of as BIOS) and a "factory firmware" which you will never be able to upgrade and is there purely for in case of emergency.

Steveocee

This won't be totally applicable but it explains how to get the dynamic bit down far easier than my typing will do.
https://www.youtube.com/watch?v=_kw_bQyX-3U

Steveocee

You should probably post your config as this will give us a better idea of what you have done and where it can be fixed. Make sure to use "hide-sensitive" flag so no personal information is posted.

Steveocee

Sounds like you need hairpin NAT. Youtube has some excellent videos on how to do it (mine being one of them).

Steveocee

OP has stated line saturation is causing the PPPoE connection to drop and has sensibly suggested a limit of the PPPoE interface, I honestly don't know where the logic in limiting users individually came from there? @OP the solution from @solar77 is perfect for you. Be aware though I think when you s...

Steveocee

I'm sure this will be a vlaid reason why not but.....plug into ether9?

Steveocee

Have had one on test for a couple of weeks. As I move about from client to client I've been doing some very barbaric speedtest.net results and comparing.

The long and short of my findings was give up if you plan on using O2 network.

Awaiting an EE SIM to see if things improve.

Steveocee

As a parent of a 2, 3, 5 and 8 year old speaking. Have you considered saying "No"? No scripting needed.
The only "script" you'd possibly need is a CD set to loop saying no

Tell me about it. Hindsight eh?

Steveocee

*Fixed* Don't think my problem was related. I have a route policy on site that tells it to send certain devices up a VPN. I managed to go "to" the device down the WAN and then it was trying to respond back up the VPN hence firewalls blocking packets from unexpected sources. Good luck to th...

Steveocee

How strange.
I have just come across this problem myself. I am port forwarding from a specific remote IP back into my network and using torch I can see the LAN device trying to get back to it with dst IP but it simply isn't available.

Steveocee

Just use a weird 5GHz channel nobody else is using

Losing a bucket of throughput, opening yourself up to local noise and losing full duplex.

I currently have a 2.4Km link on trial, it's struggling.

Steveocee

Hi Colin, Welcome to the world of MikroTik. Very little official documentation, lots of user input (with multiple solutions to 1 issue normally) and an extremely steep learning curve. Use the default config to start with, adapt it to get you "online" and then study it from there to unders...

Steveocee

Your bridge is using the MAC address of your ether port.

Set an admin-mac of your ether interface (I always use ether1 for continuity) but increment the second character EG 00:AA: becomes 02:AA

Will get rid of the error for you.

Steveocee

Hi Colin, Welcome to the world of MikroTik. Very little official documentation, lots of user input (with multiple solutions to 1 issue normally) and an extremely steep learning curve. Use the default config to start with, adapt it to get you "online" and then study it from there to underst...

Steveocee

I use G3's connected to a CRS328, works fine with no problems. I changed from a UniFi 8 port switch last week and to be honest didn't even remember the G3's are 24v only. I've been really impressed with the CRS328 so far.

Steveocee

As a parent of a 2, 3, 5 and 8 year old speaking. Have you considered saying "No"? No scripting needed.

Steveocee

lil0's OP The free space thing could be a problem, remove all packages you don't need. Remove all files you don't need (or at least back them up). Let's face it, do you need MPLS and BGP on this device? Probably not, be brutal, remove everything you don't need. I use a hAP Mini as a travel router a...

Steveocee

To be honest, this shouldn't escalate to an last resort like netinstall - the small size is not good because does not allow to use all compatible features simultaneously, it's like installing Linux and only be able to execute X11 or Console(tty) but not both - it is damaging the brand, and SPI Flas...

Steveocee

If the modem is truly in bridge mode then you won't be able to access it via the WAN through SSH. Your SSH should be hitting the MikroTik. This would only not be the case if it wasn't actually in bridge mode and was routing and your MikroTIk was simply taking a LAN connection from it. I use a modem ...

Steveocee

I really can't begin to tell you what a bad idea that is. So you're downloading P2P, maybe one of the files is infected, this then generates multiple services on the host, all of which then tell your router to open up ports which it does because UPnP is on which then enables more malicious software ...

Steveocee

Bridge all ports and enable hardware offload so it uses switch chip rather than CPU.
Job done.

Steveocee

IP>Kid Control
Maybe it won't limit to 30 mins per day but it's a start to minimise watch time.

Steveocee

Dropped a bunch of Cisco GLC-SX-MM's into a CRS328-24P-4S+RM yesterday and all worked absolutely fine with auto negotiation. The "B" end's were a CRS125, CRS112 and UniFi 8 port.

Steveocee

The menu is under IP>SMB, you can create the share in there but for an honest opinion, it will be hideous to use. As it is USB2 based the transfer speed will be very slow and you'll have far less headache with a "real" NAS unit.

Steveocee

You can use mangle to add routing marks then set the appropriate routing marks in your IP>Routes. Use mangle to identify either src or destination and then apply either an "in-vpn" or "out-vpn" mark to it. I use very similar to identify specific LAN devices to be able to use my w...

Steveocee

No problem at all. I've recently spun something similar up for a customer request. My use case was pppoe-out1 with static IP X.X.X.1 and then it had a /29 of routed IP's Y.Y.Y.0/29 of which each port in the router (RB3011) was going to have a different LAN range but traffic coming from a correspondi...

Steveocee

Yeah @support !!! Why didn't you know this guy had problems for 5 years? Be more like Huawei and spy on your users data so we can complain about that instead!

Steveocee

Have a watch through this. Will explain everything you need.
https://www.youtube.com/watch?v=_kw_bQyX-3U&t=1s

Steveocee

Download Winbox and try L2 connection, no IP needed.

Steveocee

This just sounds like you didn't set up your firewall properly. Not a vulnerability. If you enable DNS cacheing then the router will do it regardless, it is up to you then as the user to ensure that only requests you want answered are responded to. Usually a dro pUDP-53 rule from the WAN interface i...

Steveocee

https://youtu.be/rnMy_ffvskQ?t=239

Forgot I made that video.

Steveocee

Yeah your config sounds screwed up. With a drop rule there should be no need for an extra rule in there. Also after the drop rule there should be no hits on any input rules........ This. Unless you have an established & related rule and the requests are coming form the same hosts and by some wi...

Steveocee

Yes it is. I have trouble keeping it on to be fair, the device is so light and once you have a cat5 and power cable plugged in it struggles to stand up with it's own weight.

Steveocee

Finally got my link up! 64Ghz wasn't cutting it but when I've tried out 66Ghz we now have a link. There is still some more panning that needs to be done, still not quite the 4Km touted recently.

66g1.JPG

Steveocee

X86 isn't really a supported variant any more. "Real" hardware installations are now advised to be done using CHR through a Virtual Host.

Steveocee

CRS series are primarily switches with an amount of L3 capability. I think you'd need to use fast track and hardly anything else to get near the throughput you want. Ideally you'd need an RB3011 or upwards to route at those sorts of speeds.

Steveocee

You don't buy CHR. You can buy a CHR license though, is that what you mean?

Steveocee

Assuming Comcast work like most, you can connect a DHCP-client device to the modem and you're on the net. If so, reset the RB3011 to factory defaults and connect the modem to ether1. Should get you up and running (providing they don't have any weird MAC timeout restrictions on the services) and then...

Steveocee

Not heard any mumbles of it.
The SFP approach is the closest yet but there will be little appetite in going for VDSL now with the general lean towards fibre to the premises.

Steveocee

This will be a LOT for someone to write for you a step by step guide. Maybe watch some YouTube tutorials first? Setting up router, then hotspot, then come back with any configuration issues or changes that need making?

Steveocee

Are you using client isolation? That would mitigate a lot for you, you should not get a storm across all ports though unless you add the ports to a bridge and then have a single pppoe server on the bridge.

Steveocee

Your router has been hacked and likely has a script running on startup.

You need to do a netinstall to latest version and then re on figure securely before connecting back to the web.

Steveocee

I’m on mobile but search this forum for the term “port flopping”. There is a large thread about it, why it is happening and how the problem hasn’t yet been fully solved.

Steveocee

@Steveocee Thanks for wonderful and helpful video that you share in youtube, I am totally new user to Mikrotik but base on your guidance from the video, after some testing and reboot finally I able to get the loopback/ Hairpin NAT plus DYNDNS work perfectly with my Dynamic IP. Keep up the good job ...

Steveocee

Do you actually need the port open? Could the traffic be part of your established or related chain instead? If you are "dialling out" to this company then you shouldn't need this rule.

Can you do an export (hiding the addresses of course) so we can see and help?

Steveocee

Several people have already said, you are not missing anything. Your expectation of the product is too high. Either use an LHG60 to get gigabit or you will have to deal with the connection you are getting. The fact you are gettin 800+ burst rates is impressive to say the least, especially in the con...

Steveocee

It was only temporary downtime, not full shut down. The current version is quite stable also.
You can script the router to pull WAN ip from your interface if you really need it to on net watch up but that is very long way around an easily solvable problem.

Steveocee

^^^^ Anav missed the easy solution. Although correct in that they are essentially in a L2 network, you can force L3 connectivity.

If the interfaces are in the same bridge you can use the bridge settings to use IP firewall or bridge filters and stop them from talking that way.

Steveocee

Should be doable with a dst-nat rule I think.
Need a bit more info from your side to give you a more exact answer though.

Steveocee

MikroTik Kid Control is brilliant for controlling who can access the net at what times and at what speeds across a grouped amount of devices.
No good for site control though.

Steveocee

I want to stream 4k high bitrate media, to 4 devices around the house if its possible I'd like to do that from a big external HDD hooked up to the router via usb 3.0 or something faster via NFS or something similar. If I can do this it basically means I can avoid buying a NAS which would be amazing...

Steveocee

Separate network for her devices and use something like OpenDNS to filter DNS requests?

Steveocee

The channel is not something MikroTik are releasing, the channel itself is already there. MikroTik are enabling the use of the channel through firmware which currently is only in the RC version but will ultimately release to current (whenever that may be). It is the 66000 channel which moves further...

Steveocee

Interesting
So I will then always set up bridges like this:
Code: Select all
/interface bridge
add admin-mac=x[26AE]:xx:xx:xx:xx:xx auto-mac=no name=bridge
Where x are random[0-9A-F]

My MTCNA tutor taught to increment the first digit set by 2.
IE 00:AA:BB becomes 02:AA:BB

Steveocee

What happens if you use MAC address rather than IP? I always use MAC where I can as it means I don't lock myself out with L3 problems.

Steveocee

Are you plugged in to ether2 when you are doing this? If you are connecting to the router via IP, the IP sits on the bridge, if you remove the port from the bridge then you lose your IP connectivity.

Steveocee

IP>DHCP-SERVER>NETWORKS

Click into your network and then use the DNS box to full in the DNS servers you want to hand to DHCP clients.

That should work, do an ipconfig release and renew just in case.

Steveocee

Do you need to run the traffic locally through manager? The traffic is being tunneled back to the manager hence where the CPU usage is coming from, without tunneling you should get full speed.

Steveocee

You can't connect to two networks as a client regardless of version.

If you had a board with 2 of the 5ghz chips then yes but certainly not through virtual. It simply can't do what you are asking.

Steveocee

80m should be fine even with heavy rain. Maybe use the upper channels if you can.

Performance on these is great and I find the quoted distances to be a minimum.

Steveocee

I use similar to exclude a few countries from reaching me and my router (and vice versa). Your router is most likely trying to reach DNS outside your country and updates will be coming from MT (Latvia?) so a different approach is probably needed. If this is for access control you would be better rea...

Steveocee

Serial into it and see if anything is amiss. We use a standard USB-Serial adapter and then a Dev/Null cable in between to get access. Console you will see if ports are disabled or not. Recently had a similar problem not being able to netinstall a CCR and I ended up leaving it connected for around 15...

Steveocee

You could turn on graphing for the LTE interface, activate the www server (make sure you firewall it properly) and view it locally?

Steveocee

Very difficult in general now as most P2P uses encryption.
Hope they integrate IDS/IPS feature in RouterOS in v7.

I like your optimism.

Steveocee

IP > DHCP-Server > Networks Change the DNS server you are handing out to the IP of your Pi-Hole. Done. Be careful with Pi-Hole though, I would be more inclined to statically set the DNS in the client devices rather than blanket the network as I've read recently it has been a bit flakey with provider...

Steveocee

Hex can do 48v in and out but does not have WiFi chip built in. You would need a separate AP.
https://mikrotik.com/product/RB960PGS

Steveocee

Steveocee: The solution to this is to reduse the 2,4GHz transmit power a bit so that clients sees the 5GHz net as the strongest when close. This would reduce the 2,4GHz theoretical coverage, but normally not the actual/usable coverage, since coverage is normally limited by tx power on client. Yep, ...

Steveocee

Are you sure it is not just somebody trying to attack your router and it's doing it's job? Does/Has the CPU usage subside(d)?

Steveocee

Are you using the same SSID name for both your 5G network and 2G network? Devices roaming from 5G to 2G would leave the 5G AP as running but not active. My P20 Lite is a PITA as it's dual band and I have done everything I can to get it to prefer 5G but it always ends up on 2.4G

Steveocee

With firewalls my personal ethos is drop everything and allow only what you want. Your firewall was allowing what you want and dropping "some" stuff. Your rules can be much simpler if you set them up as per below and that may transpire into better CPU utilisation. Nobody has asked what mod...

Steveocee

Its worthwhile stating that one can make up numerous Interface Lists (subset1, newlist23, etc) but the options for each list is fixed at interfaces. Valid entries are: WAN entries, LAN entries, dynamic entries, or No entries They are applied as an Inclusion Entry or an Exclulsion entry. So there is...

Steveocee

You will need to set up /tools email to work correctly but when done use the below to create a script and then run the script on mode button being pressed; #Define Email variables here :local toEmail toaddress@mikrotik.com :local fromEmail fromaddress@mikrotik.com #Ping Variables :local avgRtt; :loc...

Steveocee

It is doubtful the router is faulty. Most likely a misconfiguration. Please post your config for us so we can see and advise.
Enter into terminal; export hide-sensitive=yes
This will export your config hiding most specific details, ensure to edit out anything else.

Steveocee

I too do similar with my setup. Interface list as an example "WANs" for my 2 WAN interfaces which is good for firewall & NAT rules and make use of address lists in multiple ways. I think of it more as interface-list for hardware interfaces and address-lists for IP related. Sometimes bo...

Steveocee

There is a padlock in the top right corner of Winbox. If it is lit and locked you are encrypted. If not then you aren't.

Steveocee

Very difficult in general now as most P2P uses encryption.

Steveocee

You can have multiple routes all with the same priority however RouterOS will prioritise more specific routes over others. In your instance you can set routes to those individual IP's through the relevant WAN interfaces and still have a generic 0.0.0.0/0 rule all with the same priority and them coin...

Steveocee

It's useful in certain instances.

Steveocee

Good info all the way round.
I suspect it may have been this.......... .g. laptop connected to wifi and eth at the same time with those interfaces bridged.
It has not re-occurred yet.

PEBKAC ?

Steveocee

Hello,

This shouldn't be too difficult to do, do you need the bridge names to be dynamic some how or just a set name and comment for each? Reading your script you've already made I don't see the need for scripting what could be a few lines of config though?

Steveocee

It might be easy to hire any kind of developer, but to find a person who can quickly adapt and start working on important v7 RouterOS features - not an easy task. Anyway. Multi Threaded BGP doesn't exist. It will not be coming in v7 and is not implemented in any other brand routers. You can read ot...

Steveocee

PCC requires mangle and connection tracking to work.
Fast track removes all connection tracking in an effort to process packets faster.

No bug. No magic.

Steveocee

Very open ended question with not enough detail.

An unhelpful answer would be: Are they both turned on?
A helpful answer would be, please post your configs for all to see and help you.

Both answers are applicable with ambiguity of question.

Steveocee

Hey Steve, can you elaborate? My bridge has a mac assigned, why would one need to assign it a different one? Or Are you saying that each interface to bridge interaction should see a different bridge mac address and if so how to do that??? By default the bridge uses auto-mac which grabs the MAC addr...

Steveocee

Where is "total-bytes" coming from? The router does not register or hold this information unless using hotspot.

Steveocee

It can be helpful setting a MAC address for your bridge. I generally tend to use ether1 MAC as a template so if the MAC is 00:01:02 I will increment the second character by 2 so it becomes a made up MAC of 02:01:02 and this has resolved these situations before.

Steveocee

How are you trying to reset? You can't just push the reset button with MT. Are you deploying this to a public facing connection straight away? Try resetting (properly) then connecting only your computer to the device, ensure you use a decent admin password in doing so. To reset you need to hold rese...

Steveocee

Try having console open and watch what it says to do. I had similar and the router was waiting for a reboot.

Steveocee

What does it say in the logs?
5Ghz may be disabling itself if it "thinks" it is seeing DFS and is in a DFS channel. You need to provide more of your config for further help.

Steveocee

Even with a fully implemented and well working TDMA I would not expect you to be able to manage a 10Mb upload from one client whilst still providing anywhere near 70Mb to the others as download. For the cost of a single CPE it's worth keeping your 16 customers happy so 1 doesn't ruin the experience ...

Steveocee

Your PPTP client is creating it's own route which is not helping /interface pptp-client add add-default-route=yes connect-to=XXXX.privateinternetaccess.com \ dial-on-demand=yes disabled=no name=PPTP-PIA password=XXXXX user=\ XXXXX Should be /interface pptp-client add add-default-route=no connect-to=...

Steveocee

MikroTik and UBNT SFP compatibility is quite good. I've just deployed a pair of UBNT SFP's one end to a UniFi switch and the other to a hAP AC.

Steveocee

Any update?

Not available (yet) but both SFQ and PCQ can provide a solution if you don't have brand flexibility.

Steveocee

I would be very tempted to install an additional piece of hardware to serve this client on their own link leaving your large sector for the others.

It's that upload with TDMA that is affecting you. I doubt there is very little you can do to mitigate it doing this other than splitting the load.

Steveocee

Agreed. Certainly not an RB. Most likely an Alix as previously mentioned.

Steveocee

The Hex(s) would only be as powerful if a little less than your current router so I would steer away from that if possible. RB4011 is a relatively decent choice although I would argue that as this is effectively a corporate and production environment it would be very good justification to run in a C...

Steveocee

You don't have the ether into the combo port do you? Combo is 1 or the other and not both.

Steveocee

If you add it through ESXi as you normally would then it should present in RouterOS as "Disk1" or similar.

Steveocee

If you WAN links are more than 100/100 then I'd recommend getting a dedicated router and switch rather than the CRS112 I'm currently targeting routing between dual Gigabit WAN links (800/200Mb/s for download/upload on each) and 20 WiFi access point. Which product withing [1] Mikrotik routers range ...

Steveocee

Can we get some example of your config?

Steveocee

Your ISP will need to make this change for you. It's incredibly simple and easy for them to set up but UPnP is looked down on due to it being a huge security risk. You may be better off setting your XBOX to a static non DHCP ranged IP and then asking for relevant ports to be forwarded to it. Your ho...

Steveocee

How do you want to use your 2 connections? Are you wanting to load balance them or have a simple failover? Simple failover could be achieved like this; /ip route add check-gateway=ping distance=1 gateway=PRIMARY_WAN_INTERFACE add distance=2 gateway=SECONDARY_WAN_INTERFACE For your NAT rules I would ...

Steveocee

I use a far simpler version of what @anav uses but probably just as viable for you. It's fast, simple and doesn't require any scripting either (nice for a MT solution). This takes anav's approach and uses the actual WAN interfaces, my personal ones are pppoe_client1 and 2 but you get the idea. /ip r...

Steveocee

Firewall rules run from top to bottom. It's good practise to have a "drop all" at the bottom anyway but if you wanted something as a counter then yes you could move it higher up. Due to the way traffic "cascades" though if a packet matches on a rule higher up then it won't cascad...

Steveocee

Master/Slave relationship used to be when you wanted to switch interfaces on the same switch chip. The master was designated as a "main" interface with all slaves able to switch to it, from itand between each other. 6.41 flipped that on it's head with the "new" bridge implementat...

Steveocee

Hi Carlos, The mANT mentioned will be fine for what you want. Although all (well most) MikroTik kit has fully fledged RouterOS running on it, it's incredibly versatile in that it can be configured to do more or less anything you want. If you wanted to achieve what you said in your OP you can simply ...

Steveocee

What are you doing that double PAT is becoming a problem? I only ask because there is so much "oooooooh don't do that" about this but rarely is the root cause mentioned other than the originator has "read it's bad". What are you struggling doing OP? Is there any room to speak wit...

Steveocee

Maybe both are correct?
System disk size can only be up to 16GB however that does not stop you adding additional disk at a size of your choice?

Steveocee

So you bought this pre configured by liberty?
If you did and you net install them you will lose all settings, some people can be very rash with suggestions on here.

Do you want to actually reset the device to factory or simply gain access and add an extra VPN tunnel,?

Steveocee

You can also encourage (read as force) people to use your DNS with the below as well, just make sure they are placed at the top of your NAT table. /ip firewall nat add action=redirect chain=dstnat comment="DNS Loopback" dst-port=53 protocol=tcp src-address=192.168.109.0/24 add action=redir...

Steveocee

Using export via terminal is the best way to "see" your config in it's raw format. A slightly more person friendly approach would be to do something like; export file=myrouterexport This saves the export locally. Then using Winbox go into "Files" and download the complete RSC file.

Steveocee

Are you using hardware offload? If so, turn it off as this will negate that.

Steveocee

Yep, this is default value now, even for Gb capable switch (?) [admin@Mancave-Switch] > /interface ethernet export # nov/22/2018 14:20:55 by RouterOS 6.43.4 # software id = DV88-GETP # # model = CRS125-24G-1S # serial number = REMOVED /interface ethernet set [ find default-name=ether1 ] speed=100Mbp...

Steveocee

What happens if you remove auto negotiation, can you force Gb?

Steveocee

This is very easily doable using a simple queue however you'd need to give some more details for anybody to give you a meaningful response that you can glean config from.

Steveocee

Making more threads just halves the attention

viewtopic.php?f=13&t=141884

Steveocee

I'm not totally understanding what you are asking? Is this filtering out port 21 on outbound traffic or just internally?

Steveocee

If you are physically connected to the router then you should be able to use L2 MAC connection through Winbox.

Steveocee

Passive only and 24v at that. I thought Netgear "only" did 48v PoE

https://mikrotik.com/product/RB750r2

Steveocee

Your rules don't look especially heavy, I've had similar amounts running on an RB951Ui which on paper has a worse CPU (read that "on paper" part though). Saying that the RB951Ui often in my testing performs better with Btest then the hap AC which should be better due to the newer and faste...

Steveocee

Would be fine.
I use a Hex PoE Lite at my parents paired with one of the older UAP-AC-LR's which runs from 24v and the pairing has always been rock solid.

Steveocee

This is the basic setup I use for both my main internet connections as well as my VPN setups, it's fast (very) and requires no additional scripting or netwatch usage. Just ensure your pppoe client does not create it's own default route. /ip route add check-gateway=ping comment=Internet distance=1 ga...

Steveocee

Pre-empting the worst is probably the best summary.
If they're poking at certain ports when they shouldn't then you probably don't want them poking at anything.

Steveocee

Roaming in this way is driven by the client device, you can have the best setup in the world but a sticky client won't move. You can try to encourage this movement by ensuring you are using non overlapping channels and employing a minimum RSSI on the AP's.

Steveocee

I've dropped you an email. My extract has probably 95% of what you need, just need to change the line that grabs the MAC address to grab the SN and you should be good to go.

Steveocee

A dst-nat rule should do this week enough. If you match against anything destined TCP/UDP 53 and just dst-nat it to your server you can rule all dns through it.

Have you specified it on the DHCP server as well or is the MT not doing that?

Steveocee

Glad you got it sorted.
Maybe just shuffle the "accept dst-nat" rule to number 3? You really want the rules with the most traffic towards the top so the packets are not delayed in being handled and est&rel will be the highest ones (in most applications).

Steveocee

Thanks for some feedback - i will look at making a few amendments to my base config generator to include some enhancements to the firewall. I have remove the IPs / screenshots from the post above Just removed my home routers firewall config with this to see how it works .. we specialise in VoIP so ...

Steveocee

I agree but just strange it allows it on Sat...

Because.......

MikroTik

Steveocee

You probably wouldn't with that implementation. You are only FT'ing the "input" traffic and not the "forward" with that rule. Once you apply it to the forward chain then things start to get a lot more interesting but it begs the question if you really "need" to? Trying ...

Steveocee

00:00:00-23:59:59

I doubt that second will go astray.

Steveocee

DNS is also open to the world!! Your firewall rules fast track anything going input then you have drop rules after this which will never work as you have already fast tracked the traffic. steve@general:~$ dig forum.mikrotik.com @X.X.X.X ; <<>> DiG 9.10.3-P4-Ubuntu <<>> forum.mikrotik.com @X.X.X.X ;;...

Steveocee

"00:00:00-00:00:00"

I think is what you want.

Steveocee

So quick follow up. MikroTik support have so far been very responsive however the implication is currently that the issue is with my computers L2 connectivity. My desktop and 2 laptops can't discover it (cabled and 2 wireless) however the 'Tik App on my phone on the same wireless AP as the laptops C...

Steveocee

If both networks are running from the one single RB2011 in the middle then you do not need to do anything to get them talking. Both networks are connected to a "router" so it will naturally route between them.

Steveocee

Right, the picture helps. >You need ALL the numbers you have mentioned >You need to change the in-interface to pppoe-out1 >You need another rule for the UDP traffic, to do this, open up your current one and choose "copy" which will open up another window copied from the first, go to genera...

Steveocee

I think you want something like this, you won't be able to copy/paste it as my in-interface name is probably different to yours, change this for your WAN interface name and it should work.; /ip firewall nat add action=dst-nat chain=dstnat comment=example-rule dst-port=3189 in-interface=ether1_WAN pr...

Steveocee

This will guide you through; https://www.youtube.com/watch?v=3ni_R03OOrg thanks but i know those things, i just don't know which one of these numbers is the port ! TCP: 1935,3478-3480 UDP: 3074,3478-3479 right now i put this (3478-3480) for both ports and chose Wlan1 for "In Interface" an...

Steveocee

This will guide you through;
https://www.youtube.com/watch?v=3ni_R03OOrg

Steveocee

How are you planning on shaping the traffic? (Out of interest).
I would recommend CHR as it is a "current" product where X86 has been left behind a bit in terms of hardware support.

Steveocee

Your problem looks to be the same as others have found a common issue here;
viewtopic.php?f=3&t=128762&p=693740&hil ... ng#p693740

Steveocee

I think you are confusing routeros version a bit with your routerboard FW. If you are uploading the file to the wAP, do a system > reboot. That will initiate an update of routerOS. Once routerOS is updated go to system > routerboard and you will see that the 6.43.4 FW is available for the board. Hit...

Steveocee

I see so I have been using the wrong file for uprade ehhhhhhhh ok I will check the architecture and let you know

It's ARM like the poster above has said.

Steveocee

I too get this however it is not so much a problem as expected behaviour. You can use split VPN types as you have found or you could set up a VPN from the router and some sort of policy based routing to get around this.

Steveocee

It sounds like there is a second DHCP server on your network. Maybe you have bridged the WAN interface? Could be a possibility. Try turning off your dhcp server and then connect to your network as dhcp client to check. Also posting config is needed with most problems, 95% of it will not be unique to...

Steveocee

Thank you for your reply. But it's vary sad...

It's a change to how you need to operate. Sad in the short term I agree but once you adjust your working methods. It will become second nature as it currently is.

Steveocee

We are the biggest UK distributor for MikroTik and we have stock: https://linitx.com/product/mikrotik-routerboard-hap-ac2-with-uk-psu-tower-shape/15370 Hope that helps Nick I live in EU, not in UK. Issue is for EU not UK. :) Good job they ship to the EU then!!! https://linitx.com/info/shippingreturns

Steveocee

35% of a quad core is 100% load of a core in single core application. Total utilisation doesn't tell you this, if you check profile when CPU is that high I reckon you have a maxed out core hence the packet drops.

Steveocee

You will need to post your config to let everyone see and help.

Steveocee

Hi Steve, Just send me the airline tickets and I will be glad to stand at one end of the connection to move things around. I am really lucky ;-) On the other hand the fetid vapours of intoxicated Brits (on warm beer) may be a cloud to dense for your traffic ;-PP That's it. Must be the toxicity of t...

Steveocee

My 2.6Km link does not want to link up. I'm using 64800 as not totally sure about legalities of 66Ghz in the UK yet. Little bit gutted as I expected at least something. Apparently you do not direct the antenna. We previously worked with SIKLU so there is experience. The main thing that would be dir...

Steveocee

My 2.6Km link does not want to link up. I'm using 64800 as not totally sure about legalities of 66Ghz in the UK yet. Little bit gutted as I expected at least something.

Steveocee

It's a great idea to have a management network if your end devices can be separated like that. Once you are in a SOHO/SMB environment then this becomes almost standard to have multiple LANs (/vlans). The trick is ensuring nobody simply plugs in to your MGMT network to access the devices. Ensuring yo...

Steveocee

Pardon me for asking but is there a specific "need" to have the traffics behave in this way?
You could simplify your life massively by using a PCQ load balanced queue and balancing over the 2 connections which would introduce failover as well.

Steveocee

Smokeping.

Steveocee

Setting up a NAT rule is not enough. If your firewall is blocking the connection then the NAT rule will not work. You'd be better doing an export of both your firewall filters and NAT table for everyone to see and advise on. The default config has a rule to drop anything non-dst NAT'd which is very ...

Steveocee

CRS305-1G-4S+IN Maybe a stupid question but could one use the above device as an ethernet translation/adapter device (ethernet in from the LAN, fibre out to specific locations or devices)? The info says the ethernet is strictly for management so me thinks not. You could use an SFP+ to ether net ada...

Steveocee

Maybe this then?
https://mikrotik.com/product/hap_ac2

Steveocee

Which one would be recommended? Small physical size would be good for me...

Where is your budget at? A hAP AC2 could do what you want but so could a CCR1009. Budget plays a part.
I take it the CRS125 can be reused as a switch if you need that many ethernet ports?

Steveocee

So, I have too much firewall rules and/or too much VLAN routing?

Yes.

Steveocee

You need a ROUTER not a SWITCH WITH L3 CAPABILITY.
Your config is far beyond what I would ever want to deploy onto a CRS125, you are asking too much of it.

Steveocee

I suggest you all write to Mikrotik support, seeing as they clearly don't believe me - based on the fact that they have done NOTHING about this bug in the last 9 months.
Posting here is essentially pointless.

Done.

Steveocee

Would be nice if CRS112 was half rack width with option to join 2 together to make 16 port full width.

Steveocee

How are you auth'ing these users?

You can build contention groups within simple queues without too much problems. Just need a way of identifying who is in which pipe;
https://wiki.mikrotik.com/wiki/Manual:HTB

Steveocee

SMB over the web is hideous. Latency will affect the performance massively. If you can you might be better trying to get an FTP or SFTP up and attack it that way.

Steveocee

Interesting as both statements can actually be correct at the same time if you read the information as a whole..... User added entries (user in place of admin, you know, the ones you specify yourself) take priority over servers gained dynamically -HOWEVER- If a server is gained dynamically BEFORE a ...

Steveocee

Normis I understand your comment about 8 Clients 125Mbps etc, but the problem is we are competing with full fibre installs in the UK and a speed test at 100Mbps is not what they signed up for or expect. We offer 100, 250, 500 and 1Gbps plans and having that missing product in the middle is a real p...

Steveocee

This implies that the router is certainly capable;
https://mikrotik.com/product/RB951G-2Hn ... estresults

Most likely an issue with your configuration. Can you post an export for all to see?

Steveocee

Unless you find an alternate reference stating otherwise, I think you may owe me some brewskis :-)))))) "When both static and dynamic servers are set, static server entries are more preferred, however it does not indicate that static server will always be used (for example, previously query wa...

Steveocee

Hi Steve, - DHCP Client, USE PEER DNS, instructs the router to use ISP DNS servers - IP DNS, allows one to enter in manually selected DNS Servers such as google and dyndns They both show up on the IP DNS page, and from what I gather the USE PEER DNS takes precedence and thus although one may have g...

Steveocee

For IntusDave:
Do you have any problem or do you update? I run your script but the script didn't download nothing.

I thank you for your help!

Are you running IP > Cloud ? Would be the "easiest" thing to check at this point as it is a prerequisite.

Search found 1120 matches