MikroTik

mkx

In the CAPsMAN setup, you have to set client-to-client-forwarding=yes (default is no) ... it's a datapath property.

mkx

Since your wireless setup consists of all Mikrotik devices, your slave should be configured to "station-bridge" mode ... pseudobridge has a heap of problems, missing DHCP assignments is one of them.

Read extensive article about different station modes and their problems.

mkx

It's an RB850Gx2 running ROS 6.47.9 Could be that the problems you're seeing are related to older version of either ROS or Winbox. The version of ROS you have on your device is pretty dated. It's fine to stay with v6, but you should upgrade it to latest v6, which is 6.49.10 ... And make sure you'er...

mkx

I didn't realize this forum is not monitored by mikrotik which is pretty unusual. Well, it is monitored, but loosely. We do see some MT staffers discussing here and there, but this forum is more or less intended for user to user interaction. It seems that MT wants bugs and issues officially logged ...

mkx

And you're seriously comparing GPT's ROS scripting skills with Rex? Oh my... we need more cats.

mkx

Winbox connectivity is configured under Tools>MAC Server ... and uses interface lists. Winbox visibility is configured under IP>Neighbors>Discovery Settings ... and again uses interface lists. Default setup uses two interface lists: WAN and LAN, by dedsult ether1 is member of WAN and bridge (includi...

mkx

For a, quote: "For a fly by night DYI", gear with youtube tutorials, provided by vendor and with actors speaking various dialects[*], is the best choice. With anything else, one is on his own. Umm, wait a minute, isn't this a part of DIY concept? Now I'm confused. [*] it would be unfair to...

mkx

Quite possibly yes. AFAIK RB-GPOE works both ways (also as "extractor"), but requires the PSE to work with passive PoE devices. CRS328 can be set to work with passive PoE clients when selected low voltage output (26V), which is great in this case. The only remaining detail is how to "...

mkx

Nobody is forcing to order a CD and pay for preparing it and shipping. How about that documentation? I am practically forced to waste time in rereading sentences multiple times while trying to clarify what the (obviously) non-English speaker meant through an ugly translation. Is that what customers...

mkx

My RB4011 has cores at 100% at less than 1 Gbps without FastTrack on v7 ... I have the opposite experience: my hAP ac2 was at 15-20% under v6 when doing 30Mbps (at the time I was using 30/5 VDSL), the same unit now is at 10% when doing 980Mbps (I have FO 1Gbps/100Mbps) on v7. Alas: I did netinstall...

mkx

Just beware: traditionally, ROS wasn't known for exploiting full USB capacity when working with USB flash sticks. So if a device supports USB3, this doesn't mean you will get 100MBps of file transfer rates (if USB flash disk can do it on normal computers), it might still be limited at some significa...

mkx

Just wondering... Both times this happened after a regular shutdown (/system/shutdown). Is there anything special now that breaks configuration?

Check storage space ... right before shutdown. If storage is full (or close to full), then this might be the reason for problems.

mkx

zandhaas use check for updates button and ignore the above ranting. nothing special has to be done. upgrade and forget ******************************************************** And it's true but then you have the "old" wifi package and not the qcom-ac package installed. Yes, that's a part ...

mkx

free storage space 304 KiB
How much free storage did you have on 7.12?

I posted pretty detailed observations about storage usage in my post #71 above.

mkx

RAM consumption is a dynamic thing ... and it starts from 0 after each reboot, so you should not worry about it too much. Unless your device crashes, like @sinisa observes. After all, until 7.12 wave2 driver, requirement was device with 256MB RAM. And I guess your hAP ac2 has 128MB ...

mkx

Beware of small antennae, usually antenna gain is inversely proportional to antenna size. An idea: since your problem is that device itself is inside metallic housing, why don't you re-use original antennae. only use cables of appropriate length? Depending on cable quality, additional loss is around...

mkx

The point of my question is that minimum power draw doesn't matter if device actually draws higher power significant portion of time ... as you explained your setup lacks heat dissipation, but you have to make sure that device doesn't overheat during expected (extended) periods of time with higher a...

mkx

The only way to get anything sent over PPPoE link is to have ISP to route it through. And since that traffic is actively routed via the PPPoE link towards you (ISP already configured their router to use your PPPoE link when sending the traffic for the new /29 address space), you don't have (and shou...

mkx

ChatGPT is as good at writing ROS scripts as with any other things: mostly it gets things done (surprisingly well), but sometimes it fails miserably ... the problem with ChatGPT failing is not that it's failing, the problem is that it doesn't admit that it cant provide a good result, instead it pres...

mkx

*) disk - fixed hang on reboot when network file systems mounted; That is interesting! Strods says 'Please remember that actual "bugs" must be reported to support@mikrotik.com complemented with logs, supout files, etc.' above. @pe1chl, do I understand you correctly that you're complaining...

mkx

... we require a smart LTE antenna ... What is your definition of word "smart" in this context? In UK smart means "having a clean, tidy, and stylish appearance" while in US smart means "intelligent, or able to think quickly or intelligently in difficult situations" ......

mkx

If one takes official test results with a pinch of salt, then RB4011 should be able of routing at roughly 2.5Gbps give or take. The number is approximately 10-times larger than the one of RB2011. I guess that your particular use case (200 1-to-1 NAT mappings) does mean somehow more complicated setup...

mkx

What I wrote above is my definition of idle device, for the purpose of measuring power consumption. Performance I need is full 1Gb routing with firewall, VPN and many many parallel connections. So what is your expected busy/idle ratio? If it's higher than 0.1 (or even less), then idle power consump...

mkx

If I create a backup now, it's gone again after a reboot. It seems that you're not aware of one fact: on devices with flash storage equal or less than 64MB (I think that's the magic size, could be 32MB), the root of file structure resides on RAM disk and the (raminder of) permanent flash storage is...

mkx

Then, I loaded my configuration, which is only 1 MB in size Configuration 1MB in size is not "only", it's huge for a 16MB flash device IMO. My hAP ac2 config, while device was running ROS v6, contained two country address lists (both for IPv4 and IPv6, so this actually makes 4 decently si...

mkx

If you're not able to decide which public IP address you're supposed to use, then I wonder if you have skills and information needed for the task you have to do?

mkx

While waiting for a comment from MikroTik engineers, ...

If you're serious about getting a comment from MT, then you better open a support ticket with them ... using official support channels, this forum is not one of those.

mkx

However, when users follow the official doc and at the end the cofiguration is not working, it can get frustrating. In the MT official doc, pihole container is only mentioned as an example of how to build a container. It doesn't touch the workings of the container contents at all ... so I don't see...

mkx

*) - idle is defined as: configured and working device, few registered devices (wifi), small traffic (up to 1Mbit).

How comes that RB2011 doesn't have enough performance for what you wrote above?

mkx

Isn't it the other way around (enabling TX flow control does the signaling)? My bad. But the point is: you need both flow controls enabled on both sides of a link or else it doesn't work. Now, in your particular case: you're saying there are Tx pauses on CCS610 but no Rx pauses on conected CRS310 p...

mkx

RouterBoards are far from SDRs. RouterOS is a closed source OS which only runs drivers made and approved by Mikrotik.

Therefore I'm guessing that you'll have to forget about Mikrotik for your science project.

mkx

So when 7.12 with installed wifiwave2 package gets upgraded to 7.13beta1 (or newer), wifi-qcom (or wifi-qcom-ac) package replaces the previously installed wifiwave2 package. I noticed an important difference on AC2 (no previous wifiwave2). Wireless was there after upgrade... Sure thing ... because ...

mkx

Did you enable both tx-flow-control and rx-flow-control on all involved ports on both switches? As far as I understand, Rx flow control only signals the other end of each physical leg that it needs to pause if port receives feedback from upstream buffer ... and as far as I understand, most switches ...

mkx

The document, linked by @EdPa in post #2, says: The configuration menu used to be called 'wifiwave2' in RouterOS versions before 7.13, where it was a part of the 'wifiwave2' software package. So when 7.12 with installed wifiwave2 package gets upgraded to 7.13beta1 (or newer), wifi-qcom (or wifi-qcom...

mkx

You do realize that container images them selves are not Mikrotik's business, right? Anything you place inside container image is on you, you have to find relevant documentation (possibly on container package maintainer's site). Mikrotik only makes possible to run container images and that's where t...

mkx

What is possible to do to avoid double reboots, but requires quite some manual work: download main package of new ROS version for correct device platform open it using 7zip and extract correct routerboot firmware file. It's inside etc/ folder, but most platform packages contain multiple firmware fil...

mkx

Even if I can do VLAN tagging based on specific MAC addresses I would still need to route the traffic from bridge->bridge which I would think would result in the same behavior. Nope, from IP layer point of view, it would be vlanX <-> vlanY traffic ... in this case, bridge interface has no meaning a...

mkx

Do devices running the new wifi-qcom-ac package still have the old wifiwave2 limitation where VLANs couldn't be configured? Found it in the wiki: 802.11ac chipsets do not support this type of VLAN tagging (vlan-id), but they can be configured as VLAN access ports in bridge settings. Just upgraded m...

mkx

hAP ac2 has a few led lit during normal operation: power led on tge same side as ethernet ports and power jack - between power jack and ether ports. It's steadily lit after power on. ethernet activity leds on the otger side ... beliw those dot pictograms (those dots are supposed to represent the num...

mkx

I stand by my first line of my previous post.

I'd think again (and again) about necessity to run two IP subnets over single ethernet broadcast domain.

mkx

I was unable to import the public key ED25519 from my YubiKey, I successfully imported ed25519 keys, created by openssh. The pub file starts with "ssh-ed25519 ", continues with 69 characters (the actual publuc key) and followed with key owner identification (user@host). Format of file on ...

mkx

Do as it says: write to support@mikrotik.com

mkx

As long as you take into account the differences between different technologies when estimating throughput from SINR, then you should get some sensible results. Just don't react on minor differences, when estimating throughput from SINR the error margin can even exceed 50% (I guess).

mkx

As the error message says: disc-lite5 already serves maximum number of clients and the new one is not allowed to connect. Two things, in order from less important to the critical one: taking from description from diagram "PTP BRIDGE AP" ... I'm assuming that disc-lite5 is running in "...

mkx

This seems to be ax-related bug. So I suggest you to create supout file at the time when ax2 is unable to communicate with OpenWRT (WPA-TKIP only) ... and open trouble ticket with support@mikrotik.com.

mkx

You've placed yourself in a pond of mud ... I assume your client devices are configured with /24 subnet and proper gateway address, so initially they don't know a squat about the other subnet being available on the same physical network. And this is what happens: deviceA (e.g. from 10.0.0.0/24 subne...

mkx

I don't use DoH, so I can't provide you with definitive answer here. But: your setup uses FQDN of DoH server ... so before DNS DoH client on your router can resolve anything, it has to resolve FQDN of DoH server itself. Do you see the chicken-egg problem here? There are a few ways out, one is to set...

mkx

According to specs, both devices you mentioned are nearly identical wireless-wise. So they should perform similarly as long as positions of AP and clients doesn't change. Any obstacles, even TV set, negatively affect the range and throughput. When there's an obstacle close to a device (either AP or ...

mkx

Honestly, it's not even worth the effort. It has no impact on router performance and is not indicative of any issue at all. Thank you! Netinstall didn't helped. :( Netinstall formats flash disk in a sense of writing new filesystem metadata. But I highly doubt that it does low-level format of flash ...

mkx

Meanwhile, still can not understand how to get to SFP Module information page... The IP manually assigned to the SFP interface leads to RouterOS Web GUI... :? If you try to access IP address, assigned to one of ROS interfaces, then ROS believes (rightfully so) that you're trying to use ROS service....

mkx

... Mikotik Manual:Fast Path says that FastTrack is FastPath+Connection Tracking. Does it means that FastTrack contains Fast Path？ My interpretation is that without fastpath there is no fasttrack. However I have mixed feelings about the importance of fastpath ... as fastoath manual specifies, there...

mkx

You really can't AFAIK. In theory it's possible, in practice not so much. SINR figure gives a very good estimate about maximum possible spectral efficiency. Google for "SINR throughput" to read more and get some tables/charts (one random link ). But then there are other unknowns. SINR val...

mkx

Well, if you're running firewall, then fastpath doesn't make much sense (if I understand its function correctly, it's a shortcut between different drivers and traffic then bypasses some of generic L2 of ROS and all of L3, for firewalling such shortcuts should not happen). Fasttract is (again accordi...

mkx

The information, shown in the screenshot, is actually data about reception on RB951 side for that particular wireless station (station doesn't report its stats to AP). So the values shown by AP mostly depend on station's transmit capabilities and (to a lesser extent) on AP's reception capabilities (...

mkx

... I was assured that this bug has been fixed in the 7.12 branch.
Well, it isn't. Still...

[sarcasm]
Well, 7.12 branch isn't abandoned/surpassed yet.
[/sarcasm]

mkx

I guess the concept you described is quite fine. If you care about autonomy while on batteries, make sure you get a highly efficient DC-DC down-converter. Some shitty ones can have efficiency as low as 50% and difference between 0.5A and 1A of power draw for 10W load (at 24V) is significant if batte...

mkx

Noticed that on all of them I needed to reboot a second time to upgrade the routerboard firmware despite having "/system routerboard settings set auto-upgrade=yes" configured. That's expected and has been so ever since auto-upgrade is available. The reason is that .fwf files with new rout...

mkx

I don't think you can get around this "positive-negative" mismatch without DC-DC converter. Unless you're willing to mount RB so that metallic parts of its chassis don't touch metallic parts of rack and other devices (i.e. have its chasis galvanically isolated from the rest of your DC). Yo...

mkx

It could be 5009 specific (i.e. a bug), but anyway: check how frequently graphing data gets stored to flash, it's under Tools->Graphing->Interface Rules->Graphing Settings ... it seems that default is 24 hours, try setting it to shorter interval. This probably won't make the bug disappear, but you'l...

mkx

I think @pe1chl is right: telco DC power supply is nominally -48V, so positive on chasis. IT gear, if DC powered, is almost always +48V, so negative on chasis.

mkx

The config may partly work but it's all wrong. Have a look at this tutorial about how to properly configure VLANs on mikrotik devices.

mkx

You are wrong. Let's have a look... v6.48.4 [stable] on Mon Aug 23, 2021 v6.49 [stable] on Thu Oct 07, 2021 v6.48.5 [long-term] on Fri Oct 08, 2021 What your table doesn't show and I'm not sure it's possible to get that missing info from the past: when exactly did 6.48.x got promoted into long-term...

mkx

Which existing version should become long-term?

My favourite kebab-retailer said that 7.1.5 was a good one ...

mkx

Trying to figure out why Bridge is passing packets through firewall. Packets from where to where? Since your posted setup heavily deviates from defaults, I strongly suggest you to disable detect-internet , i.e. /interface/detect-internet/set detect-interface-list=none . As to DNS: you're heavily ma...

mkx

How would you implement this within a flat network setup? Either simply add bond interface (bonding1) to bridge1 which makes the bond (from layer 2 perspective) equal member of LAN network. You can do teh same on both devices, in that case use one as switch only, without firewalling, routing, DHCP ...

mkx

Hi buy one Rb L41G-2axD I upgraded from 7.8 to 7.12and the Wireless interface disappeared, what should I do to get the wireless interface back?

Install wifwave2 package (from extra packages). Next time use built-in upgrade feature which upgrades all installed packages automaticalky.

mkx

Are you sure that bridge HW offload is disabled (at least for ports which are of interest)?

mkx

Huh? This is definitely a no-go: /ip address add address=192.168.1.9/24 interface=bridge1 network=192.168.1.0 add address=192.168.1.31/24 interface=bonding1 network=192.168.1.0 You can't have two independent interfaces with same network address and expect for router to figure it out. And if the same...

mkx

Config says that device should be transmitting SSID with name MikroTik-2C00AA and that it's an open AP, i.e. no password needed and no encryption used over the air. Config also says it's running ancient ROS version and that config has a minor error in config (due to error in default config): LAN IP ...

mkx

RB951G boots with 7.12. Can't say if it's stable, nobody's at home ATM. ;-)

mkx

Post #11 above (by @jericho63) IMO shows that throughput problems are not due to traffic hitting CPU (it'd be much higher than 2% at 2.5Gbps) but some other reasons, internal to how switch chip handles the traffic. High CPU load while running btest is usual but has nothing with normal traffic handli...

mkx

Did you try to enable flow control (both Tx and Rx) on all involved ports? The thing that bothers a switch the most is speed change - from faster to slower port. In this case switch has to buffer data and we all know that buffer bloat is bad. So when that tiny buffer fills up, switch has two choices...

mkx

From release notes of 7.12 (released today):

*) ssh - added support for user ed25519 public keys;

So upgrade to 7.12 and check if it works for you. If not, then ask for support directly MT support (support@mikrotik.com), posting in this forum won't help (much).

mkx

If you try to access PiHole web interface by connecting to that IP address explicitly and you don't get the expected behaviour, then this has nothing to do with dst-nat, it has either something to do with routing or config on PiHole device itself. So post full config of your router to see if it's th...

mkx

To get better idea about what's going on you may want to fire up wireshark on client and capture all communication. But in a nutshell it's like this: client has IP address 192.168.0.254, netmask /24 and gateway 192.168.0.1. Let's assume there are no specific routing rules on client. similarly server...

mkx

The whole wireless shebang should be under "Wireless" menu subtree (winbox, top part of left frame). Check the settings there. If you can't figure it out, then post the textual config export: open terminal window, execute command /export hide-sensitive file=anynameyouwish , fetch the resul...

mkx

Nothing wrong with it, IMO it was one of greatest Mikrotiks at its time. I've got 2 of gigabit variant (RB951G) at home and they are fine. Great as switches, fine as 2.4GHz APs (802.11 n only) with very decent range (being high-power wifi APs). A bit slow if used as routers (should handle 100Mbps ju...

mkx

If you can't go with wires, then configure naster wireless interface on cAP as station-bridge. The rest of config should be as dull as possible: create a btidge, set all interfaces as bridge ports (both ethernet interfaces, master wireless interface as well as virtual wireless interface), create a v...

mkx

If I understand you correctly, you're trying to use dual WAN with some policy-based routing? If that's right, then ... PBR works best if the device enforcing policy is the default/only gateway for LAN hosts. In case of your prefered provider that will mean double NAT but most of time this won't hurt...

mkx

Hi, I just received a new RB951 router ...

My, oh my .... that device is discontinued (note the filter settings), how did you manage to buy a new one?

Anyways, let me google that for you ... it's the first link offered.

mkx

We are all becoming androids

mkx

at some time a release has to be made.

Says who? ;-)

mkx

Assuming you're running legacy capsman (with separate configuration subtree under /capsman) ... your caps-man datapath config most probably lacks setting client-to-client-forwarding=yes ...

mkx

ping from bridge0 to bridge1 address > ping 192.168.77.1 interface=bridge0 When you run ping with interface= property set, this actually overrides the egress interface selection (you probably expected that it somehow selects source IP address). Essentially you're overriding part of routing process,...

mkx

A few errors in your config: you configure VLAN interface vlan100 on ether3 ... which is later enslaved as bridge port. You should never do that ... if ether3 is supposed to carry non-vlan traffic which is of interest of other bridge ports, then you should properly configure bridge with vlan filteri...

mkx

I also read that germany has 'deactivated' it's 3G. The freed up frequencies are used for LTE. Does the LtAP ignore those frequencies if I uncheck 3G? The 2G/3G/LTE checks are about technology, not about frequencies. So you can safely uncheck 2G and 3G, your LtAP will not ignore LTE on B1 and B8 (t...

mkx

Your IPv6 settings are the same as I have when ISP uses simple IPv6 over ethernet. So I guess these should be fine unless your ISP requires something special ... Regarding prefix: DHCPv6 has two properties: pool-prefix-length which should be left set to 64 unless you know (much) better .. and prefix...

mkx

A question: what kind of technology (from your router's point of view) does your ISP use? Is it plain ethernet? Or is it PPPoE? In the later case default route is configured differently.

mkx

Dynamic gateway is missing. On my router I get such entry: Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, g - SLAAC; + - ECMP Columns: DST-ADDRESS, GATEWAY, DISTANCE DST-ADDRESS GATEWAY DISTANCE DAg ::/0 fe80::2cc8:1bff:fe77:dee6%vlan-99 1 Note the 'g' flag (gateway).

mkx

You can check actual state of IPv6 routing table by executing /ipv6/route/print But it comes with a gotcha: you have to run fairly recent ROSv7 ... 7.11.2 is fine but I don't remember when print command of routes started to display dynamic routes. You can also run /tool/traceroute 2001:4860:4860::88...

mkx

IPv6 routing is different than IPv4 .... in particular, DHCPv6 doesn't provide gateway information. Instead, Routing Anouncements are sent out by routers. By default, ROS is configured to ignore those ... which might be safe but it's wrong. You should enable it: /ipv6/settings/set accept-router-adve...

mkx

You should set address to your LAN interface. By setting whole address, you are not actually using pool functionality (which takes care that all prefixes actually fall into pool prefix space) risking invalid configuration in case that assigned prefix changes ... using pool changes in prefix are hand...

mkx

I don't know how exactly you configured those IPv6 addresses ... but in principle it should be done like this: /ipv6/address add address=::aa:bbcc:ddee from-pool=pool2 interface=exampleInterface The above will pull a yet-unused /64 prefix from named pool and add the postfix part set by address prope...

mkx

When configuring DHCPv6 client, you should set (or rather: leave at default) pool-prefix-length=64. Because that's the prefix size created by the pool when one configures IPv6 address with from-pool=ZZZ property.

mkx

You'll have to show the config of both MTs ... export them to text file and copy-paste contents inside [code] [/code] block.

mkx

The list, per-se, doesn't clarify the contiguous vs. non-contiguous, it just says it supports intra-band CA (e.g. 1+1).

mkx

PPPoE works directly over ethernet (MAC) so nothing that ARP can help you with. If you're using ARP reply-only as a sort of security measure, you'll have to reconsider your strategy.

mkx

All of rules where you have log=yes are suspects. It's not clear why neither input nor output interfaces are known, but if you find the exact rule logging these events it might be possible to find explanation.

mkx

Clients are connecting to 5G when they start the connection near the AP. If they connect at further distances, they don't switch from 2G to 5G when they get close to the AP. This behaviour very much depends on clients (and almost doesn't depend on AP). The wifiwave2 driver enables the roaming featu...

mkx

Try only activating LTE bands 2, 5, 12 and 41n (?) as these the only ones both provided by T-Mobile according to their FAQ ...

The bands you're mentioning are not used in Europe. Bands, mentioned by @OP in OP, are just fine.

mkx

The maximum speed for 3g is 7.2 Mbps. Actually UMTS/HSPA (3G used in Europe and hence Gernany) can be a bit faster, but not many MNOs kept up with 3G development after they rolled out LTE. Most HSPA networks go up to 21Mbps (DL), another step is 42Mbps (but that's sort of CA, not many HSPA networks...

mkx

Two suggestions (not sure if any if them will help): disable "Detect internet" ... winbox is only allowed through LAN interfaces and if "detect internet" somehow misdetects and "proclaims" LAN interface as WAN, then you loose connectivity. IMO "Detect internet"...

mkx

A far shot: if firewall rules (including mangle) are incompatible with fasttrack, user throughput drops to the floor. If you post mikrotiks' config (text export), we might be able to help you better.

mkx

Sure thing. Before doing anything else, create backup fetch file off device (so you can revert to current config in case something goes wrong). Also get winbox (if you don't have it already) for the same reason (it can connect to MT device even if IP setup is FUBAR). The most straight-forward way (b...

mkx

0 - install wifiwave2 package (and reconfigure wireless setup, wifiwave2 uses different configuration tree). You're running legacy wireless drivers and those make much slower wireless than the new wifiwave2 drivers. And you're lucky to have hAP ac3 which is one of few pre-ax devices capable of runni...

mkx

I'd be very surprised if 5GHz interface goes silent and there's nothing in logs. The only explanation would be older version of ROS running on your Chateau ax. In early ROS 7.x versions there were quite some bugs in wifiwave2 driver, in latest versions (7.11.2 as of time I'm writing this) wireless w...

mkx

... may we connect it on L2 with keeping every bridge own MTU? No, you can not. MTU is integral property of a L3 network ... which most of times overlaps with L2 broadcast domain (or L2.5 if one uses some advanced L2 tech, such as VLAN). Fragmentation is performed by L3 entity (IP stack of e.g. a r...

mkx

Correct. You also don't add bridge port to list of VLAN members.

mkx

Again: how exactly does the network topology look like when hAP ax3 is in the picture? BTW, when doing speedtests, try to select same server every time. My experience is that some servers some times give lower results than others. If your ISP runs their own speedtest server, use that one, many ISPs ...

mkx

I can be helpful, but I don't like spoon-feeding fellow users. So: did you go through tutorial I linked in my previous post? If yes, what exactly seems to be a problem?

mkx

One thing that does affect throughout is the fact that hAP ax3 has only got one 2.5Gbps port ... so if you connect it between PC and cable, one of legs will be limited to 1Gbps. Next: if you're trying to use wireless, make sure hAP ax3 is connected to cable using the 2.5Gbps port. Then: default wire...

mkx

It seems that you can't stop those scripts. But reconsider the strategy of your script ... or implement some checks. If it's run every minute, does it have to run in endless loop? Perhaps you could drop the loop and rely on scheduler to run it frequently. Or add ability to detect already running scr...

mkx

Why would HW Offload break my configuration? Most probably switch chip can not (or is not properly set-up by bridge to) work with required 802.1Q headers. And since WAN port is the only port of that bridge, offloading doesn't make much of a difference, apart from handling 802.1Q headers (which seem...

mkx

GPON SFPs are pretty tricky in ROS as well.

mkx

Yup, capsman2 (with wave2 CAPs) definitely improves mobility (roaming), so it's sensible to run capsman2 even for only 2 compatible APs. And since capsman2 shares quite some configuration with local wifiwave2 instance, I wouldn't be so negative about using capsman anymore (this was way different for...

mkx

Some of 5GHz channels are subject to radar detection ... if AP detects anything remotely similar to radar signals it has to stop transmitting and search for different channel. Depending on particular setup it might be too limired to find a different channel to use. However, something should be in lo...

mkx

In few words: I can't run CAPsMAN and a CAP on the same device. You don't have to ... and you're not supposed to. Wifiwave2 and capsman2 share setup, so you should provision local wifiwave2 interfaces directly, just use same security profiles (datapaths can be different).. All the bells and whistle...

mkx

station-pseudobridge has many gotchas, including the one which requires wired device to communicate with main network do that station-pseudobridge device (hAP ac lite) learns mapping between IP address and MAC. In general wireless bridges really work nice (transparent etc.) only if both AP and stati...

mkx

Having same nerwork addresses on different interfaces always means problems. And case when connected device has same IP address as router itself (even though on unrelatted interface) borders to impossible. Fixing your setup by changing some network address is much easier than working around it. Whic...

mkx

what a shitty forum You have specific issues particular to your ISP (I could be calling names here), which don't have much with Mikrotik and ROS. You can't realistically expect a cookbook recipe for solving your problem if none of forum members ever encountered similar issues. Can you? And calling ...

mkx

100-feet long stretch of UTP cable is pretty long (it's actually more than 30m which is rating of your SFP module). Even though it's a CAT-8 and thus good for some high throughputs, reachable range depends on transciever's power capabilities ... and longer stretches require quite high power, not man...

mkx

The firewall you're currently using onky drops unwanted connections coming in via ether1 (the penultimate rule) in selective way - it doesn't affect DSTNAT-ed connections. The last rule drops a few more connectiobs (which are not dropped by previous rule). But: your firewall doesn't have any rule wh...

mkx

The config export is not complete. But anyway: never add VLAN interface back to bridge as port. Instead you should be setting bridge pirt as tagged member of MGMT VLAN. /interface bridge vlan add bridge=bridge comment=LAN tagged= bridge, sfp-sfpplus4,ether10 untagged=MGMT_NET vlan-ids=900 And make s...

mkx

By shuffling SFP modules around you more or lesd prooved it's likely a matter of faulty SFP cage. I've no idea if it can be (easily) repaired. So you should avoid using it (yeah, I know). Or try to find a module that doesn't trip the problem and is useful to you, my hunch is that a non-DDM module mi...

mkx

MT devices typically don't do voltage conversions for PoE. If you measured much lower PoE out voltage than supply voltage (0.1V is acceptable, 15V is not), then there's a hardware damage in your device.

mkx

It seems that there's single i2c bus in your device and that both power supplies' management and SFP's DDM interfaces connect to that bus. And if sone device hogs that i2c bus, then polling status of other devices times out. It's hard to tell why SFP5 seems to be a problem, could be it's (manufactur...

mkx

If properly configured, both OSes should provide equal performance. ROS seems to be much better supported these days (active development) though ... As to ROS configuration: use single bridge and use VLANs (even if they are strictly internal to device) to separate traffic between different port grou...

mkx

The very first question, which pops in my mind when reading your post, is: why L2 connectivity? Unless you have very specific reason, L3 connectivity would be better in several aspects.

mkx

I am having some issues enabling 5G on my CAP devices, so far CAP devices are registered and able to see them in the CAP-interface, however the state it comes in is inactive. If you're referring to state of wireless interface (and in conjunction with it as bridge port), then status "not runnin...

mkx

if you are on a saturated tower getting max 10%, CA isn’t going to do a whole lot ... My experience (my previous career was senior radio engineer for incumbent MNO) is that indeed CA doesn't make miracles. But in most cases it will increase user's throughput anywhere between 25% and 300% depending ...

mkx

I would argue that areas with such low speed demands might be better with a cheaper LTE modem and the CAT 6 and up more suited to areas with gigabit ports. These days it's imposible to get near modem or cell tower maximum throughput, with many concurrent devices we're all aiming at getting roughly ...

mkx

Firewall address lists can consume quite a bit of permanent storage ... my solution on a hAP ac2 since upgraded to v7 is to not use firewall address lists, at least nothing with more than a few tens of members (I've learned my lesson the hard way - I had to netinstall device to get out of death spir...

mkx

You should be using single bridge. And yes, you should be using firewall. The two items above are not correlated (i.e. by using multiple bridges one doesn't bypass necessity for firewall). And no, creating DMZ doesn't really depend on switch chip - in some cases switch chip can offload CPU but AFAIK...

mkx

Another question, does 1:1 NAT described by mkx implies that I have to assign all of my private hosts addresses to one WAN interface? If your ISP assigns you a subnet (e.g. /28) and reserves one IP address for own use (telling you to use it as upstream gateway address), then this means that those I...

mkx

From performance point of view ... yes. I guess (I don't have a RB1100 nor RB4011 to test) that both bridges would be HW offloaded, specially so if one would take care to "enslave" correct set of ports. Passive wire instead of power hungry CPU. The only difference is 1Gbps (wire) vs. 2.5Gb...

mkx

/disk set usb1 type=hardware add parent=usb1 partition-number=1 partition-offset=512 partition-size=\ "128 035 675 648" type=partition The above is configuration. If you execute /disk/print you'll see actual running values, one of them being slot . Also observe flags column, it should con...

mkx

Nothing you can do on CRS (apart from disabling that SRC NAT rule). Instead you have to configure Sophos with static route towards your LAN. I'm not familiar with sophos syntax, in Mikrotik diakect it would be this /ip/route add dst-address=192.168.200.0/24 gateway=10.0.0.2 Quite likely Sophos will ...

mkx

The interconnect between both switch chips traverses CPU so it can't be HW accelerated (CPU has to shift all the bits). True HW acceleration would be if both switch chips would interconnect directly (i.e. you'd have switch port named e.g. switch1-switch2 just like you have switch1-cpu). You can make...

mkx

You should post configuration of both Mikrotiks to get any meaningful feedback. Execute /export hide-sensitive file=anynameyouwish in terminal window, fetch file off device, open it with text editor, redact any remaining sensitive data (such as serial number or wireless password; public IP address w...

mkx

I.e. whatever chipset differences can exist within the same family but different models, they are masked by standardized CLI which might slightly differ in command args only. As @tdw already explained, you are overdoing things. The problem with MT is not lack of grand unified UI for L2 stuff, unifi...

mkx

... config depending on chipset used (which is very low level and should be taken care at another layer of abstraction ...

There is another abstraction level: bridge with VLAN filtering enabled. But it seems you don't like its performance on your particular device.

mkx

However, different wireless drivers do interact with passing frames beyond basic MAC addressing and some drivers might burp on frames they don't recognize. I think the problem is that the drivers have to do some kind of workaround to replace ARP. The WiFi has the same MAC for all clients, but they ...

mkx

Does the same issue persist if you bypass the OpenWRT (i.e. if you connect wAP ac to same trunk port of ac2)?

mkx

When thinking about parsing ND info ... keep in mind that every IPv6 device can have multiple IPv6 addresses active and some of them will change over time (that's one of design goals of SLAAC). Also router will only have host in neighbour table if host communicates via router (if it only communicate...

mkx

This can work without NAT on LRs. Instead you have to configure routing on WR. Either by adding a number of static routes or by running a routing protocol (e.g. BGP or OSPF) on the interconnection segment ... In either case you have to make sure all those LAN segments (off LR routers) have unique ad...

mkx

ROS DHCPv6 server doesn't hand out IPv6 addresses, do you can not assign static leases. So I guess this means your plans can't be done solely using ROS. If you come up with idependent way of setting computers with static IPv6 addresses (either 3rd party DHCPv6 server or manual setup), then you can c...

mkx

In theory every 802.11 device should be able to pass 802.1Q tagged packet if it fits the MTU of wireless interface. After all, the 802.1Q header comes after usual ethernet headers and from ethernet point of view only payload type differs (from e.g. IPv4 or IPv6 payload type). And that doesn't affect...

mkx

Where should I start looking at? First you have to diagnose what exactly means "freezes all other network traffic". Obviously that's not exactly the case as your own observation goes: you can still get very decent throughput from your PC to internet (or is it the other way around?). Think...

mkx

Indeed your config doesn't contain anything that fasttrack might be affecting. Fastpath is another thing. I see you're setting slightly larger-than-standard MTU on VLAN interfaces ... what are MTU and L2MTU settings on underlying physical interface (sfpplus1)? Make sure they are both large enough to...

mkx

L2 config: https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples L3 config: just like ordinary router running ROS. Since you'll have VLANs on switch chip, bridge will be configured as VLAN-agnostic entity. But you'll need vlan interfaces, one per VLAN, and IP setup will be bound ...

mkx

dig 'mobilesvr' returns SERVFAIL As per RFC 1034 domain names are either absolute and are composed from multiple (that's 2 or more) parts, delimited with a dot "." ... or relative which doesn't contain a dot, and, when used, software needs to append domain name. Each DNS entry should be t...

mkx

... if I create wifi3 and make it "slave" of wifi2 to also function on 2.4GHz it simply doesn't work and in status it always says "scanning". Basics first: only master interface can set properties of physical radio, prime example is frequency used. Any slave interface will piggy...

mkx

Post the config of router so we can see what exactly is configured. Without it, we can only guess. And that ain't fun to me.

mkx

Many people wonder about perils of detect intetnet. To disable it, it's best to set all items to "none" (without the double quotes).

mkx

I'm not aware of fasttrack messing with individual packets. But it does mess with certain firewall features. One of them is mangling.

mkx

And using IP address which is router's own address on that "non-populated" bridge is separate issue any way. Because when router processes packets, it first checks if the packet is targeting any of its own addresses (and performs appropriate action, DST-NAT is one possibility, servicing re...

mkx

... CRS112 have a dedicate chip for switch and l3 hardwareoffloading

Where did you see L3 HW offloading mentioned for CRS112 (it does have L3 functionality but not performance)? There are products that indeed feature L3 HW offloading, but those are in CRS3xx family.

mkx

Enabling packet sniffer disables fasttrack/fastpath. So you need to check with your config why any of these two break your data streams (and fasttrack is prime suspect).

mkx

Check MTU size of bridge ports (L2MTU property). If I understand you right, bridge is passing PPOoE frames. So it won't do fragmentation, no L2 device does fragmentation (only router / L3 device can), so you have to ensure that resulting frames are snall enough to pass all L2 entities. PPPoE comes w...

mkx

Just as you see use cases for what you requested (keep user from locking self out of router by dedsult) I can see the oposite: many users forgetting to press that "commit" (or "un-safe" or whatever) button before logging out and thus loosing all the changes made during the sessio...

mkx

Detect internet ...

https://help.mikrotik.com/docs/display/ ... t+Internet

mkx

Product page in Specifications under Operating System doesn't list SwOS ... for devices actually offering dual boot this item lists both OSes.

So no, it's not possible to run SwOS on CRS106-1C-5S.

mkx

No, ROS NAT is layer 4 (TCP or UDP) function. For your needs you need a layer 7 server (reverse proxy). All the popular web servers can do it (nginx, apache, etc.) and there are some specialized products (haproxy, traefik, etc.) None of them are available natively in ROS, but you can run (at least s...

mkx

Can I use the CRS112 as a Layer 3 switch?

You can (as @tangent already wrote). BUT: the performance will be waaaay lower than wirespeed. L3 is on CRS1xx entirely done by CPU and your switch's CPU is pretry slow.

mkx

When router is reset to factory defaults, then admin password is reset as well. Newer devices have default password printed on a label (which is more or less hidden), older devices have empty default password. If you have newer device but the label was destroyed or lost, then theoretically official ...

mkx

When on line with MT support it would be worth to ask if those mini-PCIe slots actually are powered via USB bus. It could be that they are powered independently (if they're dual-bus, USB and PCIe, then they need independent powering for times when PCIe device uses the slot) and in this case it would...

mkx

Which local speed? You only have routed interfaces which means there is no local traffic. IMO "local traffic" would be traffic bridged/switched between ports members of same (local) subnet. As @tangent wrote: you have queues all over the place, affecting all (vast majority?) of traffic .....

mkx

Do I understand correctly that with the created masquerade rule, the router will replace my address (192.168.0.28) in packets with its own (192.168.123.1)? That's the basic idea about SRC NAT. Action can be either src-nat or masquerade, both will replace src-address (and possibly src-port), details...

mkx

Very probably ... because likely the "alien" equipment you need to connect doesn't use your MT router as its default gateway. Adding that src-nat rule will make "alien" device believe that traffic is coming from router itself and that one has IP address in same IP subnet as "...

mkx

... local speed capped at 100mbps (its should 1gbps) Which local speed? You only have routed interfaces which means there is no local traffic. IMO "local traffic" would be traffic bridged/switched between ports members of same (local) subnet. As @tangent wrote: you have queues all over th...

mkx

set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode allow-sharedkey=yes band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=canada2 disabled=no frequency=5745 mode=ap-bridge \
ssid="Edwin(5G)"

set time-zone-name=America/Puerto_Rico

Ts, ts, ts ...

mkx

Some of enumerated features were gone with some reasons. E.g. displays were soem times placed on top of unit ... which can be rack-mountable. In that case it was obscured by equipment, mounted above such unit ... and thus useless. In addition, display activity (refreshes) was frequently causing real...

mkx

Indeed that's the biggest issue when it comes to mobile broadband performance. Physical layer (LTE carriers) is shared medium and a very congested one (many concurrent users). I would agree, but for the mast I connect to, if I walk towards it (and achieve additional tree clearance), BW increases si...

mkx

If packet, used by traceroute (linux traceroute usually uses UDP packet, targeting a random high port, some traceroute tools use ICMP packets), is DST-NATed, then the same final address will be shown twice: when TTL expires at the moment when packet hits NAT-performing device and that device replies...

mkx

/interface/wireless/info/hw-info <5G interface> whould show HW capabilities of a particular radio. hAP ac2 (pretty similar wireless hardware as hAP ac3) says "ranges: 4920-5925/5/a,an20,an40,ac20,ac40,ac80" However, wikipedia channel list lists part of UNII3 as indoor-only in certain regi...

mkx

I'm just of opinion that congestion is what kills you,

Indeed that's the biggest issue when it comes to mobile broadband performance. Physical layer (LTE carriers) is shared medium and a very congested one (many concurrent users).

mkx

Can I upgrade the firmware to 6.49.8 remotely?

You can. And it's mostly safe to do it.

mkx

It seems that the bridge and/or the ethernet port is taken down before the NFS share is unmounted? In "normal" linux servers, when NFS server is stopped, it doesn't communicate with clients, it simply drops dead. (After that, NFS clients might hang waiting for NFS server to get alive agai...

mkx

... whatever difference in CAT6 to CAT18 offer using same 2x2 antenna is going to be some smaller percentages (e.g. there is also FEC rate associated with the QAM, so performance is still pretty linear) Linear? Indeed higher modulations will only bring improvement in throughput in perfect radio con...

mkx

Also: only a fraction of MT products accept power supply in range of 10V-14.5V (which is voltage range expected during car operation).

mkx

The built-in modem, R11e-LTE, does support LTE band 20.

Just a word of wisdom: LHG has pretty poor antenna gain for lower frequencies (below 1GHz) (source: LHG-LTE brochure). So if signal strength of your chosen MNO is not good, then don't expect stelar performance.

mkx

IIRC initial design goal was to support dual-OS on all CRS3xx devices. It seems MT gave up on this quite early into introduction of devices from this family, so it's likely that your CRS won't see SwOS support. But as @holvoetn suggested, you better ask support@miktotik about that.

mkx

I guess you're talking about "IVL - Independent Learning" ... and is the only mode supported by bridge (most switches support also SVL - Shared learning). But my guess is that this is not your problem, probably it's RSTP ... if you're connecting two bridges/switches using two physical link...

mkx

I was using these commands: scp user@router:usb1-part1/log.5.txt . scp log.5.txt user@router:flash/ My router has USB stick plugged in (it's mounted under /usb1-part1) and I have logging configured to store files there. The first command fetched one of older log files to linux PC. The second command...

mkx

It is possible to scp single file ... just don't include the leading / on path to sorce file name. Example: scp username@router:flash/skins/default.json . Essentially it's exactly the same as shown by /file/print . And copying files to router works the same way ... without leading / in the destinati...

mkx

Even more conclusive: product page doesn't mention SwOS at all.

Only a handful of CRS devices actually support dual boot and product pages of those do mention both OSes as supported. One example is CRS326-24G-2S+IN.

mkx

I don't have a LtAP LTE6 so I can't say this with confidence. But the way I understand product description and block diagram, the device has only one LTE modem built in (and it's shown on the output you showed in previous post), connected to USB bus. This card can use either SIM2 or SIM3 slot. Then ...

mkx

Groove has single dual-band radio, so it can only operate in one frequency at any time. If you need dual connectiviry, then you have to use true dual-radio device (any other Mikrotik with support for both 2.4GHz and 5GHz) or two devices.

mkx

Is the admin MAC set on bridge unique in your network?

mkx

What you're describing is "bridging" eth1 and eth4 ... which obviously involves a bridge. A straight-forward way would be to create a new bridge, move eth4 to it and add eth1 to it. Which would imediately invalidate all WAN IP setup ... you'd have to move everything, which refers to eth1, ...

mkx

When using wireless interface as router upstream interface, it should not be part of any bridge. Only when wireless interface is stand-alone, it can be used directly for L3 stuff (e.g. DHCP client). To allow wireless interface to connect to different APs, you configure them in interface/wifiwave2/ac...

mkx

Anything higher than 1 will do (though it is probably limited). Right, VLAN ID is limited to 12 bits, which limits values to range 0-4095. However, 0 and 4095 are reserved values, which leaves values 1-4094 for normal use (both values included). As @erlinden mentioned, most vendors abuse VID 1 as s...

mkx

You're asking about problem with your routing but you don't provide the setup you have (and serms to have an error in it)?

mkx

... CRS125 does HW offloading in ROS v6... L2 yes, L3 not. And in v7 the L2 HW offload on CRS125 remains just the same as it was in v6. Please note that I'm not trying to persuade you into buying a new L2 switch, I'm just fixing some misplaced statements not to mislead other readers. So I simply st...

mkx

I guess the only ambiguous character in Pwd is the third one ... which is capital o ("oh") ... if it was digit zero, it would be crossed.

mkx

You can either set MAC addresses for virtual AP interfaces or they will be created by ROS automatically. If you set them by hand, then you yourself have to make sure they are unique in your network (and neighbourhood). If ROS creates them automatically, then they will be based on physical interface'...

mkx

It's not an update, it's your data being sent in the wild (TX on your wan port).

The blue line (featuring a spike) is Rx.

mkx

I beg to differ: CRS326-24G-2S+ has two SFP+ (10Gbps) ports while CRS125 has one SFP (1Gbos) port. In addition CRS326 supports (limited) L3HW offloading and can thus serve as a wirespeed router in a small(ish) multi-LAN environment (no stateful FW allowed so this feature really has limited usability...

mkx

I guess Konstantin wonders to which of interfaces applies the "(Limited access)" part. I guess it wouldn't be a question is the output was "Available on lte1 (Limited access), ether1" ... or if the comment explicitly mentioned interface name. Or if MT dropped the "detect int...

mkx

Command system/resource/usb/print will show (among others) device identification in format <bus>-<device>. Hopefully at least bus number doesn't change with each reboot ...

Search found 12058 matches