MikroTik

pcunite

I hope that the new logo is just a bad joke. It must be...

I think it looks really nice. Very professional, tidy, and to the point. The new font is really nice.

pcunite

Known issues are forum tribal know-how distributed among thousands of forum entries and hidden behind a poor forum search ...It is no wonder the same issues and bugs are reported and asked about again and again ... I really enjoy MikroTik products personally, but can hardly recommend them to others...

pcunite

See my signature.

pcunite

@ work, we run everything v6, except 1 device with v7 for WireGuard.

Same. Needed to provide VPN (WireGuard) for a client so I went with a dedicated device running v7.2.1.

pcunite

Is unapproved because you do not use two C14, one for low, and one for high voltage...

:-p

pcunite

I requested one but named it incorrectly.

pcunite

I'm not an expert on wifi products from MikroTik, but I have done a large rollout. I used about twenty wAP ac units and two NetMetal ac2 units. We covered a campus of about ten buildings. Client had 30/30 fiber to the premises in a remote area. However, I've not used MikroTik in wifi in noisy (radio...

pcunite

I'm working on a product and testing with the wAP R ac. I'm sure you're familiar with the other notable hardware options. I'll probably go with the Netmetal 5 ac. Yes, I think its fine for what it is, a fully enclosed unit. For my needs, I will need a different modem too. Probably going to go with t...

pcunite

Having developed SW myself for many years, I really wonder how MT manages to produce such blunders again and again. Sorry MikroTik, but something with your SW dev and test processes is more than broken. I have a software development background too. There is a lot to like about MikroTik. If we step ...

pcunite

IDK how to do that...? From within the Winbox GUI tool, open up the menu item "New Terminal". Then type the following command: export file="Export.rsc" . Then navigate to the "Files" menu option and you'll note the newly exported configuration. Right click on it and do...

pcunite

This was the answer! Thank you so much tdw and mrz for you assistance! Once I added the rest of the mark rules the routing I had already setup worked. I've been working on this for WAY too long and you all got me where I needed to be. Thanks! May I see your configuration? I'm in this same boat and ...

pcunite

Not qualified to answer the question yet. I'm going through the process of setting up failover to cellular with a wAP R ac . Final solution will probably be a NetMetal ac2 or LtAP . I'm working with three ISP WAN connections at the moment: PPPoE over 2.4Ghz, cellular, and a T1. I think that within t...

pcunite

Yes, need it.

pcunite

Recently there's this new wave of "smart" spammers ...

Excellent observation. I noticed something off too in certain posts and wondered what the end-game was. It is always about the link.

pcunite

Any success with the Quectel EC25 line of Mini PCIe cards installed in a MikroTik wAP R or NetMetal ac²? The EC25-AFX has B14 and B71 support. The EC25-AF does not include B71 (looking at their PDF anyway). Personally, I need B14 for FirstNet use on ATT.

pcunite

Does MikroTik make a cellular modem compatible product for use with FirstNet (Public Safety)? I need Band B14 support. Also, is there a miniPCIe LTE CAT6 modem with B14 support that I could install in something like a wAP R, LtAP mini, or NetMetal ac²?

pcunite

Yes, same.

pcunite

Would this fix be related to running scripts such as the ATT gateway bypass? My ATT gateway bypass was broken in 7.2 but working in 7.1.5 EDIT: Just tested on an RB4011, ATT gateway script still not working. Reverted back to 7.1.5.

What error are you getting?

pcunite

The new logo, youtube channel, and better community outreach is good. Being in the forums is a good thing. I would also like to see maybe one resource (a person) who's focus is exploring common use cases with MikroTik products. They will write verbose documentation and maybe videos on these subjects...

pcunite

Or, you can do what many people do: wait for some brave souls to install and test it and report the experience.

I like to wait about six months to a year before touching MikroTik firmware ... with a feather.

pcunite

Can you try using RouterOS 6.48.6 Long-term?

pcunite

@pcunite: Keys, not certificates.

Thank you for the correction. Nebula is worth a look.

pcunite

So, what is the best practice? How many support engineers do you have? How many end users (total devices)? 1-100 end devices: Option A: Single server key. 100-1000 end devices: Option B: Multiple server key, 1 server per 100. 1000+ end devices: Option C: Multiple server key, 1 server per device, pl...

pcunite

That would also mean I should apply the same thinking for Wifi devices. Exclude the ethernet port I use for the AP from QoS on the Switch, and let the WiFi QoS be handled by the AP. If the AP hardware can handle it. However, if the AP has a fast connection to the switch or router, then let the rout...

pcunite

I think your question is the answer. It depends, doesn't it? At least until WireGuard is truly everywhere and automated tools are available to update clients somehow. I only have limited experience with WireGuard, but am currently using an RPi server, behind the router. I would of course like to see...

pcunite

Not really understanding this text from the help. Is it saying one should implement QoS on the Switch instead of the Router? Theory, best practices, and what you need. It's all a balancing act. As a rule, you should QoS as close to the end device as possible. Consider what would happen if you had c...

pcunite

May I join this discussion as to why ? From the very beginning, and even now, the bridge, bridge port is confusing. It will always be confusing because it is an insufficient abstraction for the people who use it. This is why @sindy can not make it any clearer. No one more capable and patient than hi...

pcunite

Ugh, need a PSE-8 for a CRS112. Seems a shame. Only port 8 does not put out PoE correctly.

pcunite

How many ports? How many watts? PoE++ (802.3bt) is 60W or 100W. Driving that much power, what use case? Might be cheaper to build a shelf with injector bricks for just what you need. Cisco Catalyst 9300 UPoE offerings PoE Texas GBT-24-M PoE Texas GBT-24-M-53V3000W Planet Tech UPOE-1600G FS.com S5860...

pcunite

Weird ... this could potentially be exploited to create a Denial of Service, assuming you can make them act funny from user accessible Access ports.

pcunite

Do you have any plans to release an updated 2021 (or 2022) guide for QoS that focuses on RouterOS 7.1.1 and CAKE / FQ_Codel? I wouldn't say I have plans. Have not really used v7 enough. I'll wait until it is more mainstream unless I find some pressing need for it. WireGuard is very interesting to m...

pcunite

I just remembered that I found and rejected such a switch before buying the CRS328 ... Agree, the CRS328 is just about the only PoE switch in MikroTik's lineup worth buying (outside of outdoor models). I mean, the goofy 8 port with two power supplies that you have to mount somewhere? I think its re...

pcunite

The CRS328-24P-4S+RM is a nice switch, but way too big. Need a short depth version. The CRS326-24G-2S+RM is due an upgrade to 4 SFP+ ports.

pcunite

The MikroTik Neighbor Discovery protocol may not be propagating correctly based on allowed interfaces. Especially so with VLAN. In In the Winbox GUI, go to IP / Neighbor List / Discovery Settings and observe.

pcunite

I plan to buy some fiber optic SFP+ modules for my RB5009. Do you have any tips, for normal user please? I've been working with fiber a great deal lately and have some experience and advice. I have an opinion that I think is applicable to what even a home user should consider. Cost is a considerati...

pcunite

Find a professional who will use MikroTik. Then yes, wire in all the AP's back to a central switch. The switch in turn will be controlled by a MikroTik router. Always MikroTik, all the time. Working on an installation now with twenty wAP AC units. Going well.

pcunite

The exterior design is fine, don't want them to even look like something conspicuous. However, 16mb, and lack of new specs. Well, you can see the response from their customer base.

pcunite

What is up with MikroTik hardware production? Nobody has parts in stock and its getting pushed to December. Like the CRS328 PoE switch.

pcunite

No need for IPSec because Wireguard rules the world now … the RB5009 is not enterprise gear where IPSec is the standard … home users love 💕 WireGuard. SMB will also love wireguard …. It’s becoming a WireGuard world. Agreed, the push is on. I'm using it, nay, forcing its use. :-) I did have an issue...

pcunite

If I may, I hope I can help to clear up some confusion. We can help you better if you speak more about your application and less about networking. Sindy can handle that part for you, he is an expert in that domain. So, reading between the lines, it seems like you might be linking GMRS repeaters over...

pcunite

Can you do it in the GUI Winbox interface?

pcunite

pcunite, I do not understand what you are discussing regarding clearing connections. Is this something I should be worried about on my setup? Well, I don't know. It comes down to how ISP1 fails and the applications you are using. After the failover to the different ISP, if your application times ou...

pcunite

I do not insist further, I have already written you the script that does the right job, based on the real traffic of equipment in production and not only theoretically simulated. Its okay, I can sort it out. If you have a ping session, not stop (ping 8.8.8.8 -t), when the change over occurs it will...

pcunite

If just one connection on connection tracking is already closed for timeout (or other reasons) during the execution of the clean, the script will stop with error because the connection is already closed, and do not finish his works. Okay, if that is the case, would it be possible to close connectio...

pcunite

Can you provide a link to the document you are referring to? What I understand about the benefits of an Asymmetric VLAN ( after searching ) is that you can have two VLANs in the same broadcast domain. You don't need a router as packets actually get switched. You can have a custom MAC table with two ...

pcunite

rextended, Oh my goodness. This is awesome! It works excellent. You should make a separate post about WAN Failover and update the link in your signature to point to that new dedicated topic. It takes a good while to write up topics, so no pressure. Just a grateful user. Note, I changed the timeout t...

pcunite

Clear connection-tracking is needed because remote address unreachable do not cause the clear of connection-tracking. What access method you use? Thank you anav and rextended for your examples and help on this subject. I'm testing in a lab using two simple MikroTik units. So, my connection method i...

pcunite

The WAN fail over technique works properly if I clear connection tracking. Otherwise, the network appears to timeout. I tested with a long ping session to a remote host and a VPN session. Disabling the interface will automatically clear connection tracking and makes the fail over occur right away. S...

pcunite

You could take a look at bundles made by others to get a sense of what you might need. Here is one from r0c-n0c for example.

pcunite

Use two (optionally) QR codes. One to connect to your free wifi, and the other to open a web link (the menu at http:10.0.10.5/index.html or whatever).

pcunite

Thank you anav, I will look into your notes and see how I comply.

pcunite

I have a WireGuard server (Ubuntu 20.04) running behind a MikroTik router at remote Network B. It seems to work well, with one exception I would like your thoughts on. I'm getting a " Destination host unreachable " reply (which shows up as an invalid packet in a firewall rule), but only fo...

pcunite

I have been testing the CRS328-24P-4S+RM and its power characteristics with a P4400 Kill-A-Watt meter. Firmware 6.47.10 installed. Power draw: 1) 19 watts, when powered on, nothing plugged into ports, the idle state. 2) 20 watts, when one SFP+ plugged into an available port. 3) 24 watts, when all SF...

pcunite

Good to see this. I use MikroTik for several reasons, but getting VoIP correct is a big part of that.

pcunite

All of this happens automatically. I was just explaining what happens. For most of the world, you will want to run within Regulatory limits. Set country, all other stuff will be automatic. Just to confirm ... I'm installing 20 wAP AC's at a client site. Naturally, the power might need to be turned ...

pcunite

I still don't fully understand why PVID setting is mandatory in practice. @raimondsp writes that omitting to set it keeps the default setting of pvid=1 (which we already know very well), but the argument about bridging the port with other ports with pvid=1 seems moot to me if frame-types property i...

pcunite

Thank you, excited about the changes, wireguard too.

pcunite

I think the annoying thing about wall warts is how to properly rack them. If there was a way to tie the wall wart to the back or side of the MikroTik device, that would be enough for most of us.

Yep. Would like to have a standard (another one?) so as to make them easy to manage and replace.

pcunite

AFAIK Wireguard is a layer 3 VPN so there is no concept of VLANs - it will route packets between different subnets at each end and firewall rules can be used to restrict which subnets can communicate with each other. If you really need to extend the layer 2 domain then VxLAN, GRETAP or in the Mikro...

pcunite

Part of a nine building fiber rollout. Need switches with at least three SFP+ ports on them, PoE for 12'ish devices and short depth. Not unreasonable. The CRS328 is just total overkill.

pcunite

Hi pcunite, I too contemplated using the raspberry pi for WG but I think your throughput will suffer if using that device?? The Raspberry Pi might not have enough horsepower, I don't know yet. I was using it as a test. Could build a Ubuntu system if necessary. Would also consider using MikroTik har...

pcunite

Not familiar with your use case.

pcunite

Nice! For the corporate side, you could simply install Wireguard on any Linux instance and port-forward to it instead of having an extra MikroTik device (unless you want or need to of course). I have done this before and it's been very stable and reliable for my usage pattern (mind you, less than 5...

pcunite

Why shouldn't the CRS112-8P-4S-IN be upgraded for SFP+ now that the cost delta for SFP+ has dropped so far? Agreed. The CRS112 is a funny thing with its 8 ethernet, yet 4 SFP? A tiny switch yet you need two power supplies to make it work for all PoE needs. It is an ungainly thing. The CRS326 is wha...

pcunite

I will soon be looking into a solution to enable remote staff to use physical telephony devices (VoIP phones) alongside their personal laptops running behind their home internet service plans. Allowing them to VPN into the corporate network using Wireguard, running on a MikroTik, is the goal. My thi...

pcunite

Thank you for the update.

pcunite

I hear you too.

pcunite

Have not used it personally, but the Middle Atlantic PD-DC-125R, seems like it would help in a rack with a lot of such equipment. The nice thing about MikroTik, most units can be PoE powered over ether1. So, you can clean up power to them using a single PoE switch.

pcunite

Your question is outside the use case for most of the forum members. That said, seems like the HotSpot feature is what you're asking about. Would need to be customized, I guess.

pcunite

Interesting. As another work-around, do you think these types of heatsinks on the SFP module would help?

pcunite

Use a generic sfp module from fs.com.

pcunite

I have a question about security or probably best practices when it comes to VLANs with WIFI: I guess setting all access ports to " admit-only-untagged-and-priority-tagged " is clearer, but is there an actual impact on network security here, or are those just two ways to do the same thing...

pcunite

RouterOS version is 6.44.6, device is a CCR1036-8G-2S+

I think 6.44.x was vulnerable, so I don't think this is a new'ish hack. Here is a post about it. I updated to 6.47.x a while back to play it safe.

pcunite

I disagree, I find it very confusing to have set PVID on the bridge ports and then not put the associated untagged entries on the bridge vlan. When reading a config its dirt easy visually to see what a person has done. It's so difficult to have to double check a config when not seeing the config, e...

pcunite

Yes, I think that would be good. I have the same problem with the MikroTik documentation actually. The reason I feel it is bad practice to unnecessarily set the "untagged" port statically in addition to the PVID is when it comes time to make changes, you have to remember to make the chang...

pcunite

Well, very sorry to hear of your troubles. I enjoy MikroTik products and I hate to hear such stories. I think if you could, mail it to a forum member who is very familiar with the WiFi side of thing. You know, to offer some proof to help your case. You probably really do have a bad hardware unit. Ho...

pcunite

Not gonna happen. With that port spec, it would be CRS320-16P-4S+RM.

Well, you know how rumors are! Incorrect information. How did you arrive at CRS320?

pcunite

Use the PTP Calulator this link to see options involving frequency and distance.

pcunite

I want this.

pcunite

Look at what showed up on my desktop today! Wonder if it is going to be true? I could really use this switch model.

pcunite

MikroTik S+31DLC10D module. So, sfp connected between fiberbox and rb4011, network cable between fiberbox and rb4011. What gives you confidence that the SFP is compatible with the fiberbox? Previously you have an RJ45 connection. That SFP module is single mode 1310nm. Is your ISP good with that? Lo...

pcunite

All working fine when setting Wan to ether1.

What kind, brand, etc. SFP module are you using in the RB4011's SFP+ slot?

pcunite

How do you mean rule out? SFP+ port is set as Wan and then the rest of the network is plugged in ether 1-5. Am i doing something wrong here? No, you're not doing anything wrong. I was just stating that you might try a test with an Ethernet port to verify the issue is with the SFP port and not somet...

pcunite

Please try to use ether1 to rule out the SFP module. Report back.

pcunite

Is there a reason why you explicitly set the untagged= parameter as this will be dynamically populated. I am considering removing lines referencing the untagged member because of the reasons you note. I also needed to set the tagged member as well. I really appreciate the help. I'm looking into how...

pcunite

I'm attempting to set some values under the /interface bridge vlan command, namely the untagged property. Normally, I set this like so: set bridge=BR1 tagged=ether4 [find vlan-ids=10] . However, I need a way to append the value to what is already present. Here's what I've cobbled together so far, bu...

pcunite

One thing I do not like about the configuration shown in the examples up at the top (which are otherwise very good) is that it has unnecessary use of the "untagged" setting. @mducharme What if I put in a disclaimer, stating it was unnecessary and handled automatically? This article series...

pcunite

Intel AX200 connected at 1.2Gbit/s at Aruba AP-555 with 80 MHz channel == stable 800 Mbit/s up and down while copy a big file to and from a SMB file server.

Tell the rest of the class what you paid for the Aruba.

pcunite

The PoE issue was introduced in 6.46.8, as the comments from that release prove it.

Using a hEX PoE to power two Dahua SD1A203T-GN. PoE set to auto on. Firmware v6.47.9 without issue. I think these units are 2 or 3 years old. Factory firmware was 6.42.7.

pcunite

A CRS326-24G with 4 SFP+ ports. A 16 port ethernet short depth version of the CRS328-24P.

pcunite

See my post here.

pcunite

This surely wins an award as the longest first post ever. Well done simpleIT! You win a prize! Cozy up to a fireplace and read the provided material anav has linked for you. Read slowly, its all there.

pcunite

It might be best for you to read my VLAN tutorial, linked in my signature. Read slowly. It will all make sense. It shows how to mange all devices on the network. How to setup everything from scratch.

pcunite

You only need to create an SSID that represents each VLAN. See post here for examples.

pcunite

I upgraded a hAP mini from 6.47.8 and got the same WiFi problem as with 6.48, fixed by downgrading.

After upgrading RouterOS and RouterBOARD, then doing a reset, then adding back your config via console, do you still have the same issues?

pcunite

What is the observed behavior under 6.47.9?

pcunite

Upgraded from 6.44 and 6.46 and went largely without incident. Mix of RB4011, RB3011, RB2011, hAP ac lite, hEX PoE, CRS112-8P, CRS326-24G, hAP ac, hAP ac², wAP ac, and cAP ac. This feels like a good update. Time will tell. I miss antenna gain on the AP's but at least can get to it via CLI.

pcunite

Use a remotely controllable power outlet, like this, this, or this.

pcunite

Thank you! This is very interesting. I do have the option of specifying the cabling. Can I use use simplex single strand LC-LC cables everywhere? Even for short runs? Naturally, I'll do what is cheaper, but to have BiDi duplex over single strand can I buy OS2 9/125, single strand single mode cables ...

pcunite

I have an upcoming project to where I will require a fiber run in excess of 300m. Probably about 620 meters distance. I would like to be able to maintain a 10G link between the buildings if possible. I only have experience with 850nm Dual LC modules (like the S-85DLC05D) with 50/125 OM3 LC-LC style ...

pcunite

Your example configuration script does not provide enough context. I recommend you study the article you linked first, get it working correctly, before trying to add a CAPsMAN into the mix. The reason you can't broadcast DHCP requests could be because of a couple of reasons. I would need to see how ...

pcunite

normis says: You can adjust Tx-power by selecting "all rates fixed" in Tx Power Mode and afterwards setting a lower Tx power.

Would it be possible to bring back Antenna Gain or something similar? I need a simple way to lower power.

pcunite

Antenna-gain is now a CLI-only parameter.

Why?

pcunite

Agree, I wish there was a proper onboard API to control them.

pcunite

Good to hear. The 2011 units are under powered.

pcunite

A discussion with interested individuals is occurring here.

pcunite

Unfortunately that is inconclusive. The CVE says "6.41.3 through 6.46.5, and 7.x through 7.0 Beta5" which would potentially include 6.46.1. Unfortunately I've never seen MT publish their software development hierarchy so I'm not sure. Additionally, they haven't posted any further details ...

pcunite

All MikroTik routers should be running
6.47.4 [stable]
6.46.6 [long-term]
or 7.0beta6 [testing]
due to CVE-2020-11881

Please confirm 6.46.1 (stable) is unaffected.

pcunite

To run the scan on Groove there are prerequisites

Thanks for sharing. To confirm, can't scan on 5Ghz via Winbox? Have to use Dude?

pcunite

Sure, but does the RB3011 have wifi? I think he wants devices at both sites to provide wifi!

Sorry, yes the hAP AC2 would be better in his scenario.

pcunite

MikroTik has too many SKUs. For 100mb service, consider the RB3011 or better the RB4011. Hang the Wifi AP's off available ports.

pcunite

Appreciate the great effort here. You have put the work into this. The information about how to configure these devices needs to be more open, more clear, and easily digestible. This will help to move that forward. An entire topic should be spent on Service Discovery between VLANs, I should think.

pcunite

Excellent videos! Good to see the team and the products, puts a human touch behind the brand. Please consider making a 16 port PoE switch as described.

pcunite

... getting some pushback of late on the use of pvid and the associated bridge vlan settings ... personally I think its clearer when configuring and reading to have the bridge vlan settings visible. Is there any downside to RELYING on the dynamically generated settings? This is why I initially show...

pcunite

No, not RB4011 again ... They really should produce one device with two different cases (IN and RM), just like they did with RB2011 or certain models of CCR1009... The ears on the RB4011 are bad, yes. However, the one that ships with the CRS112 is really nice. But yes, a pure rack-mount would be ap...

pcunite

A crs318-16P-2S+ would be great. I would like it in an "IN" desktop form factor, although I am sure a RM version would be popular too.

They could make some ears to accommodate us both. I think it is a needed SKU.

pcunite

@pcunite thanks for doing this. I've noticed a few things that I'd like your input on. @blurrybird, >>why you are detecting VoIP by just blanket accepting 10,000+ ports? The original article was created a long time ago. The VoIP equipment I used at the time used those range of ports. I think it is ...

pcunite

I can no longer recommend the RB4011 as I've been getting the issue described here with it hitting 100% CPU, freezing up, etc. I'm at very low load (residential), but still happens what seems like once a month now. Going back to the CCR1009 that I didn't sell, yet, along with the switch. Sorry to h...

pcunite

I need an improved CRS112-8P-4S-IN rackmount switch. I see that the netPower 16P is close to what I would want, hardware wise, but in an incompatible design for my needs. The CRS328-24P-4S+RM is too big. Any news of a possible CRS328-16P-4S+RM on the horizon?

pcunite

I have been wading thru this thread since the 2013 beginning looking for a "final" recommended way to provide the QoS to make a couple of VOIP phones to work. But that appears not to be. My configuration, as shown, is what you are looking for. It works. I use it on multiple networks. Don'...

pcunite

Absolutely, that is the purpose of this hardware. If you have a speed issue, as pointed out, then you can make adjustments. Keep everything on the same switch group if you can, then it can hit the CPU to get out to WAN. If you need to hit the other bridge, I don't think it will be that bad for one o...

pcunite

I just find out that netPower 16P is CRS318-16P-2S+OUT. So, we suggest mikrotik can release CRS318-16P-2S+IN-2HnD.

Yes, this could be the update to the CRS112-8P-4S-IN.

pcunite

Things have changed with iOS 13 and macOS 10.15. Study the link. You can use a tool like CertManEX to create these new types or openssl.

pcunite

You can be as restrictive as you feel you need to be. What is the threat vector? Are you protecting access from neighbors (don't have valid access credentials) or clients within (do have credentials)? * Turn the power down to prevent signals escaping the home. Use more low power units to fill in gap...

pcunite

Official Response from MT Support: How would you expect to treat VLAN-ID 0 packets in RouterOS? Should we allow the users to configure a special-purpose VLAN interface that accepts these packets? How should RouterOS respond - with or without VLAN-ID 0 header? Glad to see them thinking about it. I d...

pcunite

Study VLAN techniques as noted in my signature.

pcunite

Thank you.

pcunite

I like how they use just enough power to accomplish the goal. I didn't want big beefy hardware, unless I needed it. Take the RB4011 for example, handles 1G fiber service just fine on small networks.

pcunite

The best option would be for the bridge to be able to strip VLAN 0, but isn't that something MT needs to fix?

Its not so much a fix, as it is additional functionality we want.

pcunite

+2
Make two case options, a proper rack-mount, and a nice desktop version.

pcunite

I want to clarify with some information provided to me. The ATT Residential RG sends all outgoing packets as 802.1p (tagged with VLAN 0). Their Commercial gateways sends all outgoing packets as 802.1q PVID 2 (tagged with VLAN 2). These are not always enforced, as I understand it. My residential 1G f...

pcunite

Can someone measure its idle power usage? Preferably with one or two 10g ports connected (optical sfp+ or DAC).
Also, how loud is it under low load circumstances?

I would like to know as well. Also, if I disconnect the fans, or redundant power, can I get the power usage down?

pcunite

... for CCRs, what model switches have people been using in front it to take care of the vlan 0 tagging?

Ask wojo

pcunite

I'm surprised the hEX/RB750Gr3 isn't recommended especially for people on 300/300 or 100/100. Does it not work well with wpa_supplicant despite having a switch chip?

Recommended just means what most have reported success with. Since the RB4011 is known to work, it is therefore, recommended.

pcunite

If anyone has an .stl for the RB750 / hEX case, would you mind sharing?

I would like a square case for the cAP AC too.

pcunite

Both? The Bridge Method and the Supplicant Method?

I was referring to the Supplicant Method, only the RB4011 is recommended.

pcunite

What happens when you use a Sharpie pen on it?

pcunite

I have the BGW210 and I was able to downgrade the modem back to firmware 1.0.29 and extracted the keys and certs, then upgraded it back to firmware 2.6.4 and it works fine. My MikroTik router is the CRS125-24G-1S-2HnD ... how do I do that with this router? Only the RB4011 is recommended at this time.

pcunite

So, I picked up a hEX and ... the boards are identical size and layout - ports, power, usb, LEDs, etc. The hAP board will fit very nicely into the hEX case for anyone interested .

Really? Nice find! I had not thought of that. When you say hEX, you mean this one?

pcunite

Good to see a desktop version of the CRS3XX line. I need the CRS112-8P-4S-IN upgraded to the CRS3xx hardware and have 16 ports, rackmount or desktop (short depth PoE switch).

pcunite

@pcunite No worries. I'll see if I can rerun the test graphs with the updated baseline when office reopens. I've seen some weird packet issues when using RED for the defaults. So, I've gone back to SFQ for default but use RED for the bulky flows. The behavior of RED as default causes the VoIP queue...

pcunite

Does not preserve chosen interior window sizing and spacing after selecting Session / Save. Windows 10, 125DPI.

pcunite

If upstream hardware requires 802.1p, then that ability is not configurable with MikroTik, yet. Instead, you'll need to place a Cisco switch in front of the MikroTik and have it set the bits on the outgoing packets.

pcunite

Set parent queues to have a bucket-size of 0.005. Changed the default queue to sfq . (Using red gave similar performance, but multiple downloads seemed less fair). Rationale for the 0.005 size is to copy CoDel as much as possible. @bharrisau, I've have tested your feedback and have made changes to ...

pcunite

The hAP ac is a very under powered device. The hAP ac2 is much better for just about everyone not doing something crazy. I use both at different locations. The bugs on the hAP ac2, my understanding, can be avoided if using the pure software approach to VLANs (if doing vlans). Don't try to use the sw...

pcunite

See my signature. Note that your hAP ac is under-powered for QoS tasks.

pcunite

You are asking a lot in one post. I'll respond to your conversation points. Have more: It is always ideal to have a faster router and a bigger pipe to manage incoming packets. If you can, always have more available to you than what will ever be sent to you. If applications don't play by the rules, t...

pcunite

Do you need to mark the connection before mark the packet? Yes/No/Why? Please add some words about this in your second post where you talk about marking. How to use RouterOS to accomplish a task vs. how RouterOS itself works are two different concepts. I only focus on the former. However, everyone ...

pcunite

If you know and understand MikroTik, it is the better option. However, there are situations to where MikroTik (circa 2020) offerings are not the best: Over 50 clients per AP 100Mbps plus data requirements per connected client You will not get the fastest WiFi speed from current MikroTik hardware. In...

pcunite

This device is expressly created for the purpose of using the CPU and vlans. You should configure it that way.

pcunite

I know it is frustrating. The non-wifi model is a great product. Not sure what is happening on the other SKU. I do think it would help to have clear documentation on how to setup the various options. Its possible to create a unwise configuration. The software will happily let you do it.

pcunite

Own certificates are ok, but for own use (personal or some closed group). They are useless for services that have random visitors, because they would have to trust your CA to be able to verify them.

Of course ...

pcunite

It is fairly commercial here, especially related to the HotSpot feature.

pcunite

I like using my own certificates. To do this, you'll need to create a self-signed Root certificate. Then create all your end entity certs signed by your root. Install your entity certs as normal. Then export the Root, without its private key (in X509v3 DER or PEM format) and install that on all comp...

pcunite

I would still very much like to see the following changes: - easier widget for selection of columns (a modal panel with checkmarks for all possible columns in a "square" layout where multiple checkmarks can be toggled before clicking OK) Agreed, takes way to much effort to deselect all th...

pcunite

Have you gotten around to creating such a series? I'm a home user and looking into using MikroTik. Good to have you here! MikroTik's are a lot of fun. If you get frustrated, we'll try to help. I have not produced the series because I would need compensation for such an endeavor. It takes a very lon...

pcunite

@pcunite What about this? However, my concern is that in other posts, I saw that the "bridge" method ATT offers out of the box forces you to use their small NAT tables on the ATT gateway ... is that still the case with this "dumb bridge" method? The bridge method, as shown at th...

pcunite

is the only advantage of going with the supplicant method to prevent having the actual ATT Gateway powered on and active at all times?

Basically, yes. If you are willing to keep the ATT RG powered up, then its a very good method.

pcunite

I'm not familiar with simple Queues, never used them. You can see my signature for how I handle this.

pcunite

I had a need to do this recently. Here is a full working example that posts JSON to a PHP server and then emails the data. Apply this to your router # Install this script and name it "GetIPAddress" # Enable the scheduler to run once a day and also on boot /system scheduler add name=RunGetI...

pcunite

in the topic Switch with a separate router (RoaS), what is the difference between the Switch Config file and the Router Config file?

The two files are the configurations for the two hardware devices that will be in use. One a switch, the other a router.

pcunite

11K should be fine. I have 4,000 on an RB3011 and its no trouble. Use RAW rules something like this: /ip firewall raw add action=drop chain=prerouting disabled=yes in-interface=ether1 src-address-list=PortScanners add action=add-src-to-address-list address-list=PortScanners address-list-timeout=2w c...

pcunite

I can't get a lease. Applied fallback VLAN and it still doesn't work. The RB750Gr3 uses a MT7621 switch chip . The Atheros8227 chips need fallback mode set. For the other types, you might try a different setting. Until MikroTik has a consistent firmware across the hardware lines, we will have to gu...

pcunite

I use a similar setup too. Read the article mkx linked to. It will tell you all you need to know. After that, you'll make custom firewall rules. I allow IP Cameras to access NTP servers and nothing else, for example. Take time to really study the article. It won't waste your time.

pcunite

I tried this on an RB4011 using certs from an NVG510. Unfortunately I kept getting "rejected" after "authenticating", I did make sure I set the clock properly.

The certs from the NVG510 work for VDSL, but not for fiber service.

pcunite

What I find so frustrating, and the OP no doubt too, is the lack of documentation for all of these various use cases. It takes a while for a big tree to fall, but when it does, there is no stopping it. Hopefully, MikroTik will think about their brand and the collection of us who really are the face ...

pcunite

Set the two parent queues (UP and DOWN) to have a bucket-size of 0.005. Create a bulkUp queue of kind PCQ, set the pcq-limit to 11*[upload rate in Mbps] (100ms of upload bandwidth) and the pcq-total-limit to 10 times that. Select all 4 classifier options. Create a bulkDown queue of kind sqf. Change...

pcunite

Shouldn't the topic be moved to viewforum.php?f=23?

I'm okay with that. Please keep the original url and redirect it to whatever the new one will be. Also, remove many of the old posts that don't advance the topic, since the new 2020 edition for example.

pcunite

Study the link in my signature until you can quote it from memory. Then ... you will have mastered VLAN separation.

pcunite

what about when there are several LAN interfaces?

There are several ways, in RouterOS, to combine several things into one. Maybe VLAN, maybe interface lists, maybe address lists. Its up to you. Then you simply mangle them and send them to the queue.

pcunite

Pride comes before a fall. Companies much larger than MikroTik have had to learn this valuable lesson. One more time ... please hire a Product Manager who understands your users.

pcunite

poe variant ???

This is a short depth model, very useful. PoE would be larger and needed too for IP Camera rollouts.

pcunite

This is amazing. 802.1x method was incredibly easily once converted to .pem.

Enjoy! It is a really nice solution.

pcunite

It is useful for the community to know. Yes, do let MikroTik know directly. They probably source these power supply units and do not make them themselves.

pcunite

do you prefer to put highest priority 1 (in my situation game : Apex) to fast track?

Fast Track is CPU usage mitigation technique. Queuing is a bandwidth utilization technique. Different goals. If the CPU can handle it, you need to use Queue technique only.

pcunite

#DOWN
add name=DOWN max-limit=1M parent=LAN queue=default
# UP
add name=UP max-limit=100k parent=WAN queue=default

I will still get : Download Mbps 9.68, Upload Mbps 0.56

How is this possible?

You can not use Fast Track and Queues Tree together.

pcunite

Can anyone post reasonable reason why it's important? Verification that file is downloaded is plain strange.

It breaks the user experience "feedback" expected in the GUI. If I drag'n drop a file into the Files menu, I expect to see something present after the upload progress bar.

pcunite

... is buying the certs themselves possible or do I need to specifically buy a NVG510 ... ?

You can purchase certs off eBay.

pcunite

Miro, a South African distributor for MikroTik has this PDF on their website.

Nice find.

pcunite

Thank you for your hard work, I want to report a possible bug or perhaps it's AT&T causing this, but lately I can't even go past seven days of uptime before getting "rebinding" or "searching". I then need to restart the router and AT&T Gateway. Since I work night-shift m...

pcunite

Post your question under the Scripting section. There is an active group that likes to do that.

pcunite

You'll need to do so in the Registry.

pcunite

How to add some TCP ports and prioritize them as VOIP? can I simply do this and it will be enough? Please study the example more closely. VoIP packets on your network will not be the same as others. Using Mangle , you will choose what you need to mark. It could be via IP Address, standard SIP or RT...

pcunite

I have updated my articles on traffic shaping (QoS). See the link in my signature.

pcunite

It is not clear what you are asking for. See the VLAN article in my signature.

pcunite

Post the output (between code tags) of export file="myExport.rsc".

pcunite

For the purposes of hooking up a PC on port 4 when needed for management, yes I'd thought leaving it as untagged on VLAN 99 as no-one else will have physical access to this and it was purely a quick way should I be locked out.

Just make ether4 an Access port for VLAN 99.

pcunite

Thanks for the reply, I took the "bridge PVID" part from here . And the wiki is also extremely confusing. If you look closely they are showing you multiple ways to setup management access. You don't truly want to connect to the switch with untagged traffic, do you? In the article you will...

pcunite

Beautiful diagram. I love to see nicely put together information. I am grateful to mkx, sindy, and others for helping me to create the article. I'm not good at editing configurations, and I'm in a rush at the moment, so they'll have to chime in on this one. Something that caught my eye is that your ...

pcunite

Do you use interface lists more than address lists because of performance? I don't know which is more performant. But I must admit a hate with Address Lists and seeing all those ungainly things showing up there without a way to put them into neat little folders. I would assume, not having access to...

pcunite

Do you have a more secure example? I'm not the authority on firewall rules. An example would look something like this: # Sample INPUT example limiting Router exposure from the LAN (VLAN) /ip firewall filter add chain=input action=accept connection-state=established,related comment="Allow Estab...

pcunite

Thank you. I always like to see a C++ implementation of something. Really shows you what is needed and easier to translate to other options too. I don't have a need right now for this, but might in the future.

pcunite

I've taken to downloading all of your examples and putting them in vscode with the MikroTik extension in tabs. ... the "Learn MikroTik book I bought" suggests blowing away the default firewall config and using some of their examples which are slightly different ... they drop invalid conne...

pcunite

Current Issues I'm trying to solve: internet access on management vlan, printer on vlan60 talk to vlan10, learn better firewall rules All equipment should be on its own VLAN which I call the Base ( MGMT ) VLAN. Do this before you do anything else, and have a PC plugged into this VLAN so you can adm...

pcunite

How the heck do you get into this thing?

Isn't it fun? : - )

Plug your PC and cAP AC into a switch. Manually assign the PC an .88 network (192.168.88.123). Reset the cAP AC. When it boots back up, you can connect to it via IP or MAC.

pcunite

I have a question to ask the admins (how do we private message you and talk about the forums)? I am planning on rewriting this article. What is the best course of action to maintain the link (which is pinned and also maybe linked elsewhere)? I would like for all posts to be deleted except for the fi...

pcunite

Now for my questions with the cAP AC. I would like to have wifi on vlans. Do I need CAPSMan? For the RB4011, do I need to get rid of the default vlan of 0 on interface ethernet switch port? Assuming you are following this guide , set the cAP AC exactly as demonstrated in the article. Always think o...

pcunite

I found the free DNS servers at AdGuard to be very good. They seem to have more locations and the roundtrip is only 50ms. They also have some "family friendly" DNS servers which may interest some households.

Nice find. Will give them a try.

pcunite

@stuartkoh

Thanks for the write-up.

pcunite

i have tested that with no better results.

Well, sorry to hear that. We need RouterOS to have better support for 802.1p tags is what this is coming down to.

Search found 1376 matches