MikroTik

pe1chl

Well, when you click it it does not show a checkmark but an exclamation mark. That indicates "not".

pe1chl

Known problems when upgrading systems that have BGP: - existing routing filters fail to work when they do not "accept" prefix. e.g. you made a filter to set local-pref, it will fail in v7. workaround: add an accept at the end before upgrading - existing peers which have update-source set t...

pe1chl

In other words, you can trash the DNS service with just setting some unsupported value in some setting that doesn't have input validation? Interesting. I agree with you that such parameter values, unless they have some special meaning that is useful (like "infinity" or "not checked&q...

pe1chl

But DNS server crash is a very serious problem in my opinion. Most web pages cannot be accessed and are directly interrupted It is not a "DNS server crash", it is configuration of the DNS with unusable parameters. It would have to be found how that happened, but that likely cannot be trac...

pe1chl

Well, I "need" to run 7.10rc versions because they have BFD. But it seems that version is better than 7.9
When a 7.10 "stable" version is released (I know what stable means, not stability of the software but stability of the release version...) I will deploy it more widely.

pe1chl

You will have to understand that v7 bgp is different from v6 bgp, many commands are different and some things are no longer there.

pe1chl

The user manager in v7 is more towards a plain RADIUS server (with some more capabilities in that regard) and less of a fancy thing with web interface etc. That is apparently the direction they decided. You can put anything you like in the comment field for the record, but it is no longer accessible...

pe1chl

Many thanks for your complete answer ! Just a last question/confirmation, when partitioning from 1 to 2 partitions, I will NOT loose any configuration ? Just create partition, copy config to the new, activate to test, reboot, reactivate the old, reboot. Thanks When you set 2 partitions and reboot y...

pe1chl

Yes, you can partition the CCR2116, but not the CRS devices. In a 128MB device with typical usage you can make 2 partitions. Of course when you have usage of the space that could potentially expand, like user manager or dude, you should be careful. But in normal use for only firmware and configurati...

pe1chl

We have argued with MikroTik that they should add new data to the performance figures on their older products, at least those that are still for sale, when used with RouterOS v7.x instead of v6.x. The published figures for products that were designed and released with v6 are all for running with v6 ...

pe1chl

Ok thanks! I'm preparing to run a CCR1009 on v7.10 once it is released as "stable". Of course it is partitioned so I can switch back when required. I already prepared the 6.49 config (I know some snags in BGP config) and imported it in a CHR and upgraded that, and the result does not look ...

pe1chl

Anyone with experience with these versions on the CCR1009 or other CCR10xx devices?
Before, I read about general instability on TILE so before taking the plunge (I have tested on CHR) it is good to know...

pe1chl

It can be tricky to debug. In this case apparently the WiFi interface becomes unresponsive. With newest firmware on the competitor's devices we see infrequent kernel crashes. As they make the "oops" output available to the user (including stack backtrace), we can see that it is happening i...

pe1chl

These devices run on 5V supply, which is easily supplied using any USB version.
The higher voltage 12-24V is only required when the device also has "passive" PoE-out, indeed to reduce current towards the next device.
"real" PoE usually uses 48V.

pe1chl

Yes.
Read about QoS.

pe1chl

As I recall, when I set that up years ago, I tried a couple of delay times, and once I found what worked, I doubled that for the permanent script. Sure, but that holds only for your situation and possibly your test case. I can guarantee you that on a VDSL line, after a power loss, you will not have...

pe1chl

It will not (or only barely) be financially attractive to use old computers as routers. Separate licenses cost money, and they are included with MikroTik devices. E.g. the new L009 for $129 comes with an L5 license included, CCR2004 for $465 comes with L6 license. Computers generally use a lot more ...

pe1chl

The symptoms of the global variables now appear again in an hAP ax3, something is not being done right in the RouterOS code, they reintroduce bugs that were solved at least in the RB750Gr3.

Most RouterOS code is not dependent on the device it is running on.

pe1chl

Yes, that is unfortunately the only viable workaround. Ok, maybe you could make a clever script that does a DNS lookup in a loop (with a delay in the loop) until the resolve succeeds. When using a fixed wait time the actual delay required depends a lot on the configuration and many external factors....

pe1chl

That in fact is also a "problem with the ISP"...

pe1chl

Yes, it would certainly be preferable when there was a read-only property of each list that returns the actual members of that list.

pe1chl

That is certainly true. That is why I included that in the reply with the special cable.
The fact that he has a device with some USB-C charging outputs does not mean they can deliver 12V.

pe1chl

Yes, but without a concrete example, can't be clear what the user want do....

I think it is quite clear what he wants. And in general I do not like the "why would you want that??" approach to answering questions.

pe1chl

My understanding is that when he has a list like the default "static" or "dynamic" lists, he wants to know which interfaces are member of that. He does not want to get the word "static", he wants a list of all interfaces that are considered static. /interface print whe...

pe1chl

My understanding is that when he has a list like the default "static" or "dynamic" lists, he wants to know which interfaces are member of that.
He does not want to get the word "static", he wants a list of all interfaces that are considered static.

pe1chl

I see that on Aliexpress you can buy cables with a USB-C connector at one end and a barrel jack on the other, claiming that they output 12V DC. So likely there is such a chip built in to the USB-C connector that tells the supply to deliver 12V. Assuming that your powerbank REALLY is USB-C PD compati...

pe1chl

This is likely impossible. "interface lists" aren't really lists, they are bits set in a value related to every interface.
There does not seem to be a query function in RouterOS to ask which interfaces are (dynamic) member of a certain list.

pe1chl

I can't find any information about the startup order of services when booting RouterOS into a router. I'd like to understand which services are activated first and which ones last, for example, assuming the services are enabled, does the client PPPoE service start before or after the SNTP service? ...

pe1chl

It's only 5V No, that is wrong! USB-C supplies can deliver a number of different voltages. They start out at 5V but they talk to a chip on the receiving end that tells them what voltage to deliver. So indeed it would be possible to add such an input to a (new) MikroTik device and have it powered by...

pe1chl

Every additional SSID decreases performance, so reducing the number SSID needed is what helps performance. e.g. If your goal is "cleanup the config" by using only virtual SSIDs... that's not a good idea. Indeed! I cleaned up my config and have only a single SSID now with mac-based assignm...

pe1chl

Out of interest, is there anyway to change the Actual MTU of the pppoe client? Not really. It is possible to set max-mtu (and max-mru ) on PPPoE-client, but that's only "negotiation input" from client's side In his case it apparently is (he asked on other forums) but in the general case a...

pe1chl

Yes that is OK, the value you should set in the IPv6->ND should be the same as the Actual MTU of your PPPoE interface while the connection is up. When that can be only 1454 due to the ISP network, that is the correct value to use. Also put it in the Max MTU and Max MRU fields of the PPPoE interface....

pe1chl

Yes. You need to have a rule with that routing mark and what table it has to lookup. Actually I think that is a better solution as it gives you control over the sequence and the "lookup" or "lookup only". Hopefully it will be made like this for IPv4 as well (of course with warnin...

pe1chl

I also have one RB4011 on my desk for testing purposes, but that one is not as much suited for docker containers because of the limited storage which can be easily expanded on RB5009. (One thing on 5009 that I dislike *very* much is the lack of serial port, but we have what we have.) Yeah, it is a ...

pe1chl

But really I posted the first line because I'm curious why the time change log after power cut. The reason for that is the router does not have a realtime clock chip. Its clock only runs when the device is powered on and running. At intervals of several hours it writes in a file, and the timestamp ...

pe1chl

Lots of babble babble but not even a reply to my question, let alone an attempt to try a solution.
I wish you good luck! (but will not help you further)

pe1chl

Doesn't traffic get disrupted on your devices when power is cut ?
How odd ...

When the power gets cut, I notice it for other reasons. So I would first fix that before posting on a forum that my new device has a problem.

pe1chl

May I ask why? (I am too inclined to use it as is.)

Well, "powered hub" that is usually something in the "cheap crap Chinese computer add-on" category and it is probably less reliable than your router.

pe1chl

Now you have identified one VPN that you do not like, and you may be able to block it in some way, but you will have to live with the fact that there are many different VPN providers, from "good" and "bad" guys, and that you will never be able to block them all. So your original ...

pe1chl

That is not an advisable solution! IPv6 has a separate MTU setting under IPV6->ND that you can set to 1492. Set the ethernet MTU back to 1500. You can also experiment with setting the MTU of the PPPoE interface to 1500 and see if that remains after it re-connects. If so, your ISP supports larger MTU...

pe1chl

I would not add a powered hub only for this. Either use a powersupply connected to the device, or use it as it is.

pe1chl

Well, maybe read more carefully before reply... he also says "I get cuts in traffic which is quite annoying while working remotely and in meetings". So it is likely not his power failing, but the ax2 crashing for some reason. What RouterOS version is it running? has that been updated after...

pe1chl

Do you have a connection to the ISP with less than 1500 byte MTU? E.g. a PPPoE connection often has that problem. If so, first try to fix that. Try to set 1500 byte MTU and MRU on the PPPoE interface and see if that remains after re-negotiation. If so, your problem is probably fixed. If not remove t...

pe1chl

Way in the past, in some v6.xx version, one time I have seen the same thing on my router: timeout values suddenly zero, all DNS queries fail.
No idea what has caused it. Of course easy to fix.

pe1chl

That is what I mean, there also is another setting to allow MAC spoofing. You NEED that to run a bridge in a VM.

pe1chl

Is BGP Route Flap Damping (RFC 2439) implemented?
As far as I know not supported. But it is a good feature request.

More than 10 years later, has it already been considered or even worked on?

pe1chl

I do not have experience with Proxmox, but in VMware ESXi there are settings for this, maybe on Proxmox as well.

pe1chl

That is right. Using src-address-type=!local is likely too broad. But of course you could use src-address=!(the address of the external interface).

pe1chl

v7 is not production ready for my needs, so if you force v7 even on older hardware, then... this is the end of an era for me. May I ask why? Just curious what you are missing. What I don't understand is why, after all the times we have mentioned this, there still is not a published table of differe...

pe1chl

The problem is that there is no BNF definition of the language that corresponds with the behavior of the parser. So you cannot make arbitrarily complex nested expressions that would be valid in almost any language. At some point it just issues an error. And of course, the indication and handling of ...

pe1chl

For me, the most important is to add a BNF definition of the language and make the parser adhere to it. I have found many times that when combining various constructs that each are supported into a complicated expression, it does not work. You need to break up complicated expressions into various st...

pe1chl

Simplify a lot of work ? I would say it is just a niche case that is mainly a trick, and associative arrays (as in the example by rextended) are the proper way to do what you want. Sure there are some things that can be improved in the scripting language, and especially in its parser, but I don't co...

pe1chl

ok. the mac table is full. traffic dropped. let's clear up some old inactive entries. The problem is that the entries that make your table overflow are neither old nor inactive. They probably are waiting for the targeted machine to answer to the ARP query, and when that answer comes in to send the ...

pe1chl

Still issue on rb4011 with rc3 with vlan and l3hw

RB4011 and L3HW ??? What???

pe1chl

Well, you could do an extra check before accepting an entry. When the entry has bits in the subnet part of the address, it is bad and should be discarded. E.g. when the entry is 80.81.82.83/24 it is bad. When it is 80.81.82.0/24 it is good. But when it is 80.81.82.0/2 it is bad. It would also be wor...

pe1chl

I think it has always been like that. This setting requires a reboot. Maybe it should indicate that.

pe1chl

The forum has a search function. When you search for VTI you can find the many other requests to have it implemented. Due to the limits of the search function it is not so easy to find the latest reply from a MikroTik employee, but I'm quite sure that the latest reply was "there currently are n...

pe1chl

A few days ago, I was attacked by a host in a local area network，This host scans the local area network segment 192.168.0.0/16, Probably not really an attack. Some applications think it is a good idea to locate other users of the application, or sometimes certain resources (like a printer) by scann...

pe1chl

Configure and use IPv6, then you get many addresses that you can use without NAT.

pe1chl

Log is seen by admin to reveal some undesired activity. Copypasting is time consuming. Consider adding a button which will call New Firewall rule, with pre-filled IP from Log entry. This is supposed to improve usability. Of course you would not want to make a "new firewall rule" for that!...

pe1chl

That OID is a standard MIB-2 one.

pe1chl

WiFi AP being connected is from Ubuiqiti or Cisco, have seen it happen on both. We have several RB951G-2HnD and they have been upgraded from 7.7 to 7.9.1 when this first happened, before there was no such issue and there has been no config change. Normally such a situation will mean loss of connecti...

pe1chl

There appears to be a "new" issue (at least from 7.9.1 but it could be in any version after ~ 7.7) with WiFi in station mode (connecting to another AP), with a DHCP client on the wireless interface. When the WiFi gets established, the DHCP client does not always succeed in getting an addr...

pe1chl

There appears to be a "new" issue (at least from 7.9.1 but it could be in any version after ~ 7.7) with WiFi in station mode (connecting to another AP), with a DHCP client on the wireless interface. When the WiFi gets established, the DHCP client does not always succeed in getting an addre...

pe1chl

It has been requested for many years, but the recent reply to it was that it is not planned to be implemented. That is indeed sometimes inconvenient, but it is what it is. Remember that there are tens of different VPN protocols each having multiple options, and it simply isn't possible to implement ...

pe1chl

Think of them as a template, they're unused until you send something into them from a parent chain They are not a template. You can view them as a subroutine. It can be called from other chains (like input and forward) using action "jump" (which should have been named "call"). S...

pe1chl

What you want to do is not possible with MikroTik. RouterOS does not support VTI and apparently there are no plans to add it. What you can do instead: remove all your IPsec config and add a GRE tunnel with IPsec password. That will automatically create IPsec policies for transporting GRE over IPsec....

pe1chl

When I run a scan, I see about 100 APs on 2.4 GHz and 40 APs on 5 GHz. The entire 5GHz band is used, the high channels too. And I run my own PtP link on 5520 so don't want to be close to that either.

pe1chl

Main point (and I see this return on many threads where performance issues are being reported) is to make sure your chosen frequency is CLEAR from interference by other APs.

That is a good joke!
But I do not live in the desert...

pe1chl

I'm sure you can always find scenarios and cook up tests that show a problem.
My only remark is that in normal situations it will not be that much of a problem.

pe1chl

In Linux it is not like in some other OSes, that a process demanding CPU at the same (default) priority will automatically starve other processes. In fact, when a process is demanding a lot of CPU, its priority is automatically decreased a little, so that other processes will go first and it gets th...

pe1chl

While all of your remark is quite correct, my remark was about your indication towards 50% expected real life speed. 1201Mpbs date rate (yes, RADIO data rate. After all, we are talking about wifi), translates on AX device to 800Mbps-something speed. Over Wifi. That's a bit more then 50%. Ok, when I...

pe1chl

Maybe you have other equipment and you can use an "automatic transfer switch" to switch between inverter and mains, and feed its output to the CCR2004 and maybe also to equipment that has only one powersupply. Usually you can set a priority in such devices (or it is fixed and you can wire ...

pe1chl

Maybe you have other equipment and you can use an "automatic transfer switch" to switch between inverter and mains, and feed its output to the CCR2004 and maybe also to equipment that has only one powersupply. Usually you can set a priority in such devices (or it is fixed and you can wire ...

pe1chl

I also see 1201/1201 being reported as data rate. What is reported there is the RADIO datarate. The radio is halfduplex and it has additional overhead for the radio protocol. So unlike a 1Gbps ethernet link which gives you very near to 1Gbps actual throughput in both directions at the same time, a ...

pe1chl

Most likely scenario is that for an entry added by someone/something, the subnet mask was specified as /2 instead of e.g. /24 RouterOS will automatically match the aaa.bbb.ccc.ddd/2 address to leave only the first two bits, which can be 64, instead of throwing an error when an address is specified ...

pe1chl

But no gigaspeed over wireless. Current MT products do not have that capability. If other vendor, wrong place to ask. :lol: Cap AX says 'Wireless 5 GHz Max data rate 1200 Mbit/s' would that not be gigabit? Always remember that such speeds (not only for MikroTik but also for all other manufacturers)...

pe1chl

Most likely scenario is that for an entry added by someone/something, the subnet mask was specified as /2 instead of e.g. /24 RouterOS will automatically match the aaa.bbb.ccc.ddd/2 address to leave only the first two bits, which can be 64, instead of throwing an error when an address is specified w...

pe1chl

But in what real-world use-cases should I select this new option over the "normal" SNAT or Masquerading action?

Ask that in the topic about "Full-Cone NAT"... those people seem to have a use for it.

pe1chl

Well thinking about it more, converting multicast to unicast may indeed be the only way to get multicast working on a single WiFi SSID with dynamically assigned VLANs.... Maybe it would be better when the multicast-helper setting "default" recognized this and enabled multicast helper for t...

pe1chl

The multicast helper configuration (on or off) has no effect on this problem... Well, that was wrong... I had wrongly assumed that the setting "default" for multicast helper would be OK for typical multicasts like IPv6 RA or Chromecast, as with that setting it works OK when a single VLAN ...

pe1chl

I fully agree. I don't have any equipment capable of running wifiwave2 (I have a 4011 but cannot afford to lose 2.4GHz) so I cannot test that. Maybe you can do an experiment :-) When you have several APs running on VLANs (using the vlan tag option in the Wireless interface) you can just add a single...

pe1chl

The multicast helper configuration (on or off) has no effect on this problem... Of course the handling of VLAN tags (inside the wifi driver) requires additional processing. Not by looking at the access list every time, but by registering the VLAN determined from the access list at time of connection...

pe1chl

(continuation of discussion in beta topic that has been locked) I found a temporary way to log something when BFD detects a link loss. I added a logging entry with topics=bgp,debug,!packet,!timer That logs a "Entering OpenConfirm state BgpStarter ..." message every time BGP is restarted. O...

pe1chl

Well, normally you would not add another address on the tunnel interface, but rather a static route like this:
/ip route add dst-address=192.168.100.0/23 gateway=192.168.81.2

pe1chl

When you have setup the GRE tunnel (that seems OK) of course then you need to add a route to the destination network via the remote IP on the GRE tunnel (10.10.6.2).

pe1chl

Remember that you cannot run a bridging wireless repeater across different brands! WiFi does not have a standardized transparent bridge mode.
The safest bet is to remove the bridge and make a routing setup, i.e. have a different network on the AP side (with its own DHCP server etc), and double-NAT.

pe1chl

Nobody else using dynamic VLAN assignment for wireless?
This problem is driving me nuts... I would at least want to hear if someone can confirm this problem or if I maybe have some subtle error in my config that causes this.
Even support has not replied to my ticket SUP-114289 after a month...

pe1chl

Your Palo Alto is probably doing "VTI". MikroTik does not support that.
Instead you can use a GRE tunnel over IPsec transport.

pe1chl

Detailed and easy to understand steps to solve this problem. Thank you for sharing your answer If that's detailed enough for you, maybe you can make it detailed enough for me? How do I make the router receive IPv6 address to redistribute it internally? Or no further steps are required? It just rece...

pe1chl

Indeed, unfortunately for a long time the units have been shipped with "bundle package".
6.49b22 is not off-factory, I think ?

Once you have bundle package, it will remain when you upgrade via the "check" button.

pe1chl

Indeed, unfortunately for a long time the units have been shipped with "bundle package". That means all packages are always on the unit, except you can disable some of them. Then they will not appear in the menus and they won't be running (so they cannot cause security issues), but they st...

pe1chl

Netinstall. Or: don't upgrade.

pe1chl

!) route - added BFD (CLI only); In v6 the BFD logged messages using the facility "bfd". So I added that to the logging to get informative messages about bfd dead link detection. In the current version it does not seem to log anything, neither from bfd nor from bgp. I only see the lower u...

pe1chl

When using DHCPv6, the router can get its gateway via that. Nothing iffy about that. It does not need a RA receiver to receive a link-local address, that is assigned automatically derived from the MAC. The RA receiver is only required to set a global address on the link, which isn't required as you ...

pe1chl

Another possibility: use two devices. One running newest ROS version as border gateway (which is realistically the target for CVE-2023-32154 related attacks) and the other running whatever ROS version works for your wireless (and doesn't have to accept RAs because you use IPv4 for management) ... I...

pe1chl

CVE-2023-32154 will not affect most people.

pe1chl

... or do not bother about IPsec config on the MikroTik and just create the IPsec tunnel with an IPsec password. That will auto-generate the settings. However, getting IPsec to work between different manufacturers is not so simple. You need experience and persistence. "can nobody help me" ...

pe1chl

I guess i just need to buy new device, i dont have anything special installed and i did neinstall few months ago... Did you do backup before the netinstall and restore afterwards? Don't do that! Use export/import when you really need to transport some config. Better is to use default settings and d...

pe1chl

Indeed I also update a hAP ac2 without problems, but on that device the flash memory space is getting very tight. When you have put files of your own on the device, remove them. When you have installed extra stuff like user-manager, remove it (move to some other device). When you have done upgrade a...

pe1chl

But all the white empty spaces in post are annoying as well.

Yeah it is idiotic that the number of posts, time of joining the forum (and location) is displayed with every post. People can look that up in the profile.
Due to this, extra blank space is added after every short post.

pe1chl

Well I guess that with any change in any system there will be people claiming it is a problem because their niche use is now no longer possible... I use a lot of comments, but as I have switched over to winbox quite some time ago (after initially using webfig because I use Linux and did not want to ...

pe1chl

One example is the DHCP lease tables. I have scripts that go through each of my edge routers (20ish at present) and makes current leases static for use by UISP and traffic shaping. Sometimes I have the customer's full name in the comment field, but more often than not I pull the hostname from the D...

pe1chl

As you can see from other commenters, who like it ... This is a matter of taste. How is "left aligned" in your big monitor not wasting space, but centering is wasting space? It is the same amount of wasted space, just in a different place. Do not use webfig in a maximised window on a ultr...

pe1chl

I like the inline comments in WebFig. It's saving me a lot of time scrolling. I ask that Mikrotik don't change this back. . Actually we have asked, earlier on this thread and on the 7.9 threads as well, to have the OPTION to choose inline or "newline" comments, just like the winbox has (a...

pe1chl

As expected (feared), the count is before route filtering, whereas in v6 it was after route filtering. But still better than nothing! If you refer to "filtered" by routing filters then there is no difference filtered or not filtered, total route count stays the same in both cases. In v7, ...

pe1chl

Please read all of the above before you post your useless addition!

pe1chl

It looks like the BFD actually works fine! Hooray! Next wish-list item: make the "BGP Sessions" tab in winbox auto-refreshing like the "BGP Peers" tab in version 6. Right now the information displayed w.r.t. active sessions, prefixes, rx/tx messages and uptime is stale unless you...

pe1chl

*) bgp - show approximate received prefix count by the session;

As expected (feared), the count is before route filtering, whereas in v6 it was after route filtering.
But still better than nothing!

pe1chl

It is not only about "router going down", it also (and mainly) is about "link going down". When you have a partial mesh of WiFi PtP links or Internet tunnels between many different locations, and there are alternative paths, you want your routing to adapt quickly when a link is d...

pe1chl

What is the justification for removing the default style.

******** maintainers that blame all problems on styles...

pe1chl

Well, routing rules are always a bit troublesome. One would want either a "destination is connected route" matcher in routing rules (so one can lookup in main table) or even better some feature to "automatically copy connected routes to this table" in routing tables. I understand...

pe1chl

It is not advisable to upgrade "lite" devices to 7.x "just for the sake of upgrading".
I would say only do it when you require some functionality that is only in 7.x, if not remain on 6.x for the lifetime of the device.

pe1chl

The blog says "with enabled IPv6 advertisement functionality" but I think that should be read as "with enabled IPv6 advertisement receiver functionality", right?
I.e. merely having IPv6 router advertisement enabled is not a problem?

pe1chl

blog = new help docs?

No, blog = https://blog.mikrotik.com/
But nothing has been posted there for nearly two years...

pe1chl

Come on! Not so impatient! It could take 2 years to fix that, BFD is still not working after 2 years.

pe1chl

In comparison with previous versions, inline comments are less usefull and readable for me. As example - in Interface list page or Firewall filter list page - there are many more important columns and I need to fit them to browser window.If I enlarge comment column to see full length of comments(wh...

pe1chl

Blog entry following soon

Blog? I did not know it still existed...

pe1chl

That must be a bug that involves more than setting a priority, as I use that to set 802.1p priority and it mostly works for me. I know about one peculiar bug: a GRE tunnel with "DSCP inherit" and IPsec transport, over PPPoE on a VLAN with 802.1p priority, will not work on the 4011 while th...

pe1chl

Yes, that is a bit sad. But it only happened today, not during the forum maintenance.

pe1chl

Yes, phase 1 at least has to be compatible for all. There is a chicken-egg problem because the server cannot know the identity of the client before starting phase 1 (especially when you cannot tie that to remote address). In general I would suggest that, however cute it may be to have all kinds of v...

pe1chl

It is always difficult to follow other people's fragmented config and claimed problems, but on my router it works OK using "ip ipsec policy group", different settings per group, and linking of the identity to the group. It looks like you already have that, however. The order of the rules m...

pe1chl

I have no such requirement, my prefix is static. And most users don't have the requirement to open ports to a local server.

pe1chl

I guess x86 in combination with Wireless is not the main focus of MikroTik...

pe1chl

it takes extensive configuration with scripts to achieve basic functionality like a selective firewall There really isn't much difference between IPv4 and IPv6 firewall configuration. A problem in RouterOS v6 is that IPv6 is an optional module that is disabled by default, and when you first poweron...

pe1chl

I am talking about performance. Your complaint is that it is slow. Still no exact test or comparison with those other routers Well, I agree with him that "Test results" for products on the product page (certainly for those that are still being sold) should include a specification of what ...

pe1chl

Give specific numbers, how much IPv6 are you routing

These days, on my home router the traffic volume ratio is about 40/60 for IPv6/IPv4.
At work, it is about 50/50.

pe1chl

The most often used priority sequence for the 3 bit field is: 1,2,0,3,4,5,6,7
So indeed 1 is lowest, 2 is above that, and then 0 (default) is higher and 3-7 are above that (7 is highest).

pe1chl

WPA3 is a change in security, not in rf waves, if your client has it implemented as expected and your AP too it just works. Got a few Aruba APs running and if there's something that has been working no matter what it's WPA3. Unless you have a crap Android phone that doesn't even get those patches a...

pe1chl

Yes it looks OK. But "is synced" is not sufficient, you really need that detail that /system/ntp/client/print provides, e.g. the synced stratum and system offset, and even the synced server. E.g. when synced stratum is 10 or more, it can still be synchronized but some other clients may ref...

pe1chl

What does /system/ntp/client/print show?

pe1chl

So RouterOS is choosing the proposal of site1, instead of roadwarrior, although site1 has a remote id matcher configured.

I don't see it in your config. You need to have an /ip/ipsec/identity configuration.

pe1chl

I am still wondering why the comment is now a column? And I actually wonder and question the decision-process behind this change. I think it is great! It has always been possible in winbox, and the setting "inline comments" is always the first thing I do when using winbox on a new device....

pe1chl

People used to buy RB2011UiAS-2HnD-IN because they are used to it and used to have same configs on all devices for years, and never because they needed RACK mount option (which 2011 doesn't have at all, not that 4 slow wifi routers in a RACK makes much sense to me anyways) RB2011 without WiFi does ...

pe1chl

It has been a bit of a mess for quite some time... duplicated field names in Winbox (e.g. "Full duplex") and different names for what could be the same thing ("Speed" vs "Rate"). Usually one of them is the configured setting and the other one is the negiotiated setting....

pe1chl

Is ether13 a member of a bridge of which all other ports are a member too? In that case you cannot limit access this way. The rule would need the name of the bridge as the in-interface, and it would match all bridge member ports. Of course it is possible to implement a bridge filter, but I'm not sur...

pe1chl

We have over 700 devices and not all of them connected. As mentioned, impossible to know which ones.

pe1chl

For now, I would not recommend the use of WPA3. (independent from the use of MikroTik WiFi) I don't have problems with WPA3 on Ubiquiti AP, i have combo WPA2/3 but then, i only have them for like 2-3 months now. I have tested with WPA2/WPA3 on Ubiquiti and I find that some devices won't connect to ...

pe1chl

It is actually quite common to see issues like this whenever new WiFi standards are introduced and also when they are implemented by AP manufacturers... I have seen it all on our Unifi system. It will take some time before the perfect balance between new features and compatibilty is found. For now, ...

pe1chl

My uploads were aweful, like I said above, i need to test more! but whatever type i used over time it got worse be-it cake/FQ_Codel or simple queues. now i've downgraded all is well. Ok I use only DSCP-based marking of traffic and translation to 802.11p priority tagging which is processed by my DSL...

pe1chl

Disabling WPA3 should eliminate PMKSA error, as it is WPA3 related.
I am not so sure about that.

For sure it is. But it depends on the connected clients. It may well be that your modern clients on 5GHz have no problem, and the old crap or IoT devices (ESP based) have problems.

pe1chl

Sadly I've had to downgrade to 7.9 due to problems with QOS.

What did you configure w.r.t QoS and what problems do you have? I presume it isn't related to qos-hw.

pe1chl

Thanks for the pictures... did you check the 2 locations for transistors (or double diodes) near the 5V FAN connection? Do they have 5V on some of the pins? They could be related to the FAN pins, and the fact that they are not populated could explain why there is no output voltage on that connector....

pe1chl

Well, when you use 40 MHz channel width you effectively have only one channel anyway, so it does not matter if it always uses channel 1...
IMHO the max width on 2 GHz is 20 MHz, which gives you 3 channels.

pe1chl

P.S. Please stay on the topic!

If only MikroTik would do that themselves. I.e. finish the unfinished features in v7 before starting a new one.

pe1chl

Fiber is a commercial operation here. The places where it was deployed early were subsidized or at least guaranteed by some authority like a municipality or a housing agency. In most places, there is a cold calculation of "what will it cost to deploy it, how many customers will we get, and what...

pe1chl

The issue is not only "internet speed". When I do a scan on an indoor router here, I see about 100 APs on 2 GHz (and I only have 1-6-11 in my scanlist so there probably are more), and only 15 on 5 GHz. Almost any ISP provides a dual-band router these days, but of course the shielding is a ...

pe1chl

Come on, it took me a moment to modify all my scripts on the forum and in production to be ready I think the issue is not how much work it is for a capable programmer to modify the code, but more the vast number of copy/paste programmers that have tinkered a script that works and suddenly it breaks...

pe1chl

It depends on what you want: best distribution of load, or least chance of subtle problems with certain sites or services.
I use "src address only". That gives least chance of trouble, but it only distributes load well when you have lots of users.

pe1chl

aditionally i am not sure PPPoE Server can benefit of L3 Hardware Offload at all

Maybe not this hardware, but actually some of the SoC do implement PPPoE hardware offloading, as it is a common use case for consumer routers.
However, it does not look like RouterOS uses it.

pe1chl

Back in 2018 it "was considered" to add a function library for scripting, and input was requested for what functions would be useful to have: https://forum.mikrotik.com/viewtopic.php?p=951855 One of the first proposed category was manipulation of date/time values. Unfortunately we never go...

pe1chl

Yes, it is just the name of the version, which happens to include a date/time (only for v7, in v6 this wasn't done).
Of course it can be changed when they change their build scripts. Still, that will show the new format date only for new versions, not for neighbors that run older versions.

pe1chl

When you are working on this anyway, please consider the following: 1. allow to set software queue priority directly from DSCP. now, there is a detour required: set "priority" from DSCP, then set "packet mark" from priority, then assign queue priority based on packet mark. Howeve...

pe1chl

BTW, another place to adopt:
Code: Select all
[admin@MikroTik] > :put [ /system/resource/get build-time ]
May/09/2023 10:38:53

That is probably just as string as distributed in the package, not the result of a function that is running on the device itself...

pe1chl

Yes, it should be enough to define a policy and peer. As long as there is "some" route to the remote network, ipsec will pickup the traffic and send it according to policy. (not that I would do that... I would define a GRE/IPsec tunnel and assign an IP to each endpoint and route the traffi...

pe1chl

What should i choose on gateway in route list on external tunnel ipsec site to site connections? For that you normally do not have to add any route. Your default route will be sufficient. There only has to exist "a" route to the destination for ipsec site to site to work, it does not even...

pe1chl

At this point, we're taking about the output of "clock get" to avoid the need to parse English month names... Nothing more is included AFAIK (yet?). The change notes said: *) console - changed time format according to ISO standard; So I expected any date/time output visible on the console...

pe1chl

of course you can write a script that displays the interesting data in a loop (e.g. every few seconds), and when you start that from the terminal you can look at it. you can even maintain some derived values in the script and display them as well, like average, average over last minute, lowest, high...

pe1chl

What I don't understand is why the new date format is implemented only for console, and only in very limited cases. The first log message I see already breaks the new system: 14:27:56 system,info ntp change time May/10/2023 14:27:56 => May/10/2023 14:27:56 I mean, was it really that difficult to mak...

pe1chl

Unfortunately no.

pe1chl

In case if anybody has misbehaving rb4011 using vlans, please make sure you have MSTP enabled on bridge. Didn’t work in long run. I tried also disabling hw offloading on bridge ports or enable ign snooping as someone suggested and none of it helped. Gave up and reverted to 7.7 again. My 4011 is doi...

pe1chl

As I mentioned, I tried it both with access-list and with radius authentication, but the result is the same. So the issue is in the handling of the assigned VLAN, not in the mechanism that assigns it. I think no special treatment of multicast should be required. E.g. I have a separate VLAN where my ...

pe1chl

I optimized my WiFi by using only a single SSID and using VLAN assignment via RADIUS (user-manager) to get each client on the correct VLAN. This is on classic Wireless, not wifiwave2. It turns out it does not work correctly: the client receives directed traffic and broadcasts, but not multicasts fro...

pe1chl

Well, at the moment I am more bothered by the bug in VLAN assignment via RADIUS even for a single client...

pe1chl

That is not so bad, right? It is sufficient for typical home-router use where internet is on ether1 and home devices are on the other ports. Ok, it is not optimal for use of SFP1. It would preferably be reconfigurable so that SFP1 is on the direct connection to the SoC and ether1-ether8 on the secon...

pe1chl

It says "2011... container support: no". But well, 2011 supported MetaROUTER.

pe1chl

Item numbers are only valid in the user interface, not in scripts. The numbers are generated when a "print" command is used and are only valid for that login session.
To refer to items in scripts you always need to use [find ...], not item numbers.

pe1chl

Well you could start by disabling fasttrack and see if it works better...

pe1chl

In recent versions you can have a user-defined RAMdisk. But I do not know if you can upgrade from packages stored there. And of course it would not work with the built-in upgrade commands, as I don't think you can set the download location, it is always .download in the root. (well, maybe you could ...

pe1chl

Of course it is a disadvantage that you need to study a lot and do a lot of work when others (that use a framework) suddenly are able to do "spectacular" things like having a canvas with multiple overlapping child windows, like winbox has, and you want to introduce that in webfig. Or you w...

pe1chl

Also, when you have a router that allows it (sufficient storage), always make 2 partitions and copy your running partition to the other one before the upgrade. Then, whenever an upgrade is not what you like it to be, you can just activate the other partition and reboot, and you are back to exactly w...

pe1chl

You are probably talking about installation of a SIP app and configuring that to make calls via some SIP server. That is not what is commonly known as VoWIFI. VoWIFI is a service provided by telecom companies in addition to their VoLTE service (voice over 4G/5G), that does not use SIP directly on th...

pe1chl

Just look at Ubi Unifi interface - that's how modern interface should look like. When the look of the user interface is important to you, select the product that has the look you like! I think most users of MikroTik equipment do not care a bit how the webfig looks. Furthermore, I don't think "...

pe1chl

ok, I'll do an export (text-only ) of the configuration, scripts and modem settings. Then I'll do a total reset so at least I have the firewall with the default rules; then I'll add what's missing by hand. I don't see any other solution. You can also use this command in commandline mode: /system/de...

pe1chl

It may still be an option to go back to Orange, as nowadays it is EU-mandatory for providers to allow other manufacturer's equipment on their network. In the past, many ISPs implemented things like this to silently lockout other routers than what they provide themselves, and other manufacturers were...

pe1chl

Delete the "add action=drop chain=input comment="Winbox on WAN" dst-port=8291 in-interface=lte1 protocol=tcp" as well. You don't want that! The remainder seems to be about the default firewall, but I did not check that to every bit. I think MikroTik should add a "reset firew...

pe1chl

@pe1chl Because the user @jimint some users probably don't understand the difference between data transport and the services transported by transport.... Sorry but I lost track of that discussion due to excessive quote stripping (probably mandated by a dictator moderator). It looks like it is time ...

pe1chl

There is no reason to block SCTP. Just use the default firewall rules. You contradict yourself, in the default firewall the SCTP directed to an IP that does not exist is deleted anyway... (or at most his machine is used to perhaps amplify an attack, if the response goes out again on the WAN because...

pe1chl

Also showing dropped packets making it unusable on RB4011iGS+

You are also thinking that "rx drop" indicates a problem?

pe1chl

I got IPv6 working but I am not sure why things worked in 7.8 and earlier releases, but I had to make a change to get it working in 7.9.

Most likely the config is wrong and it happened to work.
Please start a new topic with you export included. Not useful to discuss within this release topic.

pe1chl

There is no reason to block SCTP.
Just use the default firewall rules.

pe1chl

@pe1chl So I would do well to delete them ? I have been using them for a few years and they have always worked well , only lately they give me that problem. Those rules bring you absolutely nothing. They never "worked well", they were just no-ops. Until, apparently, some of your devices s...

pe1chl

IPv6 works fine for me on version 7.9 Are you using stateful or slaac? I am using slaac. The dhcpv6 client asks for and gets a prefix for ND. I add an address from the pool for the router which creates a route. This works fine with 7.8 but not 7.9. I will dig into it later but was curious what is w...

pe1chl

IPv6 works fine for me on version 7.9

pe1chl

I'm just curious where the SCTP is coming from here. It's also connection oriented like TCP, so this could be a replay from a client initiating it. The above is why I stated that people should not mess with the "raw" table when they do not know exactly what they are doing. When there was ...

pe1chl

In general it can be said that people who do not have a detailed understanding of firewalls should NOT mess with the "raw" table! Especially they should not copy other people's "advice for firewall rules". Rules in the "raw" table can have unintended consequences and us...

pe1chl

"rx drop" is not packet loss. And where is the packet loss in winbox? I make a ping www.google.com packet-loss=0% So what is your problem? I see the same thing. Packet loss is 0% on ping from either router or host behind it. So my conclusion is: no problem. But apparently some people beli...

pe1chl

"rx drop" is not packet loss.

pe1chl

All settings are saved in a database on disk. When the disk is full, that cannot happen anymore.
Basically you need to make sure the disk never is full. For a hEX S this should be no problem unless you put user files on the flash. Don't! Use a USB stick.

pe1chl

Being a person that uses the webfig much more than winbox, this change: . *) webfig - added inline comments; . is plain terrible. I'd love being able to at least choose the old behavior and having the comments on a different line instead of inline. Please consider having this as an option and not f...

pe1chl

And make sure it does not use 192.168.132.1 as the external resolver...

pe1chl

Packet loss is 0% on my RB4011. You will need to provide more details.

pe1chl

Of course there are reasons why one cannot upgrate to v7, but I can't imagine that this particular issue would get any priority. It looks like the sequence is always the same and may be the sequence these address lists were added during configuration. It is a matter of "getting used to". Y...

pe1chl

You are right, I tested it only with v7 but now that I look on a v6.49 router indeed it is not sorted. Apparently the sorting is done by the router, not winbox.

pe1chl

Yes, either you use "check for updates" and let the router download the packages, or when that isn't possible (e.g. because the router has no internet connectivity) you check which packages you have and upload the same new version of everything (routeros-xxx and otherpackage-xxx) to the ro...

pe1chl

wifiwave2 is an implementation of drivers from the manufacturer of the chipset, rather than an in-house written driver (which wireless is). So there are many small details that are missing or incomplete... this is only one of them. We can only hope that over time, some things are coming back. But li...

pe1chl

When looking at the "/ip dns cache" it appears that in the Name column, every instance of .com is replaced with .cOm
This is not happening in the Data column (e.g. for a CNAME to a .com domain)
Why is that?

Edit: nevermind, apparently Cloudflare DNS is doing that...

pe1chl

Any chance to fix this viewtopic.php?p=938420#p938367 simple issue of not sorted Address List in DHCP static lease drop down option? Reported already many times with each new release :-(, How much time takes this fix...on or two minutes? It works OK here. Did you try to reproduce it without your se...

pe1chl

This means that if I use winbox 3.37 and earlier, with bad skins from 7.8 onwards (barring future bugfixes), I can have full access , instead using 3.38 the menus are hidden correctly, giving false security , but just use 3.37 and you still have full access ?.... I think skins are not really about ...

pe1chl

Firewall rules lists are still 'cut in the middle' when first displayed. As soon as you move to another tab and go back to the previous one, the list is complete. My experience is that: - "filter" list is cut at line 96 - "nat" at line 46 - "mangle" at line 73 Works OK...

Search found 11903 matches